Un{i}packer
Runtime packers are very commonly used by malware authors, because packing hinders analysis. Packers are also a challenge for antivirus products: the packed file has a different hash, and the byte patterns of the original payload are only present after the stub has unpacked it in memory, so detection by signatures or hashes alone is much harder.
To analyze a packed malware sample, the binary usually has to be unpacked first. In practice this means the analyst unpacks it manually with dynamic analysis techniques (tools: OllyDbg, x64dbg): run the packer stub under a debugger until it hands control to the original entry point (OEP), then dump the process memory and rebuild the import table. There are also some approaches to automatic unpacking, but they are only available for Windows, so an analyst working on packed Windows malware needs a Windows machine. The goal of this project is platform-independent automatic unpacking: the packed binary is emulated instead of executed, so the unpacking can run on any host.
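To make the emulation-based approach concrete, here is an added example (not Un{i}packer's own code) of the write-then-execute heuristic that generic unpackers build on: the emulator records every page the packer stub writes to, and the moment control jumps from original code onto a written page is a candidate for the original entry point (OEP); once it is reached, the written section is dumped. The CPU-emulator hooks are replaced by a constructed event trace, and the section names, addresses and payload bytes are made up to resemble a UPX-style layout.

```python
# Write-then-execute tracking: the core heuristic behind emulation-based
# generic unpacking. Added illustration, not Un{i}packer's own code. A real
# unpacker registers on_write/on_exec as hooks in a CPU emulator (Unicorn,
# for example); here they are fed a constructed event trace instead. The
# section layout, addresses and payload bytes are made up to mimic a
# UPX-style image: an empty UPX0 section that the stub in UPX1 fills in.
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional, Set

PAGE_SIZE = 0x1000
IMAGE_BASE = 0x400000
Candidate = namedtuple("Candidate", "addr section section_hop")


def page_of(addr: int) -> int:
    return addr & ~(PAGE_SIZE - 1)


@dataclass(frozen=True)
class Section:
    name: str
    va: int      # virtual address
    vsize: int   # virtual size (may exceed the raw size on disk)

    def contains(self, addr: int) -> bool:
        return self.va <= addr < self.va + self.vsize


@dataclass
class UnpackTracker:
    sections: List[Section]
    dirty_pages: Set[int] = field(default_factory=set)        # written at run time
    candidates: List[Candidate] = field(default_factory=list)
    prev: Optional[int] = None                                 # last executed address

    def section_of(self, addr: int) -> Optional[Section]:
        return next((s for s in self.sections if s.contains(addr)), None)

    def on_write(self, addr: int, size: int) -> None:
        for page in range(page_of(addr), page_of(addr + size - 1) + 1, PAGE_SIZE):
            self.dirty_pages.add(page)

    def on_exec(self, addr: int) -> None:
        dirty = page_of(addr) in self.dirty_pages
        prev_dirty = self.prev is not None and page_of(self.prev) in self.dirty_pages
        # Control moving from original code onto code written at run time is the OEP
        # signal. Sequential execution inside a written region does not re-trigger it.
        if dirty and not prev_dirty:
            here = self.section_of(addr)
            there = self.section_of(self.prev) if self.prev is not None else None
            self.candidates.append(Candidate(addr, here.name if here else None, here != there))
        self.prev = addr


def pick_oep(tracker: UnpackTracker) -> Optional[int]:
    """Layered stubs (one that first decrypts its own next stage) produce several
    transitions; prefer the last one that also hopped into another section."""
    pool = [c for c in tracker.candidates if c.section_hop] or tracker.candidates
    return pool[-1].addr if pool else None


def emulate(events, sections, image_size):
    """Replay ("exec", addr) / ("write", addr, data) events into a flat image."""
    mem, tracker = bytearray(image_size), UnpackTracker(sections)
    for ev in events:
        if ev[0] == "write":
            _, addr, data = ev
            tracker.on_write(addr, len(data))
            off = addr - IMAGE_BASE
            if 0 <= off and off + len(data) <= image_size:   # skip stack/heap writes
                mem[off:off + len(data)] = data
        else:
            tracker.on_exec(ev[1])
    return tracker, mem


def dump_section(mem: bytearray, section: Section) -> bytes:
    off = section.va - IMAGE_BASE
    return bytes(mem[off:off + section.vsize])


# Constructed sample: UPX0 is empty on disk, UPX1 holds the stub + compressed data.
SECTIONS = [Section("UPX0", IMAGE_BASE + 0x01000, 0x10000),
            Section("UPX1", IMAGE_BASE + 0x11000, 0x05000)]
IMAGE_SIZE = 0x16000
ENTRY = IMAGE_BASE + 0x11200                # packer stub entry point (UPX1)
OEP = IMAGE_BASE + 0x01200                  # where the payload is written (UPX0)
PAYLOAD = bytes.fromhex("558bec83ec40")     # push ebp; mov ebp,esp; sub esp,0x40
TRACE = [
    ("exec", ENTRY), ("exec", ENTRY + 1),             # pushad; mov esi, ...
    ("write", IMAGE_BASE + 0x12000, b"\x90" * 16),    # stub decrypts its own 2nd stage
    ("exec", IMAGE_BASE + 0x12000),                   # transition 1, same section
    ("exec", ENTRY + 0x20),                           # back in the original stub code
    ("write", 0x0019FF00, b"\x00" * 4),               # stack write, outside the image
    ("write", OEP, PAYLOAD),                          # decompressed code lands in UPX0
    ("write", IMAGE_BASE + 0x02000, b"\xcc" * 8),     # and spills into the next page
    ("exec", ENTRY + 0x40),                           # popad
    ("exec", OEP),                                    # jmp OEP: transition 2, section hop
    ("exec", OEP + 1), ("exec", OEP + 3),
    ("exec", IMAGE_BASE + 0x02000),                   # flows into next written page: no new candidate
]

if __name__ == "__main__":
    tracker, mem = emulate(TRACE, SECTIONS, IMAGE_SIZE)
    print([(hex(c.addr), c.section, c.section_hop) for c in tracker.candidates])
    print(f"OEP: {pick_oep(tracker):#x}; UPX0 dump: {dump_section(mem, SECTIONS[0])[0x200:0x206].hex()}")
```

Run it directly and the trace yields two transitions: the stub first decrypts its own second stage (same section, not the OEP), then jumps into UPX0 (a section hop, which pick_oep selects). One limitation of the heuristic is its page granularity: if the stub's final jump is itself issued from run-time-written code, the transition onto the payload is invisible, which is why real unpackers layer packer-specific end conditions (for instance "execution left the UPX1 section") on top, and why the dumped image still needs its import table rebuilt before it can be loaded.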
Currently supported packers:
- UPX: cross-platform, open source packer
- ASPack: advanced commercial packer with a high compression ratio
- PEtite: freeware packer, similar to ASPack
- FSG: freeware packer, fast to unpack
Install the Python 3 dependencies and start the tool:
pip3 install -r requirements.txt
python3 unipacker.py
You will then be presented with the file opening prompt. After selecting a sample, you are dropped into the Un{i}packer shell, where you can control the emulation. For more information on the available commands, run the help command.