License: AGPL-3.0
Robust Automated Malware Unpacker

RoAMer

This repository is the home of RoAMer, the "Robust Automatic Malware Unpacker". RoAMer is a generic malware unpacker based on dynamic analysis.

The accompanying paper was presented at MALWARE 2019. Citation: Thorsten Jenke, Daniel Plohmann, and Elmar Padilla, "RoAMer: The Robust Automated Malware Unpacker," 2019 14th International Conference on Malicious and Unwanted Software (MALWARE), Nantucket, MA, USA, 2019, pp. 67-74.

This is still a very early version.

Setup

Requirements and Pre-Setup

To run RoAMer you need a VirtualBox or KVM environment with a Windows Virtual Machine (VM) in which the malware is unpacked. So far, we have only tested RoAMer on Windows 7 64-bit.

Virtual machine for the unpacking process

  • Hardened VM: example howto
    • At least Firewall and Windows Defender need to be deactivated in the VM
    • Virtual Network, where the host system is able to communicate with the VM
  • Python (virtual) environment (<= v3.7) that satisfies:

Host System

  • Python3 (virtual) environment (>= v3.6)

Compile on Windows VM

  • Clone the git repository
  • Execute compile.bat in Windows CMD; this compiles the Python scripts into Windows executable files
  • The executables can be found in unpacker/dist, pewhitelister/dist and receiver/dist

Deployment

  • Run PeHeaderWhitelister.exe C:\ in Windows CMD in the VM and copy the resulting pe_header_whitelist.json file to the home directory of the current VM user (C:\Users\%username%\)
  • Copy the file unpacker/dist/main.exe from the VM to the host system into $Repository/roamer/bin
  • Ensure that the receiver main.exe is not stored at C:\Users\%username%\main.exe (this path is already reserved for the unpacker main.exe)
  • Start the receiver main.exe in the VM from a command line terminal (cmd.exe) running as administrator
  • Move the desktop icons so that the upper left corner of your desktop is free
  • Create a shortcut to Notepad as the first icon directly below the free space (right click -> New -> Shortcut: C:\Windows\notepad.exe)
  • Open Notepad with the new shortcut and move the Notepad window over the Notepad shortcut icon, then close Notepad
  • Create a snapshot of the VM in VirtualBox and name it, e.g., init

Screenshot of how the VM should look at the end: (screenshot of the VM)

Configuration

  • Check the host's config.py and set SNAPSHOT_NAME (e.g. init) and VM_NAME (e.g. win7box)
  • Set host_ip, host_port, guest_ip and guest_port to the correct values for your setup

Check configuration

Make sure that the following files exist in your setup:

VM: C:\Users\%username%\pe_header_whitelist.json

Host: ../RoAMer/roamer/bin/main.exe

How To Use

  • Adjust the config.py parameters as needed. The default configuration was the most successful one as determined by the thesis' evaluation.
  • Start /run.py <path_to_sample>; RoAMer will then do its magic in the VM and respond with the identified dumps.
  • The script starts the VM from the snapshot you specified in config.py

FAQ / Known issues

Why do I have to move the desktop icons away then place a notepad window there?

The unpacker performs mouse movements and click actions so that malware is less likely to detect that it is about to be unpacked. These actions take place in the upper left area of the screen; moving the icons away prevents several useless programs from being started.

Whitelister script runs into "InvalidArgument" exception

This may occur when broken .exe files are located in your AppData or Windows Update directory. Remove these corrupt files and the whitelister will run through.

The Unpacker cannot connect back to the host: "WinError 10060 - A connection attempt failed because the party did not properly respond..."

If the host is able to start the virtual machine, transfer files and start the analysis, but no data is transferred back to the host, make sure that your host has no firewall settings that block incoming connections (such as UFW on Ubuntu or similar).

Compatibility issues on Windows 10

RoAMer was originally developed to unpack on Windows 7 64-bit systems. We observed some issues on Windows 10 that may or may not be critical for execution. We are currently working on resolving these issues.

Why is the malware not getting unpacked?

RoAMer currently does a poor job of conveying why it was not able to unpack a given sample. You are welcome to send us the sample so we can check why RoAMer failed to unpack it; this may lead us to discover bugs.

Mentions

RoAMer was mentioned in TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer by Thomas Barabosch.
