EntropyEncoding

Name: EntropyEncoding
Version: 0.0.5
Home page: https://github.com/mauricelambert/EntropyEncoding
Summary: This package implements an encoding to bypass entropy antivirus check.
Upload time: 2023-09-05 10:42:08
Maintainer: Maurice Lambert
Author: Maurice Lambert
Requires Python: >=3.8
License: GPL-3.0 License
Keywords: entropy, antivirus-bypass, payload-encoding, encoding, malware
Requirements: No requirements were recorded.
![EntropyEncoding logo](https://mauricelambert.github.io/info/python/security/EntropyEncoding.gif "EntropyEncoding logo")

# EntropyEncoding

## Description

This package implements an encoding to bypass entropy antivirus check.

I have researched entropy bypass techniques and found that people add low-entropy data to a file to pass entropy checks. I think this can be done more efficiently with a simple entropy encoding that lowers the entropy score instead of appending data.

Adding low-entropy data has two drawbacks:
 1. the file gets larger
 2. the payload's own entropy is unchanged (if the antivirus software splits the file into chunks for the entropy calculation, the chunk holding the payload will probably still score as high entropy)
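As an added example (not part of the package or its README), here is the chunk-wise check from the scanner's side: it implements the 8-bit Shannon entropy that the README's `shannon_entropy` reports, applies the ~7.2 bits/byte threshold quoted in the usage notes, and shows why point 2 holds, since a high-entropy blob embedded in low-entropy data is still flagged per chunk even though the whole-file score stays low. The sample bytes and the 256-byte chunk size are constructed for this example.

```python
import math
from collections import Counter
from typing import List, Tuple

# Constructed sample data for this example: ordinary text (low entropy) with a
# block containing every byte value embedded in the middle (maximal 8-bit
# entropy), standing in for an encrypted blob inside an otherwise benign file.
LOW_ENTROPY = b"The quick brown fox jumps over the lazy dog. " * 40
HIGH_ENTROPY = bytes(range(256)) * 4
SAMPLE = LOW_ENTROPY + HIGH_ENTROPY + LOW_ENTROPY

# Threshold quoted in the README: entropy heuristics fire around 7.2 bits/byte.
THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: -sum(p_i * log2(p_i)) over byte frequencies."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = 256) -> List[Tuple[int, float]]:
    """Entropy of each fixed-size chunk, paired with the chunk's byte offset."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]


def high_entropy_regions(data: bytes, chunk_size: int = 256,
                         threshold: float = THRESHOLD) -> List[int]:
    """Offsets of chunks scoring above the threshold.

    These are the regions a chunk-wise scanner flags even when the whole-file
    score is below the threshold (the README's point 2 about padding with
    low-entropy data).
    """
    return [off for off, h in chunk_entropies(data, chunk_size) if h > threshold]


if __name__ == "__main__":
    # Whole-file score is dragged down by the surrounding text ...
    print(f"whole-file entropy: {shannon_entropy(SAMPLE):.3f}")
    # ... but the embedded blob still lights up chunk by chunk.
    for off in high_entropy_regions(SAMPLE):
        print(f"high-entropy chunk at offset {off:#x}")
```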

## Requirements

This package requires:
 - python3
 - python3 Standard Library

## Installation

```bash
python3 -m pip install EntropyEncoding
```

```bash
git clone "https://github.com/mauricelambert/EntropyEncoding.git"
cd "EntropyEncoding"
python3 -m pip install .
```

## Usages

```python
from EntropyEncoding import *

payload = b"shellcode_payload    0000111122223333444455556666777788889999AAAABBBBCCCCDDDDEEEEFFFF" * 120
key = bytes([0,255,127,55,155,25,225,10,220,40,190,26,100,70,90,45,235,32,64,128,215,28,46,158,123,13,8,5,168,191,69])

encrypted_payload = bytes([key[i % len(key)] ^ x for i, x in enumerate(payload)])

print(shannon_entropy(encrypted_payload))  # 7.753825816757683; good encryption or compression has an entropy score > 7.9 and < 8
                                           # Antivirus software flags malicious entropy when the score is greater than ~7.2
                                           # This encrypted payload will therefore be detected by an entropy check
encoded_shellcode = entropy_encode(encrypted_payload)
encoded2_shellcode = entropy_encode2(encrypted_payload)
print(encoded_shellcode)
print(encoded2_shellcode)

assert entropy_decode(encoded_shellcode)   == encrypted_payload
assert entropy_decode2(encoded2_shellcode) == encrypted_payload

print(shannon_entropy(encoded_shellcode))  # 5.770760744294572, entropy score is smaller than 7.2, antivirus software will not detect this payload with entropy checks
print(shannon_entropy(encoded2_shellcode)) # 5.767383412620195, entropy score is smaller than 7.2, antivirus software will not detect this payload with entropy checks

r"""
I measured the entropy of Windows executables; the average score is ~5 (so 5.7 can be a legitimate entropy score):
>>> from glob import iglob
>>> from statistics import mean
>>> from EntropyEncoding import *
>>> entropy = []
>>> for a in iglob(r"C:\Windows\System32\*.exe"): entropy.append(shannon_entropy(open(a, "rb").read()))
...
>>> max(entropy)
7.932014219115418
>>> min(entropy)
1.6379445326685684
>>> mean(entropy)
5.063622509688209
>>>
"""
```

Test results:

```
~# python3 EntropyEncoding.py
Entropy for non-encoded secrets: 4.521591372417719
Entropy for non-encoded encrypted secrets: 7.951320327821406
Entropy for entropy-encoded encrypted secrets: 5.774096152750044
Entropy for non-encoded exe: 5.22055339277441
Entropy for non-encoded encrypted exe: 7.914685739354301
Entropy for entropy-encoded encrypted exe: 5.759477906043907
~# 
```

## Links

 - [Pypi](https://pypi.org/project/EntropyEncoding)
 - [Github](https://github.com/mauricelambert/EntropyEncoding)
 - [Documentation](https://mauricelambert.github.io/info/python/security/EntropyEncoding.html)

## License

Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
