Karma-X Blog

Shellcode leveraging the DJB2 hash algorithm is not quite as common as ROR13. See our previous blog here on disrupting ROR13 which includes disrupting a whole litany of things including Metasploit, Meterpreter, Cobalt Strike, and other malware, but it has been used in several prominent malware examples including GuLoader, Caro Kann, and Hell's Gate. The DJB2 algorithm, although simple, provides a robust means of obfuscating and resolving API function names, making detection and analysis more challenging. This blog delves into the techniques used in these frameworks and how defenders can disrupt such shellcode.

DJB2, another weak shellcode API hashing algorithm

The DJB2 hash function, created by Daniel J. Bernstein, is a simple yet effective hashing algorithm widely used in various applications, including shellcode obfuscation. Its effectiveness lies in its ability to generate a unique hash for each input string, making it difficult for security tools to detect obfuscated API calls through simple pattern matching.

GuLoader, Caro Kann, and Hell's Gate

GuLoader, a sophisticated malware loader, Caro Kann a shellcode that uses DJB2 for api resolution, and Hell's Gate, a technique for executing direct syscalls, are notable examples that use DJB2 hashing to obfuscate and resolve API function names. This technique involves hashing the names of API functions and comparing them with precomputed hashes within the shellcode. If a match is found, the shellcode can dynamically resolve and execute the desired function.

DJB2 Hash Function in Shellcode

The DJB2 hash function can be implemented in various programming languages. Below is a simple implementation in C:

unsigned long djb2(unsigned char *str) 
{
    unsigned long hash = 5381;
    int c;

    while (c = *str++) 
    {
        dwHash = ((dwHash << 5) + dwHash) + c;
    }

    return dwHash;
}

This function iterates over each character in the input string, updating the hash value through bitwise operations and additions. The resulting hash is a compact 32-bit integer representing the obfuscated function name.

Example in Hell's Gate and other Malware

Hell's Gate uses DJB2 hashing to dynamically resolve syscalls it needs for execution. Below is an excerpt from Hell's Gate illustrating this approach:

DWORD64 djb2(PBYTE str) 
{
    DWORD64 dwHash = 0x7734773477347734;
    INT c;

    while (c = *str++)
        dwHash = ((dwHash << 0x5) + dwHash) + c;

    return dwHash;
}

This hashing function is applied to native function names extracted from the Export Address Table (EAT) of ntdll.dll, allowing the shellcode to identify and use the correct system calls.

Finding DJB2 Hash Collisions

One effective way to disrupt shellcode using DJB2 hashing is by finding hash collisions. By identifying multiple strings that produce the same hash value, defenders can insert these collisions into the system to confuse or disrupt the shellcode.

Python Code to Find DJB2 Hash Collisions

Below is a Python script to find DJB2 hash collisions for specific target hashes:

import random
import string

def djb2(s: str) -> int:
    hash_val = 5381
    for char in s:
        hash_val = ((hash_val << 5) + hash_val) + ord(char)
    return hash_val & 0xFFFFFFFF

def next_string(s: str) -> str:
    charset = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_'
    if not s:
        return charset[0]
    s_list = list(s)
    idx = len(s_list) - 1
    while idx >= 0:
        char_idx = charset.index(s_list[idx])
        if char_idx < len(charset) - 1:
            s_list[idx] = charset[char_idx + 1]
            return ''.join(s_list)
        else:
            s_list[idx] = charset[0]
            idx -= 1
    return charset[0] + ''.join(s_list)

def find_collision(target_hashes):
    s = ''
    collisions = {}

    while len(collisions) < len(target_hashes):
        fuzzed_string = s
        hash_val = djb2(fuzzed_string)
        if hash_val in target_hashes and hash_val not in collisions:
            print(f"Found collision: '{fuzzed_string}' hashes to {hash_val:08x}")
            collisions[hash_val] = fuzzed_string
        s = next_string(s)
    return collisions

target_hashes = [0x7040ee75, 0x5fbff0fb, 0x668fcf2e, 0x382c0f97]
collisions = find_collision(target_hashes)

for hash_val, coll_str in collisions.items():
    print(f"Found collision: '{coll_str}' hashes to {hash_val:08x}")

This script generates random strings and computes their DJB2 hashes, checking for collisions with the target hashes.

Mitigating Shellcode with DJB2 Hashing

Defenders can exploit hash collisions to mitigate shellcode attacks by inserting precomputed collisions into the resolution path of shellcode routines. When a collision is encountered, the shellcode's execution can be intercepted and disrupted before it interacts with the system.

By leveraging hash collisions, defenders can create robust protections that enhance overall security stopping malware in its tracks.

Conclusion

Disrupting shellcode that uses the DJB2 hash algorithm requires a deep understanding of the hashing process and the ability to identify collisions. By implementing techniques to find and exploit these collisions, defenders can effectively neutralize threats posed by advanced shellcode obfuscation methods.

For more information on our advanced Karma-X EDR platform and how it can protect your enterprise, reach out right away!

References:

https://www.hick.org/code/skape/papers/win32-shellcode.pdf
https://redops.at/en/blog/exploring-hells-gate
https://blog.sonicwall.com/en-us/2022/06/guloader-a-fileless-shellcode-based-malware-in-action/
https://github.com/Karma-X-Inc/Shellcode-Hash-Collisions
https://github.com/S3cur3Th1sSh1t/Caro-Kann/

Protect your systems for free today! You can start by accessing Vitamin-K here! (after signing up and logging in)