The tool I'm talking about is called Ent (for lack of a better name), and it does two things:
1) it measures the entropy of a file
2) it measures the density of FPU instructions in the code section, if the file is a PE
(Why file entropy measurement is interesting is a story for another day (maybe for tomorrow) ;>)
The tool was written in C++, and currently it's Windows only (the next version will be portable; I'm just using some structures from winnt.h), and it uses libpng for PNG creation. The executable binary with the source code is (as always) available at the end of this post.
Ent is run from the command line, and we give it the name of the file whose entropy we want to measure. Ent then divides the file into 256-byte fragments, calculates the entropy of each fragment (using some entropy formula I found somewhere - check the source code for details) and draws a chart. If the file is a PE file, it additionally marks the sections (blue for data, green for code, gray for unused/headers), and in the code section it calculates FPU density and draws another small red chart. The FPU calculation is not very precise - it works by finding bytes in the range D8 to DF inclusive, which are the x87 FPU escape opcodes, so any immediate or address byte that happens to fall in that range is counted as well. However, excluding some false positives in high-entropy areas, this method is sufficient.
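To make the procedure concrete, here is an added example in Python that is not the Ent source: it assumes the "entropy formula" is Shannon entropy (reported in bits per byte rather than the percentage Ent prints), walks 256-byte fragments, reads the PE section table with a minimal parser to find executable sections, and applies the same D8..DF byte heuristic for FPU density. The two-section PE image it analyzes is constructed inline (it has no optional header, so it is not loadable; the parser only needs SizeOfOptionalHeader).

```python
"""Per-block entropy and FPU-opcode density, in the spirit of Ent.
Added example for this post; not the original Ent source."""
import math
import struct
from collections import Counter

BLOCK = 256                      # same fragment size the post uses
FPU_OPCODES = range(0xD8, 0xE0)  # x87 escape opcodes D8..DF
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_entropy(data: bytes, block: int = BLOCK) -> list:
    """(offset, entropy) for each consecutive block; the last one may be short."""
    return [(off, shannon_entropy(data[off:off + block]))
            for off in range(0, len(data), block)]


def fpu_density(code: bytes) -> float:
    """Fraction of bytes in D8..DF: the post's heuristic. It over-counts, since
    any immediate or address byte in that range is reported as an opcode."""
    return sum(b in FPU_OPCODES for b in code) / len(code) if code else 0.0


def pe_sections(data: bytes) -> list:
    """Minimal section-table walk: [(name, raw_off, raw_size, characteristics)].
    Empty list when the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size      # section headers follow the optional header
    out = []
    for i in range(nsec):
        o = table + i * 40
        if o + 40 > len(data):
            break
        name = data[o:o + 8].rstrip(b"\0").decode("ascii", "replace")
        # SizeOfRawData, PointerToRawData, skip reloc/linenumber fields, Characteristics
        raw_size, raw_off, chars = struct.unpack_from("<II12xI", data, o + 16)
        out.append((name, raw_off, raw_size, chars))
    return out


def analyze(data: bytes) -> dict:
    """Entropy chart for the whole file plus FPU density of executable sections."""
    result = {"blocks": block_entropy(data), "sections": pe_sections(data), "fpu": {}}
    for name, off, size, chars in result["sections"]:
        if chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            result["fpu"][name] = fpu_density(data[off:off + size])
    return result


def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton (assumed test input, not a real binary)."""
    img = bytearray(0x500)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                               # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x102)  # IMAGE_FILE_HEADER
    sec = 0x40 + 24
    struct.pack_into("<8sIIIIIIHHI", img, sec,
                     b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40,
                     b".data", 0x100, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    img[0x200:0x400] = b"\xD8\x90\x90\x90" * 128  # 1 in 4 bytes looks like an x87 escape
    img[0x400:0x500] = bytes(range(256))          # every value once: maximal entropy
    return bytes(img)


if __name__ == "__main__":
    r = analyze(build_sample_pe())
    for off, h in r["blocks"]:
        print(f"{off:08x} {h:5.2f} {'#' * int(h * 4)}")
    for name, d in r["fpu"].items():
        print(f"{name}: FPU density {d:.3f}")
```

Run as a script it prints a text chart instead of a PNG: the zero-filled block between the headers and .text comes out at 0.0, the .text blocks at about 0.81 bits per byte (a quarter D8, three quarters 90), and the .data block at the 8.0 ceiling, which is exactly the contrast a packed or encrypted section stands out by.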
Below one can see a chart of a sample PE file (related to the third phase of this year's hackedchallenge contest).
And that's all for now.
ent_v003.zip (185KB, bin+src, windows)
Comments:
There was a similar utility that I used: http://www.fourmilab.ch/random/
Huh, didn't know about it. It even has the same name. Hmm. But mine makes nicer charts ;DDD
http://sourceforge.net/projects/ciat/
Thanks for the link ;> It's very interesting, and it's a good addition to my toolbox ;>
Ent.exe <filename>
Ent v.0.0.3, an entropy level and FPU density measurement tool
by gynvael.coldwind//vx and j00ru//vx
Calculating entropy... [Fent(00009800h - 000098FFh) = 25%]
PE File found, scanning code section for FPU instructions...
Done.
C:inEnt>
No graph pops up!
Haha yep, it doesn't open the file automatically. However thanks for your comment, I will try to add that feature ;>