bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

Is it possible to disable injection into new processes but keep existing processes hidden? #44

Closed MaplerK closed 11 months ago

MaplerK commented 1 year ago

Hello! Thanks for the great rootkit r77. I found some problems while using it. Could you give me some advice? I'm trying to keep a particular process hidden while running other new ones. But r77 injects all new processes by default, and injection will cause some unexpected bugs in new processes. For example, when I try to open the task manager, it often reports that the program input point ImageList_CoCreateInstance cannot be located on the dynamic link library. Another problem is that my TestConsole cannot be started in administrator mode, and it crashes soon after startup. Best regards.

bytecode77 commented 1 year ago

The crashes you describe are weird. Is there anything particular about the machine you're testing on? Can you pinpoint what's causing crashes? Might be AV or similar tools that interfere.

To avoid a process being injected, you can do either of the following:

1.) Recommended, if you can modify the executable file: Write the R77_HELPER_SIGNATURE (0x7268) at file offset 64 to your executable. When this executable starts, it will never be injected. TestConsole.exe uses this.


2.) Communicate with the r77 service using the control pipe. There's a chapter in the documentation and code examples in C++ and C#. You're looking for CONTROL_R77_PAUSE_INJECTION and CONTROL_R77_RESUME_INJECTION. Using the control pipe you can instruct the r77 service to pause injection before you do your critical tasks and then resume afterwards.
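A defender-side check for the marker described in option 1, added here as an example and not part of the original thread or of the r77 project: it scans executables on disk for the R77_HELPER_SIGNATURE word at file offset 64, which identifies binaries that r77 will skip. It assumes the value is stored as a little-endian 16-bit word (byte order is not stated above), and the directory path is a placeholder.

```python
import os
import struct
from typing import List

# Value and offset as described in the thread; little-endian byte order is
# an assumption (a WORD written on x86 Windows lands as 0x68 0x72, i.e. "hr").
R77_HELPER_SIGNATURE = 0x7268
R77_HELPER_OFFSET = 64


def has_r77_helper_signature(data: bytes) -> bool:
    """Return True if an MZ image carries the r77 helper marker at offset 64.

    The MZ check keeps arbitrary files with "hr" at byte 64 from being
    reported; e_lfanew (offset 60, 4 bytes) sits directly before the marker.
    """
    if len(data) < R77_HELPER_OFFSET + 2 or data[:2] != b"MZ":
        return False
    (word,) = struct.unpack_from("<H", data, R77_HELPER_OFFSET)
    return word == R77_HELPER_SIGNATURE


def scan_tree(root: str, exts=(".exe", ".dll")) -> List[str]:
    """Walk a directory tree and list executables marked with the helper signature."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(R77_HELPER_OFFSET + 2)  # only the bytes we need
            except OSError:
                continue
            if has_r77_helper_signature(head):
                hits.append(path)
    return hits


def build_sample(marked: bool) -> bytes:
    """Constructed minimal DOS-header stub (not a real PE) for offline testing."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    struct.pack_into("<I", hdr, 60, 0x80)          # e_lfanew placeholder
    word = R77_HELPER_SIGNATURE if marked else 0x0000
    return bytes(hdr) + struct.pack("<H", word) + b"\x00" * 62


if __name__ == "__main__":
    for p in scan_tree(r"C:\Placeholder\Path"):  # placeholder directory
        print("r77 helper marker found:", p)
```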

MaplerK commented 1 year ago

Thanks for your reply! I've tried the pause and resume function before, but it cannot keep the process I wanted to hide hidden. And once the injection is resumed, r77 will also inject into the existing processes, so some unexpected errors may also occur. In other words, I want to hide only one process and leave other processes running undisturbed (no injection). So the first method you recommend may not be suitable for me, I probably can't make changes to all other executables.

bytecode77 commented 1 year ago

You need to know that for a process to be hidden, the Task Manager needs to be injected - not the process that you want to hide. Likewise, you need to inject File Explorer to hide files. And since there are many different programs that display lists of files or processes, you need to inject all running processes.

To make an exception and not inject specific processes, you can use one of the two methods that I've mentioned. Another method you can use is to extend the PROCESS_EXCLUSION constant and recompile r77:

#define PROCESS_EXCLUSIONS                      { L"MSBuild.exe" }
// Example: { L"MSBuild.exe", L"your_app.exe", L"another_app.exe" }

Can you explain a little further what processes start what other processes - and which ones crash upon injection?

MaplerK commented 1 year ago

Thank you for your patience! Got it. So the process I want to hide does not need to be injected. Is this understanding correct? My purpose is to hide my process to bypass the detection of a game's anti-cheat system, so the process of the anti-cheat system must be injected, right? In fact, there will be an authentication system before entering the game, and I have observed that once this authentication system is injected, it sometimes fails to pass the authentication to enter the game. And the verification system is not the same process as the anti-cheat system, so what I should do is: add an exception to the verification system process, and inject the anti-cheat system as usual, right? Then here's a new problem, I'm not sure if this anti-cheat system has an anti-injection mechanism... Sorry, I forgot to answer the admin mode question you mentioned earlier. I ran TestConsole with AV turned off, but it still crashed without displaying information. I am using Win11 KB5028851. I can run other processes normally in admin mode. I think there should not be anything particular in my machine?

bytecode77 commented 1 year ago

Depending on the game, it could have anti-cheat systems that avoid injection - entirely possible...

Yes, to hide your cheat from the game, you must inject all processes that belong to the game. This includes your game, the authentication service process, etc...

You can inject these processes manually, but there will be a small window of time when that process starts and before it's injected, where it can see your cheat. That's why r77 injects processes before they start running by injecting child processes. So, it's recommended to install r77.

Try to extend the process exclusion list to avoid injection where it causes crashes. What you can also do is to de-implement certain features that you suspect cause trouble. You can do this here by commenting out the InstallHook and UninstallHook of a hook that you wish to remove. Maybe that's worth a try, too... Let me know if you identify a specific hook that causes crashes. I would like to know about such issues and publish bugfixes accordingly.