Explorer.exe - Child Processes about r77-rootkit HOT 10 CLOSED

If you need a solution right now, I would suggest looking at this function:

BOOL InjectDll(DWORD processId, LPBYTE dll, DWORD dllSize, BOOL fast)

This is called to inject a specific process ID. Within that function, look up the name of this process based on the specified PID, and if that name is donotinject.exe, simply return false. Either use "client.exe", or "explorer.exe" based on your specific needs.

from r77-rootkit.

What do you mean by "not running correctly"?

• Does it affect all child processes of explorer.exe, or only specific processes?
• Are child processes injected?
• Are they crashing / not starting up?

Just note that child process hooking is only active, when the r77 service is installed. If explorer.exe (x64) starts file.exe (x86), then it requires a named pipe communication between the rootkit inside explorer.exe and the r77 service to build a "bridge" between x86 and x64,

from r77-rootkit.

Thank you for the quick reply.

Its affecting all child processes of explorer.exe, I am trying to run some external cheats for COD and its stopping the files from running. But when I detach the explorer the cheat program runs.

from r77-rootkit.

Let me upload some screenshots for you.

from r77-rootkit.

With the rootkit enabled, Client.exe wont run as you can see it injects it to client and i don't want it to.

from r77-rootkit.

And in this image if you look its injected into Client.exe and its running fine (How it should) and i dethatched explorer.exe which allows it to run. So i would like it to not hook the child processes of explorer. If you could help me with that please.

from r77-rootkit.

Looks like client.exe is detecting that it's injected and really doesn't like it... That has nothing to do with child process injection in general and more with specific processes that should not be injected.

In issue #25, a similar problem was described. There is a feature request to specify an exclusion list of processes to not be injected. For example: [ "client.exe", "steam.exe" ]. It's on the ToDo list for the next release, which I will start working on next month. Does that solve your issue?

from r77-rootkit.

Oh okay thank you.

Is there any simple work around for this at the minute because I can detach explorer.exe and it will run fine.

Like another exe that gets the PID of explorer.exe and detaches the rootkit. on each log on of the user something like that.

from r77-rootkit.

As of now, there is a new feature to exclude processes from being injected. It's only on the dev branch, so you have do download the code from there and compile. To add a process name to the exclusion list, modify the contents of PROCESS_EXCLUSIONS and recompile.

This is the dev branch. Downloadable binaries and documentation will follow with the next release, as well as other features on the ToDo list.

from r77-rootkit.

r77 version 1.3.0 is released

It contains a hardcoded process exclusion list. The advantage over the configuration system in your specific case is that r77 will never inject these processes. Previously, these would get injected prior to the configuration system being loaded.

You need to modify the code here and compile r77:

/// <summary>
/// Specifies a list of processes that will not be injected.
/// By default, this list includes processes that are known to cause problems.
/// To customize this list, add custom entries and recompile.
/// </summary>
#define PROCESS_EXCLUSIONS						{ L"MSBuild.exe" }
// Example: { L"MSBuild.exe", L"your_app.exe", L"another_app.exe" }

from r77-rootkit.