Armadillo #35
Comments
How can I add a new unpacker (for example, for Armadillo)?

First you need a yara rule identifying the packer. This needs to be placed in packer_signatures.yar. Suppose the rule is named "armadillo". Then, in unpackers.py, you need to create a new class inheriting from

Then, there is

If you changed the allowed sections, you then need to update

The last thing that needs to be specified is the memory-to-exe dumping process. The default value of

You can look at the different unpacker classes for further info about how different values can be modified, but if you have any additional questions or need to modify something in a more complex way for an unpacker to work, just ask here.

One small side note about Armadillo: To my knowledge, it is a VM-based packer, which does not fully unpack the executable in memory but rather performs some form of emulation. Thus, the unpacking process is not so straightforward, as currently supported unpackers assume that by dumping the binary from memory and changing the entrypoint, we will have an unpacked file. This is not the case with VM-based packers.
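The reply above says the existing unpackers work by dumping the process image and "changing the entrypoint". As an added illustration of what that last step means at the byte level (this is not the project's own code and not part of the thread), the following stand-alone Python reads and rewrites the `AddressOfEntryPoint` field of a PE32 header and lists the section names. The header offsets are the standard PE/COFF layout; the helper names and the minimal sample image built by `build_sample_pe()` are my own constructions for the demonstration.

```python
import struct

# Fixed offsets and sizes from the PE/COFF file format.
_E_LFANEW_OFFSET = 0x3C        # DOS header field pointing at the PE signature
_COFF_HEADER_SIZE = 20
_PE_SIGNATURE = b"PE\0\0"
_SECTION_HEADER_SIZE = 40


def _pe_header_offset(pe: bytes) -> int:
    """Return the file offset of the PE signature, validating the MZ and PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, _E_LFANEW_OFFSET)[0]
    if pe[e_lfanew:e_lfanew + 4] != _PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def _optional_header_offset(pe: bytes) -> int:
    # Signature (4 bytes) + COFF file header (20 bytes), then the optional header.
    return _pe_header_offset(pe) + 4 + _COFF_HEADER_SIZE


def get_entry_point(pe: bytes) -> int:
    """AddressOfEntryPoint (an RVA); it sits at offset 16 of the optional header in PE32 and PE32+."""
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 16)[0]


def set_entry_point(pe: bytes, new_rva: int) -> bytes:
    """Return a copy of the image whose entry point is rewritten to new_rva (the recovered OEP)."""
    buf = bytearray(pe)
    struct.pack_into("<I", buf, _optional_header_offset(pe) + 16, new_rva)
    return bytes(buf)


def section_names(pe: bytes) -> list:
    """Names from the section table, which directly follows the optional header."""
    pe_off = _pe_header_offset(pe)
    num_sections = struct.unpack_from("<H", pe, pe_off + 6)[0]        # COFF NumberOfSections
    size_of_optional = struct.unpack_from("<H", pe, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    table = pe_off + 4 + _COFF_HEADER_SIZE + size_of_optional
    names = []
    for i in range(num_sections):
        start = table + i * _SECTION_HEADER_SIZE
        names.append(pe[start:start + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no real code) used only to exercise the helpers:
    entry point 0x1000 pointing into a packer stub, two sections named ".text" and "UPX1"."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, _E_LFANEW_OFFSET, len(dos))
    # Machine=i386, 2 sections, no symbols, 224-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint: the packer stub
    sections = b"".join(name.ljust(8, b"\0") + bytes(_SECTION_HEADER_SIZE - 8)
                        for name in (b".text", b"UPX1"))
    return bytes(dos) + _PE_SIGNATURE + coff + bytes(opt) + sections


if __name__ == "__main__":
    image = build_sample_pe()
    print("sections:", section_names(image))
    print("packed entry point: 0x%x" % get_entry_point(image))
    # Pretend emulation stopped at the original entry point 0x2F10 and memory was dumped.
    dumped = set_entry_point(image, 0x2F10)
    print("patched entry point: 0x%x" % get_entry_point(dumped))
```

Two caveats a practitioner should keep in mind. A real memory-to-exe dumper also has to make each section's raw file offset and size match the in-memory layout (the image was mapped at section alignment, not file alignment), which this example deliberately does not do. And, as the reply notes, patching the entry point only yields a working file when the dumped memory actually contains the decoded original code; for a VM-based packer that keeps executing through its own interpreter, the dump still holds bytecode for that interpreter, so the OEP rewrite alone does not produce an unpacked program.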