In many cases, analysts don't get the compiled Python modules straight away. Instead, they get a sample: a set of Python scripts that has been turned into a single executable with either py2exe or PyInstaller. So, before digging into the bytecode modules themselves, we first need to pull them out of the executable. Luckily, there are several projects that can perform this task:
- unpy2exe.py: This script can handle samples built using py2exe.
- pyinstxtractor.py: As the name suggests, this tool can be used to extract Python modules from the executables built using the PyInstaller solution.
An open source project called python-exe-unpacker combines both of these tools, so it can be run against the executable sample without first checking which of the two packers produced it.
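To make the PyInstaller half of that step concrete, here is an added example (not part of the original text, and not the code of pyinstxtractor.py, unpy2exe.py or python-exe-unpacker) that does what such an extractor does internally: it finds the CArchive cookie that PyInstaller appends to the executable, reads the table of contents and inflates individual entries. The structure layouts are the ones used by the PyInstaller bootloader; the function names, the constructed sample (a fake MZ stub with a synthetic overlay built by `build_sample_archive`) and the raw `PYTHONSCRIPT` byte search used to recognise py2exe are this example's own assumptions, the latter being a heuristic stand-in for the PE resource walk that unpy2exe performs.

```python
"""Walk a PyInstaller overlay (CArchive) the way an extractor such as
pyinstxtractor.py has to. Added illustration written from the public CArchive
layout of the PyInstaller bootloader; not code from any of the tools above."""
import struct
import zlib

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT_20 = "!8sIIii"     # PyInstaller 2.0: magic, pkg_len, toc_pos, toc_len, pyver
COOKIE_FMT_21 = "!8sIIii64s"  # PyInstaller 2.1+: same fields plus the Python DLL name
TOC_ENTRY_FMT = "!iIIIBc"     # structlen, pos, len, ulen, cflag, typcd, then the name
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)  # 18 bytes before the name
TYPE_CODES = {"b": "binary", "z": "PYZ archive", "m": "module", "M": "package",
              "s": "entry script", "x": "data", "o": "runtime option", "d": "dependency"}


def classify(data):
    """Best-effort packer guess (the check python-exe-unpacker saves you)."""
    if PYINST_MAGIC in data:
        return "pyinstaller"
    # py2exe keeps its bootstrap script in an RCDATA resource named PYTHONSCRIPT;
    # searching the raw bytes is a heuristic, unpy2exe walks the PE resource tree.
    if b"PYTHONSCRIPT" in data:
        return "py2exe"
    return "unknown"


def parse_pyinstaller(data):
    """Locate the trailing cookie, then read every table-of-contents entry."""
    cookie_pos = data.rfind(PYINST_MAGIC)
    if cookie_pos < 0:
        raise ValueError("no PyInstaller cookie in file")
    c20 = struct.calcsize(COOKIE_FMT_20)
    # 2.1+ cookies carry "pythonXY.dll" right after the 2.0 fields
    fmt = COOKIE_FMT_21 if b"python" in data[cookie_pos + c20:cookie_pos + c20 + 64].lower() \
        else COOKIE_FMT_20
    fields = struct.unpack(fmt, data[cookie_pos:cookie_pos + struct.calcsize(fmt)])
    _magic, pkg_len, toc_pos, toc_len, pyver = fields[:5]
    pylib = fields[5].rstrip(b"\0").decode() if fmt == COOKIE_FMT_21 else None
    # pkg_len covers the whole archive including the cookie, so the archive starts
    # pkg_len bytes before the cookie ends; bytes after the cookie are tail data.
    archive_start = cookie_pos + struct.calcsize(fmt) - pkg_len
    if archive_start < 0:
        raise ValueError("cookie length field larger than the file")
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    entries, off = [], archive_start + toc_pos
    end = off + toc_len
    while off + TOC_ENTRY_LEN <= end:
        structlen, pos, clen, ulen, cflag, typcd = struct.unpack(
            TOC_ENTRY_FMT, data[off:off + TOC_ENTRY_LEN])
        if structlen < TOC_ENTRY_LEN or off + structlen > end:
            raise ValueError("corrupt TOC entry at offset %d" % off)
        name = data[off + TOC_ENTRY_LEN:off + structlen].rstrip(b"\0").decode("utf-8", "replace")
        code = typcd.decode()
        entries.append({"name": name, "pos": pos, "len": clen, "ulen": ulen,
                        "compressed": bool(cflag), "type": code,
                        "kind": TYPE_CODES.get(code, "?")})
        off += structlen
    return {"python": "%d.%d" % (major, minor), "pylib": pylib,
            "archive_start": archive_start, "entries": entries}


def extract_entry(data, info, entry):
    """Return an entry's bytes, inflating it when the TOC flags it as compressed."""
    start = info["archive_start"] + entry["pos"]
    raw = data[start:start + entry["len"]]
    if entry["compressed"]:
        raw = zlib.decompress(raw)
        if len(raw) != entry["ulen"]:
            raise ValueError("size mismatch for %s" % entry["name"])
    return raw


def build_sample_archive(items, pyver=308, pylib=b"python38.dll"):
    """Constructed test input: a PyInstaller-style overlay, not a real sample."""
    body, toc = bytearray(), bytearray()
    for name, typcd, payload, compress in items:
        blob = zlib.compress(payload) if compress else payload
        pos = len(body)
        body += blob
        nm = name.encode() + b"\0"
        structlen = TOC_ENTRY_LEN + len(nm)
        pad = (-structlen) % 16  # PyInstaller pads each entry to a multiple of 16
        toc += struct.pack(TOC_ENTRY_FMT, structlen + pad, pos, len(blob),
                           len(payload), int(compress), typcd) + nm + b"\0" * pad
    total = len(body) + len(toc) + struct.calcsize(COOKIE_FMT_21)
    cookie = struct.pack(COOKIE_FMT_21, PYINST_MAGIC, total, len(body), len(toc), pyver, pylib)
    return bytes(body + toc + cookie)


# Constructed sample: a fake MZ stub followed by a synthetic overlay
SAMPLE = b"MZ" + b"\0" * 62 + b"<fake PE image>" + build_sample_archive([
    ("main", b"s", b"\xe3\x00\x00\x00<marshalled code object placeholder>", True),
    ("PYZ-00.pyz", b"z", b"PYZ\0<placeholder>", False),
    ("python38.dll", b"b", b"MZ<dll placeholder>", True),
])

if __name__ == "__main__":
    info = parse_pyinstaller(SAMPLE)
    print(classify(SAMPLE), "Python", info["python"], info["pylib"])
    for e in info["entries"]:
        print("%-14s %-14s %6d -> %6d bytes" % (e["name"], e["kind"], e["len"], e["ulen"]))
```

On a real sample, replace `SAMPLE` with the file's bytes; the entries whose type code is `s` are the entry-point scripts, which is what pyinstxtractor reports as possible entry points, while `z` entries are the PYZ archives holding the remaining compiled modules. The two `ValueError` paths matter in practice: a truncated download or a sample with a deliberately corrupted cookie will trip them rather than produce silently wrong offsets.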
After extracting the files that were packed using PyInstaller, there is one detail that can be quite frustrating for anybody who has just started analyzing compiled Python files. In particular, the main extracted module will...