A search plugin for UnpacMe that quickly finds related malware samples and helps determine whether a block of code is a good candidate for a detection rule. The plugin searches both malicious files and our goodware corpus, so an analyst can quickly determine whether the block of code belongs to a single known family, to multiple families, or is a common pattern that also appears in goodware (and is therefore a poor rule candidate).
The plugin requires a valid API key for UnpacMe.
Before using the plugin you must install the following Python modules into the Python environment that IDA uses (the interpreter IDAPython is configured with, which is not necessarily the system default Python).

Using pip:

```
pip install requests keyring
```
Select the instructions you would like to search for, right-click, and then select UnpacMe Byte Search.
When the Search Preview option is enabled, the plugin displays a preview of the search bytes, which can be edited before the search is submitted.
To search for a specific string, either select the string in the Strings subview or select the address where the string is referenced, then right-click and search.
The results window shows a summary of the search results followed by a table of the raw results. If the pattern is a good candidate for a rule, you can copy it with the Copy Pattern button; a pattern that returns hits from the goodware corpus or from several unrelated families is a weak rule candidate. To view the analysis of a file, click the SHA256 hash in the table; this opens a new browser tab with that file's analysis on UnpacMe. To copy results, select the desired cells and click the Copy Selected Results button.
The plugin has the following configuration options that can be set via the plugin menu.
- API Key - Your Unpac.me API key, which can be found in your account settings on Unpac.me. The plugin uses the keyring module to store the token in the operating system's credential store (the system keyring) rather than in a plugin configuration file.
- Log Level - Set the log verbosity.
- Search Preview - When enabled, the plugin will display a preview of the search bytes that can be edited before searching.
- Auto Wildcard - When set, the plugin replaces with `??` the bytes that are likely to change between samples (addresses and displacements that differ from build to build). The following operand types are wildcarded:
  - Memory References
  - Direct Memory References
  - Memory References with Displacement
  - Immediate Far Address
  - Immediate Near Address
- Search Goodware - When set the plugin will also search the UnpacMe Goodware corpus.
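The following is an added, stand-alone illustration of what the Auto Wildcard option does to a byte pattern and why the result matches across samples; it is not the plugin's own code. The plugin obtains operand positions and types from IDA's decoder, whereas this example takes them as constructed input (the `Operand`/`Insn` types, the operand kind names, and the three instructions are all assumptions made for the example) so that it runs outside IDA.

```python
"""Added example: building an auto-wildcarded hex pattern from instruction
bytes and checking that it matches a second build of the same code.

Everything here is constructed for illustration; the plugin itself gets
operand offsets and types from IDA rather than from hand-written tables.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Operand kinds that the plugin's Auto Wildcard option replaces with '??'
# (names chosen for this example, mirroring the README's list).
WILDCARD_KINDS = {
    "mem",         # memory reference
    "mem_direct",  # direct memory reference (absolute address)
    "mem_disp",    # memory reference with displacement (e.g. RIP-relative)
    "imm_far",     # immediate far address
    "imm_near",    # immediate near address (e.g. call/jmp rel32 target)
}


@dataclass
class Operand:
    offset: int  # byte offset of the encoded operand within the instruction
    size: int    # encoded size in bytes
    kind: str    # one of WILDCARD_KINDS, or a stable kind such as "imm"/"reg"


@dataclass
class Insn:
    raw: bytes
    operands: List[Operand]


def wildcard_pattern(insns: List[Insn]) -> str:
    """Return a space-separated hex pattern with '??' for sample-specific bytes."""
    tokens = []
    for insn in insns:
        mask = [False] * len(insn.raw)
        for op in insn.operands:
            if op.kind in WILDCARD_KINDS:
                for i in range(op.offset, op.offset + op.size):
                    mask[i] = True
        tokens.extend("??" if m else f"{b:02X}" for b, m in zip(insn.raw, mask))
    return " ".join(tokens)


def pattern_matches(pattern: str, data: bytes) -> bool:
    """True if `data` matches `pattern` exactly at offset 0 ('??' = any byte)."""
    toks = pattern.split()
    if len(toks) != len(data):
        return False
    return all(t == "??" or int(t, 16) == b for t, b in zip(toks, data))


# Constructed sample A: three x86-64 instructions with hand-annotated operands.
def sample_a() -> List[Insn]:
    return [
        # sub rsp, 0x28 -- imm8 frame size is stable, so it is NOT wildcarded
        Insn(bytes.fromhex("4883EC28"), [Operand(3, 1, "imm")]),
        # mov ecx, [rip+0x2010] -- disp32 changes whenever the binary is relaid out
        Insn(bytes.fromhex("8B0D10200000"), [Operand(2, 4, "mem_disp")]),
        # call rel32 -- near target changes between builds
        Insn(bytes.fromhex("E878563412"), [Operand(1, 4, "imm_near")]),
    ]


def sample_b_bytes() -> bytes:
    # Constructed sample B: same code, different displacement and call target.
    return bytes.fromhex("4883EC28" "8B0D40300000" "E8AABBCCDD")


def demo() -> Tuple[str, bool, bool]:
    """Build the pattern from sample A and test it against both samples."""
    pat = wildcard_pattern(sample_a())
    raw_a = b"".join(i.raw for i in sample_a())
    return pat, pattern_matches(pat, raw_a), pattern_matches(pat, sample_b_bytes())


if __name__ == "__main__":
    pattern, hit_a, hit_b = demo()
    print(pattern)
    print("matches sample A:", hit_a, "| matches sample B:", hit_b)
```

Without wildcarding, the raw bytes of sample A would not match sample B at all, even though the code is identical; with the five address bytes replaced by `??`, one pattern covers both, which is the property a byte-level detection rule needs. The stable `0x28` immediate is deliberately left in place, because wildcarding every immediate would make the pattern too generic.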
If you run into issues using the plugin, please let us know either via Discord or by opening an issue on this repo.