mal_unpack
May 27, 2025 ยท View on GitHub
Dynamic unpacker based on PE-sieve ( ๐ Read more ).
It deploys a packed malware, waits for it to unpack the payload, dumps the payload, and kills the original process.
Caution
This unpacker deploys the original malware. Use it only on a VirtualMachine.
โ Usage
Basic usage:
mal_unpack.exe /exe <path_to_the_malware> /timeout <timeout: ms>
- By default, it dumps implanted PEs.
- If you want to dump shellcodes, use the option:
/shellc. - If you want to dump modified/hooked/patched PEs, use the option
/hooks. - If you want the unpacker to terminate on timeout, rather than on the first found implant, use
/trigger T.
Important
The available arguments are documented on Wiki. They can also be listed using the argument /help.
๐ Helpers and utilities
- For the best performance, install MalUnpackCompanion driver.
- Check also the python wrapper: MalUnpack Runner
- Check the python Library: MalUnpack Lib
Clone
Use recursive clone to get the repo together with submodules:
git clone --recursive https://github.com/hasherezade/mal_unpack.git
Builds
Download the latest release.