Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access Violation with Avast AntiVirus #34

Open
AnderG7221 opened this issue Mar 9, 2023 · 4 comments
Open

Access Violation with Avast AntiVirus #34

AnderG7221 opened this issue Mar 9, 2023 · 4 comments

Comments

@AnderG7221
Copy link

Hi Hasherezade
I encountered a weird problem when using your project on a machine with Avast antivirus installed
The ShellCode breaks soon after being run due to an issue with the stub ,, Something related to aswhook.dll which Avast injects into all running processes .
The ShellCode Breaks due to Access Violation error
The ShellCode works fine when tested on other machines even with other Antivirus software installed and also works fine in case Avast is paused

I would be grateful if you could help with such issue
@hasherezade
Copy link
Owner

Hi @AnderG7221 !
This is interesting, I will check and let you know soon.
Can you just give some more information what is your Windows version, and what version of Avast do you use?

@AnderG7221
Copy link
Author

Hi Hasherezade

Thanks for your reply
This is issue occurred on Windows 10 Enterprise
Version:22H2
And Avast free Version 23.1.6049 (build 23.1.7883.775)

@hasherezade
Copy link
Owner

Hi! So, I tested it with a bit newer version of Avast - using an offline installer linked here.

  • Installer SHA256: 1d118995b6c19c469de5d2f721e3702cd8b40baf9ce35f280b219c58977c446a
  • Program version: 23.2.6053 (build 23.2.7961.0)

avast_free

My system is Windows 10 Enterprise as well:

windows_build

Unfortunately, I wasn't able to reproduce the crash that you described. Avast have detected the runner, but everything proceeded smoothly once I let it run. And I am sure that the process of the runner was hooked during its execution.

Can you test with the following shellcodes:
pe2shc_tests.zip, and let me know if they worked for you? (This is just a shellcodified version of LoadOrd.exe from Sysinternals). I wonder if they work for you.

What I found, those functions from ntdll are hooked, and redirected to aswhook.dll:

3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5

plus, several other DLLs are hooked:

  • kernelbase.dll
  • win32u.dll
  • user32.dll
  • amsi.dll
  • advapi32.dll
  • oleaut32
  • ole32.dll
  • combase.dll

Maybe any of those hooks impact your shellcode specifically?
Please let me know if this crash occurs with multiple different shellcodes, also with the ones that I shared with you - or just with one tested case.

@AnderG7221
Copy link
Author

Hi
Thanks a lot for your time and efforts
i will test again with the shellcode you shared and let you know about the results
in the meantime please note that i tested with several shellcodes (Compilcated and minimalistic) and with custom basic runners because avast used to detect the runner as you mentioned
Also it is worthy to mention that avast doesnot detect the runner or the shellcode but the shellcode execution just breaks and works fine if Avast is paused
Anyway i will perform further tests and share the results with you soon

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hasherezade @AnderG7221