packing-box / bintropy

Analysis tool for estimating the likelihood that a binary contains compressed or encrypted bytes

bintropy.entropy fails for MIPS malware binary

nikhilh-20 opened this issue · comments

Malware sample link: https://bazaar.abuse.ch/sample/acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35/

bintropy.entropy() on v1.3.6 fails to return average and highest block entropy for ELF malware: acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35 and that causes bintropy.bintropy(<sample_path>, decide=False) to fail.

$ pip freeze | grep bintropy
bintropy==1.3.6

In [1]: import bintropy

In [2]: with open("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf", "rb") as f:
    ...:     exe = f.read()
    ...: 

In [3]: bintropy.entropy(exe, blocksize=256, ignore_half_block_zeros=True)
Out[3]: ([None, None], 0.0)

In [4]: bintropy.bintropy("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf", decide=False)
---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)
Cell In[2], line 1
----> 1 bintropy.bintropy("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf", decide=False)

File ~/venv/lib/python3.8/site-packages/bintropy/__init__.py:122, in bintropy(executable, mode, blocksize, ignore_half_block_zeros, decide, threshold_average_entropy, threshold_highest_entropy, logger, **kwargs)
    120                 msg += ("\n    #{: <%s}: {}" % iw).format(i + 1, "-" if j is None else j)
    121         __log(logger, msg)
--> 122     return is_packed(e[0], e[1], _t1, _t2, logger) if decide else (max([x for x in e[0] if x is not None]), e[1])
    123 # SECOND AND THIRD MODES: compute a weighted entropy of all the sections or segments of the executable
    124 else:
    125     def _handle(n, d):

ValueError: max() arg is an empty sequence

In [5]: bintropy.bintropy("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf")
Out[5]: False
commented

Hi @nikhilh-20
Thank you for mentioning this.
It seems that I didn't address the case when all the blocks are set to None because of ignore_half_block_zeros=True. It then means that the max function gets an empty sequence as the None values get filtered. It is now fixed.
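As an added example (not bintropy's own code), here is a minimal block-entropy routine that mirrors the failure described in this issue: blocks with more than half zero bytes are recorded as None, so a mostly-zero input yields an all-None list and the `max()` from the traceback raises, while the hardened variant returns None instead. The function names, the exact zero-count rule and the sample buffers are assumptions constructed for this illustration.

```python
import math
from typing import List, Optional, Tuple


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def block_entropies(exe: bytes, blocksize: int = 256,
                    ignore_half_block_zeros: bool = True
                    ) -> Tuple[List[Optional[float]], float]:
    """Hypothetical re-implementation of per-block entropy (not bintropy's).
    Returns (per-block entropies with None for skipped blocks, highest entropy)."""
    blocks: List[Optional[float]] = []
    for i in range(0, len(exe), blocksize):
        block = exe[i:i + blocksize]
        # Assumed rule: a block that is more than half zero bytes is ignored.
        if ignore_half_block_zeros and block.count(0) > len(block) // 2:
            blocks.append(None)
        else:
            blocks.append(shannon_entropy(block))
    highest = max((e for e in blocks if e is not None), default=0.0)
    return blocks, highest


def max_entropy_buggy(blocks: List[Optional[float]]) -> float:
    # Same shape as the failing expression in the traceback: an all-None
    # list leaves max() with an empty sequence and raises ValueError.
    return max([x for x in blocks if x is not None])


def max_entropy_fixed(blocks: List[Optional[float]]) -> Optional[float]:
    # Hardened: report "no usable block" as None instead of crashing.
    kept = [x for x in blocks if x is not None]
    return max(kept) if kept else None


def compare(blocks: List[Optional[float]]):
    """Return (buggy result or exception name, fixed result) for the same input."""
    try:
        buggy = max_entropy_buggy(blocks)
    except ValueError as exc:
        buggy = type(exc).__name__
    return buggy, max_entropy_fixed(blocks)


# Constructed samples: one mostly-zero block, and one block of all 256 byte values.
MOSTLY_ZERO = b"\x00" * 200 + bytes(range(56))
FULL_RANGE = bytes(range(256))

if __name__ == "__main__":
    print(block_entropies(MOSTLY_ZERO))   # ([None], 0.0), as in Out[3]
    print(compare(block_entropies(MOSTLY_ZERO)[0]))  # ('ValueError', None)
```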