Repository metadata

  • Stars: 107
  • Language: Python
  • License: Other (the README below states Apache License 2.0)
  • Created over 5 years ago
  • Updated over 1 year ago


Repository Details

Unprotect is a Python tool that parses Windows PE malware and extracts the evasion techniques it uses.

UNPROTECT [PROJECT]: Unprotect Malware for the Mass

The Unprotect Project is an open source project that proposes a classification of evasion techniques to help understand and analyze malware. The project is dedicated to Windows PE malware. It is licensed under the Apache License version 2.0.


The Unprotect Project contains two main parts:

  • A website with a complete database and evasion techniques classification.
  • A python standalone tool to detect evasion technique in a specific malware.

The standalone tool available in this repository implements the features listed in the README's features overview image (image not reproduced here).

Disclaimer

This tool is an attempt to give the community a tool dedicated to malware evasion techniques. It started as a side project and still requires improvements; it is neither perfect nor magic. This version is an early prototype.

Please take note of the following:

  • This project currently works with Python 2.7 (which reached end of life in January 2020); it will be upgraded to Python 3 in a later version.
  • It might have bugs or vulnerabilities. Since its input is, by design, malicious PE files, run it inside an isolated analysis VM rather than on a production or personal machine.
  • This tool currently works only with a valid PE file (support for additional file formats will be added in a later version). A sample that fails PE header validation produces no report.
  • There are currently no command-line options; the full report is written to standard output.
  • The analysis can take time depending on the PE size (more than 5 minutes for a PE larger than 1 MB).
  • This tool has been tested on macOS and Linux; a Windows version can be found in the folder unprotect_windows.

Getting Started

Prerequisites

You must install some packages before you start.

Linux (Debian/Ubuntu; these are Python 2 era package names, which recent releases no longer ship)

sudo apt-get install build-essential libffi-dev python python-dev python-pip automake autoconf libtool
sudo apt-get install libfuzzy-dev ssdeep

Mac OS

brew install virtualenv
brew install ssdeep
brew install libmagic

Windows

pip install virtualenv

Variables To Modify

Before running the installation setup, you need to edit config.py and add your own VirusTotal API key:

APIKEY = "<enter_key>"

Treat this key as a secret: do not commit the edited config.py to version control, and note that the tool will submit queries about the samples you analyze to VirusTotal using it.

Additionally, you may want to add your own YARA rules to scan a PE. These can be added to the file module/yara-rules/user_rules.yar.

Virtualenv

The tool currently runs under virtualenv, which creates an isolated Python environment so that the tool's dependencies do not conflict with the OS Python installation or its package versions.

Create your own virtualenv:

virtualenv -p python2.7 unprotect

Enable your virtual env:

source unprotect/bin/activate

Package requirements

Install the dependencies (with the virtualenv activated, no sudo is needed; running pip as root would install the packages into the system Python instead of the virtualenv):

pip install -r requirements.txt

Run unprotect:

python unprotect.py

Usage

The current version of Unprotect does not support any options. The only way to use Unprotect is to run it against a PE file:

python unprotect.py <PE_file>
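The following is an added example, not code from the Unprotect project itself, showing the kind of checks such a report is built from: it validates the MZ/PE headers (so that a non-PE input is rejected, as the README notes), walks the section table, computes per-section Shannon entropy as a packing indicator, and looks for a small, hypothetical watchlist of anti-analysis API names in the raw bytes. The API watchlist, the 7.0 entropy threshold and the synthetic two-section PE built by build_sample_pe() are assumptions made for illustration; the sample is constructed inline so the script runs offline and is not executable.

```python
"""Minimal PE triage: header validation, section entropy, evasion API strings.
Added example, not part of the Unprotect project."""
import math
import struct

# Hypothetical watchlist (assumption, illustrative only; not the project's own list).
EVASION_APIS = {
    "IsDebuggerPresent": "anti-debug",
    "CheckRemoteDebuggerPresent": "anti-debug",
    "NtQueryInformationProcess": "anti-debug",
    "GetTickCount": "timing / anti-sandbox",
    "QueryPerformanceCounter": "timing / anti-sandbox",
    "IsProcessorFeaturePresent": "environment check",
}
HIGH_ENTROPY = 7.0  # assumed threshold above which a section is flagged as likely packed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """Validate the MZ and PE signatures and return the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER prefix: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, _, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + i * 40)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def triage(data: bytes) -> dict:
    """Build a small report: section table, packing suspects and evasion API hits."""
    sections = parse_sections(data)
    findings = []
    for s in sections:
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"section {s['name']}: entropy {s['entropy']} (possible packing)")
    api_hits = {api: cat for api, cat in EVASION_APIS.items() if api.encode() in data}
    for api, cat in api_hits.items():
        findings.append(f"API string {api}: {cat}")
    return {"sections": sections, "api_hits": api_hits, "findings": findings}


def build_sample_pe() -> bytes:
    """Construct a minimal, non-executable PE32 with two sections (constructed test input)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40 at offset 0x3C
    opt_size = 0xE0                                            # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # Magic = PE32, rest zeroed

    def section(name, vaddr, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, rsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)

    text_data = b"IsDebuggerPresent\0GetTickCount\0".ljust(0x200, b"\0")  # low entropy
    packed_data = bytes(range(256)) * 2                                   # uniform: entropy 8.0
    headers = dos + b"PE\0\0" + coff + optional
    headers += section(b".text", 0x1000, len(text_data), 0x200, 0x60000020)
    headers += section(b".upx1", 0x2000, len(packed_data), 0x400, 0xE0000040)
    return headers.ljust(0x200, b"\0") + text_data + packed_data


if __name__ == "__main__":
    report = triage(build_sample_pe())
    for s in report["sections"]:
        print(f"{s['name']:8} rva=0x{s['virtual_address']:x} raw={s['raw_size']} entropy={s['entropy']}")
    for f in report["findings"]:
        print("[!]", f)
```

On a real sample, pass the file's bytes (open(path, "rb").read()) to triage(); a real scanner would additionally resolve the import directory rather than grepping raw bytes, since packed samples typically hide API names until runtime.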

Report Example

An example report is linked from the original README (link text: Report).

License

This project is licensed under the Apache License version 2.0; see the LICENSE.md file for details.

More Repositories

Other repositories by the same author (star counts as listed on the page):

  • Awesome-GPT-Agents (4,833 stars): A curated list of GPT agents for cybersecurity.
  • awesome-ida-x64-olly-plugin (1,123 stars): A curated list of IDA, x64dbg, Ghidra and OllyDbg plugins.
  • Awesome_Malware_Techniques (622 stars): A repository of resources about malware techniques.
  • IATelligence (342 stars, Python): A Python script that extracts the IAT of a PE file and asks GPT for more information about each API and the related ATT&CK matrix entries.
  • vthunting (156 stars, Python): A tiny script that generates reports about VirusTotal hunting results and sends them by email, Slack or Telegram.
  • jupyter-collection (127 stars, HTML): Collection of Jupyter Notebooks by @fr0gger_.
  • Unprotect_Submission (121 stars, C++): Repository to publish your evasion techniques and contribute to the project.
  • RocProtect-V1 (98 stars, C++): Emulating a virtual environment to stay protected against advanced malware.
  • MalwareMuncher (40 stars, JavaScript): A proof-of-concept Python script that uses the Frida framework for binary instrumentation and API hooking to support malware analysis.
  • SuperPeHasher (27 stars, Python): A wrapper for several hash algorithms dedicated to PE files.
  • Yara-Unprotect (25 stars, YARA): The YARA rules for the Unprotect Project.
  • JupyterUniverse (18 stars): Jupyter Universe is a search engine for all infosec Jupyter notebooks.
  • hash.py (10 stars, Python): A Python script that calculates a fingerprint (MD5, SHA256, SHA512) and can compare two fingerprints to check that they match; usable in digital forensics.
  • Check-Domain-Availability (9 stars, Python): Tiny script to verify whether a domain or a list of domains is available.
  • shellcode2exe_package (7 stars): x64 Windows package of the shellcode2exe tool.
  • strings_similarity (6 stars, Jupyter Notebook): A short Jupyter Notebook demonstrating string extraction to generate a graph.
  • fr0gger (5 stars)
  • Scripts_and_Snippets (5 stars, Python): Scripts and snippets.
  • scapside.py (5 stars, Python): A small tool to perform basic network attacks using Scapy.
  • Timer (2 stars, C++): Gym timer.
  • Jupyter-Universe (1 star): A repository to centralise Jupyter Notebooks about cybersecurity.