{"id":13840074,"url":"https://github.com/bytecode77/r77-rootkit","last_synced_at":"2025-05-14T10:10:01.713Z","repository":{"id":39717886,"uuid":"114536731","full_name":"bytecode77/r77-rootkit","owner":"bytecode77","description":"Fileless ring 3 rootkit with installer and persistence that hides processes, files, network connections, etc.","archived":false,"fork":false,"pushed_at":"2025-03-25T17:59:20.000Z","size":5325,"stargazers_count":1865,"open_issues_count":9,"forks_count":423,"subscribers_count":43,"default_branch":"master","last_synced_at":"2025-04-04T11:40:32.962Z","etag":null,"topics":["av-evasion","fileless","rootkit"],"latest_commit_sha":null,"homepage":"https://bytecode77.com/r77-rootkit","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bytecode77.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-12-17T13:04:14.000Z","updated_at":"2025-04-04T08:18:17.000Z","dependencies_parsed_at":"2022-07-13T12:20:32.489Z","dependency_job_id":"3dd6b06e-5bdc-4682-9e98-63862e92ee63","html_url":"https://github.com/bytecode77/r77-rootkit","commit_stats":{"total_commits":83,"total_committers":2,"mean_commits":41.5,"dds":0.07228915662650603,"last_synced_commit":"b3dc393a55134ae3c775ddf30fb4a6701ca8c73f"},"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bytecode77%2Fr77-rootkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bytecode77%2Fr77-rootkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bytecode77%2Fr77-rootkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bytecode77%2Fr77-rootkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bytecode77","download_url":"https://codeload.github.com/bytecode77/r77-rootkit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248448371,"owners_count":21105285,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["av-evasion","fileless","rootkit"],"created_at":"2024-08-04T17:00:41.578Z","updated_at":"2025-04-11T17:24:17.413Z","avatar_url":"https://github.com/bytecode77.png","language":"C","readme":"# r77 Rootkit\r\n\r\n## Fileless ring 3 rootkit\r\n\r\nr77 is a ring 3 rootkit that hides everything:\r\n\r\n - Files, directories\r\n - Processes \u0026 CPU/GPU usage\r\n - Registry keys \u0026 values\r\n - Services\r\n - TCP \u0026 UDP connections\r\n - Junctions, named pipes, scheduled tasks\r\n\r\n## Hiding by prefix\r\n\r\nEverything that starts with `\"$77\"` is hidden.\r\n\r\n![](https://bytecode77.com/images/pages/r77-rootkit/hiding.webp)\r\n\r\n## Configuration System\r\n\r\nThe dynamic configuration system allows to hide processes by **PID** and by **name**, file system items by **full path**, TCP \u0026 UDP connections of specific ports, etc.\r\n\r\n![](https://bytecode77.com/images/pages/r77-rootkit/config.webp)\r\n\r\nThe configuration is located in `HKEY_LOCAL_MACHINE\\SOFTWARE\\$77config` and is writable by any process without elevated privileges. The DACL of this key is set to grant full access to any user.\r\n\r\nIn addition, the `$77config` key is hidden by the rootkit.\r\n\r\n## Installer\r\n\r\nThe deployment of r77 requires only one file: `Install.exe`. Execution persists r77 on the system and injects all running processes.\r\n\r\n`Uninstall.exe` removes r77 from the system completely, and gracefully.\r\n\r\n`Install.shellcode` is the shellcode equivalent of the installer. This way, the installation can be integrated without dropping `Install.exe`. The shellcode can simply be loaded into memory, casted to a function pointer, and executed:\r\n\r\n```\r\nint main()\r\n{\r\n\t// 1. Load Install.shellcode from resources or from a BYTE[]\r\n\t// Ideally, encrypt the file and decrypt it here to avoid scantime detection.\r\n\tLPBYTE shellCode = ...\r\n\r\n\t// 2. Make the shellcode RWX.\r\n\tDWORD oldProtect;\r\n\tVirtualProtect(shellCode, shellCodeSize, PAGE_EXECUTE_READWRITE, \u0026oldProtect);\r\n\r\n\t// 3. Cast the buffer to a function pointer and execute it.\r\n\t((void(*)())shellCode)();\r\n\r\n\t// This is the fileless equivalent to executing Install.exe.\r\n\r\n\treturn 0;\r\n}\r\n```\r\n\r\n## Execution flow\r\n\r\nThe rootkit resides in the system memory and does not write any files to the disk. This is achieved in multiple stages.\r\n\r\nThis graph shows each stage from the execution of the installer all the way down to the rootkit DLL running in every process. The [documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf) has a chapter with extensive detail about the implementation of each stage.\r\n\r\n![](https://bytecode77.com/images/pages/r77-rootkit/execution-flow-light.webp)\r\n\r\n## AV/EDR evasion\r\n\r\nSeveral AV and EDR evasion techniques are in use:\r\n\r\n- **AMSI bypass:** The PowerShell inline script disables AMSI by patching `amsi.dll!AmsiScanBuffer` to always return `AMSI_RESULT_CLEAN`. Polymorphism is used to evade signature detection of the AMSI bypass.\r\n- **DLL unhooking:** Since EDR solutions monitor API calls by hooking `ntdll.dll`, these hooks need to be removed by loading a fresh copy of `ntdll.dll` from disk and restoring the original section. Otherwise, process injection would be detected.\r\n\r\n## Test environment\r\n\r\nThe Test Console is a useful tool to inject r77 into individual processes and to test drive the configuration system.\r\n\r\n![](https://bytecode77.com/images/pages/r77-rootkit/testconsole.webp)\r\n\r\n## Technical Documentation\r\n\r\nPlease read the [technical documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf) to get a comprehensive and full overview of r77 and its internals, and how to deploy and integrate it.\r\n\r\n## Downloads\r\n\r\n[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.7.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.7.0.zip)\r\n(**ZIP Password:** bytecode77)\u003cbr /\u003e\r\n[![](https://bytecode77.com/public/fileicons/pdf.png) Technical Documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf)\r\n\r\n## Project Page\r\n\r\n[![](https://bytecode77.com/public/favicon16.png) bytecode77.com/r77-rootkit](https://bytecode77.com/r77-rootkit)","funding_links":[],"categories":["C (286)","C"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbytecode77%2Fr77-rootkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbytecode77%2Fr77-rootkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbytecode77%2Fr77-rootkit/lists"}