bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

CRITICAL_PROCESS_DIED #5

Closed 4L4XXaBjUxgk8Es3UCLVpEeri23HRZTTNDUpyUV closed 3 years ago

4L4XXaBjUxgk8Es3UCLVpEeri23HRZTTNDUpyUV commented 3 years ago

Injection seemed to crash the whole system :/ It started by crashing every application, and lastly the whole VM crashed.

bytecode77 commented 3 years ago

This looks like a system process was injected and crashed while it was in a critical section. A critical section must complete before the process exits or causes any exceptions.

Do you know which process caused the crash, or can you tell from the Event Viewer?

4L4XXaBjUxgk8Es3UCLVpEeri23HRZTTNDUpyUV commented 3 years ago

Can't really look into the problem because of the persistence: it crashes the system when trying to log in. I'm gonna remove the persistence, test it and send you the logs.

bytecode77 commented 3 years ago

Thank you very much in advance for making the effort in restoring logfiles from your VM!

4L4XXaBjUxgk8Es3UCLVpEeri23HRZTTNDUpyUV commented 3 years ago

I removed the persistence and Windows left a dump file from the crash named GWIdlMon.exe.17312.dmp. I assume that the application GWIdlMon.exe caused the crash. In the Event Viewer these were the warnings & errors before the crash:

1. [Warning] Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications. Please visit http://support.microsoft.com/kb/197571 for more information.

2. [Critical] A problem has occurred with one or more user-mode drivers and the hosting process has been terminated. This may temporarily interrupt your ability to access the devices.

3. [Critical] The device HID-compliant headset (location (unknown)) is offline due to a user-mode driver crash. Windows will attempt to restart the device 5 more times. Please contact the device manufacturer for more information about this problem.

4. [Information] The process C:\Windows\system32\winlogon.exe (RESEARCH-VM03) has initiated the restart of computer RESEARCH-VM03 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x500ff Shutdown Type: restart Comment:

5. [Information] The kernel power manager has initiated a shutdown transition. Shutdown Reason: Kernel API

bytecode77 commented 3 years ago

"Custom dynamic link libraries are being loaded for every application" looks like DLLs are registered in AppInit_DLLs. Is there any DLL that's loaded this way? It would be interesting to see what happens when two rootkits hook the same functions.

Also, what operating system and bitness do you have in your VM? Are there any specific applications that perform hooking? Is it a fresh OS install, or are there other applications installed that may operate on a lower level?

4L4XXaBjUxgk8Es3UCLVpEeri23HRZTTNDUpyUV commented 3 years ago

The reason for "Custom dynamic link libraries are being loaded for every application" is probably that I have LoadAppInit_DLLs on but don't have anything in AppInit_DLLs, and also have RequiredSignedAppInit_DLLs off.

It's a 64-bit Windows 10 Home Edition, version 1909, installed on 20/5/2020. Pretty old VM; I mostly used it for your rootkit.

It has GlassWire for analysing network traffic, and it does have Malwarebytes; idk why, I probably installed it at some point for scanning. Malwarebytes did create 2 kernel drivers: MBAMSwissArmy and MBAMChameleon.
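The registry state behind that warning can be audited directly. The following is an added PowerShell example, not code from the r77 project or from either participant; it reads the three values discussed above (assuming the actual value name is RequireSignedAppInit_DLLs) from both the native and WOW64 registry views and reports what the combination implies:

```powershell
# Added example: audit AppInit_DLLs configuration on a 64-bit Windows host.
# LoadAppInit_DLLs = 1 makes every process that loads user32.dll also load the DLLs
# listed in AppInit_DLLs, which is why Windows logs the warning even when the list is empty.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path

    # Missing values cast to 0, which matches the OS treating them as "off".
    $load   = [int]$key.LoadAppInit_DLLs
    $signed = [int]$key.RequireSignedAppInit_DLLs   # 1 = only signed DLLs are loaded
    $dlls   = [string]$key.AppInit_DLLs

    $assessment = if ($load -eq 0) {
        'disabled: no AppInit injection'
    } elseif ($dlls -eq '') {
        'enabled but empty: warning is still logged; any DLL written here later loads into every process'
    } elseif ($signed -eq 0) {
        'enabled, unsigned DLLs allowed: review every listed DLL'
    } else {
        'enabled, signed DLLs only: review every listed DLL'
    }

    [pscustomobject]@{
        Path                      = $path
        LoadAppInit_DLLs          = $load
        RequireSignedAppInit_DLLs = $signed
        AppInit_DLLs              = $dlls
        Assessment                = $assessment
    }
}
```

Run it from an elevated prompt on the affected VM; the "enabled but empty" result reproduces the situation described in this thread, and any non-empty AppInit_DLLs entry is the list the warning asks an administrator to review.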

bytecode77 commented 3 years ago

Thank you for all the information! I will try to reproduce the error and find the underlying cause of the issue. Once a fix is available, I will notify you and close the issue. This may take some time, but I will definitely look into this, as r77 is not supposed to brick an OS.

bytecode77 commented 3 years ago

Apparently, injecting critical processes is a bad idea. I cannot reproduce the crash, even though I tried everything to set up Windows in the same way you did.

In version 1.0.1, I have changed injection to exclude critical processes (in particular smss, csrss and wininit). These processes do not contribute to hiding anything from the user anyway.

This should hopefully fix the issue, but if it's still present with 1.0.1, please re-open this issue. Thank you very much for your contribution!