Martin Fischer

63 comments by Martin Fischer

This is really just a PoC to get an idea on how to implement fileless persistence, not a ready-made toolkit. Your actual implementation might look different, also based on...

I updated Windows 11 on my VM to the version that you tested with, however, TaskMgr and Edge don't cause any crashes, even with Windows Defender on. Of course the...

That's really a bummer when a bug is obviously there but can't be reproduced :( You mind doing some trial & erroring with me? That way I can hopefully get...

Thanks for testing removing the hooks! What about 3.) uncommenting one of the injection routes - how does this play out?

The issue with the implementation is that `NtEnumerateKey` uses an index parameter to access subkeys. The way this function is used is by iterating over a key, by incrementing...

I've done some prototyping so far. Would you like to assist me with the testing? I simply stored the previously accessed key and index, and the number of hidden keys...

I have created a [new branch here](https://github.com/bytecode77/r77-rootkit/tree/RegistryEnumCache) with the above implementation, but using TLS. I see that sfc /scannow doesn't work at all with the current release, but it does...

I'll still look into the issue with Event Viewer some time soon. In the meantime, you can grab the source code from the branch and use it. I'll post...

Happy new year! Sorry to keep you waiting for so long... I was especially occupied with updates to some Windows Defender detections and EDR bypasses (see changelog). However, I have...

That is for the EDR unhooking module. Because the real `NtCreateFile` is monitored by antivirus software, it cannot be called because it would trigger a detection. That's why unhooking uses...