diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b03fe62..085826e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs: -c Release -r win-x64 --self-contained true - -p:PublishSingleFile=true + -p:PublishSingleFile=false -p:PublishDir=artifacts/win-x64/ - name: Package Windows x64
diff --git a/.gitignore b/.gitignore
index cc6eac2..245a3bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,5 +9,3 @@ publish/
 captures/
 artifacts/*
 !artifacts/ehwrj-win-x64.zip
-!artifacts/ehwrj-win-x64/
-!artifacts/ehwrj-win-x64/**
diff --git a/README.md b/README.md
index e75a110..54087ca 100644
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ dotnet restore ehwrj/Ehwrj.sln dotnet build ehwrj/Ehwrj.sln -c Release dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \ - -p:PublishSingleFile=true + -p:PublishSingleFile=false ``` Or from inside the `ehwrj` folder:
diff --git a/artifacts/ehwrj-win-x64.zip b/artifacts/ehwrj-win-x64.zip
index 63408d4..92642dc 100644
Binary files a/artifacts/ehwrj-win-x64.zip and b/artifacts/ehwrj-win-x64.zip differ
diff --git a/artifacts/ehwrj-win-x64/Ehwrj.exe b/artifacts/ehwrj-win-x64/Ehwrj.exe
deleted file mode 100755
index a27efac..0000000
Binary files a/artifacts/ehwrj-win-x64/Ehwrj.exe and /dev/null differ
diff --git a/artifacts/ehwrj-win-x64/LICENSE b/artifacts/ehwrj-win-x64/LICENSE
deleted file mode 100644
index 08f2ed7..0000000
--- a/artifacts/ehwrj-win-x64/LICENSE
+++ /dev/null
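Review bot: The `-p:PublishSingleFile=false` flag is now hard-coded identically here, in README.md and in scripts/publish-win-x64.sh (last hunk of this commit), so the three command lines can drift the next time the publish shape changes. Setting `<PublishSingleFile>false</PublishSingleFile>` once in Ehwrj.App.csproj and dropping the flag from the command lines would keep CI, the script and the documented command in agreement. A short comment on the step recording why single-file publishing was abandoned would also help, since the commit does not say. The publish step's `run` block starts before this hunk.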
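Review bot: The new rule set still carries `!artifacts/ehwrj-win-x64.zip`, so a prebuilt binary archive stays tracked in git, and this same commit replaces its contents as an opaque binary change that a reviewer can neither diff nor reproduce from the sources. Consider ignoring `artifacts/` entirely and distributing the ZIP only through the `ehwrj-win-x64` artifact that build.yml uploads, or a tagged release built from it. If the archive must remain committed, commit the `SHA256SUMS.txt` that scripts/package-win-x64.sh generates next to it at the repository level, so the tracked ZIP can be checked against a fresh rebuild.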
@@ -1,22 +0,0 @@ -MIT License - -Copyright (c) 2026 Ehwrj contributors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. -
diff --git a/artifacts/ehwrj-win-x64/README.md b/artifacts/ehwrj-win-x64/README.md
deleted file mode 100644
index e75a110..0000000
--- a/artifacts/ehwrj-win-x64/README.md
+++ /dev/null
@@ -1,206 +0,0 @@ -# Ehwrj - -Ehwrj is a clean-room War Thunder live map companion for Windows. - -It reads War Thunder's local map service at `http://127.0.0.1:8111`, renders a desktop map view, and can show a click-through always-on-top overlay. The code is newly written and intentionally excludes the malicious behavior found in the analyzed sample. - -## Analyzed Malware File - -This repository does not contain the original malicious sample. The notes below summarize the static analysis used to separate the benign WT Live Map behavior from the malicious loader/clipper behavior. - -Analysis date: 2026-06-02 -Analysis method: static analysis only; the sample was not executed. - -| File | SHA-256 | Assessment | -| --- | --- | --- | -| `WTLiveMap.exe` | `4dbbc21d9c2ed70dde046a2f737ee4173da807d43d5b3a6acfe447864ed6d643` | Native x64 Win32/C++ executable containing RCDATA 101 and 102. | -| `WTLiveMap.zip` | `429e07a27e7896f75a901a1df3cd6560b43de33986920f1f22013ef155541b4c` | ZIP package containing the same suspicious executable. | -| `resource_101.bin` | `00732b0bbc1740ebe88745424c88ab840b381475837e5e02e937a29e66df3909` | Benign WT Live Map UI/WebView-style resource. | -| `resource_102.bin` | `03547c81562a065bcb08defa638866c8c1c79343d78b8df7a8a7e0cb827242d7` | Resource-less loader/clipper variant with the same malicious capability class as the outer EXE. | - -Key findings: - -- RCDATA 101 matches the non-virus WT Live Map behavior: it references `Warthunder LiveMap`, `map_info.json`, `map_obj.json`, `map.img`, `aces.exe`, WebView messaging, and loopback access to `127.0.0.1:8111`. -- RCDATA 102 is not byte-identical to the outer `WTLiveMap.exe`, but it shares the suspicious import profile, hidden string structure, Windows Update disguise strings, clipboard API strings, and cryptocurrency address replacement logic. -- The malicious path monitors clipboard text and replaces BTC, ETH, SOL, TRX, XRP, DOGE, LTC, and BCH wallet addresses with attacker-controlled addresses. 
-- Persistence is disguised as Windows Update. The analyzed code builds paths similar to `%TEMP%\WindowsUpdateModule\SystemUpdateService.exe` and creates a startup shortcut named `WindowsSystemUpdate.lnk`. -- `SHGetSpecialFolderPathW(CSIDL_STARTUP)`, Shell Link COM use, `Global\WinSysUpdateMutexV11`, and resource update APIs were observed in the malicious loader path. -- A ZIP repackaging path uses hidden PowerShell command construction, extracts a ZIP, locates an inner EXE, reinvokes itself with `--merge-env`, injects RCDATA 101/102, and recreates the ZIP. -- No external C2 server, IP, domain, or upload path was confirmed in static analysis. The confirmed monetization path is clipboard-based cryptocurrency address replacement. - -## What It Implements - -- Local War Thunder API polling: - - `/map_info.json` - - `/map_obj.json` - - `/map.img` -- Optional local telemetry/message polling when available: - - `/state` - - `/hudmsg` - - `/gamechat` -- Main map preview with aircraft/object markers -- Transparent click-through overlay -- Configurable overlay size, position, zoom, minimap, Mach labels, and spot radar -- Overlay controls for aircraft scale, minimum Mach filters, radar spread, vertical scale/offset, arrow size, opacity, label colors, font sizes, distance, Mach, and closure speed labels -- English/Korean UI language selection -- Settings persisted under `%LOCALAPPDATA%\Ehwrj\settings.json` -- Windows build from Linux using .NET 8 and Avalonia targeting `win-x64` - -## Explicitly Not Implemented - -The analyzed binary contained malicious behavior. 
Ehwrj does not implement: - -- Clipboard monitoring or cryptocurrency address replacement -- Windows Update disguise or startup persistence -- ZIP/EXE infection or resource injection -- Hidden mutex-based malware lifecycle control -- Any external C2, exfiltration, or remote upload path - -## Build - -From Ubuntu: - -```bash -cd ehwrj -scripts/bootstrap-ubuntu.sh -``` - -The bootstrap script installs missing Ubuntu packages for .NET 8 and the safety scanner, then runs restore, build, tests, the safety scan, tool smoke checks, and Windows x64 publish. - -If the dependencies are already installed: - -```bash -dotnet restore ehwrj/Ehwrj.sln -dotnet build ehwrj/Ehwrj.sln -c Release -dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release -dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \ - -p:PublishSingleFile=true -``` - -Or from inside the `ehwrj` folder: - -```bash -scripts/publish-win-x64.sh -``` - -The output EXE will be under: - -```text -ehwrj/src/Ehwrj.App/bin/Release/net8.0/win-x64/publish/ -``` - -The portable release ZIP is written to: - -```text -ehwrj/artifacts/ehwrj-win-x64.zip -``` - -## Runtime - -Run War Thunder first, then start Ehwrj on Windows. The app expects the game to expose the local map API on `127.0.0.1:8111`. - -The current coordinate and speed estimates are intentionally conservative because War Thunder's local API shape can vary by mode and vehicle. Use real `map_info.json` and `map_obj.json` captures to tune projection and spot radar math for a specific game mode. 
- -## Local API Stub - -For UI development without War Thunder, run the deterministic local API stub: - -```bash -cd ehwrj -scripts/run-local-api-stub.sh -``` - -It serves: - -- `http://127.0.0.1:8111/map_info.json` -- `http://127.0.0.1:8111/map_obj.json` -- `http://127.0.0.1:8111/map.img` -- `http://127.0.0.1:8111/state` -- `http://127.0.0.1:8111/hudmsg` -- `http://127.0.0.1:8111/gamechat` - -Use another port for endpoint testing: - -```bash -scripts/run-local-api-stub.sh 18111 -``` - -## Capturing Real Local API Data - -When War Thunder is running on Windows, capture the local API into a fixture directory: - -```bash -cd ehwrj -scripts/capture-local-api.sh captures/my-session -``` - -The capture tool saves: - -- `map_info.json` -- `map_obj.json` -- `map.img` -- `state.json` when `/state` is available -- `hudmsg.json` when `/hudmsg` is available -- `gamechat.json` when `/gamechat` is available -- `capture-report.txt` with parser coverage, raw object field frequency, unknown object samples, replay readiness, and tuning warnings - -Validate an existing capture: - -```bash -scripts/validate-capture.sh captures/my-session -``` - -Use the report to tune real game-mode support. The most useful sections are `Object field coverage`, `Unknown object samples`, and `State field names`; they show which raw War Thunder fields are present and where object classification or telemetry parsing needs adjustment. 
- -Replay a capture through the local API stub: - -```bash -scripts/run-local-api-stub.sh 8111 captures/my-session -``` - -## New Code Structure - -```text -Directory.Build.props - shared compiler, analyzer, and Windows-targeting settings -docs/ - architecture and feature parity notes -scripts/ - Ubuntu bootstrap, safety scan, capture, publish, and packaging helpers -src/Ehwrj.App/ - Avalonia desktop UI and overlay host -src/Ehwrj.App/Models/ - UI settings, localization text, endpoint health, and render snapshots -src/Ehwrj.App/Services/ - polling adapter and settings store -src/Ehwrj.App/Rendering/ - main map and overlay drawing surfaces -src/Ehwrj.App/ViewModels/ - app state and UI commands -src/Ehwrj.App/Infrastructure/ - minimal Win32 interop for click-through overlay styles -src/Ehwrj.Core/ - loopback API parsing, map models, telemetry models, tracking, and projection logic -src/Ehwrj.Core/Models/ - War Thunder map object, map info, flight state, battle message, and motion tracker types -src/Ehwrj.Core/Services/ - local WT API client, process probe, loopback guard, and capture fixture analyzer -src/Ehwrj.Core/Geometry/ - viewport, projected point, and coordinate projection math -tools/Ehwrj.Tools.LocalApiStub/ - deterministic local map API server and capture replay helper -tools/Ehwrj.Tools.Capture/ - local API fixture capture and validation tool -tests/Ehwrj.Tests/ - lightweight parser, projection, localization, settings, and safety checks -artifacts/ehwrj-win-x64/ - committed portable Windows x64 build output, including Ehwrj.exe and checksums -``` - -## CI - -The repository includes a GitHub Actions workflow that restores, checks formatting, builds with warnings as errors, runs the lightweight tests, publishes a Windows x64 artifact, and uploads it as `ehwrj-win-x64`. - -## Feature Parity - -See [docs/feature-matrix.md](docs/feature-matrix.md) for the benign WT Live Map feature parity status and remaining data gaps. 
diff --git a/artifacts/ehwrj-win-x64/RUNNING.txt b/artifacts/ehwrj-win-x64/RUNNING.txt
deleted file mode 100644
index 5a3a3f3..0000000
--- a/artifacts/ehwrj-win-x64/RUNNING.txt
+++ /dev/null
@@ -1,13 +0,0 @@ -Ehwrj portable Windows x64 build - -1. Start War Thunder. -2. Confirm the local map is available at http://127.0.0.1:8111/map_info.json. -3. Run Ehwrj.exe. -4. Use "Show overlay" in the left panel to enable the click-through overlay. - -Network scope: -- Ehwrj only reads the loopback War Thunder local API. -- It does not contact external hosts. - -Settings: -- Saved under %LOCALAPPDATA%\Ehwrj\settings.json.
diff --git a/artifacts/ehwrj-win-x64/SECURITY.md b/artifacts/ehwrj-win-x64/SECURITY.md
deleted file mode 100644
index 3af5748..0000000
--- a/artifacts/ehwrj-win-x64/SECURITY.md
+++ /dev/null
@@ -1,23 +0,0 @@ -# Security Scope - -Ehwrj is a clean-room replacement for the benign War Thunder live map behavior observed in the analyzed sample. - -Allowed behavior: - -- Connect to `127.0.0.1:8111` only -- Read local War Thunder map endpoints -- Store user settings in `%LOCALAPPDATA%\Ehwrj` -- Create an optional visible overlay window controlled by the user - -Disallowed behavior: - -- Clipboard listeners -- Cryptocurrency wallet matching or replacement -- Startup persistence -- Windows Update impersonation -- ZIP, PE, or resource modification -- Hidden external network communication -- Credential, cookie, wallet, browser, or messenger file collection - -Issues or pull requests that add disallowed behavior should be rejected. -
diff --git a/artifacts/ehwrj-win-x64/SHA256SUMS.txt b/artifacts/ehwrj-win-x64/SHA256SUMS.txt
deleted file mode 100644
index 113483e..0000000
--- a/artifacts/ehwrj-win-x64/SHA256SUMS.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-684aaf2276f934d7aae842da81adfe46b954764e9828d5bbe9242b00cd1f5168 Ehwrj.exe
-4c1705d38ec895d4f3830165f1b061ec389da913f17d471ec97fcbe3e6cec012 LICENSE
-d71dd3bed70b3c90aa04bed6c8f47caf47888566b79e48a50e7743a6ae35f031 README.md
-866de6ec207750697e6a321ed1b8ba52ba04bdf9080c80ff929c885c9107ad27 RUNNING.txt
-266a2a8f242f274530085cca86ebeb8c11706ca73ce03684ee3b6ba61ef5e274 SECURITY.md
-9b203e40323b49dad29546a52b8b67d200bba8ff4cab9709a79cede23ba847d4 av_libglesv2.dll
-eb76238c9e8e41d44b5a5b18167c4c5b39ca5db4277af5dbe92d730f0fc14a7d libHarfBuzzSharp.dll
-9a0d95e8caaa852c70d085af6a40a744242172ad9ea3fd6bc7599875a8a1dbcd libSkiaSharp.dll
diff --git a/artifacts/ehwrj-win-x64/av_libglesv2.dll b/artifacts/ehwrj-win-x64/av_libglesv2.dll
deleted file mode 100755
index 487d711..0000000
Binary files a/artifacts/ehwrj-win-x64/av_libglesv2.dll and /dev/null differ
diff --git a/artifacts/ehwrj-win-x64/libHarfBuzzSharp.dll b/artifacts/ehwrj-win-x64/libHarfBuzzSharp.dll
deleted file mode 100755
index 2bb6849..0000000
Binary files a/artifacts/ehwrj-win-x64/libHarfBuzzSharp.dll and /dev/null differ
diff --git a/artifacts/ehwrj-win-x64/libSkiaSharp.dll b/artifacts/ehwrj-win-x64/libSkiaSharp.dll
deleted file mode 100755
index 3f8c6f2..0000000
Binary files a/artifacts/ehwrj-win-x64/libSkiaSharp.dll and /dev/null differ
diff --git a/docs/release-readme.md b/docs/release-readme.md
new file mode 100644
index 0000000..69bc2f3
--- /dev/null
+++ b/docs/release-readme.md
@@ -0,0 +1,34 @@ +# Ehwrj Portable Build + +Ehwrj is a clean-room War Thunder live map companion for Windows. + +This release package contains only the rebuilt benign application and its runtime files. It does not include the original analyzed sample. + +## Run + +1. Start War Thunder. +2. Confirm the local map is available at `http://127.0.0.1:8111/map_info.json`. +3. Run `Ehwrj.exe`. +4. Use the main window to enable or disable the overlay. + +## Network Scope + +- Ehwrj reads War Thunder's local loopback API at `127.0.0.1:8111`. +- Ehwrj does not contact external hosts. +- Ehwrj does not read unrelated user files. + +## Settings + +Settings are saved under: + +```text +%LOCALAPPDATA%\Ehwrj\settings.json +``` + +## Files + +- `Ehwrj.exe`: Windows application launcher +- `Ehwrj.dll`: application code +- `Ehwrj.Core.dll`: local API parsing and projection logic +- `*.dll`, `*.json`: .NET, Avalonia, and native runtime dependencies +- `SHA256SUMS.txt`: package file checksums
diff --git a/docs/release-security.md b/docs/release-security.md
new file mode 100644
index 0000000..0ee13fa
--- /dev/null
+++ b/docs/release-security.md
@@ -0,0 +1,10 @@ +# Security Notes + +Ehwrj is a local War Thunder map companion. + +- Network access is limited to the local War Thunder API on loopback. +- Settings are saved under the current user's local application data folder. +- The overlay uses standard Windows window styles so mouse input can pass through it. +- The release package contains the rebuilt application and runtime dependencies only. + +Report unexpected behavior with the exact release file hash and reproduction steps.
diff --git a/scripts/package-win-x64.sh b/scripts/package-win-x64.sh
index c79e807..56a6327 100755
--- a/scripts/package-win-x64.sh
+++ b/scripts/package-win-x64.sh
@@ -24,8 +24,8 @@ while [[ $# -gt 0 ]]; do Usage: scripts/package-win-x64.sh [--publish-dir path] [--zip path] -Creates a portable Windows x64 ZIP containing Ehwrj.exe, native DLLs, -README, SECURITY, LICENSE, RUNNING.txt, and SHA256SUMS.txt. +Creates a portable Windows x64 ZIP containing the published Ehwrj app, +release README, SECURITY, LICENSE, RUNNING.txt, and SHA256SUMS.txt. EOF exit 0 ;;
@@ -44,10 +44,10 @@ fi rm -rf "$PACKAGE_DIR" mkdir -p "$PACKAGE_DIR" -cp "$PUBLISH_DIR/Ehwrj.exe" "$PACKAGE_DIR/" -cp "$PUBLISH_DIR"/*.dll "$PACKAGE_DIR/" -cp "$ROOT_DIR/README.md" "$PACKAGE_DIR/README.md" -cp "$ROOT_DIR/SECURITY.md" "$PACKAGE_DIR/SECURITY.md" +cp -a "$PUBLISH_DIR"/. "$PACKAGE_DIR"/ +find "$PACKAGE_DIR" -type f -name '*.pdb' -delete +cp "$ROOT_DIR/docs/release-readme.md" "$PACKAGE_DIR/README.md" +cp "$ROOT_DIR/docs/release-security.md" "$PACKAGE_DIR/SECURITY.md" cp "$ROOT_DIR/LICENSE" "$PACKAGE_DIR/LICENSE" cat > "$PACKAGE_DIR/RUNNING.txt" <<'EOF'
@@ -68,7 +68,9 @@ EOF ( cd "$PACKAGE_DIR" - sha256sum * > SHA256SUMS.txt + find . -type f ! -name SHA256SUMS.txt -printf '%P\0' \ + | sort -z \ + | xargs -0 sha256sum > SHA256SUMS.txt ) rm -f "$ZIP_PATH"
diff --git a/scripts/publish-win-x64.sh b/scripts/publish-win-x64.sh
index e9ab49d..90ce8da 100755
--- a/scripts/publish-win-x64.sh
+++ b/scripts/publish-win-x64.sh
@@ -14,5 +14,5 @@ dotnet publish "$ROOT_DIR/src/Ehwrj.App/Ehwrj.App.csproj" \ -c Release \ -r win-x64 \ --self-contained true \ - -p:PublishSingleFile=true + -p:PublishSingleFile=false "$ROOT_DIR/scripts/package-win-x64.sh" >/dev/null
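Review bot: `cp -a "$PUBLISH_DIR"/. "$PACKAGE_DIR"/` in the -44,10 hunk packages whatever happens to be in the publish directory, and nothing in this script clears or validates it, so a leftover from an earlier publish (for example the single-file `Ehwrj.exe` produced before this commit flipped PublishSingleFile) would be zipped and listed in SHA256SUMS.txt as part of the release; the old explicit `cp` of Ehwrj.exe and `*.dll` at least bounded what went in. A cheap guard before the copy is `[[ -f "$PUBLISH_DIR/Ehwrj.exe" && -f "$PUBLISH_DIR/Ehwrj.dll" ]] || { echo "unexpected publish dir contents: $PUBLISH_DIR" >&2; exit 1; }`, and scripts/publish-win-x64.sh (also in this commit) could remove its publish directory before `dotnet publish` so the package is built from a clean output. In the -68,7 hunk the relative `%P` paths are fine for `sha256sum -c`; if the script does not `set -e` at its head (outside the hunk), `cd "$PACKAGE_DIR" || exit 1` keeps a failed cd from hashing the wrong directory. Both enclosing regions start before their hunks.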