本文为看雪论坛优秀文章
一 • 信息熵
S = pa*log2(1/pa) + pb*log2(1/pb) + ... + pn*log2(1/pn)
= ∑ p*log2(1/p)
= ∑ -p*log2(p)
（换用自然对数同理：S = ∑ p*log(1/p) = ∑ -p*log(p)，只相差一个常数因子）
二 • 实现
H = ∑_{i=0}^{255} -p(i)*log(p(i))，其中 p(i) = count(i) / size，即对 256 种字节值按出现频率求和
// Shannon entropy (in nats — natural log, not log2) over the byte-frequency
// table held in g_GlobalInfo:
//     H = -sum_{i=0..255} p(i) * ln(p(i)),   p(i) = count(i) / size
// Returns 0.0 for an empty input; the original divided by dwMapSize
// unconditionally, yielding 0/0 -> NaN when GetSize() == 0.
double CEntropy::calculate()
{
    double entropy = 0;
    DWORD dwMapSize = g_GlobalInfo.GetSize();
    if (dwMapSize == 0)      // empty buffer: entropy is defined as 0, avoid 0/0
        return entropy;
    for (int i = 0; i < 256; i++)
    {
        double p_x = double(g_GlobalInfo.count(((char)i))) / dwMapSize;
        // lim p->0 of -p*ln(p) is 0, so absent byte values contribute nothing;
        // the check also keeps log(0) out of the sum.
        if (p_x > 0)
            entropy += -p_x * (log(p_x));
    }
    return entropy;
}
aGVsbG8gd29yZA==
hello word
encode_base64_entropy = 3.0351414
decode_base64_entropy = 2.1535325
Chr(104)+Chr(101)+Chr(108)+Chr(108)+Chr(111)+Chr(9)+Chr(119)+Chr(111)+Chr(114)+Chr(100)
三 • 扩展
当然如果混淆算法经过特殊处理,是可以计算到一个接近正常的信息熵,那么我们需要更多的维度去判断,这里我们可以使用一个密码学的概念「巧合指数」。
double CLanguageIC::calculate()
{
DWORD64 _char_count = 0;
DWORD64 _total_char_count = 0;
for (int i = 0; i < 256; i++)
{
DWORD64 charcount = g_GlobalInfo.count(((char)i));
_char_count += charcount * (charcount - 1);
_total_char_count += charcount;
}
double ic = 0;
if (_total_char_count - 1 != 0)
ic = double(_char_count) / (_total_char_count * (_total_char_count - 1));
calculate_char_count();
return ic;
}
hello word
aGVsbG8gd29yZA==
Chr(104)+Chr(101)+Chr(108)+Chr(108)+Chr(111)+Chr(9)+Chr(119)+Chr(111)+Chr(114)+Chr(100)
a1 = 0.0761905
a2 = 0.0380952
a3 = 0.0967511
// Entropy-like score that weights each byte's contribution by a uniform
// prior p_y = 1/256. Note p_x_y = p_x * p_y, so the log argument
// (p_x * p_x_y) / p_y algebraically reduces to p_x^2 — the computation is
// kept exactly as the author wrote it to preserve the published values.
// NOTE(review): this is NOT the textbook mutual-information formula
// (sum p(x,y) * log(p(x,y) / (p(x)p(y)))); treat it as the article's own
// heuristic metric — confirm intent with the author before "correcting" it.
// Fixed: guard against an empty input, where the original divided by zero
// (0/0 -> NaN).
double CEntropyMI::calculate()
{
    double entropy = 0;
    DWORD dwMapSize = g_GlobalInfo.GetSize();
    if (dwMapSize == 0)     // empty buffer: avoid 0/0 -> NaN
        return entropy;
    for (int i = 0; i < 256; i++)
    {
        double p_x = double(g_GlobalInfo.count(((char)i))) / dwMapSize;
        double p_y = (double)1 / 256;   // uniform prior over byte values
        double p_x_y = p_x * p_y;
        if (p_x > 0)                    // skip absent bytes; avoids log(0)
            entropy += -(p_x * p_x_y) * (log(((p_x * p_x_y) / p_y)));
    }
    return entropy;
}
四 • 总结
看雪ID:wuxiwudi
https://bbs.pediy.com/user-home-258629.htm
*本文由看雪论坛 wuxiwudi 原创,转载请注明来自看雪社区。
# 往期推荐
球分享
球点赞
球在看
点击“阅读原文”,了解更多!