File entropy (analysis.entropy)
- analysis.entropy: malcat.Entropy
The analysis.entropy object is a malcat.Entropy instance that gives you access to the entropy of the file, as computed and cached by the Entropy computation algorithm. The different file hashes (crc32, md5, sha1, sha256 and tlsh) are also accessible through this object.
Note that in addition to this documentation, you can find usage examples in the sample script which is loaded when you hit F8.
Entropy costs
Since Malcat's entropy computation is heavily optimised and cache-based, querying entropy through the malcat.Entropy object is very cheap. If you query the entropy of a file interval, the result won't be as precise as a full Shannon entropy computation over that interval, but it is returned instantly (O(1)). So use it and abuse it in your scripts and custom anomalies!
The Entropy object
- class malcat.Entropy
This class allows you to query the file's pre-computed entropy. It also gives you access to the file's different hash values.
- __getitem__(interval)
Compute the entropy of a given file interval. The entropy is given as a number between 0 (lowest entropy) and 255 (highest entropy, random data).

```python
mid_address = analysis.map.from_phys(analysis.file.size // 2)
print(f"Entropy of first half of the file: {analysis.entropy[:mid_address]} ({100*analysis.entropy[:mid_address] // 255}%)")
print(f"Entropy of second half of the file: {analysis.entropy[mid_address:]} ({100*analysis.entropy[mid_address:] // 255}%)")
```
- Parameters:
interval (slice) – effective address interval
- Return type:
int (between 0 and 255)
- crc32: str
the hexadecimal representation of the crc32 of the file
- md5: str
the hexadecimal representation of the md5 of the file
- sha1: str
the hexadecimal representation of the sha1 of the file
- sha256: str
the hexadecimal representation of the sha256 of the file
- tlsh: str
the hexadecimal representation of the tlsh hash of the file
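The following is an added example, not part of the Malcat documentation or Malcat's own code. It shows the kind of windowed scan the "Entropy costs" section invites (cheap per-interval queries used to locate high-entropy regions such as packed or encrypted payloads), written against the documented `__getitem__(slice) -> int in 0..255` contract. Because `analysis.entropy` only exists inside Malcat, the block ships with a constructed stand-in class, `ShannonEntropy`, that implements the same interface with an exact Shannon computation scaled to 0..255; the sample data, the window size and the threshold of 230 (roughly 7.2 bits per byte) are assumptions chosen for illustration.

```python
import math
import random


class ShannonEntropy:
    """Constructed stand-in for malcat.Entropy (NOT Malcat's implementation).

    Same contract as the documented __getitem__: takes a slice, returns an int
    in 0..255 where 255 means 8 bits of entropy per byte. Malcat's version is
    cached and approximate; this one is exact and recomputed on every call.
    """

    def __init__(self, data: bytes):
        self.data = data

    def __getitem__(self, interval: slice) -> int:
        chunk = self.data[interval]
        if not chunk:
            return 0
        counts = [0] * 256
        for b in chunk:
            counts[b] += 1
        n = len(chunk)
        bits = -sum((c / n) * math.log2(c / n) for c in counts if c)
        # Map 0..8 bits/byte onto Malcat's 0..255 scale
        return round(bits * 255 / 8)


def high_entropy_windows(entropy, size, window=4096, threshold=230):
    """Slide a fixed-size window over [0, size) and return (start, end, value)
    for each window whose entropy is >= threshold on the 0..255 scale.

    `entropy` is any object exposing the documented malcat.Entropy
    __getitem__(slice); `size` is the total length to scan.
    """
    hits = []
    for start in range(0, size, window):
        end = min(start + window, size)
        value = entropy[start:end]
        if value >= threshold:
            hits.append((start, end, value))
    return hits


def merge_runs(hits):
    """Collapse adjacent flagged windows into contiguous (start, end) runs,
    so one encrypted blob is reported once rather than once per window."""
    runs = []
    for start, end, _ in hits:
        if runs and runs[-1][1] == start:
            runs[-1] = (runs[-1][0], end)
        else:
            runs.append((start, end))
    return runs


def build_sample():
    """Constructed sample file: 8 KiB of repeated 'A' (near-zero entropy),
    then 8 KiB of seeded pseudo-random bytes standing in for an encrypted
    or packed payload, then 4 KiB of NUL padding."""
    rng = random.Random(7)
    noise = bytes(rng.getrandbits(8) for _ in range(8192))
    return b"A" * 8192 + noise + b"\x00" * 4096


if __name__ == "__main__":
    data = build_sample()
    ent = ShannonEntropy(data)
    for start, end in merge_runs(high_entropy_windows(ent, len(data))):
        value = ent[start:end]
        print(f"high-entropy run {start:#x}-{end:#x}: {value} ({100 * value // 255}%)")
```

Inside Malcat the same `high_entropy_windows` call would take `analysis.entropy` and `analysis.file.size`; since the documented interval is an effective-address slice, each window boundary would first go through `analysis.map.from_phys` as the page's own snippet does (an assumption about how the two address spaces relate, not something this page states beyond that snippet). The merge step matters in practice: without it a single 1 MiB encrypted resource produces 256 separate alerts at a 4 KiB window.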