Maco
1.2.26, verified Mon Apr 27, auth: no, python
Maco is a framework for creating and using malware configuration extractors. It provides a modular approach to extract configuration data from malware samples. Current version is 1.2.26, with regular updates.
pip install maco

Common errors

error: ModuleNotFoundError: No module named 'maco'
cause: Maco is not installed.
fix: Run `pip install maco`.

error: ImportError: cannot import name 'Extractor' from 'maco' (unknown location)
cause: Incorrect import path or outdated installation.
fix: Use `from maco import Extractor`. Ensure maco version >=1.0.

error: TypeError: run() got an unexpected keyword argument 'path'
cause: Using a version of maco that expects a file-like object (v0.x).
fix: Update maco to v1.0+ and change `def run(self, file)` to `def run(self, path)`.

Warnings
breaking: Maco v1.0 introduced a new base class signature. Earlier versions used a different interface. Extensions written for v0.x must be updated.
fix: Update extractor subclasses to use the new run() method signature (path argument instead of file-like object).

gotcha: The run() method must return a dict-like object that serializes to JSON. Non-serializable types will cause errors when collecting results.
fix: Ensure returned config contains only basic types (str, int, list, dict).

deprecated: The `maco.model` module is deprecated. New code should import from `maco` directly.
fix: Use `from maco import Extractor` instead of `from maco.model import Extractor`.
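
The gotcha above about JSON-serializable return values, as an added example (not part of the original page and not Maco's own code): a stand-alone checker and normalizer that an extractor author could run on a config before returning it. The function names, the `hex:` prefix and the sample values are assumptions made for illustration.

```python
import json

BASIC = (str, int, float, bool, type(None))

def find_unserializable(value, path="config"):
    """List (path, type name) for each value outside the basic JSON types."""
    if isinstance(value, dict):
        problems = []
        for key, item in value.items():
            where = f"{path}[{key!r}]"
            if not isinstance(key, str):  # stricter than json: str keys only
                problems.append((where, f"key:{type(key).__name__}"))
            problems += find_unserializable(item, where)
        return problems
    if isinstance(value, (list, tuple)):  # json.dumps writes tuples as arrays
        return [p for i, item in enumerate(value)
                for p in find_unserializable(item, f"{path}[{i}]")]
    return [] if isinstance(value, BASIC) else [(path, type(value).__name__)]

def to_json_safe(value):
    """Recursively convert common extractor outputs to JSON-friendly types."""
    if isinstance(value, (bytes, bytearray)):
        raw = bytes(value)
        try:
            text = raw.decode("ascii")
            if text.isprintable():
                return text            # e.g. a host string read as bytes
        except UnicodeDecodeError:
            pass
        return "hex:" + raw.hex()      # keys and other binary blobs
    if isinstance(value, dict):
        return {k if isinstance(k, str) else str(to_json_safe(k)): to_json_safe(v)
                for k, v in value.items()}
    if isinstance(value, (set, frozenset)):
        return sorted((to_json_safe(v) for v in value), key=repr)  # stable order
    if isinstance(value, (list, tuple)):
        return [to_json_safe(v) for v in value]
    if isinstance(value, BASIC):
        return value
    raise TypeError(f"cannot make {type(value).__name__} JSON-safe")

def serialize(config):
    """Normalize a config, then dump it as deterministic JSON."""
    return json.dumps(to_json_safe(config), sort_keys=True)

# Constructed sample: the kind of dict a run() method might build from raw bytes.
SAMPLE = {"c2": [b"203.0.113.7:443", "example.invalid"], "rc4_key": b"\x00\x01\xfe\xff",
          "ports": {443, 8080}, "campaign": ("a", 1)}
```

Calling `find_unserializable` in a unit test for each extractor catches stray `bytes` or `set` values before results are collected.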
Imports

- Extractor
  wrong: `from maco.model import Extractor`
  correct: `from maco import Extractor`
- YaraConfigExtractor
  wrong: `from maco import YaraConfigExtractor`
  correct: `from maco.extractors.yara_extractor import YaraConfigExtractor`

Quickstart
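```python
from maco import Extractor


class MyExtractor(Extractor):
    # Metadata describing this extractor
    family = "my_family"
    author = "me"
    minimum_maco_version = "1.0.0"

    def run(self, path):
        # Read the sample as raw bytes; it is never executed
        with open(path, 'rb') as f:
            data = f.read()
        # Build the config from basic JSON-serializable types only
        config = {}
        if b'config' in data:
            config['string'] = 'example'
        return config
```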