How Does Malware Know It's Being Monitored?

  • Published 23 Aug 2023
  • jh.live/maldevacademy || Learn how to write modern 64-bit Windows malware and more anti-debugging techniques with Maldev Academy! For a limited time you can use code 'HAMMOND10' to save 10%: jh.live/maldevacademy
    Previous videos mentioned:
    1. Classic Shellcode Loader in Nim: • How Hackers Write Malw...
    2. Using Sliver for Command & Control: • How Hackers Use netsh....
    3. Permanently Disable Windows Defender: • PERMANENTLY TURN OFF W...
    4. Spoof Parent Process ID & CreateToolhelp32Snapshot: • How Hackers & Malware ...
    🔥 YouTube ALGORITHM ➡ Like, Comment, & Subscribe!
    🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware

Comments • 90

  • @psr9289
    @psr9289 9 months ago +101

    "hippity hoppity your code is now my property" 😂

    • @the_god_killah
      @the_god_killah 9 months ago +6

      Is that a Dani reference?

    • @sleepyyui
      @sleepyyui 9 months ago +1

      @@the_god_killah probably

    • @ReligionAndMaterialismDebunked
      @ReligionAndMaterialismDebunked 9 months ago

      Nice. :3😊

    • @ReligionAndMaterialismDebunked
      @ReligionAndMaterialismDebunked 9 months ago

      Out a day ago. I'm watching it rn. Hell yeah to try to hide it. XD 💀😅🐀👨‍💻🤝🤓💪🏻👁️🔥 Polymorphic malware. Encrypted malware. Etc.
      Red teams. Blue teams. Fighting corrupt government. Etc.

    • @CuchulainZA
      @CuchulainZA 9 months ago +1

      His videos tend to be so good and informative that I am able to reuse some of the concepts for CTF challenges and training for our staff. He makes everything so easily accessible

  • @nonyabizz6992
    @nonyabizz6992 9 months ago +9

    Very informative thanks, I have been interested in learning how to craft shellcode recently.

  • @blinking_dodo
    @blinking_dodo 9 months ago +26

    One extra trick: check for a file you placed somewhere else on the filesystem.
    If it does not exist, your executable is running on another computer or inside a sandbox.
    (But it does NOT protect against debugging though. You need something else for that)

    • @fuckit563
      @fuckit563 9 months ago +3

      this would require the program to be launched twice

    • @blinking_dodo
      @blinking_dodo 9 months ago +2

      @@fuckit563 No?
      If you have initial access to a system, you place the executable and schedule it, then you create the canary file and just wait.
      When your program can't find the file, you know *for sure* that you aren't running on the system you wanted to run on and should nope the hell out.
      Any AV that doesn't do in-place analysis or copies the canary file too would have a hard time doing any run-time analysis.
      This would obstruct any external analysis, including virustotal or similar services.

    • @fredwright4423
      @fredwright4423 9 months ago +3

      Problem is the Windows API calls CreateFile for not just creating files, and it is signatured and looked for: ransomware note, or to write obfuscated code to a file.

    • @fredwright4423
      @fredwright4423 9 months ago +1

      MalwareJake's Red Team Village 101 malware analysis covers this and other API calls

    • @blinking_dodo
      @blinking_dodo 9 months ago +1

      @@fredwright4423 You don't need the Windows API or anything like that. You could even make this in Java.
      Point is that a file somewhere else on the filesystem won't get copied for external analysis. Especially if they are in a totally different directory.

  • @hydroponicgard
    @hydroponicgard 9 months ago +4

    You n danooct1 have been an inspiration for me to do CySec, still going through what I wanna focus mainly on, but I love both red/blue team jazz, so time will tell, mby I go purple team c:
    Thank you again, John, hope all good happens in your life

  • @vnc.t
    @vnc.t 9 months ago +2

    9:00 remember, if you've got procmon rename it to prankmin or something, same for x64dbg, make it x69dgb or something, ida can be ide, something you'll remember but won't match a blacklist.

  • @LoneWolf-dj7so
    @LoneWolf-dj7so 9 months ago +3

    Always got great videos

  • @laurenlewis4189
    @laurenlewis4189 9 months ago +4

    It strikes me that checking the time delta as a quick way of determining if the software is sandboxed would lead to a perverse incentive, where old and slow computers (and VMs or containers without many resources) can't get infected because the shellcode stager thinks it's a sandbox

  • @quaniypw3
    @quaniypw3 9 months ago

    thanks cuz of u i bring some 66G db logs u deserve that ❤️

  • @manny9639
    @manny9639 8 months ago

    This is amazing man, what a great video

  • @georgiosroumeliotis4383
    @georgiosroumeliotis4383 9 months ago +2

    Hey John, how is it going with OSEE? Can you make a video about it?

  • @pavi013
    @pavi013 8 months ago

    Good to know about new tools and techniques

  • @gaminganup3148
    @gaminganup3148 9 months ago

    From India love you sir❤❤❤

  • @ThisIsJustADrillBit
    @ThisIsJustADrillBit 9 months ago +3

    The GOAT strikes again ❤

  • @m.gredemptor2610
    @m.gredemptor2610 9 months ago +2

    8:10 - Nice, mine did the same too, but I think it's because you have submitted a debug build, cause if I compile it with “-s -O3” options the detection falls to just 1.
    Edit 1:
    I also tried submitting an unoptimized bin with just “puts” and other stdio functions, and VirusTotal seems to flag it with the same 6 flags, so most of the problem comes from submitting debug builds.
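The comment above attributes the extra VirusTotal flags to unstripped debug builds and says `-s -O3` brings them down. An analyst comparing two of their own test builds can confirm what `-s` actually removed by reading the PE headers: the COFF symbol table pointer and the debug data directory. This is an added example, not code from the video or the commenter; the field offsets are the standard PE/COFF layout, and the sample PE32+ header is constructed inline so it runs offline.

```python
import struct

DEBUG_DIR_INDEX = 6   # IMAGE_DIRECTORY_ENTRY_DEBUG in the optional header's data directories

def pe_debug_artifacts(data: bytes) -> dict:
    """Report which debug artifacts (the things `-s` strips) a PE image still carries."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, sym_ptr, nsyms, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:          # PE32+: NumberOfRvaAndSizes at +108, DataDirectory at +112
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    debug_size = 0
    # Only read the debug directory entry if the header actually contains it.
    if nrva > DEBUG_DIR_INDEX and dd_off + DEBUG_DIR_INDEX * 8 + 8 <= opt + opt_size:
        _rva, debug_size = struct.unpack_from("<II", data, dd_off + DEBUG_DIR_INDEX * 8)
    return {
        "pe32plus": magic == 0x20B,
        "coff_symbols": nsyms if sym_ptr else 0,   # COFF symbol table survives unstripped MinGW builds
        "debug_directory": debug_size > 0,
        "stripped": sym_ptr == 0 and debug_size == 0,
    }

def build_sample(stripped: bool) -> bytes:
    """Constructed minimal PE32+ header (no sections), for demonstration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    sym_ptr, nsyms = (0, 0) if stripped else (0x1000, 42)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, sym_ptr, nsyms, 240, 0x22)
    opt = bytearray(240)                                          # 112 bytes + 16 directories * 8
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    if not stripped:
        struct.pack_into("<II", opt, 112 + DEBUG_DIR_INDEX * 8, 0x3000, 0x1C)  # debug dir entry
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    for flag in (False, True):
        print("stripped" if flag else "debug", pe_debug_artifacts(build_sample(flag)))
```

Run it against a real binary with `pe_debug_artifacts(open(path, "rb").read())`; a build made with `-s` should report no COFF symbols, though a linker-emitted debug directory (CodeView or a build ID) can still be present and shows up as `debug_directory`.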

  • @kashoo_1
    @kashoo_1 9 months ago +1

    Sounds good 💯

  • @patrickslomian7423
    @patrickslomian7423 9 months ago

    Thank You John !! :)

  • @ricseeds4835
    @ricseeds4835 9 months ago

    Anyone got resource recommendations for learning the Sysinternals tools and WinDbg? Maybe John can start a series on them.

  • @negrastormentas2865
    @negrastormentas2865 9 months ago +4

    Is your correction in 14:07, correct? Previously in the video, at 12:06 it says "__readfsdword" for 32 bit.

    • @_JohnHammond
      @_JohnHammond 9 months ago +4

      Ah! I apparently missed that too. Good catch!

  • @ajaykumar1
    @ajaykumar1 9 months ago

    Which is the best course for malware development,
    Sector7 or MalDevAcademy?

  • @trishulsingh01
    @trishulsingh01 9 months ago +11

    Let’s make a malware just for fun 😂

    • @nekosalad8308
      @nekosalad8308 9 months ago +6

      for science

    • @LittleRainGames
      @LittleRainGames 9 months ago +2

      Or to attack tech support scammers

    • @6digitzz
      @6digitzz 9 months ago

      @@LittleRainGames if u think it's a big threat stop YouTube, just try to post content of the world on the North Korea intranet, it will be more useful

  • @naseerahmadayan199
    @naseerahmadayan199 9 months ago

    John The way i see you
    You are one in a million ❤❤

  • @khaledijbariye5809
    @khaledijbariye5809 9 months ago +1

    Can you do full course about sliver c2 framework from zero? Thank you❤

  • @tebogobrooks7844
    @tebogobrooks7844 9 months ago +1

    Hey John, I enjoy watching your videos. They are informative. There's a new malware called Whiffy Recon which infects vulnerable Windows devices by Wi-Fi access point, scanning every 60 seconds and trying to triangulate a device's location.
    If you can find a sample code could you please do some analysis

  • @Diemf74
    @Diemf74 9 months ago

    Damn Grey hats I love you

  • @dunk7605
    @dunk7605 9 months ago

    john please stop looking at me so scarily in these thumbnails

  • @kasemsh7583
    @kasemsh7583 9 months ago +3

    Hi John, I want to get the Maldev Academy course but they don't have account security, 2FA or anything. Paying 500$ with no account security?
    I sent them a message with no response

  • @georgehammond867
    @georgehammond867 9 months ago

    I like to hear that out track song fearless.

  • @gniteeshreddy5078
    @gniteeshreddy5078 9 months ago

    Hey Mr.John! I am a beginner in the field of cybersecurity. Could you please help me with some resources which help to start my career in offensive security. Thanks in advance!

    • @zaccampa4055
      @zaccampa4055 9 months ago

      There are so many free resources available on YouTube and the internet. Just do some research and you’ll definitely find something that suits your needs.

  • @user-qy6cm8rz5u
    @user-qy6cm8rz5u 9 months ago

    I have the sektor7 malware development course!

  • @mnarath8376
    @mnarath8376 9 months ago +4

    could you not use this kind of behavior to spoof and make malware believe that it's inside a debug environment so it doesn't fire on a regular system?

    • @johndeaux8815
      @johndeaux8815 9 months ago

      If you want malware to not fire on a regular system, the same rules apply as when you are debugging it. Just don’t run the fully compiled program or any malicious code with administrator privileges if you don’t know EXACTLY what it does 😂

    • @johndeaux8815
      @johndeaux8815 9 months ago

      Idiotproofing is impossible, as long as there is malicious code that can be run, there will be someone dumb enough to run it, regardless of any failsafes. If you made a malware that tries to avoid execution, someone will find a way to get it to run 😂

    • @mnarath8376
      @mnarath8376 9 months ago +3

      @@johndeaux8815 true, I was thinking of this in a similar way to some Russian ransomware a while ago that would not fire if you had the Russian language pack installed on your system 😂

    • @mnarath8376
      @mnarath8376 9 months ago

      just some extra safety net that also abuses the fact that most malware devs want to keep their code hidden / hard to analyse, but I agree that you can't protect against the human factor and that's usually the weakest point in any security anyway😅

    • @johndeaux8815
      @johndeaux8815 9 months ago

      @@mnarath8376 ah true, that reminds me of an idea I had a while back where you make a virus that swaps the code for i to the Cyrillic i in someone's language pack so they can't code lol

  • @DamianRyse
    @DamianRyse 9 months ago +1

    Well, if I would be a blue-teamer, I'd just Ghidra into the binary and reverse the If statement. I can run it with a debugger attached but it can't run standalone. ^^

    • @kopuz.co.uk.
      @kopuz.co.uk. 9 months ago

      What if the lib is loaded dynamically with LoadLibraryA using obfuscated strings?

  • @RandomGeometryDashStuff
    @RandomGeometryDashStuff 9 months ago

    try all debug detection methods in VirusTotal (don't include malware, just `if(isdebugged())puts("debugged");`)

  • @HxN0n3
    @HxN0n3 9 months ago

    good

  • @asldkfjzopiuqea
    @asldkfjzopiuqea 9 months ago +3

    How to convert it to usable shellcode?

  • @MasterCraft_48
    @MasterCraft_48 9 months ago +4

    I hope we don't get put on a list by watching these sort of videos...

    • @racecar_johnny
      @racecar_johnny 9 months ago

      If ur watching these kinds of videos, it’s likely that you're already on some kind of watchlist. For example, just for downloading and using TOR. But it doesn’t matter, because with all the data they have, they are able to differentiate between someone who’s doing it for education, and one who has malicious intent.

  • @Dahlah.FightMe
    @Dahlah.FightMe 9 months ago +1

    Nice :D

  • @RandomytchannelGD
    @RandomytchannelGD 9 months ago +1

    NICEE

  • @RS6Showtime
    @RS6Showtime 9 months ago

    Do you also have a casio clock? Same as me if you say yes :P

  • @justingreen6561
    @justingreen6561 9 months ago

    K, this has nothing to do with this video but figured this was the community to help answer a question.
    Seems Facebook has a phishing scam circulating that's presented as a post on someone's wall with a "guess whose died" car crash headline that provides a link. Apparently, as John has shown/demoed, it's the whole fake sign-in spoof workflow where your creds will then go to 💀. My question though is, all times I've seen this the link has clearly been a Vercel application which A) makes me think the jerkoff mastermind apparently has backend skills about as sophisticated as mine but more importantly B) wouldn't/shouldn't Vercel sniff this transparent nonsense out and put a quick rm -rf on things?
    And certainly, if anyone reads this and decides to phish the phisher, well, I applaud and respect da skills. But ya, mainly it just seems weird that an apparent 'prod' malware that's breached FB would still carry a transparent Vercel domain.

  • @RoninAuron
    @RoninAuron 9 months ago

    Your thumbnail predicted the Trump mugshot
    insider info?? 😂

  • @SumanRoy.official
    @SumanRoy.official 9 months ago +1

    This won't work, exe files are always checked for whether they are from a trusted publisher or not; UAC will probably block it if it runs on a different machine, even if Defender is turned off.

  • @pr0tagnist
    @pr0tagnist 9 months ago +4

    YEA BOOOOOIIIII!!!!

  • @user-hd3pz2ow1b
    @user-hd3pz2ow1b 3 months ago

    6:56 9:10

  • @FalcoGer
    @FalcoGer 9 months ago +2

    C and C++ can determine the array size if you initialize it in the same line. That said, bare arrays are deprecated. Use std::array.
    Why are you using boolean macros instead of the proper types? And why don't you just "return pPeb->BeingDebugged == 1;"

    • @bigsam2928
      @bigsam2928 9 months ago +1

      nerd

  • @Ruhgtfo
    @Ruhgtfo 7 months ago

    lmao when malware knows to make a blacklist on its own

  • @catharperfect7036
    @catharperfect7036 8 months ago

    tell us how to hack the Fed

  • @webdev-ij5hp
    @webdev-ij5hp 9 months ago

    I clearly don't know what is going on

  • @aadhiseshandc7260
    @aadhiseshandc7260 9 months ago

    If John notices this comment [heart or comment]. I'm convincing my mom to give my laptop back for cybersecurity and personally love these videos. I regret using a Chromebook. Luckily I have Linux

  • @saltedhash6467
    @saltedhash6467 9 months ago

    You often talk too quickly.

  • @kopuz.co.uk.
    @kopuz.co.uk. 9 months ago

    Couldn't you just read your own memory and look for soft breakpoints?
