Malduck: make library for malware researchers
Malduck
Malduck is your ducky companion in malware analysis journeys. It is mostly based on the Roach project, which derives many concepts from the mlib library created by Maciej Kotowicz. The purpose of the fork was to make Roach independent from the Cuckoo Sandbox project while still supporting its internal procmem format.
Malduck provides many improvements resulting from the CERT.pl codebase, making scripts written for malware analysis purposes much shorter and more powerful.
Improvements
- Support for (non)memory-mapped PE images without header fix-up.
- Searching for wildcarded byte sequences
- Support for x64 disassembly
- Fixed-precision integer types
- Many improvements in ProcessMemory
Extraction tools:
- Static configuration extractor engine
  - Module interface
  - Internally used classes and routines
- Memory model objects (procmem)
  - ProcessMemory (procmem)
  - ProcessMemoryPE (procmempe)
  - ProcessMemoryELF (procmemelf)
  - CuckooProcessMemory (cuckoomem)
  - IDAProcessMemory (idamem)
- x86 disassembler
- PE wrapper
- Yara wrapper
Algorithms:
- Cryptography
  - AES
    - AES-CBC mode
    - AES-ECB mode
    - AES-CTR mode
  - Blowfish (ECB only)
  - DES/DES3 (CBC only)
  - Serpent (CBC only)
  - Rabbit
  - RC4
  - XOR
  - RSA (BLOB parser)
  - BLOB struct
    - AES
- Compression algorithms
  - aPLib
  - gzip
  - lznt1 (RtlDecompressBuffer)
- Hashing algorithms
  - CRC32
  - MD5
  - SHA1
  - SHA224/256/384/512
Utilities:
- Common bitwise operations
  - Rotate left/right
  - Align up/down
- Fixed-integer types
  - Object properties
  - UInt64/UInt32/UInt16/UInt8 (QWORD/DWORD/WORD/BYTE)
  - Int64/Int32/Int16/Int8
- Common string operations (padding, chunks, base64)
  - chunks/chunks_iter
  - asciiz/utf16z
  - enhex/unhex
  - Padding (null/pkcs7)
  - Packing/unpacking (p64/p32/p16/p8, u64/u32/u16/u8, bigint)
  - IPv4 inet_ntoa
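The two procmem ideas the list above relies on, a region-mapped view of a memory dump (virtual address to dump offset and back) and a wildcarded byte-sequence search returning virtual addresses, can be shown in a few lines. The block below is an added, self-contained illustration written for this page; it is not malduck's own code and does not use its API. The dump, the two regions and the `push imm32; call` stub are all constructed sample data.

```python
import re
from dataclasses import dataclass


@dataclass
class Region:
    addr: int    # virtual address the region is mapped at
    offset: int  # where the region's bytes start inside the raw dump
    size: int


class MemoryImage:
    """Minimal procmem-like view: a flat dump plus a region map."""

    def __init__(self, buf: bytes, regions):
        self.buf = buf
        self.regions = sorted(regions, key=lambda r: r.addr)

    def v2p(self, addr):
        """Virtual address -> dump offset, or None if the address is unmapped."""
        for r in self.regions:
            if r.addr <= addr < r.addr + r.size:
                return r.offset + (addr - r.addr)
        return None

    def p2v(self, off):
        """Dump offset -> virtual address, or None if the offset is not in a region."""
        for r in self.regions:
            if r.offset <= off < r.offset + r.size:
                return r.addr + (off - r.offset)
        return None

    def readv(self, addr, length):
        off = self.v2p(addr)
        return self.buf[off:off + length]

    def uint32v(self, addr):
        return int.from_bytes(self.readv(addr, 4), "little")

    def findv(self, pattern):
        """Yield virtual addresses of every match of a '??'-wildcarded hex pattern."""
        regex = wildcard_to_regex(pattern)
        for m in regex.finditer(self.buf):
            va = self.p2v(m.start())
            if va is not None:          # skip hits in bytes no region maps
                yield va


def wildcard_to_regex(pattern: str):
    # Each token is a hex byte or '??'; '??' becomes '.', which with DOTALL matches any byte.
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def find_config_ptr(img: MemoryImage):
    """Locate the first 'push imm32; call' stub and return the pushed pointer."""
    hits = list(img.findv("68 ?? ?? ?? ?? e8"))
    return img.uint32v(hits[0] + 1) if hits else None


# Constructed dump: a code region at 0x400000 pushing a pointer to a data region at 0x402000.
CODE = bytes.fromhex("90 90 90 68 00 20 40 00 e8 10 00 00 00 c3").ljust(0x20, b"\xcc")
DATA = b"cfg:\x01\x02\x03\x04".ljust(0x20, b"\x00")
DUMP = CODE + DATA
REGIONS = [Region(0x400000, 0, 0x20), Region(0x402000, 0x20, 0x20)]
```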
Install
pip install malduck
Use
Copyright (C) 2019 CERT-Polska