Dynamic unpacker based on PE-sieve.
It deploys a packed malware, waits for it to unpack the payload, dumps the payload, and kills the original process.
**Caution:** This unpacker deploys the original malware. Use it only inside a virtual machine.
Basic usage:

```
mal_unpack.exe /exe <path_to_the_malware> /timeout <timeout: ms>
```
- By default, it dumps implanted PEs.
- If you want to dump shellcodes, use the option `/shellc`.
- If you want to dump modified/hooked/patched PEs, use the option `/hooks`.
- If you want the unpacker to terminate on timeout, rather than on the first found implant, use `/trigger T`.
**Important:** The available arguments are documented on the Wiki. They can also be listed using the argument `/help`.
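The switches above are easy to script around when you process many samples. The following is an added example, not code from the mal_unpack project or its Python wrapper: it builds the command line from the switches documented here, runs the unpacker inside the analysis VM, and reports the SHA-256 of every file that appeared in the working directory while it ran. It assumes `mal_unpack.exe` is on `PATH` and that dumps land under the current working directory (an assumption; this page does not state the output location), and the `MAL_UNPACK_EXE` name and all helper functions are this example's own.

```python
"""Drive mal_unpack.exe from Python and collect what it dumped.

Added example, not part of the mal_unpack project. Assumptions (not
stated on the page): the unpacker is on PATH as MAL_UNPACK_EXE, and it
writes dumped files somewhere below the working directory it is run in.
Run it only inside the analysis virtual machine, as the README requires.
"""
import hashlib
import subprocess
from pathlib import Path

MAL_UNPACK_EXE = "mal_unpack.exe"  # assumed: resolvable via PATH


def build_cmdline(sample: str, timeout_ms: int, shellcode: bool = False,
                  hooks: bool = False, wait_full_timeout: bool = False) -> list:
    """Assemble the argument vector from the switches documented in the README."""
    if timeout_ms <= 0:
        raise ValueError("timeout must be a positive number of milliseconds")
    cmd = [MAL_UNPACK_EXE, "/exe", sample, "/timeout", str(timeout_ms)]
    if shellcode:
        cmd.append("/shellc")       # also dump shellcode implants
    if hooks:
        cmd.append("/hooks")        # also dump modified/hooked/patched PEs
    if wait_full_timeout:
        cmd += ["/trigger", "T"]    # stop on timeout, not on the first implant
    return cmd


def snapshot(directory: Path) -> dict:
    """Map every regular file below `directory` to its (size, mtime_ns)."""
    return {str(p.relative_to(directory)): (p.stat().st_size, p.stat().st_mtime_ns)
            for p in directory.rglob("*") if p.is_file()}


def new_artifacts(before: dict, after: dict) -> list:
    """Sorted names of files created or modified between two snapshots."""
    return sorted(name for name, meta in after.items() if before.get(name) != meta)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_and_collect(sample: str, timeout_ms: int, workdir: Path, **opts) -> dict:
    """Run the unpacker in `workdir`; return {relative_path: sha256} of new files."""
    before = snapshot(workdir)
    cmd = build_cmdline(sample, timeout_ms, **opts)
    # Allow the unpacker its own timeout plus some slack before giving up on it.
    subprocess.run(cmd, cwd=workdir, check=False, timeout=timeout_ms / 1000 + 30)
    after = snapshot(workdir)
    return {name: sha256_file(workdir / name) for name in new_artifacts(before, after)}


if __name__ == "__main__":
    import sys
    target, ms = sys.argv[1], int(sys.argv[2])
    for name, digest in run_and_collect(target, ms, Path.cwd(), shellcode=True).items():
        print(f"{digest}  {name}")
```

The before/after snapshot is deliberately naive: it attributes every new file under the working directory to the run, so keep the working directory empty apart from the sample and treat the hashes as triage identifiers for the dumps, not as proof of which process produced them.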
- For the best performance, install the MalUnpackCompanion driver.
- Check also the Python wrapper: MalUnpack Runner.
- Check the Python library: MalUnpack Lib.
Use a recursive clone to get the repo together with its submodules:

```
git clone --recursive https://github.com/hasherezade/mal_unpack.git
```

Or download the latest release.