mal_unpack
Summary: mal_unpack is a dynamic malware unpacker built on PE-sieve. It runs the packed sample, waits for it to unpack its payload, dumps that payload and terminates the original process. It is intended for malware analysis in an isolated environment; notable options cover dumping implanted PEs, shellcodes and modified/hooked PEs, and an auxiliary driver improves performance.
mal_unpack

Dynamic unpacker based on PE-sieve (read more).
It deploys a packed malware, waits for it to unpack the payload, dumps the payload, and kills the original process.
[!CAUTION]
This unpacker executes the original malware sample. Use it only inside an isolated virtual machine.
Usage
Basic usage:
mal_unpack.exe /exe <path_to_the_malware> /timeout <timeout: ms>
- By default, it dumps implanted PEs.
- If you want to dump shellcodes as well, use the option: /shellc
- If you want to dump modified/hooked/patched PEs, use the option: /hooks
- If you want the unpacker to terminate on timeout, rather than on the first found implant, use: /trigger T
[!IMPORTANT]
The available arguments are documented on the Wiki. They can also be listed by running the tool with the argument /help.
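The switches above are usually driven from a script rather than typed by hand, one sample at a time. The following batch driver is an added example written for this page; it is not part of mal_unpack or its official Python wrapper (MalUnpack Runner). It only uses the switches documented above (/exe, /timeout, /shellc, /hooks, /trigger T). Two things are assumptions, not documented behaviour: that dumps end up under the working directory the unpacker is started in (so each sample gets its own directory named after its SHA-256), and the MAL_UNPACK_SANDBOX environment variable, which is a guard invented here so the script refuses to execute live malware unless the operator has marked the host as a disposable VM.

```python
"""Batch driver for mal_unpack.exe (added example, not the project's own code).

Assumptions: only the documented switches are used; dumps are assumed to land in
the per-sample working directory; MAL_UNPACK_SANDBOX is a guard defined here.
"""
import hashlib
import os
import subprocess
import sys
from pathlib import Path
from typing import Dict, List


def build_command(exe: str, sample: Path, timeout_ms: int,
                  shellc: bool = False, hooks: bool = False,
                  stop_on_timeout: bool = False) -> List[str]:
    """Assemble the mal_unpack argv from the switches documented in the README."""
    if timeout_ms <= 0:
        raise ValueError("timeout must be a positive number of milliseconds")
    cmd = [exe, "/exe", str(sample), "/timeout", str(timeout_ms)]
    if shellc:
        cmd.append("/shellc")        # also dump shellcode implants
    if hooks:
        cmd.append("/hooks")         # also dump modified/hooked/patched PEs
    if stop_on_timeout:
        cmd += ["/trigger", "T"]     # run until the timeout, not until the first implant
    return cmd


def sha256_file(path: Path) -> str:
    """Hash the sample so results are keyed by content, not by file name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_sample(exe: str, sample: Path, out_root: Path, timeout_ms: int,
               **opts) -> Dict[str, object]:
    """Run one sample in its own directory and collect whatever was dumped there."""
    # Guard (assumed convention): refuse to run live malware on an unmarked host.
    if os.environ.get("MAL_UNPACK_SANDBOX") != "1":
        raise RuntimeError("refusing to execute malware: set MAL_UNPACK_SANDBOX=1 "
                           "only inside the analysis VM")
    digest = sha256_file(sample)
    workdir = out_root / digest
    workdir.mkdir(parents=True, exist_ok=True)
    cmd = build_command(exe, sample.resolve(), timeout_ms, **opts)
    # Hard safety net: mal_unpack has its own /timeout; if it hangs past that
    # plus a margin, kill it from here so the batch keeps moving.
    hard_limit_s = timeout_ms / 1000 + 30
    try:
        proc = subprocess.run(cmd, cwd=workdir, capture_output=True, text=True,
                              timeout=hard_limit_s)
        rc, log = proc.returncode, proc.stdout + proc.stderr
    except subprocess.TimeoutExpired as e:
        rc = None
        log = "".join(s.decode(errors="replace") if isinstance(s, bytes) else (s or "")
                      for s in (e.stdout, e.stderr))
    (workdir / "mal_unpack.log").write_text(log)
    # Assumption: dumps are written relative to the working directory.
    dumped = sorted(str(p.relative_to(workdir)) for p in workdir.rglob("*")
                    if p.is_file() and p.name != "mal_unpack.log")
    return {"sha256": digest, "returncode": rc, "dumped": dumped}


def main(argv: List[str]) -> int:
    if len(argv) != 4:
        print("usage: batch_unpack.py <mal_unpack.exe> <samples_dir> <out_dir>")
        return 2
    exe, samples_dir, out_root = argv[1], Path(argv[2]), Path(argv[3])
    for sample in sorted(p for p in samples_dir.iterdir() if p.is_file()):
        result = run_sample(exe, sample, out_root, timeout_ms=30000,
                            shellc=True, hooks=True, stop_on_timeout=True)
        print(f"{result['sha256']}  rc={result['returncode']}  "
              f"dumped={len(result['dumped'])} file(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Setting /trigger T makes the run length predictable (it always lasts the full /timeout), which is what you want in a batch; the Python-side hard limit exists only for the case where the unpacker itself does not return. Do not interpret the exit code beyond recording it, since the page does not document mal_unpack's return values.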
Helpers and utilities
- For the best performance, install the MalUnpackCompanion driver.
- See also the Python wrapper: MalUnpack Runner
- and the Python library: MalUnpack Lib
Clone
Use recursive clone to get the repo together with submodules:
git clone --recursive https://github.com/hasherezade/mal_unpack.git
Builds
Download the latest release.