Skip to main content

Obfuscated payload extractor for malware samples

Project description

Obfuscated payload extractor for malware samples

Current build status Latest PyPI version

Overview

malcarve is a tool for detecting and extracting obfuscated, embedded content from files. In particular it is targeted at extracting malicious payloads such as those contained in malware attack documents and droppers.

A command-line utility is included alongside a simple Python API. Further, a web API is provided as an example scanning web service.

Getting Started

Install using pip:

pip install malcarve

Command-line usage:

malcarve [--extract [--output-dir <output_dir>]] <file1> <file2> ...

Example Webservice:

malcarve-web [-H <interface_address>] [-p port_number]

Config can be updated by copying malcarve/conf/malcarve.conf to ~/.malcarve/malcarve.conf and changing settings as desired.

History

Malcarve was originally written several years ago. It was predominantly targeted at extracting XOR’ed PE files from Flash, Word and PDF documents, which were commonly being exploited at the time.

After needing a similar capability again recently, I’ve started reviving the code (it’s still a bit of a mess) along with migrating to python3. This also comes with a newer focus towards macro’ed documents and embedded urls/other file types and obfuscation techniques.

This is still a work in progress but has been released in the hope that others may find it useful (no warranty given or implied).

Existing Tools

There are many great tools and published literature already in this space. malcarve borrows heavily, and is inspired from techniques discussed or available in the following:

The motivation in writing yet another deobfuscator was the need to not only detect obfuscated patterns and payloads but to also extract/carve that content automatically.

Some tools already handled this but would only perform a subset of the schemes or file types needed.

Features

  • Deobfuscation/carving of Windows PE Files, Zip and Ole2 files

  • Experimental carving of PDF and other formats (check config file)

  • Obfuscated and embedded URL extraction

  • Multibyte XOR deobfuscation

  • XOR modifiers countup, countdown, preserve nulls

  • Scans inside common stream encodings like base64 and deflate

Future Work:

More than happy for feedback, discussion and pull requests…

  • Handle various other obfuscation techniques used in VBA macros

  • Performance enhancements by overhauling pattern checks into single pass

  • Extraction of general obfuscated scripts (eg. powershell, javascript)

  • Fix poor performance of deflate and ascii based stream handling

  • Write proper documentation

Issues

Source code for malcarve is hosted on GitHub. Any bug reports or feature requests can be made using GitHub’s issues system.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

malcarve-0.3.tar.gz (152.5 kB view details)

Uploaded Source

File details

Details for the file malcarve-0.3.tar.gz.

File metadata

  • Download URL: malcarve-0.3.tar.gz
  • Upload date:
  • Size: 152.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.23.0 setuptools/54.1.1 requests-toolbelt/0.9.1 tqdm/4.59.0 CPython/3.7.6

File hashes

Hashes for malcarve-0.3.tar.gz
Algorithm Hash digest
SHA256 a00e6001f97bf68b72cf0d920f2875a87d8afbb351a7d885236bab8c2f84d13b
MD5 647b5cc433849a1e5f0d0eb8ef178ab4
BLAKE2b-256 c4fd39070eeb665c3b95c1205b1b80389e666f80d76fff88d654ad6b7e2dfa86

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page