
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-07-25



Python Malware - Part 4

Published: 2016-07-25
Last Updated: 2016-07-25 11:17:31 UTC
by Didier Stevens (Version: 1)
0 comment(s)

You don't always get a text file with source code when you extract the Python script from a PyInstaller-produced EXE.

I wrote the following Python script, which includes shellcode, and generated an EXE from it with PyInstaller:

Then I extracted the Python script from the EXE:

This time, the extracted shellcode file doesn't contain Python source code:

It's actually compiled Python bytecode: a marshalled code object, stored without the header a .pyc file would normally start with.

Add the following 8 bytes (the .pyc header: the 4-byte magic number of the Python version the EXE was built with, followed by a 4-byte timestamp, which may be zero) to the beginning of the file and save it as shellcode.pyc:
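The header-prepending step above, as an added example that is not part of the diary (the diary's own bytes sit in the screenshot and are not reproduced here). The script first checks that the extracted file really is a marshalled code object rather than source, then prepends the header. It generalizes beyond the diary's 8-byte Python 2 case to the 12-byte layout of Python 3.3 through 3.6 and the 16-byte PEP 552 layout of Python 3.7 and later; the Python 2.7 magic number constant is an assumption taken from CPython, not from the page, and the sample script in the round-trip helper is constructed for this example.

```python
"""Rebuild a .pyc from the bare marshalled code object PyInstaller stores.

Added example, not code from the diary. The diary covers Python 2 (8-byte
header); this also handles the later Python 3 header layouts.
"""
import importlib.util
import marshal
import struct
import sys

# Python 2.7 magic number (62211 little-endian + "\r\n"). Assumption from
# CPython's sources; the diary's screenshot is not reproduced here.
PY27_MAGIC = b"\x03\xf3\r\n"


def looks_like_marshalled_code(data: bytes) -> bool:
    """Heuristic check that a file is a marshalled code object, not source.

    marshal writes a code object with the type byte 'c' (0x63); Python 3.4+
    may OR in FLAG_REF (0x80), giving 0xE3, so the high bit is masked off.
    """
    return bool(data) and (data[0] & 0x7F) == ord("c")


def pyc_header(magic: bytes, layout: str, mtime: int = 0,
               source_size: int = 0, flags: int = 0) -> bytes:
    """Build the header that precedes the code object in a .pyc file.

    layout 'py2' : magic + mtime                 (8 bytes,  Python 2.x / 3.0-3.2)
    layout 'py33': magic + mtime + source size   (12 bytes, Python 3.3-3.6)
    layout 'py37': magic + flags + mtime + size  (16 bytes, Python 3.7+, PEP 552)
    """
    if len(magic) != 4:
        raise ValueError("magic number must be exactly 4 bytes")
    if layout == "py2":
        return magic + struct.pack("<I", mtime)
    if layout == "py33":
        return magic + struct.pack("<II", mtime, source_size)
    if layout == "py37":
        return magic + struct.pack("<III", flags, mtime, source_size)
    raise ValueError("unknown header layout: %r" % (layout,))


def wrap_pyc(raw: bytes, magic: bytes, layout: str) -> bytes:
    """Prepend a .pyc header to a bare marshalled code object."""
    if not looks_like_marshalled_code(raw):
        raise ValueError("input does not start with a marshalled code object "
                         "(is it already source, or a different archive member?)")
    return pyc_header(magic, layout) + raw


def running_interpreter_layout() -> str:
    """Header layout used by the interpreter running this script."""
    if sys.version_info >= (3, 7):
        return "py37"
    if sys.version_info >= (3, 3):
        return "py33"
    return "py2"


def roundtrip_demo() -> int:
    """Compile a constructed sample, strip it to what PyInstaller would store,
    rebuild the .pyc for this interpreter, and execute the recovered code."""
    sample_src = "def f():\n    return 6 * 7\nanswer = f()\n"  # constructed
    raw = marshal.dumps(compile(sample_src, "sample.py", "exec"))
    magic = importlib.util.MAGIC_NUMBER
    layout = running_interpreter_layout()
    pyc = wrap_pyc(raw, magic, layout)
    header_len = len(pyc_header(magic, layout))
    recovered = marshal.loads(pyc[header_len:])
    namespace = {}
    exec(recovered, namespace)
    return namespace["answer"]


if __name__ == "__main__":
    # Usage: rebuild_pyc.py <extracted-file> <output.pyc>
    # Writes a Python 2.7 .pyc, matching the diary's 8-byte case.
    if len(sys.argv) != 3:
        sys.exit("usage: %s <extracted-file> <output.pyc>" % sys.argv[0])
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    with open(sys.argv[2], "wb") as out:
        out.write(wrap_pyc(blob, PY27_MAGIC, "py2"))
    print("wrote", sys.argv[2], "(%d bytes)" % (len(blob) + 8))
```

The magic number must match the Python version the EXE was built with, otherwise the decompiler will reject or misdecode the file; when that version is unknown, the PYZ archive extracted from the same EXE or the bundled pythonXY.dll name settles it. The timestamp and size fields only matter to the import system's staleness check, so zero is fine for decompilation.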

Now you can use a Python bytecode decompiler like Easy Python Decompiler:

Here is the recovered source code (shellcode.pyc_dis):

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: malware python