Utility for entropy calculation of 32-bit executable and binary files released. It can be usefull for express searching of a file blocks with a high entropy - encrypted chunks, encryption keys, etc. Utility can be built as a IDA plugin and as a standalone utility.
It allow to calculate entropy of a sections of the file by utility launch, calculate entropy of any block of the file, build entropy map of a specified section.
Double-click on the row in ListView copies Address and Length to appropiate fields on the form. Calculate button shows entropy for a data block from StartAddress to StartAddress + Length. Draw button allows to build entropy map of the data block. ChunksSize specifies a length of chunks used for entropy calculation in this mode. And StepSize fileld is used as a indent between current and next chunks. Double-click on the map in IDA plugin mode allows to go to the specified location in IDA listing.
Deep Analyze button performs a lot of calculations from StartAddress to StartAddress + Length with a varing block size from 1 to ChunkSize and with StepSize indent. If calculated entropy value greater than MaxEntropy for the chunk, it will be added to result report. Double-click on the row in IDA plugin mode allows to go to the specified location in IDA listing.
Launch feature in IDA plugin mode is IDA listing selection check. I.e. utility fills StartAddress, Length and pushs to Calculate button. To start utility as IDA plugin simply copy in to ./IDA/plugins/ and press F11 (default hotkey) or choose Edit -> Plugins ->Entropy plugin.
In standalone mode utility shows GetOpenFileName dialog when started without command-line parameters. Command line format is "ida-ent.exe [-sw] filename", where switches are one of the following: --binary (-b), --pe (-p), --elf (-e). By default utility tries to determine file format (PE, ELF) by checking signature.
Sources (for MS Visual C++ 2008 EE) and precompiled standalone utulity, IDA Pro 5.5 plugin, IDA Free 4.9 plugin are available in the archive.
发表于 2010-6-30 23:33
发表于 2010-7-1 00:07
