I've started watching your malware playlist and I must say that you're great at explaining these concepts. I understood this video very well, and it's a great resource. Keep it up
nice work teacher Cosmo, i´m learning too much, i'm new to malware and seeing thus type of content motivates me to continue learning; greetings to México
Damn, making a trojan seemed so extraterestial to me, even though I am a CS student and I learned Assembly.(16 and 32 bits)They didnt rlly showcased us the power of it, only showed us how it works. Now making a trojan seems easier than ever xD. Love your videos
Really appreciate your malware development courses. If you could make more free videos please do! Aspiring malware developers like me would strongly appreciate. You earned a sub bro, keep up the great work!
hey thanks for creating this series! there's not a lot especially here on youtube, as a beginner its nice to see things like this, if you got any other resources you used while you were trying to branch into malware development I would love you forever
Wow! I’m learning how to develop malware as a project for school currently, it was originally supposed to be on rootkits/boot kits but I couldn’t make it that far I basically just made a bad shellcode injector, I’m wondering if you have made or have any plans on rootkit/boot kits? Great video tho! I’m gonna play around with it asap!
I have a question (it might be a dumb question ) but since the modified program wait for the shellcode to act before executing the program, will it still work for another kind of malware like a reverse shell that use for loops or something (without blocking the original executable)? Also i love your videos it teaches so many things. Thank you.
I actually have no idea. You should try it and see how it goes!! If it ends up looping and not letting the main executable run, then have the shellcode execute a new *hidden* process for the revshell👍🏽
@@DuckyChannel It's as i thought it will keep executing the injected shellcode. To avoid that i made so that the shellcode i inject reach another file and start a process/Thread (equivalent of "start" in the cmd ).
Is it possible to maker code cave bigger? (add more null bytes). Ofc it will increase file size, which doesnt mater for me, my cmd function is just too long to fit
Just found your channel! Subscribed really good content! Thanks for sharing. I am not gonna lie I BBQ m very noob in this subject. I would appreciate beginners content 😊
Thanks for the video but i have a question. Since downloading that metasploit program is pretty impossible and annoying on windows, how can i generate the binary file from the shell command manually?
Awesome video and channel! I've been messing with the zoomit part for days, and I can't get it to run. I go step by step, do the same thing as you in the video, and the mf gives me a last chance exception and terminates (in the debugger). What am I doing wrong?
Great videos thank you! a question, I used vs insider and MinGW-w64 toolchain , and I don't see the eros/NOP at the end, which compiler I need to use? what am I missing? thank you!
Sup!! U should ue clangd, it should be preinstalled with visual studio and accessible via the native tools cmd prompt (also installed with visual studio). My video covering tools for maldev can help you with this as well 🤙🏽
Pushad and pushfd are NOT recognized in x64 architecture. I tried as you do but it doesn't work. After the shellcode I inserted a jmp instruction to the head of the disassemble, where the call to display the messagge is. Moreover the entry point in my case is not identified with a jmp instruction but with a call.
Hey!… did u watch the video😭? I had to have said “32bit” at least eight times…we pulled out a 32bit architecture manual to showcase pushfd/ad and popfd/ad..and we put that jmp instruction there..🙈
a question though, in my xdbg i can't find the entry point - weird - am using x64dbg And i dont have jmp address like you do in the video - is it because am using a 64 bit windows machine and not a 32 bit? thanks
@@CosmodiumCS hey man, thanks for the reply ✌🏻 I was reading Microsoft documentation and they recommended not to use ANSI encoding functions only Unicode UTF-16, in this video, are the functions still relevant to use? As their explanation was for global language compilation if am not mistaken
yo! the pushad/fd popad/fd with MSF generated shellcode is likely flagged. so you will have to throw some arbitrary assembly instrucions betweent he pushes and pops as well as writing better shellcode
Could you explain about how to obfuscate shellcode and how after embeding into program decrypt it? I have created few programs on C# for crypt encrypt shellcode so It works without problems, but in your guide, I can't understand if you embed clean shellcode without obfuscation etc. that will be detecteble in AV so that's why I'm asking.
Yes, I have AV disabled in my development environment. However it usually goes undetected, especially if you don’t utilize metasploit generated shellcode. You may also want to add some additional instructions as there could be detections for the pushad/fd and popad/fd instructions being used as they are
I would say yes. Utilizing the code cave makes it so that the trojan looks as close to the original file as possible. While the batch converted exe would load both, it could still be detected as malware as it doesn’t have any functionality past the loading of those executables👍
@@CosmodiumCS I tried to recreate your steps for an Elf. As soon as I attempt the JMP to the code cave I get a segmentation fault. Also attempted with only push/pop and no shell code (it's like the code cave is read only or something) :(
Yeah, for the sake of simplicity i used metasploit to demonstrate the concept. Using something like donut or writing ur own shellcode is far more ideal
I've started watching your malware playlist and I must say that you're great at explaining these concepts. I understood this video very well, and it's a great resource. Keep it up
Glad it was helpful! Hope the malware journey goes well! You can always reach out on discord if you have any questions🤙🏽
nice work teacher Cosmo, i´m learning too much, i'm new to malware and seeing thus type of content motivates me to continue learning; greetings to México
Greetings!!👋😄
I've been doing sektor7 courses on malware development and your videos have really helped, thank you!!!
Ayy! Always happy to this stuff helps out🙏🏽🕺🏽
Hey, can you help me get the courses, please?
Best Course, Appreciate your Efforts, Attended the Sector 7 Training, Your Explaination is best. Keep it Up Bro...
Thanks a ton!!
Damn, making a trojan seemed so extraterestial to me, even though I am a CS student and I learned Assembly.(16 and 32 bits)They didnt rlly showcased us the power of it, only showed us how it works. Now making a trojan seems easier than ever xD. Love your videos
Love to hear that man!! I’m putting together some more assembly material don’t worry ;)
Really appreciate your malware development courses. If you could make more free videos please do! Aspiring malware developers like me would strongly appreciate. You earned a sub bro, keep up the great work!
hey thanks for creating this series! there's not a lot especially here on youtube, as a beginner its nice to see things like this, if you got any other resources you used while you were trying to branch into malware development I would love you forever
Hey thanks! Not much that i have used personally, but the discord community is pretty helpful and could be a good resource for people to learn from
GOATT!! appreciate for the video i love it
amazing content man, thanks so much. Greetings from Argentina
Argentinwhaaa!?!? That’s awesome ha!! Thanks so much:)
Super interesting, thanks for the video!
Glad you liked it!
Cool. Liked, commented and subbed 👍🏼
Thanks!!
Wow! I’m learning how to develop malware as a project for school currently, it was originally supposed to be on rootkits/boot kits but I couldn’t make it that far I basically just made a bad shellcode injector, I’m wondering if you have made or have any plans on rootkit/boot kits? Great video tho! I’m gonna play around with it asap!
I have a question (it might be a dumb question ) but since the modified program wait for the shellcode to act before executing the program, will it still work for another kind of malware like a reverse shell that use for loops or something (without blocking the original executable)?
Also i love your videos it teaches so many things. Thank you.
I actually have no idea. You should try it and see how it goes!! If it ends up looping and not letting the main executable run, then have the shellcode execute a new *hidden* process for the revshell👍🏽
@@CosmodiumCSThankf for responding, i'll try and post a comment if it worked
@@xenoas1er197 How did it go?
@@DuckyChannel
It's as i thought it will keep executing the injected shellcode.
To avoid that i made so that the shellcode i inject reach another file and start a process/Thread (equivalent of "start" in the cmd ).
only one word to say: COOOOOOOOOOOOOOOL!!! :D Thanks bro.😁😁😁
No problem 😊
Thanksss for the perfect malware development videos
Thanks for watching them :D
Is it possible to maker code cave bigger? (add more null bytes). Ofc it will increase file size, which doesnt mater for me, my cmd function is just too long to fit
Dude you are really awesome!
Haha thank ya!
is it possible to instead of using a hex editor to just fill in the hex bytes itself that equal jmp etc. ?
Just found your channel! Subscribed really good content! Thanks for sharing. I am not gonna lie I BBQ m very noob in this subject. I would appreciate beginners content 😊
Ay thanks for the sub! Glad u enjoy the vid. I’ll be sure to start introducing some more beginner friendly content in this subject 👍
I wish i could watch this right now but i am busy for the rest of the day so i hope that i will get to it when i have time tommorow.
No worries at all dude, appreciate the support!🤙
hi, when i attempt to patch the code, I get 147/202 patches applied. I believe it might be the shell code but i was wondering if you had any pointers
did u found any fix? i get 90/202
my x32dbg apply only 80/203 patches...
did you find a fix for this? i get 200/215 ....
Heyy how do compile the 32bit code in vs code ??
Well Done!
Ayy thank ya bro!!
Thanks for the video but i have a question. Since downloading that metasploit program is pretty impossible and annoying on windows, how can i generate the binary file from the shell command manually?
Hey! Yes you cannot install msf on windows. Look into WSL or setting up a vm
@@CosmodiumCS is there an alternative method for windows?
Yes..LOOK INTO WSL OR A VM GAHHHHH!!!
but NX is disabled?
Really dope
Awesome video and channel! I've been messing with the zoomit part for days, and I can't get it to run. I go step by step, do the same thing as you in the video, and the mf gives me a last chance exception and terminates (in the debugger). What am I doing wrong?
Would it be too hard to generate my own custom shellcode instead of generating it with Metasploit?
Depends on what you consider hard😏. You can write it in raw assembly
Great videos thank you! a question, I used vs insider and MinGW-w64 toolchain , and I don't see the eros/NOP at the end, which compiler I need to use? what am I missing? thank you!
Sup!! U should ue clangd, it should be preinstalled with visual studio and accessible via the native tools cmd prompt (also installed with visual studio). My video covering tools for maldev can help you with this as well 🤙🏽
Pushad and pushfd are NOT recognized in x64 architecture. I tried as you do but it doesn't work. After the shellcode I inserted a jmp instruction to the head of the disassemble, where the call to display the messagge is. Moreover the entry point in my case is not identified with a jmp instruction but with a call.
Hey!… did u watch the video😭? I had to have said “32bit” at least eight times…we pulled out a 32bit architecture manual to showcase pushfd/ad and popfd/ad..and we put that jmp instruction there..🙈
@@CosmodiumCS the executable I found in your GitHub is x64
If I compile my own x86, the entry point is call instruction and not a jmp. I adopted another approach to do so. Thank you the same.
@@CosmodiumCS but how can we do that in x64 then
a question though, in my xdbg i can't find the entry point - weird - am using x64dbg
And i dont have jmp address like you do in the video - is it because am using a 64 bit windows machine and not a 32 bit? thanks
go into options > set entry break point :)
@@CosmodiumCS hey man, thanks for the reply ✌🏻
I was reading Microsoft documentation and they recommended not to use ANSI encoding functions only Unicode UTF-16, in this video, are the functions still relevant to use?
As their explanation was for global language compilation if am not mistaken
it says 91/201 patches applied, can u help?
were you able to fix it ?
Awesome, i really want to learn from you, can you let me know how to connect to you personally?please
Yep! Discord link in description 🫡
great video
Does these stuff work against EDRs and defender? Or will it be flagged?
yo! the pushad/fd popad/fd with MSF generated shellcode is likely flagged. so you will have to throw some arbitrary assembly instrucions betweent he pushes and pops as well as writing better shellcode
Could you explain about how to obfuscate shellcode and how after embeding into program decrypt it? I have created few programs on C# for crypt encrypt shellcode so It works without problems, but in your guide, I can't understand if you embed clean shellcode without obfuscation etc. that will be detecteble in AV so that's why I'm asking.
Yeah, i can totally do a video on that. It’s relatively simple to do. As you can pull down the decrypted shellcode from memory
@@CosmodiumCS this would be cool )
Ihave a question did u set MS defender out?
Yes, I have AV disabled in my development environment. However it usually goes undetected, especially if you don’t utilize metasploit generated shellcode. You may also want to add some additional instructions as there could be detections for the pushad/fd and popad/fd instructions being used as they are
Is this method preferred over creating a batch file that loads both programs, and then converting it to exe?
I would say yes. Utilizing the code cave makes it so that the trojan looks as close to the original file as possible. While the batch converted exe would load both, it could still be detected as malware as it doesn’t have any functionality past the loading of those executables👍
@@CosmodiumCS Thank you!
Does this work for Linux? Having trouble making a POC
Elf files are a bit different than exe’s, but conceptually speaking I don’t really see why it couldn’t work
@@CosmodiumCS I tried to recreate your steps for an Elf. As soon as I attempt the JMP to the code cave I get a segmentation fault. Also attempted with only push/pop and no shell code (it's like the code cave is read only or something) :(
can trojans be used with documents too?
Yes! But ur usually better of with macros or some sort of polyglot
Subbed
Surely that shellcode will be detected
Yeah, for the sake of simplicity i used metasploit to demonstrate the concept. Using something like donut or writing ur own shellcode is far more ideal
I don't want to seem like I am nagging but can you please put the wallpaper you use on the cyber store or give it to me in discord?
My bad, totally forgot. Just added it!
Execute fake genuine valid process