icyguider / Shhhloader

Syscall Shellcode Loader (Work in Progress)
GNU General Public License v3.0

Error FAILED to allocate memory in the current process, exiting: c000000d #9

Closed hawaii67 closed 2 years ago

hawaii67 commented 2 years ago

Hey. For me only ProcessHollow works as shellcode execution method.

For all the other methods I receive an error while running the generated exe.

Generating:

python Shhhloader.py -p notepad.exe Payload.raw -v

┳┻|
┻┳|
┳┻|
┻┳|
┳┻| _
┻┳| •.•)  - Shhhhh, AV might hear us!
┳┻|⊂ノ
┻┳|
[+] ICYGUIDER'S CUSTOM SYSWHISPERS SHELLCODE LOADER
[+] Using notepad.exe for QueueUserAPC injection
[+] Randomizing syscall names
[+] Verbose messages enabled
[+] Saved new stub to stub.cpp
[+] Compiling new stub...
[!] a.exe has been compiled successfully!

Running:

Please wait 60 seconds...
Sandbox checks passed
hiqPjIRXkVUORsAylux FAILED to allocate memory in the current process, exiting: c000000d

:-(

Injecting in explorer.exe or notepad.exe doesn't make a difference.

Edit:

I traced it down to syscall to NtAllocateVirtualMemory. The return value is:

RAX 00000000C000000D STATUS_INVALID_PARAMETER

Please help!

icyguider commented 2 years ago

Hi @hawaii67. To help debug your issue, can you please provide the following information?

  1. What are the different shellcode payloads you have tried? Does all shellcode cause this error, or only ones generated by specific tools?
  2. What is the build version of Windows you are testing the output files on?

I went ahead and did verify that the QueueUserAPC, CurrentThread, RemoteThreadContext, and RemoteThreadSuspended execution methods are working for me with the following payloads:

However, I WAS able to replicate the exact same error you are getting when trying to use any of these execution methods with the shellcode from Mythic's Apollo Agent. My initial guess for why this is happening is that the stub is not correctly programmed to handle larger shellcode sizes (Apollo being 1.3 MB). This is why it'd be good to know what payload is failing for you and if any of the above ones that work for me also work for you.

hawaii67 commented 2 years ago

Hi, I used only the windows/x64/meterpreter/reverse_https payload. It is a syscall thingy I think. On Win 10 20H2 19042 everything works fine, on 21H2 19044 it does not.

Here are the tests with 2 different windows versions:

[screenshot: test results on the two Windows versions]

icyguider commented 2 years ago

I tried that specific payload on a Windows 21H2 Virtual Machine and it seems to be working as expected for me. Here's a quick video of me demonstrating this: https://www.youtube.com/watch?v=j_dWQs2xMvI

Based on your screenshot, it looks like you are building the exes on a Windows host? Perhaps that may be causing the issue you are seeing. I have always used this tool on Linux and I'm a bit surprised it even works on Windows lol. Other than that I'm not quite sure what the issue could be, as I tested this payload on 21H2, 21H1, and 20H2 without any issues. If you could try compiling the exes on Linux and then test it again, you might have better success hopefully.

Also in my last post I said I was getting the same error as you with larger shellcodes, but I was mistaken. It was actually an error for the NtWriteVirtualMemory syscall. I fixed that issue last week and pushed the update to GitHub. Just wanted to clear that up since I was mistaken, but that shouldn't have affected the issue you're seeing regardless.

hawaii67 commented 2 years ago

Aaah, here we go! You are right, generating the binary on Linux (Kali) is the way to go. Awesome! Grmpf.....now I feel a little bit stupid :-) But at least we know it partly works on Windows :-) Thanks for your time.

icyguider commented 2 years ago

Yeah, the tool was designed to only work with Linux, so it's cool to see that it kinda works with Windows lol.

Glad we figured out the problem though. Will be closing this issue. :)