_____________________________________________________________________
[Entyzer+ v0.6 - Orezmus Build:220214]
[Advanced Entropy Analyzer]
<All Rights Reserved (C) 2010-2014>
_____________________________________________________________________
Mohamad Fadel Mokbel
http://www.mfmokbel.com
mfmokbel [AT] live [DOT] com
_____________________________________________________________________
- Description: Entropy Analyzer+ with Hex editing capabilities (-h:hex)
and support for other statistical measurements (-h &
-h:stat).
Entyzer+ is an Advanced Entropy Analyzer armed with various
mathematical binary editing capabilities. It features many
custom and known algorithms that align with the concept of
information theory. Moreover, it is a command-line tool with
around 30 major features. The tool can be used in the fields
of Reverse Code Engineering, malware analysis (with an
optimized and generalized implementation of Flame’s Worm
substitution algorithm), System Forensics and other related
areas.
_____________________________________________________________________
Note: Input(s) and Output(s) are in decimal. In Hex if noted.
Everything works at the byte level (1-gram). Otherwise, as noted.
+ Syntax: Entyzer -f <filename> { -b [<start_offset> <size>] }
- To get the Entropy, Redundancy, A. Mean and StdDev. for any file
or for a specific block.
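Added example, not Entyzer's own code: the four whole-file or per-block figures described above, computed over a constructed buffer. The tool's exact formulas are not documented here, so bits-per-byte Shannon entropy and redundancy = 1 - entropy/8 are assumptions.

```python
import math
from collections import Counter

# Added example, not Entyzer's own code. Assumed definitions (the tool's
# exact formulas are not documented here):
#   entropy    = Shannon entropy in bits per byte (1-gram, max 8.0)
#   redundancy = 1 - entropy / 8
#   mean and stddev are over the raw byte values of the block

def byte_stats(data: bytes, start: int = 0, size=None) -> dict:
    """Entropy, redundancy, arithmetic mean and std. dev. of a block.

    With no block given the whole buffer is used, as with -f alone;
    otherwise data[start:start+size], as with -b <start_offset> <size>.
    """
    block = data[start:] if size is None else data[start:start + size]
    if not block:
        raise ValueError("empty block: check start offset and size")
    n = len(block)
    entropy = sum(-(c / n) * math.log2(c / n) for c in Counter(block).values())
    mean = sum(block) / n
    variance = sum((b - mean) ** 2 for b in block) / n    # population variance
    return {
        "entropy": entropy,
        "redundancy": 1.0 - entropy / 8.0,
        "mean": mean,
        "stddev": math.sqrt(variance),
    }

# Constructed sample: every byte value once (uniform), then 64 zero bytes.
SAMPLE = bytes(range(256)) + b"\x00" * 64

if __name__ == "__main__":
    for name, s in (("whole file", byte_stats(SAMPLE)),
                    ("first 256", byte_stats(SAMPLE, 0, 256)),   # entropy 8.0
                    ("zero tail", byte_stats(SAMPLE, 256, 64))): # entropy 0.0
        print(f"{name:10s} H={s['entropy']:.4f} R={s['redundancy']:.4f} "
              f"mean={s['mean']:.2f} stddev={s['stddev']:.2f}")
```

Running per block rather than over the whole file is what exposes a packed or encrypted region sitting inside otherwise low-entropy data.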
+ Syntax: Entyzer -f <filename> -graph <IsValue> <Color Template>
- To generate a hue visualization of the data as an HTML file.
- IsValue takes either 0 or 1. 1 for having the frequency of each
character displayed, 0 otherwise.
- Color Template takes a value between 1 and 7 for different templates:
1:= Gray I, 2:= Gray II, 3:= Tan, 4:= Olive Green, 5:= Blue,
6:= Green + Green + Yellow, 7:= Orange + Orange + Yellow
+ Syntax: Entyzer -f <filename> -xml
- To generate an XML report: general and Entropy information, percentage
and frequency of every hex value.
+ Syntax: Entyzer -pe <filename>
- To get the Entropy, Redundancy and StdDev. for every section of a
PE binary file.
+ Syntax: Entyzer -elf -section -<option> <filename>
- <option> = list, To list all the section names of an elf binary file.
<option> = all, To get the Entropy, Redundancy and StdDev.
for every section of an elf binary file.
<option> = select, Option select is followed by a <section_name>
to get the Entropy, Redundancy and StdDev. for a selected
section of an elf binary file. (e.g. section_name = .text)
+ Syntax: Entyzer -elf -SDCAlg <filename * 5>
- To apply the Symbiotic Differential Comparison Algorithm on a reference
elf binary file and 4 files compiled at varying levels of optimizations
(in increasing order). Only the .text section is considered.
- For more information about 'SDCAlg' and 'KLD', please refer to the
paper "An Unobtrusive Entropy Based Compiler Optimization Comparator"
+ Syntax: Entyzer -elf -section -select <section_name> -KLD <filename * 2>
- To apply Kullback-Leibler Divergence (KLD) measure on two elf files
for a selected section. The implementation also reports the Resistor
Average (RA) distance which symmetrizes KLD.
+ Syntax: Entyzer -f -KLD <filename * 2>
- To apply KLD and RA on any file.
[?] To list the hex transformation options, use the sub-option -h:hex
[?] To list the distance metrics options, use the sub-option -h:stat
+ Syntax: Entyzer -f <filename> -hext: <operation> <operand>
{ -b [<start_offset> <end_offset>] }
- To apply various mathematical hex transformations (operations) on
a specific file. All the operations work at the byte level. If the
block (-b) option is specified, the transformation operates only on
the range specified by the start offset (SO) and end offset (EO),
otherwise the whole file is taken. <operand> accepts a decimal value
between 0 and 255.
- The <operation> can take any of the following transformations:
+ {mod, neg, div, mult, bfmult, sub, add} (neg takes no operand)
# ex. [... -hext: bfmult <Key>]
This decodes data that was encoded with the multiplication
operation: in case of an overflow, the resulting value loses
its high byte, so the decoder has to account for that.
+ Binary operations: {xor, or, and, inv} (inv takes no operand)
+ {rxor} (Rolling XOR, takes more than one operand/key). The
size of the key is limited by the file size !(-b).
Keys must be separated with a space.
# ex. [... -hext: rxor 4 1 56 90 124 250]
+ {xorxv} (XOR Except This Value (ETV), takes ETV)
+ {xorkeybf} (Brute force data XORed with 1-byte key)
# ex. [... -hext: xorkeybf <data>]
A brute forcer for data XORed/encrypted with 1-byte key.
<data> takes the 'original plain version' to search for;
a minimum of 2 values is needed. If a match is found, it
reports the key and the index at which the data is located
in the file.
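Added example, not Entyzer's own code: a known-plaintext search for a 1-byte XOR key in the style of the xorkeybf option above. The sample buffer, its key 0x5A and the embedded "MZ" marker are all constructed for the demonstration.

```python
# Added example (not Entyzer's own code): known-plaintext search for a
# 1-byte XOR key, as the -hext: xorkeybf option is described above.

def xor_key_bruteforce(data: bytes, plain: bytes) -> list:
    """Return every (key, index) at which data XOR key contains `plain`.

    `plain` is the known original fragment (at least 2 bytes, as the tool
    requires; with a single byte every key would trivially 'match').
    At each offset the key is fixed by the first byte (data[i] ^ plain[0]),
    so only that one key has to be checked there instead of all 256.
    """
    if len(plain) < 2:
        raise ValueError("need at least 2 known plaintext bytes")
    hits = []
    for i in range(len(data) - len(plain) + 1):
        key = data[i] ^ plain[0]
        if all(data[i + j] ^ key == plain[j] for j in range(1, len(plain))):
            hits.append((key, i))
    return hits

def xor_decode(data: bytes, key: int) -> bytes:
    """Apply the recovered 1-byte key to the whole buffer."""
    return bytes(b ^ key for b in data)

# Constructed sample: 16 filler bytes followed by a PE-style "MZ" header,
# the whole buffer XORed with key 0x5A.
KEY = 0x5A
FILLER = b"\x11\x22\x33\x44" * 4
SAMPLE = xor_decode(FILLER + b"MZ\x90\x00" + b"PE\x00\x00", KEY)

if __name__ == "__main__":
    for key, idx in xor_key_bruteforce(SAMPLE, b"MZ\x90\x00"):
        print(f"key=0x{key:02X} index={idx} -> "
              f"{xor_decode(SAMPLE, key)[idx:idx + 8]!r}")
```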
+ {nprxo} (Null-Preserving XOR, !XOR 0 & operand values)
+ {swpnb} (Swap Nibbles, swpnb takes no operand)
+ {sleft, sright, rotl, rotr} => Shift/Rotate Left/Right
# ex. [... -hext: xor 4 -b 10 20]
+ {rand} (Randomize takes two operand values: Min and Max)
+ {xrand} (This option provides a generic implementation of
encrypting data using the XOR binary operator, with keys
generated using rand() function based on a chosen seed
value and key selection mode. Option -b is not applicable)
** Options [... -hext: xrand <seed value> -m <r|h|l> -s <c|f>]
# ex. [... -hext: xrand 222153 -m r 20 199 -s c]
# ex. [... -hext: xrand 63546354 -m h -s f]
seed value : <seed value> to initialize the pseudo random
number generator rand().
mode option (-m) : key selector. Data will be XORed with the
values of the chosen mode. Takes either of the
following options: r, h, or l.
r: range mode. Takes additional two arguments,
a minimum and maximum values. This mode
limits keys' values to values between the
chosen minimum and maximum.
h: high byte value. Takes the high byte value
of the generated pseudo random value. Takes
no additional arguments.
l: low byte value. Takes the low byte value of
the generated pseudo random value. Takes no
additional arguments.
save option (-s) : data output. Takes either of the following
options: c or f
c: displays to the console window some
statistical information about the
transformation process.
Information displayed:
- rand() : <entropy of the generated pseudo random
values. Maximum is 14.9999>
- High Byte : <entropy of the high byte values of the
rand() values. Maximum is 8.0>
- Low Byte : <entropy of the low byte values of the
rand() values. Maximum is 8.0>
- Original Data: <entropy of the original data. Input
file>
- XORed Data : <entropy of the data after
transformation>
f: generates a CSV file with the name of the
input file. All generated data is in hex.
CSV file contains original bytes, generated
pseudo random values, mode values (depends
on the mode), and XORed values.
+ {flame} (Apply Flame's Substitution Algorithm)
- The implementation is inspired by the Flame/SkyWiper Worm.
- Entyzer features an optimized and generalized implementation
of Flame's Substitution Algorithm.
- The command line options are the following:
- ... -hext: flame <Substitution Table> -pm <0|1> -p <0|1>
- The argument <Substitution Table> takes a file name (in binary
format) of size 256 bytes. This table contains the set of
keys. Thus, modification on the table is done via a Hex
editor.
- The option '-pm' represents the Parsing Mode. Two modes are
supported.
- If the argument is 0, it replaces the index value at the key
position with the key value.
- For example,
0 1 2 3 4 5 ...
0 EA 82 63 AE A3 8C ...
// For every '0x00' replace it with '0xEA'
- If the argument is 1, it replaces the key value with the
index value.
- For example,
0 1 2 3 4 5 ...
0 EA 82 63 AE A3 8C ...
// For every '0xEA' replace it with '0x00'
- The option '-p' outputs statistics about the transformation
process.
- If the argument is 0, it outputs nothing.
- If the argument is 1, it outputs to the console window
various statistics about the changes that have been applied
to the original file. The values of the parameters 'Value'
and 'Key' are in hex while the values of the parameter
'Changes' are in decimal.
- 'flame' transformation also supports the '-b' option.
- For reference, three 'Substitution Tables' are included in this
release ('Template' folder):
- flamemode1: Is the actual table used in the Flame Worm.
- flamemode0: Same as in flamemode1, but for pm = 0.
- ftemplatex: Contains a raw template of size 256.
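Added example, not Entyzer's or Flame's own code: a 256-byte substitution table applied in the two parsing modes described above, with '-p 1'-style change statistics. The table used here is a constructed permutation, not the Flame table from the 'Template' folder; load_table() is a hypothetical helper for reading such a file.

```python
# Added example (not Entyzer's or Flame's own code): a 256-byte substitution
# table applied in parsing modes pm=0 and pm=1, with -p 1 style statistics.

def load_table(path: str) -> bytes:
    """Read a substitution table file; it must be exactly 256 bytes."""
    with open(path, "rb") as fh:
        table = fh.read()
    if len(table) != 256:
        raise ValueError(f"table must be 256 bytes, got {len(table)}")
    return table

def substitute(data: bytes, table: bytes, pm: int) -> bytes:
    """pm=0: byte v -> table[v]. pm=1: byte v -> index i with table[i] == v.

    pm=1 with a non-permutation table is ambiguous (several indices share a
    key) or lossy (a key absent from the table); here the first index wins
    and an absent key is left unchanged, both as assumptions.
    """
    if pm == 0:
        return bytes(table[v] for v in data)
    inverse = {}
    for i, k in enumerate(table):
        inverse.setdefault(k, i)
    return bytes(inverse.get(v, v) for v in data)

def change_stats(before: bytes, after: bytes) -> dict:
    """Count of changed bytes per (Value, Key) pair, like the -p 1 output."""
    stats = {}
    for b, a in zip(before, after):
        if b != a:
            stats[(b, a)] = stats.get((b, a), 0) + 1
    return stats

# Constructed table: a permutation that maps index 0x00 to key 0xEA.
TABLE = bytes((i + 0xEA) & 0xFF for i in range(256))

if __name__ == "__main__":
    plain = b"\x00\x01\x02\x00ABC"
    enc = substitute(plain, TABLE, 0)       # every 0x00 becomes 0xEA
    dec = substitute(enc, TABLE, 1)         # every 0xEA becomes 0x00 again
    for (value, key), n in sorted(change_stats(plain, enc).items()):
        print(f"Value {value:02X} Key {key:02X} Changes {n}")
    assert dec == plain
```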
+ {t1e} (The (t1e) encryption/decryption template module)
# Takes 3 operand values: 'x', 'y' and 'z'
# t1e := {add x, xor y, sub z} - t1d := {add z, xor y, sub x}
# ex. To encrypt: [... -hext: t1e x y z]
# To decrypt: [... -hext: t1e z y x]
+ Syntax: Entyzer -f <filename> -cpp [ -b <start_offset> <end_offset> ]
- To generate an unsigned C/C++ hex char byte array.
+ Syntax: Entyzer -f <filename> -<operation>
{ -b [<start_offset> <end_offset>] }
- To apply various mathematical distance metrics (operations) on a
specific file. All the operations work at the byte level (1-gram). If
the block (-b) option is specified, the metric operates only on the
range specified by the SO and EO, otherwise the whole file is taken.
- The <operation> can take any of the following metrics:
+ {snr} (Signal to Noise Ratio)
- Calculates Signal to Noise Ratio (snr). Reports "Mean" (of a
discrete probability distribution), "Standard Deviation" (for a
discrete random variable with different probabilities), and snr
(Mean/StdDev). Option -b is not applicable.
+ {spsidx} (Simpson's Index)
- 256-Dimension (256-gram - HexBytes) - Difference/Diversity quantifier
1 = Infinite diversity, 0 = No diversity
A low Simpson's index (LSI) indicates high diversity, a high one (HSI)
low diversity.
+ {cbrdst} (Canberra's Distance)
- 1-Dimension (1-gram) - Sensitive to very minute variations
+ {srndst} (Sorensen's Distance)
- Also known as Bray-Curtis Distance - Measures the similarity between bytes
+ {mkskidst} (Minkowski's Distance of order Lambda = 3)
+ {mhtndst} (Manhattan's Distance, Lambda = 1)
# ex. [Entyzer -f test -cbrdst]
+ Syntax: Entyzer -f -pearson <filename * 2>
- To get Pearson's Test-Statistic (Chi-Square Test) between two files.
First file represents the Reference data set, second file represents
the New data set to be tested against the Reference one. This is for
finding the similarity level between two files.
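Added example, not Entyzer's own code, serving both the -KLD/RA syntax listed earlier and the -pearson syntax just above: the two byte distributions are compared with Kullback-Leibler Divergence, the Resistor Average distance and Pearson's chi-square statistic. Log base 2, no smoothing of empty bins, and the skipping of bins absent from the reference set are assumptions; the sample inputs are constructed.

```python
import math
from collections import Counter
# Added example (not Entyzer's own code) for the -KLD and -pearson options:
# compare the 1-gram (byte) distributions of two inputs. Assumed: log base 2
# (bits), and a bin where p > 0 but q == 0 makes KLD infinite (no smoothing).

def byte_dist(data: bytes) -> list:
    """Probability of each byte value 0..255 in data."""
    counts = Counter(data)
    return [counts.get(v, 0) / len(data) for v in range(256)]

def kld(p: list, q: list) -> float:
    """Kullback-Leibler divergence D(p || q) in bits. Not symmetric."""
    total = 0.0
    for pi, qi in zip(p, q):
        if pi == 0.0:
            continue                      # 0 * log(0) counts as 0
        if qi == 0.0:
            return math.inf               # p has mass where q has none
        total += pi * math.log2(pi / qi)
    return total

def resistor_average(p: list, q: list) -> float:
    """RA distance 1 / (1/D(p||q) + 1/D(q||p)), which symmetrizes KLD."""
    a, b = kld(p, q), kld(q, p)
    if math.isinf(a) or math.isinf(b):
        return min(a, b)                  # an infinite term drops out
    return 0.0 if a + b == 0.0 else (a * b) / (a + b)

def pearson_chi2(reference: bytes, new: bytes) -> tuple:
    """Chi-square statistic of `new` against `reference` as (stat, dof).
    Expected counts are reference proportions scaled to len(new); bins the
    reference never contains (expected 0) are skipped, an assumption."""
    exp = [p * len(new) for p in byte_dist(reference)]
    obs = Counter(new)
    stat, dof = 0.0, -1
    for v in range(256):
        if exp[v] > 0.0:
            dof += 1
            stat += (obs.get(v, 0) - exp[v]) ** 2 / exp[v]
    return stat, dof

# Constructed samples sharing the same two-symbol support.
A = b"\x00\x00\x01\x01"               # p = {0x00: 0.5, 0x01: 0.5}
B = b"\x00\x01\x01\x01"               # q = {0x00: 0.25, 0x01: 0.75}

if __name__ == "__main__":
    p, q = byte_dist(A), byte_dist(B)
    print(f"KLD(A||B)={kld(p, q):.4f}  KLD(B||A)={kld(q, p):.4f}  "
          f"RA={resistor_average(p, q):.4f}  chi2,dof={pearson_chi2(A, B)}")
```

Bytes that occur only in the new file make KLD infinite and are dropped from the chi-square sum, so they are worth listing separately rather than hidden in either figure.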
+ Syntax: Entyzer -bfent <filename> -m <1|2|3|4> -s <NPR> <MV> <PPR>
-d <0|1> { -b [<start_offset> <end_offset>] }
- To Brute Force for a specific Entropy value/range. -m stands for mode
of operation. Four modes are supported, 1, 2, 3 or 4. (NPR/PPR)
Negative/Positive Permissible Ranges take a value between [0,1]. Main
Value (MV) is the Entropy central value sought. -d is for dumping found
Entropy value(s), 0 to the console window and 1 to a csv file (the name
of the generated csv file takes the name of the original file
<filename>).
# ex. [Entyzer -bfent test -m 3 -s 0.3 5.8 0.7 -d 1]
Please refer to "On the Intractability of Designing an Efficient
Entropy Brute Forcer" for more information about
how to use this feature.
[----------------------------------------------------]
+ Entyzer.exe Signature:
- 32-Bit: MD5 3B0BE2A5F5EFD5F60BAAE68A56395325
- 64-Bit: MD5 B9023822025A66908CD70DAA6FB3FA38
+ Libraries used:
- ELFIO library by Serge Lamikhov
- MD5 Library by Benjamin Grüdelbach
[----------------------------------------------------]