Malduck is your ducky companion in malware analysis journeys. It is mostly based on Roach project, which derives many concepts from mlib
library created by Maciej Kotowicz. The purpose of fork was to make Roach independent from Cuckoo Sandbox project, but still supporting its internal procmem
format.
Malduck provides many improvements resulting from CERT.pl codebase, making scripts written for malware analysis purposes much shorter and more powerful.
- Cryptography (AES, Blowfish, Camelie, ChaCha20, Serpent and many others)
- Compression algorithms (aPLib, gzip, LZNT1 (RtlDecompressBuffer))
- Memory model objects (work on memory dumps, PE/ELF, raw files and IDA dumps using the same code)
- Extraction engine (modular extraction framework for config extraction from files/dumps)
- Fixed integer types (like Uint64) and bitwise utilities
- String operations (chunks, padding, packing/unpacking etc)
- Hashing algorithms (CRC32, MD5, SHA1, SHA256)
from malduck import aes
key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)
from malduck import serpent
key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv)
from malduck import aplib
# Headerless compressed buffer
aplib(b'T\x00he quick\xecb\x0erown\xcef\xaex\x80jumps\xed\xe4veur`t?lazy\xead\xfeg\xc0\x00')
from malduck import DWORD
def sdbm_hash(name: bytes) -> int:
hh = 0
for c in name:
# operations on the DWORD type produce a dword, so a result
# is also a DWORD.
hh = DWORD(c) + (hh << 6) + (hh << 16) - hh
return int(hh)
from malduck import Extractor
class Citadel(Extractor):
family = "citadel"
yara_rules = ("citadel",)
overrides = ("zeus",)
@Extractor.string("briankerbs")
def citadel_found(self, p, addr, match):
log.info('[+] `Coded by Brian Krebs` str @ %X' % addr)
return True
@Extractor.string
def cit_login(self, p, addr, match):
log.info('[+] Found login_key xor @ %X' % addr)
hit = p.uint32v(addr + 4)
print(hex(hit))
if p.is_addr(hit):
return {'login_key': p.asciiz(hit)}
hit = p.uint32v(addr + 5)
print(hex(hit))
if p.is_addr(hit):
return {'login_key': p.asciiz(hit)}
from malduck import procmempe
with procmempe.from_file("notepad.exe", image=True) as p:
resource_data = p.pe.resource("NPENCODINGDIALOG")
Install it by running
pip install malduck
More documentation can be found on readthedocs.