GitPedia

Mal unpack

Dynamic unpacker based on PE-sieve

From hasherezade · Updated June 13, 2026

Dynamic unpacker based on [PE-sieve](https://github.com/hasherezade/pe-sieve.git) ( 📖 [Read more](https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-vs-malunpack---what-is-the-difference) ). The project is written primarily in C, distributed under the BSD 2-Clause "Simplified" License, and was first published in 2018. Key topics include: libpeconv, malware-analysis, malware-unpacker, memory-forensics, pe-sieve.

Latest release: 1.0
September 13, 2025

mal_unpack


Dynamic unpacker based on PE-sieve ( 📖 Read more ).

It deploys a packed malware, waits for it to unpack the payload, dumps the payload, and kills the original process.

[!CAUTION]
This unpacker deploys the original malware. Use it only on a virtual machine.

⚙ Usage

Basic usage:

```console
mal_unpack.exe /exe <path_to_the_malware> /timeout <timeout: ms>
```

  • By default, it dumps implanted PEs.
  • If you want to dump shellcodes, use the option: /shellc.
  • If you want to dump modified/hooked/patched PEs, use the option /hooks.
  • If you want the unpacker to terminate on timeout, rather than on the first found implant, use /trigger T.

[!IMPORTANT]
The available arguments are documented on Wiki. They can also be listed using the argument /help.
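
A guarded way to launch the unpacker with the switches listed above, as an added PowerShell example that is not part of the mal_unpack project. The script's parameter names, the default timeout, the binary location and the SMBIOS-string VM heuristic are assumptions.

```powershell
# Added example: guarded launcher for mal_unpack.exe (not the project's own code).
# Only switches shown on this page are used: /exe, /timeout, /shellc, /hooks, /trigger T.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Sample,   # path to the packed sample
    [int]    $TimeoutMs = 5000,                # assumed default, tune per sample
    [string] $Unpacker  = '.\mal_unpack.exe',  # assumed location of the release binary
    [switch] $Shellcode,                       # adds /shellc
    [switch] $Hooks,                           # adds /hooks
    [switch] $RunUntilTimeout                  # adds /trigger T
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Heuristic VM check on SMBIOS strings (assumed pattern list); not a security boundary.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$vmPattern = 'VMware|VirtualBox|innotek|QEMU|KVM|Xen|Parallels|Virtual Machine'
if ("$($cs.Manufacturer) $($cs.Model)" -notmatch $vmPattern) {
    throw "Refusing to run: '$($cs.Manufacturer) $($cs.Model)' does not look like a virtual machine."
}

# Resolve both paths up front so a typo fails before anything is executed.
$samplePath   = (Resolve-Path -LiteralPath $Sample).Path
$unpackerPath = (Resolve-Path -LiteralPath $Unpacker).Path

# Record the sample hash before it runs, for the analysis notes.
$hash = (Get-FileHash -LiteralPath $samplePath -Algorithm SHA256).Hash
Write-Host "Sample SHA-256: $hash"

# Build the argument list from the documented switches only.
$unpackArgs = @('/exe', $samplePath, '/timeout', $TimeoutMs)
if ($Shellcode)       { $unpackArgs += '/shellc' }
if ($Hooks)           { $unpackArgs += '/hooks' }
if ($RunUntilTimeout) { $unpackArgs += '/trigger', 'T' }

Write-Host "Running: $unpackerPath $($unpackArgs -join ' ')"
& $unpackerPath @unpackArgs
Write-Host "mal_unpack exit code: $LASTEXITCODE"
```

The VM check only guards against launching on a host by mistake; take a snapshot of the virtual machine before running and revert it afterwards.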

🛠 Helpers and utilities

Clone

Use recursive clone to get the repo together with submodules:

```console
git clone --recursive https://github.com/hasherezade/mal_unpack.git
```

Builds

Download the latest release.


This article is auto-generated from hasherezade/mal_unpack via the GitHub API. Last fetched: 6/24/2026