bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

How to start a program hidden by $77 #29

Closed dethlux closed 2 years ago

dethlux commented 2 years ago

I have a program that runs routinely, and I was wondering how to start and end the program hidden by $77 (e.g. 77$Program), and does this bypass kernel check?

bytecode77 commented 2 years ago

There is a registry key $77config\startup to put in paths to files that should be started by r77 on startup. Your file would then run with SYSTEM privileges (see documentation: 2.7.8 Startup Paths).

Do you want to dynamically launch and kill that process - or do you want to just have it start up when the machine boots?

does this bypass kernel check?

In general, no. r77 is a ring 3 rootkit. What kernel checks do you mean?

dethlux commented 2 years ago

I have compiled the project and everything says completed with no errors, but when I run install nothing happens. I have downloaded the pre-compiled version you uploaded, but it does the exact same thing. And when I go and look in the registry, I don't see r77config/startup.

Thank you for replying to me :)

What I meant by kernel check is: if there is an anti-virus that has a kernel driver that starts at boot, will it detect using r77?

And yes, I would love for a program to start when the machine boots.

If what I asked isn't possible, do you have any recommendations? I am a coder myself, limited in certain fields.

bytecode77 commented 2 years ago

when I run install nothing happens?

Open Test Console, you should see most processes being marked as "Injected". This means the rootkit is installed. Also, the file $77-Example.exe should no longer be visible when you refresh Explorer.

$77config is hidden, unless you use the Test Console to detach the rootkit from regedit.exe. The subkey startup is not present, you need to create it yourself and add a value that contains the path to your executable that you want to start up. Just note that your application will be running under the SYSTEM user and does not interact with the desktop. So, MessageBoxes, etc. will not be shown, but the process is there. You will not see it in TaskMgr, because it is hidden, but the Test Console will show it.

if there is an anti-virus that has a kernel driver that starts at boot will it detect using r77

r77 is user-mode. So, antivirus could detect it.

dethlux commented 2 years ago

All is working. Was in the wrong file lol

r77 is user-mode, I know, but do you have any suggestions against kernel? I have been busy with my project for about a year now.

bytecode77 commented 2 years ago

do you have any suggestions against kernel?

r77 is a user mode rootkit, not a kernel mode rootkit. Certainly, kernel rootkits are superior in many respects. However, Windows only allows installing drivers that are signed, or if you configure Windows to allow self-signed drivers. The latter is typical for development environments.

Since r77 is designed to be deployable anywhere, I've decided to make it user-mode. If you want to install the rootkit on your own machine for any reason, then of course the code signing restriction is not relevant for you. However, a kernel mode rootkit is an entirely different thing than a user mode rootkit.