hasherezade
Ok, I see where exactly it happens. Those are the subsequent functions called:

+ `LdrpInitializeProcess`
+ `LdrpProcessMappedModule`
+ `RtlpInsertOfRemoveScpCfgFunctionTable`
+ `ZwQueryVirtualMemory`

The problem lies indeed in the fact that the...
I added the patch, and it should work now. Check it out guys, and let me know what you think.
@harunkocacaliskan - I tested it on [Windows 11 24H2](https://support.microsoft.com/en-us/topic/windows-11-version-24h2-update-history-0929c747-1815-4543-8461-0160d16f15e5), [Build 26100.2894](https://support.microsoft.com/en-us/topic/january-14-2025-kb5050009-os-build-26100-2894-d78f27bc-6405-461f-a525-2d1dc4e45759), which is the latest to date (excluding the Preview), and both 32- and 64-bit versions worked without any...
> [@hasherezade](https://github.com/hasherezade) well, looks like both functions, `NtManageHotPatch` and `NtQueryVirtualMemory`, require a patch (32-/64-bit). I still can't figure it out: is Microsoft doing this intentionally or is it a...
@harunkocacaliskan - do I understand you correctly that the 64-bit loader:

+ https://ci.appveyor.com/project/hasherezade/libpeconv/build/job/3hdges29jaayyo58/artifacts

runs on your machine without any changes? Also to inject 32-bit payloads? The problem is only with...
> > [@harunkocacaliskan](https://github.com/harunkocacaliskan) - do I understand you correctly that the 64-bit loader:
> >
> > * https://ci.appveyor.com/project/hasherezade/libpeconv/build/job/3hdges29jaayyo58/artifacts
> >
> > runs on your machine without any changes? Also to...
Ok, I managed to test it on a real machine. It seems that this error `0xC00004AC` occurs only if the Memory Integrity check is enabled in the system:

When...
I see where exactly it is coming from; indeed the simplest way to get rid of it is to patch `NtManagePatch`.

1. `LdrpQueryCurrentPatch` is called on the implant (address in...
My latest commit should finally solve this problem, for both 32- and 64-bit. Check it out, it should work on a system with Memory Integrity checks enabled + 64-bit build:...
Hi @bncdemo ! Could you please share the original file, so that I can investigate it? You can upload it and send me the link. If you don't want to...