Malware Development: Native API

  • Published on 31 Dec 2024

Comments • 138

  • @crr0ww
    @crr0ww  1 year ago +13

    📌 Use code "CROW10" for 10% off your order when you checkout at Maldev Academy FOR A LIMITED TIME! ---> maldevacademy.com/?ref=crow
    Font: DinaRemasterII
    Theme: Zero (Dark Theme)

    • @CaptainLeviOfTheScoutRegiment
      @CaptainLeviOfTheScoutRegiment 1 year ago

      I can't find the theme, could you give me the link for it

    • @drishalballaney
      @drishalballaney 11 months ago

      if possible could you please also cover these videos in rust?

  • @TheCalinative707
    @TheCalinative707 1 year ago +65

    this man is the best teacher I've ever seen, strictly on his use of comedy and 4th wall breaks, while being detailed and informative

    • @crr0ww
      @crr0ww  1 year ago +2

      i appreciate that so much! thank you :')

    • @malcomclark2261
      @malcomclark2261 10 months ago +1

      I thought I was crazy for thinking that too. Something about the way he explains things just works for my mush-brain.

  • @JohnDoe-cx6zd
    @JohnDoe-cx6zd 1 year ago +5

    Man, I have literally been watching your buffer overflow video right now, and just noticed an upload! What timing

  • @0x370c2de
    @0x370c2de 1 year ago +14

    This man is one of a kind. Seriously, so informative, but keeping it fun and cool! So much love, looking forward to the next episode ❤

    • @crr0ww
      @crr0ww  1 year ago

      thank you so much! that's so kind of you

  • @nero2k619
    @nero2k619 1 year ago +12

    The best part of using native APIs in usermode is the things you can do that you would never be able to achieve with just Win APIs. Of course native APIs add a lot more code, but the amount of flexibility and control you can achieve is just pure gold.

    • @crr0ww
      @crr0ww  1 year ago +1

      agreed! it's also just a lot of fun to see how everything comes together! thank you so much for commenting!

  • @phantompuma228
    @phantompuma228 1 year ago +16

    LETS GOOO HES BACK, I HOPE YOU GET SOME REST CROW!!! I SEE THE EFFORT!! THANKS FOR ALWAYS PUTTING OUT LEGIT CONTENT!!

    • @crr0ww
      @crr0ww  1 year ago +2

      ILY LEGEND

  • @Brahvim
    @Brahvim 1 year ago +9

    It was 1 AM and yet I clicked. Was not disappointed, and *genuinely* enjoyed the jokes, and knowledge shared (thanks to knowing the non-WinAPI parts in advance, I guess!). Thank you, crow!

    • @crr0ww
      @crr0ww  1 year ago

      it's my pleasure! thank you so much for commenting

  • @piyayozeo
    @piyayozeo 1 year ago +1

    I thank the universe for putting your video on my feed, it was so well explained and you kept my attention at all times with the memes and jokes. Thank you Crow!

  • @pspnerd45
    @pspnerd45 1 year ago

    That coding montage at 4:30 is so smooth. Could have that playing in the background while I work/study.

  • @ttj_
    @ttj_ 1 year ago +1

    as soon as i saw you posted a new video i got so excited, you’re my favourite youtuber. malware development is so fascinating when coming from a software dev background

  • @upliftingspirit6873
    @upliftingspirit6873 6 months ago

    saw your videos yesterday and all i have to say is ... please never stop doing what you are doing.
    you are really talented and good at explaining.
    i really like that your teaching method is not possessed by elitism which as you said (and i agree) is one of the biggest problems in this field.
    you never take anything for granted and you are willing to explain even the slightest thing to your "students".
    subscribed, of course :)

  • @ai_coding
    @ai_coding 1 year ago +1

    I swear ur the best teacher out there!! Glad i stumbled upon ur channel even tho im not into malware dev im learning a lot.

  • @vittoriomondelli7172
    @vittoriomondelli7172 1 year ago +3

    bro this is actually so entertaining, thanks for your work boss

  • @ikennamanagwu9646
    @ikennamanagwu9646 1 year ago +2

    Wooooooowww..... Maldev academy is literally what I've been looking for for years ..!!!!

  • @Proferk
    @Proferk 1 year ago +3

    yay, our beloved malware man crow is back

  • @안꾸-z2g
    @안꾸-z2g 1 year ago +2

    I've been waiting for your new teaching

  • @p3tergriffin
    @p3tergriffin 1 year ago +2

    Recently discovered your channel and the content is great. Thanks man.

    • @crr0ww
      @crr0ww  1 year ago +1

      thank you so much!

  • @SZTUKAHARDKORU
    @SZTUKAHARDKORU 1 year ago +2

    nice channel, will watch all today

  • @sinatra02
    @sinatra02 1 year ago +6

    thought i was losing it seeing a crow notification

  • @Celestenshi
    @Celestenshi 1 year ago

    Thanks

    • @Celestenshi
      @Celestenshi 1 year ago +1

      idk why it only typed out thanks im gonna cry

  • @christian_leone
    @christian_leone 1 year ago +2

    I love you crow, your videos are really simple but interesting, thanks so much!!!

    • @crr0ww
      @crr0ww  1 year ago

      aw thank you so much, that's so heartwarming to hear

  • @justin7oo994
    @justin7oo994 1 year ago +3

    Oh wow look my favourite bird is back

  • @0dayhta
    @0dayhta 1 year ago +2

    YES ANOTHER CROW VIDEO!!!

  • @nikos4677
    @nikos4677 9 months ago

    10:54 Damn I remember reading that from that book

  • @mrpoodoboo6785
    @mrpoodoboo6785 1 year ago

    awesome video, thanks for addressing the goto statement, immediately started having flashbacks to uni...

  • @rz0007-k4c
    @rz0007-k4c 1 year ago +2

    In love with crow's humour

  • @cjsmax75
    @cjsmax75 9 months ago

    Hi, thanks for the video.
    For OBJECT_ATTRIBUTES, the doc says "For standard processes, all fields of ObjectAttributes should be NULL", so how can we know that we'll need the size of the struct and not just follow the doc?
    Thanks!

  • @fxiqval
    @fxiqval 1 year ago +1

    i actually found out a weird thing with OBJECT_ATTRIBUTES. the Length member is optional on some functions, but required on others. but the interesting thing with that is with e.g. NtOpenProcess the Length can be 0, but the actual pointer to the object attributes can't be nullptr/NULL/0, otherwise the function will fail.
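
The two questions above (whether Length must be filled in, and whether the pointer itself may be NULL) are both answered by initializing the structure the way winternl.h's InitializeObjectAttributes macro does and then passing its address. The following C is an added example, not code from the video or from either commenter: it uses a replica of the public OBJECT_ATTRIBUTES layout (types suffixed _REPLICA and the three helper functions are assumptions made here) so it compiles without the Windows SDK; on Windows you would include <winternl.h> and use the real macro and type instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Replica of the public UNICODE_STRING / OBJECT_ATTRIBUTES layouts (assumed here
 * so the file builds without the Windows SDK; on Windows use <winternl.h>). */
typedef struct _UNICODE_STRING_REPLICA {
    uint16_t Length;
    uint16_t MaximumLength;
    void    *Buffer;
} UNICODE_STRING_REPLICA;

typedef struct _OBJECT_ATTRIBUTES_REPLICA {
    uint32_t                Length;          /* size of this struct, filled by the init macro */
    void                   *RootDirectory;
    UNICODE_STRING_REPLICA *ObjectName;
    uint32_t                Attributes;
    void                   *SecurityDescriptor;
    void                   *SecurityQualityOfService;
} OBJECT_ATTRIBUTES_REPLICA;

/* Hypothetical helper mirroring what InitializeObjectAttributes(p, n, a, r, s)
 * expands to: every member is assigned, and Length becomes the struct size. */
void init_object_attributes(OBJECT_ATTRIBUTES_REPLICA *p, UNICODE_STRING_REPLICA *n,
                            uint32_t a, void *r, void *s)
{
    p->Length = sizeof(OBJECT_ATTRIBUTES_REPLICA);
    p->RootDirectory = r;
    p->Attributes = a;
    p->ObjectName = n;
    p->SecurityDescriptor = s;
    p->SecurityQualityOfService = NULL;
}

/* Builds the "all fields NULL" block the NtOpenProcess docs describe for a
 * standard process. Starting from garbage shows the macro leaves nothing unset. */
void standard_process_attributes(OBJECT_ATTRIBUTES_REPLICA *oa)
{
    memset(oa, 0xAA, sizeof *oa);
    init_object_attributes(oa, NULL, 0, NULL, NULL);
}

/* Returns 1 if a block is what a caller should hand over for a standard
 * process: a real pointer, Length equal to the struct size, and no name, root
 * directory or security descriptor. Length is required unconditionally here so
 * the result is correct whatever a particular Nt* function happens to tolerate. */
int is_standard_process_attributes(const OBJECT_ATTRIBUTES_REPLICA *oa)
{
    if (oa == NULL)                                        /* the pointer itself must not be NULL */
        return 0;
    if (oa->Length != sizeof(OBJECT_ATTRIBUTES_REPLICA))   /* a hand-zeroed struct fails here */
        return 0;
    return oa->RootDirectory == NULL && oa->ObjectName == NULL &&
           oa->Attributes == 0 && oa->SecurityDescriptor == NULL &&
           oa->SecurityQualityOfService == NULL;
}

int main(void)
{
    OBJECT_ATTRIBUTES_REPLICA oa;
    standard_process_attributes(&oa);
    printf("Length = %u (sizeof = %zu), usable = %d\n",
           oa.Length, sizeof oa, is_standard_process_attributes(&oa));
    oa.Length = 0;   /* what a struct zeroed by hand instead of the macro looks like */
    printf("with Length = 0, usable = %d\n", is_standard_process_attributes(&oa));
    return 0;
}
```

The point of the replica is that "all fields should be NULL" in the docs refers to the members, not to the pointer you pass, and that the macro sets Length for you; zeroing the struct by hand is the case where a function that insists on Length rejects the call.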

  • @detective5253
    @detective5253 1 year ago +1

    ayyee, crow's back to the crew w/ anotha motha video bout maldev series. love ya homie

  • @curryjl1027
    @curryjl1027 1 year ago

    Another fantastic video, keep it up, legend

  • @Snydzzz
    @Snydzzz 1 year ago +2

    How do you generate the shellcode for starting the calculator?

    • @crr0ww
      @crr0ww  1 year ago +2

      well, you could make your own shellcode (which is recommended, but for beginners might be too difficult at first) or you could use a shellcode-generating tool, the most popular of which is called "msfvenom". although, be warned that msfvenom has been heavily scrutinized and documented so pretty much all of its shellcode will get caught by windows defender. now, you could get past this by encrypting the shellcode, or for this example, since we're not doing anything malicious, you can set an exclusion path for windows defender so that your program can run and not get thanos snapped out of existence. hope that helps

    • @Snydzzz
      @Snydzzz 1 year ago

      @@crr0ww could I make an exe that starts calculator with system(“calculator.exe”) then try to get the bytes from a disassembler? Btw, I got into this with game hacking stuff like assault cube and your channel now has gotten me into the more general area of malware. I like how you present the information in an entertaining way instead of speed running code with subtitles. Really makes it enjoyable 👍🏼.

  • @omfg4956
    @omfg4956 1 year ago +2

    BABE WAKE UP NEW CROW DROPPED

  • @trintlermint
    @trintlermint 1 year ago +4

    I LOVE YOU CROW!! hope youre doing well!

    • @crr0ww
      @crr0ww  1 year ago +1

      ILYT THANK YOU TRINTLER, SAME TO YOU HOMIE

    • @gregandark8571
      @gregandark8571 1 year ago +1

      @@crr0ww
      I was and I'm always wondering - why there's 0 content like this for linux?

    • @crr0ww
      @crr0ww  1 year ago +1

      @@gregandark8571 well, windows is the most popular platform that people use, so it's natural that most malware is made for it! that isn't to say that there isn't malware for linux, there's a lot out there too (some really really cool techniques as well!)
      dont worry, i have something planned for linux-based malware development too :) all in due time. thank you so much for commenting!

    • @gregandark8571
      @gregandark8571 1 year ago +2

      @@crr0ww
      Awesome!

  • @PandaGoesMoo
    @PandaGoesMoo 1 year ago +2

    return of the -king- crow

  • @urxai
    @urxai 1 year ago +3

    don’t care who says what, this man needs a 100k play button

  • @jbray250
    @jbray250 1 year ago +2

    I'm trying to play MapleStory with Crow. Also this was so dope

  • @slamdude321
    @slamdude321 1 year ago +2

    wow so informative crow i love you

    • @crr0ww
      @crr0ww  1 year ago

      THANK YOU SM LOVE

  • @lysikasaito
    @lysikasaito 1 year ago +5

    Awesome video!!! What font are you using? It's great (the pixel art font, not iosevka)

    • @crr0ww
      @crr0ww  1 year ago +1

      thank you so much!! :D it's called "DinaRemasterII"

  • @sy-tv3ic
    @sy-tv3ic 1 year ago

    i hope bro keeps getting butterflies after referring to past videos. goatttt

  • @gersonsv12
    @gersonsv12 7 months ago

    idk when I'll have time to try this but it looks fun af

  • @phobosmoon4643
    @phobosmoon4643 1 year ago +2

    im not sure if shitposting has finally caught up to my refined, god-like tastes and humor, or if I have just been too stupid to hang with the cool kids this whole time? either way: ooh la la.

    • @crr0ww
      @crr0ww  1 year ago

      HAHAHA i'm glad to hear that xD thank you so much for commenting

  • @DroneMothership
    @DroneMothership 1 year ago +2

    Yo this is like spooky Christmas

  • @alyxson
    @alyxson 3 months ago +1

    i love your visual identity

  • @backinyourcommentsectionag3191
    @backinyourcommentsectionag3191 1 year ago +3

    HE HAS RETURNED
    ALL HAIL
    ALL HAIL

  • @piolix0004
    @piolix0004 1 year ago +2

    THE KING IS BACK

  • @zvqle
    @zvqle 1 year ago

    great video, loved it very much. please do more!

  • @Redyf
    @Redyf 1 year ago

    What font is that on vscode? it's pretty cool

  • @sparky1377
    @sparky1377 1 year ago

    What visual studio theme is that?

  • @alexanderdell2623
    @alexanderdell2623 1 year ago +1

    Is using NTAPI the same as using syscalls?

    • @crr0ww
      @crr0ww  1 year ago

      Not DIRECTLY. There are certain NTAPI functions (as talked about in the video) that don't actually result in a syscall/int 2eh/sysenter instruction. Those NTAPI functions that do, however, will end up invoking these instructions. so, when we call an NTAPI function, yeah, we will eventually have it perform a syscall, but we're not using syscalls directly, more so transitively using them through the NTAPI. Using syscalls directly/indirectly is going to be the main focus point of the next video, but just remember that when we use syscalls, we're ushering them out directly (typically through our own defined assembly stubs) and not having the NTAPI do it for us! Hope that helps! :)

  • @peppidesu
    @peppidesu 1 year ago +1

    13:44 jyuugatsu 👀

    • @crr0ww
      @crr0ww  1 year ago

      Yes! That's right~ peppi, your Japanese is really good. :) Thank you for commenting!

  • @kingananas2.0
    @kingananas2.0 10 months ago

    What font is that?

  • @icarlyfan102
    @icarlyfan102 1 year ago +2

    already know its a banger

  • @YAHWA-fb7ww
    @YAHWA-fb7ww 1 year ago +2

    Best resource ever !!

  • @Trad3st0rm
    @Trad3st0rm 1 year ago +2

    Sick new intro mate

    • @crr0ww
      @crr0ww  1 year ago

      thank you so much!

  • @X_explotion
    @X_explotion 1 year ago

    Especially you, slouching in your chair. I feel personally attacked

  • @sinatra02
    @sinatra02 1 year ago +4

    HES ALIVEEE

    • @crr0ww
      @crr0ww  1 year ago +2

      IM ALIVEEEE

  • @cadeathtv
    @cadeathtv 1 year ago +1

    How true is the legendary, "Do not upload to VT"?

    • @crr0ww
      @crr0ww  1 year ago +1

      if it's something you care about (i.e., you don't want to get signatured, taken apart, and analyzed), then yeah, don't upload your malware to virustotal. VT will share these samples for the sole purpose of taking it apart and documenting it.
      it says the following in their historic privacy policy statement: "We share the raw data underlying Samples uploaded to the Services as well as information relating to the submitter (ciphered ID, city, and country) of the Sample, as follows: With our security partners. When you upload a Sample to VirusTotal in order to receive a report about the potential maliciousness of its content, we store it in the Corpus and share it with our partners in the anti-malware and security industry. Partners that participate in VirusTotal are bound by contract to only use the Samples for internal security purposes in compliance with our Terms of Use to detect malicious code and to improve their antivirus engines. All partners receive Samples that their antivirus engines did not detect as potentially harmful if the same Sample was detected as malicious by at least one other partner’s antivirus engine. This information sharing helps correct potential vulnerabilities across the security industry."
      tl;dr if you care about this malware, something you made for engagements and you want to increase its shelf life, don't upload it to VT. there are alternatives that you can upload your malware to, to see what defensive solutions get triggered by your malware which i can't remember off the top of my head unfortunately, but yeah! i hope that helps! :D

    • @cadeathtv
      @cadeathtv 1 year ago

      @@crr0ww thanks for the input. How risky is it to upload it during the development phase?
      Any tips on how to test the effectiveness of your malware?

  • @-uz
    @-uz 1 year ago

    DROP another Banger please 🤝

  • @aa898246
    @aa898246 1 year ago +3

    amazing video

  • @fostn
    @fostn 1 year ago +1

    What theme are you using in Visual Studio?

    • @crr0ww
      @crr0ww  1 year ago +1

      Zero (dark theme)

    • @fostn
      @fostn 1 year ago

      @@crr0ww thank you crow

  • @Tomab3
    @Tomab3 1 year ago

    Great video !
    What font do you use ?

  • @pookbally
    @pookbally 1 year ago +3

    crow ur the best

  • @ismailaf3634
    @ismailaf3634 1 year ago +2

    Finally let's goo

  • @peppidesu
    @peppidesu 1 year ago +1

    13:52 osu reference 👀👀

    • @crr0ww
      @crr0ww  1 year ago

      SHIT I'VE BEEN MADE

  • @jacobjohnson1501
    @jacobjohnson1501 1 year ago +2

    YOU GOT A SPONSOR

    • @crr0ww
      @crr0ww  1 year ago

      !!!!!!!!!

  • @brunom12111
    @brunom12111 1 year ago +4

    Bro, I absolutely love your content! My book recommendation for anyone trying to understand more about this topic is: Windows Internals by Pavel Yosifovich

  • @the_internet_332
    @the_internet_332 11 months ago

    Great Video!

  • @crckrbrrs
    @crckrbrrs 1 year ago +3

    >disappears for a month
    >uploads maldev 2, apologizes for not being active
    >continues to not be active
    >drops this absolute masterpiece 2 months later, talks on discord for a bit, leaves
    never change

  • @ismaildogukancokluk3679
    @ismaildogukancokluk3679 1 year ago +1

    Yoooo. Your font looks great mind sharing the name of it ?

    • @crr0ww
      @crr0ww  1 year ago +1

      sure, it's called "DinaRemasterII"

  • @Alfakatt
    @Alfakatt 10 months ago

    What is accomplished with a goto that couldn’t just have been a function?

  • @inn6300
    @inn6300 1 year ago +2

    Crow10 crow10 crow10 !

  • @MalwareHunter_07
    @MalwareHunter_07 7 months ago

    make videos on EDR Evasion

  • @0xGast
    @0xGast 1 year ago

    what font are you using

    • @0xGast
      @0xGast 1 year ago

      nvm

  • @K4nj
    @K4nj 1 year ago +2

    What's your theme

    • @crr0ww
      @crr0ww  1 year ago +2

      it's called zero (dark theme): marketplace.visualstudio.com/items?itemName=AgitoReiKen.zerovstheme

    • @K4nj
      @K4nj 1 year ago +2

      appreciate it so pleasing on the eye @@crr0ww

  • @jjurmean
    @jjurmean 1 year ago

    you could also just do if !Buf if it equals null, good video though

  • @coder_rc
    @coder_rc 1 year ago +1

    Crow evenly spaces his code 😱😱😱😱😱😱

    • @crr0ww
      @crr0ww  1 year ago +1

      :GASP: !!! xD tysm for commenting brother

    • @coder_rc
      @coder_rc 1 year ago

      @@crr0ww

  • @interrrp_with_three_rs
    @interrrp_with_three_rs 1 year ago

    good video, you and cazz should collab

  • @ryuu8027
    @ryuu8027 1 year ago +2

    Good video

  • @freeeverymalloc
    @freeeverymalloc 1 year ago +1

    happy halloween

    • @crr0ww
      @crr0ww  1 year ago

      happy (late) halloween!!

  • @BoopyTheFox
    @BoopyTheFox 1 year ago +2

    Man you're cool

  • @noorkhara1429
    @noorkhara1429 1 year ago +1

    crows rat 🐀 4 grams protein I’m gonna nomnomnomnom

    • @crr0ww
      @crr0ww  1 year ago +1

      [crow's rat WILL remember this]

  • @desmon3341
    @desmon3341 1 year ago +1

    hello from Spain

    • @crr0ww
      @crr0ww  1 year ago

      hello! thank you for commenting

  • @DuckeyDev
    @DuckeyDev 1 year ago +2

    Noice

  • @notechnolife9596
    @notechnolife9596 1 year ago +1

    Marry me !

  • @Zetty
    @Zetty 1 year ago +1

    penith

  • @swoodc
    @swoodc 8 months ago

    nah its a black cat they wouldve shot it before locking it up lmfao

  • @daljeetbhati8353
    @daljeetbhati8353 1 year ago +1

    i want meet you so bad 😭

    • @crr0ww
      @crr0ww  1 year ago

      haha maybe one day, brother

  • @jonobrien8848
    @jonobrien8848 1 year ago

    gotos are great, old people are just bad at comprehension that don't like gotos.

  • @nassvandrunen6020
    @nassvandrunen6020 1 year ago

    lmao

  • @alec3217
    @alec3217 11 months ago

    GET OUT YOUR COZY BED RIGHT NOW AND MAKE A TUTORIAL ON REFLECTIVE DLL INJECTION CODE BOI

  • @Haapavuo
    @Haapavuo 1 year ago +1

    45 minutes to be able to open Calculator from CMD 😆 Just joking... But for real, I had to skip most parts of the video since I'm in a hurry right now. What is the main achievement here? You still need to be able to run your own exe (or modded exe) on the PC to be able to inject anything. Where is the malware part here? 🙂 Please give us a summary of the achievement of this video. Thanks!