shellcode-hashes - create enum of resolved values

[jhsmith]

Create an enum & apply it for all identified hash values.

[doomedraven]

im working on the fusion of both words for myself, of shellcode-hashes and hashdb, so we have can both of them, + they have hashdb-ida that is easy to extend to support localdb

that was super easy to add to hashdb to keep generating localdb, example:

import algorithms

# ('ror7AddHash32',       32, pseudocode_ror7AddHash32),
        for algo in algorithms.__all__:
            algo = getattr(algorithms, algo)
            self.addHashType(algo.__name__.split(".")[-1], sizes_map[algo.TYPE], algo.DESCRIPTION)

@mr-tz @williballenthin what do you think guys?

and if you ask why i do this is bcz

1. yesterday hashdb was down and is useful to do few clicks in ida to have all hashes resolved resolved
2. unittests of algorithms so is more tested in case if something is updated
3. my idea also to create some json maybe, that will have all data, so when we adding new dll it just add missed names, and you not need to provide over and over the same dlls to get it all, so it would update db too

[mr-tz]

@doomedraven I like your idea, but am not sure how it's related to this issue. Can you clarify?
Regardless, I think your updates would be a good addition.

[doomedraven]

hashdb-ida already does the enumeration in ida, if it match 1 hash it allows export all hashes from that library to ida's enum

[mr-tz]

Ah, perfect then 👍

[doomedraven]

i have almost already everything coded to support flare's offline db hashes, just need to find few things, i will show you it near to the weekend

[doomedraven]

hello with delay but that is done, you can generate now offline db with hashes and use my modified version of hashdb to do lookups and have it to do the rest for you, also if not found in local it goes online(you can change that for you). to make it work just clone https://github.com/OALabs/hashdb put make_sc_hash_db_ng.py inside and execute as python3 make_sc_hash_db_ng.py sc_hashes.db path_to_dlls

then drop generated db + hashdb.py to ida plugins folder and volia. to see what i have moded use search for HASHDB_USE_LOCALDB

hashdb.py.txt
make_sc_hash_db_ng.py.txt

        hash_lookup_sql = """select symbol_hashes.symbol_name, source_libs.lib_name from symbol_hashes INNER JOIN hash_types ON symbol_hashes.hash_type = hash_types.hash_type INNER JOIN source_libs ON symbol_hashes.lib_key where symbol_hashes.hash_val=? AND hash_types.hash_name=? and symbol_hashes.lib_key == source_libs.lib_key;"""
        hunt_algo_sql = """select hash_types.hash_name from hash_types INNER JOIN symbol_hashes ON symbol_hashes.hash_type = hash_types.hash_type  where symbol_hashes.hash_val=?;"""
        algo_lookup_sql = """select hash_name,hash_size from hash_types;"""

[mr-tz]

Great. Do you think we should add this to flare-ida and/or to hashdb directly?

[doomedraven]

i spoke with Herrcore about this, he told that they are not interested in having offline part. so i think this only can be useful for us who don't have access to internet all the time

[mr-tz]

Alright, thanks for the insight!