Unicorn PE

Unicorn PE is an unicorn based instrumentation project/framework designed to emulate code execution for windows PE files, especially packed ones.

Feature

Dump PE image from emu-memory into file, fix import table, decrypt VMProtect strings, decrypt VMProtect imports.

Partial support for exception. (only #DB and #BP)

Show disasm for all instructions that is being executed.

Update BlackBone to latest ver (2020.4.5).

TODO

Feature: x86 (low priority) -- 0%

Build

Visual Studio 2017 or 2019

Open unicorn_pe.sln with Visual Studio

Build project "unicorn_pe" as x64/Release or x64/Debug. (No x86 support for now)

Usage

unicorn_pe (filename or filepath) [-k for kernel mode driver emulation] [-disasm for displaying disasm] [-dump for binary dump] [-packed for packed binary] [-boundcheck for memory access bound check, may slower the execution]

Programming

...to be documented

Snapshots

original driver

vmprotect packed driver

vmprotect is fixing encrypted IAT

vmprotect goes back to original entry point

vmprotect packed DLL, full user-mode emulation.

License

This software is released under the MIT License, see LICENSE.

Dependencies

A modification of https://github.com/DarthTon/Blackbone is done for PE manual-mapping.

https://github.com/unicorn-engine/unicorn for emulation.

https://github.com/aquynh/capstone for disasm.

About

Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files.

MIT License

Languages

Language:C 88.7%Language:C++ 2.7%Language:C# 1.8%Language:Java 1.7%Language:Python 1.6%Language:OCaml 0.6%Language:Visual Basic 6.0 0.5%Language:Pascal 0.3%Language:Shell 0.3%Language:F# 0.3%Language:Ruby 0.3%Language:Rust 0.2%Language:Haskell 0.2%Language:Go 0.2%Language:CMake 0.2%Language:Makefile 0.1%Language:Objective-C 0.1%Language:PowerShell 0.0%Language:Batchfile 0.0%Language:VBA 0.0%Language:Assembly 0.0%Language:Cython 0.0%Language:Tcl 0.0%Language:Smalltalk 0.0%