Skip to content

malwaremusings/unpacker

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

unpacker

WinAppDbg script to automate malware unpacking.

Features

  • Detects certain unpacking behaviour (but not all)
    • Determines original entry point
      • Determines jump point to original entry point
    • Dumps unpacked code to a file
    • Attempts to find unpacking loop
  • Dumps memory decrypted by CryptDecrypt()
  • Dumps memory decompressed by RtlDecompressBuffer()
  • Attempts to detect process hollowing
    • Dumps injected memory blocks to a file
  • Dumps decrypted network traffic

More information

Automated Unpacking: A Behaviour Based Approach

Beyond Automated Unpacking: Extracting Decrypted/Decompressed Memory Blocks

File hashes

I'm testing a mechanism for verifying the integrity of my code downloaded from GitHub by storing the file hashes in my DNS zone. This has the advantage of preventing (or lessening the chance of) an attacker being able to modify the code and also modify the corresponding hashes.

To get the SHA256 hash for the zip download file (I'm only doing the zip downloads at the moment, because I have to enter all of this information manually), issue a DNS request for the TXT record .sha256.malwaremusings.com.

For instance, to obtain the SHA256 hash for unpacker-master.zip, issue a DNS TXT record request for unpacker-master.sha256.malwaremusings.com.

About

Automated malware unpacker

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages