-rw-r--r--README.md4
-rw-r--r--ReverseEngineering/Get-Entropy.ps1106
-rw-r--r--ReverseEngineering/ReverseEngineering.psd12
3 files changed, 111 insertions, 1 deletions
diff --git a/README.md b/README.md
index fbb0be2..511b7ec 100644
--- a/README.md
+++ b/README.md
@@ -140,6 +140,10 @@ Displays the process modules that have been loaded since the call to Register-Pr
Stops the running process module trace
+#### `Get-Entropy`
+
+Calculates the entropy of a file or byte array.
+
## AntivirusBypass
**AV doesn't stand a chance against PowerShell!**
diff --git a/ReverseEngineering/Get-Entropy.ps1 b/ReverseEngineering/Get-Entropy.ps1
new file mode 100644
index 0000000..42e5d28
--- /dev/null
+++ b/ReverseEngineering/Get-Entropy.ps1
@@ -0,0 +1,106 @@
+function Get-Entropy
+{
+<#
+.SYNOPSIS
+
+ Calculates the entropy of a file or byte array.
+
+ PowerSploit Function: Get-Entropy
+ Author: Matthew Graeber (@mattifestation)
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.PARAMETER ByteArray
+
+ Specifies the byte array containing the data from which entropy will be calculated.
+
+.PARAMETER FilePath
+
+ Specifies the path to the input file from which entropy will be calculated.
+
+.EXAMPLE
+
+ C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll
+
+.EXAMPLE
+
+ C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ }
+
+.EXAMPLE
+
+ C:\PS>$RandArray = New-Object Byte[](10000)
+ C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) }
+ C:\PS>$RandArray | Get-Entropy
+
+ Description
+ -----------
+ Calculates the entropy of a large array containing random bytes.
+
+.EXAMPLE
+
+ C:\PS> 0..255 | Get-Entropy
+
+ Description
+ -----------
+ Calculates the entropy of 0-255. This should equal exactly 8.
+
+.OUTPUTS
+
+ System.Double
+
+ Get-Entropy outputs a double representing the entropy of the byte array.
+
+.LINK
+
+ http://www.exploit-monday.com
+#>
+
+ [CmdletBinding()] Param (
+ [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')]
+ [ValidateNotNullOrEmpty()]
+ [Byte[]]
+ $ByteArray,
+
+ [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')]
+ [ValidateNotNullOrEmpty()]
+ [IO.FileInfo]
+ $FilePath
+ )
+
+ BEGIN
+ {
+ $FrequencyTable = @{}
+ $ByteArrayLength = 0
+ }
+
+ PROCESS
+ {
+ if ($PsCmdlet.ParameterSetName -eq 'File')
+ {
+ $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName)
+ }
+
+ foreach ($Byte in $ByteArray)
+ {
+ $FrequencyTable[$Byte]++
+ $ByteArrayLength++
+ }
+ }
+
+ END
+ {
+ $Entropy = 0.0
+
+ foreach ($Byte in 0..255)
+ {
+ $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength
+ if ($ByteProbability -gt 0)
+ {
+ $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2)
+ }
+ }
+
+ Write-Output $Entropy
+ }
+} \ No newline at end of file
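Review bot: An empty file is never rejected — `[ValidateNotNullOrEmpty()]` guards only `$ByteArray`, so with `-FilePath` pointing at a zero-length file `$ByteArrayLength` stays 0 and the division in END produces NaN (double division) that is written to output with no error; a guard at the top of END, `if ($ByteArrayLength -eq 0) { throw 'Get-Entropy: no input bytes were supplied.' }`, turns that into a terminating error. Separately, `[IO.File]::ReadAllBytes` materialises the whole file before any counting happens, so the cost of analysing a large binary is its full size in memory; reading through a FileStream in fixed-size chunks in PROCESS keeps the same frequency table and the same result while bounding memory use, as sketched below. The `.PARAMETER FilePath` text should also state that this parameter is not bound from the pipeline (only `ByteArray` is), which is why the second example has to wrap the call in `ForEach-Object`.
```powershell
    PROCESS
    {
        if ($PsCmdlet.ParameterSetName -eq 'File')
        {
            # Stream the file in chunks so a large input need not be held in memory at once.
            $Stream = [IO.File]::OpenRead($FilePath.FullName)
            try
            {
                $Buffer = New-Object Byte[](65536)
                while (($Read = $Stream.Read($Buffer, 0, $Buffer.Length)) -gt 0)
                {
                    for ($i = 0; $i -lt $Read; $i++) { $FrequencyTable[$Buffer[$i]]++ }
                    $ByteArrayLength += $Read
                }
            }
            finally { $Stream.Dispose() }
        }
        else
        {
            foreach ($Byte in $ByteArray) { $FrequencyTable[$Byte]++; $ByteArrayLength++ }
        }
    }
    # … unchanged: END block (entropy summation and Write-Output) …
```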
diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1
index de364e1..d9c733f 100644
--- a/ReverseEngineering/ReverseEngineering.psd1
+++ b/ReverseEngineering/ReverseEngineering.psd1
@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G
FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
- 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
+ 'Get-Entropy.ps1', 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''