drakvuf
ShellExec injection with Windows 10
ShellExec injection seems to be broken now under recent versions of Windows 10. Used to work fine with a version from ~2017.
Can you post your logs? I couldn't reproduce it; I have done the last Windows update and everything works fine.
1538594829.739911 ShellExecuteA @ 0x7ffae1450c80
Starting injection loop
1538594829.739946 Started DRAKVUF loop
1538594829.745137 CR3 cb on vCPU 1: 0x30420000
CR3 changed to 0x30420000
1538594829.745438 CR3 cb on vCPU 3: 0x23274000
CR3 changed to 0x23274000
Thread @ 0xffff900ed2ac8480. ThreadID: 4616
1538594829.745718 Breakpoint VA 0x7ffadf8b96e4 -> PA 0x1771d6e4
1538594829.745753 Physmap populated? 0
1538594829.745817 Copied trapped page to new location
1538594829.745832 Activating remapped gfns in the altp2m views!
1538594829.745981 Trap added @ PA 0x1771d6e4 RPA 0x10d0916e4 Page 96029 for entry.
Got return address 0x7ffadf8b96e4 from trapframe and it's now trapped!
INT3 Callback @ 0x7ffadf8b96e4. CR3 0x1c273000.
INT3 received but CR3 (0x1c273000) doesn't match target process (0x23274000)
INT3 received from PID: 1064 [\Device\HarddiskVolume4\Windows\explorer.exe]
... and then it just keeps looping, never receiving the target CR3.
It looks like right after the first injection the CR3 of the target process changes and because of that mismatch things go sideways.
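As an added example (not code from the DRAKVUF project or from anyone in this thread), here is a small Python script that parses the debug output quoted above and reports whether the injected INT3 trap ever fired under the target process's CR3. The regular expressions assume the line formats exactly as they appear in the log above; the "healthy" sample log is constructed (it assumes a matching hit prints the same `INT3 Callback` line with the target CR3 and no mismatch line), and the `analyze` function and its verdict strings are my own naming.

```python
import re
from collections import Counter

# Log excerpt copied from the post above (the reporter's DRAKVUF debug output).
REPORTED_LOG = r"""
1538594829.739911 ShellExecuteA @ 0x7ffae1450c80
Starting injection loop
1538594829.739946 Started DRAKVUF loop
1538594829.745137 CR3 cb on vCPU 1: 0x30420000
CR3 changed to 0x30420000
1538594829.745438 CR3 cb on vCPU 3: 0x23274000
CR3 changed to 0x23274000
Thread @ 0xffff900ed2ac8480. ThreadID: 4616
1538594829.745718 Breakpoint VA 0x7ffadf8b96e4 -> PA 0x1771d6e4
Got return address 0x7ffadf8b96e4 from trapframe and it's now trapped!
INT3 Callback @ 0x7ffadf8b96e4. CR3 0x1c273000.
INT3 received but CR3 (0x1c273000) doesn't match target process (0x23274000)
INT3 received from PID: 1064 [\Device\HarddiskVolume4\Windows\explorer.exe]
"""

# Constructed sample for the healthy case (assumed shape, not taken from the page):
# the trap fires under the target CR3 and no mismatch line is printed.
HEALTHY_LOG = r"""
CR3 changed to 0x23274000
Thread @ 0xffff900ed2ac8480. ThreadID: 4616
INT3 Callback @ 0x7ffadf8b96e4. CR3 0x23274000.
"""

CR3_CHANGE_RE = re.compile(r"CR3 changed to (0x[0-9a-f]+)")
CALLBACK_RE = re.compile(r"INT3 Callback @ (0x[0-9a-f]+)\. CR3 (0x[0-9a-f]+)\.")
MISMATCH_RE = re.compile(
    r"INT3 received but CR3 \((0x[0-9a-f]+)\) doesn't match target process \((0x[0-9a-f]+)\)"
)
PID_RE = re.compile(r"INT3 received from PID: (\d+) \[(.+)\]")


def analyze(log_text, target_cr3=None):
    """Summarise INT3 hits in a DRAKVUF injection log.

    target_cr3 (int) is inferred from the first mismatch line when not given.
    Returns a dict with the target CR3, every CR3 the loop switched to, the
    INT3 callbacks grouped by CR3, which foreign processes swallowed the trap,
    and a verdict: "ok" (trap fired in target), "stuck" (only mismatches seen)
    or "no-int3" (trap never fired at all).
    """
    callbacks = Counter()   # CR3 -> number of INT3 callbacks seen under it
    foreign = Counter()     # (pid, image path) -> mismatches attributed to it
    cr3_changes = []        # CR3 values the injection loop observed, in order
    mismatches = 0
    pending = None          # set after a mismatch line, consumed by the PID line
    for line in log_text.splitlines():
        m = CR3_CHANGE_RE.search(line)
        if m:
            cr3_changes.append(int(m.group(1), 16))
            continue
        m = CALLBACK_RE.search(line)
        if m:
            callbacks[int(m.group(2), 16)] += 1
            continue
        m = MISMATCH_RE.search(line)
        if m:
            mismatches += 1
            pending = int(m.group(1), 16)
            if target_cr3 is None:
                target_cr3 = int(m.group(2), 16)
            continue
        m = PID_RE.search(line)
        if m and pending is not None:
            foreign[(int(m.group(1)), m.group(2))] += 1
            pending = None
    matched = callbacks.get(target_cr3, 0) if target_cr3 is not None else 0
    if matched:
        verdict = "ok"
    elif mismatches:
        verdict = "stuck"
    else:
        verdict = "no-int3"
    return {
        "target_cr3": target_cr3,
        "cr3_changes": cr3_changes,
        "target_seen_in_cr3_changes": target_cr3 in cr3_changes,
        "callbacks": dict(callbacks),
        "matched": matched,
        "mismatches": mismatches,
        "foreign": dict(foreign),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, log in (("reported", REPORTED_LOG), ("healthy", HEALTHY_LOG)):
        r = analyze(log, target_cr3=0x23274000)
        print(f"{name}: verdict={r['verdict']} matched={r['matched']} "
              f"mismatches={r['mismatches']} foreign={r['foreign']}")
```

On the log from this thread the script reports "stuck": the target CR3 0x23274000 does appear in the `CR3 changed to` lines, so the loop did see the target process once, but the only INT3 callback arrived under 0x1c273000 from explorer.exe (PID 1064). Checking `target_seen_in_cr3_changes` alongside `matched` separates "never saw the target at all" from "saw it, but the trap fired somewhere else", which is the distinction the commentary above is making.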
Is it still reproducible?