SANS ISC: Internet Storm Center - Internet Security | DShield Internet Storm Center
Python Malware - Part 4

Published: 2016-07-25
Last Updated: 2016-07-25 11:17:31 UTC
by Didier Stevens (Version: 1)
0 comment(s)

You don't always get a text file with source code when you extract Python code from a PyInstaller-produced EXE.

I produced the following Python code containing shellcode, and generated an EXE from it with PyInstaller:

Then I extracted the Python code from the EXE:

This time, the extracted shellcode file doesn't contain Python source code:

It's actually compiled Python bytecode.

Add the following 8 bytes to the beginning of the file and save it as shellcode.pyc:

Now you can use a Python bytecode decompiler like Easy Python Decompiler:

Here is the recovered source code (shellcode.pyc_dis):
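The 8 bytes prepended above are a .pyc header: the interpreter's version-specific magic number followed by a 4-byte timestamp, which a decompiler checks before it will parse the marshalled code object behind it. The script below is an added example, not the diary's own code: it rebuilds that header for the running interpreter and verifies the result by unmarshalling it, without executing anything, and it also covers the longer 12- and 16-byte headers that newer Python 3 releases use. It assumes the interpreter running it is the same major.minor version PyInstaller bundled into the EXE, and that the extracted file is one headerless marshalled code object.

```python
import marshal
import struct
import sys
import types

try:
    from importlib.util import MAGIC_NUMBER   # Python 3
except ImportError:                           # Python 2.7
    from imp import get_magic
    MAGIC_NUMBER = get_magic()

def pyc_header(mtime=0, source_size=0):
    """Header the running interpreter expects in front of marshalled code.
    2.x, 3.0-3.2: magic + mtime (8 bytes, as in the diary);
    3.3-3.6: magic + mtime + source size (12 bytes);
    3.7+: magic + flags + mtime + size (16 bytes, PEP 552, flags 0 = timestamp).
    A decompiler only needs the magic, so the other fields may stay zero."""
    ver = sys.version_info[:2]
    if ver < (3, 3):
        return MAGIC_NUMBER + struct.pack("<I", mtime)
    if ver < (3, 7):
        return MAGIC_NUMBER + struct.pack("<II", mtime, source_size)
    return MAGIC_NUMBER + struct.pack("<III", 0, mtime, source_size)

def looks_like_pyc(blob):
    """True when the blob already starts with this interpreter's magic."""
    return blob[:4] == MAGIC_NUMBER

def add_header(raw_code, mtime=0):
    """Prepend the header to a headerless blob; refuse to wrap it twice."""
    if looks_like_pyc(raw_code):
        raise ValueError("input already carries a .pyc header")
    return pyc_header(mtime) + raw_code

def load_code(pyc_bytes):
    """Strip the header and unmarshal to prove the pairing is sane before
    handing the file to a decompiler; nothing in the blob is executed."""
    code = marshal.loads(pyc_bytes[len(pyc_header()):])
    if not isinstance(code, types.CodeType):
        raise ValueError("payload is not a marshalled code object")
    return code

# Constructed stand-in for the extracted file: marshalled code, no header.
SAMPLE_SOURCE = "def answer():\n    return 6 * 7\n"
HEADERLESS_BLOB = marshal.dumps(compile(SAMPLE_SOURCE, "shellcode.py", "exec"))

if __name__ == "__main__":
    with open("shellcode.pyc", "wb") as fh:
        fh.write(add_header(HEADERLESS_BLOB))
    print(load_code(add_header(HEADERLESS_BLOB)).co_names)
```

The written shellcode.pyc can then be fed to a decompiler exactly as in the diary; if the magic number does not match the version the EXE embedded, the decompiler will reject it, which is the first thing to check when decompilation fails.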

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: malware python