Detecting py2exe Executables: YARA Rule

Following the release of the tool to decompile EXE files generated with py2exe, we release a YARA rule to detect such EXE files.

Imagine you receive an executable for analysis. If you go for static analysis, it is useful to know how the executable was produced. For example, if it was "converted" from Python to an EXE, running it through a native-code decompiler such as Hex-Rays will not help you. Python converters like PyInstaller and py2exe do not actually translate the Python code to machine instructions; they generate an executable that carries the compiled Python bytecode together with a Python runtime (interpreter DLL and libraries) that executes this bytecode at run time. The machine code you would decompile is just the generic launcher. To know what the executable does, you need to extract the bytecode and decompile that instead.

How do you know the executable was produced with py2exe? A good indicator is the presence of a resource named PYTHONSCRIPT: the py2exe launcher loads the embedded script from that resource, so it has to be there. With YARA it is possible to automate this detection, and for this purpose we created a YARA rule named py2exe.


The idea is that you build a set of YARA rules to classify executables (another good rule to include in this set is one that detects PyInstaller-generated executables). You then run these rules against the sample, and whichever rules trigger tell you what type of executable you are dealing with and which analysis tooling to reach for.
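The check this classification performs, as an added Python example (this is my code, not the YARA rule from the post, whose text is not reproduced here): it parses the PE headers, locates the resource directory and walks the resource tree looking for a resource type named PYTHONSCRIPT, then wires that check into a small rule set of the kind described above. Everything is standard library. Assumptions of mine: the PyInstaller entry in `RULES` is a simplified check on the PyInstaller archive magic, not the author's PyInstaller rule, and `build_sample_pe` constructs a synthetic PE32 with a single resource purely as test input; it is not a real py2exe binary.

```python
"""Added example (not the author's rule): detect py2exe output by walking the PE
resource tree for the PYTHONSCRIPT resource its launcher loads. Stdlib only."""
import struct

PY2EXE_RESOURCE = "PYTHONSCRIPT"  # resource type that py2exe's run.exe opens (id 1)
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"  # simplified check, my assumption: archive magic


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def resource_names(data):
    """Set of string names anywhere in the resource tree; empty if not a PE with resources."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return set()
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return set()
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+); the resource directory is entry 2.
    rsrc_rva, _ = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112) + 16)
    if rsrc_rva == 0:
        return set()
    sections = []
    for i in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    base = _rva_to_offset(rsrc_rva, sections)
    names = set()

    def walk(dir_off, depth):
        if depth > 3:  # type -> name -> language; also stops self-referencing corrupt trees
            return
        n_named, n_id = struct.unpack_from("<HH", data, base + dir_off + 12)
        for i in range(n_named + n_id):
            name, child = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
            if name & 0x80000000:  # high bit: offset to IMAGE_RESOURCE_DIR_STRING_U (len, UTF-16LE)
                s = base + (name & 0x7FFFFFFF)
                (length,) = struct.unpack_from("<H", data, s)
                names.add(data[s + 2:s + 2 + 2 * length].decode("utf-16-le"))
            if child & 0x80000000:  # high bit: offset to a subdirectory
                walk(child & 0x7FFFFFFF, depth + 1)

    walk(0, 0)
    return names


def is_py2exe(data):
    return PY2EXE_RESOURCE in resource_names(data)


# The rule-set idea from the post: every rule that fires names a packager.
RULES = {"py2exe": is_py2exe, "pyinstaller": lambda d: PYINSTALLER_MAGIC in d}


def classify(data):
    return sorted(name for name, rule in RULES.items() if rule(data))


def build_sample_pe(type_name):
    """Constructed test input: minimal PE32 with one .rsrc section holding a single
    resource of type `type_name`, id 1, language 0. Not a real py2exe binary."""
    name_u16 = type_name.encode("utf-16-le")
    str_off = 24                       # type directory = 16-byte header + one 8-byte entry
    d1 = str_off + 2 + len(name_u16)   # id directory follows the name string, 4-byte aligned
    d1 += -d1 % 4
    d2, dent = d1 + 24, d1 + 48        # language directory, then IMAGE_RESOURCE_DATA_ENTRY
    payload, rsrc_va = b"marshalled bytecode would live here", 0x1000
    rsrc = bytearray(dent + 16 + len(payload))

    def directory(off, named, ident, entry_name, entry_ptr):
        struct.pack_into("<IIHHHH", rsrc, off, 0, 0, 0, 0, named, ident)
        struct.pack_into("<II", rsrc, off + 16, entry_name, entry_ptr)

    directory(0, 1, 0, 0x80000000 | str_off, 0x80000000 | d1)
    struct.pack_into("<H", rsrc, str_off, len(type_name))
    rsrc[str_off + 2:str_off + 2 + len(name_u16)] = name_u16
    directory(d1, 0, 1, 1, 0x80000000 | d2)
    directory(d2, 0, 1, 0, dent)  # no high bit: leaf pointing at the data entry
    struct.pack_into("<IIII", rsrc, dent, rsrc_va + dent + 16, len(payload), 0, 0)
    rsrc[dent + 16:] = payload

    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", hdr, 0x58 + 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x58 + 96 + 16, rsrc_va, len(rsrc))         # resource data directory
    hdr[0x138:0x140] = b".rsrc\0\0\0"                                        # section header at 0x58 + 0xE0
    struct.pack_into("<IIII", hdr, 0x138 + 8, len(rsrc), rsrc_va, len(rsrc), 0x200)
    return bytes(hdr) + bytes(rsrc)
```

Running `classify(build_sample_pe("PYTHONSCRIPT"))` returns `['py2exe']`, while a sample with a different resource type or a non-PE file returns nothing. A YARA rule typically approximates the same test with a `wide` (UTF-16LE) string for PYTHONSCRIPT combined with a check on the MZ header; walking the resource tree, or using YARA's pe module, is stricter because the string has to appear as an actual resource name rather than anywhere in the file.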

This rule is not an indicator of malware; it only identifies that the executable was generated with py2exe. Plenty of legitimate software is packaged this way, so a match tells you how to proceed with analysis, not whether the sample is malicious.
