diff --git a/HASHES.txt b/HASHES.txt
index e3074e1..5a5ae48 100644
--- a/HASHES.txt
+++ b/HASHES.txt
@@ -15,14 +15,17 @@ da10d733a8628d518a9931693761f02645eb63d8278d08d9df7f8c1d7e53108f *scanner/consol
 39a2ad0f9e0335c821fc65d6f365c13305fc9da5a6b1115c5bfc48fdd97407b4 *scanner/console-rig-audit.ps1
 0b680b000ecc2b500bbde276aadac5a850a8dcbc11c8990f52a96e21a11b22a1 *scanner/console-run-check.bat
 065ef704012b8c3f410916e702165dc1fd197d586d852fc8473af735273b0d0b *scanner/console-setup-checklist.html
-f023d3250bd536023ac13d86476bd30ad7b058d519e70d893a1df988ab204889 *scanner/forensic-common.ps1
+eae7ddba680a1791472ef554dfe64a4be0158da3c94e6df22bdc8f569dca9738 *scanner/forensic-common.ps1
 605d6daec37ba3f170c9f703634e78567271f2762e9812626f7c9a897eb52d7f *scanner/forensic-scan.ps1
-671c81e911af316569e92ce162cfee0bb5efaff9c8096942c9b7c102aa809f40 *scanner/generate-visual-companion-console.ps1
-659db814bc9ee87bda9506fa613780bc8e6da3a487866e040d46c8bac59fd957 *scanner/generate-visual-companion.ps1
+d751ba1df46dad9379f88a4aa92cefbf580cf31ec0bc4e554964c7afb43ffc0b *scanner/generate-visual-companion-console.ps1
+afbffe792aa48d6f5a560c23f335ee6426e12c2548fb42579c70ae6c0f47d8e6 *scanner/generate-visual-companion.ps1
 c8facb1b05abed76952cc329cc06db3fd11e34f75c68057bad69c966f2ac45ae *scanner/one-page-guide.html
 4eb22872d1f12906902ecada273417e120180716d42cede4dffcb48162375fe7 *scanner/run-check.bat
 7772e751a53e65606655a8883777613c74ceed2a7e3d29892dfdc3c6b8a5b815 *scanner/top-bin-explainer-offline.html
 bea5014e7990755b1876742bea7c579529cf2633dfae0facecfb09149c743302 *scanner/top-bin-explainer.html
+f53a26a907bef93be8a721d255819bd2edd03afcc3bb761e42b2c9697d829244 *scanner/visual-companion-common.ps1
+f3e79c3acd09342608c7d37e78d04cad7577edf4bdae7d7bfc9e5908872c707a *scanner/visual_scripts.js
+7af488a7bce339a492b149cc724eb33abbc35d97ca9dd18cd650ec6aede58e68 *scanner/visual_styles.css
 
 # --- python/src/alibi/ — Python parity port ---
 1c57cb4a841030054b9b8300e34df3e9ab573b221efa3a0d981ca92d723cc448 *python/src/alibi/__init__.py
@@ -35,15 +38,13 @@ a3dd1cbe57328f88786b644d3a2f9b7bce8fd7bc0a0e7b9a2cf5e4285f58116f *python/src/ali
 ac1b06f133c635435dc933adf66094c0788d0cb93e59c355a984b44ba7ab562d *python/src/alibi/recency.py
 1ddde68d31bfe85bcf2a975978cc4a1789e103f93039fa8d6cdf33755c3b98f3 *python/src/alibi/reg.py
 b87dbf5c0382643b4a8cdeb68865ca2c253a858244f54514960a482489a54145 *python/src/alibi/reports.py
-fbd30e9eb59528398619fee519292bf81c6b2b7f867d2d2301b6e295207cc27c *python/src/alibi/scanners.py
+1ed8b536cbc37bb5ca5d713cb77f7a068b909730c0751b762119580ad82bca94 *python/src/alibi/scanners.py
 a13e61f66e80d05984b505442afd1a17f7a45d578cffc94c9d4b9a05ca76b85c *python/src/alibi/snapshots.py
-af892863f0c936218ffd7690e0dcf2017a60a4ddc083551c06be84f9633e2f44 *python/src/alibi/utils.py
-04e76640a682683beb4dae5ec81b855adc2c76e3c1b386984f1f0bab34be59d2 *python/src/alibi/visual_companion.py
-f3e79c3acd09342608c7d37e78d04cad7577edf4bdae7d7bfc9e5908872c707a *python/src/alibi/visual_scripts.js
-8bc13ff80f42ca99462203ccf28cf2453d880f1d635ad9d0fb64f6cfc3704e9b *python/src/alibi/visual_styles.css
+576c2e27ba4e70c3eedad6020d48d1d5a45dcd14fbdfb54b3212ba01bcf0dd93 *python/src/alibi/utils.py
+ee99a784feae23033ca496247ec772e1332bfdb36d0b31e2d6bf390e26f3c9f2 *python/src/alibi/visual_companion.py
 
 # --- repo-root attestation files ---
-b278d8249a12ac4ae8d73f82b4782a0c37203b3b214da1258e01e8fc834b1b8c *README.md
-8cc93207410fb81ed6b7bdcf6ffb2c0cec7aed1469fd276bf7a1252b781f8aa3 *SECURITY.md
+bf0cf7f07367a8062ab175cb789d69d7c30665628c621c8a4702a796dd9c7f1a *README.md
+e5e8b9a6d947a103c669abf6646a1840d234c9188c8ee77ac2912105d464eb3c *SECURITY.md
 08cc5d577a2e8eafc5887c65b712c90746df4f47e4dfa8dec48af4d8436b06d6 *LICENSE
 71f3f4179a8337ef32bc8bc6feddf63afeda3d2a03ab3a2eda97ac205e1f3e6f *docs/for-reviewers.md
diff --git a/README.md b/README.md
index 010c822..a245315 100644
--- a/README.md
+++ b/README.md
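Review bot: The `scanner/visual_styles.css` entry added in the first hunk carries `7af488a7…`, which does not match the `8bc13ff8…` removed here for `python/src/alibi/visual_styles.css`, whereas `visual_scripts.js` keeps `f3e79c3a…` on both sides; the NEXT_SESSION.md hunk in this same commit records both files as simply moved to `scanner/`. Because README and SECURITY.md point reviewers at this manifest as the integrity check, a content change riding along with a "move" is exactly the kind of thing a reader auditing the history would want called out rather than having to discover it by comparing hashes. Whether the CSS change is intentional cannot be told from the diff alone; if it is, a one-line comment next to the scanner entries (the file already uses `# ---` comment lines) such as `# visual_styles.css changed content when moved from python/src/alibi/` keeps the manifest's story consistent with the handoff note.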
@@ -26,7 +26,6 @@ Author: **Bread** — Activision ID `Bread#3266221`, GitHub [@Sutaigne](https://
 ├── scanner/ ← the .ps1 scanner files (the engine)
 ├── python/ ← Python parity port (alternative implementation)
 ├── docs/ ← reviewer guide, dev history, design source
-├── archive/ ← old builds, kept for provenance
 ├── README.md / SECURITY.md / HASHES.txt / LICENSE
 ```
 
@@ -51,6 +50,25 @@ alibi-rig
 
 Python 3.10+ required. Pure stdlib (except an opt-in `urllib` call to [loldrivers.io](https://www.loldrivers.io) for BYOVD detection).
 
+## If the download is blocked as a virus
+
+`alibi` is an anti-cheat *scanner*, so by design it ships the very patterns antivirus hunts for: a plaintext list of cheat-brand names (`aimbot`, `wallhack`, `pcileech`, …) and the literal attack-command strings it looks for on a suspect machine (e.g. `iex (new-object net.webclient`). SmartScreen and some AV engines score those bytes — on a brand-new, unsigned, low-download-count file — as "suspicious," even though every file is plain, readable source. **This is a known false positive, not a real infection.** You can confirm that yourself: every shipped file's SHA256 is in [`HASHES.txt`](./HASHES.txt), and uploading the ZIP to [VirusTotal](https://www.virustotal.com) shows it clean across ~70 engines.
+
+Two separate things you may hit, and the fix for each:
+
+**1. "Virus detected" — the browser refuses to download.** This is SmartScreen reputation, not a confirmed threat. In Edge/Chrome: open the browser's **Downloads** list → the blocked item → **Keep** (Edge: ⋯ → *Keep* → *Keep anyway*). Then verify against `HASHES.txt`.
+
+**2. "Access to the compressed (zipped) folder is denied" when extracting.** This is the *Mark of the Web* — Windows tags every internet download, and the built-in extractor then refuses. It is unrelated to any virus, and affects clean downloads too. Remove the tag in one line:
+
+```powershell
+Unblock-File .\alibi-main.zip # strip the internet tag
+Expand-Archive .\alibi-main.zip # now extracts cleanly
+```
+
+Or: right-click the ZIP → **Properties** → tick **Unblock** → **OK**, then extract. (7-Zip ignores the tag entirely.)
+
+The full explanation — why a defensive tool trips antivirus, how to report the false positive to Microsoft, and what we do (and deliberately don't do) to reduce it — is in [`SECURITY.md`](./SECURITY.md#antivirus--smartscreen-false-positives).
+
 ## What it detects
 
 - **22 scanners** across Prefetch, BAM, MUICache, USB history, ShimCache, services, drivers, downloads, recent files, AppData, user-folder script content, lua scripts, obscured filenames, process modules, DLL injection event timeline, network attack tools, AI-vision aimbot constellation, known hashes, DMA build artifacts, application data dirs.
@@ -84,7 +102,7 @@ The `_visual.html` files are fully self-contained (inline CSS + JS, no external
 This kit's whole value is being readable by a reviewer who has no reason to trust the author. Therefore:
 
 - All source is plain `.ps1` / `.py` / `.css` / `.js` / `.html`. Nothing is minified, compiled, or obfuscated.
-- No binaries are shipped (the historical zips in `archive/` are PowerShell source).
+- No binaries are shipped, and no opaque archives — version history lives in git, not in committed ZIPs.
 - No external dependencies at runtime beyond Python 3.10+ stdlib (Python port) or the PowerShell that ships with Windows.
 - No telemetry, no analytics, no tracking.
 - Exactly one outbound network call (LOLDrivers BYOVD cross-reference) exists, prompts the user with Y/N before running, skipped by default with `-SkipLOLDrivers` / `--skip-loldrivers`, and is explicitly disclosed in every report.
diff --git a/SECURITY.md b/SECURITY.md
index a5251e5..b160e71 100644
--- a/SECURITY.md
+++ b/SECURITY.md
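Review bot: Step 1 of the new "If the download is blocked" section ends with `Then verify against HASHES.txt`, but the only `HASHES.txt` a ZIP downloader has in hand is the one inside that same ZIP, generated from the same files — a match proves the archive is intact, not that it is the archive the maintainer published. The same wording recurs in the SECURITY.md hunk (`**Hashes.** … Compare what you received against it.` and the "For people downloading the kit" bullet), so the note applies there as well. Since the commit also keeps the no-Authenticode stance, the manifest is unsigned and the real trust anchor is the repository copy served by GitHub over HTTPS; suggest saying so, e.g. `compare against the HASHES.txt shown on github.com for the same commit or tag, not the copy inside the ZIP`. A sentence on how `HASHES.txt` itself is to be trusted (the commit it was generated from, visible in git history) would close the loop for the reviewer audience the README is written for.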
@@ -39,6 +39,39 @@ This routes the report directly to the maintainers and gives you a private chann
 
 **Acceptable also:** open a public issue if and only if the report does not include active-evasion specifics (e.g. "PowerShell-encoded payload format that slips past `$ScriptContent_HighRisk`") that would help cheaters more than it would help defenders. When in doubt, use private reporting.
 
+## Antivirus / SmartScreen false positives
+
+A forensic anti-cheat scanner is, byte-for-byte, hard to tell apart from the things it hunts. `alibi` deliberately contains:
+
+- a plaintext database of cheat-brand, spoofer, and DMA-hardware names (`keywords.py`, `forensic-common.ps1`);
+- the literal high-risk command strings it scans a suspect machine for — e.g. `powershell -encodedcommand`, `iex (new-object net.webclient`, driver-signing-bypass flags (`forensic-common.ps1`);
+- `.bat` launchers that self-elevate (`-Verb RunAs`) and run unsigned PowerShell (`-ExecutionPolicy Bypass`), because a downloaded, unsigned script won't run otherwise.
+
+Signature and heuristic engines — and especially **SmartScreen reputation**, which blocks *new, unsigned, rarely-downloaded* files regardless of content — score those exactly as they'd score the real thing. The result is a false positive at download or extract time.
+
+The detection you're most likely to see is **`Trojan:Script/Wacatac.B!ml`** on the GitHub ZIP download. The `!ml` suffix means it's a cloud machine-learning verdict, not a confirmed signature — `Wacatac.B!ml` is a well-known generic ML false positive that fires on many legitimate scripts and tools. An offline Defender signature scan of the same files returns clean, which is the tell. This false positive has been reported to Microsoft for reclassification.
+
+None of it is an infection, and you can prove that:
+
+- **Hashes.** Every shipped file's SHA256 is in [`HASHES.txt`](./HASHES.txt). Compare what you received against it.
+- **VirusTotal.** Upload the ZIP to [virustotal.com](https://www.virustotal.com) for a ~70-engine second opinion.
+- **The source.** Everything is plain text. The "suspicious" strings are detection signatures, sitting in readable arrays you can audit line by line.
+
+### For people downloading the kit
+
+- **Browser says "Virus detected" / blocks the download.** Override it in the browser's Downloads list (Edge: ⋯ → *Keep* → *Keep anyway*; Chrome: *Keep*), then verify against `HASHES.txt`.
+- **"Access to the compressed (zipped) folder is denied" on extract.** That's the *Mark of the Web*, not a virus — Windows tags all internet downloads (see [Microsoft's Attachment Manager note](https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738)). Clear it with `Unblock-File .\alibi-main.zip` (or right-click the ZIP → Properties → **Unblock**), then extract. 7-Zip ignores the tag entirely.
+
+### What we do about it
+
+- **Report false positives to the vendor.** A confirmed false positive should be submitted to Microsoft at the [Defender Security Intelligence portal](https://www.microsoft.com/en-us/wdsi/filesubmission) (mark *"I believe this file is clean"* and note it's an open-source defensive forensic tool). A reclassification there clears the verdict for everyone. If you hit a block on another vendor's engine, tell us via private reporting and we'll submit it there too.
+- **Keep the trigger surface minimal.** We don't commit redundant ZIP archives or compiled blobs; the only thing in the repo is the readable source the tool needs to run.
+
+### What we deliberately don't do
+
+- **We don't obfuscate or encode the keyword database to dodge antivirus.** Runtime-decoded string blobs read as *more* malicious to heuristics, not less — and unreadable detection logic would break the kit's whole "read every line" trust model. The signatures stay in plaintext on purpose.
+- **We don't Authenticode-sign** (see [What we don't do](#what-we-dont-do)). Signing would raise download reputation, but it fights the same plain-source trust model. We trade that reputation cost for auditability and lean on hashes + VirusTotal + vendor submission instead.
+
 ## Disclosure timeline
 
 We aim for an initial response within 7 days of the report. Substantive fixes target the next minor release (typically within 2–4 weeks). Public disclosure happens after the fix ships, with credit to the reporter unless anonymity is requested.
@@ -46,7 +79,7 @@ We aim for an initial response within 7 days of the report. Substantive fixes ta
 ## What we don't do
 
 - **We don't sign Authenticode certificates.** This is a plain-source kit; binary signing fights the "read every line" trust model.
-- **We don't ship a binary that can't be audited.** Every file in the kit is plain `.ps1` / `.py` / `.html` / `.css` / `.js` / `.txt`. The `archive/` zips are historical PowerShell source, not compiled.
+- **We don't ship a binary that can't be audited.** Every file in the kit is plain `.ps1` / `.py` / `.html` / `.css` / `.js` / `.txt` — no compiled binaries, and no opaque archives. Version history lives in git, not in committed ZIPs.
 - **We don't run a bug bounty.** This is an open community kit, not a commercial product. Credit and a `CHANGELOG.md` entry are what we have to offer.
 
 ## Authors
diff --git a/archive/pc-forensic-check-05.22.2026.zip b/archive/pc-forensic-check-05.22.2026.zip
deleted file mode 100644
index 448ee92..0000000
Binary files a/archive/pc-forensic-check-05.22.2026.zip and /dev/null differ
diff --git a/archive/pc-forensic-check-5.22.2026.zip b/archive/pc-forensic-check-5.22.2026.zip
deleted file mode 100644
index 0c538ab..0000000
Binary files a/archive/pc-forensic-check-5.22.2026.zip and /dev/null differ
diff --git a/archive/pc-forensic-check.zip b/archive/pc-forensic-check.zip
deleted file mode 100644
index 9954bd9..0000000
Binary files a/archive/pc-forensic-check.zip and /dev/null differ
diff --git a/docs/NEXT_SESSION.md b/docs/NEXT_SESSION.md
index 347763e..ec03b3e 100644
--- a/docs/NEXT_SESSION.md
+++ b/docs/NEXT_SESSION.md
@@ -1,114 +1,191 @@ -# NEXT SESSION — open issues from 2026-05-26 +# NEXT SESSION — open items after v4.2.0 visual companion ship -This is a fresh-session pickup doc. Two real bugs surfaced at the very end of the previous session, while Brad was field-testing `v4.1.5`. **Read this first**, then `docs/handoff.md` for full project context, then the relevant source files. +Fresh-session pickup doc. The previous session (committed in `e8ec1f3`) +landed the v4.2.0 PowerShell visual-companion port to the dark-tactical +design, added the new **Activity by pattern** lifecycle section, fixed +several rendering bugs, and tightened scanner keyword matching to drop a +class of false positives. Two carryover issues from the v4.1.5 field +test remain — one of which (Issue 1) was deliberately deferred when Brad +chose to pursue Issue 2 first. -Repo: https://github.com/Sutaigne/alibi · current tag: `v4.1.5` +**Read this first**, then `docs/handoff.md` for project context, then +`git show e8ec1f3 --stat` to see exactly what shipped. ---- - -## Issue 1 — "It ran multiple scans" +Repo: https://github.com/Sutaigne/alibi · current tip: `e8ec1f3` (untagged) -**Symptom:** Brad double-clicked `Run scan.bat` (the unified launcher at repo root) and saw the kit run **more than the expected pair** of scans (PC mode + console-rig mode). Exact count unclear. +--- -**Possible causes (ranked by likelihood):** +## Issue 1 — "It ran multiple scans" (CLOSED 2026-05-26 — not a code bug) + +**Status:** Closed. Diagnosis below. + +**Diagnostic run on Brad's Desktop on 2026-05-26** produced two recent +launches: + +- **Run 1 (5/25 23:41 → 23:56):** PC #1 (23:41:54 → 23:47:42, 572 KB) + → Rig #1 (23:47:43 → 23:53:35, 577 KB) → PC #2 (23:51:34 → 23:56:27, + 567 KB). PC #2 started 9 min 40 s after Run 1 began, **during** Rig #1. +- **Run 2 (5/26 00:18 → 00:19):** 1 PC + 1 Rig, perfectly sequential. + Clean. + +**Why the three v4.1.5-bug hypotheses are all ruled out:** + +1. 
*Inline fall-through (parens / echo-block parser regression).* If the + non-admin parent had run inline alongside the elevated child, PC #2 + would start at ~23:41:54, not 23:51:34. +2. *Non-admin partial scan in the parent window.* PC #2 weighs 567 KB — + essentially identical to PC #1's 572 KB. That's a full elevated scan, + not a permission-denied stub. +3. *UAC self-elevation loop.* A loop wouldn't space launches 10 minutes + apart, and each iteration would need a UAC prompt the user couldn't + miss. + +**Actual cause:** A second `Run scan.bat` launch around 23:51:30. UAC +prompted again, was approved, and a fresh elevated copy started PC #2 in +parallel with the still-running Rig #1. Whether that second launch was +an accidental re-click *or* a deliberate impatient re-launch isn't +resolvable from the data alone, and the distinction matters less than +it sounds: both point at the same latent UX defect. + +The v4.1.5 echo regression hypothesis from the earlier handoff is +falsified by this data. `Run scan.bat` is structurally sound; the cmd +parser correctly balances `(takes ~1-3 minutes)` inside the if-block, +and the byte dump showed no hidden chars. + +**Latent UX defect to consider for a future iteration.** Phase 2 +(`console-rig-audit.ps1`) emits no progress output for ~5 minutes +during the LOLDrivers fetch + filesystem walks. To a user watching the +launcher window after Phase 1's flurry of activity, the window looks +dead. That's the condition under which a reasonable person re-launches +"just in case it stalled" — exactly the failure shape this issue +reports. Two cheap mitigations, either is sufficient: + +- Periodic dot/heartbeat output from the long-running scans + (`Write-Host -NoNewline '.'` every 5–10 s during slow sections), so + the window visibly isn't dead. +- A `Run scan.bat` lockfile guard: if another scan is already running, + show "a scan is already in progress in window " and exit instead + of starting a parallel scan. 
+ +Neither is blocking; both would prevent the only failure mode the field +test surfaced. Reopen if symptom recurs *and* matches a different +pattern (near-simultaneous launches, repeated UAC prompts, or PC #2 +weighing much less than PC #1). -1. **UAC self-elevation loop.** `Run scan.bat` checks `NET SESSION`, if non-admin it calls `powershell.exe ... Start-Process -FilePath '%~f0' -Verb RunAs` to spawn an elevated copy of itself, then `exit /b`. If the elevated copy somehow re-enters the elevation branch (e.g. `NET SESSION` failing intermittently inside the elevated process for some reason), it would re-spawn another elevated copy of itself — infinite loop possible. Worth verifying that the elevated instance reliably passes the admin check on Brad's machine. -2. **`Run scan.bat` was accidentally double-clicked.** Each click spawns its own independent UAC + scan flow. The kit doesn't prevent concurrent launches. -3. **The v4.1.5 self-elevation messaging change broke something.** v4.1.5 added a long explanatory text block before the elevation. Possible the new block contains a character that breaks cmd parsing and causes weird control flow. Worth diffing v4.1.4 vs v4.1.5 of `Run scan.bat` and looking for `&`, `(`, `)`, `|`, `^`, `>` inside the new echo block. +--- -**Diagnosis to run first in next session:** +## Issue 3 — Field test v4.2.0 on Brad's real machine (NEW) + +The v4.2.0 work is verified by unit tests + a synthetic .txt smoke test ++ a re-render of Brad's last saved `PCForensicCheck_20260525_185106.txt` +(which is from a scan run BEFORE the keyword-tightening fix landed, so +its false-positive findings are baked in). **A fresh end-to-end scan has +not been run with v4.2.0 yet.** + +**What to confirm on the fresh scan:** + +- Scanner keyword tightening actually drops the `hoic`→`CHOICE.EXE` and + `hping`→`PATHPING.EXE` `[HIGH]/[NetAttack]` findings. 
+- With those false positives gone, `totalCheatHigh` should drop to 0 on + Brad's machine, and the verdict tier should fall through from `CHEATS + DETECTED` (the false-positive-driven verdict in the old .txt) to + `INPUT DEVICES DETECTED` (the accurate tier for his XIM / reWASD / + HidHide stack). +- Lifecycle section should render 6 tracks (`XIM MATRIX`, `XIM (other)`, + `Cronus Zen Studio`, `reWASD`, `HidHide`, plus whatever else is + current). +- Named-items block should show ALL HIGH input-device patterns in + `main` (not `also`) because the verdict is no longer cheat-driven. +- Today-beam on the lifecycle SVG should render on the right edge + (SVG-coord fix verified in synthetic data). + +**Run:** ```powershell -# 1. Count actual report files on Brad's Desktop with timestamps -Get-ChildItem $env:USERPROFILE\Desktop -Filter 'AlibiReport_*.txt' | - Sort-Object LastWriteTime | - Select-Object Name, LastWriteTime - -Get-ChildItem $env:USERPROFILE\Desktop -Filter 'AlibiRigReport_*.txt' | - Sort-Object LastWriteTime | - Select-Object Name, LastWriteTime +# As admin +& "D:\Claude\Projects\PC Check\Run scan.bat" +# Or just the PC-mode driver if Run scan.bat is still under suspicion (Issue 1): +& "D:\Claude\Projects\PC Check\scanner\forensic-scan.ps1" ``` -If there are more than 2 files (1 PC + 1 console-rig) per scan attempt, that confirms multiple-scan execution. The timestamps will show whether they're back-to-back (=self-elevation loop) or spaced (=user clicked twice). - -**Suggested fix path:** - -- **Best:** Remove self-elevation entirely. Replace with a check at the top: if not admin, print clear "RIGHT-CLICK `Run scan.bat` AND PICK 'Run as administrator'" message, pause, exit. No `Start-Process -Verb RunAs`. No second window. No possible loop. The trade-off: one extra user action (right-click), but zero risk of re-entry and the user never sees the two-window pattern that confused them in v4.1.5. 
-- **Acceptable:** Keep self-elevation but add a `--already-elevated` sentinel flag that the elevated copy passes to itself, and refuse to re-elevate if that flag is set. Belt-and-suspenders. +The HTML auto-opens in the default browser. Compare against the +pre-v4.2.0 `PCForensicCheck_20260525_185106_visual_NEW.html` on the +Desktop for a before/after visual. --- -## Issue 2 — "It also ran the old UI" - -**Symptom:** The HTML companion that opened in Brad's browser at the end of the scan was rendered in the **old v3.x cream/serif design**, NOT the new dark-tactical readout (the one shipped in v4.0 from the design handoff bundle). - -**Root cause — confirmed by code inspection:** - -The new dark-tactical design was **only** ported to the Python parity port. Look at the file tree: +## Issue 4 — HASHES.txt regeneration (DONE 2026-05-26) -``` -python/src/alibi/ -├── visual_companion.py ← NEW dark-tactical renderer (v4.0) -├── visual_styles.css ← 1300 lines of design tokens -└── visual_scripts.js ← 350 lines of vanilla-JS interactivity - -scanner/ ← PowerShell side (canonical) -├── generate-visual-companion.ps1 ← STILL the v3.x design -└── generate-visual-companion-console.ps1 ← STILL the v3.x design -``` - -When `Run scan.bat` runs (the canonical PowerShell path), it calls `scanner/forensic-scan.ps1` which calls `scanner/generate-visual-companion.ps1` — that .ps1 has its own embedded HTML template using the OLD cream/serif design (the v3.x "Neon Forensics" / safety-card look). It also carries its own duplicate keyword arrays — explicitly flagged as tech debt in `docs/handoff.md`: - -> | Visual-companion .ps1 duplication | `generate-visual-companion.ps1` and `generate-visual-companion-console.ps1` each carry their own embedded keyword arrays. The v3.8 expansion added 7 more arrays that had to be hand-mirrored into the visual companion. Drift risk is growing. 
Next time these need updating: extract parser + SVG renderer + HTML template into `visual-companion-common.ps1` and have both visual-companion drivers dot-source it. - -That tech-debt note was written before we even started the v4.0 design work. It anticipated exactly this problem. +Regenerated against the current working tree. `sha256sum -c HASHES.txt` +verifies all 37 shipped files OK. -**Suggested fix path:** +Net changes vs the pre-v4.2.0 file: -1. Move `python/src/alibi/visual_styles.css` and `visual_scripts.js` up to `scanner/` (or a new `assets/` folder) so both PS and Python can read them as shared resources. Update the Python `_load_resource` to point at the new location. -2. Create `scanner/visual-companion-common.ps1` that: - - Reads the shared CSS + JS files at runtime - - Defines a `Render-AlibiHtml` function that mirrors `python/src/alibi/visual_companion.py :: render_html()` exactly — same section order, same finding-card markup, same timeline math, same donut math, same named-items grid - - Lives next to `forensic-common.ps1` and is dot-sourced by both `generate-visual-companion.ps1` and `generate-visual-companion-console.ps1` -3. Rewrite `generate-visual-companion.ps1` and `generate-visual-companion-console.ps1` as thin shims that parse the .txt report into the finding / process / service objects, then call `Render-AlibiHtml` and write the file. The OLD inline HTML templates get deleted. -4. Verify byte-for-byte (or near-byte-for-byte) parity between the HTML the PS side emits and what the Python side emits. The existing three reference HTMLs in `docs/design-handoff-2026-05/reports/` are the spec. - -Reference files to mirror against: -- **Design spec:** `docs/design-handoff-2026-05/README.md` (the high-fidelity handoff doc, ~28 KB) -- **Python implementation:** `python/src/alibi/visual_companion.py` (~750 lines) -- **Live preview of expected output:** https://sutaigne.github.io/alibi/ - -The Python port is the source of truth for the visual now. 
The PS port has been lagging. +- **Modified hashes:** `scanner/forensic-common.ps1` (bounded matching), + `scanner/generate-visual-companion.ps1` and + `scanner/generate-visual-companion-console.ps1` (60-line shims + replacing the old 800+/900+ line renderers), + `python/src/alibi/scanners.py`, `python/src/alibi/utils.py`, + `python/src/alibi/visual_companion.py`. +- **Added:** `scanner/visual-companion-common.ps1`, + `scanner/visual_styles.css`, `scanner/visual_scripts.js`. +- **Removed:** `python/src/alibi/visual_styles.css`, + `python/src/alibi/visual_scripts.js` (moved to `scanner/`). --- -## Status of this session's other shipped work — keep / build on +## What v4.2.0 shipped — keep / build on -These are stable and don't need rework: +These are stable and don't need rework unless field-test surfaces issues: -| Version | What landed | Status | -|---|---|---| -| v4.0.0 | Repo rename `pc-check` → `alibi`. Python package rename `pc_check` → `alibi`. Console scripts `alibi` / `alibi-rig`. Output filenames `AlibiReport_*.txt`. | Stable | -| v4.0.0 | `HASHES.txt`, `SECURITY.md`, `docs/for-reviewers.md`, private vulnerability reporting, GitHub Pages preview at https://sutaigne.github.io/alibi/ | Stable | -| v4.0.0 | Fix falsified "no Invoke-Web" copy in `scanner/alibi-safety-card.html` + `one-page-guide.html` + `START HERE.txt` + root `README.md` | Stable | -| v4.0.0 | README CoD-primary framing, Activision ID `Bread#3266221` labeled, timeline correction (project predates May 22 by 10+ days, original name "CheatChecks") | Stable | -| v4.1.0 | Repo restructure: `kit/` → `scanner/`, `ready-to-flash/` collapsed into repo root. Whole-tree speed pass (event log MaxEvents caps, depth limits). Per-scanner timing in `Invoke-AllScans` / `invoke_all_scans`. | Stable | -| v4.1.1 | First AIVision dep-cache exclude attempt — turned out to be incomplete, see v4.1.4 | Superseded | -| v4.1.2 | Auto-open HTML in browser at scan completion. 
`-SkipBrowserOpen` / `--no-open-browser` flags on individual drivers; unified launcher passes them and opens just one tab. | Mostly stable; see Issue 2 | -| v4.1.3 | Sharper FINAL SCAN SUMMARY block in both launchers. Clipboard copy of all four paths via `clip.exe`. | Stable | -| v4.1.4 | **Real** AIVision fix: new `Get-PrunedFiles` helper in `scanner/forensic-common.ps1`. .NET `DirectoryInfo.EnumerateDirectories` with name-pruning BEFORE recursing. Applied to AIVision + Lua + UserScripts + ObscuredNames + KnownHashes. Verified end-to-end: AIVision 33.87s, total 92.92s on Brad's machine. | Stable | -| v4.1.5 | Self-elevation messaging clarified. `explorer.exe` relay for browser open (avoids admin-token leak to Chrome/Edge). | **See Issue 1** — messaging may have introduced multi-scan bug; verify the .bat parses cleanly. | +| Component | Status | +|---|---| +| `scanner/visual-companion-common.ps1` (~1100 lines, parser + dark-tactical renderer mirroring `python/src/alibi/visual_companion.py`) | Stable, unit-tested | +| `scanner/generate-visual-companion.ps1` + `-console.ps1` (60-line shims; old 800+/900+ line v3.x renderers replaced) | Stable | +| Activity-by-pattern lifecycle section in both Python and PS renderers | Stable | +| Track-key fallback (`Pattern → Label → DisplayName → DeviceName`) so AppData/USB findings get their own tracks | Stable | +| Named-items verdict-aware routing (`CHEATS DETECTED` splits input to "also"; other verdicts route all HIGH to main) | Stable | +| Named-items dedup by Pattern with "+N" corroborating-source chip | Stable | +| SVG coord InvariantCulture F1 formatting (replaced `{0:N1}` that broke at X≥1000 in en-US locale) | Stable | +| `match_keyword(..., bounded=True)` / `Match-Keyword -Bounded` for short generic keywords; applied to `scan_network_attack_tools` and `scan_lua_scripts` (Python + PS) | Stable, 21 tests pass (hoic↛CHOICE, hping↛PATHPING, esp↛FDResPub, loader↛RTSSHooksLoader64, anticheat↛EasyAntiCheat) | +| Shared 
`scanner/visual_styles.css` and `scanner/visual_scripts.js` (moved up from `python/src/alibi/`, Python loader updated) | Stable | +| `visual-companion-common.ps1` + matching python entry in scanner self-exclusion lists | Stable | --- -## Other low-priority items still open - -These were noted in earlier session work but not addressed: - -- **Self-detection meta-quirk.** The scanner finds its OWN keyword strings (`engineowning`, `rut.gg`, etc.) embedded in `scanner/forensic-common.ps1` and `python/src/alibi/keywords.py`. When Brad runs the scan on his own dev machine, this triggers a HIGH cheat finding pointing at his repo source. Real reviewers running it on a stranger's machine won't hit this. Worth a follow-up tweak: in `Scan-UserScriptContents` and `Scan-KnownHashes`, scope-skip any directory tree containing a `scanner/forensic-common.ps1` (or any directory matching `alibi*` or `pc-check*`). -- **Auto-zip of reports** — deliberately parked. Brad's stance: the .txt should stay individually shareable. Don't ship without re-discussion. -- **Browser-history scanner.** `$CheatMarketplaceDomains` (40 reseller domains) sits inert in `forensic-common.ps1` waiting for a future `Scan-BrowserHistory` with hit-threshold logic. Design notes are in `docs/handoff.md` under "Recommended next moves." -- **`$KnownCheatHashes` backfill.** Currently 1 entry (RUT v4 launcher SHA256). More candidates worth hashing if samples are obtainable: Two2nd / Tomware / Cynical CoD launchers (Activision-C&D'd Feb 2025), DMA vendor firmware images, Aimmy / Sunone release binaries. +## Low-priority items still open + +- **Track-label truncation.** Lifecycle SVG track labels are capped at + 14 characters with `...` (so "Cronus Zen Studio" displays as + "CRONUS ZEN ST..."). Bumping to ~18 chars or sliding `left_pad` + from 180 to 220 fits common names without truncation. Minor. +- **Named-items chip cleanup.** The "InstalledSoftware +3" chip format + is informative but visually dense. 
Could simplify to "+3" or + "(4 sources)" as a separate sub-element. Subjective polish. +- **Reference HTMLs aren't updated.** + `docs/design-handoff-2026-05/reports/report-pc-*.html` predate v4.0's + log-scale timeline AND the new v4.2 lifecycle section. They're frozen + design specs. Regenerating from the current Python renderer would + update the spec to match what ships. Useful for parity checks, not + blocking. +- **Self-detection meta-quirk.** Scanner running on Brad's dev machine + finds its OWN keyword strings (`engineowning`, `rut.gg`, etc.) + embedded in `scanner/forensic-common.ps1` and + `python/src/alibi/keywords.py`. Triggers HIGH cheat findings pointing + at the repo source. Reviewers running on a stranger's machine won't + hit this. Worth a scope-skip in `Scan-UserScriptContents` and + `Scan-KnownHashes` for any directory tree containing + `scanner/forensic-common.ps1` (or any directory matching `alibi*` or + `pc-check*`). +- **Auto-zip of reports** — deliberately parked. Don't ship without + re-discussion. +- **Browser-history scanner.** `$CheatMarketplaceDomains` (40 reseller + domains) sits inert in `forensic-common.ps1` waiting for a future + `Scan-BrowserHistory` with hit-threshold logic. +- **`$KnownCheatHashes` backfill.** Still 1 entry (RUT v4 launcher + SHA256). More candidates worth hashing if samples are obtainable: + Two2nd / Tomware / Cynical CoD launchers (Activision-C&D'd Feb 2025), + DMA vendor firmware images, Aimmy / Sunone release binaries. --- 
@@ -116,11 +193,13 @@ These were noted in earlier session work but not addressed: 1. **This file** (`docs/NEXT_SESSION.md`) 2. `docs/handoff.md` — full project history, design rationale -3. `docs/for-reviewers.md` — reviewer-side workflow (what reports mean, how to verify) -4. `scanner/forensic-common.ps1` — the engine (the `Get-PrunedFiles` helper at the top is recent; understand it before touching) -5. `python/src/alibi/visual_companion.py` — the canonical new visual implementation (the PS side should be brought into parity with this) -6. `Run scan.bat` — the unified launcher; needs the most-recent attention for Issue 1 -7. `scanner/generate-visual-companion.ps1` — the PS-side HTML generator that needs to be rewritten or replaced for Issue 2 +3. `git show e8ec1f3 --stat` — what just shipped in v4.2.0 +4. `scanner/visual-companion-common.ps1` — the new shared module + (parser + renderer + scoring + bounded keyword matching) +5. `python/src/alibi/visual_companion.py` — canonical Python renderer + (the PS module mirrors this 1:1) +6. `scanner/forensic-common.ps1` — `Match-Keyword` now has a `-Bounded` + switch; `Score-NetworkBlob` and the Lua-script loop use it --- diff --git a/docs/handoff.md b/docs/handoff.md index a855c31..f04725d 100644 --- a/docs/handoff.md +++ b/docs/handoff.md 
@@ -57,16 +57,16 @@ D:\Claude\Projects\PC Check\ │ ├── Run scan.bat (UNIFIED launcher, no menu, runs both scans) │ └── kit\ (mirrors the live kit\ - keep in sync manually) │ -├── docs\ -│ ├── handoff.md (this file) -│ └── memory-suggested.md (draft memory entry, not yet filed) -│ -└── archive\ ← historical zips (DO NOT DELETE) - ├── pc-forensic-check.zip (oldest, ~May 20) - ├── pc-forensic-check-5.22.2026.zip (May 22, friend's tested version) - └── pc-forensic-check-05.22.2026.zip (May 22 dup naming) +└── docs\ + ├── handoff.md (this file) + └── memory-suggested.md (draft memory entry, not yet filed) ``` +> **Note (2026-05-29):** the `archive\` folder of historical zips (`pc-forensic-check*.zip`) +> was removed to cut antivirus/SmartScreen false-positive triggers — nested ZIPs of +> forensic PowerShell are a heuristic red flag, and the old versions live in git history +> anyway. See `SECURITY.md` → "Antivirus / SmartScreen false positives". + ## Architecture — current shape after the 2026-05-25 refactor ``` diff --git a/python/examples/console-rig-capture-stack.txt b/python/examples/console-rig-capture-stack.txt deleted file mode 100644 index a9d0098..0000000 --- a/python/examples/console-rig-capture-stack.txt +++ /dev/null 
@@ -1,160 +0,0 @@ -================================================================ - QUICK READ - START HERE -================================================================ - - VERDICT: CAPTURE STACK PRESENT - - No vision-aimbot software, input-adapter configurator, or - traditional PC cheats were detected. However, this scan found - capture-card software and/or HID-emulation drivers. - - These have legitimate uses (streaming, recording, controller - remapping via Steam or DS4Windows). They are disclosed here - because they are also components of console-MITM cheat stacks. - Their presence alone is not evidence of cheating. - - Reviewer note: if you are auditing for cheat behavior, the - absence of any aimbot or adapter software alongside the - capture-card stack is the relevant finding. - - Named items: - - [Installed] obs studio - [obs studio] OBS Studio - - [Installed] elgato - [elgato] Elgato 4K Capture Utility - - [Installed] ds4windows - [ds4windows] DS4Windows - - [Services] vigembus - [vigembus] ViGEmBus | Virtual Gamepad Emulation Bus | C:\Windows\System32\drivers\ViGEmBus.sys - - [Process] obs - obs64.exe (PID 8120) - - [Process] ds4windows - DS4Windows.exe (PID 10428) - - [Service] vigembus - ViGEmBus (Running) - -================================================================ - -================================================================ - ALIBI (CONSOLE-RIG MODE) v4.0 - CONSOLIDATED REPORT -================================================================ - - Generated: 2026-05-25 23:48:18 - Hostname: BREAD-PC - Username: BradS - OS: Windows 11 (10.0.26200) - Admin mode: False - Verdict: CAPTURE STACK PRESENT - - Read-only scan. No system state was modified. No network calls. 
-================================================================ - -================================================================ - SECTION 1 OF 3 - CHEAT TRACE SCAN -================================================================ - - Summary (recent, within last 180 days - verdict-relevant): - HIGH findings : 0 - MEDIUM findings : 4 - INFO items : 2 - WARN (access) : 0 - - [MEDIUM/dual-use] [Installed] [obs studio] OBS Studio - Source: OBS Studio - Pattern: obs studio - Name: OBS Studio - Publisher: OBS Project - InstallDate: 2026-02-08 - Version: 30.1.2 - - [MEDIUM/dual-use] [Installed] [elgato] Elgato 4K Capture Utility - Source: Elgato 4K Capture Utility - Pattern: elgato - Name: Elgato 4K Capture Utility - Publisher: Corsair Memory, Inc. - InstallDate: 2026-04-19 - Version: 1.6.0 - - [MEDIUM/dual-use] [Installed] [ds4windows] DS4Windows - Source: DS4Windows - Pattern: ds4windows - Name: DS4Windows - Publisher: Ryochan7 - InstallDate: 2026-01-15 - Version: 3.3.3 - - [MEDIUM/dual-use] [Services] [vigembus] ViGEmBus | Virtual Gamepad Emulation Bus | C:\Windows\System32\drivers\ViGEmBus.sys - Source: ViGEmBus - Pattern: vigembus - ServiceName: ViGEmBus - DisplayName: Virtual Gamepad Emulation Bus - ImagePath: C:\Windows\System32\drivers\ViGEmBus.sys - - [INFO/other] [ProcessModules] Scanned 6122 DLL modules across all running processes - Source: (scan) - ModulesScanned: 6122 - - [INFO/other] [RecencyDecay] Recency analysis: 4 recent, 0 historical (>180d demoted), 1 unknown-timestamp - Source: (summary) - ThresholdDays: 180 - RecentFindings: 4 - HistoricalFindings: 0 - UnknownTimestampFindings: 1 - -================================================================ - SECTION 2 OF 3 - RUNNING PROCESSES (scored) -================================================================ - - Total processes captured: 3 - HIGH: 0 - MEDIUM: 2 - LOW: 0 - CLEAN: 1 - - HIGH and MEDIUM processes (full detail): - - [MEDIUM/dual-use] obs64.exe (PID 8120) - Path: C:\Program 
Files\obs-studio\bin\64bit\obs64.exe - Cmd: "C:\Program Files\obs-studio\bin\64bit\obs64.exe" - Reason: matches 'obs' (dual-use tool) - Pattern: obs - - [MEDIUM/dual-use] DS4Windows.exe (PID 10428) - Path: C:\Program Files\DS4Windows\DS4Windows.exe - Cmd: "C:\Program Files\DS4Windows\DS4Windows.exe" - Reason: matches 'ds4windows' (dual-use tool) - Pattern: ds4windows - - Full processes table (sorted by suspicion score): - - MEDIUM PID 8120 obs64.exe C:\Program Files\obs-studio\bin\64bit\obs64.exe - MEDIUM PID 10428 DS4Windows.exe C:\Program Files\DS4Windows\DS4Windows.exe - CLEAN PID 4288 explorer.exe C:\Windows\explorer.exe - -================================================================ - SECTION 3 OF 3 - SERVICES (scored) -================================================================ - - Total services captured: 1 - HIGH: 0 - MEDIUM: 1 - LOW: 0 - CLEAN: 0 - - HIGH and MEDIUM services (full detail): - - [MEDIUM/dual-use] ViGEmBus (Running) - Display: Virtual Gamepad Emulation Bus - Path: C:\Windows\System32\drivers\ViGEmBus.sys - Mode: Manual - Reason: matches 'vigembus' (dual-use tool) - Pattern: vigembus - - Full services table (sorted by suspicion score): - - MEDIUM Running ViGEmBus C:\Windows\System32\drivers\ViGEmBus.sys - -================================================================ - COVERAGE LIMITATIONS -================================================================ - - - The CONSOLE itself cannot be scanned. This script can only see the Windows PC connected to the rig. A pure console + TV setup with no PC in the loop cannot be audited this way - use the visual setup checklist (console-setup-checklist.html) instead. - - DMA cheats cannot be detected at runtime by design (no PC-side footprint). This scan flags DMA development artifacts only. - - Input devices configured on a separate machine and used purely as pass-through leave no trace on this PC. - - Keyword matching only. Sophisticated cleaners can wipe most of these artifacts. 
- - A clean result is necessary but not sufficient. - - Report generated: 2026-05-25 23:48:18 diff --git a/python/examples/generate_example.py b/python/examples/generate_example.py index 7009ae8..2715b08 100644 --- a/python/examples/generate_example.py +++ b/python/examples/generate_example.py 
@@ -1,19 +1,38 @@ """Generate synthetic example reports that exercise every visual state. -Two reports are produced: +Three PC-mode reports are produced, one per verdict tier: + - pc-mode-cheats-detected.txt + _visual.html - PC mode, CHEATS DETECTED verdict, packed with HIGH cheat + input matches, - LOLDrivers BYOVD hits (malicious + vulnerable tiers), AI-vision - constellation findings, mouse-macro script content, DMA artifact, and - a Historical section showing recency decay. - - console-rig-capture-stack.txt + _visual.html - Console-rig mode, CAPTURE STACK PRESENT verdict — no cheats, just - capture-card + HID emulator dual-use findings. Shows the amber - verdict state and the streamer-disclosure quick-read shape. + Verdict: CHEATS DETECTED. Comprehensive HIGH cheat coverage — + EngineOwning prefetch, RUT launcher hash hit, pcileech DMA build + output, LOLDrivers BYOVD (vulnerable tier), AI-vision constellation + (executable + co-located ONNX model), Lua mouse-macro script, BCD + testsigning. Also carries HIGH input findings (Cronus / XIM) so the + v4.2 verdict-aware named-items routing has something to push to + "also". MEDIUM dual-use, INFO scan summaries, WARN access-denied, + and a HISTORICAL demoted prefetch entry are all present. + + - pc-mode-input-devices-detected.txt + _visual.html + Verdict: INPUT DEVICES DETECTED. The shape Brad's own machine + produces — XIM Matrix + Cronus Zen + reWASD + HidHide stack with + USB-history and AppData activity tracks, zero HIGH cheats. With no + cheats in the picture, all HIGH input findings route to "main". + This is the false-positive scenario v4.2's bounded keyword matching + was designed to land in cleanly (no more hoic→CHOICE.EXE noise). + + - pc-mode-clean.txt + _visual.html + Verdict: CLEAN. No HIGH or MEDIUM matches in the recent window. + Includes one HISTORICAL demoted entry (a long-ago XIM Manager + install) so the lifecycle section still has a track to render. 
The data is piped through the production formatters (reports.build_text_report and visual_companion.render_html), so the output is guaranteed to match exactly what a real scan would produce. + +The three fabricated users (Marcus / Jordan / Alex) are plausible Windows +profile names; all timestamps, hashes, file sizes, install dates, and +VID/PID pairs are made up but in the right shape that a reviewer can +read the report as if it were real. """ from __future__ import annotations @@ -27,14 +46,13 @@ if str(_SRC) not in sys.path: sys.path.insert(0, str(_SRC)) -from alibi import CONSOLE_RIG_VERSION, SCANNER_VERSION +from alibi import SCANNER_VERSION from alibi.findings import Finding, ScoredItem from alibi.keywords import RECENCY_THRESHOLD_DAYS from alibi.reports import ReportContext, ReportSpec, build_text_report, collect_named_items from alibi.utils import Engine from alibi.visual_companion import render_html, write_html from alibi.forensic_scan import _pc_quick_read, _PC_LIMITATIONS -from alibi.console_rig_audit import _console_quick_read, _CONSOLE_LIMITATIONS def _iso(dt: datetime) -> str: 
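Review bot: The added paragraph states that all hashes and VID/PID pairs are made up, but the `KnownHashes` finding further down is modelled as a confirmed match against the scanner's one-entry `$KnownCheatHashes` database, the `LOLDrivers` entry carries a `LOLDrivers_Id`, SHA256 and loldrivers.io URL, and the input-devices builder's own comment says the Cronus Zen and XIM Matrix VIDs are real — so those values are presumably the real database entries rather than fabricated ones. I'd qualify the sentence, e.g. `...install dates are made up; the KnownHashes / LOLDrivers SHA256 values and the Cronus / XIM VID_PID pairs are the real database entries so the hash- and USB-match paths render as they would in production.` This hunk is the module docstring, so no function is cut.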
@@ -45,115 +63,139 @@ def _ago(days: int = 0, hours: int = 0) -> str: return _iso(datetime.now() - timedelta(days=days, hours=hours)) +# Keyword set used by all three engines. Mirrors a realistic subset of the +# production keywords.py so finding patterns reference strings that exist +# in the live scanner. +_KW_CHEAT = ["engineowning", "rut.gg", "rut v4 launcher", "aimmy", "pcileech"] +_KW_INPUT = ["cronus", "cronuszen", "xim matrix", "rewasd", "hidhide"] +_KW_MEDIUM = ["cheatengine", "vivado", "ds4windows", "vigembus", "obs studio"] +_KW_SCRIPT = ["bcdedit /set testsigning", "Disable-WindowsDefender"] +_KW_MOUSE_MACRO = ["MoveMouseRelative", "mouse_event"] + + +def _make_engine() -> Engine: + return Engine( + keywords_high_cheats=_KW_CHEAT, + keywords_high_input=_KW_INPUT, + keywords_medium=_KW_MEDIUM, + keywords_script_high=_KW_SCRIPT, + keywords_mouse_macro=_KW_MOUSE_MACRO, + ) + + # --------------------------------------------------------------------------- -# PC MODE — CHEATS DETECTED +# PC MODE — CHEATS DETECTED (fabricated user: Marcus) # --------------------------------------------------------------------------- -def build_pc_engine() -> Engine: - e = Engine( - keywords_high_cheats=["engineowning", "rut.gg"], - keywords_high_input=["cronus", "xim"], - keywords_medium=["cheatengine", "vivado"], - keywords_script_high=["bcdedit /set testsigning"], - keywords_mouse_macro=["MoveMouseRelative"], - ) +def build_cheats_engine() -> Engine: + e = _make_engine() + home = r"C:\Users\Marcus" - # --- HIGH cheat findings, multiple categories ------------------------- - e.add("Prefetch", r"C:\Windows\Prefetch\ENGINEOWNING.EXE-1A2B3C4D.pf", + # --- HIGH cheat findings, multiple categories ------------------------ + e.add("Prefetch", rf"C:\Windows\Prefetch\ENGINEOWNING.EXE-7A4C2E91.pf", "[engineowning] ENGINEOWNING", "HIGH", "cheat", - {"Pattern": "engineowning", "FirstSeen": _ago(days=14), - "LastModified": _ago(days=2)}) - e.add("MUICache", r"HKCU\...\MuiCache", - 
"[rut.gg] C:\\Users\\Bob\\Downloads\\RUT V4 Launcher.exe", + {"Pattern": "engineowning", + "FirstSeen": _ago(days=11), "LastModified": _ago(days=2), + "MostRecentTimestamp": _ago(days=2), + "AgeDays": 2}) + e.add("MUICache", r"HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache", + rf"[rut.gg] {home}\Downloads\RUT V4 Launcher.exe", "HIGH", "cheat", {"Pattern": "rut.gg", - "Value": "C:\\Users\\Bob\\Downloads\\RUT V4 Launcher.exe", - "Data": "RUT and RUAVT", "LastWrite": _ago(days=5)}) - e.add("DMA", r"C:\Users\Bob\source\pcileech-fpga-build\pcileech_top.bin", + "Value": rf"{home}\Downloads\RUT V4 Launcher.exe", + "Data": "RUT and RUAVT", "LastWrite": _ago(days=4), + "MostRecentTimestamp": _ago(days=4), "AgeDays": 4}) + e.add("DMA", rf"{home}\source\pcileech-fpga-build\pcileech_top.bin", "pcileech firmware build output: pcileech_top.bin", "HIGH", "cheat", - {"FileName": "pcileech_top.bin", - "FullPath": r"C:\Users\Bob\source\pcileech-fpga-build\pcileech_top.bin", - "Created": _ago(days=21)}) - e.add("KnownHashes", r"C:\Users\Bob\Downloads\RUT AND RUAVT LAUNCHER UPDATED.exe", - "[RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg)] hash match - confirmed cheat sample", + {"Pattern": "pcileech", "FileName": "pcileech_top.bin", + "FullPath": rf"{home}\source\pcileech-fpga-build\pcileech_top.bin", + "SizeBytes": 4_194_304, + "Created": _ago(days=17), "LastWrite": _ago(days=6), + "MostRecentTimestamp": _ago(days=6), "AgeDays": 6}) + e.add("KnownHashes", rf"{home}\Downloads\RUT V4 Launcher.exe", + "[RUT V4 Launcher.exe (rut.gg)] hash match - confirmed cheat sample", "HIGH", "cheat", - {"Pattern": "RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg)", + {"Pattern": "RUT V4 Launcher.exe (rut.gg)", "SHA256": "b1b89dedcff0c502d605a707e550b1565224b5949e778168ac45f01b8171160f", - "FileName": "RUT AND RUAVT LAUNCHER UPDATED.exe", - "FullPath": r"C:\Users\Bob\Downloads\RUT AND RUAVT LAUNCHER UPDATED.exe", - "SizeBytes": 8_421_376, "LastWrite": _ago(days=5), - 
"KnownSampleOf": "RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg)", + "FileName": "RUT V4 Launcher.exe", + "FullPath": rf"{home}\Downloads\RUT V4 Launcher.exe", + "SizeBytes": 8_421_376, "LastWrite": _ago(days=4), + "MostRecentTimestamp": _ago(days=4), "AgeDays": 4, + "KnownSampleOf": "RUT V4 Launcher.exe (rut.gg)", "HashSource": "Hybrid Analysis sandbox report"}) - # LOLDrivers BYOVD — both tiers - e.add("LOLDrivers", r"C:\Users\Bob\AppData\Local\Temp\rtcore64.sys", + # LOLDrivers BYOVD — vulnerable tier + e.add("LOLDrivers", rf"{home}\AppData\Local\Temp\rtcore64.sys", "VULNERABLE DRIVER - hash confirmed (BYOVD risk): rtcore64.sys", "HIGH", "cheat", {"DeviceName": "RTCore64", "Manufacturer": "MSI", "IsSigned": "True", "FileName": "rtcore64.sys", - "FilePath": r"C:\Users\Bob\AppData\Local\Temp\rtcore64.sys", + "FilePath": rf"{home}\AppData\Local\Temp\rtcore64.sys", "LOLDrivers_Id": "0c9b1b21-5e26-4e0e-8baa-2bbb4ce4f0bd", "LOLDrivers_Category": "vulnerable", "LOLDrivers_Tags": "rtcore64.sys,rtcore32.sys", "LOLDrivers_MatchBy": "SHA256", "SHA256": "01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd", - "LOLDrivers_URL": "https://www.loldrivers.io/drivers/0c9b1b21-5e26-4e0e-8baa-2bbb4ce4f0bd/"}) + "LOLDrivers_URL": "https://www.loldrivers.io/drivers/0c9b1b21-5e26-4e0e-8baa-2bbb4ce4f0bd/", + "MostRecentTimestamp": _ago(days=7), "AgeDays": 7}) - # USB history hit + # USB history hit + AppData activity for Cronus (HIGH input — will route + # to "also" because verdict is CHEATS DETECTED). 
e.add("USB", "VID_2E24&PID_1000", "[cronus] Cronus Zen", "HIGH", "input", {"Pattern": "cronus", "FriendlyName": "Cronus Zen", "VID_PID": "VID_2E24&PID_1000", - "FirstInstall": _ago(days=120), + "FirstInstall": _ago(days=87), "LastArrival": _ago(days=1), - "LastRemoval": _ago(hours=4)}) - - # HIGH input — AppData - e.add("AppData", r"C:\Users\Bob\AppData\Local\ConsoleTuner", - "Cronus / Titan - 247 files, 38 distinct days", + "LastRemoval": _ago(hours=6), + "MostRecentTimestamp": _ago(days=1), "AgeDays": 1}) + e.add("AppData", rf"{home}\AppData\Local\ConsoleTuner", + "Cronus Zen Studio - 184 files, 29 distinct days", "HIGH", "input", - {"Label": "Cronus / Titan", - "Directory": r"C:\Users\Bob\AppData\Local\ConsoleTuner", - "FileCount": 247, "DistinctActivityDays": 38, - "ActivitySpanDays": 95, - "OldestWrite": _ago(days=95), - "NewestWrite": _ago(days=1)}) + {"Pattern": "cronuszen", "Label": "Cronus Zen Studio", + "Directory": rf"{home}\AppData\Local\ConsoleTuner", + "FileCount": 184, "DistinctActivityDays": 29, + "ActivitySpanDays": 92, + "OldestWrite": _ago(days=92), + "NewestWrite": _ago(days=1), + "MostRecentTimestamp": _ago(days=1), "AgeDays": 1}) # HIGH script content - e.add("UserScripts", r"C:\Users\Bob\Desktop\setup.bat", + e.add("UserScripts", rf"{home}\Desktop\setup.bat", "[bcdedit /set testsigning] ~\\Desktop\\setup.bat - high-risk command pattern inside script", "HIGH", "cheat", {"Pattern": "bcdedit /set testsigning", "MatchKind": "high-risk command in script", "FileName": "setup.bat", - "FullPath": r"C:\Users\Bob\Desktop\setup.bat", - "SizeBytes": 412, "LastWrite": _ago(days=8)}) - - e.add("UserScripts", r"C:\Users\Bob\Documents\macros\norecoil.lua", + "FullPath": rf"{home}\Desktop\setup.bat", + "SizeBytes": 412, "LastWrite": _ago(days=8), + "MostRecentTimestamp": _ago(days=8), "AgeDays": 8}) + e.add("UserScripts", rf"{home}\Documents\macros\norecoil.lua", "[MoveMouseRelative] ~\\Documents\\macros\\norecoil.lua - mouse-macro / anti-recoil script 
pattern", "HIGH", "cheat", {"Pattern": "MoveMouseRelative", "MatchKind": "mouse-macro / anti-recoil script", "FileName": "norecoil.lua", - "FullPath": r"C:\Users\Bob\Documents\macros\norecoil.lua", - "SizeBytes": 1_847, "LastWrite": _ago(days=3)}) + "FullPath": rf"{home}\Documents\macros\norecoil.lua", + "SizeBytes": 2_104, "LastWrite": _ago(days=3), + "MostRecentTimestamp": _ago(days=3), "AgeDays": 3}) # AI-vision constellation - e.add("AIVision", r"C:\Users\Bob\source\aimmy\aimmy.exe", + e.add("AIVision", rf"{home}\source\aimmy\aimmy.exe", "[aimmy] AI-vision aimbot executable: aimmy.exe", "HIGH", "cheat", {"Pattern": "aimmy", "FileName": "aimmy.exe", - "FullPath": r"C:\Users\Bob\source\aimmy\aimmy.exe", + "FullPath": rf"{home}\source\aimmy\aimmy.exe", "SizeBytes": 18_223_104, - "Created": _ago(days=18), - "LastWrite": _ago(days=2)}) - e.add("AIVision", r"C:\Users\Bob\source\aimmy\yolov8n.onnx", + "Created": _ago(days=18), "LastWrite": _ago(days=2), + "MostRecentTimestamp": _ago(days=2), "AgeDays": 2}) + e.add("AIVision", rf"{home}\source\aimmy\models\yolov8n.onnx", "ONNX model co-located with AI-aimbot executable: yolov8n.onnx", "HIGH", "cheat", {"FileName": "yolov8n.onnx", - "FullPath": r"C:\Users\Bob\source\aimmy\yolov8n.onnx", + "FullPath": rf"{home}\source\aimmy\models\yolov8n.onnx", "SizeBytes": 12_405_633, - "CoLocated": r"C:\Users\Bob\source\aimmy\aimmy.exe", - "Created": _ago(days=18), - "LastWrite": _ago(days=18)}) + "CoLocated": rf"{home}\source\aimmy\aimmy.exe", + "Created": _ago(days=18), "LastWrite": _ago(days=18), + "MostRecentTimestamp": _ago(days=18), "AgeDays": 18}) # BCD flag e.add("BCD", "testsigning", 
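Review bot: The `_KW_*` lists are hand-copied, so the comment's promise that every `Pattern` value references a string that exists in the live scanner holds only until `python/src/alibi/keywords.py` changes; `alibi.keywords` is already imported in this module, so a module-level check that each `_KW_*` entry is present in the production list (or at least a `# keep in sync with python/src/alibi/keywords.py` pointer on each list) would stop the example drifting silently. Separately, `rf"C:\Windows\Prefetch\ENGINEOWNING.EXE-7A4C2E91.pf"` has no placeholder and should be a plain `r"..."` string (ruff F541). `build_cheats_engine` continues past the end of this hunk.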
@@ -165,31 +207,25 @@ def build_pc_engine() -> Engine: "[cheatengine] Cheat Engine 7.5", "MEDIUM", "dual-use", {"Pattern": "cheatengine", "Name": "Cheat Engine 7.5", "Publisher": "Dark Byte", "InstallDate": "2026-03-12", - "Version": "7.5"}) - - e.add("ObscuredNames", r"C:\Users\Bob\Downloads\deadbeef12345678.exe", - "Obscured filename: raw hex name (deadbeef12345678.exe)", + "Version": "7.5", + "MostRecentTimestamp": "2026-03-12T00:00:00", "AgeDays": 75}) + e.add("ObscuredNames", rf"{home}\Downloads\3a7b9c1e2d4f6018.exe", + "Obscured filename: raw hex name (3a7b9c1e2d4f6018.exe)", "MEDIUM", "dual-use", - {"FileName": "deadbeef12345678.exe", - "FullPath": r"C:\Users\Bob\Downloads\deadbeef12345678.exe", - "Pattern": "raw hex name (deadbeef12345678.exe)", + {"FileName": "3a7b9c1e2d4f6018.exe", + "FullPath": rf"{home}\Downloads\3a7b9c1e2d4f6018.exe", + "Pattern": "raw hex name (3a7b9c1e2d4f6018.exe)", "SizeBytes": 1_204_800, - "LastWrite": _ago(days=4)}) - - e.add("Drivers", "obscure_helper", - "UNSIGNED: obscure_helper", "MEDIUM", "dual-use", - {"DeviceName": "obscure_helper", - "Manufacturer": "Unknown", "IsSigned": "False", - "FileName": "obscure_helper.sys", - "FilePath": r"C:\Windows\System32\drivers\obscure_helper.sys"}) - + "LastWrite": _ago(days=4), + "MostRecentTimestamp": _ago(days=4), "AgeDays": 4}) e.add("DLLInject", "Sysmon EID 7", "Injector activity: xenos64.dll @ " + _ago(days=11), "MEDIUM", "dual-use", {"Source": "Sysmon EID 7", "Timestamp": _ago(days=11), - "ImageLoaded": r"C:\Users\Bob\source\xenos\xenos64.dll", - "TargetProcess": "explorer.exe", "ProcessId": "4288"}) + "ImageLoaded": rf"{home}\source\xenos\xenos64.dll", + "TargetProcess": "explorer.exe", "ProcessId": "4288", + "MostRecentTimestamp": _ago(days=11), "AgeDays": 11}) # --- INFO ------------------------------------------------------------- e.add("ProcessModules", "(scan)", 
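Review bot: `"MostRecentTimestamp": "2026-03-12T00:00:00", "AgeDays": 75` pins an absolute date next to a hard-coded age while every other entry derives both from `_ago()`, so the age is wrong the day after the example is regenerated and the entry will eventually be older than `RECENCY_THRESHOLD_DAYS` while still reporting 75 days. Deriving it keeps the two consistent: `"AgeDays": (datetime.now() - datetime(2026, 3, 12)).days`. The same pattern appears in the `Installed` entries of `build_input_engine` in the last hunk. `build_cheats_engine` starts and ends outside this hunk.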
@@ -198,21 +234,11 @@ def build_pc_engine() -> Engine: e.add("KnownHashes", "(scan)", "Hashed 312 executables, checked against 1 known-bad SHA256 sample(s)", "INFO", "other", {"Hashed": 312, "DatabaseSize": 1}) - e.add("AIVision", r"C:\Users\Bob\Documents\ml-class\resnet50.onnx", - "ONNX model present (no aimbot constellation): resnet50.onnx", - "INFO", "other", - {"FileName": "resnet50.onnx", - "FullPath": r"C:\Users\Bob\Documents\ml-class\resnet50.onnx", - "SizeBytes": 102_400_000, - "Created": _ago(days=42), - "LastWrite": _ago(days=40)}) e.add("RecencyDecay", "(summary)", - "Recency analysis: 19 recent, 4 historical (>180d demoted), 2 unknown-timestamp", + "Recency analysis: 19 recent, 3 historical (>180d demoted), 2 unknown-timestamp", "INFO", "other", - {"ThresholdDays": 180, - "RecentFindings": 19, - "HistoricalFindings": 4, - "UnknownTimestampFindings": 2}) + {"ThresholdDays": 180, "RecentFindings": 19, + "HistoricalFindings": 3, "UnknownTimestampFindings": 2}) # --- WARN ------------------------------------------------------------- e.add("BAM", r"HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings", 
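Review bot: The `RecencyDecay` summary keeps `RecentFindings` at 19 although this commit (together with the `@@ -165` hunk) drops the unsigned `Drivers` finding and the INFO `resnet50.onnx` entry, so the hand-typed count probably no longer matches what the builder adds; only the historical count was revised (4 to 3). If the summary is meant to mirror the report, recount after the removals, or, if `Engine` exposes its findings, compute the counts from `e` at the end of the builder instead of typing them. `build_cheats_engine` starts and ends outside this hunk.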
@@ -222,29 +248,19 @@ def build_pc_engine() -> Engine: "Access denied", "WARN", "other", {}) # --- HISTORICAL (recency-decay demoted) ------------------------------- - # These were originally HIGH cheat — kept in report at lower severity. e.add("Prefetch", r"C:\Windows\Prefetch\OLDCHEAT.EXE-9F8E7D6C.pf", "[engineowning] OLDCHEAT (CoD MW 2019)", "MEDIUM", "cheat", {"Pattern": "engineowning", - "FirstSeen": _ago(days=720), - "LastModified": _ago(days=420), + "FirstSeen": _ago(days=720), "LastModified": _ago(days=420), "MostRecentTimestamp": _ago(days=420), - "AgeDays": 420, - "RecencyClass": "historical", + "AgeDays": 420, "RecencyClass": "historical", "OriginalSeverity": "HIGH"}) - e.add("Installed", "Old XIM Manager", - "[xim] XIM Manager 2018", "INFO", "input", - {"Pattern": "xim", "Name": "XIM Manager 2018", - "InstallDate": "2018-11-04", - "MostRecentTimestamp": "2018-11-04T00:00:00", - "AgeDays": 2_750, - "RecencyClass": "historical", - "OriginalSeverity": "MEDIUM"}) return e -def build_pc_processes() -> list[ScoredItem]: +def build_cheats_processes() -> list[ScoredItem]: + home = r"C:\Users\Marcus" return [ ScoredItem( name="ENGINEOWNING.exe", score="HIGH", kind="cheat", @@ -252,8 +268,8 @@ def build_pc_processes() -> list[ScoredItem]: reason="matches 'engineowning' (cheat keyword)", extra={"ProcessId": "9128", "ParentProcessId": "4288", "Started": _ago(hours=2), - "ExecutablePath": r"C:\Users\Bob\AppData\Local\engineowning\EO.exe", - "CommandLine": r'"C:\Users\Bob\AppData\Local\engineowning\EO.exe" --loader'}, + "ExecutablePath": rf"{home}\AppData\Local\engineowning\EO.exe", + "CommandLine": rf'"{home}\AppData\Local\engineowning\EO.exe" --loader'}, ), ScoredItem( name="cheatengine-x86_64.exe", score="MEDIUM", kind="dual-use", 
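Review bot: Dropping the comment `# These were originally HIGH cheat — kept in report at lower severity.` loses the only explanation of why a `[engineowning]` Prefetch hit is added at `MEDIUM` with `"OriginalSeverity": "HIGH"`; the section header says HISTORICAL but not that the severity was demoted by the recency rule. I'd keep a one-liner there: `# Originally HIGH cheat; recency decay (>180d) demotes it to MEDIUM and records OriginalSeverity.` `build_cheats_engine` starts outside this hunk.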
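Review bot: `home = r"C:\Users\Marcus"` is now declared separately in `build_cheats_engine` and `build_cheats_processes`, and the last hunk repeats the same for Jordan in `build_input_engine`; a single module-level constant per fabricated user (e.g. `_HOME_MARCUS = r"C:\Users\Marcus"`) would stop the copies drifting and make renaming a user a one-line edit. `build_cheats_processes` continues past the end of this hunk.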
@@ -291,19 +307,21 @@ def build_pc_processes() -> list[ScoredItem]: ] -def build_pc_services() -> list[ScoredItem]: +def build_cheats_services() -> list[ScoredItem]: return [ ScoredItem( - name="HidHide", score="HIGH", kind="cheat", + name="HidHide", score="HIGH", kind="input", pattern="hidhide", - reason="matches 'hidhide' (cheat keyword)", + reason="matches 'hidhide' (input-device keyword)", extra={"DisplayName": "HidHide Service", "State": "Running", - "StartMode": "Auto", "PathName": r"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe", + "StartMode": "Auto", + "PathName": r"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe", "StartName": "LocalSystem", "ProcessId": "3120"}, ), ScoredItem( name="vgc", score="CLEAN", kind="other", - extra={"DisplayName": "vgc", "State": "Stopped", "StartMode": "Manual", + extra={"DisplayName": "vgc", "State": "Stopped", + "StartMode": "Manual", "PathName": r'"C:\Program Files\Riot Vanguard\vgc.exe"', "StartName": "LocalSystem", "ProcessId": "0"}, reason="standard system location", 
@@ -321,210 +339,241 @@ def build_pc_services() -> list[ScoredItem]: # --------------------------------------------------------------------------- -# CONSOLE RIG MODE — CAPTURE STACK PRESENT +# PC MODE — INPUT DEVICES DETECTED (fabricated user: Jordan) # --------------------------------------------------------------------------- -def build_console_engine() -> Engine: - e = Engine( - keywords_high_cheats=[], keywords_high_input=[], - keywords_medium=["obs studio", "elgato", "vigembus", "ds4windows"], - keywords_script_high=[], keywords_mouse_macro=[], - ) - - # All MEDIUM and all from capture/HID lists — that's what triggers - # CAPTURE STACK PRESENT (vs. UNSURE). +def build_input_engine() -> Engine: + e = _make_engine() + home = r"C:\Users\Jordan" + + # --- HIGH input findings — the full XIM/Cronus/HidHide/reWASD stack -- + e.add("Installed", "XIM MATRIX", + "[xim matrix] XIM MATRIX", "HIGH", "input", + {"Pattern": "xim matrix", "Name": "XIM MATRIX", + "Publisher": "XIM Technologies", + "InstallDate": "2026-02-04", + "Version": "20250118.6", + "MostRecentTimestamp": "2026-02-04T00:00:00", + "AgeDays": 111}) + e.add("Installed", "Cronus Zen Studio", + "[cronuszen] Cronus Zen Studio", "HIGH", "input", + {"Pattern": "cronuszen", "Name": "Cronus Zen Studio", + "Publisher": "Collective Minds Gaming Co.", + "InstallDate": "2025-09-22", + "Version": "2.2.10", + "MostRecentTimestamp": "2025-09-22T00:00:00", + "AgeDays": 246}) + e.add("Installed", "reWASD", + "[rewasd] reWASD", "HIGH", "input", + {"Pattern": "rewasd", "Name": "reWASD", + "Publisher": "Disc Soft Ltd", + "InstallDate": "2026-01-18", + "Version": "7.0.0.8400", + "MostRecentTimestamp": "2026-01-18T00:00:00", + "AgeDays": 128}) + e.add("Installed", "HidHide", + "[hidhide] HidHide", "HIGH", "input", + {"Pattern": "hidhide", "Name": "HidHide", + "Publisher": "Nefarius Software Solutions e.U.", + "InstallDate": "2026-01-18", + "Version": "1.5.230.0", + "MostRecentTimestamp": "2026-01-18T00:00:00", + "AgeDays": 
128}) + + # USB-history hits (Cronus Zen + XIM Matrix have real VIDs) + e.add("USB", "VID_2E24&PID_1000", + "[cronus] Cronus Zen", "HIGH", "input", + {"Pattern": "cronus", "FriendlyName": "Cronus Zen", + "VID_PID": "VID_2E24&PID_1000", + "FirstInstall": _ago(days=240), + "LastArrival": _ago(hours=8), + "LastRemoval": _ago(hours=2), + "MostRecentTimestamp": _ago(hours=2), + "AgeDays": 0}) + e.add("USB", "VID_2516&PID_0140", + "[xim matrix] XIM Matrix", "HIGH", "input", + {"Pattern": "xim matrix", "FriendlyName": "XIM Matrix", + "VID_PID": "VID_2516&PID_0140", + "FirstInstall": _ago(days=110), + "LastArrival": _ago(hours=8), + "LastRemoval": _ago(hours=2), + "MostRecentTimestamp": _ago(hours=2), + "AgeDays": 0}) + + # AppData activity tracks — these populate the lifecycle section + e.add("AppData", rf"{home}\AppData\Local\XIM Matrix", + "XIM MATRIX - 312 files, 41 distinct days", + "HIGH", "input", + {"Pattern": "xim matrix", "Label": "XIM MATRIX", + "Directory": rf"{home}\AppData\Local\XIM Matrix", + "FileCount": 312, "DistinctActivityDays": 41, + "ActivitySpanDays": 110, + "OldestWrite": _ago(days=110), + "NewestWrite": _ago(hours=8), + "MostRecentTimestamp": _ago(hours=8), + "AgeDays": 0}) + e.add("AppData", rf"{home}\AppData\Local\ConsoleTuner", + "Cronus Zen Studio - 528 files, 87 distinct days", + "HIGH", "input", + {"Pattern": "cronuszen", "Label": "Cronus Zen Studio", + "Directory": rf"{home}\AppData\Local\ConsoleTuner", + "FileCount": 528, "DistinctActivityDays": 87, + "ActivitySpanDays": 240, + "OldestWrite": _ago(days=240), + "NewestWrite": _ago(hours=8), + "MostRecentTimestamp": _ago(hours=8), + "AgeDays": 0}) + e.add("AppData", rf"{home}\AppData\Roaming\reWASD", + "reWASD - 96 files, 22 distinct days", + "HIGH", "input", + {"Pattern": "rewasd", "Label": "reWASD", + "Directory": rf"{home}\AppData\Roaming\reWASD", + "FileCount": 96, "DistinctActivityDays": 22, + "ActivitySpanDays": 128, + "OldestWrite": _ago(days=128), + "NewestWrite": _ago(days=1), + 
"MostRecentTimestamp": _ago(days=1), "AgeDays": 1}) + + # --- MEDIUM dual-use (capture / virtual-pad) — entirely normal for a + # console-stick player who also streams. e.add("Installed", "OBS Studio", "[obs studio] OBS Studio", "MEDIUM", "dual-use", {"Pattern": "obs studio", "Name": "OBS Studio", - "Publisher": "OBS Project", - "InstallDate": "2026-02-08", "Version": "30.1.2"}) - e.add("Installed", "Elgato 4K Capture Utility", - "[elgato] Elgato 4K Capture Utility", "MEDIUM", "dual-use", - {"Pattern": "elgato", "Name": "Elgato 4K Capture Utility", - "Publisher": "Corsair Memory, Inc.", - "InstallDate": "2026-04-19", "Version": "1.6.0"}) + "Publisher": "OBS Project", "InstallDate": "2026-02-08", + "Version": "30.1.2", + "MostRecentTimestamp": "2026-02-08T00:00:00", + "AgeDays": 107}) e.add("Installed", "DS4Windows", "[ds4windows] DS4Windows", "MEDIUM", "dual-use", {"Pattern": "ds4windows", "Name": "DS4Windows", - "Publisher": "Ryochan7", - "InstallDate": "2026-01-15", "Version": "3.3.3"}) - e.add("Services", "ViGEmBus", - "[vigembus] ViGEmBus | Virtual Gamepad Emulation Bus | C:\\Windows\\System32\\drivers\\ViGEmBus.sys", - "MEDIUM", "dual-use", - {"Pattern": "vigembus", "ServiceName": "ViGEmBus", - "DisplayName": "Virtual Gamepad Emulation Bus", - "ImagePath": r"C:\Windows\System32\drivers\ViGEmBus.sys"}) + "Publisher": "Ryochan7", "InstallDate": "2026-01-15", + "Version": "3.3.3", + "MostRecentTimestamp": "2026-01-15T00:00:00", + "AgeDays": 131}) - # INFO + RecencyDecay summary + # --- INFO ------------------------------------------------------------- + e.add("ProcessModules", "(scan)", + "Scanned 7204 DLL modules across all running processes", + "INFO", "other", {"ModulesScanned": 7204}) + e.add("KnownHashes", "(scan)", + "Hashed 268 executables, checked against 1 known-bad SHA256 sample(s)", + "INFO", "other", {"Hashed": 268, "DatabaseSize": 1}) e.add("RecencyDecay", "(summary)", - "Recency analysis: 4 recent, 0 historical (>180d demoted), 1 unknown-timestamp", 
+ "Recency analysis: 11 recent, 1 historical (>180d demoted), 1 unknown-timestamp", "INFO", "other", - {"ThresholdDays": 180, "RecentFindings": 4, - "HistoricalFindings": 0, "UnknownTimestampFindings": 1}) - e.add("ProcessModules", "(scan)", - "Scanned 6122 DLL modules across all running processes", - "INFO", "other", {"ModulesScanned": 6122}) + {"ThresholdDays": 180, "RecentFindings": 11, + "HistoricalFindings": 1, "UnknownTimestampFindings": 1}) + + # --- WARN ------------------------------------------------------------- + e.add("ShimCache", + r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache", + "Access denied", "WARN", "other", {}) + + # --- HISTORICAL ------------------------------------------------------- + e.add("Installed", "XIM APEX", + "[xim apex] XIM APEX (legacy)", "INFO", "input", + {"Pattern": "xim apex", "Name": "XIM APEX", + "InstallDate": "2021-06-12", + "MostRecentTimestamp": "2021-06-12T00:00:00", + "AgeDays": 1_809, "RecencyClass": "historical", + "OriginalSeverity": "MEDIUM"}) return e -def build_console_processes() -> list[ScoredItem]: +def build_input_processes() -> list[ScoredItem]: + home = r"C:\Users\Jordan" return [ - ScoredItem(name="obs64.exe", score="MEDIUM", kind="dual-use", - pattern="obs", reason="matches 'obs' (dual-use tool)", - extra={"ProcessId": "8120", "ParentProcessId": "4288", - "Started": _ago(hours=2), - "ExecutablePath": r"C:\Program Files\obs-studio\bin\64bit\obs64.exe", - "CommandLine": r'"C:\Program Files\obs-studio\bin\64bit\obs64.exe"'}), - ScoredItem(name="DS4Windows.exe", score="MEDIUM", kind="dual-use", - pattern="ds4windows", reason="matches 'ds4windows' (dual-use tool)", - extra={"ProcessId": "10428", "ParentProcessId": "4288", - "Started": _ago(hours=2), - "ExecutablePath": r"C:\Program Files\DS4Windows\DS4Windows.exe", - "CommandLine": r'"C:\Program Files\DS4Windows\DS4Windows.exe"'}), - ScoredItem(name="explorer.exe", score="CLEAN", kind="other", - extra={"ProcessId": "4288", 
"ParentProcessId": "4128", - "Started": _ago(days=1), - "ExecutablePath": r"C:\Windows\explorer.exe", - "CommandLine": r"C:\Windows\Explorer.EXE"}, - reason="standard system location"), + ScoredItem( + name="HidHideClient.exe", score="HIGH", kind="input", + pattern="hidhide", + reason="matches 'hidhide' (input-device keyword)", + extra={"ProcessId": "5104", "ParentProcessId": "4288", + "Started": _ago(hours=8), + "ExecutablePath": r"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe", + "CommandLine": r'"C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe"'}, + ), + ScoredItem( + name="reWASDEngine.exe", score="HIGH", kind="input", + pattern="rewasdengine", + reason="matches 'rewasdengine' (input-device keyword)", + extra={"ProcessId": "6248", "ParentProcessId": "984", + "Started": _ago(hours=8), + "ExecutablePath": r"C:\Program Files\reWASD\reWASDEngine.exe", + "CommandLine": r'"C:\Program Files\reWASD\reWASDEngine.exe" --service'}, + ), + ScoredItem( + name="XIM Matrix Manager.exe", score="HIGH", kind="input", + pattern="xim matrix", + reason="matches 'xim matrix' (input-device keyword)", + extra={"ProcessId": "9320", "ParentProcessId": "4288", + "Started": _ago(hours=8), + "ExecutablePath": r"C:\Program Files (x86)\XIM Technologies\XIM Matrix Manager\XIM Matrix Manager.exe", + "CommandLine": r'"C:\Program Files (x86)\XIM Technologies\XIM Matrix Manager\XIM Matrix Manager.exe"'}, + ), + ScoredItem( + name="explorer.exe", score="CLEAN", kind="other", + extra={"ProcessId": "4288", "ParentProcessId": "4128", + "Started": _ago(days=1), + "ExecutablePath": r"C:\Windows\explorer.exe", + "CommandLine": r"C:\Windows\Explorer.EXE"}, + reason="standard system location", + ), + ScoredItem( + name="svchost.exe", score="CLEAN", kind="other", + extra={"ProcessId": "1248", "ParentProcessId": "984", + "Started": _ago(days=1), + "ExecutablePath": r"C:\Windows\System32\svchost.exe", + "CommandLine": r"C:\Windows\System32\svchost.exe 
-k NetworkService"}, + reason="standard system location", + ), + ScoredItem( + name="chrome.exe", score="LOW", kind="other", + extra={"ProcessId": "12384", "ParentProcessId": "4288", + "Started": _ago(hours=2), + "ExecutablePath": r"C:\Program Files\Google\Chrome\Application\chrome.exe", + "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'}, + reason="runs from Program Files", + ), ] -def build_console_services() -> list[ScoredItem]: +def build_input_services() -> list[ScoredItem]: return [ - ScoredItem(name="ViGEmBus", score="MEDIUM", kind="dual-use", - pattern="vigembus", reason="matches 'vigembus' (dual-use tool)", - extra={"DisplayName": "Virtual Gamepad Emulation Bus", - "State": "Running", "StartMode": "Manual", - "PathName": r"C:\Windows\System32\drivers\ViGEmBus.sys", - "StartName": "LocalSystem", "ProcessId": "4"}), + ScoredItem( + name="HidHide", score="HIGH", kind="input", + pattern="hidhide", + reason="matches 'hidhide' (input-device keyword)", + extra={"DisplayName": "HidHide Service", "State": "Running", + "StartMode": "Auto", + "PathName": r"C:\Windows\System32\drivers\HidHide.sys", + "StartName": "LocalSystem", "ProcessId": "4"}, + ), + ScoredItem( + name="ViGEmBus", score="MEDIUM", kind="dual-use", + pattern="vigembus", + reason="matches 'vigembus' (dual-use tool)", + extra={"DisplayName": "Virtual Gamepad Emulation Bus", + "State": "Running", "StartMode": "Manual", + "PathName": r"C:\Windows\System32\drivers\ViGEmBus.sys", + "StartName": "LocalSystem", "ProcessId": "4"}, + ), + ScoredItem( + name="vgc", score="CLEAN", kind="other", + extra={"DisplayName": "vgc", "State": "Stopped", + "StartMode": "Manual", + "PathName": r'"C:\Program Files\Riot Vanguard\vgc.exe"', + "StartName": "LocalSystem", "ProcessId": "0"}, + reason="standard system location", + ), ] # --------------------------------------------------------------------------- -# Driver -# --------------------------------------------------------------------------- -def 
emit_pc(out_dir: Path) -> None: - engine = build_pc_engine() - processes = build_pc_processes() - services = build_pc_services() - - # Verdict counts (exclude historical). - high_cheats = [f for f in engine.findings - if f.severity == "HIGH" and f.kind == "cheat" - and f.metadata.get("RecencyClass") != "historical"] - high_input = [f for f in engine.findings - if f.severity == "HIGH" and f.kind == "input" - and f.metadata.get("RecencyClass") != "historical"] - medium_any = [f for f in engine.findings - if f.severity == "MEDIUM" - and f.metadata.get("RecencyClass") != "historical"] - historical = [f for f in engine.findings - if f.metadata.get("RecencyClass") == "historical"] - historical_high = [f for f in historical - if f.metadata.get("OriginalSeverity") == "HIGH"] - - proc_high_cheat = [p for p in processes if p.score == "HIGH" and p.kind == "cheat"] - proc_high_input = [p for p in processes if p.score == "HIGH" and p.kind == "input"] - proc_medium = [p for p in processes if p.score == "MEDIUM"] - svc_high_cheat = [s for s in services if s.score == "HIGH" and s.kind == "cheat"] - svc_high_input = [s for s in services if s.score == "HIGH" and s.kind == "input"] - svc_medium = [s for s in services if s.score == "MEDIUM"] - - total_cheat_high = len(high_cheats) + len(proc_high_cheat) + len(svc_high_cheat) - total_input_high = len(high_input) + len(proc_high_input) + len(svc_high_input) - total_medium = len(medium_any) + len(proc_medium) + len(svc_medium) - - ctx = ReportContext( - engine=engine, processes=processes, services=services, - verdict="CHEATS DETECTED", - total_cheat_high=total_cheat_high, - total_input_high=total_input_high, - total_medium=total_medium, - named_cheats=collect_named_items(engine, processes, services, "cheat", "HIGH"), - named_input=collect_named_items(engine, processes, services, "input", "HIGH"), - historical_findings=historical, - historical_high=historical_high, - medium_findings=medium_any, - proc_medium=proc_medium, - 
svc_medium=svc_medium, - lol_db_used=True, - ) - - spec = ReportSpec( - title=f"ALIBI {SCANNER_VERSION} - CONSOLIDATED REPORT", - quick_read_block=_pc_quick_read, - limitations=_PC_LIMITATIONS, - threshold_days=RECENCY_THRESHOLD_DAYS, - ) - - text_path = out_dir / "pc-mode-cheats-detected.txt" - html_path = out_dir / "pc-mode-cheats-detected_visual.html" - text_path.write_text(build_text_report(spec, ctx), encoding="utf-8") - write_html(str(html_path), render_html( - engine=engine, processes=processes, services=services, - verdict="CHEATS DETECTED", - threshold_days=RECENCY_THRESHOLD_DAYS, - report_title=f"Alibi {SCANNER_VERSION}", - mode_label="pc-mode", - lol_db_used=True, - )) - print(f" wrote: {text_path.name}") - print(f" wrote: {html_path.name}") - - -def emit_console(out_dir: Path) -> None: - engine = build_console_engine() - processes = build_console_processes() - services = build_console_services() - - medium_any = [f for f in engine.findings if f.severity == "MEDIUM"] - proc_medium = [p for p in processes if p.score == "MEDIUM"] - svc_medium = [s for s in services if s.score == "MEDIUM"] - total_medium = len(medium_any) + len(proc_medium) + len(svc_medium) - - ctx = ReportContext( - engine=engine, processes=processes, services=services, - verdict="CAPTURE STACK PRESENT", - total_cheat_high=0, total_input_high=0, total_medium=total_medium, - named_cheats=[], named_input=[], - historical_findings=[], historical_high=[], - medium_findings=medium_any, proc_medium=proc_medium, svc_medium=svc_medium, - lol_db_used=False, - capture_or_hid_medium_count=total_medium, other_medium_count=0, - ) - - spec = ReportSpec( - title=f"ALIBI (CONSOLE-RIG MODE) {CONSOLE_RIG_VERSION} - CONSOLIDATED REPORT", - quick_read_block=_console_quick_read, - limitations=_CONSOLE_LIMITATIONS, - threshold_days=RECENCY_THRESHOLD_DAYS, - ) - - text_path = out_dir / "console-rig-capture-stack.txt" - html_path = out_dir / "console-rig-capture-stack_visual.html" - 
text_path.write_text(build_text_report(spec, ctx), encoding="utf-8") - write_html(str(html_path), render_html( - engine=engine, processes=processes, services=services, - verdict="CAPTURE STACK PRESENT", - threshold_days=RECENCY_THRESHOLD_DAYS, - report_title=f"Alibi (console-rig mode) {CONSOLE_RIG_VERSION}", - mode_label="console-rig", - lol_db_used=False, - )) - print(f" wrote: {text_path.name}") - print(f" wrote: {html_path.name}") - - -# --------------------------------------------------------------------------- -# PC MODE — CLEAN (with a Historical demo) +# PC MODE — CLEAN (fabricated user: Alex) # --------------------------------------------------------------------------- def build_clean_engine() -> Engine: - e = Engine( - keywords_high_cheats=[], keywords_high_input=[], keywords_medium=[], - keywords_script_high=[], keywords_mouse_macro=[], - ) - # Recent: zero MEDIUM/HIGH. Just INFO scan summaries. + e = _make_engine() + e.add("ProcessModules", "(scan)", "Scanned 6021 DLL modules across all running processes", "INFO", "other", {"ModulesScanned": 6021}) 
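Review bot: In `build_input_engine` the `Installed` entries carry literal `InstallDate`/`MostRecentTimestamp` strings with a hard-coded `"AgeDays"` (`111`, `246`, `128`, `107`, `131`, `1_809`), while the USB and AppData entries take their timestamps from `_ago(...)`, which is evidently relative to the run time (the regenerated .txt timestamps all share the run's time of day); after the next regeneration the fixed-date entries' `AgeDays` will no longer agree with their dates, and the `RecencyDecay` summary (`11 recent, 1 historical ...` and the matching `RecentFindings`/`HistoricalFindings` literals) is likewise nothing but literals that no code keeps in step with the entries above it. Either express those dates through `_ago(days=111)` and friends, or derive `AgeDays` from the date string and the same reference time `_ago` uses; `build_clean_engine` has the same pattern with `XIM Manager 2018` (`"AgeDays": 2_750`). Separately, `home = r"C:\Users\Jordan"` is repeated in `build_input_engine` and `build_input_processes` (and `C:\Users\Marcus` in `build_cheats_processes`), so a module-level constant per fabricated user would keep the paths from drifting apart. With `emit_pc` and `emit_console` deleted, `_console_quick_read`, `_CONSOLE_LIMITATIONS` and `CONSOLE_RIG_VERSION` have no remaining reference in this hunk; if they are defined or imported only for this script they are now dead and should be removed in the same change.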
@@ -537,24 +586,20 @@ def build_clean_engine() -> Engine:
 {"ThresholdDays": 180, "RecentFindings": 0, "HistoricalFindings": 2, "UnknownTimestampFindings": 1})
- # Historical demo — proves the layout still reads when verdict is green
- # but there's history.
- e.add("Installed", "Old XIM Manager",
+ # WARN — typical access-denied artifact (BAM requires SYSTEM, not admin)
+ e.add("BAM", r"HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings",
+ "Access denied", "WARN", "other", {})
+
+ # HISTORICAL — proves the lifecycle still has a track when verdict is
+ # green but a long-ago artifact remains.
+ e.add("Installed", "XIM Manager 2018",
 "[xim] XIM Manager 2018", "INFO", "input", {"Pattern": "xim", "Name": "XIM Manager 2018", "InstallDate": "2018-11-04", "MostRecentTimestamp": "2018-11-04T00:00:00", "AgeDays": 2_750, "RecencyClass": "historical", "OriginalSeverity": "MEDIUM"})
- e.add("Prefetch", r"C:\Windows\Prefetch\OLDCHEAT.EXE-9F8E7D6C.pf",
- "[engineowning] OLDCHEAT (CoD MW 2019)",
- "MEDIUM", "cheat",
- {"Pattern": "engineowning",
- "FirstSeen": _ago(days=720),
- "LastModified": _ago(days=420),
- "MostRecentTimestamp": _ago(days=420),
- "AgeDays": 420, "RecencyClass": "historical",
- "OriginalSeverity": "HIGH"})
+
 return e
@@ -572,6 +617,12 @@ def build_clean_processes() -> list[ScoredItem]:
 "Started": _ago(days=1), "ExecutablePath": r"C:\Windows\System32\svchost.exe", "CommandLine": r"C:\Windows\System32\svchost.exe -k NetworkService"}),
+ ScoredItem(name="steam.exe", score="LOW", kind="other",
+ reason="runs from Program Files (x86)",
+ extra={"ProcessId": "8472", "ParentProcessId": "4288",
+ "Started": _ago(hours=4),
+ "ExecutablePath": r"C:\Program Files (x86)\Steam\steam.exe",
+ "CommandLine": r'"C:\Program Files (x86)\Steam\steam.exe" -silent'}),
 ScoredItem(name="chrome.exe", score="LOW", kind="other", reason="runs from Program Files", extra={"ProcessId": "12384", "ParentProcessId": "4288",
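Review bot: The `RecencyDecay` summary in the context line at the top of the hunk still says `"HistoricalFindings": 2`, but after this change `build_clean_engine` has exactly one historical entry — the OLDCHEAT Prefetch record is removed and only `XIM Manager 2018` remains — so the summary (and its message text just above the hunk, which presumably states the same count) should read `"HistoricalFindings": 1`. Adding the BAM `WARN` entry may also affect `"UnknownTimestampFindings": 1`, depending on how the real scanner classifies WARN records; the input fixture in this diff has one WARN and reports 1, the cheats report has two WARNs and reports 2, so it is worth confirming the clean fixture's value against whatever other WARN entries sit outside the hunk. The enclosing function starts before the hunk.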
@@ -585,29 +636,59 @@ def build_clean_services() -> list[ScoredItem]:
 return [ ScoredItem(name="vgc", score="CLEAN", kind="other", reason="standard system location",
- extra={"DisplayName": "vgc", "State": "Stopped",
- "StartMode": "Manual",
+ extra={"DisplayName": "vgc", "State": "Running",
+ "StartMode": "Auto",
 "PathName": r'"C:\Program Files\Riot Vanguard\vgc.exe"'}), ]
-def emit_clean(out_dir: Path) -> None:
- engine = build_clean_engine()
- processes = build_clean_processes()
- services = build_clean_services()
+# ---------------------------------------------------------------------------
+# Driver
+# ---------------------------------------------------------------------------
+def _emit(out_dir: Path, *, basename: str, verdict: str,
+ engine: Engine, processes: list[ScoredItem],
+ services: list[ScoredItem], lol_db_used: bool) -> None:
+ """Shared emit path: derive verdict counts, build ctx + spec, write
+ both .txt and _visual.html via the production formatters."""
+ high_cheats = [f for f in engine.findings
+ if f.severity == "HIGH" and f.kind == "cheat"
+ and f.metadata.get("RecencyClass") != "historical"]
+ high_input = [f for f in engine.findings
+ if f.severity == "HIGH" and f.kind == "input"
+ and f.metadata.get("RecencyClass") != "historical"]
+ medium_any = [f for f in engine.findings
+ if f.severity == "MEDIUM"
+ and f.metadata.get("RecencyClass") != "historical"]
+ historical = [f for f in engine.findings
+ if f.metadata.get("RecencyClass") == "historical"]
+ historical_high = [f for f in historical
+ if f.metadata.get("OriginalSeverity") == "HIGH"]
+
+ proc_high_cheat = [p for p in processes if p.score == "HIGH" and p.kind == "cheat"]
+ proc_high_input = [p for p in processes if p.score == "HIGH" and p.kind == "input"]
+ proc_medium = [p for p in processes if p.score == "MEDIUM"]
+ svc_high_cheat = [s for s in services if s.score == "HIGH" and s.kind == "cheat"]
+ svc_high_input = [s for s in services if s.score == "HIGH" and s.kind == "input"]
+ 
svc_medium = [s for s in services if s.score == "MEDIUM"]
+
+ total_cheat_high = len(high_cheats) + len(proc_high_cheat) + len(svc_high_cheat)
+ total_input_high = len(high_input) + len(proc_high_input) + len(svc_high_input)
+ total_medium = len(medium_any) + len(proc_medium) + len(svc_medium)
 ctx = ReportContext( engine=engine, processes=processes, services=services,
- verdict="CLEAN",
- total_cheat_high=0, total_input_high=0, total_medium=0,
- named_cheats=[], named_input=[],
- historical_findings=[f for f in engine.findings
- if f.metadata.get("RecencyClass") == "historical"],
- historical_high=[f for f in engine.findings
- if f.metadata.get("OriginalSeverity") == "HIGH"
- and f.metadata.get("RecencyClass") == "historical"],
- medium_findings=[], proc_medium=[], svc_medium=[],
- lol_db_used=False,
+ verdict=verdict,
+ total_cheat_high=total_cheat_high,
+ total_input_high=total_input_high,
+ total_medium=total_medium,
+ named_cheats=collect_named_items(engine, processes, services, "cheat", "HIGH"),
+ named_input=collect_named_items(engine, processes, services, "input", "HIGH"),
+ historical_findings=historical,
+ historical_high=historical_high,
+ medium_findings=medium_any,
+ proc_medium=proc_medium,
+ svc_medium=svc_medium,
+ lol_db_used=lol_db_used,
 ) spec = ReportSpec( 
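Review bot: `_emit` is now the shared path for all three fixtures, but the `spec = ReportSpec(` it builds (its field lines fall outside the hunk) and the `mode_label`/`report_title` passed further down are still whatever `emit_clean` used; the deleted `emit_pc` supplied `_pc_quick_read` and `_PC_LIMITATIONS` for its spec, so if emit_clean's hidden spec lines name anything different, the cheats report has silently changed its quick-read block and limitations text. Worth confirming those lines and, if they are scenario-specific, making them keyword parameters of `_emit` alongside `basename` and `verdict`. The docstring could also state the one rule callers rely on, since the wrappers pass engines with historical entries: `Counts exclude findings whose RecencyClass is "historical"; those are passed separately as historical_findings/historical_high.` `_emit` continues past the end of the hunk.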
@@ -617,23 +698,52 @@ def emit_clean(out_dir: Path) -> None:
 threshold_days=RECENCY_THRESHOLD_DAYS, )
- text_path = out_dir / "pc-mode-clean.txt"
- html_path = out_dir / "pc-mode-clean_visual.html"
+ text_path = out_dir / f"{basename}.txt"
+ html_path = out_dir / f"{basename}_visual.html"
 text_path.write_text(build_text_report(spec, ctx), encoding="utf-8") write_html(str(html_path), render_html( engine=engine, processes=processes, services=services,
- verdict="CLEAN", threshold_days=RECENCY_THRESHOLD_DAYS,
+ verdict=verdict,
+ threshold_days=RECENCY_THRESHOLD_DAYS,
 report_title=f"Alibi {SCANNER_VERSION}",
- mode_label="pc-mode", lol_db_used=False,
+ mode_label="pc-mode",
+ lol_db_used=lol_db_used,
 )) print(f" wrote: {text_path.name}") print(f" wrote: {html_path.name}")
+def emit_cheats(out_dir: Path) -> None:
+ _emit(out_dir, basename="pc-mode-cheats-detected",
+ verdict="CHEATS DETECTED",
+ engine=build_cheats_engine(),
+ processes=build_cheats_processes(),
+ services=build_cheats_services(),
+ lol_db_used=True)
+
+
+def emit_input(out_dir: Path) -> None:
+ _emit(out_dir, basename="pc-mode-input-devices-detected",
+ verdict="INPUT DEVICES DETECTED",
+ engine=build_input_engine(),
+ processes=build_input_processes(),
+ services=build_input_services(),
+ lol_db_used=False)
+
+
+def emit_clean(out_dir: Path) -> None:
+ _emit(out_dir, basename="pc-mode-clean",
+ verdict="CLEAN",
+ engine=build_clean_engine(),
+ processes=build_clean_processes(),
+ services=build_clean_services(),
+ lol_db_used=False)
+
+
 if __name__ == "__main__": out_dir = _HERE print(f"Generating synthetic examples into {out_dir}")
- emit_pc(out_dir)
- emit_console(out_dir)
+ emit_cheats(out_dir)
+ emit_input(out_dir)
 emit_clean(out_dir) print("Done.")
diff --git a/python/examples/pc-mode-cheats-detected.txt b/python/examples/pc-mode-cheats-detected.txt
index 7aefe52..1863856 100644
--- a/python/examples/pc-mode-cheats-detected.txt
+++ b/python/examples/pc-mode-cheats-detected.txt
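Review bot: `mode_label="pc-mode"` and `report_title=f"Alibi {SCANNER_VERSION}"` stay fixed inside `_emit` while `verdict` and `lol_db_used` became parameters; that is correct as long as every fixture is PC mode, but nothing in the code says so, and the deleted `emit_console` shows a second mode used to exist. Suggest a comment on the `mode_label` line: `# all fixtures are pc-mode; add a mode_label/title parameter before reusing _emit for another mode`. The three `emit_*` wrappers would also read better with a one-line docstring naming the scenario each one renders, e.g. `"""Fixture: active cheat stack (fabricated user Marcus)."""` for `emit_cheats`, and `"""Fixture: XIM/Cronus/HidHide/reWASD input stack, no cheats (fabricated user Jordan)."""` for `emit_input`. `_emit` starts before this hunk.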
@@ -9,9 +9,9 @@ Named items (cheat-confidence): - [Prefetch] engineowning - [engineowning] ENGINEOWNING - - [MUICache] rut.gg - [rut.gg] C:\Users\Bob\Downloads\RUT V4 Launcher.exe - - [DMA] ? - pcileech firmware build output: pcileech_top.bin - - [KnownHashes] RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg) - [RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg)] hash match - confirmed cheat sample + - [MUICache] rut.gg - [rut.gg] C:\Users\Marcus\Downloads\RUT V4 Launcher.exe + - [DMA] pcileech - pcileech firmware build output: pcileech_top.bin + - [KnownHashes] RUT V4 Launcher.exe (rut.gg) - [RUT V4 Launcher.exe (rut.gg)] hash match - confirmed cheat sample - [LOLDrivers] ? - VULNERABLE DRIVER - hash confirmed (BYOVD risk): rtcore64.sys - [UserScripts] bcdedit /set testsigning - [bcdedit /set testsigning] ~\Desktop\setup.bat - high-risk command pattern inside script - [UserScripts] MoveMouseRelative - [MoveMouseRelative] ~\Documents\macros\norecoil.lua - mouse-macro / anti-recoil script pattern 
@@ -19,16 +19,16 @@ - [AIVision] ? - ONNX model co-located with AI-aimbot executable: yolov8n.onnx - [BCD] ? - TEST SIGNING ENABLED - unsigned drivers can load - [Process] engineowning - ENGINEOWNING.exe (PID 9128) - - [Service] hidhide - HidHide (Running) Also detected (input devices - separate category): - [USB] cronus - [cronus] Cronus Zen - - [AppData] ? - Cronus / Titan - 247 files, 38 distinct days + - [AppData] cronuszen - Cronus Zen Studio - 184 files, 29 distinct days + - [Service] hidhide - HidHide (Running) ---------------------------------------------------------------- HISTORICAL findings (logged, did NOT affect verdict) ---------------------------------------------------------------- - 2 finding(s) older than 180 days were demoted by the + 1 finding(s) older than 180 days were demoted by the recency-decay rule. These are visible below in the full report but did not count toward the verdict above. Old artifacts from games or tools the user has long since stopped using should not make a @@ -43,7 +43,7 @@ ALIBI v4.0 - CONSOLIDATED REPORT ================================================================ - Generated: 2026-05-25 23:48:18 + Generated: 2026-05-26 02:14:11 Hostname: BREAD-PC Username: BradS OS: Windows 11 (10.0.26200) 
@@ -59,131 +59,151 @@ Summary (recent, within last 180 days - verdict-relevant): HIGH findings : 12 - MEDIUM findings : 4 - INFO items : 4 + MEDIUM findings : 3 + INFO items : 3 WARN (access) : 2 Summary (historical, >180 days old - logged but did NOT affect verdict): - Demoted historical findings : 2 + Demoted historical findings : 1 (Originally HIGH-severity : 1) [HIGH/cheat] [AIVision] [aimmy] AI-vision aimbot executable: aimmy.exe - Source: C:\Users\Bob\source\aimmy\aimmy.exe + Source: C:\Users\Marcus\source\aimmy\aimmy.exe Pattern: aimmy FileName: aimmy.exe - FullPath: C:\Users\Bob\source\aimmy\aimmy.exe + FullPath: C:\Users\Marcus\source\aimmy\aimmy.exe SizeBytes: 18223104 - Created: 2026-05-07T23:48:18 - LastWrite: 2026-05-23T23:48:18 + Created: 2026-05-08T02:14:11 + LastWrite: 2026-05-24T02:14:11 + MostRecentTimestamp: 2026-05-24T02:14:11 + AgeDays: 2 [HIGH/cheat] [AIVision] ONNX model co-located with AI-aimbot executable: yolov8n.onnx - Source: C:\Users\Bob\source\aimmy\yolov8n.onnx + Source: C:\Users\Marcus\source\aimmy\models\yolov8n.onnx FileName: yolov8n.onnx - FullPath: C:\Users\Bob\source\aimmy\yolov8n.onnx + FullPath: C:\Users\Marcus\source\aimmy\models\yolov8n.onnx SizeBytes: 12405633 - CoLocated: C:\Users\Bob\source\aimmy\aimmy.exe - Created: 2026-05-07T23:48:18 - LastWrite: 2026-05-07T23:48:18 - - [HIGH/input] [AppData] Cronus / Titan - 247 files, 38 distinct days - Source: C:\Users\Bob\AppData\Local\ConsoleTuner - Label: Cronus / Titan - Directory: C:\Users\Bob\AppData\Local\ConsoleTuner - FileCount: 247 - DistinctActivityDays: 38 - ActivitySpanDays: 95 - OldestWrite: 2026-02-19T23:48:18 - NewestWrite: 2026-05-24T23:48:18 + CoLocated: C:\Users\Marcus\source\aimmy\aimmy.exe + Created: 2026-05-08T02:14:11 + LastWrite: 2026-05-08T02:14:11 + MostRecentTimestamp: 2026-05-08T02:14:11 + AgeDays: 18 + + [HIGH/input] [AppData] Cronus Zen Studio - 184 files, 29 distinct days + Source: C:\Users\Marcus\AppData\Local\ConsoleTuner + Pattern: cronuszen + 
Label: Cronus Zen Studio + Directory: C:\Users\Marcus\AppData\Local\ConsoleTuner + FileCount: 184 + DistinctActivityDays: 29 + ActivitySpanDays: 92 + OldestWrite: 2026-02-23T02:14:11 + NewestWrite: 2026-05-25T02:14:11 + MostRecentTimestamp: 2026-05-25T02:14:11 + AgeDays: 1 [HIGH/cheat] [BCD] TEST SIGNING ENABLED - unsigned drivers can load Source: testsigning [HIGH/cheat] [DMA] pcileech firmware build output: pcileech_top.bin - Source: C:\Users\Bob\source\pcileech-fpga-build\pcileech_top.bin + Source: C:\Users\Marcus\source\pcileech-fpga-build\pcileech_top.bin + Pattern: pcileech FileName: pcileech_top.bin - FullPath: C:\Users\Bob\source\pcileech-fpga-build\pcileech_top.bin - Created: 2026-05-04T23:48:18 - - [HIGH/cheat] [KnownHashes] [RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg)] hash match - confirmed cheat sample - Source: C:\Users\Bob\Downloads\RUT AND RUAVT LAUNCHER UPDATED.exe - Pattern: RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg) + FullPath: C:\Users\Marcus\source\pcileech-fpga-build\pcileech_top.bin + SizeBytes: 4194304 + Created: 2026-05-09T02:14:11 + LastWrite: 2026-05-20T02:14:11 + MostRecentTimestamp: 2026-05-20T02:14:11 + AgeDays: 6 + + [HIGH/cheat] [KnownHashes] [RUT V4 Launcher.exe (rut.gg)] hash match - confirmed cheat sample + Source: C:\Users\Marcus\Downloads\RUT V4 Launcher.exe + Pattern: RUT V4 Launcher.exe (rut.gg) SHA256: b1b89dedcff0c502d605a707e550b1565224b5949e778168ac45f01b8171160f - FileName: RUT AND RUAVT LAUNCHER UPDATED.exe - FullPath: C:\Users\Bob\Downloads\RUT AND RUAVT LAUNCHER UPDATED.exe + FileName: RUT V4 Launcher.exe + FullPath: C:\Users\Marcus\Downloads\RUT V4 Launcher.exe SizeBytes: 8421376 - LastWrite: 2026-05-20T23:48:18 - KnownSampleOf: RUT AND RUAVT LAUNCHER UPDATED.exe (rut.gg) + LastWrite: 2026-05-22T02:14:11 + MostRecentTimestamp: 2026-05-22T02:14:11 + AgeDays: 4 + KnownSampleOf: RUT V4 Launcher.exe (rut.gg) HashSource: Hybrid Analysis sandbox report [HIGH/cheat] [LOLDrivers] VULNERABLE DRIVER - hash confirmed (BYOVD 
risk): rtcore64.sys - Source: C:\Users\Bob\AppData\Local\Temp\rtcore64.sys + Source: C:\Users\Marcus\AppData\Local\Temp\rtcore64.sys DeviceName: RTCore64 Manufacturer: MSI IsSigned: True FileName: rtcore64.sys - FilePath: C:\Users\Bob\AppData\Local\Temp\rtcore64.sys + FilePath: C:\Users\Marcus\AppData\Local\Temp\rtcore64.sys LOLDrivers_Id: 0c9b1b21-5e26-4e0e-8baa-2bbb4ce4f0bd LOLDrivers_Category: vulnerable LOLDrivers_Tags: rtcore64.sys,rtcore32.sys LOLDrivers_MatchBy: SHA256 SHA256: 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd LOLDrivers_URL: https://www.loldrivers.io/drivers/0c9b1b21-5e26-4e0e-8baa-2bbb4ce4f0bd/ + MostRecentTimestamp: 2026-05-19T02:14:11 + AgeDays: 7 - [HIGH/cheat] [MUICache] [rut.gg] C:\Users\Bob\Downloads\RUT V4 Launcher.exe - Source: HKCU\...\MuiCache + [HIGH/cheat] [MUICache] [rut.gg] C:\Users\Marcus\Downloads\RUT V4 Launcher.exe + Source: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache Pattern: rut.gg - Value: C:\Users\Bob\Downloads\RUT V4 Launcher.exe + Value: C:\Users\Marcus\Downloads\RUT V4 Launcher.exe Data: RUT and RUAVT - LastWrite: 2026-05-20T23:48:18 + LastWrite: 2026-05-22T02:14:11 + MostRecentTimestamp: 2026-05-22T02:14:11 + AgeDays: 4 [HIGH/cheat] [Prefetch] [engineowning] ENGINEOWNING - Source: C:\Windows\Prefetch\ENGINEOWNING.EXE-1A2B3C4D.pf + Source: C:\Windows\Prefetch\ENGINEOWNING.EXE-7A4C2E91.pf Pattern: engineowning - FirstSeen: 2026-05-11T23:48:18 - LastModified: 2026-05-23T23:48:18 + FirstSeen: 2026-05-15T02:14:11 + LastModified: 2026-05-24T02:14:11 + MostRecentTimestamp: 2026-05-24T02:14:11 + AgeDays: 2 [HIGH/input] [USB] [cronus] Cronus Zen Source: VID_2E24&PID_1000 Pattern: cronus FriendlyName: Cronus Zen VID_PID: VID_2E24&PID_1000 - FirstInstall: 2026-01-25T23:48:18 - LastArrival: 2026-05-24T23:48:18 - LastRemoval: 2026-05-25T19:48:18 + FirstInstall: 2026-02-28T02:14:11 + LastArrival: 2026-05-25T02:14:11 + LastRemoval: 2026-05-25T20:14:11 + MostRecentTimestamp: 
2026-05-25T02:14:11 + AgeDays: 1 [HIGH/cheat] [UserScripts] [bcdedit /set testsigning] ~\Desktop\setup.bat - high-risk command pattern inside script - Source: C:\Users\Bob\Desktop\setup.bat + Source: C:\Users\Marcus\Desktop\setup.bat Pattern: bcdedit /set testsigning MatchKind: high-risk command in script FileName: setup.bat - FullPath: C:\Users\Bob\Desktop\setup.bat + FullPath: C:\Users\Marcus\Desktop\setup.bat SizeBytes: 412 - LastWrite: 2026-05-17T23:48:18 + LastWrite: 2026-05-18T02:14:11 + MostRecentTimestamp: 2026-05-18T02:14:11 + AgeDays: 8 [HIGH/cheat] [UserScripts] [MoveMouseRelative] ~\Documents\macros\norecoil.lua - mouse-macro / anti-recoil script pattern - Source: C:\Users\Bob\Documents\macros\norecoil.lua + Source: C:\Users\Marcus\Documents\macros\norecoil.lua Pattern: MoveMouseRelative MatchKind: mouse-macro / anti-recoil script FileName: norecoil.lua - FullPath: C:\Users\Bob\Documents\macros\norecoil.lua - SizeBytes: 1847 - LastWrite: 2026-05-22T23:48:18 + FullPath: C:\Users\Marcus\Documents\macros\norecoil.lua + SizeBytes: 2104 + LastWrite: 2026-05-23T02:14:11 + MostRecentTimestamp: 2026-05-23T02:14:11 + AgeDays: 3 - [MEDIUM/dual-use] [DLLInject] Injector activity: xenos64.dll @ 2026-05-14T23:48:18 + [MEDIUM/dual-use] [DLLInject] Injector activity: xenos64.dll @ 2026-05-15T02:14:11 Source: Sysmon EID 7 Source: Sysmon EID 7 - Timestamp: 2026-05-14T23:48:18 - ImageLoaded: C:\Users\Bob\source\xenos\xenos64.dll + Timestamp: 2026-05-15T02:14:11 + ImageLoaded: C:\Users\Marcus\source\xenos\xenos64.dll TargetProcess: explorer.exe ProcessId: 4288 - - [MEDIUM/dual-use] [Drivers] UNSIGNED: obscure_helper - Source: obscure_helper - DeviceName: obscure_helper - Manufacturer: Unknown - IsSigned: False - FileName: obscure_helper.sys - FilePath: C:\Windows\System32\drivers\obscure_helper.sys + MostRecentTimestamp: 2026-05-15T02:14:11 + AgeDays: 11 [MEDIUM/dual-use] [Installed] [cheatengine] Cheat Engine 7.5 Source: Cheat Engine 7.5 
@@ -192,14 +212,18 @@ Publisher: Dark Byte InstallDate: 2026-03-12 Version: 7.5 - - [MEDIUM/dual-use] [ObscuredNames] Obscured filename: raw hex name (deadbeef12345678.exe) - Source: C:\Users\Bob\Downloads\deadbeef12345678.exe - FileName: deadbeef12345678.exe - FullPath: C:\Users\Bob\Downloads\deadbeef12345678.exe - Pattern: raw hex name (deadbeef12345678.exe) + MostRecentTimestamp: 2026-03-12T00:00:00 + AgeDays: 75 + + [MEDIUM/dual-use] [ObscuredNames] Obscured filename: raw hex name (3a7b9c1e2d4f6018.exe) + Source: C:\Users\Marcus\Downloads\3a7b9c1e2d4f6018.exe + FileName: 3a7b9c1e2d4f6018.exe + FullPath: C:\Users\Marcus\Downloads\3a7b9c1e2d4f6018.exe + Pattern: raw hex name (3a7b9c1e2d4f6018.exe) SizeBytes: 1204800 - LastWrite: 2026-05-21T23:48:18 + LastWrite: 2026-05-22T02:14:11 + MostRecentTimestamp: 2026-05-22T02:14:11 + AgeDays: 4 [WARN/other] [BAM] Access denied Source: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings @@ -207,14 +231,6 @@ [WARN/other] [ShimCache] Access denied Source: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache - [INFO/other] [AIVision] ONNX model present (no aimbot constellation): resnet50.onnx - Source: C:\Users\Bob\Documents\ml-class\resnet50.onnx - FileName: resnet50.onnx - FullPath: C:\Users\Bob\Documents\ml-class\resnet50.onnx - SizeBytes: 102400000 - Created: 2026-04-13T23:48:18 - LastWrite: 2026-04-15T23:48:18 - [INFO/other] [KnownHashes] Hashed 312 executables, checked against 1 known-bad SHA256 sample(s) Source: (scan) Hashed: 312 
@@ -224,33 +240,23 @@ Source: (scan) ModulesScanned: 8412 - [INFO/other] [RecencyDecay] Recency analysis: 19 recent, 4 historical (>180d demoted), 2 unknown-timestamp + [INFO/other] [RecencyDecay] Recency analysis: 19 recent, 3 historical (>180d demoted), 2 unknown-timestamp Source: (summary) ThresholdDays: 180 RecentFindings: 19 - HistoricalFindings: 4 + HistoricalFindings: 3 UnknownTimestampFindings: 2 ------------------------------------------------------------ HISTORICAL FINDINGS (>180 days old, did NOT affect verdict) ------------------------------------------------------------ - [INFO/input] [Installed] [HISTORICAL was MEDIUM, 2750d old] [xim] XIM Manager 2018 - Source: Old XIM Manager - Pattern: xim - Name: XIM Manager 2018 - InstallDate: 2018-11-04 - MostRecentTimestamp: 2018-11-04T00:00:00 - AgeDays: 2750 - RecencyClass: historical - OriginalSeverity: MEDIUM - [MEDIUM/cheat] [Prefetch] [HISTORICAL was HIGH, 420d old] [engineowning] OLDCHEAT (CoD MW 2019) Source: C:\Windows\Prefetch\OLDCHEAT.EXE-9F8E7D6C.pf Pattern: engineowning - FirstSeen: 2024-06-04T23:48:18 - LastModified: 2025-03-31T23:48:18 - MostRecentTimestamp: 2025-03-31T23:48:18 + FirstSeen: 2024-06-05T02:14:11 + LastModified: 2025-04-01T02:14:11 + MostRecentTimestamp: 2025-04-01T02:14:11 AgeDays: 420 RecencyClass: historical OriginalSeverity: HIGH @@ -268,8 +274,8 @@ HIGH and MEDIUM processes (full detail): [HIGH/cheat] ENGINEOWNING.exe (PID 9128) - Path: C:\Users\Bob\AppData\Local\engineowning\EO.exe - Cmd: "C:\Users\Bob\AppData\Local\engineowning\EO.exe" --loader + Path: C:\Users\Marcus\AppData\Local\engineowning\EO.exe + Cmd: "C:\Users\Marcus\AppData\Local\engineowning\EO.exe" --loader Reason: matches 'engineowning' (cheat keyword) Pattern: engineowning 
@@ -281,7 +287,7 @@ Full processes table (sorted by suspicion score): - HIGH PID 9128 ENGINEOWNING.exe C:\Users\Bob\AppData\Local\engineowning\EO.exe + HIGH PID 9128 ENGINEOWNING.exe C:\Users\Marcus\AppData\Local\engineowning\EO.exe MEDIUM PID 7416 cheatengine-x86_64.exe C:\Program Files\Cheat Engine 7.5\cheatengine-x86_64.exe CLEAN PID 4288 explorer.exe C:\Windows\explorer.exe CLEAN PID 1248 svchost.exe C:\Windows\System32\svchost.exe @@ -299,11 +305,11 @@ HIGH and MEDIUM services (full detail): - [HIGH/cheat] HidHide (Running) + [HIGH/input] HidHide (Running) Display: HidHide Service Path: C:\Program Files\Nefarius Software Solutions\HidHide\x64\HidHideClient.exe Mode: Auto - Reason: matches 'hidhide' (cheat keyword) + Reason: matches 'hidhide' (input-device keyword) Pattern: hidhide [MEDIUM/dual-use] ViGEmBus (Running) @@ -329,4 +335,4 @@ - Keyword matching only. Sophisticated cleaners can wipe most of these artifacts. - A clean result is necessary but not sufficient. - Report generated: 2026-05-25 23:48:18 + Report generated: 2026-05-26 02:14:11 diff --git a/python/examples/pc-mode-cheats-detected_visual.html b/python/examples/pc-mode-cheats-detected_visual.html index 3db7f13..871f338 100644 --- a/python/examples/pc-mode-cheats-detected_visual.html +++ b/python/examples/pc-mode-cheats-detected_visual.html @@ -1,7 +1,7 @@ -alibi · BREAD-PC · 2026-05-25 · CHEATS DETECTED +alibi · BREAD-PC · 2026-05-26 · CHEATS DETECTED ') + [void]$sb.AppendLine("') + [void]$sb.AppendLine('') + [void]$sb.AppendLine('
')
+
+ [void]$sb.AppendLine((Render-DocBar $ctx $LolDbUsed))
+ [void]$sb.AppendLine((Render-Verdict $ctx $state $subText $ModeLabel $recent $archived $ctx.Processes $ctx.Services $named))
+ [void]$sb.AppendLine((Render-Timeline $state $recent $archived $findingIds))
+ [void]$sb.AppendLine((Render-Lifecycle $recent $ctx.Processes $findingIds))
+ [void]$sb.AppendLine((Render-CatMap $recent))
+ [void]$sb.AppendLine((Render-Donut $recent $ctx.Processes $ctx.Services))
+ [void]$sb.AppendLine((Render-FindingsSection $recent $findingIds))
+ [void]$sb.AppendLine((Render-Runtime $ctx.Processes $ctx.Services $processIds $serviceIds))
+ [void]$sb.AppendLine((Render-Historical $archived $script:RECENCY_THRESHOLD_DAYS))
+ [void]$sb.AppendLine((Render-Coverage $coverage))
+ [void]$sb.AppendLine((Render-DocFoot $LolDbUsed))
+
+ [void]$sb.AppendLine('
')
+ [void]$sb.AppendLine('')
+ [void]$sb.AppendLine('')
+
+ $html = $sb.ToString()
+ Set-Content -Path $OutputPath -Value $html -Encoding UTF8
+
+ Write-Host ''
+ Write-Host '================================================================' -ForegroundColor Green
+ Write-Host ' Visual companion (dark-tactical) generated.' -ForegroundColor Green
+ Write-Host " Input: $InputPath"
+ Write-Host " Output: $OutputPath"
+ Write-Host " Verdict: $($ctx.Verdict)"
+ Write-Host " Mode: $ModeLabel"
+ Write-Host '================================================================' -ForegroundColor Green
+}
diff --git a/python/src/alibi/visual_scripts.js b/scanner/visual_scripts.js
similarity index 100%
rename from python/src/alibi/visual_scripts.js
rename to scanner/visual_scripts.js
diff --git a/python/src/alibi/visual_styles.css b/scanner/visual_styles.css
similarity index 96%
rename from python/src/alibi/visual_styles.css
rename to scanner/visual_styles.css
index 07fb9f3..4a9694a 100644
--- a/python/src/alibi/visual_styles.css
+++ b/scanner/visual_styles.css
@@ -1257,6 +1257,79 @@ table.runtime .meta-row td {
 .hist .finding-head .cat-tag { color: var(--ink-4); }
 .hist .finding-title { color: var(--ink-3); }
 .hist .sev-tag { opacity: 0.7; }
+
+/* ─── lifecycle (per-keyword linear timeline) ─────────────────────── */
+.lifecycle { margin-top: 28px; }
+.lifecycle .lc-svg {
+ width: 100%;
+ height: auto;
+ display: block;
+ margin: 12px 0 6px;
+ background: var(--panel);
+ border: 1px solid var(--rule);
+ border-radius: 4px;
+ padding: 4px 0;
+}
+.lc-axis-tick {
+ stroke: var(--rule-2);
+ stroke-width: 1;
+ stroke-dasharray: 1 5;
+}
+.lc-axis-label {
+ fill: var(--ink-5);
+ font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+ font-size: 10px;
+ letter-spacing: 0.10em;
+ font-weight: 700;
+}
+.lc-lane-rule {
+ stroke: var(--rule);
+ stroke-width: 1;
+ stroke-dasharray: 1 4;
+}
+.lc-track-label {
+ fill: var(--ink-3);
+ font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+ font-size: 11px;
+ font-weight: 700;
+ letter-spacing: 0.14em;
+}
+.lc-today line {
+ stroke: var(--accent, #7dd3fc);
+ stroke-width: 1.5;
+ opacity: 0.85;
+}
+.lc-today text {
+ fill: var(--accent, #7dd3fc);
+ font-family: ui-monospace, monospace;
+ font-size: 10.5px;
+ font-weight: 700;
+ letter-spacing: 0.10em;
+ text-transform: uppercase;
+}
+.lc-event {
+ cursor: pointer;
+ transition: r 0.12s ease, opacity 0.12s ease;
+}
+.lc-event.hi { fill: var(--hi); }
+.lc-event.md { fill: var(--md); }
+.lc-event:hover { r: 6; }
+.lc-install {
+ fill: none;
+ stroke-width: 2;
+ cursor: pointer;
+ transition: stroke-width 0.12s ease;
+}
+.lc-install.hi { stroke: var(--hi); }
+.lc-install.md { stroke: var(--md); }
+.lc-install:hover { stroke-width: 3; }
+.lc-cap {
+ font-size: 12.5px;
+ color: var(--ink-3);
+ line-height: 1.55;
+ max-width: 78ch;
+ margin-top: 8px;
+}
 .hist-orig { display: inline-flex; align-items: baseline; gap: 4px; font-family: ui-monospace, monospace;