Was method 34 patched?

Question

Was method 34 patched?

Signum21 opened this issue a year ago · comments

Signum21 commented a year ago

It doesn't seem to work.
I dont't get any error or UAC request.
Defender is disabled.

I followed the instructions for compilation, method 69 works with UAC set to always notify.

My PC:
Windows 10 Home 22H2
Build 19045.3031
64 Bit

hfiref0x commented a year ago

Okay, nvm

hfiref0x · Answer 1 · Fri Jun 09 2023 07:31:12 GMT+0800 (China Standard Time)

Does your system still has IE?

Signum21 · Answer 2 · Fri Jun 09 2023 07:39:36 GMT+0800 (China Standard Time)

If by IE you mean Internet Explorer, no, I don't have it installed.

hfiref0x · Answer 3 · Fri Jun 09 2023 08:13:56 GMT+0800 (China Standard Time)

I've tested it on 19044, full patch, it still works.

Reason why it is failing for you is probably because you have compiled exe with invalid payload dlls.
The correct compilation described here #120 (comment)

Signum21 · Answer 4 · Fri Jun 09 2023 09:03:48 GMT+0800 (China Standard Time)

I followed that thread.
Here are my steps:

Downloaded latest release from Github

Compiled in Release:
Akatsuki(x64)
Fubuki(x64)
Fubuki(Win32)
Naka(x64)
Naka(Win32)

Copied to .\Naka\output\x64\Release and executed Naka64.exe on:
Akatsuki64.dll
Fubuki64.dll
Kamikaze.msc

Copied to .\Naka\output\Win32\Release and executed Naka32.exe on:
Fubuki32.dll

Copied to .\Naka\output\x64\Release:
Fubuki32.cd
Fubuki32.key

Executed Naka64.exe --stable (Also tried using Naka32.exe to generate secret32.bin)
Removed empty files from .\Akagi\bin

Copied to \Akagi\bin:
Akatsuki64.cd
Fubuki64.cd
Fubuki32.cd
Kamikaze.cd
secrets32.bin
secrets64.bin

Compiled entire project in Release x64

Do you notice any wrong step?
Is it possible they fixed it in 19045?

Edit:
I tried using my compiled Akagi on a remote virtual machine with an old version of windows (17763), it works, that means the compilation was correct.
If my pc is not broken the only thing that comes to mind is that they just fixed it in 19045.

hfiref0x · Answer 5 · Fri Jun 09 2023 21:57:24 GMT+0800 (China Standard Time)

Ohh, I somehow misread your topic title method 34 as method 64 :) That is why I was asking about Internet Explorer.

It seems you are right and there was a silent fix for this.

Well, this patch (if there is a patch and this is not a collateral damage of some unrelated changes) seems propagated to all supported Win10 versions since I observe these results on LTSC 19044.

It took them ~6 years to fix, better than never.

Signum21 · Answer 6 · Fri Jun 09 2023 22:01:11 GMT+0800 (China Standard Time)

Thanks for verifying it.

hfiref0x · Answer 7 · Fri Jun 09 2023 22:10:16 GMT+0800 (China Standard Time)

Btw, which KB fixed it? Was it May 2023 update? KB5026361? Just to clarify state of fix for readme.

Signum21 · Answer 8 · Fri Jun 09 2023 22:19:15 GMT+0800 (China Standard Time)

I'm sorry, I have no idea and no way to verify it.

Didier Stevens · Answer 9 · Fri Feb 02 2024 01:48:43 GMT+0800 (China Standard Time)

FYI: I looked into this very same issue too.

This stopped to work after the Windows patches of January 2023.
I have a VM that I update every month & preserve with a snapshot.
After the updates of December 2022, method 34 still works, after the updates of January 2023 it no longer works.