Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2016-05-21 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Python Malware - Part 2

Published: 2016-05-21
Last Updated: 2016-05-21 22:23:11 UTC
by Didier Stevens (Version: 1)
0 comment(s)

I would have liked to create a PEiD signature for PE files created with PyInstaller, because then I could just use my pecheck tool (it's essentially a wrapper for pefile). But testing this YARA rule I created is much easier for me than testing a PEiD rule.

So I made a few changes to pecheck so that it also supports YARA rules. And overlays.

Here I use it on a PE file created with PyInstaller (together with the YARA rule to detect such PE files).

The output tells you that the PE file has an overlay (2.4 MB in size, that's 95.15% of the PE file) and that the YARA rule to detect PE files created with PyInstaller triggered (PE_File_pyinstaller).

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

0 comment(s)
Diary Archives