Add Shannon entropy analysis to detect obfuscated payloads

[contemas-tschmidt]

Summary

• Adds --entropy flag that flags PHP files containing string literals with unusually high Shannon entropy (≥ 5.3 bits/char by default)
• Targets quoted string literals ≥ 40 characters — the typical carrier for encrypted, XOR-obfuscated, or base64-packed payloads
• Complements signature-based detection: catches novel obfuscation that has no known pattern/signature
• Adds --entropy-threshold option to override the default threshold

Why entropy analysis?

Signature-based scanners only detect known malware. Attackers increasingly use:

• XOR-encrypted payloads with rotating keys
• Multi-layer encoding (gzip → base64 → str_rot13)
• Custom obfuscators that produce no recognizable function names

High-entropy string literals are a reliable indicator of such techniques. A string of 60+ chars with entropy > 5.3 bits/char is almost certainly encoded/encrypted data.

Integration

Fits cleanly into the existing scan() pipeline — runs after all pattern checks, respects --no-stop, and uses the same printPath() output format:

# ER # {/path/to/infected.php} #[entropy:5.90] # 12

Works alongside pattern detection — if a file triggers both a signature and high entropy, both findings are reported (with --no-stop).

Test

# Should flag (entropy 5.90, no known pattern match):
echo '<?php $a = "K7gH2mPxR9sNqL4vT0cA8fZdYeWoUiJbXlj3Q6nBy5wMhEkVuCp1FtGrIDsOz"; echo $a;' > test.php
php scan.php -d . --entropy -n --disable-stats -p -L
# → # ER # {./test.php} #[entropy:5.9] # 2

# Should not flag (clean, low entropy):
echo '<?php echo "Hello World"; ?>' > clean.php
php scan.php -d . --entropy -n --disable-stats
# → # OK # {./clean.php}

🤖 Generated with Claude Code

[scr34m]

This is a very interesting idea, i'll test a bit before merging on my code sample with malicious codes.