On 27.12.2013 18:44, Lance Johnson wrote:
> I'm doing malware analysis on a file which uses pyinstaller.  I've
> extracted the PYZ file and am trying to pull out the .py file.  When I
> run archive_viewer on the PYZ, the only names that are listed are
> either default python libraries, or freely available scripts (i.e. I
> can google and find them).  I know by observing the behavior that the
> file does bad stuff, but I don't see any files in the PYZ which appear
> to be responsible for this behavior.  I know it is possible that they
> are using a name of a common library to hide the "bad stuff", but
> based on the lack of sophistication, I highly doubt it. 

The PYZ only contains the imported modules. In your case, these seem not to
be important. The "main script" is not part of the PYZ, but on the
"top level":


$ utils/archive_viewer.py test/libraries/dist/test_python_makefile/test_python_makefile
 pos, length, uncompressed, iscompressed, type, name
[(0, 1050978, 1050978, 0, 'z', 'out00-PYZ.pyz'),
 (1050978, 174, 239, 1, 'm', 'struct'),
 (1051152, 1131, 2543, 1, 'm', 'pyi_os_path'),
 (1052283, 4468, 11840, 1, 'm', 'pyi_archive'),
 (1056751, 4031, 13360, 1, 'm', 'pyi_importers'),
 (1060782, 1800, 4228, 1, 's', '_pyi_bootstrap'),
 (1062582, 4336, 13676, 1, 's', 'pyi_carchive'),
 (1066918, 460, 975, 1, 's', 'test_python_makefile')]
?

In this case, "test_python_makefile" is the main script.

-- 
Kind regards
Hartmut Goebel
Dipl.-Informatiker (univ), CISSP, CSSLP
Information Security Management, Security Governance, Secure Software
Development

Goebel Consult, Landshut
http://www.goebel-consult.de

Monthly column:
http://www.cissp-gefluester.de/2011-08-horrorszenario-bring-your-own-device
Blog:
http://www.goebel-consult.de/blog/trustcenter.de-nimmt-es-mit-der-sicherheit-nicht-mehr-so-genau


Goebel Consult is a member of http://www.7-it.de/

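A small triage script, added to this thread as an example (it is not Hartmut's code and not part of PyInstaller), that applies the point made above: parse the TOC listing that archive_viewer prints, separate PyInstaller's own bootstrap 's' entries from the packaged program's script, and check that the TOC accounts for every byte between entries. The listing from the mail is embedded as constructed test data; the pyi_/_pyi_ prefix rule for bootstrap scripts is an assumption (a heuristic drawn from the names in the listing), not a documented PyInstaller property.

```python
"""Triage the table of contents (TOC) of a PyInstaller CArchive as printed by
archive_viewer.  Added example for this thread; it is not PyInstaller code.

The listing below is the one from the mail, embedded here as constructed test
data so the script runs offline.  Type codes follow the listing itself:
'z' = embedded PYZ (imported modules), 'm' = module, 's' = top-level script.
"""
import ast

SAMPLE_LISTING = """\
[(0, 1050978, 1050978, 0, 'z', 'out00-PYZ.pyz'),
 (1050978, 174, 239, 1, 'm', 'struct'),
 (1051152, 1131, 2543, 1, 'm', 'pyi_os_path'),
 (1052283, 4468, 11840, 1, 'm', 'pyi_archive'),
 (1056751, 4031, 13360, 1, 'm', 'pyi_importers'),
 (1060782, 1800, 4228, 1, 's', '_pyi_bootstrap'),
 (1062582, 4336, 13676, 1, 's', 'pyi_carchive'),
 (1066918, 460, 975, 1, 's', 'test_python_makefile')]
"""

# Assumption (heuristic, not a PyInstaller guarantee): the bootstrap scripts
# PyInstaller itself injects carry a pyi_ or _pyi_ prefix, as in the listing.
BOOTSTRAP_PREFIXES = ("pyi_", "_pyi_")

TYPE_LABELS = {"z": "PYZ archive", "m": "module", "s": "script"}


def parse_listing(text):
    """Turn the repr list archive_viewer prints into a list of
    (pos, length, uncompressed, iscompressed, type, name) tuples.

    ast.literal_eval only evaluates literals, so pasting output taken from an
    untrusted sample cannot execute code the way eval() would."""
    toc = ast.literal_eval(text)
    for entry in toc:
        if len(entry) != 6:
            raise ValueError("unexpected TOC entry shape: %r" % (entry,))
    return [tuple(entry) for entry in toc]


def by_type(toc):
    """Group entry names by their one-letter type code."""
    groups = {}
    for _pos, _length, _ulen, _iscomp, typ, name in toc:
        groups.setdefault(typ, []).append(name)
    return groups


def candidate_main_scripts(toc):
    """Top-level 's' entries that are not PyInstaller's own bootstrap scripts.
    These, not the PYZ contents, are where the frozen program's own code lives."""
    return [name for _p, _l, _u, _c, typ, name in toc
            if typ == "s" and not name.startswith(BOOTSTRAP_PREFIXES)]


def find_gaps(toc):
    """Byte ranges between TOC entries that no entry accounts for.
    A non-empty result means the archive body carries data the TOC does not
    describe, which is worth a closer look during analysis."""
    gaps = []
    expected = 0
    for pos, length, *_rest in sorted(toc, key=lambda e: e[0]):
        if pos > expected:
            gaps.append((expected, pos))
        expected = max(expected, pos + length)
    return gaps


def report(text):
    """Human-readable summary of one listing; returns the lines it prints."""
    toc = parse_listing(text)
    lines = []
    for typ, names in sorted(by_type(toc).items()):
        lines.append("%-12s %d: %s" % (TYPE_LABELS.get(typ, typ),
                                        len(names), ", ".join(names)))
    lines.append("candidate main script(s): %s"
                 % ", ".join(candidate_main_scripts(toc)))
    gaps = find_gaps(toc)
    lines.append("unaccounted byte ranges: %s" % (gaps if gaps else "none"))
    for line in lines:
        print(line)
    return lines


if __name__ == "__main__":
    report(SAMPLE_LISTING)
```

On the listing from the mail the script names test_python_makefile as the only non-bootstrap top-level script and reports no unaccounted byte ranges, since each entry starts exactly where the previous one ends.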