horsicq / Detect-It-Easy

Program for determining types of files for Windows, Linux and MacOS.
http://ntinfo.biz
MIT License

Support pyinstaller packer exe with builtin upx compressed #196

Closed jindaxia closed 2 months ago

jindaxia commented 2 months ago

Feature request: Add support to detect PyInstaller packed executable files like Exes and Elfs

I think this yara rule will help:

https://github.com/bartblaze/Yara-rules/blob/5f4961049d0d510b11250d5628383398889fc881/rules/generic/PyInstaller.yar

DosX-dev commented 2 months ago

Hello! The PyInstaller (.exe) detection is already in the database. Do you have samples that are not detected?

I will add a version for Linux in the near future. Thank you!

jindaxia commented 2 months ago

YES, try to detect this one https://cowtransfer.com/s/8eb623f5459b41

jindaxia commented 2 months ago

> Hello! The PyInstaller (.exe) detection is already in the database. Do you have samples that are not detected?
>
> I will add a version for Linux in the near future. Thank you!

I think the Linux version has some texts like "MEIPASS"

DosX-dev commented 2 months ago

> YES, try to detect this one

Heuristic analysis of Detect It Easy indicates that the file is packed with modified UPX. Unfortunately, this makes it impossible for static analysis to determine PyInstaller. You can try to unpack the file yourself and scan the dump.

> like Exes and Elfs

PyInstaller detection for Linux added. Please update the database 👌

UPD: I analyzed the Yara algorithm that you showed as an example. There, detection is based on the icon. Yes, this can be done. And I'll do it. Thank you!

hypn0chka commented 2 months ago

If the PyInstaller has a specific signature (not ZIP-archive) for data in the overlay/resources/elsewhere, then we can create a detect based on this data, regardless of what the executable file is packed with. But it seems to me that there is a ZIP-archive there.

adoxa commented 2 months ago

I only have a sample size of one, but perhaps it could detect PYZ-00.pyz near the end of the file.

jindaxia commented 2 months ago

https://pyinstaller.org/en/v4.8/usage.html#using-upx

PyInstaller looks for UPX on the execution path or the path specified with the --upx-dir option. If UPX exists, PyInstaller applies it to the final executable, unless the --noupx option was given. UPX has been used with PyInstaller output often, usually with no problems.

I think my example is packed by PyInstaller with UPX compression.

jindaxia commented 2 months ago

https://github.com/pyinstxtractor/pyinstxtractor-ng/blob/09eb74bcbb3f443401babbaf94629714b58c543e/pyinstxtractor-ng.py#L52

I think this magic number helps: `MAGIC = b"MEI\014\013\012\013\016" # Magic number which identifies pyinstaller`
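A small scanner for the cookie-based check this comment points at, added here as an example (it is not code from this thread, from the DiE database, or from pyinstxtractor). It looks for the magic quoted above and the "PYZ-00.pyz" string adoxa mentioned; the cookie field layout after the magic is assumed from how pyinstxtractor-ng parses it, and the sample file image is constructed, not a real binary.

```python
import struct
from typing import Optional

# Values quoted in this thread: the CArchive cookie magic from pyinstxtractor-ng
# and the "PYZ-00.pyz" string adoxa suggested looking for near the end of the file.
MAGIC = b"MEI\014\013\012\013\016"
PYZ_MARKER = b"PYZ-00.pyz"
# Cookie layout for PyInstaller >= 2.1 as pyinstxtractor-ng parses it (assumption):
# magic[8], pkg_len u32, toc_off u32, toc_len i32, pyvers i32, pylib_name[64], big-endian.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")  # common UPX stub / section-name strings


def find_cookie(data: bytes) -> Optional[dict]:
    """Locate the last PyInstaller cookie in data and parse it; None if absent or implausible."""
    off = data.rfind(MAGIC)
    if off < 0 or off + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, off)
    # Plausibility checks so a stray copy of the magic string does not count as a hit.
    if pkg_len > len(data) or toc_off + toc_len > pkg_len:
        return None
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "cookie_offset": off,
        "package_length": pkg_len,
        "python": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
    }


def scan(data: bytes) -> dict:
    """Summarise PyInstaller / UPX indicators for one file image."""
    cookie = find_cookie(data)
    return {
        "pyinstaller": cookie is not None,
        "python": cookie["python"] if cookie else None,
        "pyz_marker": PYZ_MARKER in data,
        # If the whole file is UPX-packed the cookie may not be visible; unpack first, then rescan.
        "upx_markers": any(m in data for m in UPX_MARKERS),
    }


def make_sample() -> bytes:
    """Constructed stand-in for a PyInstaller one-file layout (not a real binary)."""
    stub = b"MZ" + b"\0" * 62                        # fake bootloader header
    body = PYZ_MARKER + b"\0" * 40                    # fake archive contents
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + COOKIE_SIZE,
                         len(body) - 16, 16, 311, b"python311.dll".ljust(64, b"\0"))
    return stub + body + cookie
```

Run `scan(open(path, "rb").read())` on a real file; a hit with `upx_markers` set is the case DosX-dev describes, where the dump after unpacking is the thing to scan.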

DosX-dev commented 2 months ago

> PyInstaller packed executable files

Done. (click)

jindaxia commented 2 months ago

I updated the detection code, please review; I just tested it on both the exe and elf files.