自定义 String 哈希算法教学文档<\/h1>

1. 哈希算法概述<\/h2>

1.1 定义<\/h3>
将字符串映射为唯一的整数(哈希值)的算法，公式表示为：H(s) = 唯一HASH值<\/p>

1.2 特点<\/h3>

唯一性(抗碰撞性)<\/strong>：理想状态下不同输入应生成唯一哈希值，根据鸽巢原理，哈希冲突必然存在，但碰撞概率非常低<\/li>

不可逆性(单向性)<\/strong>：从哈希值反推原始输入在计算上不可行(即使已知算法)<\/li> <\/ol>
1.3 应用场景<\/h3>

避免检测<\/strong>：将API名称转换为整数哈希值，消除可读字符串特征，降低静态分析风险<\/li>
减小shellcode体积<\/strong>：32位哈希值(4字节)通常比API名称字符串更短<\/li> <\/ol>
2. ROTR32算法<\/h2>
2.1 算法原理<\/h3>
ROTR32(32位循环右移)是一种位运算操作，将32位整数的二进制表示向右循环移动指定位数，移出的位从左侧重新填充。<\/p>
计算公式<\/strong>：<\/p>
ROTR32(x, n) = (x >> n) | (x << (32 - n)) <\/code><\/pre> 2.2 实现代码<\/h3> C语言实现<\/h4> #include<\/span> <stdint.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>uint32_t<\/span> rotr32<\/span>(uint32_t<\/span> value, uint32_t<\/span> shift) { <\/span><\/span> return<\/span> (value >><\/span> shift) |<\/span> (value <<<\/span> (32<\/span> -<\/span> shift)); <\/span><\/span>} <\/span><\/span> <\/span><\/span>uint32_t<\/span> hash_string_rotr32<\/span>(const<\/span> char<\/span>*<\/span> str) { <\/span><\/span> uint32_t<\/span> hash =<\/span> 0<\/span>; <\/span><\/span> for<\/span> (; *<\/span>str; ++<\/span>str) { <\/span><\/span> hash =<\/span> rotr32(hash, 13<\/span>) +<\/span> *<\/span>str; <\/span><\/span> } <\/span><\/span> return<\/span> hash; <\/span><\/span>} <\/span><\/span><\/code><\/pre>Python实现<\/h4> def<\/span> rotr32<\/span>(value, shift): <\/span><\/span> shift %=<\/span> 32<\/span> # 确保移动位数在[0,31]范围内<\/span> <\/span><\/span> return<\/span> ((value >><\/span> shift) |<\/span> (value <<<\/span> (32<\/span> -<\/span> shift))) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> <\/span><\/span>def<\/span> hash_string_rotr32<\/span>(s): <\/span><\/span> hash_val =<\/span> 0<\/span> <\/span><\/span> for<\/span> c in<\/span> s: <\/span><\/span> hash_val =<\/span> rotr32(hash_val, 13<\/span>) +<\/span> ord(c) <\/span><\/span> hash_val &=<\/span> 0xFFFFFFFF<\/span> # 限制为32位<\/span> <\/span><\/span> return<\/span> hash_val <\/span><\/span><\/code><\/pre>Go实现<\/h4> func<\/span> rotr32<\/span>(value<\/span> uint32<\/span>, shift<\/span> uint32<\/span>) uint32<\/span> { <\/span><\/span> return<\/span> (value<\/span> >><\/span> shift<\/span>) | (value<\/span> <<<\/span> (32<\/span> -<\/span> shift<\/span>)) <\/span><\/span>} <\/span><\/span> <\/span><\/span>func<\/span> hashStringRotr32<\/span>(s<\/span> string<\/span>) uint32<\/span> { <\/span><\/span> var<\/span> hash<\/span> uint32<\/span> = 0<\/span> <\/span><\/span> for<\/span> _<\/span>, c<\/span> :=<\/span> range<\/span> s<\/span> { <\/span><\/span> hash<\/span> = rotr32<\/span>(hash<\/span>, 13<\/span>) +<\/span> uint32(c<\/span>) <\/span><\/span> } <\/span><\/span> return<\/span> hash<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>MASM汇编实现<\/h4> ; 输入: esi = 字符串指针 <\/span><\/span><\/span>; 输出: eax = 哈希值 <\/span><\/span><\/span><\/span>hash_string_rotr32: <\/span><\/span> xor<\/span> eax<\/span>, eax<\/span> <\/span><\/span> xor<\/span> ecx<\/span>, ecx<\/span> <\/span><\/span>.loop: <\/span><\/span> mov<\/span> cl<\/span>, [esi<\/span>] <\/span><\/span> test<\/span> cl<\/span>, cl<\/span> <\/span><\/span> jz<\/span> .done<\/span> <\/span><\/span> ror<\/span> eax<\/span>, 13<\/span> <\/span><\/span> add<\/span> eax<\/span>, ecx<\/span> <\/span><\/span> inc<\/span> esi<\/span> <\/span><\/span> jmp<\/span> .loop<\/span> <\/span><\/span>.done: <\/span><\/span> ret<\/span> <\/span><\/span><\/code><\/pre>2.3 常见API哈希值示例<\/h3> ws2_32.dll+WSAStartup = 4645344Ch ws2_32.dll+WSASocketA = 0B83D505Ah ws2_32.dll+connect = 6AF3406Dh ws2_32.dll+recv = 0F1606037h kernel32.dll+LoadLibraryA = 56590AE9h kernel32.dll+VirtualAlloc = 0FBFA86AFh kernel32.dll+GetProcAddress = 0E658B905h kernel32.dll+VirtualProtect = 0E3918276h kernel32.dll+ExitProcess = 0DE2D94D9h <\/code><\/pre> 3. CRC32算法<\/h2> 3.1 算法原理<\/h3> CRC32是一种32位循环冗余校验算法，通过多项式除法生成固定长度的校验码。<\/p> 计算流程<\/strong>：<\/p> 初始化：crc = 0xFFFFFFFF<\/li> 混合字节：crc ^ 0x01 = 0xFFFFFFFE<\/li> 8轮位操作：第1轮: 0xFFFFFFFE & 1 = 0 → 右移 → 0x7FFFFFFF<\/li> 第2轮: 0x7FFFFFFF & 1 = 1 → 右移并异或多项式 → (0x3FFFFFFF) ^ 0xEDB88320<\/li> ...(重复8次)<\/li> <\/ul> <\/li> 最终取反：得到校验码<\/li> <\/ol> 3.2 实现代码<\/h3> C语言实现<\/h4> #include<\/span> <stdint.h><\/span> <\/span><\/span><\/span><\/span> <\/span><\/span>uint32_t<\/span> crc32<\/span>(const<\/span> char<\/span>*<\/span> str) { <\/span><\/span> uint32_t<\/span> crc =<\/span> 0xFFFFFFFF<\/span>; <\/span><\/span> for<\/span> (; *<\/span>str; ++<\/span>str) { <\/span><\/span> crc ^=<\/span> *<\/span>str; <\/span><\/span> for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 8<\/span>; i++<\/span>) { <\/span><\/span> if<\/span> (crc &<\/span> 1<\/span>) { <\/span><\/span> crc =<\/span> (crc >><\/span> 1<\/span>) ^<\/span> 0xEDB88320<\/span>; <\/span><\/span> } else<\/span> { <\/span><\/span> crc >>=<\/span> 1<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> ~<\/span>crc; <\/span><\/span>} <\/span><\/span><\/code><\/pre>Python实现<\/h4> def<\/span> crc32<\/span>(s): <\/span><\/span> crc =<\/span> 0xFFFFFFFF<\/span> <\/span><\/span> for<\/span> c in<\/span> s: <\/span><\/span> crc ^=<\/span> ord(c) <\/span><\/span> for<\/span> _ in<\/span> range(8<\/span>): <\/span><\/span> if<\/span> crc &<\/span> 1<\/span>: <\/span><\/span> crc =<\/span> (crc >><\/span> 1<\/span>) ^<\/span> 0xEDB88320<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> crc >>=<\/span> 1<\/span> <\/span><\/span> return<\/span> (~<\/span>crc) &<\/span> 0xFFFFFFFF<\/span> <\/span><\/span><\/code><\/pre>Go实现<\/h4> func<\/span> crc32<\/span>(s<\/span> string<\/span>) uint32<\/span> { <\/span><\/span> crc<\/span> :=<\/span> uint32(0xFFFFFFFF<\/span>) <\/span><\/span> for<\/span> _<\/span>, c<\/span> :=<\/span> range<\/span> s<\/span> { <\/span><\/span> crc<\/span> ^= uint32(c<\/span>) <\/span><\/span> for<\/span> i<\/span> :=<\/span> 0<\/span>; i<\/span> < 8<\/span>; i<\/span>++<\/span> { <\/span><\/span> if<\/span> crc<\/span>&<\/span>1<\/span> ==<\/span> 1<\/span> { <\/span><\/span> crc<\/span> = (crc<\/span> >><\/span> 1<\/span>) ^ 0xEDB88320<\/span> <\/span><\/span> } else<\/span> { <\/span><\/span> crc<\/span> >>=<\/span> 1<\/span> <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> ^crc<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>4. 算法选择建议<\/h2> ROTR32<\/strong>：<\/p> 实现简单，计算速度快<\/li> 在MSF和CS的stager中被广泛使用<\/li> 抗碰撞性良好<\/li> <\/ul> <\/li> CRC32<\/strong>：<\/p> 主要用于数据校验<\/li> 计算过程稍复杂<\/li> 在pe_to_shellcode等项目中使用<\/li> <\/ul> <\/li> <\/ol> 5. 注意事项<\/h2> 不同实现可能产生不同的哈希值，使用时需确保一致性<\/li> 汇编实现可能与高级语言实现有细微差异，需特别注意<\/li> 哈希冲突不可避免，但在实际应用中概率很低<\/li> <\/ol>

自定义 String 哈希算法教学文档<\/h1>

1. 哈希算法概述<\/h2>

1.1 定义<\/h3> 将字符串映射为唯一的整数(哈希值)的算法，公式表示为：H(s) = 唯一HASH值<\/p>

2. ROTR32算法<\/h2>

2.2 实现代码<\/h3>

3. CRC32算法<\/h2>

3.2 实现代码<\/h3>

5. 注意事项<\/h2> 不同实现可能产生不同的哈希值，使用时需确保一致性<\/li> 汇编实现可能与高级语言实现有细微差异，需特别注意<\/li> 哈希冲突不可避免，但在实际应用中概率很低<\/li> <\/ol>

1.1 定义<\/h3>
将字符串映射为唯一的整数(哈希值)的算法，公式表示为：H(s) = 唯一HASH值<\/p>

5. 注意事项<\/h2>

不同实现可能产生不同的哈希值，使用时需确保一致性<\/li>
汇编实现可能与高级语言实现有细微差异，需特别注意<\/li>
哈希冲突不可避免，但在实际应用中概率很低<\/li> <\/ol>