
Sample staging and detonation utility

Project description

sflock


Sample staging & detonation utility to be used as an unpacking engine for other analysis tools. Since version 0.3.14, sflock is compatible with Python >= 3.6.

Birds tend to move around in flocks, so the sflock utility can digest a flock of samples, but it also handles inverse flocks: sflock unpacks various archive file formats to extract the embedded samples.

Simply put, sflock provides a staging area where binary data is investigated and split into one or more files to be analyzed further by other tools. In particular, sflock focuses on integration and usage with Cuckoo Sandbox.

Installation

As is, sflock has been designed to be used to its full extent on Ubuntu/Debian-like systems. For optimal usage it is recommended to install the following packages alongside sflock. The unpackers that require native tooling support currently cannot be run on non-Linux platforms.

$ sudo apt-get install rar unace-nonfree cabextract lzip libjpeg8-dev zlib1g-dev zpaq gnupg

Installation of sflock itself may be done as follows.

$ sudo pip install -U "sflock2[linux]"

Or in a virtualenv environment.

(venv)$ pip install -U "sflock2[linux]"

Supported archives

SFlock supports a number of (semi-)archive types, sorted by extension:

  • .7z (7-Zip archive, requires native tooling)
  • .ace (ACE archive, requires native tooling)
  • .bup (McAfee quarantine files)
  • .cab (Microsoft Cabinet archive, requires native tooling)
  • .daa (PowerISO, requires included Linux native tooling)
  • .eml (MIME RFC 822 email representation)
  • .gzip (gzip compressed data, requires native tooling)
  • .iso (ISO file container, requires native tooling)
  • .lzh (LZH/LHA archive, requires native tooling)
  • .lz (Lzip compressed data, requires native tooling)
  • .msg (Outlook mail message)
  • .mso (Microsoft Office Macro reference file)
  • .pdf (Attachments embedded in PDF files)
  • .rar (RAR archive, requires native tooling)
  • .tar (Unix file archive)
  • .tar.bz2 (bzip2 compressed Unix file archive)
  • .tar.gz (gzip compressed Unix file archive)
  • .zip (ZIP archive)
  • .win (Windows imaging (WIM) image)

Security

Because sflock unpacks malicious archives and, depending on the extension, does so with native tools (.7z, .ace, .cab, .daa, .gzip, .iso, .lzh, and .rar), it is important that such operations happen securely. SFlock therefore wraps execution of the native tools in zipjail, a usermode sandbox written specifically for this purpose.
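The in-process side of the staging area described above (type detection by magic bytes rather than by the attacker-chosen filename, recursive unpacking of nested containers, and the limits a malicious archive forces an unpacking engine to enforce), as an added self-contained example. This is not sflock's own code and does not use sflock's API; it covers only the zip, tar and gzip formats that Python's standard library can open, so the native-tool formats that sflock hands to zipjail are out of scope. The nesting, per-member and total-size limits, the function names and the constructed sample archive are all assumptions made for the demonstration.

```python
import gzip
import hashlib
import io
import posixpath
import tarfile
import zipfile

MAX_DEPTH = 4                        # archive-in-archive nesting limit (assumed value)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # per-member decompressed limit (assumed value)
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # cumulative decompressed budget, a zip-bomb guard


class Budget:
    """Tracks how many decompressed bytes one staging run may still produce."""

    def __init__(self, limit):
        self.remaining = limit

    def take(self, n):
        if n > self.remaining:
            raise ValueError("decompressed size budget exceeded")
        self.remaining -= n


def safe_name(name):
    """Normalise a member name; reject absolute paths, drive letters and '..' traversal."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    parts = norm.split("/")
    if not name or norm == "." or norm.startswith("/") or parts[0] == ".." or ":" in parts[0]:
        raise ValueError(f"unsafe member name: {name!r}")
    return norm


def detect(data):
    """Classify by magic bytes; the filename inside an archive is not trusted."""
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if len(data) > 262 and data[257:262] == b"ustar":   # POSIX/GNU tar magic
        return "tar"
    return "file"


def read_limited(fh, budget):
    """Read one member, refusing anything over the per-member or total budget."""
    chunk = fh.read(MAX_MEMBER_BYTES + 1)
    if len(chunk) > MAX_MEMBER_BYTES:
        raise ValueError("member exceeds per-member size limit")
    budget.take(len(chunk))
    return chunk


def _member(raw_name, fh, budget):
    """Return (name, bytes, None) on success or (name, None, reason) when rejected."""
    try:
        return safe_name(raw_name), read_limited(fh, budget), None
    except ValueError as exc:
        return raw_name, None, str(exc)


def extract_members(data, kind, parent_name, budget):
    """Yield the regular members of an in-memory zip, tar or gzip container."""
    if kind == "gzip":   # gzip wraps a single stream; name it after the parent
        inner = parent_name[:-3] if parent_name.endswith(".gz") else parent_name + ".unpacked"
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            yield _member(inner, gz, budget)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        yield _member(info.filename, fh, budget)
    elif kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
            for member in tf.getmembers():
                if member.isfile():
                    with tf.extractfile(member) as fh:
                        yield _member(member.name, fh, budget)


def unpack(data, name, depth=0, budget=None):
    """Build a tree describing `data` and, recursively, everything it contains."""
    if budget is None:
        budget = Budget(MAX_TOTAL_BYTES)
    node = {"name": name, "kind": detect(data), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(), "children": [], "error": None}
    if node["kind"] == "file":
        return node
    if depth >= MAX_DEPTH:
        node["error"] = "max nesting depth reached"
        return node
    try:
        for child_name, child_data, problem in extract_members(data, node["kind"], name, budget):
            if problem:   # keep a record of what was refused instead of silently dropping it
                node["children"].append({"name": child_name, "kind": "rejected", "size": None,
                                         "sha256": None, "children": [], "error": problem})
            else:
                node["children"].append(unpack(child_data, child_name, depth + 1, budget))
    except (zipfile.BadZipFile, tarfile.TarError, OSError, EOFError, RuntimeError) as exc:
        node["error"] = f"{type(exc).__name__}: {exc}"   # corrupt or encrypted container
    return node


def build_sample():
    """Constructed input: a zip holding a text file, a nested tar.gz and a traversal name."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        payload = b"MZ" + b"\x00" * 62              # constructed placeholder, not a real PE
        info = tarfile.TarInfo("payload.bin")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample\n")
        zf.writestr("nested.tar.gz", gzip.compress(tar_buf.getvalue()))
        zf.writestr("../evil.txt", "traversal attempt\n")
    return zip_buf.getvalue()


def print_tree(node, indent=0):
    status = f" [{node['error']}]" if node["error"] else ""
    print("  " * indent + f"{node['name']} ({node['kind']}, {node['size']} bytes){status}")
    for child in node["children"]:
        print_tree(child, indent + 1)


if __name__ == "__main__":
    print_tree(unpack(build_sample(), "sample.zip"))
```

Run stand-alone, it prints the staging tree for the constructed zip: the text file, the tar.gz unpacked in two stages (gzip, then tar) down to payload.bin, and the traversal member listed as rejected rather than written anywhere. Every node carries a SHA256 so downstream tools can be handed the children by hash, which is the hand-off the staging area exists for.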

Download files


Source Distribution

sflock2-0.3.76.tar.gz (3.6 MB)

Built Distribution

sflock2-0.3.76-py3-none-any.whl (3.7 MB)

File details

Details for the file sflock2-0.3.76.tar.gz.

File metadata

  • Download URL: sflock2-0.3.76.tar.gz
  • Size: 3.6 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for sflock2-0.3.76.tar.gz
Algorithm Hash digest
SHA256 eed75b32adf3c82a60d9339fda63a151355f9be7639d7d583de8f43ea6604e4c
MD5 ccf03f31a7a044048a2b91077c254b1e
BLAKE2b-256 bfb091428d79c97c62aa0b2564db1e55ab5b2b4a1c12b6a2ad98163c1b6559a6

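A check worth running on the downloaded source distribution before installing it: recompute the three digests listed above and compare them with the published values. This is an added example, not part of the sflock project or of the PyPI page; the digest table is the one printed above for the tarball, the function names are assumptions, and the file to check is supplied by the caller. Note that PyPI's "BLAKE2b-256" is BLAKE2b with a 32-byte digest, not hashlib's 64-byte default.

```python
import hashlib
import hmac
import io

# Digest table for sflock2-0.3.76.tar.gz, copied from the listing above.
PUBLISHED_TARBALL_DIGESTS = """\
Algorithm Hash digest
SHA256 eed75b32adf3c82a60d9339fda63a151355f9be7639d7d583de8f43ea6604e4c
MD5 ccf03f31a7a044048a2b91077c254b1e
BLAKE2b-256 bfb091428d79c97c62aa0b2564db1e55ab5b2b4a1c12b6a2ad98163c1b6559a6
"""

# Constructors matching the table's algorithm labels.
ALGORITHMS = {
    "SHA256": lambda: hashlib.sha256(),
    "MD5": lambda: hashlib.md5(),
    "BLAKE2b-256": lambda: hashlib.blake2b(digest_size=32),   # 32-byte output, as PyPI lists it
}


def parse_digest_table(text):
    """Turn an 'Algorithm Hash digest' block into {algorithm: lowercase hex digest}."""
    digests = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in ALGORITHMS:
            digests[parts[0]] = parts[1].lower()
    return digests


def compute_digests(stream, chunk_size=1 << 20):
    """Hash a stream once, feeding every algorithm, without loading the file whole."""
    hashers = {name: new() for name, new in ALGORITHMS.items()}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    return compute_digests(io.BytesIO(data))


def verify_digests(stream, published):
    """Per-algorithm match results; the comparison is constant-time."""
    actual = compute_digests(stream)
    return {name: hmac.compare_digest(actual[name], expected)
            for name, expected in published.items() if name in actual}


def verify_bytes(data, published):
    return verify_digests(io.BytesIO(data), published)


def verify_path(path, table_text=PUBLISHED_TARBALL_DIGESTS):
    """Check a downloaded file against the published table (path supplied by the caller)."""
    with open(path, "rb") as fh:
        return verify_digests(fh, parse_digest_table(table_text))


if __name__ == "__main__":
    import sys
    for name, ok in verify_path(sys.argv[1]).items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

Treat the SHA256 result as the decision; MD5 is listed by PyPI for legacy tooling and should not be the sole basis for accepting a file. A mismatch on any algorithm means the bytes on disk are not the bytes that were published, whatever the cause.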

Provenance

The following attestation bundles were made for sflock2-0.3.76.tar.gz:

Publisher: publish.yml on CAPESandbox/sflock

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sflock2-0.3.76-py3-none-any.whl.

File metadata

  • Download URL: sflock2-0.3.76-py3-none-any.whl
  • Size: 3.7 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for sflock2-0.3.76-py3-none-any.whl
Algorithm Hash digest
SHA256 3d989d142fc49ebd049f75eb8d402451fcd20148cf27aaa20c540ac95a9c81ff
MD5 a4fc7ebc238652100c12c8d97b9868ed
BLAKE2b-256 569b9303f8268955d858f5151a38495b3f39201bb98d645c319b066f5cbdda6c


Provenance

The following attestation bundles were made for sflock2-0.3.76-py3-none-any.whl:

Publisher: publish.yml on CAPESandbox/sflock

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
