Binary Entropy Analyzer written in Zig
Part of the NullSec offensive security toolkit
Discord: discord.gg/killers
Portal: bad-antics.github.io
ZigScan is a high-performance binary entropy analyzer that identifies packed, encrypted, and obfuscated sections in executables. Built with Zig's compile-time features and memory safety, it provides detailed entropy analysis for malware investigation and reverse engineering.
- Compile-time Execution:
comptimefor zero-cost abstractions - Memory Safety: No GC, explicit allocation
- Error Unions: Robust error handling
- Optionals: Null safety
- Inline Assembly: Low-level access when needed
- C Interop: Seamless FFI
- Generic Functions: Type-safe generics
| Indicator | Entropy | Risk | MITRE | Description |
|---|---|---|---|---|
| Encryption | >7.5 | CRITICAL | T1027.002 | Data appears random |
| Packing | >7.0 | HIGH | T1027 | Compressed/packed data |
| Packer Section | - | HIGH | T1027.002 | UPX/packer signatures |
| Hidden Code | >6.0 | MEDIUM | T1620 | Shellcode in data |
| NOP Padding | <4.0 | LOW | T1620 | Shellcode sleds |
| Range | Interpretation |
|---|---|
| 0.0 - 1.0 | Uniform/empty data |
| 1.0 - 4.0 | Low complexity (NOPs, padding) |
| 4.0 - 6.0 | Normal code/data |
| 6.0 - 7.0 | Compiled code |
| 7.0 - 7.5 | Compressed data |
| 7.5 - 8.0 | Encrypted/packed |
# Clone
git clone https://github.com/bad-antics/nullsec-zigscan.git
cd nullsec-zigscan
# Build (requires Zig 0.11+)
zig build-exe -O ReleaseFast zigscan.zig
# Run
./zigscan binary.exe# Analyze a binary
./zigscan malware.exe
# Verbose output
./zigscan -v sample.dll
# JSON output
./zigscan -j binary.exe > analysis.json
# Custom entropy threshold
./zigscan -t 7.2 packed.exeUSAGE:
zigscan [OPTIONS] <BINARY>
OPTIONS:
-h, --help Show help
-v, --verbose Verbose output
-j, --json JSON output format
-t, --threshold Entropy threshold (default: 7.0)
╔══════════════════════════════════════════════════════════════════╗
║ NullSec ZigScan - Binary Entropy Analyzer ║
╚══════════════════════════════════════════════════════════════════╝
[Demo Mode]
Analyzing binary entropy distribution...
Section Analysis:
┌──────────┬────────────┬──────────┬─────────┬──────────┐
│ Name │ Offset │ Size │ Entropy │ Status │
├──────────┼────────────┼──────────┼─────────┼──────────┤
│ .text │ 0x00001000 │ 45056 │ 6.20 │ OK │
│ .data │ 0x0000C000 │ 8192 │ 4.80 │ OK │
│ .rdata │ 0x0000E000 │ 4096 │ 5.10 │ OK │
│ UPX0 │ 0x00010000 │ 32768 │ 7.80 │ SUSPECT │
│ UPX1 │ 0x00018000 │ 65536 │ 7.90 │ SUSPECT │
│ .rsrc │ 0x00028000 │ 16384 │ 7.20 │ SUSPECT │
│ .enc │ 0x0002C000 │ 24576 │ 7.95 │ SUSPECT │
│ .stub │ 0x00032000 │ 512 │ 3.20 │ SUSPECT │
└──────────┴────────────┴──────────┴─────────┴──────────┘
[CRITICAL] Extremely high entropy - likely encrypted/packed
Section: .enc
Entropy: 7.95
MITRE: T1027.002
Recommendation: Unpack before analysis
[CRITICAL] Extremely high entropy - likely encrypted/packed
Section: UPX1
Entropy: 7.90
MITRE: T1027.002
Recommendation: Unpack before analysis
[HIGH] Packer section detected
Section: UPX0
Entropy: 7.80
MITRE: T1027.002
Recommendation: Unpack with appropriate tool
═══════════════════════════════════════════
Summary:
Sections Analyzed: 8
Issues Found: 6
Critical: 2
High: 3
Medium: 1
fn calculateEntropy(data: []const u8) f64 {
var freq: [256]u64 = [_]u64{0} ** 256;
for (data) |byte| {
freq[byte] += 1;
}
var entropy: f64 = 0.0;
const len_f64: f64 = @floatFromInt(data.len);
for (freq) |count| {
if (count > 0) {
const p: f64 = @as(f64, @floatFromInt(count)) / len_f64;
entropy -= p * @log2(p);
}
}
return entropy;
}const RiskLevel = enum {
critical,
high,
medium,
low,
info,
pub fn toString(self: RiskLevel) []const u8 {
return switch (self) {
.critical => "CRITICAL",
.high => "HIGH",
.medium => "MEDIUM",
.low => "LOW",
.info => "INFO",
};
}
};fn analyzeSection(section: Section) ?Finding {
if (section.entropy > 7.5) {
return Finding{
.section_name = section.name,
.issue = "Extremely high entropy",
.risk = .critical,
.mitre = "T1027.002",
};
}
return null;
}┌────────────────────────────────────────────────────────────────┐
│ ZigScan Architecture │
├────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Binary │───▶│ Header │───▶│ Section │ │
│ │ File │ │ Parser │ │ Table │ │
│ └─────────────┘ └─────────────┘ └──────┬──────┘ │
│ │ │
│ ┌────────────────────────────────────────┘ │
│ ▼ │
│ ┌──────────────────────────────────────────────────┐ │
│ │ Entropy Calculator │ │
│ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │
│ │ │ Byte │ │ Shannon │ │ Entropy │ │ │
│ │ │ Freq │─│ Formula │─│ Score │ │ │
│ │ └──────────┘ └──────────┘ └──────────┘ │ │
│ └────────────────────────┬─────────────────────────┘ │
│ │ │
│ ┌───────────────────┼───────────────────┐ │
│ ▼ ▼ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ Packer │ │ Crypto │ │ Code │ │
│ │ Detect │ │ Detect │ │ Anomaly │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ │
│ │ │ │ │
│ └──────────────────┼──────────────────┘ │
│ ▼ │
│ ┌─────────────────┐ │
│ │ Analysis Report │ │
│ └─────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────┘
| Requirement | Zig Advantage |
|---|---|
| Performance | C-level speed |
| Memory Safety | Compile-time checks |
| Binary Analysis | Direct memory access |
| Small Binary | No runtime overhead |
| Cross-compile | Easy target switching |
| No Hidden Control | Explicit allocation |
MIT License - See LICENSE for details.
- nullsec-nimhunter - Memory forensics (Nim)
- nullsec-binarydiff - Binary diff (Swift)
- nullsec-byteforge - Payload builder (Kotlin)