hasherezade / mal_unpack

Dynamic unpacker based on PE-sieve

Home Page: https://www.youtube.com/watch?v=8LZ6ksoytpU

Repository from Github: https://github.com/hasherezade/mal_unpack

mal_unpack


Dynamic unpacker based on PE-sieve.

It deploys a packed malware, waits for it to unpack the payload, dumps the payload, and kills the original process.

Caution

This unpacker deploys the original malware. Use it only on a virtual machine.

Usage

Basic usage:

mal_unpack.exe /exe <path_to_the_malware> /timeout <timeout: ms>
  • By default, it dumps implanted PEs.
  • If you want to dump shellcodes, use the option: /shellc.
  • If you want to dump modified/hooked/patched PEs, use the option /hooks.
  • If you want the unpacker to terminate on timeout, rather than on the first found implant, use /trigger T.

Important

The available arguments are documented on the Wiki. They can also be listed using the argument /help.
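A batch-triage wrapper for the usage above, added here as an example (not code from the mal_unpack project): it runs mal_unpack.exe on every file in a samples directory with the documented options, logs each run, and bounds the unpacker itself in case a sample stalls it. The install path, the log directory name and the extra grace period are assumptions.

```powershell
# Added example, not part of the mal_unpack project. Runs mal_unpack.exe over every
# file in a samples directory with the options documented in the README.
# Assumptions: mal_unpack.exe (with its PE-sieve DLL) sits at $UnpackerPath, and this
# script runs inside the isolated analysis VM the README requires.
param(
    [Parameter(Mandatory)] [string] $SamplesDir,
    [string] $UnpackerPath = 'C:\tools\mal_unpack\mal_unpack.exe',  # assumed install path
    [int]    $TimeoutMs    = 30000,                                 # passed as /timeout
    [switch] $Shellcode,        # add /shellc   : also dump shellcodes
    [switch] $Hooks,            # add /hooks    : also dump modified/hooked/patched PEs
    [switch] $WaitFullTimeout   # add /trigger T: stop on timeout, not on first implant
)

$logDir = Join-Path $SamplesDir 'mal_unpack_logs'   # assumed log location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

$results = foreach ($sample in Get-ChildItem -Path $SamplesDir -File) {
    # Build the command line exactly as documented: /exe <path> /timeout <ms> [...]
    $unpackArgs = @('/exe', "`"$($sample.FullName)`"", '/timeout', $TimeoutMs)
    if ($Shellcode)       { $unpackArgs += '/shellc' }
    if ($Hooks)           { $unpackArgs += '/hooks' }
    if ($WaitFullTimeout) { $unpackArgs += @('/trigger', 'T') }

    $log  = Join-Path $logDir ($sample.Name + '.log')
    $proc = Start-Process -FilePath $UnpackerPath -ArgumentList $unpackArgs `
                          -RedirectStandardOutput $log -PassThru -NoNewWindow
    $null = $proc.Handle   # cache the handle so ExitCode is populated after exit

    # /timeout bounds the malware run; this outer guard bounds the unpacker itself,
    # so one stuck sample cannot stall the whole batch (grace period is assumed).
    if ($proc.WaitForExit($TimeoutMs + 60000)) {
        $status = "exit=$($proc.ExitCode)"
    } else {
        $proc.Kill()
        $status = 'unpacker-hung-killed'
    }
    [pscustomobject]@{ Sample = $sample.Name; Status = $status; Log = $log }
}
$results | Format-Table -AutoSize
```

Dumped payloads are written wherever mal_unpack.exe itself places them; this script only records the exit status and console output per sample.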

Helpers and utilities

Clone

Use recursive clone to get the repo together with submodules:

git clone --recursive https://github.com/hasherezade/mal_unpack.git

Builds

Download the latest release.


License: BSD 2-Clause "Simplified" License

Languages

  • C 57.4%
  • C++ 41.4%
  • CMake 1.1%
  • Batchfile 0.1%