Heaventools

   English English  Deutsch Deutsch  Русский Русский

home  products  pe explorer  feature tour

UPX UNPACKER PLUG-IN

Automatic UPX Unpacking

PE Explorer ships with the UPX Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with UPX. All versions of UPX are supported, from the obsolete early versions (prior to 0.80) up to the latest 3.0x versions.

In addition, PE Explorer supports for files modified with many UPX scramblers such as Advanced UPX Scrambler, UPoLyX, UPX Lock, and even more: now it supports for Upack and NSPack.

Now you can open files compressed with UPX even without knowing that!

When you open a file with PE Explorer, the UPX Unpacker plug-in detects whether the file is packed with UPX, and then your file will be unpacked automatically. The resulted file will also be saved unpacked.

PE Explorer does not re-pack the previously packed files back to the exact original size. That is why the original file size may be increased after you open and save the executable WITHOUT making ANY changes to it in PE Explorer.

The UPX Unpacker displays lines of messages in the bottom log window as follows:

UPX Unpacker

See also: Upack Unpacker    What are packers?


Unpacking Malicious Software

The UPX Unpacker plug-in works on packed malware executables and can handle a file even if it has been packed with UPX and modified manually so that UPX cannot be used directly to unpack the file, because internal structures have been modified, for example the names of the sections have been changed from UPX to XYZ, or the version number of the UPX format has been changed from 1.20 to 3.21. This technique often is used by malware authors to make unpacking and reverse engineering harder.

Previously, you had to run the executable and dump the packed segments right after the executable had been completely unpacked in memory. Now you can open these obfuscated files even without knowing that: your file will be unpacked automatically!

The UPX Unpacker attempts to recover a file, even when an original PE file header entry is no longer available after unpacking. Previously, losing the PE file header rendered the executable completely inoperable and unrepairable. Now you have good chances to analyze packed malware executables and extract hidden data.

Plug-in Manager

Selecting Plug-in Manager from the Tools menu will display the Plug-in Manager dialog.

The Plug-in Manager lists all the plug-ins that PE Explorer has. When this is open, you can set priority for a selected plug-in. Larger values have greater priority, zero disables the plug-in and marks it red.

Plug-in Manager

Please note that the Plug-in Manager currently does not support for plug-in chains (i.e. plug-in processing stops after 1 successfull pass, and other plug-ins are not called). PE Explorer loads the next plug-in only if the previous plug-in returns FALSE after execution.

Write Your Own Custom Plug-ins

The PE Explorer Unpacker plug-ins unpack only files compressed with UPX, Upack and NSPack. Consult the PE Explorer help for the plug-in API: you can write your own custom start-up processing plug-in for crypted files handling or unpacking the packed files.

Within the PE Explorer directory there must be a subdirectory named PLUGINS. All plug-ins (DLLs) should be placed in this folder.

The plug-in API will be extended, therefore when writing custom plug-ins, it is important to pay special attention to the remarks made in the description of Functions and Types (see the PE Explorer Help file), and abide by them. Following these guidelines will keep your coding compatible with future versions of PE Explorer.

The plug-in API can be found in the Help within the PE Explorer package.

 

Feature Tour  
 prev | next 

 

 

PE Explorer

View Screenshots

Download a 30 day trial version of PE Explorer Buy the Full Version