Local Transform Architecture

Overview

Local transforms are pieces of code that run on the same machine as the client application. They are useful for integrating machine-specific tasks, such as running an application that is installed locally (nmap, for example) or a task that depends on the machine's own setup, such as accessing data over a VPN. These transforms can be written in any language (yes, *any* language) and only need to write their output to STDOUT (think of a command-line application).

Transform Overview

Transforms should be thought of as tiny pieces of code that convert one type of information into another. It is very important to write transforms so that they are extensible (transforms can build on the output of other transforms) and so that they return the smallest pieces of information possible rather than large blocks of text at a time. The reason we emphasise small pieces of information is that they let you harness the power of Maltego's link analysis: if a transform returns an IP address's ports and banners as separate entities rather than as one block of text, the graph can show which hosts share a port or a banner, which a single text block cannot. Take the two images below for example (they simply show IP addresses together with their ports and banners):

[Two graph images: IP addresses with their ports and banners shown as separate, linked entities]


How local transforms work

Local transforms are called from the command line and interact with Maltego via STDIN and STDOUT. When you right-click on an entity and run a transform, Maltego starts your executable (the transform) and passes it the following:
  • Entity Value (what is displayed on the graph) -- this is the first argument.
  • Entity Fields (the fields contained in the entity) -- this is the second argument; fields are separated from each other by '#' characters, and within each field the name and value are separated by an '=' sign.
For example, if you had a person entity of 'Andrew MacPherson' (as displayed on the graph), it would have the fields:

Display Name (in details)   Variable Name       Value
Full Name                   person.fullname     Andrew MacPherson
First Names                 person.firstnames   Andrew
Surname                     person.lastname     MacPherson

(These fields can all be found by clicking Manage Entities under the Manage tab, finding the entity in question, clicking the (...) next to its name and navigating to the Additional Properties tab.)

Execution
The execution of a transform on the above entity would be as follows (if I were running a Python script called 'personTransform.py' in /home/andrew/localTransforms):

andrew@devBox3: /home/andrew/localTransforms/# /usr/bin/python personTransform.py "Andrew MacPherson" "person.fullname=Andrew MacPherson#person.firstnames=Andrew#person.lastname=MacPherson"

(Maltego hands the field list to the transform as a single second argument. When you reproduce the call by hand in a shell, as above, it must be quoted, otherwise the space in 'Andrew MacPherson' splits it into two arguments and the transform sees the wrong field string.)

At a minimum a transform simply needs to return valid XML (this is covered in the Specification above) via STDOUT, something like:
<MaltegoMessage>
	<MaltegoTransformResponseMessage>
		<Entities>
			<Entity Type="maltego.Phrase">
				<Value>Hello Transform World</Value>
			</Entity>
		</Entities>
	</MaltegoTransformResponseMessage>
</MaltegoMessage>


In the above you can see that we are returning just a single entity, a Phrase with the value 'Hello Transform World'. If I had configured the transform to run on a Domain entity and executed it, I would have seen the following within the client: a single Phrase entity, 'Hello Transform World', drawn on the graph and linked to the domain it was run on.
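As an added example (this is not code from the original page, nor Maltego's own transform library), here is a complete personTransform.py in Python 3 that does both halves of the exchange described above: it parses the two arguments Maltego passes in and writes the response XML to STDOUT. The field names and the 'Hello Transform World' phrase come from the page; the function names, the python3 interpreter and the decision to return each name field as its own Phrase entity are my assumptions. The XML is built with ElementTree rather than by string concatenation, so an entity value containing '<', '&' or a quote (which a transform fed from untrusted data such as a service banner will eventually see) is escaped instead of corrupting the response.

```python
#!/usr/bin/env python3
"""personTransform.py: a minimal Maltego local transform (added example).

Maltego runs it as:
    python3 personTransform.py "<entity value>" "<name1>=<v1>#<name2>=<v2>..."
and reads a MaltegoMessage XML document back from STDOUT.
"""
import sys
import xml.etree.ElementTree as ET


def parse_fields(raw):
    """Parse the '#'-separated name=value list Maltego passes as argv[2].

    Only the first '=' splits a field, so a value that itself contains '='
    survives intact. Empty segments are ignored.
    """
    fields = {}
    if not raw:
        return fields
    for item in raw.split("#"):
        if not item:
            continue
        name, sep, value = item.partition("=")
        fields[name] = value if sep else ""
    return fields


def build_response(entities):
    """Serialise (entity_type, value, {field_name: field_value}) triples into
    the Maltego response XML shown on the page.

    ElementTree escapes '<', '&' and quotes in values and attributes, so a
    hostile entity value cannot inject extra elements into the response.
    """
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value, extra in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
        if extra:
            af = ET.SubElement(ent, "AdditionalFields")
            for name, fval in extra.items():
                f = ET.SubElement(af, "Field", Name=name, DisplayName=name)
                f.text = fval
    return ET.tostring(msg, encoding="unicode")


def transform(value, fields):
    """The transform logic itself (my assumption of what a demo should do).

    Returns the page's hello Phrase plus one small Phrase per name field,
    rather than one block of text, so link analysis can connect people who
    share a first name or surname.
    """
    out = [("maltego.Phrase", "Hello Transform World", {})]
    for name in ("person.firstnames", "person.lastname"):
        if fields.get(name):
            out.append(("maltego.Phrase", fields[name], {}))
    return out


def main(argv):
    value = argv[1] if len(argv) > 1 else ""
    fields = parse_fields(argv[2] if len(argv) > 2 else "")
    sys.stdout.write(build_response(transform(value, fields)))
    sys.stdout.flush()
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the quoted arguments from the execution example and you get the same MaltegoMessage document as above, extended with two further Phrase entities ("Andrew" and "MacPherson"). Anything you print for debugging must go to STDERR, not STDOUT, or it will be mixed into the XML and the client will reject the response.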



Local transforms are really *that* simple: return valid XML and you can do anything with them, from running external applications to integrating with APIs.