Prohibiting network access based on specific PID
Networking can be prohibited by process PID, process name or port, so that the playability is better. I hope the author can adopt it.
I like your project very much. Can you give me a USDT wallet so that I can reward you?
Hey there,
can you give me a little detail here? Are you trying to disable connectivity for specific process IDs or for specific ports? And also, do you want to achieve this on one of your own computers where you can configure everything yourself, or is r77 installed at some remote location?
I might come up with a simple solution to this. By the way thank you very much for your offer! I really appreciate support for the project :) Though, I only have BTC (19FPS9C5yCtLFkGzN6zoJkHhortdKAx8MW). Again, thank you a lot for your support!
I have tried hooking NtDeviceIoControlFile, NtWriteFile, NtReadFile and NtClose, the functions these TCP operations go through, to make the specified program unable to connect to the network. You can read the program name or port that needs to be disconnected from `HKEY_LOCAL_MACHINE\SOFTWARE\$77config`.
You can apply for an ETH wallet, which is also more versatile and convenient. You can put it in README.md, so that we can also support your project more conveniently. All your projects provide me with rich concepts and ideas. I like it very much and will always support you.
You can do that by hooking NtCreateFile():

```c
NTSTATUS NtCreateFile(
    [out]          PHANDLE            FileHandle,
    [in]           ACCESS_MASK        DesiredAccess,
    [in]           POBJECT_ATTRIBUTES ObjectAttributes,
    [out]          PIO_STATUS_BLOCK   IoStatusBlock,
    [in, optional] PLARGE_INTEGER     AllocationSize,
    [in]           ULONG              FileAttributes,
    [in]           ULONG              ShareAccess,
    [in]           ULONG              CreateDisposition,
    [in]           ULONG              CreateOptions,
    [in]           PVOID              EaBuffer,
    [in]           ULONG              EaLength
);
```

1. Check if the process name matches the name you would like to disable the connectivity for. If so, hook NtCreateFile().
2. Check if the `ObjectAttributes->ObjectName` in the Hooked_NtCreateFile() call equals `\Device\Afd\Endpoint`, which means "create socket"; just return the STATUS_ACCESS_DENIED error.

Hooking NtDeviceIoControlFile can do the same by returning an error code for AFD_CONNECT.
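The name check in step 2 above is the part that is easy to get subtly wrong, so here is an added illustration of just that check (not r77's code, and not a hook: it installs nothing and only decides whether an object name is the AFD endpoint device). `MODEL_UNICODE_STRING` is a constructed stand-in for the native `UNICODE_STRING` so the file builds without Windows headers; like the real struct, its `Length` is a byte count and its `Buffer` is not guaranteed to be NUL-terminated. The point it makes for anyone auditing or writing such a comparison: object-manager names are case-insensitive, and the comparison must cover exactly `Length/2` code units, never a terminator search and never a prefix match.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the native UNICODE_STRING (assumption: mirrors
   the real layout closely enough for this demonstration). Length and
   MaximumLength are byte counts; Buffer is UTF-16 with no guaranteed
   NUL terminator. */
typedef struct {
    uint16_t  Length;
    uint16_t  MaximumLength;
    uint16_t *Buffer;
} MODEL_UNICODE_STRING;

/* The device path quoted in the thread, spelled as UTF-16 code units. */
static const uint16_t AFD_ENDPOINT[] = {
    '\\','D','e','v','i','c','e','\\','A','f','d','\\','E','n','d','p','o','i','n','t'
};
#define AFD_ENDPOINT_CHARS (sizeof(AFD_ENDPOINT) / sizeof(AFD_ENDPOINT[0]))

static uint16_t lower16(uint16_t c)
{
    return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c;
}

/* True only if the name is exactly \Device\Afd\Endpoint, compared without
   case over exactly Length/2 code units. A shorter name ("\Device\Afd") or a
   longer one ("\Device\Afd\EndpointX") does not match, and bytes that sit in
   the buffer beyond Length are never read. */
bool is_afd_endpoint(const MODEL_UNICODE_STRING *name)
{
    if (name == NULL || name->Buffer == NULL) return false;
    size_t n = name->Length / sizeof(uint16_t);
    if (n != AFD_ENDPOINT_CHARS) return false;
    for (size_t i = 0; i < n; i++) {
        if (lower16(name->Buffer[i]) != lower16(AFD_ENDPOINT[i])) return false;
    }
    return true;
}

/* Test helper: build a model string from an ASCII literal whose Length
   covers only the first `count` characters, leaving the remainder in the
   buffer past Length. That is the shape a terminator-based wcscmp would
   misjudge, and exactly what a counted compare handles correctly. */
bool matches_counted(const char *ascii, size_t count)
{
    static uint16_t storage[64];
    size_t total = strlen(ascii);
    if (total > 64 || count > total) return false;
    for (size_t i = 0; i < total; i++) {
        storage[i] = (uint16_t)(unsigned char)ascii[i];
    }
    MODEL_UNICODE_STRING us = {
        .Length        = (uint16_t)(count * sizeof(uint16_t)),
        .MaximumLength = (uint16_t)(total * sizeof(uint16_t)),
        .Buffer        = storage,
    };
    return is_afd_endpoint(&us);
}

/* Convenience wrapper: the whole literal is counted. */
bool matches(const char *ascii)
{
    return matches_counted(ascii, strlen(ascii));
}
```

`matches("\\Device\\Afd\\Endpoint")` and its lower-case spelling both return true; `matches("\\Device\\Afd")` returns false; and `matches_counted("\\Device\\Afd\\EndpointJUNK", 20)` returns true because only the 20 counted characters belong to the name, while `matches_counted("\\Device\\Afd\\Endpoint", 11)` returns false because the counted portion is just `\Device\Afd`.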
Sorry for the late response, I'm being kept busy by patching the AMSI fix for Windows Defender and next thing I've realized that Windows 24H2 broke RunPE for good, for all applications that implement process hollowing :\ So I need to fix this issue fast.
Sorry to keep you waiting here.
@wineggdrop you seem to have a lot of concrete bugfix suggestions and most of them are spot on. Great work! I would say NtDeviceIoControlFile is preferable over NtCreateFile as it's more low level.
I'll get back to you when I have the RunPE issue sorted out.
How to bypass Windows Defender?
1. Disable script scanning. 2. Disable behavior monitoring. 3. Disable UI lockdown. Do it through PowerShell or gpedit; needs administrator privilege.