sandfly-entropyscan quickly scans files or running processes, determines whether each one is a Linux/Unix ELF executable, and reports its entropy (a measure of randomness). Linux malware that has been packed or encrypted typically shows very high entropy, so the tool lets researchers quickly locate executable files or processes whose entropy is suspiciously high.
Feature overview
1. Written in Go, so it is cross-platform and supports multiple architectures;
2. Ships as a single self-contained binary with no external dependencies, and can be run directly on the target host;
3. Not affected by LD_PRELOAD-style rootkits;
4. Built-in PID busting (brute-force PID enumeration) to find files or processes hidden by certain types of loadable kernel module (LKM) rootkits;
5. Generates entropy plus MD5, SHA1, SHA256 and SHA512 hashes for the target files;
6. Can be called from scanning scripts to find issues automatically;
7. Lets incident responders quickly scan a Linux host and pin down potential malware.
Tool download
Researchers can directly use the following command to clone the source code of this project to their local machine:
git clone https://github.com/sandflysecurity/sandfly-entropyscan.git
Code building
First, install and configure the latest version of the Golang environment.
Next, switch to the project directory in the command line terminal and run the following command to build the code:
cd sandfly-entropyscan/
go build
Then run the tool with the parameters and options that suit your needs:
Tool parameter options
-csv: Output results in CSV format;
-delim: Change the default CSV delimiter, which is ","; it can be set to "|" or another character;
-dir string: Name of the directory to analyze;
-file string: Full path of the file to analyze;
-proc: Scan running processes;
-elf: Report only ELF executables;
-entropy float: Show only files/processes whose entropy is greater than or equal to the given value, from a minimum of 0.0 to a maximum of 8.0; the default of 0 shows all files;
-version: Print the tool version and exit.
Tool usage examples
Search for all executable files under the /tmp directory:
Search for executable files with entropy greater than or equal to 7.7 in the /var/www directory:
sandfly-entropyscan -dir /var/www -elf -entropy 7.7
Generate entropy and cryptographic hashes for all running processes, in CSV format:
sandfly-entropyscan -proc -csv
Search for any process that may be packed or encrypted with entropy greater than 7.7:
sandfly-entropyscan -proc -entropy 7.7
Generate entropy and cryptographic hashes for all files under the /bin directory, in CSV format:
sandfly-entropyscan -dir /bin -csv
Scan all files in a directory with entropy greater than 7.7:
sandfly-entropyscan -dir /path/to/dir -entropy 7.7
Quickly inspect a single file: generate its entropy and cryptographic hashes and determine whether it is an executable:
sandfly-entropyscan -file /dev/shm/suspicious_file
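To show what the "-elf -entropy 7.7" filter above actually measures, here is an added example, written for this page and not taken from the sandfly-entropyscan project: it computes byte-level Shannon entropy, checks for the ELF magic header, and flags only ELF images at or above the threshold. The sample buffers are constructed in place; the function names are this example's own.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
)

// ShannonEntropy returns byte-level Shannon entropy in bits per byte:
// 0.0 for a single repeated byte, 8.0 for a uniform spread of all 256 values.
func ShannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n, h := float64(len(data)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// IsELF reports whether the buffer starts with the ELF magic 0x7f 'E' 'L' 'F'.
func IsELF(data []byte) bool {
	return len(data) >= 4 && bytes.Equal(data[:4], []byte{0x7f, 'E', 'L', 'F'})
}

// Suspicious mirrors the article's "-elf -entropy 7.7" filter: flag only ELF
// images whose entropy is at or above the threshold (hypothetical helper name).
func Suspicious(data []byte, threshold float64) bool {
	return IsELF(data) && ShannonEntropy(data) >= threshold
}

func main() {
	// Constructed sample standing in for a packed binary: ELF magic followed
	// by a near-uniform body (every byte value repeated 16 times).
	packed := []byte{0x7f, 'E', 'L', 'F'}
	for i := 0; i < 4096; i++ {
		packed = append(packed, byte(i))
	}
	text := bytes.Repeat([]byte("hello world\n"), 300) // constructed low-entropy, non-ELF buffer
	fmt.Printf("packed: entropy=%.3f suspicious=%v\n", ShannonEntropy(packed), Suspicious(packed, 7.7))
	fmt.Printf("text:   entropy=%.3f suspicious=%v\n", ShannonEntropy(text), Suspicious(text, 7.7))
}
```

Note that a high-entropy buffer without the ELF magic (a compressed archive, for instance) is not flagged, which is why the tool's -elf option cuts down false positives when scanning general directories.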
License agreement
This project is developed and released under the MIT open source license.
Project address
sandfly-entropyscan: https://github.com/sandflysecurity/sandfly-entropyscan