Conversation

The simplest of all possible modifications to the original RoguePlanet.cpp (literally interchanging two letters in the source code) defeats the detection and re-enables the exploit in current, fully patched Windows 11 with Definition Update 1.453.20.0 installed.


My version also works with 1.453.21.0, as far as I can tell. EDIT: Or maybe not as reliably anymore - while it's not quarantined, it currently doesn't seem to win the race anymore (stuck on "MpCleanCallbackFunction called."). But this might have to do with the contaminated state of my test machine (which already has 6 or 7 volume shadow copies for the attacked volume).

@christopherkunz what is the version of your mpengine.dll?