Malduckify

.gitignore

@@ -1,7 +1,9 @@
 .idea/
-roach.egg-info/
 .cache/
 .coverage
 dist/
 .pytest_cache/
 *.pyc
+build/
+malduck.egg-info/
+venv/

MANIFEST.in

@@ -1,4 +1,4 @@
-graft roach
+graft malduck
 recursive-exclude * *.pyc *.pyo
 include roach/native/components/aplib-32.dll
 include roach/native/components/aplib-32.so

roach/__init__.py → malduck/__init__.py

@@ -1,37 +1,37 @@
 # Copyright (C) 2018 Jurriaan Bremer.
 # Copyright (C) 2018 Hatching B.V.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
-from roach.bits import rol, ror
-from roach.crypto.xor import xor
-from roach.disasm import disasm
-from roach.hash.crc import crc32
-from roach.hash.sha import md5, sha1, sha224, sha384, sha256, sha512
-from roach.string.inet import ipv4
-from roach.string.ops import asciiz, utf16z, chunks, hex, unhex, uleb128
-from roach.structure import Structure
+from .bits import rol, ror
+from .crypto.xor import xor
+from .disasm import disasm
+from .hash.crc import crc32
+from .hash.sha import md5, sha1, sha224, sha384, sha256, sha512
+from .string.inet import ipv4
+from .string.ops import asciiz, utf16z, chunks, hex, unhex, uleb128
+from .structure import Structure
 
-from roach.pe import pe2cuckoo
+from .pe import pe2cuckoo
 
-from roach.procmem import (
+from .procmem import (
     PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE,
     PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
 )
 
-from roach.short import (
+from .short import (
     aes, blowfish, des3, rc4, pe, aplib, gzip, procmem, procmempe, cuckoomem, pad, unpad,
     insn, rsa, verify, base64, rabbit
 )
 
-from roach.string.bin import (
+from .string.bin import (
     uint8, uint16, uint32, uint64,
     u8, u16, u32, u64,
     p8, p16, p32, p64,
     bigint, pack, unpack
 )
 
-from roach.ints import (
+from .ints import (
     QWORD, DWORD, WORD, BYTE, CHAR,
     UInt64, UInt32, UInt16, UInt8,
     Int64, Int32, Int16, Int8

roach/bits.py → malduck/bits.py

@@ -1,11 +1,13 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
+
 def rol(value, count, bits=32):
     count = (bits - 1) & count
     value = (value << count) | ((2**count - 1) & (value >> (bits - count)))
     return value % 2**bits
 
+
 def ror(value, count, bits=32):
     return rol(value, bits - count, bits)

malduck/compression/aplib.py

@@ -0,0 +1,8 @@
+from ..native.aplib import unpack
+
+
+class aPLib(object):
+    def decompress(self, buf, length=None):
+        return unpack(buf, length)
+
+    __call__ = decompress

roach/compression/gzip.py → malduck/compression/gzip.py

@@ -1,13 +1,10 @@
-# Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
-# See the file 'docs/LICENSE.txt' for copying permission.
-
 from __future__ import absolute_import
 
 import gzip
 import io
 import zlib
 
+
 class Gzip(object):
     def decompress(self, data):
         # TODO Is this non-strict enough (it's what Python's gzip accepts)?

roach/crypto/__init__.py → malduck/crypto/__init__.py

@@ -1,3 +1,3 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.

roach/crypto/aes.py → malduck/crypto/aes.py

@@ -1,14 +1,14 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import io
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
 
-from roach.crypto.winhdr import BLOBHEADER, BaseBlob
-from roach.string.bin import uint32
+from .winhdr import BLOBHEADER, BaseBlob
+from ..string.bin import uint32
 
 class PlaintextKeyBlob(BaseBlob):
     types = {

roach/crypto/blowfish.py → malduck/crypto/blowfish.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 from cryptography.hazmat.backends import default_backend

roach/crypto/des3.py → malduck/crypto/des3.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 from cryptography.hazmat.backends import default_backend

roach/crypto/rabbit.py → malduck/crypto/rabbit.py

@@ -1,10 +1,10 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import struct
 
-from roach.crypto.xor import xor
+from .xor import xor
 
 def rotl(v,n):
     return (((v<<n)&0xffffffff) | ((v>>(32-n))&0xffffffff))

roach/crypto/rc.py → malduck/crypto/rc.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 from Crypto.Cipher import ARC4

roach/crypto/rsa.py → malduck/crypto/rsa.py

@@ -1,13 +1,13 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import io
 
 from Crypto.PublicKey.RSA import RSAImplementation
 
-from roach.crypto.winhdr import BLOBHEADER, BaseBlob
-from roach.string.bin import uint32, bigint
+from .winhdr import BLOBHEADER, BaseBlob
+from ..string.bin import uint32, bigint
 
 class PublicKeyBlob(BaseBlob):
     magic = "RSA1"

roach/crypto/winhdr.py → malduck/crypto/winhdr.py

@@ -1,9 +1,9 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
-from roach.ints import UInt8, UInt16, UInt32
-from roach.structure import Structure
+from ..ints import UInt8, UInt16, UInt32
+from ..structure import Structure
 
 class BLOBHEADER(Structure):
     _pack_ = 1

roach/crypto/xor.py → malduck/crypto/xor.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 from Crypto.Cipher import XOR

roach/disasm.py → malduck/disasm.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import collections
@@ -8,6 +8,7 @@
     "Memory", ("size", "base", "scale", "index", "disp")
 )
 
+
 class Operand(object):
     # These are initializes the first time disasm() is called, see also below.
     _x86_op_imm = None

roach/hash/__init__.py → malduck/hash/__init__.py

@@ -1,3 +1,3 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.

roach/hash/crc.py → malduck/hash/crc.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import zlib

roach/hash/sha.py → malduck/hash/sha.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import hashlib

roach/main.py → malduck/main.py

@@ -1,10 +1,10 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import click
 
-from roach import cuckoomem
+from .procmem import CuckooProcessMemory
 
 
 @click.group()
@@ -15,7 +15,7 @@ def main():
 @main.command("cuckoomem.list")
 @click.argument("mempath", type=click.Path(exists=True))
 def cuckoomem_list(mempath):
-    with cuckoomem.from_file(mempath) as p:
+    with CuckooProcessMemory.from_file(mempath) as p:
         for region in p.regions:
             print "0x%08x .. 0x%08x" % (region.addr, region.addr + region.size),
             print repr(p.readv(region.addr, 16))

roach/native/__init__.py → malduck/native/__init__.py

@@ -1,3 +1,3 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.

roach/native/aplib.py → malduck/native/aplib.py

@@ -1,10 +1,10 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import ctypes
 
-from roach.native.common import load_library
+from .common import load_library
 
 try:
     aplib = load_library("aplib")

roach/native/common.py → malduck/native/common.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import ctypes

roach/pe.py → malduck/pe.py

@@ -1,6 +1,6 @@
 # Copyright (C) 2018 Jurriaan Bremer.
 # Copyright (C) 2018 Hatching B.V.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import pefile
@@ -26,7 +26,7 @@ def __init__(self, memory, fast_load):
     def map_offset(self, offs):
         if not hasattr(self, "pe") or not self.pe.sections:
             return self.memory.imgbase + offs
-        return self.memory.imgbase + self.pe.get_rva_from_offset(offs)
+        return self.memory.imgbase + (self.pe.get_rva_from_offset(offs) or offs)
 
     def __len__(self):
         r = self.memory.regions[-1]
@@ -41,6 +41,9 @@ def __getitem__(self, item):
             stop = start + 1
         return self.memory.readv(start, stop - start)
 
+    def find(self, str, beg=0, end=None):
+        return next(self.memory.regexv(str, self.memory.imgbase + beg, end-beg))
+
 
 class PE(object):
     """Wrapper around pefile.PE; accepts either a string (raw file contents) or Memoryinstance """

roach/procmem.py → malduck/procmem.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2018 Jurriaan Bremer.
-# This file is part of Roach - https://github.com/jbremer/roach.
+# This file is part of Roach - https://github.com/jbremer/malduck.
 # See the file 'docs/LICENSE.txt' for copying permission.
 
 import mmap
@@ -12,9 +12,9 @@
 except ImportError:
     HAVE_LIEF = False
 
-from roach.disasm import disasm
-from roach.string.ops import utf16z
-from roach.string.bin import uint8, uint16, uint32, uint64
+from .disasm import disasm
+from .string.ops import utf16z
+from .string.bin import uint8, uint16, uint32, uint64
 
 PAGE_READONLY = 0x00000002
 PAGE_READWRITE = 0x00000004
@@ -361,7 +361,7 @@ def from_memory(cls, memory, base=None, image=False):
         return copied
 
     def _load_image(self):
-        from roach.pe import PE
+        from .pe import PE
         # Load PE data from imgbase offset
         offset = self.v2p(self.imgbase)
         self.m = self.m[offset:]
@@ -387,7 +387,7 @@ def _load_image(self):
     @property
     def pe(self):
         if not self._pe:
-            from roach.pe import PE
+            from .pe import PE
             self._pe = PE(self)
         return self._pe