#️⃣ Binary Ninja HashDB Plugin
HashDB is a community-sourced library of hashing algorithms used in malware. This plugin queries the OALabs HashDB Lookup Service for hash values which appear in the currently analyzed file, fetches a list of strings which match those hashes, and collects the string values into an enum type definition. The defined enum type can then be applied to the binary for further analysis.
Usage
Looking up a hash (HashDB - Hash Lookup)
The HashDB - Hash Lookup command looks up the hash value highlighted by the cursor.
Hunting for the correct hash algorithm (HashDB - Hunt)
The HashDB - Hunt command attempts to identify the hash algorithm which was used to generate a particular hash value. The identified algorithm is set as the default algorithm for future hash lookups in this binary, in the HashDB > HashDB Hash Algorithm setting.
It is the user's responsibility to ensure that the identified hash algorithm is correct! The list of all hash algorithms known to the OALabs HashDB lookup service is maintained at the OALabs/hashdb repository, under the algorithms directory; a Python implementation of each hash algorithm is inside each listed file, and can be checked against the implementation of the API hashing function in the binary being analyzed.
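One way to run that check, as an added example (not code from this plugin or from the OALabs/hashdb repository): score each candidate algorithm against several hash constants taken from the same binary, rather than trusting the single value that was hunted. The functions `ror13_additive`, `score_candidate` and `rank_candidates`, and the sample constants and wordlist, are assumptions constructed for illustration; in practice the candidate function would be the Python implementation from the algorithms directory.

```python
import zlib

MASK32 = 0xFFFFFFFF

def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32

def ror13_additive(data):
    """Stand-in candidate (assumption): rotate right by 13, then add each byte."""
    h = 0
    for byte in data:
        h = (ror32(h, 13) + byte) & MASK32
    return h

def crc32(data):
    """Second stand-in candidate, taken from the standard library."""
    return zlib.crc32(data) & MASK32

def score_candidate(hash_fn, observed, wordlist):
    """Return ({hash: name} for resolved constants, sorted unresolved constants)."""
    table = {hash_fn(name.encode("ascii")): name for name in wordlist}
    resolved = {h: table[h] for h in observed if h in table}
    unresolved = sorted(h for h in observed if h not in table)
    return resolved, unresolved

def rank_candidates(candidates, observed, wordlist):
    """Order candidate names by how many observed constants they resolve."""
    scores = {name: len(score_candidate(fn, observed, wordlist)[0])
              for name, fn in candidates.items()}
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)

# Constructed sample data: immediates as they might appear next to the
# hashing routine in a binary, plus one value that resolves to nothing.
OBSERVED = [0xEC0E4E8E, 0x0E8AFE98, 0xDEADBEEF]
WORDLIST = ["LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess"]
CANDIDATES = {"ror13_additive": ror13_additive, "crc32": crc32}

if __name__ == "__main__":
    for name, hits in rank_candidates(CANDIDATES, OBSERVED, WORDLIST):
        resolved, unresolved = score_candidate(CANDIDATES[name], OBSERVED, WORDLIST)
        print(f"{name}: {hits}/{len(OBSERVED)} resolved")
        for value, api in resolved.items():
            print(f"  {value:#010x} -> {api}")
        for value in unresolved:
            print(f"  {value:#010x} unresolved")
```

A candidate that resolves only the one hunted value and none of the others in the same routine is a sign that the identified algorithm is wrong.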
Viewing and applying found hashes
Found hashes are added as enum entries under a new enum type named hashdb_strings_{NAME_OF_ALGORITHM}. The names and values of the found hashes can be viewed in the Types menu.
The enum type can then be applied to variables in the database.
If you are using Binary Ninja >= 3.3, you can also apply the resolved hash names using the new Select Enum dialog (accessible by pressing the M key, or through Display as > Enum Member in the context menu).
The name prefix used in the enum type (by default hashdb_strings) can be changed in Binary Ninja's settings, under HashDB > HashDB Enum Name.
Looking up multiple hashes (HashDB - Multiple Hash Lookup)
Multiple hashes can be selected and looked up at once using the HashDB - Multiple Hash Lookup command.
The resolved hashes can then be applied by setting the selected variables to the created enum type.
Settings
The settings for this plugin can be changed from Binary Ninja's Settings interface (Edit > Preferences > Settings). The settings list can be filtered to show only the HashDB plugin's settings by searching HashDB in the Settings search box.
The following settings are applied globally:
- HashDB API URL (hashdb.url). If you wish to use a different HashDB instance than the default OALabs HashDB, such as an internally hosted version, you can change this setting to point at your desired instance.
- HashDB Enum Name (hashdb.enum_name)
The following settings are specific to an individual binary. They are saved in the analysis database (.bndb file) for that binary, and will be restored the next time you open the analysis database.
- HashDB Hash Algorithm (hashdb.algorithm)
- HashDB Hash Algorithm Data Type (hashdb.algorithm_type)
Keyboard shortcuts
Keyboard shortcuts can be set for this plugin's commands from Binary Ninja's Keybindings interface (Edit > Preferences > Keybindings). The command list can be filtered to show only the HashDB plugin's commands by searching HashDB in the Keybindings search box.
The plugin currently does not ship with any keyboard shortcuts set by default.
Installation
This plugin can be installed via either:
- Searching for the HashDB plugin in Binary Ninja's built-in plugin manager (Plugins > Manage Plugins). This is the recommended method.
- Cloning this repository into your user plugins folder.
  - The location of the user plugins folder will vary depending on the platform Binary Ninja is installed on. The easiest way to find the location of the folder is via the Plugins > Open Plugin Folder... command.
  - If you are performing an installation via this method, you must also install this plugin's Python dependencies manually. This can be done by either:
    - Running the Install python3 module... command (via the Command Palette), and pasting the contents of requirements.txt in this repository into the dialog window.
    - Running pip install -r requirements.txt in the Python environment used by Binary Ninja.
This plugin requires Python >= 3.7, and Binary Ninja version >= 2.4.2846.
License
This plugin is released under a 3-Clause BSD license.
This plugin is a derivative work of the IDA Plugin from OALabs for connecting to their HashDB service, and is forked from Vector 35's initial implementation at psifertex/hashdb-bn.