mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-25 20:11:36 +01:00
46 lines
1.5 KiB
Markdown
46 lines
1.5 KiB
Markdown
## Cobalt Strike UDRL Hasher
|
|
|
|
Simple helper utility recomputing `DLL Reflective Loader` hashes, for offensive engineering needs whenever we want to recompile [User Defined Reflective Loaders](https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/malleable-c2-extend_user-defined-rdll.htm) and such.
|
|
|
|
Ever came across [such hashes](https://github.com/stephenfewer/ReflectiveDLLInjection/blob/master/dll/src/ReflectiveLoader.h#L43) before?
|
|
|
|
```
|
|
#define KERNEL32DLL_HASH 0x6A4ABC5B
|
|
#define NTDLLDLL_HASH 0x3CFA685D
|
|
|
|
#define LOADLIBRARYA_HASH 0xEC0E4E8E
|
|
#define GETPROCADDRESS_HASH 0x7C0DFCAA
|
|
#define VIRTUALALLOC_HASH 0x91AFCA54
|
|
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
|
|
|
|
[...]
|
|
|
|
#define HASH_KEY 13
|
|
```
|
|
|
|
These can be used for a straightforward signaturing.
|
|
|
|
We can regenerate them easily with utility included here:
|
|
|
|
```
|
|
cmd> hash 55
|
|
|
|
#define KERNEL32DLL_HASH 0xA6154C3A // kernel32.dll
|
|
#define NTDLLDLL_HASH 0x0521447A // ntdll.dll
|
|
|
|
#define LOADLIBRARYA_HASH 0xE0D79FEB // LoadLibraryA
|
|
#define GETPROCADDRESS_HASH 0x6BAC2F89 // GetProcAddress
|
|
#define VIRTUALALLOC_HASH 0x9EE2D962 // VirtualAlloc
|
|
#define VIRTUALPROTECT_HASH 0x9154022F // VirtualProtect
|
|
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x7353E65D // NtFlushInstructionCache
|
|
|
|
#define HASH_KEY 55
|
|
|
|
```
|
|
|
|
**Notice** - if you want to get hash for a DLL, be sure to include its extension:
|
|
|
|
```
|
|
hash 55 kernel32.dll
|
|
```
|