Add Ehwrj clean-room live map
Some checks failed
build / build-test-publish (push) Has been cancelled
207
README.md
@@ -1,3 +1,206 @@
# ehwrj
# Ehwrj

썬평ㅋㅋ
Ehwrj is a clean-room War Thunder live map companion for Windows.

It reads War Thunder's local map service at `http://127.0.0.1:8111`, renders a desktop map view, and can show a click-through always-on-top overlay. The code is newly written and intentionally excludes the malicious behavior found in the analyzed sample.

## Analyzed Malware File

This repository does not contain the original malicious sample. The notes below summarize the static analysis used to separate the benign WT Live Map behavior from the malicious loader/clipper behavior.

Analysis date: 2026-06-02
Analysis method: static analysis only; the sample was not executed.

| File | SHA-256 | Assessment |
| --- | --- | --- |
| `WTLiveMap.exe` | `4dbbc21d9c2ed70dde046a2f737ee4173da807d43d5b3a6acfe447864ed6d643` | Native x64 Win32/C++ executable containing RCDATA 101 and 102. |
| `WTLiveMap.zip` | `429e07a27e7896f75a901a1df3cd6560b43de33986920f1f22013ef155541b4c` | ZIP package containing the same suspicious executable. |
| `resource_101.bin` | `00732b0bbc1740ebe88745424c88ab840b381475837e5e02e937a29e66df3909` | Benign WT Live Map UI/WebView-style resource. |
| `resource_102.bin` | `03547c81562a065bcb08defa638866c8c1c79343d78b8df7a8a7e0cb827242d7` | Resource-less loader/clipper variant with the same malicious capability class as the outer EXE. |

Key findings:

- RCDATA 101 matches the non-virus WT Live Map behavior: it references `Warthunder LiveMap`, `map_info.json`, `map_obj.json`, `map.img`, `aces.exe`, WebView messaging, and loopback access to `127.0.0.1:8111`.
- RCDATA 102 is not byte-identical to the outer `WTLiveMap.exe`, but it shares the suspicious import profile, hidden string structure, Windows Update disguise strings, clipboard API strings, and cryptocurrency address replacement logic.
- The malicious path monitors clipboard text and replaces BTC, ETH, SOL, TRX, XRP, DOGE, LTC, and BCH wallet addresses with attacker-controlled addresses.
- Persistence is disguised as Windows Update. The analyzed code builds paths similar to `%TEMP%\WindowsUpdateModule\SystemUpdateService.exe` and creates a startup shortcut named `WindowsSystemUpdate.lnk`.
- `SHGetSpecialFolderPathW(CSIDL_STARTUP)`, Shell Link COM use, `Global\WinSysUpdateMutexV11`, and resource update APIs were observed in the malicious loader path.
- A ZIP repackaging path uses hidden PowerShell command construction, extracts a ZIP, locates an inner EXE, reinvokes itself with `--merge-env`, injects RCDATA 101/102, and recreates the ZIP.
- No external C2 server, IP, domain, or upload path was confirmed in static analysis. The confirmed monetization path is clipboard-based cryptocurrency address replacement.

## What It Implements

- Local War Thunder API polling:
- `/map_info.json`
- `/map_obj.json`
- `/map.img`
- Optional local telemetry/message polling when available:
- `/state`
- `/hudmsg`
- `/gamechat`
- Main map preview with aircraft/object markers
- Transparent click-through overlay
- Configurable overlay size, position, zoom, minimap, Mach labels, and spot radar
- Overlay controls for aircraft scale, minimum Mach filters, radar spread, vertical scale/offset, arrow size, opacity, label colors, font sizes, distance, Mach, and closure speed labels
- English/Korean UI language selection
- Settings persisted under `%LOCALAPPDATA%\Ehwrj\settings.json`
- Windows build from Linux using .NET 8 and Avalonia targeting `win-x64`

## Explicitly Not Implemented

The analyzed binary contained malicious behavior. Ehwrj does not implement:

- Clipboard monitoring or cryptocurrency address replacement
- Windows Update disguise or startup persistence
- ZIP/EXE infection or resource injection
- Hidden mutex-based malware lifecycle control
- Any external C2, exfiltration, or remote upload path

## Build

From Ubuntu:

```bash
cd ehwrj
scripts/bootstrap-ubuntu.sh
```

The bootstrap script installs missing Ubuntu packages for .NET 8 and the safety scanner, then runs restore, build, tests, the safety scan, tool smoke checks, and Windows x64 publish.

If the dependencies are already installed:

```bash
dotnet restore ehwrj/Ehwrj.sln
dotnet build ehwrj/Ehwrj.sln -c Release
dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release
dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \
-p:PublishSingleFile=true
```

Or from inside the `ehwrj` folder:

```bash
scripts/publish-win-x64.sh
```

The output EXE will be under:

```text
ehwrj/src/Ehwrj.App/bin/Release/net8.0/win-x64/publish/
```

The portable release ZIP is written to:

```text
ehwrj/artifacts/ehwrj-win-x64.zip
```

## Runtime

Run War Thunder first, then start Ehwrj on Windows. The app expects the game to expose the local map API on `127.0.0.1:8111`.

The current coordinate and speed estimates are intentionally conservative because War Thunder's local API shape can vary by mode and vehicle. Use real `map_info.json` and `map_obj.json` captures to tune projection and spot radar math for a specific game mode.

## Local API Stub

For UI development without War Thunder, run the deterministic local API stub:

```bash
cd ehwrj
scripts/run-local-api-stub.sh
```

It serves:

- `http://127.0.0.1:8111/map_info.json`
- `http://127.0.0.1:8111/map_obj.json`
- `http://127.0.0.1:8111/map.img`
- `http://127.0.0.1:8111/state`
- `http://127.0.0.1:8111/hudmsg`
- `http://127.0.0.1:8111/gamechat`

Use another port for endpoint testing:

```bash
scripts/run-local-api-stub.sh 18111
```

## Capturing Real Local API Data

When War Thunder is running on Windows, capture the local API into a fixture directory:

```bash
cd ehwrj
scripts/capture-local-api.sh captures/my-session
```

The capture tool saves:

- `map_info.json`
- `map_obj.json`
- `map.img`
- `state.json` when `/state` is available
- `hudmsg.json` when `/hudmsg` is available
- `gamechat.json` when `/gamechat` is available
- `capture-report.txt` with parser coverage, raw object field frequency, unknown object samples, replay readiness, and tuning warnings

Validate an existing capture:

```bash
scripts/validate-capture.sh captures/my-session
```

Use the report to tune real game-mode support. The most useful sections are `Object field coverage`, `Unknown object samples`, and `State field names`; they show which raw War Thunder fields are present and where object classification or telemetry parsing needs adjustment.

Replay a capture through the local API stub:

```bash
scripts/run-local-api-stub.sh 8111 captures/my-session
```

## New Code Structure

```text
Directory.Build.props
shared compiler, analyzer, and Windows-targeting settings
docs/
architecture and feature parity notes
scripts/
Ubuntu bootstrap, safety scan, capture, publish, and packaging helpers
src/Ehwrj.App/
Avalonia desktop UI and overlay host
src/Ehwrj.App/Models/
UI settings, localization text, endpoint health, and render snapshots
src/Ehwrj.App/Services/
polling adapter and settings store
src/Ehwrj.App/Rendering/
main map and overlay drawing surfaces
src/Ehwrj.App/ViewModels/
app state and UI commands
src/Ehwrj.App/Infrastructure/
minimal Win32 interop for click-through overlay styles
src/Ehwrj.Core/
loopback API parsing, map models, telemetry models, tracking, and projection logic
src/Ehwrj.Core/Models/
War Thunder map object, map info, flight state, battle message, and motion tracker types
src/Ehwrj.Core/Services/
local WT API client, process probe, loopback guard, and capture fixture analyzer
src/Ehwrj.Core/Geometry/
viewport, projected point, and coordinate projection math
tools/Ehwrj.Tools.LocalApiStub/
deterministic local map API server and capture replay helper
tools/Ehwrj.Tools.Capture/
local API fixture capture and validation tool
tests/Ehwrj.Tests/
lightweight parser, projection, localization, settings, and safety checks
artifacts/ehwrj-win-x64/
committed portable Windows x64 build output, including Ehwrj.exe and checksums
```

## CI

The repository includes a GitHub Actions workflow that restores, checks formatting, builds with warnings as errors, runs the lightweight tests, publishes a Windows x64 artifact, and uploads it as `ehwrj-win-x64`.

## Feature Parity

See [docs/feature-matrix.md](docs/feature-matrix.md) for the benign WT Live Map feature parity status and remaining data gaps.

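Review bot: the New Code Structure entry `artifacts/ehwrj-win-x64/` documents a "committed portable Windows x64 build output, including Ehwrj.exe and checksums", which works against the clean-room claim the README opens with: a prebuilt EXE checked into the tree cannot be tied to a reviewed source revision the way the CI-produced `ehwrj-win-x64` artifact can, and checksums committed beside the binary are only as trustworthy as the commit that carries them, which is exactly the trust gap the analyzed `WTLiveMap.exe` exploited. Suggest dropping the committed binary and checksum files, keeping the workflow artifact as the only distributed build, and adding a sentence to the Build section on how a user verifies a downloaded `ehwrj-win-x64.zip` against a checksum published by the workflow run. Smaller documentation point: the Runtime section says the app expects the API on `127.0.0.1:8111` and the structure lists a `loopback guard` under `src/Ehwrj.Core/Services/`, but nothing states what the guard enforces; since settings are persisted in `%LOCALAPPDATA%\Ehwrj\settings.json`, say explicitly whether a non-loopback base URL is refused so readers know polling cannot be redirected off-host by a settings edit.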