Description
slides
whitepaper
online service
pylingual.io
blackhat.com/us-24/briefings/schedule/#pylingual-a-python-decompilation-framework-for-evolving-python-versions-40529
Python has become a popular choice for creating malware due to its ease of development, wide user base, pre-built modules, and multi-platform compatibility. Python's popularity has induced demand for Python decompilers, but community efforts to maintain automatic Python decompilation tools have been hindered by Python's unstable bytecode specification. Every year, language features are added, code generation undergoes significant changes, and opcodes are added, deleted, and modified.
Our research aims to integrate Natural Language Processing (NLP) techniques with classical Programming Language (PL) theory to create a Python decompiler that adapts to new language features and changes to the bytecode specification with minimal human maintenance effort. PyLingual uses data-driven NLP components to automatically absorb superficial bytecode and compiler changes, while leveraging engineered programmatic components for abstract control flow reconstruction.
We demonstrate the efficacy of our approach with extensive real-world datasets of benign and malicious Python sources and their corresponding compiled PYC binaries. Our research makes three major contributions: (1) we present PyLingual, a scalable, data-driven decompilation framework with state-of-the-art support for Python versions 3.6 — 3.12; (2) we provide a Python decompiler evaluation framework that verifies decompilation results with "perfect decompilation"; and (3) we launch PyLingual as a free online service at pylingual.io, which has helped reverse engineer over 5,000 PYC binaries over the past three months.
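An added illustration of the verification idea in contribution (2), not PyLingual's own code: it assumes "perfect decompilation" means the recovered source recompiles to bytecode equivalent to the original, and `fingerprint` and `is_perfect` are hypothetical names. Because bytecode changes between releases, the check has to run under the same Python version that produced the PYC.

```python
import types

def _norm_const(c):
    """Type-aware view of a constant: 1, 1.0 and True compare equal in Python
    but are different constants inside a code object."""
    if isinstance(c, types.CodeType):
        return ("code", fingerprint(c))           # nested function or class body
    if isinstance(c, tuple):
        return ("tuple", tuple(_norm_const(x) for x in c))
    if isinstance(c, frozenset):
        return ("frozenset", tuple(sorted(_norm_const(x) for x in c)))
    return (type(c).__name__, repr(c))

def fingerprint(code):
    """Everything that decides behaviour, minus file name and line numbers."""
    return (
        code.co_name, code.co_argcount, code.co_kwonlyargcount, code.co_flags,
        code.co_names, code.co_varnames, code.co_freevars, code.co_cellvars,
        code.co_code,
        tuple(_norm_const(c) for c in code.co_consts),
    )

def is_perfect(original_code, candidate_source):
    """True if the candidate recompiles to bytecode equivalent to the original."""
    try:
        candidate = compile(candidate_source, "<candidate>", "exec")
    except SyntaxError:
        return False                              # decompiler emitted invalid source
    return fingerprint(original_code) == fingerprint(candidate)

# Constructed sample: stands in for the code object unmarshalled from a PYC.
ORIGINAL = compile(
    "def check(token, secret):\n"
    "    if token == secret:\n"
    "        return 'ok'\n"
    "    return 'denied'\n"
    "limit = 1\n", "<original>", "exec")

if __name__ == "__main__":
    # Constructed decompiler outputs: one faithful, one with a flipped comparison.
    faithful = ("# recovered\ndef check(token, secret):\n    if token == secret:\n"
                "        return \"ok\"\n    return \"denied\"\nlimit = 1\n")
    print("faithful:", is_perfect(ORIGINAL, faithful))
    print("flipped :", is_perfect(ORIGINAL, faithful.replace("==", "!=")))
```

A plain `==` on constant tuples would accept `limit = True` in place of `limit = 1`, which is why the constants are compared together with their types.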