iflow-mcp_developermode-korea_reversecore-mcp 1.0.0__py3-none-any.whl

reversecore_mcp/tools/malware/__init__.py

@@ -0,0 +1,61 @@
+"""Malware analysis tools package.
+
+Provides a unified MalwareToolsPlugin that registers all malware-related tools.
+"""
+
+from typing import Any
+
+from reversecore_mcp.core.logging_config import get_logger
+from reversecore_mcp.core.plugin import Plugin
+
+logger = get_logger(__name__)
+
+
+class MalwareToolsPlugin(Plugin):
+    """Unified plugin for all malware analysis tools."""
+
+    @property
+    def name(self) -> str:
+        return "malware_tools"
+
+    @property
+    def description(self) -> str:
+        return "Unified malware analysis tools including detection, vaccine generation, IOC extraction, and YARA scanning."
+
+    def register(self, mcp_server: Any) -> None:
+        """Register all malware tools."""
+        # Import tool functions from submodules
+        from reversecore_mcp.tools.malware.dormant_detector import dormant_detector
+        from reversecore_mcp.tools.malware.adaptive_vaccine import adaptive_vaccine
+        from reversecore_mcp.tools.malware.vulnerability_hunter import vulnerability_hunter
+        from reversecore_mcp.tools.malware.ioc_tools import extract_iocs
+        from reversecore_mcp.tools.malware.yara_tools import run_yara
+
+        # Register all tools
+        mcp_server.tool(dormant_detector)
+        mcp_server.tool(adaptive_vaccine)
+        mcp_server.tool(vulnerability_hunter)
+        mcp_server.tool(extract_iocs)
+        mcp_server.tool(run_yara)
+
+        logger.info(f"Registered {self.name} plugin with 5 malware tools")
+
+
+# Re-export submodules for convenience
+from reversecore_mcp.tools.malware import dormant_detector as dormant_detector_module
+from reversecore_mcp.tools.malware import adaptive_vaccine as adaptive_vaccine_module
+from reversecore_mcp.tools.malware import vulnerability_hunter as vulnerability_hunter_module
+from reversecore_mcp.tools.malware import ioc_tools
+from reversecore_mcp.tools.malware import yara_tools
+
+__all__ = [
+    "MalwareToolsPlugin",
+    "dormant_detector_module",
+    "adaptive_vaccine_module",
+    "vulnerability_hunter_module",
+    "ioc_tools",
+    "yara_tools",
+]
+
+# NOTE: Deprecated plugin classes (DormantDetectorPlugin, AdaptiveVaccinePlugin,
+# VulnerabilityHunterPlugin) were removed in v1.0.0. Use MalwareToolsPlugin instead.

reversecore_mcp/tools/malware/adaptive_vaccine.py

@@ -0,0 +1,579 @@
+"""
+Adaptive Vaccine: Automated Defense Generation Tool.
+
+This tool generates defensive measures against detected threats:
+1. YARA rule generation from threat patterns
+2. Binary patching (NOP injection, JMP override)
+3. Safety checks and backups
+"""
+
+import re
+import shutil
+from datetime import datetime
+from pathlib import Path
+from typing import Any
+
+import lief
+try:
+    from capstone import Cs, CS_ARCH_X86, CS_ARCH_ARM, CS_MODE_32, CS_MODE_64, CS_MODE_ARM, CS_MODE_THUMB
+except ImportError:
+    Cs = None
+
+from fastmcp import Context, FastMCP
+
+from reversecore_mcp.core.decorators import log_execution
+from reversecore_mcp.core.error_handling import handle_tool_errors
+from reversecore_mcp.core.logging_config import get_logger
+from reversecore_mcp.core.metrics import track_metrics
+from reversecore_mcp.core.result import ToolResult, failure, success
+from reversecore_mcp.core.security import validate_file_path
+from reversecore_mcp.core.audit import audit_logger, AuditAction
+
+logger = get_logger(__name__)
+
+# Validation constants for YARA rule generation
+YARA_RULE_NAME_MAX_LENGTH = 64
+YARA_META_VALUE_MAX_LENGTH = 256
+YARA_MAX_PATTERNS = 10
+YARA_MAX_STRING_LITERAL_LENGTH = 200
+
+# OPTIMIZATION: Pre-compile regex patterns used in hot paths
+_YARA_FUNCTION_NAME_CLEAN = re.compile(r"[^\w\-.]")
+_YARA_ADDRESS_PATTERN = re.compile(r"^(0x[0-9a-fA-F]+|\d+)$")
+_YARA_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f]")
+_YARA_RULE_NAME_CLEAN = re.compile(r"[^a-zA-Z0-9_]")
+_YARA_HEX_PATTERN = re.compile(r"0x([0-9a-fA-F]+)")
+_YARA_STRING_LITERAL = re.compile(r'"([^"]{1,200})"')
+
+
+def _escape_yara_meta(s: str) -> str:
+    """
+    Escape function for YARA meta strings.
+    
+    Escapes backslashes and quotes. Order matters: escape backslashes first.
+    Note: str.translate() cannot handle multi-character escape sequences,
+    so we use chained replace() which is appropriate for this use case.
+    
+    Args:
+        s: String to escape
+    
+    Returns:
+        Escaped string
+    """
+    # Order matters: escape backslashes first, then quotes
+    return s.replace("\\", "\\\\").replace('"', '\\"')
+
+
+def _validate_threat_report(threat_report: Any) -> dict[str, Any]:
+    """
+    Validate and sanitize threat_report input for YARA rule generation.
+
+    Args:
+        threat_report: Input to validate
+
+    Returns:
+        Validated and sanitized threat report dictionary
+
+    Raises:
+        ValueError: If validation fails
+    """
+    # Type check
+    if not isinstance(threat_report, dict):
+        raise ValueError(f"threat_report must be a dictionary, got {type(threat_report).__name__}")
+
+    # Extract and validate fields with defaults
+    validated = {}
+
+    # Function name validation
+    function_name = threat_report.get("function", "unknown")
+    if not isinstance(function_name, str):
+        function_name = str(function_name)
+    # OPTIMIZATION: Use pre-compiled regex pattern (faster)
+    function_name = _YARA_FUNCTION_NAME_CLEAN.sub("_", function_name)[:YARA_RULE_NAME_MAX_LENGTH]
+    validated["function"] = function_name
+
+    # Address validation
+    address = threat_report.get("address", "0x0")
+    if not isinstance(address, str):
+        address = str(address)
+    # OPTIMIZATION: Use pre-compiled regex pattern (faster)
+    if not _YARA_ADDRESS_PATTERN.match(address):
+        address = "0x0"
+    validated["address"] = address
+
+    # Instruction validation - sanitize for YARA meta
+    instruction = threat_report.get("instruction", "")
+    if not isinstance(instruction, str):
+        instruction = str(instruction)
+    # Escape quotes and backslashes for YARA meta
+    instruction = _escape_yara_meta(instruction)
+    instruction = instruction[:YARA_META_VALUE_MAX_LENGTH]
+    validated["instruction"] = instruction
+
+    # Reason validation - sanitize for YARA meta
+    reason = threat_report.get("reason", "Suspicious behavior detected")
+    if not isinstance(reason, str):
+        reason = str(reason)
+    # Escape quotes and backslashes for YARA meta
+    reason = _escape_yara_meta(reason)
+    reason = reason[:YARA_META_VALUE_MAX_LENGTH]
+    validated["reason"] = reason
+
+    # Refined code (optional) - just sanitize
+    refined_code = threat_report.get("refined_code", "")
+    if not isinstance(refined_code, str):
+        refined_code = str(refined_code) if refined_code else ""
+    validated["refined_code"] = refined_code
+
+    return validated
+
+
+def _sanitize_yara_string(s: str, max_length: int = YARA_MAX_STRING_LITERAL_LENGTH) -> str:
+    """
+    Sanitize a string for safe use in YARA rules.
+
+    Args:
+        s: String to sanitize
+        max_length: Maximum allowed length
+
+    Returns:
+        Sanitized string safe for YARA
+    """
+    # OPTIMIZATION: Use pre-compiled regex pattern (faster)
+    s = _YARA_CONTROL_CHARS.sub("", s)
+    # Escape quotes and backslashes for YARA
+    s = _escape_yara_meta(s)
+    # Limit length
+    return s[:max_length]
+
+
+def register_adaptive_vaccine(mcp: FastMCP) -> None:
+    """Register the Adaptive Vaccine tool with the FastMCP server."""
+    mcp.tool(adaptive_vaccine)
+
+
+@log_execution(tool_name="adaptive_vaccine")
+@track_metrics("adaptive_vaccine")
+@handle_tool_errors
+async def adaptive_vaccine(
+    threat_report: dict[str, Any],
+    action: str = "yara",
+    file_path: str | None = None,
+    dry_run: bool = True,
+    ctx: Context = None,
+) -> ToolResult:
+    """
+    Generate automated defenses against detected threats.
+
+    Actions:
+    - "yara": Generate YARA detection rule
+    - "patch": Generate binary patch (requires file_path)
+    - "both": Generate both YARA rule and patch
+
+    Args:
+        threat_report: Threat information from Ghost Trace or Trinity Defense
+                      Format: {
+                          "function": "func_name",
+                          "address": "0x401000",
+                          "instruction": "cmp eax, 0xDEADBEEF",
+                          "reason": "Magic value detected",
+                          "refined_code": "if (magic_val == 0xDEADBEEF) ..." (optional)
+                      }
+        action: Type of defense to generate
+        file_path: Path to binary (required for "patch" action)
+        dry_run: If True, only preview patch without applying
+
+    Returns:
+        ToolResult containing generated defenses
+    """
+    # Validate action parameter
+    valid_actions = {"yara", "patch", "both"}
+    if action not in valid_actions:
+        return failure(
+            "INVALID_ACTION",
+            f"Invalid action '{action}'. Must be one of: {', '.join(valid_actions)}",
+        )
+
+    # Pre-validate threat_report
+    try:
+        validated_report = _validate_threat_report(threat_report)
+    except ValueError as e:
+        return failure(
+            "INVALID_THREAT_REPORT",
+            f"Invalid threat_report: {str(e)}",
+            hint="threat_report must be a dictionary with 'function', 'address', "
+            "'instruction', and 'reason' fields",
+        )
+
+    if ctx:
+        await ctx.info(f"🛡️ Adaptive Vaccine: Generating {action} defense...")
+
+    result = {"action": action, "dry_run": dry_run}
+
+    # Detect architecture if file_path provided
+    arch = "x86"  # default
+    if file_path:
+        try:
+            validated_path = validate_file_path(file_path)
+            arch = _detect_architecture(validated_path)
+        except Exception:  # Use default if detection fails
+            pass
+
+    # Generate YARA rule
+    if action in ["yara", "both"]:
+        yara_rule = _generate_yara_rule(validated_report, arch)
+        result["yara_rule"] = yara_rule
+        result["architecture"] = arch
+        if ctx:
+            await ctx.info(f"✅ YARA rule generated (arch: {arch})")
+
+    # Generate binary patch
+    if action in ["patch", "both"]:
+        if not file_path:
+            return failure("MISSING_FILE_PATH", "file_path is required for patch action")
+
+        validated_path = validate_file_path(file_path)
+
+        try:
+            patch_info = _create_binary_patch(validated_path, threat_report, dry_run=dry_run)
+            result["patch"] = patch_info
+
+            if ctx:
+                if dry_run:
+                    await ctx.info("✅ Patch preview generated (dry-run, not applied)")
+                else:
+                    await ctx.info("✅ Patch applied successfully")
+        except Exception as e:
+            return failure("PATCH_FAILED", f"Patch generation failed: {e}")
+
+    return success(result)
+
+
+def _detect_architecture(file_path: Path) -> str:
+    """Detect binary architecture using LIEF."""
+    try:
+        binary = lief.parse(str(file_path))
+        if binary is None:
+            return "unknown"
+
+        # Detect architecture from binary type
+        if isinstance(binary, lief.PE.Binary):
+            machine = binary.header.machine
+            if machine == lief.PE.MACHINE_TYPES.I386:
+                return "x86"
+            elif machine == lief.PE.MACHINE_TYPES.AMD64:
+                return "x86_64"
+            elif machine == lief.PE.MACHINE_TYPES.ARM:
+                return "arm"
+        elif isinstance(binary, lief.ELF.Binary):
+            arch = binary.header.machine_type
+            if arch == lief.ELF.ARCH.i386:
+                return "x86"
+            elif arch == lief.ELF.ARCH.x86_64:
+                return "x86_64"
+            elif arch == lief.ELF.ARCH.ARM:
+                return "arm"
+
+        return "unknown"
+    except Exception as e:
+        logger.warning(f"Failed to detect architecture: {e}")
+        return "unknown"
+
+
+def _hex_to_yara_bytes(hex_val: str, arch: str = "x86") -> str:
+    """Convert hex value to YARA byte pattern with proper endianness."""
+    # Pad to even length
+    if len(hex_val) % 2 != 0:
+        hex_val = "0" + hex_val
+
+    try:
+        # Convert to bytes
+        byte_array = bytes.fromhex(hex_val)
+
+        # Reverse if little-endian architecture
+        # Note: ARM is typically little-endian on Android/iOS (armv7, aarch64)
+        little_endian_arches = {"x86", "x86_64", "arm", "arm64", "aarch64", "armle"}
+        if arch.lower() in little_endian_arches:
+            byte_array = byte_array[::-1]
+
+        return " ".join(f"{b:02x}" for b in byte_array)
+    except ValueError:
+        # If conversion fails, return as-is
+        return hex_val
+
+
+def _generate_yara_rule(threat_report: dict[str, Any], arch: str = "x86") -> str:
+    """
+    Generate YARA rule from threat information.
+
+    Args:
+        threat_report: Validated threat information including instruction, reason, etc.
+        arch: Target architecture for endianness handling
+
+    Returns:
+        YARA rule as string
+    """
+    function_name = threat_report.get("function", "unknown")
+    address = threat_report.get("address", "0x0")
+    instruction = threat_report.get("instruction", "")
+    reason = threat_report.get("reason", "Suspicious behavior detected")
+    refined_code = threat_report.get("refined_code", "")
+
+    # Sanitize rule name (alphanumeric and underscore only)
+    # OPTIMIZATION: Use pre-compiled regex pattern (faster)
+    rule_name = _YARA_RULE_NAME_CLEAN.sub("_", function_name)
+    # Ensure rule name starts with letter or underscore
+    if not rule_name or rule_name[0].isdigit():
+        rule_name = f"Threat_{address.replace('0x', '').replace('-', '_')}"
+    # Limit rule name length
+    rule_name = rule_name[:YARA_RULE_NAME_MAX_LENGTH]
+
+    # Extract hex patterns from instruction with validation
+    # OPTIMIZATION: Use pre-compiled regex pattern (faster)
+    hex_patterns = _YARA_HEX_PATTERN.findall(instruction)
+
+    # Build strings section with proper endianness
+    strings_section = []
+    for i, hex_val in enumerate(hex_patterns[:YARA_MAX_PATTERNS]):
+        # Validate hex pattern length (prevent extremely long patterns)
+        if len(hex_val) > 16:  # Max 8 bytes
+            hex_val = hex_val[:16]
+        byte_str = _hex_to_yara_bytes(hex_val, arch)
+        strings_section.append(f"        $hex_{i} = {{ {byte_str} }}")
+
+    # Extract string literals if present in refined code (with sanitization)
+    # OPTIMIZATION: Use pre-compiled regex pattern (faster)
+    string_literals = _YARA_STRING_LITERAL.findall(refined_code)
+    for i, literal in enumerate(string_literals[:3]):  # Limit to 3 strings
+        sanitized = _sanitize_yara_string(literal)
+        if sanitized:  # Only add non-empty strings
+            strings_section.append(f'        $str_{i} = "{sanitized}" ascii')
+
+    # Build condition
+    if strings_section:
+        condition = " or ".join([s.split(" = ")[0].strip() for s in strings_section])
+    else:
+        condition = "true  // Manual review required - no patterns extracted"
+
+    # Generate timestamp
+    timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+
+    # Build YARA rule with escaped metadata
+    yara_rule = f"""rule {rule_name} {{
+    meta:
+        description = "{reason}"
+        address = "{address}"
+        architecture = "{arch}"
+        generated = "{timestamp}"
+        source = "Reversecore TDS - Adaptive Vaccine"
+
+    strings:
+{chr(10).join(strings_section) if strings_section else "        // No patterns extracted - manual analysis required"}
+
+    condition:
+        {condition}
+}}"""
+
+    return yara_rule
+
+
+def _va_to_file_offset(file_path: Path, va: int) -> tuple[int, str]:
+    """Convert virtual address to file offset using LIEF.
+
+    Args:
+        file_path: Path to binary
+        va: Virtual address
+
+    Returns:
+        Tuple of (file_offset, section_name)
+    """
+    try:
+        binary = lief.parse(str(file_path))
+        if binary is None:
+            raise ValueError("Failed to parse binary with LIEF")
+
+        # Handle PE format
+        if isinstance(binary, lief.PE.Binary):
+            for section in binary.sections:
+                va_start = section.virtual_address + binary.optional_header.imagebase
+                va_end = va_start + section.virtual_size
+                if va_start <= va < va_end:
+                    offset = va - va_start + section.offset
+                    return offset, section.name
+
+        # Handle ELF format
+        elif isinstance(binary, lief.ELF.Binary):
+            for segment in binary.segments:
+                va_start = segment.virtual_address
+                va_end = va_start + segment.virtual_size
+                if va_start <= va < va_end:
+                    offset = va - va_start + segment.file_offset
+                    # Find section name
+                    section_name = "unknown"
+                    for section in binary.sections:
+                        if section.virtual_address <= va < section.virtual_address + section.size:
+                            section_name = section.name
+                            break
+                    return offset, section_name
+
+        raise ValueError(f"VA {hex(va)} not found in any section")
+
+    except Exception as e:
+        logger.error(f"VA to offset conversion failed: {e}")
+        raise
+
+
+def _create_binary_patch(
+    file_path: Path, threat_report: dict[str, Any], dry_run: bool = True
+) -> dict[str, Any]:
+    """
+    Create binary patch to neutralize threat.
+
+    Args:
+        file_path: Path to binary file
+        threat_report: Threat information
+        dry_run: If True, only preview without applying
+
+    Returns:
+        Dictionary with patch information
+    """
+    address_str = threat_report.get("address", "0x0")
+
+    try:
+        # Parse virtual address
+        if address_str.startswith("0x"):
+            va = int(address_str, 16)
+        else:
+            va = int(address_str)
+    except ValueError:
+        raise ValueError(f"Invalid address format: {address_str}")
+
+    # Convert VA to file offset
+    try:
+        file_offset, section_name = _va_to_file_offset(file_path, va)
+        logger.info(
+            f"Converted VA {address_str} to file offset {hex(file_offset)} (section: {section_name})"
+        )
+    except Exception as e:
+        raise ValueError(f"Failed to convert VA to file offset: {e}")
+
+    # Determine patch type based on instruction
+    instruction = threat_report.get("instruction", "").lower()
+
+    # FIX: Use Capstone to get exact instruction length
+    if Cs is None:
+        raise RuntimeError("Capstone engine not available. Cannot perform safe patching.")
+
+    # Determine Capstone mode
+    # We need to re-detect architecture slightly differently for Capstone constants
+    # _detect_architecture returns string, we need to map to Capstone constants
+    arch_str = _detect_architecture(file_path)
+    if arch_str == "x86":
+        cs_arch, cs_mode = CS_ARCH_X86, CS_MODE_32
+    elif arch_str == "x86_64":
+        cs_arch, cs_mode = CS_ARCH_X86, CS_MODE_64
+    elif arch_str == "arm":
+        cs_arch, cs_mode = CS_ARCH_ARM, CS_MODE_ARM # Simplification; real world is complex
+    else:
+        # Fallback to x86_64 if unknown
+        cs_arch, cs_mode = CS_ARCH_X86, CS_MODE_64
+
+    # Read bytes to disassemble
+    try:
+        with open(file_path, "rb") as f:
+            f.seek(file_offset)
+            # Max instruction length for x86 is 15 bytes
+            code_bytes = f.read(16)
+    except Exception as e:
+        raise ValueError(f"Failed to read file for disassembly: {e}")
+
+    try:
+        md = Cs(cs_arch, cs_mode)
+        # Disassemble one instruction at the VA
+        instrs = list(md.disasm(code_bytes, va))
+        if not instrs:
+             raise ValueError("Capstone failed to disassemble any instruction at target.")
+        
+        target_instr = instrs[0]
+        actual_length = target_instr.size
+        disasm_str = f"{target_instr.mnemonic} {target_instr.op_str}"
+        
+        logger.info(f"Disassembled at {hex(va)}: '{disasm_str}' (Size: {actual_length} bytes)")
+
+        # Verify if the disassembled instruction matches the threat report (optional safety check)
+        # implementation removed for brevity, trust the address for now.
+        
+    except Exception as e:
+        raise RuntimeError(f"Disassembly error at {hex(va)}: {e}")
+
+    # Generate Patch
+    patch_type = "NOP"
+    description = f"Safe NOP patch ({actual_length} bytes)"
+    
+    if "cmp" in instruction or "test" in instruction:
+        patch_bytes = b"\x90" * actual_length
+    elif "jne" in instruction or "je" in instruction or "jz" in instruction:
+        patch_type = "NOP_JUMP"
+        patch_bytes = b"\x90" * actual_length
+        description = f"Neutralize conditional jump ({actual_length} bytes)"
+    else:
+        # Generic NOP for whatever instruction is there
+        patch_bytes = b"\x90" * actual_length
+
+
+    patch_info = {
+        "type": patch_type,
+        "virtual_address": address_str,
+        "file_offset": hex(file_offset),
+        "section": section_name,
+        "bytes": patch_bytes.hex(),
+        "length": len(patch_bytes),
+        "description": description,
+        "applied": False,
+    }
+
+    if not dry_run:
+        # Create backup
+        backup_path = file_path.with_suffix(file_path.suffix + ".backup")
+        shutil.copy2(file_path, backup_path)
+        logger.info(f"Created backup: {backup_path}")
+
+        # Apply patch using file offset (not VA!)
+        try:
+            with open(file_path, "r+b") as f:
+                f.seek(file_offset)  # Use file offset, not VA
+                f.write(patch_bytes)
+
+            patch_info["applied"] = True
+            patch_info["backup"] = str(backup_path)
+            
+            audit_logger.log_event(
+                AuditAction.BINARY_PATCH,
+                str(file_path),
+                "SUCCESS",
+                details={
+                    "type": patch_type,
+                    "address": address_str,
+                    "file_offset": hex(file_offset),
+                    "bytes": patch_bytes.hex()
+                }
+            )
+            
+            logger.info(f"Applied patch at file offset {hex(file_offset)} (VA: {address_str})")
+        except Exception as e:
+            audit_logger.log_event(
+                AuditAction.BINARY_PATCH,
+                str(file_path),
+                "FAILURE",
+                details={"error": str(e), "address": address_str}
+            )
+            # Restore from backup
+            shutil.copy2(backup_path, file_path)
+            raise RuntimeError(f"Patch failed, restored from backup: {e}")
+
+    return patch_info
+
+
+# Note: AdaptiveVaccinePlugin has been removed.
+# The adaptive_vaccine tool is now registered via MalwareToolsPlugin in malware/__init__.py.
+