
Detect pyArmor obfuscation

Open christophetd opened this issue 9 months ago • 1 comments

e.g. https://github.com/tucommenceapousser/CVE-2023-24489-PoC/blob/34a1ef0eba9bec14067efdd255680b028d954432/CVE-2023-24489-RCE.py

Perhaps just "very long hex string" is good enough and more generic than matching on a pyarmor import?

christophetd avatar Feb 27 '25 15:02 christophetd

You can think about using this Yara rule: https://unprotect.it/detection-rule/yara_susp_obf_pyarmor/. The downside: it also matches the PyArmor package itself.

kam193 avatar Mar 08 '25 10:03 kam193
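The two approaches discussed in this thread (matching PyArmor-specific names versus flagging any very long hex or bytes literal), side by side, as an added example that is not GuardDog's code or either commenter's. The marker names (`pytransform`, `pyarmor_runtime*`, `__pyarmor__`), the 512-character threshold and the sample sources are assumptions constructed for illustration.

```python
import ast
import string

MIN_BLOB_LEN = 512  # assumed threshold, tune against a real package corpus
HEX_CHARS = set(string.hexdigits)
# Assumed marker names from PyArmor-generated bootstrap code (not from the page).
MARKER_MODULES = ("pytransform", "pyarmor_runtime")


def scan_source(source):
    """Return {'pyarmor_marker': [...], 'long_blob': [...]} as (line, detail) tuples."""
    findings = {"pyarmor_marker": [], "long_blob": []}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            # Heuristic A: import of a PyArmor runtime module.
            names = [node.module or ""] if isinstance(node, ast.ImportFrom) else [a.name for a in node.names]
            for name in names:
                if name.startswith(MARKER_MODULES):
                    findings["pyarmor_marker"].append((node.lineno, "import " + name))
        elif isinstance(node, ast.Call) and getattr(node.func, "id", "") == "__pyarmor__":
            # Heuristic A: the bootstrap call that carries the encrypted payload.
            findings["pyarmor_marker"].append((node.lineno, "__pyarmor__() call"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
            # Heuristic B: generic, tool-agnostic long opaque literal.
            value = node.value
            if len(value) < MIN_BLOB_LEN:
                continue  # short literals (e.g. a SHA-256 digest) are ignored
            if isinstance(value, bytes):
                findings["long_blob"].append((node.lineno, "bytes literal, %d bytes" % len(value)))
            elif set(value) <= HEX_CHARS:
                findings["long_blob"].append((node.lineno, "hex string, %d chars" % len(value)))
    return findings


# Constructed samples (not taken from any real package).
PYARMOR_STYLE = (
    "from pyarmor_runtime_000000 import __pyarmor__\n"
    "__pyarmor__(__name__, __file__, b'" + "\\x5a" * 600 + "')\n"
)
OTHER_PACKER = "payload = bytes.fromhex('" + "6a" * 400 + "')\n"
BENIGN = "EXPECTED_SHA256 = '" + "ab" * 32 + "'\n"

if __name__ == "__main__":
    for label, src in [("pyarmor-style", PYARMOR_STYLE), ("other packer", OTHER_PACKER), ("benign", BENIGN)]:
        print(label, scan_source(src))
```

The generic literal check fires on both obfuscated samples, while the name-based check fires only on the PyArmor-style one; like the Yara rule mentioned above, a name-based check would also need an allowlist for the PyArmor package itself.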