{"id":20292489,"url":"https://github.com/mauricelambert/entropyencoding","last_synced_at":"2025-09-22T17:31:54.759Z","repository":{"id":186197009,"uuid":"674804186","full_name":"mauricelambert/EntropyEncoding","owner":"mauricelambert","description":"This package implements an encoding to bypass entropy antivirus check.","archived":false,"fork":false,"pushed_at":"2024-03-10T15:12:19.000Z","size":223,"stargazers_count":4,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-14T15:17:28.516Z","etag":null,"topics":["bypass-antivirus","encoding","entropy","entropy-encoding","malware-development","payload-encoder"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mauricelambert.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-08-04T20:30:47.000Z","updated_at":"2024-05-24T06:15:08.000Z","dependencies_parsed_at":null,"dependency_job_id":"bae110c3-eb8a-47f8-802e-c78402363bb7","html_url":"https://github.com/mauricelambert/EntropyEncoding","commit_stats":null,"previous_names":["mauricelambert/entropyencoding"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauricelambert%2FEntropyEncoding","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauricelambert%2FEntropyEncoding/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mauricelambert%2FEntropyEncoding/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/mauricelambert%2FEntropyEncoding/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mauricelambert","download_url":"https://codeload.github.com/mauricelambert/EntropyEncoding/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233869023,"owners_count":18743094,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-antivirus","encoding","entropy","entropy-encoding","malware-development","payload-encoder"],"created_at":"2024-11-14T15:17:33.962Z","updated_at":"2025-09-22T17:31:49.462Z","avatar_url":"https://github.com/mauricelambert.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"![EntropyEncoding logo](https://mauricelambert.github.io/info/python/security/EntropyEncoding.gif \"EntropyEncoding logo\")\r\n\r\n# EntropyEncoding\r\n\r\n## Description\r\n\r\nThis package implements an encoding to bypass entropy antivirus check.\r\n\r\nI have researched about entropy bypass techniques and found people who use adding low-entropy data to bypass entropy check. I think adding data can be optimized and more efficient with a simple entropy encoding to reduce entropy score.\r\n\r\nAdding low-entropy data:\r\n 1. you get a larger file\r\n 2. 
you do not change payload entropy (if the antivirus software splits the file for entropy calculation, it will probably have high entropy on a payload chunk)\r\n\r\n## Requirements\r\n\r\nThis package requires:\r\n - python3\r\n - python3 Standard Library\r\n\r\n## Installation\r\n\r\n```bash\r\npython3 -m pip install EntropyEncoding\r\n```\r\n\r\n```bash\r\ngit clone \"https://github.com/mauricelambert/EntropyEncoding.git\"\r\ncd \"EntropyEncoding\"\r\npython3 -m pip install .\r\n```\r\n\r\n## Usages\r\n\r\n```python\r\nfrom EntropyEncoding import *\r\n\r\npayload = b\"shellcode_payload    0000111122223333444455556666777788889999AAAABBBBCCCCDDDDEEEEFFFF\" * 120\r\nkey = bytes([0,255,127,55,155,25,225,10,220,40,190,26,100,70,90,45,235,32,64,128,215,28,46,158,123,13,8,5,168,191,69])\r\n\r\nencrypted_payload = bytes([key[i % len(key)] ^ x for i, x in enumerate(payload)])\r\n\r\nprint(shannon_entropy(encrypted_payload))  # 7.753825816757683, good encryption or compression have an entropy score \u003e 7.9 and \u003c 8\r\n                                           # Malicious entropy is detected by antivirus software when entropy score is greater than ~= 7.2\r\n                                           # This encrypted payload will be detected as malicious entropy by antivirus software\r\nencoded_shellcode = entropy_encode(encrypted_payload)\r\nencoded2_shellcode = entropy_encode2(encrypted_payload)\r\nprint(encoded_shellcode)\r\nprint(encoded2_shellcode)\r\n\r\nassert entropy_decode(encoded_shellcode)   == encrypted_payload\r\nassert entropy_decode2(encoded2_shellcode) == encrypted_payload\r\n\r\nprint(shannon_entropy(encoded_shellcode))  # 5.770760744294572, entropy score is smaller than 7.2, antivirus software will not detect this payload with entropy checks\r\nprint(shannon_entropy(encoded2_shellcode)) # 5.767383412620195, entropy score is smaller than 7.2, antivirus software will not detect this payload with entropy checks\r\n\r\nr\"\"\"\r\nI get entropy score from 
Windows executable, average score is ~= 5 (so 5.7 can be a legitimate entropy score):\r\n\u003e\u003e\u003e from glob import iglob\r\n\u003e\u003e\u003e from statistics import mean\r\n\u003e\u003e\u003e from EntropyEncoding import *\r\n\u003e\u003e\u003e entropy = []\r\n\u003e\u003e\u003e for a in iglob(r\"C:\\Windows\\System32\\*.exe\"): entropy.append(shannon_entropy(open(a, \"rb\").read()))\r\n...\r\n\u003e\u003e\u003e max(entropy)\r\n7.932014219115418\r\n\u003e\u003e\u003e min(entropy)\r\n1.6379445326685684\r\n\u003e\u003e\u003e mean(entropy)\r\n5.063622509688209\r\n\u003e\u003e\u003e\r\n\"\"\"\r\n```\r\n\r\nTests results:\r\n\r\n```\r\n~# python3 EntropyEncoding.py\r\nEntropy for non-encoded secrets: 4.521591372417719\r\nEntropy for non-encoded encrypted secrets: 7.951320327821406\r\nEntropy for entropy-encoded encrypted secrets: 5.774096152750044\r\nEntropy for non-encoded exe: 5.22055339277441\r\nEntropy for non-encoded encrypted exe: 7.914685739354301\r\nEntropy for entropy-encoded encrypted exe: 5.759477906043907\r\n~# \r\n```\r\n\r\n## Links\r\n\r\n - [Pypi](https://pypi.org/project/EntropyEncoding)\r\n - [Github](https://github.com/mauricelambert/EntropyEncoding)\r\n - [Documentation](https://mauricelambert.github.io/info/python/security/EntropyEncoding.html)\r\n\r\n## License\r\n\r\nLicensed under the [GPL, version 3](https://www.gnu.org/licenses/).\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmauricelambert%2Fentropyencoding","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmauricelambert%2Fentropyencoding","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmauricelambert%2Fentropyencoding/lists"}