{"id":21004377,"url":"https://github.com/fr0gger/unprotect","last_synced_at":"2025-05-15T01:33:02.962Z","repository":{"id":37595065,"uuid":"174851494","full_name":"fr0gger/unprotect","owner":"fr0gger","description":"Unprotect is a python tool for parsing PE malware and extract evasion techniques. ","archived":false,"fork":false,"pushed_at":"2023-05-22T21:12:51.000Z","size":1412,"stargazers_count":95,"open_issues_count":3,"forks_count":16,"subscribers_count":6,"default_branch":"master","last_synced_at":"2023-08-12T17:07:49.504Z","etag":null,"topics":["anti-debug","evasion","malware","packer","python","sandbox"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fr0gger.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-03-10T16:42:32.000Z","updated_at":"2023-08-04T19:31:34.000Z","dependencies_parsed_at":"2023-01-19T12:33:01.840Z","dependency_job_id":null,"html_url":"https://github.com/fr0gger/unprotect","commit_stats":null,"previous_names":[],"tags_count":0,"template":null,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2Funprotect","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2Funprotect/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2Funprotect/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fr0gger%2Funprotect/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fr0gger","download_url":"https://codeload.github.com/fr0gger/unprotect/tar.gz/refs/heads/master","host":{"n
ame":"GitHub","url":"https://github.com","kind":"github","repositories_count":225320337,"owners_count":17455947,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-debug","evasion","malware","packer","python","sandbox"],"created_at":"2024-11-19T08:34:46.747Z","updated_at":"2024-11-19T08:34:47.382Z","avatar_url":"https://github.com/fr0gger.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# UNPROTECT [PROJECT]: Unprotect Malware for the Mass\nThe Unprotect Project is an Open Source project that proposes a classification of evasion techniques to help understand and analyze malware. This project is dedicated to Windows PE malware. It is licensed under the APACHE License version 2.0.\n\n![logo](LogoUnprotect.png)\n\nThe Unprotect Project contains two main parts:\n* A website with a complete database and evasion technique classification.\n* A standalone Python tool to detect evasion techniques in a specific malware sample.\n\nThe standalone tool available in this repository provides the following features:\n\n![features](features.png)\n\n## Disclaimer\nThis tool is an attempt to bring the community a tool dedicated to malware evasion techniques. It started as a side project and of course requires some improvements. It is neither perfect nor magic! This version is an early prototype.\n\nPlease take note of the following:\n* This project currently works with Python 2.7 (it will be upgraded to Python 3 in a future version).
\n* It might have some bugs or vulnerabilities.\n* This tool currently works only with a valid PE file (support for additional file formats will be added in a later version).\n* No command-line options are currently supported; the standard output provides a full report.\n* The analysis can take time depending on the PE size (more than 5 minutes for a PE bigger than 1MB).\n* This tool has been tested on Mac OS and Linux; a Windows version can be found in the folder unprotect_windows.\n\n## Getting Started\n### Prerequisites\nYou must install some packages before starting.\n#### Linux\n```bash\nsudo apt-get install python-pip\nsudo apt-get install build-essential libffi-dev python python-dev python-pip automake autoconf libtool\nsudo apt-get install libfuzzy-dev\nsudo apt-get install ssdeep\n```\n#### Mac OS\n```bash\nbrew install virtualenv\nbrew install ssdeep\nbrew install libmagic\n```\n#### Windows\n```bash\npip install virtualenv\n```\n### Variables To Modify\nBefore running the installation setup, you will need to edit the config.py file to add your own VirusTotal API key.\nPut your VirusTotal API key in the [config.py](https://github.com/fr0gger/unprotect/blob/master/module/config.py) file:\n```\nAPIKEY = \"\u003center_key\u003e\"\n```\nAdditionally, you may want to add your own Yara rules to scan a PE. These can be added in the file [module/yara-rules/user_rules.yar](https://github.com/fr0gger/unprotect/blob/master/module/yara-rules/user_rules.yar).\n\n### Virtualenv\nThe tool currently runs under [Virtualenv](https://virtualenv.pypa.io/en/latest/), which creates an isolated Python environment so that the tool's dependencies do not conflict with the OS Python installation or with other package versions.
\n\nCreate your own virtualenv:\n```\nvirtualenv -p python2.7 unprotect\n```\nEnable your virtualenv:\n```\nsource unprotect/bin/activate\n```\n\n### Package requirements\nInstall the dependencies:\n```\nsudo pip install -r requirements.txt\n```\nRun Unprotect:\n```\npython unprotect.py\n```\n## Usage\nThe current version of Unprotect does not support any options. The simplest way to use Unprotect is to run it against a PE file:\n```\npython unprotect.py \u003cPE_file\u003e\n```\n## Report Example\nAn example report can be found here: [Report](https://github.com/fr0gger/unprotect/tree/master/report_example)\n## Built With\n* [Capstone](http://www.capstone-engine.org/)\n* [PEfile](https://github.com/erocarrera/pefile)\n* [YARA](https://github.com/VirusTotal/yara)\n* [FLOSS](https://github.com/fireeye/flare-floss)\n\n## Licence\nThis project is licensed under the APACHE License version 2.0 - see the [LICENSE.md](LICENSE.md) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffr0gger%2Funprotect","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffr0gger%2Funprotect","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffr0gger%2Funprotect/lists"}