Comments (10)
If you need a solution right now, I would suggest looking at this function:
BOOL InjectDll(DWORD processId, LPBYTE dll, DWORD dllSize, BOOL fast)
This is called to inject a specific process ID. Within that function, look up the name of this process based on the specified PID, and if that name is donotinject.exe
, simply return false
. Either use "client.exe", or "explorer.exe" based on your specific needs.
from r77-rootkit.
What do you mean by "not running correctly"?
- Does it affect all child processes of explorer.exe, or only specific processes?
- Are child processes injected?
- Are they crashing / not starting up?
Just note that child process hooking is only active, when the r77 service is installed. If explorer.exe (x64) starts file.exe (x86), then it requires a named pipe communication between the rootkit inside explorer.exe and the r77 service to build a "bridge" between x86 and x64,
from r77-rootkit.
Thank you for the quick reply.
Its affecting all child processes of explorer.exe, I am trying to run some external cheats for COD and its stopping the files from running. But when I detach the explorer the cheat program runs.
from r77-rootkit.
Let me upload some screenshots for you.
from r77-rootkit.
With the rootkit enabled, Client.exe wont run as you can see it injects it to client and i don't want it to.
from r77-rootkit.
And in this image if you look its injected into Client.exe and its running fine (How it should) and i dethatched explorer.exe which allows it to run. So i would like it to not hook the child processes of explorer. If you could help me with that please.
from r77-rootkit.
Looks like client.exe is detecting that it's injected and really doesn't like it... That has nothing to do with child process injection in general and more with specific processes that should not be injected.
In issue #25, a similar problem was described. There is a feature request to specify an exclusion list of processes to not be injected. For example: [ "client.exe", "steam.exe" ]
. It's on the ToDo list for the next release, which I will start working on next month. Does that solve your issue?
from r77-rootkit.
Oh okay thank you.
Is there any simple work around for this at the minute because I can detach explorer.exe and it will run fine.
Like another exe that gets the PID of explorer.exe and detaches the rootkit. on each log on of the user something like that.
from r77-rootkit.
As of now, there is a new feature to exclude processes from being injected. It's only on the dev branch, so you have do download the code from there and compile. To add a process name to the exclusion list, modify the contents of PROCESS_EXCLUSIONS
and recompile.
This is the dev branch. Downloadable binaries and documentation will follow with the next release, as well as other features on the ToDo list.
from r77-rootkit.
r77 version 1.3.0 is released
It contains a hardcoded process exclusion list. The advantage over the configuration system in your specific case is that r77 will never inject these processes. Previously, these would get injected prior to the configuration system being loaded.
You need to modify the code here and compile r77:
/// <summary>
/// Specifies a list of processes that will not be injected.
/// By default, this list includes processes that are known to cause problems.
/// To customize this list, add custom entries and recompile.
/// </summary>
#define PROCESS_EXCLUSIONS { L"MSBuild.exe" }
// Example: { L"MSBuild.exe", L"your_app.exe", L"another_app.exe" }
from r77-rootkit.
Related Issues (20)
- Teaching lessons HOT 5
- Contact information HOT 1
- "MSB3073" Error HOT 4
- r77 rookit injects into PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON process
- Adding a .exe to startup HOT 6
- Help HOT 4
- ControlPipe using Powershell HOT 3
- Help Needed - Happy to pay consulting fees HOT 1
- Help HOT 3
- testconsole won't work HOT 5
- Hiding users (net.exe and lusrmgr.msc) HOT 11
- I discovered new rootkit vulnerability stronger than your rootkit with 0 coding (no admin required) HOT 11
- Issue with BitDefender Partial Detection of r77 and Loss of Persistence HOT 4
- Significant challenge with BitDefender AV (BD) that affects the operation of admin-level processes HOT 2
- #//~~ Long time without talk! ^- ^ [ HELP ] HOT 11
- Install.shellcode HOT 3
- r77 pipes HOT 8
- where to start ?
- [ HELP ] — How I can use the ControlPipe in C# ?? 🥴 HOT 4
- Add Support for The Use of WildCard Characters HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from r77-rootkit.