Jump to content

All Activity

This stream auto-updates

  1. Past hour
  2. funstyle
    Thank You
  3. Today
  4. warsn
    (Not my tool) Download r77 Rootkit Fileless ring 3 rootkit r77 is a ring 3 rootkit that hides everything: Files, directories Processes & CPU/GPU usage Registry keys & values Services TCP & UDP connections Junctions, named pipes, scheduled tasks Hiding by prefix Everything that starts with "$77" is hidden. Configuration System The dynamic configuration system allows to hide processes by PID and by name, file system items by full path, TCP & UDP connections of specific ports, etc. The configuration is located in HKEY_LOCAL_MACHINE\SOFTWARE\$77config and is writable by any process without elevated privileges. The DACL of this key is set to grant full access to any user. In addition, the $77config key is hidden by the rootkit. Installer The deployment of r77 requires only one file: Install.exe. Execution persists r77 on the system and injects all running processes. Uninstall.exe removes r77 from the system completely, and gracefully. Install.shellcode is the shellcode equivalent of the installer. This way, the installation can be integrated without dropping Install.exe. The shellcode can simply be loaded into memory, casted to a function pointer, and executed: int main() { // 1. Load Install.shellcode from resources or from a BYTE[] // Ideally, encrypt the file and decrypt it here to avoid scantime detection. LPBYTE shellCode = ... // 2. Make the shellcode RWX. DWORD oldProtect; VirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, &oldProtect); // 3. Cast the buffer to a function pointer and execute it. ((void(*)())shellCode)(); // This is the fileless equivalent to executing Install.exe. return 0; } Execution flow The rootkit resides in the system memory and does not write any files to the disk. This is achieved in multiple stages. This graph shows each stage from the execution of the installer all the way down to the rootkit DLL running in every process. The documentation has a chapter with extensive detail about the implementation of each stage. AV/EDR evasion Several AV and EDR evasion techniques are in use: AMSI bypass: The PowerShell inline script disables AMSI by patching amsi.dll!AmsiScanBuffer to always return AMSI_RESULT_CLEAN. Polymorphism is used to evade signature detection of the AMSI bypass. DLL unhooking: Since EDR solutions monitor API calls by hooking ntdll.dll, these hooks need to be removed by loading a fresh copy of ntdll.dll from disk and restoring the original section. Otherwise, process hollowing would be detected. Test environment The Test Console is a useful tool to inject r77 into individual processes and to test drive the configuration system. Technical Documentation Please read the technical documentation to get a comprehensive and full overview of r77 and its internals, and how to deploy and integrate it.
  5. warsn
    🙄
  6. MoneeWafe started following Zoso.ro & Arhiblog.ro Hacked + DB Dump (all comment Emails, Logins etc)
  7. Yesterday
  8. UnixDevel
    Deci de unde se poate lua ?
  9. 14pe
    Cică au spart ăștia situ' și-au furat toată baza de date, frațiooor! Stați așa că vine bomba: parolele lu' fraieri erau băgate la liber, niciun fel de criptare, nimic! Să moară mă-sa dacă mint! Păi cum naiba în 2024 să ții parolele așa la vedere? E ca și cum ai lăsa portofelul pe bancă-n parc și te-ai duce la un 5 minute să iei o șaorma. Acu' orice puțoi ucrainean cu un pic de skill ne poate sparge toate conturile unde-am băgat aceeași parolă. Mișto, ce să zic! Hackerii 1 - Zoso 0 Și cine știe ce alte fițuici personale or mai fi pus ăștia la bătaie? CNP-uri, adrese, poze cu nevasta-n chiloți? Ferească sfântu'! E clar că ăia care se ocupă de site habar n-au ce fac. Probabil că și acu' se scarpină-n cap și se-ntreabă ce dracu' s-a-ntâmplat, în timp ce noi ne facem cruce și schimbăm parole de zici că-i Black Friday. Zoso, coaie, dacă citești asta, sper c-ai învățat ceva. Nu te joci cu securitatea, bă! Să vedem acu' cum gestionezi căcatu' ăsta. Bag mâna-n foc că o să dea vina pe "atacuri sofisticate" când de fapt era ca și cum ar fi lăsat ușa de la lift blocată. Voi ce ziceți? E nasol rău? V-au futut conturile? Hai să dăm cu părerea, că d-aia-i forumu'!
  10. 14pe
    Scuze, din reflex l-am mototolit pe @sefu9581 (Laviniu) si bagat in buzunar, e putin murdar, totusi a mai ramas un colt din el nepatat de rahat.
  11. Zatarra
    Astia cu bani mulÈ›, care-mi baga si mie 100 pe Revolut?
  12. JonhRozj started following Zoso.ro & Arhiblog.ro Hacked + DB Dump (all comment Emails, Logins etc)
  13. Noriega
    M-am cacat si nu am cu ce sa ma sterg la cur. Stie cineva pe unde e @sefu9581?
  14. caesarB
    thank you friend
  15. TrueRumbu
    Thank you
  16. Silviu
    Își bat ăștia bătrâni pla de voi într-un mod magistral
  17. Codex.exe
    Codex.exe changed their profile photo
  18. zazau
  19. banciucatalin96 started following Zoso.ro & Arhiblog.ro Hacked + DB Dump (all comment Emails, Logins etc)
  20. banciucatalin96
    deci astia aveau parolele de la useri in text clar ?
  21. banciucatalin96
    Thank You
  22. nbv920b2
    Thank you
  23. nbv920b2
    why no download?
  24. shep86
    Thank You
  25. Ben
    Ben changed their profile photo
  26. veloci
    Thank You
  27. thebob
    Thank You, am download. Mother of god. 🙀
  28. MackenzieG started following Zoso.ro & Arhiblog.ro Hacked + DB Dump (all comment Emails, Logins etc)
  29. IamDaveJ
    Thank you
  30. IamDaveJ
    Booyakasha
  31. Titikaka
    Mare troll de post. Pentru o secunda chiar am crezut :))))
  32. arhibl0g
    Thank You
  33. robertutzu
    5head
  34. johnnyJohn
    Thank You
  1. Load more activity
×
×
  • Create New...