Windows executable (PE) exe, dll, sys...
The end of each section is detected thanks to the padding used for section alignment.
Because the padding repeats the same motif, the entropy drops there.
Notice: that does not mean every entropy drop marks a new section.
The entropy can also drop over some embedded resources (images, text, ...).
Packed executable
The entropy curve of a packed executable can be split into several parts:
- a first part similar to a PE (a minimal PE header is still required)
- a second part similar to compressed or encrypted files
- optionally, other parts with unencoded resources or a decrypting code section
This is logical, since packed executables are compressed and, depending on the packing algorithm, encrypted or not.
Compressed file
Compressed file entropy: high entropy
Encrypted file
Encrypted file entropy
The entropy of an encrypted file must be high and stable.
It must be insensitive to the document's content;
this is what prevents the encrypted file from being analyzed and reversed.
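As an added example (not code from the original page), the Python below computes the per-window Shannon entropy curve these plots show, over a constructed buffer that mimics the shapes described above: a small header, a code-like section with a narrow byte alphabet, zero alignment padding, and a random region standing in for compressed or encrypted data. The 256-byte window and the 1.0-bit threshold are arbitrary choices, and the low-entropy runs it reports are only candidate section ends, for the reason the PE section gives.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_curve(data: bytes, window: int = 256) -> list[float]:
    """Entropy of consecutive non-overlapping windows: the curve the plots draw."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def low_entropy_runs(curve: list[float], threshold: float = 1.0) -> list[tuple[int, int]]:
    """(start, end) window indices where the curve stays below threshold.

    Such dips are candidate section ends (alignment padding), but an embedded
    resource can dip as well, so these are candidates, not section boundaries."""
    runs, start = [], None
    for i, e in enumerate(curve):
        if e < threshold and start is None:
            start = i
        elif e >= threshold and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, len(curve)))
    return runs

# Constructed sample, not a real PE: deterministic so the shape is reproducible.
rng = random.Random(1)
HEADER = b"MZ" + bytes(62) + b"PE\0\0" + bytes(rng.randrange(256) for _ in range(188))  # 256 B
CODE = bytes(rng.choice(b"\x8b\x45\x55\xe8\xc3\x89\x48\x83\xec\x00\x01\x0f") for _ in range(1024))
PADDING = bytes(1024)                                        # one repeated byte -> entropy 0
PAYLOAD = bytes(rng.randrange(256) for _ in range(2048))    # compressed/encrypted stand-in
SAMPLE = HEADER + CODE + PADDING + PAYLOAD + PADDING

if __name__ == "__main__":
    curve = entropy_curve(SAMPLE)
    for i, e in enumerate(curve):
        print(f"window {i:2d} @0x{i * 256:05x} {'#' * int(e * 4):<32} {e:.2f}")
    print("low-entropy runs (candidate section ends):", low_entropy_runs(curve))
```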