bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.55k stars 383 forks

Hiding users (net.exe and lusrmgr.msc) #74

Open MaggieKong opened 3 months ago

MaggieKong commented 3 months ago

Would you add hiding local users from net.exe, net1.exe and lusrmgr.msc in the future?

bytecode77 commented 3 months ago

A user has lots of traces all over the system, such as its files, an entire registry hive, etc. etc... What's your intention? Why do you consider net.exe to be enough to hide a user's activity? Maybe I can help you better when I understand your intentions a bit better.

MaggieKong commented 3 months ago

Windows has an RDP service, and control over the RDP service requires an Admin user. The most obvious way to list all local users is net.exe, net1.exe and lusrmgr.msc. Hooking NetUserEnum can hide users from the "net.exe user" and "net1.exe user" commands, but it can't hide users from the "net.exe localgroup administrators" command. Hooking the netapi32 API seems to have no effect on lusrmgr.msc.

bytecode77 commented 3 months ago

Thanks for doing some research upfront. I've checked what this function is doing. It eventually calls NdrClientCall3, which is an RPC.

Call stack: netapi32.dll!NetUserEnum calls samcli.dll!NetUserEnum, which calls samlib.dll!SamEnumerateUsersInDomain

This is the call to NdrClientCall3.

    if ( v15 )
    {
      if ( v15 != 1 )
        return 3221225659i64;
      LODWORD(v27) = v11;
      LODWORD(v25) = v12;
      LODWORD(v24) = v31;
      v16.Pointer = NdrClientCall3(
                      (MIDL_STUBLESS_PROXY_INFO *)&pProxyInfo,
                      0x48u,
                      0i64,
                      v28.Simple,
                      a3,
                      v24,
                      v25,
                      &hMem,
                      v27,
                      v14).Pointer;
      v17 = (unsigned int)v16.Pointer;
      v28.Pointer = v16.Pointer;
    }
    else
    {
      LODWORD(v26) = v11;
      LODWORD(v24) = v31;
      v29.Pointer = NdrClientCall3(
                      (MIDL_STUBLESS_PROXY_INFO *)&pProxyInfo,
                      0xDu,
                      0i64,
                      v28.Simple,
                      a3,
                      v24,
                      &hMem,
                      v26,
                      v14).Pointer;
      v17 = (unsigned int)v29.Pointer;
    }

I've done only some quick research, but didn't check where this RPC is going. It would be best to hook the function at the remote endpoint (on the local computer of course). If this is not possible, hooking NdrClientCall3 may do it. I've googled and this function seems to be a popular target to hook.

I think this function is filling an array with the users. Would you like to hook it and inspect the output?

MaggieKong commented 3 months ago

Hooking NetUserEnum would do the trick for "net.exe user" or "net1.exe user", but not for the "net.exe localgroup administrators" or "net1.exe localgroup administrators" command. Trying NetGroupGetUsers, NetLocalGroupGetMembers and NetQueryDisplayInformation, but no luck.

bytecode77 commented 3 months ago

Have you tried hooking NdrClientCall3? I didn't try, but I think it's always called, regardless of which app. You always want to hook the lowest level, not the higher level WinAPI functions.

MaggieKong commented 3 months ago

I will try

MaggieKong commented 3 months ago

There is an issue by hooking NdrClientCall3:

    CLIENT_CALL_RETURN RPC_VAR_ENTRY NdrClientCall3(
        MIDL_STUBLESS_PROXY_INFO *pProxyInfo,
        unsigned long nProcNum,
        void *pReturnValue,
        ...
    );

    static CLIENT_CALL_RETURN RPC_VAR_ENTRY HookedNdrClientCall3(MIDL_STUBLESS_PROXY_INFO *pProxyInfo, unsigned long nProcNum, void *pReturnValue, ...)
    {
        va_list args;
        va_start(args, pReturnValue);
        CLIENT_CALL_RETURN dwResult = OriginalNdrClientCall3(pProxyInfo, nProcNum, pReturnValue, args);
        va_end(args);

        return dwResult;
    }

Trying to hook like this, NdrClientCall3 gets triggered, but it results in "The binding handle is invalid" when using the "net.exe user" command. Not sure how to call the original API based on that API definition.

bytecode77 commented 3 months ago

I've disassembled rpcrt4.dll and found the function definition:

    CLIENT_CALL_RETURN NdrClientCall3(MIDL_STUBLESS_PROXY_INFO *pProxyInfo, unsigned int nProcNum, void *pReturnValue, ...)

So first, nProcNum is an int, which is 4 bytes in a 32-bit process and 8 bytes in a 64-bit process. You have a long there, which is always 4 bytes. This might break the following parameters in x64.

I also wondered that such a low level function actually uses argument lists, but it does. However, it calls NdrpClientCall3 after doing some parameter checking and converting the argument list to an array. It's worth hooking and looking at calls to this function, I guess.

Just to let you know, it's perfectly normal to spend weeks on figuring out one silly function. I've spent ages on figuring out the NT_NSI_PARAM struct. There is no documentation on that struct other than what I have figured out myself. That's why every single feature of a rootkit takes ages to implement, because 95% of the time I've spent in IDA.

MaggieKong commented 3 months ago

The NdrClientCall3 definition is from rpcndr.h. NdrpClientCall3 is not exported in any DLL. Still learning how to use IDA.

bytecode77 commented 3 months ago

IDA is a nice thing to learn, if you regularly work with hooks, exploits, etc...

You can hook a function that isn't exported, as long as you know the function pointer. You can get it using GetFunction, which I use to retrieve functions that are not exported, such as in R77_NtCreateThreadEx.

Dunno, if NdrpClientCall3 is the relevant function to hook, though.

MaggieKong commented 3 months ago

Found an issue today. After installing the rootkit, "net.exe localgroup" will always return the error "System error 234 has occurred. More data is available." It occurs on all Windows Server versions, but Windows 10 works fine. BTW, r77 is probably not compatible with Windows Server 2008; once the rootkit is installed, the system acts weird.