"""Malware analysis and reverse engineering scenarios - safe malware research environments."""
from .base import BaseScenarioBuilder
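class MalwareREScenarioBuilder(BaseScenarioBuilder):
    """Builder for malware analysis and reverse engineering scenarios.

    Each ``build_*`` method registers VMs (and, for the advanced lab, network
    rules) through ``add_vm`` / ``add_network_rule`` inherited from
    ``BaseScenarioBuilder`` and returns ``self`` so calls can be chained.

    NOTE(review): several Windows hostnames below are ``f"{range_id}-<suffix>"``
    with suffixes of up to 15 characters (e.g. ``-ANALYSIS-WIN11``), which
    exceeds the 15-character Windows hostname limit that the lite lab
    explicitly shortens ``-MALWIN`` to avoid. Unless the base builder truncates
    hostnames, confirm these names are accepted before relying on them.
    """

    # Chocolatey packages shared by every Windows analysis workstation, in the
    # order the per-lab lists used; the larger labs append extra tools.
    _WINDOWS_ANALYSIS_TOOLS: tuple[str, ...] = (
        "ida-free",
        "x64dbg.portable",
        "dnspy",
        "pestudio",
        "wireshark",
        "processhacker",
        "regshot",
        "7zip",
    )

    @staticmethod
    def _windows_tooling(packages: list[str]) -> dict[str, object]:
        """Return the ``windows=`` provisioning dict for a Chocolatey tool set.

        Args:
            packages: Chocolatey package ids to install on the VM.

        Returns:
            The dict that ``add_vm(windows=...)`` expects.

        NOTE(review): ``chocolatey_ignore_checksums`` turns off package checksum
        verification during provisioning, so a tampered or stale mirror package
        would install silently. It is kept because every original Windows VM set
        it; treat it as a supply-chain risk of the provisioning step and prefer
        pinned, checksum-verified packages where the templates allow it.
        """
        return {
            "chocolatey_packages": packages,
            "chocolatey_ignore_checksums": True,
        }

    def build_malware_re_lab_lite(self) -> "MalwareREScenarioBuilder":
        """Build lite malware analysis lab - Basic malware analysis setup.

        Realistic scenario: Basic malware analysis environment
        - Windows analysis workstation with tools
        - Linux analysis workstation
        - Isolated network for safe analysis
        - Basic reversing and behavioral analysis

        Malware analysis activities:
        - Static analysis (PE parsing, strings, etc.)
        - Basic dynamic analysis
        - Debugger usage (x64dbg, IDA)
        - Network traffic analysis
        - File system monitoring
        - Registry monitoring

        Resource requirements (sum of the VM allocations below): 20GB RAM, 10 CPUs

        Returns:
            ``self``, for chaining.
        """
        range_id = self.range_id

        # Windows Analysis Workstation
        self.add_vm(
            vm_name=f"{range_id}-malware-analysis-win11",
            hostname=f"{range_id}-MALWIN",  # Shortened to avoid Windows 15-char limit
            template="win11-22h2-x64-enterprise-template",
            vlan=90,
            ip_last_octet=10,
            ram_gb=8,
            cpus=4,
            windows=self._windows_tooling(list(self._WINDOWS_ANALYSIS_TOOLS)),
        )

        # Linux Analysis Workstation (REMnux-style)
        self.add_vm(
            vm_name=f"{range_id}-malware-analysis-ubuntu22",
            hostname=f"{range_id}-MALWARE-LINUX",
            template="ubuntu-22.04-x64-server-template",  # Use server template instead of desktop
            vlan=90,
            ip_last_octet=11,
            ram_gb=8,
            cpus=4,
            linux=True,
        )

        # Fake internet server (for malware C2 simulation)
        self.add_vm(
            vm_name=f"{range_id}-fake-internet-ubuntu22",
            hostname=f"{range_id}-FAKE-INET",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=50,
            ram_gb=4,
            cpus=2,
            linux=True,
        )

        # No network rules are added here: the lab is meant to be isolated with
        # no external access. NOTE(review): that isolation rests on the base
        # builder's default policy for VLAN 90, which is not visible in this
        # file — confirm the default is deny before detonating samples.
        return self

    def build_malware_re_lab_intermediate(self) -> "MalwareREScenarioBuilder":
        """Build intermediate malware analysis lab - Advanced analysis with sandbox.

        Realistic scenario: Professional malware analysis lab
        - Multiple Windows targets (Win 10, 11)
        - Linux analysis platforms
        - Automated sandbox environment
        - Network traffic capture and analysis
        - Victim simulation systems

        Malware analysis activities:
        - Advanced static analysis
        - Automated dynamic analysis
        - Sandbox analysis (Cuckoo-style)
        - API monitoring
        - Kernel debugging
        - Memory forensics
        - Unpacking and deobfuscation
        - Behavioral pattern analysis
        - IOC extraction

        Resource requirements (sum of the VM allocations below): 56GB RAM, 22 CPUs

        Returns:
            ``self``, for chaining.
        """
        range_id = self.range_id

        # Primary Windows Analysis Workstation
        self.add_vm(
            vm_name=f"{range_id}-analysis-primary-win11",
            hostname=f"{range_id}-ANALYSIS-WIN11",
            template="win11-22h2-x64-enterprise-template",
            vlan=90,
            ip_last_octet=10,
            ram_gb=12,
            cpus=4,
            windows=self._windows_tooling([*self._WINDOWS_ANALYSIS_TOOLS, "ghidra"]),
        )

        # Windows 10 Analysis Target
        self.add_vm(
            vm_name=f"{range_id}-analysis-win10",
            hostname=f"{range_id}-ANALYSIS-WIN10",
            template="win10-21h2-x64-enterprise-template",
            vlan=90,
            ip_last_octet=11,
            ram_gb=8,
            cpus=4,
            windows=self._windows_tooling(["processhacker", "wireshark"]),
        )

        # Linux Analysis Platform (REMnux)
        self.add_vm(
            vm_name=f"{range_id}-remnux-ubuntu22",
            hostname=f"{range_id}-REMNUX",
            template="ubuntu-22-x64-desktop-template",
            vlan=90,
            ip_last_octet=20,
            ram_gb=12,
            cpus=4,
            linux=True,
        )

        # Sandbox Controller (Cuckoo-style)
        self.add_vm(
            vm_name=f"{range_id}-sandbox-ubuntu22",
            hostname=f"{range_id}-SANDBOX",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=30,
            ram_gb=8,
            cpus=4,
            linux=True,
        )

        # Network Analysis / Packet Capture
        self.add_vm(
            vm_name=f"{range_id}-netmon-ubuntu22",
            hostname=f"{range_id}-NETMON",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=40,
            ram_gb=6,
            cpus=2,
            linux=True,
        )

        # Fake C2 / Internet Simulation
        self.add_vm(
            vm_name=f"{range_id}-fakenet-ubuntu22",
            hostname=f"{range_id}-FAKENET",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=50,
            ram_gb=6,
            cpus=2,
            linux=True,
        )

        # Victim Simulation (simulates typical user machine).
        # NOTE(review): the victim shares VLAN 90 with the analysis workstations,
        # so anything detonated here has a direct path to the analyst hosts; the
        # advanced lab separates these roles onto VLANs 90/91/92.
        self.add_vm(
            vm_name=f"{range_id}-victim-win11",
            hostname=f"{range_id}-VICTIM-01",
            template="win11-22h2-x64-enterprise-template",
            vlan=90,
            ip_last_octet=60,
            ram_gb=4,
            cpus=2,
            windows=self._windows_tooling(["googlechrome", "adobereader"]),
        )

        # Internal network only - isolated from internet (no rules added; see the
        # isolation note in build_malware_re_lab_lite about the VLAN default).
        return self

    def build_malware_re_lab_advanced(self) -> "MalwareREScenarioBuilder":
        """Build advanced malware analysis lab - Enterprise malware research facility.

        Realistic scenario: Enterprise malware research laboratory
        - Multiple OS platforms (Windows 7/10/11, Linux; no macOS VM is provisioned here)
        - Advanced sandbox infrastructure
        - YARA rule development environment
        - Threat intelligence integration
        - Automated analysis pipeline
        - Memory forensics lab
        - Kernel debugging stations

        Malware analysis activities:
        - Advanced reverse engineering
        - Exploit analysis and development
        - Rootkit analysis
        - Firmware analysis
        - Mobile malware analysis
        - Advanced persistent threat (APT) analysis
        - Custom unpacking and deobfuscation
        - YARA rule development
        - Automated malware triage
        - Threat intelligence correlation
        - Memory forensics and analysis
        - Kernel-mode debugging
        - Code similarity analysis
        - Malware family classification

        Network layout:
        - VLAN 90: analysis infrastructure
        - VLAN 91: sandbox controller and detonation guests
        - VLAN 92: fake internet / C2 simulation

        Resource requirements (sum of the VM allocations below): 120GB RAM, 46 CPUs

        Returns:
            ``self``, for chaining.
        """
        range_id = self.range_id

        # Analysis Infrastructure Network (VLAN 90)

        # Primary Windows 11 Analysis Station
        self.add_vm(
            vm_name=f"{range_id}-analysis-win11-primary",
            hostname=f"{range_id}-WIN11-ANALYSIS",
            template="win11-22h2-x64-enterprise-template",
            vlan=90,
            ip_last_octet=10,
            ram_gb=16,
            cpus=6,
            windows=self._windows_tooling(
                [*self._WINDOWS_ANALYSIS_TOOLS, "ghidra", "volatility"]
            ),
        )

        # Windows 10 Analysis Station
        self.add_vm(
            vm_name=f"{range_id}-analysis-win10",
            hostname=f"{range_id}-WIN10-ANALYSIS",
            template="win10-21h2-x64-enterprise-template",
            vlan=90,
            ip_last_octet=11,
            ram_gb=12,
            cpus=4,
            windows=self._windows_tooling(
                ["x64dbg.portable", "processhacker", "wireshark", "ghidra"]
            ),
        )

        # Windows 7 Analysis Station (legacy malware)
        self.add_vm(
            vm_name=f"{range_id}-analysis-win7",
            hostname=f"{range_id}-WIN7-ANALYSIS",
            template="win7-x64-enterprise-template",
            vlan=90,
            ip_last_octet=12,
            ram_gb=8,
            cpus=4,
            windows=self._windows_tooling(["x64dbg.portable", "wireshark"]),
        )

        # REMnux Advanced Analysis Platform
        self.add_vm(
            vm_name=f"{range_id}-remnux-advanced",
            hostname=f"{range_id}-REMNUX-ADV",
            template="ubuntu-22-x64-desktop-template",
            vlan=90,
            ip_last_octet=20,
            ram_gb=16,
            cpus=6,
            linux=True,
        )

        # Malware Analysis Automation Server
        self.add_vm(
            vm_name=f"{range_id}-automation-ubuntu22",
            hostname=f"{range_id}-AUTO-ANALYSIS",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=25,
            ram_gb=12,
            cpus=4,
            linux=True,
        )

        # Sandbox Infrastructure Network (VLAN 91)

        # Sandbox Controller
        self.add_vm(
            vm_name=f"{range_id}-sandbox-controller",
            hostname=f"{range_id}-SANDBOX-CTRL",
            template="ubuntu-22.04-x64-server-template",
            vlan=91,
            ip_last_octet=10,
            ram_gb=12,
            cpus=4,
            linux=True,
        )

        # Sandbox Guests (multiple OS versions): (name, template, ip, ram_gb, cpus).
        # These are detonation targets, so no analysis tooling is provisioned.
        sandbox_vms = [
            ("win11", "win11-22h2-x64-enterprise-template", 20, 6, 2),
            ("win10", "win10-21h2-x64-enterprise-template", 21, 6, 2),
            ("win7", "win7-x64-enterprise-template", 22, 4, 2),
        ]
        for name, template, ip, ram, cpu in sandbox_vms:
            self.add_vm(
                vm_name=f"{range_id}-sandbox-{name}",
                hostname=f"{range_id}-SB-{name.upper()}",
                template=template,
                vlan=91,
                ip_last_octet=ip,
                ram_gb=ram,
                cpus=cpu,
            )

        # Network Monitoring and Traffic Analysis
        self.add_vm(
            vm_name=f"{range_id}-netmon-advanced",
            hostname=f"{range_id}-NETMON-ADV",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=40,
            ram_gb=8,
            cpus=4,
            linux=True,
        )

        # YARA Development Server
        self.add_vm(
            vm_name=f"{range_id}-yara-dev",
            hostname=f"{range_id}-YARA-DEV",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=45,
            ram_gb=6,
            cpus=2,
            linux=True,
        )

        # Threat Intelligence Platform
        self.add_vm(
            vm_name=f"{range_id}-threat-intel",
            hostname=f"{range_id}-THREAT-INTEL",
            template="ubuntu-22.04-x64-server-template",
            vlan=90,
            ip_last_octet=50,
            ram_gb=8,
            cpus=4,
            linux=True,
        )

        # Fake Internet / C2 Simulation
        self.add_vm(
            vm_name=f"{range_id}-fakenet-advanced",
            hostname=f"{range_id}-FAKENET-ADV",
            template="ubuntu-22.04-x64-server-template",
            vlan=92,
            ip_last_octet=10,
            ram_gb=6,
            cpus=2,
            linux=True,
        )

        # Network Rules

        # Analysis network can reach sandbox network
        self.add_network_rule(
            "Allow analysis to sandbox",
            vlan_src=90,
            vlan_dst=91,
            protocol="all",
            ports="all",
            action="ACCEPT",
        )

        # Sandbox can reach fake internet
        self.add_network_rule(
            "Allow sandbox to fake internet",
            vlan_src=91,
            vlan_dst=92,
            protocol="all",
            ports="all",
            action="ACCEPT",
        )

        # Analysis can monitor fake internet
        self.add_network_rule(
            "Allow analysis to fake internet",
            vlan_src=90,
            vlan_dst=92,
            protocol="all",
            ports="all",
            action="ACCEPT",
        )

        # Sandbox to analysis (for result reporting).
        # NOTE(review): this accepts every TCP port from the detonation VLAN into
        # the analysis VLAN, so a sample that escapes its guest can reach the
        # analyst workstations and the automation/threat-intel servers. Once the
        # result-reporting port(s) are known, narrow ``ports`` to them and, if the
        # rule API allows, restrict the destination to the collector host.
        self.add_network_rule(
            "Allow sandbox to analysis",
            vlan_src=91,
            vlan_dst=90,
            protocol="tcp",
            ports="all",  # Use "all" for multiple ports
            action="ACCEPT",
        )

        return self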