Comments (3)
Hiding registry keys or values has medium to critical performance impact depending on how long it takes to process one item.
Let's say your registry key has 10 values, then the HookedNtEnumerateKey
hook is triggered 10 times. Each time the hook is triggered, we need to iterate through the parent registry key up until the currently enumerated value is reached. This is due to the way the NT API handles registry enumeration.
Now, there is only a string comparison for the prefix. If we added string comparison for a list of names in addition, then the cost for each iteration would bring down OS performance, because registry queries are executed thousands of times per second by many processes.
Since r77 is designed to be stealthy to the user, I prioritize performance in this case. But if you would like to contribute, you could take a run at adding a registry key/value list to the configuration system and hiding those. The right place in the code should be fairly easy to find and modify.
By the way, scheduled tasks are hidden implicitly by hiding their files. So, finding the full path and hiding that should do the trick. But it has to be the full absolute path to the job file.
from r77-rootkit.
You can set that ability to only hide the value/key from Registry Editor! Then system performance will not be slowed anymore.
That seems like a rather special use case scenario than something that would benefit the project as a whole. The concept of r77 is to be a full rootkit, not one that hides only some entities in specific processes. I want to avoid adding too many special cases, as it makes the project incomprehensible and prone to errors.
And I always encourage developers who would like to see specific features to modify the code on their own. This is the purpose of an open source project after all, because I receive far more feature requests than I have free time to implement. I usually implement feature suggestions that are useful or commonly requested, and of course bug fixes.
For example, this line is where a registry key is hidden. It should be trivial to add string comparison against a list here. The only challenge is to retrieve the full path to the registry key without slowing down performance. Try and let me know if it works for you :)
if (!Rootkit::HasPrefix(KeyInformationGetName(keyInformation, keyInformationClass)))
{
    // Entry is not hidden: it counts towards the index the caller sees.
    newIndex++;
}
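An added example (not r77's code) that models what the two maintainer comments describe: the hooked NtEnumerateKey walks the parent key's real entries from index 0, skips the ones carrying the hidden prefix, and returns the entry at the caller's visible index, which is why each call costs a pass over the key and a full enumeration costs a quadratic number of visits. The list-of-full-paths extension the maintainer suggests is bolted on so the extra comparisons can be counted. The sample subkey names, the "$77" prefix value, the "<parent>\<subkey>" path format and the parent key path passed in as a parameter are all assumptions; a real hook would have to resolve the parent path from the key HANDLE, which is the part the maintainer flags as the hard one.

```cpp
// Added example (not r77's code): a model of the index remapping a hooked
// NtEnumerateKey performs to hide entries, instrumented to show the per-call
// walk over the parent key and the cost of an added hidden-path list.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Constructed sample: the subkeys of one parent key, in the order the
// unhooked NtEnumerateKey would return them for indices 0..n-1.
static const std::vector<std::string> kSampleSubkeys = {
    "Adobe", "$77config", "Google", "$77svc", "Microsoft", "Mozilla", "Python"};

// Hidden-name prefix (assumed value; the real prefix is configurable).
static const std::string kHiddenPrefix = "$77";

// Hypothetical extension from the thread: full key paths to hide in addition
// to the prefix. The "<parent>\<subkey>" path format is an assumption.
static const std::vector<std::string> kHiddenPaths = {"HKLM\\SOFTWARE\\Mozilla"};

struct EnumStats {
    std::size_t entriesVisited = 0;  // real entries the hook had to look at
    std::size_t stringCompares = 0;  // prefix + list comparisons performed
};

struct Result {
    std::vector<std::string> visible;  // what the caller ends up seeing
    EnumStats stats;
};

static bool HasPrefix(const std::string& name, EnumStats& stats) {
    ++stats.stringCompares;
    return name.compare(0, kHiddenPrefix.size(), kHiddenPrefix) == 0;
}

// Prefix check first (cheap, needs only the entry name); the optional list
// check needs the parent key's path, which a real hook must resolve from the
// HANDLE. Here the path is simply passed in (assumption).
static bool IsHidden(const std::string& parentPath, const std::string& name,
                     bool useList, EnumStats& stats) {
    if (HasPrefix(name, stats)) return true;
    if (!useList) return false;
    const std::string fullPath = parentPath + "\\" + name;
    for (const auto& hidden : kHiddenPaths) {
        ++stats.stringCompares;
        if (hidden == fullPath) return true;
    }
    return false;
}

// One hooked NtEnumerateKey call for visible index `index`: walk the real
// entries from 0, skip hidden ones, return the `index`-th visible entry.
// This walk is the O(n) cost paid on every call.
static bool HookedEnumerateKey(const std::string& parentPath,
                               const std::vector<std::string>& realEntries,
                               std::size_t index, bool useList,
                               EnumStats& stats, std::string& out) {
    std::size_t newIndex = 0;
    for (const auto& name : realEntries) {
        ++stats.entriesVisited;
        if (IsHidden(parentPath, name, useList, stats)) continue;
        if (newIndex == index) { out = name; return true; }
        ++newIndex;  // visible entry: counts towards the caller's index
    }
    return false;  // the equivalent of STATUS_NO_MORE_ENTRIES
}

// Full enumeration as regedit or a scanner does it: index 0, 1, 2, ... until
// the hook reports no more entries, so a whole key costs O(n^2) visits.
static Result EnumerateAll(const std::string& parentPath,
                           const std::vector<std::string>& realEntries,
                           bool useList) {
    Result r;
    std::string entry;
    for (std::size_t i = 0;
         HookedEnumerateKey(parentPath, realEntries, i, useList, r.stats, entry); ++i)
        r.visible.push_back(entry);
    return r;
}

static Result EnumerateSample(bool useList) {
    return EnumerateAll("HKLM\\SOFTWARE", kSampleSubkeys, useList);
}

// Entries visited to enumerate a key with n subkeys, none of them hidden.
static std::size_t VisitsForKeyOfSize(std::size_t n) {
    std::vector<std::string> entries;
    for (std::size_t i = 0; i < n; ++i) entries.push_back("Key" + std::to_string(i));
    return EnumerateAll("HKLM\\SOFTWARE\\Test", entries, false).stats.entriesVisited;
}

int main() {
    for (bool useList : {false, true}) {
        Result r = EnumerateSample(useList);
        std::cout << (useList ? "prefix + list: " : "prefix only:   ");
        for (const auto& v : r.visible) std::cout << v << ' ';
        std::cout << "| entries visited " << r.stats.entriesVisited
                  << ", string compares " << r.stats.stringCompares << '\n';
    }
    const std::size_t sizes[] = {10, 100, 1000};
    for (std::size_t n : sizes)
        std::cout << n << " subkeys -> " << VisitsForKeyOfSize(n) << " visits\n";
    return 0;
}
```

For the seven-entry sample the prefix-only enumeration visits 29 entries and the prefix-plus-list variant visits 23 but performs 39 string comparisons, because every entry that passes the prefix check now also has its full path built and compared against the list; with n subkeys a full enumeration costs n(n+1)/2 + n visits, which is where the maintainer's performance concern comes from.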
If we added string comparison for a list of names in addition, then the cost for each iteration would bring down OS performance, because registry queries are executed thousands of times per second by many processes.
As you know, many people use Process Hacker or Process Explorer instead of Task Manager, but I guess nobody uses something else instead of the Windows default Registry Editor (regedit / regedt32).
You can set that ability to only hide the value/key from Registry Editor! Then system performance will not be slowed anymore.