Cryptographyο
Common cryptography algorithms used in malware.
AESο
AES (Advanced Encryption Standard) block cipher.
Supported modes: CBC, ECB, CTR.
from malduck import aes
key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)
AES-CBC modeο
- malduck.aes.cbc.encrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Encrypts buffer using AES algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.aes.cbc.decrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Decrypts buffer using AES algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
AES-ECB modeο
- malduck.aes.ecb.encrypt(key: bytes, data: bytes) bytes ο
Encrypts buffer using AES algorithm in ECB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.aes.ecb.decrypt(key: bytes, data: bytes) bytes ο
Decrypts buffer using AES algorithm in ECB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
AES-CTR modeο
- malduck.aes.ctr.encrypt(key: bytes, nonce: bytes, data: bytes) bytes ο
Encrypts buffer using AES algorithm in CTR mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
nonce (bytes) β Initial counter value, big-endian encoded
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.aes.ctr.decrypt(key: bytes, nonce: bytes, data: bytes) bytes ο
Decrypts buffer using AES algorithm in CTR mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
nonce (bytes) β Initial counter value, big-endian encoded
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Blowfish (ECB only)ο
Blowfish block cipher.
Supported modes: ECB.
from malduck import blowfish
key = b'blowfish'
plaintext = b'data'*16
ciphertext = blowfish.ecb.encrypt(key, plaintext)
- malduck.blowfish.ecb.encrypt(key: bytes, data: bytes) bytes ο
Encrypts buffer using Blowfish algorithm in ECB mode.
- Parameters:
key (bytes) β Cryptographic key (4 to 56 bytes)
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.blowfish.ecb.decrypt(key: bytes, data: bytes) bytes ο
Decrypts buffer using Blowfish algorithm in ECB mode.
- Parameters:
key (bytes) β Cryptographic key (4 to 56 bytes)
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Camelliaο
Camellia block cipher.
Supported modes: ECB, CBC, CTR, CFB, OFB.
from malduck import camellia
key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = camellia.ecb.encrypt(key, iv, plaintext)
Camellia-ECB modeο
- malduck.camellia.ecb.encrypt(key: bytes, data: bytes) bytes ο
Encrypts buffer using Camellia algorithm in ECB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.camellia.ecb.decrypt(key: bytes, data: bytes) bytes ο
Decrypts buffer using Camellia algorithm in ECB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Camellia-CBC modeο
- malduck.camellia.cbc.encrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Encrypts buffer using Camellia algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.camellia.cbc.decrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Decrypts buffer using Camellia algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Camellia-CTR modeο
- malduck.camellia.ctr.encrypt(key: bytes, nonce: bytes, data: bytes) bytes ο
Encrypts buffer using Camellia algorithm in CTR mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
nonce (bytes) β Initial counter value, big-endian encoded
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.camellia.ctr.decrypt(key: bytes, nonce: bytes, data: bytes) bytes ο
Decrypts buffer using Camellia algorithm in CTR mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
nonce (bytes) β Initial counter value, big-endian encoded
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Camellia-CFB modeο
- malduck.camellia.cfb.encrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Encrypts buffer using Camellia algorithm in CFB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.camellia.cfb.decrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Decrypts buffer using Camellia algorithm in CFB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Camellia-OFB modeο
- malduck.camellia.ofb.encrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Encrypts buffer using Camellia algorithm in OFB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.camellia.ofb.decrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Decrypts buffer using Camellia algorithm in OFB mode.
- Parameters:
key (bytes) β Cryptographic key (128, 192 or 256 bits)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
ChaCha20ο
ChaCha20 stream cipher.
Assumes empty nonce if none given.
from malduck import chacha20
key = b'chachaKeyHereNow' * 2
nonce = b'\x01\x02\x03\x04\x05\0x6\0x7'
plaintext = b'data'*16
ciphertext = chacha20.decrypt(key, plaintext, nonce)
- malduck.chacha20.encrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes ο
Encrypts buffer using ChaCha20 algorithm.
- Parameters:
key (bytes) β Cryptographic key (32 bytes)
data (bytes) β Buffer to be encrypted
nonce (bytes, optional) β Nonce value (8/12 bytes, defaults to bβ\x00β*8 )
- Returns:
Encrypted data
- Return type:
bytes
- malduck.chacha20.decrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes ο
Decrypts buffer using ChaCha20 algorithm.
- Parameters:
key (bytes) β Cryptographic key (32 bytes)
data (bytes) β Buffer to be decrypted
nonce (bytes, optional) β Nonce value (8/12 bytes, defaults to bβ\x00β*8 )
- Returns:
Decrypted data
- Return type:
bytes
DES/DES3 (CBC only)ο
Triple DES block cipher.
Fallbacks to single DES for 8 byte keys.
Supported modes: CBC.
from malduck import des3
key = b'des3des3'
iv = b'3des3des'
plaintext = b'data' * 16
ciphertext = des3.cbc.encrypt(key, plaintext)
- malduck.des3.cbc.encrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Encrypts buffer using DES/DES3 algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (16 or 24 bytes, 8 bytes for single DES)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be encrypted
- Returns:
Encrypted data
- Return type:
bytes
- malduck.des3.cbc.decrypt(key: bytes, iv: bytes, data: bytes) bytes ο
Decrypts buffer using DES/DES3 algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (16 or 24 bytes, 8 bytes for single DES)
iv (bytes) β Initialization vector
data (bytes) β Buffer to be decrypted
- Returns:
Decrypted data
- Return type:
bytes
Salsa20ο
Salsa20 stream cipher.
Assumes empty nonce if none given.
from malduck import salsa20
key = b'salsaFTW' * 4
nonce = b'\x01\x02\x03\x04\x05\0x6\0x7'
plaintext = b'data' * 16
ciphertext = salsa20.decrypt(key, plaintext, nonce)
- malduck.salsa20.encrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes ο
Encrypts buffer using Salsa20 algorithm.
- Parameters:
key (bytes) β Cryptographic key (16/32 bytes)
data (bytes) β Buffer to be encrypted
nonce (bytes, optional) β Nonce value (8 bytes, defaults to bβ\x00β*8 )
- Returns:
Encrypted data
- Return type:
bytes
- malduck.salsa20.decrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes ο
Decrypts buffer using Salsa20 algorithm.
- Parameters:
key (bytes) β Cryptographic key (16/32 bytes)
data (bytes) β Buffer to be decrypted
nonce (bytes, optional) β Nonce value (8 bytes, defaults to bβ\x00β*8 )
- Returns:
Decrypted data
- Return type:
bytes
Serpent (CBC only)ο
Serpent block cipher.
Supported modes: CBC
from malduck import serpent
key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv=iv)
- malduck.serpent.cbc.encrypt(key: bytes, data: bytes, iv: bytes | None = None) bytes ο
Encrypts buffer using Serpent algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (4-32 bytes, must be multiple of four)
data (bytes) β Buffer to be encrypted
iv (bytes, optional) β Initialization vector (defaults to bβ\x00β * 16)
- Returns:
Encrypted data
- Return type:
bytes
- malduck.serpent.cbc.decrypt(key: bytes, data: bytes, iv: bytes | None = None) bytes ο
Decrypts buffer using Serpent algorithm in CBC mode.
- Parameters:
key (bytes) β Cryptographic key (4-32 bytes, must be multiple of four)
data (bytes) β Buffer to be decrypted
iv (bytes, optional) β Initialization vector (defaults to bβ\x00β * 16)
- Returns:
Decrypted data
- Return type:
bytes
Rabbitο
Rabbit stream cipher.
from malduck import rabbit
key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = rabbit(key, iv, plaintext)
- malduck.rabbit(key: bytes, iv: bytes, data: bytes) bytes [source]ο
Encrypts/decrypts buffer using Rabbit algorithm
- Parameters:
key (bytes) β Cryptographic key (16 bytes)
iv (bytes) β Initialization vector (8 bytes)
data (bytes) β Buffer to be encrypted/decrypted
- Returns:
Encrypted/decrypted data
- Return type:
bytes
RC4ο
RC4 stream cipher.
from malduck import rc4
key = b'a'*16
plaintext = b'data'*16
ciphertext = rc4(key, plaintext)
XORο
XOR βstream cipherβ.
from malduck import xor
key = b'a'*16
xored = b'data'*16
unxored = xor(key, xored)
RSA (BLOB parser)ο
- class malduck.crypto.rsa.RSA[source]ο
- static export_key(n: int, e: int, d: int | None = None, p: int | None = None, q: int | None = None, crt: int | None = None) bytes [source]ο
Constructs key from tuple of RSA components
- Parameters:
n β RSA modulus n
e β Public exponent e
d β Private exponent d
p β First factor of n
q β Second factor of n
crt β CRT coefficient q
- Returns:
RSA key in PEM format
- Return type:
bytes
- static import_key(data: bytes) bytes | None [source]ο
Extracts key from buffer containing
PublicKeyBlob
orPrivateKeyBlob
data- Parameters:
data (bytes) β Buffer with BLOB structure data
- Returns:
RSA key in PEM format
- Return type:
bytes
BLOB structο
- class malduck.crypto.winhdr.BLOBHEADER[source]ο
Windows BLOBHEADER structure
See also
BLOBHEADER structure description (Microsoft Docs): https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc
- class malduck.crypto.aes.PlaintextKeyBlob[source]ο
BLOB object (PLAINTEXTKEYBLOB) for CALG_AES
See also
malduck.crypto.BLOBHEADER