Hashycalls is an import address table obfuscation utility for C/C++ implants targeting the windows operating system. This tool automates the process of creating hashes & associated resolution code. Developers need only provide a list of api calls to generate the hashycalls template. Implant side, this template can be used to access all of the function calls. Upon compilation, the function calls will not appear in the import address table.
The hashycalls module itself is only intended for use on windows. Linux is not currently supported however this feature is not off the table.
The template only supports x64 based implants.
git clone https://github.com/wizardy0ga/hashycalls
pip install .\hashycalls
pip install hashycalls
Using hashycalls from the command line
Using hashycalls in a script
Using the hashycalls template file
Writing a basic injector with hashycalls
Writing a compilation script for the basic injector
This provides a brief synopsis on using the module & generated template file.
The module is the first step to using this in your project. The module provides user interfaces from the command line & in python scripts for automating your implants build routine.
If your python Scripts directory is in your PATH variable, the hashycalls command can be accessed from the command line. This provides ease of access for generating templates & writing them to applicable directories. Click here for further command line usage information.
Hashycalls provides the HashyCalls class which is a container for the associated source & header files. This interface allows developers to import & modify the source code within their own automated build routines. Click here for more information on this topic.
from hashycalls import HashyCalls
hashysource = HashyCalls(
apicalls = [ 'OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory', 'CreateRemoteThread' ]
, algo = 'djb2'
, globals = True
, api_list_name = 'pHashyCalls'
, seed = 782
, debug = False
)
hashysource.source.write_to_dir('src')
hashysource.header.write_to_dir('inc')To use hashycalls in your implant, include the hashycalls.h header file in any source file where you need to access the hidden function calls. InitApiCalls needs to be called once during runtime to populate the hashed api structure. From there, developers can access function calls using the structure itself or the EXEC macro.
# include "hashycalls.h"
int main()
{
/* Initialize the hashed api calls */
# ifdef hc_GLOBAL
if ( !InitApiCalls() )
return -1;
# endif
# ifndef hc_GLOBAL
PHWINAPI hWin32;
if ( ( hWin32 = InitApiCalls() ) == NULL )
return -1;
# endif
/* Running some functions using both sytax styles */
hWin32->Kernel32.GetCurrentProcessId();
EXEC( User32, MessageBoxA ) ( 0, "Testing", "Hashed MessageBoxA", MB_OK );
return 0;
}Have to give credit where it's do!
The HWINAPI structure is heavily influenced by Cracked5piders INSTANCE structure for grouping api calls in the havoc payload. Check out the havoc framwork repository & website.
reverseame has provided a repository containing a dataset for the entire windows API in JSON. This dataset has proven to be very useful for some of my projects, having saved me the time & effort of creating one myself. Checkout the winapi-categories repository for yourself.
VX-API is a great repo!