Description:

malduck 4.4.1

:duck: Malduck
Installation ⚙️ | Docs 📚

Malduck is your ducky companion in malware analysis journeys. It is mostly based on Roach project, which derives many concepts from mlib
library created by Maciej Kotowicz. The purpose of fork was to make Roach independent from Cuckoo Sandbox project, but still supporting its internal procmem format.
Malduck provides many improvements resulting from CERT.pl codebase, making scripts written for malware analysis purposes much shorter and more powerful.
Features

Cryptography (AES, Blowfish, Camelie, ChaCha20, Serpent and many others)
Compression algorithms (aPLib, gzip, LZNT1 (RtlDecompressBuffer))
Memory model objects (work on memory dumps, PE/ELF, raw files and IDA dumps using the same code)
Extraction engine (modular extraction framework for config extraction from files/dumps)
Fixed integer types (like Uint64) and bitwise utilities
String operations (chunks, padding, packing/unpacking etc)
Hashing algorithms (CRC32, MD5, SHA1, SHA256)

Usage examples
AES
from malduck import aes

key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)

Serpent
from malduck import serpent

key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv)

APLib decompression
from malduck import aplib

# Headerless compressed buffer
aplib(b'T\x00he quick\xecb\x0erown\xcef\xaex\x80jumps\xed\xe4veur`t?lazy\xead\xfeg\xc0\x00')

Fixed integer types
from malduck import DWORD

def sdbm_hash(name: bytes) -> int:
hh = 0
for c in name:
# operations on the DWORD type produce a dword, so a result
# is also a DWORD.
hh = DWORD(c) + (hh << 6) + (hh << 16) - hh
return int(hh)

Extractor engine - module example
from malduck import Extractor

class Citadel(Extractor):
family = "citadel"
yara_rules = ("citadel",)
overrides = ("zeus",)

@Extractor.string("briankerbs")
def citadel_found(self, p, addr, match):
log.info('[+] `Coded by Brian Krebs` str @ %X' % addr)
return True

@Extractor.string
def cit_login(self, p, addr, match):
log.info('[+] Found login_key xor @ %X' % addr)
hit = p.uint32v(addr + 4)
print(hex(hit))
if p.is_addr(hit):
return {'login_key': p.asciiz(hit)}

hit = p.uint32v(addr + 5)
print(hex(hit))
if p.is_addr(hit):
return {'login_key': p.asciiz(hit)}

Memory model objects
from malduck import procmempe

with procmempe.from_file("notepad.exe", image=True) as p:
resource_data = p.pe.resource("NPENCODINGDIALOG")

How to start
Install it by running
pip install malduck

More documentation can be found on readthedocs.

License

For personal and professional use. You cannot resell or redistribute these repositories in their original state.

Share

• Share on Facebook
• Share on Twitter