bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

Detect $77 process in python? #86

Closed Evaexe117 closed 4 weeks ago

Evaexe117 commented 4 weeks ago

Hello

I'm working on a monitoring and watchdog system in Python, and I need to detect processes that are hidden by the r77 rootkit. This rootkit uses advanced techniques to conceal certain processes, making standard monitoring tools ineffective.

My goal is straightforward: I want to write a Python script that can list all currently running processes, including those hidden by the r77 rootkit, without using the rootkit's Test Console.

Here's what challenges me:

The rootkit uses hooks and a "control pipe" for interactions, which hides processes from typical system queries.
I need a way to bypass or emulate the functionality of the rootkit's Test Console, which is capable of listing these hidden processes.

Questions:

How can I access this in Python to detect hidden processes?

Evaexe117 commented 4 weeks ago

After thorough investigation and experimentation, I've discovered two viable approaches to interact with the r77 rootkit in a way that allows a Python script to list processes hidden by the rootkit. Here are the details of each method:

Compiling Python Script into an Executable with a Helper Signature:
    The first approach involves compiling the Python script into an executable using tools like PyInstaller. After the script is compiled, modify the binary to include the R77HelperSignature (0x7268). This signature marks the executable as a "helper" process. According to the r77 rootkit's documentation, it does not inject into helper processes. By incorporating this signature into the executable, the Python script is effectively shielded from rootkit injections, ensuring it runs without interference.

Using the $77 Prefix:
    The second method is also based on compiling the Python script into an executable. However, instead of modifying the signature post-compilation, this approach involves naming the executable with the $77 prefix, which is recognized by the rootkit as a signal to avoid injection. By naming the compiled Python executable with this prefix, the rootkit automatically excludes it from its injection processes. This allows the script to operate normally and list all processes, including those hidden by the rootkit.
WilleLX1 commented 3 weeks ago

Hello! I know this issue is already closed but I wanted to give one more option based on my experience.

So another potential solution to consider is to continuously unload the R77 DLL file from the watchdog system by checking modules on the process. This approach is based on the observation that the R77 rootkit appears to inject processes automatically only when they are created. By regularly unloading the DLL, you might be able to prevent the rootkit from injecting its code into newly spawned processes, thereby allowing you to detect and list them without interference.
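To tie the two detection ideas in this thread together, here is an added Python example (not code from the r77 project or from either commenter): a cross-view comparison for Evaexe117's approach, where the process list gathered from the non-injected helper is diffed against the list a normal process sees, and a per-process module walk for WilleLX1's approach. It assumes the watchdog itself runs as a non-injected helper and that an injected DLL appears in the module list under the $77 prefix; the module names are constructed samples and the psapi calls only run on Windows.

```python
import sys
import ctypes
from ctypes import wintypes

# Assumption (not stated by either commenter): the injected DLL shows up in the
# process's module list under the rootkit's "$77" hiding prefix.
R77_PREFIX = "$77"

# Constructed sample of one process's module list (the $77 name is made up).
SAMPLE_MODULES = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\watchdog\$77-sample.dll",
]

def find_r77_modules(module_paths):
    """Return the module paths whose file name starts with the $77 prefix."""
    names = ((p, p.replace("/", "\\").rsplit("\\", 1)[-1]) for p in module_paths)
    return [p for p, name in names if name.startswith(R77_PREFIX)]

def find_hidden_pids(helper_view, normal_view):
    """PIDs that the non-injected helper sees but the normal (hooked) view does not."""
    return sorted(set(helper_view) - set(normal_view))

def list_modules(pid):
    """Windows only: enumerate a process's module paths via psapi (EnumProcessModulesEx)."""
    if sys.platform != "win32":
        raise OSError("EnumProcessModulesEx is only available on Windows")
    k32, psapi = ctypes.windll.kernel32, ctypes.windll.psapi
    k32.OpenProcess.restype = wintypes.HANDLE
    PROCESS_QUERY_INFORMATION, PROCESS_VM_READ, LIST_MODULES_ALL = 0x0400, 0x0010, 0x03
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError()
    try:
        mods = (wintypes.HMODULE * 1024)()
        needed = wintypes.DWORD()
        if not psapi.EnumProcessModulesEx(handle, mods, ctypes.sizeof(mods),
                                          ctypes.byref(needed), LIST_MODULES_ALL):
            raise ctypes.WinError()
        count = min(needed.value // ctypes.sizeof(wintypes.HMODULE), len(mods))
        paths = []
        for i in range(count):
            buf = ctypes.create_unicode_buffer(wintypes.MAX_PATH)
            if psapi.GetModuleFileNameExW(handle, mods[i], buf, wintypes.MAX_PATH):
                paths.append(buf.value)
        return paths
    finally:
        k32.CloseHandle(handle)
```

On a live system the watchdog would feed `list_modules(pid)` into `find_r77_modules` for each PID it tracks, and compare its own helper-side process list against one taken by an ordinary process with `find_hidden_pids`.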