
Comments (3)

bytecode77 commented on June 18, 2024

Hiding registry keys or values has medium to critical performance impact depending on how long it takes to process one item.

Let's say your registry key has 10 values; then the HookedNtEnumerateKey hook is triggered 10 times. Each time the hook is triggered, we need to iterate through the parent registry key up until the currently enumerated value is reached. This is due to the way the NT API handles registry enumeration.

Now, there is only a string comparison for the prefix. If we added string comparison for a list of names in addition, then the cost for each iteration would bring down OS performance, because registry queries are executed thousands of times per second by many processes.

Since r77 is designed to be stealthy to the user, I prioritize performance in this case. But if you'd like to contribute, you could take a run at it and try adding a registry key/value list to the configuration system and hiding those. The right place in the code should be fairly easy to find and modify.

By the way, scheduled tasks are hidden implicitly by hiding their files. So, finding the full path and hiding that should do the trick. But it has to be the full absolute path to the job file.

from r77-rootkit.

bytecode77 commented on June 18, 2024

you can set that ability to only hide the value / key from registry editor! then system performance will not be slowed anymore

That seems like a rather special use case scenario rather than something that would benefit the project as a whole. The concept of r77 is to be a full rootkit, not one that hides only some entities in specific processes. I want to avoid adding too many special cases, as it makes the project incomprehensible and prone to errors.

And I always encourage developers who would like to see specific features to modify the code on their own. This is the purpose of an open source project after all, because I receive far more feature requests than I have free time to implement. I usually implement feature suggestions that are useful or commonly requested, and of course bug fixes.

For example, this line is where a registry key is hidden. It should be trivial to add string comparison against a list here. The only challenge is to retrieve the full path to the registry key without slowing down performance. Try it and let me know if it works for you :)

// Entries whose name does not carry the rootkit prefix stay visible, so the
// index reported back to the caller is advanced; entries that match the prefix
// are skipped, which is what hides them from the enumerating process.
if (!Rootkit::HasPrefix(KeyInformationGetName(keyInformation, keyInformationClass)))
{
	newIndex++;
}


APT-ZERO commented on June 18, 2024

If we added string comparison for a list of names in addition, then the cost for each iteration would bring down OS performance, because registry queries are executed thousands of times per second by many processes.

As you know, many people are using Process Hacker or Process Explorer instead of Task Manager,
but I guess nobody uses something else instead of the Windows default registry editor (regedit / regedt32).
You can set that ability to only hide the value / key from the registry editor!
Then system performance will not be slowed anymore.
