Reducing Binary Entropy
Introduction
Entry is the amount of randomness within a data set. As randomness increases, so does entropy. There are many type of entropy. In cybersecurity, we're focused on Shannon's entropy.
The image shows how to utilize entropy while threat hunting.

Measuring Entropy
Several tools can determine the entropy of a given file such as pestudio and Sigcheck.
We can use SciPy's scipy.stats.entropy
combined with matplotlib to create a visual of entropy.
def calc_entropy(buffer):
if isinstance(buffer, str):
buffer = buffer.encode()
entropy = 0
for x in range(256):
p = (float(buffer.count(bytes([x])))) / len(buffer)
if p > 0:
entropy += - p * math.log(p, 2)
return entropy
Choosing an Encryption Algorithm
When picking an encryption, encoding, or any other obfuscation algorithm. It's important to keep entropy in mind, that includes choosing the corrent algorithm but one that isn't too weak.
Another effective method to keeping entropy low is using the obfuscation algorithms.
IPv4fuscation, IPv6fuscation, Macfuscation, and UUIDfuscation** instead of using encryption algorithms**
Inserting English Strings
Another method we can use to reduce entropy is inserting english strings into the final implementation. It's recommended to use either all lower case or all upper case strings** to reduce the number of possibilities for every byte.**
Padding by Bytes
An easy way to reduce entropy is to pad the payloads ciphertext with the same byte repeatedly. Here is a MsfVenom payload before and after appending it with 285 bytes of 0xEA.
drastically dropping entropy from 5.88325
to 3.77597.

CRT Library Independant
The CRT, or C Runtime Library, is a standard interface for the C programming language. The CRT contains a collection of functions & macros. These functions are meant for managing memory, opening and manipulating files, etc. (memcpy, fopen, strcpy).
Removing CRT can drastically reduce the entropy of the final implementation.

Tool - EntropyReducer
It's also possible to reduce a payload's entropy using EntropyReducer, a tool developed by the MalDev Academy team.
EntropyReducer uses a custom algorithm that utilizes linked lists to insert null bytes between each BUFF_SIZE byte chunk of the payload.
Last updated