The Unprotect Project is an Open Source project that aims to propose a classification about Evasion Techniques to help to understand and analyze a malware. This project is dedicated to Windows PE malware. It is licensed under APACHE License version 2.0.
The Unprotect Project contains two main parts:
- A website with a complete database and evasion techniques classification.
- A python standalone tool to detect evasion technique in a specific malware.
The standalone tool available in this repository contains the following features:
This tool is an attempt to bring a tool to the community dedicated to malware evasion techniques. It started as a side project and of course requires some improvements. Of course, it is not perfect nor magic! This version is an early prototype.
Please take notes of the following:
- This project currently works with python2.7 (it will be upgraded to python3 in next versions).
- It might have some bugs or vulnerabilities.
- This tool is currently working only with a valid PE file (support of additional format file will be added in a later version).
- There is currently no option supported, the standard output will provide you a full report.
- The analysis can take time depending of the PE size (more than 5 minutes for a PE bigger than 1MB).
- This tool has been tested on Mac OS and Linux, a Windows version can be found in the folder unprotect_windows.
You must install some packages before to start.
sudo apt-get install python-pip
sudo apt-get install build-essential libffi-dev python python-dev python-pip automake autoconf libtool
sudo apt-get install libfuzzy-dev
sudo apt-get install ssdeep
brew install virtualenv
brew install ssdeep
brew install libmagic
pip install virtualenv
Before to run the installation setup, you will need to modify the config.py files to put your own VirusTotal API. Put your Virustotal API Key in the config.py file:
APIKEY = "<enter_key>"
Additionally, the user might want to add his own Yara rules to scan a PE. This can be added in the file module/yara-rules/user_rules.yar.
The tool is currently running under Virtualenv, which creates a virtual python work environment to avoid any issue with the current OS as well with the versioning.
Create your own virtualenv:
virtualenv -p python2.7 unprotect
Enable your virtual env:
source unprotect/bin/activate
Install the dependencies:
sudo pip install -r requirements.txt
Run unprotect:
python unprotect.py
The current version of Unprotect doesn’t support any options. The simple way to use unprotect is to run it against a PE file:
python unprotect.py <PE_file>
Report example can be found here: Report
This project is licensed under the APACHE License version 2.0 - see the LICENSE.md file for details.