Hash techniques

← maldev README · docs/index

The hash/ package supplies three families of hashing primitives: cryptographic (MD5, SHA-1, SHA-256, SHA-512) for integrity and identifiers, API hashing (ROR13 + ROR13Module) for shellcode-style plaintext-free function resolution, and fuzzy hashing (ssdeep, TLSH) for variant detection and similarity scoring.

TL;DR

flowchart TD
    Q{What do you need?} -->|fingerprint a buffer| C[SHA256 / MD5]
    Q -->|resolve a Win32 API by hash| R[ROR13]
    Q -->|find variants of a known sample| F[ssdeep / TLSH]

Packages

Package	Tech page	Detection	One-liner
`hash`	cryptographic-hashes.md · fuzzy-hashing.md	very-quiet	MD5/SHA-* (integrity), ROR13 (API hashing), ssdeep + TLSH (similarity)

Quick decision tree

You want to…	Use
…identify a payload by content	`hash.SHA256`
…compute a Windows API name hash for a shellcode resolver	`hash.ROR13`
…compute a module-name hash matching PEB-walk shellcode	`hash.ROR13Module`
…score similarity between two samples (variant detection)	`hash.SsdeepCompare` or `hash.TLSHCompare`
…screen a directory of suspicious binaries against a known-bad seed	see Advanced example

MITRE ATT&CK

The hash package itself is utility. It is referenced from techniques that consume it:

Used by	Why
`win/api.ResolveByHash`	Plaintext-free Win32 API resolution (T1027.007)
Researcher / hunter workflows	Variant detection, signature defeat measurement
`pe/morph`	Build-time fingerprint shifting; pair with fuzzy hashing to verify the morph kept the family intact

maldev

Hash techniques

TL;DR

Packages

Quick decision tree

MITRE ATT&CK

See also