https://github.com/hzqst/unicorn_pe

Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files.
https://github.com/hzqst/unicorn_pe

Last synced: 6 months ago
JSON representation

Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files.

• Host: GitHub
• URL: https://github.com/hzqst/unicorn_pe
• Owner: hzqst
• License: mit
• Created: 2019-01-02T02:41:15.000Z (almost 7 years ago)
• Default Branch: master
• Last Pushed: 2024-05-09T15:38:14.000Z (over 1 year ago)
• Last Synced: 2025-04-09T05:05:27.277Z (7 months ago)
• Language: C
• Homepage:
• Size: 34.7 MB
• Stars: 833
• Watchers: 41
• Forks: 204
• Open Issues: 19
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-reverse-engineering - **208**星

README

          
# Unicorn PE

Unicorn PE is an [unicorn](https://github.com/unicorn-engine/unicorn) based instrumentation project/framework designed to emulate code execution for windows PE files, especially packed ones.

## Feature

Dump PE image from emu-memory into file, fix import table, decrypt VMProtect strings, decrypt VMProtect imports.

Partial support for exception. (only #DB and #BP)

Show disasm for all instructions that is being executed.

Update BlackBone to latest ver (2020.4.5).

## TODO

Feature: x86 (low priority) -- 0%

## Build

Visual Studio 2017 or 2019

Open unicorn_pe.sln with Visual Studio

Build project "unicorn_pe" as x64/Release or x64/Debug. (No x86 support for now)

## Usage

unicorn_pe (filename or filepath) [-k for kernel mode driver emulation] [-disasm for displaying disasm] [-dump for binary dump] [-packed for packed binary] [-boundcheck for memory access bound check, may slower the execution]

## Programming

...to be documented

## Snapshots

### original driver

![1](https://github.com/hzqst/unicorn_pe/raw/master/img/img1.png)

### vmprotect packed driver

![2](https://github.com/hzqst/unicorn_pe/raw/master/img/img2.png)

### vmprotect is fixing encrypted IAT

![3](https://github.com/hzqst/unicorn_pe/raw/master/img/img3.png)

### vmprotect goes back to original entry point

![4](https://github.com/hzqst/unicorn_pe/raw/master/img/img4.png)

### vmprotect packed DLL, full user-mode emulation.

![4](https://github.com/hzqst/unicorn_pe/raw/master/img/img5.png)

## License

This software is released under the MIT License, see LICENSE.

## Dependencies 

A modification of https://github.com/DarthTon/Blackbone is done for PE manual-mapping.

https://github.com/unicorn-engine/unicorn for emulation.

https://github.com/aquynh/capstone for disasm.