#pragma once

#include <cmath>
#include <cstddef>
#include <map>
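namespace pesieve {

	namespace stats {

		// Builds a frequency histogram of the elements in `buffer`.
		//
		// buffer     - array of `bufferSize` elements; may be nullptr.
		// bufferSize - number of elements in `buffer`.
		// counts     - receives element -> occurrence count. Entries already present
		//              in `counts` are kept and incremented, not reset, so pass an
		//              empty map unless accumulation over several buffers is intended.
		// Returns the number of distinct keys in `counts` afterwards, or 0 when
		// `buffer` is null or `bufferSize` is 0 (`counts` is then left untouched).
		//
		// The buffer is read-only, so it is taken as `const T[]`: a const input no
		// longer forces T (and hence the map's key type) to be const. The SAL-style
		// IN/OUT macros (empty in the Windows SDK) were dropped so that this header
		// no longer depends on <windows.h> having been included first.
		template <typename T>
		size_t generateHistogram(const T buffer[], size_t bufferSize, std::map<T, size_t>& counts)
		{
			if (buffer == nullptr || bufferSize == 0) {
				return 0;
			}
			for (size_t i = 0; i < bufferSize; ++i) {
				++counts[buffer[i]];
			}
			return counts.size();
		}

		// Shannon entropy, in bits per symbol, of the distribution described by
		// `histogram`. Based on: https://stackoverflow.com/questions/20965960/shannon-entropy
		//
		// histogram - element -> occurrence count.
		// totalSize - number of symbols the histogram was built from (the sum of its
		//             counts); it is the divisor for p(x). A `totalSize` that does not
		//             match the counts yields a meaningless (possibly negative) result.
		// Returns 0 when `totalSize` is 0 (avoids a division by zero); otherwise a
		// value in [0, log2(number of distinct keys)] for a consistent histogram.
		//
		// `histogram` is only read, so it is bound by const reference (callers that
		// passed a non-const map still compile). std::log2 replaces log(x)/log(2):
		// one call instead of two and no rounding from the quotient, so results may
		// differ from the old formula in the last bits only.
		template <typename T>
		double calcShannonEntropy(const std::map<T, size_t>& histogram, size_t totalSize)
		{
			if (totalSize == 0) {
				return 0;
			}
			const double total = static_cast<double>(totalSize);
			double entropy = 0;
			for (const auto& entry : histogram) {
				const double p_x = static_cast<double>(entry.second) / total;
				// A zero count (stale entry) would give log2(0) = -inf; it contributes nothing.
				if (p_x > 0) {
					entropy -= p_x * std::log2(p_x);
				}
			}
			return entropy;
		}

		// Shannon entropy, in bits per symbol, of a raw buffer where every element
		// of `buffer` is one symbol (for BYTE buffers: 0 = constant data, 8 = uniform).
		// Returns 0 for a null or empty buffer.
		//
		// Kept `static` as in the original: every translation unit gets its own
		// instantiation. `buffer` is read-only, hence `const T[]` (see generateHistogram).
		template <typename T>
		static double ShannonEntropy(const T buffer[], size_t bufferSize)
		{
			std::map<T, size_t> counts;
			if (generateHistogram<T>(buffer, bufferSize, counts) == 0) {
				return 0;
			}
			// `counts` was built from exactly `bufferSize` symbols, so it is the total.
			return calcShannonEntropy<T>(counts, bufferSize);
		}

	} // namespace stats

} // namespace pesieve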