Feature/sig based av (#64)

 version 0.17.10

CHANGELOG.md

@@ -381,4 +381,14 @@ Date: Tue Aug 13 05:13:55 PM -03 2024
     → Add binds inside db.json
     → Refatored shell flawless entry point
     → Fixed DOS functions
-    → Fix lint warnings
+    → Fixed lint warnings
+
+Version 0.17.10
+
+Date: Tue Aug 20 08:30:19 PM -03 2024
+
+    → Rollback signature based AV with a new backend
+    → Add directory_lookup has AV backend
+    → Small overall fixes
+    → Updated wiki
+    → Updated malware list

build.sh

@@ -16,11 +16,11 @@ fi
 
 # Install packages
 if [ "$package_manager" == "apt" ]; then
-    apt update
-    apt install -y nmap dirb dnsenum libc-bin iproute2 xxd iptables coreutils wget curl dnsutils traceroute
+    sudo apt update
+    sudo apt install -y nmap whois dirb dnsenum libc-bin iproute2 xxd iptables coreutils wget curl dnsutils traceroute openssl openssh-server xattr libimage-exiftool-perl tor foremost
 elif [ "$package_manager" == "yum" ]; then
-    yum update -y
-    yum install -y nmap dirb dnsenum glibc-utils xxd iptables-utils iproute wget curl bind-utils traceroute
+    sudo yum update -y
+    sudo yum install -y nmap dirb dnsenum glibc-utils xxd iptables-utils iproute wget curl bind-utils traceroute
 fi
 
 # Install data
@@ -33,7 +33,7 @@ sudo chown -R $(whoami):$(whoami) /var/witch_craft
 echo && echo "Cargo build"
 cargo build --release --manifest-path witch_craft/Cargo.toml
 chmod +x ./witch_craft/target/release/witch_craft
-cp -r ./witch_craft/target/release/witch_craft /bin
+sudo cp -r ./witch_craft/target/release/witch_craft /bin
 
 
 # Test and print status for each binary

witch_craft/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "witch_craft"
-version = "0.17.3"
+version = "0.17.10"
 edition = "2021"
 
 [dependencies]
@@ -9,6 +9,7 @@ regex = "1.10.6"
 reqwest = { version = "0.12.5", features = ["blocking", "json"] }
 serde = { version = "1.0.204", features = ["derive"] }
 serde_json = "1.0.122"
+sha256 = "1.5.0"
 
 [profile.release]
 codegen-units = 1

witch_craft/src/modules/binds/binds.rs

@@ -1,7 +1,10 @@
 use crate::modules::core::core::*;
 use crate::modules::core::structs::DataSet;
 use crate::modules::network::structs::*;
+use sha256::try_digest;
 use std::collections::HashMap;
+use std::fs;
+use std::path::Path;
 
 /// Revice --domain
 pub fn map_dns(argsv: &[String]) -> i32 {
@@ -41,7 +44,7 @@ pub fn map_dns(argsv: &[String]) -> i32 {
         flawless_exec(extra, argsv);
     }
 
-    return 0;
+    0
 }
 
 /// Need:
@@ -58,7 +61,7 @@ pub fn dos_simple_get_span(argsv: &[String]) -> i32 {
         let out = req.make();
         println!("{} - {}", out.url, out.status);
     }
-    return 0;
+    0
 }
 
 /// Need:
@@ -86,7 +89,7 @@ pub fn dos_long_auth_span(argsv: &[String]) -> i32 {
         let out = req.make();
         println!("{} - {}", out.url, out.status);
     }
-    return 0;
+    0
 }
 
 /// Compress and Decompress files
@@ -144,3 +147,91 @@ pub fn file_compact(argsv: Vec<String>) -> i32 {
     }
     lazy_exec(command)
 }
+
+pub fn malware_scanner(path: String) -> Vec<String> {
+    let malware_signatures: String = match fs::read_to_string(
+        "/home/cosmic/workspace/witch_craft/witch_craft/src/test/malware_list.txt",
+        // "/var/witch_craft/witch_spells/malware/malware.list",
+    ) {
+        Ok(value) => value,
+        Err(err) => {
+            raise(&format!("Error at {}", err), 0);
+            String::new()
+        }
+    };
+
+    let metadata = fs::metadata(&path).unwrap();
+    let mut malware_found = Vec::new();
+
+    if metadata.is_file() {
+        let file_path = Path::new(&path);
+        let file_sig = try_digest(file_path).unwrap();
+        if malware_signatures.contains(&file_sig) {
+            malware_found.push(file_sig);
+        }
+    }
+
+    if metadata.is_dir() {
+        let fs_path = Path::new(&path);
+        let files = directory_lookup(fs_path);
+        for file in files {
+            let file_sig = try_digest(&file).unwrap();
+            if malware_signatures.contains(&file_sig) {
+                malware_found.push(file);
+            }
+        }
+    }
+
+    malware_found
+}
+
+pub fn blackcat_av(argsv: &[String]) -> i32 {
+    let path = search_value("path", argsv);
+    let action = search_value("action", argsv);
+
+    let malware_result = malware_scanner(path.clone());
+
+    if malware_result.is_empty() {
+        raise("Nothing found! :: System may be clean", 6);
+        return 0;
+    }
+
+    let mut done: Vec<String> = Vec::new();
+    let mut gone: Vec<String> = Vec::new();
+
+    if action != "remove" {
+        let msg = format!(
+            "Malware found! RUN this command with --action remove ::\n {} ",
+            &path
+        );
+        raise(&msg, 6);
+        return 0;
+    }
+
+    for mal in malware_result {
+        let path = Path::new(&mal);
+        match fs::remove_file(path) {
+            Ok(_) => done.push(path.to_string_lossy().to_string()),
+            Err(err) => {
+                println!("{}", err);
+                gone.push(path.to_string_lossy().to_string())
+            }
+        }
+    }
+
+    for dn in done {
+        let msg = format!("Malware removed :: {}", dn);
+        raise(&msg, 2);
+    }
+
+    for gn in &gone {
+        let msg = format!("Malware founded but not removed :: {}", gn);
+        raise(&msg, 2);
+    }
+
+    if gone.is_empty() {
+        return 0;
+    }
+
+    255
+}

witch_craft/src/modules/core/core.rs

@@ -4,6 +4,8 @@ use crate::modules::core::structs::DataSet;
 use colored::*;
 use regex::Regex;
 use std::env;
+use std::fs;
+use std::path::Path;
 use std::process::{Command, Output};
 
 pub fn readargs() -> Vec<String> {
@@ -208,7 +210,7 @@ pub fn lazy_parser(meta_string: &str, argsv: &[String]) -> String {
             for c in aaaa {
                 if c.contains(TONK) {
                     let opt = c.replace(TONK, "");
-                    let val = search_value(&opt, &argsv);
+                    let val = search_value(&opt, argsv);
                     new = item.replace(c, &val);
                 }
             }
@@ -218,7 +220,7 @@ pub fn lazy_parser(meta_string: &str, argsv: &[String]) -> String {
 
         if item.contains(TONK) & !item.contains("http") {
             let opt = item.replace(TONK, "");
-            let val = search_value(&opt, &argsv);
+            let val = search_value(&opt, argsv);
             cmds = cmds.replace(item, &val);
         }
     }
@@ -301,3 +303,29 @@ pub fn flawless_exec(set: DataSet, argsv: &[String]) -> i32 {
     let cmd = lazy_parser(&set.meta, argsv);
     lazy_exec(cmd)
 }
+
+/// Recursively lists all files and directories within a given directory path.
+///
+/// Returns a vector of strings containing the absolute paths of all found files and directories.
+///
+/// # Example:
+/// ```rust
+/// use std::path::Path;
+///
+/// let path = Path::new(".");
+/// let paths = directory_lookup(path);
+/// println!("{:?}", paths);
+/// ```
+pub fn directory_lookup(dir: &Path) -> Vec<String> {
+    let mut files = Vec::new();
+    for entry in fs::read_dir(dir).unwrap() {
+        let path = entry.unwrap().path();
+        if path.is_dir() {
+            files.extend(directory_lookup(&path));
+        } else {
+            files.push(path.to_string_lossy().to_string());
+        }
+    }
+
+    files
+}

witch_craft/src/modules/shell/shell.rs

@@ -41,6 +41,7 @@ pub fn shell() -> i32 {
         "dos.longpw" => dos_long_auth_span(&argsv),
         "map.dns" => map_dns(&argsv),
         "file.cpdp" => map_dns(&argsv),
+        "blackcat.av" => blackcat_av(&argsv),
         _ => flawless_entry_point(&argsv),
     }
 }

witch_craft/src/test/malware_list.txt

@@ -0,0 +1,35 @@
+################################################################
+# MalwareBazaar full malware samples dump (SHA256 hashes)      #
+# Last updated: 2024-08-20 18:30:44 UTC                        #
+#                                                              #
+# Terms Of Use: https://bazaar.abuse.ch/faq/#tos               #
+# For questions please contact bazaar [at] abuse.ch            #
+################################################################
+#
+# sha256_hash
+8d31c82108ecfafc5d22165857de868594b5e6529d0709c279d297b50ad60fd5
+2a7a97fe1b769f2b74ebd66c447708f5b5beb60bad5a53d05d7f428770ba2f62
+41d16cf08c360bd64f59a76480ab0560e8d466011075453e17182940d93b6f24
+a61dc154af80d7c67638c50ca91d567ba0f872562c1b6c616e58abdda3bc3544
+fdb65b07bb55b2b7c0a7515a1a56081dad716678649c5345df5de33186ec5679
+21381b405bbb2d1ac38f1d908e0dc8a399fb2401d2ed1c1a300a2144626f9add
+88f5038ef6b234a60a7d26fe211e14ad488a99a5926dd4f5c1ea48d4ea551eab
+b920dc19a2317f619a9d7af0935eb05b07442d2ae77f1482bd883a086a9c0513
+b3e2fe43f3024cc479415e745cd9826752debe4e8b208e5e5b7cc510723b787d
+0f8eac72a742519dfb28cf96c917b4e82532ea5c6332ed9df105ed5adcd2f421
+74adc4039c75425ad6a2b19b4ab6ac460d9a21f30ae71bb71408b8f530907c9b
+b84c59b20bddf6db3f6feec223dacc4b194350eca67f393df64529394c1a52b4
+7bc7edf2f2fafaa8457fb596cbbcdedafd23544d75e739e777b73790965df6bb
+773fe822889cd0d959c1a672143ca552cc18406ee4c7e2f16c25b3c672d0ed8f
+fbe42f49f702bf951e4c1f4ec953db5a142481790d93190087927382d91723a0
+f961dd0541b927a01e09a97c8d371716e8d8ab35b3d7293dbcd9e93ee335b114
+24307f7e934f287415e74aa439167fa9ea677676da94deee14e42d1816312934
+790efbfa7e44ecb1f724e6babb44429c6dbb1c0e46297e7252eb6bb4d56f9c35
+1528e4f9efb7c5d50510d8c9343e793920554df874b88306758c55e420d57dbe
+f346a3c9f8d6ad626f820f1d009ca3059e9fac6f260aa63a861fdb247f7b6526
+ecba82efb819da9c18bcfd877077ef1a6500525dd7de736b3939ef337cb948a1
+343392269e2048b507fb005e66cb97ee698a13f9a1990bddcb5f6ce4ed26f8e8
+78bc22e7ab1e73308787b284f3342510c75547cb854dec4da5ba5d523979a33c
+9f68e60790c6413be7ef8776ce90b064e67cf80505126de8af9de94ec50ad70a
+d89149126795ce5c323a155792b51d7c08c2dda36be28f559dfbdab43a4e538d
+test/malware_list.txt

witch_spells/dataset/db.json

@@ -373,7 +373,7 @@
     {
       "name": "self.setup",
       "description": "Setup and install witch_craft",
-      "command": "sudo mkdir /var/backup && sudo chown $USER:$USER -R /var/backup/ && sudo apt install nmap whois dirb dnsenum libc-bin iproute2 xxd iptables coreutils wget curl dnsutils traceroute openssl openssh-server xattr libimage-exiftool-perl tor foremost"
+      "command": "sudo apt install nmap whois dirb dnsenum libc-bin iproute2 xxd iptables coreutils wget curl dnsutils traceroute openssl openssh-server xattr libimage-exiftool-perl tor foremost doas -y"
     }
   ]
 }