debloat 1.4.2

Debloat is an tool to remove excess garbage from bloated executables.

Debloat

Debloat is a GUI and CLI tool to remove excess garbage from bloated executables.

By excess garbage, I mean 300 - 800MB of junk bytes added to a binary to keep it from going into a sandbox.

Being built with Python, the code and logic is easily accessible for others to take the concepts and apply them to their own tools. The program can be compiled for Windows, MacOS, Linux. The GUI removes any need for remembering commandline options and reading through CLI manuals: it is intended to be as simple as possible. The logic within the program handles the different use cases automatically.

Compiled binaries have already been included in the Releases.

The debloat can installed using pip install debloat. Use debloat to launch the CLI and debloat-gui to launch the GUI.

For advanced users, Debloat can also be imported into other scripts and the processing functions can be called individually.

How to use the GUI?

The GUI of Debloat intends to be as intuitive as possible. When launched, you can drag and drop bloated file onto the text bar and press the "Process file" button. Some technical information will be printed to the scrolling textbox and the file without bloat will be written to the directory the file was pulled from. Sound easy? It is!

Running the program should debloat the binary in 30-40 second on average.

How to use the CLI?

After installing using pip install debloat use the command debloat.
debloat can take two arguments. The first argument is required: the file to debloat. The second argument is optional: the output location. When no output is provided, it will be written to the same directory as the original file.

The gui can also be launched from the CLI using the command debloat-gui.

Does it always work?

Not yet. My unscientific guess is that it should work for every 7 of 8 binaries. There are specific usecases I know where it does not work and I am working to implement solutions for those usecases. In previous versions, debloat could accidentally remove too much of the binary. That is no longer the case unless you use the "-unsafe" switch. If you ever need this switch, consider sharing the sample for additional analysis.

Use Cases (Images from Malcat)

Full support

• Bloat appended to the end of a Signed PE.
  In the image below, the bloat has been appended to the end of the executable.
  

• Signed or Unsigned Packed executable.
  In the image below, the bloat has been appended to the executable after packing.
  

• Signed executable includes bloat in the .rsrc section of the PE.
  In the image below, the bloat is identified as in the .rsrc section and is removed from the PE.
  

• Cases where bloat is added inside a PE Section.
  In the image below, the bloat has been included in a PE section named [0].
  

Partial Support

• Some packer detection for instances where the binary simply cannot be debloated. For example, NullSoft installers. These can be unpacked with UniExtract2 and do not need debloated.

Other use cases

There are use cases where the tool does not work. However, I plan to solve for them before publishing too much about them.

Why?

There appear to be a limited number of tools to easily process bloated executables. The two tools I have seen the most are “foremost” which is intended for recovering binaries from a disk image and “pecheck”.

Foremost works best in instances where the junk bytes are null (0x00) and it struggles when the binary has a fake or real signature. Its use in removing bloat from files is not its original purpose.

Pecheck has been developed over 14+ years and has some confusing commandline options. The option to remove bloated content is not the primary function of the script. Pecheck has to be combined with another tool (disitool) in order to handle signed executables. In my experience, there are other times where pecheck can get confused and return an executable twice the size of the original bloated executable. All these factors seem OK if you are handling a small number of binaries, but as the number of binaries and methods increase, a tool specific to removing bloat is needed.

There are good solid manual methods to remove bloat from binaries, but these methods can be tedious and not all analysts have the skills to do this. This tool removes the burden of needing to know how to manually remove bloat. Additionally, it allows for better scale. The principles used in the script allow allow for better scale if automation is desired.*

* Note: If automation is desired, I recommend re-writing these concepts in C/C++ and not Python.

How to build?

Follow the build commands appropriate to your platform. The main difference between build commands is the format of the icon.
MacOS
pyinstaller --onefile --noconsole --additional-hooks-dir=./hook --icon=debloat.icns gui.py

Windows
pyinstaller --onefile --noconsole --additional-hooks-dir=./hook --icon=debloat.ico gui.py

Linux
~/.local/bin/pyinstaller --onefile --noconsole --icon=debloat.ico --additional-hooks-dir=./hook --add-binary "/home/redacted/.local/lib/python3.10/site-packages/:." gui.py

• I'm not sure why the same hook didn't work on Linux and pointing to the site-packages directory is not preferred. For some unknown reason, it would not find the binary if I pointed to the specific tkinterdnd2 or tkdnd directories.

Where is this project going next?

Batch processing: process all files in a directory and produce a report.

Better support for using processing methods outside of debloat.

Support for debloating without unzipping.