.. _hash-module:

###########
Hash module
###########

.. versionadded:: 3.2.0

The Hash module allows you to calculate hashes (MD5, SHA1, SHA256) from portions
of your file and create signatures based on those hashes.

.. important::
    This module depends on the OpenSSL library. Please refer to
    :ref:`compiling-yara` for information about how to build OpenSSL-dependent
    features into YARA.

    Good news for Windows users: this module is already included in the official
    Windows binaries.

.. warning::
    The returned hash string is always in lowercase. A rule condition that
    compares against a hash, such as
    ``hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"``,
    must therefore give the hash string in lowercase; otherwise the condition
    will not match (see https://github.com/VirusTotal/yara/issues/1004).

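
An added example (not part of the YARA documentation or code base): a small Python lint that flags hash literals in rule conditions that cannot match because they contain uppercase hex or have the wrong length for the function. The function names, the regular expression and the sample rule are constructed for illustration.

```python
import re

# Hex digest length for each hash-module function that returns a hex string.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Matches comparisons such as: hash.md5(0, filesize) == "feba..."
# Assumption: the call arguments contain no nested parentheses.
CMP = re.compile(r'hash\.(md5|sha1|sha256)\s*\(([^()]*)\)\s*(==|!=)\s*"([^"]*)"')

def lint_hash_literals(rule_text):
    """Return (line_no, function, problem) for each hash literal that is malformed."""
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        for m in CMP.finditer(line):
            func, literal = m.group(1), m.group(4)
            if not re.fullmatch(r"[0-9a-fA-F]*", literal):
                findings.append((line_no, func, "not a hex string"))
            elif len(literal) != HEX_LEN[func]:
                findings.append((line_no, func,
                                 f"expected {HEX_LEN[func]} hex chars, got {len(literal)}"))
            elif literal != literal.lower():
                findings.append((line_no, func, "uppercase hex; hash module returns lowercase"))
    return findings

def fix_case(rule_text):
    """Lowercase the literal in every hash comparison; the rest of the rule is untouched."""
    def lower_literal(m):
        prefix = m.group(0)[: m.start(4) - m.start(0)]  # everything up to the literal
        return prefix + m.group(4).lower() + '"'
    return CMP.sub(lower_literal, rule_text)

# Constructed sample rule: one uppercase MD5, one SHA1 compared to a 32-char value, one valid.
SAMPLE = '''
import "hash"
rule constructed_example
{
    condition:
        hash.md5(0, filesize) == "FEBA6C919E3797E7778E8F2E85FA033D" or
        hash.sha1(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d" or
        hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"
}
'''

if __name__ == "__main__":
    for finding in lint_hash_literals(SAMPLE):
        print(finding)
```

The lint works line by line, so it also reports comparisons that appear inside rule comments.
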
.. c:function:: md5(offset, size)

    Returns the MD5 hash for *size* bytes starting at *offset*. When scanning a
    running process the *offset* argument should be a virtual address within
    the process address space. The returned string is always in lowercase.

    *Example: hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"*

.. c:function:: md5(string)

    Returns the MD5 hash for the given string.

    *Example: hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"*

.. c:function:: sha1(offset, size)

    Returns the SHA1 hash for the *size* bytes starting at *offset*. When
    scanning a running process the *offset* argument should be a virtual address
    within the process address space. The returned string is always in
    lowercase.

.. c:function:: sha1(string)

    Returns the SHA1 hash for the given string.

.. c:function:: sha256(offset, size)

    Returns the SHA256 hash for the *size* bytes starting at *offset*. When
    scanning a running process the *offset* argument should be a virtual address
    within the process address space. The returned string is always in
    lowercase.

.. c:function:: sha256(string)

    Returns the SHA256 hash for the given string.

.. c:function:: checksum32(offset, size)

    Returns a 32-bit checksum for the *size* bytes starting at *offset*. The
    checksum is just the sum of all the bytes (unsigned).

.. c:function:: checksum32(string)

    Returns a 32-bit checksum for the given string. The checksum is just the
    sum of all the bytes in the string (unsigned).

.. c:function:: crc32(offset, size)

    Returns a crc32 checksum for the *size* bytes starting at *offset*.

.. c:function:: crc32(string)

    Returns a crc32 checksum for the given string.