irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
0a008354932a91d9f02f14bf54b5fbad9f3b6375
docker_file_analysis/data/generated/workflows/unpacking-workflow.txt
T
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline 
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

87 lines
3.0 KiB
Plaintext
Raw Blame History

============================================================
Unpacking Packed Executables
============================================================
Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques.
Related FOR610 Labs: 4.1, 4.2, 4.3, 5.3, 5.8, 5.10
────────────────────────────────────────────────────────────
Step 1: Packing Identification
Tools: diec, peframe
Identify packer: DIE detects UPX, ASPack, PECompact,
Themida, etc. Check entropy (>7.0 suggests packing).
Look for: few imports, unusual section names (.UPX,
.packed).
$ diec specimen.exe
$ peframe specimen.exe
Step 2: Automated Unpacking
Tools: upx, de4dot
Try known unpackers first. UPX: upx -d <sample>. .NET:
de4dot <sample>. If automated unpacking fails
(modified packer), proceed to manual.
$ upx -d packed.exe
$ de4dot obfuscated.exe
Step 3: Emulation-Based Unpacking
Tools: speakeasy, qiling
Emulate execution to let the unpacker run. Speakeasy
and Qiling can trace API calls during unpacking
without a debugger. Look for VirtualAlloc followed by
memcpy patterns.
$ speakeasy -t specimen.exe -o report.json 2> report.txt
$ python3 -c "from qiling import Qiling; ql = Qiling(['<sample>'], '/path/to/rootfs')"
Step 4: Debugger-Based Unpacking [W]
Tools: x64dbg, x32dbg
Set breakpoints on: VirtualAlloc/VirtualProtect
(memory allocation), tail JMP to OEP (end of
unpacker), or stack breakpoint (ESP trick). Step to
OEP.
$ x64dbg.exe specimen.exe
$ x32dbg.exe specimen.exe
Step 5: Anti-Debug Bypass [W]
Tools: scyllahide
If malware detects debugger: enable ScyllaHide.
Handles IsDebuggerPresent, NtQueryInformationProcess,
timing checks.
$ Plugins > ScyllaHide > Options > Enable all
Step 6: Memory Dumping [W]
Tools: ollydumpex, scylla
At OEP: dump process with OllyDumpEx. Fix IAT with
Scylla (IAT Autosearch → Get Imports → Fix Dump).
$ Plugins > OllyDumpEx > Dump process
$ Scylla x64 > Attach to process > Dump > IAT Autosearch > Fix Dump
Step 7: PE Fixup [W]
Tools: pe-unmapper
If dump has virtual alignment: pe_unmapper /in <dump>
/base 400000 /out <fixed>. Only needed if sections
have wrong raw sizes.
$ pe_unmapper /in dumped.exe /base 400000 /out fixed.exe
Step 8: Verification
Tools: strings, peframe, capa
Verify: strings are now visible, imports are
reasonable, capa detects capabilities. If good, route
to Static Analysis Workflow for full analysis.
$ strings binary.exe
$ peframe specimen.exe
$ capa specimen.exe
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
Reference in New Issue View Git Blame Copy Permalink