cuckoosandbox / cuckoo

Cuckoo Sandbox is an automated dynamic malware analysis system
http://www.cuckoosandbox.org

Problem with custom Extractor module #2141

Open frank2411 opened 6 years ago

frank2411 commented 6 years ago

Good morning.

My problem is simple.

I'm trying to create a custom Extractor to get shellcodes, olefiles etc from a rtf file.

If I didn't get it wrong from the code, it seems that an extractor triggers its handle_yara method when a yara rule in the yara_rules variable is matched. I took the community OleStream extractor as an example.

I know that after the extraction cuckoo tries to match other yaras recursively.

So if everything I understood is right, my extractor, even if my custom yara rule is matched, doesn't even init (in a sort of despair I've also tried to overwrite the init method).

With rtfobj from the shell I've tried to extract the files from my rtf and they are there.

What am I doing wrong? Do I have to register the extractor somewhere?

Here's my extractor code.

```python
from oletools.rtfobj import RtfObjParser
from cuckoo.common.abstracts import Extractor

class RTFShellcode(Extractor):
    # Name of the yara rule whose match should trigger handle_yara().
    yara_rules = "RTFShellcode"
    minimum = "2.0.5"

    def handle_yara(self, filepath, match):
        # Read the whole RTF and let rtfobj locate the embedded objects.
        with open(filepath, "rb") as f:
            rtf_stream = f.read()
        rtfp = RtfObjParser(rtf_stream)
        rtfp.parse()

        # Hand every embedded object back to Cuckoo as a "binaries" blob
        # so it is scanned again recursively.
        for rtf_extracted in rtfp.objects:
            self.push_blob(rtf_extracted.rawdata, "binaries", None, {})
```

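To rule out the handler itself while chasing the loading problem, here is an added example (not the commenter's code and not Cuckoo's API) that drives the same extraction logic offline: `StubExtractor` is a hypothetical stand-in for `cuckoo.common.abstracts.Extractor` that only records `push_blob` calls, `extract_objdata` is a simplified replacement for rtfobj that decodes `\objdata` hex payloads, and the RTF sample is constructed inline.

```python
import binascii
import os
import re
import tempfile

# Hypothetical stand-in for cuckoo.common.abstracts.Extractor: it only
# collects what the handler pushes so the logic can be checked offline.
class StubExtractor(object):
    yara_rules = []
    minimum = "2.0.5"

    def __init__(self):
        self.blobs = []

    def push_blob(self, blob, category, externals, info=None):
        self.blobs.append((category, blob))

# Simplified replacement for rtfobj: grab the hex payload after each
# \objdata control word (stops at the closing brace), ignoring whitespace.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

def extract_objdata(rtf_bytes):
    blobs = []
    for hexdata in OBJDATA_RE.findall(rtf_bytes):
        hexdata = re.sub(rb"\s+", b"", hexdata)
        if len(hexdata) % 2:          # tolerate a stray trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs

class RTFShellcode(StubExtractor):
    yara_rules = "RTFShellcode"

    def handle_yara(self, filepath, match):
        with open(filepath, "rb") as f:
            data = f.read()
        for blob in extract_objdata(data):
            self.push_blob(blob, "binaries", None, {"rule": match})
        return len(self.blobs)

def run_on_bytes(rtf_bytes, rule_name="RTFShellcode"):
    """Write the RTF to a temp file and call the handler as Cuckoo would."""
    with tempfile.NamedTemporaryFile(suffix=".rtf", delete=False) as tmp:
        tmp.write(rtf_bytes)
        path = tmp.name
    try:
        ext = RTFShellcode()
        ext.handle_yara(path, rule_name)   # rule name stands in for the match
        return ext.blobs
    finally:
        os.unlink(path)
```

If this returns the expected blobs, the remaining question is purely where Cuckoo enumerates Extractor plugins, not the handler code.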
jbremer commented 6 years ago

On a first view, your Extractor plugin looks fine. Could you share the Yara rule & sample(s)?

frank2411 commented 6 years ago

Yes, of course.

This is my yara rule (I took it from the internet but it suits):

```yara
// This rule has been improved by Javier Rascon
rule RTFShellcode {
    meta:
        author = "RSA-IR – Jared Greenhill"
        date = "01/21/13"
        description = "identifies RTF's with potential shellcode"
        filetype = "RTF"

    strings:
        $rtfmagic={7B 5C 72 74 66}
        /* $scregex=/[39 30]{2,20}/ */
        $scregex=/(90){2,20}/

    condition:
        ($rtfmagic at 0) and ($scregex)
}
```

I've put it into cwd/yara/binaries/ because if I put it in cwd/yara/office/ cuckoo sees the signature but doesn't trigger it (I don't know why).

And here's my sample, zipped.

Fire.zip

I don't know if this info will be of any use: I've installed cuckoo in development mode.

Thank you

frank2411 commented 6 years ago

Hi,

sorry for bothering. Have you got any news?

Can I give you a hand? If you tell me where cuckoo loads the extractors (files etc.), I can try to resolve the issue and then send you a pull request.

Thanks

doomedraven commented 6 years ago

check community repo

frank2411 commented 6 years ago

What do I have to check precisely?

I opened this issue due to a "possible" bug.

And, if you read jbremer's answer, my code is fine because I've already checked the community repo and the cuckoo repo (my extractor is based on the OleStream extractor).

Without doing that, given the lack of documentation, it wouldn't have been possible for me to write correct code.

So, I'll rewrite the question: where, in the cuckoo core, do you load the extractors? Why, even if my code and my signature are correct, does my extractor still not load?

If you think that this is a problem located in the community files, then point me to them.

Otherwise let me help you solve the problem, even if this implies modifying the core code.

frank2411 commented 6 years ago

@jbremer Hi, any news? Have you had the time to read the last mail I sent you with the requested info? Thank you and sorry to bother you.