Thursday, June 13, 2013

Symantec Quarantined VBN file decoder

pyqextract.py decodes Symantec quarantined VBN files. Like many others, I couldn't get qextract.exe to work, so I wrote my own. This decoder removes the magic bytes Symantec adds to each file that is quarantined. The "magic bytes" break the IAT and the data/code segments by offsetting everything in the executable.

Usage: $ python pyqextract.py 5BB7429F.VBN out.exe

Updated version: 6/26/14 
Download pyqextract.py

7 comments:

  1. Hi Jamaal! I'm attempting to test a Symantec VBN and receive the following error - failed: substring not found

  2. Did you get my message? I sent you a link to the older version. Let me know if that works

  3. I did not receive the messages. Please send again.

    Replies
    1. Older version is here: https://code.google.com/p/jamaal-re-tools/source/browse/pyqextract/pyqextract.py?r=0ab6872f922abdd8bc92e9e958f8a8639c8784bf

  4. Hi Jamaal! I'm attempting to test a Symantec VBN and receive the following error - failed: substring not found
    Could you please send me the download link for the older version?

  5. https://code.google.com/p/jamaal-re-tools/source/browse/pyqextract/pyqextract.py?r=0ab6872f922abdd8bc92e9e958f8a8639c8784bf

  6. If this doesn't work, please let me know. I will write a new decoder. I'll just need a VBN file.
