IDA Entropy Plugin


A utility for calculating the entropy of 32-bit executable and binary files has been released. It can be useful for quickly locating file blocks with high entropy: encrypted chunks, encryption keys, etc. The utility can be built as an IDA plugin or as a standalone program.
On launch it calculates the entropy of each section of the file; it can also calculate the entropy of any block of the file and build an entropy map of a specified section.


Double-clicking a row in the ListView copies its Address and Length into the corresponding fields on the form. The Calculate button shows the entropy of the data block from StartAddress to StartAddress + Length. The Draw button builds an entropy map of the data block; ChunkSize sets the length of the chunks used for entropy calculation in this mode, and StepSize is the distance between the start of one chunk and the start of the next. In IDA plugin mode, double-clicking on the map jumps to the corresponding location in the IDA listing.


The Deep Analyze button runs a large number of calculations over the range from StartAddress to StartAddress + Length, with the block size varying from 1 to ChunkSize and the chunk start advancing by StepSize. If the calculated entropy of a chunk is greater than MaxEntropy, the chunk is added to the result report. In IDA plugin mode, double-clicking a row jumps to the corresponding location in the IDA listing.
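The three modes above (Calculate, Draw, Deep Analyze) reduce to one Shannon entropy function applied to different windows. The following Python is an added example written for this page, not the utility's own C++ code; the function names, the sample buffer and the parameter names are my own. The sample is constructed: 64 zero bytes, then 64 distinct bytes standing in for key material, then 64 zero bytes. One caveat worth seeing in numbers: a chunk of n distinct bytes scores log2(n) bits per byte, so a 64-byte window of perfectly random data reads 6.0, not 8.0, and the small block sizes that Deep Analyze starts from can never exceed a low MaxEntropy threshold at all.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a block in bits per byte: 0.0 for a constant block,
    up to 8.0 for uniformly distributed bytes (and at most log2(len(data)))."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def calculate(data: bytes, start: int, length: int) -> float:
    """The Calculate button: entropy of the block from start to start + length."""
    return shannon_entropy(data[start:start + length])


def entropy_map(data, start, length, chunk_size, step_size):
    """The Draw button: one (offset, entropy) point per chunk of chunk_size bytes,
    advancing the chunk start by step_size; a chunk that would run past the end is skipped."""
    if chunk_size <= 0 or step_size <= 0:
        raise ValueError("chunk_size and step_size must be positive")
    end = min(start + length, len(data))
    points = []
    offset = start
    while offset + chunk_size <= end:
        points.append((offset, shannon_entropy(data[offset:offset + chunk_size])))
        offset += step_size
    return points


def deep_analyze(data, start, length, chunk_size, step_size, max_entropy):
    """The Deep Analyze button: repeat the map for every block size from 1 to chunk_size
    and report (offset, size, entropy) for each chunk whose entropy exceeds max_entropy.
    Work grows roughly with chunk_size squared, so keep chunk_size small on large ranges."""
    hits = []
    for size in range(1, chunk_size + 1):
        for offset, h in entropy_map(data, start, length, size, step_size):
            if h > max_entropy:
                hits.append((offset, size, h))
    return hits


# Constructed sample: zeros, then 64 distinct bytes (an affine permutation of the
# index, which cannot hit zero within this range), then zeros again.
SAMPLE = bytes(64) + bytes((i * 37 + 11) & 0xFF for i in range(64)) + bytes(64)

if __name__ == "__main__":
    # A 64-byte window stepped by 32 bytes, printed as a crude text entropy map.
    for offset, h in entropy_map(SAMPLE, 0, len(SAMPLE), 64, 32):
        print(f"{offset:#06x}  {h:.3f}  {'#' * int(h * 4)}")
    # Block sizes 1..8: only size 8 can exceed 2.9 bits, and only inside the random run.
    for offset, size, h in deep_analyze(SAMPLE, 0, len(SAMPLE), 8, 8, 2.9):
        print(f"hit at {offset:#06x} size {size}: {h:.3f}")
```

The windows that straddle the boundary at offsets 32 and 96 score 3.5 (half zeros, half distinct bytes), which is why a step smaller than the chunk size blurs the edges of a high-entropy region on the map while a step equal to the chunk size gives sharp but coarse edges.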


The Launch feature in IDA plugin mode checks the current selection in the IDA listing: the utility fills StartAddress and Length from it and presses the Calculate button for you. To run the utility as an IDA plugin, simply copy it into ./IDA/plugins/ and press F11 (the default hotkey) or choose Edit -> Plugins -> Entropy plugin.

In standalone mode the utility shows a GetOpenFileName dialog when started without command-line parameters. The command-line format is "ida-ent.exe [-sw] filename", where the switch is one of the following: --binary (-b), --pe (-p), --elf (-e). By default the utility tries to determine the file format (PE, ELF) by checking the signature.

UPD: Overlay detection (a non-empty data block in the rest of the file after the last section) was added in standalone mode for PE (checked) and ELF (not checked). The window focus problem in plugin mode was fixed. The utility has also been released under the GNU GPL.
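To make the two standalone-mode behaviours concrete, signature-based format detection and PE overlay detection, here is an added Python example; it is not the utility's source, and the function names and the constructed minimal PE image are my own. The overlay rule follows the update above: the file region after the highest PointerToRawData + SizeOfRawData of any section counts as an overlay only when it contains something other than zero padding. ELF overlay detection is left out, matching the post's note that it is not checked there.

```python
import struct


def detect_format(data: bytes) -> str:
    """Default behaviour of the tool: choose PE or ELF by signature, else treat as raw binary."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    return "binary"


def pe_sections(data: bytes):
    """(name, PointerToRawData, SizeOfRawData) for every section header of a PE file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                       # COFF file header follows the "PE\0\0" signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = first + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", data, off + 16)
        sections.append((name, ptr_raw, size_raw))
    return sections


def pe_overlay(data: bytes):
    """Return (offset, length) of the overlay: non-empty data after the last section's
    raw bytes. None when the file ends with the sections or only zero padding follows."""
    end = max((ptr + size for _, ptr, size in pe_sections(data) if size), default=0)
    if end == 0 or end >= len(data):
        return None
    if not data[end:].strip(b"\0"):           # only padding, not an overlay
        return None
    return end, len(data) - end


def build_sample_pe(overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (not loadable; headers filled only as far as the
    parser reads) with two 0x200-byte sections at file offsets 0x200 and 0x400."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> "PE\0\0" right after the DOS header
    hdr += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    hdr += b"\x0b\x01" + bytes(0xE0 - 2)    # PE32 magic, remaining optional header zeroed
    for name, va, ptr, flags in ((b".text", 0x1000, 0x200, 0x60000020),
                                 (b".data", 0x2000, 0x400, 0xC0000040)):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        hdr += struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, ptr, 0, 0, 0, 0, flags)
    image = bytes(hdr).ljust(0x200, b"\0") + b"\x90" * 0x200 + bytes(0x200)
    return image + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"secret overlay blob")
    print(detect_format(sample), pe_sections(sample), pe_overlay(sample))
```

The overlay region returned here is exactly the block a reviewer would then feed to the entropy check: appended payloads and configuration blobs live outside any section, so a per-section entropy listing never shows them.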

The sources (for MS Visual C++ 2008 EE), the precompiled standalone utility, and the IDA Pro 5.5 and IDA Free 4.9 plugins are available in the archive.



Entropy maps rule =). It would be nice if you also added a visualization over the whole file, and over the whole file + overlay. Plus it would be good to be able to manually choose which sections to include. I'd be happy =)

Also, after registration an e-mail arrives that reads
?????? ?? ??????????? ???????? ??? ??????????????? «/var/log/smokedchicken.log».

about activation =) please fix =)

About this Entry

This page contains a single entry by Павел Збицкий published on June 19, 2010 2:33 AM.
