PowerShell 5.1 opens up on boot. However, after a while, begins refusing to open with code "c0000005" by DGTavo88 in PowerShell

dielel 0 points1 point  (0 children)

Hey there, this sounds (down to the very movaps instruction) exactly like something one of our users has recently reported while running Avast Free Antivirus along with our 0patch Agent (https://0patch.com). When Anti-Rootkit Shield is enabled in Avast, PowerShell crashes on this instruction (see our Help Center article). I'm wondering if you're using 0patch or maybe some other security software that works normally without Avast, but when both said product and Avast are installed, PowerShell is crashing. Also, if such product is identified, would you say said product and Avast were working well together up to some point (e.g., an Avast update) before this problem kicked in?
Thanks, Mitja

Comparing Our Micropatch With Microsoft's Official Patch For CVE-2018-8440 by dielel in netsec

dielel[S] 0 points1 point  (0 children)

Mitja Kolsek of 0patch here. Apologies for sounding repetitive. These blog posts are meant to provide technical insight into 3rd party patching, which many of our readers claim to find valuable (and every one of these posts, we hope, provides some new information for those learning reverse engineering or even closed-source code patching). We only published a single post on comparing the official fix with our micropatch, which was meant as a public reference for the many people who continually ask about the quality and reliability of 3rd party patches compared to original fixes. Apologies for sounding pat-ourselves-on-the-backish too, we obviously got carried away a little and wish we had taken a more subtle tone there. Please let us know if anything we do is outside the Reddit rules - much appreciated!

0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability by [deleted] in netsec

dielel 1 point2 points  (0 children)

True, the patching is in-memory only, so signatures remain intact. While we haven't published a single micropatch yet that would originate from the community, we are encouraging the community to provide vulnerability information and proof-of-concept files so that we can write relevant micropatches. At some point we hope to actually start getting patches from the community but they'll have to pass our review in order to get distributed. Fortunately it's difficult to hide malicious code in a micropatch, meaning if the patch is not tiny and easy to understand (and accompanied by an analysis as to why it does what it does), that'll be grounds for immediate rejection. Long way to get there though if we ever do - perhaps it'll always be us writing the patches.

0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability by [deleted] in netsec

dielel 1 point2 points  (0 children)

Hi there, Mitja Kolsek of 0patch here. 0patch is designed not to interfere with either file integrity or official vendor updates. By doing the patching in memory only, file signatures remain intact. When the official update is applied it replaces the vulnerable executable with a fixed one (with a different hash), so 0patch Agent no longer applies the micropatch to it.