def __init__(
self,
config: Config,
identity: Optional[str],
modules: str,
result_tags: List[str],
result_attributes: Dict[str, List[str]],
) -> None:
"""
Create instance of the ConfigExtractor.
:param config: Karton configuration object
:param identity: Override the default Karton identity.
:param modules: Path to a directory with malduck modules.
:param result_tags: Tags to be applied to all produced configs.
:param result_attributes: Attributes to be applied to all produced configs.
"""
# Identity must be overriden before the super() call, because parent
# constructor uses implicit default identity (from the class field).
if identity is not None:
self.identity = identity
super().__init__(config)
self.modules = ExtractorModules(modules)
self.result_tags = result_tags
self.result_attributes = result_attributes
def test_apliebe():
modules = ExtractorModules("tests/files/modules")
p = procmem.from_file("tests/files/mal1.b64")
assert p.extract(modules) == [{
"base64": True,
"family": "apliebe",
"str_to_int_offs": [0x1000a410]
}]
def test_scan_ollydbg():
modules = ExtractorModules("tests/files/modules")
olly = procmempe.from_file("tests/files/ollydbg.exe", image=True)
cfg = olly.extract(modules)[0]
assert cfg["family"] == "ollydbg"
assert sorted(cfg["olly"]) == [
" - OllyDbg is a JIT debugger\n", " - OllyDbg is in Explorer's menu\n",
" - OllyDbg is not in Explorer's menu"
]
def analyze_dumps(self, sample, dump_dir, dumps_metadata):
manager = ExtractManager(
ExtractorModules(self.config.config["draktestd"]["modules"]))
family = None
for dump_metadata in dumps_metadata:
dump_path = os.path.join(dump_dir, dump_metadata["filename"])
va = int(dump_metadata["base_address"], 16)
with changedLogLevel(logging.getLogger(), logging.ERROR):
res = manager.push_file(dump_path, base=va)
family = family or res
return family
def test_weaky():
modules = ExtractorModules("tests/files/modules")
weaky = procmem(b"weakyx")
strongy = procmem(b"strongy")
strongyweaky = procmem(b"strongyweakyx")
assert not weaky.extract(modules)
assert strongy.extract(modules) == [{"family": "weaky"}]
assert strongyweaky.extract(modules) == [{
"family": "weaky",
"weak": True,
"weaky": True
}]
def analyze_dumps(self, sample, dump_dir):
manager = ExtractManager(
ExtractorModules(self.config.config['draktestd']['modules']))
dumps = Path(dump_dir) / "dumps"
family = None
for f in dumps.glob("*.metadata"):
with open(f, "rb") as metafile:
metadata = json.load(metafile)
va = int(metadata["DumpAddress"], 16)
name = dumps / metadata["DataFileName"]
with changedLogLevel(logging.getLogger(), logging.ERROR):
res = manager.push_file(name, base=va)
family = family or res
return family
def test_multirules():
modules = ExtractorModules("tests/files/modules")
multistring = procmem(b"FiRsT string fIrSt string"
b"SeCoNd string sEcOnD string"
b"ThIrD string tHiRd string")
assert multistring.extract(modules) == [{
'family':
'multistring',
'first':
['FiRsT string', 'fIrSt string', 'SeCoNd string', 'sEcOnD string'],
'third': ['ThIrD string']
}]
multistring_v2 = procmem(b"ThIrD stringa0a1b2b3c4c5d6d7e8e9FoUrTh string")
assert multistring_v2.extract(modules) == [{
'family': 'multistring_v2',
'matched': ['v2'],
'third': ['ThIrD string']
}]
def test_scan_base64():
modules = ExtractorModules("tests/files/modules")
assert "Unbase64" in [
extractor.__name__ for extractor in modules.extractors
]
for fname in os.listdir("tests/files"):
fpath = os.path.join("tests/files", fname)
if os.path.isfile(fpath):
extractor = ExtractManager(modules)
extractor.push_file(fpath)
if extractor.config:
assert len(extractor.config) == 1
matched_base = extractor.config[0].get("base64", False)
else:
matched_base = False
should_be_base = fname.endswith(".b64")
# To be or not to be
assert matched_base == should_be_base
except ImportError:
logging.info("Missed RATDecoders -> pip3 install git+https://github.com/kevthehermit/RATDecoders")
except Exception as e:
logging.error(e, exc_info=True)
HAVE_MALDUCK = False
if process_cfg.malduck.enabled:
try:
from lib.cuckoo.common.load_extra_modules import malduck_load_decoders
from malduck.extractor import ExtractorModules, ExtractManager
from malduck.extractor.extractor import Extractor
# from malduck.extractor.loaders import load_modules
from malduck.yara import Yara
malduck_rules = Yara.__new__(Yara)
malduck_modules = ExtractorModules.__new__(ExtractorModules)
# tmp_modules = load_modules(os.path.join(CUCKOO_ROOT, process_cfg.malduck.modules_path))
# malduck_modules_names = dict((k.split(".")[-1], v) for k, v in tmp_modules.items())
malduck_modules_names = malduck_load_decoders(CUCKOO_ROOT)
malduck_modules.extractors = Extractor.__subclasses__()
HAVE_MALDUCK = True
# del tmp_modules
except ImportError:
logging.info("Missed MalDuck -> pip3 install git+https://github.com/CERT-Polska/malduck/")
HAVE_CAPE_EXTRACTORS = False
if process_cfg.CAPE_extractors.enabled:
from lib.cuckoo.common.load_extra_modules import cape_load_decoders
cape_malware_parsers = cape_load_decoders(CUCKOO_ROOT)
if cape_malware_parsers: