{
	"id": "f2b3c676-ee52-40d5-a0f2-7aaa1de5f632",
	"created_at": "2026-04-06T01:30:08.685522Z",
	"updated_at": "2026-04-10T03:20:02.563387Z",
	"deleted_at": null,
	"sha1_hash": "ea16699b295bc701b3941f5bc742a132aefb56eb",
	"title": "Understanding BlackMatter's API Hashing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155551,
	"plain_text": "Understanding BlackMatter's API Hashing\r\nBy Jan Gru\r\nArchived: 2026-04-06 01:06:18 UTC\r\nFor the calculation of the API hash the characters of the name are consumed one at a time. In each iteration a seeded ROR-13 operation is performed and the current character is added, as the following figure illustrates.\r\nFigure 3: Algorithm to calculate the API hash\r\nBecause the hash of the module name is used as the seed, a two-step process has to be employed to construct the final API hash for a single function.\r\nFirst, the module name is hashed in a similar manner with a seed of 0. This happens in the function at 004010bb, which is not shown here. It loops over the characters, which are converted to lower case. In each iteration the dword resulting from the previous iteration is rotated right by 13 bits and the current character value is added. This leads to the following Python implementation:\r\ndef calc_mod_hash(modname):\r\n    mask = 0xFFFFFFFF\r\n    h = 0\r\n    for c in modname + \"\\x00\":\r\n        cc = ord(c)\r\n        # fold ASCII 'A'..'Z' (0x41..0x5a) to lower case\r\n        if 0x40 \u003c cc \u003c 0x5b:\r\n            cc = (cc | 0x20) \u0026 mask\r\n        # ROR-13 of the 32-bit state, then add the character\r\n        h = ((h \u003e\u003e 0xd) | (h \u003c\u003c 0x13)) \u0026 mask\r\n        h = (h + cc) \u0026 mask\r\n    return h\r\nThe resulting hash of the module name is then used as the seed for the similar but simpler function presented in fig. 3, which finally calculates the actual function hash. The following Python code shows the logic found in this function at 00401096:\r\ndef calc_func_hash(modhash, funcname):\r\n    mask = 0xFFFFFFFF\r\n    h = modhash\r\n    for c in funcname + \"\\x00\":\r\n        cc = ord(c)\r\n        # ROR-13 of the 32-bit state, then add the character (no case folding here)\r\n        h = ((h \u003e\u003e 0xd) | (h \u003c\u003c 0x13)) \u0026 mask\r\n        h = (h + cc) \u0026 mask\r\n    return h\r\nNote: It is important to add the null byte, so that for a function name of n characters, n+1 ROR operations are performed.\r\nIn summary this leads to the following calculation of a function hash as it is used by BlackMatter:\r\ndef get_api_hash(modname, funcname):\r\n    return calc_func_hash(calc_mod_hash(modname), funcname)\r\nLet's test it:\r\nmn = \"kernel32.dll\"\r\nfn = \"GetProcAddress\"\r\nprint(hex(get_api_hash(mn, fn)))\r\nmn = \"kernel32.dll\"\r\nfn = \"LoadLibraryA\"\r\nprint(hex(get_api_hash(mn, fn)))\r\n#+Result\r\n: 0xbb93705c\r\n: 0x27d05eb2\r\nIndeed, both hashes can be found in the binary, as fig. 4 shows:\r\nFigure 4: Function hashes of LoadLibraryA and GetProcAddress\r\nStrictly speaking, what is found in the binary is 0x5d6015f, i.e. 0x27d05eb2 ^ 0x22065fed, since all API hashes are stored XORed with 0x22065fed and are XORed with this value again before being compared with the calculated hash.\r\nSource: https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html",
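A resolver built on the scheme described above, added here as an example (it is not code from the post, nor code recovered from BlackMatter): it reimplements the two-step seeded ROR-13 hash (module name hashed case-insensitively with seed 0, export name hashed case-sensitively with that result as seed, one trailing null byte in each step) and the XOR obfuscation with 0x22065fed the post reports, builds a lookup table from a list of candidate exports, and maps stored (XORed) dwords back to module and export names. The export list, the "constants pulled from the binary" and the unknown value 0xDEADBEEF are constructed for this example and are assumptions, not taken from the post.

```python
"""Resolve BlackMatter-style obfuscated API hashes back to (module, export) names.

Added example, not code from the original post. Hashing follows the two-step
scheme the post describes (ROR-13, module hash as seed, trailing null byte,
case folding for the module name only) and the XOR key 0x22065fed the post
reports for stored hashes. The export list below is a constructed sample.
"""

MASK = 0xFFFFFFFF
XOR_KEY = 0x22065FED  # stored hashes are XORed with this value (from the post)


def ror13(value):
    """Rotate a 32-bit value right by 13 bits."""
    value &= MASK
    return ((value >> 13) | (value << 19)) & MASK


def seeded_ror13_hash(seed, data, fold_case):
    """Core loop shared by both steps: len(data)+1 iterations (data plus a null byte)."""
    h = seed & MASK
    for cc in data + b"\x00":
        if fold_case and 0x41 <= cc <= 0x5A:   # 'A'..'Z' -> 'a'..'z'
            cc |= 0x20
        h = (ror13(h) + cc) & MASK
    return h


def module_hash(modname):
    """Step 1: hash the module name with seed 0, folding A-Z to lower case."""
    return seeded_ror13_hash(0, modname.encode("ascii"), fold_case=True)


def api_hash(modname, funcname):
    """Step 2: hash the export name, seeded with the module hash (case-sensitive)."""
    return seeded_ror13_hash(module_hash(modname), funcname.encode("ascii"), fold_case=False)


def obfuscate(h):
    """Stored form of a hash: XOR with the key. XOR is self-inverse, so this also deobfuscates."""
    return (h & MASK) ^ XOR_KEY


# Constructed candidate list (assumption for the example; in practice dump the
# export tables of the DLLs the sample is expected to resolve from).
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW"],
    "ntdll.dll": ["NtQuerySystemInformation", "RtlGetVersion"],
    "advapi32.dll": ["CryptAcquireContextW", "OpenProcessToken"],
}


def build_lookup(exports):
    """Map every candidate hash to its (module, export) pair, refusing silent collisions."""
    table = {}
    for mod, funcs in exports.items():
        for func in funcs:
            h = api_hash(mod, func)
            if h in table and table[h] != (mod, func):
                raise ValueError(f"hash collision for {h:#010x}: {table[h]} vs {(mod, func)}")
            table[h] = (mod, func)
    return table


def resolve_stored(stored_values, table):
    """Deobfuscate each dword found in the binary and look it up; unknown values map to None."""
    return {v: table.get(obfuscate(v)) for v in stored_values}


def demo():
    """Resolve three constructed 'constants from the binary' against the sample table."""
    table = build_lookup(SAMPLE_EXPORTS)
    stored = [
        obfuscate(api_hash("kernel32.dll", "LoadLibraryA")),   # constructed stored form
        obfuscate(api_hash("ntdll.dll", "RtlGetVersion")),     # constructed stored form
        0xDEADBEEF,                                            # constructed unknown value
    ]
    return resolve_stored(stored, table)


if __name__ == "__main__":
    for stored, name in demo().items():
        print(f"{stored:#010x} -> {name}")
```

Run as a script it prints the three resolutions; when triaging a real sample, replace SAMPLE_EXPORTS with the export names of the DLLs the binary loads and feed resolve_stored the XORed dwords read out of the hash table in the binary. The table is keyed by the plain hash and the stored value is deobfuscated on lookup, so one table serves any XOR key by changing XOR_KEY.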
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html"
	],
	"report_names": [
		"2021-08-05-understanding-blackmatters-api-hashing.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775439008,
	"ts_updated_at": 1775791202,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea16699b295bc701b3941f5bc742a132aefb56eb.pdf",
		"text": "https://archive.orkl.eu/ea16699b295bc701b3941f5bc742a132aefb56eb.txt",
		"img": "https://archive.orkl.eu/ea16699b295bc701b3941f5bc742a132aefb56eb.jpg"
	}
}