Cryptography¶
Common cryptography algorithms used in malware.
AES¶
AES (Advanced Encryption Standard) block cipher.
Supported modes: CBC, ECB, CTR.
from malduck import aes
key = b'A'*16
iv = b'B'*16
plaintext = b'data'*16
ciphertext = aes.cbc.encrypt(key, iv, plaintext)
AES-CBC mode¶
-
malduck.aes.cbc.
encrypt
(key: bytes, iv: bytes, data: bytes) → bytes¶ Encrypts buffer using AES algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.aes.cbc.
decrypt
(key: bytes, iv: bytes, data: bytes) → bytes¶ Decrypts buffer using AES algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
AES-ECB mode¶
-
malduck.aes.ecb.
encrypt
(key: bytes, data: bytes) → bytes¶ Encrypts buffer using AES algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.aes.ecb.
decrypt
(key: bytes, data: bytes) → bytes¶ Decrypts buffer using AES algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
AES-CTR mode¶
-
malduck.aes.ctr.
encrypt
(key: bytes, nonce: bytes, data: bytes) → bytes¶ Encrypts buffer using AES algorithm in CTR mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
nonce (bytes) – Initial counter value, big-endian encoded
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.aes.ctr.
decrypt
(key: bytes, nonce: bytes, data: bytes) → bytes¶ Decrypts buffer using AES algorithm in CTR mode.
- Parameters
key (bytes) – Cryptographic key (128, 192 or 256 bits)
nonce (bytes) – Initial counter value, big-endian encoded
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
Blowfish (ECB only)¶
Blowfish block cipher.
Supported modes: ECB.
from malduck import blowfish
key = b'blowfish'
plaintext = b'data'*16
ciphertext = blowfish.ecb.encrypt(key, plaintext)
-
malduck.blowfish.ecb.
encrypt
(key: bytes, data: bytes) → bytes¶ Encrypts buffer using Blowfish algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (4 to 56 bytes)
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.blowfish.ecb.
decrypt
(key: bytes, data: bytes) → bytes¶ Decrypts buffer using Blowfish algorithm in ECB mode.
- Parameters
key (bytes) – Cryptographic key (4 to 56 bytes)
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
DES/DES3 (CBC only)¶
Triple DES block cipher.
Fallbacks to single DES for 8 byte keys.
Supported modes: CBC.
from malduck import des3
key = b'des3des3'
iv = b'3des3des'
plaintext = b'data'*16
ciphertext = des3.cbc.decrypt(key, plaintext)
-
malduck.des3.cbc.
encrypt
(key: bytes, iv: bytes, data: bytes) → bytes¶ Encrypts buffer using DES/DES3 algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be encrypted
- Returns
Encrypted data
- Return type
bytes
-
malduck.des3.cbc.
decrypt
(key: bytes, iv: bytes, data: bytes) → bytes¶ Decrypts buffer using DES/DES3 algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (16 or 24 bytes, 8 bytes for single DES)
iv (bytes) – Initialization vector
data (bytes) – Buffer to be decrypted
- Returns
Decrypted data
- Return type
bytes
Serpent (CBC only)¶
Serpent block cipher.
Supported modes: CBC
from malduck import serpent
key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = serpent.cbc.encrypt(key, plaintext, iv=iv)
-
malduck.serpent.cbc.
encrypt
(key: bytes, data: bytes, iv: Optional[bytes] = None) → bytes¶ Encrypts buffer using Serpent algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)
data (bytes) – Buffer to be encrypted
iv (bytes, optional) – Initialization vector (defaults to b”” * 16)
- Returns
Encrypted data
- Return type
bytes
-
malduck.serpent.cbc.
decrypt
(key: bytes, data: bytes, iv: Optional[bytes] = None) → bytes¶ Decrypts buffer using Serpent algorithm in CBC mode.
- Parameters
key (bytes) – Cryptographic key (4-32 bytes, must be multiple of four)
data (bytes) – Buffer to be decrypted
iv (bytes, optional) – Initialization vector (defaults to b”” * 16)
- Returns
Decrypted data
- Return type
bytes
Rabbit¶
Rabbit stream cipher.
from malduck import rabbit
key = b'a'*16
iv = b'b'*16
plaintext = b'data'*16
ciphertext = rabbit(key, iv, plaintext)
-
malduck.
rabbit
(key: bytes, iv: bytes, data: bytes) → bytes[source]¶ Encrypts/decrypts buffer using Rabbit algorithm
- Parameters
key (bytes) – Cryptographic key (16 bytes)
iv (bytes) – Initialization vector (8 bytes)
data (bytes) – Buffer to be encrypted/decrypted
- Returns
Encrypted/decrypted data
- Return type
bytes
RC4¶
RC4 stream cipher.
from malduck import rc4
key = b'a'*16
plaintext = b'data'*16
ciphertext = rc4(key, plaintext)
XOR¶
XOR “stream cipher”.
from malduck import xor
key = b'a'*16
xored = b'data'*16
unxored = xor(key, xored)
RSA (BLOB parser)¶
-
malduck.
rsa
¶ alias of
malduck.crypto.rsa.RSA
-
class
malduck.crypto.rsa.
RSA
[source]¶ -
static
export_key
(n: int, e: int, d: Optional[int] = None, p: Optional[int] = None, q: Optional[int] = None, crt: Optional[int] = None) → bytes[source]¶ Constructs key from tuple of RSA components
- Parameters
n – RSA modulus n
e – Public exponent e
d – Private exponent d
p – First factor of n
q – Second factor of n
crt – CRT coefficient q
- Returns
RSA key in PEM format
- Return type
bytes
-
static
import_key
(data: bytes) → Optional[bytes][source]¶ Extracts key from buffer containing
PublicKeyBlob
orPrivateKeyBlob
data- Parameters
data (bytes) – Buffer with BLOB structure data
- Returns
RSA key in PEM format
- Return type
bytes
-
static
BLOB struct¶
-
class
malduck.crypto.winhdr.
BLOBHEADER
[source]¶ Windows BLOBHEADER structure
See also
BLOBHEADER structure description (Microsoft Docs): https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/ns-wincrypt-publickeystruc
-
class
malduck.crypto.aes.
PlaintextKeyBlob
[source]¶ BLOB object (PLAINTEXTKEYBLOB) for CALG_AES
See also
malduck.crypto.BLOBHEADER