PyInstaller with built in Cythonize option and _MEIxxxx on Memory #7584
Comments
There was a tentative and low-priority plan, but based on #6999 (comment) and subsequent comments, it seems rather unlikely now.
Why bother? The format of executable-embedded archive is not exactly a secret and can be read using the PyInstaller-provided I get that you're trying to push for a code obfuscation/protection solution, but PyInstaller is not a code obfuscation and protection tool, and does not intend to become one. If you need a solution for that, you're in the wrong place. |
Even if Cython was incorporated into PyInstaller, it still wouldn't be much easier. It's compiled code so to make it ABI compatible with more than just newer versions of your own OS, you'd need to get gcc, python, your project, your dependencies and umpteen -devel packages, all in a docker container and build in there. I'd be reluctant even to document this into an example because the bottom line would be, if you're not already comfortable with Cython and with distributing compiled code across distributions (i.e. you don't need an example from us) then you shouldn't be attempting it. |
Thanks to everyone! Why I needed PyInstaller? Millions of thanks to the PyInstaller team! But again I say I am not an expert like you guys. And please don't think security is not important to protect the source code/credentials/APIKeys etc. Thanks again! |
Maybe yes! A few communities may not bother to secure their source code, but most of the others do. I agree adding security to PyInstaller may not be your interest. We will wait for the "CyInstaller" to come soon! |
Just to clarify - if there's anything we can do to make it easier to bundle Cython-compiled modules into PyInstaller or similar tools I'd be happy to look at it. There's plenty of good reasons people might want to do that. (I don't personally know how well it works right now). The main thing we're not really interested in is being an obfuscation tool, so feature requests purely around that are likely to be rejected. |
Which already I made in 3 days time called "CyInstaller"
My work is still going on to hide the string information from cythonized *.so files. NOTE: |
One must know why securing source code is highly important nowadays. |
And in 30 seconds and two lines of code I can run:

```python
import OriginalMain
print(OriginalMain.API_KEY)
```

Just avoiding writing strings in plain text isn't going to stop anyone armed with more than just a hexdump. Your attackers are going to be able to load your libraries, run your code with a debugger or tracer attached and scrape all its variables and |
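A build-time check for the point made in the comment above, as an added example that is not part of the thread or of PyInstaller: it pulls printable strings out of compiled artifacts the way `strings(1)` does and flags secret-looking values before a release ships. The patterns, function names and sample bytes are constructed for illustration.

```python
import re
from pathlib import Path

# Runs of 6+ printable ASCII bytes, the same idea as strings(1).
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Hypothetical patterns for this example; tune them to the credential formats you use.
SECRET_PATTERNS = {
    "long opaque token": re.compile(r"\b[A-Za-z0-9_-]{32,}\b"),
    "URL with embedded credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@"),
}

# File types that end up inside a frozen application (the thread names .pyc and .so).
ARTIFACT_SUFFIXES = {".so", ".pyd", ".pyc"}


def audit_blob(name, blob):
    """Return (file, pattern label, string) for every secret-looking string in blob."""
    findings = []
    for match in PRINTABLE_RUN.finditer(blob):
        text = match.group().decode("ascii")
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((name, label, text))
    return findings


def audit_tree(root):
    """Audit every compiled artifact under root (e.g. the build output directory)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in ARTIFACT_SUFFIXES:
            findings.extend(audit_blob(str(path), path.read_bytes()))
    return findings


# Constructed bytes standing in for a compiled extension module; not a real file.
SAMPLE_SO = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"__pyx_n_s_API_KEY\x00"
    + b"sk_test_CONSTRUCTED_0123456789abcdefXYZ\x00\x01\x02\x03"
    + b"postgres://app:CONSTRUCTED_pw@db.example.invalid/prod\x00"
    + b"\xff\xfe__pyx_pymod_exec_OriginalMain\x00"
)

if __name__ == "__main__":
    for finding in audit_blob("OriginalMain.so", SAMPLE_SO):
        print(finding)
```

Any finding means the value should move out of the shipped code (for example to a server-side service or per-device provisioning), since compiling the module does not remove it from the file.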
Boss! You are always great! I never challenge real crackers, I first bother about student level attackers. Right now for PyInstaller binaries no need for that students too. There are several layers of security.
This is how our security level is there by the experts who develop compilers. Usually patching is easy with JE/JNE/JMP, but if you keep 20 hotspots, then more delay. That's why I get upset with all our compilers exposing these strings to the world. I learnt cracking 20 years back and that's why I am surviving to safe my products. Please let me know if you come across some tips on the topics. |
My point is locking the street gate, tying an alsatian, locking front gate, locking the main gate, But still I expect a good lock for my street gate first. |
Thank you so much to open my eyes. By the way, can I understand executables are safer than the libraries? Please give me some tips on this security. |
After all discussion, are you still somehow hoping for an answer that is not a "no"? :) Assuming I know your executable is made with PyInstaller, I can use PyInstaller's And if you use the built-in bytecode encryption (the |
@rokm
I am sorry I didn't explain this before. So I need to produce my executable and libraries as a native binary, which can't be reversed to original human readable source code. Maybe using Cython.
Thanks again! |
Well, you're in a wrong place then. PyInstaller is not a code obfuscation and protection tool, and it does not intend to become one. And we are not in obfuscation/protection business, so we cannot do much more than tell you that PyInstaller is not the tool to address your concerns.
Yes, we do require an entry-point script (that can be minimal load-and-run some obfuscated module or compiled extension program). But that makes no difference in the grand scheme of things. Your byte-compiled entry-point script, byte-compiled pure-python modules (.pyc), and binary extension modules (.so; either cythonized modules or original binary extensions) are all collected in the frozen application and can be extracted one way or another (either from PKG archive or PYZ archive). So it makes no difference if you need
There's no Cython involved in PyInstaller. We use pre-built bootloader executable (that's written in C), to which we append the archive containing data, binaries, etc. When you run the assembled executable, it scans itself for the embedded-archive, extracts its contents (if onefile), sets up embedded python interpreter, and runs your entry-point script.
PYZ contains byte-compiled pure-python modules. So those are, at least in theory, cross-platform. But yes, if you cythonized everything, there would be no .pyc modules in the PYZ. But the cythonized .so files could still be extracted (from the parent PKG archive) and loaded under the same python version on Raspberry Pi. Either for analysis or re-use in counterfeit application.
I don't know, you'll have to look around yourself. Or, in all likelihood, you'll have to make your own.
Is Themida really applicable here? From what I remember, you can protect blocks of C++ code using special macros and whatever magic it does then presumably gets applied during program compilation. And even if you can post-process whole executable in some other protection mode, this will likely corrupt PyInstaller's embedded archive detection (unless it also unpacks the original executable and runs it). You might want to check out |
@rokm |
Is there any plan to incorporate built in Cython conversion on PyInstaller?
I am trying some readymade samples which throw lot of errors and no success.
I am not an expert on Linux and Python to fix those errors.
You are the best team to add this feature, Cythonizing most of the files on PyInstaller itself.
And bundling as a single exe.
That would be faster and secured.
Is there any way to extract _MEIxxxx temp folder on Memory (ramdisk)?
That too hidden to the normal eyes?
`--runtime-tmpdir /mnt/.pyinst`
A dot prefix can not be so clear idea to hide. Any better idea in linux?
Note:
Meanwhile, please suggest any simple tutorial to bundle the python/flask project with
Cython and PyInstaller
Thanks in advance!
System:
PyInstaller 5.10.1
Raspberry Pi 4
Linux Buster 32bit