Locked unipacker: Automatic and platform-independent unpacker for Windows binaries

[itsMe]

This is the hidden content, please

• Sign In
• or
• Sign Up

The usage of runtime packers by malware authors is very common, as it is a technique that helps to hinder analysis. Furthermore, packers are a challenge for antivirus products, as they make it impossible to identify malware by signatures or hashes alone.

In order to be able to analyze a packed malware sample, it is often required to unpack the binary. Usually, this means, that the analyst will have to manually unpack the binary by using dynamic analysis techniques (Tools: OllyDbg, x64Dbg). There are also some approaches for automatic unpacking, but they are all only available for Windows. Therefore when targeting a packed Windows malware the analyst will require a Windows machine. The goal of our project is to enable platform-independent automatic unpacking by using emulation.

Supported packers

•     UPX: Cross-platform, open source packer
•     ASPack: Advanced commercial packer with a high compression ratio
•     PEtite: Freeware packer, similar to ASPack
•     FSG: Freeware, fast to unpack

Any other packers should work as well, as long as the needed API functions are implemented in Unipacker. For packers that aren’t specifically known you will be asked whether you would like to manually specify the start and end addresses for emulation. If you would like to start at the entry point declared in the PE header and just emulate until section hopping is detected, press Enter

This is the hidden content, please

• Sign In
• or
• Sign Up