1 files changed, 56 insertions, 0 deletions
diff --git a/modules/entropy.py b/modules/entropy.py
new file mode 100644
index 0000000..48b2924
--- /dev/null
+++ b/modules/entropy.py
@@ -0,0 +1,56 @@
+''' This module uses shannon's Entropy to detect packed malwares
+'''
+import os
+import math
+import logging
+logging.basicConfig(level=logging.DEBUG)
+import scanmodule
+def main():
+    return Entropy()
+class Entropy(scanmodule.ScanModule):
+    name = 'entropy'
+    def populate(self, path):
+        pass
+    def load(self, path):
+        pass
+    def save(self, path):
+        pass
+    def __compute_score(self, path):
+        return (self.__entropy(path) - 5) * 100
+    def is_malware(self, path):
+        score = self.__compute_score(path)
+        logging.info('Entropy score for ' + path + ' : ' + str(score))
+        return  score > 75
+    def evaluate(self, path):
+        ''' Computes an arbitraty score for the given path
+        @ret A sorted list of the form [name, match_in_percent_superior_to_zero]
+        '''
+        score = self.__compute_score(path)
+        if score > 0:
+            return [['MALWARE', score],]
+        return None
+    def __entropy(self, path):
+        ''' Computes shannon's entropy for the given file
+        @param path Path to the file
+        '''
+        # Computes the frequency of each byte in the file
+        fsize = max(float(os.path.getsize(path)), 1.0)
+        freq = [0] * 256
+        with open(path, 'rb') as f:
+            for c in f.read():
+                freq[ord(c)] += 1
+        entropy = 0.0
+        for f in freq:
+            if f:
+                f /= fsize
+                entropy += f * math.log(f, 2)
+        return -entropy

diff --git a/modules/entropy.py b/modules/entropy.py new file mode 100644 index 0000000..48b2924 --- /dev/null +++ b/modules/entropy.py
@@ -0,0 +1,56 @@
	1	''' This module uses shannon's Entropy to detect packed malwares
	2	'''
	3	import os
	4	import math
	5	import logging
	6	logging.basicConfig(level=logging.DEBUG)
	7
	8	import scanmodule
	9
	10	def main():
	11	return Entropy()
	12
	13	class Entropy(scanmodule.ScanModule):
	14	name = 'entropy'
	15	def populate(self, path):
	16	pass
	17	def load(self, path):
	18	pass
	19	def save(self, path):
	20	pass
	21
	22	def __compute_score(self, path):
	23	return (self.__entropy(path) - 5) * 100
	24
	25	def is_malware(self, path):
	26	score = self.__compute_score(path)
	27	logging.info('Entropy score for ' + path + ' : ' + str(score))
	28	return score > 75
	29
	30	def evaluate(self, path):
	31	''' Computes an arbitraty score for the given path
	32	@ret A sorted list of the form [name, match_in_percent_superior_to_zero]
	33	'''
	34	score = self.__compute_score(path)
	35	if score > 0:
	36	return [['MALWARE', score],]
	37	return None
	38
	39	def __entropy(self, path):
	40	''' Computes shannon's entropy for the given file
	41	@param path Path to the file
	42	'''
	43	# Computes the frequency of each byte in the file
	44	fsize = max(float(os.path.getsize(path)), 1.0)
	45
	46	freq = [0] * 256
	47	with open(path, 'rb') as f:
	48	for c in f.read():
	49	freq[ord(c)] += 1
	50
	51	entropy = 0.0
	52	for f in freq:
	53	if f:
	54	f /= fsize
	55	entropy += f * math.log(f, 2)
	56	return -entropy