100 Days of Red Team

Share this post

100 Days of Red Team
100 Days of Red Team
What is API hashing and how it enables red team trade-craft?
Copy link
Facebook
Email
Notes
More

What is API hashing and how it enables red team trade-craft?

Learn what is API hashing and how to use it for red team trade-craft.

Uday Mittal
Jan 16, 2025

Share this post

100 Days of Red Team
100 Days of Red Team
What is API hashing and how it enables red team trade-craft?
Copy link
Facebook
Email
Notes
More
Share

Typically, whenever a piece of code needs to call a Windows API, it references the same by its name. This results in the API name being part of the code as well as the Import Address Table (IAT) of the executable. For a non-malicious application, this isn’t a problem. However, for a malware or a red team operator crafted payload this poses a big problem. For example, an endpoint detection solution can figure out if the payload is up to something mischievous by analyzing the APIs it is referencing.

Calling Windows API by its name.
The API gets added to the executable IAT.

One way to avoid this is by using the GetProcAddress() Windows API to resolve the required Windows API during runtime (i.e. dynamically). This solves the problem to a certain extent. The name of Windows APIs referenced in the payload will not be part of the IAT. However, GetProcAddress() API will appear in both, code and the IAT. A malware analyst can reverse engineer the malware and figure out which Windows APIs are being resolved by the GetProcAddress() API.

Using GetProcAddress() to dynamically resolve API address.
This leaves GetProcAddress() in the IAT.

Thanks for reading 100 Days of Red Team! Subscribe for free to receive new posts and support my work.

So, we need to figure out a way that can obfuscate the usage of GetProcAddress() API itself. This can be done through a technique known as API Hashing.

In API Hashing, unique hashes are created for Windows APIs and these hashes are then used to search for the required Windows APIs from the respective library. This requires a custom method / function which can dynamically resolve the address of a Windows API through a given hash instead of its name. This means we’ll need to create an alternate implementation of the GetProcAddress() API.

Custom implementation of GetProcAddress()
GetProcAddress() is no longer in the IAT.
Red Team Notes
- API Hashing is technique in which unique hashes are created for Windows APIs and these hashes are then used to search for the required Windows APIs from the respective library instead of their names.
- It is a type of API Obfuscation technique.

Follow my journey of 100 Days of Red Team on WhatsApp or Discord.

The code shown in above snippets is available in 100 Days of Red Team GitHub repository.

Below is a short demonstration of API Hashing in action in my lab.

Examples of real-world malware / cyber-attacks where this technique was used include Lazarus Group, Pteranodon and Latrodectus.

Here’s a video from OALabs that shows how to reverse engineer API hashes:

References

  • Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection (must read)

  • Windows API Hashing in Malware

  • API-Hashing in the Sodinokibi/REvil Ransomware – Why and How?

  • Malware - Windows API hashing 1

  • Windows-API-Hashing

Thanks for reading 100 Days of Red Team! Subscribe for free to receive new posts and support my work.

Share this post

100 Days of Red Team
100 Days of Red Team
What is API hashing and how it enables red team trade-craft?
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2025 Uday Mittal
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More