Karma-X Blog
Disrupting Hell's Gate, Caro Kann, and GuLoader with DJB2 Hash Collisions
Shellcode Disruption Revisited with DJB2 Hash Collisions
Shellcode leveraging the DJB2 hash algorithm is not quite as common as ROR13. See our previous blog here on disrupting ROR13 which includes disrupting a whole litany of things including Metasploit, Meterpreter, Cobalt Strike, and other malware, but it has been used in several prominent malware examples including GuLoader, Caro Kann, and Hell's Gate. The DJB2 algorithm, although simple, provides a robust means of obfuscating and resolving API function names, making detection and analysis more challenging. This blog delves into the techniques used in these frameworks and how defenders can disrupt such shellcode.
DJB2, another weak shellcode API hashing algorithm
The DJB2 hash function, created by Daniel J. Bernstein, is a simple yet effective hashing algorithm widely used in various applications, including shellcode obfuscation. Its effectiveness lies in its ability to generate a unique hash for each input string, making it difficult for security tools to detect obfuscated API calls through simple pattern matching.
GuLoader, Caro Kann, and Hell's Gate
GuLoader, a sophisticated malware loader, Caro Kann a shellcode that uses DJB2 for api resolution, and Hell's Gate, a technique for executing direct syscalls, are notable examples that use DJB2 hashing to obfuscate and resolve API function names. This technique involves hashing the names of API functions and comparing them with precomputed hashes within the shellcode. If a match is found, the shellcode can dynamically resolve and execute the desired function.
DJB2 Hash Function in Shellcode
The DJB2 hash function can be implemented in various programming languages. Below is a simple implementation in C:
unsigned long djb2(unsigned char *str)
{
unsigned long hash = 5381;
int c;
while (c = *str++)
{
dwHash = ((dwHash << 5) + dwHash) + c;
}
return dwHash;
}
This function iterates over each character in the input string, updating the hash value through bitwise operations and additions. The resulting hash is a compact 32-bit integer representing the obfuscated function name.
Example in Hell's Gate and other Malware
Hell's Gate uses DJB2 hashing to dynamically resolve syscalls it needs for execution. Below is an excerpt from Hell's Gate illustrating this approach:
DWORD64 djb2(PBYTE str)
{
DWORD64 dwHash = 0x7734773477347734;
INT c;
while (c = *str++)
dwHash = ((dwHash << 0x5) + dwHash) + c;
return dwHash;
}
This hashing function is applied to native function names extracted from the Export Address Table (EAT) of ntdll.dll, allowing the shellcode to identify and use the correct system calls.
One effective way to disrupt shellcode using DJB2 hashing is by finding hash collisions. By identifying multiple strings that produce the same hash value, defenders can insert these collisions into the system to confuse or disrupt the shellcode.
Python Code to Find DJB2 Hash Collisions
Below is a Python script to find DJB2 hash collisions for specific target hashes:
import random
import string
def djb2(s: str) -> int:
hash_val = 5381
for char in s:
hash_val = ((hash_val << 5) + hash_val) + ord(char)
return hash_val & 0xFFFFFFFF
def next_string(s: str) -> str:
charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_'
if not s:
return charset[0]
s_list = list(s)
idx = len(s_list) - 1
while idx >= 0:
char_idx = charset.index(s_list[idx])
if char_idx < len(charset) - 1:
s_list[idx] = charset[char_idx + 1]
return ''.join(s_list)
else:
s_list[idx] = charset[0]
idx -= 1
return charset[0] + ''.join(s_list)
def find_collision(target_hashes):
s = ''
collisions = {}
while len(collisions) < len(target_hashes):
fuzzed_string = s
hash_val = djb2(fuzzed_string)
if hash_val in target_hashes and hash_val not in collisions:
print(f"Found collision: '{fuzzed_string}' hashes to {hash_val:08x}")
collisions[hash_val] = fuzzed_string
s = next_string(s)
return collisions
target_hashes = [0x7040ee75, 0x5fbff0fb, 0x668fcf2e, 0x382c0f97]
collisions = find_collision(target_hashes)
for hash_val, coll_str in collisions.items():
print(f"Found collision: '{coll_str}' hashes to {hash_val:08x}")
This script generates random strings and computes their DJB2 hashes, checking for collisions with the target hashes.
Defenders can exploit hash collisions to mitigate shellcode attacks by inserting precomputed collisions into the resolution path of shellcode routines. When a collision is encountered, the shellcode's execution can be intercepted and disrupted before it interacts with the system.
By leveraging hash collisions, defenders can create robust protections that enhance overall security stopping malware in its tracks.
Disrupting shellcode that uses the DJB2 hash algorithm requires a deep understanding of the hashing process and the ability to identify collisions. By implementing techniques to find and exploit these collisions, defenders can effectively neutralize threats posed by advanced shellcode obfuscation methods.
For more information on our advanced Karma-X EDR platform and how it can protect your enterprise, reach out right away!
References:
https://www.hick.org/code/skape/papers/win32-shellcode.pdf
https://redops.at/en/blog/exploring-hells-gate
https://blog.sonicwall.com/en-us/2022/06/guloader-a-fileless-shellcode-based-malware-in-action/
https://github.com/Karma-X-Inc/Shellcode-Hash-Collisions
https://github.com/S3cur3Th1sSh1t/Caro-Kann/
Protect your systems for free today! You can start by accessing Vitamin-K here! (after signing up and logging in)
The Bottom Line: Karma-X discovered another way to stop sophisticated malware by exploiting the same trick we used before—but this time against a different code system (DJB2) used by advanced threats like GuLoader, Hell's Gate, and Caro Kann. We're systematically defeating the hacker's playbook, one algorithm at a time.
Remember our previous blog about ROR13 hash collisions? We explained how hackers use secret codes to hide what they're doing, and how we create "fake keys" that confuse their code.
This blog is the sequel. Different secret code (DJB2 instead of ROR13), but the same winning strategy.
ROR13 Blog: We disrupted Metasploit, Meterpreter, Cobalt Strike, and hundreds of common hacking tools
This Blog (DJB2): We're disrupting GuLoader, Hell's Gate, Caro Kann, and other advanced malware families
Together, we're covering the entire spectrum of shellcode-based attacks.
DJB2 is another "scrambling system" (hash algorithm) that malware uses to hide what it's doing—just like ROR13, but with a different formula.
The burglar analogy (from our ROR13 blog):
DJB2 vs ROR13: Think of them like different brands of combination locks. They work on the same principle (scrambling words into numbers), but use different mechanisms. Hackers choose whichever one they think is less likely to be detected.
Three notorious malware families rely heavily on DJB2:
What it does: A sophisticated "loader" malware that downloads and executes other malicious programs on your computer. It's like a criminal that breaks into your house and then opens the door for their accomplices.
Why it's dangerous: Can bypass most antivirus software and deliver ransomware, banking trojans, or spyware.
What it does: An advanced technique that allows malware to directly talk to the Windows kernel (the core of your operating system) while bypassing security software watching for suspicious behavior.
Why it's dangerous: It's like a burglar who can talk directly to the building's structural beams, bypassing all security cameras and alarms.
What it does: A shellcode framework (hacking toolkit) that uses DJB2 to hide its API calls when attacking systems.
Why it's dangerous: Provides hackers with ready-made tools to bypass defenses, like buying a lockpicking kit instead of making your own.
Just like with ROR13, we exploit the weakness of DJB2 by creating hash collisions.
Step 1: The Hacker's Code
Step 2: Karma-X's Trap
Step 3: Attack Fails
Real-world comparison: It's like replacing a criminal's weapon with a toy that looks identical from far away. When they try to use it, they discover it doesn't work—too late.
| Hash Algorithm | Malware Disrupted |
|---|---|
| ROR13 (Previous blog) |
Metasploit, Meterpreter, Cobalt Strike, Sliver, Brute Ratel, most common attack frameworks |
| DJB2 (This blog) |
GuLoader, Hell's Gate, Caro Kann, sophisticated evasive malware |
| Future Algorithms (Coming soon) |
We've already cracked algorithms hackers haven't even deployed yet 🎯 |
Here's what makes Karma-X special:
Traditional Security Approach:
Karma-X Protection Approach:
DJB2 (created by Daniel J. Bernstein) is a simple hash function that works like this:
Start with hash = 5381
For each character in the string:
hash = (hash × 33) + character_value
Return hash
Why it's used in malware:
Why it's vulnerable:
Organizations protected by Karma-X:
This is the second blog in our shellcode disruption series, but it won't be the last:
Goal: Make ALL hash-based shellcode obfuscation techniques obsolete.
For Business Leaders:
For Security Teams:
For Everyone:
Hackers think they're clever by using DJB2 hashing to hide their malware. We're cleverer.
By exploiting the mathematical weaknesses in their obfuscation techniques, we make their attacks fail at the most fundamental level. GuLoader can't load. Hell's Gate can't open. Caro Kann can't resolve.
Attack. Not. Worky. 💪
Shellcode disruption is just ONE layer of Karma-X's protection. We defend against entire classes of attacks at the kernel level.
Whether adversary nation or criminal actors, Karma-X significantly reduces exploitation risk of any organization.
From small business to enterprise, Karma-X installs simply and immediately adds peace of mind
Karma-X doesn't interfere with other software, only malware and exploits, due to its unique design.
Whether adversary nation or criminal actors, Karma-X significantly reduces exploitation risk of any organization
Update to deploy new defensive techniques to suit your organization's needs as they are offered