A library for extracting malware configurations across multiple frameworks
Project description
ConfigExtractor
Maintainer: @cccs-rs
Python Library for performing configuration extraction across multiple extraction frameworks (ie. Maco, MWCP, etc.). This tool is actively used in the Assemblyline project as a service.
The code found in this repository contains a command line interface that acts as a wrapper for popular malware configuration data decoders from:
- Maco [MIT license]
- MWCP [MIT license]
- CAPE Sandbox [GPL license] via CAPE-parsers fork [MIT License]
- many thanks to @kevoreilly and the CAPESandbox community for releasing so many open source parsers.
MWCFG : https://github.com/c3rb3ru5d3d53c/mwcfg [BSD 3-Clause License]
Installation Guide
Running in a Container
docker container run \
-v /path/to/parsers:/mnt/parsers \
-v /path/to/samples:/mnt/samples \
cccs/assemblyline-service-configextractor \
"cx -p /mnt/parsers -s /mnt/samples"
Usage
Command-line
You can use configextractor or cx to make use of the CLI:
Usage: cx [OPTIONS] PARSERS_PATH SAMPLE_PATH
Options:
--block_list TEXT Comma-delimited list of parsers to ignore
--help Show this message and exit.
Python
from configextractor.main import ConfigExtractor
import logging
# Create a logger to track ongoings
logger = logging.getLogger()
logger.handlers = [logging.StreamHandler()]
logger.setLevel('DEBUG')
# Instantiate instance of class with path(s) to extractors
# Attaching a logger will allow some insight into what's going on if parser detection is the issue
cx = ConfigExtractor(["/path/to/extractors/"], logger=logger)
# List all parsers actively detected and loaded into instance
# cx.parsers.keys() lists all the relative module paths to the parsers
# The value of each key is an Extractor object containing details for running the extractor (ie. venv location, YARA rule, etc.)
print([cx.get_details(p)['name'] for p in cx.parsers.values()])
# Run all loaded parsers against sample
results = cx.run_parsers('/path/to/sample')
# Output raw results to stdout, each should be organized by the parsers that generated an output
print(results)
Adding a new Parser Framework
- Inherit from the base
Frameworkclass and implement class accordingly - Add new framework to the ConfigExtractor class'
FRAMEWORK_LIBRARY_MAPPING
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file configextractor_py-1.1.16.tar.gz.
File metadata
- Download URL: configextractor_py-1.1.16.tar.gz
- Upload date:
- Size: 24.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
22ddc9f48c6e65e489aa5f677ccc77bbdcb0b051d65060a1eac0fba239ce1661
|
|
| MD5 |
72e2149c065d1bd53cd8524d1490da7a
|
|
| BLAKE2b-256 |
2c201eae43e4d824e05f45631ebf0534effcd0b6c048eca273be0537872e12ff
|
File details
Details for the file configextractor_py-1.1.16-py3-none-any.whl.
File metadata
- Download URL: configextractor_py-1.1.16-py3-none-any.whl
- Upload date:
- Size: 27.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3274f18e82d66db23d808c84193515b512db082d66e49c6aadaa7b8c52c0fe62
|
|
| MD5 |
1ddbfc0492e064e9f91702e41eee5338
|
|
| BLAKE2b-256 |
ef2970cc3a5b9491005082dbf66dd04c4591e2c81d1893dfe73cc474cccde338
|
