A library for extracting malware configurations across multiple frameworks
Project description
ConfigExtractor
Maintainer: @cccs-rs
Python library for performing configuration extraction across multiple extraction frameworks (i.e. Maco, MWCP, etc.). This tool is actively used in the Assemblyline project as a service.
The code found in this repository contains a command line interface that acts as a wrapper for popular malware configuration data decoders from:
- Maco [MIT license]
- MWCP [MIT license]
- CAPE Sandbox via Maco wrappers [GPL license]
  - many thanks to @kevoreilly for releasing so many open source parsers.
- MWCFG: https://github.com/c3rb3ru5d3d53c/mwcfg [BSD 3-Clause License]
Installation Guide
Setup YARA on Host
sudo apt-get update && sudo apt-get install -y git libssl-dev libmagic-dev automake libtool make gcc wget libjansson-dev pkg-config
export YARA_VERSION=4.1.3
wget -O /tmp/yara.tar.gz https://github.com/VirusTotal/yara/archive/v${YARA_VERSION}.tar.gz
tar -zxf /tmp/yara.tar.gz -C /tmp
cd /tmp/yara-${YARA_VERSION}
./bootstrap.sh
./configure --enable-magic --enable-dotnet --with-crypto --prefix /tmp/yara_install
make
make install
pip install --global-option="build" --global-option="--enable-dotnet" --global-option="--enable-magic" yara-python==$YARA_VERSION
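After the build above it is worth confirming that the yara-python that ends up on the import path is the one compiled from the pinned source with the dotnet and magic modules enabled, rather than a prebuilt wheel pip resolved instead. The check below is an added example and is not part of configextractor-py or yara-python; it uses only yara-python's public yara.compile and yara.YARA_VERSION, and the module names it probes (pe as a control, plus dotnet and magic from the configure flags above) are the author's choice for this illustration.

```python
"""Sanity-check a yara-python build (added example, not project code)."""
from typing import Dict, Tuple


def check_yara_build(expected_version: str = "4.1.3",
                     modules: Tuple[str, ...] = ("pe", "dotnet", "magic")) -> Dict[str, object]:
    """Report whether yara-python imports, matches the pinned libyara version,
    and whether each named module compiles. Returns a plain dict so it can be
    logged or asserted on in a deployment check."""
    try:
        import yara
    except ImportError:
        # yara-python is not importable at all: nothing else can be checked.
        return {"installed": False}

    report: Dict[str, object] = {
        "installed": True,
        "version": yara.YARA_VERSION,
        "version_ok": yara.YARA_VERSION == expected_version,
        "modules": {},
    }
    for mod in modules:
        # A rule that imports the module but never uses it: it compiles only if
        # libyara was built with that module, which is exactly what we want to know.
        source = f'import "{mod}" rule probe {{ condition: true }}'
        try:
            yara.compile(source=source)
            report["modules"][mod] = True  # type: ignore[index]
        except yara.Error:
            report["modules"][mod] = False  # type: ignore[index]
    return report


def missing_modules(report: Dict[str, object]) -> list:
    """Names of requested modules that failed to compile (empty when all present)."""
    modules = report.get("modules", {})
    return sorted(name for name, ok in modules.items() if not ok)  # type: ignore[union-attr]


if __name__ == "__main__":
    result = check_yara_build()
    print(result)
    if not result["installed"]:
        raise SystemExit("yara-python is not installed")
    if not result["version_ok"] or missing_modules(result):
        raise SystemExit(f"yara build mismatch: missing={missing_modules(result)}")
```

If dotnet or magic shows up in missing_modules, pip most likely installed a prebuilt wheel instead of building against the libyara compiled above; rerun the pip step with --no-binary yara-python.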
Running in a Container
docker container run \
-v /path/to/parsers:/mnt/parsers \
-v /path/to/samples:/mnt/samples \
cccs/assemblyline-service-configextractor \
"cx -p /mnt/parsers -s /mnt/samples"
Usage
Command-line
You can use configextractor or cx to make use of the CLI:
Usage: cx [OPTIONS] PARSERS_PATH SAMPLE_PATH
Options:
--block_list TEXT Comma-delimited list of parsers to ignore
--help Show this message and exit.
Python
from configextractor.main import ConfigExtractor
import logging
# Create a logger to track what the extractor is doing
logger = logging.getLogger()
logger.handlers = [logging.StreamHandler()]
logger.setLevel('DEBUG')
# Instantiate instance of class with path(s) to extractors
# Attaching a logger will allow some insight into what's going on if parser detection is the issue
cx = ConfigExtractor(["/path/to/extractors/"], logger=logger)
# List all parsers actively detected and loaded into instance
# cx.parsers.keys() lists all the relative module paths to the parsers
# The value of each key is an Extractor object containing details for running the extractor (i.e. venv location, YARA rule, etc.)
print([cx.get_details(p)['name'] for p in cx.parsers.values()])
# Run all loaded parsers against sample
results = cx.run_parsers('/path/to/sample')
# Output raw results to stdout, each should be organized by the parsers that generated an output
print(results)
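The snippet above stops at printing the raw results. In practice the next step is to pull network indicators out of whatever each parser returned so they can be pivoted on or pushed to a blocklist. The helper below is an added example and not part of configextractor-py: the page only says the results are organized by the parser that produced them, so the code makes no assumption about the per-parser schema and instead walks any JSON-like nesting for string leaves; the SAMPLE_RESULTS dict and its keys are constructed for this illustration, and the hypothetical parser names in it do not exist in the project.

```python
"""Pull URLs and IPv4 indicators out of run_parsers() output (added example)."""
import ipaddress
import re
from typing import Any, Dict, Iterator, Set

# Constructed sample in the shape "parser -> whatever that parser returned".
# The nested keys are an assumption for this example, not the library's schema.
SAMPLE_RESULTS: Dict[str, Any] = {
    "parsers.example_rat": {
        "family": "ExampleRAT",
        "c2": ["http://203.0.113.10:8080/gate.php", "example-c2.test:4444"],
        "other": {"mutex": "Global\\ExampleMutex", "note": "beacons to 198.51.100.7"},
    },
    "parsers.other_stealer": {"urls": ["https://198.51.100.7/upload"], "key": "AAAA"},
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _strings(node: Any) -> Iterator[str]:
    """Depth-first walk over any JSON-like structure, yielding every string leaf."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, (list, tuple, set)):
        for value in node:
            yield from _strings(value)


def _iocs_in(node: Any) -> Dict[str, Set[str]]:
    """URLs and syntactically valid IPv4 addresses found anywhere under node."""
    urls: Set[str] = set()
    ips: Set[str] = set()
    for text in _strings(node):
        urls.update(URL_RE.findall(text))
        for candidate in IPV4_RE.findall(text):
            try:
                ipaddress.IPv4Address(candidate)  # rejects octets > 255, e.g. most version strings
            except ValueError:
                continue
            ips.add(candidate)
    return {"urls": urls, "ips": ips}


def extract_iocs(results: Dict[str, Any]) -> Dict[str, Any]:
    """Collect indicators per parser and merged across all parsers."""
    by_parser = {parser: _iocs_in(output) for parser, output in results.items()}
    return {
        "urls": set().union(*(found["urls"] for found in by_parser.values())),
        "ips": set().union(*(found["ips"] for found in by_parser.values())),
        "by_parser": by_parser,
    }


def defang(indicator: str) -> str:
    """Neutralise an indicator before it goes into a report or ticket."""
    return re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE).replace(".", "[.]")


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_RESULTS)
    for parser, found in report["by_parser"].items():
        print(parser,
              sorted(defang(u) for u in found["urls"]),
              sorted(defang(i) for i in found["ips"]))
```

Replace SAMPLE_RESULTS with the results dict returned by cx.run_parsers(...) above; because the walk is schema-agnostic it works the same whether a parser reports its C2 under "c2", "urls" or a free-text field. Note that documentation ranges such as 203.0.113.0/24 are flagged as private by Python's ipaddress module, so filtering on is_private would silently drop the constructed sample.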
Adding a new Parser Framework
- Inherit from the base Framework class and implement it accordingly
- Add the new framework to the ConfigExtractor class' FRAMEWORK_LIBRARY_MAPPING
Project details
Download files
Source Distribution
configextractor_py-1.1.8.tar.gz (18.3 kB)
Built Distribution
configextractor_py-1.1.8-py3-none-any.whl (14.3 kB)
File details
Details for the file configextractor_py-1.1.8.tar.gz.
File metadata
- Download URL: configextractor_py-1.1.8.tar.gz
- Upload date:
- Size: 18.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
Algorithm | Hash digest
---|---
SHA256 | 90d0e9d4d14c3fc1ef9c54cb131305b7b3089940976bb2b969e079c25e3d885d
MD5 | fd79033e97c362452aae1bcb34e5df1c
BLAKE2b-256 | e8b78b15d5bb37c2fd10afbbf8f4e5aa8e6762ed9653e17dc8398d520d8b8d91
File details
Details for the file configextractor_py-1.1.8-py3-none-any.whl.
File metadata
- Download URL: configextractor_py-1.1.8-py3-none-any.whl
- Upload date:
- Size: 14.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
Algorithm | Hash digest
---|---
SHA256 | 30cab5839cab7fc8a2fe529d0bd6cb9fe2b6b7fae015414d9ee4af516a9f1ff5
MD5 | 1d0f99aa3f411bdc8941c6463ec627b5
BLAKE2b-256 | 235704bf62e5d980a5b8ebe711ad520442603c73b5bbfe63a2c83c05e26e63bc