{"id":13681063,"url":"https://github.com/TeamT5/MalCfgParser","last_synced_at":"2025-04-30T03:30:30.999Z","repository":{"id":215062562,"uuid":"218310195","full_name":"TeamT5/MalCfgParser","owner":"TeamT5","description":"A Lightweight Malware Configuration Parsing Tool","archived":false,"fork":false,"pushed_at":"2019-11-06T07:53:19.000Z","size":116,"stargazers_count":15,"open_issues_count":0,"forks_count":2,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-11-12T00:36:18.786Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TeamT5.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2019-10-29T14:43:50.000Z","updated_at":"2024-01-06T09:57:56.000Z","dependencies_parsed_at":"2024-01-02T10:15:30.896Z","dependency_job_id":null,"html_url":"https://github.com/TeamT5/MalCfgParser","commit_stats":null,"previous_names":["teamt5/malcfgparser"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TeamT5%2FMalCfgParser","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TeamT5%2FMalCfgParser/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TeamT5%2FMalCfgParser/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TeamT5%2FMalCfgParser/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TeamT5","download_url":"https://codeload.github.com/TeamT5/MalCfgParser/tar.gz/refs/heads/master","host":{"name":"GitHub","
url":"https://github.com","kind":"github","repositories_count":251634994,"owners_count":21619122,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:25.718Z","updated_at":"2025-04-30T03:30:30.708Z","avatar_url":"https://github.com/TeamT5.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# MalCfgParser\n\n![](https://github.com/teamt5/malcfgparser/raw/master/logo.png)\n\nMalCfgParser is a malware configuration parser that:\n\n- Parses memory by brute force -- no need to decode the configuration or know its size in advance!\n- Accepts a PID or a process dump file\n- Easy to add your own parser: supply a yara rule and the malware configuration struct\n\n## Requirements\n### Local machine\n- VMware\n- python3\n- yara-python\n\u003e For Windows, the installers are provided under `requirements`\n\n### Remote machine: Windows 7 on VMware\n- python (Any version is OK)\n\n## Configuration\nIn default.cfg, set up:\n```\nvmrun=\u003cPath to vmrun\u003e\nvmx=\u003cPath to vmx file of remote machine\u003e\nvm_user=\u003cUsername of remote machine\u003e\nvm_password=\u003cPassword of remote machine\u003e\nwork_folder=\u003cWorkspace in remote machine, work_folder=C:\\MalCfgParser by default\u003e\ndump_files_folder=\u003cFolder to save the memory dump files in local machine\u003e\n```\n\n## Usage\n### Parse by PID in a running machine\n```\n\u003e python3 main.py \u003cpid\u003e\n```\n\nExample:\n```\n\u003e python3 main.py 6264\n[+] work_folder C:\\MalCfgParser was already in VM\n[+] memdumper.py is transmitted to VM\n[+] Memory 
dump 6264 is OK in VM\n[+] Memory dump files from VM are retreived\n[+] Detect: phantomivy\npassword: Ib@1ie\ncnc0_type: 0\ncnc0_port: 80\ncnc0_host: 5.189.173.32\ncnc1_type: 0\ncnc1_port: 8081\ncnc1_host: 5.189.173.32\nmutex: C^Xe3(@Yx\n```\n\n### Parse by memory dump file\n```\n\u003e python3 main.py \u003cmemory dump file\u003e\n```\n\nExample:\n```\n\u003e python3 main.py test/malware/plugx_0x2d58/memdump/iexplore.exe_0x300000-0x2a000.bin\n[+] Detect: plugx_0x724\nflag: 1000\ninstallname: Microsoft Malware ProtectionoYS\ncnc0_proto: TCP\ncnc0_port: 80\ncnc0_host: update.olk4.com\ncnc1_proto: TCP\ncnc1_port: 8080\ncnc1_host: update.olk4.com\ncnc2_proto: TCP\ncnc2_port: 80\ncnc2_host: www.olk4.com\ncnc3_proto: TCP\ncnc3_port: 8080\ncnc3_host: www.olk4.com\n```\n\n## Add Your Malware Configuration Parser\n- Add a yara signature for the malware to `yara.txt`\n- Use Kaitai (https://ide.kaitai.io) to describe the configuration structure\n- Generate the python file for structure parsing with `kaitai-struct-compiler --target python \u003cmalware_name\u003e.ksy`\n- Move `\u003cmalware_name\u003e.py` to `/structs`\n- Add `\u003cmalware_name\u003e.py` to `/parsers`\n\n### Design of Parser\n```\nclass MalParser(MalParserBase):\n\tdef __init__(self):\n\t\tsuper().__init__()\n\t\tself.cfg_structs = \u003cThe structure parsing file name\u003e\n\t\tself.magic = \u003cSignature to help identify the start of configuration\u003e\n\t\tself.cfg_start_offset = \u003cThe offset from the magic to the configuration\u003e\n\t\tself.cfg_size = \u003cConfiguration size\u003e\n\t\tself.json_key = \u003cA list containing the keys to print in json format\u003e\n\n\tdef make_json(self):\n\t\t# (Required) Build the parse result to be shown in json format\n\t\tpass\n\n\tdef validate(self):\n\t\t# (Required) Check whether the parse result is correct\n\t\tpass\n\n\tdef decode(self):\n\t\t# (Optional) Additional decoding of the configuration block\n\t\t
pass\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTeamT5%2FMalCfgParser","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FTeamT5%2FMalCfgParser","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FTeamT5%2FMalCfgParser/lists"}