
I'm trying to run shellcode from C# and used the stub below to do so (an example I found on GitHub). However, every time I run the application I get "System.AccessViolationException occurred in ConsoleApplication1.exe", resulting from the CallWindowProc call.

I'm not very familiar with calling unsafe code. I'm assuming this might be caused by a memory protection such as DEP, but I am not sure. Can anyone provide some more insight?

using System;
using System.Runtime.InteropServices;

namespace ConsoleApplication1
{
    // Console demo from the question: three byte arrays holding raw machine code
    // are pinned and their addresses handed to user32!CallWindowProc as if they
    // were window procedures. Every call site below follows the same pattern.
    //
    // Why it faults (reviewer notes):
    //  * The byte arrays are ordinary managed arrays. `fixed` only pins them so
    //    the GC does not move them; it does not change page protection. Managed
    //    heap memory is normally mapped read/write, not executable, so with
    //    DEP/NX (always enforced for 64-bit processes) a jump into the array
    //    raises an access violation. That is the mitigation working as designed.
    //  * Every pointer is squeezed through `int`. In a 64-bit process the
    //    `(int)bb` casts drop the upper 32 bits of the address.
    //  * The byte sequences are 32-bit x86 encodings (see the per-method notes),
    //    so they do not mean the same thing in an x64 build.
    //
    // Detection angle: a P/Invoke of a callback-taking Win32 API combined with
    // `unsafe`/`fixed` over a literal byte array is a pattern that static and
    // behavioural scanners commonly flag as in-process code execution.
    class Program
    {

        // P/Invoke binding for CallWindowProc. The native prototype is
        // LRESULT CallWindowProc(WNDPROC, HWND, UINT, WPARAM, LPARAM); everything
        // except Msg is pointer-sized, so declaring all parameters and the return
        // value as `int` only matches the native layout in a 32-bit process.
        [DllImport("user32")]
        private static extern int CallWindowProc
            (int lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);


        // Intended to return x shifted left by one bit by executing the 8-byte
        // stub in `b`. x is passed in the hWnd slot (second argument).
        // The stub reads [EBP+12], i.e. it presumably relies on the 32-bit stack
        // frame that exists at the moment of the call - not verifiable from this
        // file. RETN 10h pops 16 bytes, which matches four 4-byte stdcall
        // arguments on x86 only.
        public static unsafe int shl(int x)
        {
            //8B45 0C        MOV EAX,DWORD PTR SS:[EBP+12]
            //D1E0           SHL EAX,1
            //C2 10 00       RETN 10h
            byte[] b = { 0x8B, 0x45, 0x0C, 0xD1, 0xE0, 0xC2, 0x10, 0x00 };
            // Pin the array for the duration of the call; the memory stays
            // non-executable data.
            fixed (byte* bb = &b[0])
            {
                // Address of the array narrowed to 32 bits (lossy on x64).
                int bi = (int)bb;
                return CallWindowProc(bi, x, 0, 0, 0);
            }
        }

        // Same construction as shl, with SHR (opcode bytes D1 E8) in place of
        // SHL (D1 E0): intended to return x shifted right by one bit. All of the
        // caveats noted on shl apply unchanged.
        public static unsafe int shr(int x)
        {
            //8B45 0C        MOV EAX,DWORD PTR SS:[EBP+12]
            //D1E8           SHR EAX,1
            //C2 10 00       RETN 10h
            byte[] b = { 0x8B, 0x45, 0x0C, 0xD1, 0xE8, 0xC2, 0x10, 0x00 };
            fixed (byte* bb = &b[0])
            {
                // Address of the array narrowed to 32 bits (lossy on x64).
                int bi = (int)bb;
                return CallWindowProc(bi, x, 0, 0, 0);
            }
        }

        // Pins a larger byte array and passes its address to CallWindowProc with
        // all other arguments zero. The return value is ignored.
        public static unsafe void CallShellcode()
        {

            // Indicators visible in the literal itself, useful for signatures:
            //  * 64 8B 76 30 reads through the FS segment at offset 30h, the
            //    32-bit Windows idiom for locating the PEB - so this payload is
            //    x86-only.
            //  * 68 2E 65 78 65 / 68 63 61 6C 63 push the ASCII text ".exe" and
            //    "calc" onto the stack.
            byte[] calc_shellcode = { //skylined calc shellcode from google code
                0x31, 0xF6, 0x56, 0x64, 0x8B, 0x76, 0x30, 0x8B, 0x76, 0x0C, 0x8B,
                0x76, 0x1C, 0x8B, 0x6E, 0x08, 0x8B, 0x36, 0x8B, 0x5D, 0x3C, 0x8B,
                0x5C, 0x1D, 0x78, 0x01, 0xEB, 0x8B, 0x4B, 0x18, 0x67, 0xE3, 0xEC,
                0x8B, 0x7B, 0x20, 0x01, 0xEF, 0x8B, 0x7C, 0x8F, 0xFC, 0x01, 0xEF,
                0x31, 0xC0, 0x99, 0x32, 0x17, 0x66, 0xC1, 0xCA, 0x01, 0xAE, 0x75,
                0xF7, 0x66, 0x81, 0xFA, 0x10, 0xF5, 0xE0, 0xE2, 0x75, 0xCC, 0x8B,
                0x53, 0x24, 0x01, 0xEA, 0x0F, 0xB7, 0x14, 0x4A, 0x8B, 0x7B, 0x1C,
                0x01, 0xEF, 0x03, 0x2C, 0x97, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68,
                0x63, 0x61, 0x6C, 0x63, 0x54, 0x87, 0x04, 0x24, 0x50, 0xFF, 0xD5,
                0xC3
            };

            try
            {
                fixed (byte* bb = &calc_shellcode[0])
                {
                    // Address of the array narrowed to 32 bits (lossy on x64).
                    int bi = (int)bb;
                    CallWindowProc(bi, 0, 0, 0, 0);
                }
            }
            // Empty handler: any managed exception is discarded and `e` is unused.
            // NOTE(review): on .NET Framework 4 and later an
            // AccessViolationException is treated as a corrupted-state exception
            // and by default is not delivered to a catch block like this one, so
            // the handler does not hide the fault reported in the question.
            catch (Exception e) { }

        }

        // Entry point: runs the two shift stubs with 4, prints both results,
        // waits for a key press, then calls CallShellcode. The first
        // CallWindowProc invocation happens inside shl(4), so if that call faults
        // none of the later lines are reached.
        static void Main(string[] args)
        {

            int a = shl(4);
            int b = shr(4);
            Console.WriteLine("shl(4)=" + a + " shr(4)=" + b);
            Console.WriteLine("Press any key to call skylines calc shellcode");
            Console.ReadKey();
            CallShellcode();


        }
    }
}
Lucas Kauffman
  • An access violation means you accessed memory that your process doesn't own, most commonly by dereferencing a null pointer (address 0 is never mapped into your process's valid memory space). – Cameron Dec 08 '16 at 03:33
  • I was assuming as much, but I have no idea why this is happening and if there is a way to fix/bypass it. – Lucas Kauffman Dec 08 '16 at 03:36

1 Answer


CallWindowProc takes a function pointer and window handle as its first two arguments. In shl, for example, you're passing it the first 32 bits of an x86 instruction sequence (i.e. a garbage pointer value) and the hardcoded integer 4 as the first two parameters. It's no wonder the code crashes shortly after.

What exactly are you trying to accomplish? What does CallWindowProc have to do with this? It looks like you want to execute arbitrary x86 instructions generated at runtime, which has absolutely nothing to do with CallWindowProc if you read its documentation.

This question might be helpful.

Cameron
  • I'm trying to run shellcode from C#. I'm experimenting with generating shellcode and using encoders and crypters within C#. The first step is to run the shellcode; after that I can start experimenting with using the encoders. But now I'm still stuck at running the shellcode. Maybe a point to raise is that I'm currently compiling it as x64 (not sure if that makes a difference). In the end I want to be able to run x64 shellcode from C#. – Lucas Kauffman Dec 08 '16 at 04:04