bintropy.entropy fails for MIPS malware binary
nikhilh-20 opened this issue · comments
Malware sample link: https://bazaar.abuse.ch/sample/acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35/
bintropy.entropy() on v1.3.6 fails to return average and highest block entropy for ELF malware: acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35 and that causes bintropy.bintropy(<sample_path>, decide=False) to fail.
$ pip freeze | grep bintropy
bintropy==1.3.6
In [1]: import bintropy
In [2]: with open("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf", "rb") as f:
...: exe = f.read()
...:
In [3]: bintropy.entropy(exe, blocksize=256, ignore_half_block_zeros=True)
Out[3]: ([None, None], 0.0)
In [4]: bintropy.bintropy("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf", decide=False)
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
Cell In[2], line 1
----> 1 bintropy.bintropy("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf", decide=False)
File ~/venv/lib/python3.8/site-packages/bintropy/__init__.py:122, in bintropy(executable, mode, blocksize, ignore_half_block_zeros, decide, threshold_average_entropy, threshold_highest_entropy, logger, **kwargs)
120 msg += ("\n #{: <%s}: {}" % iw).format(i + 1, "-" if j is None else j)
121 __log(logger, msg)
--> 122 return is_packed(e[0], e[1], _t1, _t2, logger) if decide else (max([x for x in e[0] if x is not None]), e[1])
123 # SECOND AND THIRD MODES: compute a weighted entropy of all the sections or segments of the executable
124 else:
125 def _handle(n, d):
ValueError: max() arg is an empty sequence
In [5]: bintropy.bintropy("acb6ad9fe1438e5d9993f25e1d140b7e876b91e131dba4c7f39faa53254c6e35.elf")
Out[5]: False
Hi @nikhilh-20
Thank you for mentioning this.
It seems that I didn't address the case when all the blocks are set to None because of ignore_half_block_zeros=True. It then means that the max function gets an empty sequence as the None values get filtered. It is now fixed.
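The failure mode in the report and the fix described in the reply, reproduced as an added, stand-alone example (my own code, not bintropy's implementation): per-block Shannon entropy is computed over fixed-size blocks, blocks that are at least half zero bytes are recorded as None when ignore_half_block_zeros is set (the exact skip rule is an assumption for this example; bintropy's may differ), and the "highest block entropy" step is shown both the buggy way (max() over a filtered list, which raises ValueError when every block was skipped) and the safe way (max() with a default). The two inputs are constructed here: a 512-byte all-zero buffer, where every block is skipped, and a buffer with one full-alphabet block followed by one zero block.

```python
import math
from collections import Counter
from typing import List, Optional, Tuple


def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def block_entropies(data: bytes, blocksize: int = 256,
                    ignore_half_block_zeros: bool = True) -> Tuple[List[Optional[float]], float]:
    """Per-block entropies plus their average.

    Assumed rule for this example: with ignore_half_block_zeros, a block
    whose zero bytes make up half or more of it is recorded as None.
    The average is taken over kept blocks only, and is 0.0 when none
    were kept (the same shape as the ([None, None], 0.0) seen in the report).
    """
    entropies: List[Optional[float]] = []
    for off in range(0, len(data), blocksize):
        block = data[off:off + blocksize]
        if ignore_half_block_zeros and block.count(0) * 2 >= len(block):
            entropies.append(None)
        else:
            entropies.append(shannon_entropy(block))
    kept = [e for e in entropies if e is not None]
    average = sum(kept) / len(kept) if kept else 0.0
    return entropies, average


def highest_block_entropy_buggy(entropies: List[Optional[float]]) -> float:
    """The pattern that failed: max() over the filtered list has no default,
    so an all-None list raises 'max() arg is an empty sequence'."""
    return max([x for x in entropies if x is not None])


def buggy_raises(entropies: List[Optional[float]]) -> bool:
    """True if the unguarded max() blows up on this list."""
    try:
        highest_block_entropy_buggy(entropies)
    except ValueError:
        return True
    return False


def highest_block_entropy(entropies: List[Optional[float]]) -> Optional[float]:
    """Guarded version: None when every block was skipped instead of raising."""
    return max((x for x in entropies if x is not None), default=None)


def summarize(data: bytes, blocksize: int = 256,
              ignore_half_block_zeros: bool = True) -> Tuple[Optional[float], float]:
    """(highest block entropy or None, average over kept blocks)."""
    entropies, average = block_entropies(data, blocksize, ignore_half_block_zeros)
    return highest_block_entropy(entropies), average


# Constructed inputs (not the malware sample from the report).
ALL_ZERO_SAMPLE = bytes(512)                       # every block skipped
MIXED_SAMPLE = bytes(range(256)) + bytes(256)      # one 8.0-bit block, one skipped

if __name__ == "__main__":
    print(block_entropies(ALL_ZERO_SAMPLE))        # ([None, None], 0.0)
    print(buggy_raises([None, None]))              # True: the reported ValueError
    print(summarize(ALL_ZERO_SAMPLE))              # (None, 0.0)
    print(summarize(MIXED_SAMPLE))                 # (8.0, 8.0)
```

A caller that goes on to compare the highest entropy against a packing threshold has to treat None as "no usable block", not as a low-entropy result; with decide=True the original library returned False for this sample, which is the silent version of the same corner case.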