bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.59k stars, 389 forks

rootkit applied only for the current user #1

Closed chekamarue closed 6 years ago

chekamarue commented 6 years ago

Hi, when logging in as another user, the renamed files are clearly showing (in explorer/taskmgr).

bytecode77 commented 6 years ago

Hi,

The installer, which is just for demonstration purposes, writes into AppInitDLLs and therefore only applications which are restarted are affected. As mentioned, in a productive scenario you would additionally inject every already running process along with AppInitDLLs. I didn’t want to include this in the PoC installer. Do these files also show up when your other user restarts TaskMgr?

Regards, Martin

chekamarue commented 6 years ago

Hi, indeed, when executed with elevated privileges it worked for all logged-in users after restarting explorer and taskmgr, but it doesn't affect disconnected users or newly created users. Still, the rootkit helps a lot, thank you.

Regards, yacine

bytecode77 commented 6 years ago

Yes, installing a rootkit requires elevated privileges. Otherwise, you could only inject into medium IL processes.

To summarize the productive scenario: Installation usually requires high IL. Persistence can either be achieved through AppInitDLLs + injection into every process, or only injection, as AppInitDLLs is not liked by AV software.
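As an added example from the defensive side (not code from the r77 project or its author), the following PowerShell audit reads the AppInit_DLLs configuration this thread refers to, in both the native and WOW64 registry views, and reports whether loading is enabled, whether signed DLLs are required, and whether each listed DLL exists and carries a valid Authenticode signature. The registry key and value names are the documented Windows ones; the function name is my own.

```powershell
# Added example (not part of r77): audit AppInit_DLLs persistence settings.
# Run in an elevated PowerShell session on the host being checked.

$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # 64-bit view
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit (WOW64) view
)

function Get-AppInitDllAudit {
    foreach ($key in $AppInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props  = Get-ItemProperty -Path $key
        $load   = [int]$props.LoadAppInit_DLLs            # 1 = DLLs in the list are loaded
        $signed = [int]$props.RequireSignedAppInit_DLLs   # 1 = only signed DLLs are loaded
        $list   = [string]$props.AppInit_DLLs

        # The value is a space- or comma-separated list of DLL paths.
        $entries = @()
        if ($list.Trim()) { $entries = @($list -split '[ ,]+' | Where-Object { $_ }) }

        if ($entries.Count -eq 0) {
            [pscustomobject]@{ RegistryKey = $key; LoadEnabled = ($load -eq 1)
                               RequireSigned = ($signed -eq 1); Dll = '(none)'
                               Exists = $null; Signature = $null }
            continue
        }

        foreach ($dll in $entries) {
            # A bare file name is resolved by the loader's search order, so only
            # rooted paths can be checked on disk here; flag the rest for review.
            if ([System.IO.Path]::IsPathRooted($dll)) {
                $exists = Test-Path -LiteralPath $dll
                $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
            } else {
                $exists = 'Unresolved'; $sig = 'NotChecked'
            }
            [pscustomobject]@{ RegistryKey = $key; LoadEnabled = ($load -eq 1)
                               RequireSigned = ($signed -eq 1); Dll = $dll
                               Exists = $exists; Signature = $sig }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize
```

Any row with LoadEnabled set, a DLL listed and a signature status other than Valid is worth investigating; an empty list with LoadEnabled set is the expected clean state on most hosts.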