Unicorn PE
Unicorn PE is an unicorn based instrumentation project/framework designed to emulate code execution for windows PE files, especially packed ones.
Feature
Dump PE image from emu-memory into file, fix import table, decrypt VMProtect strings, decrypt VMProtect imports.
Partial support for exception. (only #DB and #BP)
Show disasm for all instructions that is being executed.
Update BlackBone to latest ver (2020.4.5).
TODO
Feature: x86 (low priority) -- 0%
Build
Visual Studio 2017 or 2019
Open unicorn_pe.sln with Visual Studio
Build project "unicorn_pe" as x64/Release or x64/Debug. (No x86 support for now)
Usage
unicorn_pe (filename or filepath) [-k for kernel mode driver emulation] [-disasm for displaying disasm] [-dump for binary dump] [-packed for packed binary] [-boundcheck for memory access bound check, may slower the execution]
Programming
...to be documented
Snapshots
original driver
vmprotect packed driver
vmprotect is fixing encrypted IAT
vmprotect goes back to original entry point
vmprotect packed DLL, full user-mode emulation.
License
This software is released under the MIT License, see LICENSE.
Dependencies
A modification of https://github.com/DarthTon/Blackbone is done for PE manual-mapping.
https://github.com/unicorn-engine/unicorn for emulation.
https://github.com/aquynh/capstone for disasm.