Reduce release package false positives
Some checks failed
build / build-test-publish (push) Has been cancelled

2026-06-03 00:29:20 +09:00
parent cba5243ce4
commit d29752a91e
17 changed files with 56 additions and 284 deletions


@@ -46,7 +46,7 @@ jobs:
-c Release
-r win-x64
--self-contained true
-p:PublishSingleFile=true
-p:PublishSingleFile=false
-p:PublishDir=artifacts/win-x64/
- name: Package Windows x64
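Review bot: `-p:PublishSingleFile=false` on the publish step removes the usual trigger for heuristic detections of self-contained .NET apps (the single-file bundle), but the hunk only shows the publish arguments; the `Package Windows x64` step that follows must now pick up the whole `artifacts/win-x64/` directory rather than a lone `Ehwrj.exe`, because with this layout `Ehwrj.exe` is just the apphost and the code lives in `Ehwrj.dll` and the runtime DLLs. A one-line comment above the flag stating why it is `false` would stop a later cleanup from flipping it back.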

.gitignore vendored

@@ -9,5 +9,3 @@ publish/
captures/
artifacts/*
!artifacts/ehwrj-win-x64.zip
!artifacts/ehwrj-win-x64/
!artifacts/ehwrj-win-x64/**
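Review bot: dropping the `!artifacts/ehwrj-win-x64.zip` and `!artifacts/ehwrj-win-x64/**` exceptions makes `artifacts/*` fully ignored again, which is the right call: a prebuilt EXE and ZIP committed to the repository cannot be checked against the source, and for a project whose whole point is being a clean-room rebuild that is the wrong thing to ask users to trust. Confirm that `git ls-files artifacts/` is empty after this commit so no stale tracked copy survives the ignore change, and that the CI `ehwrj-win-x64` upload is now the only distribution path.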


@@ -74,7 +74,7 @@ dotnet restore ehwrj/Ehwrj.sln
dotnet build ehwrj/Ehwrj.sln -c Release
dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release
dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \
-p:PublishSingleFile=true
-p:PublishSingleFile=false
```
Or from inside the `ehwrj` folder:
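Review bot: the README build line now matches the workflow, but it is the third copy of the same publish flags (workflow, README, `scripts/publish-win-x64.sh`) and none of them records why `PublishSingleFile` is `false`. Add a sentence under this block saying the multi-file layout is deliberate to avoid antivirus false positives, or point the README at `scripts/publish-win-x64.sh` as the single source of truth so the three copies cannot drift.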

Binary file not shown.

Binary file not shown.


@@ -1,22 +0,0 @@
MIT License
Copyright (c) 2026 Ehwrj contributors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


@@ -1,206 +0,0 @@
# Ehwrj
Ehwrj is a clean-room War Thunder live map companion for Windows.
It reads War Thunder's local map service at `http://127.0.0.1:8111`, renders a desktop map view, and can show a click-through always-on-top overlay. The code is newly written and intentionally excludes the malicious behavior found in the analyzed sample.
## Analyzed Malware File
This repository does not contain the original malicious sample. The notes below summarize the static analysis used to separate the benign WT Live Map behavior from the malicious loader/clipper behavior.
Analysis date: 2026-06-02
Analysis method: static analysis only; the sample was not executed.
| File | SHA-256 | Assessment |
| --- | --- | --- |
| `WTLiveMap.exe` | `4dbbc21d9c2ed70dde046a2f737ee4173da807d43d5b3a6acfe447864ed6d643` | Native x64 Win32/C++ executable containing RCDATA 101 and 102. |
| `WTLiveMap.zip` | `429e07a27e7896f75a901a1df3cd6560b43de33986920f1f22013ef155541b4c` | ZIP package containing the same suspicious executable. |
| `resource_101.bin` | `00732b0bbc1740ebe88745424c88ab840b381475837e5e02e937a29e66df3909` | Benign WT Live Map UI/WebView-style resource. |
| `resource_102.bin` | `03547c81562a065bcb08defa638866c8c1c79343d78b8df7a8a7e0cb827242d7` | Resource-less loader/clipper variant with the same malicious capability class as the outer EXE. |
Key findings:
- RCDATA 101 matches the non-virus WT Live Map behavior: it references `Warthunder LiveMap`, `map_info.json`, `map_obj.json`, `map.img`, `aces.exe`, WebView messaging, and loopback access to `127.0.0.1:8111`.
- RCDATA 102 is not byte-identical to the outer `WTLiveMap.exe`, but it shares the suspicious import profile, hidden string structure, Windows Update disguise strings, clipboard API strings, and cryptocurrency address replacement logic.
- The malicious path monitors clipboard text and replaces BTC, ETH, SOL, TRX, XRP, DOGE, LTC, and BCH wallet addresses with attacker-controlled addresses.
- Persistence is disguised as Windows Update. The analyzed code builds paths similar to `%TEMP%\WindowsUpdateModule\SystemUpdateService.exe` and creates a startup shortcut named `WindowsSystemUpdate.lnk`.
- `SHGetSpecialFolderPathW(CSIDL_STARTUP)`, Shell Link COM use, `Global\WinSysUpdateMutexV11`, and resource update APIs were observed in the malicious loader path.
- A ZIP repackaging path uses hidden PowerShell command construction, extracts a ZIP, locates an inner EXE, reinvokes itself with `--merge-env`, injects RCDATA 101/102, and recreates the ZIP.
- No external C2 server, IP, domain, or upload path was confirmed in static analysis. The confirmed monetization path is clipboard-based cryptocurrency address replacement.
## What It Implements
- Local War Thunder API polling:
- `/map_info.json`
- `/map_obj.json`
- `/map.img`
- Optional local telemetry/message polling when available:
- `/state`
- `/hudmsg`
- `/gamechat`
- Main map preview with aircraft/object markers
- Transparent click-through overlay
- Configurable overlay size, position, zoom, minimap, Mach labels, and spot radar
- Overlay controls for aircraft scale, minimum Mach filters, radar spread, vertical scale/offset, arrow size, opacity, label colors, font sizes, distance, Mach, and closure speed labels
- English/Korean UI language selection
- Settings persisted under `%LOCALAPPDATA%\Ehwrj\settings.json`
- Windows build from Linux using .NET 8 and Avalonia targeting `win-x64`
## Explicitly Not Implemented
The analyzed binary contained malicious behavior. Ehwrj does not implement:
- Clipboard monitoring or cryptocurrency address replacement
- Windows Update disguise or startup persistence
- ZIP/EXE infection or resource injection
- Hidden mutex-based malware lifecycle control
- Any external C2, exfiltration, or remote upload path
## Build
From Ubuntu:
```bash
cd ehwrj
scripts/bootstrap-ubuntu.sh
```
The bootstrap script installs missing Ubuntu packages for .NET 8 and the safety scanner, then runs restore, build, tests, the safety scan, tool smoke checks, and Windows x64 publish.
If the dependencies are already installed:
```bash
dotnet restore ehwrj/Ehwrj.sln
dotnet build ehwrj/Ehwrj.sln -c Release
dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release
dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \
-p:PublishSingleFile=true
```
Or from inside the `ehwrj` folder:
```bash
scripts/publish-win-x64.sh
```
The output EXE will be under:
```text
ehwrj/src/Ehwrj.App/bin/Release/net8.0/win-x64/publish/
```
The portable release ZIP is written to:
```text
ehwrj/artifacts/ehwrj-win-x64.zip
```
## Runtime
Run War Thunder first, then start Ehwrj on Windows. The app expects the game to expose the local map API on `127.0.0.1:8111`.
The current coordinate and speed estimates are intentionally conservative because War Thunder's local API shape can vary by mode and vehicle. Use real `map_info.json` and `map_obj.json` captures to tune projection and spot radar math for a specific game mode.
## Local API Stub
For UI development without War Thunder, run the deterministic local API stub:
```bash
cd ehwrj
scripts/run-local-api-stub.sh
```
It serves:
- `http://127.0.0.1:8111/map_info.json`
- `http://127.0.0.1:8111/map_obj.json`
- `http://127.0.0.1:8111/map.img`
- `http://127.0.0.1:8111/state`
- `http://127.0.0.1:8111/hudmsg`
- `http://127.0.0.1:8111/gamechat`
Use another port for endpoint testing:
```bash
scripts/run-local-api-stub.sh 18111
```
## Capturing Real Local API Data
When War Thunder is running on Windows, capture the local API into a fixture directory:
```bash
cd ehwrj
scripts/capture-local-api.sh captures/my-session
```
The capture tool saves:
- `map_info.json`
- `map_obj.json`
- `map.img`
- `state.json` when `/state` is available
- `hudmsg.json` when `/hudmsg` is available
- `gamechat.json` when `/gamechat` is available
- `capture-report.txt` with parser coverage, raw object field frequency, unknown object samples, replay readiness, and tuning warnings
Validate an existing capture:
```bash
scripts/validate-capture.sh captures/my-session
```
Use the report to tune real game-mode support. The most useful sections are `Object field coverage`, `Unknown object samples`, and `State field names`; they show which raw War Thunder fields are present and where object classification or telemetry parsing needs adjustment.
Replay a capture through the local API stub:
```bash
scripts/run-local-api-stub.sh 8111 captures/my-session
```
## New Code Structure
```text
Directory.Build.props
shared compiler, analyzer, and Windows-targeting settings
docs/
architecture and feature parity notes
scripts/
Ubuntu bootstrap, safety scan, capture, publish, and packaging helpers
src/Ehwrj.App/
Avalonia desktop UI and overlay host
src/Ehwrj.App/Models/
UI settings, localization text, endpoint health, and render snapshots
src/Ehwrj.App/Services/
polling adapter and settings store
src/Ehwrj.App/Rendering/
main map and overlay drawing surfaces
src/Ehwrj.App/ViewModels/
app state and UI commands
src/Ehwrj.App/Infrastructure/
minimal Win32 interop for click-through overlay styles
src/Ehwrj.Core/
loopback API parsing, map models, telemetry models, tracking, and projection logic
src/Ehwrj.Core/Models/
War Thunder map object, map info, flight state, battle message, and motion tracker types
src/Ehwrj.Core/Services/
local WT API client, process probe, loopback guard, and capture fixture analyzer
src/Ehwrj.Core/Geometry/
viewport, projected point, and coordinate projection math
tools/Ehwrj.Tools.LocalApiStub/
deterministic local map API server and capture replay helper
tools/Ehwrj.Tools.Capture/
local API fixture capture and validation tool
tests/Ehwrj.Tests/
lightweight parser, projection, localization, settings, and safety checks
artifacts/ehwrj-win-x64/
committed portable Windows x64 build output, including Ehwrj.exe and checksums
```
## CI
The repository includes a GitHub Actions workflow that restores, checks formatting, builds with warnings as errors, runs the lightweight tests, publishes a Windows x64 artifact, and uploads it as `ehwrj-win-x64`.
## Feature Parity
See [docs/feature-matrix.md](docs/feature-matrix.md) for the benign WT Live Map feature parity status and remaining data gaps.
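Review bot: removing this file from the shipped package is the substantive part of the fix, more than the publish flag: the `Analyzed Malware File` section carries exactly the strings a string-based signature keys on (`WindowsUpdateModule\SystemUpdateService.exe`, `WindowsSystemUpdate.lnk`, `Global\WinSysUpdateMutexV11`, the clipper wallet list, the sample hashes), so a ZIP containing it looks like the malware it documents. Keep the analysis in the repository README and docs, where it belongs, and make sure the packaging script no longer copies the root README into the package (the `cp "$ROOT_DIR/README.md"` line is dropped in the `package-win-x64.sh` hunk on this page).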


@@ -1,13 +0,0 @@
Ehwrj portable Windows x64 build
1. Start War Thunder.
2. Confirm the local map is available at http://127.0.0.1:8111/map_info.json.
3. Run Ehwrj.exe.
4. Use "Show overlay" in the left panel to enable the click-through overlay.
Network scope:
- Ehwrj only reads the loopback War Thunder local API.
- It does not contact external hosts.
Settings:
- Saved under %LOCALAPPDATA%\Ehwrj\settings.json.


@@ -1,23 +0,0 @@
# Security Scope
Ehwrj is a clean-room replacement for the benign War Thunder live map behavior observed in the analyzed sample.
Allowed behavior:
- Connect to `127.0.0.1:8111` only
- Read local War Thunder map endpoints
- Store user settings in `%LOCALAPPDATA%\Ehwrj`
- Create an optional visible overlay window controlled by the user
Disallowed behavior:
- Clipboard listeners
- Cryptocurrency wallet matching or replacement
- Startup persistence
- Windows Update impersonation
- ZIP, PE, or resource modification
- Hidden external network communication
- Credential, cookie, wallet, browser, or messenger file collection
Issues or pull requests that add disallowed behavior should be rejected.
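Review bot: the replacement `docs/release-security.md` drops the explicit disallowed-behavior list and the `Issues or pull requests that add disallowed behavior should be rejected.` policy line. That is fine for the end-user package, where a list of clipper and persistence terms is itself a false-positive trigger, but the policy should stay in the repository's root `SECURITY.md` (the file the old packaging line copied from `$ROOT_DIR/SECURITY.md`) so contributors keep the constraint.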


@@ -1,8 +0,0 @@
684aaf2276f934d7aae842da81adfe46b954764e9828d5bbe9242b00cd1f5168 Ehwrj.exe
4c1705d38ec895d4f3830165f1b061ec389da913f17d471ec97fcbe3e6cec012 LICENSE
d71dd3bed70b3c90aa04bed6c8f47caf47888566b79e48a50e7743a6ae35f031 README.md
866de6ec207750697e6a321ed1b8ba52ba04bdf9080c80ff929c885c9107ad27 RUNNING.txt
266a2a8f242f274530085cca86ebeb8c11706ca73ce03684ee3b6ba61ef5e274 SECURITY.md
9b203e40323b49dad29546a52b8b67d200bba8ff4cab9709a79cede23ba847d4 av_libglesv2.dll
eb76238c9e8e41d44b5a5b18167c4c5b39ca5db4277af5dbe92d730f0fc14a7d libHarfBuzzSharp.dll
9a0d95e8caaa852c70d085af6a40a744242172ad9ea3fd6bc7599875a8a1dbcd libSkiaSharp.dll

docs/release-readme.md Normal file

@@ -0,0 +1,34 @@
# Ehwrj Portable Build
Ehwrj is a clean-room War Thunder live map companion for Windows.
This release package contains only the rebuilt benign application and its runtime files. It does not include the original analyzed sample.
## Run
1. Start War Thunder.
2. Confirm the local map is available at `http://127.0.0.1:8111/map_info.json`.
3. Run `Ehwrj.exe`.
4. Use the main window to enable or disable the overlay.
## Network Scope
- Ehwrj reads War Thunder's local loopback API at `127.0.0.1:8111`.
- Ehwrj does not contact external hosts.
- Ehwrj does not read unrelated user files.
## Settings
Settings are saved under:
```text
%LOCALAPPDATA%\Ehwrj\settings.json
```
## Files
- `Ehwrj.exe`: Windows application launcher
- `Ehwrj.dll`: application code
- `Ehwrj.Core.dll`: local API parsing and projection logic
- `*.dll`, `*.json`: .NET, Avalonia, and native runtime dependencies
- `SHA256SUMS.txt`: package file checksums
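Review bot: the `Files` section lists `SHA256SUMS.txt` but not how to use it, and omits `RUNNING.txt` and `LICENSE`, which the packaging script's usage text says are in the ZIP. Add the two files and a verification line such as `sha256sum -c SHA256SUMS.txt` (or `Get-FileHash` on Windows), noting that the paths in the file are relative to the package root, and state that the sums only check the unpacked files against each other; the ZIP's own hash has to come from the release page.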

docs/release-security.md Normal file

@@ -0,0 +1,10 @@
# Security Notes
Ehwrj is a local War Thunder map companion.
- Network access is limited to the local War Thunder API on loopback.
- Settings are saved under the current user's local application data folder.
- The overlay uses standard Windows window styles so mouse input can pass through it.
- The release package contains the rebuilt application and runtime dependencies only.
Report unexpected behavior with the exact release file hash and reproduction steps.
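Review bot: the last line asks for a report with the release file hash but gives no channel; name the repository issue tracker or a contact so the instruction is actionable. One plain-words sentence about what the app deliberately does not do (no clipboard access, no startup entries) can stay without reintroducing the signature-like strings of the old file.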


@@ -24,8 +24,8 @@ while [[ $# -gt 0 ]]; do
Usage:
scripts/package-win-x64.sh [--publish-dir path] [--zip path]
Creates a portable Windows x64 ZIP containing Ehwrj.exe, native DLLs,
README, SECURITY, LICENSE, RUNNING.txt, and SHA256SUMS.txt.
Creates a portable Windows x64 ZIP containing the published Ehwrj app,
release README, SECURITY, LICENSE, RUNNING.txt, and SHA256SUMS.txt.
EOF
exit 0
;;
@@ -44,10 +44,10 @@ fi
rm -rf "$PACKAGE_DIR"
mkdir -p "$PACKAGE_DIR"
cp "$PUBLISH_DIR/Ehwrj.exe" "$PACKAGE_DIR/"
cp "$PUBLISH_DIR"/*.dll "$PACKAGE_DIR/"
cp "$ROOT_DIR/README.md" "$PACKAGE_DIR/README.md"
cp "$ROOT_DIR/SECURITY.md" "$PACKAGE_DIR/SECURITY.md"
cp -a "$PUBLISH_DIR"/. "$PACKAGE_DIR"/
find "$PACKAGE_DIR" -type f -name '*.pdb' -delete
cp "$ROOT_DIR/docs/release-readme.md" "$PACKAGE_DIR/README.md"
cp "$ROOT_DIR/docs/release-security.md" "$PACKAGE_DIR/SECURITY.md"
cp "$ROOT_DIR/LICENSE" "$PACKAGE_DIR/LICENSE"
cat > "$PACKAGE_DIR/RUNNING.txt" <<'EOF'
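Review bot: `cp -a "$PUBLISH_DIR"/. "$PACKAGE_DIR"/` copies whatever is in the publish directory, not just the files the script previously enumerated, so leftovers from an earlier publish run (another configuration's output, stray `*.xml` docs) end up in the release. Clear or freshly create `$PUBLISH_DIR` before `dotnet publish` (the workflow's `-p:PublishDir=artifacts/win-x64/` makes that easy). The `find ... -name '*.pdb' -delete` is right: symbol files are not needed at run time and only add bulk.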
@@ -68,7 +68,9 @@ EOF
(
cd "$PACKAGE_DIR"
sha256sum * > SHA256SUMS.txt
find . -type f ! -name SHA256SUMS.txt -printf '%P\0' \
| sort -z \
| xargs -0 sha256sum > SHA256SUMS.txt
)
rm -f "$ZIP_PATH"
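Review bot: the new `find ... -printf '%P\0' | sort -z | xargs -0 sha256sum` is an improvement over `sha256sum *`: it recurses into the subdirectories a multi-file publish now produces, excludes `SHA256SUMS.txt` from its own listing, is NUL-safe, writes package-relative paths so `sha256sum -c` works from the package root, and the sort makes the file deterministic for reproducible packages. Two caveats: `-printf` is GNU find, so the script is Linux-only (consistent with the Ubuntu bootstrap, but say so in the usage text), and a checksum file inside the archive only proves the archive was not corrupted, not that it is the project's build; whoever replaces the ZIP replaces `SHA256SUMS.txt` with it. Publish the ZIP's own SHA-256 in the release notes or sign the artifact.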


@@ -14,5 +14,5 @@ dotnet publish "$ROOT_DIR/src/Ehwrj.App/Ehwrj.App.csproj" \
-c Release \
-r win-x64 \
--self-contained true \
-p:PublishSingleFile=true
-p:PublishSingleFile=false
"$ROOT_DIR/scripts/package-win-x64.sh" >/dev/null
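Review bot: the flag change matches the workflow and README, but the context line `"$ROOT_DIR/scripts/package-win-x64.sh" >/dev/null` discards everything the packaging script reports on stdout, so a partial package is not visible in the build log. Drop the redirect, or at least let the final ZIP path through, so the publish step shows what it produced.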