
Debloat

Debloat is a GUI and CLI tool to remove excess garbage from bloated executables.

By excess garbage, I mean 100 - 800 MB of junk bytes added to a binary to keep it from going into a sandbox. This method of adding junk is called "inflating" or "pumping" a binary. Debloat currently handles the 10 most common inflation tactics.

Being built with Python, the application can easily be leveraged in other workflows. Currently, debloat is used by CCCS's AssemblyLine and CERT Polska's MWDB.

The program can be compiled for Windows, MacOS, Linux. The GUI and CLI have minimal options: it is intended to be as simple as possible and the logic within the program handles the different use cases automatically.

Compiled binaries have already been included in the Releases.

Debloat can be installed using pip install debloat. Use debloat to launch the CLI and debloat-gui to launch the GUI.

For advanced users, Debloat can also be imported into other scripts and the processing functions can be called individually.

How to use the GUI?

The GUI of Debloat is intended to be as intuitive as possible. When launched, you can drag and drop a bloated file onto the text bar and press the "Process file" button. Some technical information will be printed to the scrolling textbox and the file without bloat will be written to the directory the file was pulled from. Sound easy? It is!

Processing files will take a few seconds.

How to use the CLI?

After installing using pip install debloat, use the command debloat.

debloat can take two arguments. The first argument is required: the file to debloat. The second argument is optional: the output location. When no output is provided, it will be written to the same directory as the original file.

The GUI can also be launched from the CLI using the command debloat-gui.

Does it always work?

Not yet. Based on my recent analysis, debloat is able to remove junk from bloated files 97.8% of the time.

In previous versions, debloat could accidentally remove too much of the binary. That is no longer the case unless you use the "--last-ditch" switch. If you ever need this switch, consider sharing the sample for additional analysis. This option has now been added to the GUI. Functionally, this switch removes the whole overlay, if there is one. In some cases this is necessary because no pattern for the junk was found---this is most commonly the case in samples that do not compress well.
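To make concrete what "the whole overlay" means and why stripping it can take too much, here is an added Python example (not debloat's own code) that locates the overlay from the PE section table, splits it off, and scores how padding-like it looks. The minimal PE it builds is constructed sample input, not a real binary.

```python
import struct
from collections import Counter

def overlay_offset(data: bytes) -> int:
    """Return the file offset where the PE overlay begins: the end of the
    last section's on-disk bytes (or of the headers, whichever is larger)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    # SizeOfHeaders sits at offset 60 of the optional header for PE32 and PE32+
    end = struct.unpack_from("<I", data, coff + 20 + 60)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data))  # never point past a truncated file

def strip_overlay(data: bytes) -> tuple[bytes, bytes]:
    """Split a PE into (bytes up to the overlay, the overlay itself)."""
    off = overlay_offset(data)
    return data[:off], data[off:]

def junk_ratio(blob: bytes) -> float:
    """Share of the single most frequent byte value; near 1.0 for padding runs."""
    if not blob:
        return 0.0
    return Counter(blob).most_common(1)[0][1] / len(blob)

def build_sample_pe(section: bytes, overlay: bytes) -> bytes:
    """Constructed, non-runnable PE32 image with one section, used as sample input."""
    headers_size, opt_size, e_lfanew = 0x200, 0xE0, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 60, headers_size)   # SizeOfHeaders
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000,
                                         len(section), headers_size, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(headers_size, b"\0")
    return hdr + section + overlay

if __name__ == "__main__":
    pe = build_sample_pe(b"\x90" * 0x300, b"\0" * 0x10000)  # 64 KiB of null padding
    kept, dropped = strip_overlay(pe)
    print(f"kept {len(kept)} bytes, dropped {len(dropped)} bytes, junk ratio {junk_ratio(dropped):.2f}")
```

Legitimate data such as an Authenticode signature or an installer payload also lives in the overlay, which is why cutting it wholesale is a last resort rather than the default.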

Use Cases (Images from Malcat)

Full support

Partial Support

Other use cases

There are use cases where the tool does not work. However, I plan to solve for them before publishing too much about them.

Why?

There appear to be a limited number of tools to easily process bloated executables. The two tools I have seen the most are “foremost” which is intended for recovering binaries from a disk image and “pecheck”.

Foremost works best in instances where the junk bytes are null (0x00) and it struggles when the binary has a fake or real signature. Its use in removing bloat from files is not its original purpose.

Pecheck has been developed over 14+ years and has some confusing commandline options. The option to remove bloated content is not the primary function of the script. Pecheck has to be combined with another tool (disitool) in order to handle signed executables. In my experience, there are other times where pecheck can get confused and return an executable twice the size of the original bloated executable. All these factors seem OK if you are handling a small number of binaries, but as the number of binaries and methods increase, a tool specific to removing bloat is needed.

Binary Refinery is an amazing tool. It was written with the intention of being a CyberChef of the commandline. While both tools are amazing, they both have a shortcoming that requires the user to know what formulas should be applied.

There are good, solid manual methods to remove bloat from binaries, but these methods can be tedious and not all analysts have the skills to do this. This tool removes the burden of needing to know how to manually remove bloat. Additionally, the principles used in the script allow for better scale if automation is desired.

How to build?

Follow the build commands appropriate to your platform. The main difference between build commands is the format of the icon.

MacOS

pyinstaller --onefile --noconsole --additional-hooks-dir=./hook --icon=debloat.icns gui.py

Windows

pyinstaller --onefile --noconsole --additional-hooks-dir=./hook --icon=debloat.ico gui.py

Linux

pyinstaller --onefile --noconsole --icon=debloat.ico --collect-all tkinterdnd2 gui.py

Want to discuss?

Consider joining the debloat Discord.

Credits

Big shoutout to Jesko Hüttenhain, creator of Binary Refinery. The NSIS extraction is based on his reverse engineering of the NSIS file format. Check out Binary Refinery if you have not.

Where is this project going next?

Batch processing: process all files in a directory and produce a report.

Better support for using processing methods outside of debloat.

Support for debloating without unzipping.