Static configuration extractor engine¶
Module interface¶
-
class
malduck.extractor.Extractor(parent)[source]¶ Base class for extractor modules
Following parameters need to be defined:
family(seeextractor.ExtractorBase.family)overrides(optional, seeextractor.ExtractorBase.overrides)
Example extractor code for Citadel:
from ripper import Extractor class Citadel(Extractor): family = "citadel" yara_rules = ["citadel"] overrides = ["zeus"] @Extractor.extractor("briankerbs") def citadel_found(self, p, addr): log.info('[+] `Coded by Brian Krebs` str @ %X' % addr) return True @Extractor.extractor def cit_login(self, p, addr): log.info('[+] Found login_key xor @ %X' % addr) hit = p.uint32v(addr + 4) print(hex(hit)) if p.is_addr(hit): return {'login_key': p.asciiz(hit)} hit = p.uint32v(addr + 5) print(hex(hit)) if p.is_addr(hit): return {'login_key': p.asciiz(hit)}
-
@extractor[source]¶ Decorator for string-based extractor methods. Method is called each time when string with the same identifier as method name has matched
Extractor can be called for many number-suffixed strings e.g. $keyex1 and $keyex2 will call keyex method.
-
@extractor(string_or_method, final=False)[source] Specialized @extractor variant
- Parameters
string_or_method (str) – If method name doesn’t match the string identifier pass yara string identifier as decorator argument
final (bool) – Extractor will be called whenever Yara rule has been matched, but always after string-based extractors
-
@final[source]¶ Decorator for final extractors, called after regular extraction methods.
from ripper import Extractor class Evil(Extractor): yara_rules = ["evil"] family = "evil" ... @Extractor.needs_pe @Extractor.final def get_config(self, p): cfg = {"urls": self.get_cncs_from_rsrc(p)} if "role" not in self.collected_config: cfg["role"] = "loader" return cfg
-
@weak[source]¶ Use this decorator for extractors when successful extraction is not sufficient to mark family as matched.
All “weak configs” will be flushed when “strong config” appears.
-
@needs_pe[source]¶ Use this decorator for extractors that need PE instance. (
malduck.procmem.ProcessMemoryPE)
-
@needs_elf[source]¶ Use this decorator for extractors that need ELF instance. (
malduck.procmem.ProcessMemoryELF)
-
property
collected_config¶ Shows collected config so far (useful in “final” extractors)
- Return type
dict
-
property
globals¶ Container for global variables associated with analysis
- Return type
dict
-
handle_yara(p, match)[source]¶ Override this if you don’t want to use decorators and customize ripping process (e.g. yara-independent, brute-force techniques)
- Parameters
p (
malduck.procmem.ProcessMemory) – ProcessMemory objectmatch (List[
malduck.yara.YaraMatch]) – Found yara matches for this family
-
property
log¶ Logger instance for Extractor methods
- Returns
logging.Logger
-
property
matched¶ Returns True if family has been matched so far
- Return type
bool
-
on_error(exc, method_name)[source]¶ Handler for all Exception’s throwed by extractor methods.
- Parameters
exc (
Exception) – Exception objectmethod_name (str) – Name of method which throwed exception
-
push_config(config)¶ Push partial config (used by
Extractor.handle_yara())- Parameters
config (dict) – Partial config element
-
push_procmem(procmem, **info)¶ Push procmem object for further analysis
- Parameters
procmem (
malduck.procmem.ProcessMemory) – ProcessMemory objectinfo – Additional info about object
-
yara_rules= ()¶ Names of Yara rules for which handle_yara is called
-
class
malduck.extractor.ExtractManager(modules)[source]¶ Multi-dump extraction context. Handles merging configs from different dumps, additional dropped families etc.
- Parameters
modules (
ExtractorModules) – Object with loaded extractor modules
-
property
config¶ Extracted configuration (list of configs for each extracted family)
-
property
extractors¶ Bound extractor modules :rtype: List[Type[
malduck.extractor.Extractor]]
-
on_error(exc, extractor)[source]¶ Handler for all Exception’s thrown by
Extractor.handle_yara().Deprecated since version 2.1.0: Look at
ExtractManager.on_extractor_error()instead.- Parameters
exc (
Exception) – Exception objectextractor (
malduck.extractor.Extractor) – Extractor object which throwed exception
-
on_extractor_error(exc, extractor, method_name)[source]¶ Handler for all Exception’s thrown by extractor methods (including
Extractor.handle_yara()).Override this method if you want to set your own error handler.
- Parameters
exc (
Exception) – Exception objectextractor (
extractor.Extractor) – Extractor instancemethod_name (str) – Name of method which throwed exception
-
push_file(filepath, base=0)[source]¶ Pushes file for extraction. Config extractor entrypoint.
- Parameters
filepath (str) – Path to extracted file
base (int) – Memory dump base address
- Returns
Family name if ripped successfully and provided better configuration than previous files. Returns None otherwise.
-
push_procmem(p, rip_binaries=False)[source]¶ Pushes ProcessMemory object for extraction
- Parameters
p (
malduck.procmem.ProcessMemory) – ProcessMemory objectrip_binaries – Look for binaries (PE, ELF) in provided ProcessMemory and try to perform extraction using
specialized variants (ProcessMemoryPE, ProcessMemoryELF) :type rip_binaries: bool (default: False) :return: Family name if ripped successfully and provided better configuration than previous procmems.
Returns None otherwise.
-
property
rules¶ Bound Yara rules :rtype:
malduck.yara.Yara
Internally used classes and routines¶
-
class
malduck.extractor.extract_manager.ProcmemExtractManager(parent)[source]¶ Single-dump extraction context (single family)
-
collected_config= None¶ Collected configuration so far (especially useful for “final” extractors)
-
property
config¶ Returns collected config, but if family is not matched - returns empty dict. Family is not included in config itself, look at
ProcmemExtractManager.family.
-
family= None¶ Matched family
-
on_extractor_error(exc, extractor, method_name)[source]¶ Handler for all Exception’s throwed by extractor methods.
- Parameters
exc (
Exception) – Exception objectextractor (
extractor.Extractor) – Extractor instancemethod_name (str) – Name of method which throwed exception
-
parent= None¶ Bound ExtractManager instance
-
push_config(config, extractor)[source]¶ Pushes new partial config
If strong config provides different family than stored so far and that family overrides stored family - set stored family Example: citadel overrides zeus
- Parameters
config (dict) – Partial config object
extractor (
malduck.extractor.Extractor) – Extractor object reference
-
push_procmem(p, _matches=None)[source]¶ Pushes ProcessMemory object for extraction
- Parameters
p (
malduck.procmem.ProcessMemory) – ProcessMemory object_matches (
malduck.yara.YaraMatches) – YaraMatches object (used internally)
-
-
class
malduck.extractor.extractor.ExtractorBase(parent)[source]¶ -
property
collected_config¶ Shows collected config so far (useful in “final” extractors)
- Return type
dict
-
family= None¶ Extracted malware family, automatically added to “family” key for strong extraction methods
-
property
globals¶ Container for global variables associated with analysis
- Return type
dict
-
property
log¶ Logger instance for Extractor methods
- Returns
logging.Logger
-
property
matched¶ Returns True if family has been matched so far
- Return type
bool
-
overrides= []¶ Family match overrides another match e.g. citadel overrides zeus
-
parent= None¶ ProcmemExtractManager instance
-
property