Git Product home page Git Product logo

pe_unmapper's Introduction

pe_unmapper

Build status GitHub release Github All Releases

Small tool to convert beteween the PE alignments (raw and virtual).

Allows for easy PE unmapping: useful in recovering executables dumped from the memory.

Usage:

Args:

Required: 
/in	: Input file name

Optional: 
/base	: Base address where the image was loaded: in hex
/out	: Output file name
/mode	: Choose the conversion mode:
	 U: UNMAP (Virtual to Raw) [DEFAULT]
	 M: MAP (Raw to Virtual)
	 R: REALIGN (Virtual to Raw, where: Raw == Virtual)

Example:

pe_unmapper.exe /in _02660000.mem /base 02660000 /out payload.dll

pe_unmapper's People

Contributors

hasherezade avatar

Stargazers

yofriendfromschool1 avatar BiggerThanBigger avatar avatar Mohamed A Sattar avatar Kr0ff avatar Brandon Schmidt avatar avatar Tomashu avatar Ross avatar RiskyDissonance avatar Tran Duy Nam avatar David Carboveanu avatar Icefrog2000 avatar unknown avatar Vithor avatar Lukasz Taczuk avatar avatar Idan Maman avatar 550W avatar avatar MorganTaraum avatar Bory avatar robbert1978 avatar Perry The Duck avatar n3r0_ avatar avatar avatar come2arkside avatar avatar avatar avatar avatar 奶瓶 avatar avatar k1nd0ne avatar avatar Þ4ŊD³m¹©BøY avatar k1ng-h0w1e avatar avatar WtZ avatar avatar Gamous avatar avatar avatar WHOLETTHEDOG-OUT avatar ajtap avatar avatar Squiblydoo avatar Ryota Sakai avatar Raymond Dubisky avatar VietDo avatar winterknife avatar 5l1v3r1 avatar Asatistic avatar xitan avatar Jamie Sparks avatar Florian Stosse avatar Aan avatar avatar Asuka avatar Still / Azaka avatar Kağan IŞILDAK avatar Yeah9782 avatar Corvo avatar Life avatar RBWDenny avatar Huy Doan avatar Aaron avatar BlueSide_StrongSide avatar InvokeThreatGuy avatar

Watchers

James Cloos avatar avatar avatar avatar

Forkers

ba0f3 gmh5225 fengjixuchui ntquerysysteminformation 5l1v3r1 lizhuowu opat-naiping tamatahyt yaelahrip crackercat

pe_unmapper's Issues

The use of `pe_unmapper` on an already unmapped PE corrupts the file

Expected behavior

On an already unmapped PE, pe_unmapper should report there's nothing to unmap and exit.

Observed behavior

pe_unmapper proceeds to unmap the already unmapped PE and corrupts it.

Steps to reproduce the issue

  1. Download packed Locky from VirusTotal (SHA256: 21a0201874af80436dc0a36e5cbaf7da9b75217b3e39b712f3850729cf47deb6)
  2. Dump out memory right after unpacking
  3. Use pe_unmapper the first time to unmap the memory dump.
  4. Use pe_unmapper again on the the unmapped PE.
  5. Use PE-bear to observe the corrupted file.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.