path: root/tools/pe_bliss/entropy.cpp
/*************************************************************************/
/* Copyright (c) 2015 dx, http://kaimi.ru                                */
/*                                                                       */
/* Permission is hereby granted, free of charge, to any person           */
/* obtaining a copy of this software and associated documentation        */
/* files (the "Software"), to deal in the Software without               */
/* restriction, including without limitation the rights to use,          */
/* copy, modify, merge, publish, distribute, sublicense, and/or          */
/* sell copies of the Software, and to permit persons to whom the        */
/* Software is furnished to do so, subject to the following conditions:  */
/* The above copyright notice and this permission notice shall be        */
/* included in all copies or substantial portions of the Software.       */
/*                                                                       */
/* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,       */
/* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF    */
/* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.*/
/* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY  */
/* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,  */
/* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE     */
/* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.                */
/*************************************************************************/
#include <cmath>
#include "entropy.h"
#include "utils.h"

namespace pe_bliss
{
//Calculates the entropy of a single PE image section from its raw data.
//Throws pe_exception (section_is_empty) when the section holds no raw data;
//otherwise the bytes are handed to the (data, length) overload.
double entropy_calculator::calculate_entropy(const section& s)
{
	const std::string& raw = s.get_raw_data();

	//An empty section has no byte distribution to measure
	if(raw.empty())
		throw pe_exception("Section is empty", pe_exception::section_is_empty);

	return calculate_entropy(raw.data(), raw.length());
}

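//Calculates entropy for an istream, from the current read position to the end
//of the stream. On success the read position is restored to where it started.
//Throws pe_exception:
//  stream_is_bad - the stream is bad, its position cannot be queried, or it
//                  ends before the expected number of bytes has been read
//  data_is_empty - no bytes remain after the current position
//The stream usually carries a file that is not trusted, so a short or failing
//read must never be folded into the histogram: istream::get() returns EOF on
//failure, and casting that to unsigned char would count a phantom 0xFF byte
//for every missing byte and distort the reported entropy.
//NOTE(review): the counters are 32-bit, so a stream holding more than 2^32-1
//occurrences of one byte value wraps its counter; the counter type is fixed by
//the histogram overload's signature.
double entropy_calculator::calculate_entropy(std::istream& file)
{
	uint32_t byte_count[256] = {0}; //Occurrence count for each of the 256 byte values

	if(file.bad())
		throw pe_exception("Stream is bad", pe_exception::stream_is_bad);

	std::streamoff pos = file.tellg();
	if(pos < 0) //tellg() reports failure as -1; there is no position to measure from or restore
		throw pe_exception("Stream is bad", pe_exception::stream_is_bad);

	std::streamoff length = pe_utils::get_file_size(file);
	length -= file.tellg();

	//Don't calculate entropy for empty buffers. A negative length is rejected
	//too: the counting loop below compares with "!=" and would not terminate.
	if(length <= 0)
		throw pe_exception("Data length is zero", pe_exception::data_is_empty);

	//Count bytes, stopping at the first failed read instead of counting EOF as data
	for(std::streamoff i = 0; i != length; ++i)
	{
		const std::istream::int_type ch = file.get();
		if(ch == std::istream::traits_type::eof())
			throw pe_exception("Stream is bad", pe_exception::stream_is_bad);

		++byte_count[static_cast<unsigned char>(ch)];
	}

	file.seekg(pos);

	return calculate_entropy(byte_count, length);
}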

//Calculates entropy for a memory block of `length` bytes starting at `data`.
//Throws pe_exception (data_is_empty) when length is zero.
//The caller must guarantee that `data` really addresses `length` readable bytes;
//nothing in this function can verify that.
double entropy_calculator::calculate_entropy(const char* data, size_t length)
{
	//Reject empty buffers before any counting is done
	if(length == 0)
		throw pe_exception("Data length is zero", pe_exception::data_is_empty);

	uint32_t histogram[256] = {0}; //Occurrence count for each of the 256 byte values

	//Walk the buffer; indexing through unsigned char keeps bytes >= 0x80
	//from turning into negative array indexes where char is signed
	const char* const end = data + length;
	for(const char* cur = data; cur != end; ++cur)
		++histogram[static_cast<unsigned char>(*cur)];

	return calculate_entropy(histogram, length);
}

//Calculates entropy over the raw data of every section of a PE image
//(only section data is counted).
//NOTE(review): unlike the other overloads there is no empty-data check here.
//With zero total bytes the histogram overload divides 0.0 by 0, and on
//IEEE-754 platforms the resulting NaN fails its "> 0" test, so the result
//is 0 rather than an exception - confirm callers expect that.
double entropy_calculator::calculate_entropy(const pe_base& pe)
{
	uint32_t histogram[256] = {0}; //Occurrence count for each of the 256 byte values
	size_t byte_total = 0; //Number of raw bytes seen across all sections

	//Fold every section's raw bytes into the one shared histogram
	const section_list& sections = pe.get_image_sections();
	for(section_list::const_iterator sec = sections.begin(); sec != sections.end(); ++sec)
	{
		const std::string& raw = sec->get_raw_data();
		byte_total += raw.length();

		for(std::string::const_iterator ch = raw.begin(); ch != raw.end(); ++ch)
			++histogram[static_cast<unsigned char>(*ch)];
	}

	return calculate_entropy(histogram, byte_total);
}

//Calculates entropy from a 256-entry byte histogram.
//byte_count[i] is the number of occurrences of byte value i and total_length
//is the number of bytes counted. Each byte value with a non-zero share p adds
//|p * log(p) * pe_utils::log_2| to the result.
//NOTE(review): pe_utils::log_2 presumably converts the natural logarithm to
//base 2, which would make the result bits per byte (0..8) - confirm in utils.h.
//total_length is not validated here; callers are expected to pass a positive value.
double entropy_calculator::calculate_entropy(const uint32_t byte_count[256], std::streamoff total_length)
{
	double result = 0.; //Running sum of the per-value contributions

	for(uint32_t value = 0; value < 256; ++value)
	{
		const double share = static_cast<double>(byte_count[value]) / total_length;

		//Byte values that never occur contribute nothing (and log(0) is undefined)
		if(!(share > 0.))
			continue;

		result += std::abs(share * (std::log(share) * pe_utils::log_2));
	}

	return result;
}
}