hasherezade/mal_unpack
GitHub: hasherezade/mal_unpack
A dynamic unpacker based on PE-sieve: it automatically triggers, extracts and dumps the malicious payload.
Stars: 806 | Forks: 77
# mal_unpack

Dynamic unpacker based on [PE-sieve](https://github.com/hasherezade/pe-sieve.git) ( 📖 [Read more](https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-vs-malunpack---what-is-the-difference) ).
It runs a packed malware sample, waits for it to unpack its payload, dumps the payload, and kills the original process.
## ⚙ Usage
Basic usage (the placeholders in angle brackets were lost in extraction and are restored here):
```
mal_unpack.exe /exe <path> /timeout <ms>
```
+ By default, it dumps implanted PEs.
+ If you want to dump shellcodes, use the option: [`/shellc`](https://github.com/hasherezade/pe-sieve/wiki/4.1.-Detect-shellcodes-(shellc)).
+ If you want to dump modified/hooked/patched PEs, use the option `/hooks`.
+ If you want the unpacker to terminate on timeout, rather than on the first found implant, use `/trigger T`.
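The options above are easy to get wrong when running many samples by hand, so here is a small batch driver as an added example; it is not code from the mal_unpack project. It composes the command line from exactly the options listed on this page (`/exe`, `/timeout`, `/shellc`, `/hooks`, `/trigger T`), runs each sample in its own working directory, and adds a hard wall-clock guard around the unpacker itself. Assumptions not stated on this page: the binary is located through a `MAL_UNPACK` environment variable (default `mal_unpack.exe` on `PATH`), `/timeout` is in milliseconds, and dumps are written below the current working directory. It executes the samples, so run it only inside an isolated analysis VM.

```python
"""Batch driver for mal_unpack (added example, not part of the project)."""
import os
import subprocess
import sys
from pathlib import Path

# Assumption: the unpacker is on PATH or pointed to by MAL_UNPACK.
MAL_UNPACK = os.environ.get("MAL_UNPACK", "mal_unpack.exe")


def build_cmd(sample, timeout_ms, shellc=False, hooks=False, run_to_timeout=False):
    """Compose the mal_unpack command line for one sample.

    Only options documented on this page are used. Assumption: /timeout is
    given in milliseconds.
    """
    if timeout_ms <= 0:
        raise ValueError("timeout_ms must be positive")
    cmd = [MAL_UNPACK, "/exe", str(sample), "/timeout", str(int(timeout_ms))]
    if shellc:
        cmd.append("/shellc")        # also dump shellcode implants
    if hooks:
        cmd.append("/hooks")         # also dump modified/hooked/patched PEs
    if run_to_timeout:
        cmd += ["/trigger", "T"]     # stop on timeout, not on the first implant
    return cmd


def unpack_one(sample, out_root, timeout_ms=5000, grace_s=30, **opts):
    """Run mal_unpack on one sample and return a small result record.

    Each sample gets its own working directory so dumps from different
    samples never mix (assumption: dumps land under the working directory).
    """
    sample = Path(sample)
    out_dir = Path(out_root) / sample.stem
    out_dir.mkdir(parents=True, exist_ok=True)
    cmd = build_cmd(sample.resolve(), timeout_ms, **opts)
    # /timeout bounds how long the unpacker waits for the sample, not how long
    # the unpacker itself may live. If the sample stalls it (anti-analysis),
    # kill the whole run shortly after the unpacker's own deadline has passed.
    try:
        proc = subprocess.run(cmd, cwd=out_dir, capture_output=True, text=True,
                              timeout=timeout_ms / 1000 + grace_s)
    except subprocess.TimeoutExpired:
        # We killed the unpacker, so it never got to kill the sample: the
        # sample may still be running. Flag it so the VM gets reverted.
        return {"sample": str(sample), "status": "hung", "files": []}
    except FileNotFoundError:
        return {"sample": str(sample), "status": "no_unpacker", "files": []}
    files = sorted(str(p.relative_to(out_dir))
                   for p in out_dir.rglob("*") if p.is_file())
    status = "dumped" if files else "nothing_dumped"
    return {"sample": str(sample), "status": status, "rc": proc.returncode,
            "files": files, "log": proc.stdout[-2000:]}


def main(argv):
    if len(argv) != 3:
        print("usage: batch_unpack.py <samples_dir> <out_dir>", file=sys.stderr)
        return 2
    samples_dir, out_root = Path(argv[1]), Path(argv[2])
    for sample in sorted(p for p in samples_dir.iterdir() if p.is_file()):
        res = unpack_one(sample, out_root, shellc=True, run_to_timeout=True)
        print(f"{res['status']:15} {res['sample']}  {len(res['files'])} file(s)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

`run_to_timeout=True` in `main` matters for samples that inject more than one implant: with the default trigger the unpacker stops at the first one, whereas `/trigger T` lets it run until the deadline and dump everything it sees, at the cost of the full timeout per sample. The `hung` status is the one to watch: a run that needed the outer guard means the original process was not killed by the unpacker and the VM should be reverted rather than reused.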
## 🛠 Helpers and utilities
+ For the best performance, install [MalUnpackCompanion driver](https://github.com/hasherezade/mal_unpack_drv).
+ Check also the python wrapper: [MalUnpack Runner](https://github.com/hasherezade/mal_unpack_py/tree/master/runner)
+ Check the python Library: [MalUnpack Lib](https://github.com/hasherezade/mal_unpack_py/tree/master/mal_unpack_lib)
## Clone
Use **recursive clone** to get the repo together with submodules:
```
git clone --recursive https://github.com/hasherezade/mal_unpack.git
```
## Builds
Download the latest [release](https://github.com/hasherezade/mal_unpack/releases).
Tags: C++, DAST, payload extraction, PE-sieve, PE files, Ruby on Rails, Shellcode, SSH honeypot, timeout parameter, Windows executables, Windows platform, binary releases, cloud asset inventory, memory dumps, dynamic unpacking, forensics, executable analysis, threat hunting, client-side encryption, open-source tools, malware unloading, malware analysis, packers, technical research, data wiping, sample analysis, sample unpacking, implanted PEs, endpoint visibility, unpacking, automated analysis, cross-site scripting, process injection, process termination, reversing tools, reverse engineering