Add py2exe detection to DiE and YARA rules

Added a header comment to the Py2exe.1.sg rule file for clarity. Introduced a new YARA rule to detect py2exe-packed PE files by checking for the 'PyArg_ParseTuple' export.
2026-06-24 01:54:08 +00:00 · 2025-10-01 23:55:58 +03:00 · 2025-10-01 23:55:58 +03:00 · 9ae7963fa9
commit 9ae7963fa9
parent bd235ceaa9
2 changed files with 10 additions and 0 deletions
--- a/db/PE/Py2exe.1.sg
+++ b/db/PE/Py2exe.1.sg
@ -1,3 +1,5 @@
+// Detect It Easy: detection rule file
+
 meta("packer", "py2exe");

 function detect() {
--- a/yara_rules/DiE_InterestingThings_by_DosX.yar
+++ b/yara_rules/DiE_InterestingThings_by_DosX.yar
@ -133,6 +133,14 @@ rule Packer__SimplePack {
        )
 }

+rule Packer__py2exe {
+    condition:
+        IsPE and
+        IsNative and
+        not IsDll and
+        pe.exports("PyArg_ParseTuple")
+}
+
 rule Protection__obfus_h {
    condition:
        IsPE and