unipacker

Automatic and platform-independent unpacker for Windows binaries based on emulation

https://github.com/unipacker/unipacker

Science Score: 59.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
    Found 5 DOI reference(s) in README
  • Academic publication links
    Links to: springer.com, acm.org, zenodo.org
  • Committers with academic emails
    2 of 9 committers (22.2%) from academic institutions
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.6%) to scientific vocabulary

Keywords

debugger dumper emulation packers pefile python reverse-engineering security unicorn-engine unpacker windows
Last synced: 6 months ago

Repository

Automatic and platform-independent unpacker for Windows binaries based on emulation

Basic Info
  • Host: GitHub
  • Owner: unipacker
  • License: gpl-2.0
  • Language: Python
  • Default Branch: master
  • Homepage:
  • Size: 8.58 MB
Statistics
  • Stars: 708
  • Watchers: 32
  • Forks: 86
  • Open Issues: 29
  • Releases: 8
Topics
debugger dumper emulation packers pefile python reverse-engineering security unicorn-engine unpacker windows
Created about 7 years ago · Last pushed over 1 year ago
Metadata Files
Readme License Citation

README.md

 _   _         __  _  __                    _
| | | |       / / (_) \ \                  | |
| | | |_ __  | |   _   | | _ __   __ _  ___| | _____ _ __
| | | | '_ \/ /   | |   \ \ '_ \ / _` |/ __| |/ / _ \ '__|
| |_| | | | \ \   | |   / / |_) | (_| | (__|   <  __/ |
 \___/|_| |_|| |  |_|  | || .__/ \__,_|\___|_|\_\___|_|
              \_\     /_/ | |
                          |_|

Un{i}packer

Unpacking PE files using Unicorn Engine

The usage of runtime packers by malware authors is very common, as it is a technique that helps to hinder analysis. Furthermore, packers are a challenge for antivirus products, as they make it impossible to identify malware by signatures or hashes alone.

In order to analyze a packed malware sample, it is often required to unpack the binary first. Usually this means that the analyst has to unpack the binary manually using dynamic analysis techniques (tools: OllyDbg, x64dbg). There are also some approaches for automatic unpacking, but they are all only available for Windows. Therefore, when targeting a packed Windows malware sample, the analyst will require a Windows machine. The goal of our project is to enable platform-independent automatic unpacking by using emulation that yields runnable Windows binaries.

Fully supported packers

  • ASPack: Advanced commercial packer with a high compression ratio
  • FSG: Freeware, fast to unpack
  • MEW: Specifically designed for small binaries
  • MPRESS: Free, more complex packer
  • PEtite: Freeware packer, similar to ASPack
  • UPX: Cross-platform, open source packer
  • YZPack

Other packers

Any other packers should work as well, as long as the API functions they need are implemented in Un{i}packer. For packers that aren't specifically known, you will be asked whether you would like to manually specify the start and end addresses for emulation. If you would like to start at the entry point declared in the PE header and just emulate until section hopping is detected, press Enter.

Showcase

We are humbled to see some active usage of Un{i}packer for research projects, university courses and other resources that teach students about malware obfuscation:

  • Tutorial video belonging to the Master's course "Malware Analysis and Cyber Threat Intelligence" at the Westphalian University, demonstrating how to analyze obfuscated malware with Un{i}packer
  • DeepReflect: Paper presenting a tool for localizing and identifying malware components within a malicious binary. Its dataset relies on a Un{i}packer preprocessing step
  • BDHunter: Paper describing a system that automatically identifies behavior dispatchers to assist triggering malicious behaviors. The tool requires unpacked malware samples as input, where the authors propose using Un{i}packer
  • JARV1S Disassembler: Disassembler that uses Un{i}packer as a preprocessing step
  • Anti-Anti-Virus 2 lecture of University of Virginia's "CS 4630: Defense Against the Dark Arts", using Un{i}packer as an example for unpacking techniques
  • Mastering Malware Analysis: The second edition of this comprehensive guide to malware analysis by Alexey Kleymenov and Amr Thabet also explains how unpacking and deobfuscation works, mentioning Un{i}packer as a suitable tool for several popular packers
  • Malflow: Paper presenting a static analysis method to classify malware families. Its dataset relies, among others, on a Un{i}packer preprocessing step. The authors publish the experiment's full dataset on Kaggle, containing analysis of unpacked samples from BODMAS: Radare2 disassembled objects, instructions statistics, malware transformed into RGB images, and more.
  • PhD research: thesis and related static analysis research projects, some of them using Un{i}packer for malware preprocessing.

If you are using Un{i}packer for additional projects and would like them featured in this list, we would love to hear from you!

Usage

Normal installation

Install the YARA package for your OS, get Un{i}packer from PyPI and start it using the automatically created command line wrapper:

    pip3 install unipacker
    unipacker

For detailed instructions on how to use Un{i}packer please refer to the Wiki. Additionally, all of the shell commands are documented. To access this information, use the help command.

You can take a quick look at Un{i}packer in action in a (German) video by Prof. Chris Dietrich.

Development mode installation

Clone the repository, and inside the project root folder activate development mode using:

    pip3 install -e .

Using Docker

You can also use the provided Dockerfile to run a containerized version of Un{i}packer:

    docker run -it -v ~/local_samples:/root/unipacker/local_samples vfsrfs/unipacker

Assuming you have a folder called local_samples in your home directory, this will be mounted inside the container. Un{i}packer will thus be able to access those binaries via /root/unipacker/local_samples.

RESTful API

A third-party wrapper created by @rpgeeganage allows unpacking samples by sending a request to a RESTful server: https://github.com/rpgeeganage/restful4up

GitHub Events

Total
  • Issues event: 3
  • Watch event: 55
  • Issue comment event: 2
  • Fork event: 5
Last Year
  • Issues event: 3
  • Watch event: 55
  • Issue comment event: 2
  • Fork event: 5

Committers

Last synced: almost 3 years ago

All Time
  • Total Commits: 202
  • Total Committers: 9
  • Avg Commits per committer: 22.444
  • Development Distribution Score (DDS): 0.475
Top Committers
Name Email Commits
Samuel Hopstock m****7@g****m 106
vfsrfs c****l@t****e 84
Steven s****g@m****a 4
vfsrfs 4****s@u****m 2
lubiedo l****o@g****m 2
vfsrfs c****l@g****m 1
garanews p****g@t****t 1
vfsrfs v****s@v****e 1
x0r19x91 x****1@u****m 1
Committer Domains (Top 20 + Academic)

Issues and Pull Requests

Last synced: 7 months ago

All Time
  • Total issues: 49
  • Total pull requests: 10
  • Average time to close issues: about 2 months
  • Average time to close pull requests: about 19 hours
  • Total issue authors: 19
  • Total pull request authors: 8
  • Average comments per issue: 2.02
  • Average comments per pull request: 1.2
  • Merged pull requests: 10
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 2
  • Pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: about 5 hours
  • Issue authors: 2
  • Pull request authors: 1
  • Average comments per issue: 0.0
  • Average comments per pull request: 1.0
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
  • Masrepus (22)
  • crypto2011 (5)
  • garanews (3)
  • steven-hh-ding (2)
  • attilamester (2)
  • balika011 (2)
  • Bhuvanamitra (2)
  • MrSmiley-006 (1)
  • esmailzadeh1 (1)
  • kittyflip (1)
  • gcarlos64 (1)
  • demberto (1)
  • PavelKotov1 (1)
  • ibay770 (1)
  • rpgeeganage (1)
Pull Request Authors
  • Masrepus (2)
  • wesinator (2)
  • MrROBUST (2)
  • steven-hh-ding (2)
  • grepwood (2)
  • garanews (1)
  • lubiedo (1)
  • ghost (1)
Top Labels
Issue Labels
bug (1)
Pull Request Labels

Packages

  • Total packages: 1
  • Total downloads:
    • pypi 258 last-month
  • Total dependent packages: 2
  • Total dependent repositories: 1
  • Total versions: 14
  • Total maintainers: 1
pypi.org: unipacker

Automatic and platform-independent unpacker for Windows binaries based on emulation

  • Versions: 14
  • Dependent Packages: 2
  • Dependent Repositories: 1
  • Downloads: 258 Last month
Rankings
Stargazers count: 2.6%
Forks count: 5.2%
Dependent packages count: 10.1%
Average: 11.0%
Downloads: 15.3%
Dependent repos count: 21.6%
Maintainers (1)
Last synced: 6 months ago

Dependencies

setup.py pypi
  • capstone *
  • cmd2 ==0.9.12
  • colorama *
  • gnureadline *
  • pefile *
  • pyreadline *
  • unicorn-unipacker ==1.0.3b7
  • yara-python *
Dockerfile docker
  • alpine 3.13.2 build
requirements.txt pypi