Generic plugin - Unpacker

[gheorghitamutu]

We need a generic plugin that unpacks (a buffer, binary, file, etc) and opens it in a new window (with the possibility of dropping on disk the unpacked data).

[gheorghitamutu]

Examples:

• aplib / M8Z
  • https://github.com/herrcore/aplib-ripper
  • https://medium.com/@RussianPanda/squirrelwaffle-not-exactly-a-waffle-analysis-7c18b5e752c1
  • https://muha2xmad.github.io/malware-analysis/fullHancitor
  • https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up
  • https://www.cybereason.com/blog/research/cybereason-vs.-clop-ransomware
• AutoIT Decompiler
  • https://research.checkpoint.com/2020/how-to-de-obfuscate-a-huge-autoit-script-in-less-than-two-minutes
  • http://domoticx.com/autoit3-decompiler-exe2aut (Exe2Aut might cause malicious scripts to get executed. Although this is unlikely to happen, we strongly advise you to always run Exe2Aut within a virtual environment.)
  • https://github.com/fossabot/myAut2Exe
  • https://github.com/nazywam/AutoIt-Ripper (along with AutoIT version comparison)
  • https://blog.talosintelligence.com/get-a-loda-this
  • https://www.trendmicro.com/en_us/research/18/k/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor.html (using HIEW)
  • https://r3mrum.wordpress.com/2017/07/10/autoit-malware-from-compiled-binary-to-plain-text-script
  • https://labs.vipre.com/autoit-script-containing-nanocore-rat-found-in-fake-hr-spam-email
  • https://doc.malcat.fr/ui/views/decompiler.html
  • https://lifeinhex.com/deobfuscating-autoit-scripts/
• Base64 Decoder (and maybe more?)
• LZMA
• LZMAT
• NSIS
• ZLIB
• Py2Exe extractor
• LZXPRESS (prefetch)

[gheorghitamutu]

An initial Base64 implementation has been created in https://github.com/gdt050579/GView/issues/192.