Entropy

Entropy makes it possible to quickly detect the different parts of a document, or to tell whether a document is compressed or encrypted.

Entropy can be thought of as the number of bits required to guess the remaining bits.
High entropy therefore means the values differ widely, and low entropy means the values are similar.

An entropy of 0 means that all the values in the block over which the entropy is computed are equal (the same motif is repeated over the full block).
This is the case for padding, which writes the same motif until a specific alignment is reached.

This is why low entropy can be used to detect the different sections of a file: as the end of each section is filled with the same motif, the end of the section gets a low entropy.

Notice: depending on the block size used to compute the entropy and on the size of the padding at the end of the section, you may not get an entropy of 0 but only a low value.
The reason is that entropy is computed per block, and
    - the entropy block size may be larger than the padding at the end of the section,
 or - the entropy block may not be aligned with the end of the section, so it contains part of the repeated motif and part of non-identical data.
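The per-block computation and the alignment caveat above can be checked on synthetic data. The following Python example is added here and is not code from the original page or from the tool it documents; it computes Shannon entropy in bits per byte over a constructed buffer (varied content followed by 0x00 padding), and the function names, the sample sizes and the detection threshold are assumptions chosen for the demo.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when every byte is the same,
    8.0 when all 256 byte values occur equally often."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int) -> list[float]:
    """Entropy of each consecutive block of block_size bytes (the last block may be shorter)."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


def section_end_blocks(entropies: list[float], threshold: float = 1.0) -> list[int]:
    """Indices of the blocks whose entropy falls below threshold: candidate section-end padding."""
    return [i for i, h in enumerate(entropies) if h < threshold]


def build_sample(content_len: int, total_len: int) -> bytes:
    """Constructed sample: content_len varied bytes followed by one repeated motif (0x00) as padding.
    37 is odd, so every 256 consecutive content bytes contain each byte value exactly once."""
    content = bytes((i * 37 + 11) % 256 for i in range(content_len))
    return content + b"\x00" * (total_len - content_len)


if __name__ == "__main__":
    # Case 1: the padding starts on a block boundary, so the padding blocks score exactly 0.
    aligned = block_entropies(build_sample(1024, 1536), 256)
    print("aligned, 256-byte blocks   :", [round(h, 2) for h in aligned])

    # Case 2: the padding starts 32 bytes into block 4, so that block mixes content and motif
    # and scores low (about 1.17) instead of 0; only block 5 is pure padding.
    misaligned = block_entropies(build_sample(1056, 1536), 256)
    print("misaligned, 256-byte blocks:", [round(h, 2) for h in misaligned])
    print("  section ends at threshold 1.0:", section_end_blocks(misaligned))
    print("  section ends at threshold 1.5:", section_end_blocks(misaligned, 1.5))

    # Case 3: a block larger than the padding never reaches 0, because the content dominates it.
    one_block = block_entropies(build_sample(1024, 1536), 1536)
    print("single 1536-byte block     :", [round(h, 2) for h in one_block])
```

Case 2 is the situation the notice describes: with a threshold of 1.0 the mixed block is missed, with 1.5 it is caught, so the threshold has to be chosen with the block size and the expected padding length in mind.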


Common entropy results

Windows executable (PE) exe, dll, sys...

The end of each section is detected thanks to the padding used for section alignment.
As the padding is made of the same motif, the entropy decreases.
Notice: that does not mean that every time the entropy decreases you get a new section.
The entropy can also decrease for some embedded resources (images, text, ...).



Packed executable

The entropy curve of a packed executable can be split into multiple parts:
- a first part similar to a PE (as a minimal PE header is required)
- a second part similar to compressed or encrypted files
- optionally, other parts with unencoded resources or a decryption code section
This is logical, as packed executables are compressed and, depending on the packing algorithm, encrypted or not.



Compressed file

Compressed file entropy: the entropy of a compressed file is high.

Encrypted file

Encrypted file entropy
The entropy of an encrypted file must be high and stable.
It must be insensitive to the document content;
this is what prevents the encrypted file from being analyzed and reversed.
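The curve shapes described for packed executables, compressed files and encrypted files above can be turned into a small classifier. The following Python example is added here and is not code from the original page or from the tool it documents. It builds four constructed samples (no real file is read): a text-like region stands in for the PE header, a 64-symbol alphabet stands in for code, seeded pseudo-random bytes stand in for compressed or encrypted data, and 0x00 runs stand in for section padding. The 1024-byte block size, the low/high thresholds and all function names are assumptions chosen for the demo.

```python
import math
import random
from collections import Counter

DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\n"  # filler standing in for a PE header


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = one repeated value, 8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def block_entropies(data: bytes, block_size: int) -> list[float]:
    """Entropy of each consecutive block of block_size bytes."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]


# Constructed building blocks for the samples; the seeds make them reproducible.
def text_like(n: int) -> bytes:               # about 4 bits/byte: header strings, text resources
    return (DOS_STUB_TEXT * (n // len(DOS_STUB_TEXT) + 1))[:n]

def code_like(n: int, seed: int) -> bytes:    # about 6 bits/byte: a 64-symbol "opcode" alphabet
    return bytes(random.Random(seed).choices(range(64), k=n))

def random_like(n: int, seed: int) -> bytes:  # about 7.8 bits/byte: stands in for compressed or encrypted bytes
    return bytes(random.Random(seed).choices(range(256), k=n))

def padding(n: int) -> bytes:                 # 0 bits/byte: section alignment padding
    return b"\x00" * n

BLOCK = 1024
SAMPLES = {
    "plain PE":   text_like(1024) + code_like(3072, 1) + padding(1024) + text_like(2048) + padding(1024),
    "packed PE":  text_like(1024) + code_like(1024, 2) + random_like(4096, 3) + padding(1024),
    "compressed": random_like(6144, 4),
    "encrypted":  random_like(8192, 5),
}


def label(h: float) -> str:
    """Coarse bucket per block; the thresholds are assumptions chosen for this demo."""
    if h < 1.5:
        return "low"
    if h > 7.5:
        return "high"
    return "medium"


def runs(entropies: list[float]) -> list[tuple[str, int]]:
    """Collapse the per-block labels into (label, number of consecutive blocks) runs."""
    out: list[tuple[str, int]] = []
    for h in entropies:
        lab = label(h)
        if out and out[-1][0] == lab:
            out[-1] = (lab, out[-1][1] + 1)
        else:
            out.append((lab, 1))
    return out


def describe(run_list: list[tuple[str, int]]) -> str:
    """Map a run pattern onto the curve shapes described on the page."""
    labels = [lab for lab, _ in run_list]
    if labels == ["high"]:
        return "uniformly high: compressed or encrypted data"
    if labels[0] == "medium" and "high" in labels:
        return "PE-like start then a high-entropy body: packed executable"
    if "high" not in labels:
        return "medium entropy with low dips at section ends: plain executable"
    return "unclassified"


def spread(entropies: list[float]) -> float:
    """max - min over the curve; a small spread is the 'stable' profile expected of encrypted data."""
    return max(entropies) - min(entropies)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        curve = block_entropies(data, BLOCK)
        print(f"{name:11s} runs={runs(curve)} spread={spread(curve):.2f} -> {describe(runs(curve))}")
```

The classifier only sees the shape of the curve, so, exactly as the page warns, a low dip inside a plain executable may be an embedded resource rather than a section end, and the "uniformly high" verdict cannot by itself separate compressed from encrypted content.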