https://github.com/kasperskylab/apihashes
IDA Pro plugin for recognizing known hashes of API function names
- Host: GitHub
- URL: https://github.com/kasperskylab/apihashes
- Owner: KasperskyLab
- License: other
- Created: 2022-05-12T13:50:32.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-05-12T13:51:13.000Z (about 4 years ago)
- Last Synced: 2025-04-13T01:56:43.973Z (about 1 year ago)
- Language: Python
- Size: 4.18 MB
- Stars: 81
- Watchers: 4
- Forks: 15
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: License.txt
README
## Apihashes v2 IDA plugin
Apihashes is an IDA plugin that automatically identifies and marks known hash values of API function names.
The plugin is implemented as a hook that checks the operands of new instructions and data items, and uses a database of pre-calculated hashes.
The database is generated from a set of PE files using a script "make\_apihashesv2\_table.py". You can modify the script to add new hashing algorithms and non-standard DLLs.
## Installation
Copy the files apihashesv2.py, apihashesv2.bin (the database) and the directory apihashesv2\_search into the %IDADIR%/plugins directory. The plugin should be loaded automatically when IDA starts.
Dependencies: Python 3, pefile.
## Generating your own database
If needed, modify make\_apihashesv2\_table.py to add a new hashing algorithm: add the function to the *hashers* list.
Run the script, providing the directories or filenames containing the target DLLs, for example the Windows "system32" directory.
```
python3 make_apihashesv2_table.py ...path_to_system32...
```
Processing will take some time, and as a result the script will generate a new file *apihashesv2.bin* in the current directory. Copy it to the %IDADIR%/plugins directory and reload IDA.
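
The precomputed-table approach described above (a list of hashers applied to every export name, then constants looked up in the result) can be sketched as follows. This is an added example, not code from the Apihashes project: the `HASHERS` registry, the function names, the in-memory dict standing in for *apihashesv2.bin*, and the export list are all assumptions constructed for illustration.

```python
import zlib
from collections import defaultdict

MASK32 = 0xFFFFFFFF

def ror13_hash(name: bytes) -> int:
    """Rotate-right-by-13 additive hash, commonly seen in API-resolving shellcode."""
    h = 0
    for b in name:
        h = ((h >> 13) | (h << 19)) & MASK32  # 32-bit rotate right by 13
        h = (h + b) & MASK32
    return h

def crc32_hash(name: bytes) -> int:
    """CRC-32 of the export name, another hash used for API lookup."""
    return zlib.crc32(name) & MASK32

# Hypothetical registry: the README only says the script keeps a "hashers" list.
HASHERS = {"ror13": ror13_hash, "crc32": crc32_hash}

# Constructed sample standing in for export names read from DLL export tables.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "connect"],
}

def build_table(exports, hashers=HASHERS):
    """Map hash value -> [(algorithm, dll, name)]; a list keeps colliding names."""
    table = defaultdict(list)
    for dll, names in exports.items():
        for name in names:
            for algo, fn in hashers.items():
                table[fn(name.encode("ascii"))].append((algo, dll, name))
    return dict(table)

def annotate(constants, table):
    """Return {constant: matches} for the constants found in the table."""
    return {c: table[c] for c in constants if c in table}

if __name__ == "__main__":
    table = build_table(SAMPLE_EXPORTS)
    # Constructed "operands": two known hashes and one unrelated immediate.
    operands = [ror13_hash(b"LoadLibraryA"), crc32_hash(b"connect"), 0x1000]
    for value, hits in annotate(operands, table).items():
        for algo, dll, name in hits:
            print(f"0x{value:08X} -> {dll}!{name} ({algo})")
```

Because several names can share one hash value, each table entry is a list, and an analyst should treat multiple matches for a constant as candidates rather than a definitive identification.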