
URL: https://bytecode77.com/r77-rootkit
Submission: On November 17 via manual from PH — Scanned from DE



R77 ROOTKIT

Version: 1.5.0
Release: 2023
License: BSD
GitHub: r77-rootkit
Download: r77Rootkit 1.5.0.zip
Help: Technical Documentation


FILELESS RING 3 ROOTKIT

r77 is a ring 3 rootkit that hides everything:

 * Files, directories
 * Processes & CPU usage
 * Registry keys & values
 * Services
 * TCP & UDP connections
 * Junctions, named pipes, scheduled tasks


HIDING BY PREFIX

Everything that starts with "$77" is hidden.




CONFIGURATION SYSTEM

The dynamic configuration system allows hiding processes by PID and by name,
file system items by full path, TCP & UDP connections on specific ports, etc.



The configuration is located in HKEY_LOCAL_MACHINE\SOFTWARE\$77config and is
writable by any process without elevated privileges. The DACL of this key is set
to grant full access to any user.

In addition, the $77config key is hidden by the rootkit.
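Because a ring 3 rootkit can only hide items from processes it has injected, a listing taken from a trusted vantage point (an offline disk image, a registry hive opened on a clean host, a kernel-level enumerator) still contains them. The following is an added example, not r77's own code, of a cross-view diff a defender can run over such listings; it flags the "$77" prefix rule described above, the $77config key, and hidden entries without the prefix that point at a configured full-path rule. The sample listings are constructed, not real indicators.

```python
"""Cross-view detection of r77-style hiding (added example, not r77 code).

Diffing a trusted listing against the view of a possibly hooked process
exposes hidden entries and whether the documented "$77" prefix explains them.
"""
import re

R77_PREFIX = "$77"  # prefix rule documented on the page
R77_CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\$77config"  # config key from the page


def _components(entry: str) -> list:
    """Split a file or registry path into its components (either slash style)."""
    return [c for c in re.split(r"[\\/]+", entry) if c]


def has_r77_prefix(entry: str) -> bool:
    """True if any component starts with $77; a hidden parent hides its children too."""
    return any(c.startswith(R77_PREFIX) for c in _components(entry))


def cross_view_diff(trusted, live) -> dict:
    """Entries in the trusted listing that the live (possibly hooked) view lacks.

    Hidden entries are split by whether the $77 prefix explains the hiding; the
    rest point at a configured rule (full path, PID, port). Names are compared
    case-insensitively, as Windows file and registry paths are.
    """
    live_lower = {e.lower() for e in live}
    hidden = [e for e in trusted if e.lower() not in live_lower]
    return {
        "prefix_hidden": sorted(e for e in hidden if has_r77_prefix(e)),
        "path_hidden": sorted(e for e in hidden if not has_r77_prefix(e)),
        "config_key_hidden": any(e.lower() == R77_CONFIG_KEY.lower() for e in hidden),
    }


# Constructed sample listings (not real indicators): trusted view from an offline
# image or clean host, live view from enumeration on the suspect host.
TRUSTED_FILES = [r"C:\Users\alice\Documents\report.docx",
                 r"C:\ProgramData\$77stage\loader.dll", r"C:\Windows\Temp\update.tmp"]
LIVE_FILES = [r"C:\Users\alice\Documents\report.docx"]
TRUSTED_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft", R77_CONFIG_KEY]
LIVE_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft"]

if __name__ == "__main__":
    print(cross_view_diff(TRUSTED_FILES, LIVE_FILES))
    print(cross_view_diff(TRUSTED_KEYS, LIVE_KEYS))
```

The same function applies to any pair of listings the page's hiding rules cover (process names, service names, connection tuples), as long as both views are rendered as strings the same way.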


INSTALLER

The deployment of r77 requires only one file: Install.exe. Executing it persists
r77 on the system and injects the rootkit into all running processes.

Uninstall.exe removes r77 from the system completely, and gracefully.

Install.shellcode is the shellcode equivalent of the installer. This way, the
installation can be integrated without dropping Install.exe. The shellcode can
simply be loaded into memory, cast to a function pointer, and executed:



#include <windows.h>

int main()
{
	// 1. Load Install.shellcode from resources or from a BYTE[]
	// Ideally, encrypt the file and decrypt it here to avoid scantime detection.
	LPBYTE shellCode = ...
	SIZE_T shellCodeSize = ...

	// 2. Make the shellcode RWX.
	DWORD oldProtect;
	VirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, &oldProtect);

	// 3. Cast the buffer to a function pointer and execute it.
	((void(*)())shellCode)();

	// This is the fileless equivalent to executing Install.exe.

	return 0;
}




EXECUTION FLOW

The rootkit resides in the system memory and does not write any files to the
disk. This is achieved in multiple stages.

This graph shows each stage from the execution of the installer all the way down
to the rootkit DLL running in every process. The documentation has a chapter
with extensive detail about the implementation of each stage.




AV/EDR EVASION

Several AV and EDR evasion techniques are in use:

 * AMSI bypass: The PowerShell inline script disables AMSI by patching
   amsi.dll!AmsiScanBuffer to always return AMSI_RESULT_CLEAN. Polymorphism is
   used to evade signature detection of the AMSI bypass.
 * DLL unhooking: Since EDR solutions monitor API calls by hooking ntdll.dll,
   these hooks need to be removed by loading a fresh copy of ntdll.dll from disk
   and restoring the original section. Otherwise, process hollowing would be
   detected.


TEST ENVIRONMENT

The Test Console is a useful tool to inject r77 into individual processes and to
test drive the configuration system.




TECHNICAL DOCUMENTATION

Please read the technical documentation to get a comprehensive and full overview
of r77 and its internals, and how to deploy and integrate it.


© bytecode77, 2006-2023.