Reduce release package false positives

2026-06-03 00:29:20 +09:00
parent cba5243ce4
commit d29752a91e
17 changed files with 56 additions and 284 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -46,7 +46,7 @@ jobs:
          -c Release
          -r win-x64
          --self-contained true
-          -p:PublishSingleFile=true
+          -p:PublishSingleFile=false
          -p:PublishDir=artifacts/win-x64/
      - name: Package Windows x64
--- a/.gitignore
+++ b/.gitignore
@@ -9,5 +9,3 @@ publish/
 captures/
 artifacts/*
 !artifacts/ehwrj-win-x64.zip
 !artifacts/ehwrj-win-x64/
 !artifacts/ehwrj-win-x64/**
--- a/README.md
+++ b/README.md
@@ -74,7 +74,7 @@ dotnet restore ehwrj/Ehwrj.sln
 dotnet build ehwrj/Ehwrj.sln -c Release
 dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release
 dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \
-  -p:PublishSingleFile=true
+  -p:PublishSingleFile=false
 ```
 Or from inside the `ehwrj` folder:
--- a/artifacts/ehwrj-win-x64.zip
+++ b/artifacts/ehwrj-win-x64.zip
--- a/artifacts/ehwrj-win-x64/Ehwrj.exe
+++ b/artifacts/ehwrj-win-x64/Ehwrj.exe
--- a/artifacts/ehwrj-win-x64/LICENSE
+++ b/artifacts/ehwrj-win-x64/LICENSE
@@ -1,22 +0,0 @@
 MIT License
 Copyright (c) 2026 Ehwrj contributors
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 SOFTWARE.
--- a/artifacts/ehwrj-win-x64/README.md
+++ b/artifacts/ehwrj-win-x64/README.md
@@ -1,206 +0,0 @@
 # Ehwrj
 Ehwrj is a clean-room War Thunder live map companion for Windows.
 It reads War Thunder's local map service at `http://127.0.0.1:8111`, renders a desktop map view, and can show a click-through always-on-top overlay. The code is newly written and intentionally excludes the malicious behavior found in the analyzed sample.
 ## Analyzed Malware File
 This repository does not contain the original malicious sample. The notes below summarize the static analysis used to separate the benign WT Live Map behavior from the malicious loader/clipper behavior.
 Analysis date: 2026-06-02  
 Analysis method: static analysis only; the sample was not executed.
 | File | SHA-256 | Assessment |
 | --- | --- | --- |
 | `WTLiveMap.exe` | `4dbbc21d9c2ed70dde046a2f737ee4173da807d43d5b3a6acfe447864ed6d643` | Native x64 Win32/C++ executable containing RCDATA 101 and 102. |
 | `WTLiveMap.zip` | `429e07a27e7896f75a901a1df3cd6560b43de33986920f1f22013ef155541b4c` | ZIP package containing the same suspicious executable. |
 | `resource_101.bin` | `00732b0bbc1740ebe88745424c88ab840b381475837e5e02e937a29e66df3909` | Benign WT Live Map UI/WebView-style resource. |
 | `resource_102.bin` | `03547c81562a065bcb08defa638866c8c1c79343d78b8df7a8a7e0cb827242d7` | Resource-less loader/clipper variant with the same malicious capability class as the outer EXE. |
 Key findings:
 - RCDATA 101 matches the non-virus WT Live Map behavior: it references `Warthunder LiveMap`, `map_info.json`, `map_obj.json`, `map.img`, `aces.exe`, WebView messaging, and loopback access to `127.0.0.1:8111`.
 - RCDATA 102 is not byte-identical to the outer `WTLiveMap.exe`, but it shares the suspicious import profile, hidden string structure, Windows Update disguise strings, clipboard API strings, and cryptocurrency address replacement logic.
 - The malicious path monitors clipboard text and replaces BTC, ETH, SOL, TRX, XRP, DOGE, LTC, and BCH wallet addresses with attacker-controlled addresses.
 - Persistence is disguised as Windows Update. The analyzed code builds paths similar to `%TEMP%\WindowsUpdateModule\SystemUpdateService.exe` and creates a startup shortcut named `WindowsSystemUpdate.lnk`.
 - `SHGetSpecialFolderPathW(CSIDL_STARTUP)`, Shell Link COM use, `Global\WinSysUpdateMutexV11`, and resource update APIs were observed in the malicious loader path.
 - A ZIP repackaging path uses hidden PowerShell command construction, extracts a ZIP, locates an inner EXE, reinvokes itself with `--merge-env`, injects RCDATA 101/102, and recreates the ZIP.
 - No external C2 server, IP, domain, or upload path was confirmed in static analysis. The confirmed monetization path is clipboard-based cryptocurrency address replacement.
 ## What It Implements
 - Local War Thunder API polling:
  - `/map_info.json`
  - `/map_obj.json`
  - `/map.img`
 - Optional local telemetry/message polling when available:
  - `/state`
  - `/hudmsg`
  - `/gamechat`
 - Main map preview with aircraft/object markers
 - Transparent click-through overlay
 - Configurable overlay size, position, zoom, minimap, Mach labels, and spot radar
 - Overlay controls for aircraft scale, minimum Mach filters, radar spread, vertical scale/offset, arrow size, opacity, label colors, font sizes, distance, Mach, and closure speed labels
 - English/Korean UI language selection
 - Settings persisted under `%LOCALAPPDATA%\Ehwrj\settings.json`
 - Windows build from Linux using .NET 8 and Avalonia targeting `win-x64`
 ## Explicitly Not Implemented
 The analyzed binary contained malicious behavior. Ehwrj does not implement:
 - Clipboard monitoring or cryptocurrency address replacement
 - Windows Update disguise or startup persistence
 - ZIP/EXE infection or resource injection
 - Hidden mutex-based malware lifecycle control
 - Any external C2, exfiltration, or remote upload path
 ## Build
 From Ubuntu:
 ```bash
 cd ehwrj
 scripts/bootstrap-ubuntu.sh
 ```
 The bootstrap script installs missing Ubuntu packages for .NET 8 and the safety scanner, then runs restore, build, tests, the safety scan, tool smoke checks, and Windows x64 publish.
 If the dependencies are already installed:
 ```bash
 dotnet restore ehwrj/Ehwrj.sln
 dotnet build ehwrj/Ehwrj.sln -c Release
 dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release
 dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \
  -p:PublishSingleFile=true
 ```
 Or from inside the `ehwrj` folder:
 ```bash
 scripts/publish-win-x64.sh
 ```
 The output EXE will be under:
 ```text
 ehwrj/src/Ehwrj.App/bin/Release/net8.0/win-x64/publish/
 ```
 The portable release ZIP is written to:
 ```text
 ehwrj/artifacts/ehwrj-win-x64.zip
 ```
 ## Runtime
 Run War Thunder first, then start Ehwrj on Windows. The app expects the game to expose the local map API on `127.0.0.1:8111`.
 The current coordinate and speed estimates are intentionally conservative because War Thunder's local API shape can vary by mode and vehicle. Use real `map_info.json` and `map_obj.json` captures to tune projection and spot radar math for a specific game mode.
 ## Local API Stub
 For UI development without War Thunder, run the deterministic local API stub:
 ```bash
 cd ehwrj
 scripts/run-local-api-stub.sh
 ```
 It serves:
 - `http://127.0.0.1:8111/map_info.json`
 - `http://127.0.0.1:8111/map_obj.json`
 - `http://127.0.0.1:8111/map.img`
 - `http://127.0.0.1:8111/state`
 - `http://127.0.0.1:8111/hudmsg`
 - `http://127.0.0.1:8111/gamechat`
 Use another port for endpoint testing:
 ```bash
 scripts/run-local-api-stub.sh 18111
 ```
 ## Capturing Real Local API Data
 When War Thunder is running on Windows, capture the local API into a fixture directory:
 ```bash
 cd ehwrj
 scripts/capture-local-api.sh captures/my-session
 ```
 The capture tool saves:
 - `map_info.json`
 - `map_obj.json`
 - `map.img`
 - `state.json` when `/state` is available
 - `hudmsg.json` when `/hudmsg` is available
 - `gamechat.json` when `/gamechat` is available
 - `capture-report.txt` with parser coverage, raw object field frequency, unknown object samples, replay readiness, and tuning warnings
 Validate an existing capture:
 ```bash
 scripts/validate-capture.sh captures/my-session
 ```
 Use the report to tune real game-mode support. The most useful sections are `Object field coverage`, `Unknown object samples`, and `State field names`; they show which raw War Thunder fields are present and where object classification or telemetry parsing needs adjustment.
 Replay a capture through the local API stub:
 ```bash
 scripts/run-local-api-stub.sh 8111 captures/my-session
 ```
 ## New Code Structure
 ```text
 Directory.Build.props
  shared compiler, analyzer, and Windows-targeting settings
 docs/
  architecture and feature parity notes
 scripts/
  Ubuntu bootstrap, safety scan, capture, publish, and packaging helpers
 src/Ehwrj.App/
  Avalonia desktop UI and overlay host
 src/Ehwrj.App/Models/
  UI settings, localization text, endpoint health, and render snapshots
 src/Ehwrj.App/Services/
  polling adapter and settings store
 src/Ehwrj.App/Rendering/
  main map and overlay drawing surfaces
 src/Ehwrj.App/ViewModels/
  app state and UI commands
 src/Ehwrj.App/Infrastructure/
  minimal Win32 interop for click-through overlay styles
 src/Ehwrj.Core/
  loopback API parsing, map models, telemetry models, tracking, and projection logic
 src/Ehwrj.Core/Models/
  War Thunder map object, map info, flight state, battle message, and motion tracker types
 src/Ehwrj.Core/Services/
  local WT API client, process probe, loopback guard, and capture fixture analyzer
 src/Ehwrj.Core/Geometry/
  viewport, projected point, and coordinate projection math
 tools/Ehwrj.Tools.LocalApiStub/
  deterministic local map API server and capture replay helper
 tools/Ehwrj.Tools.Capture/
  local API fixture capture and validation tool
 tests/Ehwrj.Tests/
  lightweight parser, projection, localization, settings, and safety checks
 artifacts/ehwrj-win-x64/
  committed portable Windows x64 build output, including Ehwrj.exe and checksums
 ```
 ## CI
 The repository includes a GitHub Actions workflow that restores, checks formatting, builds with warnings as errors, runs the lightweight tests, publishes a Windows x64 artifact, and uploads it as `ehwrj-win-x64`.
 ## Feature Parity
 See [docs/feature-matrix.md](docs/feature-matrix.md) for the benign WT Live Map feature parity status and remaining data gaps.
--- a/artifacts/ehwrj-win-x64/RUNNING.txt
+++ b/artifacts/ehwrj-win-x64/RUNNING.txt
@@ -1,13 +0,0 @@
 Ehwrj portable Windows x64 build
 1. Start War Thunder.
 2. Confirm the local map is available at http://127.0.0.1:8111/map_info.json.
 3. Run Ehwrj.exe.
 4. Use "Show overlay" in the left panel to enable the click-through overlay.
 Network scope:
 - Ehwrj only reads the loopback War Thunder local API.
 - It does not contact external hosts.
 Settings:
 - Saved under %LOCALAPPDATA%\Ehwrj\settings.json.
--- a/artifacts/ehwrj-win-x64/SECURITY.md
+++ b/artifacts/ehwrj-win-x64/SECURITY.md
@@ -1,23 +0,0 @@
 # Security Scope
 Ehwrj is a clean-room replacement for the benign War Thunder live map behavior observed in the analyzed sample.
 Allowed behavior:
 - Connect to `127.0.0.1:8111` only
 - Read local War Thunder map endpoints
 - Store user settings in `%LOCALAPPDATA%\Ehwrj`
 - Create an optional visible overlay window controlled by the user
 Disallowed behavior:
 - Clipboard listeners
 - Cryptocurrency wallet matching or replacement
 - Startup persistence
 - Windows Update impersonation
 - ZIP, PE, or resource modification
 - Hidden external network communication
 - Credential, cookie, wallet, browser, or messenger file collection
 Issues or pull requests that add disallowed behavior should be rejected.
--- a/artifacts/ehwrj-win-x64/SHA256SUMS.txt
+++ b/artifacts/ehwrj-win-x64/SHA256SUMS.txt
@@ -1,8 +0,0 @@
 684aaf2276f934d7aae842da81adfe46b954764e9828d5bbe9242b00cd1f5168  Ehwrj.exe
 4c1705d38ec895d4f3830165f1b061ec389da913f17d471ec97fcbe3e6cec012  LICENSE
 d71dd3bed70b3c90aa04bed6c8f47caf47888566b79e48a50e7743a6ae35f031  README.md
 866de6ec207750697e6a321ed1b8ba52ba04bdf9080c80ff929c885c9107ad27  RUNNING.txt
 266a2a8f242f274530085cca86ebeb8c11706ca73ce03684ee3b6ba61ef5e274  SECURITY.md
 9b203e40323b49dad29546a52b8b67d200bba8ff4cab9709a79cede23ba847d4  av_libglesv2.dll
 eb76238c9e8e41d44b5a5b18167c4c5b39ca5db4277af5dbe92d730f0fc14a7d  libHarfBuzzSharp.dll
 9a0d95e8caaa852c70d085af6a40a744242172ad9ea3fd6bc7599875a8a1dbcd  libSkiaSharp.dll
--- a/artifacts/ehwrj-win-x64/av_libglesv2.dll
+++ b/artifacts/ehwrj-win-x64/av_libglesv2.dll
--- a/artifacts/ehwrj-win-x64/libHarfBuzzSharp.dll
+++ b/artifacts/ehwrj-win-x64/libHarfBuzzSharp.dll
--- a/artifacts/ehwrj-win-x64/libSkiaSharp.dll
+++ b/artifacts/ehwrj-win-x64/libSkiaSharp.dll
--- a/docs/release-readme.md
+++ b/docs/release-readme.md
@@ -0,0 +1,34 @@
 # Ehwrj Portable Build
 Ehwrj is a clean-room War Thunder live map companion for Windows.
 This release package contains only the rebuilt benign application and its runtime files. It does not include the original analyzed sample.
 ## Run
 1. Start War Thunder.
 2. Confirm the local map is available at `http://127.0.0.1:8111/map_info.json`.
 3. Run `Ehwrj.exe`.
 4. Use the main window to enable or disable the overlay.
 ## Network Scope
 - Ehwrj reads War Thunder's local loopback API at `127.0.0.1:8111`.
 - Ehwrj does not contact external hosts.
 - Ehwrj does not read unrelated user files.
 ## Settings
 Settings are saved under:
 ```text
 %LOCALAPPDATA%\Ehwrj\settings.json
 ```
 ## Files
 - `Ehwrj.exe`: Windows application launcher
 - `Ehwrj.dll`: application code
 - `Ehwrj.Core.dll`: local API parsing and projection logic
 - `*.dll`, `*.json`: .NET, Avalonia, and native runtime dependencies
 - `SHA256SUMS.txt`: package file checksums
--- a/docs/release-security.md
+++ b/docs/release-security.md
@@ -0,0 +1,10 @@
 # Security Notes
 Ehwrj is a local War Thunder map companion.
 - Network access is limited to the local War Thunder API on loopback.
 - Settings are saved under the current user's local application data folder.
 - The overlay uses standard Windows window styles so mouse input can pass through it.
 - The release package contains the rebuilt application and runtime dependencies only.
 Report unexpected behavior with the exact release file hash and reproduction steps.
--- a/scripts/package-win-x64.sh
+++ b/scripts/package-win-x64.sh
@@ -24,8 +24,8 @@ while [[ $# -gt 0 ]]; do
 Usage:
  scripts/package-win-x64.sh [--publish-dir path] [--zip path]
-Creates a portable Windows x64 ZIP containing Ehwrj.exe, native DLLs,
+Creates a portable Windows x64 ZIP containing the published Ehwrj app,
-README, SECURITY, LICENSE, RUNNING.txt, and SHA256SUMS.txt.
+release README, SECURITY, LICENSE, RUNNING.txt, and SHA256SUMS.txt.
 EOF
      exit 0
      ;;
@@ -44,10 +44,10 @@ fi
 rm -rf "$PACKAGE_DIR"
 mkdir -p "$PACKAGE_DIR"
-cp "$PUBLISH_DIR/Ehwrj.exe" "$PACKAGE_DIR/"
+cp -a "$PUBLISH_DIR"/. "$PACKAGE_DIR"/
-cp "$PUBLISH_DIR"/*.dll "$PACKAGE_DIR/"
+find "$PACKAGE_DIR" -type f -name '*.pdb' -delete
-cp "$ROOT_DIR/README.md" "$PACKAGE_DIR/README.md"
+cp "$ROOT_DIR/docs/release-readme.md" "$PACKAGE_DIR/README.md"
-cp "$ROOT_DIR/SECURITY.md" "$PACKAGE_DIR/SECURITY.md"
+cp "$ROOT_DIR/docs/release-security.md" "$PACKAGE_DIR/SECURITY.md"
 cp "$ROOT_DIR/LICENSE" "$PACKAGE_DIR/LICENSE"
 cat > "$PACKAGE_DIR/RUNNING.txt" <<'EOF'
@@ -68,7 +68,9 @@ EOF
 (
  cd "$PACKAGE_DIR"
-  sha256sum * > SHA256SUMS.txt
+  find . -type f ! -name SHA256SUMS.txt -printf '%P\0' \
    | sort -z \
    | xargs -0 sha256sum > SHA256SUMS.txt
 )
 rm -f "$ZIP_PATH"
--- a/scripts/publish-win-x64.sh
+++ b/scripts/publish-win-x64.sh
@@ -14,5 +14,5 @@ dotnet publish "$ROOT_DIR/src/Ehwrj.App/Ehwrj.App.csproj" \
  -c Release \
  -r win-x64 \
  --self-contained true \
-  -p:PublishSingleFile=true
+  -p:PublishSingleFile=false
 "$ROOT_DIR/scripts/package-win-x64.sh" >/dev/null