maco-extractor 1.2.18__tar.gz → 1.2.20__tar.gz

{maco_extractor-1.2.18/maco_extractor.egg-info → maco_extractor-1.2.20}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maco-extractor
-Version: 1.2.18
+Version: 1.2.20
 Summary: This package contains the essentials for creating Maco extractors and using them at runtime.
 Author: sl-govau
 Maintainer: cccs-rs

{maco_extractor-1.2.18 → maco_extractor-1.2.20}/maco/cli.py

@@ -27,6 +27,7 @@ def process_file(
     pretty: bool,
     force: bool,
     include_base64: bool,
+    extracted_dir: str = "",
 ):
     """Process a filestream with the extractors and rules.
 
@@ -37,6 +38,7 @@ def process_file(
         pretty (bool): Pretty print the JSON output
         force (bool): Run all extractors regardless of YARA rule match
         include_base64 (bool): include base64'd data in output
+        extracted_dir (str): directory to write CaRTed binary data to
 
     Returns:
         (dict): The output from the extractors analyzing the sample
@@ -87,6 +89,34 @@ def process_file(
                 if include_base64:
                     # this can be large
                     row["base64"] = base64.b64encode(row["data"]).decode("utf8")
+
+                # write binary data to disk if enabled
+                if extracted_dir:
+                    # only allow writes to already existing directories with permissions
+                    if os.path.isdir(extracted_dir) and os.access(extracted_dir, os.W_OK):
+                        filepath = os.path.abspath(os.path.join(extracted_dir, f"{row['sha256']}.cart"))
+                        # don't overwrite existing files
+                        if os.path.exists(filepath):
+                            logger.debug(f"{filepath} already exists.")
+                        else:
+                            # CaRT data before writing to disk
+                            in_stream = io.BytesIO(row["data"])
+                            output_stream = io.BytesIO()
+                            try:
+                                cart.pack_stream(in_stream, output_stream)
+                            except Exception:
+                                logger.error(f"Error trying to CaRT binary output ({row['sha256']}) from {path_file}.")
+                            else:
+                                output_stream.seek(0)
+                                try:
+                                    with open(filepath, "wb") as f:
+                                        f.write(output_stream.getbuffer())
+                                    logger.debug(f"Wrote binary output to {filepath}.")
+                                except (FileNotFoundError, PermissionError, OSError):
+                                    logger.error(f"Error trying to write binary output to {filepath}")
+                    else:
+                        logger.error(f"Cannot write files to {extracted_dir}")
+
                 # do not print raw bytes to console
                 row.pop("data")
         ret[extractor_name] = resp
@@ -107,6 +137,7 @@ def process_filesystem(
     include_base64: bool,
     create_venv: bool = False,
     skip_install: bool = False,
+    extracted_dir: str = "",
 ) -> Tuple[int, int, int]:
     """Process filesystem with extractors and print results of extraction.
 
@@ -159,6 +190,7 @@ def process_filesystem(
                             pretty=pretty,
                             force=force,
                             include_base64=include_base64,
+                            extracted_dir=extracted_dir,
                         )
                         if resp:
                             num_hits += 1
@@ -194,6 +226,7 @@ def main():
         help="Include base64 encoded binary data in output "
         "(can be large, consider printing to file rather than console)",
     )
+    parser.add_argument("--binarydir", type=str, help="directory to write extracted binary data to")
     parser.add_argument("--logfile", type=str, help="file to log output")
     parser.add_argument("--include", type=str, help="comma separated extractors to run")
     parser.add_argument("--exclude", type=str, help="comma separated extractors to not run")
@@ -268,6 +301,7 @@ def main():
         include_base64=args.base64,
         create_venv=args.create_venv,
         skip_install=not args.force_install,
+        extracted_dir=args.binarydir,
     )
 
 

{maco_extractor-1.2.18 → maco_extractor-1.2.20}/maco/collector.py

@@ -122,6 +122,7 @@ class Collector:
                             "author": member.author,
                             "last_modified": member.last_modified,
                             "sharing": member.sharing,
+                            "result_sharing": member.result_sharing,
                             "description": member.__doc__,
                         },
                     )

{maco_extractor-1.2.18 → maco_extractor-1.2.20}/maco/extractor.py

@@ -25,7 +25,8 @@ class Extractor:
     family: Union[str, List[str]] = None  # family or families of malware that is detected by the extractor
     author: str = None  # author of the extractor (name@organisation)
     last_modified: str = None  # last modified date (YYYY-MM-DD)
-    sharing: str = "TLP:WHITE"  # who can this be shared with?
+    sharing: str = "TLP:CLEAR"  # who can this be shared with?
+    result_sharing: str = sharing  # who can the results be shared with? (defaults to sharing)
     yara_rule: str = None  # yara rule that we filter inputs with
     reference: str = None  # link to malware report or other reference information
     logger: logging.Logger = None  # logger for use when debugging

{maco_extractor-1.2.18 → maco_extractor-1.2.20/maco_extractor.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maco-extractor
-Version: 1.2.18
+Version: 1.2.20
 Summary: This package contains the essentials for creating Maco extractors and using them at runtime.
 Author: sl-govau
 Maintainer: cccs-rs