bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.55k stars, 383 forks

$77 How can a non-interactive SYSTEM-permission process use ShellExecuteW so that its child processes can be interactive? #55

Closed: saoye-dve closed this issue 7 months ago

saoye-dve commented 8 months ago

$77 How can a non-interactive SYSTEM-permission process use ShellExecuteW so that its child processes can be interactive?

bytecode77 commented 8 months ago

Impersonation is what you're looking for. This question on SO is about exactly that. Although r77 is not a service, it is still non-interactive, so you need to impersonate in your case.

bytecode77 commented 7 months ago

Closing this issue, because I assume that your question is answered. In case it isn't, feel free to re-open.