ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

VS2022 compilation #281

Open cecio opened 11 months ago

cecio commented 11 months ago

Hey, first of all a big thank you for your work on this project, it is awesome.

Then, coming to my question: I downloaded the binaries for the latest release 4.17. They work fine out of the box, so I can run shellcodes and whatever.

Then I tried to recompile with VS2022 (14.34.31933) some of the shellcodes. For example, trying wx64_pskill.ksh, I followed the instructions given in the comment and I was able to create a new ksh, which is running fine. Then I tried to recompile wx64_pscreate and here I see an error:

the two cl.exe are working fine:

cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_WIN7_COMPAT wx64_pscreate.c

running the linking

ml64 wx64_common_a.asm /Fewx64_pscreate.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_pscreate.obj wx64_common.obj

I see an error:

wx64_pscreate.obj : error LNK2019: unresolved external symbol memcpy referenced in function IntializeUserModeCode
wx64_pscreate.exe : fatal error LNK1120: 1 unresolved externals

So, I tried to add vcruntime.lib at the end of the ml64 command, and now I was able to link. Then I extracted the shellcode with the shellcode64.exe command and I tried to run the newly compiled shellcode, but in this case I get a hang:

sudo ./pcileech  wx64_pscreate -s 'C:\windows\system32\cmd.exe' -0 0x1968  -kmd 0x7ffff000

[+] using FTDI device: 0403:601f (bus 1, device 13)
[+] FTDIFTDI SuperSpeed-FIFO Bridge000000000001 

At this point the target OS stops responding and the pcileech never returns until I hit CTRL-C.

Then I started to play with the compile options and I realized that if I compile wx64_pscreate.c without /O1, everything seems fine:

cl.exe /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel /D_WIN7_COMPAT wx64_pscreate.c

At this point the linking does not return any error and I can link without adding vcruntime.lib. But, it still does not work: when I try to execute the new shellcode, I don't see any error, but the process creation is simply not working (the parent process crashes).

The interesting thing is that if I use the wx64_pscreate.ksh available in the original package, it works fine, so it seems that the recompile action is not correct in some ways. Could you confirm the version and option used to compile the shellcode examples? Any idea on what could be wrong on my side?

Thanks so much!

ufrisk commented 11 months ago

To be honest I only recompile the .ksh kernel modules whenever I make a change in them.

If Microsoft changed things around it may very well be that they broke.

It's something I'd have to look into when I'm back home in the next year. Until then it seems like you resolved your issue. I'll mark this as a bug until I've had time to check it out and possibly update the documentation should it be needed.

Many thanks for reporting :)

cecio commented 11 months ago

Thanks to you, if you need any test from my side, just let me know :)