Hash module

New in version 3.2.0.

The Hash module allows you to calculate hashes (MD5, SHA1, SHA256) from portions of your file and create signatures based on those hashes.

Important

This module depends on the OpenSSL library. Please refer to Compiling and installing YARA for information about how to build OpenSSL-dependant features into YARA.

Good news for Windows users: this module is already included in the official Windows binaries.

Warning

The returned hash string is always in lowercase. This means that rule condition matching on hashes hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d" requires the hash string to be given in lowercase, otherwise the match condition will not work. (see https://github.com/VirusTotal/yara/issues/1004)

md5(offset, size)

Returns the MD5 hash for size bytes starting at offset. When scanning a running process the offset argument should be a virtual address within the process address space. The returned string is always in lowercase.

Example: hash.md5(0, filesize) == "feba6c919e3797e7778e8f2e85fa033d"

md5(string)

Returns the MD5 hash for the given string.

Example: hash.md5("dummy") == "275876e34cf609db118f3d84b799a790"

sha1(offset, size)

Returns the SHA1 hash for the size bytes starting at offset. When scanning a running process the offset argument should be a virtual address within the process address space. The returned string is always in lowercase.

sha1(string)

Returns the SHA1 hash for the given string.

sha256(offset, size)

Returns the SHA256 hash for the size bytes starting at offset. When scanning a running process the offset argument should be a virtual address within the process address space. The returned string is always in lowercase.

sha256(string)

Returns the SHA256 hash for the given string.

checksum32(offset, size)

Returns a 32-bit checksum for the size bytes starting at offset. The checksum is just the sum of all the bytes (unsigned).

checksum32(string)

Returns a 32-bit checksum for the given string. The checksum is just the sum of all the bytes in the string (unsigned).

crc32(offset, size)

Returns a crc32 checksum for the size bytes starting at offset.

crc32(string)

Returns a crc32 checksum for the given string.