A modular Karton Framework service that unpacks common packers like UPX, MPress and others using the Qilling Framework.
Project description
Unpacker Karton Service
A modular Karton Framework service that unpacks common packers like UPX and others using the Qilling Framework.
This project is FREE as in FREE :beer:, use it commercially, privately or however you see fit.
If you like this project and wish to donate :moneybag: to support the fight against malware...
Buy me a :tea:, as I don't drink :beer:, by sending me some ₿ to 16oXesi7uv3jdPZxxwarHSD2f3cNMpaih9
calc.exe shellcode from tests/shellcode.exe
Consumes:
{
"type": "sample",
"stage": "recognized",
"kind": "runnable",
"platform": "win32"
},
{
"type": "sample",
"stage": "recognized",
"kind": "runnable",
"platform": "win64"
},
{
"type": "sample",
"stage": "recognized",
"kind": "runnable",
"platform": "linux"
}
{
"type": "sample",
"kind": "runnable",
"stage": "recognized"
"payload": {
"sample": <Resource>,
"parent": <Resource>,
}
}
Usage
Make sure you have setup the core system: https://github.com/CERT-Polska/karton
Install from PyPi:
$ pip install karton-unpacker
$ git clone https://github.com/c3rb3ru5d3d53c/karton-unpacker-modules.git modules/
$ find modules/ -name "requirements.txt" | while read i; do pip install -r $i; done
$ git clone --recursive https://github.com/qilingframework/qiling.git
# Due to distribution restriction, Qiling Framework will not bundle Microsoft Windows DLL files and registry.
# Please use the script qiling/examples/scripts/dllscollector.bat on your Windows machine to collect the required DLLS for the rootfs
# Once the required DLLs have been collected copy them in the rootfs
$ karton-unpacker --config-file /home/karton/karton.ini --modules modules/ --rootfs qiling/examples/rootfs/ --debug
Install from Source:
$ git clone --recursive https://github.com/c3rb3ru5d3d53c/karton-unpacker.git
$ cd karton-unpacker/
$ virtualenv venv/
$ source venv/bin/activate
$ pip install .
$ git clone --recursive https://github.com/qilingframework/qiling.git
# Due to distribution restriction, Qiling Framework will not bundle Microsoft Windows DLL files and registry.
# Please use the script qiling/examples/scripts/dllscollector.bat on your Windows machine to collect the required DLLS for the rootfs
# Once the required DLLs have been collected copy them in the rootfs
$ karton-unpacker --config-file /home/karton/karton.ini --modules modules/ --rootfs qiling/examples/rootfs/ --debug
Testing Your Installation
Once you have completed installing karton-unpacker, try uploading the file tests/shellcode.exe to mwdb.
If successful, you will see an file in relations with the name unpacked, this is the extracted shellcode to spawn cmd.exe.
Contributing
If you wish to contribute your own modules to automatically unpack malware, please refer to CONTRIBUTING.md
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for karton_unpacker-1.1.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 5e8caeef939dc045d955d11e86a4690621c0268962df9834681f65de656e0bef |
|
| MD5 | 4ec546e60febbc0dbbfb5bada4527bf9 |
|
| BLAKE2b-256 | 470863f6abec9687c3c51cc9f48cfaf59d75437c281f37d922d71c62f1d4892d |
