SANS ISC InfoSec Forums

Python Malware - Part 2

I would have liked to create a PEiD signature for PE files created with PyInstaller, because then I could just use my pecheck tool (it's essentially a wrapper for pefile). But testing this YARA rule I created is much easier for me than testing a PEiD rule.

So I made a few changes to pecheck so that it also supports YARA rules. And overlays.

Here I use it on a PE file created with PyInstaller (together with the YARA rule to detect such PE files).

The output tells you that the PE file has an overlay (2.4 MB in size, which is 95.15% of the PE file) and that the YARA rule to detect PE files created with PyInstaller triggered (PE_File_pyinstaller). That combination is the practical signature: the PE image itself is only the PyInstaller bootloader, and the bundled Python code and dependencies are appended as an archive after the last section, which is why the overlay accounts for almost the whole file.

Didier Stevens
SANS ISC Handler
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
IT Security consultant at Contraste Europe.

DidierStevens, ISC Handler, May 21st 2016
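The overlay measurement and the PyInstaller check described in the post, as an added example that is not part of the diary and not Didier's pecheck code. It parses only the PE headers needed to find the end of the last section, reports the overlay offset, size and percentage of the file (the same definition pecheck/pefile use, minus pefile's extra handling of the certificate table), and then looks for PyInstaller's CArchive cookie magic in the overlay. The cookie check is my own choice of marker; the strings of the post's actual YARA rule are not shown here. The sample PE is constructed in the script, not a real binary.

```python
from __future__ import annotations

import struct
import sys

# Magic of PyInstaller's CArchive cookie (from PyInstaller's archive format).
# The cookie sits at the end of the archive PyInstaller appends to its
# bootloader executable, so for a PyInstaller-built PE it lives in the overlay.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def overlay_info(data: bytes) -> tuple[int, int, float]:
    """Return (overlay_offset, overlay_size, overlay_percent) for a PE image.

    The overlay is everything after the end of the last section's raw data.
    A truncated file (sections extending past EOF) is reported as no overlay.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect_table = coff + 20 + opt_size                  # first IMAGE_SECTION_HEADER
    if sect_table + 40 * num_sections > len(data):
        raise ValueError("section table runs past end of file")

    end_of_sections = sect_table + 40 * num_sections
    for i in range(num_sections):
        hdr = sect_table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)  # SizeOfRawData, PointerToRawData
        if raw_size:
            end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    overlay_offset = min(end_of_sections, len(data))
    overlay_size = len(data) - overlay_offset
    percent = round(overlay_size * 100 / len(data), 2)
    return overlay_offset, overlay_size, percent


def is_pyinstaller(data: bytes) -> bool:
    """Flag a PE whose overlay contains the PyInstaller CArchive cookie magic."""
    offset, size, _ = overlay_info(data)
    return size > 0 and PYINSTALLER_MAGIC in data[offset:]


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed test data, not a real binary: a minimal PE with one section
    whose raw data occupies 0x80..0xA0, followed by `overlay`."""
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)    # i386, 1 section, no optional header
    section = struct.pack("<8sIIII", b".text", 0x20, 0x1000, 0x20, 0x80) + b"\0" * 16
    headers = dos_header + b"PE\0\0" + file_header + section               # exactly 0x80 bytes
    return headers + b"\x90" * 0x20 + overlay


# Constructed stand-in for an appended PyInstaller archive: filler, then a
# cookie-like tail (magic + padding) at the very end, 480 bytes in total.
SAMPLE_PYINSTALLER_OVERLAY = b"\xCC" * 392 + PYINSTALLER_MAGIC + b"\0" * 80


def report(data: bytes) -> str:
    offset, size, percent = overlay_info(data)
    verdict = "PE_File_pyinstaller" if is_pyinstaller(data) else "no PyInstaller marker"
    return f"overlay at 0x{offset:X}: {size} bytes ({percent}% of file); {verdict}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:        # analyse a PE file given on the command line
            print(report(f.read()))
    else:                                          # demo on the constructed samples
        print(report(build_sample_pe(SAMPLE_PYINSTALLER_OVERLAY)))
        print(report(build_sample_pe(b"")))
```

A large overlay on its own is not suspicious: installers, self-extractors and Authenticode-signed binaries (whose certificate table is also placed after the last section) all have one. The useful signal is the overlay together with a PyInstaller-specific marker, which is what the YARA rule adds on top of the overlay size.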
