A modular Karton Framework service that unpacks common packers like UPX, MPress and others using the Qiling Framework.
Unpacker Karton Service
A modular Karton Framework service that unpacks common packers like UPX and others using the Qiling Framework.
This project is FREE as in FREE :beer:, use it commercially, privately or however you see fit.
If you like this project and wish to donate :moneybag: to support the fight against malware...
Buy me a :tea:, as I don't drink :beer:, by sending me some ₿ to 16oXesi7uv3jdPZxxwarHSD2f3cNMpaih9
Figure 1: Example of UPX Unpacked Children
Figure 2: Qiling Framework Unpacking
calc.exe
shellcode from tests/shellcode.exe
Consumes:

```json
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win32"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "win64"
},
{
    "type": "sample",
    "stage": "recognized",
    "kind": "runnable",
    "platform": "linux"
}
```

Produces:

```json
{
    "type": "sample",
    "kind": "runnable",
    "stage": "recognized",
    "payload": {
        "sample": <Resource>,
        "parent": <Resource>
    }
}
```
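The routing contract above, as an added example that is not part of karton-unpacker or Karton itself: header filters and the produced task are modelled as plain dicts so the matching rule (a task is accepted when any filter has all of its keys equal in the task headers, which is how Karton evaluates filters) can be checked without a Redis/Karton deployment. `Resource` objects are modelled as `{"name", "content"}` dicts, an assumption for illustration only.

```python
# Added example, not code from karton-unpacker. Models the README's
# Consumes/Produces contract without importing karton.core.
from typing import Any, Dict, List, Optional

# The three "Consumes" filters listed in the README.
FILTERS: List[Dict[str, str]] = [
    {"type": "sample", "stage": "recognized", "kind": "runnable", "platform": p}
    for p in ("win32", "win64", "linux")
]


def matches(headers: Dict[str, Any], filters: List[Dict[str, str]] = FILTERS) -> bool:
    """True if ANY filter has ALL of its keys present and equal in the headers.

    Extra header keys are ignored; a key missing from the headers never matches.
    """
    return any(all(headers.get(k) == v for k, v in f.items()) for f in filters)


def build_unpacked_task(parent: Dict[str, Any], unpacked: bytes) -> Optional[Dict[str, Any]]:
    """Build the task described under "Produces": the unpacked child is a new
    sample (named "unpacked", as shown in mwdb relations) carrying its parent.

    Returns None when nothing was unpacked or the output equals the input, so
    a module that fails to unpack does not emit a useless child.
    """
    if not unpacked or unpacked == parent["content"]:
        return None
    return {
        # No "platform" here, so the service's own filters do not re-match
        # this task: the unpacker cannot consume its own output in a loop.
        "headers": {"type": "sample", "kind": "runnable", "stage": "recognized"},
        "payload": {
            "sample": {"name": "unpacked", "content": unpacked},  # modelled Resource
            "parent": parent,                                     # modelled Resource
        },
    }


if __name__ == "__main__":
    # Constructed sample input: a fake packed PE and its fake unpacked form.
    packed = {"name": "calc.exe", "content": b"MZ...UPX!...packed"}
    incoming = {"type": "sample", "stage": "recognized", "kind": "runnable",
                "platform": "win64", "origin": "karton.classifier"}
    print("accepted:", matches(incoming))
    task = build_unpacked_task(packed, b"MZ...original code")
    print("child accepted again:", matches(task["headers"]))
```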
Usage
Make sure you have set up the core system: https://github.com/CERT-Polska/karton

Install from PyPI:

```bash
$ pip install karton-unpacker
$ git clone https://github.com/c3rb3ru5d3d53c/karton-unpacker-modules.git modules/
$ find modules/ -name "requirements.txt" | while read i; do pip install -r "$i"; done
$ git clone --recursive https://github.com/qilingframework/qiling.git
# Due to distribution restrictions, Qiling Framework does not bundle Microsoft Windows DLL files and registry hives.
# Run the script qiling/examples/scripts/dllscollector.bat on your Windows machine to collect the required DLLs for the rootfs.
# Once the required DLLs have been collected, copy them into the rootfs.
$ karton-unpacker --config-file /home/karton/karton.ini --modules modules/ --rootfs qiling/examples/rootfs/ --debug
```

Install from source:

```bash
$ git clone --recursive https://github.com/c3rb3ru5d3d53c/karton-unpacker.git
$ cd karton-unpacker/
$ virtualenv venv/
$ source venv/bin/activate
$ pip install .
$ git clone --recursive https://github.com/qilingframework/qiling.git
# Due to distribution restrictions, Qiling Framework does not bundle Microsoft Windows DLL files and registry hives.
# Run the script qiling/examples/scripts/dllscollector.bat on your Windows machine to collect the required DLLs for the rootfs.
# Once the required DLLs have been collected, copy them into the rootfs.
$ karton-unpacker --config-file /home/karton/karton.ini --modules modules/ --rootfs qiling/examples/rootfs/ --debug
```
Testing Your Installation
Once you have completed installing karton-unpacker, try uploading the file tests/shellcode.exe to mwdb. If successful, you will see a file in relations with the name unpacked; this is the extracted shellcode that spawns cmd.exe.
Contributing
If you wish to contribute your own modules to automatically unpack malware, please refer to CONTRIBUTING.md
Hashes for karton_unpacker-1.1.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 5e8caeef939dc045d955d11e86a4690621c0268962df9834681f65de656e0bef
MD5 | 4ec546e60febbc0dbbfb5bada4527bf9
BLAKE2b-256 | 470863f6abec9687c3c51cc9f48cfaf59d75437c281f37d922d71c62f1d4892d