Access Violation with Avast AntiVirus #34

Open
AnderG7221 opened this issue Mar 9, 2023 · 4 comments

Comments

@AnderG7221

Hi Hasherezade
I encountered a weird problem when using your project on a machine with Avast antivirus installed.
The shellcode breaks soon after being run due to an issue with the stub, something related to aswhook.dll, which Avast injects into all running processes.
The shellcode breaks due to an Access Violation error.
The shellcode works fine when tested on other machines, even with other antivirus software installed, and also works fine if Avast is paused.

I would be grateful if you could help with this issue.

@hasherezade
Owner

Hi @AnderG7221 !
This is interesting, I will check and let you know soon.
Can you just give some more information: what is your Windows version, and what version of Avast do you use?

@AnderG7221
Author

Hi Hasherezade

Thanks for your reply.
This issue occurred on Windows 10 Enterprise
Version: 22H2
and Avast Free version 23.1.6049 (build 23.1.7883.775).

@hasherezade
Owner

Hi! So, I tested it with a bit newer version of Avast - using an offline installer linked here.

  • Installer SHA256: 1d118995b6c19c469de5d2f721e3702cd8b40baf9ce35f280b219c58977c446a
  • Program version: 23.2.6053 (build 23.2.7961.0)

(screenshot: avast_free)

My system is Windows 10 Enterprise as well:

(screenshot: windows_build)

Unfortunately, I wasn't able to reproduce the crash that you described. Avast has detected the runner, but everything proceeded smoothly once I let it run. And I am sure that the process of the runner was hooked during its execution.

Can you test with the following shellcodes:
pe2shc_tests.zip, and let me know if they worked for you? (This is just a shellcodified version of LoadOrd.exe from Sysinternals.) I wonder if they work for you.

What I found is that those functions from ntdll are hooked, and redirected to aswhook.dll:

3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5

plus, several other DLLs are hooked:

  • kernelbase.dll
  • win32u.dll
  • user32.dll
  • amsi.dll
  • advapi32.dll
  • oleaut32
  • ole32.dll
  • combase.dll

Maybe one of those hooks impacts your shellcode specifically?
Please let me know if this crash occurs with multiple different shellcodes, also with the ones that I shared with you, or just with one tested case.
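The three ntdll lines quoted above follow a hook-report format of the shape `rva;function->target[module_base+module_offset:module:index];size`. The following parser is an added example, not code from the issue or from the pe_to_shellcode project; it reads such lines into records, verifies that each target address is consistent with the module base and offset it is attributed to, and summarizes which modules own the hooks so that an unexpected module stands out. The interpretation of the fields (in particular that the trailing number is the size of the patched prologue, and that the number after the module name is an index) is an assumption made here, and the fourth sample line with the module `unknown_mod.dll` is constructed to exercise the "unexpected module" path.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample report. The first three lines are the ntdll hooks quoted in the
# issue; the fourth is made up here to show how an unexpected hooking module is flagged.
SAMPLE_REPORT = """\
3f890;RtlQueryEnvironmentVariable->74fa25e0[74fa0000+25e0:aswhook.dll:0];5
4ddc0;LdrLoadDll->74fa2ed0[74fa0000+2ed0:aswhook.dll:0];5
da720;RtlDecompressBuffer->74fa2470[74fa0000+2470:aswhook.dll:0];5
12340;ExampleFunction->deadbbef[deadb000+bef:unknown_mod.dll:0];5
"""

# Field layout assumed from the quoted lines: all addresses and offsets are hex,
# the index after the module name and the trailing size are decimal.
HOOK_RE = re.compile(
    r"^(?P<rva>[0-9a-fA-F]+);"
    r"(?P<func>[A-Za-z0-9_@?$]+)->"
    r"(?P<target>[0-9a-fA-F]+)"
    r"\[(?P<mod_base>[0-9a-fA-F]+)\+(?P<mod_off>[0-9a-fA-F]+)"
    r":(?P<module>[^:\]]+):(?P<idx>\d+)\];"
    r"(?P<size>\d+)$"
)


@dataclass(frozen=True)
class Hook:
    rva: int           # offset of the hooked function inside the hooked image (ntdll here)
    func: str          # exported name of the hooked function
    target: int        # absolute address the hook redirects to
    module_base: int   # base of the module that owns the target
    module_off: int    # target's offset inside that module
    module: str        # name of the module that owns the target
    index: int         # trailing index field (meaning assumed, kept as-is)
    patch_size: int    # assumed: number of prologue bytes overwritten by the hook


def parse_hook_line(line):
    """Parse one report line; returns a Hook, or None if the line is not in the format."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(
        rva=int(m["rva"], 16),
        func=m["func"],
        target=int(m["target"], 16),
        module_base=int(m["mod_base"], 16),
        module_off=int(m["mod_off"], 16),
        module=m["module"],
        index=int(m["idx"]),
        patch_size=int(m["size"]),
    )


def parse_report(text):
    """Parse a whole report, skipping blank lines and rejecting malformed ones loudly."""
    hooks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        hook = parse_hook_line(line)
        if hook is None:
            raise ValueError(f"line {lineno}: unrecognized hook record: {line!r}")
        hooks.append(hook)
    return hooks


def check_consistency(hook):
    """The target address should equal module_base + module_off; a mismatch means the
    report (or the module attribution) cannot be trusted for that record."""
    return hook.target == hook.module_base + hook.module_off


def summarize(hooks, known_modules):
    """Count hooks per owning module and list modules not in the expected set.
    Module names are compared case-insensitively."""
    known = {m.lower() for m in known_modules}
    by_module = Counter(h.module.lower() for h in hooks)
    unexpected = sorted({h.module for h in hooks if h.module.lower() not in known})
    return by_module, unexpected


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    for h in parsed:
        status = "ok" if check_consistency(h) else "INCONSISTENT"
        print(f"{h.func:<28} -> {h.module} (+{h.module_off:x}) patch={h.patch_size} {status}")
    counts, unknown = summarize(parsed, {"aswhook.dll"})
    print("hooks per module:", dict(counts))
    print("unexpected modules:", unknown)
```

Feeding a real report into `summarize` with the set of modules one expects the installed security product to inject (here just `aswhook.dll`) gives a quick baseline of which redirected functions belong to the product and which do not, which is the first question to answer before attributing a crash like the one in this issue to a specific hook.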

@AnderG7221
Author

Hi
Thanks a lot for your time and efforts.
I will test again with the shellcode you shared and let you know about the results.
In the meantime, please note that I tested with several shellcodes (complicated and minimalistic) and with custom basic runners, because Avast used to detect the runner as you mentioned.
Also, it is worth mentioning that Avast does not detect the runner or the shellcode, but the shellcode execution just breaks, and works fine if Avast is paused.
Anyway, I will perform further tests and share the results with you soon.
