Skip to content

Wannabe99/unipacker

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits

DLLs

DLLs

 
 

Sample

Sample

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

NOTICE

NOTICE

 
 

README.md

README.md

 
 

apicalls.py

apicalls.py

 
 

banner

banner

 
 

fortunes

fortunes

 
 

kernel_structs.py

kernel_structs.py

 
 

malwrsig.yar

malwrsig.yar

 
 

packer_signatures.yar

packer_signatures.yar

 
 

requirements.txt

requirements.txt

 
 

unipacker.py

unipacker.py

 
 

unpackers.py

unpackers.py

 
 

utils.py

utils.py

 
 

Repository files navigation

 _   _         __  _  __                    _
| | | |       / / (_) \ \                  | |
| | | |_ __  | |   _   | | _ __   __ _  ___| | _____ _ __
| | | | '_ \/ /   | |   \ \ '_ \ / _` |/ __| |/ / _ \ '__|
| |_| | | | \ \   | |   / / |_) | (_| | (__|   <  __/ |
 \___/|_| |_|| |  |_|  | || .__/ \__,_|\___|_|\_\___|_|
              \_\     /_/ | |
                          |_|

Un{i}packer

Unpacking PE files using Unicorn Engine

The usage of runtime packers by malware authors is very common, as it is a technique that helps to hinder analysis. Furthermore, packers are a challenge for antivirus products, as they make it impossible to identify malware by signatures or hashes alone.

In order to be able to analyze a packed malware sample, it is often required to unpack the binary. Usually this means, that the analyst will have to manually unpack the binary by using dynamic analysis techniques (Tools: OllyDbg, x64Dbg). There are also some approaches for automatic unpacking, but they are all only available for Windows. Therefore when targeting a packed Windows malware the analyst will require a Windows machine. The goal of our project is to enable platform independent automatic unpacking by using emulation.

Fully supported packers

  • UPX: Cross-platform, open source packer
  • ASPack: Advanced commercial packer with a high compression ratio
  • PEtite: Freeware packer, similar to ASPack
  • FSG: Freeware, fast to unpack
  • YZPack

Other packers

Any other packers should work as well, as long as the needed API functions are implemented in Un{i}packer. For packers that aren't specifically known you will be asked whether you would like to manually specify the start and end addresses for emulation. If you would like to start at the entry point declared in the PE header and just emulate until section hopping is detected, press Enter

Usage

Normal installation

Install r2 and YARA

pip3 install -r requirements.txt
python3 unipacker.py

Attention! It is strongly advised to use the requirements.txt, as we use a custom version of unicorn-engine that differs from the PyPi package version. Additionally, one might accidentally install the "yara" package instead of "yara-python", which will lead to errors.

For detailed instructions on how to use Un{i}packer please refer to the Wiki. Additionally, all of the shell commands are documented. To access this information, use the help command

Using Docker

You can also use the provided Dockerfile to run a containerized version of Un{i}packer:

docker build -t unipacker . && \
docker run \
-v ~/local_samples:/root/unipacker/local_samples \
--name unipacker \
--rm \
unipacker

Assuming you have a folder called local_samples in your home directory, this will be mounted inside the container. Un{i}packer will thus be able to access those binaries via /root/unipacker/local_samples

About

Automatic and platform-independent unpacker for Windows binaries based on emulation

Resources

Readme

License

GPL-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 89.0%
  • YARA 10.4%
  • Dockerfile 0.6%