Armadillo #35

Open
crypto2011 opened this issue Oct 3, 2019 · 1 comment
Comments


crypto2011 commented Oct 3, 2019

How can I add new unpacker (for example, for Armadillo)?

Masrepus (Member) commented Oct 3, 2019

First you need a yara rule identifying the packer. This needs to be placed in packer_signatures.yar. Suppose the rule is named "armadillo". Then, in unpackers.py, you need to create a new class inheriting from AutomaticDefaultUnpacker. This class needs to set some parameters in its constructor: The default constructor that is to be implemented is def __init__(self, sample) where you first need to call the super constructor and then set self.name to the string identifying your unpacker, e.g. "armadillo".

Then, there is self.allowed_sections, which is a list of section names where execution should be allowed. Whenever these sections are about to be left, we assume that the unpacking process is done and then the dumping begins. If you do not update self.allowed_sections, by default it will only contain the section where the entrypoint is located.

If you changed the allowed sections, you then need to update self.allowed_addr_ranges. This is simply done by calling self.allowed_addr_ranges = self.get_allowed_addr_ranges().

The last thing that needs to be specified is the memory-to-exe dumping process. The default value of self.dumper is ImageDump() from imagedump.py, which does not perform any import table fixing. If import fixing is desired (usually needed for correct execution on Windows), select ImportRebuilderDump(), which is the most common choice for most packers.

You can look at the different unpacker classes for further info about how different values can be modified, but if you have any additional questions or need to modify something in a more complex way for an unpacker to work, just ask here.

One small side note about Armadillo: To my knowledge, it is a VM-based packer, which does not fully unpack the executable in memory but rather performs some form of emulation. Thus, the unpacking process is not so straightforward, as currently supported unpackers assume that by dumping the binary from memory and changing the entrypoint, we will have an unpacked file. This is not the case with VM-based packers.
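The four steps from the answer above, written out as an added example that is not the project's own code: the base class, the two dumper classes, the leave-check and the section table are constructed stand-ins so the skeleton runs offline; in the real project the subclass goes in unpackers.py and inherits the real AutomaticDefaultUnpacker.

```python
# Added example. AutomaticDefaultUnpacker, ImageDump and ImportRebuilderDump
# are constructed stand-ins here (assumption), not the framework's classes;
# only the ArmadilloUnpacker body mirrors the steps described in the answer.

class ImageDump:               # stand-in: plain memory dump, no import fixing
    fixes_imports = False

class ImportRebuilderDump:     # stand-in: dump plus import table rebuilding
    fixes_imports = True

class AutomaticDefaultUnpacker:
    """Stand-in for the framework base class (assumption, not the real one)."""
    def __init__(self, sample):
        self.sample = sample
        self.name = "default"
        # Default: only the section containing the entry point is allowed.
        self.allowed_sections = [sample["entry_section"]]
        self.allowed_addr_ranges = self.get_allowed_addr_ranges()
        self.dumper = ImageDump()

    def get_allowed_addr_ranges(self):
        # Map allowed section names to (start, end) virtual address ranges.
        secs = self.sample["sections"]
        return [(secs[n][0], secs[n][0] + secs[n][1]) for n in self.allowed_sections]

    def execution_left_allowed_sections(self, addr):
        # Stand-in for the trigger: execution outside every allowed range
        # means unpacking is assumed finished and dumping should begin.
        return not any(lo <= addr < hi for lo, hi in self.allowed_addr_ranges)

class ArmadilloUnpacker(AutomaticDefaultUnpacker):
    """Hypothetical subclass following the four steps from the answer."""
    def __init__(self, sample):
        super().__init__(sample)                     # 1. call super constructor
        self.name = "armadillo"                      # 2. must match the YARA rule name
        self.allowed_sections = [".text", ".data"]   # 3. constructed choice of sections
        self.allowed_addr_ranges = self.get_allowed_addr_ranges()  # refresh ranges
        self.dumper = ImportRebuilderDump()          # 4. import fixing for a runnable PE

# Constructed sample description: section name -> (virtual address, size).
SAMPLE = {
    "entry_section": ".text",
    "sections": {".text": (0x401000, 0x1000), ".data": (0x402000, 0x1000),
                 ".rsrc": (0x403000, 0x1000)},
}

def build(sample=SAMPLE):
    return ArmadilloUnpacker(sample)
```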
