
Add Python decompiler #1182

Open
Ana06 opened this issue Nov 29, 2024 · 3 comments
Assignees
Labels
🌀 FLARE-VM A package or feature to be used by FLARE-VM 🆕 package New package request/idea/PR

Comments

@Ana06
Member

Ana06 commented Nov 29, 2024

I have had a hard time today analysing a malware sample that loads a byte-like Python code object (with marshal.loads(obj_bytes)) and executes it (with exec()). After testing several options, I found a way that worked:

  1. Save byte-like Python code object as PYC file:

    import importlib
    import marshal

    # `obj_bytes` holds the marshalled code object extracted from the sample.
    # marshal.loads() only deserialises it; nothing is executed here.
    co = marshal.loads(obj_bytes)

    # Convert the marshalled code object `co` to a PYC image (header + marshal data).
    # _code_to_timestamp_pyc is a private CPython helper (importlib._bootstrap_external);
    # https://stackoverflow.com/a/73454818/6245337
    pyc_data = importlib._bootstrap_external._code_to_timestamp_pyc(co)

    # Write the PYC to file
    with open('result.pyc', 'wb') as f:
        f.write(pyc_data)
  2. Decompile the PYC file. The object had been compiled with Python 3.10 and there are not many decompilers for it. After trying several tools, these two options worked (the first one worked better than the second) to decompile the PYC file:

I propose to add both unpyc37-3.10 and pycdc.exe to FLARE-VM. Even though unpyc37-3.10 seems to work better for Python 3.10, it does not support Python >3.10, which pycdc does. @mandiant/flare-vm should we add any other binary from https://github.com/extremecoders-re/decompyle-builds/releases/tag/build-16-Oct-2024-5e1c403 as well?
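An added example (not the issue author's script and not FLARE-VM code) of the workflow above, written against public API only: it builds the PEP 552 timestamp-based .pyc header itself (magic number from `importlib.util.MAGIC_NUMBER`, flags, mtime, source size) instead of calling the private `_code_to_timestamp_pyc` helper, checks the magic number before parsing a .pyc back, and goes one step beyond the comment by triaging the code object statically with `dis` (names, string constants, bytecode of every nested function) so an analyst gets something useful even when no decompiler supports the sample's Python version. `obj_bytes` is a constructed stand-in produced by marshalling a tiny snippet compiled with the running interpreter; `SAMPLE_SOURCE`, `code_object_to_pyc`, `parse_pyc_header`, `load_pyc`, `walk_code` and `triage` are names chosen here.

```python
"""Dump a marshalled Python code object to .pyc and triage it without exec().
Added example; not the issue author's code."""
import dis
import importlib.util
import io
import marshal
import struct
import types

HEADER_LEN = 16  # magic(4) + flags(4) + mtime(4) + source_size(4), CPython >= 3.7


def code_object_to_pyc(code: types.CodeType, mtime: int = 0, source_size: int = 0) -> bytes:
    """Build a PEP 552 timestamp-based .pyc image for `code` using only public API.
    flags == 0 selects timestamp validation; the magic number ties the file to the
    interpreter's minor version, which is what decompilers key on as well."""
    header = importlib.util.MAGIC_NUMBER + struct.pack(
        "<III", 0, mtime & 0xFFFFFFFF, source_size & 0xFFFFFFFF
    )
    return header + marshal.dumps(code)


def parse_pyc_header(data: bytes) -> dict:
    """Read the 16-byte header and report whether the magic matches this interpreter."""
    if len(data) < HEADER_LEN:
        raise ValueError("data too short to be a .pyc image")
    flags, mtime, source_size = struct.unpack("<III", data[4:HEADER_LEN])
    return {
        "magic_ok": data[:4] == importlib.util.MAGIC_NUMBER,
        "flags": flags,
        "mtime": mtime,
        "source_size": source_size,
    }


def load_pyc(data: bytes) -> types.CodeType:
    """Parse a .pyc image back into a code object, refusing files compiled by a
    different Python version instead of mis-parsing their marshal stream."""
    if not parse_pyc_header(data)["magic_ok"]:
        raise ValueError(
            f"magic {data[:4]!r} != this interpreter's {importlib.util.MAGIC_NUMBER!r}"
        )
    return marshal.loads(data[HEADER_LEN:])


def walk_code(code: types.CodeType):
    """Yield `code` and every nested code object (functions, lambdas, classes)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def triage(code: types.CodeType) -> dict:
    """Collect names, string constants and per-function disassembly without
    executing anything; the fallback when no decompiler fits the version."""
    names, strings, disasm = set(), set(), []
    for co in walk_code(code):
        names.update(co.co_names)
        strings.update(c for c in co.co_consts if isinstance(c, str))
        buf = io.StringIO()
        dis.disassemble(co, file=buf)  # non-recursive; walk_code handles nesting
        disasm.append(f"# {co.co_name}\n{buf.getvalue()}")
    return {"names": sorted(names), "strings": sorted(strings), "disassembly": "\n".join(disasm)}


# Constructed stand-in for the sample's `obj_bytes`: marshal a small snippet
# compiled by this interpreter (so its magic number matches).
SAMPLE_SOURCE = (
    "import base64\n"
    "def stage2():\n"
    "    payload = base64.b64decode('aGVsbG8=')\n"
    "    return payload\n"
)
obj_bytes = marshal.dumps(compile(SAMPLE_SOURCE, "<sample>", "exec"))
SAMPLE_CODE = marshal.loads(obj_bytes)   # deserialise only, no exec()
SAMPLE_PYC = code_object_to_pyc(SAMPLE_CODE)

if __name__ == "__main__":
    with open("result.pyc", "wb") as f:
        f.write(SAMPLE_PYC)
    report = triage(SAMPLE_CODE)
    print("header:", parse_pyc_header(SAMPLE_PYC))
    print("names:", report["names"])
    print("strings:", report["strings"])
    print(report["disassembly"])
```

The magic check matters in practice: a marshal stream is only guaranteed to load under the interpreter version that produced it, so when the sample's bytecode targets 3.10, run this under a 3.10 interpreter and hand `result.pyc` to a decompiler built for that version; `parse_pyc_header` on an existing .pyc tells you which version to pick.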

@Ana06 Ana06 added 🆕 package New package request/idea/PR 🌀 FLARE-VM A package or feature to be used by FLARE-VM labels Nov 29, 2024
@Ana06 Ana06 added this to the FLARE-VM 2024 Q4-P1 milestone Nov 29, 2024
@Ana06 Ana06 self-assigned this Nov 29, 2024
@Ana06
Member Author

Ana06 commented Nov 29, 2024

@mandiant/flare-vm I am using Utilities as category, but I think I would have a hard time finding it there. Ideas for a better category? What about a new Python category?

@Ana06 Ana06 changed the title URL package proposal: pycdc.vm Add Python decompiler Nov 29, 2024
@Ana06
Member Author

Ana06 commented Dec 6, 2024

I think we should be able to add pycdc.exe using automation after adding the Python category. But https://github.com/greyblue9/unpyc37-3.10 needs to be added manually.

@Ana06
Member Author

Ana06 commented Dec 9, 2024

One of my colleagues found pycdas.exe also useful for a sample where pycdc.exe failed. I think we should then install both and then the package needs to be added manually too.
