bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

HKLM Disappears #38

Closed WilleLX1 closed 1 year ago

WilleLX1 commented 1 year ago

Hello! When I launch Install.exe, HKLM in the registry just tells me no data available. Just wondering if this is something that's not right, and if it isn't, let me know. Any replies would be appreciated.

Regards WilleLX1!

bytecode77 commented 1 year ago

What exact operating system are you using? Can you show me a screenshot of regedit that shows the error message and the selected registry key?

I'll try to reproduce it here then.

WilleLX1 commented 1 year ago

I am using Windows 10 as the operating system on my main computer. But as always I use a virtual machine to run and test malware. That VM is factory reset and Windows 10. Here is the problem, or not. I can't get the error anymore, and that is good.

If I get it again I'll screenshot and post it here.

Regards WilleLX1

WilleLX1 commented 1 year ago

Hello again. I got the error when I tried to open HKLM with Quasar RAT. The .exe of the RAT starts with $77, if that has anything to do with it. The weird thing is that I got the error when I tested this on my other computer, then I restarted and it worked fine. But on my VM it does not work even after a reboot. Here is a screenshot of the error: [image]

Any answers will be appreciated. Regards WilleLX1

bytecode77 commented 1 year ago

So, is this correct?

What would really interest me is what causes this issue. Because on a plain vanilla installation of Windows 10 x64 or x86, this error does not occur for me. Does the error also not occur on your side and only start to occur after you have done specific modifications to the OS, such as installing a RAT?

That's something where you can help me, since I can only guess on my side. If the error does not occur on a plain vanilla OS, then it would be interesting when and why it starts to appear. Let me know if you can pinpoint that moment...

WilleLX1 commented 1 year ago

Thank you for the long and interesting answer.

I haven't gotten the TestConsole.exe to work in the VM, I guess there's an anti-VM check installed in the application. So I don't really have a choice if I want to edit $77config, because it's hidden from the user. But with a RAT that is not injected, that starts with $77, if I am not wrong I should be able to see $77config through the RAT's registry editor with this method, but that's where I get this error message.

On my second computer I also get this error, but it works after a restart perfectly. But on my VM it's not fixed after a restart.

Any answers will be appreciated. Regards WilleLX1

bytecode77 commented 1 year ago

So, you're using the RAT's interface to get access to the registry, since you cannot detach r77 from the regedit process, because the Test Console won't start? (By the way, you need to install .NET Framework 4.7 in the VM to launch the Test Console.)

Am I guessing correctly that the RAT is using the .NET Microsoft.Win32.Registry class to access the registry? Maybe it's injected and doesn't work correctly. Do you have a minimal example, i.e. a C#/VB.NET code snippet that demonstrates registry access in the same way that your RAT is doing it - and that stops working correctly once r77 is injected into that .NET process?

WilleLX1 commented 1 year ago

It may very well be. I will now install .NET Framework 4.7 in the VM. Yes, the RAT is indeed a .NET assembly, and registry HKLM stops working when r77 is installed.

Regards WilleLX1

bytecode77 commented 1 year ago

Do you have anything particular for me to test this bug against? When writing a small .NET app that reads HKLM key & value names, I could not make it crash with r77. I have no idea what the RAT is doing when this error occurs. Any chance that you can extract the registry access functionality from the RAT by using a .NET decompiler to see what it does, and write down a simple piece of code that - when compiled into an executable and injected with r77 - crashes?
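As an added diagnostic (not code from the r77 project or from anyone in this thread): a small .NET console program that walks an HKLM subtree with the Microsoft.Win32.Registry class, reports the first registry call that throws, and flags keys where the SubKeyCount/ValueCount metadata disagrees with what enumeration returns, which is one heuristic for a filtered registry view. The starting path is an assumption; whether the mismatch check fires depends on how the enumeration is filtered.

```csharp
using System;
using System.IO;
using System.Security;
using Microsoft.Win32;

// Added diagnostic, not part of r77 or this thread. Walks an HKLM subtree the way a
// .NET app using Microsoft.Win32.Registry would and reports failures / count mismatches.
class HklmProbe
{
    static int Main(string[] args)
    {
        // Assumed starting point; pass another HKLM-relative path on the command line.
        string path = args.Length > 0 ? args[0] : @"SOFTWARE\Microsoft";
        int problems;
        try
        {
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(path, false))
            {
                if (key == null) { Console.WriteLine("OpenSubKey returned null for HKLM\\" + path); return 1; }
                problems = Probe(key, 0);
            }
        }
        catch (Exception e) when (e is IOException || e is SecurityException || e is UnauthorizedAccessException)
        {
            Console.WriteLine("HKLM\\" + path + ": " + e.GetType().Name + ": " + e.Message);
            return 1;
        }
        Console.WriteLine(problems == 0 ? "no inconsistencies found" : problems + " problem(s) found");
        return problems == 0 ? 0 : 2;
    }

    // Returns the number of problems found under this key (recursing two levels deep).
    static int Probe(RegistryKey key, int depth)
    {
        int problems = 0;
        string[] subKeys, values;
        try { subKeys = key.GetSubKeyNames(); values = key.GetValueNames(); }
        catch (Exception e) when (e is IOException || e is SecurityException || e is UnauthorizedAccessException)
        { Console.WriteLine(key.Name + ": " + e.GetType().Name + ": " + e.Message); return 1; }
        // Metadata from RegQueryInfoKey should agree with what enumeration actually returns.
        if (subKeys.Length != key.SubKeyCount || values.Length != key.ValueCount)
        { Console.WriteLine(key.Name + ": metadata " + key.SubKeyCount + "/" + key.ValueCount + " vs enumerated " + subKeys.Length + "/" + values.Length); problems++; }
        if (depth >= 2) return problems; // keep the walk short
        foreach (string name in subKeys)
        {
            try { using (RegistryKey child = key.OpenSubKey(name, false)) { if (child != null) problems += Probe(child, depth + 1); } }
            catch (Exception e) when (e is IOException || e is SecurityException || e is UnauthorizedAccessException)
            { Console.WriteLine(key.Name + "\\" + name + ": " + e.GetType().Name); problems++; }
        }
        return problems;
    }
}
```

Run it once in a clean process and once in a process the rootkit has injected, and compare the output; an exception or count mismatch that appears only in the second run localises which call the hooks break.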

WilleLX1 commented 1 year ago

Maybe I could find another way of controlling the rootkit? I have other RATs that don't do anything with the rootkit. And they don't even see $77config.

How can I control it with, for example, cmd, or what is the best way of controlling the rootkit? From what I've understood it has to do with pipes, and I have close to no knowledge of them.

bytecode77 commented 1 year ago

I have other RATs that don't do anything with the rootkit. And they don't even see $77config.

That's probably because the RAT itself is injected with r77 and cannot see the hidden files.

From what I've understood it has to do with pipes

The control pipe is to send commands to the rootkit. The $77config registry key is to write into the configuration system.

What you really want is to not inject the RAT with r77. You can do this by one of the following:

WilleLX1 commented 1 year ago

Okay, thank you for all the help I've gotten. I will try this as soon as I can.

Regards WilleLX1