C++ application that uses memory and code hooks to detect packers
Latest commit 5c91b2f (Jul 20, 2016, nickcano): Merge pull request #8 from BromiumLabs/rtldecompressbuffer
Added a hook for RtlDecompressBuffer

README.md

PackerAttacker

Description

The Packer Attacker is a generic hidden code extractor for Windows malware: it runs a packed sample under API hooks, watches where unpacked code appears and executes, and writes that code out to disk. It supports the following types of packers:

  1. Running unpacked code from the heap
  2. Replacing the PE header (overwriting the original image in place)
  3. Injecting the unpacked code into another process

The Packer Attacker is based on Microsoft Detours.
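To make the detection idea concrete, the following is an added example written for this page; it is not PackerAttacker's own code and uses no Detours or Windows API. It simulates what the hook DLL's tracking logic has to decide at each detoured call: memory regions are recorded as they are allocated or have their protection changed, an API call whose return address lies inside a tracked executable region outside the original image means hidden code is running from the heap (dump it once, not on every call), and a protection change that makes the PE header writable is the signature of in-place header replacement. The protection bits, addresses and the scenario are constructed for illustration.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <map>
#include <vector>

// Constructed protection bits standing in for the Windows PAGE_* constants.
enum Prot : uint32_t { PROT_READ = 1, PROT_WRITE = 2, PROT_EXEC = 4 };

struct Region {
    uint64_t base;
    size_t   size;
    uint32_t prot;
    bool     dumped;   // hidden code in this region has already been written out
};

class HiddenCodeTracker {
public:
    HiddenCodeTracker(uint64_t imageBase, size_t headerSize)
        : imageBase_(imageBase), headerSize_(headerSize) {}

    // Hook point: allocation (what a VirtualAlloc / NtAllocateVirtualMemory detour observes).
    void onAllocate(uint64_t base, size_t size, uint32_t prot) {
        regions_[base] = Region{base, size, prot, false};
    }

    // Hook point: protection change (what a VirtualProtect / NtProtectVirtualMemory detour observes).
    // Covers both packer patterns: a heap buffer turned executable, and the PE header made writable.
    void onProtect(uint64_t base, size_t size, uint32_t newProt) {
        if (overlapsHeader(base, size) && (newProt & PROT_WRITE))
            headerWritable_ = true;
        if (Region* r = find(base)) r->prot = newProt;
        else regions_[base] = Region{base, size, newProt, false};
    }

    // Hook point: any detoured API. `caller` is the return address captured by the hook.
    // Returns true the first time execution is seen inside a tracked executable region,
    // which is the moment the unpacked code should be dumped.
    bool onApiCall(uint64_t caller) {
        Region* r = find(caller);
        if (!r || !(r->prot & PROT_EXEC) || r->dumped) return false;
        r->dumped = true;
        dumps_.push_back(r->base);
        return true;
    }

    bool headerTampered() const { return headerWritable_; }
    const std::vector<uint64_t>& dumps() const { return dumps_; }
    size_t trackedRegions() const { return regions_.size(); }

private:
    bool overlapsHeader(uint64_t base, size_t size) const {
        return base < imageBase_ + headerSize_ && base + size > imageBase_;
    }
    // Largest region base <= addr, if addr falls inside that region.
    Region* find(uint64_t addr) {
        auto it = regions_.upper_bound(addr);
        if (it == regions_.begin()) return nullptr;
        --it;
        Region& r = it->second;
        return (addr >= r.base && addr < r.base + r.size) ? &r : nullptr;
    }
    uint64_t imageBase_;
    size_t   headerSize_;
    bool     headerWritable_ = false;
    std::map<uint64_t, Region> regions_;
    std::vector<uint64_t> dumps_;
};

struct Outcome { bool earlyDumped; bool firstDumped; bool secondDumped; size_t dumps; bool header; };

// Constructed scenario: the packer allocates a RW heap buffer, writes code into it, flips it
// to RX, calls APIs from inside it, and separately makes the PE header writable.
Outcome runScenario() {
    HiddenCodeTracker t(0x00400000, 0x1000);                    // image base and header size are assumed
    t.onAllocate(0x20000000, 0x2000, PROT_READ | PROT_WRITE);
    bool early  = t.onApiCall(0x20000100);                      // not executable yet: no dump
    t.onProtect(0x20000000, 0x2000, PROT_READ | PROT_EXEC);     // unpacked code is now live
    bool first  = t.onApiCall(0x20000100);                      // first call from the heap: dump
    bool second = t.onApiCall(0x20000800);                      // same region again: no duplicate
    t.onProtect(0x00400000, 0x1000, PROT_READ | PROT_WRITE);    // PE header replaced in place
    return Outcome{early, first, second, t.dumps().size(), t.headerTampered()};
}

int main() {
    Outcome o = runScenario();
    std::printf("heap dumps=%zu header_tampered=%d\n", o.dumps, (int)o.header);
    return 0;
}
```

In the real tool the same decisions are made inside Detours trampolines on the live process, and the dump step writes the region to C:\dumps; this example only keeps the region bookkeeping, which is where most false positives (dumping a region twice, missing an allocation that later becomes executable) come from.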

Compilation

Compile with Microsoft Visual C++ 2010 and the Detours library. The build produces two files:

  1. PackerAttackerHook.dll - the unpacking engine (the hook DLL loaded into the sample)
  2. PackerAttacker.exe - DLL injector that launches the malware sample and injects PackerAttackerHook.dll into it

Setting up

  1. Create the folder C:\dumps - all extracted hidden code is saved there
  2. Put PackerAttacker.exe and PackerAttackerHook.dll into a directory on %PATH%
  3. On a clean machine you will also need the Microsoft Visual C++ 2010 redistributable (matching the compiler used above)

Usage

Run PackerAttacker.exe; it launches the malware sample and injects PackerAttackerHook.dll into it. Extracted hidden code is written to C:\dumps.

Misc

Currently only PE EXE files are supported.