maco 1.2.10__py3-none-any.whl → 1.2.12__py3-none-any.whl

demo_extractors/requirements.txt

@@ -1 +1,4 @@
 httpx
+
+# Install maco from source for testing
+../

demo_extractors/terminator.py

@@ -0,0 +1,17 @@
+from io import BytesIO
+from typing import List, Optional
+
+from maco import extractor, model, yara
+from maco.exceptions import AnalysisAbortedException
+
+
+class Terminator(extractor.Extractor):
+    """Terminates early during extraction"""
+
+    family = "terminator"
+    author = "skynet"
+    last_modified = "1997-08-29"
+
+    def run(self, stream: BytesIO, matches: List[yara.Match]) -> Optional[model.ExtractorModel]:
+        # Terminate early and indicate I can't run on this sample
+        raise AnalysisAbortedException("I can't run on this sample")

maco/cli.py

@@ -3,18 +3,20 @@
 import argparse
 import base64
 import binascii
+import cart
 import hashlib
 import io
 import json
 import logging
 import os
 import sys
-from typing import BinaryIO, List, Tuple
 
-import cart
+from importlib.metadata import version
+from typing import BinaryIO, List, Tuple
 
 from maco import collector
 
+
 logger = logging.getLogger("maco.lib.cli")
 
 
@@ -92,6 +94,7 @@ def process_filesystem(
     force: bool,
     include_base64: bool,
     create_venv: bool = False,
+    skip_install: bool = False,
 ) -> Tuple[int, int, int]:
     """Process filesystem with extractors and print results of extraction.
 
@@ -99,7 +102,9 @@ def process_filesystem(
     """
     if force:
         logger.warning("force execute will cause errors if an extractor requires a yara rule hit during execution")
-    collected = collector.Collector(path_extractors, include=include, exclude=exclude, create_venv=create_venv)
+    collected = collector.Collector(
+        path_extractors, include=include, exclude=exclude, create_venv=create_venv, skip_install=skip_install
+    )
 
     logger.info(f"extractors loaded: {[x for x in collected.extractors.keys()]}\n")
     for _, extractor in collected.extractors.items():
@@ -191,6 +196,18 @@ def main():
         "This runs much slower than the alternative but may be necessary "
         "when there are many extractors with conflicting dependencies.",
     )
+    parser.add_argument(
+        "--force_install",
+        action="store_true",
+        help="Force installation of Python dependencies for extractors (in both host and virtual environments).",
+    )
+    parser.add_argument(
+        "--version",
+        action="version",
+        version=f"version: {version('maco')}",
+        help="Show version of MACO",
+    )
+
     args = parser.parse_args()
     inc = args.include.split(",") if args.include else []
     exc = args.exclude.split(",") if args.exclude else []
@@ -236,6 +253,7 @@ def main():
         force=args.force,
         include_base64=args.base64,
         create_venv=args.create_venv,
+        skip_install=not args.force_install,
     )
 
 

maco/collector.py

@@ -13,6 +13,7 @@ from multiprocess import Manager, Process, Queue
 from pydantic import BaseModel
 
 from maco import extractor, model, utils, yara
+from maco.exceptions import AnalysisAbortedException
 
 
 class ExtractorLoadError(Exception):
@@ -67,6 +68,7 @@ class Collector:
         include: List[str] = None,
         exclude: List[str] = None,
         create_venv: bool = False,
+        skip_install: bool = False,
     ):
         """Discover and load extractors from file system."""
         # maco requires the extractor to be imported directly, so ensure they are available on the path
@@ -135,6 +137,7 @@ class Collector:
                     root_directory=path_extractors,
                     scanner=yara.compile(source=utils.MACO_YARA_RULE),
                     create_venv=create_venv and os.path.isdir(path_extractors),
+                    skip_install=skip_install,
                 ),
             )
             p.start()
@@ -189,6 +192,9 @@ class Collector:
                         venv=extractor["venv"],
                     )
                 )
+        except AnalysisAbortedException:
+            # Extractor voluntarily aborted analysis of sample
+            return
         except Exception:
             # caller can deal with the exception
             raise

maco/exceptions.py

@@ -0,0 +1,3 @@
+# Can be raised by extractors to abort analysis of a sample
+# ie. Can abort if preliminary checks at start of run indicate the file shouldn't be analyzed by extractor
+class AnalysisAbortedException(Exception): ...

maco/utils.py

@@ -34,6 +34,7 @@ from uv import find_uv_bin
 
 from maco import model
 from maco.extractor import Extractor
+from maco.exceptions import AnalysisAbortedException
 
 logger = logging.getLogger("maco.lib.utils")
 
@@ -450,9 +451,19 @@ def run_extractor(
         key = f"{module_name}_{extractor_class}"
         if key not in _loaded_extractors:
             # dynamic import of extractor
-            mod = importlib.import_module(module_name)
-            extractor_cls = mod.__getattribute__(extractor_class)
-            extractor = extractor_cls()
+            try:
+                # Add the correct directory to the PATH before attempting to load the extractor
+                import_path = module_path[: -4 - len(module_name)]
+                sys.path.insert(1, import_path)
+                mod = importlib.import_module(module_name)
+                extractor_cls = mod.__getattribute__(extractor_class)
+                extractor = extractor_cls()
+
+                # Add to cache
+                _loaded_extractors[key] = extractor
+            finally:
+                sys.path.pop(1)
+
         else:
             # retrieve cached extractor
             extractor = _loaded_extractors[key]
@@ -504,9 +515,15 @@ def run_extractor(
                     exception = stderr
                     if delim in exception:
                         exception = f"{delim}{exception.split(delim, 1)[1]}"
-                    # print extractor logging at error level
-                    logger.error(f"maco extractor raised exception, stderr:\n{stderr}")
-                    raise Exception(exception) from e
+                    if "maco.exceptions.AnalysisAbortedException" in exception:
+                        # Extractor voluntarily terminated, re-raise exception to be handled by collector
+                        raise AnalysisAbortedException(
+                            exception.split("maco.exceptions.AnalysisAbortedException: ")[-1]
+                        )
+                    else:
+                        # print extractor logging at error level
+                        logger.error(f"maco extractor raised exception, stderr:\n{stderr}")
+                        raise Exception(exception) from e
                 # ensure that extractor logging is available
                 logger.info(f"maco extractor stderr:\n{stderr}")
     return loaded

{maco-1.2.10.dist-info → maco-1.2.12.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: maco
-Version: 1.2.10
+Version: 1.2.12
 Author: sl-govau
 Maintainer: cccs-rs
 License: MIT License

{maco-1.2.10.dist-info → maco-1.2.12.dist-info}/RECORD

@@ -2,26 +2,29 @@ demo_extractors/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 demo_extractors/elfy.py,sha256=Jo_GKExCeFOKGENJnNM_9ONfJO7LQFucCNz0ryTAo9U,765
 demo_extractors/limit_other.py,sha256=BWjeyOxB75kw4eRla5zvSzdcXtELOS8R6hc71rLPh1s,1295
 demo_extractors/nothing.py,sha256=MNPlb0IsBjrlU5e438JlJ4DIKoBpBRAaYY3JhD3yHqk,601
-demo_extractors/requirements.txt,sha256=E0tD6xBZldq6sQGTHng6k88lBeASOhmLJcdcjpcqBNE,6
+demo_extractors/requirements.txt,sha256=nD7BPNv7YEPUr9MDcaKYNs2UfHtxvN8FOKKesgC_L5g,50
 demo_extractors/shared.py,sha256=2P1cyuRbHDvM9IRt3UZnwdyhxx7OWqNC83xLyV8Y190,305
+demo_extractors/terminator.py,sha256=G1AQHL1JGI8iMa4-H55nWwLzOlPicWH-2HiADw4aE9M,552
 demo_extractors/complex/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 demo_extractors/complex/complex.py,sha256=tXrzj_zWIXbTOwj7Lezapk-qkrM-lfwcyjd5m-BYzdg,2322
 demo_extractors/complex/complex_utils.py,sha256=aec8kJsYUrMPo-waihkVLt-0QpiOPkw7dDqfT9MNuHk,123
 maco/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 maco/base_test.py,sha256=cjGLEy2c69wl9sjn74QFz7X-VxWOfdin4W8MvYsXc4Q,2718
-maco/cli.py,sha256=pPS8euWaLV-6csBCCzT1Mtc7GwP7a_RikDjfUYxoxU8,8415
-maco/collector.py,sha256=cBZEHx5qjFwf-EfAgEmXlu4kT4rWZkcDE926gBrOoN8,7493
+maco/cli.py,sha256=K9gjsyGXcmSqBSkRkertVTH-Z4mwGFVk7TQxx8Y2mXo,8937
+maco/collector.py,sha256=T1tGibakx-yfgHzrHC4mqY-G2Y-VhDz8Qx1KoXa7l0g,7752
+maco/exceptions.py,sha256=aUbkX9CZfgp1aZFTEa98Uwge6MeQcQ3LbYkgNOwWaCg,214
 maco/extractor.py,sha256=uGSGiCQ4jd8jFmfw2T99BGcY5iQJzXHcG_RoTIxClTE,2802
-maco/utils.py,sha256=Tjop6lfnb5LtkS0QruUzIO1NVnNkYi0i1I94CyjHL1Q,20895
+maco/utils.py,sha256=bD2z6xZeR-MNhM834w2vQi4IP-kpQSXL-l71vmGweAU,21726
 maco/yara.py,sha256=8RVaGyeUWY5f8_wfQ25lDX1bcXsb_VoSja85ZC2SqGw,2913
 maco/model/__init__.py,sha256=ULdyHx8R5D2ICHZo3VoCk1YTlewTok36TYIpwx__pNY,45
 maco/model/model.py,sha256=4uY88WphbP3iu-L2WjuYwtgZCS_wNul_hr0bAVuTpvc,23740
 model_setup/maco/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 model_setup/maco/base_test.py,sha256=cjGLEy2c69wl9sjn74QFz7X-VxWOfdin4W8MvYsXc4Q,2718
-model_setup/maco/cli.py,sha256=pPS8euWaLV-6csBCCzT1Mtc7GwP7a_RikDjfUYxoxU8,8415
-model_setup/maco/collector.py,sha256=cBZEHx5qjFwf-EfAgEmXlu4kT4rWZkcDE926gBrOoN8,7493
+model_setup/maco/cli.py,sha256=K9gjsyGXcmSqBSkRkertVTH-Z4mwGFVk7TQxx8Y2mXo,8937
+model_setup/maco/collector.py,sha256=T1tGibakx-yfgHzrHC4mqY-G2Y-VhDz8Qx1KoXa7l0g,7752
+model_setup/maco/exceptions.py,sha256=aUbkX9CZfgp1aZFTEa98Uwge6MeQcQ3LbYkgNOwWaCg,214
 model_setup/maco/extractor.py,sha256=uGSGiCQ4jd8jFmfw2T99BGcY5iQJzXHcG_RoTIxClTE,2802
-model_setup/maco/utils.py,sha256=Tjop6lfnb5LtkS0QruUzIO1NVnNkYi0i1I94CyjHL1Q,20895
+model_setup/maco/utils.py,sha256=bD2z6xZeR-MNhM834w2vQi4IP-kpQSXL-l71vmGweAU,21726
 model_setup/maco/yara.py,sha256=8RVaGyeUWY5f8_wfQ25lDX1bcXsb_VoSja85ZC2SqGw,2913
 model_setup/maco/model/__init__.py,sha256=ULdyHx8R5D2ICHZo3VoCk1YTlewTok36TYIpwx__pNY,45
 model_setup/maco/model/model.py,sha256=4uY88WphbP3iu-L2WjuYwtgZCS_wNul_hr0bAVuTpvc,23740
@@ -36,9 +39,9 @@ tests/extractors/basic_longer.py,sha256=1ClU2QD-Y0TOl_loNFvEqIEpTR5TSVJ6zg9ZmC-E
 tests/extractors/test_basic.py,sha256=FLKekfSGM69HaiF7Vu_7D7KDXHZko-9hZkMO8_DoyYA,697
 tests/extractors/bob/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/extractors/bob/bob.py,sha256=G5aOoz58J0ZQK2_lA7HRxAzeLzBxssWxBTZcv1pSbi8,176
-maco-1.2.10.dist-info/LICENSE.md,sha256=gMSjshPhXvV_F1qxmeNkKdBqGWkd__fEJf4glS504bM,1478
-maco-1.2.10.dist-info/METADATA,sha256=FtHe8aMGg8ij5Z9RQ1alHpGYUA2hkCnPetwhKnVh8cE,15893
-maco-1.2.10.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
-maco-1.2.10.dist-info/entry_points.txt,sha256=TpcwG1gedIg8Y7a9ZOv8aQpuwEUftCefDrAjzeP-o6U,39
-maco-1.2.10.dist-info/top_level.txt,sha256=iMRwuzmrHA3zSwiSeMIl6FWhzRpn_st-I4fAv-kw5_o,49
-maco-1.2.10.dist-info/RECORD,,
+maco-1.2.12.dist-info/LICENSE.md,sha256=gMSjshPhXvV_F1qxmeNkKdBqGWkd__fEJf4glS504bM,1478
+maco-1.2.12.dist-info/METADATA,sha256=fQa29RHfFtLo3isR5emR5qEtpeTTTHwBk4EN1CWzyRs,15893
+maco-1.2.12.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
+maco-1.2.12.dist-info/entry_points.txt,sha256=TpcwG1gedIg8Y7a9ZOv8aQpuwEUftCefDrAjzeP-o6U,39
+maco-1.2.12.dist-info/top_level.txt,sha256=iMRwuzmrHA3zSwiSeMIl6FWhzRpn_st-I4fAv-kw5_o,49
+maco-1.2.12.dist-info/RECORD,,

model_setup/maco/cli.py

@@ -3,18 +3,20 @@
 import argparse
 import base64
 import binascii
+import cart
 import hashlib
 import io
 import json
 import logging
 import os
 import sys
-from typing import BinaryIO, List, Tuple
 
-import cart
+from importlib.metadata import version
+from typing import BinaryIO, List, Tuple
 
 from maco import collector
 
+
 logger = logging.getLogger("maco.lib.cli")
 
 
@@ -92,6 +94,7 @@ def process_filesystem(
     force: bool,
     include_base64: bool,
     create_venv: bool = False,
+    skip_install: bool = False,
 ) -> Tuple[int, int, int]:
     """Process filesystem with extractors and print results of extraction.
 
@@ -99,7 +102,9 @@ def process_filesystem(
     """
     if force:
         logger.warning("force execute will cause errors if an extractor requires a yara rule hit during execution")
-    collected = collector.Collector(path_extractors, include=include, exclude=exclude, create_venv=create_venv)
+    collected = collector.Collector(
+        path_extractors, include=include, exclude=exclude, create_venv=create_venv, skip_install=skip_install
+    )
 
     logger.info(f"extractors loaded: {[x for x in collected.extractors.keys()]}\n")
     for _, extractor in collected.extractors.items():
@@ -191,6 +196,18 @@ def main():
         "This runs much slower than the alternative but may be necessary "
         "when there are many extractors with conflicting dependencies.",
     )
+    parser.add_argument(
+        "--force_install",
+        action="store_true",
+        help="Force installation of Python dependencies for extractors (in both host and virtual environments).",
+    )
+    parser.add_argument(
+        "--version",
+        action="version",
+        version=f"version: {version('maco')}",
+        help="Show version of MACO",
+    )
+
     args = parser.parse_args()
     inc = args.include.split(",") if args.include else []
     exc = args.exclude.split(",") if args.exclude else []
@@ -236,6 +253,7 @@ def main():
         force=args.force,
         include_base64=args.base64,
         create_venv=args.create_venv,
+        skip_install=not args.force_install,
     )
 
 

model_setup/maco/collector.py

@@ -13,6 +13,7 @@ from multiprocess import Manager, Process, Queue
 from pydantic import BaseModel
 
 from maco import extractor, model, utils, yara
+from maco.exceptions import AnalysisAbortedException
 
 
 class ExtractorLoadError(Exception):
@@ -67,6 +68,7 @@ class Collector:
         include: List[str] = None,
         exclude: List[str] = None,
         create_venv: bool = False,
+        skip_install: bool = False,
     ):
         """Discover and load extractors from file system."""
         # maco requires the extractor to be imported directly, so ensure they are available on the path
@@ -135,6 +137,7 @@ class Collector:
                     root_directory=path_extractors,
                     scanner=yara.compile(source=utils.MACO_YARA_RULE),
                     create_venv=create_venv and os.path.isdir(path_extractors),
+                    skip_install=skip_install,
                 ),
             )
             p.start()
@@ -189,6 +192,9 @@ class Collector:
                         venv=extractor["venv"],
                     )
                 )
+        except AnalysisAbortedException:
+            # Extractor voluntarily aborted analysis of sample
+            return
         except Exception:
             # caller can deal with the exception
             raise

model_setup/maco/exceptions.py

@@ -0,0 +1,3 @@
+# Can be raised by extractors to abort analysis of a sample
+# ie. Can abort if preliminary checks at start of run indicate the file shouldn't be analyzed by extractor
+class AnalysisAbortedException(Exception): ...

model_setup/maco/utils.py

@@ -34,6 +34,7 @@ from uv import find_uv_bin
 
 from maco import model
 from maco.extractor import Extractor
+from maco.exceptions import AnalysisAbortedException
 
 logger = logging.getLogger("maco.lib.utils")
 
@@ -450,9 +451,19 @@ def run_extractor(
         key = f"{module_name}_{extractor_class}"
         if key not in _loaded_extractors:
             # dynamic import of extractor
-            mod = importlib.import_module(module_name)
-            extractor_cls = mod.__getattribute__(extractor_class)
-            extractor = extractor_cls()
+            try:
+                # Add the correct directory to the PATH before attempting to load the extractor
+                import_path = module_path[: -4 - len(module_name)]
+                sys.path.insert(1, import_path)
+                mod = importlib.import_module(module_name)
+                extractor_cls = mod.__getattribute__(extractor_class)
+                extractor = extractor_cls()
+
+                # Add to cache
+                _loaded_extractors[key] = extractor
+            finally:
+                sys.path.pop(1)
+
         else:
             # retrieve cached extractor
             extractor = _loaded_extractors[key]
@@ -504,9 +515,15 @@ def run_extractor(
                     exception = stderr
                     if delim in exception:
                         exception = f"{delim}{exception.split(delim, 1)[1]}"
-                    # print extractor logging at error level
-                    logger.error(f"maco extractor raised exception, stderr:\n{stderr}")
-                    raise Exception(exception) from e
+                    if "maco.exceptions.AnalysisAbortedException" in exception:
+                        # Extractor voluntarily terminated, re-raise exception to be handled by collector
+                        raise AnalysisAbortedException(
+                            exception.split("maco.exceptions.AnalysisAbortedException: ")[-1]
+                        )
+                    else:
+                        # print extractor logging at error level
+                        logger.error(f"maco extractor raised exception, stderr:\n{stderr}")
+                        raise Exception(exception) from e
                 # ensure that extractor logging is available
                 logger.info(f"maco extractor stderr:\n{stderr}")
     return loaded