Break things, write reports

Generating fast hashes, part 2

Still using SHA for hashes senselessly? Consider not using cryptographic hashes for everything in your life

Tags: xxHash, malware, tradecraft | Categories: dev
Posted: Feb 9, 2021

I previously shilled xxHash (https://pentester.wtf/blog/2020-10-13-xxhash/), but I’m pretty happy when I see malware using fast hashes for non security related tasks, rather than just using SHA/Bcrypt/whatever and being terribly slow. With that in mind, I’d like to reiterate:

If you’re writing malware and need to generate deterministic identifiers for data - for example when scraping a website, or when comparing processes on an endpoint to the ones you care about (e.g. msbuild) - and your code looks like this:

    import hashlib
    import psutil

    # SUPER SECRET PROCESS WE DON'T WANT PEOPLE TO KNOW WE'RE LOOKING FOR
    NOT_SECRET_OBVIOUS_HASH = "d4c5d22baf120b953ceb85a4d142f1c5fef2b002b2f1a050345ec1e90c5aeaa8"

    # Dump processes, iterate over them one by one
    for p in psutil.process_iter():
        m = hashlib.sha256()
        m.update(p.name().encode())
        if m.hexdigest() == NOT_SECRET_OBVIOUS_HASH:
            # Inject into memory, be naughty, etc
            pass

Then you’re burning a lot of CPU cycles for properties you probably didn’t want, such as being expensive enough to slow down someone brute-forcing a password dump. Instead, consider using something like xxHash (https://github.com/Cyan4973/xxHash), which is going to be significantly quicker and save a lot of resources.

Or do what the authors of SUNSPOT did, and just use ELFhash! https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

Obviously tongue in cheek, but it’s cool to see the use of non-cryptographic hashes for appropriate applications, instead of just mindlessly applying SHA everywhere.

Plus, an inexperienced SOC/blue teamer isn’t going to reverse that hashing algorithm - they’re more likely to be lazy and just look for SHA primitives or imports.
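ELFhash is short enough to reimplement, and the flip side of the point above is that an analyst who finds such a constant in a sample can resolve it simply by hashing a list of candidate process names. The following is an added example, not code from this post or from the SUNSPOT analysis: the candidate names and the "recovered" constant are constructed, and the lookup also covers SHA-256 so the same table resolves constants from the slower variant shown earlier.

```python
import hashlib


def elf_hash(data: bytes) -> int:
    """Classic SysV ELF (PJW) hash, kept to 32 bits as in the original spec."""
    h = 0
    for byte in data:
        h = ((h << 4) + byte) & 0xFFFFFFFF
        g = h & 0xF0000000          # top nibble about to overflow
        if g:
            h ^= g >> 24            # fold it back into the low bits
        h &= ~g & 0xFFFFFFFF        # and clear it
    return h


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup(names):
    """Map hashes of candidate names (and case variants) back to the names."""
    table = {}
    for name in names:
        for variant in {name, name.lower(), name.upper()}:
            data = variant.encode()
            table.setdefault(("elf", elf_hash(data)), variant)
            table.setdefault(("sha256", sha256_hex(data)), variant)
    return table


def resolve(table, constant):
    """Resolve a constant pulled from a sample: int -> ELFhash, str -> SHA-256 hex."""
    if isinstance(constant, int):
        return table.get(("elf", constant))
    return table.get(("sha256", constant.lower()))


# Constructed candidate list: process names an analyst expects a sample to check for.
CANDIDATES = ["msbuild.exe", "devenv.exe", "explorer.exe", "lsass.exe"]

if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    # Constructed: stand-in for a 32-bit constant recovered from a sample's disassembly.
    recovered = elf_hash(b"msbuild.exe")
    print(hex(recovered), "->", resolve(table, recovered))
```

The table is a one-off precomputation, so a much longer candidate list (every binary name on a reference image, say) costs nothing at lookup time.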