Using unipacker as a package & Parallel Calls

[steven-hh-ding]

Hello, thanks a lot for the great work! There are two minor things that we would love to adjust for integration purpose. It will be great if we can adjust the verbosity of the printing or logging level with log.info/error. Also If we understand the code correctly, the current implmentation always generate unpack.exe and then move the the user supplied dest path. However, this prevents us having parallel runs for unpacking (they always ends up the same file). Could we make it part of the arguments for UnpackerEngine? So far our workaround is:

dest = file + '_unipacker'
def _dump(_self, uc, apicall_handler, sample, path=dest):
  _self.dumper.dump_image(uc, _self.BASE_ADDR, _self.virtualmemorysize, apicall_handler, sample, path)

uni_sample.dump = _dump

Again, thanks a lot for the great work!

[steven-hh-ding]

We can try to draft a PR if you think this is a good idea.

[Masrepus]

Thanks for your interest in integrating unipacker! Both suggestions sound like good ideas. The log level customization is probably not that interesting for the interactive shell use case, but I could imagine that the headless mode, which I suppose you are using primarily, would benefit from this.
Regarding the dump location, that should be rather trivial to do, I'll have a look at that just now

[steven-hh-ding]

Thanks a lot! One more thing when using it as a package: when pe file is open with pefile.PE, it will not be properly closed so we can't modify/delete the original opened file.

https://github.com/unipacker/unipacker/blob/master/unipacker/core.py#L394
https://github.com/unipacker/unipacker/blob/master/unipacker/core.py#L408

Error when trying to delete the original file:

[WinError 32] The process cannot access the file because it is being used by another process:

One option is to close the PE object directly: erocarrera/pefile#214
Alternatively, we did this in our code instead to prevent handling issues:

        f = open(path, "rb")
        file_bytes = f.read()
        f.close()
        pe = pefile.PE(data=file_bytes)

Thanks a lot.

[Masrepus]

Ah I think pefile mmaps the file instead of reading it completely. Reading it like you did it should make no difference for our use case, as we need to copy the bytes anyway

[Masrepus]

I'll take care of the logging part at a later point, probably in a few days. If you need it earlier, feel free to draft a quick PR

[steven-hh-ding]

wow thanks a lot for the commits! that's fast! 🚀

we can update the logging part, as well as the conflict of .unipacker_brokenimport.exe when multi-processing.

[Masrepus]

Alright, the new release including your newest changes is now out. Expect the CI build to be done in around 40 minutes, and afterwards the package will be pushed to PyPi