iflow-mcp_developermode-korea_reversecore-mcp 1.0.0__py3-none-any.whl

reversecore_mcp/tools/malware/vulnerability_hunter.py

@@ -0,0 +1,519 @@
+"""
+Vulnerability Hunter: Automated Vulnerability Discovery Tool.
+
+This tool combines multiple analysis techniques to automatically discover
+potential security vulnerabilities in binary files:
+
+1. Dangerous API Detection - Finds calls to unsafe functions
+2. Backtrace Analysis - Traces execution paths to dangerous calls
+3. Light Taint Analysis - Identifies user-controllable inputs
+4. Report Generation - Creates vulnerability reports with YARA rules
+
+This is a signature tool that combines: decompilation, xrefs, signature_tools, dormant_detector
+"""
+
+from __future__ import annotations
+
+import re
+from functools import lru_cache
+from pathlib import Path
+from typing import Any
+
+from async_lru import alru_cache
+from fastmcp import Context, FastMCP
+
+from reversecore_mcp.core import json_utils as json
+from reversecore_mcp.core.config import get_config
+from reversecore_mcp.core.decorators import log_execution
+from reversecore_mcp.core.error_handling import handle_tool_errors
+from reversecore_mcp.core.execution import execute_subprocess_async
+from reversecore_mcp.core.logging_config import get_logger
+from reversecore_mcp.core.metrics import track_metrics
+from reversecore_mcp.core.r2_helpers import calculate_dynamic_timeout
+from reversecore_mcp.core.result import ToolResult, failure, success
+from reversecore_mcp.core.security import validate_file_path
+
+logger = get_logger(__name__)
+
+DEFAULT_TIMEOUT = get_config().default_tool_timeout
+
+# =============================================================================
+# Dangerous API Database
+# =============================================================================
+
+# Categorized dangerous APIs with severity and description
+DANGEROUS_APIS: dict[str, dict[str, Any]] = {
+    # Memory Corruption - Critical
+    "strcpy": {"severity": "critical", "category": "buffer_overflow", "description": "Unbounded string copy"},
+    "strcat": {"severity": "critical", "category": "buffer_overflow", "description": "Unbounded string concatenation"},
+    "sprintf": {"severity": "critical", "category": "buffer_overflow", "description": "Unbounded formatted string"},
+    "gets": {"severity": "critical", "category": "buffer_overflow", "description": "Unbounded input read"},
+    "scanf": {"severity": "high", "category": "buffer_overflow", "description": "Potentially unbounded input"},
+    "vsprintf": {"severity": "critical", "category": "buffer_overflow", "description": "Unbounded formatted string (va)"},
+
+    # Format String
+    "printf": {"severity": "medium", "category": "format_string", "description": "Format string if user-controlled"},
+    "fprintf": {"severity": "medium", "category": "format_string", "description": "Format string if user-controlled"},
+    "syslog": {"severity": "medium", "category": "format_string", "description": "Format string in logging"},
+
+    # Command Injection - Critical
+    "system": {"severity": "critical", "category": "command_injection", "description": "Shell command execution"},
+    "popen": {"severity": "critical", "category": "command_injection", "description": "Shell command with pipe"},
+    "execve": {"severity": "critical", "category": "command_injection", "description": "Process execution"},
+    "execl": {"severity": "critical", "category": "command_injection", "description": "Process execution"},
+    "execlp": {"severity": "critical", "category": "command_injection", "description": "Process execution (PATH)"},
+    "execvp": {"severity": "critical", "category": "command_injection", "description": "Process execution (PATH)"},
+    "ShellExecute": {"severity": "critical", "category": "command_injection", "description": "Windows shell execution"},
+    "ShellExecuteA": {"severity": "critical", "category": "command_injection", "description": "Windows shell execution"},
+    "ShellExecuteW": {"severity": "critical", "category": "command_injection", "description": "Windows shell execution"},
+    "WinExec": {"severity": "critical", "category": "command_injection", "description": "Windows process execution"},
+    "CreateProcess": {"severity": "high", "category": "command_injection", "description": "Windows process creation"},
+    "CreateProcessA": {"severity": "high", "category": "command_injection", "description": "Windows process creation"},
+    "CreateProcessW": {"severity": "high", "category": "command_injection", "description": "Windows process creation"},
+
+    # Memory Management
+    "malloc": {"severity": "low", "category": "memory", "description": "Dynamic allocation (check for integer overflow)"},
+    "realloc": {"severity": "medium", "category": "memory", "description": "Reallocation (check for size)"},
+    "free": {"severity": "medium", "category": "memory", "description": "Free (check for double-free/UAF)"},
+    "VirtualAlloc": {"severity": "low", "category": "memory", "description": "Windows memory allocation"},
+    "HeapAlloc": {"severity": "low", "category": "memory", "description": "Windows heap allocation"},
+
+    # File Operations
+    "fopen": {"severity": "low", "category": "file_access", "description": "File open (check path)"},
+    "open": {"severity": "low", "category": "file_access", "description": "File open (check path)"},
+    "CreateFile": {"severity": "low", "category": "file_access", "description": "Windows file open"},
+    "CreateFileA": {"severity": "low", "category": "file_access", "description": "Windows file open"},
+    "CreateFileW": {"severity": "low", "category": "file_access", "description": "Windows file open"},
+    "unlink": {"severity": "medium", "category": "file_access", "description": "File deletion"},
+    "remove": {"severity": "medium", "category": "file_access", "description": "File deletion"},
+    "DeleteFile": {"severity": "medium", "category": "file_access", "description": "Windows file deletion"},
+
+    # Network
+    "recv": {"severity": "high", "category": "network_input", "description": "Network receive (user input source)"},
+    "recvfrom": {"severity": "high", "category": "network_input", "description": "Network receive (user input source)"},
+    "read": {"severity": "medium", "category": "input", "description": "Read (potential user input)"},
+    "fread": {"severity": "medium", "category": "input", "description": "File read (potential user input)"},
+    "fgets": {"severity": "low", "category": "input", "description": "Bounded string read"},
+    "getenv": {"severity": "medium", "category": "input", "description": "Environment variable (user-controlled)"},
+
+    # Dangerous Windows APIs
+    "LoadLibrary": {"severity": "high", "category": "code_execution", "description": "DLL loading"},
+    "LoadLibraryA": {"severity": "high", "category": "code_execution", "description": "DLL loading"},
+    "LoadLibraryW": {"severity": "high", "category": "code_execution", "description": "DLL loading"},
+    "GetProcAddress": {"severity": "medium", "category": "code_execution", "description": "Dynamic function resolution"},
+    "WriteProcessMemory": {"severity": "critical", "category": "code_injection", "description": "Process memory write"},
+    "VirtualAllocEx": {"severity": "high", "category": "code_injection", "description": "Remote memory allocation"},
+    "CreateRemoteThread": {"severity": "critical", "category": "code_injection", "description": "Remote thread creation"},
+
+    # Crypto (weak)
+    "rand": {"severity": "medium", "category": "weak_crypto", "description": "Weak random number generator"},
+    "srand": {"severity": "low", "category": "weak_crypto", "description": "Weak RNG seed"},
+    "MD5": {"severity": "medium", "category": "weak_crypto", "description": "Weak hash algorithm"},
+    "SHA1": {"severity": "low", "category": "weak_crypto", "description": "Deprecated hash algorithm"},
+}
+
+# User input sources for taint analysis
+USER_INPUT_SOURCES = frozenset({
+    "recv", "recvfrom", "read", "fread", "fgets", "gets", "scanf",
+    "getenv", "argv", "fopen", "open", "accept", "listen",
+    "ReadFile", "InternetReadFile", "HttpQueryInfo",
+})
+
+# Pre-compiled pattern for hex addresses
+_HEX_PATTERN = re.compile(r"0x[0-9a-fA-F]+")
+
+
+def _extract_json_safely(output: str) -> Any | None:
+    """Extract JSON from radare2 output using robust state-machine parser.
+    
+    Delegates to r2_helpers.parse_json_output which uses O(n) algorithm
+    instead of fragile regex patterns.
+    """
+    if not output or not output.strip():
+        return None
+
+    try:
+        from reversecore_mcp.core.r2_helpers import parse_json_output
+        return parse_json_output(output)
+    except Exception:
+        return None
+
+
+async def _run_r2_cmd(file_path: str | Path, cmd: str, timeout: int | None = None) -> str:
+    """Execute radare2 command."""
+    effective_timeout = timeout or calculate_dynamic_timeout(str(file_path), base_timeout=30)
+    full_cmd = ["radare2", "-q", "-c", cmd, str(file_path)]
+    output, _ = await execute_subprocess_async(full_cmd, timeout=effective_timeout)
+    return output
+
+
+@log_execution(tool_name="vulnerability_hunter")
+@track_metrics("vulnerability_hunter")
+@handle_tool_errors
+async def vulnerability_hunter(
+    file_path: str,
+    max_depth: int = 3,
+    severity_filter: str = "all",
+    generate_yara: bool = True,
+    timeout: int = 300,
+    ctx: Context = None,
+) -> ToolResult:
+    """
+    Automated vulnerability discovery combining multiple analysis techniques.
+
+    This tool performs a comprehensive security analysis:
+    1. Scans for dangerous API calls (buffer overflow, command injection, etc.)
+    2. Traces back to find how each dangerous call is reached
+    3. Identifies if inputs are user-controllable (light taint analysis)
+    4. Generates vulnerability report with YARA detection rules
+
+    Args:
+        file_path: Path to the binary file to analyze
+        max_depth: Maximum backtrace depth for call chain analysis (default: 3)
+        severity_filter: Filter by severity - "all", "critical", "high", "medium" (default: "all")
+        generate_yara: Generate YARA rules for detected vulnerabilities (default: True)
+        timeout: Analysis timeout in seconds (default: 300)
+
+    Returns:
+        ToolResult containing:
+        - vulnerabilities: List of detected vulnerabilities with details
+        - call_chains: Execution paths leading to vulnerabilities
+        - taint_sources: Identified user input sources
+        - yara_rules: Generated YARA detection rules (if enabled)
+        - summary: Statistics and risk assessment
+
+    Example:
+        vulnerability_hunter("/path/to/binary.exe", severity_filter="critical")
+    """
+    validated_path = validate_file_path(file_path)
+
+    if ctx:
+        await ctx.info("🔍 Vulnerability Hunter: Starting comprehensive analysis...")
+
+    # Phase 1: Analyze and get function list
+    if ctx:
+        await ctx.report_progress(10, 100)
+        await ctx.info("📊 Phase 1: Analyzing binary and enumerating functions...")
+
+    file_size = validated_path.stat().st_size
+    analysis_cmd = "aa" if file_size > 5_000_000 else "aaa"
+
+    output = await _run_r2_cmd(validated_path, f"{analysis_cmd}; aflj", timeout=timeout)
+    functions = _extract_json_safely(output)
+
+    if not functions or not isinstance(functions, list):
+        return failure(
+            "ANALYSIS_ERROR",
+            "Failed to analyze binary or extract function list",
+            hint="Try increasing timeout or check if the binary is valid"
+        )
+
+    # Phase 2: Find dangerous API calls
+    if ctx:
+        await ctx.report_progress(25, 100)
+        await ctx.info("⚠️ Phase 2: Scanning for dangerous API calls...")
+
+    vulnerabilities = []
+    dangerous_calls = []
+
+    # Build function name index for faster lookup
+    func_by_name = {f.get("name", ""): f for f in functions}
+    func_by_addr = {f.get("offset", 0): f for f in functions}
+
+    # Find imports that match dangerous APIs
+    imports_output = await _run_r2_cmd(validated_path, "iij", timeout=60)
+    imports = _extract_json_safely(imports_output) or []
+
+    for imp in imports:
+        imp_name = imp.get("name", "")
+        # Extract base function name (remove sym.imp. prefix and library suffix)
+        base_name = imp_name.replace("sym.imp.", "").split("@")[0]
+
+        if base_name in DANGEROUS_APIS:
+            api_info = DANGEROUS_APIS[base_name]
+
+            # Apply severity filter
+            if severity_filter != "all":
+                severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
+                filter_level = severity_order.get(severity_filter, 3)
+                api_level = severity_order.get(api_info["severity"], 3)
+                if api_level > filter_level:
+                    continue
+
+            dangerous_calls.append({
+                "dangerous_api_name": base_name,
+                "import_symbol_full_name": imp_name,
+                "plt_address": hex(imp.get("plt", 0) or imp.get("vaddr", 0)),
+                "vulnerability_category": api_info["category"],
+                "severity_level": api_info["severity"],
+                "risk_description": api_info["description"],
+            })
+
+    if ctx:
+        await ctx.info(f"   Found {len(dangerous_calls)} dangerous API calls")
+
+    # Phase 3: Backtrace analysis for each dangerous call
+    if ctx:
+        await ctx.report_progress(40, 100)
+        await ctx.info("🔙 Phase 3: Analyzing call chains (backtrace)...")
+
+    call_chains = []
+    taint_sources = []
+
+    for i, dangerous in enumerate(dangerous_calls[:20]):  # Limit for performance
+        if ctx and i % 5 == 0:
+            await ctx.report_progress(40 + int((i / min(len(dangerous_calls), 20)) * 30), 100)
+
+        api_plt_address = dangerous["plt_address"]
+
+        # Get cross-references TO this function
+        xrefs_output = await _run_r2_cmd(validated_path, f"axtj @ {api_plt_address}", timeout=30)
+        xrefs = _extract_json_safely(xrefs_output) or []
+
+        chain_results = []
+        for xref in xrefs[:10]:  # Limit xrefs per function
+            caller_addr = xref.get("from", 0)
+            caller_func = None
+
+            # Find which function contains this caller
+            for func in functions:
+                func_start = func.get("offset", 0)
+                func_size = func.get("size", 0)
+                if func_start <= caller_addr < func_start + func_size:
+                    caller_func = func
+                    break
+
+            if caller_func:
+                func_name = caller_func.get("name", "unknown")
+
+                # Check if this function receives user input (light taint analysis)
+                is_tainted = False
+                taint_source = None
+
+                # Get function disassembly to check for input sources
+                func_addr = caller_func.get("offset", 0)
+                disasm_output = await _run_r2_cmd(
+                    validated_path, f"pdfj @ {hex(func_addr)}", timeout=30
+                )
+                func_disasm = _extract_json_safely(disasm_output)
+
+                if func_disasm and "ops" in func_disasm:
+                    for op in func_disasm.get("ops", []):
+                        disasm = op.get("disasm", "")
+                        for source in USER_INPUT_SOURCES:
+                            # Use word boundary to avoid false positives
+                            # e.g., "pthread" should not match "read"
+                            if re.search(rf"\b{re.escape(source)}\b", disasm):
+                                is_tainted = True
+                                taint_source = source
+                                if source not in [t["input_source_api"] for t in taint_sources]:
+                                    taint_sources.append({
+                                        "input_source_api": source,
+                                        "found_in_function": func_name,
+                                        "instruction_address": hex(op.get("offset", 0))
+                                    })
+                                break
+
+                chain_results.append({
+                    "calling_function_name": func_name,
+                    "call_instruction_address": hex(caller_addr),
+                    "user_input_reaches_here": is_tainted,
+                    "input_source_if_tainted": taint_source,
+                    "reference_type": xref.get("type", "unknown")
+                })
+
+            call_chains.append({
+                "dangerous_api_name": dangerous["dangerous_api_name"],
+                "api_plt_address": dangerous["plt_address"],
+                "severity_level": dangerous["severity_level"],
+                "vulnerability_category": dangerous["vulnerability_category"],
+                "functions_that_call_this_api": chain_results,
+                "total_call_sites_found": len(xrefs)
+            })
+
+            # Create vulnerability entry for tainted paths
+            tainted_callers = [c for c in chain_results if c["user_input_reaches_here"]]
+            if tainted_callers:
+                vulnerabilities.append({
+                    "vulnerability_type": dangerous["vulnerability_category"],
+                    "severity_level": dangerous["severity_level"],
+                    "dangerous_api_name": dangerous["dangerous_api_name"],
+                    "api_plt_address": dangerous["plt_address"],
+                    "risk_description": dangerous["risk_description"],
+                    "is_exploitable": True,
+                    "exploitation_reason": f"User input from {tainted_callers[0]['input_source_if_tainted']} reaches {dangerous['dangerous_api_name']}",
+                    "vulnerable_functions": [c["calling_function_name"] for c in tainted_callers],
+                    "fix_recommendation": _get_recommendation(dangerous["vulnerability_category"])
+                })
+            elif chain_results:
+                vulnerabilities.append({
+                    "vulnerability_type": dangerous["vulnerability_category"],
+                    "severity_level": dangerous["severity_level"],
+                    "dangerous_api_name": dangerous["dangerous_api_name"],
+                    "api_plt_address": dangerous["plt_address"],
+                    "risk_description": dangerous["risk_description"],
+                    "is_exploitable": "needs_verification",
+                    "exploitation_reason": f"Dangerous API {dangerous['dangerous_api_name']} called from {len(chain_results)} locations (taint not confirmed)",
+                    "vulnerable_functions": [c["calling_function_name"] for c in chain_results[:5]],
+                    "fix_recommendation": _get_recommendation(dangerous["vulnerability_category"])
+                })
+
+    # Phase 4: Generate YARA rules
+    yara_rules = []
+    if generate_yara and vulnerabilities:
+        if ctx:
+            await ctx.report_progress(85, 100)
+            await ctx.info("📝 Phase 4: Generating YARA detection rules...")
+
+        yara_rules = _generate_vulnerability_yara_rules(
+            vulnerabilities,
+            validated_path.name,
+            dangerous_calls
+        )
+
+    # Phase 5: Generate summary
+    if ctx:
+        await ctx.report_progress(95, 100)
+        await ctx.info("📋 Generating vulnerability report...")
+
+    severity_counts = {"critical": 0, "high": 0, "medium": 0, "low": 0}
+    for vuln in vulnerabilities:
+        sev = vuln.get("severity_level", "low")
+        severity_counts[sev] = severity_counts.get(sev, 0) + 1
+
+    exploitable_count = sum(1 for v in vulnerabilities if v.get("is_exploitable") is True)
+
+    risk_score = (
+        severity_counts["critical"] * 10 +
+        severity_counts["high"] * 5 +
+        severity_counts["medium"] * 2 +
+        severity_counts["low"] * 1
+    )
+
+    if risk_score >= 20:
+        risk_level = "CRITICAL"
+    elif risk_score >= 10:
+        risk_level = "HIGH"
+    elif risk_score >= 5:
+        risk_level = "MEDIUM"
+    else:
+        risk_level = "LOW"
+
+    if ctx:
+        await ctx.report_progress(100, 100)
+        await ctx.info(f"✅ Analysis complete. Risk Level: {risk_level}")
+
+    return success({
+        "analysis_summary": {
+            "total_vulnerabilities_found": len(vulnerabilities),
+            "confirmed_exploitable_count": exploitable_count,
+            "overall_risk_level": risk_level,
+            "risk_score_0_to_100": risk_score,
+            "vulnerabilities_by_severity": severity_counts,
+            "dangerous_imports_detected": len(dangerous_calls),
+            "user_input_sources_found": len(taint_sources),
+        },
+        "detected_vulnerabilities": vulnerabilities,
+        "call_chain_analysis": call_chains,
+        "user_input_sources": taint_sources,
+        "generated_yara_rules": yara_rules if generate_yara else None,
+        "prioritized_recommendations": _generate_recommendations(vulnerabilities),
+    })
+
+
+def _get_recommendation(category: str) -> str:
+    """Get security recommendation for vulnerability category."""
+    recommendations = {
+        "buffer_overflow": "Use bounded alternatives (strncpy, snprintf) and validate buffer sizes",
+        "format_string": "Never use user input as format string. Use printf(\"%s\", user_input)",
+        "command_injection": "Avoid shell commands. Use exec* with explicit arguments, sanitize inputs",
+        "memory": "Check allocation sizes for integer overflow, use RAII/smart pointers",
+        "file_access": "Validate and sanitize file paths, use allowlists",
+        "network_input": "Validate all network input, use bounded reads with size limits",
+        "input": "Validate and sanitize all user input before use",
+        "code_execution": "Validate DLL/library paths, use signed code where possible",
+        "code_injection": "This is typical malware behavior - investigate thoroughly",
+        "weak_crypto": "Use cryptographically secure random (getrandom, CryptGenRandom)",
+    }
+    return recommendations.get(category, "Review and validate all inputs to this function")
+
+
+def _generate_recommendations(vulnerabilities: list[dict]) -> list[str]:
+    """Generate prioritized recommendations based on vulnerabilities."""
+    recommendations = []
+    categories_seen = set()
+
+    # Sort by severity
+    severity_order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
+    sorted_vulns = sorted(vulnerabilities, key=lambda v: severity_order.get(v.get("severity", "low"), 3))
+
+    for vuln in sorted_vulns:
+        cat = vuln.get("vulnerability_type", "unknown")
+        if cat not in categories_seen:
+            categories_seen.add(cat)
+            rec = _get_recommendation(cat)
+            severity = vuln.get("severity_level", "medium").upper()
+            recommendations.append(f"[{severity}] {cat}: {rec}")
+
+    if not recommendations:
+        recommendations.append("No critical vulnerabilities detected. Continue regular security review.")
+
+    return recommendations[:10]  # Limit to top 10
+
+
+def _generate_vulnerability_yara_rules(
+    vulnerabilities: list[dict],
+    filename: str,
+    dangerous_calls: list[dict]
+) -> list[str]:
+    """Generate YARA rules for detected vulnerabilities."""
+    rules = []
+
+    # Sanitize filename for rule name
+    safe_name = re.sub(r"[^a-zA-Z0-9]", "_", filename)
+
+    # Group by category
+    categories = {}
+    for vuln in vulnerabilities:
+        cat = vuln.get("vulnerability_type", "unknown")
+        if cat not in categories:
+            categories[cat] = []
+        categories[cat].append(vuln)
+
+    for category, vulns in categories.items():
+        if category in ["buffer_overflow", "command_injection", "code_injection"]:
+            apis = list(set(v.get("dangerous_api_name", "") for v in vulns))
+
+            rule = f'''rule vuln_{safe_name}_{category} {{
+    meta:
+        description = "Detects {category} vulnerability pattern in {filename}"
+        severity = "{vulns[0].get('severity', 'medium')}"
+        author = "Vulnerability Hunter (auto-generated)"
+        category = "{category}"
+
+    strings:
+        {_generate_yara_strings(apis)}
+
+    condition:
+        uint16(0) == 0x5A4D or uint32(0) == 0x464c457f and any of them
+}}'''
+            rules.append(rule)
+
+    return rules
+
+
+def _generate_yara_strings(apis: list[str]) -> str:
+    """Generate YARA string definitions for APIs."""
+    strings = []
+    for i, api in enumerate(apis[:10]):  # Limit to 10
+        # ASCII version
+        strings.append(f'$api{i}_a = "{api}" ascii')
+        # Wide version (Windows)
+        strings.append(f'$api{i}_w = "{api}" wide')
+
+    return "\n        ".join(strings)
+
+
+# Note: VulnerabilityHunterPlugin has been removed.
+# The vulnerability_hunter tool is now registered via MalwareToolsPlugin in malware/__init__.py.
+