hasherezade / pe_to_shellcode

Converts PE into a shellcode
https://www.youtube.com/watch?v=WQCiM0X11TA
BSD 2-Clause "Simplified" License

Access Violation with Avast AntiVirus #34

Open AnderG7221 opened 1 year ago

AnderG7221 commented 1 year ago

Hi Hasherezade, I encountered a weird problem when using your project on a machine with Avast antivirus installed. The shellcode breaks soon after being run due to an issue with the stub, something related to aswhook.dll, which Avast injects into all running processes. The shellcode breaks due to an Access Violation error. The shellcode works fine when tested on other machines, even with other antivirus software installed, and also works fine if Avast is paused.

I would be grateful if you could help with such an issue.

hasherezade commented 1 year ago

Hi @AnderG7221 ! This is interesting, I will check and let you know soon. Can you just give some more information what is your Windows version, and what version of Avast do you use?

AnderG7221 commented 1 year ago

Hi Hasherezade

Thanks for your reply. This issue occurred on Windows 10 Enterprise, version 22H2, and Avast Free version 23.1.6049 (build 23.1.7883.775).

hasherezade commented 1 year ago

Hi! So, I tested it with a slightly newer version of Avast, using an offline installer linked here.

[screenshot: avast_free]

My system is Windows 10 Enterprise as well:

[screenshot: windows_build]

Unfortunately, I wasn't able to reproduce the crash that you described. Avast had detected the runner, but everything proceeded smoothly once I let it run. And I am sure that the runner's process was hooked during its execution.

Can you test with the following shellcodes: pe2shc_tests.zip, and let me know if they worked for you? (This is just a shellcodified version of LoadOrd.exe from Sysinternals). I wonder if they work for you.

What I found is that those functions from ntdll are hooked and redirected to aswhook.dll:

3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5

Plus, several other DLLs are hooked:

Maybe any of those hooks impact your shellcode specifically? Please let me know if this crash occurs with multiple different shellcodes, also with the ones that I shared with you - or just with one tested case.
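As an added example (not code from this thread or from the pe_to_shellcode project), the following parser reads hook-report lines in the format quoted above and summarises which ntdll exports are redirected into which module. The field layout (offset; export->target[module_base+rva:module:index]; patched byte count) is an assumption inferred from the three visible lines, and the sample report is constructed from those same lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample report constructed from the three lines quoted in the thread.
SAMPLE_REPORT = """\
3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5
"""

# Field layout is an assumption inferred from the visible lines:
#   <offset>;<export>-><target>[<module_base>+<rva>:<module>:<n>];<patched_bytes>
LINE_RE = re.compile(
    r"^(?P<offset>[0-9a-fA-F]+);"
    r"(?P<export>\w+)->(?P<target>[0-9a-fA-F]+)"
    r"\[(?P<base>[0-9a-fA-F]+)\+(?P<rva>[0-9a-fA-F]+):(?P<module>[^:\]]+):(?P<idx>\d+)\];"
    r"(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Hook:
    offset: int           # offset of the patched export inside ntdll
    export: str           # name of the hooked export
    target: int           # absolute address the hook jumps to
    module_base: int      # base of the module that owns the target
    rva: int              # target RVA inside that module
    module: str           # hooking module name
    patched_bytes: int    # number of bytes overwritten at the export

    def consistent(self) -> bool:
        # Sanity check on the report: target must equal module base + RVA.
        return self.target == self.module_base + self.rva


def parse_hook_line(line: str) -> Hook:
    """Parse one report line; raises ValueError on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised hook line: {line!r}")
    return Hook(
        offset=int(m["offset"], 16),
        export=m["export"],
        target=int(m["target"], 16),
        module_base=int(m["base"], 16),
        rva=int(m["rva"], 16),
        module=m["module"],
        patched_bytes=int(m["size"]),
    )


def parse_report(text: str) -> List[Hook]:
    """Parse a whole report, skipping blank lines."""
    return [parse_hook_line(line) for line in text.splitlines() if line.strip()]


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hooked export names by the module that redirects them."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(h.module, []).append(h.export)
    return out


def hooked_exports_among(hooks: List[Hook], watched: List[str]) -> List[str]:
    """Return which of a watch list of export names appear as hooked."""
    hooked = {h.export for h in hooks}
    return sorted(hooked & set(watched))


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for module, exports in hooks_by_module(parsed).items():
        print(f"{module}: {', '.join(exports)}")
    bad = [h for h in parsed if not h.consistent()]
    print(f"inconsistent entries: {len(bad)}")
```

Running it over a report taken from a crashing machine and one from a working machine, then comparing the two `hooks_by_module` results, is a quick way to answer the question raised above: whether the set of hooked exports differs between the environment where the stub crashes and the one where it runs.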

AnderG7221 commented 1 year ago

Hi, thanks a lot for your time and efforts. I will test again with the shellcode you shared and let you know about the results. In the meantime, please note that I tested with several shellcodes (complicated and minimalistic) and with custom basic runners, because Avast used to detect the runner as you mentioned. Also, it is worth mentioning that Avast does not detect the runner or the shellcode, but the shellcode execution just breaks, and works fine if Avast is paused. Anyway, I will perform further tests and share the results with you soon.