From 807248f9343a4cabb48c3be1a512b27f6377e871 Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Tue, 3 Mar 2015 15:58:59 +0100
Subject: First commit!

---
 modules/entropy.py | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 modules/entropy.py

(limited to 'modules/entropy.py')

diff --git a/modules/entropy.py b/modules/entropy.py
new file mode 100644
index 0000000..48b2924
--- /dev/null
+++ b/modules/entropy.py
@@ -0,0 +1,56 @@
+''' This module uses shannon's Entropy to detect packed malwares
+'''
+import os
+import math
+import logging
+logging.basicConfig(level=logging.DEBUG)
+
+import scanmodule
+
+def main():
+    return Entropy()
+
+class Entropy(scanmodule.ScanModule):
+    name = 'entropy'
+    def populate(self, path):
+        pass
+    def load(self, path):
+        pass
+    def save(self, path):
+        pass
+
+    def __compute_score(self, path):
+        return (self.__entropy(path) - 5) * 100
+
+    def is_malware(self, path):
+        score = self.__compute_score(path)
+        logging.info('Entropy score for ' + path + ' : ' + str(score))
+        return score > 75
+
+    def evaluate(self, path):
+        ''' Computes an arbitraty score for the given path
+        @ret A sorted list of the form [name, match_in_percent_superior_to_zero]
+        '''
+        score = self.__compute_score(path)
+        if score > 0:
+            return [['MALWARE', score],]
+        return None
+
+    def __entropy(self, path):
+        ''' Computes shannon's entropy for the given file
+        @param path Path to the file
+        '''
+        # Computes the frequency of each byte in the file
+        fsize = max(float(os.path.getsize(path)), 1.0)
+
+        freq = [0] * 256
+        with open(path, 'rb') as f:
+            for c in f.read():
+                freq[ord(c)] += 1
+
+        entropy = 0.0
+        for f in freq:
+            if f:
+                f /= fsize
+                entropy += f * math.log(f, 2)
+        return -entropy
--
cgit v1.3