bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.55k stars, 382 forks

Installation problem #42

Closed josefredohd closed 1 year ago

josefredohd commented 1 year ago

I ran the Install.exe file on a Windows 10 laptop and it doesn't hide anything. I tried it on another PC and it works. So I don't understand why it doesn't work on my laptop.

bytecode77 commented 1 year ago

Most likely due to AV detection. If AV detects the installation and blocks it, nothing is hidden. You can check using the Test Console whether installation was successful. If you turn off AV, it will definitely work.

Although the fileless concept along with many evasion techniques made r77 undetectable on the day of release, it certainly cannot keep AV vendors from creating signatures for existing releases. So, you probably need to do some adjustments if you want it to be FUD.

josefredohd commented 1 year ago

I have disabled my antivirus and Windows Defender, but it still does not install; it does not hide files or processes.

josefredohd commented 1 year ago

I have found out why this is happening. The reason is that the laptop must be connected with the power cable. I was trying to install the rootkit but there was no success, so by chance I connected the charger to the laptop and the rootkit was installed out of nowhere. And now it works correctly. I tried it with another laptop and the same thing happened. Is this a bug?

bytecode77 commented 1 year ago

Now this is new... I need to test this on a notebook with the power cable unplugged. If there is such a bug, I will release a new version with a fix right away. I'll do some testing...

bytecode77 commented 1 year ago

Confirmed.

The installation worked up until the scheduled tasks were created. However they do not start when unplugged. I will need to fix this in CreateScheduledTask.


bytecode77 commented 1 year ago

Fortunately, the bugfix was pretty straightforward. The scheduled task needs to be created with DisallowStartIfOnBatteries set to FALSE.

settings->lpVtbl->put_DisallowStartIfOnBatteries(settings, VARIANT_FALSE);

Maybe TRUE is the default value, since OS vendors try to be more eco friendly...

Version 1.4.3 is available for download.

By the way, I wanted to thank you for trying to isolate the issue. Too many times, I get bug reports that simply state that there is an error, but many GitHub users are unwilling to make the effort in trying to isolate the issue. You did that and for that reason I could fix the bug.
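For anyone auditing a host for scheduled-task persistence, the setting discussed in this thread is visible through the ScheduledTasks module. The following is an added example, not code from the r77 project or from either participant; it assumes Windows 10 or later with Get-ScheduledTask available, and lists every task that is allowed to start while the machine is on battery, together with its actions and last run time.

```powershell
# Added audit example (not part of r77 or this thread).
# Assumes the built-in ScheduledTasks module (Windows 10+).
# A task whose Settings.DisallowStartIfOnBatteries is $false will start on an
# unplugged laptop; this is the flag the bugfix above sets to FALSE.
$tasks = Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Path          = $_.TaskPath + $_.TaskName
        State         = $_.State
        Author        = $_.Author
        RunsOnBattery = -not $_.Settings.DisallowStartIfOnBatteries
        StopOnBattery = $_.Settings.StopIfGoingOnBatteries
        # Flatten each action to "executable arguments" so reviewers can see what runs.
        Actions       = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun       = $info.LastRunTime
        NextRun       = $info.NextRunTime
    }
}

# Show only tasks that will run regardless of power state; review Author and
# Actions for anything unexpected (unknown authors, script hosts, encoded commands).
$tasks |
    Where-Object { $_.RunsOnBattery } |
    Sort-Object Path |
    Format-Table Path, State, Author, StopOnBattery, LastRun, Actions -AutoSize
```

Run from an elevated prompt to include tasks registered under other accounts; export with Export-Csv instead of Format-Table if you want a baseline to diff against later.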