Closed jindaxia closed 2 months ago
Hello! The PyInstaller (.exe) detection is already in the database. Do you have samples that are not detected?
I will add a version for Linux in the near future. Thank you!
YES, try to detect this one https://cowtransfer.com/s/8eb623f5459b41
I think the Linux version has some text like "MEIPASS"
Heuristic analysis of Detect It Easy indicates that the file is packed with modified UPX. Unfortunately, this makes it impossible for static analysis to determine PyInstaller. You can try to unpack the file yourself and scan the dump.
PyInstaller detection for Linux added. Please update the database 👌
UPD: I analyzed the Yara algorithm that you showed as an example. There, detection is based on the icon. Yes, this can be done. And I'll do it. Thank you!
If PyInstaller has a specific signature (not a ZIP archive) for data in the overlay/resources/elsewhere, then we can create a detect based on this data, regardless of what the executable file is packed with. But it seems to me that it is a ZIP archive there.
I only have a sample size of one, but perhaps it could detect PYZ-00.pyz near the end of the file.
https://pyinstaller.org/en/v4.8/usage.html#using-upx
PyInstaller looks for UPX on the execution path or the path specified with the --upx-dir option. If UPX exists, PyInstaller applies it to the final executable, unless the --noupx option was given. UPX has been used with PyInstaller output often, usually with no problems.
I think my example is packed by PyInstaller with UPX compression.
I think this magic number helps: MAGIC = b"MEI\014\013\012\013\016" # Magic number which identifies pyinstaller
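As an added example (not Detect It Easy code and not from this issue's contributors), the script below scans a file's raw bytes for the two indicators proposed in this thread, the CArchive cookie magic and the "PYZ-00.pyz" member name, and also checks for the "UPX!" marker so that a packed file is reported as "unpack first" instead of "not PyInstaller". The magic is searched from the end of the file because PyInstaller appends its archive after the bootloader. The "UPX!" marker is an assumption about stock UPX output; a modified UPX may alter or remove it, which is exactly the case described above where static detection fails.

```python
"""Scan bytes for the PyInstaller indicators discussed in this thread.

Added example, not Detect It Easy's signature code. Assumptions: the cookie
magic quoted above, the "PYZ-00.pyz" member name, and the "UPX!" marker that
stock UPX writes into packed files (a modified UPX may change or strip it).
"""
from pathlib import Path

# CArchive cookie magic quoted in the thread (octal escapes \014 \013 \012 \013 \016).
PYI_MAGIC = b"MEI\014\013\012\013\016"
# Name of the PYZ archive member suggested above as a secondary indicator.
PYZ_NAME = b"PYZ-00.pyz"
# Marker stock UPX leaves in packed files (assumption; modified builds may drop it).
UPX_MARK = b"UPX!"


def scan_bytes(data: bytes) -> dict:
    """Return the offset of each indicator, or -1 when it is absent.

    The cookie is searched from the end (rfind) because PyInstaller appends
    its archive to the bootloader, so the cookie sits near the file's tail.
    """
    return {
        "pyinstaller_magic": data.rfind(PYI_MAGIC),
        "pyz_member_name": data.rfind(PYZ_NAME),
        "upx_marker": data.find(UPX_MARK),
    }


def classify(data: bytes) -> str:
    """Map the indicators to the verdict a DIE-style signature would report."""
    hits = scan_bytes(data)
    if hits["pyinstaller_magic"] >= 0:
        return "PyInstaller"
    if hits["pyz_member_name"] >= 0:
        return "PyInstaller (PYZ name only; weaker evidence)"
    if hits["upx_marker"] >= 0:
        # Packed: the PyInstaller strings live inside the compressed section,
        # so a static scan cannot see them. Unpack, then rescan the dump.
        return "UPX-packed (unpack, then rescan)"
    return "unknown"


def classify_file(path: str) -> str:
    """Convenience wrapper for scanning a file on disk."""
    return classify(Path(path).read_bytes())


# Constructed sample inputs (not real binaries): an ELF-like blob with the
# PyInstaller indicators appended, a PE-like blob with only the UPX marker,
# and a blob with neither.
SAMPLE_PYI = b"\x7fELF" + b"\x00" * 64 + PYZ_NAME + b"\x00" * 32 + PYI_MAGIC + b"\x00" * 16
SAMPLE_UPX = b"MZ" + b"\x00" * 40 + UPX_MARK + b"\x00" * 64
SAMPLE_PLAIN = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    for name, blob in (("pyi", SAMPLE_PYI), ("upx", SAMPLE_UPX), ("plain", SAMPLE_PLAIN)):
        print(name, classify(blob), scan_bytes(blob))
```

Run it directly to see the three constructed verdicts, or call classify_file() on a real sample. The "UPX-packed" verdict is the useful one operationally: it tells the analyst the negative result is not evidence of absence.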
I updated the detection code, please review; just tested on both the exe and elf files.
Feature request: Add support to detect PyInstaller-packed executable files like EXEs and ELFs
I think this yara rule will help:
https://github.com/bartblaze/Yara-rules/blob/5f4961049d0d510b11250d5628383398889fc881/rules/generic/PyInstaller.yar