Hash techniques
The hash/ package supplies three families of hashing primitives:
cryptographic (MD5, SHA-1, SHA-256, SHA-512) for integrity and
identifiers, API hashing (ROR13 + ROR13Module) for shellcode-style
plaintext-free function resolution, and fuzzy hashing (ssdeep, TLSH)
for variant detection and similarity scoring.
TL;DR
Where to start (novice path):
- Need to fingerprint a buffer? → [SHA256](cryptographic-hashes.md). Standard integrity hash.
- Need to resolve Win32 APIs by hash (no plaintext name in the binary)? → ROR13 + ROR13Module. Pair with syscalls/api-hashing for the runtime resolution side.
- Need to score similarity between samples (variant detection, morph verification)? → fuzzy-hashing (ssdeep + TLSH).
Packages
| Package | Tech page | Detection | One-liner |
|---|---|---|---|
| hash | cryptographic-hashes.md · fuzzy-hashing.md | very-quiet | MD5/SHA-* (integrity), ROR13 (API hashing), ssdeep + TLSH (similarity) |
Quick decision tree
| You want to… | Use |
|---|---|
| …identify a payload by content | hash.SHA256 |
| …compute a Windows API name hash for a shellcode resolver | hash.ROR13 |
| …compute a module-name hash matching PEB-walk shellcode | hash.ROR13Module |
| …score similarity between two samples (variant detection) | hash.SsdeepCompare or hash.TLSHCompare |
| …screen a directory of suspicious binaries against a known-bad seed | see Advanced example |
MITRE ATT&CK
The hash package itself is a utility; it is referenced from the techniques that consume it:
| Used by | Why |
|---|---|
| win/api.ResolveByHash | Plaintext-free Win32 API resolution (T1027.007) |
| Researcher / hunter workflows | Variant detection, signature defeat measurement |
| pe/morph | Build-time fingerprint shifting; pair with fuzzy hashing to verify the morph kept the family intact |
See also
- API hashing — dedicated tech page on the shellcode-style ROR13 use case.
- crypto — confidentiality layer (hash is often used to derive integrity checks alongside).
- Researcher path: fuzzy hashing for variant tracking