Motivation

In recent years, there has been an increase in malware attacks employing Nuitka. However, there aren't many resources available online to deal with this issue. Hence, I decided to write this article to help bridge the knowledge gap and lack of tooling for Nuitka binaries.

Preamble

Before diving into Nuitka, it would be beneficial to revisit the basics of Python reversing:

Python

Introduction

• Python-to-C Compiler
  • 2 versions — Standard & Commercial
    • Commercial version obfuscates strings & data files
• Statically translates Python to C w/o adding or reducing features for maximum compatibility
  • Code objects, stack frame etc. are preserved
    • Python byte code (i.e. co_code), however, gets erased
• Uses libpython and static C files of its own to execute in the same way as CPython does
  • Binary relies on python3XX.dll as a dependency
  • Nuitka & CPython library code gets embedded into the binary
    • Problematic since it adds clutter to the decompiler output

Usage

pip install nuitka
python -m nuitka <.py> [--onefile/--standalone]

• --standalone: outputs a directory containing the executable & its dependencies
• --onefile: outputs a single binary that unpacks before executing
  • Default path is "%TEMP%/onefile_%PID%_%TIME%”

Analysis

I will be using flake.exe from Flare-On 10 to illustrate my analysis process. It is a stripped Nuitka binary that is compiled using the --onefile flag.

Identification

‣ (DIE) works well.

Get Compiler Version