Maintainer: @cccs-rs
Python library for performing configuration extraction across multiple extraction frameworks (i.e. Maco, MWCP, etc.). This tool is actively used in the Assemblyline project as a service.
The code found in this repository contains a command line interface that acts as a wrapper for popular malware configuration data decoders from:
- Maco [MIT license]
- MWCP [MIT license]
- CAPE Sandbox via Maco wrappers [GPL license]
  - many thanks to @kevoreilly for releasing so many open source parsers.
- MWCFG [BSD 3-Clause License]
```bash
docker container run \
  -v /path/to/parsers:/mnt/parsers \
  -v /path/to/samples:/mnt/samples \
  cccs/assemblyline-service-configextractor \
  "cx -p /mnt/parsers -s /mnt/samples"
```
You can use `configextractor` or `cx` to make use of the CLI:
```
--block_list TEXT  Comma-delimited list of parsers to ignore
--help             Show this message and exit.
```
```python
from configextractor.main import ConfigExtractor
import logging

# Create a logger to track ongoings
logger = logging.getLogger()
logger.handlers = [logging.StreamHandler()]

# Instantiate instance of class with path(s) to extractors
# Attaching a logger will allow some insight into what's going on if parser detection is the issue
cx = ConfigExtractor(["/path/to/extractors/"], logger=logger)

# List all parsers actively detected and loaded into instance
# cx.parsers.keys() lists all the relative module paths to the parsers
# The value of each key is an Extractor object containing details for running the extractor (i.e. venv location, YARA rule, etc.)
print([cx.get_details(p)['name'] for p in cx.parsers.values()])

# Run all loaded parsers against sample
results = cx.run_parsers('/path/to/sample')

# Output raw results to stdout, each should be organized by the parsers that generated an output
print(results)
```
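The snippet above runs the loaded parsers against a single sample. The following is an added example, not code from the configextractor project, showing how a practitioner would wrap that same API (`cx.parsers`, `cx.get_details(...)['name']`, `cx.run_parsers(path)`) into a batch run over a directory of samples, the way the CLI's `-s /mnt/samples` does, while isolating parser failures per sample and producing JSON-serializable output. It assumes `run_parsers` returns a mapping keyed by the parser that produced output, as the page describes; the `FakeExtractor` class, the parser names and the sample files are constructed stand-ins so the routine can be exercised offline.

```python
"""Batch configuration extraction built on the ConfigExtractor API shown above (added example)."""
import json
import logging
import tempfile
from pathlib import Path


def loaded_parser_names(cx):
    """Names of every parser the instance detected, via cx.parsers / cx.get_details from the page."""
    return sorted(cx.get_details(p)["name"] for p in cx.parsers.values())


def extract_directory(cx, samples_dir, logger=None):
    """Run every loaded parser over each regular file in samples_dir.

    Returns {sample filename: {"parsers": [...], "results": {...}}}. A sample whose
    extraction raises is recorded under an "error" key instead of aborting the batch,
    so one malformed or hostile file cannot take down the whole run.
    """
    logger = logger or logging.getLogger(__name__)
    summary = {}
    for path in sorted(Path(samples_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            results = cx.run_parsers(str(path))
        except Exception as exc:  # parsers are third-party code; isolate failures per sample
            logger.warning("extraction failed for %s: %s", path.name, exc)
            summary[path.name] = {"error": str(exc)}
            continue
        # Assumption: run_parsers returns a mapping keyed by the parser that produced output
        results = dict(results) if results else {}
        summary[path.name] = {"parsers": sorted(results), "results": results}
    return summary


class FakeExtractor:
    """Constructed stand-in exposing the three members the page's snippet uses
    (parsers, get_details, run_parsers); not the real ConfigExtractor class."""
    parsers = {"maco/alpha.py": "ext-alpha", "mwcp/beta.py": "ext-beta"}

    def get_details(self, extractor):
        return {"name": {"ext-alpha": "AlphaRAT", "ext-beta": "BetaLoader"}[extractor]}

    def run_parsers(self, sample):
        if sample.endswith("broken.bin"):
            raise RuntimeError("parser crashed")
        if sample.endswith("benign.bin"):
            return {}  # no parser matched
        # Constructed output; 198.51.100.7 is a documentation (TEST-NET-2) address
        return {"AlphaRAT": [{"family": "AlphaRAT", "c2": ["198.51.100.7:4444"]}]}


def demo_samples():
    """Write three constructed placeholder files to a temp dir and return its path."""
    d = Path(tempfile.mkdtemp(prefix="cx-demo-"))
    for name in ("alpha.bin", "benign.bin", "broken.bin"):
        (d / name).write_bytes(b"constructed placeholder, not a real sample")
    return d


if __name__ == "__main__":
    # With the real library this would be:
    #   from configextractor.main import ConfigExtractor
    #   cx = ConfigExtractor(["/path/to/extractors/"], logger=logging.getLogger())
    cx = FakeExtractor()
    print("loaded parsers:", loaded_parser_names(cx))
    print(json.dumps(extract_directory(cx, demo_samples()), indent=2))
```

Swapping `FakeExtractor()` for a real `ConfigExtractor(...)` instance is the only change needed to run this against actual extractors; the per-sample `try`/`except` is what keeps a crashing third-party parser from stopping the rest of the batch.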
- Inherit from the base class and implement the class accordingly
- Add the new framework to the ConfigExtractor class'