{
  "id": 7391,
  "library": "malduck",
  "title": "Malduck",
  "description": "Malduck is a Python utility library designed for malware researchers, offering a comprehensive suite of tools for malware analysis. It provides functionalities for cryptography, compression, memory model objects (for PE/ELF/raw files and IDA dumps), a modular extraction engine for configuration, fixed integer types, and string operations. Currently at version 4.4.1, the project is actively maintained with frequent updates addressing bugfixes and introducing new features.",
  "status": "active",
  "version": "4.4.1",
  "language": "en",
  "source_language": "en",
  "source_url": "https://github.com/CERT-Polska/malduck",
  "tags": [
    "malware analysis",
    "cybersecurity",
    "reverse engineering",
    "cryptography",
    "compression",
    "PE parsing",
    "ELF parsing",
    "YARA",
    "forensics"
  ],
  "install": [
    {
      "cmd": "pip install malduck",
      "lang": "bash",
      "label": "Install stable version"
    }
  ],
  "dependencies": [
    {
      "reason": "CLI functionality",
      "package": "click",
      "optional": false
    },
    {
      "reason": "PE parsing; requires >=2022.5.30 since malduck v4.3.0",
      "package": "pefile",
      "optional": false
    },
    {
      "reason": "ELF parsing",
      "package": "pyelftools",
      "optional": false
    },
    {
      "reason": "Core cryptography functions; requires >=3.8.2",
      "package": "pycryptodomex",
      "optional": false
    },
    {
      "reason": "Disassembly engine; requires >=4.0.1",
      "package": "capstone",
      "optional": false
    },
    {
      "reason": "YARA rules integration; had compatibility issues with v4.3.0, fixed in later malduck versions",
      "package": "yara-python",
      "optional": false
    },
    {
      "reason": "Type hinting support; requires >=4.0.0",
      "package": "typing-extensions",
      "optional": false
    },
    {
      "reason": "Additional cryptography functions; requires >=3.1",
      "package": "cryptography",
      "optional": false
    },
    {
      "reason": ".NET PE parsing; requires >=0.15.0, strict pin removed in v4.3.2",
      "package": "dnfile",
      "optional": false
    }
  ],
  "imports": [
    {
      "symbol": "aes",
      "correct": "from malduck import aes"
    },
    {
      "symbol": "aplib",
      "correct": "from malduck import aplib"
    },
    {
      "symbol": "DWORD",
      "correct": "from malduck import DWORD"
    },
    {
      "note": "Most core modules are directly importable from 'malduck' due to how it's structured, avoiding deeper submodule imports unless specifically needed.",
      "wrong": "from malduck.extractor import Extractor",
      "symbol": "Extractor",
      "correct": "from malduck import Extractor"
    },
    {
      "symbol": "procmempe",
      "correct": "from malduck import procmempe"
    },
    {
      "symbol": "Yara",
      "correct": "from malduck.yara import Yara"
    }
  ],
  "quickstart": {
    "code": "from malduck import aes\n\n# 16-byte AES-128 key and 16-byte IV (sample values only)\nkey = b'\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\t\\n\\x0b\\x0c\\r\\x0e\\x0f\\x10'\niv = b'\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20'\n\n# AES-CBC works on 16-byte blocks and malduck's encrypt does not pad for you,\n# so the plaintext must be block-aligned; this sample is exactly 32 bytes.\nplaintext = b'Secret C2 config: 0123456789abcd'\n\nciphertext = aes.cbc.encrypt(key, iv, plaintext)\ndecrypted_text = aes.cbc.decrypt(key, iv, ciphertext)\n\nprint(f\"Original Plaintext: {plaintext}\")\nprint(f\"Ciphertext (hex): {ciphertext.hex()}\")\nprint(f\"Decrypted Text: {decrypted_text}\")",
    "lang": "python",
    "description": "Demonstrates basic AES-CBC encryption and decryption using Malduck's built-in cryptography functions. This is a common task in malware analysis for handling encrypted configuration data."
  },
  "warnings": [
    {
      "fix": "Upgrade Python environment to 3.8 or newer. Malduck recommends Python 3.8+ due to EOL of older versions.",
      "message": "Minimum Python version changed from 3.6 to 3.8. Users on older Python versions will encounter installation or runtime errors.",
      "severity": "breaking",
      "affected_versions": ">=4.3.1"
    },
    {
      "fix": "For Malduck v4.3.1, manually install `yara-python==4.2.3`. For Malduck versions >=4.3.2, ensure `yara-python` is updated to a compatible version (e.g., `pip install --upgrade yara-python`).",
      "message": "Compatibility issues with `yara-python` version 4.3.0. Malduck v4.3.1 strictly pinned `yara-python` to `4.2.3`, but later versions fixed compatibility with `>=v4.3.0`.",
      "severity": "gotcha",
      "affected_versions": "v4.3.1 - v4.3.2"
    },
    {
      "fix": "Review the `malduck.extractor` documentation for the specific version being used. Ensure extractor methods are correctly decorated as per the new API (e.g., `@Extractor.string(\"string_identifier\")`).",
      "message": "Extractor methods in `malduck.extractor` require explicit decorators (e.g., `@Extractor.extractor`, `@Extractor.string`) prior to v4.0.0. After v4.0.0, the decorator application order and arguments changed.",
      "severity": "breaking",
      "affected_versions": ">=4.0.0"
    },
    {
      "fix": "Ensure `pefile` is updated to `2022.5.30` or newer: `pip install --upgrade pefile`.",
      "message": "The `pefile` dependency was bumped to `>=2022.5.30` in v4.3.0, and a `FastPE` patch for `pefile.PE` was removed. Older `pefile` versions might cause unexpected behavior or missing functionality.",
      "severity": "gotcha",
      "affected_versions": ">=4.3.0"
    }
  ],
  "env_vars": null,
  "last_verified": "2026-04-16T00:00:00.000Z",
  "next_check": "2026-07-15T00:00:00.000Z",
  "problems": [
    {
      "fix": "If using Malduck v4.3.1, downgrade `yara-python` to `4.2.3` (`pip install \"yara-python==4.2.3\"`). If using a newer Malduck version, ensure `yara-python` is updated (`pip install --upgrade yara-python`).",
      "cause": "An incompatibility between the installed `malduck` version and your `yara-python` version, especially around `yara-python 4.3.0`.",
      "error": "YaraError: rules are not compatible with this version of YARA-Python"
    },
    {
      "fix": "Upgrade `malduck` to version 4.4.1 or later to get the fix: `pip install --upgrade malduck`.",
      "cause": "The `dnpe` module's typing or dependencies were incorrectly defined; this was fixed in a patch release.",
      "error": "AttributeError: module 'malduck.dnpe' has no attribute 'dnfile'"
    },
    {
      "fix": "Ensure your custom `Extractor` class inherits from `malduck.Extractor` and its methods are decorated correctly (e.g., `@Extractor.string('rule_name')`). Consult the official Malduck extractor documentation for the correct method signatures and decorator usage for your specific version.",
      "cause": "When defining custom extractor modules, the class or its methods are not correctly initialized or decorated according to the `malduck.extractor` API changes in v4.0.0.",
      "error": "TypeError: __init__() missing 1 required positional argument: 'parent' (or similar errors with Extractor decorators)"
    }
  ]
}