June 2010 Archives

A utility for entropy calculation of 32-bit executable and binary files has been released. It can be useful for quickly searching a file for blocks with high entropy: encrypted chunks, encryption keys, etc. The utility can be built as an IDA plugin and as a standalone program.
It allows you to calculate the entropy of each section of the file at launch, calculate the entropy of any block of the file, and build an entropy map of a specified section.

(screenshot: ida-ent-gen.PNG)

Double-clicking a row in the ListView copies Address and Length into the corresponding fields on the form. The Calculate button shows the entropy of the data block from StartAddress to StartAddress + Length. The Draw button builds an entropy map of the data block; ChunkSize specifies the length of the chunks used for entropy calculation in this mode, and StepSize is the offset between one chunk and the next. Double-clicking on the map in IDA plugin mode jumps to the corresponding location in the IDA listing.

(screenshot: ida-ent-graph.PNG)

The Deep Analyze button performs many calculations from StartAddress to StartAddress + Length, with the block size varying from 1 to ChunkSize and advancing by StepSize. If the calculated entropy of a chunk is greater than MaxEntropy, the chunk is added to the result report. Double-clicking a row in IDA plugin mode jumps to the corresponding location in the IDA listing.

(screenshot: ida-ent-table.PNG)
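As an added illustration (not code from the released utility), here are the three operations described above re-implemented in Python: the per-block Shannon entropy behind Calculate, the chunked map behind Draw (ChunkSize and StepSize), and the Deep Analyze sweep over block sizes 1..ChunkSize with the MaxEntropy threshold. The sample buffer is constructed: zero padding, a 32-byte run of distinct bytes standing in for key material, and a run of repeated "A".

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a block in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    h = 0.0
    for count in Counter(data).values():
        p = count / n
        h -= p * math.log2(p)
    return h


def entropy_map(data: bytes, start: int, length: int, chunk_size: int, step_size: int):
    """The Draw mode: one (offset, entropy) point per chunk of chunk_size bytes,
    advancing by step_size, over start .. start + length."""
    end = min(start + length, len(data))
    points = []
    pos = start
    while pos < end:
        points.append((pos, shannon_entropy(data[pos:min(pos + chunk_size, end)])))
        pos += step_size
    return points


def deep_analyze(data: bytes, start: int, length: int, chunk_size: int,
                 step_size: int, max_entropy: float):
    """The Deep Analyze mode: every block size from 1 to chunk_size, stepped by
    step_size; report (offset, size, entropy) for blocks above max_entropy."""
    end = min(start + length, len(data))
    hits = []
    for size in range(1, chunk_size + 1):
        for pos in range(start, end - size + 1, step_size):
            h = shannon_entropy(data[pos:pos + size])
            if h > max_entropy:
                hits.append((pos, size, round(h, 3)))
    return hits


# Constructed sample: 64 zero bytes, 32 distinct bytes (key-like), 32 x "A".
SAMPLE = bytes(64) + bytes(range(32)) + b"A" * 32

if __name__ == "__main__":
    for offset, h in entropy_map(SAMPLE, 0, len(SAMPLE), 32, 32):
        print(f"0x{offset:04x}: {h:.3f}")
    print(deep_analyze(SAMPLE, 0, len(SAMPLE), 16, 16, 3.95))
```

Real files are scanned the same way by passing `open(path, "rb").read()` as `data`; a map point near 8.0 bits per byte is the signature of compressed or encrypted content.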

A convenience feature in IDA plugin mode is checking the current IDA listing selection: the utility fills in StartAddress and Length and presses Calculate for you. To start the utility as an IDA plugin, simply copy it into ./IDA/plugins/ and press F11 (default hotkey) or choose Edit -> Plugins -> Entropy plugin.

In standalone mode, the utility shows a GetOpenFileName dialog when started without command-line parameters. The command-line format is "ida-ent.exe [-sw] filename", where the switch is one of the following: --binary (-b), --pe (-p), --elf (-e). By default the utility tries to determine the file format (PE or ELF) by checking the signature.

UPD: Overlay detection (a non-empty data block in the remainder of the file) was added in standalone mode for PE (checked) and ELF (not checked). A window-focus problem in plugin mode was fixed. The utility is now released under the GNU GPL.

Sources (for MS Visual C++ 2008 EE), the precompiled standalone utility, and the IDA Pro 5.5 and IDA Free 4.9 plugins are available in the archive.

About this Archive

This page is an archive of entries from June 2010 listed from newest to oldest.
