I allocated an RWX (PAGE_EXECUTE_READWRITE) memory region inside LSASS.exe (I also tried an RX code cave), then wrote my shellcode there.

After that, I tried to execute my shellcode via NtQueueApcThread → directly pointing to the shellcode. I verified in WinDbg that there are alertable threads inside LSASS.exe.

Initially, I assumed Control Flow Guard (CFG) might be blocking this, so I switched to a different technique: NtQueueApcThread → NtContinue → shellcode, where I set up a CONTEXT structure with Rip pointing to my shellcode and queued a user APC to NtContinue with this context.

However, none of these attempts succeeded — each time, the target thread would immediately crash into an int 29h (STATUS_STACK_BUFFER_OVERRUN) exception even before reaching NtContinue or my shellcode.

Worth mentioning: PPL protection was not present on this LSASS instance.

Possible reasons I suspect:

  • Control Flow Guard (CFG) still validating APC routine addresses inside system processes like LSASS.exe, even without PPL.
  • Stack misalignment or a corrupt CONTEXT being detected before APC delivery.
  • APC routine address failing validation against the LSASS CFG bitmap.

If anyone has reliable experience with APC injection into LSASS or other protected processes on recent Windows builds (10/11+), I would appreciate feedback or working approaches for bypassing these obstacles.

[Code screenshot]

Should I post the register values when the thread drops into int 29h?

  • I assume you also have disabled the Windows 10/11 LSASS protection via Hyper-V? It is called System Integrity Protection/Core Isolation and, in my understanding, can be activated with PPL disabled. But if it were enabled, I doubt that you would be able to create a memory region inside LSASS.exe.
    – Robert
    Commented 2 days ago
  • Solved! It was CFG. The NtContinue method works. But the kernel checks the RIP that you provide in CONTEXT.Rip. I have used a debugger and seen that after the syscall the return value is STATUS_DATATYPE_MISALIGNMENT.
    – Muhamba
    Commented 2 days ago

1 Answer

Solved! It was CFG. The NtContinue method works. But the kernel checks the RIP that you provide in CONTEXT.Rip. I have used a debugger and seen that after the syscall the return value is STATUS_DATATYPE_MISALIGNMENT. NtContinue alone does not work because there are many CFG checks before the user-side ntdll stub for NtContinue. And it crashes with int 29h. I think it is in NtQueueApcThread or KeInsertQueueApc. And I assume there are kernel-side checks too, RtlGuardCheckLongJumpTarget and LdrControlFlowGuardEnforced. But it does not matter anymore. If you are interested in bypassing it, you would have to deceive the CFG checks or patch them. But patching may trigger a Code Integrity check and BSOD with INVALID_KERNEL_HANDLE.

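The thread's conclusion is that CFG, not PPL, was the mitigation in force on this LSASS instance. As an added example (not code from the original post), the following PowerShell reads the live mitigation state of lsass.exe and the RunAsPPL registry value, so a defender can confirm which of CFG, ACG (dynamic code blocking) and PPL actually protect LSASS on a host. It assumes an elevated session, the built-in ProcessMitigations module (Windows 10 1709+), and that the output property names match Microsoft's documented Get-ProcessMitigation object (CFG.Enable, CFG.StrictCFG, DynamicCode.BlockDynamicCode, DEP.Enable).

```powershell
# Added example, not from the original post: report which LSASS hardening
# features are in force. Requires an elevated PowerShell session.
# Assumption: property names follow the documented Get-ProcessMitigation output.

function Get-LsassProtectionState {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    # Live (in-memory) mitigation policy of the running process, not the registry policy.
    $mit = Get-ProcessMitigation -Id $lsass.Id

    # RunAsPPL = 1 (or 2, UEFI-locked, on newer builds) means LSASS runs as PPL.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    [pscustomobject]@{
        Pid              = $lsass.Id
        # CFG: unverified indirect-call targets (such as an APC routine pointing at
        # injected memory) trigger a fast-fail, seen as int 29h / STATUS_STACK_BUFFER_OVERRUN.
        CFG              = $mit.CFG.Enable
        StrictCFG        = $mit.CFG.StrictCFG
        # ACG: denies creation of new executable (e.g. RWX) mappings in the process.
        BlockDynamicCode = $mit.DynamicCode.BlockDynamicCode
        DEP              = $mit.DEP.Enable
        RunAsPPL         = if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl }
    }
}

$state = Get-LsassProtectionState
$state | Format-List

# Flag the two gaps the thread relied on: PPL off and new executable memory allowed.
if ($state.RunAsPPL -eq 'not set' -or $state.RunAsPPL -eq 0) {
    Write-Warning 'LSASS is not running as PPL (RunAsPPL not set); consider enabling it.'
}
if ($state.BlockDynamicCode -ne 'ON') {
    Write-Warning 'Dynamic code (ACG) is not blocked for LSASS; RWX allocations are possible.'
}
```

Enabling RunAsPPL or changing the lsass.exe mitigation policy takes effect only after a reboot, so run the check again afterwards to confirm the live state.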