How can I fix my code to spwn a shellcode (spawn a shell), and fixing the access violation cause the encryption function?
The best way to write self-modifying code is writing one that works (this is the secret!). If you’re getting an access violation, it means that it’s access or writing data where it’s not allowed. Have you checked that the page where TestFunction executes has the executable protection? If it does, then I assume some instructions are triggering the violation. Check that the instructions are correct and whatever data you are accessing actually exists.
Let me tell you something about the ACCESS VIOLATION, Access violation is not related to protection or anything, It always happens when the shell code size or bytes or incorrect, So either your encryption makes your shell code corrupted or the size or datatype of shell code is not correct. When your program want to access the shell code it just don’t understand it and throws this error.
From MSDN’s AccessViolationException Class for .NET:
or, from Wikipedia’s Segmentation Fault:
or, from a random Quora question titled “What does unhandled exception 0xC0000005: Access Violation mean in a C/Embedded C code?”:
Yep it’s basicaly a Segfault, the best way is to run the code in valgrind if you are on linux, and check memory alocation and size that you write. It could just be that you went too far in your
unsigned char buff[17];
Valgrind is your friend, if you need help pm me
Error #1: UNADDRESSABLE ACCESS beyond heap bounds: reading 0x00e4064c-0x00e40650 4 byte(s)
0 atcuf32.dll!? +0x0 (0x688477f7 <atcuf32.dll+0x77f7>)
1 atcuf32.dll!? +0x0 (0x68842ccc <atcuf32.dll+0x2ccc>)
2 KERNELBASE.dll!StrRChrA +0x66e (0x75cdaf9f <KERNELBASE.dll+0x10af9f>)
3 KERNELBASE.dll!StrRChrA +0x66e (0x75cdaf9f <KERNELBASE.dll+0x10af9f>)
4 KERNELBASE.dll!StrRChrA +0x7d9 (0x75cdb10a <KERNELBASE.dll+0x10b10a>)
5 KERNELBASE.dll!GetNamedLocaleHashNode+0x65 (0x75cda886 <KERNELBASE.dll+0x10a886>)
6 KERNELBASE.dll!InternalLcidToName +0x1b7 (0x75cddd08 <KERNELBASE.dll+0x10dd08>)
7 KERNELBASE.dll!GetUserDefaultLCID +0x7d (0x75cdefde <KERNELBASE.dll+0x10efde>)
8 gdi32full.dll!GetTextFaceW +0x57f (0x77994610 <gdi32full.dll+0xa4610>)
9 gdi32full.dll!GetTextExtentPoint32W +0x680 (0x77999f01 <gdi32full.dll+0xa9f01>)
10 gdi32full.dll!GdiGetCharDimensions +0x132 (0x77996733 <gdi32full.dll+0xa6733>)
11 USER32.dll!gapfnScSendMessage +0x1cadc (0x7776e0ad <USER32.dll+0x1e0ad>)
12 USER32.dll!SoftModalMessageBox +0x208 (0x777d25d9 <USER32.dll+0x825d9>)
13 USER32.dll!DrawStateA +0x1406 (0x777d1987 <USER32.dll+0x81987>)
14 USER32.dll!MessageBoxTimeoutW +0x164 (0x777d2375 <USER32.dll+0x82375>)
15 USER32.dll!MessageBoxTimeoutA +0x7a (0x777d21db <USER32.dll+0x821db>)
16 USER32.dll!MessageBoxA +0x19 (0x777d1f8a <USER32.dll+0x81f8a>)
17 TestFunction [malware.cpp:42]
18 main [malware.cpp:97]
Note: @0:00:00.594 in thread 19212
Note: instruction: mov 0x04(%edi,%eax,8) -> %ebx
Error #1083: UNADDRESSABLE ACCESS: reading 0xcfcca44d-0xcfcca451 4 byte(s)
0 ILT+800(?TestFunctionYAXXZ)
1 main [malware.cpp:99]
Note: @0:00:12.168 in thread 19212
Note: instruction: cmp %esp 0xcfcca44d(,%ecx,2)
The first error came more than a 1000 times
Modify the code segment attribute of the pe file after compilation.
Lol @ your lab. Whatever happened to debugging? I guess the errors are clearly stated during compile time, did you actually code this?.
I’m no expert on windows, i m really more proeficient on linux. But i know that there are many security features for memory on currents OS. The only time i managed to play with self modifying code was on Fedora with all features deactivated to bypass adress randomization etc …
This topic was automatically closed after 30 days. New replies are no longer allowed.