Anti-Obfuscation

The Problem问题

🔒 Heavy Packing重度加壳

Multi-layer packers (Themida, VMProtect, custom) encrypt code sections, making disassembly impossible. 多层加壳器（Themida、VMProtect、自定义）加密代码段，使反汇编无法进行。

🌀 Code Obfuscation代码混淆

Control-flow flattening, opaque predicates, MBA transforms, dead code insertion destroy static CFG. 控制流平坦化、不透明谓词、MBA变换、死代码插入破坏静态CFG。

🔑 String Encryption字符串加密

All meaningful strings encrypted, dynamically decrypted at runtime. FLOSS/static extraction finds nothing. 所有有意义的字符串被加密，运行时动态解密。FLOSS/静态提取无法获取。

Architecture架构

Three new plugins provide a dynamic-first analysis pipeline — when static analysis fails, fall back to runtime observation: 三个新插件提供动态优先分析流水线 — 当静态分析失败时，回退到运行时观察：

┌─────────────────┐     ┌──────────────────────┐     ┌────────────────────┐
│  deep-unpack    │     │ runtime-deobfuscate  │     │  behavior-first    │
│                 │     │                      │     │                    │
│ deep.unpack     │     │ deobf.strings        │     │ behavior.capture   │
│   .pipeline     │────▶│ deobf.api_resolve    │────▶│ behavior.ioc       │
│ deep.unpack     │     │ deobf.cfg_trace      │     │ behavior.network   │
│   .pe_reconstruct│    │ deobf.dotnet         │     │                    │
│ deep.unpack     │     │                      │     │                    │
│   .dump_scan    │     │                      │     │                    │
└─────────────────┘     └──────────────────────┘     └────────────────────┘
       ▲                         ▲                            ▲
       │                         │                            │
  ┌────┴────┐              ┌─────┴─────┐               ┌─────┴──────┐
  │ Docker  │              │  Docker   │               │  Docker    │
  │ UPX     │              │  Frida    │               │  Frida     │
  │ Speakeasy│             │  Wine     │               │  Wine      │
  │ Qiling  │              │  de4dot   │               │            │
  │ Wine    │              │           │               │            │
  └─────────┘              └───────────┘               └────────────┘

Plugin 1: deep-unpack

Multi-strategy deep unpacking with PE reconstruction. Goes beyond basic unpack.auto (3-layer UPX/Speakeasy/Qiling) with unlimited layers, memory carving, and IAT fixing. 多策略深度脱壳与PE重建。超越基础 unpack.auto（3层UPX/Speakeasy/Qiling），支持无限层、内存雕刻和IAT修复。

Tools工具

Tool	Description描述	Key Parameters关键参数
`deep.unpack.pipeline`	Multi-strategy pipeline: UPX → Speakeasy → Qiling → memory carve. Auto-detects completion via entropy analysis. 多策略流水线：UPX → Speakeasy → Qiling → 内存雕刻。通过熵分析自动检测完成。	`max_layers` (1-10), `strategies`, `timeout`
`deep.unpack.pe_reconstruct`	Rebuild PE from memory dump: fix sections, headers, IAT, checksum. 从内存转储重建PE：修复段、头、IAT、校验和。	`api_trace`, `image_base`, `oep_rva`
`deep.unpack.dump_scan`	Scan memory dump for embedded PE images. Validates MZ/PE signatures, extracts PE images. 扫描内存转储中的嵌入PE镜像。验证MZ/PE签名，提取PE镜像。	`sample_id`

Unpacking Strategies脱壳策略

Strategy策略	Engine引擎	Best For最适合	Speed速度
`upx`	UPX CLI	UPX-compressed binariesUPX压缩的二进制	⚡ Fast快
`speakeasy`	Speakeasy	Custom PE packers, shellcode自定义PE加壳、Shellcode	🔶 Medium中
`qiling`	Qiling Framework	Complex packers, anti-debug, multi-arch复杂加壳、反调试、多架构	🔴 Slow慢
`memory_carve`	Wine + /proc	Process hollowing, RunPE, custom loaders进程镂空、RunPE、自定义加载器	🔶 Medium中

Example Usage使用示例

// Step 1: Deep unpack
{
  "tool": "deep.unpack.pipeline",
  "args": {
    "sample_id": "sha256:abc123...",
    "max_layers": 5,
    "strategies": ["upx", "speakeasy", "qiling", "memory_carve"],
    "timeout": 120
  }
}

// Step 2: Fix PE if needed
{
  "tool": "deep.unpack.pe_reconstruct",
  "args": {
    "sample_id": "sha256:def456...",
    "api_trace": [
      {"address": "0x7FFE1234", "name": "CreateFileW", "module": "kernel32.dll"},
      {"address": "0x7FFE5678", "name": "RegOpenKeyExW", "module": "advapi32.dll"}
    ],
    "oep_rva": "0x1000"
  }
}

// Step 3: Re-ingest unpacked binary
{
  "tool": "unpack.reingest",
  "args": { "sample_id": "sha256:abc123...", "artifact_id": "..." }
}

Plugin 2: runtime-deobfuscate

Runtime deobfuscation via Frida instrumentation. When static analysis shows only encrypted strings and flattened control flow, execute the binary and observe what it actually does. 通过Frida插桩进行运行时去混淆。当静态分析只能看到加密字符串和平坦化控制流时，执行二进制文件并观察其实际行为。

Tools工具

Tool	Description描述	HooksHook点
`deobf.strings`	Runtime string decryption: hooks crypto APIs, XOR loops, VirtualAlloc. Captures decrypted strings as they appear. 运行时字符串解密：Hook加密API、XOR循环、VirtualAlloc。捕获解密后的字符串。	CryptDecrypt, VirtualAlloc, WriteProcessMemory, XOR patterns
`deobf.api_resolve`	Capture dynamically resolved APIs. Builds IAT map for PE reconstruction. 捕获动态解析的API。构建IAT映射用于PE重建。	GetProcAddress, LdrGetProcedureAddress, LoadLibrary*
`deobf.cfg_trace`	CFG recovery via Frida Stalker. Records all executed basic blocks, defeats control-flow flattening. 通过Frida Stalker恢复CFG。记录所有执行的基本块，击败控制流平坦化。	Stalker (compile, block events)
`deobf.dotnet`	.NET deobfuscation via de4dot: string decryption, CF deobfuscation, delegate restoration. 通过de4dot进行.NET去混淆：字符串解密、控制流去混淆、委托恢复。	ConfuserEx, .NET Reactor, Dotfuscator, Babel, Eazfuscator, SmartAssembly

Example: String Decryption + API Resolution Pipeline示例：字符串解密 + API解析流水线

// 1. Capture decrypted strings
{ "tool": "deobf.strings", "args": { "sample_id": "sha256:...", "timeout": 60 } }
// → Returns: unique_strings: 142, strings: [{value: "http://c2.evil.com", ...}, ...]

// 2. Capture resolved APIs
{ "tool": "deobf.api_resolve", "args": { "sample_id": "sha256:...", "timeout": 60 } }
// → Returns: iat_map: [{name: "CreateFileW", module: "kernel32.dll", ...}, ...]

// 3. Recover actual CFG
{ "tool": "deobf.cfg_trace", "args": { "sample_id": "sha256:...", "timeout": 60 } }
// → Returns: unique_blocks: 847, edges: [{from: "0x1000", to: "0x1020"}, ...]

// 4. Feed API trace into PE reconstruction
{ "tool": "deep.unpack.pe_reconstruct", "args": {
    "sample_id": "sha256:...",
    "api_trace": [...iat_map from step 2...],
    "oep_rva": "0x1000"
  }
}

Plugin 3: behavior-first

When even unpacking and deobfuscation fail, observe what the binary does rather than what it is. Full behavioral capture with automated classification. 当脱壳和去混淆都失败时，观察二进制文件的行为而非其本身。完整行为捕获与自动分类。

Tools工具

Tool	Description描述	Monitors监控项
`behavior.capture`	Full behavioral capture in Docker sandbox. Generates behavioral profile with risk score. 在Docker沙箱中进行完整行为捕获。生成带风险评分的行为画像。	CreateFile, RegOpenKey, connect, send, CreateProcess, VirtualAllocEx, NtCreateThreadEx
`behavior.ioc`	Extract IOCs from behavioral data: IPs, domains, URLs, dropped files, registry keys. 从行为数据中提取IOC：IP、域名、URL、释放文件、注册表键。	—
`behavior.network`	Deep network analysis: connection patterns, DNS, HTTP, C2 detection heuristics. 深度网络分析：连接模式、DNS、HTTP、C2检测启发式。	—

Behavioral Profile Tags行为画像标签

Tag	Meaning含义	Risk风险
`persistence`	Writes to Run/RunOnce/Services registry keys写入Run/RunOnce/Services注册表键	+25
`process_injection`	VirtualAllocEx + WriteProcessMemory into remote processVirtualAllocEx + WriteProcessMemory到远程进程	+30
`remote_thread_creation`	NtCreateThreadEx in remote process在远程进程中NtCreateThreadEx	+30
`anti_debug`	IsDebuggerPresent / NtQueryInformationProcessIsDebuggerPresent / NtQueryInformationProcess	+15
`network_connections`	Outbound TCP connections出站TCP连接	+15
`drops_files`	Creates/writes files to disk创建/写入文件到磁盘	+10
`http_communication`	HTTP/HTTPS requests via WinINet通过WinINet发起HTTP/HTTPS请求	+10

Recommended Workflow推荐工作流

For a heavily packed/obfuscated binary, follow this escalation path: 对于高度加壳/混淆的二进制文件，请遵循以下升级路径：

Step 1: Standard Analysis (may fail quickly)第1步：标准分析（可能快速失败）
  → packer.detect         Identify packer/obfuscator识别加壳器/混淆器
  → pe.fingerprint        Check entropy, imports检查熵值、导入表
  → strings.extract       Try static strings (likely empty)尝试静态字符串（可能为空）

Step 2: Deep Unpacking第2步：深度脱壳
  → deep.unpack.pipeline  Multi-strategy, multi-layer unpack多策略、多层脱壳
  → deep.unpack.dump_scan Find PE images in memory dumps在内存转储中查找PE镜像
  → deep.unpack.pe_reconstruct Fix IAT, headers, alignment修复IAT、头、对齐

Step 3: Runtime Deobfuscation第3步：运行时去混淆
  → deobf.strings         Capture decrypted strings捕获解密字符串
  → deobf.api_resolve     Capture resolved APIs → feed to pe_reconstruct捕获解析的API → 输入pe_reconstruct
  → deobf.cfg_trace       Recover actual CFG恢复实际CFG
  → deobf.dotnet          .NET specific (if applicable).NET特定（如适用）

Step 4: Behavioral Analysis (last resort)第4步：行为分析（最后手段）
  → behavior.capture      What does it DO?它做了什么？
  → behavior.ioc          Extract indicators提取指标
  → behavior.network      Network behavior + C2 detection网络行为 + C2检测

Docker SetupDocker配置

These plugins are Docker-priority — they work best in the Docker container with all backends pre-installed. The plugin systemDeps declarations drive automatic Docker image generation: 这些插件是Docker优先的 — 在预装所有后端的Docker容器中效果最佳。插件 systemDeps 声明驱动自动Docker镜像生成：

Dependency依赖	dockerFeature	Used By使用者	Docker PathDocker路径
UPX 5.1.1	`upx`	deep-unpack	`/usr/local/bin/upx`
Speakeasy	—	deep-unpack	pip packagepip包
Qiling 1.4.6	`qiling`	deep-unpack	`/opt/qiling-venv/bin/python`
Wine	`wine`	deep-unpack, runtime-deobfuscate, behavior-first	`/usr/bin/wine`
Frida 17.8.0	`frida`	runtime-deobfuscate, behavior-first	pip packagepip包
de4dot	`de4dot`	runtime-deobfuscate	`/opt/de4dot/de4dot.exe`
pefile	—	deep-unpack	pip packagepip包

# Generate Docker image with all anti-obfuscation backends# 生成包含所有反混淆后端的Docker镜像
npm run docker:generate

# Or include specific plugins only# 或仅包含特定插件
npm run docker:generate -- --profile=full --include=deep-unpack,runtime-deobfuscate,behavior-first

# Build and start# 构建并启动
docker compose --env-file .docker-runtime.env -f docker-compose.yml up -d --build mcp-server

Python WorkersPython Workers

Each plugin delegates to dedicated Python workers via stdin/stdout JSON protocol: 每个插件通过stdin/stdout JSON协议委托给专用Python worker：

Worker	Commands命令	Key Dependencies关键依赖
`deep_unpack_worker.py`	`deep_unpack`, `pe_reconstruct`, `dump_scan`	pefile, speakeasy, qiling, UPX CLI, Wine
`deobfuscate_worker.py`	`strings_runtime`, `api_resolve`, `cfg_trace`, `dotnet_deobfuscate`	frida, de4dot
`behavior_worker.py`	`capture`, `ioc_extract`, `network_analyze`	frida

Complete Tool Reference完整工具参考

Tool	Plugin	Description描述	Docker Required需要Docker
`deep.unpack.pipeline`	deep-unpack	Multi-strategy deep unpacking (up to 10 layers)多策略深度脱壳（最多10层）	Recommended推荐
`deep.unpack.pe_reconstruct`	deep-unpack	PE reconstruction from dump (IAT fix, header fix)从转储重建PE（IAT修复、头部修复）	No (needs pefile)否（需要pefile）
`deep.unpack.dump_scan`	deep-unpack	Scan dump for PE images扫描转储中的PE镜像	No (needs pefile)否（需要pefile）
`deobf.strings`	runtime-deobfuscate	Runtime string decryption via Frida通过Frida运行时字符串解密	Yes (Frida+Wine)是（Frida+Wine）
`deobf.api_resolve`	runtime-deobfuscate	Dynamic API resolution capture动态API解析捕获	Yes (Frida+Wine)是（Frida+Wine）
`deobf.cfg_trace`	runtime-deobfuscate	CFG recovery from Stalker trace从Stalker跟踪恢复CFG	Yes (Frida+Wine)是（Frida+Wine）
`deobf.dotnet`	runtime-deobfuscate	.NET deobfuscation via de4dot通过de4dot进行.NET去混淆	Recommended (mono+de4dot)推荐（mono+de4dot）
`behavior.capture`	behavior-first	Full behavioral capture完整行为捕获	Yes (Frida+Wine)是（Frida+Wine）
`behavior.ioc`	behavior-first	IOC extraction from behavior data从行为数据中提取IOC	No否
`behavior.network`	behavior-first	Network behavior + C2 detection网络行为 + C2检测	No否

Anti-Obfuscation Plugins反混淆插件

The Problem问题

🔒 Heavy Packing重度加壳

🌀 Code Obfuscation代码混淆

🔑 String Encryption字符串加密

Architecture架构

Plugin 1: deep-unpack

Tools工具

Unpacking Strategies脱壳策略

Example Usage使用示例

Plugin 2: runtime-deobfuscate

Tools工具

Example: String Decryption + API Resolution Pipeline示例：字符串解密 + API解析流水线

Plugin 3: behavior-first

Tools工具

Behavioral Profile Tags行为画像标签

Recommended Workflow推荐工作流

Docker SetupDocker配置

Python WorkersPython Workers

Complete Tool Reference完整工具参考