Comments (21)
hi
For AV/EDR evasion / AMSI bypass: I have tested with PowerShell.exe and amsi.dll!AmsiScanBuffer, and
I read src/InstallStager/Unhook.cs, and
I read r77api.h for both the C# and C++ implementations, and
you say:
For each r77 update, build the solution and take the
InstallStager.exe file from the resources of the installer project. Make sure to check
for changes in the code of Install.cpp and implement them in your project as needed.
The source code of the installer itself is fairly short and commented.
So I understand that we must use VS2019 to generate the solution and get InstallStager.exe. Are we OK?
Yes, I think so. If you want InstallStager.exe, you will need Visual Studio and then build the project.
So I have to work with VS2019 from the clone of:
https://github.com/bytecode77/r77-rootkit.git + develop solution explorer +
InstallStager or r77.sln?
What I did, was that I went here: https://github.com/bytecode77/r77-rootkit and clicked on "Code" in the upper right and clicked "Download zip". Then I unzipped the file, and then I opened r77.sln with Visual Studio.
If I have to work like this,
is it with Release AnyCPU InstallStager or Release AnyCPU TestConsole, or work from src/InstallStager/InstallStager.cs?
You need to build it with Release AnyCPU (but don't click "Start", because that will execute the program on your own computer). Select "Release", and then in the Solution Explorer, right-click "Solution 'r77'" and click "Build Solution"; it will build everything for you. Then you can go and grab InstallStager.exe from this location: ....\r77-rootkit-master\r77-rootkit-master\vs\Install\Resources\InstallStager.exe
For now, I bypass with powershell.exe as admin +
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
+
'amsi.dll!AmsiScanBuffer'
+
'AMSI_RESULT_CLEAN'
result: no errors, no messages. I have created two scheduled tasks, for both the 32-bit and the 64-bit
task: powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
I'm working for the moment from r77rookit.rar and TestConsole and Install.exe, and I get well injected and hide two processes, dllhost.exe
and Task Scheduler, and bypass powershell.exe.
Thanks for the help
If you are trying to use r77 in your own project, I would recommend taking the easy route and executing Install.exe from memory (process hollowing) using RunPE.
from r77-rootkit.
There are two options to integrate r77 into your project (Documentation section 5 Integration Best Practices)
1.) Include Install.exe
By doing this, you don't need to do any compilation of r77 yourself. You just take the executable Install.exe as it is and include it in your project. However, you should execute Install.exe in-memory using RunPE. Of course, the file Install.exe itself should be encrypted when you store it in your main executable's resources. Otherwise, you'll get scan-time detection just for the file.
Extra homework for teacher's pets: Ideally, you should unhook ntdll in your process before you RunPE Install.exe. Of course, you can just write Install.exe to disk and run it. But it will probably be deleted by AV along the way. The reason why I recommend unhooking ntdll prior to using RunPE is because I have encountered issues with detection because of EDR hooks in ntdll.
2.) Implement installation yourself
This is the alternative option, where you basically do what Install.exe does in your own code. If you choose this approach, you do need to compile the solution and write the code of Install.exe yourself. However, I recommend option 1.) because this one is for rather advanced usage when you want more control over what's happening.
from r77-rootkit.
Admin, are you OK with this for implementation?
And are you OK with the PowerShell code for the bypass?
If not, what would your actions be?
from r77-rootkit.
OK (5 Integration Best Practices)
Including r77 into an existing project is simple and can be done in several ways.
5.1 Include Install.exe
Including the installer and executing it upon installation of your project is the preferred way.
Executing the installer when r77 is already installed is supported. It will not update already injected processes; however, new processes are injected with the new version of the rootkit DLL.
1: ?? existing project? Which one?
And how do you do that? Because it is not explained anywhere lol
You often say "your project" or "existing project", but I work only on yours, or I do not understand anything with the translation, as here:
The installer can either be written to disk and executed, or it can be spawned using process hollowing. The process hollowing implementation needs to be written in the language of your project. If your project is written in C#, the process hollowing implementation of the stager can be used as a reference. Otherwise, you have to write it yourself. It is required to perform 32-bit process hollowing, because the installer is a native 32-bit executable.
2: "Executing the installer in-memory is an extra mile worth taking, because dropping the file" ?? I don't understand this
3:
It is a viable option to implement the installer directly into the code of your project. For this, the behavior of Install.cpp must be replicated:
- InstallStager.exe needs to be included in your project's resources.
- InstallStager.exe must be written to both the 32-bit and the 64-bit registry key.
- Both scheduled tasks need to be created and started.
How do we do it? As uncidal says?
Which is a pity, because it is not explained anywhere
and
Your implementation does not require a native executable. Make sure that your code handles Windows x86/x64 differences properly. For each r77 update, build the solution and take the InstallStager.exe file from the resources of the installer project. Make sure to check for changes in the code of Install.cpp and implement them in your project as needed. The source code of the installer itself is fairly short and commented.
Ditto, how to do it?
1.) Include Install.exe
By doing this, you don't need to do any compilation of r77 yourself. You just take the executable Install.exe as it is and include it in your project. However, you should execute Install.exe in-memory using RunPE. Of course, the file Install.exe itself should be encrypted when you store it in your main executable's resources. Otherwise, you'll get scan-time detection just for the file.
My project ?
Extra homework for teacher's pets: Ideally, you should unhook ntdll in your process before you RunPE Install.exe. Of course, you can just write Install.exe to disk and run it. But it will probably be deleted by AV along the way. The reason why I recommend unhooking ntdll prior to using RunPE is because I have encountered issues with detection because of EDR hooks in ntdll.
You should pick up ntdll, yes; all my questions are about that, and I thought that the PowerShell commands were made to do this job
this:
I bypass with powershell.exe as admin +
[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
+
'amsi.dll!AmsiScanBuffer'
+
'AMSI_RESULT_CLEAN'
result: no errors, no messages
I have created two scheduled tasks, for both the 32-bit and the 64-bit
task: powershell.exe [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)
I'm lost
Thanks for the help
from r77-rootkit.
"your project" is referring to an implementation where r77 is used. For example, you implement a RAT and include r77 with it. In this scenario, you would be the "integrator" and you would need to execute Install.exe when you execute "your project".
I wasn't aware that you were working on r77 itself. In this case, everything that is documented about unhooking, RunPE and the AMSI bypass is already implemented. The documentation mentions what happens when Install.exe is run. i.e.: This executable creates both scheduled tasks that launch powershell with the AMSI bypass first, then the stager. The stager uses RunPE to initialize the r77 service. The two service processes then proceed to inject every process. r77 is persisted at this point.
So, now that I know that you are working on r77: What exactly is your goal? :)
from r77-rootkit.
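The maintainer's description above gives a defender two concrete things to look for on a host: scheduled tasks whose action launches powershell.exe and loads an assembly straight out of a registry value, and values under HKLM\SOFTWARE (both the 64-bit key and the 32-bit one, since the thread says the stager is written to both) whose names carry the $77 prefix. The following hunting script is an added example written for this page; it is not code from the r77 project or from anyone in the thread. The function names are my own, the $77 prefix is the default quoted in the thread, and the "MZ" check simply flags binary values that start like a PE image.

```powershell
# Added hunting example (not part of r77 or of this thread): looks for the
# persistence described above, namely
#   - scheduled task actions running powershell.exe with a
#     [Reflection.Assembly]::Load(...) of a registry value, and
#   - $77-prefixed values under HKLM\SOFTWARE (64-bit and WOW6432Node views)
#     whose data begins with an "MZ" header.
# Caveat: the thread states that every injected process has $77-prefixed
# objects hidden from it, so output from a possibly injected session is not
# trustworthy; confirm from a clean boot environment or an offline SOFTWARE hive.
# $HidePrefix is the default named in the thread; function names are assumptions.

$HidePrefix = '$77'   # single quotes keep the literal dollar sign

function Find-RegistryLoaderTasks {
    # Returns task actions matching the loader pattern quoted in the thread.
    $hits = @()
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute
            $arg = [string]$action.Arguments
            if ($exe -match '(?i)powershell(\.exe)?\s*$' -and
                $arg -match '(?i)Reflection\.Assembly\]::Load' -and
                $arg -match '(?i)Registry\]::LocalMachine') {
                $hits += [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Execute   = $exe
                    Arguments = $arg
                }
            }
        }
    }
    return $hits
}

function Find-PrefixedPeValues {
    # Returns registry values named $77* and whether their data looks like a PE.
    param([string[]]$KeyPaths = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node'))
    $hits = @()
    foreach ($keyPath in $KeyPaths) {
        $key = Get-Item -Path $keyPath -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            if (-not $name.StartsWith($HidePrefix)) { continue }
            $data = $key.GetValue($name)
            $isBinary = $data -is [byte[]]
            $isPe = $isBinary -and $data.Length -ge 2 -and
                    $data[0] -eq 0x4D -and $data[1] -eq 0x5A   # "MZ"
            $size = $null
            if ($isBinary) { $size = $data.Length }
            $hits += [pscustomobject]@{
                Key         = $keyPath
                Name        = $name
                Kind        = $key.GetValueKind($name)
                LooksLikePe = $isPe
                Bytes       = $size
            }
        }
    }
    return $hits
}

# Usage: run from an elevated, trusted session and review both result sets.
$taskHits = Find-RegistryLoaderTasks
$regHits  = Find-PrefixedPeValues
"Loader-style scheduled task actions found: $($taskHits.Count)"
$taskHits | Format-List
"Registry values with the $HidePrefix prefix found: $($regHits.Count)"
$regHits | Format-Table -AutoSize
```

Because the rootkit hides its artifacts from the processes it has injected, an empty result from a live machine is weak evidence; the same two checks run against an offline copy of the SOFTWARE hive and the exported task XML files are what a responder should rely on.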
In fact, uncidal answered above how to use r77, and I was also waiting for your answer about it.
I don't understand the meaning of the word objective in C++ mode
from r77-rootkit.
What do you mean by "objective in C++ mode"? Yes, @uncidal explained well how to build the solution and the details on how to use it.
from r77-rootkit.
objective of what nature?
I want to get your project working successfully. On the other hand, with @uncidal's work, I tested and I get InstallStager in
C:\Users\xxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources
and after that, how do I run Install.exe from memory (process hollowing) using RunPE?
from r77-rootkit.
Install.exe is the single file installer of r77. All you need to do is to run it.
Anybody who is using r77 in their own project has to use RunPE in order to execute it. If you're working on r77 directly, then Install.exe is the final product.
from r77-rootkit.
Hi
So I obtained
in VS:
- C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallStager\Resources
two InstallService 32 and 64, OK, done, but I'm actually doing nothing and running alone with Install; is it right?
OK, you have to run Install.exe, but which one? I got two in different locations.
In Release:
C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Release
helper32
install
InstallService32
r77-x86.dll
uninstall
etc.
+
in $Build:
bytecodeApi.dll
bytecodeApi.UI.dll
helper32
helper64
Install
r77x64.dll
r77x86.dll
TestConsole
uninstall
And we also agree,
when we run Install.exe,
RunPE is then executed?
Thanks for the help
from r77-rootkit.
There is only one location: $Build\Install.exe. When you build the solution, all files are copied to the output directory $Build\ so nobody needs to "search" where the files are.
Install.exe already contains all required files, so you don't need the DLLs as separate files. They're all packaged into the final binary Install.exe
from r77-rootkit.
Hi, and thanks for the patience
Well understood now; obviously it is $Build.
A practical question: I know that every folder, file or .exe starting with $77 will be hidden.
Are the 2 possibilities possible?
$Build + Install.exe
or $Build + TestConsole + Install.exe?
from r77-rootkit.
are the 2 possibilities possible?
$build + install.exe
or $build + testconsole + install.exe?
What do you mean?
from r77-rootkit.
I would also like to use TestConsole to run Install.exe; is it possible?
PS: and what to do with the InstallStager.exe obtained here after the build?
C:\Users\xxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager.exe
And if I have to move it to another location, do I have to rebuild?
from r77-rootkit.
You can use the Test Console to run Install.exe. It's just a shortcut, though:
[...] Resources\InstallStager.exe
and if I have to move it to another location, do I have to rebuild?
When you rebuild the solution, some executables are copied to the Resources\ directory of other projects. This happens automatically. You can tell by the timestamp of the files that they are copied. Basically, all you need to do when you change anything is to build the solution and everything is packaged correctly.
from r77-rootkit.
You can use the Test Console to run Install.exe. It's just a shortcut, though:
<<<<< IT'S OK, done
[...] Resources\InstallStager.exe
and if I have to move it to another location, do I have to rebuild?
When you rebuild the solution, some executables are copied to the Resources\ directory of other projects. This happens automatically. You can tell by the timestamp of the files that they are copied. Basically, all you need to do when you change anything is to build the solution and everything is packaged correctly.
?????
<<<< I don't understand
You don't answer me:
yes or no? If yes, moved? And after rebuilding? At the moment I haven't rebuilt
Thanks for the help
from r77-rootkit.
Example:
vs\Release\r77\r77-x86.dll is copied to vs\InstallService32\Resources\r77.dll
Each project has post build events. They are used to copy files to the Resources\ directory of other parts of the solution. This way, multiple files are packed into one file: Install.exe.
from r77-rootkit.
Hi
In my case, I want to move InstallStager.exe from here:
C:\Users\xxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager.exe
I move it here: C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService32\Resources and
C:\Users\xxxxx\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService64\Resources. Is it OK???
And how to move?
Copy/paste? Or if not, what tools?
Thanks for the help
from r77-rootkit.
I have already said: There are post build events that automatically copy the file there. Read more on Post-Build Events.
from r77-rootkit.
I looked at Post-Build Events, but it's not easy for me.
I tried to work with your link here (https://www.google.com/search?q=what+are+visual+studio+post+build+events)
and I don't see mkdir; otherwise I had created this to test:
So I believe that to start it is necessary to open a "Developer Command Prompt for VS2019":
mkdir $ ("C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master$Build)"
xcopy /Y "$(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager)" "(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService32\Resources)"
echo Fxcopy/I/Y "$(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\Install\Resources\InstallStager.exe)" "$(C:\Users\fredo\Desktop\r77-rootkit\r77-rootkit-master\vs\InstallService32\Resources)InstallService32\Ressources\r77.dll"
Thanks for the help
from r77-rootkit.
copy/paste ? OR if not what tools? [...]
I look Post BUILD Events but it 's not easy for me [...]
You don't need anything. Just compile the solution... done.
These are really beginner questions. I'm sorry, but I can't help you with those. I have a full-time job, a family and I can't teach you how to program and use Visual Studio.
from r77-rootkit.