bytecode77 / r77-rootkit

Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.
https://bytecode77.com/r77-rootkit
BSD 2-Clause "Simplified" License
1.66k stars 398 forks

This script contains malicious content and has been blocked by your antivirus software. #94

Closed error0x1337 closed 1 month ago

error0x1337 commented 1 month ago

Hello again. Service can't run at startup bro. AV is blocking it. At line:1 char:1

Any suggestions?

error0x1337 commented 1 month ago

I think it's not working properly after reboot. I manually ran service64.exe and it only hid explorer.exe, but everything is visible everywhere, like services, task schedulers and regedit names.

error0x1337 commented 1 month ago

Oh. mb, I run it with UAC and it worked. Sorry. (But startup pw command is still detected by WD.)

venkovisual commented 1 month ago

It's not FUD, dumbass, it's malware

error0x1337 commented 1 month ago

> It's not FUD, dumbass, it's malware

I'm not saying it's FUD, u brain fucked

error0x1337 commented 1 month ago

[image] THAT'S WHY U A BRAINFUCKED <3 bro made a rootkit removal

bytecode77 commented 1 month ago

Not sure whether Windows Defender starts detecting r77 again after it didn't detect it for the past 6 months.

Either way, open source solutions will never be FUD. And I can't help you either, because I can't be fixing detection issues all day long. All I can do is to implement the installation process in such a way that it's entirely fileless and easy to FUD it yourself, if you need to.

error0x1337 commented 1 month ago

@bytecode77 and can you tell me why testconsole throws this error? [image]

venkovisual commented 1 month ago

basically u fucked up code and u need to fix it

error0x1337 commented 1 month ago

> basically u fucked up code and u need to fix it

I didn't do anything lol

bytecode77 commented 1 month ago

Guys... Please stop fighting. Let's be constructive:

@error0x1337 I can't say anything about the error message, because I didn't encounter it. If I did, it would have been fixed long ago...

And from experience I can tell that you made no attempt to debug it. The professional way to handle it is to debug the issue before posting. That way, you may even be able to fix it immediately yourself. The "premium behavior" in the open source world would be to post the issue and cause so that I can fix it for future users.

Anyway, please debug the issue, otherwise this is just one of a dozen posts / emails I receive throughout the week. I simply can't respond to 100% of them.

venkovisual commented 1 month ago

Okay, AMSI has been updated on Defender 11, not sure about 10, but I'm sure it will be coming soon enough. So the reason it's detected is because the AMSI module has been updated, meaning the AMSI bypass is most likely broken and/or getting detected.

bytecode77 commented 1 month ago

Yes, of course any bypass will eventually be broken. From time to time I look into the reasons why a bypass no longer works. Although I don't bother with signature-based detection on the PowerShell snippet, I do implement fundamental evasion techniques, such as the polymorphism on the PowerShell, which kept Windows Defender away for a whopping year...