Explorer.exe - Child Processes

[legitloganpauler]

Hello I am having some issues with the rootkit hooking explorer.exe as this is causing any program to run as a child from explorer to not run correctly. As it is getting hooked, How can I stop it from hooking explorer process that's all I need.

Thank you

[bytecode77]

What do you mean by "not running correctly"?

• Does it affect all child processes of explorer.exe, or only specific processes?
• Are child processes injected?
• Are they crashing / not starting up?

Just note that child process hooking is only active, when the r77 service is installed. If explorer.exe (x64) starts file.exe (x86), then it requires a named pipe communication between the rootkit inside explorer.exe and the r77 service to build a "bridge" between x86 and x64,

[legitloganpauler]

Thank you for the quick reply.

Its affecting all child processes of explorer.exe, I am trying to run some external cheats for COD and its stopping the files from running. But when I detach the explorer the cheat program runs.

[legitloganpauler]

Let me upload some screenshots for you.

[legitloganpauler]

With the rootkit enabled, Client.exe wont run as you can see it injects it to client and i don't want it to.

[legitloganpauler]

And in this image if you look its injected into Client.exe and its running fine (How it should) and i dethatched explorer.exe which allows it to run. So i would like it to not hook the child processes of explorer. If you could help me with that please.

[bytecode77]

Looks like client.exe is detecting that it's injected and really doesn't like it... That has nothing to do with child process injection in general and more with specific processes that should not be injected.

In issue #25, a similar problem was described. There is a feature request to specify an exclusion list of processes to not be injected. For example: [ "client.exe", "steam.exe" ]. It's on the ToDo list for the next release, which I will start working on next month. Does that solve your issue?

[legitloganpauler]

Oh okay thank you.

Is there any simple work around for this at the minute because I can detach explorer.exe and it will run fine.

Like another exe that gets the PID of explorer.exe and detaches the rootkit. on each log on of the user something like that.

[bytecode77]

If you need a solution right now, I would suggest looking at this function:

BOOL InjectDll(DWORD processId, LPBYTE dll, DWORD dllSize, BOOL fast)

This is called to inject a specific process ID. Within that function, look up the name of this process based on the specified PID, and if that name is donotinject.exe, simply return false. Either use "client.exe", or "explorer.exe" based on your specific needs.

[bytecode77]

As of now, there is a new feature to exclude processes from being injected. It's only on the dev branch, so you have do download the code from there and compile. To add a process name to the exclusion list, modify the contents of PROCESS_EXCLUSIONS and recompile.

This is the dev branch. Downloadable binaries and documentation will follow with the next release, as well as other features on the ToDo list.

[bytecode77]

r77 version 1.3.0 is released

It contains a hardcoded process exclusion list. The advantage over the configuration system in your specific case is that r77 will never inject these processes. Previously, these would get injected prior to the configuration system being loaded.

You need to modify the code here and compile r77:

/// <summary>
/// Specifies a list of processes that will not be injected.
/// By default, this list includes processes that are known to cause problems.
/// To customize this list, add custom entries and recompile.
/// </summary>
#define PROCESS_EXCLUSIONS                      { L"MSBuild.exe" }
// Example: { L"MSBuild.exe", L"your_app.exe", L"another_app.exe" }