feat: simulation mode

README.md

@@ -87,6 +87,7 @@ If you have a solid security monitoring that logs all process executions, you co
 - 0.7.2 - Using abolsute paths in registry patches
 - 0.8.0 - Creates a log file with all intercepted requests and actions performed `C:\ProgramData\Raccine_log.txt`
 - 0.9.0 - Logs to Windows Eventlog by @JohnLaTwC
+- 0.10.0 - Simulation mode only
 
 ## Installation
 
@@ -96,7 +97,7 @@ If you have a solid security monitoring that logs all process executions, you co
 2. Extract it
 3. Run `raccine-installer.bat`
 
-![Windows Batch Installer](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/batch-installer.png)
+![Windows Batch Installer](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/raccine-installer.png)
 
 The batch installer includes an "uninstall" option.
 
@@ -133,6 +134,12 @@ An entry is generated by every blocking event in the `Application` eventlog.
 
 ![Eventlog](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/eventlog2.png)
 
+## Simulation Mode
+
+Since version 0.10.0, Raccine can be installed in "simulation mode", which activates all triggers, logs all actions but doesn't kill anything. This mode should be used in environments in which backup solutions or other legitimate software for a reasonable amount of time to check if Raccine would interfere with other software. The idea is to install Raccine in simulation mode, let it log for a week or month and then check the logs to see if it would have blocked legitimate software used in the organisation. 
+
+![Kill Run](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/raccine-simulation.png)
+
 ## Screenshot
 
 Run `raccine.exe` and watch the parent process tree die (screenshot of v0.1)

install-raccine.bat

@@ -45,7 +45,7 @@ IF "%PROCESSOR_ARCHITECTURE%" EQU "x86" (
 :MENU
 CLS
 ECHO.
-ECHO ..........................................................
+ECHO ..............................................................................
 :::     ___               _         
 :::    / _ \___ _________(_)__  ___ 
 :::   / , _/ _ `/ __/ __/ / _ \/ -_)
@@ -55,21 +55,21 @@ for /f "delims=: tokens=*" %%A in ('findstr /b ::: "%~f0"') do @echo(%%A
 ECHO   A Simple Ransomware and Emotet Vaccine
 ECHO   Installer by Florian Roth, October 2020  
 ECHO.                       
-ECHO ----------------------------------------------------------
+ECHO ------------------------------------------------------------------------------
 ECHO   WARNING! Raccine could break your backup solution 
-ECHO ..........................................................
+ECHO ..............................................................................
 ECHO.
-ECHO   1 - Install Raccine for all possible methods (full)
-ECHO   2 - Install Raccine for Vssadmin and BcdEdit only (soft)
-ECHO   3 - Install Raccine to block all Emotet infections only
+ECHO   1 - Install Raccine for all possible methods
+ECHO   2 - Install Raccine for all possible methods (simulation mode, logging only)
+ECHO   3 - Install Raccine for Vssadmin and BcdEdit only
 ECHO   U - Uninstall Raccine
 ECHO   E - EXIT
 ECHO.
 
 SET /P M=" Select 1, 2, 3, or E then press ENTER: "
 IF %M%==1 GOTO FULL
-IF %M%==2 GOTO SOFT
-IF %M%==3 GOTO EMOTET
+IF %M%==2 GOTO FULL_SIMU
+IF %M%==3 GOTO SOFT
 IF %M%==U GOTO UNINSTALL
 IF %M%==u GOTO UNINSTALL
 IF %M%==E GOTO EOF
@@ -94,6 +94,7 @@ ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
 REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
+REG.EXE ADD HKCU\Software\Raccine /v LogOnly /t REG_DWORD /d 0 /F
 ECHO Copying Raccine%ARCH%.exe to C:\Windows\Raccine.exe ...
 COPY Raccine%ARCH%.exe C:\Windows\Raccine.exe
 IF '%errorlevel%' NEQ '0' (
@@ -105,40 +106,46 @@ IF '%errorlevel%' NEQ '0' (
 TIMEOUT /t 7
 GOTO MENU
 
-:: Soft
-:SOFT 
+:: Full (Simulation Mode)
+:FULL_SIMU
 ECHO.
 ECHO Installing Registry patches ...
 REGEDIT.EXE /S raccine-reg-patch-vssadmin.reg
 IF '%errorlevel%' NEQ '0' (
     ECHO Something went wrong. Sorry.
     GOTO MENU
 )
+REGEDIT.EXE /S raccine-reg-patch-wmic.reg 
+REGEDIT.EXE /S raccine-reg-patch-wbadmin.reg
 REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
+REGEDIT.EXE /S raccine-reg-patch-powershell.reg
 ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
 REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
+REG.EXE ADD HKCU\Software\Raccine /v LogOnly /t REG_DWORD /d 2 /F
 ECHO Copying Raccine%ARCH%.exe to C:\Windows\Raccine.exe ...
 COPY Raccine%ARCH%.exe C:\Windows\Raccine.exe
 IF '%errorlevel%' NEQ '0' (
     ECHO Something went wrong. Sorry.
 ) ELSE (
     ECHO.
     ECHO Successfully installed. Your system has been raccinated.
+    ECHO Warning: Simulation mode only! 
 )
 TIMEOUT /t 7
 GOTO MENU
 
-:: Emotet
-:EMOTET
+:: Soft
+:SOFT 
 ECHO.
 ECHO Installing Registry patches ...
-REGEDIT.EXE /S raccine-reg-patch-powershell.reg
+REGEDIT.EXE /S raccine-reg-patch-vssadmin.reg
 IF '%errorlevel%' NEQ '0' (
     ECHO Something went wrong. Sorry.
     GOTO MENU
 )
+REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
 ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
@@ -149,7 +156,7 @@ IF '%errorlevel%' NEQ '0' (
     ECHO Something went wrong. Sorry.
 ) ELSE (
     ECHO.
-    ECHO Successfully installed. Your system is now immune to weaponized Emotet documents.
+    ECHO Successfully installed. Your system has been raccinated.
 )
 TIMEOUT /t 7
 GOTO MENU
@@ -161,6 +168,7 @@ ECHO Uninstalling Registry patch ...
 REGEDIT.EXE /S raccine-reg-patch-uninstall.reg
 ECHO Removing Registry key ...
 REG.EXE DELETE HKCU\Software\Raccine /F
+REG.EXE DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine /F
 ECHO Removing Raccine.exe from the Windows folder ...
 DEL /Q C:\Windows\Raccine.exe
 IF '%errorlevel%' NEQ '0' (

raccine-reg-patch-uninstall.reg

@@ -9,3 +9,7 @@ Windows Registry Editor Version 5.00
 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe]
 
 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe]
+
+[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine]
+
+[-HKEY_CURRENT_USER\SOFTWARE\Raccine]

raccine.cpp

@@ -25,6 +25,7 @@
 #pragma comment(lib,"advapi32.lib")
 
 BOOL g_fLogToEventLog = FALSE;
+BOOL g_fLogOnly = FALSE;
 #define RACCINE_REG_CONFIG  L"SOFTWARE\\Raccine"
 #define MAX_MESSAGE 1000
 
@@ -389,19 +390,30 @@ int wmain(int argc, WCHAR* argv[]) {
         }
     }
 
-    // Query for logging level.  A value of 1 or more indicates to log key events to the event log
+    // Registry Settings
+    // Query for logging level. A value of 1 or more indicates to log key events to the event log
+    // Query for logging only mode. A value of 1 or more indicates to suppress process kills
     HKEY hKey = NULL;
     if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_CURRENT_USER, RACCINE_REG_CONFIG, 0, KEY_READ, &hKey))
     {
         DWORD dwLoggingLevel = 0;
         DWORD cbData = sizeof(dwLoggingLevel);
         if (ERROR_SUCCESS == RegQueryValueExW(hKey, L"Logging", NULL, NULL, (LPBYTE)&dwLoggingLevel, &cbData))
         {
-            if (dwLoggingLevel > 1)
+            if (dwLoggingLevel > 0)
             {
                 g_fLogToEventLog = TRUE;
             }
         }
+        DWORD dwLoggingOnly = 0;
+        DWORD cbDataLO = sizeof(dwLoggingOnly);
+        if (ERROR_SUCCESS == RegQueryValueExW(hKey, L"LogOnly", NULL, NULL, (LPBYTE)&dwLoggingOnly, &cbDataLO))
+        {
+            if (dwLoggingOnly > 0)
+            {
+                g_fLogOnly = TRUE;
+            }
+        }
         RegCloseKey(hKey);
     }
 
@@ -418,7 +430,12 @@ int wmain(int argc, WCHAR* argv[]) {
         (bPowerShell && bEncodedCommand)) {              // powershell.exe
 
         LPCWSTR lpMessage = sCommandLine.c_str();
-        StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n", lpMessage);
+        if (!g_fLogOnly) {
+            StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n", lpMessage);
+        }
+        else {
+            StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n(simulation mode)", lpMessage);
+        }
         WriteEventLogEntryWithId((LPWSTR)wMessage, RACCINE_EVENTID_MALICIOUS_ACTIVITY);
 
         // Collect PIDs to kill
@@ -441,13 +458,20 @@ int wmain(int argc, WCHAR* argv[]) {
 
         // Loop over collected PIDs and try to kill the processes
         for (uint8_t i = c; i > 0; --i) {
-            wprintf(L"Kill PID %d\n", pids[i - 1]);
-            killprocess(pids[i - 1], 1);
-            sListLogs.append(logFormat(pids[i - 1], sCommandLine, L"Terminated"));
+            if (!g_fLogOnly) {
+                wprintf(L"Kill PID %d\n", pids[i - 1]);
+                killprocess(pids[i - 1], 1);
+                sListLogs.append(logFormat(pids[i - 1], sCommandLine, L"Terminated"));
+            }
+            else {
+                // Simulated kill
+                wprintf(L"Simulated Kill PID %d\n", pids[i - 1]);
+                sListLogs.append(logFormat(pids[i - 1], sCommandLine, L"Terminated (Simulated)"));
+            }
         }
 
         logSend(sListLogs);
-        wprintf(L"\nRaccine v0.9.0 finished\n");
+        wprintf(L"\nRaccine v0.10.0 finished\n");
         Sleep(5000);
     }
     //