bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.59k stars, 389 forks

Unable to read and write $77config normally #23

Closed. 518651 closed this 2 years ago

518651 commented 2 years ago

Hello, Mr. Author, I try to read/write data to the $77config registry path, but I can't read/write successfully. Is there any way I can see the hidden $77config key in the registry editor?

bytecode77 commented 2 years ago

You can see it in RegEdit, if RegEdit is not injected with the rootkit. You can use the TestConsole to detach r77 from RegEdit.

Likewise, if the process of the code you posted is injected with r77, you will also not "see" the registry key. I would suggest you write the R77_HELPER_SIGNATURE to your executable at compile time, just like it is written to TestConsole.exe at compile time using the VS build events. That way, your process will never be injected by r77 and you can write to the key.

518651 commented 2 years ago

In other words, I just need to make my process not injected by r77, and I can write it, right? Can I use TestConsole.exe to let r77 stop injecting into my process?

bytecode77 commented 2 years ago

Yes, your process must not be injected by r77. That way, it can "see" hidden items. You can use the Test Console only to detach r77, but not to disable injection.

I would suggest looking at the documentation regarding R77_HELPER_SIGNATURE. It's a simple build step, where you need to write 2 bytes at compile time to your executable.

518651 commented 2 years ago

OK, I got it.

518651 commented 2 years ago

Dear author, I checked your code, and I have a question: do you use the "BuildTask" project for the signature? Is this signature executed with a DOS command? This is my guess, because I don't know C#. My C++ program needs to use the r77 signature, so how do I connect it with "BuildTask"? Or what can I do for that with my C++ program?

bytecode77 commented 2 years ago

You need to compile your executable and then modify those two bytes of your compiled file:

[image: screenshot of the two bytes at offset 64 in a hex editor]

In the r77 solution, I use this method that is called by the VS build task post compilation:

using System;
using System.Linq;

// Called from the VS post-build step: returns a copy of the compiled file with the
// 16-bit helper signature written at offset 64 (0x40), the first two bytes of the DOS stub.
private static byte[] R77Signature(byte[] file, ushort signature)
{
    // Write a 16-bit signature to the r77 header.
    byte[] newFile = file.ToArray(); // copy, so the caller's buffer is left untouched
    Buffer.BlockCopy(BitConverter.GetBytes(signature), 0, newFile, 64, 2); // The offset of the DOS stub is 64.
    return newFile;
}

But you can simply do this in C++. I recommend using VS build tasks to automate this.

As a result, the r77 service will not inject your process.
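As an added example that is not part of this thread or of the r77 project: the same two-byte patch and the matching check written in C++, which is what the question asks for. The offset (64, the start of the DOS stub) is taken from the thread; the signature value is a labelled placeholder, because the real R77_HELPER_SIGNATURE value is defined in the r77 sources and not on this page, and every function name here is my own. The read side is the part a triage analyst wants: it reports what sits at offset 64 of any PE so you can tell a marked binary from an unmarked one.

```cpp
#include <cstdint>
#include <fstream>
#include <iostream>
#include <iterator>
#include <optional>
#include <string>
#include <vector>

// Offset 64 (0x40) is the start of the DOS stub, right after the 64-byte IMAGE_DOS_HEADER;
// this is where the thread's BuildTask writes the 16-bit helper signature.
constexpr std::size_t kR77SignatureOffset = 64;

// PLACEHOLDER: the real R77_HELPER_SIGNATURE value lives in the r77 sources, not on this page.
constexpr std::uint16_t kHelperSignaturePlaceholder = 0xABCD;

// True if the buffer is long enough to hold a DOS header and starts with the "MZ" magic.
bool LooksLikeMzImage(const std::vector<std::uint8_t>& image) {
    return image.size() >= kR77SignatureOffset + 2 && image[0] == 'M' && image[1] == 'Z';
}

// Read the little-endian 16-bit value stored at the signature offset; nothing for a non-MZ buffer.
std::optional<std::uint16_t> ReadR77Signature(const std::vector<std::uint8_t>& image) {
    if (!LooksLikeMzImage(image)) return std::nullopt;
    return static_cast<std::uint16_t>(
        image[kR77SignatureOffset] |
        (static_cast<std::uint16_t>(image[kR77SignatureOffset + 1]) << 8));
}

// C++ counterpart of the C# R77Signature() method quoted above: returns a copy of the image
// with the signature written little-endian at offset 64. Refuses buffers that are not MZ images.
std::optional<std::vector<std::uint8_t>> WriteR77Signature(const std::vector<std::uint8_t>& image,
                                                            std::uint16_t signature) {
    if (!LooksLikeMzImage(image)) return std::nullopt;
    std::vector<std::uint8_t> patched = image;  // copy, caller's buffer stays untouched
    patched[kR77SignatureOffset] = static_cast<std::uint8_t>(signature & 0xFF);
    patched[kR77SignatureOffset + 1] = static_cast<std::uint8_t>(signature >> 8);
    return patched;
}

// Triage helper: does this image carry the given marker at offset 64?
bool CarriesR77Signature(const std::vector<std::uint8_t>& image, std::uint16_t signature) {
    auto value = ReadR77Signature(image);
    return value.has_value() && *value == signature;
}

// Constructed sample: a 128-byte buffer with only the "MZ" magic set, standing in for a
// freshly compiled PE whose stub bytes at offset 64 are still zero.
std::vector<std::uint8_t> MakeSampleImage() {
    std::vector<std::uint8_t> image(128, 0);
    image[0] = 'M';
    image[1] = 'Z';
    return image;
}

std::vector<std::uint8_t> LoadFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    return std::vector<std::uint8_t>((std::istreambuf_iterator<char>(in)),
                                     std::istreambuf_iterator<char>());
}

int main(int argc, char** argv) {
    // With a path argument, inspect that file; without one, run on the constructed sample.
    std::vector<std::uint8_t> image = argc > 1 ? LoadFile(argv[1]) : MakeSampleImage();
    auto value = ReadR77Signature(image);
    if (!value) {
        std::cerr << "not an MZ image\n";
        return 1;
    }
    std::cout << "value at offset 64: 0x" << std::hex << *value
              << (CarriesR77Signature(image, kHelperSignaturePlaceholder) ? " (marked)" : " (unmarked)")
              << '\n';
    return 0;
}
```

Build with -std=c++17 and pass the path of a compiled executable to see what sits at offset 64; the placeholder constant must be replaced with the project's real value before the check means anything. WriteR77Signature only touches the first two bytes of the DOS stub, which the Windows loader never executes, so a patched PE still loads normally.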