#92 Ability to Add Files to Extraction

[c3rb3ru5d3d53c]

Based on #92, These changes allow us to not only extract configuration information from malware but also additional files that we may have extracted statically. This is not only great for static unpacking, but also other binary data you may wish to extract for analysis or put back into the karon queue for processing.

from malduck import Extractor
from pprint import pprint
e = Extractor(parent=None)
e.push_file(b'\x00'*4, filename='example.bin')
pprint(e.files)
{'6e340b9cffb37a989ca544e6bb780a2c78901d3fb33738768511a30617afa01d': {'data': b'\x00',
                                                                      'filename': 'hello.bin'}}

The files object is a sha256 hash uniquely representing the file then the data and an optional filename.

[psrok1]

Thanks for contribution! If you want you can easily lint your changes to pass our pipeline using https://github.com/CERT-Polska/lint-python-action tool (it's recommended to use it within virtualenv as it installs tools in specific pinned versions)

. venv/bin/activate
pip install lint-python
lint-python --install

But if you don't feel comfortable with that, don't worry, I can do this for you before merge.

[c3rb3ru5d3d53c]

Member

Hey, I made these changes let me know if they look good to you 😄

[psrok1]

Hi! Sorry that it takes so long.

Meanwhile something very similar has been implemented in #101 (based on #99). In this implementation, binaries are put directly in configuration, following the specific scheme (in binaries field https://github.com/CybercentreCanada/Maco/blob/master/maco/model/model.py#L224).

We also plan to support adding parts of config imperatively, so extractor interface will be like that:

self.config.add_binary(
    filename="example.bin",
    data=b'\0'*4

Let me know if it suits your needs. We can also implement Extractor.collected_files or ExtractManager.files helpers if needed.