bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.59k stars, 389 forks

windows2012 r2 error #20

Closed x1a0zu1 closed 2 years ago

x1a0zu1 commented 2 years ago

Hiding in Windows 2012 R2 9600 does not work. It may be a problem caused by not supporting Windows 8. How can I fix it?

bytecode77 commented 2 years ago

The reason why I don't support Windows 8 is because I want to reduce the workload on testing and adjustments, which is a huge effort in a rootkit and would decrease the overall time to spend on useful features.

I haven't tested Windows 8 at all, but with the proper changes you should be able to get it running. It requires some effort on your part in understanding the whole process of installation and injection. In particular, you need to figure out at what stage it fails: Startup, r77 service process initialization, process injection - you can check the Test Console to see whether the rootkit is running in all processes.

Or is your problem that a subset of features is not working in a particular program (Explorer, TaskMgr, etc.)? Can you provide more info so I can lead you to the right direction?

x1a0zu1 commented 2 years ago

At present, I manually inject r77-x64.dll into explorer. The good news is that some Windows 2012 R2 systems can be hidden, but some Windows 2012 R2 systems will not be hidden. What are the possible problems? Thanks and have a nice day.

bytecode77 commented 2 years ago

So, does that mean the same version of Windows, but r77 works only on some of them?

I think you need to narrow the issue down to something that can be fixed:

x1a0zu1 commented 2 years ago

After many days of testing, it has been found that the possible cause of the problem is: multiple instances of r77rootkit have been installed.

x1a0zu1 commented 2 years ago

A new problem has been discovered: If I try to hide the C:\233 directory after hiding C:\233\123.exe, it will fail to hide.

bytecode77 commented 2 years ago

> After many days of testing, it has been found that the possible cause of the problem is: multiple instances of r77rootkit have been installed.

Executing the installation process several times is supported. Install.exe will terminate the r77 service and restart it. So, this should be no problem. Does everything work by now, or do you have further questions?

> A new problem has been discovered: If I try to hide the C:\233 directory after hiding C:\233\123.exe, it will fail to hide.

Could you please create a new issue, since it's hard to keep track of multiple topics in one GitHub issue? Please provide the values that you stored in the configuration system and the list of files that you expect to be hidden and which ones aren't hidden. That would help a lot in narrowing down and fixing bugs.

bytecode77 commented 2 years ago

Closed due to inactivity. Please feel free to re-open, if you have new info.