From Collaborative RCE Tool Library
Ent
| Tool name: | Ent |
|---|---|
| Author: | Gynvael Coldwind |
| Website: | http://gynvael.coldwind.pl/?id=158 |
| Current version: | 0.0.3 |
| Last updated: | March 9, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free / Open Source |
| Description: | Ent does two things: 1) it measures the entropy of a file; 2) it measures the density of FPU instructions in the code section, if the file is a PE. (Why file entropy measurement is interesting is a story for another day (maybe for tomorrow) ;>) The tool was made in C++, and currently it's Windows only (the next version will be portable, I'm just using some structures from winnt.h), and it uses libpng for PNG creation. The executable binary with the source code is (as always) available at the end of this post. Ent is run from the command line, and we provide it with the name of the file whose entropy we want to measure. Then, Ent divides the file into 256-byte fragments, calculates the entropy of each (using some entropy formula I found somewhere - check the source code for details) and draws a chart. If the file is a PE file, it additionally marks the sections (blue for data, green for code, gray for unused/headers), and in the code section it calculates FPU density and draws another small red chart. The FPU calculation is not very precise - it works by finding bytes in the range D8 to DF inclusive, which are used as FPU opcodes. However, excluding some false positives in high-entropy areas, this method is sufficient. Below in the screenshot you can see a chart of a sample PE file. |
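
The two per-fragment measurements the description outlines, as an added example that is not Ent's source code. Shannon entropy is assumed (the description does not name the formula Ent uses), PE section parsing is left out so the D8..DF count is applied to every fragment, and all names are hypothetical.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr std::size_t kBlock = 256;  // fragment size stated in the description

struct BlockStats {
    double entropy;      // Shannon entropy (assumed formula), bits per byte, 0..8
    double fpu_density;  // fraction of bytes in the range 0xD8..0xDF
};

// Measure one fragment of n bytes (n may be shorter than kBlock at end of file).
BlockStats measure_block(const std::uint8_t* p, std::size_t n) {
    std::size_t hist[256] = {0};
    std::size_t fpu = 0;
    for (std::size_t i = 0; i < n; ++i) {
        ++hist[p[i]];
        if (p[i] >= 0xD8 && p[i] <= 0xDF) ++fpu;  // x87 escape opcode bytes
    }
    double h = 0.0;
    for (std::size_t c : hist) {
        if (c == 0) continue;  // a byte value that never occurs contributes 0
        double pr = static_cast<double>(c) / n;
        h -= pr * std::log2(pr);
    }
    return {h, n ? static_cast<double>(fpu) / n : 0.0};
}

// Split a buffer into 256-byte fragments and measure each one.
std::vector<BlockStats> measure(const std::vector<std::uint8_t>& data) {
    std::vector<BlockStats> out;
    for (std::size_t off = 0; off < data.size(); off += kBlock) {
        std::size_t n = data.size() - off < kBlock ? data.size() - off : kBlock;
        out.push_back(measure_block(data.data() + off, n));
    }
    return out;
}

// Constructed sample: one zero-filled block, then every byte value exactly once.
std::vector<std::uint8_t> sample() {
    std::vector<std::uint8_t> d(kBlock, 0);
    for (int b = 0; b < 256; ++b) d.push_back(static_cast<std::uint8_t>(b));
    return d;
}

int main() {
    for (const BlockStats& s : measure(sample()))
        std::printf("entropy=%.3f bits/byte  fpu=%.4f\n", s.entropy, s.fpu_density);
}
```

The second sample block shows the false-positive case the description mentions: uniformly distributed bytes reach the maximum of 8 bits per byte and still yield a D8..DF density of 8/256 without containing any FPU code.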