Merge pull request #58 from P4X-ng/Q-DEV-issue-56-1765704413

Add malware (time bomb style)

Author: P4X-ng

lib/msf/core/constants.rb

@@ -19,6 +19,7 @@ module Msf
 MODULE_PAYLOAD = 'payload'
 MODULE_POST    = 'post'
 MODULE_EVASION = 'evasion'
+MODULE_MALWARE = 'malware'
 MODULE_TYPES   =
   [
     MODULE_ENCODER,
@@ -27,7 +28,8 @@ module Msf
     MODULE_NOP,
     MODULE_POST,
     MODULE_AUX,
-    MODULE_EVASION
+    MODULE_EVASION,
+    MODULE_MALWARE
   ]
 
 #

lib/msf/core/malware.rb

@@ -0,0 +1,360 @@
+# -*- coding: binary -*-
+
+#
+# A Malware simulation module with time bomb functionality
+#
+class Msf::Malware < Msf::Module
+
+  class Complete < RuntimeError
+  end
+
+  class Failed < RuntimeError
+  end
+
+  class TimeBombExpired < RuntimeError
+  end
+
+  include Msf::PostMixin
+
+  # Track files and artifacts for cleanup
+  attr_accessor :needs_cleanup
+  attr_accessor :cleanup_artifacts
+  attr_accessor :start_time
+  attr_accessor :duration_seconds
+
+  def initialize(info = {})
+    super
+
+    # Initialize cleanup tracking
+    @cleanup_artifacts = []
+    @needs_cleanup = false
+    @start_time = nil
+    @duration_seconds = nil
+
+    # Register common malware simulation options
+    register_options([
+      OptInt.new('DURATION', [true, 'Duration in seconds before auto-cleanup (time bomb)', 300]),
+      OptBool.new('AUTO_CLEANUP', [true, 'Automatically cleanup artifacts when time expires', true]),
+      OptBool.new('SIMULATE_ONLY', [true, 'Only simulate malware behavior without actual persistence', true]),
+      OptString.new('CLEANUP_SIGNAL', [false, 'Custom signal file to trigger immediate cleanup', '']),
+    ])
+  end
+
+  def setup
+    m = replicant
+
+    if m.actions.length > 0 && !m.action
+      raise Msf::MissingActionError, "Please use: #{m.actions.collect {|e| e.name} * ", "}"
+    end
+
+    # Initialize time bomb
+    @start_time = Time.now
+    @duration_seconds = datastore['DURATION'].to_i
+    @needs_cleanup = datastore['AUTO_CLEANUP']
+
+    print_status("Malware simulation started at #{@start_time}")
+    print_status("Time bomb set for #{@duration_seconds} seconds")
+    print_warning("Auto-cleanup #{@needs_cleanup ? 'ENABLED' : 'DISABLED'}")
+
+    # Msf::Module(Msf::PostMixin)#setup
+    super
+  end
+
+  def type
+    Msf::MODULE_MALWARE
+  end
+
+  def self.type
+    Msf::MODULE_MALWARE
+  end
+
+  #
+  # Create an anonymous module not tied to a file.  Only useful for IRB.
+  #
+  def self.create(session)
+    mod = new
+    mod.instance_variable_set(:@session, session)
+    # Have to override inspect because for whatever reason, +type+ is coming
+    # from the wrong scope and i can't figure out how to fix it.
+    mod.instance_eval do
+      def inspect
+        "#<Msf::Malware anonymous>"
+      end
+    end
+    mod.class.refname = "anonymous"
+
+    mod
+  end
+
+  # This method returns the ID of the Mdm::Session that the malware module
+  # is currently running against.
+  #
+  # @return [NilClass] if there is no database record for the session
+  # @return [Integer] if there is a database record to get the id for
+  def session_db_id
+    if session.db_record
+      session.db_record.id
+    else
+      nil
+    end
+  end
+
+  # Override Msf::Module#fail_with for Msf::Simple::Malware::job_run_proc
+  def fail_with(reason, msg = nil)
+    cleanup_artifacts if @needs_cleanup
+    raise Msf::Malware::Failed, "#{reason.to_s}: #{msg}"
+  end
+
+  #
+  # Time bomb functionality
+  #
+
+  # Check if the time bomb has expired
+  def time_bomb_expired?
+    return false unless @start_time && @duration_seconds
+    (Time.now - @start_time) >= @duration_seconds
+  end
+
+  # Get remaining time in seconds
+  def time_remaining
+    return 0 unless @start_time && @duration_seconds
+    remaining = @duration_seconds - (Time.now - @start_time)
+    [remaining, 0].max
+  end
+
+  # Check for cleanup signal file
+  def cleanup_signal_present?
+    signal_file = datastore['CLEANUP_SIGNAL']
+    return false if signal_file.blank?
+    
+    begin
+      if session.type == 'meterpreter'
+        return session.fs.file.stat(signal_file) rescue false
+      elsif session.type == 'shell'
+        result = session.shell_command_token("test -f #{signal_file} && echo exists")
+        return result.include?('exists')
+      end
+    rescue
+      return false
+    end
+    false
+  end
+
+  # Check if module should terminate (time bomb or signal)
+  def should_terminate?
+    time_bomb_expired? || cleanup_signal_present?
+  end
+
+  # Add artifact for cleanup tracking
+  def register_artifact(path, type = :file)
+    @cleanup_artifacts << { path: path, type: type, created_at: Time.now }
+    print_good("Registered artifact for cleanup: #{path}")
+  end
+
+  # Cleanup all registered artifacts
+  def cleanup_artifacts
+    return unless @cleanup_artifacts && @cleanup_artifacts.any?
+
+    print_status("Time bomb expired! Cleaning up #{@cleanup_artifacts.length} artifacts...")
+    
+    @cleanup_artifacts.each do |artifact|
+      begin
+        case artifact[:type]
+        when :file
+          cleanup_file(artifact[:path])
+        when :directory
+          cleanup_directory(artifact[:path])
+        when :registry
+          cleanup_registry(artifact[:path])
+        when :service
+          cleanup_service(artifact[:path])
+        when :process
+          cleanup_process(artifact[:path])
+        else
+          print_warning("Unknown artifact type: #{artifact[:type]}")
+        end
+      rescue => e
+        print_error("Failed to cleanup #{artifact[:path]}: #{e.message}")
+      end
+    end
+
+    @cleanup_artifacts.clear
+    print_good("Malware simulation cleanup completed")
+  end
+
+  # Cleanup a file
+  def cleanup_file(path)
+    if session.type == 'meterpreter'
+      session.fs.file.rm(path)
+    elsif session.type == 'shell'
+      if session.platform == 'windows'
+        session.shell_command_token("del /f /q \"#{path}\"")
+      else
+        session.shell_command_token("rm -f \"#{path}\"")
+      end
+    end
+    print_status("Removed file: #{path}")
+  end
+
+  # Cleanup a directory
+  def cleanup_directory(path)
+    if session.type == 'meterpreter'
+      session.fs.dir.rmdir(path)
+    elsif session.type == 'shell'
+      if session.platform == 'windows'
+        session.shell_command_token("rmdir /s /q \"#{path}\"")
+      else
+        session.shell_command_token("rm -rf \"#{path}\"")
+      end
+    end
+    print_status("Removed directory: #{path}")
+  end
+
+  # Cleanup registry entry (Windows only)
+  def cleanup_registry(path)
+    return unless session.platform == 'windows'
+    
+    if session.type == 'meterpreter'
+      session.sys.registry.delete_key(path)
+    elsif session.type == 'shell'
+      session.shell_command_token("reg delete \"#{path}\" /f")
+    end
+    print_status("Removed registry key: #{path}")
+  end
+
+  # Cleanup service (placeholder)
+  def cleanup_service(name)
+    print_status("Stopping and removing service: #{name}")
+    # Implementation depends on platform and service type
+  end
+
+  # Cleanup process (placeholder)
+  def cleanup_process(pid_or_name)
+    print_status("Terminating process: #{pid_or_name}")
+    # Implementation depends on platform
+  end
+
+  #
+  # Safe simulation helpers
+  #
+
+  # Simulate file creation without actual persistence
+  def simulate_file_drop(path, content = nil)
+    if datastore['SIMULATE_ONLY']
+      print_status("SIMULATION: Would create file at #{path}")
+      return true
+    end
+
+    # Actually create the file but register for cleanup
+    content ||= generate_fake_malware_content
+    
+    if session.type == 'meterpreter'
+      session.fs.file.upload_file(path, content)
+    elsif session.type == 'shell'
+      encoded_content = Rex::Text.encode_base64(content)
+      if session.platform == 'windows'
+        session.shell_command_token("echo #{encoded_content} | certutil -decode - \"#{path}\"")
+      else
+        session.shell_command_token("echo '#{encoded_content}' | base64 -d > \"#{path}\"")
+      end
+    end
+
+    register_artifact(path, :file)
+    print_good("Created malware file: #{path}")
+    true
+  end
+
+  # Simulate registry persistence (Windows)
+  def simulate_registry_persistence(key, value, data)
+    if datastore['SIMULATE_ONLY']
+      print_status("SIMULATION: Would create registry entry #{key}\\#{value}")
+      return true
+    end
+
+    return false unless session.platform == 'windows'
+
+    if session.type == 'meterpreter'
+      session.sys.registry.set_value(key, value, data)
+    elsif session.type == 'shell'
+      session.shell_command_token("reg add \"#{key}\" /v \"#{value}\" /d \"#{data}\" /f")
+    end
+
+    register_artifact("#{key}\\#{value}", :registry)
+    print_good("Created registry persistence: #{key}\\#{value}")
+    true
+  end
+
+  # Generate fake malware content for simulation
+  def generate_fake_malware_content
+    content = "#!/bin/bash\n" if session.platform != 'windows'
+    content ||= "@echo off\n"
+    
+    content += <<~EOF
+      REM Metasploit Malware Simulation
+      REM This is a HARMLESS simulation for penetration testing
+      REM Created: #{Time.now}
+      REM Duration: #{@duration_seconds} seconds
+      REM Auto-cleanup: #{@needs_cleanup}
+      
+      echo "Malware simulation running..."
+      echo "This is NOT real malware - it's a penetration testing simulation"
+      echo "Time remaining: #{time_remaining} seconds"
+    EOF
+
+    content
+  end
+
+  # Main execution wrapper with time bomb checking
+  def run_with_time_bomb
+    begin
+      # Start the malware simulation
+      run_malware_simulation
+
+      # Monitor for time bomb expiration
+      while !should_terminate?
+        sleep(5) # Check every 5 seconds
+        
+        if time_remaining <= 30 && time_remaining > 25
+          print_warning("Time bomb warning: #{time_remaining} seconds remaining")
+        end
+      end
+
+      if time_bomb_expired?
+        print_error("Time bomb expired!")
+        raise Msf::Malware::TimeBombExpired, "Malware simulation time limit reached"
+      elsif cleanup_signal_present?
+        print_status("Cleanup signal detected")
+      end
+
+    rescue Msf::Malware::TimeBombExpired => e
+      print_error("Time bomb detonated: #{e.message}")
+    rescue => e
+      print_error("Malware simulation error: #{e.message}")
+    ensure
+      cleanup_artifacts if @needs_cleanup
+    end
+  end
+
+  # Override this method in specific malware modules
+  def run_malware_simulation
+    print_status("Base malware simulation - override this method in specific modules")
+    
+    # Example simulation behavior
+    simulate_file_drop("/tmp/malware_sim.txt") if session.platform != 'windows'
+    simulate_file_drop("C:\\temp\\malware_sim.txt") if session.platform == 'windows'
+    
+    # Simulate some activity
+    (1..10).each do |i|
+      break if should_terminate?
+      print_status("Malware simulation activity #{i}/10")
+      sleep(2)
+    end
+  end
+
+  # Main run method - calls the time bomb wrapper
+  def run
+    print_status("Starting malware simulation with time bomb functionality")
+    run_with_time_bomb
+  end
+
+end