If we have a block of data with very high entropy (i.e. To proceed with analysis of the actual firmware, it must first be decompressed/decrypted. If the entropy is very high, it is a good sign that the file is indeed compressed or encrypted. One way to determine this is through performing an entropy analysis of the file. In order to analyse the firmware, it first needs to be determined whether it is encrypted or compressed. If we want to analyze the code, its decompressed form need to be recovered somehow.įirmware Analysis - In systems with relatively severe hardware constraints, such as embedded systems, firmware updates are often delivered in compressed form in order to save space. Executable compression complicates analysis, so it is a relatively common feature of programs developed for criminal purposes. Malware Analysis - If we have an executable which has a header that can be parsed successfully and the program loads and runs without error, but the overall entropy level of the file is very high and the code can't be analyzed statically because the data outside of the file header and program headers looks random (hence the high entropy), it probably means that the executable is in fact compressed on disk and is decompressed at runtime. In fact, compressed and encrypted data have close to the maximum possible level of entropy, which can be used as a heuristic to identify it as such in order to differentiate it from non-compressed/non-encrypted data.Įxample use cases in reverse engineering: I want to know what it is used for?įor our purposes, entropy can be though of as information density or as a measure of randomness in information, which is what makes it useful in the context of reverse engineering and binary analysis.Ĭompressed and encrypted data have higher entropy than e.g.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |