
Malduck is your ducky companion in malware analysis journeys

Project description

:duck: Malduck

Installation ⚙️ | Docs 📚


Malduck is your ducky companion in malware analysis journeys. It is mostly based on the Roach project, which derives many concepts from the mlib library created by Maciej Kotowicz. The purpose of the fork was to make Roach independent of the Cuckoo Sandbox project while still supporting its internal procmem format.

Malduck provides many improvements resulting from CERT.pl codebase, making scripts written for malware analysis purposes much shorter and more powerful.

Features

  • Cryptography (AES, Blowfish, Camellia, ChaCha20, Serpent and many others)
  • Compression algorithms (aPLib, gzip, LZNT1 (RtlDecompressBuffer))
  • Memory model objects (work on memory dumps, PE/ELF, raw files and IDA dumps using the same code)
  • Extraction engine (modular extraction framework for config extraction from files/dumps)
  • Fixed integer types (like Uint64) and bitwise utilities
  • String operations (chunks, padding, packing/unpacking etc.)
  • Hashing algorithms (CRC32, MD5, SHA1, SHA256)

Usage examples

AES

from malduck import aes

key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)

Serpent

from malduck import serpent

key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv)

APLib decompression

from malduck import aplib

# Headerless compressed buffer
aplib(b'T\x00he quick\xecb\x0erown\xcef\xaex\x80jumps\xed\xe4veur`t?lazy\xead\xfeg\xc0\x00')

Fixed integer types

from malduck import DWORD

def sdbm_hash(name: bytes) -> int:
    hh = 0
    for c in name:
        # operations on the DWORD type produce a dword, so a result
        # is also a DWORD.
        hh = DWORD(c) + (hh << 6) + (hh << 16) - hh
    return int(hh)
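An added example, not part of the malduck README, showing where a wrapping sdbm_hash like the one above is used in analysis: building a lookup table of hashed Windows API names so that 32-bit hash constants recovered from a sample can be resolved back to the import they stand for. It uses malduck's DWORD when the package is installed and otherwise a small stand-in that assumes plain unsigned mod 2**32 arithmetic; the API name list and the sample hashes are constructed for the demonstration.

```python
try:
    from malduck import DWORD
except ImportError:
    # malduck not installed: stand-in with the same unsigned 32-bit
    # wraparound (assumption: DWORD arithmetic is plain mod 2**32).
    class DWORD(int):
        def __new__(cls, v):
            return int.__new__(cls, v & 0xFFFFFFFF)

        def __add__(self, o):
            return DWORD(int(self) + int(o))

        __radd__ = __add__

        def __sub__(self, o):
            return DWORD(int(self) - int(o))

        def __lshift__(self, n):
            return DWORD(int(self) << n)


def sdbm_hash(name: bytes) -> int:
    """sdbm over raw bytes; every step wraps to 32 bits like the DWORD type."""
    hh = 0
    for c in name:
        hh = DWORD(c) + (hh << 6) + (hh << 16) - hh
    return int(hh)


# Constructed sample: names an analyst expects a loader to resolve by hash.
API_NAMES = [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
             b"CreateFileA", b"WriteFile"]


def build_hash_table(names, hasher=sdbm_hash):
    """Map hash value -> API name; a collision would make lookups ambiguous."""
    table = {}
    for n in names:
        h = hasher(n)
        if h in table and table[h] != n:
            raise ValueError(f"collision: {table[h]!r} and {n!r} -> {h:#010x}")
        table[h] = n
    return table


def resolve_hashes(hashes, table):
    """Pair each recovered constant with its API name, or None if unknown."""
    return [(h, table.get(h)) for h in hashes]
```

With a real dump the input to resolve_hashes would be the DWORD constants read from the sample (for example via uint32v on a procmem object) rather than a constructed list.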

Extractor engine - module example

import logging

from malduck import Extractor

log = logging.getLogger(__name__)

class Citadel(Extractor):
    family = "citadel"
    yara_rules = ("citadel",)
    # results from this module take precedence over the "zeus" family
    overrides = ("zeus",)

    @Extractor.string("briankerbs")
    def citadel_found(self, p, addr, match):
        log.info('[+] `Coded by Brian Krebs` str @ %X' % addr)
        return True

    # used without an argument, the string name defaults to the method name
    @Extractor.string
    def cit_login(self, p, addr, match):
        log.info('[+] Found login_key xor @ %X' % addr)
        # the key pointer follows the matched string; try both candidate offsets
        hit = p.uint32v(addr + 4)
        print(hex(hit))
        if p.is_addr(hit):
            return {'login_key': p.asciiz(hit)}

        hit = p.uint32v(addr + 5)
        print(hex(hit))
        if p.is_addr(hit):
            return {'login_key': p.asciiz(hit)}

Memory model objects

from malduck import procmempe

with procmempe.from_file("notepad.exe", image=True) as p:
    resource_data = p.pe.resource("NPENCODINGDIALOG")

How to start

Install it by running

pip install malduck

More documentation can be found on readthedocs.

Co-financed by the Connecting Europe Facility of the European Union

Project details


Download files


Source Distributions

No source distribution files available for this release.

Built Distribution

malduck-4.3.0-py3-none-any.whl (91.9 kB)

Uploaded Python 3

File details

Details for the file malduck-4.3.0-py3-none-any.whl.

File metadata

  • Download URL: malduck-4.3.0-py3-none-any.whl
  • Upload date:
  • Size: 91.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.8.14

File hashes

Hashes for malduck-4.3.0-py3-none-any.whl

  • SHA256: 6f9df1639985a75e7a04a9d57075a9678a075dcfdf76b6e19f61716cf784e784
  • MD5: 38ef4eee33cfa959b5363c762a53e37f
  • BLAKE2b-256: 3847c5d8347fb9ab7a08823b885dedb5d0b42ae1cd654ac32dc6d9707e10e5cd

