data-manipulation/hashing/murmur
rule:
meta:
name: hash data using murmur3
namespace: data-manipulation/hashing/murmur
authors:
- william.ballenthin@mandiant.com
scopes:
static: function
dynamic: unsupported # requires characteristic, mnemonic features
mbc:
- Data::Non-Cryptographic Hash::MurmurHash [C0030.001]
references:
- https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp
examples:
- c66172b12971a329f8d5ff01665f204b:0x404A18
features:
- or:
- and:
- number: 0x85ebca6b = 32-bit finalization mix constant 1
- number: 0xc2b2ae35 = 32-bit finalization mix constant 2
- and:
- number: 0xff51afd7ed558ccd = 64-bit finalization mix constant 1
- number: 0xc4ceb9fe1a85ec53 = 64-bit finalization mix constant 2
- and:
- number: 0xcc9e2d51 = c1 32-bit hash
- number: 0x1b873593 = c2 32-bit hash
- and:
- number: 0x239b961b = 32-bit c1 for 128-bit hash
- number: 0xab0e9789 = 32-bit c2 for 128-bit hash
- number: 0x38b34ae5 = 32-bit c3 for 128-bit hash
- number: 0xa1e38b93 = 32-bit c4 for 128-bit hash
- and:
- number: 0x87c37b91114253d5 = 64-bit c1 for 128-bit hash
- number: 0x4cf5ad432745937f = 64-bit c2 for 128-bit hash
- basic block:
- and:
- description: 'hash >> 16; hash >> 13; hash >> 16'
- count(mnemonic(shr)): 3
- instruction:
- mnemonic: shr
- number: 16
- instruction:
- mnemonic: shr
- number: 13
- optional:
- count(characteristic(nzxor)): 3 or more
- and:
# Group this two blocks under an `and` as on their own they are not
# unique enough and would cause false positives
- instruction:
- description: k ROL r1
- mnemonic: rol
- number: 15 = r1
- instruction:
- description: hash ROL r2
- mnemonic: rol
- number: 13 = r2
last edited: 2023-11-24 10:34:28