One question about r77-rootkit (closed, 10 comments)

bytecode77 avatar bytecode77 commented on June 12, 2024
One question

from r77-rootkit.

Comments (10)

uncidal avatar uncidal commented on June 12, 2024

If I am understanding you, r77 runs on startup, but it's just your program that starts with $77 that does not start?
Are you sure it does not run? I am not the developer, but I am pretty sure it should run if you add it to the regedit startup locations, or if you add it to Task Scheduler.
Try to run Task Scheduler; on the right side click "Create Basic Task". When you select a name, you can start the name with $77 to hide the startup from a normal user (it will still start up, just hard to remove). In Trigger select "When the computer starts", in Action select "Start a program", and in Start a program write in the location of the file.
You can also try changing the Userinit key: open regedit as admin, and go to this location:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
On the right you should see a list of many keys. You can change Userinit and add the location of the file after the comma, and it will start up when the computer turns on. (So the value of Userinit should be something like "C:\Windows\system32\userinit.exe, C:*INSERT YOUR LOCATION TO FILE HERE*")

bytecode77 avatar bytecode77 commented on June 12, 2024

Prefixed files cannot be "seen" by Windows and therefore don't start up. There have been several such reports and I can confirm this.

I'm currently considering a key under $77config where startup files can be defined. They could then even start up under the SYSTEM account.

Currently, however, I can only offer a workaround. You could try to not use the prefix, but instead write the process ID to the list of hidden PIDs after your process started. That way, at least the process is not visible, however the file is. In my previous attempts, hiding the parent directory unfortunately also prohibits startup of the containing file.

This issue is on the top of the ToDo list for the next release.

bytecode77 avatar bytecode77 commented on June 12, 2024

Version 1.2.2 is available.

This issue was addressed in the new version that is now available for download.

Section 2.8 of the documentation:

The issue: If you set up a hidden file for startup, for example using the HKCU...\Run key, Windows cannot find the file (because it is hidden) and therefore it does not start.

The solution: r77 is in charge of starting hidden files. This comes with several advantages:

  1. Your file will start under the SYSTEM account with system integrity.
  2. Your file will start before the first user is logged on.
  3. You can add files to startup with non-elevated privileges and they will start up with system integrity.

If you want your process to be run under a specific user account, you have to perform
impersonation. This is required in case you need access to the user’s desktop.

Note: Just by adding the file to $77config\startup, it is not implicitly hidden. The same rules
apply: The file has to have the prefix, or it has to be hidden by the configuration system. If you
want the file to not be injected by r77, then writing the helper signature to the executable file
will avoid injection (see section 4.1).

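A defender-side triage of the two persistence locations this thread describes, the Userinit append suggested earlier and the $77config\startup key from the documentation excerpt above, as an added example that is not code from the r77 project. It runs over a constructed registry snapshot (the key names, value names and sample paths are assumptions), since the thread notes that a live, hooked regedit does not show the $77config key.

```python
"""Triage a registry snapshot for r77-style startup persistence.

Added example, not code from the r77 project. It inspects a constructed
snapshot (key path -> {value name: data}) rather than the live registry:
the thread notes that r77 hides the $77config key from regedit on a live
host, so collect the hive offline or from a process detached from r77.
"""
from __future__ import annotations

R77_PREFIX = "$77"
# Default Userinit data on a clean install, as quoted in the thread
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"


def has_r77_prefix(path: str) -> bool:
    """True if any component (key, folder or file name) starts with $77."""
    return any(p.strip().startswith(R77_PREFIX) for p in path.split("\\"))


def extra_userinit_entries(data: str) -> list[str]:
    """Entries appended to Winlogon\\Userinit beyond the default userinit.exe."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT.lower()]


def find_r77_indicators(snapshot: dict[str, dict[str, str]]) -> list[str]:
    """Flag $77-prefixed keys/values and extra Userinit entries."""
    findings: list[str] = []
    for key, values in snapshot.items():
        if has_r77_prefix(key):  # covers the $77config\startup key itself
            findings.append(f"hidden key: {key}")
        for name, data in values.items():
            if has_r77_prefix(name) or has_r77_prefix(data):
                findings.append(f"hidden startup value: {key}\\{name} = {data}")
        if key.lower().endswith("\\winlogon") and "Userinit" in values:
            for extra in extra_userinit_entries(values["Userinit"]):
                findings.append(f"extra Userinit entry: {extra}")
    return findings


# Constructed hive excerpt: a Userinit append, a $77config\startup entry, a benign Run value
SAMPLE_SNAPSHOT = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon": {
        "Userinit": r"C:\Windows\system32\userinit.exe, C:\Tools\$77test.exe",
    },
    r"HKLM\SOFTWARE\$77config\startup": {"test": r"C:\Tools\$77test.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Program Files\Vendor\updater.exe",
    },
}
```

Running find_r77_indicators(SAMPLE_SNAPSHOT) yields four findings: the hidden config key, its startup value, the Userinit value carrying a $77 path, and the extra Userinit entry itself; the benign Run value is not reported.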
Xienim avatar Xienim commented on June 12, 2024

Good morning mate.
So I created the folder $77config/startup inside the path HKEY_LOCAL_MACHINE\SOFTWARE/$77config\startup.
Inside it I created the hidden file type REG_SZ and passed its path in the value. After that I installed r77 with Install, restarted the machine, but it didn't start the program. I tested it with the path inside a hidden folder with $77 and without the $77.
So what do you think about it?
Best Regards
Kenji.

Xienim avatar Xienim commented on June 12, 2024


bytecode77 avatar bytecode77 commented on June 12, 2024

Can you show me a screenshot of RegEdit that shows the entry? (You need to detach r77 from regedit.exe using the TestConsole to see the key.)

  • Is the application you want to startup intended to work under the SYSTEM account?
  • If it's a GUI application, then you won't see any windows, unless you impersonate a user account. But you should see it in TaskMgr
  • If the application tries to access the user's desktop, it might just crash, because the SYSTEM account does not have a desktop. Note that the SYSTEM user also doesn't have a HKCU\ key.
  • Have you tried creating an entry with just "notepad" as the string for your startup application? Could you please try that and confirm whether or not notepad.exe shows up in TaskMgr?

Xienim avatar Xienim commented on June 12, 2024

test

Xienim avatar Xienim commented on June 12, 2024

Notepad then runs but $77test.exe is not run

bytecode77 avatar bytecode77 commented on June 12, 2024

I see two potential issues that could be causing this:

1.) The path is being redirected to C:\Windows\SysWOW64\.... You can verify whether this is the cause by using a path that does not have redirection, e.g. C:\. If that works, then redirection is at fault. In this case, you need to put your file into the SYSWOW64 directory. Note that Windows path redirections can be very tricky and misleading.

2.) The executable is having trouble because it's run under the SYSTEM account. This can happen if you try to access the desktop, etc. Can you try replacing $77test.exe with a very basic executable that just does Sleep(1000000)? If this works, then your executable for some reason does not work under the SYSTEM account. In this case, you could try to temporarily implement logging to see where exactly it crashes.

Yep, startup failures are impossible to debug... It's always this kind of trial and error ;)

Edit: One more thing: You could kill the r77 service process and then run Install.exe. It saves you a reboot.

Xienim avatar Xienim commented on June 12, 2024

Good morning friend, this worked for me. After this update the bug was fixed. Thanks!
