Cryptography¶
Common cryptography algorithms used in malware.
AES¶
AES (Advanced Encryption Standard) block cipher.
Supported modes: CBC, ECB, CTR.
from malduck import aes
key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)
AES-CBC mode¶
-
malduck.aes.cbc.
encrypt
(key, iv, data)¶ Encrypts buffer using AES algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.aes.cbc.
decrypt
(key, iv, data)¶ Decrypts buffer using AES algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
AES-ECB mode¶
-
malduck.aes.ecb.
encrypt
(key, data)¶ Encrypts buffer using AES algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.aes.ecb.
decrypt
(key, data)¶ Decrypts buffer using AES algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
AES-CTR mode¶
-
malduck.aes.ctr.
encrypt
(key, nonce, data)¶ Encrypts buffer using AES algorithm in CTR mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
nonce (bytes) – Initial counter value, big-endian encoded
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.aes.ctr.
decrypt
(key, nonce, data)¶ Decrypts buffer using AES algorithm in CTR mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
nonce (bytes) – Initial counter value, big-endian encoded
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
Blowfish (ECB only)¶
Blowfish block cipher.
Supported modes: ECB.
from malduck import blowfish
key = b'blowfish'
plaintext = b'data'*16
ciphertext = blowfish.ecb.encrypt(key, plaintext)
-
malduck.blowfish.ecb.
encrypt
(key, data)¶ Encrypts buffer using Blowfish algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (4 to 56 bytes)
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.blowfish.ecb.
decrypt
(key, data)¶ Decrypts buffer using Blowfish algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (4 to 56 bytes)
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
DES/DES3 (CBC only)¶
Triple DES block cipher.
Fallbacks to single DES for 8 byte keys.
Supported modes: CBC.
from malduck import des3
key = b'des3des3'
iv = b'3des3des'
plaintext = b'data'*16
ciphertext = des3.cbc.decrypt(key, plaintext)
-
malduck.des3.cbc.
encrypt
(key, iv, data)¶ Encrypts buffer using DES/DES3 algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.des3.cbc.
decrypt
(key, iv, data)¶ Decrypts buffer using DES/DES3 algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
Serpent (CBC only)¶
Serpent block cipher.
Supported modes: CBC
from malduck import serpent
key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv=iv)
-
malduck.serpent.cbc.
encrypt
(key, data, iv=None)¶ Encrypts buffer using Serpent algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)
data (bytes) – Buffer to be encrypted
iv (bytes, optional) – Initialization vector (defaults to b”” * 16)
- Returns
Encrypted data
- Return type
bytes
-
malduck.serpent.cbc.
decrypt
(key, data, iv=None)¶ Decrypts buffer using Serpent algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)
data (bytes) – Buffer to be decrypted
iv (bytes, optional) – Initialization vector (defaults to b”” * 16)
- Returns
Decrypted data
- Return type
bytes
Rabbit¶
Rabbit stream cipher.
from malduck import rabbit
key = b'a'*16
plaintext = b'data'*16
ciphertext = rabbit(key, plaintext)
-
malduck.
rabbit
(key, iv, data)¶ Encrypts/decrypts buffer using Rabbit algorithm
- Parameters
key (bytes) – Cryptographic key (16 bytes)
iv (bytes) – Initialization vector (8 bytes)
data (bytes) – Buffer to be encrypted/decrypted
- Returns
Encrypted/decrypted data
- Return type
bytes
RC4¶
RC4 stream cipher.
from malduck import rc4
key = b'a'*16
plaintext = b'data'*16
ciphertext = rc4(key, plaintext)
-
malduck.
rc4
(key, data)¶ Encrypts/decrypts buffer using RC4 algorithm
- Parameters
key (bytes) – Cryptographic key (from 3 to 256 bytes)
data (bytes) – Buffer to be encrypted/decrypted
- Returns
Encrypted/decrypted data
- Return type
bytes
XOR¶
XOR “stream cipher”.
from malduck import xor
key = b'a'*16
xored = b'data'*16
unxored = xor(key, xor)
-
malduck.
xor
(key, data)¶ XOR encryption/decryption
- Parameters
key (int (single byte) or bytes) – Encryption key
data (bytes) – Buffer containing data to decrypt
- Returns
Encrypted/decrypted data
- Return type
bytes
RSA (BLOB parser)¶
-
malduck.
rsa
¶ alias of
malduck.crypto.rsa.RSA
-
class
malduck.crypto.rsa.
RSA
[source]¶ -
static
export_key
(n, e, d=None, p=None, q=None, crt=None)[source]¶ Constructs key from tuple of RSA components
- Parameters
n – RSA modulus n
e – Public exponent e
d – Private exponent d
p – First factor of n
q – Second factor of n
crt – CRT coefficient q
- Returns
RSA key in PEM format
- Return type
bytes
-
static
import_key
(data)[source]¶ Extracts key from buffer containing
PublicKeyBlob
orPrivateKeyBlob
data- Parameters
data (bytes) – Buffer with BLOB structure data
- Returns
RSA key in PEM format
- Return type
bytes
-
static
BLOB struct¶
-
class
malduck.crypto.winhdr.
BLOBHEADER
[source]¶ Windows BLOBHEADER structure
See also
BLOBHEADER structure description (Microsoft Docs): https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc