Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lz py installer detection #1198

Merged
merged 2 commits into from
Apr 23, 2024
Merged

Lz py installer detection #1198

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a172760
Improved detection of newer PyInstallers
Apr 17, 2024
92e2b8d
Improved detections, added empty and corrupt
Apr 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 49 additions & 21 deletions support/yara_patterns/tools/pe/x86/installers.yara
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -443,40 +443,68 @@ rule pyinstaller_27
all of them
}

rule pyinstaller_30_38
private rule pyinstaller_3x_strings
{
strings:
$s00 = "Error loading Python DLL '%s'."
$s01 = "Cannot open self %s or archive %s"
$s02 = "Cannot open PyInstaller archive from executable (%s) or external archive (%s)"
$s10 = /PyInstalle(m|r): FormatMessageW failed\./
$s11 = /PyInstalle(m|r): pyi_win32_utils_to_utf8 failed\./
condition:
pe.number_of_sections > 0 and
any of ($s0*) and
all of ($s1*)
}

private rule pyinstaller_3x_overlay
{
strings:
$s01 = { 4D 45 49 0C 0B 0A 0B 0E } // PyInstaller magic number
$s02 = /PYZ\-\d\d\.pyz/
$s03 = /python3\d{1,2}\.dll/
condition:
pe.overlay.offset > 0 and
@s02 > pe.overlay.offset and
@s03 > pe.overlay.offset and
all of them
}

rule pyinstaller_3x
{
meta:
tool = "I"
name = "PyInstaller"
version = "3.0-3.8"
version = "3.x"
strength = "high"
strings:
$s00 = "Failed to get address for PySys_SetObject"
$s01 = "Error copying %s"
$s02 = "Error loading Python DLL '%s'"
$s03 = "pyi-windows-manifest-filename"
condition:
pe.number_of_resources > 0 and
@s00 < pe.sections[2].raw_data_offset and
all of them
pyinstaller_3x_overlay and
pyinstaller_3x_strings
}

rule pyinstaller_39_plus
rule pyinstaller_3x_empty
{
meta:
tool = "I"
name = "PyInstaller"
version = "3.9+"
name = "PyInstaller (no data)"
version = "3.x"
strength = "high"
strings:
$s00 = "Failed to get address for PySys_SetObject"
$s01 = "Failed to copy %s"
$s02 = "Error loading Python DLL '%s'"
$s03 = "_PYI_ONEDIR_MODE"
condition:
pe.number_of_resources > 0 and
@s00 < pe.sections[2].raw_data_offset and
all of them
pe.overlay.size == 0 and
pyinstaller_3x_strings
}

rule pyinstaller_3x_corrupt
{
meta:
tool = "I"
name = "PyInstaller (corrupt)"
version = "3.x"
strength = "high"
condition:
pe.overlay.size > 0 and
pyinstaller_3x_strings and
not pyinstaller_3x_overlay
}

rule installanywhere_61 {
Expand Down
Loading