Skip to main content

A library for extracting malware configurations across multiple frameworks

Project description

ConfigExtractor

Latest Stable Release License

Maintainer: @cccs-rs

Python Library for performing configuration extraction across multiple extraction frameworks (ie. Maco, MWCP, etc.). This tool is actively used in the Assemblyline project as a service.

The code found in this repository contains a command line interface that acts as a wrapper for popular malware configuration data decoders from:

Installation Guide

Running in a Container

docker container run \
  -v /path/to/parsers:/mnt/parsers \
  -v /path/to/samples:/mnt/samples \
  cccs/assemblyline-service-configextractor \
  "cx -p /mnt/parsers -s /mnt/samples"

Usage

Command-line

You can use configextractor or cx to make use of the CLI:

Usage: cx [OPTIONS] PARSERS_PATH SAMPLE_PATH

Options:
  --block_list TEXT  Comma-delimited list of parsers to ignore
  --help             Show this message and exit.

Python

from configextractor.main import ConfigExtractor
import logging

# Create a logger to track ongoings
logger = logging.getLogger()
logger.handlers = [logging.StreamHandler()]
logger.setLevel('DEBUG')

# Instantiate instance of class with path(s) to extractors
# Attaching a logger will allow some insight into what's going on if parser detection is the issue
cx = ConfigExtractor(["/path/to/extractors/"], logger=logger)

# List all parsers actively detected and loaded into instance
# cx.parsers.keys() lists all the relative module paths to the parsers
# The value of each key is an Extractor object containing details for running the extractor (ie. venv location, YARA rule, etc.)
print([cx.get_details(p)['name'] for p in cx.parsers.values()])

# Run all loaded parsers against sample
results = cx.run_parsers('/path/to/sample')

# Output raw results to stdout, each should be organized by the parsers that generated an output
print(results)

Adding a new Parser Framework

  1. Inherit from the base Framework class and implement class accordingly
  2. Add new framework to the ConfigExtractor class' FRAMEWORK_LIBRARY_MAPPING

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

configextractor_py-1.1.17.tar.gz (24.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

configextractor_py-1.1.17-py3-none-any.whl (27.6 kB view details)

Uploaded Python 3

File details

Details for the file configextractor_py-1.1.17.tar.gz.

File metadata

  • Download URL: configextractor_py-1.1.17.tar.gz
  • Upload date:
  • Size: 24.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for configextractor_py-1.1.17.tar.gz
Algorithm Hash digest
SHA256 ee740efa4a73a0d235997a266d714c26023fd7f37936c647331b30cb6a33bf25
MD5 265b9c6d24c7aaeac3c08fd015413b5b
BLAKE2b-256 07d50d152bbd0f9fe21dac6c37aacb3745134ed8c2bc4ffa27d3b5e6ab67ae62

See more details on using hashes here.

File details

Details for the file configextractor_py-1.1.17-py3-none-any.whl.

File metadata

File hashes

Hashes for configextractor_py-1.1.17-py3-none-any.whl
Algorithm Hash digest
SHA256 9e04cadf8053b39ea0b6d062c7ab47e6dfebf6eee0278bb49ee859bae2b06131
MD5 c8d5da77a579ef05252b0bc32bec9ee9
BLAKE2b-256 9cd004a1c1033697c8c6e6c3a0cca80690102f4fd4ea8d611a436d73305d1459

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page