No longer working on latest version of Windows?

[mrapxs]

Tested on a few fresh builds of Windows now, seems to no longer work on the latest version. Stager has completely stopped working I guess? And install.exe doesn't work either. Injecting manually via test console works fine though. Not sure what the problem is

[bytecode77]

Confirmed.

All versions of r77 are not working on Windows 11 24H2. However, on Windows 11 23H2, the current r77 version works fine.

I have tested 24H2 just now, as I found a machine here at home that has already updated to 24H2. Interestingly, previous versions of r77 seem to be affected as well, so this is not a new bug that I've introduced.

The stager performs RunPE seemingly successful. However, the r77 service entry point is not hit. I will need to do more analysis and find out why the recent Windows 11 update breaks r77. This issue is the #1 priority as of now.

[bytecode77]

Yep... The RunPE implementation that millions use ever since Windows XP is broken starting from 24H2 (e.g. here or here).

[mrapxs]

Oof 🥲 that sucks. Sooo what now lol

[wineggdrop]

That's why I has been looking for alternative method to inject the code.
(Still working on CreateProcessWithdll from Microsoft detours library,which very unlikely windows patch will block that method)

[bytecode77]

CreateProcessWithdll is detrimental because it requires the r77 DLL on disk.

I've had plans to implement the r77 service without using a hollowed process, but instead inject it into an existing process, such as winlogon using the reflective DLL loader that I already use for the r77 DLL.

And right now is the perfect time to implement this! Afterall, if the r77 service doesn't have its own process, then it can't be killed, and I don't have to deal with fixing RunPE when I want to switch to injection anyway.

[wineggdrop]

My design is to put 2 dll file on disk(32 bit and 64 bit),which will only serve as memory loader,and the core code still save in registry.99% of antivirus won't detect or kill that memory loader currently.
For reflective dll loader,if you inject r77 service into winlogon.exe,coz winlogon.exe is 64 bit process only,is it possible to inject code from 64 bit loader into 32 bit host?

[bytecode77]

r77 1.6.0 is now released

The r77 service is no longer created using process hollowing, but injected into winlogon using the reflective DLL loader. So, r77 is not just fileless, but processless as well. This is not a hack to circumvent issues in the current process hollowing algorithm, but rather a task that was sitting in my backlog since 2023 - making r77 processless.

---

@wineggdrop The fact that CreateProcessWithdll doesn't trigger AV is only a coincidence. It performs regular DLL injection using the CreateRemoteThread/LoadLibraryW technique. Now, I'm sure that your memory loader is very nice, but it doesn't change the fact that two DLL files are stored on the disk. And even if they only contain the loader, there will be signatures and heuristical detections for these minimal files.

I know how sensitive the file system is. In my powershell script, I coulnd't even use Add-Type with C# code, as it would call the .NET compiler and drop the compiled DLL file on the disk, immediately triggering AV. So, staying off disk is an absolute necessity and you need to do your evasion from there on - do not store files on the disk and try to make them FUD. This is the "crypter-way" of tinkering around scantime detections.