ContextQMD
Back to Yara

Hash module

docs/modules/hash.rst

4.5.52.5 KB
Original Source

.. _hash-module:

########### Hash module ###########

.. versionadded:: 3.2.0

The Hash module allows you to calculate hashes (MD5, SHA1, SHA256) from portions of your file and create signatures based on those hashes.

.. important:: This module depends on the OpenSSL library. Please refer to :ref:compiling-yara for information about how to build OpenSSL-dependant features into YARA.

Good news for Windows users: this module is already included in the official
Windows binaries.

.. warning:: The returned hash string is always in lowercase. This means that rule condition matching on hashes hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d" requires the hash string to be given in lowercase, otherwise the match condition will not work. (see https://github.com/VirusTotal/yara/issues/1004)

.. c:function:: md5(offset, size)

Returns the MD5 hash for *size* bytes starting at *offset*. When scanning a
running process the *offset* argument should be a virtual address within
the process address space. The returned string is always in lowercase.

*Example: hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"*

.. c:function:: md5(string)

Returns the MD5 hash for the given string.

*Example: hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"*

.. c:function:: sha1(offset, size)

Returns the SHA1 hash for the *size* bytes starting at *offset*. When
scanning a running process the *offset* argument should be a virtual address
within the process address space. The returned string is always in
lowercase.

.. c:function:: sha1(string)

Returns the SHA1 hash for the given string.

.. c:function:: sha256(offset, size)

Returns the SHA256 hash for the *size* bytes starting at *offset*. When
scanning a running process the *offset* argument should be a virtual address
within the process address space. The returned string is always in
lowercase.

.. c:function:: sha256(string)

Returns the SHA256 hash for the given string.

.. c:function:: checksum32(offset, size)

Returns a 32-bit checksum for the *size* bytes starting at *offset*. The
checksum is just the sum of all the bytes (unsigned).

.. c:function:: checksum32(string)

Returns a 32-bit checksum for the given string. The checksum is just the
sum of all the bytes in the string (unsigned).

.. c:function:: crc32(offset, size)

Returns a crc32 checksum for the *size* bytes starting at *offset*.

.. c:function:: crc32(string)

Returns a crc32 checksum for the given string.