topology

package
v4.4.0
Published: Jun 11, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	MaxStringLiteralLen = 4096      // 4KB limit per string
	MaxTotalStringBytes = 1024 * 64 // 64KB limit per function
)

Functions

func CalculateEntropy

func CalculateEntropy(data []byte) float64

Returns the Shannon entropy of a byte slice. The result ranges from 0.0 (every byte identical, completely predictable) to 8.0 (maximum randomness). High entropy (>7.0) often indicates packed or encrypted code; normal code typically falls between 4.5 and 6.5.

func CalculateEntropyNormalized

func CalculateEntropyNormalized(data []byte) float64

Returns entropy normalized to 0.0-1.0 range. Useful for direct comparison and threshold checks.

func EntropyDistance

func EntropyDistance(e1, e2 float64) float64

Calculates the absolute difference between two entropy values. Used for fuzzy matching: two functions with similar entropy are more likely related.

func EntropyMatch

func EntropyMatch(e1, e2, tolerance float64) bool

Returns true if two entropy values are within the given tolerance. Default tolerance of 0.5 is recommended for malware family matching.

func GenerateFuzzyHash

func GenerateFuzzyHash(t *FunctionTopology) string

GenerateFuzzyHash creates a short representation of the function structure.

func MapSimilarity

func MapSimilarity(a, b map[string]int) float64

MapSimilarity calculates the similarity between two frequency maps.

func SetTopologyLimits

func SetTopologyLimits(maxLen, maxTotal int)

SetTopologyLimits adjusts the memory safeguards for string processing.

func TopologyFingerprint

func TopologyFingerprint(t *FunctionTopology) string

func TopologySimilarity

func TopologySimilarity(a, b *FunctionTopology) float64

TopologySimilarity calculates the similarity between two function topologies.

Types

type EntropyClass

type EntropyClass int

Categorizes entropy levels for quick analysis.

const (
	EntropyLow    EntropyClass = iota // < 4.0: Simple/sparse code
	EntropyNormal                     // 4.0-6.5: Typical compiled code
	EntropyHigh                       // 6.5-7.5: Potentially obfuscated
	EntropyPacked                     // > 7.5: Likely packed/encrypted
)

func ClassifyEntropy

func ClassifyEntropy(entropy float64) EntropyClass

Determines the entropy class from a raw entropy value.

func (EntropyClass) String

func (c EntropyClass) String() string

type EntropyProfile

type EntropyProfile struct {
	// Overall entropy of the function body
	Overall float64

	// Entropy of string literals within the function
	StringLiteralEntropy float64

	// Entropy classification
	Classification EntropyClass
}

Captures entropy characteristics for malware analysis.

func CalculateEntropyProfile

func CalculateEntropyProfile(bodyBytes []byte, stringLiterals []string) EntropyProfile

Builds a complete entropy profile for analysis.

type FunctionTopology

type FunctionTopology struct {
	FuzzyHash string

	// Basic metrics
	ParamCount  int
	ReturnCount int
	BlockCount  int
	InstrCount  int
	LoopCount   int
	BranchCount int // if statements
	PhiCount    int

	// Complexity metrics
	CyclomaticComplexity int

	// Call profile: map of "package.func" or "method" -> count
	CallSignatures map[string]int

	// Granular instruction tracking
	InstrCounts map[string]int

	// Type signature (normalized)
	ParamTypes  []string
	ReturnTypes []string

	// Control flow features
	HasDefer   bool
	HasRecover bool
	HasPanic   bool
	HasGo      bool
	HasSelect  bool
	HasRange   bool

	// Operator profile
	BinOpCounts map[string]int
	UnOpCounts  map[string]int

	// String literal hashes (for behavioral matching)
	StringLiterals []string

	// Entropy analysis for obfuscation detection
	EntropyScore   float64
	EntropyProfile EntropyProfile

	// Multi-signal obfuscation analysis: sliding-window and const-pool entropy,
	// indirect/reflective dispatch ratio, control-flow flattening, and in-loop
	// decoder fingerprints. Captures payloads the string-only entropy path misses.
	Obfuscation ObfuscationProfile
	// contains filtered or unexported fields
}

FunctionTopology captures the structural "shape" of a function independent of names.

func ExtractTopology

func ExtractTopology(fn *ssa.Function) *FunctionTopology

ExtractTopology analyzes an SSA function and extracts its structural features.

type ObfuscationClass added in v4.3.0

type ObfuscationClass int

ObfuscationClass buckets the overall obfuscation score for quick triage.

const (
	ObfuscationNone     ObfuscationClass = iota // < 0.25
	ObfuscationLow                              // 0.25 - 0.50
	ObfuscationModerate                         // 0.50 - 0.75
	ObfuscationHigh                             // >= 0.75
)

func (ObfuscationClass) String added in v4.3.0

func (c ObfuscationClass) String() string

type ObfuscationProfile added in v4.3.0

type ObfuscationProfile struct {
	// MaxWindowEntropy is the highest Shannon entropy (0..8) found in any
	// sliding window across the concatenated constant pool (strings + byte/int
	// arrays). Unlike a global mean, a single packed blob surfaces here even
	// when surrounded by benign data.
	MaxWindowEntropy float64

	// ConstPoolEntropy is the Shannon entropy (0..8) of the *non-string*
	// constant pool: integer and byte constants flowing into the function.
	// This is the signal the old path was completely missing.
	ConstPoolEntropy float64

	// ByteArrayPayloadBytes is the total number of bytes contributed by
	// small-integer constants (0..255) that look like an encoded payload.
	ByteArrayPayloadBytes int

	// IndirectCallRatio is dynamic+reflective calls over all calls. High values
	// indicate dispatch-table / reflection obfuscation that evades name-based
	// signatures.
	IndirectCallRatio float64

	// FlatteningScore estimates control-flow-flattening likelihood from the
	// dispatcher shape (one block with many predecessors and successors driving
	// a state variable). 0..1.
	FlatteningScore float64

	// DecoderLoopLikelihood is 0..1 evidence of an in-loop decode/XOR routine:
	// a loop body containing byte-wise arithmetic/bitwise ops over an indexed
	// buffer. This is the structural fingerprint of a string/payload decryptor.
	DecoderLoopLikelihood float64

	// Score is the aggregate 0..1 obfuscation score.
	Score float64

	// Class is the bucketed Score.
	Class ObfuscationClass

	// Indicators lists the human-readable signals that fired, for reporting.
	Indicators []string
}

ObfuscationProfile captures multi-signal obfuscation evidence for a function. All ratios are normalized 0..1 unless noted.

func AnalyzeObfuscation added in v4.3.0

func AnalyzeObfuscation(t *FunctionTopology) ObfuscationProfile

AnalyzeObfuscation builds an ObfuscationProfile for an already-extracted topology. It re-walks the SSA function (held in t.fn) to gather the non-string constant pool, which ExtractTopology intentionally does not retain. If the underlying function is unavailable it falls back to string-only signals so the result is still meaningful for synthesized topologies in tests.
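To make the entropy figures above concrete (the 0..8 scale of CalculateEntropy and the MaxWindowEntropy signal in ObfuscationProfile), here is an added, self-contained Go example; it is not the package's own code and reimplements the two calculations over a constructed constant pool in which a 256-byte blob is buried inside benign text.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
)

// shannonEntropy returns bits per byte: 0.0 when every byte is identical, 8.0 when all 256 values are equally frequent (added example, not the package's code).
func shannonEntropy(data []byte) (h float64) {
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / float64(len(data))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// maxWindowEntropy keeps the highest entropy of any fixed-size window, so a short packed blob surfaces even when the global mean stays low.
func maxWindowEntropy(data []byte, window int) float64 {
	if window <= 0 || len(data) <= window {
		return shannonEntropy(data)
	}
	best := 0.0
	for i := 0; i+window <= len(data); i++ {
		if h := shannonEntropy(data[i : i+window]); h > best {
			best = h
		}
	}
	return best
}

// samplePool is constructed input: benign repeated text around a 256-byte blob standing in for a packed payload.
func samplePool() []byte {
	text := bytes.Repeat([]byte("GET /index.html HTTP/1.1\r\n"), 40)
	pool := append([]byte{}, text...)
	for i := 0; i < 256; i++ {
		pool = append(pool, byte(i*167+13)) // odd multiplier: a permutation of 0..255
	}
	return append(pool, text...)
}

func main() {
	fmt.Printf("global=%.2f max256=%.2f\n", shannonEntropy(samplePool()), maxWindowEntropy(samplePool(), 256))
}
```

On this input the global entropy lands in the EntropyNormal band while the 256-byte window over the blob reads 8.0, which is why a single packed blob shows up in MaxWindowEntropy but not in a pool-wide mean.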
