damhwee/ehwrj
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d29752a91eb98469f054fb3e6e0da38d047bb48a
ehwrj/README.md
yeorinhieut d29752a91e
Some checks failed
build / build-test-publish (push) Has been cancelled
Details
Reduce release package false positives
2026-06-03 00:29:20 +09:00

207 lines
8.1 KiB
Markdown
Raw Blame History

# Ehwrj
Ehwrj is a clean-room War Thunder live map companion for Windows.
It reads War Thunder's local map service at `http://127.0.0.1:8111`, renders a desktop map view, and can show a click-through always-on-top overlay. The code is newly written and intentionally excludes the malicious behavior found in the analyzed sample.
## Analyzed Malware File
This repository does not contain the original malicious sample. The notes below summarize the static analysis used to separate the benign WT Live Map behavior from the malicious loader/clipper behavior.
Analysis date: 2026-06-02
Analysis method: static analysis only; the sample was not executed.
| File | SHA-256 | Assessment |
| --- | --- | --- |
| `WTLiveMap.exe` | `4dbbc21d9c2ed70dde046a2f737ee4173da807d43d5b3a6acfe447864ed6d643` | Native x64 Win32/C++ executable containing RCDATA 101 and 102. |
| `WTLiveMap.zip` | `429e07a27e7896f75a901a1df3cd6560b43de33986920f1f22013ef155541b4c` | ZIP package containing the same suspicious executable. |
| `resource_101.bin` | `00732b0bbc1740ebe88745424c88ab840b381475837e5e02e937a29e66df3909` | Benign WT Live Map UI/WebView-style resource. |
| `resource_102.bin` | `03547c81562a065bcb08defa638866c8c1c79343d78b8df7a8a7e0cb827242d7` | Resource-less loader/clipper variant with the same malicious capability class as the outer EXE. |
Key findings:
- RCDATA 101 matches the non-virus WT Live Map behavior: it references `Warthunder LiveMap`, `map_info.json`, `map_obj.json`, `map.img`, `aces.exe`, WebView messaging, and loopback access to `127.0.0.1:8111`.
- RCDATA 102 is not byte-identical to the outer `WTLiveMap.exe`, but it shares the suspicious import profile, hidden string structure, Windows Update disguise strings, clipboard API strings, and cryptocurrency address replacement logic.
- The malicious path monitors clipboard text and replaces BTC, ETH, SOL, TRX, XRP, DOGE, LTC, and BCH wallet addresses with attacker-controlled addresses.
- Persistence is disguised as Windows Update. The analyzed code builds paths similar to `%TEMP%\WindowsUpdateModule\SystemUpdateService.exe` and creates a startup shortcut named `WindowsSystemUpdate.lnk`.
- `SHGetSpecialFolderPathW(CSIDL_STARTUP)`, Shell Link COM use, `Global\WinSysUpdateMutexV11`, and resource update APIs were observed in the malicious loader path.
- A ZIP repackaging path uses hidden PowerShell command construction, extracts a ZIP, locates an inner EXE, reinvokes itself with `--merge-env`, injects RCDATA 101/102, and recreates the ZIP.
- No external C2 server, IP, domain, or upload path was confirmed in static analysis. The confirmed monetization path is clipboard-based cryptocurrency address replacement.
## What It Implements
- Local War Thunder API polling:
- `/map_info.json`
- `/map_obj.json`
- `/map.img`
- Optional local telemetry/message polling when available:
- `/state`
- `/hudmsg`
- `/gamechat`
- Main map preview with aircraft/object markers
- Transparent click-through overlay
- Configurable overlay size, position, zoom, minimap, Mach labels, and spot radar
- Overlay controls for aircraft scale, minimum Mach filters, radar spread, vertical scale/offset, arrow size, opacity, label colors, font sizes, distance, Mach, and closure speed labels
- English/Korean UI language selection
- Settings persisted under `%LOCALAPPDATA%\Ehwrj\settings.json`
- Windows build from Linux using .NET 8 and Avalonia targeting `win-x64`
## Explicitly Not Implemented
The analyzed binary contained malicious behavior. Ehwrj does not implement:
- Clipboard monitoring or cryptocurrency address replacement
- Windows Update disguise or startup persistence
- ZIP/EXE infection or resource injection
- Hidden mutex-based malware lifecycle control
- Any external C2, exfiltration, or remote upload path
## Build
From Ubuntu:
```bash
cd ehwrj
scripts/bootstrap-ubuntu.sh
```
The bootstrap script installs missing Ubuntu packages for .NET 8 and the safety scanner, then runs restore, build, tests, the safety scan, tool smoke checks, and Windows x64 publish.
If the dependencies are already installed:
```bash
dotnet restore ehwrj/Ehwrj.sln
dotnet build ehwrj/Ehwrj.sln -c Release
dotnet run --project ehwrj/tests/Ehwrj.Tests/Ehwrj.Tests.csproj -c Release
dotnet publish ehwrj/src/Ehwrj.App/Ehwrj.App.csproj -c Release -r win-x64 --self-contained true \
-p:PublishSingleFile=false
```
Or from inside the `ehwrj` folder:
```bash
scripts/publish-win-x64.sh
```
The output EXE will be under:
```text
ehwrj/src/Ehwrj.App/bin/Release/net8.0/win-x64/publish/
```
The portable release ZIP is written to:
```text
ehwrj/artifacts/ehwrj-win-x64.zip
```
## Runtime
Run War Thunder first, then start Ehwrj on Windows. The app expects the game to expose the local map API on `127.0.0.1:8111`.
The current coordinate and speed estimates are intentionally conservative because War Thunder's local API shape can vary by mode and vehicle. Use real `map_info.json` and `map_obj.json` captures to tune projection and spot radar math for a specific game mode.
## Local API Stub
For UI development without War Thunder, run the deterministic local API stub:
```bash
cd ehwrj
scripts/run-local-api-stub.sh
```
It serves:
- `http://127.0.0.1:8111/map_info.json`
- `http://127.0.0.1:8111/map_obj.json`
- `http://127.0.0.1:8111/map.img`
- `http://127.0.0.1:8111/state`
- `http://127.0.0.1:8111/hudmsg`
- `http://127.0.0.1:8111/gamechat`
Use another port for endpoint testing:
```bash
scripts/run-local-api-stub.sh 18111
```
## Capturing Real Local API Data
When War Thunder is running on Windows, capture the local API into a fixture directory:
```bash
cd ehwrj
scripts/capture-local-api.sh captures/my-session
```
The capture tool saves:
- `map_info.json`
- `map_obj.json`
- `map.img`
- `state.json` when `/state` is available
- `hudmsg.json` when `/hudmsg` is available
- `gamechat.json` when `/gamechat` is available
- `capture-report.txt` with parser coverage, raw object field frequency, unknown object samples, replay readiness, and tuning warnings
Validate an existing capture:
```bash
scripts/validate-capture.sh captures/my-session
```
Use the report to tune real game-mode support. The most useful sections are `Object field coverage`, `Unknown object samples`, and `State field names`; they show which raw War Thunder fields are present and where object classification or telemetry parsing needs adjustment.
Replay a capture through the local API stub:
```bash
scripts/run-local-api-stub.sh 8111 captures/my-session
```
## New Code Structure
```text
Directory.Build.props
shared compiler, analyzer, and Windows-targeting settings
docs/
architecture and feature parity notes
scripts/
Ubuntu bootstrap, safety scan, capture, publish, and packaging helpers
src/Ehwrj.App/
Avalonia desktop UI and overlay host
src/Ehwrj.App/Models/
UI settings, localization text, endpoint health, and render snapshots
src/Ehwrj.App/Services/
polling adapter and settings store
src/Ehwrj.App/Rendering/
main map and overlay drawing surfaces
src/Ehwrj.App/ViewModels/
app state and UI commands
src/Ehwrj.App/Infrastructure/
minimal Win32 interop for click-through overlay styles
src/Ehwrj.Core/
loopback API parsing, map models, telemetry models, tracking, and projection logic
src/Ehwrj.Core/Models/
War Thunder map object, map info, flight state, battle message, and motion tracker types
src/Ehwrj.Core/Services/
local WT API client, process probe, loopback guard, and capture fixture analyzer
src/Ehwrj.Core/Geometry/
viewport, projected point, and coordinate projection math
tools/Ehwrj.Tools.LocalApiStub/
deterministic local map API server and capture replay helper
tools/Ehwrj.Tools.Capture/
local API fixture capture and validation tool
tests/Ehwrj.Tests/
lightweight parser, projection, localization, settings, and safety checks
artifacts/ehwrj-win-x64/
committed portable Windows x64 build output, including Ehwrj.exe and checksums
```
## CI
The repository includes a GitHub Actions workflow that restores, checks formatting, builds with warnings as errors, runs the lightweight tests, publishes a Windows x64 artifact, and uploads it as `ehwrj-win-x64`.
## Feature Parity
See [docs/feature-matrix.md](docs/feature-matrix.md) for the benign WT Live Map feature parity status and remaining data gaps.
Reference in New Issue View Git Blame Copy Permalink