
Safety version keeps crashing #2

Open
Mario662629 opened this issue Jul 8, 2024 · 5 comments

Comments

@Mario662629

This is a big problem. On my Windows 10 x64 computer, the x86 safety version of this malware crashes every time it reaches a certain payload. It usually stops graphical payloads during the 18th payload, and crashes completely with an access violation at the 19th or 20th payload. The program, according to Task Manager, is using 287.1 MB at the time of this crash. I haven't seen anyone else crash this early while running this malware on Windows 10 or 11. When debugging, the crash is shown in one of the graphical payloads around that time.

My computer is running Windows 10 22H2 x64 with 32GB RAM and 1TB storage.
This also happened on a Windows 7 x64 VM with 4GB RAM and 64GB storage.

In the video linked here (https://www.youtube.com/watch?v=KEfUYxk8AXY), the malware crashes a little bit later.
Due to this, you should patch your malware to fix these problems.

@Mario662629
Author

Mario662629 commented Jul 8, 2024

Here are some more details on the exception. This is super important.

Faulting application name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Faulting module name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Exception code: 0xc0000005
Fault offset: 0x000045da
Faulting process id: 0x3144
Faulting application start time: 0x01dad154eb3ae526
Faulting application path: C:\Users\Windows 10\iCloudDrive\Malwares\Safe\by pankoza\Original\APM 08279+5255.exe\APM 08279+5255.exe
Faulting module path: C:\Users\Windows 10\iCloudDrive\Malwares\Safe\by pankoza\Original\APM 08279+5255.exe\APM 08279+5255.exe
Report Id: 81c07498-7624-453c-8d2a-f118ddca4e2f
Faulting package full name:
Faulting package-relative application ID:

@Mario662629
Author

Mario662629 commented Jul 8, 2024

I ran it a second time, but it suffered the exact same exception. This is really important. @pankoza2-pl really needs to patch this out!

Faulting application name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Faulting module name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Exception code: 0xc0000005
Fault offset: 0x000045da
Faulting process id: 0x12b8
Faulting application start time: 0x01dad1569a706ca7
Faulting application path: C:\Users\Windows 10\iCloudDrive\Malwares\Safe\by pankoza\Original\APM 08279+5255.exe\APM 08279+5255.exe
Faulting module path: C:\Users\Windows 10\iCloudDrive\Malwares\Safe\by pankoza\Original\APM 08279+5255.exe\APM 08279+5255.exe
Report Id: 312ebd55-fb00-485b-9a3f-b310a4b8d1a8
Faulting package full name:
Faulting package-relative application ID:

More details, and where the crash happens in the code:

```cpp
HANDLE thread18 = CreateThread(0, 0, idk, 0, 0, 0);
sound18();
// [Graphical payloads stop a little after this point]
Sleep(30000);
TerminateThread(thread18, 0);
CloseHandle(thread18);
TerminateThread(thread8dot1, 0);
CloseHandle(thread8dot1);
InvalidateRect(0, 0, 0);
HANDLE thread19 = CreateThread(0, 0, idk1, 0, 0, 0);
Sleep(30000);
TerminateThread(thread19, 0);
CloseHandle(thread19);
InvalidateRect(0, 0, 0);
HANDLE thread20 = CreateThread(0, 0, thing, 0, 0, 0);
sound19();
// [The malware crashes here]
Sleep(30000);
```
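As an added triage example (not code from this thread or from the project), the script below parses the two Windows Error Reporting Event ID 1000 records posted above and builds a crash signature from them: faulting module, module build timestamp, exception code and module-relative fault offset. Two runs with different process ids that land on the same signature in the main executable point at a deterministic bug in the binary itself rather than a third-party DLL or an environmental fluke, which is the question a responder asks before spending time in a debugger. The two record strings are copied from the thread; the NTSTATUS name table is a small hand-picked subset.

```python
"""Triage Windows Error Reporting (Event ID 1000) records for a recurring crash site."""
import re
from collections import Counter

# Two Event 1000 records copied from the thread above (same offset, different PIDs).
WER_RECORDS = [
    """Faulting application name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Faulting module name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Exception code: 0xc0000005
Fault offset: 0x000045da
Faulting process id: 0x3144
Faulting application start time: 0x01dad154eb3ae526
Report Id: 81c07498-7624-453c-8d2a-f118ddca4e2f""",
    """Faulting application name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Faulting module name: APM 08279+5255.exe, version: 6.6.6.6, time stamp: 0x657d88a9
Exception code: 0xc0000005
Fault offset: 0x000045da
Faulting process id: 0x12b8
Faulting application start time: 0x01dad1569a706ca7
Report Id: 312ebd55-fb00-485b-9a3f-b310a4b8d1a8""",
]

# NTSTATUS values that commonly show up as "Exception code" in Event 1000 (subset).
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Each record line is "<key>: <value>"; the first colon separates the key.
_FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def _parse_module(value):
    """'x.exe, version: 6.6.6.6, time stamp: 0x657d88a9' -> name/version/timestamp dict."""
    name, *rest = [part.strip() for part in value.split(",")]
    info = {"name": name, "version": None, "timestamp": None}
    for part in rest:
        key, _, val = part.partition(":")
        key = key.strip().lower()
        if key == "version":
            info["version"] = val.strip()
        elif key == "time stamp":
            info["timestamp"] = int(val.strip(), 16)
    return info


def parse_wer_record(text):
    """Turn one Event 1000 body into typed fields (hex strings become ints)."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return {
        "app": _parse_module(fields["Faulting application name"]),
        "module": _parse_module(fields["Faulting module name"]),
        "exception_code": int(fields["Exception code"], 16),
        "fault_offset": int(fields["Fault offset"], 16),  # relative to the module base
        "pid": int(fields["Faulting process id"], 16),
        "report_id": fields.get("Report Id"),
    }


def crash_signature(record):
    """Module + build timestamp + exception + offset identifies one crash site across runs."""
    m = record["module"]
    return (m["name"], m["timestamp"], record["exception_code"], record["fault_offset"])


def triage(texts):
    """Summarise a batch of records: is it one site, and is it in the main executable?"""
    records = [parse_wer_record(t) for t in texts]
    sigs = Counter(crash_signature(r) for r in records)
    (top_sig, top_count), = sigs.most_common(1)
    name, _ts, code, offset = top_sig
    return {
        "count": len(records),
        "unique_signatures": len(sigs),
        "same_site_every_run": len(sigs) == 1 and len(records) > 1,
        "exception_name": EXCEPTION_NAMES.get(code, "unknown NTSTATUS 0x%08X" % code),
        "crash_in_main_module": all(r["module"]["name"] == r["app"]["name"] for r in records),
        "top_site": "%s+0x%x (%d of %d records)" % (name, offset, top_count, len(records)),
    }


if __name__ == "__main__":
    for key, value in triage(WER_RECORDS).items():
        print(f"{key}: {value}")
```

The fault offset is module-relative, so once the module base from a debugger session is known it can be added back to compare against an "Unhandled exception at 0x..." address; the script deliberately does not guess the base.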

@Mario662629
Author

Mario662629 commented Jul 8, 2024

@pankoza2-pl this is very serious! The graphical payloads stop a few seconds into the 18th payload, and the malware crashes at the 20th payload. The problem is, the malware crashes here every time I run it. I have crash reports from the last two attempts. The malware is using 287.1 MB (according to the Task Manager) at the time of crashing. You really have to integrate patches into this malware!

Computer specifications:
OS: Windows 10 Pro, version 22H2 (19045.4529)
CPU: Intel Core i5-12600KF
GPU: NVIDIA GeForce RTX 3080
RAM: 32GB
Storage: 1TB
Screen Resolution: 3440x1440 (the same crash happened at 1920x1080)

This crash also happened on a VM running Windows 7 SP1 (6.1.7601).

Here's a patch I attempted for this malware (replace .txt with .cpp).
APM 08279+5255.txt

@Mario662629
Author

Mario662629 commented Jul 8, 2024

Just added a message box to allow WER to show a notification; it looked like this:
[image: screenshot of the message box]

When debugging, it says:
Exception thrown at 0x004247DF in APM 08279+5255 (Patched).exe: 0xC0000005: Access violation writing location 0x00000000.

Location in code, marked with "<--[HERE]":

```cpp
DWORD WINAPI shader16(LPVOID lpParam) {
	HDC hdcScreen = GetDC(0), hdcMem = CreateCompatibleDC(hdcScreen);
	INT w = GetSystemMetrics(0), h = GetSystemMetrics(1);
	BITMAPINFO bmi = { 0 };
	PRGBQUAD rgbScreen = { 0 };
	bmi.bmiHeader.biSize = sizeof(BITMAPINFO);
	bmi.bmiHeader.biBitCount = 32;
	bmi.bmiHeader.biPlanes = 1;
	bmi.bmiHeader.biWidth = w;
	bmi.bmiHeader.biHeight = h;
	HBITMAP hbmTemp = CreateDIBSection(hdcScreen, &bmi, NULL, (void**)&rgbScreen, NULL, NULL);
	SelectObject(hdcMem, hbmTemp);
	for (;;) {
		hdcScreen = GetDC(0);
		BitBlt(hdcMem, 0, 0, w, h, hdcScreen, 0, 0, SRCCOPY);
		for (INT i = 0; i < w * h; i++) {
			INT x = i % w, y = i / w;
			//rgbScreen[i].g = x + y >> i;
			double fractalX = (2.5f / w);
			double fractalY = (1.90f / h);

			double cx = x * fractalX - 2.f;
			double cy = y * fractalY - 0.95f;

			double zx = 0;
			double zy = 0;

			int fx = 0;

			while (((zx * zx) + (zy * zy)) < 10 && fx < 50)
			{
				double fczx = zx * zx - zy * zy + cx;
				double fczy = 2 * zx * zy + cy;

				zx = fczx;
				zy = fczy;
				fx++;


				rgbScreen[i].b = fx; //<--[HERE] This is where the exception was thrown.
				rgbScreen[i].rgb += 255;
			}
			//rgbScreen[i].rgb += x * y ^ i;
		}
		BitBlt(hdcScreen, 0, 0, w, h, hdcMem, 0, 0, SRCCOPY);
		ReleaseDC(NULL, hdcScreen); DeleteDC(hdcScreen);
	}
}
```

@Mario662629
Author

Mario662629 commented Jul 8, 2024

Just did another debugging session, and identified where the program is crashing the most.
Unhandled exception at 0x004245DA in APM 08279+5255 (Patched).exe: 0xC0000005: Access violation writing location 0x00000000.

```cpp
DWORD WINAPI shader15(LPVOID lpvd)
{
	HDC hdc = GetDC(NULL);
	HDC hdcCopy = CreateCompatibleDC(hdc);
	int w = GetSystemMetrics(0);
	int h = GetSystemMetrics(1);
	BITMAPINFO bmpi = { 0 };
	HBITMAP bmp;

	bmpi.bmiHeader.biSize = sizeof(bmpi);
	bmpi.bmiHeader.biWidth = w;
	bmpi.bmiHeader.biHeight = h;
	bmpi.bmiHeader.biPlanes = 1;
	bmpi.bmiHeader.biBitCount = 32;
	bmpi.bmiHeader.biCompression = BI_RGB;

	RGBQUAD* rgbquad = NULL;
	HSL hslcolor;

	bmp = CreateDIBSection(hdc, &bmpi, DIB_RGB_COLORS, (void**)&rgbquad, NULL, 0);
	SelectObject(hdcCopy, bmp);

	INT i = 0;
	int angle = 0;

	while (1)
	{
		hdc = GetDC(NULL);
		StretchBlt(hdcCopy, 0, 0, w, h, hdc, 0, 0, w, h, SRCCOPY);

		RGBQUAD rgbquadCopy;

		for (int x = 0; x < w; x++)
		{
			for (int y = 0; y < h; y++)
			{
				int index = y * w + x;

				rgbquad[index].rgbBlue = (x + i) & y; //<-- Program crashed here
			}
		}

		i++;
		//StretchBlt(hdc, 0, 0, w, h, hdcCopy, 0, 0, w, h, SRCCOPY);
		int a = 100 * tan(M_PI + angle);
		int b = 10 * cos(M_PI + angle);
		BitBlt(hdc, a, b, w, h, hdcCopy, 0, 0, SRCCOPY);
		angle += 1;
		ReleaseDC(NULL, hdc); DeleteDC(hdc);
	}

	return 0x00;
}
```

ChatGPT's recommendations:

Uninitialized rgbquad pointer: You declare RGBQUAD* rgbquad = NULL; but you need to allocate memory for it before using it. The line bmp = CreateDIBSection(hdc, &bmpi, DIB_RGB_COLORS, (void**)&rgbquad, NULL, 0); allocates memory for rgbquad as part of creating the DIB section. However, you should verify that this call to CreateDIBSection is successful and that rgbquad is indeed pointing to valid memory.

Memory access bounds: Ensure that index (calculated as y * w + x) does not exceed the allocated size of rgbquad. This calculation assumes that rgbquad is properly allocated and w and h are correct dimensions.

Proper handling of device contexts (DC): You're managing hdc and hdcCopy but ensure you are correctly releasing them (ReleaseDC and DeleteDC) when done using them. Improper management can lead to resource leaks or undefined behavior.

Infinite loop: The while (1) loop suggests an infinite loop, which might be intentional for your application. However, ensure you have mechanisms in place to break out of it properly during debugging to avoid hanging your application indefinitely.
To diagnose and fix the issue:

Check CreateDIBSection return value: Verify that CreateDIBSection returns a valid HBITMAP and initializes rgbquad correctly.

Debugging pointers: Use a debugger to inspect the values of rgbquad and ensure it is not null and is properly initialized.

Bounds checking: Add checks to ensure index is within bounds before accessing rgbquad[index].

Resource management: Ensure you release all resources (hdc, hdcCopy, etc.) properly to prevent resource leaks.
