type: concept | created: 2026-05-30 | updated: 2026-05-30 | tags: obfuscation, defense-evasion, python-pyinstaller, mitre-attck

PyArmor Obfuscation

PyArmor is a commercial Python obfuscation and licensing toolkit. It compiles a script to bytecode, encrypts the resulting code objects, and decrypts them at runtime through a prebuilt C extension (the pyarmor_runtime package, shipped as pyarmor_runtime.pyd on Windows and as a .so on Linux and macOS). Because the protection can be bolted onto any script, it is commonly abused by malware authors to hide payloads distributed inside PyInstaller binaries. PyArmor itself is legitimate software: its presence is a triage signal, not proof of malicious intent.

How It Works

  1. The developer runs pyarmor gen against the Python source (pyarmor gen is the PyArmor 8+ command; older releases used pyarmor obfuscate).
  2. PyArmor replaces the script with a short bootstrap stub that imports __pyarmor__ from the runtime package and calls it with the encrypted bytecode as a bytes literal, and copies the prebuilt runtime extension (pyarmor_runtime_000000/pyarmor_runtime.pyd for trial builds; licensed builds use their own six-digit suffix) alongside it. The extension is built for one specific CPython minor version.
  3. The stub and the runtime package are bundled into the PyInstaller archive like any other module.
  4. At runtime the extension performs its checks (license key, Python version), decrypts the code objects in memory, and hands them to the CPython interpreter for execution. Plaintext bytecode is never written to disk.

Detection / Fingerprint

  • Strings: pyarmor_runtime_000000 (000000 is the trial suffix; a licensed build carries a different six-digit serial, so match on the pyarmor_runtime_ prefix), __pyarmor__, pyarmor_runtime.pyd (pyarmor_runtime.so on Linux/macOS).
  • A stub script whose entire content is from pyarmor_runtime_000000 import __pyarmor__ followed by __pyarmor__(__name__, __file__, b'...') with one large bytes literal. After PyInstaller compiles it, the result is a small .pyc whose names table still carries both identifiers, so string matching on the compiled file works.
  • The .pyd file is a compiled CPython extension module (a DLL exporting a PyInit_ entry point) that performs the decryption. It only loads under the CPython minor version it was built for, which the bundled pythonXY.dll (e.g. python313.dll) reveals; that is the version an analysis environment must use.
  • Standard Python module names (socket, urllib, etc.) may still be visible in the PyInstaller TOC because PyInstaller collects dependencies as separate modules in the PYZ archive. They tell you what the payload imports, not what it does with those imports.
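The fingerprints above, and the stub layout from the "How It Works" steps, turned into a triage script. This is an added example, not PyArmor's or pyinstxtractor's own code. It assumes the flat directory layout pyinstxtractor writes (one file per archive entry, PYZ contents under a *_extracted directory, the bundled pythonXY.dll) and builds a constructed sample tree so it runs offline: the stub is compiled to a real .pyc, while the runtime .pyd (MZ header plus export names), python313.dll and the placeholder bytes literal are stand-ins and not real PyArmor output.

```python
"""Fingerprint PyArmor artifacts in an extracted PyInstaller tree.

Added example (not PyArmor's or pyinstxtractor's code). Assumes the flat
layout pyinstxtractor writes. The sample tree is constructed for offline use.
"""
import importlib.util
import marshal
import re
import tempfile
from pathlib import Path

# Indicators from the page. The runtime package suffix is 000000 for trial
# builds and a different six-digit serial otherwise: match the prefix and
# capture the serial.
RUNTIME_PKG = re.compile(rb"pyarmor_runtime_(\d{6})")
BOOTSTRAP = re.compile(rb"__pyarmor__")
RUNTIME_EXT = re.compile(r"^pyarmor_runtime.*\.(pyd|so)$")
PYTHON_DLL = re.compile(r"^(?:lib)?python(\d)[.]?(\d+)(?:\.dll|\.so|\.dylib)")


def scan_tree(root):
    """Return {indicator: sorted relative paths}, serials and a version hint."""
    root = Path(root)
    hits = {"runtime_package": set(), "bootstrap_symbol": set(),
            "runtime_extension": set(), "serials": set(), "interpreter_hint": None}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if RUNTIME_EXT.match(path.name):
            hits["runtime_extension"].add(rel)
        m = PYTHON_DLL.match(path.name)
        if m:
            hits["interpreter_hint"] = f"{m.group(1)}.{m.group(2)}"
        data = path.read_bytes()
        # Search both the path and the bytes: a compiled stub (.pyc) keeps the
        # identifiers in its names table even though the source is gone.
        for blob in (rel.encode(), data):
            for m in RUNTIME_PKG.finditer(blob):
                hits["runtime_package"].add(rel)
                hits["serials"].add(m.group(1).decode())
        if BOOTSTRAP.search(data):
            hits["bootstrap_symbol"].add(rel)
    for key in ("runtime_package", "bootstrap_symbol", "runtime_extension", "serials"):
        hits[key] = sorted(hits[key])
    return hits


def classify(hits):
    """Collapse the indicators into a triage verdict."""
    if hits["runtime_extension"] and hits["bootstrap_symbol"]:
        return "pyarmor"
    if hits["runtime_package"] or hits["bootstrap_symbol"]:
        return "possible-pyarmor"
    return "none"


def _write_pyc(path, source):
    # Minimal .pyc: magic + 12 zero header bytes + marshalled code (3.7+ layout).
    code = compile(source, path.name, "exec")
    path.write_bytes(importlib.util.MAGIC_NUMBER + b"\0" * 12 + marshal.dumps(code))


def build_sample_tree(root=None):
    """Construct a fake extraction directory mimicking a PyArmor-protected app."""
    root = Path(root or tempfile.mkdtemp(prefix="pyarmor_demo_"))
    # Bootstrap stub in the shape PyArmor 8 writes; the bytes literal is a
    # placeholder for the encrypted code objects (constructed, not real ciphertext).
    _write_pyc(root / "main.pyc",
               "from pyarmor_runtime_000000 import __pyarmor__\n"
               "__pyarmor__(__name__, __file__, b'CONSTRUCTED-PLACEHOLDER')\n")
    pkg = root / "pyarmor_runtime_000000"
    pkg.mkdir(exist_ok=True)
    (pkg / "__init__.py").write_text("from .pyarmor_runtime import __pyarmor__\n")
    # Stand-in for the compiled extension: PE magic plus the export names.
    (pkg / "pyarmor_runtime.pyd").write_bytes(
        b"MZ" + b"\0" * 62 + b"PyInit_pyarmor_runtime\0__pyarmor__\0")
    (root / "python313.dll").write_bytes(b"MZ" + b"\0" * 62)  # stand-in interpreter DLL
    pyz = root / "PYZ-00.pyz_extracted"
    pyz.mkdir(exist_ok=True)
    _write_pyc(pyz / "socket.pyc", "import os\n")  # ordinary dependency, no indicators
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    print(classify(result), result)
```

Point scan_tree at the directory pyinstxtractor produced; the interpreter_hint value is the CPython version to install before attempting any dynamic analysis, and the serial list separates trial builds (000000) from licensed ones.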

Defensive Countermeasures

  • Extract the PyInstaller archive with pyinstxtractor, running it under the same Python minor version the binary bundles (the archive and the pythonXY.dll name reveal it), then locate the stub .pyc and the pyarmor_runtime_ package.
  • Loading the .pyd on its own yields nothing: decryption only happens when the stub calls __pyarmor__. Execute the stub in an isolated VM with the matching CPython version and hook the interpreter to capture code objects as they execute, then marshal them out for disassembly or decompilation.
  • Memory forensics: the decrypted bytecode exists in the Python interpreter's heap at runtime. Dump the whole process rather than just the interpreter DLL (python313.dll identifies the version; the code objects live in heap memory, not in the DLL image) and carve code objects from the dump. Caveat: PyArmor's wrap mode restores a function's real bytecode only while that function runs and re-protects it on return, so a snapshot taken while the payload is idle can miss code. Dump while the routine of interest is executing, or combine the dump with runtime hooking.
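The hooking approach from the second bullet, as an added example that is not PyArmor's or any unpacker's own code. Whatever unwraps the bytecode, CPython has to execute a plain code object, and a trace hook sees every frame that enters; snapshotting co_code at entry, inside the body and at exit also reveals whether the runtime is patching bytecode in place (the wrap-mode caveat above). Assumptions: it runs in a throwaway VM on the same CPython version as the bundled runtime, and the PyArmor runtime is assumed not to disable sys.settrace (if it does, fall back to a memory dump). The payload here is a constructed stand-in, not PyArmor output.

```python
"""Capture live code objects while a protected script executes.

Added example, not PyArmor's code. Assumes an isolated VM, a matching CPython
version, and that the runtime does not block sys.settrace. The payload is a
constructed stand-in for what the runtime hands the interpreter.
"""
import dis
import marshal
import sys
import types


class CodeCollector:
    """Trace hook that records code objects and snapshots their bytecode."""

    def __init__(self):
        self.codes = {}       # (filename, name, firstlineno) -> code object
        self.snapshots = {}   # same key -> {"call"|"line"|"return": co_code bytes}

    @staticmethod
    def _key(code):
        return (code.co_filename, code.co_name, code.co_firstlineno)

    def _record(self, code, event):
        key = self._key(code)
        self.codes[key] = code
        snap = self.snapshots.setdefault(key, {})
        # Keep the first 'line' snapshot (bytecode is live inside the body) and
        # the latest 'call'/'return' ones; wrap-mode protection restores the real
        # bytecode only while the function runs, so these copies can differ.
        if event == "line":
            snap.setdefault(event, bytes(code.co_code))
        else:
            snap[event] = bytes(code.co_code)

    def _global_trace(self, frame, event, arg):
        if event == "call":
            self._record(frame.f_code, "call")
            return self._local_trace
        return None

    def _local_trace(self, frame, event, arg):
        if event in ("line", "return"):
            self._record(frame.f_code, event)
        return self._local_trace

    def __enter__(self):
        sys.settrace(self._global_trace)
        return self

    def __exit__(self, *exc):
        sys.settrace(None)
        return False

    def captured_names(self, filename):
        return sorted(k[1] for k in self.codes if k[0] == filename)

    def patched_in_place(self, key):
        """True if co_code differed between entry, body and exit snapshots."""
        return len(set(self.snapshots[key].values())) > 1

    def extract(self, filename):
        """Marshal the captured code objects from one file for offline analysis."""
        return {k: marshal.dumps(c) for k, c in self.codes.items() if k[0] == filename}

    def disassemble(self, key):
        return dis.Bytecode(self.codes[key]).dis()


def reconstitute(blob):
    """Reload a marshalled code object (same CPython version) as a callable."""
    return types.FunctionType(marshal.loads(blob), {})


# Constructed stand-in for decrypted payload code; names are illustrative only.
PAYLOAD_SOURCE = """
def beacon(host, port):
    return "%s:%d" % (host, port)

def run():
    return beacon("c2.example.invalid", 4444)
"""


def run_payload():
    """Execute the stand-in payload under the collector; return (result, collector)."""
    ns = {}
    exec(compile(PAYLOAD_SOURCE, "<payload>", "exec"), ns)
    collector = CodeCollector()
    with collector:
        result = ns["run"]()
    return result, collector


if __name__ == "__main__":
    result, col = run_payload()
    print(result, col.captured_names("<payload>"))
    for key in col.extract("<payload>"):
        print(key, "patched in place:", col.patched_in_place(key))
        print(col.disassemble(key))
```

Against a real sample, wrap the stub's __pyarmor__ call in the collector instead of the constructed payload and filter extract() on the stub's filename. A key whose patched_in_place() is True tells you the 'line' snapshot is the one to keep; marshal output only loads on the same CPython version, which is another reason the analysis VM must match the bundled interpreter.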

Pages Where Observed