bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.61k stars 392 forks

Install.Shellcode wont load into memory and install #48

Closed ACDiamond closed 11 months ago

ACDiamond commented 1 year ago

In fact this is my code

```c
#include <Windows.h>
#include "install.h"
int main()
{
    LPBYTE shellCode = rawData;

    DWORD oldProtect;
    VirtualProtect(shellCode, 166296, PAGE_EXECUTE_READWRITE, &oldProtect);

    ((void(*)())shellCode)();

    return 0;
}
```

In the documentation it said that I have to compile it as x86, which gave me an error, so I compiled into x64, which gave me no error, but it didn't work. I have my shellcode in a separate Install.h file; it's just a shellcode version of Install.shellcode that I've hexed with HxD. Looks pretty much like that:

```c
unsigned char rawData[166296] = {
    0xE8, 0x0D, 0x00, 0x00, 0x00, 0x8D, 0x80, 0x98, 0x03, 0x00, 0x00, 0x50,
};
```

just with 166296 hex characters

I'm checking out the $77 Example and the $77 Test Console; after running the file, the $77 Console didn't show the r77 rootkit as running, and the $77 Example also wasn't hidden.

bytecode77 commented 1 year ago

Yes, you need to compile with x86, since Install.shellcode is 32-bit assembly.

Did you run the code with elevated privileges? Since Install.exe has a UAC manifest, it can enforce admin rights, but the shellcode can't. You can do this by launching VS with elevated privileges.

ACDiamond commented 1 year ago

There is no way to execute this out of an x64 assembly? How is it for C#, will it work with AnyCPU or 32-bit only?

bytecode77 commented 1 year ago

First some background: r77 supports both x64 and x86 operating systems. It would be a poor design choice to exclude x86 operating systems, just because it's the minority. And for this reason, Install.exe is a 32-bit executable - so that it can run on all OSes (32- or 64-bit). From that point forward, bitness is carefully considered throughout all the features.

But you chose a 64-bit executable, because you don't care about 32-bit OS. That's fine, but you may need to do some adjustments:

  1. Change the project Install to compile to x64, not x86. I haven't tested this, so make sure you do!
  2. The shellcode needs to be rewritten in x64 assembly, which is a pain. Alternatively, you can do what the shellcode is doing in C# or C++. The shellcode is doing nothing more than a RunPE on Install.exe. It's a "deployment simplification", so to speak. And there are some RunPE functions in my source code. You can just copy them into your C# or C++ code and then RunPE the Install.exe file.

By the way, AnyCPU usually means x64, since you rarely encounter an x86 OS.

bytecode77 commented 11 months ago

Closed due to inactivity.