From aac0110fe7cafbcd5bc1cf370774181244fe01ab Mon Sep 17 00:00:00 2001 From: c3rb3ru5d3d53c Date: Wed, 14 Jun 2023 22:31:10 -0300 Subject: [PATCH 1/3] files --- malduck/extractor/extract_manager.py | 1 + malduck/extractor/extractor.py | 19 +++++++++++++++++++ 2 files changed, 20 insertions(+) diff --git a/malduck/extractor/extract_manager.py b/malduck/extractor/extract_manager.py index 2bf70bf..2c0841c 100644 --- a/malduck/extractor/extract_manager.py +++ b/malduck/extractor/extract_manager.py @@ -291,6 +291,7 @@ def __init__(self, parent: ExtractManager) -> None: self.globals: Dict[str, Any] = {} self.parent = parent #: Bound ExtractManager instance self.family = None #: Matched family + self.files = {} def on_extractor_error( self, exc: Exception, extractor: Extractor, method_name: str diff --git a/malduck/extractor/extractor.py b/malduck/extractor/extractor.py index c15be80..5ec8f2b 100644 --- a/malduck/extractor/extractor.py +++ b/malduck/extractor/extractor.py @@ -2,6 +2,7 @@ import inspect import logging from typing import List, cast +from hashlib import sha256 from ..procmem import ProcessMemory, ProcessMemoryELF, ProcessMemoryPE @@ -329,6 +330,7 @@ def is_it_really_evil(self, p): yara_rules = () #: Names of Yara rules for which handle_match is called family = None #: Extracted malware family, automatically added to "family" key for strong extraction methods overrides = [] #: Family match overrides another match e.g. citadel overrides zeus + files = {} def __init__(self, parent): self.parent = parent @@ -352,6 +354,15 @@ def push_config(self, config): """ return self.parent.push_config(config, self) + def push_file(self, data: bytes, filename=''): + """ + Push file to files object + """ + self.files[sha256(data).hexdigest()] = { + 'filename': filename, + 'data': data + } + @property def matched(self): """ 
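Review bot: The class attribute `files = {}` added below `overrides` is a mutable dict living on the `Extractor` class itself, so it is shared by every extractor subclass and instance rather than scoped to one analysis; once the second patch in this series redirects `push_file` to `self.parent.files`, nothing reads or writes it and it remains as a misleading dead attribute. Remove the line, or if it is meant to stay as public API, give it the same `#:` doc-comment style as its neighbours and state that pushed files do not land there. The enclosing `Extractor` class starts and ends outside this hunk.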
@@ -361,6 +372,14 @@ def matched(self): """ return self.parent.family is not None + @property + def collected_files(self): + """ + Shows collected files so far (useful in "final" extractors) + :rtype: dict + """ + return self.parent.files + @property def collected_config(self): """ From b2dbf23928f35c53675023f2b389118b0afa6145 Mon Sep 17 00:00:00 2001 From: c3rb3ru5 <79795199+c3rb3ru5d3d53c@users.noreply.github.com> Date: Tue, 20 Jun 2023 22:36:55 -0300 Subject: [PATCH 2/3] Update malduck/extractor/extractor.py MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Paweł Srokosz --- malduck/extractor/extractor.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/malduck/extractor/extractor.py b/malduck/extractor/extractor.py index 5ec8f2b..0390a26 100644 --- a/malduck/extractor/extractor.py +++ b/malduck/extractor/extractor.py @@ -358,7 +358,7 @@ def push_file(self, data: bytes, filename=''): """ Push file to files object """ - self.files[sha256(data).hexdigest()] = { + self.parent.files[sha256(data).hexdigest()] = { 'filename': filename, 'data': data } From 45953da45f3c49aeb6ee0bab0e179f7e2594dab5 Mon Sep 17 00:00:00 2001 From: c3rb3ru5d3d53c Date: Tue, 20 Jun 2023 22:42:20 -0300 Subject: [PATCH 3/3] files --- malduck/extractor/extract_manager.py | 2 +- malduck/extractor/extractor.py | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/malduck/extractor/extract_manager.py b/malduck/extractor/extract_manager.py index 2c0841c..63f9f33 100644 --- a/malduck/extractor/extract_manager.py +++ b/malduck/extractor/extract_manager.py @@ -291,7 +291,7 @@ def __init__(self, parent: ExtractManager) -> None: self.globals: Dict[str, Any] = {} self.parent = parent #: Bound ExtractManager instance self.family = None #: Matched family - self.files = {} + self.files: Dict[str, Dict] = {} def on_extractor_error( self, exc: Exception, extractor: Extractor, method_name: str 
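Review bot: `collected_files` hands back `self.parent.files` itself, the live mapping that `push_file` writes into, so a caller that mutates the returned dict changes what later extractors and the manager see. Either make that explicit in the docstring, e.g. `Live mapping of SHA-256 hex digest -> {"filename", "data"} for files pushed so far; mutating it affects the manager`, or return `dict(self.parent.files)` if callers are meant to get a snapshot. Keep the `:rtype:` field on its own line after a blank line so Sphinx renders it as a field list. The enclosing class continues beyond the hunk.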
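Review bot: The new annotation `Dict[str, Dict]` leaves the inner mapping untyped and, unlike the neighbouring `self.parent` and `self.family` lines, carries no `#:` attribute comment, so the generated docs will not say what the keys are. `Any` is already in scope (see `self.globals: Dict[str, Any]`), so write `self.files: Dict[str, Dict[str, Any]] = {}  #: Files pushed by extractors, keyed by SHA-256 hex digest`; the shape is fixed by `Extractor.push_file`, which stores `{"filename": ..., "data": ...}` under `sha256(data).hexdigest()`. The enclosing `__init__` continues past the hunk.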
diff --git a/malduck/extractor/extractor.py b/malduck/extractor/extractor.py index 0390a26..edd81a2 100644 --- a/malduck/extractor/extractor.py +++ b/malduck/extractor/extractor.py @@ -1,8 +1,8 @@ import functools import inspect import logging -from typing import List, cast from hashlib import sha256 +from typing import List, cast from ..procmem import ProcessMemory, ProcessMemoryELF, ProcessMemoryPE @@ -354,13 +354,13 @@ def push_config(self, config): """ return self.parent.push_config(config, self) - def push_file(self, data: bytes, filename=''): + def push_file(self, data: bytes, filename=""): """ Push file to files object """ self.parent.files[sha256(data).hexdigest()] = { - 'filename': filename, - 'data': data + "filename": filename, + "data": data, } @property
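Review bot: The final `push_file` still carries a one-line docstring with no parameter or key documentation, and `filename` is unannotated while `data` is, so a caller cannot tell from the signature that entries are keyed by `sha256(data).hexdigest()` or that pushing the same bytes twice silently replaces the earlier `filename`. Change the signature to `def push_file(self, data: bytes, filename: str = "") -> None:` and expand the docstring to state the SHA-256 key, the `{"filename", "data"}` value shape stored in `self.parent.files`, and the overwrite-on-duplicate behaviour. If keeping the first name seen is preferred over dedupe-by-hash overwrite, `self.parent.files.setdefault(...)` does that in one line. Since `filename` is stored verbatim and the page does not show where extractors obtain it, the docstring should also say it is an informational label, not a path, so consumers that later write these entries to disk know to sanitise it. The enclosing class extends beyond the hunk.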