From Collaborative RCE Tool Library
Entropy Analyzers
| Tool name: | Ent |
| ||
|---|---|---|---|---|
| Author: | Gynvael Coldwind | |||
| Website: | http://gynvael.coldwind.pl/?id=158 | |||
| Current version: | 0.0.3 | |||
| Last updated: | March 9, 2009 | |||
| Direct D/L link: | Locally archived copy | |||
| License type: | Free / Open Source | |||
| Description: | Ent does two things: 1) it measures entropy of a file 2) it measures density of FPU instructions in the code section, if the file is a PE (Why file entropy measurement is interesting is a story for another day (maybe for tomorrow) ;>) The tool was made in C++, and currently it's Windows only (the next version will be portable, I'm just using some structures from winnt.h), and it uses libpng for PNG creation. The executable binary with the source code is (as always) available on the end of this post. Ent is run from the command line, and we provide him with the name of a file that we won't to measure entropy of. Then, Ent divides the file to 256-byte fragments, and calculates entropy (using some entropy formula I found somewhere - check the source code for details) and draws a chart. If the file is a PE file, it additionally mark the sections (blue for data, green for code, gray for unused/headers), and in the code section it calculates FPU density and draws another small red chart. The FPU calculating is not very precise - it works by finding bytes from range D8 to DF inclusive, which are used as FPU opcodes. However, excluding some false-positives in high-entropy area, this method is sufficient. Below in the screen shot you can see a chart of a sample PE file. | |||
| Also listed in: | (Not listed in any other category) | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | RDG Packer Detector |
| ||
|---|---|---|---|---|
| Author: | RDGMax | |||
| Website: | http://www.rdgsoft.8k.com | |||
| Current version: | 0.6.6 | |||
| Last updated: | April 15, 2009 | |||
| Direct D/L link: | http://www.egrupos.net/grupo/rdgsoft/ficheros/3/verFichero/29/RDG%20Packer%20Detector%20v0.6.6%202k8.rar | |||
| License type: | Free | |||
| Description: | RDG Packer Detector is a detector packers, Cryptors, Compilers, Packers Scrambler,Joiners,Installers. -Holds Fast detection system.. -Has detection system Powerful Analyzing the complete file, allowing the detection of Muli-packers in several cases. -You can create your own Signatures detection. -Holds Crypto-Graphic Analyzer. -Allows you to calculate the checksum of a file. -Allows you to calculate the Entropy, reporting if the program looked at the compressed, encrypted or not. -OEP-Detector (Original Point of Entry) of a program. -You can Check and download and you always signaturas.RDG Packer Detector will be updated. -Plug-ins Loader.. -Signatures converter. -Detector distortive Entry Point. -De-Binder an extractor attachments. -System Improved heuristic. What's New! v0.6.6 -New Interface! -Fast Mode Detection and Mode Powerful Improved! -Super base signatures Updated! -Heuristic detection of Binders -Detection and Extraction Overlay! -Check and Auto-Update of signatures! -Super Fast Detection of MD5 Hash! -Support for Multiple Plug-ins for both RDG Packer Detector and other detectors! -Detection of Multiple-MPG formats, GIF, RAR, ZIP, MP3 etc.. -Detection and removal of attachments! | |||
| Also listed in: | Compiler Identifiers, PE EXE Signature Tools, Packer Identifier Signatures, Packer Identifiers | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
| Tool name: | Hexer Plugin - Calculating the entropy of a file |
| ||
|---|---|---|---|---|
| Author: | Sebastian Porst | |||
| Website: | http://www.the-interweb.com/serendipity/index.php?/archives/99-Sample-Hexer-Plugin-Calculating-the-entropy-of-a-file.html#extended | |||
| Current version: | 1.4.0 | |||
| Last updated: | July 1, 2008 | |||
| Direct D/L link: | http://www.the-interweb.com/serendipity/exit.php?url_id=699&entry_id=107 | |||
| License type: | Free / Open Source | |||
| Description: | I finally got around to write an example plugin for my hex editor Hexer to show how simple it is to extend Hexer according to your own needs. The Java plugin I am going to present calculates the entropy of files according to the method presented on Ero Carrera's blog. The plugin adds a new tab containing a line chart and a button to the File Statistics dialog. When the user clicks the button, the entropy of the active file (that is the file in the last active hex window) is calculated and shown in the line chart. The screenshot below shows the entropy distribution of Notepad.exe. You can download the source file of the plugin here. The archive contains the source file EntropyCalculator.java as well as two class files which were created by compiling the source file using Java 1.6. To install the plugin, simply copy the two class files to the plugins directory of your Hexer installation. Since the plugin uses the JFreeChart library to display the graph it is also necessary to get the files jcommon-1.0.12.jar and jfreechart-1.0.9.jar from the JFreeChart package. Copy those files into the jars directory of your Hexer installation. At the beginning of the source file the methods getDescription(), getGuid(), getName(), and init() are implemented. These methods must be implemented by all classes that implement the Hexer plugin interface IPlugin. The first three methods return the name, the description, and the GUID of the plugin. These values are necessary for plugin management. The init() method is called once by Hexer when the plugin is loaded for the first time. Its parameter of type IPluginInterface can be used by the plugin to interact with Hexer. Afterwards the necessary methods of the IStatsPlugin plugin are implemented. This interface must be implemented by all plugins that want to extend the File Statistics dialog. The method getStatsDescription() returns the description of the file statistic as displayed in the tab header of the File Statistics dialog ("Entropy" in this case). The method getStatsComponent() returns the component that is used to display the calculated file statistic in the File Statistics dialog. For the Entropy Calculator plugin we only need the line chart and the button. That's all that is necessary to extend the Hexer File Statistics dialog. The remaining methods are used to calculate and display the entropy. They are basically a direct Python-to-Java conversion of the code from Ero Carrera's blog. The only difference is that I averaged the entropies of larger files to make sure that the dataset is small enough for the line chart component to handle. If you do not want to extend the File Statistics dialog but prefer to have your own Entropy dialog you can simply modify the plugin. Just implement the interface IPlugin instead of IStatsPlugin, add a menu to the Hexer main menu in the init() method, and create the dialog when the menu is clicked. | |||
| Also listed in: | Hex Editors, Hexer Extensions | |||
| More details: | Click here for more details, screenshots, related URLs & comments for this tool! (or to update its entry) | |||
Feed containing all updates and additions for this category.
Feed containing all updates and additions for this category, including sub-categories.
