
Custom Modules

nheijmans edited this page Mar 30, 2018 · 1 revision

Custom modules

What

Custom modules can be added to Malzoo to quickly extend the analysis done on malware samples. They make it easier to enrich samples or add filetype-specific analysis without modifying the core code.

How

Malzoo 2.1 comes with a module worker that picks up all enabled modules in the malzoo/modules folder and pushes the sample package to each of them. Which modules are enabled is checked once at startup.

Create a custom module

To create a custom module, use the default template below so that the module worker can load and run it correctly.

"""
describe the malzoo module
"""

from malzoo.common.abstract import CustomModule

class YourModuleName(CustomModule):
    name = ‘name of the module’
    version = '0.1'
    enabled = True

    def custom_func(self, data):
        try:
            code(if using a additional func)
        except Exception as e:
            self.log('{0} - {1} - {2}'.format('custom module',self.name,e))
        finally:
            return

    def run(self):
        try:
            print self.name, 'is running'
            YOURCUSTOMCODEHERE
        except Exception as e:
            self.log('{0} - {1} - {2}'.format('custom module',self.name,e))
        finally:
            return

The template is pretty straightforward. The module inherits all features of the CustomModule class, which gives it access to logging and to storing your precious analysis results. Next, the name, the version and whether the module is enabled are set. In the function run() you can start adding analysis code for samples, or enrich them with external sources like VirusTotal, or submit them to Cuckoo.

The following core features are available to use:

  • self.log: the logging feature of Malzoo, saving any debug information to debug.log if enabled in the configuration
  • self.share_data: sends your results to the configured output. Don't forget to enable logging in the config file!

If you want to use certain tool code (malzoo/core/tools/), you can import the desired tool like this (example of the hasher tool, which calculates md5, sha-1, etc.):

import malzoo.core.tools.hashes
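The following is an added example, not code from the Malzoo project or the malzoo-community repository: a filetype-identification module written against the template above, in Python 3. Because malzoo.common.abstract is not available offline, a small CustomModule stand-in is defined here; its log() and share_data() signatures, the way the sample bytes are handed to run(), and the run_enabled() worker loop are all assumptions, and the sample bytes are constructed.

```python
import hashlib


class CustomModule(object):
    """Stand-in for malzoo.common.abstract.CustomModule (assumption).
    Records what the module logs and shares so the behaviour can be checked."""
    name = 'base'
    version = '0.0'
    enabled = False

    def __init__(self):
        self.logged = []
        self.shared = []

    def log(self, msg):
        self.logged.append(msg)

    def share_data(self, data):
        self.shared.append(data)


# Leading magic bytes used for a quick filetype check.
MAGIC = {b'MZ': 'pe', b'\x7fELF': 'elf', b'%PDF': 'pdf', b'PK\x03\x04': 'zip'}


class FiletypeModule(CustomModule):
    name = 'filetype'
    version = '0.1'
    enabled = True

    def custom_func(self, data):
        # Identify the sample by its magic bytes and hash it for the result record.
        kind = next((t for m, t in MAGIC.items() if data.startswith(m)), 'unknown')
        return {'module': self.name, 'type': kind,
                'sha256': hashlib.sha256(data).hexdigest()}

    def run(self, data):
        # Same try/except/finally shape as the template: a failing module logs
        # the error and returns instead of taking the module worker down.
        try:
            self.share_data(self.custom_func(data))
        except Exception as e:
            self.log('{0} - {1} - {2}'.format('custom module', self.name, e))
        finally:
            return


def run_enabled(modules, data):
    """Mimic the module worker (assumption): run only enabled modules."""
    results = []
    for cls in modules:
        if cls.enabled:
            mod = cls()
            mod.run(data)
            results.extend(mod.shared)
    return results
```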

Add custom modules from the community

To add community modules, download the malzoo-community repository and put the Python scripts in the folder malzoo/modules/. The VirusTotal and Cuckoo modules are in that folder by default to get you started.

And now

Unleash your creativity :) and if you think "well, this could be useful for the rest of the community", share it! The malzoo-community repository was created to share modules between users and to keep the core code of Malzoo unchanged, so that everyone can stay on the same version for easy updating.

A few modules have already been added (usual suspects) to start off:

  • VirusTotal enrichment (watch your API calls!)
  • Cuckoo file submit

And a few new ones are in the works:

  • ClamAV scan
  • ThreatCrowd