NsPack Unpacker Plug-In
Automatic NSPack Unpacking
PE Explorer ships with the NsPack Unpacker plug-in, a start-up processing plug-in for unpacking files compressed with NsPack by NorthStar/Liu Xing Ping. NsPack is a Chinese-written, commercial Win64/32/.NET executable file compressor, capable of reducing the file size of 64-bit and 32-bit Windows programs by as much as 60% without noticeable performance change. NsPack is a packer quite commonly used in malware.
The NsPack Unpacker re-creates an executable file in its original form, before it was packed. This allows you to perform static analysis on the now unpacked data.
When you open a file with PE Explorer, the NsPack Unpacker plug-in detects whether the file is packed with NsPack and, if so, unpacks it automatically. The resulting file will also be saved unpacked. PE Explorer does not re-pack previously packed files back to their exact original size.
Now, once it's opened and unpacked, you can continue with import analysis in EXE Import Viewer, then check out all referenced text strings and function calls in Disassembler. You can rapidly analyze the procedures and libraries a malware executable uses without ever activating the executable itself - a great advantage over debuggers where malicious code needs to be run to be analyzed.
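As a quick triage check before opening a sample, the sketch below reads only the PE section table and reports section names that look like NsPack's. It is an added example, not PE Explorer's detection logic or plug-in code; the `.nsp`/`nsp` name prefixes are an assumption based on NsPack's commonly reported default section names, and the function names and sample headers are constructed for illustration.

```python
import struct

# Assumption: commonly reported NsPack default section names (.nsp0, .nsp1, nsp0, ...).
# Renamed sections defeat this heuristic, so a miss does not prove a file is unpacked.
NSPACK_PREFIXES = (".nsp", "nsp")

def pe_sections(data: bytes):
    """Return [(name, virtual_size, raw_size)] from a PE image's section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        raise ValueError("PE signature or COFF header not found")
    # The 20-byte COFF file header follows the 4-byte signature.
    _machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # The section table starts after the optional header (its size differs for PE32/PE32+).
    table = e_lfanew + 24 + opt_size
    if table + 40 * nsect > len(data):
        raise ValueError("section table is truncated")
    sections = []
    for i in range(nsect):
        raw_name, vsize, _va, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vsize, rsize))
    return sections

def nspack_indicators(data: bytes):
    """Names of sections that match the NsPack naming heuristic."""
    return [n for n, _v, _r in pe_sections(data) if n.lower().startswith(NSPACK_PREFIXES)]

def build_sample(names):
    """Constructed input: MZ stub, PE/COFF header, and bare 40-byte section headers."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x0102)
    heads = b"".join(struct.pack("<8sIII20x", n.encode(), 0x1000, 0x1000 * (i + 1), 0)
                     for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + heads

if __name__ == "__main__":
    for label, names in (("packed-like", [".nsp0", ".nsp1", ".nsp2"]),
                         ("ordinary", [".text", ".rdata", ".data"])):
        print(label, nspack_indicators(build_sample(names)))
```

The parser never maps or executes the file, so it is safe to run over a directory of untrusted samples.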
Write Your Own Custom Plug-ins
The NsPack Unpacker plug-in unpacks only files compressed with NsPack. Consult the PE Explorer help for the plug-in API: you can write your own custom start-up processing plug-in for handling crypted files or unpacking packed files. Using the Plug-in Manager, you can set the execution priority of plug-ins: Menu Tools | Plug-in Manager.
Within the PE Explorer directory there must be a subdirectory named PLUGINS. All plug-ins (DLLs) should be placed in this folder.
The plug-in API will be extended, so when writing custom plug-ins it is important to pay special attention to the remarks made in the description of Functions and Types (see the PE Explorer Help file) and abide by them. Following these guidelines will keep your code compatible with future versions of PE Explorer.
The plug-in API can be found in the Help within the PE Explorer package.