fkie-cad/GeMU

GeMU, the generic malware unpacker based on QEMU

Licenses found: Unknown (LICENSE), GPL-2.0 (COPYING), LGPL-2.1 (COPYING.LIB)
 
GeMU


This repository contains the code for GeMU, the generic malware unpacker. This unpacker was presented at the WORMA workshop in 2025. Please note that this is still a very early version. If you have any questions, suggestions, or feedback please reach out to us!

Citation: Jenke, T., Ufer, M., Blatt, M., Kohler, L., Padilla, E., & Bruckschen, L. (2025, June). Democratizing Generic Malware Unpacking. In 2025 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 30-38). IEEE.

Building and Setup

Install Requirements

  • Make sure requirements to build QEMU are installed. E.g. for Ubuntu 22.04:

    sudo apt-get install git libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build

    If you have problems building gemu check the official QEMU instructions

  • Make sure additional dependencies for GeMU are installed:

    sudo apt-get install lsof genisoimage
  • Make sure the Python requirements are installed, by running this from the cloned repository folder.

    cd gemu
    pip install -r requirements.txt

Compile GeMU

Similar to a regular QEMU build, but with some extra configure arguments:

mkdir build
cd build
../configure --target-list=x86_64-softmmu --disable-werror
make -j`nproc`

Note that libnfs support is broken on Arch Linux, so it needs to be disabled for the build to succeed there:

mkdir build
cd build
../configure --target-list=x86_64-softmmu --disable-werror --disable-libnfs
make -j`nproc`

Build QEMU Image

  • GeMU requires a QEMU image of Windows 7 or Windows 10.
  • For faster installation, install Windows 7 or Windows 10 using VirtualBox or KVM.
  • Convert the VirtualBox hard-drive image to QCOW2:
    qemu-img convert -O qcow2 win10-disk001.vdi win10.qcow
  • Launch the VM and take a snapshot in which an administrator CMD window is open in the foreground with an English locale.

Generating Symbol Mappings for GeMU and Setting up API Hooks

GeMU requires a symbol mapping that has to be created for the exact VM image used by GeMU.

  • This step requires mounting the VM image, which can be done e.g. with guestmount, provided on Ubuntu by the libguestfs-tools package.
  • guestmount requires the partition to be specified. When the main partition holding C:\ is e.g. the second one, set it to /dev/sda2 (virt-filesystems --all -a /path/to/VM_Image.qcow, from the same package, lists the partitions in the image).
  • This has to be repeated for each Windows version before starting the sandboxing.
cd gemu
mkdir /path/to/a/mountpoint
sudo guestmount -o allow_other -a /path/to/VM_Image.qcow -m /dev/sda2 --ro /path/to/a/mountpoint
python3 generate_symbol_mapping.py --path /path/to/a/mountpoint --outfile ~/.gemu/symbol_mapping.txt
sudo guestunmount /path/to/a/mountpoint
rmdir /path/to/a/mountpoint
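The mount / generate / unmount sequence above, as an added example wrapped in a script with guaranteed cleanup and a partition sanity check. This is not code from the GeMU repository: it assumes the generate_symbol_mapping.py flags shown above, that it is run from the gemu/ directory, and that the image path, guest partition and output file are passed as arguments. The image-hash sidecar file it writes is my own convention for tying a mapping to the exact image it was built from, not something GeMU reads.

```shell
#!/bin/sh
# Added example, not part of GeMU: build the symbol mapping for one VM image,
# refuse to run the generator on the wrong partition, and always unmount.
set -eu

# Returns 0 when $1 looks like the root of a mounted Windows system volume,
# i.e. the partition holding C:\ (the generator needs the files under
# Windows\System32). Accept both common spellings of the directory names.
check_windows_root() {
    root=$1
    for sys32 in "$root/Windows/System32" "$root/WINDOWS/system32"; do
        if [ -f "$sys32/ntoskrnl.exe" ] && [ -f "$sys32/ntdll.dll" ]; then
            return 0
        fi
    done
    return 1
}

# $1 = qcow image, $2 = guest partition (e.g. /dev/sda2), $3 = output mapping
# file. Mounts read-only, runs generate_symbol_mapping.py, and cleans up the
# mount on every exit path so a failed run never leaves a stale guestmount.
generate_mapping() {
    image=$1; part=$2; outfile=$3
    mnt=$(mktemp -d)

    trap 'sudo guestunmount "$mnt" 2>/dev/null; rmdir "$mnt" 2>/dev/null' EXIT INT TERM

    sudo guestmount -o allow_other -a "$image" -m "$part" --ro "$mnt"

    if ! check_windows_root "$mnt"; then
        echo "$part of $image has no Windows/System32; pick the partition holding C:" >&2
        return 1
    fi

    # Create the output directory if it does not exist yet (e.g. ~/.gemu).
    mkdir -p "$(dirname "$outfile")"
    python3 generate_symbol_mapping.py --path "$mnt" --outfile "$outfile"

    # My convention, not GeMU's: the mapping is only valid for this exact image,
    # so record its hash next to the mapping to catch an image swap later.
    sha256sum "$image" > "$outfile.image.sha256"
}

# Usage: ./make_mapping.sh /path/to/VM_Image.qcow /dev/sda2 ~/.gemu/symbol_mapping.txt
if [ "$#" -eq 3 ]; then
    generate_mapping "$@"
fi
```

Before re-running GeMU with an image you rebuilt or re-snapshotted, compare `sha256sum -c symbol_mapping.txt.image.sha256` against the current image; a mismatch means the mapping has to be regenerated.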

Configuring GeMU

You need to enter the VM details in a config file:

cd gemu/gemuinteractor
cp config.py.template config.py
# Edit as required
$EDITOR config.py

Usage

GeMU comes with two scripts to:

  • unpack single files
  • unpack multiple files

Below are simple example uses of these two scripts. To learn more about all available options and parameters, try the --help flag.

Make sure you are in the right directory:

cd gemu

Single File

python3 unpack_single_file.py --sample path/to/binary --time 60

You can add support for new file types yourself by writing a custom GeMU Recipe and passing it via --recipe <path>. Examples of recipes can be found in <gemu-repo-dir>/gemu/gemuinteractor/recipes.

Multiple Files

python3 unpack_multiple_file.py --samples folder/with/samples --malpediamode
python3 unpack_multiple_file.py --samples samples_list.txt --yararules rules.yar
python3 unpack_multiple_file.py --samples sample_folders_list.txt --allowduplicateruns

Roadmap

  • per-thread matching of syscall/sysret pairs
  • prevent unpacking from failing when mounting takes longer than expected
  • PE-carving
  • improve .NET unpacking capabilities
