Add Python decompiler

[Ana06]

I have had a hard time today analysing a malware sample that loads a byte-like Python code object (with marshal.loads(obj_bytes)) and executes it (with exec()). After testing several options, I found a way that worked:

1. Save byte-like Python code object as PYC file:

   co = marshal.loads(obj_bytes)
   
   # Convert Marshall code object `co` to PYC
   # https://stackoverflow.com/a/73454818/6245337
   import importlib, sys
   pyc_data = importlib._bootstrap_external._code_to_timestamp_pyc(co)
   
   # Write PYC to file
   with open('result.pyc', 'wb') as f:
       f.write(pyc_data)

2. Decompile the PYC file. The object had been compiled with Python 3.10 and there are not many decompilers for it. After trying several tools, these two options worked (the first one worked better than the second) to decompile the PYC file:

   • https://github.com/greyblue9/unpyc37-3.10
   • The compiled pycdc.exe from https://github.com/extremecoders-re/decompyle-builds/releases/tag/build-16-Oct-2024-5e1c403

I propose to add both unpyc37-3.10 and pycdc.exe to FLARE-VM. Even if unpyc37-3.10 seems to work better for Python 3.10, it does not support Python >3.10 which pycdc. does. @mandiant/flare-vm should we add any other binary from https://github.com/extremecoders-re/decompyle-builds/releases/tag/build-16-Oct-2024-5e1c403 as well?

[Ana06]

@mandiant/flare-vm I am using Utilities as category, but I think I would have a hard time finding it there. Ideas for a better category? what about a new Python category?

[Ana06]

I think we should be able to add pycdc.exe using automation after adding the Python category. But https://github.com/greyblue9/unpyc37-3.10 needs to be added manually.

[Ana06]

One of my colleagues found pycdas.exe also useful for a sample where pycdc.exe failed. I think we should then install both and then the package needs to be added manually too.