https://github.com/hasherezade/mal_unpack
Dynamic unpacker based on PE-sieve
- Host: GitHub
- URL: https://github.com/hasherezade/mal_unpack
- Owner: hasherezade
- License: bsd-2-clause
- Created: 2018-07-08T18:24:00.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2025-03-16T16:00:40.000Z (8 months ago)
- Last Synced: 2025-04-07T13:01:47.403Z (7 months ago)
- Topics: libpeconv, malware-analysis, malware-unpacker, memory-forensics, pe-sieve
- Language: C
- Homepage:
- Size: 980 KB
- Stars: 720
- Watchers: 28
- Forks: 71
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-executable-packing - MalUnpack - Dynamic unpacker based on PE-sieve. (:wrench: Tools / Before 2000)
README
# mal_unpack
Dynamic unpacker based on [PE-sieve](https://github.com/hasherezade/pe-sieve.git) (📖 [Read more](https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-vs-malunpack---what-is-the-difference)).
It deploys a packed malware, waits for it to unpack the payload, dumps the payload, and kills the original process.
> [!CAUTION]
> This unpacker deploys the original malware. Use it only inside a Virtual Machine.
## ⚙ Usage
Basic usage:
```console
mal_unpack.exe /exe <path> /timeout <ms>
```
+ By default, it dumps implanted PEs.
+ If you want to dump shellcodes, use the option: [`/shellc`](https://github.com/hasherezade/pe-sieve/wiki/4.1.-Detect-shellcodes-(shellc)).
+ If you want to dump modified/hooked/patched PEs, use the option `/hooks`.
+ If you want the unpacker to terminate on timeout, rather than on the first found implant, use `/trigger T`.
> [!IMPORTANT]
> The available arguments are documented on the [Wiki](https://github.com/hasherezade/pe-sieve/wiki). They can also be listed using the argument `/help`.
## 🛠 Helpers and utilities
+ For the best performance, install [MalUnpackCompanion driver](https://github.com/hasherezade/mal_unpack_drv).
+ Check also the Python wrapper: [MalUnpack Runner](https://github.com/hasherezade/mal_unpack_py/tree/master/runner).
+ Check the Python library: [MalUnpack Lib](https://github.com/hasherezade/mal_unpack_py/tree/master/mal_unpack_lib).
## Clone
Use **recursive clone** to get the repo together with submodules:
```console
git clone --recursive https://github.com/hasherezade/mal_unpack.git
```
## Builds
Download the latest [release](https://github.com/hasherezade/mal_unpack/releases).