bytecode77 / r77-rootkit Goto Github PK

so the r77 is really cool, but i couldn't find an option in it to run tasks as soon as windows starts, because when i have files with parameter $77 they are hidden, but they don't run when windows starts, because it doesn't can you find the file to run, is there any method in r77 to start processes with windows?

so i have a executable file in temporary folder named $77name.exe, I created a new project in c# and executed that file with ProcessStartInfo and it executed just fine, but if an already running process tries to execute that file with the exact same method i get a "Windows cannot find $77name.exe", i'm not 100% sure but i think it works just fine with the older version of this rootkit.

How to use rootkit on the discord rat

Hello man ,

You think it is possible to do a simple poc or add on your r77 any code to force the deletion of a file/folder (example, I can kill some Av with a vuln driver) but the best would be to delete the installation folder after killing

Hidden in windows2012 r2 9600 does not work
It may be a problem caused by not supporting windows8
How can I fix it?

hi
For AV/EDR evasion

AMSI bypass: i have tested with PowerShell.exe and amsi.dll!AmsiScanBuffer and

i read src/InstallStager/Unhook.cs and
i read : r77api.h for both the C# and C++ implementation and
you say ;
For each r77 update, build the solution and take the
InstallStager.exe file from the resources of the installer project. Make sure to check
for changes in the code of Install.cpp and implement them in your project as needed.
The source code of the installer itself is fairly short and commented.

So I understand that we must use vs2019 to generate the solution and get InstallStager.exe . so I understand that we must use vs2019 to generate the solution and get InstallStager.exe . we are OK?

so I have to work with vs2019 from the clone of:
https://github.com/bytecode77/r77-rootkit.git + develop solution explorer +
InstallStager or r77.sln ?

if I have to work like this ,
It 's with release anyCPU InstallStager or release anyCPU testconsole

or work from with src/InstallStager/InstallStager.cs ?

For now , i bypass with powershell.exe in admin +

[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE'). GetValue('$77stager')). EntryPoint.Invoke($Null,$Null)
+
'amsi.dll! AmsiScanBuffer'
+
'AMSI_RESULT_CLEAN'
result : no errors no messages

I have created two sheduled task for both the 32-bit and the 64-bit
task : powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenS
ubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)

I'm working for the moment from r77rookit.rar and testconsole and Install.exe and I get well injected and inhide two process dllhost.exe

and task sheduler and bypass powershell.exe

Thanx for help

The problem is in the header, but i have a one qustion: how can i hide registry keys, what api need to be hooked for this, is this possible in ring 3? Will you add this in the future?

p.s Good work!

I run the Install.exe file on a Windows 10 laptop and it doesn't hide anything, I tried it on another PC and it works.
So I don't understand why it doesn't work on my laptop.

How can i combine the process tohide, the hider, and the dll in to one file

thanks bud,this software is owesome! Can you add a function to hide GPU use,this is so good .thanks

Hi, i appreciate your project

for install the rootkit

i need only the install.exe file or i need the dll's r77-x64 & r77-x86 on the same folder?

In fact this is my code

#include <Windows.h>
#include "install.h"
int main()
{
	LPBYTE shellCode = rawData;

	DWORD oldProtect;
	VirtualProtect(shellCode, 166296, PAGE_EXECUTE_READWRITE, &oldProtect);

	((void(*)())shellCode)();

	return 0;
}

In the documentation it said that i have to compile it as x86 which gave me a error, so i compiled into x64 which gave me no error but it didnt work. i have my shellcode in a seperate Install.h file, its just a shellcode version of install.shellcode that ive hexed with hxd. Looks pretty like that

unsigned char rawData[166296] = {
	0xE8, 0x0D, 0x00, 0x00, 0x00, 0x8D, 0x80, 0x98, 0x03, 0x00, 0x00, 0x50,
}

just with 166296 hex characters

Im checking out the $77 Example and the $77 Test Console, after running the file the $77 Console didnt show the R77 Rootkit as running and the $77 Example also wasnt hidden.

Can you compile TestConsole to be able to run without .NET Framework 4
In Windows 7 / Windows Server 2008 can't run it without installing .NET Framework 4

Hello Bytecode77,

Just like to say thank you prior to any suggestion!
I love r77 so much, really neat and clever fileless design.

now I would like to open a new issue publicly, so more and more users will join this topic.

Up to now, I did many tests upon this rootkit and happy to see almost all functions are correct as you described in the documentation, amazing!

I would like r77 to help me hide those specific items maybe files, directories, or registries that are random in names.

I could hide "myprocess" via "test console", I was soooo happy! thereafter, i reboot the OS and found "myprocess", which was hidden before rebooting, now appeared again!
I tried to write the PID into the registry under $77**, but it didn't work, because processID kept changing every reboot.

And also, I would like to hide some of my specified files and directories, I didn't know how to do it, because I couldn't find a place to input the names of files or names of directories.

So, I have to rename the files or directories that begin with "$77", they hid! but this also causes execution wrong for wrong names of files.

Hope these desired abilities be available soon.

Thank you guys anyway, the r77 is amazing!

Injection seemed to crash the whole system :/
It started to first crash every application and lastly the whole vm crashed

I've tried this using the examples provided.
the PE is in resources

	HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$77control", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
	if (pipe != INVALID_HANDLE_VALUE)
	{
		LPBYTE pe;
		DWORD peSize;
		if (!GetResource(IDR_R72, "EXE", &pe, &peSize)) return 0;

		DWORD controlCode = CONTROL_USER_RUNPE;
		WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
		// Write control code (DWORD)
		DWORD bytesWritten;
		WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);

		// Write the path for ShellExec (unicode string including null terminator)
		WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);

		// Write arguments for size
		WriteFile(pipe, peSize, sizeof(DWORD), &bytesWritten, NULL);

		// Write arguments for bytes
		WriteFile(pipe, pe, peSize, &bytesWritten, NULL);

		CloseHandle(pipe);
}

but the PE does not execute.

I have a C# program which installs rootkit and add itself in r77's autorun. After restarting my c# application starts as System and I can't access user's desktop and start files as user. Is in r77 a option, to start the file as user (or administrator (will be better)), not as system?

hi, the is any way to hide app icon from taskbar ?
( when i inject explorer its just hide app from folder and still show running apps icon on taskbar)

Hello!
This is most likely a simple question, but I desperately need assistance. So I know that the rootkit starts a pipe and that any data I send to it is executed. The only issue here is that I have no idea how or what data I should send. Any assistance would be greatly appreciated.
Regards WilleLX1

Hiding a process by process name "under key, process_names" doesn't seem to work for me? how do i hide a process name using the name of the process instead of the pid?

Can you edit a configuration for me?
exename=calc.exe

Bro can you please check auto injection is not working in 1.4.0
Or in 1.3.0 have issue with opening some exe app it is blocking them to start
Is any way i can stop auto injection of dll in some spacific apps

Hey, so I downloaded the master branch and tried to compile it (in visual studio right clicking the solution and clicking build solution), under compiling there was no errors, but the Install.exe file is very big (2,178KB), compared to the one I installed from bytecode77.com (311kb).
And whenever I open the Install.exe I compiled I always get Application Errors from other applications saying something like "The instruction at 0x*** referenced memory at 0x***. The memory could not be read." and a lot of applications close, like visual studio, PerfWatson2.exe and my own program if its open (I get these errors both when I run it with RunPE and if I run it from file explorer). (But after those applications have closed and the Errors are done I am pretty sure it does what its supposed to).

The Install.exe I got from bytecode77.com always runs fine, I can run it with your RunPE code in another program with no problems, I can also run it straight from file explorer. Never had any issues with it. But when I compile it myself it is not the same, I don't have a lot of experience using other peoples projects, so there might be something I missed. I didn't change anything, just download it and opened in visual studio and compiled.

Where is the prefix located in the code? I want to change the prefix so it hides files that start with ÷77 or smth like that

Hello r77.

I want to include the shellcode into the rust based clipper/stealer.

Do I have to use asm and compile for x64 or x86?
Target systems is x64.

I also want to know the purpose of r77. Is it targeted against Power users? As you already said, it does not protect from av solutions.

Regards

As the rootkit checks it's config from registry every n seconds
add ability detach and prevent injecting an specified process using it's pid/process name-
by creating a key/value in it's configs
and also ability to temporary disabling and self uninstalling it using same way

Hi,

just found a new bug: hidden files.exe failed to load to process.
I tried to hide the process with the config system, and in the meantime, the files /directory were hidden, but found failed to load to process.
Remove the file hidden, then it can be loaded to process normally, and also the process can be hidden.

Windows 10 Home version 20H2, OS build 19042.928

hope my report helps.
thanks!

Спасибо за ваше творчество)

Hello I am having some issues with the rootkit hooking explorer.exe as this is causing any program to run as a child from explorer to not run correctly.
As it is getting hooked, How can I stop it from hooking explorer process that's all I need.

Thank you

I have a program that runs routinely and I was wondering how to start and end the program hidden by $77 (eg. 77$Program) and does this bypass kernel check?

hello
To start Bravo for this beautiful work.

I wanted to test an application with $$77, it has disappeared from task manager and process explorer but impossible to recover it. By restarting I found the application.
How to recover it without restarting?
I was for a file but the impossible to recover even by restarting.

on the other hand as I have not seen anywhere how to install your project $77.
So I created a folder at the root c Hidden_config ,
and I tested with TestConsole to hide a program and it works .
Hide from task manager and process explorer .
On the other hand it does not create in regedit $77config
Thanx for help
i have w10 x 6 bits

Hello! Thanks for the great rootkit r77. I found some problems during using. Could u give me some advice?
I'm trying to keep a particular process hidden while running other new ones.
But r77 injects all new processes by default, and injection will cause some unexpected bugs in new processes.
For example, when I try to open the task manager, it often reports that the program input point ImageList_CoCreatInstance cannot be located on the dynamic link library.
Another problem is that my TestConsole cannot be started in administrator mode, and it crashes soon after startup.
Best regards.

Hello, Mr. author. Do you only need to add installstager.exe, r77-86ro64.dll, install.cpp, install. H, r77api. H and other files to integrate your project scheme into my project? I can't compile successfully with / MTD release x86

hi,
when login with an other user the renamed files are clearly showing in (explorer/taskmgr)

Hey, so I have 2 questions:

1. I have noticed that even when a file is hidden by prefix, Windows Defender is still able to find and detect the file, which was expected, but does the same apply to other external AVs? Like BitDefender, Avast, MalwareBytes, Norton, etc?
   To avoid the issue above, my program automatically adds exclusions in Windows Defender to these locations to prevent it from scanning them using cmd and powershell, which leads me to the next question.
2. I am pretty sure that Windows Defender does not detect the r77 stager startup, but if it somehow manages to detect it in the future, what application, or what directory should I add to the Windows Defender exclusions? I assume it would be to the powershell.exe location, or the dllhost.exe location, or the winlogon.exe location, but I am not sure.

Hello! When I launch Install.exe HKLM in registry just tells me no data available. Just wondering if this is something that's not right and if it isn't let me know. Any reply's would be appreciated.

Regards WilleLX1!

Please I would like to know if there is any way for remotely controling the rootkit?

Hi,

I have been clicking on Install for 50th time but it wont still install, can you help me ?

example:

r77rootkit.exe -hide 'processID' or 'process name'

Is it possible to inject the Rootkit with C# natively or in some other way, without using PowerShell?
I say this, because the injection with PowerShell, is detected by many AV's. :://

email me at [email protected]

Best Regards, Evan

Hi
i made registry key/value and task in task scheduler without $77 in their names
i was not able to hide them by adding their path to "HKLM\SOFTWARE$77config\paths"

as you know there is some keys in registry that can't name them ourselves
but we maybe want to hide them (without losing their functionality)

will this be possible in future updates?

When I install install service 64, this screen meets why?

After installing it, I get these errors on task manager,
any idea how to fix this?

Hello, Mr. author, i try to read / write data to the $77config registry path, but i can't read / write successfully. is there any way i can see the hidden $77config key in the registry editor?

hey, thank you very much for the Best rootkit
after installed install.exe
bro i am facing a issue during open my examshield.it is showing intenal error 00000012 can you please help me to resolve it.
hope you will reply soon
the app i want to open that is examshield of peoplcert
please help me
will provide you screenshot

Hello, First i want to thank you for this great rootkit, can you please make a Demo or a Poc using cobaltstrike or meterpreter shellcode.

Hello!
Can you convert this in C# Please?
Regards

Hi, first of all, thanks for the great project - I can't wait to get it all set up so I can dig into it at length.

I seem to be running into an issue when attempting to compile the project - using Visual Studio 2022 with the necessary .NET framework developer package (which I believe was 4.7, Visual Studio stopped giving me import warnings after this so I'm assuming install worked correctly. I'm able to compile the beginning stages of the project (up to this point) but solution fails at Installer stage.

I get a file not found: Resources\Stager.exe (possibly because Stager creation is failing). Upon trying to manually build the Stager project, I get back:

I'm hoping I can get some assistance, please feel free to ask me for any additional info if necessary to help you out, I'm sure I'm messing this up somehow since I am a bit of a VS noob :)

Hi, please tell me how I can compile r77 again with the constants, I need the injections not to affect explorer.exe and bash.exe .
Which programs or commands are needed for compilation and how can I do it in general (step by step, im beginner)?
thank you very much for your help