r77-rootkit
[ HELP ] — How can I use the ControlPipe in C#? 🥴
Hey! How are you doing, @bytecode77!! 🧡 🔥
I need you to give me a hand, because I'm going crazy, really... 🥴 😅 🥴
I want to control the rootkit using PIPES, but I'm trying to connect to it to send the UNINSTALL command as a function, and it seems impossible 😭 😭
The code you posted as an example is this one (C++). PS: slightly modified, I changed the pipe code to uninstall r77. 🧐

    #include <Windows.h>

    #define CONTROL_USER_UNNISTALL 0x1002

    int main()
    {
        // Open the control pipe as a client.
        HANDLE pipe = CreateFileW(L"\\\\.\\pipe\\$r77", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
        if (pipe != INVALID_HANDLE_VALUE)
        {
            // Control code first, then the parameters as null-terminated UTF-16 strings.
            DWORD controlCode = CONTROL_USER_UNNISTALL;
            // Parameters left over from the ShellExec example.
            WCHAR shellExecPath[] = L"C:\\Windows\\System32\\notepad.exe";
            WCHAR shellExecCommandline[] = L"mytextfile.txt";

            DWORD bytesWritten;
            WriteFile(pipe, &controlCode, sizeof(DWORD), &bytesWritten, NULL);
            WriteFile(pipe, shellExecPath, (lstrlenW(shellExecPath) + 1) * 2, &bytesWritten, NULL);
            WriteFile(pipe, shellExecCommandline, (lstrlenW(shellExecCommandline) + 1) * 2, &bytesWritten, NULL);

            CloseHandle(pipe);
        }

        return 0;
    }

And I tried to translate the code into C#, but it doesn't work 🤔🤔 I hope you can help me a bit with how I can make it work! 🙏 🙏
The C# version I translated:

    using System;
    using System.IO.Pipes;
    using System.Runtime.InteropServices;
    using System.Text;

    class Program
    {
        private const int CONTROL_USER_UNNISTALL = 0x1002;

        static void Main()
        {
            // Connect to the control pipe on the local machine.
            using (NamedPipeClientStream pipe = new NamedPipeClientStream(".", "$r77", PipeDirection.InOut))
            {
                pipe.Connect();

                int controlCode = CONTROL_USER_UNNISTALL;
                // Parameters left over from the ShellExec example.
                string shellExecPath = @"C:\Windows\System32\notepad.exe";
                string shellExecCommandline = "mytextfile.txt";

                // Control code as a 4-byte integer, strings as null-terminated UTF-16.
                byte[] controlCodeBytes = BitConverter.GetBytes(controlCode);
                byte[] shellExecPathBytes = Encoding.Unicode.GetBytes(shellExecPath + "\0");
                byte[] shellExecCommandlineBytes = Encoding.Unicode.GetBytes(shellExecCommandline + "\0");

                pipe.Write(controlCodeBytes, 0, controlCodeBytes.Length);
                pipe.Write(shellExecPathBytes, 0, shellExecPathBytes.Length);
                pipe.Write(shellExecCommandlineBytes, 0, shellExecCommandlineBytes.Length);
            }
        }
    }

I am trying to find something like this:

    private async void QUIT_Click(object sender, RoutedEventArgs e)
    {
        using (NamedPipeClientStream pipe = new NamedPipeClientStream(".", "$r77", PipeDirection.InOut))
        {
            pipe.Connect();

            int controlCode = CONTROL_USER_UNNISTALL;
            string shellExecPath = @"C:\Windows\System32\notepad.exe";
            string shellExecCommandline = "mytextfile.txt";

            byte[] controlCodeBytes = BitConverter.GetBytes(controlCode);
            byte[] shellExecPathBytes = Encoding.Unicode.GetBytes(shellExecPath + "\0");
            byte[] shellExecCommandlineBytes = Encoding.Unicode.GetBytes(shellExecCommandline + "\0");

            pipe.Write(controlCodeBytes, 0, controlCodeBytes.Length);
            pipe.Write(shellExecPathBytes, 0, shellExecPathBytes.Length);
            pipe.Write(shellExecCommandlineBytes, 0, shellExecCommandlineBytes.Length);
        }
    }

📋 📋 [ UPDATE ] — 30/04/2024 | 20:57
I found the error: it was the name of the pipe. It's really strange, because if I change the name of the pipe to anything other than PREFIX + "control", then I can't connect to the PIPE.
But when the name is PREFIX + "control", then it works nicely! 🧡 🔥
How can I change the PIPE name, @bytecode77? 🤔 🤔
Yeah, the name of the pipe was simply wrong. Also, you only need to send the two bytes of CONTROL_USER_UNNISTALL without the other parameters, they will be ignored.
Check out 4.10 Compile Time Constants in the documentation if you want to change the name of the pipe or other constants.
✔ ✔ [ SOLVED ] — 03/05/2024 | 03:25
Sure, now I understand, thank you @bytecode77, as always you're the best! 🧡🔥
The solution was in the definitions. I really don't know why I didn't see it before; sometimes the things that you have closest are the ones that are most difficult to discern. 🥴