diff --git a/README.md b/README.md
index e0604c2..3c427c8 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,7 @@ If you have a solid security monitoring that logs all process executions, you co
 - 0.7.2 - Using abolsute paths in registry patches
 - 0.8.0 - Creates a log file with all intercepted requests and actions performed `C:\ProgramData\Raccine_log.txt`
 - 0.9.0 - Logs to Windows Eventlog by @JohnLaTwC
+- 0.10.0 - Simulation mode only
 
 ## Installation
 
@@ -96,7 +97,7 @@ If you have a solid security monitoring that logs all process executions, you co
 2. Extract it
 3. Run `raccine-installer.bat`
 
-![Windows Batch Installer](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/batch-installer.png)
+![Windows Batch Installer](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/raccine-installer.png)
 
 The batch installer includes an "uninstall" option.
 
@@ -133,6 +134,12 @@ An entry is generated by every blocking event in the `Application` eventlog.
 
 ![Eventlog](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/eventlog2.png)
 
+## Simulation Mode
+
+Since version 0.10.0, Raccine can be installed in "simulation mode", which activates all triggers, logs all actions but doesn't kill anything. This mode should be used in environments in which backup solutions or other legitimate software for a reasonable amount of time to check if Raccine would interfere with other software. The idea is to install Raccine in simulation mode, let it log for a week or month and then check the logs to see if it would have blocked legitimate software used in the organisation.
+
+![Kill Run](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/raccine-simulation.png)
+
 ## Screenshot
 
 Run `raccine.exe` and watch the parent process tree die (screenshot of v0.1)
diff --git a/images/raccine-installer.png b/images/raccine-installer.png
new file mode 100644
index 0000000..cef368c
Binary files /dev/null and b/images/raccine-installer.png differ
diff --git a/images/raccine-simulation.png b/images/raccine-simulation.png
new file mode 100644
index 0000000..afffa77
Binary files /dev/null and b/images/raccine-simulation.png differ
diff --git a/install-raccine.bat b/install-raccine.bat
index e0c6632..924deef 100644
--- a/install-raccine.bat
+++ b/install-raccine.bat
@@ -45,7 +45,7 @@ IF "%PROCESSOR_ARCHITECTURE%" EQU "x86" (
 :MENU
 CLS
 ECHO.
-ECHO ..........................................................
+ECHO ..............................................................................
 ::: ___ _
 ::: / _ \___ _________(_)__ ___
 ::: / , _/ _ `/ __/ __/ / _ \/ -_)
@@ -55,21 +55,21 @@ for /f "delims=: tokens=*" %%A in ('findstr /b ::: "%~f0"') do @echo(%%A
 ECHO A Simple Ransomware and Emotet Vaccine
 ECHO Installer by Florian Roth, October 2020
 ECHO.
-ECHO ----------------------------------------------------------
+ECHO ------------------------------------------------------------------------------
 ECHO WARNING! Raccine could break your backup solution
-ECHO ..........................................................
+ECHO ..............................................................................
 ECHO.
-ECHO 1 - Install Raccine for all possible methods (full)
-ECHO 2 - Install Raccine for Vssadmin and BcdEdit only (soft)
-ECHO 3 - Install Raccine to block all Emotet infections only
+ECHO 1 - Install Raccine for all possible methods
+ECHO 2 - Install Raccine for all possible methods (simulation mode, logging only)
+ECHO 3 - Install Raccine for Vssadmin and BcdEdit only
 ECHO U - Uninstall Raccine
 ECHO E - EXIT
 ECHO.
 SET /P M=" Select 1, 2, 3, or E then press ENTER: "
 IF %M%==1 GOTO FULL
-IF %M%==2 GOTO SOFT
-IF %M%==3 GOTO EMOTET
+IF %M%==2 GOTO FULL_SIMU
+IF %M%==3 GOTO SOFT
 IF %M%==U GOTO UNINSTALL
 IF %M%==u GOTO UNINSTALL
 IF %M%==E GOTO EOF
@@ -94,6 +94,7 @@ ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
 REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
+REG.EXE ADD HKCU\Software\Raccine /v LogOnly /t REG_DWORD /d 0 /F
 ECHO Copying Raccine%ARCH%.exe to C:\Windows\Raccine.exe ...
 COPY Raccine%ARCH%.exe C:\Windows\Raccine.exe
 IF '%errorlevel%' NEQ '0' (
@@ -105,8 +106,8 @@ IF '%errorlevel%' NEQ '0' (
 TIMEOUT /t 7
 GOTO MENU
 
-:: Soft
-:SOFT
+:: Full (Simulation Mode)
+:FULL_SIMU
 ECHO.
 ECHO Installing Registry patches ...
 REGEDIT.EXE /S raccine-reg-patch-vssadmin.reg
@@ -114,11 +115,15 @@ IF '%errorlevel%' NEQ '0' (
 ECHO Something went wrong. Sorry.
 GOTO MENU
 )
+REGEDIT.EXE /S raccine-reg-patch-wmic.reg
+REGEDIT.EXE /S raccine-reg-patch-wbadmin.reg
 REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
+REGEDIT.EXE /S raccine-reg-patch-powershell.reg
 ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
 REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
+REG.EXE ADD HKCU\Software\Raccine /v LogOnly /t REG_DWORD /d 2 /F
 ECHO Copying Raccine%ARCH%.exe to C:\Windows\Raccine.exe ...
 COPY Raccine%ARCH%.exe C:\Windows\Raccine.exe
 IF '%errorlevel%' NEQ '0' (
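Review bot: The new LogOnly switch is stored under HKCU\Software\Raccine (first and third hunks here, and read via HKEY_CURRENT_USER in the raccine.cpp hunk that adds dwLoggingOnly), which is a hive the intercepted process's own user can write without elevation, so the decision whether Raccine kills or merely logs is controlled by a value any code running in that user context can change, and it belongs to whichever account launched the blocked binary rather than to the machine. The IFEO keys this same installer writes already require an elevated HKLM write, so keeping Logging and LogOnly under HKLM\SOFTWARE\Raccine and opening HKEY_LOCAL_MACHINE in raccine.cpp makes the policy admin-only at no extra installer cost; the RACCINE_REG_CONFIG path string would not need to change. Whichever hive is chosen, the value's meaning should be written next to the REG ADD lines, e.g. `:: LogOnly 1 = simulation (log, never kill); 0 = enforce`, since the installer sets 2 while the C++ comment documents "1 or more".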
@@ -126,19 +131,21 @@ IF '%errorlevel%' NEQ '0' (
 ) ELSE (
 ECHO.
 ECHO Successfully installed. Your system has been raccinated.
+ ECHO Warning: Simulation mode only!
 )
 TIMEOUT /t 7
 GOTO MENU
 
-:: Emotet
-:EMOTET
+:: Soft
+:SOFT
 ECHO.
 ECHO Installing Registry patches ...
-REGEDIT.EXE /S raccine-reg-patch-powershell.reg
+REGEDIT.EXE /S raccine-reg-patch-vssadmin.reg
 IF '%errorlevel%' NEQ '0' (
 ECHO Something went wrong. Sorry.
 GOTO MENU
 )
+REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
 ECHO Registering Eventlog Events
 eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
 eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
@@ -149,7 +156,7 @@ IF '%errorlevel%' NEQ '0' (
 ECHO Something went wrong. Sorry.
 ) ELSE (
 ECHO.
- ECHO Successfully installed. Your system is now immune to weaponized Emotet documents.
+ ECHO Successfully installed. Your system has been raccinated.
 )
 TIMEOUT /t 7
 GOTO MENU
@@ -161,6 +168,7 @@ ECHO Uninstalling Registry patch ...
 REGEDIT.EXE /S raccine-reg-patch-uninstall.reg
 ECHO Removing Registry key ...
 REG.EXE DELETE HKCU\Software\Raccine /F
+REG.EXE DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine /F
 ECHO Removing Raccine.exe from the Windows folder ...
 DEL /Q C:\Windows\Raccine.exe
 IF '%errorlevel%' NEQ '0' (
diff --git a/raccine-reg-patch-uninstall.reg b/raccine-reg-patch-uninstall.reg
index 96abbca..d1d107b 100644
--- a/raccine-reg-patch-uninstall.reg
+++ b/raccine-reg-patch-uninstall.reg
@@ -9,3 +9,7 @@ Windows Registry Editor Version 5.00
 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe]
 
 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe]
+
+[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Raccine]
+
+[-HKEY_CURRENT_USER\SOFTWARE\Raccine]
\ No newline at end of file
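Review bot: The :SOFT branch introduced in the first hunk (`@@ -126,19 +131,21 @@`) never resets LogOnly, whereas :FULL writes `REG.EXE ADD HKCU\Software\Raccine /v LogOnly /t REG_DWORD /d 0 /F` right after its Logging line; going by the hunk offsets, the four unchanged lines between this hunk and the next (old 145-148, new 152-155) are just the Logging REG ADD, the ECHO, COPY and IF, so there is no such line in :SOFT. A soft install performed over an earlier simulation-mode install therefore keeps LogOnly=2 and reports "Your system has been raccinated" while Raccine keeps logging without ever killing. Adding the same REG ADD with `/d 0` after the Logging line in :SOFT closes that gap; the :SOFT block itself runs past the end of this hunk.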
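Review bot: raccine-reg-patch-uninstall.reg now deletes HKEY_CURRENT_USER\SOFTWARE\Raccine and the EventLog\Application\Raccine key, but :UNINSTALL in install-raccine.bat (the `@@ -161,6 +168,7 @@` hunk) applies this file with `REGEDIT.EXE /S` and then REG.EXE DELETEs both keys again, so the second delete of each key always fails with a key-not-found error. Nothing breaks because errorlevel is only examined after the later DEL, but the duplicated removal should live in one place; the .reg is the natural one since it already owns the IFEO cleanup. Note that a `[-HKEY_CURRENT_USER\...]` line acts on the hive of the elevated account running REGEDIT, so it only removes the configuration written for that same account.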
diff --git a/raccine.cpp b/raccine.cpp
index d21a1da..2c7d5f4 100644
--- a/raccine.cpp
+++ b/raccine.cpp
@@ -25,6 +25,7 @@
 #pragma comment(lib,"advapi32.lib")
 
 BOOL g_fLogToEventLog = FALSE;
+BOOL g_fLogOnly = FALSE;
 
 #define RACCINE_REG_CONFIG L"SOFTWARE\\Raccine"
 #define MAX_MESSAGE 1000
@@ -389,7 +390,9 @@ int wmain(int argc, WCHAR* argv[]) {
 }
 }
 
- // Query for logging level. A value of 1 or more indicates to log key events to the event log
+ // Registry Settings
+ // Query for logging level. A value of 1 or more indicates to log key events to the event log
+ // Query for logging only mode. A value of 1 or more indicates to suppress process kills
 HKEY hKey = NULL;
 if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_CURRENT_USER, RACCINE_REG_CONFIG, 0, KEY_READ, &hKey))
 {
@@ -397,11 +400,20 @@ int wmain(int argc, WCHAR* argv[]) {
 DWORD cbData = sizeof(dwLoggingLevel);
 if (ERROR_SUCCESS == RegQueryValueExW(hKey, L"Logging", NULL, NULL, (LPBYTE)&dwLoggingLevel, &cbData))
 {
- if (dwLoggingLevel > 1)
+ if (dwLoggingLevel > 0)
 {
 g_fLogToEventLog = TRUE;
 }
 }
+ DWORD dwLoggingOnly = 0;
+ DWORD cbDataLO = sizeof(dwLoggingOnly);
+ if (ERROR_SUCCESS == RegQueryValueExW(hKey, L"LogOnly", NULL, NULL, (LPBYTE)&dwLoggingOnly, &cbDataLO))
+ {
+ if (dwLoggingOnly > 0)
+ {
+ g_fLogOnly = TRUE;
+ }
+ }
 RegCloseKey(hKey);
 }
 
@@ -418,7 +430,12 @@ int wmain(int argc, WCHAR* argv[]) {
 (bPowerShell && bEncodedCommand)) { // powershell.exe
 LPCWSTR lpMessage = sCommandLine.c_str();
- StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n", lpMessage);
+ if (!g_fLogOnly) {
+ StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n", lpMessage);
+ }
+ else {
+ StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n(simulation mode)", lpMessage);
+ }
 WriteEventLogEntryWithId((LPWSTR)wMessage, RACCINE_EVENTID_MALICIOUS_ACTIVITY);
 // Collect PIDs to kill
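Review bot: The LogOnly read in the third hunk (`@@ -397,11 +400,20 @@`) passes NULL for lpType to RegQueryValueExW, so the value's type is never checked: a REG_SZ or REG_BINARY value of at most four bytes is copied into dwLoggingOnly and compared as a number, while any value longer than four bytes returns ERROR_MORE_DATA and silently leaves g_fLogOnly FALSE. `RegGetValueW(hKey, NULL, L"LogOnly", RRF_RT_REG_DWORD, NULL, &dwLoggingOnly, &cbDataLO)` asks for a DWORD and rejects anything else, and the Logging read three lines above has the same gap. The same hunk also changes the Logging test from `> 1` to `> 0`, which turns on event-log output for existing installs that set Logging=1 and previously got none; that is a behaviour change worth a line in the README changelog, which currently mentions only simulation mode. wmain continues outside these hunks.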
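Review bot: In the fourth hunk (`@@ -418,7 +430,12 @@`) the simulation marker is appended after the message's trailing newline and the event is still raised with RACCINE_EVENTID_MALICIOUS_ACTIVITY, so the log review the README hunk describes (run for a week, then check what would have been blocked) cannot filter simulated hits by event id and only finds "(simulation mode)" at the end of a multi-line message. Putting the marker on the first line, `L"Raccine detected malicious activity (simulation mode):\n%s\n"`, makes it visible in the event summary, and selecting one format string by g_fLogOnly collapses the two StringCchPrintf calls into one; a dedicated event id for the simulated path would make the filter exact.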
@@ -441,13 +458,20 @@ int wmain(int argc, WCHAR* argv[]) {
 // Loop over collected PIDs and try to kill the processes
 for (uint8_t i = c; i > 0; --i) {
- wprintf(L"Kill PID %d\n", pids[i - 1]);
- killprocess(pids[i - 1], 1);
- sListLogs.append(logFormat(pids[i - 1], sCommandLine, L"Terminated"));
+ if (!g_fLogOnly) {
+ wprintf(L"Kill PID %d\n", pids[i - 1]);
+ killprocess(pids[i - 1], 1);
+ sListLogs.append(logFormat(pids[i - 1], sCommandLine, L"Terminated"));
+ }
+ else {
+ // Simulated kill
+ wprintf(L"Simulated Kill PID %d\n", pids[i - 1]);
+ sListLogs.append(logFormat(pids[i - 1], sCommandLine, L"Terminated (Simulated)"));
+ }
 }
 logSend(sListLogs);
- wprintf(L"\nRaccine v0.9.0 finished\n");
+ wprintf(L"\nRaccine v0.10.0 finished\n");
 Sleep(5000);
 }
 //
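Review bot: The two branches of the kill loop differ only in whether killprocess runs and in two strings, so the else branch duplicates the wprintf/append pair; a single path reads more clearly: `LPCWSTR lpStatus = g_fLogOnly ? L"Terminated (Simulated)" : L"Terminated";` then `if (!g_fLogOnly) { killprocess(pids[i - 1], 1); }` followed by the one wprintf and one append using lpStatus. Separately, the status text "Terminated (Simulated)" still matches any log consumer that keys on the word Terminated, so a week of simulation-mode entries would count as real kills to such a filter; a status that does not contain that word (for example "Simulated") keeps the two outcomes distinguishable. wmain continues outside the hunk.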