def entropyCheck(dataList, changeThreshold=0.15):
reads, writes = readsWrites(dataList)
if len(reads) > 1 and len(writes) > 1:
uniqueIn = numUniqueBytes(reads) / float(len(reads))
differentIn = numDifferentBytes(reads) / float(len(reads))
entropyIn = calcEntropyLutz(reads)
uniqueOut = numUniqueBytes(writes) / float(len(writes))
differentOut = numDifferentBytes(writes) / float(len(writes))
entropyOut = calcEntropyLutz(writes)
if min(abs(uniqueIn - uniqueOut), abs(entropyIn - entropyOut),
abs(differentIn - differentOut)) > changeThreshold:
logging.debug("\tentropy hit")
logging.debug("\t input: %f / %f / %f" %
(uniqueIn, entropyIn, differentIn))
logging.debug("\toutput: %f / %f / %f" %
(uniqueOut, entropyOut, differentOut))
logging.debug("\tdeltas: %f / %f / %f" %
(abs(uniqueIn - uniqueOut),
abs(entropyIn - entropyOut),
abs(differentIn - differentOut)))
logging.debug("\t indata: %r" % reads)
logging.debug("\toutdata: %r" % writes)
def lutz(self, changeThreshold = 0.15):
# The detection algorithm searches for loops that decrease
# entropy for any of the three entropy measures by more
# than 15% and contain xor and arithmetic operations in their loop body.
uniqueBBLs = self.target.getUniqueBBLs()
loops = self.target.getLoops().stats
loopExecutions = self.target.getLoops().execs
for startEIP, endEIP, execs, minIter, avgIter, maxIter, totalIter in loops:
executions = loopExecutions[startEIP]
for execution in executions:
for iteration in execution:
intlistWrites = []
intlistReads = []
datas = []
for instruction in iteration:
for data in instruction.data:
if data.mode != None:
datas.append(data)
inputAddr = []
outputAddr = []
for data in datas:
if data.mode == data.modeRead and data.addr not in inputAddr:
inputAddr.append(data.addr)
for i in data.data2int8list():
intlistReads.append(i)
datas.reverse()
for data in datas:
if data.mode == data.modeWrite and data.addr not in outputAddr:
outputAddr.append(data.addr)
for i in data.data2int8list():
intlistWrites.append(i)
if not (len(intlistWrites) > 1 and len(intlistReads) > 1):
# logging.debug("\tmissing in or output (> 1)")
continue
uniqueIn = numUniqueBytes(intlistReads)/float(len(intlistReads))
differentIn = numDifferentBytes(intlistReads)/float(len(intlistReads))
entropyIn = calcEntropyLutz(intlistReads)
uniqueOut = numUniqueBytes(intlistWrites)/float(len(intlistWrites))
differentOut = numDifferentBytes(intlistWrites)/float(len(intlistWrites))
entropyOut = calcEntropyLutz(intlistWrites)
if min(abs(uniqueIn-uniqueOut), abs(entropyIn-entropyOut), abs(differentIn-differentOut)) > changeThreshold:
logging.info("entropy hit: bbl %s of %s:%s, bitwise = %f, writes %d reads %d" % (hex(iteration[0].eip), iteration[0].modulefile(), iteration[0].symbol, iteration.isBitwiseArithPercentage(), len(intlistWrites), len(intlistReads)))
logging.debug("%r - %r\texes %d\tmin %d\tavg %d\tmax %d\ttotal %d" % (startEIP, endEIP, execs, minIter, avgIter, maxIter, totalIter))
logging.debug(" input: %f / %f / %f" % (uniqueIn, entropyIn, differentIn))
logging.debug("output: %f / %f / %f" % (uniqueOut, entropyOut, differentOut))
logging.debug("deltas: %f / %f / %f" % (abs(uniqueIn-uniqueOut), abs(entropyIn-entropyOut), abs(differentIn-differentOut)))
logging.debug(" indata: %r" % intlistReads)
logging.debug("outdata: %r" % intlistWrites)
def entropyCheck(dataList, changeThreshold = 0.15):
reads, writes = readsWrites(dataList)
if len(reads) > 1 and len(writes) > 1:
uniqueIn = numUniqueBytes(reads)/float(len(reads))
differentIn = numDifferentBytes(reads)/float(len(reads))
entropyIn = calcEntropyLutz(reads)
uniqueOut = numUniqueBytes(writes)/float(len(writes))
differentOut = numDifferentBytes(writes)/float(len(writes))
entropyOut = calcEntropyLutz(writes)
if min(abs(uniqueIn-uniqueOut), abs(entropyIn-entropyOut), abs(differentIn-differentOut)) > changeThreshold:
logging.debug("\tentropy hit")
logging.debug("\t input: %f / %f / %f" % (uniqueIn, entropyIn, differentIn))
logging.debug("\toutput: %f / %f / %f" % (uniqueOut, entropyOut, differentOut))
logging.debug("\tdeltas: %f / %f / %f" % (abs(uniqueIn-uniqueOut), abs(entropyIn-entropyOut), abs(differentIn-differentOut)))
logging.debug("\t indata: %r" % reads)
logging.debug("\toutdata: %r" % writes)
def lutz(self, changeThreshold=0.15):
# The detection algorithm searches for loops that decrease
# entropy for any of the three entropy measures by more
# than 15% and contain xor and arithmetic operations in their loop body.
uniqueBBLs = self.target.getUniqueBBLs()
loops = self.target.getLoops().stats
loopExecutions = self.target.getLoops().execs
for startEIP, endEIP, execs, minIter, avgIter, maxIter, totalIter in loops:
executions = loopExecutions[startEIP]
for execution in executions:
for iteration in execution:
intlistWrites = []
intlistReads = []
datas = []
for instruction in iteration:
for data in instruction.data:
if data.mode != None:
datas.append(data)
inputAddr = []
outputAddr = []
for data in datas:
if data.mode == data.modeRead and data.addr not in inputAddr:
inputAddr.append(data.addr)
for i in data.data2int8list():
intlistReads.append(i)
datas.reverse()
for data in datas:
if data.mode == data.modeWrite and data.addr not in outputAddr:
outputAddr.append(data.addr)
for i in data.data2int8list():
intlistWrites.append(i)
if not (len(intlistWrites) > 1 and len(intlistReads) > 1):
# logging.debug("\tmissing in or output (> 1)")
continue
uniqueIn = numUniqueBytes(intlistReads) / float(
len(intlistReads))
differentIn = numDifferentBytes(intlistReads) / float(
len(intlistReads))
entropyIn = calcEntropyLutz(intlistReads)
uniqueOut = numUniqueBytes(intlistWrites) / float(
len(intlistWrites))
differentOut = numDifferentBytes(intlistWrites) / float(
len(intlistWrites))
entropyOut = calcEntropyLutz(intlistWrites)
if min(abs(uniqueIn - uniqueOut),
abs(entropyIn - entropyOut),
abs(differentIn - differentOut)) > changeThreshold:
logging.info(
"entropy hit: bbl %s of %s:%s, bitwise = %f, writes %d reads %d"
% (hex(iteration[0].eip),
iteration[0].modulefile(), iteration[0].symbol,
iteration.isBitwiseArithPercentage(),
len(intlistWrites), len(intlistReads)))
logging.debug(
"%r - %r\texes %d\tmin %d\tavg %d\tmax %d\ttotal %d"
% (startEIP, endEIP, execs, minIter, avgIter,
maxIter, totalIter))
logging.debug(" input: %f / %f / %f" %
(uniqueIn, entropyIn, differentIn))
logging.debug("output: %f / %f / %f" %
(uniqueOut, entropyOut, differentOut))
logging.debug("deltas: %f / %f / %f" %
(abs(uniqueIn - uniqueOut),
abs(entropyIn - entropyOut),
abs(differentIn - differentOut)))
logging.debug(" indata: %r" % intlistReads)
logging.debug("outdata: %r" % intlistWrites)
