bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

hidden file failed to execute #13

Closed FZKiritsugu closed 3 years ago

FZKiritsugu commented 3 years ago

So I have an executable file in the temporary folder named $77name.exe. I created a new project in C# and executed that file with ProcessStartInfo and it executed just fine, but if an already running process tries to execute that file with the exact same method I get a "Windows cannot find $77name.exe". I'm not 100% sure, but I think it works just fine with the older version of this rootkit.

bytecode77 commented 3 years ago

Is the already running process injected with r77 and can therefore not see the file? One way to avoid r77 being injected into a process is to use the prefix.

E.g.: $77a.exe starts $77b.exe - not sure if this example is applicable to your implementation. However, executables with the prefix won't get injected at all, while all other processes are injected before they run any of their own instructions.

If you're really stuck because r77 is running inside your process and you cannot use the prefix: One possible way to resolve this is to detach r77 from the current process. There is a function pointer (Rootkit::Detach) in the r77 header that you could call (see documentation "Implementation details"). But normally, you shouldn't need to go this far in order to get your executable up & running.

If it works with an older version, can you reproduce this? It would be really interesting...

FZKiritsugu commented 3 years ago

Here is a video showing the way to reproduce this: https://streamable.com/s7tlje It executes fine, but after adding a delay and installing the rootkit while the program is running, it will give me a "file not found" error.

I did the same thing with the older version of this rootkit and it seems to work fine, but that could be because the executables starting with $77 stay visible until Explorer is restarted.

bytecode77 commented 3 years ago

There are three supported approaches:

1.) Naming the executable $77eryeryerye.exe

This will tell the r77 service to not inject the process. If this is not applicable to your project, option 2 works equally well:

2.) Using the r77 header:

There is this image in the documentation (Section 4.1: r77 header)

[image] This is an excerpt of an executable in memory (not on disk).

Overwrite the first two bytes of the DOS stub at compile time with R77_HELPER_SIGNATURE (0x7268)

It tells the r77 service to not inject your process. If you look at TestConsole.exe in a hex-editor, you will see these bytes. But make sure to do it at compile time and not at runtime, as r77 is injected before your executable gets to run its main thread.

3.) Detaching the rootkit

If the first two bytes of the DOS stub in memory are R77_SIGNATURE (0x7277) it means that your process is injected with r77. The following 8 bytes are a function pointer. If you create a thread pointing to this function, r77 will detach. Note that the detach function pointer might be written there after a few milliseconds have passed.

Now, option 2 (writing the r77 header) makes more sense, I think. I just wanted to let you know all options that are available.

FZKiritsugu commented 3 years ago

Hmm, interesting. How exactly do I accomplish that in C#? I'm trying to go for option 2, but I don't know how to do that without using a hex editor and editing it directly.

If anything, I can just go with the older version of this rootkit.

bytecode77 commented 3 years ago

Have a look at BuildTask.R77Signature. This function takes an executable as a byte[] and writes the 2-byte signature to a fixed offset of 64. The compiled binary BuildTask.exe is in the post build events of other projects, such as TestConsole. This way, the TestConsole already has the R77_HELPER_SIGNATURE when it's compiled.
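The two comments above describe the marker r77 keys on: a 16-bit value in the first two bytes of the DOS stub, at file offset 64, where R77_HELPER_SIGNATURE (0x7268) marks an executable the service must not inject and R77_SIGNATURE (0x7277) appears in memory once a process has been injected. From a defender's side, that same fixed offset makes a cheap triage check for binaries on disk that have been stamped as r77 helpers. The script below is an added example written for this thread; it is not code from the r77 repository or from BuildTask. It assumes the signature is stored as a little-endian 16-bit value (the way a ushort written by BuildTask.R77Signature would land on disk), the function names and the sample PE images are constructed for illustration, and it only reads files, never modifies them.

```python
import os
import struct
import sys
from typing import Optional

# Values taken from the thread: R77_SIGNATURE (injected process, seen in memory)
# and R77_HELPER_SIGNATURE (executable the r77 service must not inject).
R77_SIGNATURE = 0x7277
R77_HELPER_SIGNATURE = 0x7268
# First two bytes of the DOS stub, i.e. directly after the 64-byte IMAGE_DOS_HEADER.
SIGNATURE_OFFSET = 64


def read_r77_marker(image: bytes) -> Optional[int]:
    """Return the 16-bit value at offset 64 of a PE image, or None if the
    buffer is not an MZ file large enough to hold a DOS stub.
    Assumption: little-endian storage of the ushort signature."""
    if len(image) < SIGNATURE_OFFSET + 2 or image[:2] != b"MZ":
        return None
    return struct.unpack_from("<H", image, SIGNATURE_OFFSET)[0]


def classify(image: bytes) -> str:
    """Map the DOS-stub marker to a short verdict for triage output."""
    marker = read_r77_marker(image)
    if marker is None:
        return "not-pe"
    if marker == R77_HELPER_SIGNATURE:
        return "r77-helper-marked"   # stamped to evade injection (as TestConsole.exe is)
    if marker == R77_SIGNATURE:
        return "r77-injected"        # only expected in a dumped in-memory image
    return "clean-stub"              # ordinary stub bytes, no r77 marker


def scan_file(path: str) -> str:
    """Read only the header bytes needed and classify one file on disk."""
    with open(path, "rb") as fh:
        return classify(fh.read(SIGNATURE_OFFSET + 2))


def scan_tree(root: str) -> dict:
    """Walk a directory and return {path: verdict} for every PE that carries a marker."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                verdict = scan_file(full)
            except OSError:
                continue
            if verdict in ("r77-helper-marked", "r77-injected"):
                hits[full] = verdict
    return hits


# --- Constructed sample images (not real binaries) ------------------------------
# A fake 64-byte DOS header followed by the usual DOS stub start ("0E 1F BA ..."),
# which is what offset 64 normally holds in a compiler-produced executable.
_DOS_HEADER = b"MZ" + b"\x00" * 62
_STUB_START = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
CLEAN_IMAGE = _DOS_HEADER + _STUB_START
HELPER_IMAGE = _DOS_HEADER + struct.pack("<H", R77_HELPER_SIGNATURE) + _STUB_START[2:]
INJECTED_IMAGE = _DOS_HEADER + struct.pack("<H", R77_SIGNATURE) + _STUB_START[2:]

if __name__ == "__main__":
    # Usage: python r77_marker_scan.py <directory>
    # Without an argument, show the verdicts for the constructed samples.
    if len(sys.argv) > 1:
        for path, verdict in scan_tree(sys.argv[1]).items():
            print(f"{verdict:18} {path}")
    else:
        for label, img in (("clean", CLEAN_IMAGE), ("helper", HELPER_IMAGE), ("injected", INJECTED_IMAGE)):
            print(f"{label:9} -> {classify(img)}")
```

The check is deliberately narrow: it reads 66 bytes per file and looks at one offset, so it can run over a whole volume quickly as a first pass. A hit on the helper signature is a strong indicator that a binary was built with r77's BuildTask or patched to match it, which is worth a closer look; the injected signature is only meaningful when applied to a memory dump, since r77 writes it into the loaded image, not to the file on disk.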

FZKiritsugu commented 3 years ago

Yep, seems to work perfectly now, executes the hidden file with no problem! Adding R77_HELPER_SIGNATURE did the trick! Thank you so much!!!