Simple helper utility recomputing DLL Reflective Loader hashes, for offensive engineering needs whenever we want to recompile User Defined Reflective Loaders and such.
Ever came across such hashes before?
#define KERNEL32DLL_HASH 0x6A4ABC5B
#define NTDLLDLL_HASH 0x3CFA685D
#define LOADLIBRARYA_HASH 0xEC0E4E8E
#define GETPROCADDRESS_HASH 0x7C0DFCAA
#define VIRTUALALLOC_HASH 0x91AFCA54
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8
[...]
#define HASH_KEY 13
These can be used for a straightforward signaturing.
We can regenerate them easily with utility included here:
cmd> hash 55
#define KERNEL32DLL_HASH 0xA6154C3A // kernel32.dll
#define NTDLLDLL_HASH 0x0521447A // ntdll.dll
#define LOADLIBRARYA_HASH 0xE0D79FEB // LoadLibraryA
#define GETPROCADDRESS_HASH 0x6BAC2F89 // GetProcAddress
#define VIRTUALALLOC_HASH 0x9EE2D962 // VirtualAlloc
#define VIRTUALPROTECT_HASH 0x9154022F // VirtualProtect
#define NTFLUSHINSTRUCTIONCACHE_HASH 0x7353E65D // NtFlushInstructionCache
#define HASH_KEY 55
Notice - if you want to get hash for a DLL, be sure to include its extension:
hash 55 kernel32.dll