r77

Downloads
0.5.0
2017
Beta

This work in progress ring 3 rootkit hides processes, files and directories from user mode applications. Future implementation on modules, registry, services and possibly other entities is planned.

A quick visualization

Before/after rootkit is running. For sake of example, "explorer.exe" is hidden.

How it works

r77 uses MinHook, a hooking library that enables redirection of API calls from their original function to a custom one. This provides the opportunity to choose what, for instance, process enumerations should return and what should be hidden. In order to hook WinAPI functions globally, the rootkit DLL must be loaded as a thread in every running process. This can be done through AppInit_DLLs as well as DLL injection or using multiple routes. Install.exe drops the DLL to C:\r77_{GUID}.dll and registers it in AppInit_DLLs. The drop is required in this example in order to avoid file locking while testing. However, the utilizing application can use whatever route fits best, because once the DLL is loaded into the process, its payload is running.

A file named "r77.config.txt" defines which processes and file prefixes are hidden:

[process]
explorer.exe
cmd.exe

[fileprefix]
1337_

AppInit_DLLs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

A DLL registered in AppInit_DLLs is loaded into every process that is executed from this point. This also requires enabling loading by setting LoadAppInit_DLLs to 1 and additionally, RequireSignedAppInit_DLLs to 0, because rootkits are usually not signed, obviously.

Setting the registry value under HKEY_LOCAL_MACHINE requires elevated privileges. After installation, the rootkit runs in user mode, however does not require any startup logic to re-install on reboot. A ring 0 rootkit in this instance would be a kernel mode driver (*.sys file) that also requires administrator privileges when installing and not necessarily yields benefits either.

Also, because the AppInit_DLLs method is commonly used by malware, security software will likely block access to this registry value. r77 is not guaranteed to work while anti-virus software is running.

Legitimacy

Rootkits are not illegal software. However, their reputation is considered low, because rootkits are primarily used to hide malware. So, at this point, I would like to point out that this is for educational / PoC purposes and I'm not responsible for developers misusing it.

However, please also note that high quality rootkits are used by security software, like anti-virus and firewalls in order to protect them from malware. Such rootkits are always implemented in kernel mode to make it impossible for malware to undermine installed security software with their own rootkits. Maximum persistence can be achieved with ring -3 rootkits that are implemented in hardware itself. When done correctly, they cannot be removed anyhow.

ToDo

This is proof of concept. This rootkit is in its development state and is not complete. Following tasks are on the agenda, prior to final release:

  1. Installation: The installation file is written in C# and merely drops the DLL in C:\ and registers AppInit_DLLs. Injection into already running processes should be implemented as well. Also, this is an example, whereas in paractice, installation is implemented inside the application utilizing the rootkit.
  2. Deinstallation: Again, this is an exemplary application / script. It does not remove drops that are locked by running processes. Detachment logic needs to be implemented.
  3. Hiding or otherwise obscuring modules, registry keys & values, services and other entities are also primary goals.
  4. Respecting mixed x64 / x86 processes. Currently, implementation is limited to x64.
  5. Persistence: "rootkit" implies this. Therefore, my agenda also includes hiding r77's own DLL threads and denying access to AppInit_DLLs registry values. A rootkit has its own will that is to stay.