Challenge 29: Single-Byte Hash Evasion
Objective
Evade Rule 6’s SHA256 signature detection by modifying a single byte of the malware binary.
Prerequisites
Start the EDR with signatures loaded:
edr_agent.exe --signatures signatures/malware_hashes.txt --verbose --no-kill
Scanner Behavior
Rule 6 computes SHA256 of the on-disk process image and compares it against loaded signatures:
proc ruleHashCheck(info: ProcessInfo): seq[Detection] =
if gSignatureHashes.len == 0: return
let imgHash = sha256File(info.imagePath)
if imgHash in gSignatureHashes: ...
A single byte change produces a completely different SHA256 hash.
Rules
- Take any binary whose hash is in the signature file
- Modify exactly one byte (append a null, change a resource, patch a padding byte)
- Run the modified binary — Rule 6 must not trigger
Hints
Hint 1
SHA256 is a cryptographic hash — even a 1-bit change produces an entirely different digest.Hint 2
Try:echo. >> malware.exe to append a newline byte. The binary still runs, but the hash is now different.
MostShittyEDR