Refactoring

bytecode77 · bytecode77 · commit a1bd69424ed0 · 2023-06-25T21:59:18.000+02:00
diff --git a/BuildTask/BuildTask.csproj b/BuildTask/BuildTask.csproj
@@ -41,6 +41,9 @@
     <Compile Include="..\Global\GlobalAssemblyInfo.cs">
       <Link>Properties\GlobalAssemblyInfo.cs</Link>
     </Compile>
+    <Compile Include="..\Global\R77Const.cs">
+      <Link>Properties\R77Const.cs</Link>
+    </Compile>
     <Compile Include="BuildTask.cs" />
   </ItemGroup>
   <ItemGroup />
diff --git a/Example/Example.csproj b/Example/Example.csproj
@@ -62,6 +62,9 @@
     <Compile Include="..\Global\GlobalAssemblyInfo.cs">
       <Link>Properties\GlobalAssemblyInfo.cs</Link>
     </Compile>
+    <Compile Include="..\Global\R77Const.cs">
+      <Link>Properties\R77Const.cs</Link>
+    </Compile>
     <Compile Include="Properties\AssemblyInfo.cs" />
     <Page Include="MainWindow.xaml">
       <Generator>MSBuild:Compile</Generator>
diff --git a/Global/GlobalAssemblyInfo.cs b/Global/GlobalAssemblyInfo.cs
@@ -2,16 +2,4 @@
 
 [assembly: AssemblyVersion("1.4.3")]
 [assembly: AssemblyFileVersion("1.4.3")]
-[assembly: AssemblyCopyright("© bytecode77, 2023.")]
-
-namespace Global
-{
-	// These constants must match the preprocessor definitions in r77def.h
-	public static class Config
-	{
-		public const string HidePrefix = "$77";
-		public const ushort R77ServiceSignature = 0x7273;
-		public const ushort R77HelperSignature = 0x7268;
-		public const string ControlPipeName = HidePrefix + "control";
-	}
-}
+[assembly: AssemblyCopyright("© bytecode77, 2023.")]
diff --git a/Global/R77Const.cs b/Global/R77Const.cs
@@ -0,0 +1,11 @@
+﻿namespace Global
+{
+	// These constants must match the preprocessor definitions in r77def.h
+	public static class Config
+	{
+		public const string HidePrefix = "$77";
+		public const ushort R77ServiceSignature = 0x7273;
+		public const ushort R77HelperSignature = 0x7268;
+		public const string ControlPipeName = HidePrefix + "control";
+	}
+}
diff --git a/Service/ProcessListener.h b/Service/ProcessListener.h
@@ -27,9 +27,6 @@ typedef struct _NEW_PROCESS_LISTENER
 /// </summary>
 /// <param name="interval">The interval, in milliseconds, between each enumeration of running processes.</param>
 /// <param name="callback">The function that is called, when a process is found that was not present in the previous enumeration.</param>
-/// <returns>
-/// A pointer to the newly created NEW_PROCESS_LISTENER structure.
-/// </returns>
 VOID NewProcessListener(DWORD interval, PROCESSIDCALLBACK callback);
 static DWORD WINAPI NewProcessListenerThread(LPVOID parameter);
 
diff --git a/Stager/Helper.cs b/Stager/Helper.cs
@@ -25,8 +25,7 @@ public static bool Is64BitOperatingSystem()
 		{
 			using (Process process = Process.GetCurrentProcess())
 			{
-				bool wow64;
-				if (IsWow64Process(process.Handle, out wow64))
+				if (IsWow64Process(process.Handle, out bool wow64))
 				{
 					return wow64;
 				}
diff --git a/Stager/RunPE.cs b/Stager/RunPE.cs
@@ -110,7 +110,10 @@ public static void Run(string path, string commandLine, byte[] payload, int pare
 					// If the current attempt failed, terminate the created process to not have suspended "leftover" processes.
 					Process.GetProcessById(processId).Kill();
 				}
-				catch { }
+				catch
+				{
+				}
+
 				continue;
 			}
 
diff --git a/Stager/Stager.csproj b/Stager/Stager.csproj
@@ -38,6 +38,10 @@
   <PropertyGroup>
     <StartupObject />
   </PropertyGroup>
+  <PropertyGroup />
+  <PropertyGroup>
+    <Win32Resource>A:\Code\GitHub\r77-rootkit\Stager\Stager.res</Win32Resource>
+  </PropertyGroup>
   <ItemGroup>
     <Reference Include="System" />
   </ItemGroup>
@@ -64,6 +68,9 @@
   <ItemGroup>
     <None Include="Resources\Service64.exe" />
   </ItemGroup>
+  <ItemGroup>
+    <Content Include="Stager.res" />
+  </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <PropertyGroup>
     <PostBuildEvent>xcopy /Y "$(TargetPath)" "$(SolutionDir)Install\Resources"</PostBuildEvent>
diff --git a/Stager/Stager.res b/Stager/Stager.res
diff --git a/TestConsole/TestConsole.csproj b/TestConsole/TestConsole.csproj
@@ -67,6 +67,9 @@
     <Compile Include="..\Global\GlobalAssemblyInfo.cs">
       <Link>Properties\GlobalAssemblyInfo.cs</Link>
     </Compile>
+    <Compile Include="..\Global\R77Const.cs">
+      <Link>Properties\R77Const.cs</Link>
+    </Compile>
     <Compile Include="Controller\ConfigSystemEntry.cs" />
     <Compile Include="Controller\ConfigSystemDirectory.cs" />
     <Compile Include="Controller\ConfigSystem.cs" />
diff --git a/r77.sln b/r77.sln
@@ -1,4 +1,4 @@
-﻿
+
 Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.1.32328.378
@@ -55,6 +55,7 @@ EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Global", "Global", "{054A9EE5-7740-4460-A561-D0AC8CF051EF}"
 	ProjectSection(SolutionItems) = preProject
 		Global\GlobalAssemblyInfo.cs = Global\GlobalAssemblyInfo.cs
+		Global\R77Const.cs = Global\R77Const.cs
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InstallShellcode", "InstallShellcode\InstallShellcode.vcxitems", "{DEAB25FD-2042-4BD6-BF4B-0802DCCC70F5}"
diff --git a/r77api/r77def.h b/r77api/r77def.h
@@ -1,7 +1,7 @@
 #ifndef _R77DEF_H
 #define _R77DEF_H
 
-// These preprocessor definitions must match the constants in GlobalAssemblyInfo.cs
+// These preprocessor definitions must match the constants in r77Const.cs
 
 /// <summary>
 /// The prefix for name based hiding (e.g. processes, files, etc...).
diff --git a/r77api/r77win.c b/r77api/r77win.c
@@ -684,10 +684,10 @@ BOOL IsExecutable64Bit(LPBYTE image, LPBOOL is64Bit)
 	{
 		switch (ntHeaders->OptionalHeader.Magic)
 		{
-			case 0x10b:
+			case IMAGE_NT_OPTIONAL_HDR32_MAGIC:
 				*is64Bit = FALSE;
 				return TRUE;
-			case 0x20b:
+			case IMAGE_NT_OPTIONAL_HDR64_MAGIC:
 				*is64Bit = TRUE;
 				return TRUE;
 		}
@@ -786,10 +786,20 @@ BOOL RunPE(LPCWSTR path, LPBYTE payload)
 DWORD GetExecutableFunction(LPBYTE image, LPCSTR functionName)
 {
 	BOOL is64Bit;
-	if (IsExecutable64Bit(image, &is64Bit) && BITNESS(is64Bit ? 64 : 32))
+	if (IsExecutable64Bit(image, &is64Bit))
 	{
-		PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
-		PIMAGE_EXPORT_DIRECTORY exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(image + RvaToOffset(image, ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress));
+		PIMAGE_EXPORT_DIRECTORY exportDirectory;
+		if (is64Bit)
+		{
+			PIMAGE_NT_HEADERS64 ntHeaders = (PIMAGE_NT_HEADERS64)(image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
+			exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(image + RvaToOffset(image, ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress));
+		}
+		else
+		{
+			PIMAGE_NT_HEADERS32 ntHeaders = (PIMAGE_NT_HEADERS32)(image + ((PIMAGE_DOS_HEADER)image)->e_lfanew);
+			exportDirectory = (PIMAGE_EXPORT_DIRECTORY)(image + RvaToOffset(image, ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress));
+		}
+
 		LPDWORD nameDirectory = (LPDWORD)(image + RvaToOffset(image, exportDirectory->AddressOfNames));
 		LPWORD nameOrdinalDirectory = (LPWORD)(image + RvaToOffset(image, exportDirectory->AddressOfNameOrdinals));
 

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,7 @@ public static bool Is64BitOperatingSystem()`
`25`	`25`	`{`
`26`	`26`	`using (Process process = Process.GetCurrentProcess())`
`27`	`27`	`{`
`28`		`- bool wow64;`
`29`		`- if (IsWow64Process(process.Handle, out wow64))`
	`28`	`+ if (IsWow64Process(process.Handle, out bool wow64))`
`30`	`29`	`{`
`31`	`30`	`return wow64;`
`32`	`31`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,10 @@ public static void Run(string path, string commandLine, byte[] payload, int pare`
`110`	`110`	`// If the current attempt failed, terminate the created process to not have suspended "leftover" processes.`
`111`	`111`	`Process.GetProcessById(processId).Kill();`
`112`	`112`	`}`
`113`		`- catch { }`
	`113`	`+ catch`
	`114`	`+ {`
	`115`	`+ }`
	`116`	`+`
`114`	`117`	`continue;`
`115`	`118`	`}`
`116`	`119`