Uchihash: deal with malware embedded hashes

by do son · February 21, 2021

Uchihash

Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as:

Dynamically importing APIs (especially in shellcode)
Checking running process used by analysts (Anti-Analysis)
Checking VM or Antivirus artifacts (Anti-Analysis)

Uchihash can generate hashes with your own custom hashing algorithm, search for a list of hashes in an already generated hashmap, and also it can generate an IDAPython script to annotate the hashes with their corresponding values for easier analysis.

Available Hashing Algorithms

md4
md5
sha1
sha224
sha256
sha384
sha512
ripemd160
whirlpool
crc8
crc16
crc32
crc64
djb2
sdbm
loselose
fnv1_32
fnv1a_32
fnv1_64
fnv1a_64
murmur3

Installation

$ git clone https://github.com/N1ght-W0lf/Uchihash.git 
$ pip install -r requirements.txt

Usage

usage: uchihash.py [-h] [--algo ALGO] [--apis] [--keywords] [--list LIST] [--script SCRIPT] [--search SEARCH] [--hashes HASHES] [--ida]



optional arguments:

  -h, --help       show this help message and exit

  --algo ALGO      Hashing algorithm

  --apis           Calculate hashes of APIs

  --keywords       Calculate hashes of keywords

  --list LIST      Calculate hashes of your own word list

  --script SCRIPT  Script file containing your custom hashing algorithm

  --search SEARCH  Search a JSON File containing hashes mapped to words

  --hashes HASHES  File containing list of hashes to search for

  --ida            Generate an IDAPython script to annotate hash values



Examples:

    * python uchihash.py --algo crc32 --apis

    * python uchihash.py --algo murmur3 --list mywords.txt

    * python uchihash.py --search hashmap.txt --hashes myhashes.txt

Tutorial

Uchihash: deal with malware embedded hashes

Search

Brilliantly

Content & Links