
Debloat is a tool to remove excess garbage from bloated executables.

Project description

Debloat

Debloat is a GUI and CLI tool to remove excess garbage from bloated executables.

By excess garbage, I mean 100 - 800 MB of junk bytes added to a binary to keep it from going into a sandbox. This method of adding junk is called "inflating" or "pumping" a binary. Debloat currently handles the 10 most common inflation tactics.

Being built with Python, the application can easily be leveraged in other workflows. Currently, debloat is used by CCCS's AssemblyLine and CERT Polska's MWDB.

The program can be compiled for Windows, MacOS, and Linux. The GUI and CLI have minimal options: the tool is intended to be as simple as possible, and the logic within the program handles the different use cases automatically.

Compiled binaries have already been included in the Releases.

Debloat can be installed using pip install debloat. Use debloat to launch the CLI and debloat-gui to launch the GUI.

For advanced users, Debloat can also be imported into other scripts and the processing functions can be called individually.

How to use the GUI?

The GUI of Debloat is intended to be as intuitive as possible. When launched, you can drag and drop a bloated file onto the text bar and press the "Process file" button. Some technical information will be printed to the scrolling textbox, and the file without bloat will be written to the directory the file was pulled from. Sound easy? It is!

Processing files will take a few seconds.

How to use the CLI?

After installing with pip install debloat, use the command debloat.
debloat takes two arguments. The first argument is required: the file to debloat. The second argument is optional: the output location. When no output location is provided, the result is written to the same directory as the original file.

The GUI can also be launched from the CLI using the command debloat-gui.

Does it always work?

Not yet. Based on my recent analysis, debloat is able to remove junk from bloated files 97.8% of the time.

In previous versions, debloat could accidentally remove too much of the binary. That is no longer the case unless you use the "--last-ditch" switch. If you ever need this switch, consider sharing the sample for additional analysis. This option has now been added to the GUI. Functionally, the switch removes the whole overlay, if there is one. In some cases this is necessary because no pattern for the junk was found; this is most commonly the case in samples that do not compress well.

Use Cases (Images from Malcat)

Full support

  • Bloat appended to the end of a Signed PE.
    In the image below, the bloat has been appended to the end of the executable.

  • Signed or Unsigned Packed executable.
    In the image below, the bloat has been appended to the executable after packing.

  • Signed executable includes bloat in the .rsrc section of the PE.
    In the image below, the bloat is identified as in the .rsrc section and is removed from the PE.

  • Cases where bloat is added inside a PE Section.
    In the image below, the bloat has been included in a PE section named [0].

  • Cases where the executable is a Nullsoft Scriptable Install System (NSIS, aka Nullsoft) installer.
    These executables are installers that may contain one or more files. The files contained may or may not be malicious. (Sometimes actors add files simply to increase the file size.) All files within the installer are extracted to a new directory. The directory also contains the script for the installer, which can be consulted to determine which files may be malicious. In the image below, Malcat has identified the executable as an NSIS installer.

Partial Support

  • Cases where the junk is too random and the entropy is too high. In these cases, a switch/option called "--last-ditch" can be used, which removes the whole overlay as described above.
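The two overlay situations described above (junk appended after the last PE section, and junk so random that no pattern can be matched) can be triaged before running any removal. The following is an added example, not part of debloat or its API: it locates the overlay from the PE section table, measures its size and Shannon entropy, and reports which situation applies. The PE-shaped sample, the 1 KB minimum overlay size and the entropy threshold of 1.0 are all constructed assumptions for illustration.

```python
import math
import struct
from collections import Counter

def overlay_offset(data: bytes) -> int:
    """File offset where the overlay starts: the end of the highest section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    end = 0
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def shannon_entropy(buf: bytes) -> float:
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def classify_overlay(data: bytes, min_bloat: int = 1024) -> dict:
    """Measure the overlay and flag it as patterned (low entropy) or random (high entropy) bloat."""
    start = overlay_offset(data)
    overlay = data[start:]
    ent = shannon_entropy(overlay)
    if len(overlay) < min_bloat:                # threshold is an assumption for this example
        verdict = "no significant overlay"
    elif ent < 1.0:                             # repeated/patterned junk, e.g. runs of 0x00
        verdict = "low-entropy bloat: patterned junk, pattern-based removal applies"
    else:
        verdict = "high-entropy overlay: no pattern to match, last-ditch territory"
    return {"offset": start, "size": len(overlay), "entropy": round(ent, 3), "verdict": verdict}

def build_sample(bloat: bytes) -> bytes:
    """Constructed, non-executable PE-shaped blob: one section at 0x200, then the given overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0                                                  # zeroed optional header
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + b"\0" * 16
    headers = dos + coff + opt + sec
    headers += b"\0" * (0x200 - len(headers))                          # pad to PointerToRawData
    return headers + b"\xcc" * 0x200 + bloat

if __name__ == "__main__":
    print(classify_overlay(build_sample(b"\x00" * 4096)))
```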

Other use cases

There are use cases where the tool does not work. However, I plan to solve for them before publishing too much about them.

Why?

There appear to be a limited number of tools to easily process bloated executables. The two tools I have seen the most are “foremost” which is intended for recovering binaries from a disk image and “pecheck”.

Foremost works best in instances where the junk bytes are null (0x00) and it struggles when the binary has a fake or real signature. Its use in removing bloat from files is not its original purpose.

Pecheck has been developed over 14+ years and has some confusing commandline options. The option to remove bloated content is not the primary function of the script. Pecheck has to be combined with another tool (disitool) in order to handle signed executables. In my experience, there are other times where pecheck can get confused and return an executable twice the size of the original bloated executable. All these factors seem OK if you are handling a small number of binaries, but as the number of binaries and methods increase, a tool specific to removing bloat is needed.

Binary Refinery is an amazing tool. It was written with the intention of being a CyberChef of the commandline. While both tools are amazing, they both have a shortcoming that requires the user to know what formulas should be applied.

There are good, solid manual methods to remove bloat from binaries, but these methods can be tedious, and not all analysts have the skills to do this. This tool removes the burden of needing to know how to manually remove bloat. Additionally, the principles used in the script allow for better scale if automation is desired.

How to build?

Follow the build commands appropriate to your platform. The main difference between build commands is the format of the icon.
MacOS
pyinstaller --onefile --noconsole --additional-hooks-dir=./hook --icon=debloat.icns gui.py

Windows
pyinstaller --onefile --noconsole --additional-hooks-dir=./hook --icon=debloat.ico gui.py

Linux
pyinstaller --onefile --noconsole --icon=debloat.ico --collect-all tkinterdnd2 gui.py

Want to discuss?

Consider joining the debloat Discord.

Credits

Big shoutout to Jesko Hüttenhain creator of Binary Refinery. The NSIS extraction is based on his reverse engineering of the NSIS file format. Check out Binary Refinery if you have not.

Where is this project going next?

Batch processing: process all files in a directory and produce a report.

Better support for using processing methods outside of debloat.

Support for debloating without unzipping.

Download files


Source Distribution

debloat-1.6.1.tar.gz (43.9 kB)


Built Distribution

debloat-1.6.1-py3-none-any.whl (44.1 kB)


File details

Details for the file debloat-1.6.1.tar.gz.

File metadata

  • Download URL: debloat-1.6.1.tar.gz
  • Size: 43.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.10.12

File hashes

Hashes for debloat-1.6.1.tar.gz
Algorithm Hash digest
SHA256 69265585581f470b28552f6629e99e2e326a5ea55039b232c9aea9fdf3863710
MD5 44371d6e478ff519ca74d24d2112d733
BLAKE2b-256 682566d13eb03be273628d6c24ac82a983fd176754aa4a9e49b9491ef570e198


File details

Details for the file debloat-1.6.1-py3-none-any.whl.

File metadata

  • Download URL: debloat-1.6.1-py3-none-any.whl
  • Size: 44.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.10.12

File hashes

Hashes for debloat-1.6.1-py3-none-any.whl
Algorithm Hash digest
SHA256 fb408303ee2340430b63e53e456e1ac9cece8a4035ec9df5c9a3378b1185361b
MD5 afc09d8556b724b85a9cb074aa4efdd2
BLAKE2b-256 607e48b7a81a64cf60969d5a41537e75578e582d0d3bd26c4372dd43fe502c09

