bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

How to change prefix $77 to my own keyword #62

Closed DARK-DEVIL-66 closed 8 months ago

DARK-DEVIL-66 commented 9 months ago

Hi Bro

I want to know how to change and where to change $77 to my own prefix?

Which Visual Studio is supported?

bytecode77 commented 9 months ago

When you search for the string literal "$77", you will find it in r77def.h and R77Const.cs - as described in the documentation. Then, you only need to replace both occurrences and recompile.

DARK-DEVIL-66 commented 9 months ago

Actually, my payload name is services.exe, so I want to add an exception to injecting that payload. What do I need to do for that?

bytecode77 commented 9 months ago

In that case, you don't need to change the $77 prefix at all, since your executable name isn't $77services.exe.

You can write the helper signature at compile time to your executable. That way it will never be injected. There's a chapter in the documentation which you can find on the main page that describes how to write the helper signature. It's just a modification of two bytes of your executable.

DARK-DEVIL-66 commented 9 months ago

Your project contains install.exe, so can I use it for $77services.exe?

bytecode77 commented 9 months ago

You don't need the $77 prefix. Just change your services.exe file.

See Documentation section 4.9 r77 Header:

You need to write 0x7277 (0x7727 in little endian) at file offset 64 in services.exe. If you are interested why that is, there's more on that topic in that chapter.
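For defenders, the marker described in the comment above can be checked on disk when triaging executables. This is an added example, not part of the thread or of the r77 project; the names `check_marker` and `build_sample` are hypothetical, and it assumes the value is stored as a little-endian 16-bit word (bytes `77 72` on disk).

```python
import struct
import sys

MARKER_VALUE = 0x7277   # value quoted in the thread
MARKER_OFFSET = 64      # file offset quoted in the thread (first byte after the 64-byte DOS header)

def check_marker(data: bytes) -> dict:
    """Report the 16-bit word at file offset 64 of a PE image and whether it matches."""
    result = {"is_pe": False, "word_at_64": None, "marked": False}
    if len(data) < MARKER_OFFSET + 2 or data[:2] != b"MZ":
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    # Edge case: with no DOS stub (e_lfanew == 64) offset 64 is the PE
    # signature itself, so the word there cannot be a marker.
    if e_lfanew < MARKER_OFFSET + 2:
        return result
    word = struct.unpack_from("<H", data, MARKER_OFFSET)[0]  # assumption: little-endian
    result["word_at_64"] = word
    result["marked"] = word == MARKER_VALUE
    return result

def build_sample(stub: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed test image: DOS header, stub bytes, PE signature only."""
    header = bytearray(64)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    return bytes(header) + stub.ljust(e_lfanew - 64, b"\0") + b"PE\0\0"

if __name__ == "__main__":
    # Usage: python check_marker.py file1.exe file2.exe ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_marker(f.read(65536)))
```

A typical linker-generated DOS stub begins with the bytes `0E 1F` at offset 64, so a match on the marker value is an anomaly worth reviewing rather than proof of anything by itself.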

DARK-DEVIL-66 commented 9 months ago

But I don't have the services.exe source code.

bytecode77 commented 9 months ago

Are you sure you have read the page about the r77 header? You can literally change 2 bytes in your executable file and make it non-injectable (see my previous message).

DARK-DEVIL-66 commented 9 months ago

OK, let's say I changed 0x7277, but which exe do I need to execute on the client PC: $77services.exe and install.exe, am I right?

bytecode77 commented 9 months ago

You always need to use Install.exe to install the rootkit. Your service.exe doesn't need to be named $77services.exe. All you need to do is write the helper signature (0x7277) to services.exe.

bytecode77 commented 8 months ago

I assume that your question is answered, so I'm going to close this issue. But feel free to re-open if you still have questions...

Telssh commented 8 months ago

When I change the prefix to my own word, like abc, it does not work for hiding TCP connections; I can find them by using netstat -ano.