Welcome to malduck's documentation!
Malduck is your ducky companion in malware analysis journeys. It is mostly based on the Roach project, which derives many concepts from the mlib library created by Maciej Kotowicz. The purpose of the fork was to make Roach independent of the Cuckoo Sandbox project while still supporting Cuckoo's internal procmem format.
The main goal is to build a library for malware researchers that is something like pwntools for CTF players.
Malduck provides many improvements drawn from the CERT.pl codebase, making malware analysis scripts much shorter and more powerful. It includes:
- Static configuration extractor engine
- Memory model objects (procmem)
- x86 disassembler
- PE wrapper
- Yara wrapper
- Compression algorithms
- Hashing algorithms
- Common bitwise operations
- Fixed-integer types
- Common string operations (padding, chunks, base64)