Skip to main content

This package implements an encoding to bypass entropy antivirus check.

Project description

EntropyEncoding logo

EntropyEncoding

Description

This package implements an encoding to bypass entropy antivirus check.

I have researched about entropy bypass techniques and found people who use adding low-entropy data to bypass entropy check. I think adding data can be optimized and more efficient with a simple entropy encoding to reduce entropy score.

Adding low-entropy data:

  1. you get a larger file
  2. you do not change payload entropy (if the antivirus software splits the file for entropy calculation, it will probably have high entropy on a payload chunk)

Requirements

This package require:

  • python3
  • python3 Standard Library

Installation

python3 -m pip install EntropyEncoding
git clone "https://github.com/mauricelambert/EntropyEncoding.git"
cd "EntropyEncoding"
python3 -m pip install .

Usages

from EntropyEncoding import *

payload = b"shellcode_payload    0000111122223333444455556666777788889999AAAABBBBCCCCDDDDEEEEFFFF" * 120
key = bytes([0,255,127,55,155,25,225,10,220,40,190,26,100,70,90,45,235,32,64,128,215,28,46,158,123,13,8,5,168,191,69])

encrypted_payload = bytes([key[i % len(key)] ^ x for i, x in enumerate(payload)])

print(shannon_entropy(encrypted_payload))  # 7.753825816757683, good encryption or compression have an entropy score > 7.9 and < 8
                                           # Malicious entropy is detected by antivirus software when entropy score is greater than ~= 7.2
                                           # This encrypted payload will be detected as malicious entropy by antivirus software
encoded_shellcode = entropy_encode(encrypted_payload)
encoded2_shellcode = entropy_encode2(encrypted_payload)
print(encoded_shellcode)
print(encoded2_shellcode)

assert entropy_decode(encoded_shellcode)   == encrypted_payload
assert entropy_decode2(encoded2_shellcode) == encrypted_payload

print(shannon_entropy(encoded_shellcode))  # 5.770760744294572, entropy score is smaller than 7.2, antivirus software will not detect this payload with entropy checks
print(shannon_entropy(encoded2_shellcode)) # 5.767383412620195, entropy score is smaller than 7.2, antivirus software will not detect this payload with entropy checks

r"""
I get entropy score from Windows executable, average score is ~= 5 (so 5.7 can be a legitimate entropy score):
>>> from glob import iglob
>>> from statistics import mean
>>> from EntropyEncoding import *
>>> entropy = []
>>> for a in iglob(r"C:\Windows\System32\*.exe"): entropy.append(shannon_entropy(open(a, "rb").read()))
...
>>> max(entropy)
7.932014219115418
>>> min(entropy)
1.6379445326685684
>>> mean(entropy)
5.063622509688209
>>>
"""

Tests results:

~# python3 EntropyEncoding.py
Entropy for non-encoded secrets: 4.521591372417719
Entropy for non-encoded encrypted secrets: 7.951320327821406
Entropy for entropy-encoded encrypted secrets: 5.774096152750044
Entropy for non-encoded exe: 5.22055339277441
Entropy for non-encoded encrypted exe: 7.914685739354301
Entropy for entropy-encoded encrypted exe: 5.759477906043907
~# 

Links

License

Licensed under the GPL, version 3.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

EntropyEncoding-0.0.5.tar.gz (30.8 kB view details)

Uploaded Source

File details

Details for the file EntropyEncoding-0.0.5.tar.gz.

File metadata

  • Download URL: EntropyEncoding-0.0.5.tar.gz
  • Upload date:
  • Size: 30.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.4

File hashes

Hashes for EntropyEncoding-0.0.5.tar.gz
Algorithm Hash digest
SHA256 e8e4a15e3c25969fd737079991e605b81a0ec713079ce3e6acb24c54660d86c5
MD5 2bbdd9928fd8845d36b929e8202863d9
BLAKE2b-256 0e5e79c7275a6ce73827230beacd77225759a5d5842061642e40ab2726b48e41

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page