NotCapengeR

icon company Null icon location Undefined icon location Here we go again.

Results 10 comments of NotCapengeR

64bit run_pe load 64bit payload not working on windows 11 24H2

Starting from Windows 11 24H2, Microsoft has implemented a new [Control Flow Guard or CFG](https://ynwarcs.github.io/Win11-24H2-CFG) system, which should limit the places where the application can execute code. You can read...

64bit run_pe load 64bit payload not working on windows 11 24H2

So, I did get an Ntdll sample from Windows 11 24H2. The `RtlpInsertOrRemoveScpCfgFunctionTable` function is not exported, so patching it by offset is not a good idea, but I found...

64bit run_pe load 64bit payload not working on windows 11 24H2

> @NotCapengeR I have, too, realized, that Windows 24H2 broke RunPE, so I stumbled upon your suggestion. I tried it (with `VirtualProtectEx` before `WriteProcessMemory`), but without success, yet. I will...

64bit run_pe load 64bit payload not working on windows 11 24H2

> Hi, finally I've got some time, and access to Windows 11 24H2, and started to check it. > > First of all, in this variant of RunPE, there is...

64bit run_pe load 64bit payload not working on windows 11 24H2

> RtlpInsertOrRemoveScpCfgFunctionTable has no effect on the enablement of CFG. The only thing it does is to add exception handlers to handle any exception happening in the CFG function, if...

64bit run_pe load 64bit payload not working on windows 11 24H2

> > [@harunkocacaliskan](https://github.com/harunkocacaliskan) - I tested it on [Windows 11 24H2](https://support.microsoft.com/en-us/topic/windows-11-version-24h2-update-history-0929c747-1815-4543-8461-0160d16f15e5), [Build 26100.2894](https://support.microsoft.com/en-us/topic/january-14-2025-kb5050009-os-build-26100-2894-d78f27bc-6405-461f-a525-2d1dc4e45759), which is the latest up to date (excluding the Preview), and both 32 and 64-bit versions worked...

64bit run_pe load 64bit payload not working on windows 11 24H2

@hasherezade well, looks like both functions, `NtManageHotPatch` and `NtQueryVirtualMemory` are required a patch (32-/64-bits). I still can't figure it out: is Microsoft doing this intentionally or is it a side-effect...

64bit run_pe load 64bit payload not working on windows 11 24H2

> I see where exactly it is coming from, indeed the simplest way to get rid of it is to patch `NtManagePatch`. > > 1. `LdrpQueryCurrentPatch` is called on the...

How to pass arguments to main payload in run-PE (or any program written by libPeConv)?

You need to hook `GetCommandLineW` & `GetCommandLineA` functions; CRT uses them for initialize the globals: `__p___argc`, `__p___argv` and `__p___wargv`: ![image](https://github.com/user-attachments/assets/7ab76dee-d68e-4f0e-9bda-b64c5ded79e2) Btw, some programs prefer not to use CRT, but to...

Build faile on arm64, error C2100: you cannot dereference an operand of type 'unsigned __int64'

You can try to use `NtCurrentPeb` macro: ```cpp inline PPEB get_peb() { return NtCurrentPeb(); } ```