The Packer Attacker is a generic unpacker for Windows malware. It supports the following types of packers:
- Running from heap
- Replacing PE header
- Injecting in a process using WriteProcessMemory/NtWriteVirtualMemory
- Process Doppelganging
The Packer Attacker is based on Microsoft Detours.
Compile with Visual Studio 2017 and the Detours library. The build produces two files:
- PackerAttackerHook.dll - unpacking engine
- PackerAttacker.exe - DLL injector that executes malware and injects PackerAttackerHook.dll
Make sure your Detours library file is the same version as the one referenced in the header.
- Create folder C:\dumps - all the extracted hidden code will be saved there
- Put PackerAttacker.exe and PackerAttackerHook.dll in a directory on %PATH%
Currently only PE EXE files are supported.
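As an added illustration (not code from the Packer Attacker project), this is the kind of PE-header check a WriteProcessMemory/NtWriteVirtualMemory hook applies to each intercepted buffer before deciding it is a hidden image worth writing to C:\dumps. It is portable C with no Detours dependency; the offsets are the standard MZ/COFF/optional-header layout, and the sample image is constructed inline, so `build_sample_image` and `looks_like_pe` are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Facts pulled from a candidate PE image found in a written buffer. */
typedef struct {
    uint16_t machine;    /* IMAGE_FILE_HEADER.Machine */
    uint16_t sections;   /* IMAGE_FILE_HEADER.NumberOfSections */
    uint32_t entry_rva;  /* IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if buf[0..len) begins with a complete MZ + PE header, i.e. the
 * buffer being written into the target is a whole image rather than a data
 * fragment; fills *out on success. Every read is bounds-checked first so a
 * hostile e_lfanew cannot walk the hook past the end of the buffer. */
int looks_like_pe(const uint8_t *buf, size_t len, pe_info *out)
{
    if (buf == NULL || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(buf + 0x3C);
    /* signature (4) + COFF header (20) + optional header through entry point (20) */
    if (e_lfanew > len || len - e_lfanew < 44) return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return 0;
    uint16_t sections = rd16(nt + 4 + 2), opt_size = rd16(nt + 4 + 16), magic = rd16(nt + 24);
    if (sections == 0 || sections > 96) return 0;       /* Windows loader limit */
    if (magic != 0x10b && magic != 0x20b) return 0;     /* PE32 / PE32+ only */
    if (opt_size < 24) return 0;
    if (out) { out->machine = rd16(nt + 4); out->sections = sections; out->entry_rva = rd32(nt + 24 + 16); }
    return 1;
}

/* Constructed sample: a 112-byte PE32 header (x86, two sections declared, no
 * section data), as a stub might write it ahead of the payload. Returns size. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    static const uint8_t coff[20] = { 0x4c,0x01, 0x02,0x00, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0xe0,0x00, 0x02,0x01 };
    if (cap < 112) return 0;
    memset(buf, 0, 112);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                               /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    memcpy(buf + 0x44, coff, sizeof coff);
    buf[0x58] = 0x0b; buf[0x59] = 0x01;             /* optional header magic: PE32 */
    buf[0x69] = 0x10;                               /* AddressOfEntryPoint = 0x1000 */
    return 112;
}

int main(void)
{
    uint8_t img[112]; pe_info info;
    size_t n = build_sample_image(img, sizeof img);
    if (looks_like_pe(img, n, &info))
        printf("PE image: machine=0x%x sections=%u entry=0x%x -> dump to C:\\dumps\n",
               info.machine, info.sections, info.entry_rva);
    return 0;
}
```

A real hook would additionally record the target process id and destination address in the dump filename so several injected images from one sample stay distinguishable.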
Thanks to BromiumLabs for the original PackerAttacker.