A library for extracting malware configurations across multiple frameworks

Project description

ConfigExtractor

Maintainer: @cccs-rs

Python library for performing configuration extraction across multiple extraction frameworks (e.g. Maco, MWCP, etc.). This tool is actively used in the Assemblyline project as a service.

The code found in this repository contains a command line interface that acts as a wrapper for popular malware configuration data decoders from:

Installation Guide

Setup YARA on Host

sudo apt-get update && sudo apt-get install -y git libssl-dev libmagic-dev automake libtool make gcc wget libjansson-dev pkg-config
export YARA_VERSION=4.1.3
wget -O /tmp/yara.tar.gz https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz
tar -zxf /tmp/yara.tar.gz -C /tmp
cd /tmp/yara-${YARA_VERSION}
./bootstrap.sh
./configure --enable-magic --enable-dotnet --with-crypto --prefix /tmp/yara_install
make
make install
pip install --global-option="build" --global-option="--enable-dotnet" --global-option="--enable-magic" yara-python==$YARA_VERSION

Running in a Container

docker container run \
  -v /path/to/parsers:/mnt/parsers \
  -v /path/to/samples:/mnt/samples \
  cccs/assemblyline-service-configextractor \
  "cx -p /mnt/parsers -s /mnt/samples"

Usage

Command-line

You can use configextractor or cx to make use of the CLI:

Usage: cx [OPTIONS] PARSERS_PATH SAMPLE_PATH

Options:
  --block_list TEXT  Comma-delimited list of parsers to ignore
  --help             Show this message and exit.

Python

from configextractor.main import ConfigExtractor
import logging

# Create a logger so the extractor's progress can be followed
logger = logging.getLogger()
logger.handlers = [logging.StreamHandler()]
logger.setLevel('DEBUG')

# Instantiate the class with the path(s) to the extractors
# Attaching a logger gives some insight into what is going on if parser detection is the issue
cx = ConfigExtractor(["/path/to/extractors/"], logger=logger)

# List all parsers actively detected and loaded into instance
# cx.parsers.keys() lists all the relative module paths to the parsers
# The value of each key is an Extractor object containing details for running the extractor (ie. venv location, YARA rule, etc.)
print([cx.get_details(p)['name'] for p in cx.parsers.values()])

# Run all loaded parsers against sample
results = cx.run_parsers('/path/to/sample')

# Output raw results to stdout, each should be organized by the parsers that generated an output
print(results)

Adding a new Parser Framework

  1. Inherit from the base Framework class and implement the subclass accordingly
  2. Add the new framework to the ConfigExtractor class's FRAMEWORK_LIBRARY_MAPPING

Download files

Download the file for your platform.

Source Distribution: configextractor_py-1.1.8.tar.gz (18.3 kB)

Built Distribution: configextractor_py-1.1.8-py3-none-any.whl (14.3 kB, Python 3)

File details

Details for the file configextractor_py-1.1.8.tar.gz.

File metadata

  • Download URL: configextractor_py-1.1.8.tar.gz
  • Upload date:
  • Size: 18.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/5.1.1 CPython/3.9.20

File hashes

Hashes for configextractor_py-1.1.8.tar.gz

Algorithm    Hash digest
SHA256       90d0e9d4d14c3fc1ef9c54cb131305b7b3089940976bb2b969e079c25e3d885d
MD5          fd79033e97c362452aae1bcb34e5df1c
BLAKE2b-256  e8b78b15d5bb37c2fd10afbbf8f4e5aa8e6762ed9653e17dc8398d520d8b8d91

File details

Details for the file configextractor_py-1.1.8-py3-none-any.whl.

File metadata

File hashes

Hashes for configextractor_py-1.1.8-py3-none-any.whl

Algorithm    Hash digest
SHA256       30cab5839cab7fc8a2fe529d0bd6cb9fe2b6b7fae015414d9ee4af516a9f1ff5
MD5          1d0f99aa3f411bdc8941c6463ec627b5
BLAKE2b-256  235704bf62e5d980a5b8ebe711ad520442603c73b5bbfe63a2c83c05e26e63bc

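The SHA256 digests listed for the sdist and the wheel above are what lets a consumer pin the install and check a downloaded archive before unpacking it. The following is an added example, not code from the configextractor-py project; it assumes the PyPI project name is configextractor-py (inferred from the file names) and that pip's hash-checking mode is used for the install.

```python
"""Added example, not part of configextractor-py: consume the digests PyPI
publishes for a release. Pins the install with pip's hash-checking mode and
verifies a downloaded archive before it is unpacked or installed."""
import hashlib
import hmac
from pathlib import Path

# SHA256 digests as listed on the project page for version 1.1.8.
PUBLISHED_SHA256 = {
    "configextractor_py-1.1.8.tar.gz":
        "90d0e9d4d14c3fc1ef9c54cb131305b7b3089940976bb2b969e079c25e3d885d",
    "configextractor_py-1.1.8-py3-none-any.whl":
        "30cab5839cab7fc8a2fe529d0bd6cb9fe2b6b7fae015414d9ee4af516a9f1ff5",
}


def requirement_line(project: str, version: str, sha256s: dict) -> str:
    """Requirements line for `pip install --require-hashes -r requirements.txt`.
    Both artifacts get a --hash so pip may pick either the sdist or the wheel;
    in hash-checking mode every transitive dependency must be pinned too."""
    hashes = " ".join(f"--hash=sha256:{h}" for h in sorted(sha256s.values()))
    return f"{project}=={version} {hashes}"


def sha256_of_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file so a large archive is never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: Path, published: dict = PUBLISHED_SHA256) -> bool:
    """True only when the file name is a known artifact and its digest matches.
    A name that is not in the published set fails closed instead of skipping."""
    expected = published.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected)


if __name__ == "__main__":
    # Project name is assumed from the artifact file names on the page.
    print(requirement_line("configextractor-py", "1.1.8", PUBLISHED_SHA256))
```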
