Comments (4)
Hi @AnderG7221 !
This is interesting, I will check and let you know soon.
Can you just give some more information what is your Windows version, and what version of Avast do you use?
from pe_to_shellcode.
Hi Hasherezade
Thanks for your reply
This issue occurred on Windows 10 Enterprise
Version: 22H2
And Avast free Version 23.1.6049 (build 23.1.7883.775)
Hi! So, I tested it with a bit newer version of Avast - using an offline installer linked here.
- Installer SHA256:
1d118995b6c19c469de5d2f721e3702cd8b40baf9ce35f280b219c58977c446a
- Program version: 23.2.6053 (build 23.2.7961.0)
My system is Windows 10 Enterprise as well:
Unfortunately, I wasn't able to reproduce the crash that you described. Avast has detected the runner, but everything proceeded smoothly once I let it run. And I am sure that the process of the runner was hooked during its execution.
Can you test with the following shellcodes:
pe2shc_tests.zip, and let me know if they worked for you? (This is just a shellcodified version of LoadOrd.exe from Sysinternals). I wonder if they work for you.
What I found: those functions from ntdll are hooked and redirected to aswhook.dll:
3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5
plus, several other DLLs are hooked:
- kernelbase.dll
- win32u.dll
- user32.dll
- amsi.dll
- advapi32.dll
- oleaut32
- ole32.dll
- combase.dll
Maybe one of those hooks impacts your shellcode specifically?
Please let me know if this crash occurs with multiple different shellcodes, also with the ones that I shared with you - or just with one tested case.
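The hook listing quoted in the comment above can be triaged mechanically. As an added example (not part of the thread or of the project), this parser reads lines in that `offset;Function->target[base+rva:module:index];size` format, checks that each redirect target really equals base + RVA, and groups the hooked exports by the module they redirect to. The sample input is the three ntdll lines from the comment; the field meanings in the comments are inferred from the listing.

```python
import re
from dataclasses import dataclass

# The three ntdll lines quoted in the comment above, used here as sample input.
SAMPLE_HOOKS = """\
3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5
"""

LINE_RE = re.compile(
    r"^(?P<offset>[0-9a-f]+);(?P<func>\w+)->(?P<target>[0-9a-f]+)"
    r"\[(?P<base>[0-9a-f]+)\+(?P<rva>[0-9a-f]+):(?P<module>[^:\]]+):(?P<idx>\d+)\]"
    r";(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Hook:
    offset: int   # offset of the patched bytes inside the hooked module (ntdll here)
    func: str     # export whose prologue was patched
    target: int   # absolute address the patch redirects to
    base: int     # base of the module owning the target
    rva: int      # target's RVA inside that module
    module: str   # module owning the target (aswhook.dll in the listing)
    size: int     # number of patched bytes (5 = a near jmp on x86)


def parse_hook_line(line: str) -> Hook:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised hook line: {line!r}")
    g = m.groupdict()
    return Hook(int(g["offset"], 16), g["func"], int(g["target"], 16),
                int(g["base"], 16), int(g["rva"], 16), g["module"], int(g["size"]))


def parse_hooks(text: str) -> list[Hook]:
    return [parse_hook_line(ln) for ln in text.splitlines() if ln.strip()]


def is_consistent(hook: Hook) -> bool:
    # A self-consistent report has target == base + rva; anything else means
    # the listing was mangled (e.g. by copy/paste) and should not be trusted.
    return hook.target == hook.base + hook.rva


def hooks_by_module(hooks: list[Hook]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = {}
    for h in hooks:
        grouped.setdefault(h.module, []).append(h.func)
    return grouped
```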
Hi
Thanks a lot for your time and efforts
I will test again with the shellcode you shared and let you know about the results.
In the meantime, please note that I tested with several shellcodes (complicated and minimalistic) and with custom basic runners, because Avast used to detect the runner as you mentioned.
Also, it is worth mentioning that Avast does not detect the runner or the shellcode, but the shellcode execution just breaks, and works fine if Avast is paused.
Anyway, I will perform further tests and share the results with you soon.