bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

I discovered new rootkit vulnerability stronger than your rootkit with 0 coding (no admin required) #75

Closed GrudgeInfection closed 5 months ago

GrudgeInfection commented 6 months ago

Yep, the title is correct. I have discovered a rootkit vulnerability that hides my app from Task Manager and from Explorer, but the problem is... it is useless if I can't figure out how to make it spread as quickly as WannaCrypt/WannaCry with better anti-analysis techniques. First of all I would like to show you a video regarding it; let me know if you're interested. (It requires no admin!)

GrudgeInfection commented 6 months ago

While I'm waiting for your reply, I will create a stager RAT that checks for a sandbox and, if it finds one, deletes itself to avoid this vulnerability from getting exposed.

bytecode77 commented 6 months ago

So... What would you like to show me?

GrudgeInfection commented 6 months ago

Give me 20 minutes, I'm going to record it.

GrudgeInfection commented 6 months ago

Before everything, I need to say that this vulnerability is totally f***ed up, and each and every day I discover something new regarding it. For example, if you used a payload/RAT/malware that has been written in Python or any other interpreted language, it will not work with this vulnerability without administrator, but instead I tried C++ and it worked very fine with no interruption 🔥. So I used a payload from Metasploit and I made a very simple reverse_tcp exe in C++, and both worked instantly. Now, yesterday while I was working on it, for some reason that I'm ignorant of, it works for both Explorer and Task Manager and hides successfully... but on a VM it seems to work only on Explorer.

And I tested it out; it seems that it also helps in bypassing Windows Defender, or in other words making it an excluded file. I'm still checking this, and it worked for a payload from Metasploit without any obfuscation or modifications to the payload.

https://github.com/bytecode77/r77-rootkit/assets/139581967/50c21bbf-f4b2-4100-8280-6ffd752282de

GrudgeInfection commented 6 months ago

1% of me says to report this to Microsoft to patch it... and 99% wants to consume it.

bytecode77 commented 6 months ago

That's interesting... Can't really say anything about it, but I would recommend not sharing it online, also not with me. If it's really what it seems to be, I'd recommend checking whether it falls into Microsoft's bug bounty program, or just sell it somewhere.

sa6ta6ni6c commented 5 months ago

That's not a CVE, man. It's just the registry Hidden and SuperHidden values.

bytecode77 commented 5 months ago

I'm going to close this issue, since there's no ongoing discussion.

@xst4 Please don't post into another open issue. Although you might expect to gain more visibility that way, your problem won't be solved faster.

But still, regarding your problem I'm gonna give it a short answer here: If you want to integrate r77 into your existing code base, you're expected to have solid programming skills - otherwise I'd recommend not to use advanced techniques.

GrudgeInfection commented 5 months ago

First of all, I would love for Mr. bytecode77 to reopen the issue, because I believe that there are things that are way greater than I thought awaiting. I have discovered why this vulnerability only works with non-interpreter programming languages such as Python, etc. Simply, it's because they leave temp files behind in the Temp folder inside the C:\Windows\Temp directory, which requires admin and high privilege... but C++ creates normal temp files in AppData "C:\Users\Hate\AppData\Local\Temp", and if you asked me why, I probably would say I don't f***ing know. All I know, and what needs to be fixed, is to use this trick as a backdoor and a portal to pass all information through. End of story:

1- I discovered that this vulnerability is fully undetectable and leaves no traces for Explorer or Task Manager on my real machine, even when downloading very obvious and famous malware, and it doesn't get caught.

2- Last but not least... during malware runtime, when I delete the Grudge.exe file it keeps running, and I tried to make it pass its location to me in my GUI app; it gives the exact location, but I tried to f*** around to make it visible and it is still hidden.

3- I'm currently testing it out on my brother's machine without him knowing, to check if it would leave any evidence of its existence or any traces to Windows Defender, in case my laptop is a toaster :)


bytecode77 commented 5 months ago

So, do you have a PoC of your vulnerability? So far you said that it's possible to write into C:\Windows\Temp, which I find potentially leverageable. The programming language itself usually never enables you to do privileged writes or elevate privileges. By default, C++ binaries don't create any temp files, unless you implement writing to the temp folder. I also don't think that it's trivially possible to delete a file when the process is still running - but this would be yet another exploit.

So, I guess it's your turn to post a PoC that demonstrates what you want to demonstrate ;)