bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

r77 pipes #80

Closed hastalamuerte closed 3 months ago

hastalamuerte commented 3 months ago

Hello, thanks for your work on that project. I'm just starting to explore its abilities and even at the start I can say that it works, and works nicely.

Can you please tell me, is it possible to send a command directly from pwsh or cmd? For example, I get a reverse shell or C2 on the testing machine where I run Install.exe. Is it possible to write something like \\.\pipe\$77control CONTROL_USER_SHELLEXEC = 0x3001 PathToExecutable (maybe arguments?), or RUNPE (also, what is the difference between the Target path and payload executable fields there?)

Or is the only way to create some executable and execute it inline? https://github.com/bytecode77/r77-rootkit/blob/master/%24Examples/ControlPipe.cpp or... Can you please explain that part.

Also, maybe it is possible to add some kind of remote TestConsole support in Install, like some kind of additional self-created persistent ssh/pwsh connection for remote control installed alongside. Havoc has a pivot SMB function; maybe it can be useful in my case.

bytecode77 commented 3 months ago

can you plz tell is it possible to send command direct from pwsh or cmd

Hm... Since PowerShell is basically .NET, you should in theory be able to do this by replicating the C# example in PowerShell code somehow. Or what you mentioned, a small executable as a relay. I don't use any C2 tools, so I don't know what features they have for integrating other payloads.

or RUNPE (also what difference between Target path and payload executable fields there?)

The target path is something like C:\Windows\System32\svchost.exe - any existing executable (mind the bitness!) that is used for hollowing. The target path is a thing in the Test Console, but in reality you send a byte array to the control pipe as described in the documentation. Otherwise, RunPE would make no sense if the payload was on the disk.

also maybe it possible to add some kind of remote TestConsole support in Install.

r77 doesn't have remote control capabilities. You would need to write your own C2 plugin that resembles what the test console does. But I don't think that's necessary, because there are programmatic interfaces ($77config key, control pipe) to communicate with the rootkit locally. All you need to do is write a plugin for your C2 that utilizes these.

hastalamuerte commented 3 months ago

replicating the C# example in powershell code somehow. Or what you mentioned, a small executable as relay

Oh, I just realized that I need another extra function of the rootkit, because when getting my exe run through the console in tests, I got SYSTEM rights without the possibility to de-escalate the session to the user.

So can you please tell me, is it possible to hide a process by name or PID, just by hiding through the pipes? Like the hide-by-PID button in the control panel. Upd: found HKEY_LOCAL_MACHINE\SOFTWARE\$77config ) thx)

I went through a bit of pain trying to compile a Control_User_SHELLEXEC (you can see it in the comment changing ) )

hastalamuerte commented 3 months ago

)) I can't add any record with New-ItemProperty -Path "HKLM:\SOFTWARE\$77config\process_names" -Name "New" -Value "File.exe" -PropertyType String -Force, and can't find it in the registry editor, with user or admin rights - typing it in the path bar gives the same. How can I add that entry via PowerShell? That's 100% what I'm looking for. Via the console, all works perfectly!

With New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names" -Name "process_names" -Value "File.exe" -PropertyType String -Force I got an error that the path HKEY_LOCAL_MACHINE\SOFTWARE\process_names does not exist. pwsh just ignores that path. Maybe that nice rootkit deserves remote control? ) Or can that process name be precompiled?

hastalamuerte commented 3 months ago

I did not miss slashes in the paths; even GitHub syntax doesn't like $77.

hastalamuerte commented 3 months ago

New-ItemProperty -Path "HKLM:\SOFTWARE`$77config\process_names" -Name "New" -Value "File.exe" -PropertyType String -Force

I got it. Good old ` --- big thanks to https://www.youtube.com/watch?v=y9KI-rWGOUA

hastalamuerte commented 3 months ago

Anyway, that niiiiiceee tool deserves a remote control, or Havoc C2 deserves a module for that rootkit. I am a low-code skiddy with one button, so I can just say - thanks again.

hastalamuerte commented 3 months ago

@bytecode77 nope... I was mistaken. Only if I create some process_names reg entry with the GUI, only then can I make some new entries with PowerShell.
But I can't create that path with New-Item -Path "HKLM:\SOFTWARE\$77config\process_names" -Force, or with New-ItemProperty -Path "HKLM:\SOFTWARE`$77config\process_names" -Name "New" -Value "File.exe" -PropertyType String -Force, or New-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE`$77config\process_names" -Name "process_names" -Value "File.exe" -PropertyType String -Force. Nothing works until the GUI makes a new one... with that or many other tries. Help please.

hastalamuerte commented 3 months ago

OK, I finished my journey and the final 100% final answer is just PowerShell: cd C:\Path; .`$77File.exe

Now all is perfect. All other tries with the full path without navigating with cd failed) (here one slash is missing because of the crazy syntax; whoever needs it will find the input place)
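The registry trouble in this thread comes from PowerShell treating `$77config` inside a double-quoted string as a variable that expands to nothing, so the key path silently loses that segment; a backtick or single quotes keeps it literal. As an added example, not code from the r77 project or from either participant, here is a defender-side audit function that uses the literal path to report whether the `$77config` key and its `process_names` subkey exist and which values they hold (the function names are my own, and it assumes it runs with rights to read HKLM from a process the rootkit does not hook, since a hooked process may be shown a filtered view).

```powershell
# Added audit helper (not part of r77). Reports the configuration key discussed
# in this thread so an incident responder can see what the rootkit has been told to hide.
function Test-R77ConfigKey {
    [CmdletBinding()]
    param(
        # Single quotes: PowerShell does NOT expand $77config here.
        # In double quotes, "HKLM:\SOFTWARE\$77config" would lose the $77config
        # segment because $77config is parsed as an (empty) variable.
        [string]$ConfigKey = 'HKLM:\SOFTWARE\$77config'
    )

    $result = [ordered]@{
        ConfigKey    = $ConfigKey
        KeyPresent   = Test-Path -LiteralPath $ConfigKey
        ProcessNames = @()
    }

    if ($result.KeyPresent) {
        $sub = Join-Path -Path $ConfigKey -ChildPath 'process_names'
        if (Test-Path -LiteralPath $sub) {
            # Each value under process_names is a process name configured for hiding.
            $item = Get-Item -LiteralPath $sub
            $result.ProcessNames = @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
        }
    }
    return [pscustomobject]$result
}

# Shows the three quoting forms side by side without touching the registry,
# so the expansion pitfall from the thread is visible in one call.
function Show-DollarExpansion {
    $double  = "HKLM:\SOFTWARE\$77config\process_names"   # $77config expands to ''
    $escaped = "HKLM:\SOFTWARE\`$77config\process_names"  # backtick keeps the literal $
    $single  = 'HKLM:\SOFTWARE\$77config\process_names'   # no expansion in single quotes
    [pscustomobject]@{ Double = $double; Escaped = $escaped; Single = $single }
}

# Usage (elevated prompt): Show-DollarExpansion; Test-R77ConfigKey | Format-List
```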