Unprotect is a python tool for parsing PE malware and extract evasion techniques.
The Unprotect Project is an Open Source project that aims to propose a classification about Evasion Techniques to help to understand and analyze a malware. This project is dedicated to Windows PE malware. It is licensed under APACHE License version 2.0.
The Unprotect Project contains two main parts:
The standalone tool available in this repository contains the following features:
This tool is an attempt to bring a tool to the community dedicated to malware evasion techniques. It started as a side project and of course requires some improvements. Of course, it is not perfect nor magic! This version is an early prototype.
Please take notes of the following:
You must install some packages before to start.
sudo apt-get install python-pip
sudo apt-get install build-essential libffi-dev python python-dev python-pip automake autoconf libtool
sudo apt-get install libfuzzy-dev
sudo apt-get install ssdeep
brew install virtualenv
brew install ssdeep
brew install libmagic
pip install virtualenv
Before to run the installation setup, you will need to modify the config.py files to put your own VirusTotal API. Put your Virustotal API Key in the config.py file:
APIKEY = "<enter_key>"
Additionally, the user might want to add his own Yara rules to scan a PE. This can be added in the file module/yara-rules/user_rules.yar.
The tool is currently running under Virtualenv, which creates a virtual python work environment to avoid any issue with the current OS as well with the versioning.
Create your own virtualenv:
virtualenv -p python2.7 unprotect
Enable your virtual env:
source unprotect/bin/activate
Install the dependencies:
sudo pip install -r requirements.txt
Run unprotect:
python unprotect.py
The current version of Unprotect doesn’t support any options. The simple way to use unprotect is to run it against a PE file:
python unprotect.py <PE_file>
Report example can be found here: Report
This project is licensed under the APACHE License version 2.0 - see the LICENSE.md file for details.