Commit

Merge branch 'main' of https://github.com/Neo23x0/Raccine into main
Neo23x0 committed Oct 17, 2020
2 parents e246bfa + beef730 commit 01a071d
Showing 4 changed files with 117 additions and 61 deletions.
79 changes: 25 additions & 54 deletions README.md
Expand Up @@ -46,6 +46,8 @@ Malicious combinations:
- `recoveryenabled` (bcedit)
- `ignoreallfailures` (bcedit)

Powershell list of encoded commands: `JAB`, `SQBFAF`, `SQBuAH`, `SUVYI`, `cwBhA`, `aWV4I`, `aQBlAHgA`

## Warning !!!

USE IT AT YOUR OWN RISK!
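Review bot: the new `Powershell list of encoded commands` line is a bare list of strings with no explanation of what they are or how they are applied (substring or prefix match, case sensitivity, and how a hit combines with the other PowerShell conditions). A sentence stating that these are Base64 fragments of common PowerShell tokens as they appear in `-EncodedCommand` payloads, plus the matching rule, would let administrators judge the false-positive risk for their own encoded scripts. The surrounding context lines also spell `bcedit`, which should be `bcdedit`.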
Expand All @@ -72,6 +74,7 @@ If you have a solid security monitoring that logs all process executions, you co
- 0.7.1 - Improvements by @JohnLaTwC
- 0.7.2 - Using abolsute paths in registry patches
- 0.8.0 - Creates a log file with all intercepted requests and actions performed `C:\ProgramData\Raccine_log.txt`
- 0.9.0 - Logs to Windows Eventlog by @JohnLaTwC

## Installation

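Review bot: the `0.9.0` changelog entry says Raccine now logs to the Windows Eventlog, but in this same commit that logging is opt-in (it requires the `eventcreate.exe` registration and `HKCU\Software\Raccine\Logging` set to `2`, as shown in the Installation section); the entry should say so, otherwise readers will expect events that never appear. The context line above also has a typo, `abolsute` for `absolute`.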
Expand All @@ -83,38 +86,41 @@ If you have a solid security monitoring that logs all process executions, you co

![Windows Batch Installer](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/batch-installer.png)

The batch installer includes an "uninstall" option.

### Manual

1. Apply Registry Patch `raccine-reg-patch-vssadmin.reg` to intercept invocations of `vssadmin.exe`
2. Place `Raccine.exe` from the [release section](https://github.com/Neo23x0/Raccine/releases/) in the `PATH`, e.g. into `C:\Windows`

(For i386 architecture systems use `Raccine_x86.exe` and rename it to `Raccine.exe`)

### Wmic Addon (Optional)

About 10-30% of Ransomware samples use `wmic` to delete the local shadowcopies. However, `wmic` is used for administrative activity far more often than `vssadmin`. The output of wmic often gets processed by automated scripts. It is unknown how a proxied execution through Raccine affects these scripts and programs. We've removed all outputs for cases in which no malicious parameter combination gets detected, but who knows?

3. Apply the `raccine-reg-patch-wmic.reg` patch to intercept invocations of `wmic.exe`

![Kill Run](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/screen5.png)

### Wbadmin Addon (Optional)

Ransomware [often](https://www.google.com/search?q=%22wbadmin+delete+catalog+-quiet%22) uses the command `wbadmin delete catalog -quiet` to delete the backup catalog of the local computer.
2. Apply all other registry patches of applications that you'd like to intercept
3. Place `Raccine.exe` from the [release section](https://github.com/Neo23x0/Raccine/releases/) into `C:\Windows`
4. Run the following command to register Raccine as Eventlog source and set logging to enabled

```bat
eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message"
eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message"
REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
```

4. Apply the `raccine-reg-patch-wbadmin.reg` patch to intercept invocations of `wbadmin.exe`
(For systems with i386 architecture use `Raccine_x86.exe` and rename it to `Raccine.exe`)

## Uninstall
## Manual Uninstall

1. Run `raccine-reg-patch-uninstall.reg`
2. Remove `Raccine.exe` (optional)
2. Remove `Raccine.exe` from the `C:\Windows` folder
3. Run `REG.EXE DELETE HKCU\Software\Raccine /F`

## Logfile

A logfile with all interceptions and actions taken is written to `C:\ProgramData\Raccine_log.txt`

![Log File](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/logfile.png)

## Windows Eventlog

An entry is generated by every blocking event in the `Application` eventlog.

![Eventlog](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/eventlog2.png)

## Screenshot

Run `raccine.exe` and watch the parent process tree die (screenshot of v0.1)
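Review bot: step 4 of the manual installation runs `eventcreate.exe` and `REG.EXE ADD` without saying that the `eventcreate.exe` registration must be run from an elevated prompt (the doc comment added to `raccine.cpp` in this commit says `As admin:`), and without mentioning that each `eventcreate.exe` call writes a literal `Raccine event message` entry into the Application log at install time, which may confuse anyone reviewing the log later. It is also worth stating that `Logging` lives under `HKCU`, so it enables event logging only for the account that ran the commands. Minor wording: `An entry is generated by every blocking event in the Application eventlog` reads better as `An entry is written to the Application eventlog for every blocking event`.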
Expand All @@ -129,41 +135,6 @@ In case that the Ransomware that your're currently handling uses a certain proce

I'd like to extend Raccine but lack the C++ coding skills, especially o the Windows platform.

### ~~1. Allow Certain Vssadmin Executions~~

***implemented by Ollie Whitehouse in v0.2.0***

Since Raccine is registered as a debugger for `vssadmin.exe` the actual command line that starts raccine.exe looks like

```bash
raccine.exe vssadmin.exe ... [params]
```

![raccine as debugger](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/screen3.png)

If we were able to process the command line options and apply filters to them, we could provide the following features:

- Only block the execution in cases in which the parameters contains `delete shadows`
- Allow all other executions by passing the original parameters to a newly created process of `vssadmin.exe` (transparent pass-through)

### 2. Whitelist Certain Parents

We could provide a config file that contains white-listed parents for `vssadmin.exe`. If such a parent is detected, it would also pass the parameters to a new process and skip killing the process tree.

### 3. Create Shim Instead of Image File Execution Options Hack

The solution is outlined in this [tweet](https://twitter.com/cyb3rops/status/1312982510746374144?s=20) and related [talk](https://www.youtube.com/watch?v=LOsesi3QkXY&feature=youtu.be).

![raccine as debugger](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/screen-tweet1.png)

## FAQs

### Why did it even kill explorer.exe during its run?

Since malware tends to inject into `explorer.exe`, we thought it would be a good idea to kill even `explorer.exe` in order to avoid malicious code performing other operations on the system. What happens in real world examples is that a user that executed the Ransomware process would loose its windows task bar and desktop, while other programs like Microsoft Word or Outlook would still be running and the user would be able to save his work and close the respective programs before calling the helpdesk or simpy reboot the system. An expericend user could bring up task manager using `CTRL+ALT+Del` and start a new `explorer.exe` or just log off.

![raccine as debugger](https://raw.githubusercontent.com/Neo23x0/Raccine/main/images/screen-explorer-injection.png)

## Other Info

The right pronounciation is "Rax-Een".
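Review bot: this hunk drops the `Allow Certain Vssadmin Executions`, `Whitelist Certain Parents` and `Create Shim` ideas together with the whole FAQ section, including the explanation of why `explorer.exe` is killed, without any pointer to where that material now lives. If it moved to a wiki or a separate file, link it here; if not, the `explorer.exe` FAQ in particular is the question users will keep asking. The remaining context lines still carry `your're` and `especially o the Windows platform` (missing `n`).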
Expand All @@ -173,5 +144,5 @@ The right pronounciation is "Rax-Een".
- Florian Roth [@cyb3rops](https://twitter.com/cyb3rops)
- Ollie Whitehouse [@ollieatnccgroup](https://twitter.com/ollieatnccgroup)
- John Lambert [@JohnLaTwC](https://twitter.com/JohnLaTwC)
- Hilko Bengen [@_hillu_](https://twitter.com/_hillu_)
- Branislav Đalić [@LordOfThePies4](https://twitter.com/LordOfThePies4)
- Hilko Bengen [@_hillu_](https://twitter.com/_hillu_)
Binary file added images/eventlog2.png
14 changes: 12 additions & 2 deletions install-raccine.bat
Expand Up @@ -59,8 +59,8 @@ ECHO ----------------------------------------------------------
ECHO WARNING! Raccine could break your backup solution
ECHO ..........................................................
ECHO.
ECHO 1 - Install Raccine for all possible methods (radical)
ECHO 2 - Install Raccine for Vssadmin and BcdEdit only (relatively safe)
ECHO 1 - Install Raccine for all possible methods (full)
ECHO 2 - Install Raccine for Vssadmin and BcdEdit only (soft)
ECHO 3 - Uninstall Raccine
ECHO E - EXIT
ECHO.
Expand All @@ -87,6 +87,10 @@ REGEDIT.EXE /S raccine-reg-patch-wmic.reg
REGEDIT.EXE /S raccine-reg-patch-wbadmin.reg
REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
REGEDIT.EXE /S raccine-reg-patch-powershell.reg
ECHO Registering Eventlog Events
eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
ECHO Copying Raccine%ARCH%.exe to C:\Windows\Raccine.exe ...
COPY Raccine%ARCH%.exe C:\Windows\Raccine.exe
IF '%errorlevel%' NEQ '0' (
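Review bot: both `eventcreate.exe` calls redirect stderr to `nul`, so when registration fails (for example because the installer is not elevated) the user sees nothing and only later wonders why no events appear; drop `2> nul` or check `%errorlevel%` the way the `COPY` step below does. The `REG.EXE ADD HKCU\Software\Raccine` line writes to the hive of the installing account only, so the switch is not seen when Raccine runs under another user; an `HKLM` location, read accordingly in `raccine.cpp`, would make it global. The same four lines are pasted again in the `soft` install path, so a `:RegisterEventLog` label invoked with `CALL` would keep them in one place.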
Expand All @@ -108,6 +112,10 @@ IF '%errorlevel%' NEQ '0' (
GOTO MENU
)
REGEDIT.EXE /S raccine-reg-patch-bcdedit.reg
ECHO Registering Eventlog Events
eventcreate.exe /L Application /T Information /id 1 /so Raccine /d "Raccine event message" 2> nul
eventcreate.exe /L Application /T Information /id 2 /so Raccine /d "Raccine event message" 2> nul
REG.EXE ADD HKCU\Software\Raccine /v Logging /t REG_DWORD /d 2 /F
ECHO Copying Raccine%ARCH%.exe to C:\Windows\Raccine.exe ...
COPY Raccine%ARCH%.exe C:\Windows\Raccine.exe
IF '%errorlevel%' NEQ '0' (
Expand All @@ -124,6 +132,8 @@ GOTO MENU
ECHO.
ECHO Uninstalling Registry patch ...
REGEDIT.EXE /S raccine-reg-patch-uninstall.reg
ECHO Removing Registry key ...
REG.EXE DELETE HKCU\Software\Raccine /F
ECHO Removing Raccine.exe from the Windows folder ...
DEL /Q C:\Windows\Raccine.exe
IF '%errorlevel%' NEQ '0' (
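Review bot: `REG.EXE DELETE HKCU\Software\Raccine /F` removes the logging switch only from the current user's hive, and the `Raccine` event source that the `eventcreate.exe` calls registered during installation is not removed at all, so uninstall leaves that registration behind; either document this or remove the source here as well. Unlike the `DEL` right after it, this line also has no `%errorlevel%` check, so a failed delete goes unnoticed.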
85 changes: 80 additions & 5 deletions raccine.cpp
Expand Up @@ -2,8 +2,8 @@
// A Simple Ransomware Vaccine
// https://github.com/Neo23x0/Raccine
//
// Florian Roth, Ollie Whitehouse
// with help of John Lambert and Hilko Bengen
// Florian Roth, Ollie Whitehouse, Branislav Dalic, John Lambert
// with help of Hilko Bengen

#include <wchar.h>
#include <windows.h>
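Review bot: the author line spells the new contributor `Branislav Dalic` while the README credits list in this same commit has `Branislav Đalić`; use one spelling in both places.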
Expand All @@ -20,9 +20,62 @@
#include <ctime>
#include <iomanip>
#include <sstream>
#include <strsafe.h>

#pragma comment(lib,"advapi32.lib")

BOOL g_fLogToEventLog = FALSE;
#define RACCINE_REG_CONFIG L"SOFTWARE\\Raccine"
#define MAX_MESSAGE 1000

#define RACCINE_DEFAULT_EVENTID 1
#define RACCINE_EVENTID_MALICIOUS_ACTIVITY 2

/// This function will optionally log messages to the eventlog
/// To enable viewing in the eventlog run this command to create the message IDs for Raccine
/// As admin:
/// eventcreate.exe / L Application / T Information / id 1 / so Raccine / d "Raccine event message"
/// eventcreate.exe / L Application / T Information / id 2 / so Raccine / d "Raccine event message"
///
/// To configure event logging, set this registry key to 2
/// REG.EXE ADD HKCU\Software\Raccine / v Logging / t REG_DWORD / d 2
void WriteEventLogEntryWithId(LPWSTR pszMessage, DWORD dwEventId)
{
if (g_fLogToEventLog)
{
HANDLE hEventSource = NULL;
LPCWSTR lpszStrings[2] = { NULL, NULL };

hEventSource = RegisterEventSource(NULL, L"Raccine");
if (hEventSource)
{
lpszStrings[0] = pszMessage;
lpszStrings[1] = NULL;


ReportEvent(hEventSource, // Event log handle
EVENTLOG_INFORMATION_TYPE, // Event type
0, // Event category
dwEventId, // Event identifier
NULL, // No security identifier
1, // Size of lpszStrings array
0, // No binary data
lpszStrings, // Array of strings
NULL // No binary data
);

DeregisterEventSource(hEventSource);
}
}
// always print the message to the console
wprintf(pszMessage);
}

void WriteEventLogEntry(LPWSTR pszMessage)
{
WriteEventLogEntryWithId(pszMessage, RACCINE_DEFAULT_EVENTID);
}

DWORD getppid(DWORD pid) {
PROCESSENTRY32 pe32;
HANDLE hSnapshot;
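Review bot: `wprintf(pszMessage);` passes the message itself as the format string, and the caller builds that message from the intercepted command line (`StringCchPrintf(wMessage, ..., L"Raccine detected malicious activity:\n%s\n", lpMessage)`), so any `%` sequence in the arguments of the process being intercepted is interpreted by `wprintf`; write `wprintf(L"%s", pszMessage);` instead. The doc comment renders the setup commands as `eventcreate.exe / L Application / T Information / id 1 ...` with a space after every slash, which fails when copied and pasted; they should read `/L`, `/T`, `/id`, `/so`, `/d`, and likewise `/v`, `/t`, `/d` for `REG.EXE ADD`. `pszMessage` is never modified and could be `LPCWSTR`, which would also remove the `(LPWSTR)` cast at the call site. Minor: double blank line before `ReportEvent`.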
Expand Down Expand Up @@ -203,7 +256,9 @@ std::wstring logFormat(int pid, const std::wstring cmdLine, const std::wstring c
void logSend(const std::wstring logStr) {
static FILE* logFile = 0;
if (logFile == 0) {
#pragma warning(suppress : 4996)
logFile = fopen("C:\\ProgramData\\Raccine_log.txt", "at");
#pragma warning(suppress : 4996)
if (!logFile) logFile = fopen("C:\\ProgramData\\Raccine_log.txt", "wt");
if (!logFile) {
wprintf(L"\nCan not open C:\\ProgramData\\Raccine_log.txt for writing.\n");
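Review bot: rather than suppressing C4996 on two consecutive lines, `fopen_s` (or `_wfopen_s`, since the rest of the file works with wide strings) gives the same behaviour without the pragmas. The fallback open with `"wt"` is also redundant: `"at"` already creates the file when it does not exist, so the second attempt only masks the real reason the first one failed; a single open followed by an error message that includes `errno` would be clearer. Minor: `Can not` should be `cannot`.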
Expand Down Expand Up @@ -249,6 +304,8 @@ int wmain(int argc, WCHAR* argv[]) {
std::wstring sCommandLine = L"";

std::wstring sListLogs(L"");
WCHAR wMessage[MAX_MESSAGE] = { 0 };


for (int i = 1; i < argc; i++) sCommandLine.append(std::wstring(argv[i]).append(L" "));

Expand Down Expand Up @@ -331,7 +388,23 @@ int wmain(int argc, WCHAR* argv[]) {
}
}
}


// Query for logging level. A value of 1 or more indicates to log key events to the event log
HKEY hKey = NULL;
if (ERROR_SUCCESS == RegOpenKeyEx(HKEY_CURRENT_USER, RACCINE_REG_CONFIG, 0, KEY_READ, &hKey))
{
DWORD dwLoggingLevel = 0;
DWORD cbData = sizeof(dwLoggingLevel);
if (ERROR_SUCCESS == RegQueryValueExW(hKey, L"Logging", NULL, NULL, (LPBYTE)&dwLoggingLevel, &cbData))
{
if (dwLoggingLevel > 1)
{
g_fLogToEventLog = TRUE;
}
}
RegCloseKey(hKey);
}

// OK this is not want we want
// we want to kill the process responsible
if ((bVssadmin && bDelete && bShadow) || // vssadmin.exe
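Review bot: the comment says `A value of 1 or more indicates to log key events to the event log`, but the code only sets `g_fLogToEventLog` when `dwLoggingLevel > 1`, matching the `/d 2` in the README and installer; make the comment and the condition agree (either `>= 1` or reword the comment to say `2 or more`). The key is read from `HKEY_CURRENT_USER`, so whether an interception is logged depends on the hive of the account the intercepted process runs under, not on the administrator who installed Raccine; reading the value from `HKEY_LOCAL_MACHINE` would make the setting apply system-wide.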
Expand All @@ -344,7 +417,9 @@ int wmain(int argc, WCHAR* argv[]) {
(bPowerShell && bwin32ShadowCopy) || // powershell.exe
(bPowerShell && bEncodedCommand)) { // powershell.exe

wprintf(L"Raccine detected malicious activity\n");
LPCWSTR lpMessage = sCommandLine.c_str();
StringCchPrintf(wMessage, ARRAYSIZE(wMessage), L"Raccine detected malicious activity:\n%s\n", lpMessage);
WriteEventLogEntryWithId((LPWSTR)wMessage, RACCINE_EVENTID_MALICIOUS_ACTIVITY);

// Collect PIDs to kill
while (c < 1024) {
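Review bot: `StringCchPrintf` into the fixed `MAX_MESSAGE` (1000 `WCHAR`) buffer truncates the command line silently, and its return value is ignored; PowerShell `-EncodedCommand` payloads, which the condition right above is meant to catch, routinely exceed that length, so the event log entry would lose exactly the part an analyst needs. Either size the buffer from `sCommandLine.length()` or check for `STRSAFE_E_INSUFFICIENT_BUFFER` and append a marker that the line was cut.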
Expand Down Expand Up @@ -372,7 +447,7 @@ int wmain(int argc, WCHAR* argv[]) {
}

logSend(sListLogs);
wprintf(L"\nRaccine v0.8.0 finished\n");
wprintf(L"\nRaccine v0.9.0 finished\n");
Sleep(5000);
}
//
