virusbattle-sdk / Unpacking

Getting Started

Accessing VirusBattle requires downloading and setting up the VirusBattle SDK. See Installation, Setup, Registration to set it up.

Unpacking with VirusBattle

VirusBattle provides a fully automated generic unpacking service. All you need to do is upload a PE-32 executable, either as is or as part of a compressed archive, wait a few seconds, and download the unpacked file.

Uploading to VirusBattle

See Uploading Files for a detailed HowTo. The easiest way to upload to VirusBattle is:

    vbclient.py -a upload <path to file>

Checking Status

To find out if the uploaded file has been processed or not:

    vbclient.py -a status <sha1 of uploaded file>

You may also want to use the Query option for details:

    vbclient.py -a query <sha1 of uploaded file>

Downloading Unpacked File

To download results of VirusBattle, use the Download action:

    vbclient.py -a download <sha1 of uploaded file> --enable_malware_download

This downloads VirusBattle service result files into the ./Results folder. To avoid downloading results from other services (srlStatic, srlJuice, etc.), set the appropriate VIRUSBATTLE_SERVICE_FILTER as described below.

Generate mapping between packed and unpacked file

To generate service maps, use the map action:

    vbclient.py -a map <sha1 of uploaded file>

This creates CSV map files in the ./Results directory containing original_file_sha1,unpacked_file_sha1.
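Once the download and map steps have run, the map can be used to confirm that each unpacked file listed for a sample is actually on disk with the expected hash. The following is an added example, not part of the VirusBattle SDK. It assumes the map rows are `original_file_sha1,unpacked_file_sha1` as stated above, that result files are stored unmodified (not wrapped in an archive), and that one original may map to several unpacked files; the map file name and sample data are constructed.

```python
import csv
import hashlib
import re
import tempfile
from pathlib import Path

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def sha1_of(path):
    """Stream a file through SHA-1 without loading it all into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def read_map(csv_path):
    """Return {original_sha1: [unpacked_sha1, ...]}; header or malformed rows are skipped."""
    mapping = {}
    with open(csv_path, newline="") as fh:
        for row in csv.reader(fh):
            cells = [c.strip().lower() for c in row[:2]]
            if len(cells) == 2 and all(SHA1_RE.match(c) for c in cells):
                mapping.setdefault(cells[0], []).append(cells[1])
    return mapping

def verify_results(results_dir, map_name):
    """Match mapped unpacked hashes against the content hash of every non-CSV file."""
    results_dir = Path(results_dir)
    # Match on content, not file name, so no naming scheme is assumed.
    on_disk = {sha1_of(p) for p in results_dir.rglob("*")
               if p.is_file() and p.suffix != ".csv"}
    return {orig: {u: (u in on_disk) for u in unpacked}
            for orig, unpacked in read_map(results_dir / map_name).items()}

def demo():
    """Constructed sample: one mapped file present, one mapped file missing."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        payload = b"constructed stand-in for an unpacked PE file"
        (root / "unpacked.bin").write_bytes(payload)
        good, missing, original = hashlib.sha1(payload).hexdigest(), "0" * 40, "a" * 40
        (root / "sample_map.csv").write_text(  # hypothetical map file name
            "original_file_sha1,unpacked_file_sha1\n"
            f"{original},{good}\n{original},{missing}\n")
        return verify_results(root, "sample_map.csv"), original, good, missing

if __name__ == "__main__":
    print(demo()[0])
```

A `False` entry in the report means the map lists an unpacked file whose content was not found under the results directory, for example because it was excluded by a service filter or the download was incomplete.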

Filter Other Services

If you are only interested in unpacking and want to exclude results from other VirusBattle services (srlJuice, srlStatic, srlSimService, etc.), set the VIRUSBATTLE_SERVICE_FILTER environment variable to the appropriate value.

    export VIRUSBATTLE_SERVICE_FILTER="srlJuice,srlSimService,srlStatic"

The variable accepts a comma-separated list of service names to filter out. You can filter out as many or as few services as you choose.
