bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License

22:14:14 Injection of (process) (PID [REDACTED]) failed. Sandboxes are not supported #89

Open PROMPTYLOL opened 2 weeks ago

PROMPTYLOL commented 2 weeks ago

I'm encountering this issue when I attempt to inject into processes like backgroundtaskhost, the opera.exe process, the "backiee.exe" app from the Microsoft Store (the wallpaper thing), one discord.exe process (the other Discord processes are injected), fontdrvhost.exe, one of the "Messenger" app processes (there are 2), msedge.exe, etc.

bytecode77 commented 2 weeks ago

I'm not sure what integrity level Discord.exe runs with, but more than likely it's a sandbox (low integrity level). Injecting sandboxes has always been troublesome. After all, these processes usually communicate with their "masters", so to speak, so they typically never list directories or processes. Many times, sandboxed processes don't have those privileges anyway.

Here is the location in the code responsible for not injecting sandboxed processes:

// Sandboxes tend to crash when injecting shellcode. Only inject medium IL and above.
DWORD integrityLevel;
if (GetProcessIntegrityLevel(process, &integrityLevel) && integrityLevel >= SECURITY_MANDATORY_MEDIUM_RID)
{
    ...

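The `GetProcessIntegrityLevel` call in the snippet above is r77's own. As an added example (not code from the project or from either commenter), the stand-alone C program below shows what that kind of check actually looks at: a process token's mandatory label is a SID of the form S-1-16-<level>, and the integrity level is its last sub-authority, which is then compared against SECURITY_MANDATORY_MEDIUM_RID (0x2000). The SID parser runs on any platform against constructed sample SIDs; the `_WIN32` branch performs the live query (OpenProcess, OpenProcessToken, GetTokenInformation with TokenIntegrityLevel) on a real PID. The function names `IntegrityLevelFromSid`, `InjectDecisionForSid` and `InjectDecisionForPid` are mine, not r77's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* winnt.h defines these on Windows; supply the same values elsewhere. */
#ifndef SECURITY_MANDATORY_MEDIUM_RID
#define SECURITY_MANDATORY_LOW_RID    0x00001000u
#define SECURITY_MANDATORY_MEDIUM_RID 0x00002000u
#define SECURITY_MANDATORY_HIGH_RID   0x00003000u
#endif

/* Binary SID layout: Revision (1 byte), SubAuthorityCount (1 byte),
   IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
   little-endian 32-bit sub-authorities. An integrity label is S-1-16-<level>:
   authority 16 and a single sub-authority carrying the level. */
static const uint8_t MANDATORY_LABEL_AUTHORITY[6] = {0, 0, 0, 0, 0, 16};

/* Read the integrity level out of a mandatory-label SID.
   Returns 1 and stores the level, or 0 if the buffer is not a well-formed S-1-16-* SID. */
int IntegrityLevelFromSid(const uint8_t *sid, size_t len, uint32_t *level)
{
    if (sid == NULL || level == NULL || len < 8 || sid[0] != 1)
        return 0;
    uint8_t count = sid[1];                         /* SID_MAX_SUB_AUTHORITIES is 15 */
    if (count < 1 || count > 15 || len < 8 + (size_t)count * 4)
        return 0;
    if (memcmp(sid + 2, MANDATORY_LABEL_AUTHORITY, 6) != 0)
        return 0;
    /* Same element GetSidSubAuthority(sid, count - 1) would return. */
    const uint8_t *p = sid + 8 + (size_t)(count - 1) * 4;
    *level = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

/* The gate quoted from r77: inject only at medium IL and above.
   Returns 1 = inject, 0 = skip (low IL / sandboxed), -1 = level could not be determined. */
int InjectDecisionForSid(const uint8_t *sid, size_t len)
{
    uint32_t level;
    if (!IntegrityLevelFromSid(sid, len, &level))
        return -1;
    return level >= SECURITY_MANDATORY_MEDIUM_RID ? 1 : 0;
}

#ifdef _WIN32
/* Live query of a target process's token (Windows only).
   PROCESS_QUERY_LIMITED_INFORMATION is enough to open the token for TOKEN_QUERY. */
int InjectDecisionForPid(DWORD pid)
{
    int decision = -1;
    HANDLE process = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (process == NULL)
        return -1;
    HANDLE token = NULL;
    if (OpenProcessToken(process, TOKEN_QUERY, &token)) {
        DWORD needed = 0;
        GetTokenInformation(token, TokenIntegrityLevel, NULL, 0, &needed);
        BYTE *buf = needed ? (BYTE *)LocalAlloc(LPTR, needed) : NULL;
        if (buf != NULL && GetTokenInformation(token, TokenIntegrityLevel, buf, needed, &needed)) {
            PSID sid = ((TOKEN_MANDATORY_LABEL *)buf)->Label.Sid;
            decision = InjectDecisionForSid((const uint8_t *)sid, GetLengthSid(sid));
        }
        if (buf != NULL)
            LocalFree(buf);
        CloseHandle(token);
    }
    CloseHandle(process);
    return decision;
}
#endif

/* Constructed sample SIDs (not captured from a real system). */
const uint8_t SID_LOW[]            = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x10, 0x00, 0x00}; /* S-1-16-4096  */
const uint8_t SID_MEDIUM[]         = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x20, 0x00, 0x00}; /* S-1-16-8192  */
const uint8_t SID_HIGH[]           = {1, 1, 0, 0, 0, 0, 0, 16, 0x00, 0x30, 0x00, 0x00}; /* S-1-16-12288 */
const uint8_t SID_SYSTEM_ACCOUNT[] = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0};             /* S-1-5-18: an account SID, not a label */

int main(void)
{
    const char *names[] = {"low", "medium", "high", "S-1-5-18"};
    const uint8_t *sids[] = {SID_LOW, SID_MEDIUM, SID_HIGH, SID_SYSTEM_ACCOUNT};
    size_t lens[] = {sizeof SID_LOW, sizeof SID_MEDIUM, sizeof SID_HIGH, sizeof SID_SYSTEM_ACCOUNT};
    for (size_t i = 0; i < 4; i++)
        printf("%-9s -> %d\n", names[i], InjectDecisionForSid(sids[i], lens[i]));
#ifdef _WIN32
    printf("this process -> %d\n", InjectDecisionForPid(GetCurrentProcessId()));
#endif
    return 0;
}
```

A decision of 0 is the case this issue is about: a low-IL (sandboxed) target that the gate skips on purpose. A decision of -1 means the token could not be opened or its label was not a well-formed S-1-16-* SID; the quoted r77 condition treats that the same way, since it only proceeds when `GetProcessIntegrityLevel` succeeds and the level is medium or higher.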