
Malduck is your ducky companion in malware analysis journeys

Project description

:duck: Malduck

Installation ⚙️ | Docs 📚


Malduck is your ducky companion in malware analysis journeys. It is mostly based on the Roach project, which derives many concepts from the mlib library created by Maciej Kotowicz. The purpose of the fork was to make Roach independent of the Cuckoo Sandbox project while still supporting Cuckoo's internal procmem format.

Malduck provides many improvements taken from the CERT.pl codebase, making scripts written for malware analysis much shorter and more powerful.

Features

  • Cryptography (AES, Blowfish, Camellia, ChaCha20, Serpent and many others)
  • Compression algorithms (aPLib, gzip, LZNT1 (RtlDecompressBuffer))
  • Memory model objects (work on memory dumps, PE/ELF, raw files and IDA dumps using the same code)
  • Extraction engine (modular extraction framework for config extraction from files/dumps)
  • Fixed integer types (like Uint64) and bitwise utilities
  • String operations (chunks, padding, packing/unpacking etc)
  • Hashing algorithms (CRC32, MD5, SHA1, SHA256)

Usage examples

AES

from malduck import aes

key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)

Serpent

from malduck import serpent

key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
# Note the argument order: serpent.cbc.encrypt takes (key, data, iv),
# unlike aes.cbc.encrypt(key, iv, data) above.
ciphertext = serpent.cbc.encrypt(key, plaintext, iv)

APLib decompression

from malduck import aplib

# Headerless compressed buffer (no "AP32" header), decompressed in one call
decompressed = aplib(b'T\x00he quick\xecb\x0erown\xcef\xaex\x80jumps\xed\xe4veur`t?lazy\xead\xfeg\xc0\x00')
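To show what the one-liner above actually does, here is a pure-Python decoder for the headerless aPLib format, added as an example and not malduck's own code. It is run on the README's buffer; the bounds check in `copy` is an addition for untrusted input (a malformed back-reference raises instead of silently producing garbage).

```python
def aplib_decompress(data: bytes) -> bytes:
    out, src, tag, bits = bytearray(), 0, 0, 0
    def getbit() -> int:
        nonlocal src, tag, bits
        if bits == 0:                       # refill the 8-bit tag byte
            tag, src, bits = data[src], src + 1, 8
        bits -= 1
        return (tag >> bits) & 1            # bits are consumed MSB first
    def getgamma() -> int:                  # value bits interleaved with continue bits
        n = 1
        while True:
            n = (n << 1) + getbit()
            if not getbit():
                return n
    def copy(offs: int, length: int) -> None:
        if offs <= 0 or offs > len(out):    # untrusted input: never read before the output start
            raise ValueError("aPLib back-reference outside decoded output")
        for _ in range(length):
            out.append(out[-offs])
    out.append(data[src]); src += 1         # first byte is always a literal
    r0, lwm = -1, 0                         # last offset, "last was a match" flag
    while src < len(data):
        if not getbit():                    # 0   : literal byte
            out.append(data[src]); src += 1
            lwm = 0
        elif not getbit():                  # 10  : gamma-coded offset and length
            offs = getgamma()
            if lwm == 0 and offs == 2:      # 2 right after a literal means "reuse r0"
                offs, length = r0, getgamma()
            else:
                offs = ((offs - 3 if lwm == 0 else offs - 2) << 8) + data[src]; src += 1
                length = getgamma() + (offs >= 32000) + (offs >= 1280) + 2 * (offs < 128)
                r0 = offs
            copy(offs, length); lwm = 1
        elif not getbit():                  # 110 : one-byte offset/length, offset 0 ends the stream
            b = data[src]; src += 1
            offs, length = b >> 1, 2 + (b & 1)
            if offs == 0:
                break
            copy(offs, length); r0, lwm = offs, 1
        else:                               # 111 : 4-bit offset copying one byte (0 emits a NUL)
            offs = sum(getbit() << (3 - i) for i in range(4))
            if offs:
                copy(offs, 1)
            else:
                out.append(0)
            lwm = 0
    return bytes(out)
```

Feeding it the README's buffer yields `b"The quick brown fox jumps over the lazy dog"`, the same result `malduck.aplib` returns.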

Fixed integer types

from malduck import DWORD

def sdbm_hash(name: bytes) -> int:
    hh = 0
    for c in name:
        # operations on the DWORD type produce a dword, so a result
        # is also a DWORD.
        hh = DWORD(c) + (hh << 6) + (hh << 16) - hh
    return int(hh)

Extractor engine - module example

import logging

from malduck import Extractor

log = logging.getLogger(__name__)

class Citadel(Extractor):
    family = "citadel"
    yara_rules = ("citadel",)
    overrides = ("zeus",)

    # Matches the YARA string named "briankerbs" from the "citadel" rule
    @Extractor.string("briankerbs")
    def citadel_found(self, p, addr, match):
        log.info('[+] `Coded by Brian Krebs` str @ %X' % addr)
        return True

    # With no argument, the string name defaults to the method name ("cit_login")
    @Extractor.string
    def cit_login(self, p, addr, match):
        log.info('[+] Found login_key xor @ %X' % addr)
        # Try both candidate operand offsets; only dereference if the value
        # is a valid address inside the dumped memory.
        hit = p.uint32v(addr + 4)
        print(hex(hit))
        if p.is_addr(hit):
            return {'login_key': p.asciiz(hit)}

        hit = p.uint32v(addr + 5)
        print(hex(hit))
        if p.is_addr(hit):
            return {'login_key': p.asciiz(hit)}

Memory model objects

from malduck import procmempe

with procmempe.from_file("notepad.exe", image=True) as p:
    resource_data = p.pe.resource("NPENCODINGDIALOG")

How to start

Install it by running

pip install malduck

More documentation can be found on readthedocs.

Co-financed by the Connecting Europe Facility of the European Union


Built Distribution

malduck-4.3.2-py3-none-any.whl (92.0 kB), uploaded for Python 3

File metadata

  • Download URL: malduck-4.3.2-py3-none-any.whl
  • Size: 92.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.17

File hashes for malduck-4.3.2-py3-none-any.whl

  • SHA256: 22eb7efba050a78327cefd07bb82ecf030fcbf8d97d0545a776d44c82f8dabe4
  • MD5: 02b399b78d45ad3909eddaa6d55c2ebc
  • BLAKE2b-256: 77592beab8f745098ed5b2d0b6b90c9a23323e75740a3ca64649e3af9571ea59
