Cryptography

Common cryptography algorithms used in malware.

AES

AES (Advanced Encryption Standard) block cipher.

Supported modes: CBC, ECB, CTR.

from malduck import aes

key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)

AES-CBC mode

malduck.aes.cbc.encrypt(key, iv, data)

Encrypts buffer using AES algorithm in CBC mode.

Parameters

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns

Encrypted data

Return type

bytes

malduck.aes.cbc.decrypt(key, iv, data)

Decrypts buffer using AES algorithm in CBC mode.

Parameters

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns

Decrypted data

Return type

bytes

AES-ECB mode

malduck.aes.ecb.encrypt(key, data)

Encrypts buffer using AES algorithm in ECB mode.

Parameters

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • data (bytes) – Buffer to be encrypted

Returns

Encrypted data

Return type

bytes

malduck.aes.ecb.decrypt(key, data)

Decrypts buffer using AES algorithm in ECB mode.

Parameters

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • data (bytes) – Buffer to be decrypted

Returns

Decrypted data

Return type

bytes

AES-CTR mode

malduck.aes.ctr.encrypt(key, nonce, data)

Encrypts buffer using AES algorithm in CTR mode.

Parameters

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • nonce (bytes) – Initial counter value, big-endian encoded

  • data (bytes) – Buffer to be encrypted

Returns

Encrypted data

Return type

bytes

malduck.aes.ctr.decrypt(key, nonce, data)

Decrypts buffer using AES algorithm in CTR mode.

Parameters

  • key (bytes) – Cryptographic key (128, 192 or 256 bits)

  • nonce (bytes) – Initial counter value, big-endian encoded

  • data (bytes) – Buffer to be decrypted

Returns

Decrypted data

Return type

bytes

Blowfish (ECB only)

Blowfish block cipher.

Supported modes: ECB.

from malduck import blowfish

key = b'blowfish'
plaintext = b'data'*16
ciphertext = blowfish.ecb.encrypt(key, plaintext)
malduck.blowfish.ecb.encrypt(key, data)

Encrypts buffer using Blowfish algorithm in ECB mode.

Parameters

  • key (bytes) – Cryptographic key (4 to 56 bytes)

  • data (bytes) – Buffer to be encrypted

Returns

Encrypted data

Return type

bytes

malduck.blowfish.ecb.decrypt(key, data)

Decrypts buffer using Blowfish algorithm in ECB mode.

Parameters

  • key (bytes) – Cryptographic key (4 to 56 bytes)

  • data (bytes) – Buffer to be decrypted

Returns

Decrypted data

Return type

bytes

DES/DES3 (CBC only)

Triple DES block cipher.

Fallbacks to single DES for 8 byte keys.

Supported modes: CBC.

from malduck import des3

key = b'des3des3'
iv = b'3des3des'
plaintext = b'data'*16
ciphertext = des3.cbc.decrypt(key, plaintext)
malduck.des3.cbc.encrypt(key, iv, data)

Encrypts buffer using DES/DES3 algorithm in CBC mode.

Parameters

  • key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be encrypted

Returns

Encrypted data

Return type

bytes

malduck.des3.cbc.decrypt(key, iv, data)

Decrypts buffer using DES/DES3 algorithm in CBC mode.

Parameters

  • key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)

  • iv (bytes) – Initialization vector

  • data (bytes) – Buffer to be decrypted

Returns

Decrypted data

Return type

bytes

Serpent (CBC only)

Serpent block cipher.

Supported modes: CBC

from malduck import serpent

key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv=iv)
malduck.serpent.cbc.encrypt(key, data, iv=None)

Encrypts buffer using Serpent algorithm in CBC mode.

Parameters

  • key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)

  • data (bytes) – Buffer to be encrypted

  • iv (bytes, optional) – Initialization vector (defaults to b”” * 16)

Returns

Encrypted data

Return type

bytes

malduck.serpent.cbc.decrypt(key, data, iv=None)

Decrypts buffer using Serpent algorithm in CBC mode.

Parameters

  • key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)

  • data (bytes) – Buffer to be decrypted

  • iv (bytes, optional) – Initialization vector (defaults to b”” * 16)

Returns

Decrypted data

Return type

bytes

Rabbit

Rabbit stream cipher.

from malduck import rabbit

key = b'a'*16
plaintext = b'data'*16
ciphertext = rabbit(key, plaintext)
malduck.rabbit(key, iv, data)

Encrypts/decrypts buffer using Rabbit algorithm

Parameters

  • key (bytes) – Cryptographic key (16 bytes)

  • iv (bytes) – Initialization vector (8 bytes)

  • data (bytes) – Buffer to be encrypted/decrypted

Returns

Encrypted/decrypted data

Return type

bytes

RC4

RC4 stream cipher.

from malduck import rc4

key = b'a'*16
plaintext = b'data'*16
ciphertext = rc4(key, plaintext)
malduck.rc4(key, data)

Encrypts/decrypts buffer using RC4 algorithm

Parameters

  • key (bytes) – Cryptographic key (from 3 to 256 bytes)

  • data (bytes) – Buffer to be encrypted/decrypted

Returns

Encrypted/decrypted data

Return type

bytes

XOR

XOR “stream cipher”.

from malduck import xor

key = b'a'*16
xored = b'data'*16
unxored = xor(key, xor)
malduck.xor(key, data)

XOR encryption/decryption

Parameters

  • key (int (single byte) or bytes) – Encryption key

  • data (bytes) – Buffer containing data to decrypt

Returns

Encrypted/decrypted data

Return type

bytes

RSA (BLOB parser)

malduck.rsa

alias of malduck.crypto.rsa.RSA

class malduck.crypto.rsa.RSA[source]
static export_key(n, e, d=None, p=None, q=None, crt=None)[source]

Constructs key from tuple of RSA components

Parameters

  • n – RSA modulus n

  • e – Public exponent e

  • d – Private exponent d

  • p – First factor of n

  • q – Second factor of n

  • crt – CRT coefficient q

Returns

RSA key in PEM format

Return type

bytes

static import_key(data)[source]

Extracts key from buffer containing PublicKeyBlob or PrivateKeyBlob data

Parameters

data (bytes) – Buffer with BLOB structure data

Returns

RSA key in PEM format

Return type

bytes

BLOB struct

class malduck.crypto.winhdr.BLOBHEADER[source]

Windows BLOBHEADER structure

See also

BLOBHEADER structure description (Microsoft Docs): https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc

class malduck.crypto.aes.PlaintextKeyBlob[source]

BLOB object (PLAINTEXTKEYBLOB) for CALG_AES

See also

malduck.crypto.BLOBHEADER

export_key()[source]

Exports key from structure

Returns

Tuple (algorithm, key). Algorithm is one of: “AES-128”, “AES-192”, “AES-256”

Return type

Tuple[str, bytes]

parse(buf)[source]

Parse structure from buffer

Parameters

buf (io.BytesIO) – Buffer with structure data

class malduck.crypto.rsa.PublicKeyBlob[source]
class malduck.crypto.rsa.PrivateKeyBlob[source]