{"id":27129,"library":"maco","title":"Maco","description":"Maco is a framework for creating and using malware configuration extractors. It provides a modular approach to extracting configuration data from malware samples. Current version is 1.2.26, with regular updates.","status":"active","version":"1.2.26","language":"python","source_language":"en","source_url":"https://github.com/CybercentreCanada/Maco","tags":["malware","configuration-extractor","forensics","reverse-engineering"],"install":[{"cmd":"pip install maco","lang":"bash","label":"Default install"}],"dependencies":[{"reason":"Required for YARA rule support in extractors","package":"yara-python","optional":true},{"reason":"Used for ELF parsing","package":"pyelftools","optional":true},{"reason":"Used for PE parsing","package":"pefile","optional":true}],"imports":[{"note":"The base class is exposed at the top level of the maco package, not in maco.model.","wrong":"from maco.model import Extractor","symbol":"Extractor","correct":"from maco import Extractor"},{"note":"YaraConfigExtractor is a built-in extractor in maco.extractors.yara_extractor.","wrong":"from maco import YaraConfigExtractor","symbol":"YaraConfigExtractor","correct":"from maco.extractors.yara_extractor import YaraConfigExtractor"}],"quickstart":{"code":"from maco import Extractor\n\nclass MyExtractor(Extractor):\n    family = \"my_family\"\n    author = \"me\"\n    minimum_maco_version = \"1.0.0\"\n\n    def run(self, path):\n        with open(path, 'rb') as f:\n            data = f.read()\n        config = {}\n        if b'config' in data:\n            config['string'] = 'example'\n        return config\n","lang":"python","description":"Define a custom extractor by subclassing Extractor and implementing the run method."},"warnings":[{"fix":"Update extractor subclasses to use the new run() method signature (path argument instead of file-like object).","message":"Maco v1.0 introduced a new base class signature. Earlier versions used a different interface. Extensions written for v0.x must be updated.","severity":"breaking","affected_versions":"<1.0"},{"fix":"Ensure returned config contains only basic types (str, int, list, dict).","message":"The run() method must return a dict-like object that serializes to JSON. Non-serializable types will cause errors when collecting results.","severity":"gotcha","affected_versions":">=1.0"},{"fix":"Use `from maco import Extractor` instead of `from maco.model import Extractor`.","message":"The `maco.model` module is deprecated. New code should import from `maco` directly.","severity":"deprecated","affected_versions":">=1.2"}],"env_vars":null,"last_verified":"2026-04-27T00:00:00.000Z","next_check":"2026-07-26T00:00:00.000Z","problems":[{"fix":"Run `pip install maco`.","cause":"Maco is not installed.","error":"ModuleNotFoundError: No module named 'maco'"},{"fix":"Use `from maco import Extractor`. Ensure maco version >=1.0.","cause":"Incorrect import path or outdated installation.","error":"ImportError: cannot import name 'Extractor' from 'maco' (unknown location)"},{"fix":"Update maco to v1.0+ and change `def run(self, file)` to `def run(self, path)`.","cause":"Using a version of maco that expects a file-like object (v0.x).","error":"TypeError: run() got an unexpected keyword argument 'path'"}],"ecosystem":"pypi","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}