
OALabs/UnpacMe-IDA-Byte-Search


UnpacMe IDA Byte Search


A search plugin for UnpacMe to quickly find related malware samples and determine if a code block is a good candidate for a detection rule. The plugin searches both malicious files and our goodware corpus. This allows an analyst to quickly determine if the block of code belongs to a single known family, multiple families or if it is a common pattern found in goodware.

The plugin requires a valid API key for UnpacMe.

Installation

Before using the plugin you must install the following Python modules in your IDA environment.

Using pip:

pip install requests keyring

Searching

Select the instructions you would like to search for and right click. Then select UnpacMe Byte Search.


Search Preview

When the Search Preview option is enabled, the plugin will display a preview of the search bytes that can be customized before searching.


String Searching

To search for a specific string, either select the string in the Strings subview or select the address where the string is referenced, then right click and choose the search option.


You can also search for a specific string by selecting the address where the string is referenced and searching.

Results

The results window shows a summary of the search results, followed by a table of the raw results. If the pattern is a good candidate for a rule, you can quickly copy it using the Copy Pattern button. To view the analysis of a file, simply click on the SHA256 hash within the table to open the analysis on UnpacMe in a new browser tab.

To copy results simply select any of the desired cells and click the Copy Selected Results button.


Configuration

The plugin has the following configuration options that can be set via the plugin menu.


  • API Key - Your Unpac.me API key. This can be found in your account settings on Unpac.me. We use the keyring module to store the API token within the system keyring.
  • Log Level - Set the log verbosity.
  • Search Preview - When enabled, the plugin will display a preview of the search bytes that can be edited before searching.
  • Auto Wildcard - When set, the plugin replaces bytes that are likely to change between samples (addresses and relocated references) with ?? wildcards. The following operand types are wildcarded by the plugin when this option is set.
    • Memory References
    • Direct Memory References
    • Memory References with Displacement
    • Immediate Far Address
    • Immediate Near Address
  • Search Goodware - When set the plugin will also search the UnpacMe Goodware corpus.
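The following is an added example, not code from the plugin, showing why the Auto Wildcard option matters for a rule candidate: it builds a ?? pattern from a constructed instruction sequence, then checks it against a second, relocated copy of the same code. The operand-type names and the sample bytes are my own, chosen to mirror the list above; they are not IDA's API.

```python
# Added example (not the plugin's own code). Builds a ??-wildcarded byte
# pattern in the spirit of the README's Auto Wildcard option and matches it
# against a buffer. Operand-type names are assumed and mirror the README list.

# Operand types the README says are wildcarded (assumed name mapping).
WILDCARDED = {"mem_ref", "direct_mem_ref", "mem_ref_disp",
              "imm_far_addr", "imm_near_addr"}

def build_pattern(instructions, auto_wildcard=True):
    """instructions: list of (code_bytes, [(offset, length, operand_type), ...]).
    Returns a space-separated hex pattern such as 'E8 ?? ?? ?? ?? 83 C4 08'."""
    out = []
    for code, operands in instructions:
        mask = [False] * len(code)
        if auto_wildcard:
            for off, length, kind in operands:
                if kind in WILDCARDED:
                    for i in range(off, off + length):
                        mask[i] = True          # this byte is address-dependent
        out.extend("??" if m else f"{b:02X}" for b, m in zip(code, mask))
    return " ".join(out)

def find_pattern(pattern, data):
    """Return every offset in data where the ?? pattern matches."""
    needle = [None if t == "??" else int(t, 16) for t in pattern.split()]
    hits = []
    for i in range(len(data) - len(needle) + 1):
        if all(n is None or n == data[i + j] for j, n in enumerate(needle)):
            hits.append(i)
    return hits

# Constructed sample A: call rel32 ; mov ecx,[0x00401000] ; add esp,8
SAMPLE_A = [
    (bytes.fromhex("E8" "10203040"), [(1, 4, "imm_near_addr")]),    # call <near addr>
    (bytes.fromhex("8B0D" "00104000"), [(2, 4, "direct_mem_ref")]),  # mov ecx,[addr]
    (bytes.fromhex("83C408"), [(2, 1, "imm_value")]),                # add esp,8 (kept)
]
# Constructed sample B: the same code at a different base, so addresses differ.
SAMPLE_B = bytes.fromhex("9090" "E8" "AABBCCDD" "8B0D" "00205000" "83C408" "C3")

if __name__ == "__main__":
    wild = build_pattern(SAMPLE_A)
    raw = build_pattern(SAMPLE_A, auto_wildcard=False)
    print(wild, "->", find_pattern(wild, SAMPLE_B))   # wildcarded pattern still hits
    print(raw, "->", find_pattern(raw, SAMPLE_B))     # exact bytes no longer match
```

The wildcarded pattern finds the relocated code while the exact-byte pattern misses it, which is the difference between a rule that generalises across a family and one that matches a single build.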

Troubleshooting and Support

If you run into issues using the plugin, please let us know either via Discord or by opening an issue on this repo.