3.3.0.10 Alpha

 - Unlocked the ability to remove services with Microsoft-signed executable.
 - Added company and SHA1 hash output for files with damaged digital signature, marked as "(invalid sign)".
 - The allowed file size for hash verification has been increased to 300 MiB. If the check exceeds or fails, this will be indicated in the log.
 - Improved digital signature verification: for Win 8+, the secondary signature (of the manufacturer) is displayed, if the primary signature by Microsoft.
 - Bugs of the previous build have been fixed.

README.md

@@ -15,7 +15,7 @@ _(this is alpha-version - major changes are in progress; some functions may work
 
 At the moment, it is a step-by-step 100% rewritten source code of the original engine, aimed to provide a full compatiblity with the most recent Windows OS and a balance beetween compiling very fast results in logfile and combatting with the most popular malware, inluding the one not known to other antiviruses.
 
-It is made by Alex Dragokas - a lawyer, security observer and malware researcher from Ukraine ([Chernobyl](https://en.wikipedia.org/wiki/Chernobyl_disaster), [Na'Vi](https://en.wikipedia.org/wiki/Natus_Vincere), [Щедрик](https://www.youtube.com/watch?v=ZZEMvVcf5-Q), Male slavery, nazism, fascism, [concentration camp](https://www.youtube.com/watch?v=3ASp9tr_-DQ), War of money, authority and blackmail, USA Bio-labs, [radioactive contamination from British](https://www.youtube.com/watch?v=ajY4qcc4OWc), Bombs, drones, whores and crazy people, Colony of USA). Yankee go home! F\*ck Russia, F\*ck Ukraine, F\*ck USA, F\*ck all the world giving weapon for killing the people, imposing sanctions against Ukrainian people in Crimea. F\*cking ukrainophobs, rusophobs and castrated negrophobes, provoking genocide of Ukrainian people with hundred tons of "free" cluster and nuclear weapon, exploding at our land like your own polygon.
+It is made by Alex Dragokas - a lawyer, security observer and malware researcher from Ukraine.
 
 ## Overview
 

src/HiJackThis-update-test.txt

@@ -1 +1 @@
-3.3.0.9
+3.3.0.10

src/HiJackThis-update.txt

@@ -1 +1 @@
-3.3.0.9
+3.3.0.10

src/_3_AV_Check.cmd

@@ -0,0 +1,140 @@
+@rem For stand-alone updated version, refer to:
+@rem https://www.safezone.cc/resources/virustotal-console-checker.233/
+@rem https://github.com/VirusTotal/vt-cli/releases
+@echo off
+SetLocal EnableExtensions
+pushd "%~dp0"
+::title VirusTotal Console Checker v1.3
+echo VirusTotal check ... & echo.
+
+set vt_cli=tools\VirusTotal\vt.exe
+set "filepath=%~f1"
+if "%filepath%"=="" set "filepath=%~DP0HiJackThis.exe"
+set "hash="
+
+if not exist "%vt_cli%" (
+  echo vt.exe doesn't found!
+  echo Download it at: https://github.com/VirusTotal/vt-cli/releases
+  pause & goto :eof
+)
+if not exist "%UserProfile%\.vt.toml" %vt_cli% init
+
+:enter_path
+  if not defined filepath (set /p "filepath=Enter file path to check on VT: " & goto enter_path)
+  if not exist "%filepath%" (echo Cannot found file: "%filepath%" & set "filepath=" & goto enter_path)
+  echo.
+  echo Checking file: "%filepath%" ...
+
+:: if the file already verified, vt.exe file returns detailed data
+:: so we can use hash+date submission directly in call to vt.exe analysis
+call :gethash "%filepath%" hash
+"%vt_cli%" file %hash% 1> details.log 2> err.log
+<err.log find /i "not found" && goto scan
+
+echo Found result
+for /f "tokens=1,2 delims=: " %%a in (details.log) do if "%%~a"=="last_analysis_date" set "date_analysis=%%b"
+set id=f-%hash%-%date_analysis%
+goto analysis
+
+:scan
+  del details.log
+  echo Send ...
+  echo.
+  for /f "delims=" %%a in ('%vt_cli% scan file "%filepath%"') do set "result=%%a"
+:getid
+  for /f "tokens=1* delims= " %%a in ("%result%") do set "result=%%b" & if not defined result (set id=%%a) else (goto getid)
+  echo Got file ID: "%id%"
+
+::in case file already scanned
+:analysis
+  del err.log
+  ::echo id=%id%
+  %vt_cli% analysis %id% > vt.log
+  < vt.log find /i "completed" && goto parse
+  < vt.log find /i "status:"
+  echo Waiting for analysis ...
+
+timeout /t 20 >NUL
+
+:wait_queue
+  timeout /t 5 >NUL
+  %vt_cli% analysis %id% > vt.log
+  < vt.log find /i "queued" && goto wait_queue
+
+:parse
+set "is_malicious="
+set "is_suspicious="
+set "is_failure="
+set "is_timeout="
+set "is_stats="
+echo.
+for /f tokens^=1^,2*^ delims^=^"^  %%a in (vt.log) do call :t_line "%%a" "%%b"
+del vt.log
+
+:sel
+  echo.
+  echo 1. Open logfile with extended info
+  echo 2. Open VirusTotal link to file
+  echo 3. Exit
+  choice /C 123 /N
+  if %errorlevel%==1 call :details
+  if %errorlevel%==2 call :vt_open
+  if %errorlevel%==3 (popd & goto :eof)
+goto sel
+
+:t_line
+  if defined is_malicious (
+	if "%~1"=="engine_name:" set "engine_name=%~2"
+	if "%~1"=="engine_update:" set "engine_update=%~2"
+	if "%~1"=="engine_version:" set "engine_version=%~2"
+	if "%~1"=="result:" (
+	  echo ! MALICIOUS: %engine_name%: "%~2"   ^(%engine_update%, %engine_version%^)
+	  set "is_malicious="
+	)
+  )
+  if defined is_suspicious (
+    if "%~1"=="engine_name:" set "engine_name=%~2"
+	if "%~1"=="engine_update:" set "engine_update=%~2"
+	if "%~1"=="engine_version:" set "engine_version=%~2"
+	if "%~1"=="result:" (
+	  echo ! SUSPICIOUS: %engine_name%: "%~2"   ^(%engine_update%, %engine_version%^)
+	  set "is_suspicious="
+	)
+  )
+  if defined is_timeout (
+    if "%~1"=="engine_name:" (echo %~2 ^(timeout^)& set "is_timeout=")
+  )
+  if defined is_failure (
+    if "%~1"=="engine_name:" (echo %~2 ^(failure^)& set "is_failure=")
+  )
+  if defined is_stats echo %~1 %~2
+  if "%~1"=="category:" if "%~2"=="malicious" set "is_malicious=true"
+  if "%~1"=="category:" if "%~2"=="suspicious" set "is_suspicious=true"
+  if "%~1"=="category:" if "%~2"=="failure" set "is_failure=true"
+  if "%~1"=="category:" if "%~2"=="timeout" set "is_timeout=true"
+  if "%~1"=="category:" if "%~2"=="confirmed-timeout" set "is_timeout=true"
+  if "%~1"=="stats:" (set "is_stats=true" & echo.)
+exit /b
+
+:details
+  if exist details.log goto show_details
+  call :gethash "%filepath%" hash
+  "%vt_cli%" file %hash% > details.log
+:show_details
+  start "" details.log
+  echo details.log is created and opened.
+exit /b
+
+:vt_open
+  if not defined hash call :gethash "%filepath%" hash
+  set vt_link=https://www.virustotal.com/gui/file/%hash%/detection
+  echo VirusTotal link: %vt_link%
+  start "" "%vt_link%"
+exit /b
+
+:gethash [file] [out_var]
+  for /f "delims=" %%a in ('certutil -hashfile "%~1" SHA256 ^| find /v "hash"') do set "t=%%a"
+  set "t=%t: =%"
+  ::echo Checksum SHA256: "%t%"
+  set "%~2=%t%"
+exit /b

src/_ChangeLog_en.txt

@@ -11,6 +11,13 @@ Version history:
 |||||       1. HiJackThis: changelog         |||||
 ==================================================
 
+[3.3.0.10 Alpha] - Dec 18, 2023
+ - Unlocked the ability to remove services with Microsoft-signed executable.
+ - Added company and SHA1 hash output for files with damaged digital signature, marked as "(invalid sign)".
+ - The allowed file size for hash verification has been increased to 300 MiB. If the check exceeds or fails, this will be indicated in the log.
+ - Improved digital signature verification: for Win 8+, the secondary signature (of the manufacturer) is displayed, if the primary signature by Microsoft.
+ - Bugs of the previous build have been fixed.
+
 [3.3.0.9 Alpha] - Dec 15, 2023
  - Added detection of autorun Null-values.
  - Added the database of LolBin files with updates from lolbas-project.github.io service (thanks to @oddvarmoe, @bohops, @xenosCR, @ConsciousHacker, @liamsomerville, @Wietze, @_josehelps)

src/_ChangeLog_ru.txt

@@ -11,6 +11,13 @@
 |||||       1. HiJackThis: список изменений         |||||
 =========================================================
 
+[3.3.0.10 Alpha] - 18.12.2023
+ - Разблокирована возможность удалять службы с подписью Microsoft у исполняемого файла.
+ - Добавлен вывод компании и SHA1 хеша для файлов, у которых ЭЦП повреждена, помеченные как "(invalid sign)".
+ - Допустимый размер файла для проверки хеша увеличен до 300 MiB. В случае превышения или неудачи проверки, это будет обозначено в логе.
+ - Улучшена проверка ЭЦП: для Win 8+ выводится вторичная подпись (производителя), если первичная - от Microsoft.
+ - Исправлены ошибки предыдущей сборки.
+
 [3.3.0.9 Alpha] - 15.12.2023
  - Добавлено обнаружение Null-параметров автозапуска.
  - Добавлена обновляемая база LolBin файлов на основе сервиса lolbas-project.github.io (спасибо @oddvarmoe, @bohops, @xenosCR, @ConsciousHacker, @liamsomerville, @Wietze, @_josehelps)

src/_HijackThis.vbp

@@ -90,7 +90,7 @@ Description="Creates a report of non-standard parameters of registry and file sy
 CompatibleMode="0"
 MajorVer=3
 MinorVer=3
-RevisionVer=9
+RevisionVer=10
 AutoIncrementVer=0
 ServerSupportFiles=0
 VersionCompanyName="Alex Dragokas & Trend Micro Inc."

src/clsRegistry.cls

@@ -2414,7 +2414,7 @@ Public Function ExportKeyToVariable( _
                     End If
                 End If
 
-                DeleteFilePtr (StrPtr(sTempFile))
+                DeleteFileEx sTempFile
             End If
         End If
         m_StatusCode = Proc.StatusCode
@@ -2467,7 +2467,7 @@ Public Function KeyExportToBinary(hHive As ENUM_REG_HIVE, ByVal KeyName$, destFi
     lret = RegOpenKeyEx(hHive, StrPtr(KeyName), 0&, KEY_QUERY_VALUE Or (bIsWOW64 And KEY_WOW64_64KEY And Not bUseWow64), hKey)
     If ERROR_SUCCESS = lret Then
 
-        If FileExists(destFile) Then DeleteFilePtr (StrPtr(destFile))
+        If FileExists(destFile) Then DeleteFileEx destFile
 
         'Required privilege "SeBackupPrivilege"
         lret = RegSaveKeyEx(hKey, StrPtr(destFile), ByVal 0&, IIf(OSver.MajorMinor < 5.1, REG_STANDARD_FORMAT, REG_LATEST_FORMAT))

src/clsScript.cls

@@ -201,7 +201,7 @@ End Sub
 
 Public Function HasFixInClipboard() As Boolean
     m_FixInfo.Raw = ClipboardGetText() 'precache
-    HasFixInClipboard = (0 <> InStr(1, Left$(m_FixInfo.Raw, 300), "Start::", vbTextCompare))
+    HasFixInClipboard = (0 <> InStr(1, Left$(m_FixInfo.Raw, 300), "Start>>", vbTextCompare))
     If Not HasFixInClipboard Then
         m_FixInfo.Raw = vbNullString
     End If

src/database/DriverMapped.txt

@@ -17,6 +17,7 @@
 %SystemRoot%\System32\Drivers\DUMP_FTOIIS.SYS
 %SystemRoot%\System32\Drivers\dump_dumpstorport.sys
 %SystemRoot%\System32\Drivers\dump_stornvme.sys
+%SystemRoot%\System32\Drivers\dump_iaStorAC.sys
 %SystemRoot%\System32\Drivers\dump_iaStorVD.sys
 %SystemRoot%\System32\Drivers\dump_iaStor.sys
 %SystemRoot%\System32\Drivers\dump_nvstor.sys