[Feature Suggestions/Enhancements]: ENABLE User To change predefined hashed functions and modules #522

Open
kapiushion opened this issue Oct 9, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@kapiushion

Contact Details

[email protected]

What is the idea?

Is there a way to change the hashing string of the modules and addresses? I realized that it is possible to change the address hash strings by simply changing the key and rehashing again; however, for the module hashes it is not possible. For example, for ntdll the default it uses is 0x70e61753; using the same algorithm, I was not able to get that hash, you actually get 0x1edab0ed, so I am not sure where you came up with that hash. I would like to know, so I can modify the hashes, since nowadays there are a ton of signature detections in memory because of those, and we cannot change them, since if you change the key, you must change the hashes of all of them. Since right now I have not been able to change any of the module hashes, because they give a different value, it is not possible for the moment. So I would like to know how you came up with that hash and how you calculate it, so I can change the hash key to avoid signature memory detections.

Is_it_already_in?

No (You checked and it doesn't.)

Relevant code samples

The default hashing string uses this code:

```python
#!/usr/bin/env python3
# -*- coding:utf-8 -*-
import sys


def hash_string(string):
    # DJB2-style hash: start at 5381, then h = h * 33 + ord(c)
    # over the upper-cased input.
    h = 5381
    for x in string.upper():
        h = ((h << 5) + h) + ord(x)
    # Truncate to 32 bits.
    return h & 0xFFFFFFFF


if __name__ == '__main__':
    try:
        print('0x%x' % hash_string(sys.argv[1]))
    except IndexError:
        print('usage: %s [string]' % sys.argv[0])
```

It works fine to hash all the functions, but not for the modules; the values do not match.



### Are-You-Trolling?

- [X] I declare I made an effort and provided the necessary information for an understanding of the feature by the Framework authors.
@kapiushion kapiushion added the enhancement New feature or request label Oct 9, 2024
@kapiushion kapiushion changed the title [Feature Suggestions/Enhancements]: [Feature Suggestions/Enhancements]: ENABLE User To change predefined hashed functions and modules Oct 9, 2024
@Cracked5pider
Member

There is a bug when it comes to module based hashes.
#515
I will change this in the future
