capa-rules
capa-rules copied to clipboard
Published
20 hours ago •
mandiant
mandiant
resolve API via shellcode hash
Summary
Generic way to identify shellcode hashing functions. See #166
Features
- (tight) loops
- ROR/ROL/SHIFT/XOR/ADD/SUB
- PEB offsets
- PE offsets
I took a quick initial look at this
Here's a basic block from sample 8bac633f24d21e9f88425e0d3fbaf5c5
0x10004620 ror ecx, 0xd
0x10004623 movsx eax, al
0x10004626 lea edx, [edx + 1]
0x10004629 add ecx, eax
0x1000462b mov al, byte [edx]
0x1000462d test al, al
0x1000462f jne 0x10004620
Along with the extracted features
bb : 0x10004620: basic block
bb : 0x10004620: characteristic(tight loop)
insn: 0x10004620: number(0xD)
insn: 0x10004620: number/x32(0xD)
insn: 0x10004620: mnemonic(ror)
insn: 0x10004623: mnemonic(movsx)
insn: 0x10004626: offset(0x1)
insn: 0x10004626: offset/x32(0x1)
insn: 0x10004626: mnemonic(lea)
insn: 0x10004629: mnemonic(add)
insn: 0x1000462b: offset(0x0)
insn: 0x1000462b: offset/x32(0x0)
insn: 0x1000462b: mnemonic(mov)
insn: 0x1000462d: mnemonic(test)
insn: 0x1000462f: mnemonic(jnz)
The following rule should be a reasonable candidate for an cursory ROR 0xD rule. I'm sure there are more variants with instructions broken up that will need to be accounted for.
rule:
meta:
name: resolve function by hash ror 13
namespace: linking/runtime-linking
author: "@_re_fox"
scope: basic block
mbc:
- Execution::Shared Modules [T1129]
examples:
features:
- and:
- mnemonic: ror
- mnemonic: add
- number: 0xd
- characteristic: tight loop
I'll stress test the rule and put up an initial PR.
This issue will probably be open for a moment, there are many more algorithms to hunt for (https://github.com/fireeye/flare-ida/blob/master/shellcode_hashes/make_sc_hash_db.py).
After giving this a closer look, I may have been overly optimistic.
Basic blocks like 0x6545E4B0 in sample capa-testfiles/0761142efbda6c4b1e801223de723578.dll_ make this more difficult.
Large basic blocks with many arithmetic instructions.
There are a couple ways to proceed forward.
One option is to limit the number of instruction/mnemonic hits with count.
Another option is to consider more tightly matching on the mnemonic -> constant relationship. There was an issue created for this. The primary problem with this approach is that it begins to converge on pattern matching within binaries, which is probably out of scope.
some relevant features from 2c541f...
getting features for current function 0x1400024F4
func: 0x1400024f4: characteristic(loop)
insn: 0x140002503: offset(0x3C) = IMAGE_DOS_HEADER.e_lfanew
insn: 0x14000250c: offset(0x88) = IMAGE_NT_HEADERS64.OptionalHeader.DataDirectory.VirtualAddress
insn: 0x140002514: mnemonic(add)
insn: 0x140002545: number(0x65)
insn: 0x140002545: mnemonic(imul)
alternative strategy is to generate rules from shellcode_hashes that look for the hash values themselves. there are 48 algorithms implemented there today (and 721k hash values total). we could take the dozen or so most common APIs to be obfuscated by hash (socket, VirtualProtect, AdjustTokenPrivilege, etc.) and emit rules like:
name: reference API via hash rot13
3 or more:
- 0x12343324 = rot13(socket)
- 0x34294329 = rot13(AdjustTokenPrivileges)
- 0x65659956 = rot13(VirtualProtect)
- ...
so this would add around 50 new rules and maybe 600 new number features. that being said, i dont think most of these will hit very often, so that's not awesome (we should profile before/after to ensure the performance hit isn't too bad). but, if it leads an analyst to the right algorithm quickly, that's a big win. i think it should be pretty easy to generate these, so I'm inclined to try this out.
explored the prevalence of shellcode hashes in VT with process written up here: http://www.williballenthin.com/post/shellcode-hash-prevalence/
9162 sll1AddHash32
391 ror13AddHash32
95 crc32
75 ror13AddHash32AddDll
59 rol5XorHash32
27 poisonIvyHash
23 shr2Shl5XorHash32
16 rol7XorHash32
16 imul83hAdd
13 or21hXorRor11Hash32
12 fnv1Xor67f
9 xorShr8Hash32
7 ror9AddHash32
7 ror13AddHash32Sub20h
5 ror13AddWithNullHash32
5 crc32Xor0xca9d4d4e
5 addRor4WithNullHash32
5 addRor13Hash32
5 addRol5HashOncemore32
5 add1505Shl5Hash32
4 shl7Shr19AddHash32
4 ror7AddHash32
4 rol7AddHash32
4 chAddRol8Hash32
3 xorRol9Hash32
3 ror13AddHash32Sub1
3 ror11AddHash32
3 rol9XorHash32
3 rol9AddHash32
3 rol3XorHash32
3 playWith0xe8677835Hash
3 hash_Carbanak
2 rol3XorEax
2 mult21AddHash32
2 imul21hAddHash32
2 addRor13HashOncemore32
1 shl7SubHash32DoublePulser
1 shift0x82F63B78
1 ror13AddHash32DllSimple
1 rol8Xor0xB0D4D06Hash32
1 rol7AddXor2Hash32
1 rol5AddHash32
1 hash_ror13AddUpperDllnameHash32
1 dualaccModFFF1Hash
1 crc32bzip2lower
1 adler32_666
i took the results from above and included only hashes with more than 10 hits (arbitrarily):
import urllib
import sqlite3
import binascii
import textwrap
import collections
db = sqlite3.connect("./shellcode_hashes/sc_hashes.db")
conn = db.cursor()
cursor = conn.execute('''
SELECT symbol_name, hash_name, hash_size, hash_val
FROM symbol_hashes
INNER JOIN hash_types ON symbol_hashes.hash_type = hash_types.hash_type
WHERE symbol_name IN (
"LoadLibraryA",
"LoadLibraryW",
"GetProcAddress",
"VirtualAlloc",
"VirtualProtect",
"CreateRemoteThread",
"WriteProcessMemory",
"socket",
"InternetOpenA",
"InternetOpenW",
"GetVersion",
"WSAStartup",
"Sleep"
)
ORDER BY symbol_name, hash_name;
''')
hashes = collections.defaultdict(dict)
for symbol_name, hash_name, hash_size, hash_val in cursor.fetchall():
assert hash_size == 32
hashes[hash_name][symbol_name] = hash_val
for hash_name, symbols in sorted(hashes.items()):
if hash_name not in ("sll1AddHash32", "ror13AddHash32", "crc32", "ror13AddHash32AddDll",
"rol5XorHash32", "poisonIvyHash", "shr2Shl5XorHash32", "rol7XorHash32",
"imul83hAdd", "or21hXorRor11Hash32", "fnv1Xor67f"):
continue
numbers = []
for symbol_name, hash_val in sorted(symbols.items()):
content = binascii.hexlify(hash_val.to_bytes(4, "little")).decode("ascii").upper()
numbers.append(f' - number: {hex(hash_val)} = {hash_name}({symbol_name})')
rule = """
rule:
meta:
name: references API by hash {hash_name}
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
{numbers}
""".format(hash_name=hash_name, numbers="\n".join(numbers))
print(rule)
rule:
meta:
name: references API by hash crc32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0xff808c10 = crc32(CreateRemoteThread)
- number: 0xc97c1fff = crc32(GetProcAddress)
- number: 0x4ccf1a0f = crc32(GetVersion)
- number: 0xda16a83d = crc32(InternetOpenA)
- number: 0x2ec21d6c = crc32(InternetOpenW)
- number: 0x3fc1bd8d = crc32(LoadLibraryA)
- number: 0xcb1508dc = crc32(LoadLibraryW)
- number: 0xcef2eda8 = crc32(Sleep)
- number: 0x9ce0d4a = crc32(VirtualAlloc)
- number: 0x10066f2f = crc32(VirtualProtect)
- number: 0xa0f5fc93 = crc32(WSAStartup)
- number: 0x4f58972e = crc32(WriteProcessMemory)
- number: 0x5e568bb = crc32(socket)
rule:
meta:
name: references API by hash fnv1Xor67f
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0xc398c21c = fnv1Xor67f(CreateRemoteThread)
- number: 0xf8f4515a = fnv1Xor67f(GetProcAddress)
- number: 0x3a2f51e6 = fnv1Xor67f(GetVersion)
- number: 0xe23b9098 = fnv1Xor67f(InternetOpenA)
- number: 0xd03b7cee = fnv1Xor67f(InternetOpenW)
- number: 0x53b20170 = fnv1Xor67f(LoadLibraryA)
- number: 0x41b1ecc6 = fnv1Xor67f(LoadLibraryW)
- number: 0x2fa62ad7 = fnv1Xor67f(Sleep)
- number: 0x328537e = fnv1Xor67f(VirtualAlloc)
- number: 0x8206278c = fnv1Xor67f(VirtualProtect)
- number: 0x20125a20 = fnv1Xor67f(WSAStartup)
- number: 0xc0088895 = fnv1Xor67f(WriteProcessMemory)
- number: 0x90127013 = fnv1Xor67f(socket)
rule:
meta:
name: references API by hash imul83hAdd
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0x71469c9c = imul83hAdd(CreateRemoteThread)
- number: 0x9ab9b854 = imul83hAdd(GetProcAddress)
- number: 0x8e4423da = imul83hAdd(GetVersion)
- number: 0x8c4b642 = imul83hAdd(InternetOpenA)
- number: 0x8c4b658 = imul83hAdd(InternetOpenW)
- number: 0x7f201f78 = imul83hAdd(LoadLibraryA)
- number: 0x7f201f8e = imul83hAdd(LoadLibraryW)
- number: 0xbf858053 = imul83hAdd(Sleep)
- number: 0xde893462 = imul83hAdd(VirtualAlloc)
- number: 0x6c6ec404 = imul83hAdd(VirtualProtect)
- number: 0xb3522634 = imul83hAdd(WSAStartup)
- number: 0xa11bea85 = imul83hAdd(WriteProcessMemory)
- number: 0xa6402d9f = imul83hAdd(socket)
rule:
meta:
name: references API by hash or21hXorRor11Hash32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0xdf8469b4 = or21hXorRor11Hash32(CreateRemoteThread)
- number: 0x3366cd77 = or21hXorRor11Hash32(GetProcAddress)
- number: 0x57536a6e = or21hXorRor11Hash32(GetVersion)
- number: 0xa9657c76 = or21hXorRor11Hash32(InternetOpenA)
- number: 0xa965cc76 = or21hXorRor11Hash32(InternetOpenW)
- number: 0x94d07c92 = or21hXorRor11Hash32(LoadLibraryA)
- number: 0x94d0cc92 = or21hXorRor11Hash32(LoadLibraryW)
- number: 0x20c558ca = or21hXorRor11Hash32(Sleep)
- number: 0x8c552db6 = or21hXorRor11Hash32(VirtualAlloc)
- number: 0x74631d3f = or21hXorRor11Hash32(VirtualProtect)
- number: 0x4cd71aa6 = or21hXorRor11Hash32(WSAStartup)
- number: 0x8f022e10 = or21hXorRor11Hash32(WriteProcessMemory)
- number: 0x2ec5991a = or21hXorRor11Hash32(socket)
rule:
meta:
name: references API by hash poisonIvyHash
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0xcf4a7f65 = poisonIvyHash(CreateRemoteThread)
- number: 0xffc97c1f = poisonIvyHash(GetProcAddress)
- number: 0x42f13d06 = poisonIvyHash(GetVersion)
- number: 0x8ab0b534 = poisonIvyHash(InternetOpenA)
- number: 0x962800e3 = poisonIvyHash(InternetOpenW)
- number: 0x4134d1ad = poisonIvyHash(LoadLibraryA)
- number: 0x5dac647a = poisonIvyHash(LoadLibraryW)
- number: 0xac136ba = poisonIvyHash(Sleep)
- number: 0x4402890e = poisonIvyHash(VirtualAlloc)
- number: 0x79c3d4bb = poisonIvyHash(VirtualProtect)
- number: 0xbba4d88f = poisonIvyHash(WSAStartup)
- number: 0xe9bbad5 = poisonIvyHash(WriteProcessMemory)
- number: 0x8eb460e1 = poisonIvyHash(socket)
rule:
meta:
name: references API by hash rol5XorHash32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0xca306453 = rol5XorHash32(CreateRemoteThread)
- number: 0xe5b6b6db = rol5XorHash32(GetProcAddress)
- number: 0x4d14af33 = rol5XorHash32(GetVersion)
- number: 0x81548ce = rol5XorHash32(InternetOpenA)
- number: 0x81548d8 = rol5XorHash32(InternetOpenW)
- number: 0xb4a1003b = rol5XorHash32(LoadLibraryA)
- number: 0xb4a1002d = rol5XorHash32(LoadLibraryW)
- number: 0x70798d0 = rol5XorHash32(Sleep)
- number: 0xa48d8a33 = rol5XorHash32(VirtualAlloc)
- number: 0x4a155a82 = rol5XorHash32(VirtualProtect)
- number: 0x2e264ec4 = rol5XorHash32(WSAStartup)
- number: 0x2a466170 = rol5XorHash32(WriteProcessMemory)
- number: 0xe0c020d4 = rol5XorHash32(socket)
rule:
meta:
name: references API by hash rol7XorHash32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0xe61874b3 = rol7XorHash32(CreateRemoteThread)
- number: 0x1fc0eaee = rol7XorHash32(GetProcAddress)
- number: 0xcb932ce2 = rol7XorHash32(GetVersion)
- number: 0x8593dd7 = rol7XorHash32(InternetOpenA)
- number: 0x8593dc1 = rol7XorHash32(InternetOpenW)
- number: 0xc8ac8026 = rol7XorHash32(LoadLibraryA)
- number: 0xc8ac8030 = rol7XorHash32(LoadLibraryW)
- number: 0x3d9972f5 = rol7XorHash32(Sleep)
- number: 0x697a6afe = rol7XorHash32(VirtualAlloc)
- number: 0xa9de6f5a = rol7XorHash32(VirtualProtect)
- number: 0xcdde757d = rol7XorHash32(WSAStartup)
- number: 0xbea0bf35 = rol7XorHash32(WriteProcessMemory)
- number: 0xfc7af16a = rol7XorHash32(socket)
rule:
meta:
name: references API by hash ror13AddHash32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0x72bd9cdd = ror13AddHash32(CreateRemoteThread)
- number: 0x7c0dfcaa = ror13AddHash32(GetProcAddress)
- number: 0xcfd98161 = ror13AddHash32(GetVersion)
- number: 0x57e84429 = ror13AddHash32(InternetOpenA)
- number: 0x57e8443f = ror13AddHash32(InternetOpenW)
- number: 0xec0e4e8e = ror13AddHash32(LoadLibraryA)
- number: 0xec0e4ea4 = ror13AddHash32(LoadLibraryW)
- number: 0xdb2d49b0 = ror13AddHash32(Sleep)
- number: 0x91afca54 = ror13AddHash32(VirtualAlloc)
- number: 0x7946c61b = ror13AddHash32(VirtualProtect)
- number: 0x3bfcedcb = ror13AddHash32(WSAStartup)
- number: 0xd83d6aa1 = ror13AddHash32(WriteProcessMemory)
- number: 0x492f0b6e = ror13AddHash32(socket)
rule:
meta:
name: references API by hash ror13AddHash32AddDll
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0x799aacc6 = ror13AddHash32AddDll(CreateRemoteThread)
- number: 0x7802f749 = ror13AddHash32AddDll(GetProcAddress)
- number: 0x9dbd95a6 = ror13AddHash32AddDll(GetVersion)
- number: 0xa779563a = ror13AddHash32AddDll(InternetOpenA)
- number: 0xa829563a = ror13AddHash32AddDll(InternetOpenW)
- number: 0x726774c = ror13AddHash32AddDll(LoadLibraryA)
- number: 0x7d6774c = ror13AddHash32AddDll(LoadLibraryW)
- number: 0xe035f044 = ror13AddHash32AddDll(Sleep)
- number: 0xe553a458 = ror13AddHash32AddDll(VirtualAlloc)
- number: 0xc38ae110 = ror13AddHash32AddDll(VirtualProtect)
- number: 0x8b4978af = ror13AddHash32AddDll(WSAStartup)
- number: 0xe7bdd8c5 = ror13AddHash32AddDll(WriteProcessMemory)
- number: 0x7861e240 = ror13AddHash32AddDll(socket)
rule:
meta:
name: references API by hash shr2Shl5XorHash32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0x7e8cc469 = shr2Shl5XorHash32(CreateRemoteThread)
- number: 0x935034af = shr2Shl5XorHash32(GetProcAddress)
- number: 0xfa129d1a = shr2Shl5XorHash32(GetVersion)
- number: 0x3dd6e351 = shr2Shl5XorHash32(InternetOpenA)
- number: 0x3dd6e34b = shr2Shl5XorHash32(InternetOpenW)
- number: 0xf08a755b = shr2Shl5XorHash32(LoadLibraryA)
- number: 0xf08a7565 = shr2Shl5XorHash32(LoadLibraryW)
- number: 0x650211cd = shr2Shl5XorHash32(Sleep)
- number: 0x8abf0222 = shr2Shl5XorHash32(VirtualAlloc)
- number: 0xbd9c0637 = shr2Shl5XorHash32(VirtualProtect)
- number: 0x4b1d14c4 = shr2Shl5XorHash32(WSAStartup)
- number: 0xd51e7b84 = shr2Shl5XorHash32(WriteProcessMemory)
- number: 0x7fd77e67 = shr2Shl5XorHash32(socket)
rule:
meta:
name: references API by hash sll1AddHash32
namespace: linking/runtime-linking/shellcode-hash
authors:
- [email protected]
scope: function
references:
- https://www.mandiant.com/resources/blog/precalculated-string-hashes-reverse-engineering-shellcode
- https://github.com/mandiant/flare-ida/tree/master/shellcode_hashes
features:
- 3 or more:
- number: 0x33cd714 = sll1AddHash32(CreateRemoteThread)
- number: 0x348bfa = sll1AddHash32(GetProcAddress)
- number: 0x34990 = sll1AddHash32(GetVersion)
- number: 0x1af002 = sll1AddHash32(InternetOpenA)
- number: 0x1af02e = sll1AddHash32(InternetOpenW)
- number: 0xd5786 = sll1AddHash32(LoadLibraryA)
- number: 0xd57b2 = sll1AddHash32(LoadLibraryW)
- number: 0x1abc = sll1AddHash32(Sleep)
- number: 0xe3142 = sll1AddHash32(VirtualAlloc)
- number: 0x38d13c = sll1AddHash32(VirtualProtect)
- number: 0x39314 = sll1AddHash32(WSAStartup)
- number: 0x3980f62 = sll1AddHash32(WriteProcessMemory)
- number: 0x36a4 = sll1AddHash32(socket)
yara matches against samples in our corpus, annotated with capa matches using above shellcode hash rules. disappointing that these don't hit?
edit: upon triaging, many of these hashes show up onsey-twosey, not all grouped in the same function, so the 3 or more clause is too restrictive. i've changed the rule logic to be scope: basic block and or instead of 3 or more.
❯ yara sc_hashes.yar tests/data/
sc_hash_rol7XorHash32 tests/data//50d5ee1ce2ca5e30c6b1019ee64eeec2.exe_ (4 hits)
0x71e3:$InternetOpenA: D7 3D 59 08
0x45dd:$LoadLibraryA: 26 80 AC C8
0x584:$VirtualAlloc: FE 6A 7A 69
0x658:$VirtualAlloc: FE 6A 7A 69
0x5b13:$VirtualAlloc: FE 6A 7A 69
sc_hash_add1505Shl5Hash32 tests/data//6be0ae5cb7c3155f70d608fc7670d2d9.exe_ (not in proposed ruleset)
0x1019e:$GetProcAddress: 1F BB 31 CF
0x10094:$GetVersion: 8B 61 82 27
0x1ce02:$InternetOpenA: A1 70 AD F4
0xf44d:$LoadLibraryA: FB F0 BF 5F
0xfa84:$LoadLibraryA: FB F0 BF 5F
0x1003b:$LoadLibraryW: 11 F1 BF 5F
0xfc13:$Sleep: FE E5 19 0E
0x1cefe:$WSAStartup: 83 C6 28 61
sc_hash_ror13AddHash32AddDll tests/data//c1969efd1e2be79909b880f4dbb8725e52efca82236f8a2165c5a8245393fcd6.exe_ (one hit)
0x336aa:$InternetOpenA: 3A 56 79 A7
0x3369c:$LoadLibraryA: 4C 77 26 07
0x338d8:$VirtualAlloc: 58 A4 53 E5
sc_hash_rol7XorHash32 tests/data//2d3edc218a90f03089cc01715a9f047f.exe_ (no hits, stored in global table)
0x99a6:$GetProcAddress: EE EA C0 1F
0x99aa:$LoadLibraryA: 26 80 AC C8
0x99b6:$Sleep: F5 72 99 3D
0x99ba:$VirtualAlloc: FE 6A 7A 69
sc_hash_rol5XorHash32 tests/data//a933a1a402775cfa94b6bee0963f4b46.dll_ (no hits, shellcode in file overlay)
0x34eab:$GetProcAddress: DB B6 B6 E5
0x34ea6:$LoadLibraryA: 3B 00 A1 B4
0x34e9c:$VirtualAlloc: 33 8A 8D A4
0x34eb5:$VirtualProtect: 82 5A 15 4A
sc_hash_rol7XorHash32 tests/data//daa13ae302fe8b618ddbf590537443ef.exe_ (function @ 0x4195C6)
0x1aa2f:$GetProcAddress: EE EA C0 1F
0x19372:$LoadLibraryA: 26 80 AC C8
0x19713:$LoadLibraryA: 26 80 AC C8
0x1a98e:$Sleep: F5 72 99 3D
0x196c8:$VirtualAlloc: FE 6A 7A 69
0x1973d:$VirtualProtect: 5A 6F DE A9
sll1AddHash32 has an unfortunate set of hashes that are commonly seen numbers/constants:
sc_hash_sll1AddHash32 tests/data//112f9f0e8d349858a80dd8c14190e620.exe_
0x652da:$GetVersion: 90 49 03 00
0x653a96:$GetVersion: 90 49 03 00
0x268d5a:$Sleep: BC 1A 00 00
0x2be470:$Sleep: BC 1A 00 00
0x667d64:$Sleep: BC 1A 00 00
0x42be9a:$socket: A4 36 00 00
0x7202a2:$socket: A4 36 00 00
0x7ce844:$socket: A4 36 00 00
recommend not using this one. and probably explains why its so prevalent in the VT retrohunt.
Awesome, loved following along here and in the blog. This is great research and adding the modified rules should make for a great addition.