-
Notifications
You must be signed in to change notification settings - Fork 159
/
hash-data-using-fnv.yml
35 lines (35 loc) · 1.15 KB
/
hash-data-using-fnv.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
rule:
meta:
name: hash data using fnv
namespace: data-manipulation/hashing/fnv
author:
- moritz.raabe@fireeye.com
- "@_re_fox"
description: can be any Fowler-Noll-Vo (FNV) hash variant, including FNV-1, FNV-1a, FNV-0
scope: function
mbc:
- Data::Non-Cryptographic Hash::FNV [C0030.005]
references:
- https://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function
- http://isthe.com/chongo/tech/comp/fnv/
- https://create.stephan-brumme.com/fnv-hash/
examples:
- ad4229879180e267f431ac6666b6a0a2:0x14007B4D4
features:
- and:
- optional:
- characteristic: loop
# FNV-0 hash does not use these initialization values
- number/x64: 0xcbf29ce484222325 = FNV_offset_basis
- number/x32: 0x811c9dc5 = FNV_offset_basis
- or:
- number/x64: 0x100000001b3 = FNV prime
- number/x32: 0x01000193 = FNV prime
- basic block:
# FNV-1 hash does multiply then XOR
# FNV-1a hash does XOR then multiply
- and:
- characteristic: nzxor
- or:
- mnemonic: imul
- mnemonic: mul