Malware Detection: Context Triggered Piecewise Hashes (CTPH)

--

A CTPH is built from a rolling hash together with traditional hashes of one or more segments of a file. One of the most popular CTPH methods is ssdeep, created in 2006 by Jesse Kornblum [1], which uses fuzzy hashing:

The aim is to match similar byte sequences even when they are not identical. For this, we break a file up into fragments using a rolling hash function, then produce a small hash for each fragment. These small hashes are concatenated to form the complete hash of the file. To compare two files, we treat the resulting hash values as strings and compare them with an edit-distance method.

With this, ssdeep keeps a rolling-hash state that depends only on the last few bytes of input. Bytes are added to the state and dropped again once later bytes have arrived, which is like a window sliding over the input data. Regions that share the same byte sequences will therefore produce the same hash output for those segments, regardless of where they sit in the file.
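As an added illustration (not code from the original post or from the ssdeep library), the idea above in compact Go: ssdeep's 7-byte rolling hash picks the segment boundaries, each segment's FNV-1 hash is reduced to one base64 character, and two signatures are compared with Levenshtein distance. The fixed block size of 3 is an assumption for this demonstration; real ssdeep derives the block size from the file length and doubles it until the signature is short enough.

```go
package main

// Simplified CTPH in the spirit of ssdeep: the 7-byte rolling hash marks segment ends,
// each segment's FNV-1 hash becomes one base64 character, and signatures are compared
// by edit distance. blockSize is fixed at 3 here; real ssdeep derives it from file size.
const window, blockSize, fnvSeed = 7, 3, 0x28021967
const b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

func ctph(data []byte) string {
	var win [window]byte
	var n, h1, h2, h3 uint32 // roll_hash state: depends only on the last 7 bytes seen
	h, sig := uint32(fnvSeed), []byte(nil)
	for _, c := range data {
		h2 += window*uint32(c) - h1 // ssdeep's roll_hash update
		h1 += uint32(c) - uint32(win[n%window])
		win[n%window] = c
		n++
		h3 = (h3 << 5) ^ uint32(c)
		h = (h * 0x01000193) ^ uint32(c) // FNV-1 over the current segment
		if (h1+h2+h3)%blockSize == blockSize-1 { // trigger: close the segment
			sig = append(sig, b64[h&63])
			h = fnvSeed
		}
	}
	return string(append(sig, b64[h&63])) // plus the trailing partial segment
}

func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cur[j] = prev[j-1] // substitution: free if the characters match
			if a[i-1] != b[j-1] {
				cur[j]++
			}
			if d := prev[j] + 1; d < cur[j] { // deletion
				cur[j] = d
			}
			if d := cur[j-1] + 1; d < cur[j] { // insertion
				cur[j] = d
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}
```

Because the rolling state only covers 7 bytes, a one-byte change can disturb at most the handful of signature characters around it, so two near-identical inputs stay a few edits apart while unrelated inputs drift far apart.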

The code is [here]:

package main

import (
	"fmt"
	"os"
	"github.com/glaslos/ssdeep"
)
// getSSD returns the ssdeep fuzzy hash of msg. The original listing is cut off at this signature; the body and main are reconstructed.
func getSSD(msg string) (string, error) { return ssdeep.FuzzyBytes([]byte(msg)) }
func main() { // reconstructed usage: hash the first command-line argument
	h, err := getSSD(os.Args[1])
	if err != nil { // e.g. the input is too short for ssdeep to hash
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println(h)
}

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice