GitHub: trym-s/pyinstaller-YARA
# PyInstaller Bootloader False-Positive Reduction
This repository documents an experiment around reducing false-positive
detections in legitimate Windows executables produced with PyInstaller.
The work focuses on rebuilding and modifying the PyInstaller bootloader C sources,
understanding which static strings and packaging artifacts can trigger
YARA-style rules, and documenting a reproducible build flow for internal tools
that were incorrectly flagged by multi-engine scanning services such as VirusTotal.
## Security Context
This project is not intended for malware evasion or bypassing security
controls. It focuses on false-positive reduction for legitimate internal
applications packaged with PyInstaller, where generic PyInstaller signatures
can create noisy detections even when the application itself is benign.
## What Was Changed
- Rebuilt the PyInstaller bootloader from source instead of relying only on the
prebuilt bootloader binaries.
- Modified bootloader-level C source artifacts that contributed to generic
PyInstaller/YARA detections.
- Documented a repeatable build process for producing application executables
from the rebuilt bootloader.
- Captured packaging constraints around ``_internal`` runtime files and DLL
placement for Windows distribution.
## Rebuild the Bootloader
Navigate to the PyInstaller bootloader directory:
.. code-block:: bash

   cd path/to/pyinstaller/bootloader

Clean, configure, and rebuild the bootloader:
.. code-block:: bash

   python waf distclean
   python waf configure
   python waf all

## Build an Executable
After the bootloader is rebuilt, return to the PyInstaller root directory:
.. code-block:: bash

   cd path/to/pyinstaller

Build the target application from its spec file:
.. code-block:: bash

   python -m PyInstaller path/to/your/app.spec

The generated executable will be written under ``dist/``.
## Runtime DLL Layout
If the executable fails at runtime because DLL files are missing, copy the
runtime files from the generated ``_internal`` directory into the main
application directory next to the executable.
This keeps the packaged application layout compatible with the way the modified
bootloader resolves runtime dependencies.
## Notes
This repository is primarily a packaging and binary-build experiment. It is
useful for understanding PyInstaller internals, Windows executable packaging,
bootloader compilation, and the difference between real malicious behavior and
generic static signatures that can cause false positives.
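When a packaged executable is flagged, the first triage step is to confirm that it is a standard PyInstaller onefile archive and to record its packaging metadata for the false-positive report. The helper below is an added example (not part of this repository) that locates the PyInstaller CArchive cookie, the trailer written at build time and read by the bootloader, and decodes its fields; the sample input is a constructed stand-in, not a real build, and the trailing-padding handling is an assumption about signed or padded binaries.

```python
"""Triage helper: locate and decode the PyInstaller CArchive cookie."""
import struct
from typing import Optional

# Trailer magic defined in the bootloader sources (pyi_archive.h: MAGIC).
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout for PyInstaller >= 2.1: magic, package length, TOC offset,
# TOC length, Python version, Python shared-library name (64 bytes).
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def parse_pyinstaller_cookie(data: bytes) -> Optional[dict]:
    """Return the cookie fields if *data* carries a PyInstaller archive.

    The cookie normally ends the file, but signed or padded binaries may
    carry trailing bytes, so the magic is searched backwards from EOF
    rather than assumed to sit exactly at the end.
    """
    pos = data.rfind(PYI_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # Current PyInstaller writes major*100+minor (311 -> 3.11); older
    # bootloaders wrote two digits (37 -> 3.7).
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample() -> bytes:
    """Constructed stand-in for a onefile build: prefix + archive + cookie."""
    stub = b"MZ" + b"\x00" * 126       # not a real PE, just a 128-byte prefix
    payload = b"A" * 1000              # stands in for the TOC and entries
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, len(payload) + COOKIE_SIZE,
                         800, 200, 311, b"python311.dll")
    return stub + payload + cookie + b"\x00" * 16   # trailing padding


if __name__ == "__main__":
    print(parse_pyinstaller_cookie(build_sample()))
```

Pointing the parser at a real ``dist/`` output tells an analyst whether a generic "PyInstaller package" signature is the only thing a scanner saw, which is the distinction the notes above draw between packaging artifacts and malicious behavior.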