
SANS ISC InfoSec Forums (SANS Internet Storm Center): Python Malware - Part 2

Python Malware - Part 2

I would have liked to create a PEiD signature for PE files created with PyInstaller, because then I could just use my pecheck tool (it's essentially a wrapper for pefile). But testing this YARA rule I created is much easier for me than testing a PEiD rule.

So I made a few changes to pecheck so that it also supports YARA rules. And overlays.

Here I use it on a PE file created with PyInstaller (together with the YARA rule to detect such PE files).

The output tells you that the PE file has an overlay (2.4 MB in size, which is 95.15% of the PE file) and that the YARA rule to detect PE files created with PyInstaller (PE_File_pyinstaller) triggered.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.
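As an added example (not code from this diary, from pecheck or from pefile), the following stand-alone Python script reproduces the overlay part of the report above: it walks the section table, takes the end of the last section's raw data as the start of the overlay, and reports the overlay's offset, size and share of the file. The diary's YARA rule is not reproduced here; as a stand-in, the overlay is scanned for PyInstaller's CArchive cookie magic (a constant taken from PyInstaller's bootloader sources), and the sample PE is a constructed, headers-only image built inline.

```python
import struct

# PyInstaller's CArchive cookie magic, as defined in PyInstaller's bootloader.
# Stand-in for the diary's YARA rule, which is not reproduced on this page.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def overlay_info(data):
    """Return (offset, size, percent_of_file) of the PE overlay, or None if absent."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]       # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                  # first section header
    end = table + 40 * nsections                                  # never below the headers
    for i in range(nsections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each 40-byte header
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    if end >= len(data):
        return None
    size = len(data) - end
    return end, size, round(100.0 * size / len(data), 2)


def looks_like_pyinstaller(data):
    """True if the overlay carries PyInstaller's archive cookie magic."""
    info = overlay_info(data)
    return info is not None and PYINSTALLER_MAGIC in data[info[0]:]


def build_sample(overlay):
    """Construct a minimal one-section PE (no optional header) followed by `overlay`."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, 1 section
    sect = (b".text".ljust(8, b"\0")
            + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x200)   # VSize, VA, RawSize, RawPtr
            + bytes(16))
    headers = (bytes(dos) + b"PE\0\0" + coff + sect).ljust(0x200, b"\0")
    return headers + bytes(0x200) + overlay                       # section data, then overlay


if __name__ == "__main__":
    sample = build_sample(b"\xAA" * 3000 + PYINSTALLER_MAGIC + bytes(64))
    print(overlay_info(sample), looks_like_pyinstaller(sample))
```

On a real PyInstaller-built executable the overlay holds the bundled archive, which is why its share of the file is so large in the report above.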

