bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

Rust ShellCode/Install.exe #52

Closed sa6ta6ni6c closed 7 months ago

sa6ta6ni6c commented 8 months ago

Hello r77.

I want to include the shellcode into the rust based clipper/stealer.

Do I have to use asm and compile for x64 or x86? Target system is x64.

I also want to know the purpose of r77. Is it targeted against power users? As you already said, it does not protect from AV solutions.

Regards

bytecode77 commented 8 months ago

r77 works on Windows x86 and x64 and it supports 32-bit processes on a 64-bit OS - i.e. any combination. Install.exe and Install.shellcode are 32-bit binaries. If this was a 64-bit binary, then installation on 32-bit Windows would simply not work.

So, the shellcode can be integrated easily like in the example (using any programming language), if your process is 32-bit. If your process is x64, then you need to write your own RunPE to launch Install.exe, which is exactly what the shellcode loader does. There is even some RunPE source code in the solution (both in C++ and C#) to copy from.

Is it targeted against power users? As you already said, it does not protect from AV solutions.

I guess that an advanced user would not detect its presence, unless an AV detects r77. There are lots of AV evasion techniques, though. However, the exact binary you can download here will certainly be detected. But the whole fileless concept already goes a long way.