A helper script for unpacking and decompiling EXEs compiled from python code.
Author: In Ming Loh ([email protected] - @tantaryu)
Company: Countercept (@countercept)
Website: https://www.countercept.com
A script that helps researchers unpack and decompile executables written in Python. Right now it only supports executables created with py2exe and PyInstaller.
This script glues together several tools available to the community; hopefully it can help people in their daily work. Several YARA rules are available to determine whether an executable is written in Python (the script also confirms whether the executable was created with py2exe or PyInstaller).
pip2 install --user -r requirements.txt
sudo pip2 install -r requirements.txt
python python_exe_unpack.py -i [malware.exe]
-rw-rw-r-- 1 testuser testuser 70K Nov 14 13:08 bz2.pyd
-rw-rw-r-- 1 testuser testuser 993K Nov 14 13:08 _hashlib.pyd
-rw-rw-r-- 1 testuser testuser 111 Nov 14 13:08 hello
-rw-rw-r-- 1 testuser testuser 1009 Nov 14 13:08 hello.exe.manifest
-rw-rw-r-- 1 testuser testuser 1.1K Nov 14 13:08 Microsoft.VC90.CRT.manifest
-rw-rw-r-- 1 testuser testuser 220K Nov 14 13:08 msvcm90.dll
-rw-rw-r-- 1 testuser testuser 557K Nov 14 13:08 msvcp90.dll
-rw-rw-r-- 1 testuser testuser 638K Nov 14 13:08 msvcr90.dll
-rw-rw-r-- 1 testuser testuser 628K Nov 14 13:08 out00-PYZ.pyz
drwxrwxr-x 2 testuser testuser 12K Nov 14 13:08 out00-PYZ.pyz_extracted
-rw-rw-r-- 1 testuser testuser 5.2K Nov 14 13:08 pyiboot01_bootstrap
-rw-rw-r-- 1 testuser testuser 2.5K Nov 14 13:08 pyimod01_os_path
-rw-rw-r-- 1 testuser testuser 12K Nov 14 13:08 pyimod02_archive
-rw-rw-r-- 1 testuser testuser 22K Nov 14 13:08 pyimod03_importers
-rw-rw-r-- 1 testuser testuser 0 Nov 14 13:08 pyi-windows-manifest-filename hello.exe.manifest
-rw-rw-r-- 1 testuser testuser 2.6M Nov 14 13:08 python27.dll
-rw-rw-r-- 1 testuser testuser 10K Nov 14 13:08 select.pyd
-rw-rw-r-- 1 testuser testuser 234 Nov 14 13:08 struct
-rw-rw-r-- 1 testuser testuser 671K Nov 14 13:08 unicodedata.pyd
python python_exe_unpack.py -p [pyc file]
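The identification step described above (deciding whether a sample is a py2exe or PyInstaller build before unpacking it) can be done on the raw file bytes without running the sample. The following is an added, stand-alone example and is not code from python_exe_unpack or Countercept; it assumes the public PyInstaller CArchive cookie layout (magic, package length, TOC offset, TOC length, Python version, and on newer builds a 64-byte Python DLL name) and treats the UTF-16LE resource name PYTHONSCRIPT as a py2exe heuristic. The sample cookie it builds is constructed for the demonstration.

```python
import struct

# PyInstaller's CArchive cookie magic (PyInstaller >= 2.0). The cookie sits in
# the overlay appended to the PE, so scanning the raw file bytes is enough.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# py2exe keeps the frozen script in an RCDATA resource named PYTHONSCRIPT;
# PE resource names are UTF-16LE, so that is the byte pattern to look for (heuristic).
PY2EXE_MARKER = "PYTHONSCRIPT".encode("utf-16-le")

COOKIE_FMT = "!8siiii"   # magic, package length, TOC offset, TOC length, python version
COOKIE_LEN = struct.calcsize(COOKIE_FMT)
PYLIB_LEN = 64           # newer cookies append the Python DLL name, NUL-padded to 64 bytes

def decode_pyver(pyver):
    """The cookie stores e.g. 27 for Python 2.7 and 310 for 3.10 (three digits on newer builds)."""
    if pyver >= 100:
        return pyver // 100, pyver % 100
    return pyver // 10, pyver % 10

def parse_pyinstaller_cookie(data):
    """Return the cookie fields as a dict, or None if no PyInstaller cookie is present."""
    pos = data.rfind(PYINSTALLER_MAGIC)  # the last cookie in the file is the one that counts
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    info = {"package_length": pkg_len, "toc_offset": toc_off, "toc_length": toc_len,
            "python_version": decode_pyver(pyver), "pylib": None}
    tail = data[pos + COOKIE_LEN:pos + COOKIE_LEN + PYLIB_LEN]
    if len(tail) == PYLIB_LEN:  # 88-byte cookie variant carries the DLL name
        info["pylib"] = tail.rstrip(b"\0").decode("ascii", "replace")
    return info

def identify_packer(data):
    """Classify raw executable bytes as 'pyinstaller', 'py2exe' or None (unknown)."""
    if parse_pyinstaller_cookie(data) is not None:
        return "pyinstaller"
    if PY2EXE_MARKER in data:
        return "py2exe"
    return None

def build_sample_pyinstaller_tail(pyver=27, pylib=b"python27.dll"):
    """Constructed sample resembling the end of a PyInstaller overlay; not a real binary."""
    return (b"\x00" * 16 + PYINSTALLER_MAGIC + struct.pack("!iiii", 4096, 512, 96, pyver)
            + pylib.ljust(PYLIB_LEN, b"\0"))
```

To triage a file on disk, pass its contents to identify_packer (for example, open(path, "rb").read()) and, for a PyInstaller hit, parse_pyinstaller_cookie reports the Python version you will need for decompiling the extracted .pyc files.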