bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.59k stars 389 forks

Hide custom registry Key/Value and Task Scheduler Tasks #24

Closed APT-ZERO closed 2 years ago

APT-ZERO commented 2 years ago

Hi, I made a registry key/value and a task in Task Scheduler without $77 in their names. I was not able to hide them by adding their path to "HKLM\SOFTWARE\$77config\paths".

As you know, there are some keys in the registry that we can't name ourselves, but we may still want to hide them (without losing their functionality).

Will this be possible in future updates?

bytecode77 commented 2 years ago

Hiding registry keys or values has a medium to critical performance impact, depending on how long it takes to process one item.

Let's say your registry key has 10 values, then the HookedNtEnumerateKey hook is triggered 10 times. Each time the hook is triggered, we need to iterate through the parent registry key up until the currently enumerated value is reached. This is due to the way the NT api handles registry enumeration.

Now, there is only a string comparison for the prefix. If we added string comparison for a list of names in addition, then the cost for each iteration would bring down OS performance, because registry queries are executed thousands of times per second by many processes.

Since r77 is designed to be stealthy to the user, I prioritize performance in this case. But if you would like to contribute, you could give it a try and add a registry key/value list to the configuration system, and hide those. The right place in the code should be fairly easy to find and modify.

By the way, scheduled tasks are hidden implicitly by hiding their files. So, finding the full path and hiding that should do the trick. But it has to be the full absolute path to the job file.

APT-ZERO commented 2 years ago

If we added string comparison for a list of names in addition, then the cost for each iteration would bring down OS performance, because registry queries are executed thousands of times per second by many processes.

As you know, many people use Process Hacker or Process Explorer instead of Task Manager, but I guess nobody uses something else instead of the Windows default registry editor (regedit / regedt32). You can set that ability to only hide the value/key from the registry editor! Then system performance will not be slowed anymore.

bytecode77 commented 2 years ago

You can set that ability to only hide the value/key from the registry editor! Then system performance will not be slowed anymore.

That seems like a rather special use-case scenario rather than something that would benefit the project as a whole. The concept of r77 is to be a full rootkit, not one that hides only some entities in specific processes. I want to avoid adding too many special cases, as it makes the project incomprehensible and prone to errors.

And I always encourage developers who would like to see specific features to modify the code on their own. This is the purpose of an open source project after all, because I receive far more feature requests than I have free time to implement. I usually implement feature suggestions that are useful or commonly requested, and of course bug fixes.

For example, this line is where a registry key is hidden. It should be trivial to add a string comparison against a list here. The only challenge is to retrieve the full path to the registry key without slowing down performance. Try it and let me know if it works for you :)

if (!Rootkit::HasPrefix(KeyInformationGetName(keyInformation, keyInformationClass)))
{
    newIndex++;
}
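Added example (not r77 code, and not posted by either participant): a user-mode simulation of the index-remapping logic both replies describe. The hooked enumeration receives a visible index from the caller and must walk the real key from the start, skipping hidden entries and counting the visible ones (the newIndex in the snippet above), until it reaches the requested one. That is why a full enumeration of a key with n entries costs O(n²) name checks, and why every extra comparison per entry, such as the configured name list the issue asks for, multiplies that cost. The subkey names, the $77config path handling, and the EXTRA_HIDDEN list are constructed for this example; the only thing taken from the project is the $77 prefix rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prefix that r77 hides; everything else below is constructed for this example. */
#define HIDE_PREFIX "$77"

/* Constructed stand-in for the subkeys of one registry key, in the order the
 * (simulated) NT API returns them. Two carry the $77 prefix. */
static const char *const SAMPLE_SUBKEYS[] = {
    "Classes", "$77config", "Microsoft", "$77service", "Policies", "WOW6432Node",
};
#define SAMPLE_COUNT (sizeof SAMPLE_SUBKEYS / sizeof *SAMPLE_SUBKEYS)

/* Hypothetical configured list of extra names to hide, standing in for the
 * key/value list the issue asks for (assumption, not an r77 feature). */
static const char *const EXTRA_HIDDEN[] = { "Policies" };
#define EXTRA_COUNT (sizeof EXTRA_HIDDEN / sizeof *EXTRA_HIDDEN)

/* Counts string comparisons so the cost of one full enumeration is measurable. */
static unsigned long g_compare_calls;

static bool has_prefix(const char *name)
{
    g_compare_calls++;
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

static bool in_extra_list(const char *name)
{
    for (size_t i = 0; i < EXTRA_COUNT; i++) {
        g_compare_calls++;
        if (strcmp(name, EXTRA_HIDDEN[i]) == 0)
            return true;
    }
    return false;
}

static bool is_hidden(const char *name, bool use_list)
{
    return has_prefix(name) || (use_list && in_extra_list(name));
}

/* Simulated unhooked NtEnumerateKey: real index -> name, or NULL past the end. */
static const char *original_enumerate(size_t index)
{
    return index < SAMPLE_COUNT ? SAMPLE_SUBKEYS[index] : NULL;
}

/* Simulated hooked NtEnumerateKey. The caller asks for visible index `index`;
 * the hook walks the real key from 0, skipping hidden entries and counting the
 * visible ones, until the requested visible entry is reached. */
static const char *hooked_enumerate(size_t index, bool use_list)
{
    size_t new_index = 0;
    for (size_t real = 0;; real++) {
        const char *name = original_enumerate(real);
        if (name == NULL)
            return NULL;            /* past the end of the real key */
        if (is_hidden(name, use_list))
            continue;               /* hidden: does not consume a visible index */
        if (new_index == index)
            return name;
        new_index++;
    }
}

/* Enumerate a key the way a client does: index 0, 1, 2, ... until the hook
 * reports no more entries. Writes up to `cap` visible names to `out` and
 * returns the number of visible entries. */
static size_t enumerate_all(bool use_list, const char *out[], size_t cap)
{
    size_t n = 0;
    for (size_t i = 0;; i++) {
        const char *name = hooked_enumerate(i, use_list);
        if (name == NULL)
            return n;
        if (n < cap)
            out[n] = name;
        n++;
    }
}

/* Number of name comparisons one full client enumeration costs. */
static unsigned long comparisons_for_full_enumeration(bool use_list)
{
    const char *out[SAMPLE_COUNT];
    g_compare_calls = 0;
    enumerate_all(use_list, out, SAMPLE_COUNT);
    return g_compare_calls;
}

int main(void)
{
    const char *out[SAMPLE_COUNT];
    for (int list = 0; list < 2; list++) {
        size_t n = enumerate_all(list != 0, out, SAMPLE_COUNT);
        printf("%s: %zu visible, %lu comparisons:", list ? "prefix + list" : "prefix only",
               n, comparisons_for_full_enumeration(list != 0));
        for (size_t i = 0; i < n; i++)
            printf(" %s", out[i]);
        printf("\n");
    }
    return 0;
}
```

With six real entries the prefix-only walk already performs 21 comparisons to hand the client four names; adding a one-element name list raises that to 27 for three names, and a real list would be checked against every non-prefixed entry on every call. Hiding the task's job file via the paths list, as suggested above, sidesteps the registry hook entirely and is the cheaper option where it applies.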