Releases: D7EAD/mkPIVM
2.0.0
- added a bunch of polymorphism improvements.
- added --rx. produces a blob that runs from PAGE_EXECUTE_READ memory, no RWX needed. data island stays encrypted at rest and gets decrypted in-place at state_init via VirtualProtect-RW / decrypt / VirtualProtect-RX.
- two ways to get the VirtualProtect pointer, see /examples for basic example loaders:
  - default: in-blob PEB walker resolves it. gs:[0x60] -> Ldr -> kernel32 by BaseDllName hash, then EAT walk for VirtualProtect by name hash. per-seed salt on the hash so the embedded constants vary per build.
  - --rx-loader-vp: loader passes it in as the blob's first arg. rcx on x64, __cdecl [esp+4] on x86. smaller blob, no PEB-walk fingerprint.
still no linux tests, will do later in 2.1.0.
1.1.0
1.0.1
- runtime nonce used to live in VMState, which dies with the host stack between range entries, so entry 2+ was XORing the handler table with whatever shit was sitting on the stack. moved it to a blob slot like a dumbass should've done from the start.
- lifter now drops a JMP_NATIVE at the end of the last cfg block when nothing else terminates it. before this, dispatch_tail kept fetching past the end of bytecode and landing on garbage handlers.
- added --range-leak-nvs opt-in. blasts VMState NV slots back over the prologue stack saves on JMP_NATIVE imm exit so lifted writes to ebx/ebp/esi/edi and r12-r15 actually make it to the surrounding native bytes. don't flip this on function-shaped ranges or mid-flow escapes will trash the caller's nvs.
- ranges mode is fucking finicky. cobalt stagers and stageless choke on it because they pull a "call X; X: pop reg" rip-via-call stunt to fish out their own runtime addr, and CALL_VM pushes a trampoline_addr instead of the real ret_va, so the pop reads dog shit. use --pack or default for those, they work end-to-end.
tl;dr fixed a lot of bugs. --range works fine for some shellcode, not so much for others. if you have issues, prefer default mode or --pack. still investigating the issue with ranged mode.