CERT-Polska / malduck

:duck: Malduck is your ducky companion in malware analysis journeys
GNU General Public License v3.0

Error when running karton-config-extractor in docker #116

Open winl0gon opened 11 months ago

winl0gon commented 11 months ago

I was trying to raise a container using the karton-config-extractor that exists in docker hub.

I've tried -modules /path/modules/, -modules /path/modules, karton-config-extractor -modules /path/modules, <nothing param> as arguments to the run command and always get the same error.

I think it's probably a problem on the malduck module side, so I leave it here.

2023/12/04 08:54:01 stdout  ValueError: No strings specified
2023/12/04 08:54:01 stdout      raise ValueError("No strings specified")
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/malduck/yara.py", line 121, in __init__
2023/12/04 08:54:01 stdout      return Yara(rule_paths=rule_paths)
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/malduck/yara.py", line 173, in from_dir
2023/12/04 08:54:01 stdout      self.rules: Yara = Yara.from_dir(modules_path)
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/malduck/extractor/extract_manager.py", line 93, in __init__
2023/12/04 08:54:01 stdout      self.modules = ExtractorModules(config.get("config-extractor", "modules"))
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/karton/config_extractor/config_extractor.py", line 112, in __init__
2023/12/04 08:54:01 stdout      return cls(config=config)
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/karton/core/base.py", line 201, in karton_from_args
2023/12/04 08:54:01 stdout      service = cls.karton_from_args()
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/karton/core/base.py", line 256, in main
2023/12/04 08:54:01 stdout      return self.func(owner, *args, **kwargs)
2023/12/04 08:54:01 stdout    File "/usr/local/lib/python3.9/site-packages/karton/core/utils.py", line 133, in newfunc
2023/12/04 08:54:01 stdout      sys.exit(ConfigExtractor.main())
2023/12/04 08:54:01 stdout    File "/usr/local/bin/karton-config-extractor", line 8, in <module>
2023/12/04 08:54:01 stdout  Traceback (most recent call last):

0xThiebaut commented 11 months ago

Hi @marienmare,

It seems malduck expects the modules to be packages, meaning that the --modules directory should contain other directories as well, not an __init__.py on the first level.

In Docker, karton-config-extractor seems to operate from within the /app/service working directory and have as default module path extractor/modules. With the default Docker settings, a valid module would hence be /app/service/extractor/modules/example/__init__.py. To my understanding, a module placed within the root modules folder (/app/service/extractor/modules/__init__.py) would fail to load and hence cause YARA to error as no modules were successfully loaded.

PS: The karton-config-extractor argument syntax seems to be --modules. I'm not sure the -modules you mentioned would even be taken into account.

Hope this solves your issue!
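
A pre-flight check for the directory layout described in the reply above, as an added example (not code from malduck, karton or either commenter). The function names, the constructed sample trees and the `.yar`/`.yara` extension list are assumptions, and the rule-file check assumes the `ValueError` in the traceback is reached when `Yara.from_dir` collects no rule files.

```python
import os
import tempfile

RULE_EXTS = (".yar", ".yara")  # assumption: extensions treated as YARA rule files

def check_modules_dir(modules_path):
    """Return a list of layout problems; an empty list means nothing was flagged."""
    if not os.path.isdir(modules_path):
        return [f"{modules_path}: not a directory"]
    problems = []
    # A module placed directly in the root is the case the reply says fails to load.
    if os.path.isfile(os.path.join(modules_path, "__init__.py")):
        problems.append("__init__.py at the root of the modules directory")
    packages = []
    for entry in sorted(os.listdir(modules_path)):
        sub = os.path.join(modules_path, entry)
        if not os.path.isdir(sub) or entry.startswith((".", "__")):
            continue
        if os.path.isfile(os.path.join(sub, "__init__.py")):
            packages.append(entry)
        else:
            problems.append(f"{entry}/ has no __init__.py, so it is not a package")
    if not packages:
        problems.append("no <modules>/<name>/__init__.py package found")
    # Assumption: an empty rule set is what leads to "No strings specified".
    rules = [f for _, _, fs in os.walk(modules_path) for f in fs if f.endswith(RULE_EXTS)]
    if not rules:
        problems.append("no .yar/.yara files anywhere under the modules directory")
    return problems

def make_tree(root, relative_files):
    """Create empty files (a constructed sample layout) under root."""
    for rel in relative_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root

def demo():
    """Check a flat layout and a packaged layout, both constructed here."""
    with tempfile.TemporaryDirectory() as tmp:
        flat = make_tree(os.path.join(tmp, "flat"), ["__init__.py"])
        good = make_tree(os.path.join(tmp, "good"),
                         ["example/__init__.py", "example/example.yar"])
        return check_modules_dir(flat), check_modules_dir(good)

if __name__ == "__main__":
    for result in demo():
        print(result or "layout looks fine")
```

Inside the container it can be pointed at the directory that `--modules` refers to before the service is started.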