irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add markdown wiki with 473 pages and zk browser

Browse Source 
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
data/generated/wiki/workflows/unpacking-workflow.md
+69
View File
@@ -0,0 +1,69 @@
# Unpacking Packed Executables
> Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques.
**FOR610 Labs:** 4.1, 4.2, 4.3, 5.3, 5.8, 5.10
## Steps
### Step 1: Packing Identification
**Tools:** [[tools/diec|diec]], [[tools/peframe|peframe]]
Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed).
```bash
diec specimen.exe
peframe specimen.exe
```
### Step 2: Automated Unpacking
**Tools:** [[tools/upx|upx]], [[tools/de4dot|de4dot]]
Try known unpackers first. UPX: upx -d <sample>. .NET: de4dot <sample>. If automated unpacking fails (modified packer), proceed to manual.
```bash
upx -d packed.exe
de4dot obfuscated.exe
```
### Step 3: Emulation-Based Unpacking
**Tools:** [[tools/speakeasy|speakeasy]], [[tools/qiling|qiling]]
Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns.
```bash
speakeasy -t specimen.exe -o report.json 2> report.txt
python3 -c "from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs')"
```
### Step 4: Debugger-Based Unpacking [W]
**Tools:** [[tools/x64dbg|x64dbg]], [[tools/x32dbg|x32dbg]]
Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP.
### Step 5: Anti-Debug Bypass [W]
**Tools:** [[tools/scyllahide|scyllahide]]
If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks.
### Step 6: Memory Dumping [W]
**Tools:** [[tools/ollydumpex|ollydumpex]], [[tools/scylla|scylla]]
At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump).
### Step 7: PE Fixup [W]
**Tools:** [[tools/pe-unmapper|pe-unmapper]]
If dump has virtual alignment: pe_unmapper /in <dump> /base 400000 /out <fixed>. Only needed if sections have wrong raw sizes.
### Step 8: Verification
**Tools:** [[tools/strings|strings]], [[tools/peframe|peframe]], [[tools/capa|capa]]
Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis.
```bash
strings binary.exe
peframe specimen.exe
capa specimen.exe
```
#unpacking #packing #iat #memory-dump #oep #workflow