
Comments (21)

uncidal avatar uncidal commented on June 12, 2024

hi
For AV/EDR evasion

AMSI bypass: I have tested with PowerShell.exe and amsi.dll!AmsiScanBuffer, and

I read src/InstallStager/Unhook.cs and
I read r77api.h for both the C# and C++ implementation, and
you say:
For each r77 update, build the solution and take the
InstallStager.exe file from the resources of the installer project. Make sure to check
for changes in the code of Install.cpp and implement them in your project as needed.
The source code of the installer itself is fairly short and commented.

So I understand that we must use VS2019 to generate the solution and get InstallStager.exe. Are we OK?

Yes, I think so. If you want InstallStager.exe, you will need Visual Studio and then build the project.

So I have to work with VS2019 from the clone of:
https://github.com/bytecode77/r77-rootkit.git + develop solution explorer +
InstallStager or r77.sln?

What I did, was that I went here: https://github.com/bytecode77/r77-rootkit and clicked on "Code" in the upper right and clicked "Download zip". Then I unzipped the file, and then I opened r77.sln with Visual Studio.

If I have to work like this,
is it with release anyCPU InstallStager or release anyCPU TestConsole,

or do I work from src/InstallStager/InstallStager.cs?

You need to build it with release anyCPU (But don't click "start", because that will execute the program on your own computer). Select "release", and then in the solution explorer, right click "Solution 'r77'", and then click "Build Solution", it will build everything for you. And then you can go and grab InstallStager.exe from this location: ....\r77-rootkit-master\r77-rootkit-master\vs\Install\Resources\InstallStager.exe

For now, I bypass with powershell.exe as admin +

[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
+
'amsi.dll!AmsiScanBuffer'
+
'AMSI_RESULT_CLEAN'
result: no errors, no messages

I have created two scheduled tasks, for both the 32-bit and the 64-bit.
Task: powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)

I'm working for the moment from r77rookit.rar, TestConsole and Install.exe, and I get two dllhost.exe processes injected and hidden properly,

and Task Scheduler and the powershell.exe bypass.

Thanks for the help

If you are trying to use r77 in your own project, I would recommend taking the easy route and executing Install.exe from memory (process hollowing) using RunPE.

from r77-rootkit.

bytecode77 commented on June 12, 2024

There are two options to integrate r77 into your project (Documentation section 5 Integration Best Practices)

1.) Include Install.exe

By doing this, you don't need to do any compilation of r77 yourself. You just take the executable Install.exe as it is and include it in your project. However, you should execute Install.exe in-memory using RunPE. Of course, the file Install.exe itself should be encrypted when you store it in your main executable's resources. Otherwise, you'll get scan-time detection just for the file.

Extra homework for teacher's pets: Ideally, you should unhook ntdll in your process before you RunPE Install.exe. Of course, you can just write Install.exe to disk and run it. But it will probably be deleted by AV along the way. The reason why I recommend unhooking ntdll prior to using RunPE is because I have encountered issues with detection because of EDR hooks in ntdll.

2.) Implement installation yourself

This is the alternative option, where you basically do what Install.exe does in your own code. If you choose this approach, you do need to compile the solution and write the code of Install.exe yourself. However, I recommend option 1.) because this one is for rather advanced usage when you want more control over what's happening.

MATOM0809 commented on June 12, 2024

hi
For AV/EDR evasion

AMSI bypass: I have tested with PowerShell.exe and amsi.dll!AmsiScanBuffer, and

I read src/InstallStager/Unhook.cs and
I read r77api.h for both the C# and C++ implementation, and
you say:
For each r77 update, build the solution and take the
InstallStager.exe file from the resources of the installer project. Make sure to check
for changes in the code of Install.cpp and implement them in your project as needed.
The source code of the installer itself is fairly short and commented.

So I understand that we must use VS2019 to generate the solution and get InstallStager.exe. Are we OK?

So I have to work with VS2019 from the clone of:
https://github.com/bytecode77/r77-rootkit.git + develop solution explorer +
InstallStager or r77.sln?

If I have to work like this,
is it with release anyCPU InstallStager or release anyCPU TestConsole,

or do I work from src/InstallStager/InstallStager.cs?

For now, I bypass with powershell.exe as admin +

[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
+
'amsi.dll!AmsiScanBuffer'
+
'AMSI_RESULT_CLEAN'
result: no errors, no messages

I have created two scheduled tasks, for both the 32-bit and the 64-bit.
Task: powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)

I'm working for the moment from r77rookit.rar, TestConsole and Install.exe, and I get two dllhost.exe processes injected and hidden properly,

and Task Scheduler and the powershell.exe bypass.

Thanks for the help

Admin, are you OK with this for the implementation?

And are you OK with the powershell.exe code for the bypass?

If not, what would your actions be?

MATOM0809 commented on June 12, 2024

There are two options to integrate r77 into your project (Documentation section 5 Integration Best Practices)

1.) Include Install.exe

By doing this, you don't need to do any compilation of r77 yourself. You just take the executable Install.exe as it is and include it in your project. However, you should execute Install.exe in-memory using RunPE. Of course, the file Install.exe itself should be encrypted when you store it in your main executable's resources. Otherwise, you'll get scan-time detection just for the file.

Extra homework for teacher's pets: Ideally, you should unhook ntdll in your process before you RunPE Install.exe. Of course, you can just write Install.exe to disk and run it. But it will probably be deleted by AV along the way. The reason why I recommend unhooking ntdll prior to using RunPE is because I have encountered issues with detection because of EDR hooks in ntdll.

2.) Implement installation yourself

This is the alternative option, where you basically do what Install.exe does in your own code. If you choose this approach, you do need to compile the solution and write the code of Install.exe yourself. However, I recommend option 1.) because this one is for rather advanced usage when you want more control over what's happening.

OK (5 Integration Best Practices)

Including r77 into an existing project is simple and can be done in several ways.
5.1 Include Install.exe
Including the installer and executing it upon installation of your project is the preferred way.
Executing the installer when r77 is already installed is supported. It will not update already
injected processes; however new processes are injected with the new version of the rootkit
DLL.

1: ?? Existing project? Which one?
And how do you do that? Because it is not explained anywhere lol

You often say "your project" or "existing project", but I work only on yours, or I do not understand anything with the translation, as here:

The installer can either be written to disk and executed, or it can be spawned using process
hollowing. The process hollowing implementation needs to be written in the language of your
project. If your project is written in C#, the process hollowing implementation of the stager
can be used as a reference. Otherwise, you have to write it yourself. It is required to perform
32-bit process hollowing, because the installer is a native 32-bit executable.

2: "Executing the installer in-memory is an extra mile worth taking, because dropping the file" ?? I don't understand this

3 :
It is a viable option to implement the installer directly into the code of your project. For this,
the behavior of Install.cpp must be replicated:

  1. InstallStager.exe needs to be included in your project’s resources.
  2. InstallStager.exe must be written to both the 32-bit and the 64-bit registry key.
  3. Both scheduled tasks need to be created and started.

How do we do it? As uncidal says?
Which is a pity, because it is not explained anywhere

and
Your implementation does not require a native executable. Make sure that your code handles
Windows x86/x64 differences properly. For each r77 update, build the solution and take the
InstallStager.exe file from the resources of the installer project. Make sure to check
for changes in the code of Install.cpp and implement them in your project as needed.
The source code of the installer itself is fairly short and commented.

Ditto, how to do it?

1.) Include Install.exe
By doing this, you don't need to do any compilation of r77 yourself. You just take the executable Install.exe as it is and include it in your project. However, you should execute Install.exe in-memory using RunPE. Of course, the file Install.exe itself should be encrypted when you store it in your main executable's resources. Otherwise, you'll get scan-time detection just for the file.

My project?

Extra homework for teacher's pets: Ideally, you should unhook ntdll in your process before you RunPE Install.exe. Of course, you can just write Install.exe to disk and run it. But it will probably be deleted by AV along the way. The reason why I recommend unhooking ntdll prior to using RunPE is because I have encountered issues with detection because of EDR hooks in ntdll.

You should pick up ntdll, yes; all my questions are about that, and I thought that the PowerShell commands were made to do this job

this:

I bypass with powershell.exe as admin +

[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
+
'amsi.dll!AmsiScanBuffer'
+
'AMSI_RESULT_CLEAN'
result: no errors, no messages

I have created two scheduled tasks, for both the 32-bit and the 64-bit.
Task: powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)

I'm lost

Thanks for the help

bytecode77 commented on June 12, 2024

"your project" is referring to an implementation, were r77 is used. For example, you implement a RAT and include r77 with it. In this scenario, you would be the "integrator" and you would need to execute Install.exe when you execute "your project".

I wasn't aware that you were working on r77 itself. In this case, everything that is documented about unhooking, RunPE and the AMSI byass is already implemented. The documentation mentions what happens when Install.exe is run. i.e.: This executable creates both scheduled tasks that launch powershell with the AMSI bypass first, then the stager. The stager uses RunPE to initialize the r77 service. The two service processes then proceed to inject every process. r77 is persisted at this point.

So, now that I know that you are working on r77: What exacly is your goal? :)

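Detection-side example, added here and not part of this thread or of the r77 project: a Python checker that flags the scheduled-task/PowerShell command line described above (a .NET assembly loaded straight from the HKLM\SOFTWARE value $77stager and its entry point invoked reflectively) in process-creation command lines, as a defender would run it over Sysmon or 4688 exports. The indicator names, verdict labels and sample lines are my own constructions.

```python
import re

# Indicators derived from the stager command line quoted in this thread.
# Names are my own; the patterns describe what that command line does.
INDICATORS = {
    # a .NET assembly loaded from a registry value instead of a file on disk
    "assembly_load_from_registry": re.compile(
        r"Reflection\.Assembly\]\s*::\s*Load\s*\(\s*\[Microsoft\.Win32\.Registry\]", re.I),
    # r77 hides every object whose name starts with "$77"; the stager value does too
    "r77_prefixed_name": re.compile(r"\$77\w+"),
    # entry point of the loaded assembly invoked reflectively (no new process image)
    "reflective_entrypoint": re.compile(r"EntryPoint\s*\.\s*Invoke\s*\(", re.I),
}
# registry value name the loader reads, e.g. GetValue('$77stager')
REGISTRY_VALUE = re.compile(r"GetValue\s*\(\s*'([^']*)'\s*\)", re.I)


def classify(cmdline: str) -> dict:
    """Classify one process or scheduled-task command line.

    Returns the matched indicator names, the registry value the loader reads
    (if any) and a verdict: 'r77_stager' when both the registry load and the
    reflective entry point are present, 'suspicious' on any single hit,
    otherwise 'clean'.
    """
    text = re.sub(r"\s+", " ", cmdline)  # collapse wrapped or padded whitespace
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    match = REGISTRY_VALUE.search(text)
    value = match.group(1) if match else None
    if "assembly_load_from_registry" in hits and "reflective_entrypoint" in hits:
        verdict = "r77_stager"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "registry_value": value}


def scan(lines):
    """Return (line, result) pairs for every command line that is not clean."""
    findings = []
    for line in lines:
        result = classify(line)
        if result["verdict"] != "clean":
            findings.append((line, result))
    return findings


# Constructed sample command lines. The first one is the stager line from the
# thread, including the stray spaces a pasted task export may carry; the
# others are benign or only partially matching controls.
SAMPLE_LINES = [
    "powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine."
    "OpenSubkey('SOFTWARE'). GetValue('$77stager')). EntryPoint.Invoke($Null,$Null)",
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
    "powershell.exe -Command [Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms')",
    "cmd.exe /c dir C:\\$77hidden",
]

if __name__ == "__main__":
    for line, result in scan(SAMPLE_LINES):
        print(f"{result['verdict']:<11} hits={result['hits']} value={result['registry_value']}")
        print("    " + line)
```

A single `$77` hit on its own is only a weak signal, so the verdict stays at 'suspicious' unless the registry load and the reflective entry point appear together.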

MATOM0809 commented on June 12, 2024

In fact uncidal answered above on how to use r77, and I was also waiting for your answer about it.

I don't understand the meaning of the word objective in C++ mode

bytecode77 commented on June 12, 2024

What do you mean by "objective in C++ mode"? Yes, @uncidal explained well how to build the solution and the details on how to use it.

MATOM0809 commented on June 12, 2024

Objective of what nature? I want to get your project working successfully. On the other hand, with @uncidal's work, I tested and I get InstallStager in

C:\Users\xxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources

And after that, how do I run Install.exe from memory (process hollowing) using RunPE?

bytecode77 commented on June 12, 2024

Install.exe is the single file installer of r77. All you need to do is to run it.

Anybody who is using r77 in their own project has to use RunPE in order to execute it. If you're working on r77 directly, then Install.exe is the final product.

MATOM0809 commented on June 12, 2024

Hi,
so I obtained,

in VS:

  • C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallStager\Resources
    two InstallService 32 and 64, OK, done, but actually I do nothing and run Install alone, is that right?

OK, you have to run Install.exe, but which one? I got two at different locations.

in Release:
C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Release
helper32
install
Installservice32
r77-x86.dll
uninstall
etc.
+

in $build:
bytecodeApi.dll
bytecodeApi.UI.dll
helper32
helper64
Install
r77x64.dll
r77x86.dll
Testconsole
uninstall

And we also agree,
when we run Install.exe,
RunPE is then executed?

thanx for help

bytecode77 commented on June 12, 2024

There is only one location: $Build\Install.exe. When you build the solution, all files are copied to the output directory $Build\ so nobody needs to "search" where the files are.

Install.exe already contains all required files, so you don't need the DLLs as separate files. They're all packaged into the final binary Install.exe.

MATOM0809 commented on June 12, 2024

Hi, and thanks for the patience.

Well understood now, obviously it is $build.
A practical question: I know that every folder, file or .exe starting with $77 will be hidden.
Are the 2 possibilities possible?
$build + install.exe
or $build + testconsole + install.exe?

bytecode77 commented on June 12, 2024

are the 2 possibilities possible?
$build + install.exe
or $build + testconsole + install.exe?

What do you mean?

MATOM0809 commented on June 12, 2024

I would also like to use TestConsole to run Install.exe, is it possible?

PS: and what to do with the InstallStager.exe obtained here after the build?:
C:\Users\xxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager.exe

And if I have to move it to another location, do I have to rebuild?

bytecode77 commented on June 12, 2024

You can use the Test Console to run Install.exe. It's just a shortcut, though:

[...] Resources\InstallStager.exe
and if I have to move it to another location, do I have to rebuild?

When you rebuild the solution, some executables are copied to the Resources\ directory of other projects. This happens automatically. You can tell by the timestamp of the files that they are copied. Basically, all you need to do when you change anything is to build the solution and everything is packaged correctly.

MATOM0809 commented on June 12, 2024

You can use the Test Console to run Install.exe. It's just a shortcut, though:
<<<<< It's OK, done

[...] Resources\InstallStager.exe
and if I have to move it to another location, do I have to rebuild?

When you rebuild the solution, some executables are copied to the Resources\ directory of other projects. This happens automatically. You can tell by the timestamp of the files that they are copied. Basically, all you need to do when you change anything is to build the solution and everything is packaged correctly.
Resources\ ?????
<<<< I don't understand

You don't answer me:
yes or no? If yes, moved where? And after rebuilding? At the moment I have not rebuilt.

Thanks for the help

bytecode77 commented on June 12, 2024

Example:

vs\Release\r77\r77-x86.dll is copied to vs\InstallService32\Resources\r77.dll

Each project has post build events. They are used to copy files to the Resources\ directory of other parts of the solution. This way, multiple files are packed into one file: Install.exe.

MATOM0809 commented on June 12, 2024

Hi,
in my case, I want to move InstallStager.exe from here:
C:\Users\xxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager.exe
I move it here: C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService32\Resources and
C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService64\Resources, is that OK???

And how do I move it?

Copy/paste? Or if not, what tools?

Thanks for the help

bytecode77 commented on June 12, 2024

I have already said: There are post build events that automatically copy the file there. Read more on Post-Build Events.

MATOM0809 commented on June 12, 2024

You can use the Test Console to run Install.exe. It's just a shortcut, though:
<<<<< It's OK, done

[...] Resources\InstallStager.exe
and if I have to move it to another location, do I have to rebuild?

When you rebuild the solution, some executables are copied to the Resources\ directory of other projects. This happens automatically. You can tell by the timestamp of the files that they are copied. Basically, all you need to do when you change anything is to build the solution and everything is packaged correctly.
Resources\ ?????
<<<< I don't understand

You don't answer me:
yes or no? If yes, moved where? And after rebuilding? At the moment I have not rebuilt.

Thanks for the help

I have already said: There are post build events that automatically copy the file there. Read more on Post-Build Events.

I looked at Post Build Events, but it's not easy for me.
I tried to work with your link here (https://www.google.com/search?q=what+are+visual+studio+post+build+events)
and I don't see mkdir; otherwise I had created this to test:

So I believe that to start, it is necessary to open a "Developer
Command Prompt for VS2019"

mkdir $ ("C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master$Build)"
xcopy /Y "$(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager)" "(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService32\Resources)"
echo Fxcopy/I/Y "$(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager.exe)" "$(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService32\Resources)InstallService32\Ressources\r77.dll"

Thanks for the help

bytecode77 commented on June 12, 2024

copy/paste ? OR if not what tools? [...]
I look Post BUILD Events but it 's not easy for me [...]

You don't need anything. Just compile the solution... done.

These are really beginner questions. I'm sorry, but I can't help you with those. I have a full-time job, a family and I can't teach you how to program and use Visual Studio.
