hiding process and startup icon and pools #211
If you want to use the r77 rootkit then you'll have to bind it together with the miner using any file binder (like UnamBinder). You'll also have to edit things in the code so that the files start with $77 and things like that; it's not the easiest to set up. If you want to lower the payout then you need to enter things into the "Wallet Address" field in this format
If I were to edit the code, how would I successfully do that? (if you feel like explaining)
The simplest thing would be to rename the watchdog in the code to $77_sihost32.exe and then in the builder also choose the "Startup" "Filename" as $77_services32.exe (or whatever you want it as) to hide the loaders. Hiding the miner processes is a lot harder, since you'd need to either compile your own version of the r77-rootkit or modify the $77 registry before it's started. And yes, that is correct: on nanopool you will need to enter mypassword to change the minimum payout.
How can I edit the watchdog and builder?
To change the watchdog name, download the code and change this line: SilentETHMiner/SilentETHMiner/Codedom.vb, line 338 in 50cd177
If you want to hide the miner process with r77-rootkit you will have to download the code, change it so that it hides things beginning with a name like nslookup instead of $77, and then compile and use that. Then in the miner you would have to change it so that the miner process (and the shellcode injector) inject into nslookup.exe. Then all the processes will be hidden.
I changed the Sihost string: https://anonfiles.com/Jdfb23N8u9/Screenshot_113_png
Yes, unless you intend to make it hide everything instead. Changing the rootkit can be difficult if you don't have much experience; you can find the documentation here: https://bytecode77.com/downloads/r77%20Rootkit%20Technical%20Documentation.pdf. You'd have to change the HIDE_PREFIX constant (section 4.2) to nslookup (or whatever process that you inject into that you want to hide). You can find the Visual Studio files inside the vs folder.
So once I save the change I made in the sihost string, I open the r77.sln file in the vs folder from the GitHub, and I replace all the hide_prefix to nslookup? The main thing I wanna do is hide any startup and processes that can appear.
HIDE_PREFIX is a constant that you have to change in both the Then in my builder don't change any sihost string, just change this: SilentETHMiner/SilentETHMiner/Codedom.vb, line 213 in 50cd177
Then add nslookup_ before the entry names on this row and the one below it: SilentETHMiner/SilentETHMiner/Codedom.vb, line 339 in 50cd177
""" + Path. to ""nslookup_" + Path. )
And then finally, when you build the miner, select nslookup.exe in the "Inject Into" selection.
Since I already saved $77_sihost32 in Codedom in your code, do I remove the and is the correct form to replace the conhost.exe too? https://anonfiles.com/zaDf2fN9u2/sys32conhost_change_png In the r77 files, do I have to change every single hide_prefix to nslookup? There's also a code part named HIDE_PREFIX_LENGTH; do I change that too? There's quite a bunch of these hide_prefixes: https://anonfiles.com/P3D12eNcu1/Screenshot_114_png
Yes, revert the sihost32 part, since the actual running watchdog (sihost32) will be injected into nslookup. The conhost.exe replacement is correct. For the HIDE_PREFIX only change the L"$77" to L"nslookup" and that will be all there, and then change it inside the GlobalAssemblyInfo.cs file as well.
So this is correct? https://anonfiles.com/L8H721Nfua/Screenshot_115_png
Yes, exactly.
Is this right? There is no L before the line: https://anonfiles.com/D7K62fN3u8/Screenshot_116_png
Sorry for the late response, but yeah, those are correct. Change it to "Release" and build it through the "Build" menu at the top.
Which "Build" option do I press?
Press "Build Solution"; it should build all of them. Then in my miner, change it from "Debug" to "Release" and it should build fine.
I just built the miner. Is it supposed to be in the Bin folder under Release?
Yes, it will be in Bin\Release. You'd need to bind the rootkit and miner (that you build) with something like a file binder. It's technically theoretically possible to use the miner to inject the rootkit with process hollowing (or dropping it and executing it), though that's too much to change for it to be able to write it down really. Your errors look like you don't have enough space left (or no permissions) or something similar.
So would the errors affect the rootkit? I have enough space and permissions.
Yes, the "Install.exe" file is the rootkit, and then you'd bind that with the miner that you build. If the "Install.exe" file is there then you can probably ignore the errors, since it still compiled the rootkit installer. Though the two last errors are a bit worrying.
Could you see if it works? https://tmpfiles.org/dl/135723/minernostealth.exe
Yes, that miner works correctly. The folders are normal since they are required to build it: the "Compilers" folder contains the C and resource compilers and the shellcode converter, and the "Includes" folder contains the header and assembler files necessary to map the direct system calls. They are only there to compile everything and can be deleted or whatever after it's been built.
So the process is hidden and it all works fine?
Your miner works correctly, but not your rootkit.
So I have to rebuild the rootkit all over again?
r77-rootkit-nslookup.zip |
https://tmpfiles.org/dl/135731/nos33.exe |
Only the miner started; are you sure you bound it? I tried binding it myself and it worked for me.
https://tmpfiles.org/dl/135738/bound100.exe
Yes, that one works. I can't see the processes, the startup entry, or the traffic from the miner.
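The thread above ends with the processes, the startup entry and the miner traffic all invisible to the user's own tools. As an added defender-side example (not code from this thread or from either project), the following Python heuristics flag what this scheme leaves behind in a process and autorun snapshot taken from a vantage point the rootkit's userland hooks do not filter (a kernel sensor or an offline image): names carrying the r77 hide prefix, and nslookup.exe instances that linger or run side by side. The sample snapshot, the 60-second threshold and the file paths are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    name: str       # image name as seen by the sensor
    uptime_s: int   # seconds since process start

def has_hide_prefix(name, hide_prefix="$77"):
    """True if a process, file or autorun name carries the r77 hide prefix
    (default "$77"; pass the custom value if the rootkit was rebuilt)."""
    return name.lower().startswith(hide_prefix.lower())

def odd_nslookup_instances(procs, max_uptime_s=60):
    """nslookup.exe normally runs briefly and exits. Instances that linger, or
    several alive at once, match the thread's plan of injecting the miner, its
    injector and the watchdog into nslookup.exe (threshold is an assumption)."""
    ns = [p for p in procs if p.name.lower() == "nslookup.exe"]
    return ns if len(ns) > 1 else [p for p in ns if p.uptime_s > max_uptime_s]

def scan(procs, autoruns, hide_prefix="$77"):
    """autoruns: (entry name, image path) pairs. Returns (rule, detail) tuples."""
    findings = []
    for p in procs:
        if has_hide_prefix(p.name, hide_prefix):
            findings.append(("prefixed_process", p.name))
    for entry, image in autoruns:
        if has_hide_prefix(entry, hide_prefix) or has_hide_prefix(image.rsplit("\\", 1)[-1], hide_prefix):
            findings.append(("prefixed_autorun", entry))
    for p in odd_nslookup_instances(procs):
        findings.append(("persistent_nslookup", p.pid))
    return findings

def sample_findings():
    """Constructed snapshot: a prefixed watchdog, two lingering nslookup.exe
    processes and a $77-prefixed startup entry among normal entries."""
    procs = [
        Proc(412, "explorer.exe", 9000),
        Proc(4120, "nslookup.exe", 3600),
        Proc(4188, "nslookup.exe", 3590),
        Proc(4210, "$77_sihost32.exe", 3595),
    ]
    autoruns = [
        ("OneDrive", "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"),
        ("$77_services32", "C:\\Users\\u\\AppData\\Roaming\\$77_services32.exe"),
    ]
    return scan(procs, autoruns)
```

If the rootkit was rebuilt with a different prefix, pass it as `hide_prefix`; the nslookup rule still fires regardless of the prefix chosen.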
So is stealth needed anymore?
It would be good to use it for games so that it pauses during them for less lag (mainly to reduce the VRAM usage, since most games need a lot). It would extend the lifetime of the miner immensely, since it reduces the chance of the user thinking that something is wrong with their computer. There is a community collection here with a few iterations: #122.
If I bind an actual program with the miner while it has the rootkit on, will the miner or rootkit stop working, or will the process show up?
No, everything would still work like it should.
Alright, thanks for the long help.
I saw that https://github.com/bytecode77/r77-rootkit was linked in an issue and I want to know how to put that in the miner so the process is hidden.
Also, do these settings look good if I'm trying to lower the amount of ETH I have to mine before I get a payout from nanopool?
https://anonfiles.com/748dz2N4uf/Screenshot_112_png
https://anonfiles.com/9485zdNeu9/Screenshot_113_png
Do I have to put anything in the password if I'm mining from nanopool and I want to lower the amount I have to mine to get a payout, like with Monero?