You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have had a hard time today analysing a malware sample that loads a byte-like Python code object (with marshal.loads(obj_bytes)) and executes it (with exec()). After testing several options, I found a way that worked:
Save byte-like Python code object as PYC file:
co=marshal.loads(obj_bytes)
# Convert Marshall code object `co` to PYC# https://stackoverflow.com/a/73454818/6245337importimportlib, syspyc_data=importlib._bootstrap_external._code_to_timestamp_pyc(co)
# Write PYC to filewithopen('result.pyc', 'wb') asf:
f.write(pyc_data)
Decompile the PYC file. The object had been compiled with Python 3.10 and there are not many decompilers for it. After trying several tools, these two options worked (the first one worked better than the second) to decompile the PYC file:
@mandiant/flare-vm I am using Utilities as category, but I think I would have a hard time finding it there. Ideas for a better category? what about a new Python category?
Ana06
changed the title
URL package proposal: pycdc.vm
Add Python decompiler
Nov 29, 2024
One of my colleagues found pycdas.exe also useful for a sample where pycdc.exe failed. I think we should then install both and then the package needs to be added manually too.
I have had a hard time today analysing a malware sample that loads a byte-like Python code object (with
marshal.loads(obj_bytes)
) and executes it (withexec()
). After testing several options, I found a way that worked:Save byte-like Python code object as PYC file:
Decompile the PYC file. The object had been compiled with Python 3.10 and there are not many decompilers for it. After trying several tools, these two options worked (the first one worked better than the second) to decompile the PYC file:
I propose to add both unpyc37-3.10 and pycdc.exe to FLARE-VM. Even if unpyc37-3.10 seems to work better for Python 3.10, it does not support Python >3.10 which pycdc. does. @mandiant/flare-vm should we add any other binary from https://github.com/extremecoders-re/decompyle-builds/releases/tag/build-16-Oct-2024-5e1c403 as well?
The text was updated successfully, but these errors were encountered: