Introducing PE_unmapper

Recently I wrote a small tool, that can be used as a helper in malware analysis.
Various malware types unpack their core modules in memory, load them and run.
In order to unpack them fast, we can let the malware do all the operations and then just dump the result. However, the dumps are in virtual format – so, we may have problems running them independently and viewing by typical tools.
PE_unmapper allows to convert those dumps into their raw format. The tool is totally independent, so it is up to you by which way you prefer to make dumps. You only need to know the base where the module was loaded, in order to relocate it properly.

download-icon-png-5 The tool is open-source, available on my github

youtube-512 See it in action on YouTube:


About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Malware, Tools, Tutorial and tagged , . Bookmark the permalink.

1 Response to Introducing PE_unmapper

  1. Pingback: Week 48 – 2016 – This Week In 4n6

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s