Skip to content

Security: techlinn/WhatThePy

Security

SECURITY.md

Security Policy

Supported versions

WhatThePy targets CPython 3.10 through 3.14 on Windows. Generated artifacts are intended to run only on the same CPython minor version that built them.

Threat model

WhatThePy is a deterrence tool, not a security boundary. It is designed to:

  • reject truncated, oversized, duplicated, or tampered payloads fail-closed
  • hide literals and payload bytes behind compression, encryption, and scattering
  • detect simple pure-Python monkeypatches of core loader callables before execution
  • expose static import metadata for PyInstaller without executing those imports at startup

WhatThePy is not designed to stop:

  • a skilled reverse engineer with debugger or live process access
  • generic dynamic dumping of decrypted code objects from memory
  • native code injection, kernel hooks, or patched CPython builds
  • an attacker who controls the host before the obfuscated script starts

What the loader checks verify

Before loading a payload, generated stubs verify that:

  • marshal.loads is the built-in C implementation (with a reload fallback)
  • zlib.decompressobj is the expected built-in type
  • types.FunctionType is the expected built-in type used as the execution sink
  • hmac.compare_digest and hashlib.sha256 are the expected built-in callables

If verification fails, the loader raises RuntimeError("loader runtime modified") and exits without executing user payload code.

These checks detect common sitecustomize-style Python wrappers. They do not claim resistance to native hooks or a compromised interpreter.

Reporting a vulnerability

If you believe you found a security issue, open a private report through GitHub Security Advisories for this repository. Include:

  • affected WhatThePy version
  • CPython version and platform
  • minimal reproduction steps
  • expected vs actual behavior

Please do not open public issues for exploit details before a fix is available.

Responsible use

Do not rely on WhatThePy to protect secrets, credentials, licensing logic, or valuable intellectual property. Treat obfuscated output as harder to read, not impossible to recover.

There aren't any published security advisories