Stats
Actions
Tags
From windows-reversing
Identify whether a PE is packed, recognize the packer, and extract the unpacked payload for further static analysis — using emulation to run to the OEP when needed.
How this skill is triggered — by the user, by Claude, or both
Slash command
/windows-reversing:packer-triageThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Maps to **MITRE ATT&CK [T1027.002 Software Packing](https://attack.mitre.org/techniques/T1027/002/)** and **[T1140 Deobfuscate/Decode Files](https://attack.mitre.org/techniques/T1140/)**. capa emits these IDs natively under the `obfuscation/packer` rule family (and the corresponding **MBC [F0001 Packer](https://github.com/MBCProject/mbc-markdown/blob/master/anti-static-analysis/executable-packi...
Maps to MITRE ATT&CK T1027.002 Software Packing and T1140 Deobfuscate/Decode Files. capa emits these IDs natively under the obfuscation/packer rule family (and the corresponding MBC F0001 Packer classifiers) — pass them through to the report.
pe_info shows a single code section with entropy > 7.0.kernel32!LoadLibraryA
GetProcAddress).UPX0, UPX1, .aspack, .themida, .vmp0.pe_strings returns almost nothing recognizable.| Signal | Likely packer |
|---|---|
Sections UPX0 / UPX1 | UPX |
Section .aspack | ASPack |
Imports only kernel32!LoadLibraryA, GetProcAddress | UPX / custom |
Section .themida / .vmp0..vmp2 | Themida / VMProtect (hard) |
| Huge section, low import count, IAT built at runtime | Custom loader |
pe_capa --summary_only
Look for tags under the "anti-analysis" / "packer" families.
UPX ships a compatible upx -d unpacker. This capability does not
bundle UPX — if available on PATH, run it directly:
upx -d -o <unpacked>.exe <packed>.exe
pe_info <unpacked>.exe # now has a normal import table
The pattern is: the packed binary runs a stub that decrypts the real
code, rebuilds the IAT, then jumps to the Original Entry Point (OEP).
qiling_api_trace can catch that jump.
qiling_api_trace path=<packed> \
apis=["LoadLibraryA","LoadLibraryW","GetProcAddress","VirtualAlloc","VirtualProtect"] \
bypass_antidebug=true
VirtualProtect call before the stub stops calling
GetProcAddress is typically on the freshly-reconstructed code
section. The address and size of that region is your unpacked
payload.qiling_dump_at_api on that VirtualProtect (param index 0 =
lpAddress, 1 = dwSize) to capture the memory.Out of scope for a first-pass emulation approach. Note that it's heavy VM-based obfuscation and move on — these challenges usually want a side-channel solve (weakness in the checker, not the VM).
Once you have the unpacked payload:
pe_info — the import table should now be normal.pe_strings and pe_capa — expect new hits.ghidra_analyze for decompilation.npx claudepluginhub s3cr1z/capabilities --plugin windows-reversingCreates, edits, and optimizes skills for Claude Code, including drafting, evaluating with test prompts, iterating on performance, and improving skill descriptions for better triggering accuracy.