
Alexander Hanel neutrino_bot_api_hash.py

Created by Alexander Hanel
import pefile
import sys
import os
import json

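def fnv32a( _str ):
    """Return the 32-bit FNV-1a hash of *_str* as an int in ``[0, 2**32)``.

    Ported from https://gist.github.com/vaiorabbit/5670985. This is the
    hash the analysed sample uses to refer to API names, so the output must
    match the reference algorithm byte for byte.

    :param _str: text (``str``/``unicode``) or raw ``bytes``. Text is
        encoded as UTF-8 with unencodable characters dropped, as the
        original did; bytes are hashed as-is.
    :return: unsigned 32-bit hash as an ``int``.
    """
    # Only encode text; a name already read as bytes from a PE export
    # table is hashed directly.
    if not isinstance(_str, bytes):
        _str = _str.encode("UTF-8", "ignore")
    hval = 0x811c9dc5           # FNV 32-bit offset basis
    fnv_32_prime = 0x01000193   # FNV 32-bit prime
    # bytearray yields ints under both Python 2 and 3. The original
    # iterated the encoded string and called ord() on each element, which
    # only works on Python 2 (on Python 3 bytes iterate as ints and
    # ord(int) raises TypeError).
    for byte in bytearray(_str):
        hval ^= byte
        hval = (hval * fnv_32_prime) & 0xFFFFFFFF  # same as % 2**32
    return hval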

def get_exports(dll_path):
    """Collect the export names of the PE image at *dll_path*.

    :param dll_path: path of the DLL to parse with ``pefile``.
    :return: ``(True, names)`` where *names* lists each ``entry.name`` of
        the export directory (``None`` entries for ordinal-only exports are
        kept), or ``(False, exc)`` carrying the caught exception when the
        file is unreadable, not a PE, or has no export directory.
    """
    try:
        image = pefile.PE(dll_path, fast_load=False)
        names = [symbol.name for symbol in image.DIRECTORY_ENTRY_EXPORT.symbols]
    except Exception as err:
        # Every failure is reported to the caller in place of the list
        # rather than raised; run() prints it and moves on.
        return False, err
    return True, names


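def look_up(hash_file="fvnv32a_hashes.json", xor_key=0xFC0):
    """Comment the instruction at the cursor with the API its hash resolves to.

    Meant to be run inside IDA: reads the ``name -> [hash, hex]`` table
    written by :func:`run`, takes the first operand of the instruction at
    the current address, un-obfuscates it with *xor_key* and comments the
    instruction with every matching export name.

    :param hash_file: JSON produced by :func:`run`. The default keeps the
        original filename (note the ``fvnv`` spelling) so both functions
        stay in sync.
    :param xor_key: constant XORed with the operand before lookup; 0xFC0 is
        the value used in the sample this script was written against.
    """
    with open(hash_file, "r") as json_file:
        hashes = json.load(json_file)
    ea = here()
    value = idc.GetOperandValue(ea, 0) ^ xor_key
    # Collect every name whose hash matches. Distinct export names can hash
    # to the same value; commenting once per match (as the original did)
    # silently overwrote all but the last one, hiding the collision.
    matches = sorted(api for api, values in hashes.items() if value in values)
    if not matches:
        return
    comment = " | ".join(matches)
    # json gives unicode on Python 2, which the original encoded to a
    # byte str for MakeComm; on Python 3 str is already the right type.
    if not isinstance(comment, str):
        comment = comment.encode('ascii', 'ignore')
    MakeComm(ea, comment)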
    
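def run(dll_list=None, output_path="fvnv32a_hashes.json"):
    """Build the export-name -> FNV-1a hash table and write it as JSON.

    Walks each DLL in *dll_list* under ``%WINDIR%\\System32``, hashes every
    named export with :func:`fnv32a` and writes ``{name: [hash, "0x.."]}``
    to *output_path*, the file :func:`look_up` reads back.

    :param dll_list: DLL base names (without ``.dll``) to process; defaults
        to the original list of commonly imported system DLLs.
    :param output_path: destination JSON path (default matches the name
        :func:`look_up` opens, ``fvnv`` spelling included).
    :raises KeyError: if ``WINDIR`` is not set, i.e. not running on Windows.
    """
    if dll_list is None:
        dll_list = ["user32", "kernelBase", "kernel32", "msvcrt", "ntdll",
                    "shlwapi", "shell32", "secur32", "advapi32", "ws2_32",
                    "version", "psapi", "wininet", "gdi32"]
    hash_dict = {}
    system32 = os.path.join(os.environ['WINDIR'], "System32")
    for dll in dll_list:
        dll_path = os.path.join(system32, dll + ".dll")
        status, export_list = get_exports(dll_path)
        if not status:
            # get_exports hands back the exception in place of the list.
            # Function-call form prints identically on Python 2 and 3.
            print("ERROR: %s" % export_list)
            continue
        for export in export_list:
            if not export:
                continue  # ordinal-only export: nothing to hash
            if isinstance(export, bytes):
                # pefile returns bytes names under Python 3; JSON keys
                # must be text. Export names are ASCII, so nothing is lost.
                export = export.decode("ascii", "ignore")
            temp_hash = fnv32a(export)
            hash_dict[export] = (temp_hash, hex(temp_hash))

    with open(output_path, "w") as json_file:
        json.dump(hash_dict, json_file)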
        

