Add Get-Entropy

README.md

@@ -140,6 +140,10 @@ Displays the process modules that have been loaded since the call to Register-Pr
 
 Stops the running process module trace
 
+#### `Get-Entropy`
+
+Calculates the entropy of a file or byte array.
+
 ## AntivirusBypass
 
 **AV doesn't stand a chance against PowerShell!**

ReverseEngineering/Get-Entropy.ps1

@@ -0,0 +1,106 @@
+function Get-Entropy
+{
+<#
+.SYNOPSIS
+
+    Calculates the entropy of a file or byte array.
+
+    PowerSploit Function: Get-Entropy
+    Author: Matthew Graeber (@mattifestation)
+    License: BSD 3-Clause
+    Required Dependencies: None
+    Optional Dependencies: None
+
+.PARAMETER ByteArray
+
+    Specifies the byte array containing the data from which entropy will be calculated.
+
+.PARAMETER FilePath
+
+    Specifies the path to the input file from which entropy will be calculated.
+
+.EXAMPLE
+
+    C:\PS>Get-Entropy -FilePath C:\Windows\System32\kernel32.dll
+
+.EXAMPLE
+
+    C:\PS>ls C:\Windows\System32\*.dll | % { Get-Entropy -FilePath $_ }
+
+.EXAMPLE
+
+    C:\PS>$RandArray = New-Object Byte[](10000)
+    C:\PS>foreach ($Offset in 0..9999) { $RandArray[$Offset] = [Byte] (Get-Random -Min 0 -Max 256) }
+    C:\PS>$RandArray | Get-Entropy
+
+    Description
+    -----------
+    Calculates the entropy of a large array containing random bytes.
+
+.EXAMPLE
+
+    C:\PS> 0..255 | Get-Entropy
+
+    Description
+    -----------
+    Calculates the entropy of 0-255. This should equal exactly 8.
+
+.OUTPUTS
+
+    System.Double
+
+    Get-Entropy outputs a double representing the entropy of the byte array.
+
+.LINK
+
+    http://www.exploit-monday.com
+#>
+
+    [CmdletBinding()] Param (
+        [Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True, ParameterSetName = 'Bytes')]
+        [ValidateNotNullOrEmpty()]
+        [Byte[]]
+        $ByteArray,
+
+        [Parameter(Mandatory = $True, Position = 0, ParameterSetName = 'File')]
+        [ValidateNotNullOrEmpty()]
+        [IO.FileInfo]
+        $FilePath
+    )
+
+    BEGIN
+    {
+        $FrequencyTable = @{}
+        $ByteArrayLength = 0
+    }
+
+    PROCESS
+    {
+        if ($PsCmdlet.ParameterSetName -eq 'File')
+        {
+            $ByteArray = [IO.File]::ReadAllBytes($FilePath.FullName)
+        }
+
+        foreach ($Byte in $ByteArray)
+        {
+            $FrequencyTable[$Byte]++
+            $ByteArrayLength++
+        }
+    }
+
+    END
+    {
+        $Entropy = 0.0
+
+        foreach ($Byte in 0..255)
+        {
+            $ByteProbability = ([Double] $FrequencyTable[[Byte]$Byte]) / $ByteArrayLength
+            if ($ByteProbability -gt 0)
+            {
+                $Entropy += -$ByteProbability * [Math]::Log($ByteProbability, 2)
+            }
+        }
+
+        Write-Output $Entropy
+    }
+}

ReverseEngineering/ReverseEngineering.psd1

@@ -76,7 +76,7 @@ ModuleList = @(@{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; G
 FileList = 'ReverseEngineering.psm1', 'ReverseEngineering.psd1', 'Get-ILDisassembly.ps1', 'Get-NtSystemInformation.format.ps1xml',
                'Get-NtSystemInformation.ps1', 'Get-Member.ps1', 'Get-MethodAddress.ps1', 'Get-PEB.format.ps1xml',
                'Get-PEB.ps1', 'Get-Strings.ps1', 'Get-StructFromMemory.ps1', 'ConvertTo-String.ps1',
-               'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
+               'Get-Entropy.ps1', 'New-Object.ps1', 'Get-ILDisassembly.format.ps1xml', 'ProcessModuleTrace.ps1', 'Usage.md'
 
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''