Comments (6)
There are three supported approaches:
1.) Naming the executable $77eryeryerye.exe
This will tell the r77 service to not inject the process. If this is not applicable to your project, option 2 works equally as well:
2.) Using the r77 header:
There is this image in the documentation (Section 4.1: r77 header)
This is an excerpt of an executable in memory (not on disk).
Overwrite the first two bytes of the DOS stub at compile time with R77_HELPER_SIGNATURE (0x7268)
It tells the r77 service to not inject your process. If you look at TestConsole.exe
in a hex-editor, you will see these bytes. But make sure to do it at compile time and not at runtime, as r77 is injected before your executable gets to run its main thread.
3.) Detaching the rootkit
If the first two bytes of the DOS stub in memory are R77_SIGNATURE (0x7277) it means that your process is injected with r77. The following 8 bytes are a function pointer. If you create a thread pointing to this function, r77 will detach. Note that the detach function pointer might be written there after a few milliseconds have passed.
Now, option 2 (writing the r77 header) makes more sense, I think. I just wanted to let you know all options that are available.
from r77-rootkit.
Have a look at BuildTask.R77Signature. This function takes an executable as a byte[]
and writes the 2-byte signature to a fixed offset of 64. The compiled binary BuildTask.exe
is in the post build events of other projects, such as TestConsole. This way, the TestConsole already has the R77_HELPER_SIGNATURE when it's compiled.
from r77-rootkit.
Is the already running process injected with r77 and can therefore not see the file? One way to avoid r77 being injected into a process is to use the prefix.
E.g.: $77a.exe starts $77b.exe - not sure if this example is applicable to your implementation. However, executables with the prefix won't get injected at all, while all other processes are injected before they run any of their own instructions.
If you're really stuck because r77 is running inside your process and you cannot use the prefix: One possible way to resolve this is to detach r77 from the current process. There is a function pointer (Rootkit::Detach) in the r77 header that you could call (see documentation "Implementation details"). But normally, you shouldn't need to go this far in order to get your executable up & running.
If it works with an older version, can you reproduce this? It would be really interesting...
from r77-rootkit.
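The header layout described in the comments above (marker word at offset 64, followed by an 8-byte function pointer, with 0x7277 meaning "injected" and 0x7268 meaning "do not inject") is easy to turn into a defensive check. The following Python is an added example, not code from the r77 project or from BuildTask.R77Signature: given the raw bytes of a PE image (a file on disk, or a module dumped from process memory), it reports which marker, if any, is present. It assumes the marker is stored as a little-endian WORD, which the page does not state explicitly; the sample images are constructed stand-ins, not real binaries.

```python
import struct
from typing import Any, Dict

# Marker values quoted in the comments above.
R77_SIGNATURE = 0x7277         # process has been injected with r77
R77_HELPER_SIGNATURE = 0x7268  # tells the r77 service not to inject this process
SIGNATURE_OFFSET = 64          # first two bytes of the DOS stub (after the 64-byte MZ header)
POINTER_OFFSET = SIGNATURE_OFFSET + 2  # 8-byte detach function pointer follows the marker


def read_r77_marker(image: bytes) -> Dict[str, Any]:
    """Classify a PE image buffer by the r77 marker at the start of its DOS stub.

    Returns a dict with keys:
      status -> 'not-pe', 'clean', 'helper' or 'injected'
      marker -> the 16-bit value read at offset 64 (None if the buffer is too short)
      detach -> the 8-byte function pointer after the marker (only when injected;
                None while it is still zero, since the page notes it may be written
                a few milliseconds after the signature)
    Assumption (not stated on the page): the marker is a little-endian WORD,
    i.e. 0x7277 appears in the buffer as the bytes 77 72.
    """
    if len(image) < 2 or image[:2] != b"MZ":
        return {"status": "not-pe", "marker": None, "detach": None}
    if len(image) < POINTER_OFFSET:
        return {"status": "clean", "marker": None, "detach": None}
    (marker,) = struct.unpack_from("<H", image, SIGNATURE_OFFSET)
    if marker == R77_HELPER_SIGNATURE:
        return {"status": "helper", "marker": marker, "detach": None}
    if marker == R77_SIGNATURE:
        detach = None
        if len(image) >= POINTER_OFFSET + 8:
            (detach,) = struct.unpack_from("<Q", image, POINTER_OFFSET)
        return {"status": "injected", "marker": marker, "detach": detach or None}
    return {"status": "clean", "marker": marker, "detach": None}


def _fake_image(stub_word: int, pointer: int = 0) -> bytes:
    """Constructed 128-byte stand-in for a PE image: 'MZ' header, then a DOS stub."""
    header = b"MZ" + b"\x00" * 62                   # 64-byte IMAGE_DOS_HEADER, only e_magic set
    stub = struct.pack("<HQ", stub_word, pointer)   # marker word + 8-byte pointer slot
    return header + stub + b"\x00" * (128 - len(header) - len(stub))


# Constructed samples, not binaries from the project.
CLEAN_IMAGE = _fake_image(0x1F0E)                  # ordinary DOS stub start, bytes 0E 1F
HELPER_IMAGE = _fake_image(R77_HELPER_SIGNATURE)   # what BuildTask is described as producing
INJECTED_IMAGE = _fake_image(R77_SIGNATURE, 0x00007FF6DEAD0000)  # made-up pointer value


def scan_samples() -> Dict[str, str]:
    """Run the check over the three constructed samples and return name -> status."""
    samples = [("clean", CLEAN_IMAGE), ("helper", HELPER_IMAGE), ("injected", INJECTED_IMAGE)]
    return {name: read_r77_marker(img)["status"] for name, img in samples}


if __name__ == "__main__":
    for name, status in scan_samples().items():
        print(f"{name}: {status}")
```

On disk only the helper marker is expected, since the page says the injected marker and pointer are written into the image in memory; so a file scan flags helper executables, while a scan of each process's mapped image base is what would reveal the injected state.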
Here is a video showing the way to reproduce this: https://streamable.com/s7tlje
It executes fine, but after adding a delay and installing the rootkit while the program is running, it will give me a "file not found" error.
I did the same thing with the older version of this rootkit and it seems to work fine, but that could be because the executables starting with $77 stay visible until explorer is restarted..
from r77-rootkit.
Hmm, interesting.. how exactly do I accomplish that in C#? I'm trying to go for option 2, but I don't know how to do that without using a hex editor and editing it directly.
If anything, I can just go with the older version of this rootkit..
from r77-rootkit.
Yep, seems to work perfectly now, executes the hidden file with no problem!
Adding R77_HELPER_SIGNATURE did the trick!
Thank you so much!!!
from r77-rootkit.