The simplest of all possible modifications to the original RoguePlanet.cpp (literally interchanging two letters in the source code) defeats the detection and re-enables the exploit in current, fully patched Windows 11 with Definition Update 1.453.20.0 installed.

My version also works with 1.453.21.0, as far as I can tell. EDIT: Or maybe not as reliably anymore - while it's not quarantined, it currently doesn't seem to win the race anymore (stuck on "MpCleanCallbackFunction called."). But this might have to do with the contaminated state of my test machine (which already has 6 or 7 volume shadow copies for the attacked volume).

@christopherkunz what is the version of your mpengine.dll?
@buherator So MS has been busy during the day, I'm now at definition version 1.453.25.0. And now we've gone full circle back to the earliest RedSun mitigations, it seems. During the Defender race (after accessing the Volume Shadow Copy), a Defender popup tells me that "a threat could not be fully remediated", then after about another minute, the NT_AUTHORITY shell pops back up.

It could be, though, that my testing environment is contaminated from this morning's experiments, like with RedSun.

@christopherkunz That's it, thx! Based on the Update Guide this should fix the problem independently of the definition updates, so if you can repro on a clean system with this DLL version, that's bad.
@buherator I can verify that the exploit still works with that mpengine.dll version and the 1.453.28.0 definition update that got released 6/10/2026 6:29:20 PM. It takes more than one attempt, sometimes up to 6-7 now, where it used to be almost always one shot, but it still works.
I'm waiting for my other VM to fully update and then I'll retry there, too.

@christopherkunz Damn, that sounds like a major burn for MS!
@christopherkunz "nt-autorität" When will Microsoft understand that you simply don't translate the command line

@moti Getting Word macro vibes ("ENDEWENN").