Cryptography

Common cryptography algorithms used in malware.

AES

AES (Advanced Encryption Standard) block cipher.

Supported modes: CBC, ECB, CTR.

from malduck import aes

key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)

AES-CBC mode

malduck.aes.cbc.encrypt(key: bytes, iv: bytes, data: bytes) bytes

Encrypts buffer using AES algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.aes.cbc.decrypt(key: bytes, iv: bytes, data: bytes) bytes

Decrypts buffer using AES algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

AES-ECB mode

malduck.aes.ecb.encrypt(key: bytes, data: bytes) bytes

Encrypts buffer using AES algorithm in ECB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.aes.ecb.decrypt(key: bytes, data: bytes) bytes

Decrypts buffer using AES algorithm in ECB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

AES-CTR mode

malduck.aes.ctr.encrypt(key: bytes, nonce: bytes, data: bytes) bytes

Encrypts buffer using AES algorithm in CTR mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • nonce (bytes) – Initial counter value, big-endian encoded

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.aes.ctr.decrypt(key: bytes, nonce: bytes, data: bytes) bytes

Decrypts buffer using AES algorithm in CTR mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • nonce (bytes) – Initial counter value, big-endian encoded

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Blowfish (ECB only)

Blowfish block cipher.

Supported modes: ECB.

from malduck import blowfish

key = b'blowfish'
plaintext = b'data'*16
ciphertext = blowfish.ecb.encrypt(key, plaintext)
malduck.blowfish.ecb.encrypt(key: bytes, data: bytes) bytes

Encrypts buffer using Blowfish algorithm in ECB mode.

Parameters:

  • key (bytes) – Cryptographic key (4 to 56 bytes)

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.blowfish.ecb.decrypt(key: bytes, data: bytes) bytes

Decrypts buffer using Blowfish algorithm in ECB mode.

Parameters:

  • key (bytes) – Cryptographic key (4 to 56 bytes)

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Camellia

Camellia block cipher.

Supported modes: ECB, CBC, CTR, CFB, OFB.

from malduck import camellia

key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = camellia.ecb.encrypt(key, iv, plaintext)

Camellia-ECB mode

malduck.camellia.ecb.encrypt(key: bytes, data: bytes) bytes

Encrypts buffer using Camellia algorithm in ECB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.camellia.ecb.decrypt(key: bytes, data: bytes) bytes

Decrypts buffer using Camellia algorithm in ECB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Camellia-CBC mode

malduck.camellia.cbc.encrypt(key: bytes, iv: bytes, data: bytes) bytes

Encrypts buffer using Camellia algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.camellia.cbc.decrypt(key: bytes, iv: bytes, data: bytes) bytes

Decrypts buffer using Camellia algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Camellia-CTR mode

malduck.camellia.ctr.encrypt(key: bytes, nonce: bytes, data: bytes) bytes

Encrypts buffer using Camellia algorithm in CTR mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • nonce (bytes) – Initial counter value, big-endian encoded

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.camellia.ctr.decrypt(key: bytes, nonce: bytes, data: bytes) bytes

Decrypts buffer using Camellia algorithm in CTR mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • nonce (bytes) – Initial counter value, big-endian encoded

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Camellia-CFB mode

malduck.camellia.cfb.encrypt(key: bytes, iv: bytes, data: bytes) bytes

Encrypts buffer using Camellia algorithm in CFB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.camellia.cfb.decrypt(key: bytes, iv: bytes, data: bytes) bytes

Decrypts buffer using Camellia algorithm in CFB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Camellia-OFB mode

malduck.camellia.ofb.encrypt(key: bytes, iv: bytes, data: bytes) bytes

Encrypts buffer using Camellia algorithm in OFB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.camellia.ofb.decrypt(key: bytes, iv: bytes, data: bytes) bytes

Decrypts buffer using Camellia algorithm in OFB mode.

Parameters:

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

ChaCha20

ChaCha20 stream cipher.

Assumes empty nonce if none given.

from malduck import chacha20

key = b'chachaKeyHereNow' * 2
nonce = b'\x01\x02\x03\x04\x05\0x6\0x7'
plaintext = b'data'*16
ciphertext = chacha20.decrypt(key, plaintext, nonce)
malduck.chacha20.encrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes

Encrypts buffer using ChaCha20 algorithm.

Parameters:

  • key (bytes) – Cryptographic key (32 bytes)

  • data (bytes) – Buffer to be encrypted

  • nonce (bytes, optional) – Nonce value (8/12 bytes, defaults to b”\x00”*8 )

Returns:

Encrypted data

Return type:

bytes

malduck.chacha20.decrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes

Decrypts buffer using ChaCha20 algorithm.

Parameters:

  • key (bytes) – Cryptographic key (32 bytes)

  • data (bytes) – Buffer to be decrypted

  • nonce (bytes, optional) – Nonce value (8/12 bytes, defaults to b”\x00”*8 )

Returns:

Decrypted data

Return type:

bytes

DES/DES3 (CBC only)

Triple DES block cipher.

Fallbacks to single DES for 8 byte keys.

Supported modes: CBC.

from malduck import des3

key = b'des3des3'
iv = b'3des3des'
plaintext = b'data' * 16
ciphertext = des3.cbc.encrypt(key, plaintext)
malduck.des3.cbc.encrypt(key: bytes, iv: bytes, data: bytes) bytes

Encrypts buffer using DES/DES3 algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns:

Encrypted data

Return type:

bytes

malduck.des3.cbc.decrypt(key: bytes, iv: bytes, data: bytes) bytes

Decrypts buffer using DES/DES3 algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns:

Decrypted data

Return type:

bytes

Salsa20

Salsa20 stream cipher.

Assumes empty nonce if none given.

from malduck import salsa20

key = b'salsaFTW' * 4
nonce = b'\x01\x02\x03\x04\x05\0x6\0x7'
plaintext = b'data' * 16
ciphertext = salsa20.decrypt(key, plaintext, nonce)
malduck.salsa20.encrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes

Encrypts buffer using Salsa20 algorithm.

Parameters:

  • key (bytes) – Cryptographic key (16/32 bytes)

  • data (bytes) – Buffer to be encrypted

  • nonce (bytes, optional) – Nonce value (8 bytes, defaults to b”\x00”*8 )

Returns:

Encrypted data

Return type:

bytes

malduck.salsa20.decrypt(key: bytes, data: bytes, nonce: bytes | None = None) bytes

Decrypts buffer using Salsa20 algorithm.

Parameters:

  • key (bytes) – Cryptographic key (16/32 bytes)

  • data (bytes) – Buffer to be decrypted

  • nonce (bytes, optional) – Nonce value (8 bytes, defaults to b”\x00”*8 )

Returns:

Decrypted data

Return type:

bytes

Serpent (CBC only)

Serpent block cipher.

Supported modes: CBC

from malduck import serpent

key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv=iv)
malduck.serpent.cbc.encrypt(key: bytes, data: bytes, iv: bytes | None = None) bytes

Encrypts buffer using Serpent algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)

  • data (bytes) – Buffer to be encrypted

  • iv (bytes, optional) – Initialization vector (defaults to b”\x00” * 16)

Returns:

Encrypted data

Return type:

bytes

malduck.serpent.cbc.decrypt(key: bytes, data: bytes, iv: bytes | None = None) bytes

Decrypts buffer using Serpent algorithm in CBC mode.

Parameters:

  • key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)

  • data (bytes) – Buffer to be decrypted

  • iv (bytes, optional) – Initialization vector (defaults to b”\x00” * 16)

Returns:

Decrypted data

Return type:

bytes

Rabbit

Rabbit stream cipher.

from malduck import rabbit

key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = rabbit(key, iv, plaintext)
malduck.rabbit(key: bytes, iv: bytes, data: bytes) bytes[source]

Encrypts/decrypts buffer using Rabbit algorithm

Parameters:

  • key (bytes) – Cryptographic key (16 bytes)

  • iv (bytes) – Initialization vector (8 bytes)

  • data (bytes) – Buffer to be encrypted/decrypted

Returns:

Encrypted/decrypted data

Return type:

bytes

RC4

RC4 stream cipher.

from malduck import rc4

key = b'a'*16
plaintext = b'data'*16
ciphertext = rc4(key, plaintext)
malduck.rc4(key: bytes, data: bytes) bytes[source]

Encrypts/decrypts buffer using RC4 algorithm

Parameters:

  • key (bytes) – Cryptographic key (from 3 to 256 bytes)

  • data (bytes) – Buffer to be encrypted/decrypted

Returns:

Encrypted/decrypted data

Return type:

bytes

XOR

XOR β€œstream cipher”.

from malduck import xor

key = b'a'*16
xored = b'data'*16
unxored = xor(key, xored)
malduck.xor(key: int | bytes, data: bytes) bytes[source]

XOR encryption/decryption

Parameters:

  • key (int (single byte) or bytes) – Encryption key

  • data (bytes) – Buffer containing data to decrypt

Returns:

Encrypted/decrypted data

Return type:

bytes

RSA (BLOB parser)

malduck.rsa

alias of RSA

class malduck.crypto.rsa.RSA[source]
static export_key(n: int, e: int, d: int | None = None, p: int | None = None, q: int | None = None, crt: int | None = None) bytes[source]

Constructs key from tuple of RSA components

Parameters:

  • n – RSA modulus n

  • e – Public exponent e

  • d – Private exponent d

  • p – First factor of n

  • q – Second factor of n

  • crt – CRT coefficient q

Returns:

RSA key in PEM format

Return type:

bytes

static import_key(data: bytes) bytes | None[source]

Extracts key from buffer containing PublicKeyBlob or PrivateKeyBlob data

Parameters:

data (bytes) – Buffer with BLOB structure data

Returns:

RSA key in PEM format

Return type:

bytes

BLOB struct

class malduck.crypto.winhdr.BLOBHEADER[source]

Windows BLOBHEADER structure

See also

BLOBHEADER structure description (Microsoft Docs): https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc

class malduck.crypto.aes.PlaintextKeyBlob[source]

BLOB object (PLAINTEXTKEYBLOB) for CALG_AES

See also

malduck.crypto.BLOBHEADER

export_key() Tuple[str, bytes] | None[source]

Exports key from structure or returns None if no key was imported

Returns:

Tuple (algorithm, key). Algorithm is one of: β€œAES-128”, β€œAES-192”, β€œAES-256”

Return type:

Tuple[str, bytes]

parse(buf: BytesIO) None[source]

Parse structure from buffer

Parameters:

buf (io.BytesIO) – Buffer with structure data

class malduck.crypto.rsa.PublicKeyBlob[source]
class malduck.crypto.rsa.PrivateKeyBlob[source]