Dec 07, 2024

Decoy - Anti-Malware Protection Tool

A lightweight security tool that deploys dummy processes to deter malware execution

Decoy is a lightweight Windows utility that launches many “dummy” processes named after common analysis/debugging tools (e.g., Procmon, Wireshark). This creates a decoy environment that can deter basic malware that refuses to run when these tools appear active.

Key Capabilities

  • Mimics well-known analysis/debugging programs via renamed copies of a minimal dummy.exe
  • Very low overhead (~0.3 MB RAM per dummy process, no console window)
  • Interactive menu for start/terminate/restart; or one-shot CLI flags for automation
  • Built-in safety: a version-resource UUID ensures only Decoy-owned processes are terminated

Architecture Overview

  • Argument parser: detects -S/-s (start), -T/-t (terminate), -Q/-q (quiet)
  • Process control: creates a processes/ folder, copies dummy.exe for each target name, starts/terminates all
  • Utility layer: quiet logging, file existence checks, safe kill-by-name helpers
  • Optional interactive UI: simple banner/menu for S/T/R/Q in a loop

Process Lifecycle

  1. Ensure directory and copies: create processes/ and copy dummy.exe to processes/<name>.exe
  2. Start: launch each copy with CreateProcessA and no console window
  3. Terminate: prefer stored process handles; otherwise fall back to kill-by-name
  4. Restart: terminate → ensure copies → start

CLI Usage

  • -S / -s: Start all decoy processes and exit
  • -T / -t: Terminate all decoy processes and exit
  • -Q / -q: Quiet mode (suppresses output). When combined, quiet start is implied

Example (quiet start):

decoy-manager.exe -Q -S

Safety Guard (Version Identifier)

  • Each dummy copy embeds a unique identifier in version resources: 0193b58d-cf59-703c-afda-a8c62c43f6b0
  • Before terminating by name, Decoy checks this identifier to avoid killing legitimate processes that happen to share the same filename
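
To check the guard from the operator's side, the following PowerShell audit (an added example, not the project's own code) lists running processes that share a filename with the dummies and reports which images carry the identifier. The watch list is constructed, and it assumes the identifier is stored as a string in one of the executable's version-resource fields.

```powershell
# Added example, not part of the Decoy project: audit running processes that share a
# filename with Decoy's dummies and report which ones carry the Decoy version identifier.
# Assumption: the identifier is stored as a string in one of the image's version-resource fields.
$DecoyId = '0193b58d-cf59-703c-afda-a8c62c43f6b0'

# Constructed watch list (names without .exe, as Get-Process expects); extend it with the
# entries from src/process_control.c.
$WatchedNames = @('Procmon', 'Wireshark')

function Test-DecoyVersionInfo {
    param([Parameter(Mandatory)][string]$Path)
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    # Scan every string-valued version field instead of assuming which one holds the identifier.
    foreach ($prop in $vi.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -like "*$DecoyId*") { return $true }
    }
    return $false
}

$report = foreach ($name in $WatchedNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path   # $null when the image path cannot be read (e.g. a higher-privilege process)
        [pscustomobject]@{
            Name       = $_.ProcessName
            Id         = $_.Id
            Path       = $path
            DecoyOwned = $(if ($path) { Test-DecoyVersionInfo -Path $path } else { 'unknown' })
        }
    }
}

# A row with DecoyOwned = False is a real tool (or another program) that merely shares the
# filename; a kill-by-name without the identifier check would have terminated it as well.
$report | Format-Table -AutoSize
```

Rows marked `unknown` are processes whose image path could not be read; run the audit from an elevated session if those need to be classified.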

Build & Run

  • CMake-based build produces two binaries: decoy-manager (controller) and dummy.exe (minimal sleeping process)
  • On MSVC, the manager links Version.lib and Psapi.lib to read version resources and enumerate processes
  • Runtime layout: the manager creates processes/ and populates it with renamed copies of dummy.exe, then launches them

Adding New Dummy Names

  1. Edit the process names array in src/process_control.c (e.g., add "newtool.exe")
  2. Rebuild; processCount derives automatically from the array size
  3. Run the manager; the new copy appears under processes/newtool.exe and will be managed like the others