This repository is the home of RoAMer, the "Robust Automatic Malware Unpacker". RoAMer has been developed by Thorsten Jenke, with code contributions by Daniel Plohmann.
It is a generic unpacker based on dynamic analysis. The paper was presented at MALWARE 2019 and will be released soonish.
This is still a very early version. Expect updates soon :)
To run RoAMer you need a VirtualBox environment with a Windows Virtual Machine (VM) in which the malware is unpacked.
- Hardened VM: example howto
- At least the Firewall and Windows Defender need to be deactivated in the VM
- Virtual network in which the host system is able to communicate with the VM
- Python (virtual) environment (> v3.7) that satisfies the repository's requirements
- clone the git repository
- execute `compile.bat` in Windows CMD; this will compile the python scripts into Windows executable files. The executables can be found in `unpacker/dist`, `pewhitelister/dist` and `receiver/dist`
- run `PeHeaderWhitelister.exe C:\` in Windows CMD in the VM and copy the resulting `pe_header_whitelist.json` file to the current VM user's home directory (`C:\Users\%username%\`)
- copy the file `unpacker/dist/main.exe` from the VM to the host system into `$Repository/roamer/bin`
- start the receiver `main.exe` in the VM within a command line terminal (cmd.exe) as an administrator
- move the desktop icons so that the upper left corner of your desktop is free
- create a shortcut to notepad as the first icon directly below the free space (right click -> New -> Shortcut: `C:\Windows\notepad.exe`)
- open notepad with the new shortcut, move the notepad window over the notepad shortcut icon, then close notepad
- create a snapshot of the VM in VirtualBox and name it, e.g., `init`
Screenshot of how the VM should look at the end:
- check the host's config.py and set `SNAPSHOT_NAME` (e.g. `init`) and `VM_NAME` (e.g. `win7box`)
- set `host_ip`, `host_port`, `guest_ip`, `guest_port` to the correct values for your setup
Make sure that the following files exist in your setup:
VM: `C:\Users\%username%\pe_header_whitelist.json`
Host: `../RoAMer/roamer/bin/main.exe`
- adjust config.py parameters as needed. The default configuration was the most successful as determined by the thesis' evaluation.
- just start `run.py <path_to_sample>` and RoAMer will then do its magic in the VM and respond with the identified dumps.
- the script will start the VM with the snapshot you've specified in `config.py`
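A pre-flight check for the host side of the setup above, as an added example that is not RoAMer's own code. It assumes `config.py` exposes the keys named in this README (`SNAPSHOT_NAME`, `VM_NAME`, `host_ip`, `host_port`, `guest_ip`, `guest_port`) as plain values, and it builds the standard VirtualBox `VBoxManage` commands that restore a snapshot and boot the VM only to show what "start the VM with the snapshot" amounts to; whether RoAMer's `run.py` drives VirtualBox exactly this way is not stated on the page.

```python
"""Pre-flight check for a RoAMer-style host configuration (added example).

Not part of the RoAMer repository. Validates the config keys the README
names, checks that the receiver binary is where the README expects it,
and returns the VBoxManage argv lists a launcher would run, without
executing them.
"""
import ipaddress
import os
import tempfile

REQUIRED_KEYS = ("SNAPSHOT_NAME", "VM_NAME", "host_ip", "host_port",
                 "guest_ip", "guest_port")


def _valid_port(value) -> bool:
    return isinstance(value, int) and 1 <= value <= 65535


def _valid_ip(value) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_config(cfg: dict, receiver_path: str) -> list:
    """Return human-readable problems; an empty list means the host is ready."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg or cfg[key] in ("", None):
            problems.append(f"{key} is not set")
    if not problems:
        for key in ("host_ip", "guest_ip"):
            if not _valid_ip(cfg[key]):
                problems.append(f"{key} is not a valid IP address: {cfg[key]!r}")
        for key in ("host_port", "guest_port"):
            if not _valid_port(cfg[key]):
                problems.append(f"{key} is not a valid TCP port: {cfg[key]!r}")
    # README: the unpacker main.exe copied out of the VM must live under roamer/bin
    if not os.path.isfile(receiver_path):
        problems.append(f"unpacker binary missing on host: {receiver_path}")
    return problems


def vbox_commands(cfg: dict) -> list:
    """Build (do not run) the VBoxManage calls: restore the snapshot, then boot.

    "--type gui" is an assumption: the README relies on desktop interaction
    inside the VM, so a visible session is the conservative choice.
    """
    return [
        ["VBoxManage", "snapshot", cfg["VM_NAME"], "restore", cfg["SNAPSHOT_NAME"]],
        ["VBoxManage", "startvm", cfg["VM_NAME"], "--type", "gui"],
    ]


def demo() -> tuple:
    """Run the check against a constructed good and a constructed broken config."""
    good = {"SNAPSHOT_NAME": "init", "VM_NAME": "win7box",
            "host_ip": "192.168.56.1", "host_port": 8181,      # constructed values
            "guest_ip": "192.168.56.101", "guest_port": 8182}
    bad = dict(good, host_port=70000, guest_ip="not-an-ip")
    with tempfile.TemporaryDirectory() as tmp:
        receiver = os.path.join(tmp, "roamer", "bin", "main.exe")
        os.makedirs(os.path.dirname(receiver))
        with open(receiver, "wb") as fh:
            fh.write(b"MZ")  # placeholder standing in for the compiled binary
        ok = check_config(good, receiver)
        errs = check_config(bad, receiver)
    return ok, errs, vbox_commands(good)


if __name__ == "__main__":
    ready, broken, cmds = demo()
    print("good config problems:", ready)
    print("bad config problems:", broken)
    for argv in cmds:
        print(" ".join(argv))
```

Running the module prints an empty problem list for the good config, two problems for the broken one, and the two `VBoxManage` command lines; wiring `check_config` in front of the real launch step catches the "file not found" and "wrong port" class of failures before a VM is touched.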
The unpacker performs mouse movements and click actions so that the malware is less likely to detect that it is about to be unpacked. These actions happen in the upper left area of the screen; moving the icons away prevents the clicks from starting several useless programs.
If the whitelister aborts, this may occur when some broken exe files are located in your AppData or Windows Update directory; remove these corrupt files and the whitelister will run through.
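A fault-tolerant PE header walk in the spirit of the `PeHeaderWhitelister.exe C:\` step and of the troubleshooting note just above, as an added example that is not the project's own code. The page does not document what the real tool records or how `pe_header_whitelist.json` is laid out, so the record layout here (path, a few COFF header fields, and a hash of the raw header bytes) is an assumption; the point it demonstrates is that one corrupt `.exe` in AppData or the Windows Update cache is logged and skipped instead of stopping the whole run.

```python
"""Fault-tolerant PE header whitelist walk (added example, not RoAMer code).

The record layout is assumed; what it shows is the error handling the
README's troubleshooting note asks for: a truncated or non-PE file is
reported and skipped, the walk continues.
"""
import hashlib
import json
import os
import struct
import tempfile

READ_BYTES = 0x1000  # enough for DOS stub + PE headers on ordinary files (assumed)


def parse_pe_header(data: bytes) -> dict:
    """Return basic COFF/optional-header fields; raise ValueError if malformed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} points past the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ...
    machine, num_sections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    opt_magic = 0
    if e_lfanew + 26 <= len(data):  # optional header Magic (0x10b PE32 / 0x20b PE32+)
        opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "machine": machine,
        "sections": num_sections,
        "timestamp": timestamp,
        "optional_magic": opt_magic,
        "header_sha256": hashlib.sha256(data[:READ_BYTES]).hexdigest(),
    }


def build_whitelist(root: str) -> tuple:
    """Walk `root`; return (whitelist dict, list of (path, reason) skipped)."""
    whitelist, skipped = {}, []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(READ_BYTES)
                whitelist[path] = parse_pe_header(data)
            except (OSError, ValueError) as exc:
                # the README's failure mode: a corrupt file must not abort the run
                skipped.append((path, str(exc)))
    return whitelist, skipped


def minimal_pe(num_sections: int = 2) -> bytes:
    """Construct a tiny non-executable PE image: DOS header, PE\\0\\0, COFF, PE32 magic."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, num_sections, 0x5D000000, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + struct.pack("<H", 0x10B) + b"\0" * 0xDE


def demo() -> tuple:
    """Constructed tree: one valid exe, one truncated exe, one fake exe, one txt."""
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "Windows", "System32")
        broken = os.path.join(root, "Users", "user", "AppData", "Local")
        os.makedirs(good)
        os.makedirs(broken)
        with open(os.path.join(good, "notepad.exe"), "wb") as fh:
            fh.write(minimal_pe(num_sections=3))
        with open(os.path.join(broken, "truncated.exe"), "wb") as fh:
            fh.write(minimal_pe()[:0x50])  # cut off before the PE signature
        with open(os.path.join(broken, "not_really.exe"), "wb") as fh:
            fh.write(b"this is not a PE file at all")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"ignored: not an exe")
        whitelist, skipped = build_whitelist(root)
        whitelist = {os.path.relpath(p, root): v for p, v in whitelist.items()}
        skipped = [(os.path.relpath(p, root), why) for p, why in skipped]
    return whitelist, skipped


if __name__ == "__main__":
    wl, sk = demo()
    print(json.dumps(wl, indent=2))
    for path, why in sk:
        print("skipped", path, "->", why)
```

The walk yields one whitelist entry and two skipped files with their reasons; a tool built this way would write the whitelist and the skip list instead of dying on the first damaged file, which is exactly the symptom the note above describes.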
RoAMer was originally developed to unpack on Windows 7 systems; we observed some issues on Windows 10 that might or might not be critical for execution. We're currently working on resolving these issues.
- The hooks have been designed with the help of https://www.apriorit.com/dev-blog/160-apihooks