itsMe Posted December 1, 2023

Ring 3 rootkit

r77 is a ring 3 Rootkit that hides the following entities from all processes:

- Files, directories, named pipes, scheduled tasks
- Processes
- CPU usage
- Registry keys & values
- TCP & UDP connections

It is compatible with Windows 7 and Windows 10 in both x64 and x86 editions.

AV/EDR evasion

Several AV and EDR evasion techniques are in use:

- AMSI bypass: The PowerShell inline script disables AMSI by patching amsi.dll!AmsiScanBuffer to always return AMSI_RESULT_CLEAN. Polymorphism is used to evade signature detection of the AMSI bypass.
- DLL unhooking: Since EDR solutions monitor API calls by hooking ntdll.dll, these hooks need to be removed by loading a fresh copy of ntdll.dll from disk and restoring the original section. Otherwise, process hollowing would be detected.