https://github.com/eset/wslink-vm-analyzer
WslinkVMAnalyzer is a tool to facilitate analysis of code protected by a virtual machine featured in Wslink malware
deobfuscation malware miasm reverse-engineering virtual-machine
- Host: GitHub
- URL: https://github.com/eset/wslink-vm-analyzer
- Owner: eset
- License: other
- Created: 2022-02-04T16:12:05.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2022-06-05T21:59:03.000Z (almost 4 years ago)
- Last Synced: 2025-06-25T22:03:41.726Z (9 months ago)
- Topics: deobfuscation, malware, miasm, reverse-engineering, virtual-machine
- Language: Python
- Homepage:
- Size: 1.78 MB
- Stars: 46
- Watchers: 7
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
WslinkVMAnalyzer
================
WslinkVMAnalyzer is a tool primarily developed to facilitate analysis of
[Wslink](https://www.welivesecurity.com/2021/10/27/wslink-unique-undocumented-malicious-loader-runs-server/),
a unique loader that runs as a server and executes received modules in memory. The tool uses [Miasm](https://github.com/cea-sec/miasm), an open
source framework that provides a symbolic execution engine.
The tool and the structure of the virtual machine are described in our [blogpost](https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-virtual-machine/).
Install
-------
```sh
% pip3 install https://github.com/eset/wslink-vm-analyzer/archive/refs/heads/master.tar.gz
```
Example usage
-------------
In the ``examples`` directory, you will find a dump of the virtual machine and
two Python scripts. The scripts output Graphviz DOT files (``vma.dot``) which
can be converted to SVG or any other format supported by Graphviz.

```sh
(./examples) % python3 VM1.py
(./examples) % dot -Tsvg vma.dot -o vma.svg
```