maco 1.2.19__py3-none-any.whl → 1.2.21__py3-none-any.whl

extractor_setup/maco/cli.py

@@ -27,6 +27,7 @@ def process_file(
     pretty: bool,
     force: bool,
     include_base64: bool,
+    extracted_dir: str = "",
 ):
     """Process a filestream with the extractors and rules.
 
@@ -37,6 +38,7 @@ def process_file(
         pretty (bool): Pretty print the JSON output
         force (bool): Run all extractors regardless of YARA rule match
         include_base64 (bool): include base64'd data in output
+        extracted_dir (str): directory to write CaRTed binary data to
 
     Returns:
         (dict): The output from the extractors analyzing the sample
@@ -87,6 +89,34 @@ def process_file(
                 if include_base64:
                     # this can be large
                     row["base64"] = base64.b64encode(row["data"]).decode("utf8")
+
+                # write binary data to disk if enabled
+                if extracted_dir:
+                    # only allow writes to already existing directories with permissions
+                    if os.path.isdir(extracted_dir) and os.access(extracted_dir, os.W_OK):
+                        filepath = os.path.abspath(os.path.join(extracted_dir, f"{row['sha256']}.cart"))
+                        # don't overwrite existing files
+                        if os.path.exists(filepath):
+                            logger.debug(f"{filepath} already exists.")
+                        else:
+                            # CaRT data before writing to disk
+                            in_stream = io.BytesIO(row["data"])
+                            output_stream = io.BytesIO()
+                            try:
+                                cart.pack_stream(in_stream, output_stream)
+                            except Exception:
+                                logger.error(f"Error trying to CaRT binary output ({row['sha256']}) from {path_file}.")
+                            else:
+                                output_stream.seek(0)
+                                try:
+                                    with open(filepath, "wb") as f:
+                                        f.write(output_stream.getbuffer())
+                                    logger.debug(f"Wrote binary output to {filepath}.")
+                                except (FileNotFoundError, PermissionError, OSError):
+                                    logger.error(f"Error trying to write binary output to {filepath}")
+                    else:
+                        logger.error(f"Cannot write files to {extracted_dir}")
+
                 # do not print raw bytes to console
                 row.pop("data")
         ret[extractor_name] = resp
@@ -107,6 +137,7 @@ def process_filesystem(
     include_base64: bool,
     create_venv: bool = False,
     skip_install: bool = False,
+    extracted_dir: str = "",
 ) -> Tuple[int, int, int]:
     """Process filesystem with extractors and print results of extraction.
 
@@ -159,6 +190,7 @@ def process_filesystem(
                             pretty=pretty,
                             force=force,
                             include_base64=include_base64,
+                            extracted_dir=extracted_dir,
                         )
                         if resp:
                             num_hits += 1
@@ -194,6 +226,7 @@ def main():
         help="Include base64 encoded binary data in output "
         "(can be large, consider printing to file rather than console)",
     )
+    parser.add_argument("--binarydir", type=str, help="directory to write extracted binary data to")
     parser.add_argument("--logfile", type=str, help="file to log output")
     parser.add_argument("--include", type=str, help="comma separated extractors to run")
     parser.add_argument("--exclude", type=str, help="comma separated extractors to not run")
@@ -268,6 +301,7 @@ def main():
         include_base64=args.base64,
         create_venv=args.create_venv,
         skip_install=not args.force_install,
+        extracted_dir=args.binarydir,
     )
 
 

extractor_setup/maco/model/model.py

@@ -48,6 +48,8 @@ class Encryption(ForbidModel):
     iv: Optional[str] = None  # initialisation vector
     seed: Optional[str] = None
     nonce: Optional[str] = None
+    password: Optional[str] = None
+    salt: Optional[str] = None
     constants: List[str] = []
 
     usage: Optional[UsageEnum] = None

maco/cli.py

@@ -27,6 +27,7 @@ def process_file(
     pretty: bool,
     force: bool,
     include_base64: bool,
+    extracted_dir: str = "",
 ):
     """Process a filestream with the extractors and rules.
 
@@ -37,6 +38,7 @@ def process_file(
         pretty (bool): Pretty print the JSON output
         force (bool): Run all extractors regardless of YARA rule match
         include_base64 (bool): include base64'd data in output
+        extracted_dir (str): directory to write CaRTed binary data to
 
     Returns:
         (dict): The output from the extractors analyzing the sample
@@ -87,6 +89,34 @@ def process_file(
                 if include_base64:
                     # this can be large
                     row["base64"] = base64.b64encode(row["data"]).decode("utf8")
+
+                # write binary data to disk if enabled
+                if extracted_dir:
+                    # only allow writes to already existing directories with permissions
+                    if os.path.isdir(extracted_dir) and os.access(extracted_dir, os.W_OK):
+                        filepath = os.path.abspath(os.path.join(extracted_dir, f"{row['sha256']}.cart"))
+                        # don't overwrite existing files
+                        if os.path.exists(filepath):
+                            logger.debug(f"{filepath} already exists.")
+                        else:
+                            # CaRT data before writing to disk
+                            in_stream = io.BytesIO(row["data"])
+                            output_stream = io.BytesIO()
+                            try:
+                                cart.pack_stream(in_stream, output_stream)
+                            except Exception:
+                                logger.error(f"Error trying to CaRT binary output ({row['sha256']}) from {path_file}.")
+                            else:
+                                output_stream.seek(0)
+                                try:
+                                    with open(filepath, "wb") as f:
+                                        f.write(output_stream.getbuffer())
+                                    logger.debug(f"Wrote binary output to {filepath}.")
+                                except (FileNotFoundError, PermissionError, OSError):
+                                    logger.error(f"Error trying to write binary output to {filepath}")
+                    else:
+                        logger.error(f"Cannot write files to {extracted_dir}")
+
                 # do not print raw bytes to console
                 row.pop("data")
         ret[extractor_name] = resp
@@ -107,6 +137,7 @@ def process_filesystem(
     include_base64: bool,
     create_venv: bool = False,
     skip_install: bool = False,
+    extracted_dir: str = "",
 ) -> Tuple[int, int, int]:
     """Process filesystem with extractors and print results of extraction.
 
@@ -159,6 +190,7 @@ def process_filesystem(
                             pretty=pretty,
                             force=force,
                             include_base64=include_base64,
+                            extracted_dir=extracted_dir,
                         )
                         if resp:
                             num_hits += 1
@@ -194,6 +226,7 @@ def main():
         help="Include base64 encoded binary data in output "
         "(can be large, consider printing to file rather than console)",
     )
+    parser.add_argument("--binarydir", type=str, help="directory to write extracted binary data to")
     parser.add_argument("--logfile", type=str, help="file to log output")
     parser.add_argument("--include", type=str, help="comma separated extractors to run")
     parser.add_argument("--exclude", type=str, help="comma separated extractors to not run")
@@ -268,6 +301,7 @@ def main():
         include_base64=args.base64,
         create_venv=args.create_venv,
         skip_install=not args.force_install,
+        extracted_dir=args.binarydir,
     )
 
 

maco/model/model.py

@@ -48,6 +48,8 @@ class Encryption(ForbidModel):
     iv: Optional[str] = None  # initialisation vector
     seed: Optional[str] = None
     nonce: Optional[str] = None
+    password: Optional[str] = None
+    salt: Optional[str] = None
     constants: List[str] = []
 
     usage: Optional[UsageEnum] = None

{maco-1.2.19.dist-info → maco-1.2.21.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: maco
-Version: 1.2.19
+Version: 1.2.21
 Summary: Maco is a framework for creating and using malware configuration extractors.
 Author: sl-govau
 Maintainer: cccs-rs
@@ -22,8 +22,6 @@ Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
 Classifier: License :: OSI Approved :: MIT License
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
@@ -72,6 +70,7 @@ This framework is actively being used by:
 |                                                                           [configextractor-py](https://github.com/CybercentreCanada/configextractor-py)                                                                            | A tool designed to run extractors from multiple frameworks and uses the MACO model for output harmonization                                                                                                                                                   | [![License](https://img.shields.io/github/license/CybercentreCanada/configextractor-py)](https://github.com/CybercentreCanada/configextractor-py/blob/main/LICENSE.md) |
 | <a href="https://github.com/jeFF0Falltrades/rat_king_parser"><img src="https://images.weserv.nl/?url=raw.githubusercontent.com/jeFF0Falltrades/rat_king_parser/master/.github/logo.png?v=4&h=100&w=100&fit=cover&maxage=7d"/> </a> | A robust, multiprocessing-capable, multi-family RAT config parser/extractor that is compatible with MACO                                                                                                                                                      |      [![License](https://img.shields.io/github/license/jeFF0Falltrades/rat_king_parser)](https://github.com/jeFF0Falltrades/rat_king_parser/blob/master/LICENSE)       |
 |                           <a href="https://github.com/CAPESandbox/community"><img src="https://images.weserv.nl/?url=github.com/CAPESandbox.png?v=4&h=100&w=100&fit=cover&maxage=7d0&mask=circle"/> </a>                           | A parser/extractor repository containing MACO extractors that's authored by the CAPE community but is integrated in [CAPE](https://github.com/kevoreilly/CAPEv2) deployments.<br>**Note: These MACO extractors wrap and parse the original CAPE extractors.** |                  [![License](https://img.shields.io/badge/license-GPL--3.0-informational)](https://github.com/kevoreilly/CAPEv2/blob/master/LICENSE)                   |
+|                           <a href="https://github.com/SEKOIA-IO/Community"><img src="https://images.weserv.nl/?url=github.com/SEKOIA-IO.png?v=4&h=100&w=100&fit=cover&maxage=7d0&mask=circle"/> </a>                           | A parser/extractor repository containing MACO extractors that's authored by the SEKOIA community. |                  [![License](https://img.shields.io/badge/license-DRL--1.1-informational)](https://github.com/SEKOIA-IO/Community/blob/main/LICENSE.md)                   |
 
 ## Model Example
 

{maco-1.2.19.dist-info → maco-1.2.21.dist-info}/RECORD

@@ -10,37 +10,37 @@ demo_extractors/complex/complex.py,sha256=GYKmPOD8-fyVHxwjZb-3t1IghKVMuLtdUvCs5C
 demo_extractors/complex/complex_utils.py,sha256=5kdMl-niSH9d-d3ChuItpmlPT4U-S9g-iyBZlR4tfmQ,296
 extractor_setup/maco/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 extractor_setup/maco/base_test.py,sha256=DrVE7vOazeLQpOQeIDwBYK1WtlmdJrRe50JOqP5t4Y0,3198
-extractor_setup/maco/cli.py,sha256=nrSukAJAthbstZT3-lQNPz4zOOMcBhvfYQqLh_B5Jdk,9457
+extractor_setup/maco/cli.py,sha256=jFtYWuKNlqcnSl0W4vgITctpgfd3J9kgN37IwoW3pDY,11477
 extractor_setup/maco/collector.py,sha256=I0Nidf4-xcvoe6X0bbCsAXjr66iPf00JDO6ocKkaZLc,8309
 extractor_setup/maco/exceptions.py,sha256=XBHUrs1kr1ZayPI9B_W-WejKgVmC8sWL_o4RL0b4DQE,745
 extractor_setup/maco/extractor.py,sha256=nqIfUcrc_l57FicKZc6HLtN223-_zkYWL1AYMy1WAmA,3007
 extractor_setup/maco/utils.py,sha256=yNm5CiHc9033ONX_gFwg9Lng5IYFujLDtw6FfiJkAao,23425
 extractor_setup/maco/yara.py,sha256=y141t8NqDDXHY23uE1d6BDPeNmSuUuohR6Yr_LKa7GI,4067
 extractor_setup/maco/model/__init__.py,sha256=ULdyHx8R5D2ICHZo3VoCk1YTlewTok36TYIpwx__pNY,45
-extractor_setup/maco/model/model.py,sha256=DBHTmZXMzjpVq0s2mzZv3VCzPhwPnv7sH6u_QZCTcA4,24484
+extractor_setup/maco/model/model.py,sha256=a98XB7C6P_9JHNsodzbaRomr17rLYH6J4g5clH2IERY,24550
 maco/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 maco/base_test.py,sha256=DrVE7vOazeLQpOQeIDwBYK1WtlmdJrRe50JOqP5t4Y0,3198
-maco/cli.py,sha256=nrSukAJAthbstZT3-lQNPz4zOOMcBhvfYQqLh_B5Jdk,9457
+maco/cli.py,sha256=jFtYWuKNlqcnSl0W4vgITctpgfd3J9kgN37IwoW3pDY,11477
 maco/collector.py,sha256=I0Nidf4-xcvoe6X0bbCsAXjr66iPf00JDO6ocKkaZLc,8309
 maco/exceptions.py,sha256=XBHUrs1kr1ZayPI9B_W-WejKgVmC8sWL_o4RL0b4DQE,745
 maco/extractor.py,sha256=nqIfUcrc_l57FicKZc6HLtN223-_zkYWL1AYMy1WAmA,3007
 maco/utils.py,sha256=yNm5CiHc9033ONX_gFwg9Lng5IYFujLDtw6FfiJkAao,23425
 maco/yara.py,sha256=y141t8NqDDXHY23uE1d6BDPeNmSuUuohR6Yr_LKa7GI,4067
 maco/model/__init__.py,sha256=ULdyHx8R5D2ICHZo3VoCk1YTlewTok36TYIpwx__pNY,45
-maco/model/model.py,sha256=DBHTmZXMzjpVq0s2mzZv3VCzPhwPnv7sH6u_QZCTcA4,24484
-maco-1.2.19.dist-info/licenses/LICENSE.md,sha256=gMSjshPhXvV_F1qxmeNkKdBqGWkd__fEJf4glS504bM,1478
+maco/model/model.py,sha256=a98XB7C6P_9JHNsodzbaRomr17rLYH6J4g5clH2IERY,24550
+maco-1.2.21.dist-info/licenses/LICENSE.md,sha256=gMSjshPhXvV_F1qxmeNkKdBqGWkd__fEJf4glS504bM,1478
 model_setup/maco/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 model_setup/maco/base_test.py,sha256=DrVE7vOazeLQpOQeIDwBYK1WtlmdJrRe50JOqP5t4Y0,3198
-model_setup/maco/cli.py,sha256=nrSukAJAthbstZT3-lQNPz4zOOMcBhvfYQqLh_B5Jdk,9457
+model_setup/maco/cli.py,sha256=jFtYWuKNlqcnSl0W4vgITctpgfd3J9kgN37IwoW3pDY,11477
 model_setup/maco/collector.py,sha256=I0Nidf4-xcvoe6X0bbCsAXjr66iPf00JDO6ocKkaZLc,8309
 model_setup/maco/exceptions.py,sha256=XBHUrs1kr1ZayPI9B_W-WejKgVmC8sWL_o4RL0b4DQE,745
 model_setup/maco/extractor.py,sha256=nqIfUcrc_l57FicKZc6HLtN223-_zkYWL1AYMy1WAmA,3007
 model_setup/maco/utils.py,sha256=yNm5CiHc9033ONX_gFwg9Lng5IYFujLDtw6FfiJkAao,23425
 model_setup/maco/yara.py,sha256=y141t8NqDDXHY23uE1d6BDPeNmSuUuohR6Yr_LKa7GI,4067
 model_setup/maco/model/__init__.py,sha256=ULdyHx8R5D2ICHZo3VoCk1YTlewTok36TYIpwx__pNY,45
-model_setup/maco/model/model.py,sha256=DBHTmZXMzjpVq0s2mzZv3VCzPhwPnv7sH6u_QZCTcA4,24484
+model_setup/maco/model/model.py,sha256=a98XB7C6P_9JHNsodzbaRomr17rLYH6J4g5clH2IERY,24550
 pipelines/publish.yaml,sha256=BfsbDsg2ijtXF8lhRUjzkenw3zi2mL7ESNv3KuC1cVE,1626
-pipelines/test.yaml,sha256=btJVI-R39UBeYosGu7TOpU6V9ogFW3FT3ROtWygQGQ0,1472
+pipelines/test.yaml,sha256=csfrKjSUXZ2PlRTYTuietFBwtO5oFNetf8Onv9AHugE,1370
 tests/data/example.txt.cart,sha256=j4ZdDnFNVq7lb-Qi4pY4evOXKQPKG-GSg-n-uEqPhV0,289
 tests/data/trigger_complex.txt,sha256=uqnLSrnyDGCmXwuPmZ2s8vdhH0hJs8DxvyaW_tuYY24,64
 tests/data/trigger_complex.txt.cart,sha256=Z7qF1Zi640O45Znkl9ooP2RhSLAEqY0NRf51d-q7utU,345
@@ -52,8 +52,8 @@ tests/extractors/bob/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hS
 tests/extractors/bob/bob.py,sha256=4fpqy_O6NDinJImghyW5OwYgnaB05aY4kgoIS_C3c_U,253
 tests/extractors/import_rewriting/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 tests/extractors/import_rewriting/importer.py,sha256=wqF1AG2zXXuj9EMt9qlDorab-UD0GYuFggtrCuz4sf0,289735
-maco-1.2.19.dist-info/METADATA,sha256=bcX2cXg2jbw6epAkczHoP9WOlcRTKcFtutfrVAc3mIg,15310
-maco-1.2.19.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-maco-1.2.19.dist-info/entry_points.txt,sha256=TpcwG1gedIg8Y7a9ZOv8aQpuwEUftCefDrAjzeP-o6U,39
-maco-1.2.19.dist-info/top_level.txt,sha256=xiVS11ZoyN8ChHJQGpOzTH4ZyQ3YJe1qT3Yt4gcKGUk,65
-maco-1.2.19.dist-info/RECORD,,
+maco-1.2.21.dist-info/METADATA,sha256=zotTpqbih_Px3KgNFxZLKBScIIav--wjxCoOMZ97NbE,15709
+maco-1.2.21.dist-info/WHEEL,sha256=wUyA8OaulRlbfwMtmQsvNngGrxQHAvkKcvRmdizlJi0,92
+maco-1.2.21.dist-info/entry_points.txt,sha256=TpcwG1gedIg8Y7a9ZOv8aQpuwEUftCefDrAjzeP-o6U,39
+maco-1.2.21.dist-info/top_level.txt,sha256=xiVS11ZoyN8ChHJQGpOzTH4ZyQ3YJe1qT3Yt4gcKGUk,65
+maco-1.2.21.dist-info/RECORD,,

{maco-1.2.19.dist-info → maco-1.2.21.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (80.9.0)
+Generator: setuptools (80.10.2)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

model_setup/maco/cli.py

@@ -27,6 +27,7 @@ def process_file(
     pretty: bool,
     force: bool,
     include_base64: bool,
+    extracted_dir: str = "",
 ):
     """Process a filestream with the extractors and rules.
 
@@ -37,6 +38,7 @@ def process_file(
         pretty (bool): Pretty print the JSON output
         force (bool): Run all extractors regardless of YARA rule match
         include_base64 (bool): include base64'd data in output
+        extracted_dir (str): directory to write CaRTed binary data to
 
     Returns:
         (dict): The output from the extractors analyzing the sample
@@ -87,6 +89,34 @@ def process_file(
                 if include_base64:
                     # this can be large
                     row["base64"] = base64.b64encode(row["data"]).decode("utf8")
+
+                # write binary data to disk if enabled
+                if extracted_dir:
+                    # only allow writes to already existing directories with permissions
+                    if os.path.isdir(extracted_dir) and os.access(extracted_dir, os.W_OK):
+                        filepath = os.path.abspath(os.path.join(extracted_dir, f"{row['sha256']}.cart"))
+                        # don't overwrite existing files
+                        if os.path.exists(filepath):
+                            logger.debug(f"{filepath} already exists.")
+                        else:
+                            # CaRT data before writing to disk
+                            in_stream = io.BytesIO(row["data"])
+                            output_stream = io.BytesIO()
+                            try:
+                                cart.pack_stream(in_stream, output_stream)
+                            except Exception:
+                                logger.error(f"Error trying to CaRT binary output ({row['sha256']}) from {path_file}.")
+                            else:
+                                output_stream.seek(0)
+                                try:
+                                    with open(filepath, "wb") as f:
+                                        f.write(output_stream.getbuffer())
+                                    logger.debug(f"Wrote binary output to {filepath}.")
+                                except (FileNotFoundError, PermissionError, OSError):
+                                    logger.error(f"Error trying to write binary output to {filepath}")
+                    else:
+                        logger.error(f"Cannot write files to {extracted_dir}")
+
                 # do not print raw bytes to console
                 row.pop("data")
         ret[extractor_name] = resp
@@ -107,6 +137,7 @@ def process_filesystem(
     include_base64: bool,
     create_venv: bool = False,
     skip_install: bool = False,
+    extracted_dir: str = "",
 ) -> Tuple[int, int, int]:
     """Process filesystem with extractors and print results of extraction.
 
@@ -159,6 +190,7 @@ def process_filesystem(
                             pretty=pretty,
                             force=force,
                             include_base64=include_base64,
+                            extracted_dir=extracted_dir,
                         )
                         if resp:
                             num_hits += 1
@@ -194,6 +226,7 @@ def main():
         help="Include base64 encoded binary data in output "
         "(can be large, consider printing to file rather than console)",
     )
+    parser.add_argument("--binarydir", type=str, help="directory to write extracted binary data to")
     parser.add_argument("--logfile", type=str, help="file to log output")
     parser.add_argument("--include", type=str, help="comma separated extractors to run")
     parser.add_argument("--exclude", type=str, help="comma separated extractors to not run")
@@ -268,6 +301,7 @@ def main():
         include_base64=args.base64,
         create_venv=args.create_venv,
         skip_install=not args.force_install,
+        extracted_dir=args.binarydir,
     )
 
 

model_setup/maco/model/model.py

@@ -48,6 +48,8 @@ class Encryption(ForbidModel):
     iv: Optional[str] = None  # initialisation vector
     seed: Optional[str] = None
     nonce: Optional[str] = None
+    password: Optional[str] = None
+    salt: Optional[str] = None
     constants: List[str] = []
 
     usage: Optional[UsageEnum] = None

pipelines/test.yaml

@@ -31,10 +31,6 @@ jobs:
   - job: run_test
     strategy:
       matrix:
-        Python3_8:
-          python.version: "3.8"
-        Python3_9:
-          python.version: "3.9"
         Python3_10:
           python.version: "3.10"
         Python3_11: