bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.55k stars 383 forks

[ HELP ] — How can I use the ControlPipe in C#? 🥴 #82

Closed fSociety-Protected closed 2 months ago

fSociety-Protected commented 2 months ago

Hey! How are you doing @bytecode77!! 🧡 🔥

I need you to give me a hand, because I'm going crazy, really... 🥴 😅 🥴

I want to control the rootkit using PIPES, but I'm trying to connect to it to send the UNINSTALL command as a function, and it seems nearly impossible 😭 😭

The code you posted as an example is this one (C++). PS: slightly modified, I changed the pipe code to uninstall r77. 🧐

#include <Windows.h>

// Control code for the uninstall command, as used in this thread
#define CONTROL_USER_UNNISTALL 0x1002

int main()
{
    // Open the rootkit's control pipe (the pipe name used here turned out to be wrong; see below)
    HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$r77", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (pipe != INVALID_HANDLE_VALUE)
    {
        DWORD controlCode = CONTROL_USER_UNNISTALL;
        WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
        WCHAR shellExecCommandline[] = L"mytextfile.txt";

        DWORD bytesWritten;
        // The control code is sent first as a DWORD
        WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);

        // Null-terminated UTF-16 strings; (length + 1) * 2 bytes each
        WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);

        WriteFile(pipe, shellExecCommandline, (lstrlenW(shellExecCommandline) + 1) * 2, &bytesWritten, NULL);

        CloseHandle(pipe);
    }

    return 0;
}

And I tried to translate the code into C#, but it doesn't work 🤔🤔 I hope you can help me a bit with how I can make it work! 🙏 🙏

The C# version I translated it into:

using System;
using System.IO.Pipes;
using System.Runtime.InteropServices;
using System.Text;

class Program
{
    private const int CONTROL_USER_UNNISTALL = 0x1002;

    static void Main()
    {
        using (NamedPipeClientStream pipe = new NamedPipeClientStream(".", "$r77", PipeDirection.InOut))
        {
            pipe.Connect();

            int controlCode = CONTROL_USER_UNNISTALL;
            string shellExecPath = @"C:\Windows\System32\notepad.exe";
            string shellExecCommandline = "mytextfile.txt";

            byte[] controlCodeBytes = BitConverter.GetBytes(controlCode);
            byte[] shellExecPathBytes = Encoding.Unicode.GetBytes(shellExecPath + "\0");
            byte[] shellExecCommandlineBytes = Encoding.Unicode.GetBytes(shellExecCommandline + "\0");

            pipe.Write(controlCodeBytes, 0, controlCodeBytes.Length);
            pipe.Write(shellExecPathBytes, 0, shellExecPathBytes.Length);
            pipe.Write(shellExecCommandlineBytes, 0, shellExecCommandlineBytes.Length);
        }
    }
}

fSociety-Protected commented 2 months ago

I am trying to find something like this:


private async void QUIT_Click(object sender, RoutedEventArgs e)
{
    using (NamedPipeClientStream pipe = new NamedPipeClientStream(".", "$r77", PipeDirection.InOut))
    {
        pipe.Connect();

        int controlCode = CONTROL_USER_UNNISTALL;
        string shellExecPath = @"C:\Windows\System32\notepad.exe";
        string shellExecCommandline = "mytextfile.txt";

        byte[] controlCodeBytes = BitConverter.GetBytes(controlCode);
        byte[] shellExecPathBytes = Encoding.Unicode.GetBytes(shellExecPath + "\0");
        byte[] shellExecCommandlineBytes = Encoding.Unicode.GetBytes(shellExecCommandline + "\0");

        pipe.Write(controlCodeBytes, 0, controlCodeBytes.Length);
        pipe.Write(shellExecPathBytes, 0, shellExecPathBytes.Length);
        pipe.Write(shellExecCommandlineBytes, 0, shellExecCommandlineBytes.Length);
    }
}

fSociety-Protected commented 2 months ago

📋 📋 [ UPDATE ] — 30/04/2024 | 20:57

I found the error: it was the name of the pipe. It's really strange, because if I change the name of the pipe to anything other than PREFIX + "control", then I can't connect to the PIPE.

But when the name is PREFIX + "control", it works nicely! 🧡 🔥

How can I change the PIPE name @bytecode77? 🤔 🤔

bytecode77 commented 2 months ago

Yeah, the name of the pipe was simply wrong. Also, you only need to send the two bytes of CONTROL_USER_UNNISTALL without the other parameters, they will be ignored.

Check out 4.10 Compile Time Constants in the documentation if you want to change the name of the pipe or other constants.
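A defender-side counterpart to the exchange above, added here as an example that is not part of r77 and was not posted by anyone in this thread. The thread establishes two facts: the control channel is a named pipe called PREFIX + "control", and PREFIX is a compile-time constant that a build can change. An auditor can therefore enumerate the local named-pipe namespace and flag names that follow that convention. The leading `$` in the pattern is an assumption taken from the `$r77` name in the question, the `ControlPipeAudit` class is mine, and the offline pipe list in `Main` is constructed sample data, not output from a real host.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Added example, not r77 project code. Lists the named pipes open on this host and
// flags the ones whose name looks like PREFIX + "control". Because PREFIX is a
// compile-time constant (docs section 4.10), the pattern below is a tunable
// heuristic, not an authoritative indicator.
static class ControlPipeAudit
{
    const string PipeRoot = @"\\.\pipe\";

    // Assumption: the prefix starts with "$" (as "$r77" did in the question).
    // Requiring the "$" keeps ordinary pipes such as "MyAppControl" from matching.
    static readonly Regex ControlPipePattern =
        new Regex(@"^\$[A-Za-z0-9_]+control$", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Enumerates the pipe namespace. Directory.GetFiles on \\.\pipe\ is a
    // long-standing .NET technique on Windows; it needs no elevation but only
    // returns pipes the calling account is allowed to see.
    public static IEnumerable<string> ListNamedPipes()
    {
        foreach (string path in Directory.GetFiles(PipeRoot))
        {
            // Strip only the root; some pipe names contain their own backslashes,
            // so Path.GetFileName would truncate them.
            yield return path.StartsWith(PipeRoot, StringComparison.OrdinalIgnoreCase)
                ? path.Substring(PipeRoot.Length)
                : path;
        }
    }

    public static bool LooksLikeControlPipe(string pipeName) =>
        ControlPipePattern.IsMatch(pipeName);

    public static List<string> FindSuspectPipes(IEnumerable<string> pipeNames)
    {
        var hits = new List<string>();
        foreach (string name in pipeNames)
        {
            if (LooksLikeControlPipe(name))
                hits.Add(name);
        }
        return hits;
    }

    static void Main(string[] args)
    {
        // "--live" scans the real namespace; otherwise a constructed sample list is
        // used so the matcher can be exercised offline.
        IEnumerable<string> pipes = args.Length > 0 && args[0] == "--live"
            ? ListNamedPipes()
            : new[] { "lsass", "srvsvc", "$r77control", "MyAppControl" };

        List<string> hits = FindSuspectPipes(pipes);
        if (hits.Count == 0)
        {
            Console.WriteLine("No pipe names matching the PREFIX + \"control\" convention.");
            return;
        }

        foreach (string hit in hits)
            Console.WriteLine($"Suspect control pipe: {PipeRoot}{hit}");
    }
}
```

Run without arguments to see the matcher flag `$r77control` from the constructed list and ignore the other three names; run with `--live` on a host you administer to audit its actual pipe namespace. Since the prefix is build-specific, pair this with a periodic inventory of pipe names so that a new `$...control` entry stands out against a known baseline rather than relying on one fixed string.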

fSociety-Protected commented 2 months ago

✔ ✔ [ SOLVED ] — 03/05/2024 | 03:25

Sure, now I understand, thank you @bytecode77, as always you're the best! 🧡🔥

The solution was in the definitions. I really don't know why I didn't see it before; sometimes the things that are closest to you are the ones that are hardest to discern. 🥴