Malduck v4.4 releases: make library for malware researchers

Extraction tools:

• Static configuration extractor engine
  • Module interface
  • Internally used classes and routines
• Memory model objects (procmem)
  • ProcessMemory (procmem)
  • ProcessMemoryPE (procmempe)
  • ProcessMemoryELF (procmemelf)
  • CuckooProcessMemory (cuckoomem)
  • IDAProcessMemory (idamem)
• x86 disassembler
• PE wrapper
• Yara wrapper

Algorithms:

• Cryptography
  • AES
    • AES-CBC mode
    • AES-ECB mode
    • AES-CTR mode
  • Blowfish (ECB only)
  • DES/DES3 (CBC only)
  • Serpent (CBC only)
  • Rabbit
  • RC4
  • XOR
  • RSA (BLOB parser)
  • BLOB struct
• Compression algorithms
  • aPLib
  • gzip
  • lznt1 (RtlDecompressBuffer)
• Hashing algorithms
  • CRC32
  • MD5
  • SHA1
  • SHA224/256/384/512

Utilities:

• Common bitwise operations
  • Rotate left/right
  • Align up/down
• Fixed-integer types
  • Object properties
  • UInt64/UInt32/UInt16/UInt8 (QWORD/DWORD/WORD/BYTE)
  • Int64/Int32/Int16/Int8
• Common string operations (padding, chunks, base64)
  • chunks/chunks_iter
  • asciiz/utf16z
  • enhex/unhex
  • Padding (null/pkcs7)
  • Packing/unpacking (p64/p32/p16/p8, u64/u32/u16/u8, bigint)
  • IPv4 inet_ntoa

Changelog v4.4

New features and improvements:

• Make it possible to specify a base when rebuilding the PE (by @msm-code in #107)

Bugfixes:

• Fixed issues in malduck.extractor with extracting configuration from binaries that are not at the beginning of the memory dump (by @psrok1 in #100)
• Include image=True binaries in load_binaries_from_memory (by @psrok1 in #108)

Install

pip install malduck

Use

Copyright (C) 2019 CERT-Polska