You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As discussed, hash_Carbanak is actually the well-known PJW hash that is commonly used for hash tables (ref: Mastering Algorithms in C, ElfHash, etc.). This change renames the hash as such so it can be more easily recognized, but adds a comment to the pseudocode to retain the information that it has notably been used in Carbanak. I tested this by copying INTERESTING_DLLS from the system32 directory on a 64-bit system to a directory and creating a new sc_hashes.db which I have added to this branch. The updated sc_hashes.db is 22MB versus the previous one which was only 16MB.
During testing, I updated the documentary string srsvc.dll in the INTERESTING_DLLS string to srvsvc.dll which I believe is what was intended.
Based on learning that INTERESTING_DLLS is inaccurate or outdated, I have reverted my changes to sc_hashes.db and will leave those updates to the maintainer.
Be advised that in a scenario where we are just renaming an algorithm, running make_sc_hash_db.py against sc_hashes.db without first deleting the .db file will result in the hash algorithm and all associated data appearing twice in sc_hashes.db - once under the original name and again under the new name. This would also make the resulting sqlite file bigger than it was before (as I noticed previously).
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
As discussed,
hash_Carbanakis actually the well-known PJW hash that is commonly used for hash tables (ref: Mastering Algorithms in C, ElfHash, etc.). This change renames the hash as such so it can be more easily recognized, but adds a comment to the pseudocode to retain the information that it has notably been used in Carbanak. I tested this by copyingINTERESTING_DLLSfrom thesystem32directory on a 64-bit system to a directory and creating a newsc_hashes.dbwhich I have added to this branch. The updatedsc_hashes.dbis 22MB versus the previous one which was only 16MB.During testing, I updated the documentary string
srsvc.dllin theINTERESTING_DLLSstring tosrvsvc.dllwhich I believe is what was intended.