PyInstaller Bootloader
A small executable written in C that ships precompiled with PyInstaller (a Win32 PE in the Windows builds covered here); PyInstaller --onefile appends the packaged application to it as a CArchive. At runtime it:
- Locates the CArchive appended past the PE sections (the "overlay") by scanning backwards from the end of the file for the archive cookie, a trailer (88 bytes in PyInstaller 2.1 and later) whose magic is MEI\014\013\012\013\016 and which records the archive length, the TOC offset and length, the Python version and the name of the bundled Python DLL.
- Walks the TOC and extracts binaries and data files to a temporary directory, typically %TEMP%\_MEI followed by a run of digits, inflating with zlib the members whose compression flag is set.
- Loads the embedded Python DLL (pythonXY.dll) from that directory with LoadLibrary.
- Resolves the CPython C API functions it needs via GetProcAddress and boots the interpreter.
- Unmarshals and executes the bundled scripts in TOC order: PyInstaller's own bootstrap script and run-time hooks first, then the entry script. Each is a type 's' member holding a marshalled code object, not a .py source file.
From a defender's perspective, the outer binary is benign infrastructure: its import table is the bootloader's own (KERNEL32 and a few shell/user APIs), while the Python DLL is loaded dynamically from the _MEI directory and so never appears as a static import. Threat activity is entirely inside the extracted Python payload, so static triage of the stub should go straight to the overlay: find the cookie, list the TOC, and pull the 's' script members and the PYZ. Dynamically, one-file mode runs as two processes of the same image: the first extracts the archive, then spawns itself as a child that runs the interpreter (the child receives the extraction path in the _MEIPASS2 environment variable), waits for it, and removes the temporary directory on exit.
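The archive-location, TOC and extraction steps above, as an added worked example rather than PyInstaller's own code or that of any extraction tool: a Python parser that finds the cookie by backward scan, reads the TOC, inflates members and lists the 's' scripts the bootloader will execute. It runs offline against a constructed sample (a stub image, a three-member archive and a few trailing bytes, written in the same layout); the member names, the stub bytes and the Python version 311 are assumptions chosen for the sample, not values taken from any real binary.

```python
import marshal
import struct
import zlib
from dataclasses import dataclass

# Layouts of a PyInstaller 2.1+ CArchive; every field is big-endian.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"         # cookie magic, MEI\014\013\012\013\016 in octal
COOKIE_FMT = "!8sIIII64s"   # magic, package length, TOC offset, TOC length, pyver, python DLL name
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes, at the very end of the archive
TOC_HDR_FMT = "!IIIIBc"     # entry length, data offset, compressed len, uncompressed len, zlib flag, type
TOC_HDR_SIZE = struct.calcsize(TOC_HDR_FMT)  # 18 bytes, followed by the NUL-terminated name

@dataclass
class TocEntry:
    name: str
    typecode: str          # 's' script, 'm'/'M' module, 'z' PYZ, 'b' binary, 'x' data, 'o' option
    offset: int            # absolute file offset of the member's data
    compressed_len: int
    uncompressed_len: int
    compressed: bool

def find_cookie(data: bytes) -> int:
    """Offset of the cookie: like the bootloader, scan backwards from the end of the file."""
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        raise ValueError("no PyInstaller cookie found")
    return pos

def parse_archive(data: bytes):
    """Return (archive info dict, list of TocEntry) for the CArchive appended to `data`."""
    cookie_pos = find_cookie(data)
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, cookie_pos)
    # pkg_len counts the whole archive, cookie included; everything before `start` is the
    # bootloader image itself (plus any UPX layer), everything from `start` on is the overlay.
    start = cookie_pos + COOKIE_SIZE - pkg_len
    toc_pos, toc_end = start + toc_off, start + toc_off + toc_len
    if start < 0 or toc_pos < start or toc_end > cookie_pos:
        raise ValueError("cookie describes an archive that does not fit the file")
    info = {"archive_start": start, "python_version": pyver,
            "python_dll": pylib.rstrip(b"\0").decode()}
    entries, p = [], toc_pos
    while p < toc_end:
        entry_len, off, clen, ulen, flag, tc = struct.unpack_from(TOC_HDR_FMT, data, p)
        if entry_len < TOC_HDR_SIZE or p + entry_len > toc_end:
            raise ValueError("corrupt TOC entry")
        name = data[p + TOC_HDR_SIZE:p + entry_len].rstrip(b"\0").decode("utf-8", "replace")
        entries.append(TocEntry(name, tc.decode(), start + off, clen, ulen, flag == 1))
        p += entry_len
    return info, entries

def extract_entry(data: bytes, entry: TocEntry) -> bytes:
    """Recover one member as the bootloader does: raw copy, or zlib inflate when flagged."""
    if entry.offset + entry.compressed_len > len(data):
        raise ValueError(f"{entry.name}: data runs past end of file")
    raw = data[entry.offset:entry.offset + entry.compressed_len]
    out = zlib.decompress(raw) if entry.compressed else raw
    if len(out) != entry.uncompressed_len:
        raise ValueError(f"{entry.name}: size mismatch")
    return out

def script_entries(entries) -> list:
    """Type 's' members: the marshalled scripts the bootloader runs, in TOC order."""
    return [e.name for e in entries if e.typecode == "s"]

# --- Constructed sample (assumed names and contents, not a real binary) -------------------
SAMPLE_MAIN = marshal.dumps(compile("print('hello from the packed payload')", "main", "exec"))
SAMPLE_BOOT = marshal.dumps(compile("import sys", "pyiboot01_bootstrap", "exec"))
SAMPLE_DLL = b"MZ" + b"\0" * 30             # stand-in bytes for python311.dll

def build_archive(members, pyver=311, pylib=b"python311.dll") -> bytes:
    """Write (name, typecode, payload, compress) members in CArchive layout."""
    body, toc = bytearray(), bytearray()
    for name, tc, payload, compress in members:
        blob = zlib.compress(payload) if compress else payload
        name_b = name.encode() + b"\0"
        entry_len = TOC_HDR_SIZE + len(name_b)
        entry_len += (16 - entry_len % 16) % 16   # PyInstaller aligns TOC entries to 16 bytes
        toc += struct.pack(TOC_HDR_FMT, entry_len, len(body), len(blob), len(payload),
                           1 if compress else 0, tc.encode())
        toc += name_b.ljust(entry_len - TOC_HDR_SIZE, b"\0")
        body += blob
    total = len(body) + len(toc) + COOKIE_SIZE
    return bytes(body + toc + struct.pack(COOKIE_FMT, MAGIC, total, len(body), len(toc), pyver, pylib))

def sample_executable() -> bytes:
    """A 64-byte stand-in for the PE image, the overlay, then 8 trailing bytes (as a signature adds)."""
    archive = build_archive([("pyiboot01_bootstrap", "s", SAMPLE_BOOT, True),
                             ("main", "s", SAMPLE_MAIN, True),
                             ("python311.dll", "b", SAMPLE_DLL, False)])
    return b"MZ" + b"\0" * 62 + archive + b"\0" * 8

if __name__ == "__main__":
    exe = sample_executable()
    info, toc = parse_archive(exe)
    print(info)
    for e in toc:
        print(f"{e.typecode} {e.name:22} {e.uncompressed_len:6d} bytes  zlib={e.compressed}")
    print("scripts the bootloader will run:", script_entries(toc))
```

Pointing parse_archive at the bytes of a real one-file sample gives the same listing; the trailing bytes in the sample show why the cookie is located by backward scan rather than by assuming it occupies the last 88 bytes of the file. The 's' members come out as bare marshalled code objects, so to disassemble one with the standard tools it must be loaded with marshal under the same Python version the cookie reports.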
Variants
- One-file mode: single PE with the CArchive appended as an overlay and extraction to _MEI at run time (this analysis).
- One-directory mode: a folder containing the bootloader beside the already-laid-out Python DLL, extension modules and data files; nothing is unpacked to %TEMP% at run time.
- Packed with UPX: some actors UPX the PyInstaller binary after build, adding another layer. UPX compresses the PE sections but by default carries the overlay across unchanged, so the archive cookie is still found by the backward scan and the TOC can be listed without unpacking first. PyInstaller can also apply UPX to the bundled DLLs at build time (--upx-dir), which is a build option rather than an actor's post-processing step.
Cross-references
- python-packed-payload — the threat logic that lives inside the overlay
- coinminer — family that commonly uses this distribution method