Pavel Yosifovich
Registry: The Main Hives
396 views

Videos

Darkside Clone Demo from the webinar
884 views, a month ago
just the code demo! source code: github.com/zodiacon/MalDevWorkshopWebinar
Fork/Join Parallelism
429 views, 2 months ago
For more on threads, see the course Windows System Programming 2 at training.trainsec.net/windows-system-programming-2-pavel. Source code: github.com/zodiacon/youtubecode/tree/main/PrimesCounter
Create Process with Alternate Parent
311 views, 2 months ago
Hooking Functions in a different Process
607 views, 3 months ago
Simple Function Hooking
733 views, 3 months ago
Drivers And Devices (Part 2)
352 views, 4 months ago
Drivers And Devices (Part 1)
790 views, 4 months ago
x64 Virtual Address Translation
987 views, 4 months ago
Injecting DLL with Shellcode
2.6K views, 5 months ago
Simple Data Race
332 views, 5 months ago
Hello Assembly!
1.2K views, 6 months ago
Assembly-only executable. Upcoming course: scorpiosoftware.net/2023/11/02/x64-architecture-and-programming-class/
Introduction to ETW
1.5K views, 8 months ago
DLL Injection with SetWindowsHookEx
2.6K views, 10 months ago
Committed vs. Reserved Memory
935 views, 10 months ago
Process Address Space Size
413 views, 10 months ago
Creating a Window
833 views, 10 months ago
Windows Containers
456 views, 10 months ago
Job Objects
455 views, 11 months ago
Shared Memory with Memory Mapped Files
1.3K views, 11 months ago
Enumerate Processes (part 2)
289 views, 11 months ago
Enumerate Processes (part 1)
539 views, 11 months ago
Simple Memory Sharing
592 views, 11 months ago
Substituting Executables
297 views, 11 months ago
Closing a handle in another process
364 views, 11 months ago
Maximum Handles in a process
313 views, 11 months ago
Task Manager: End Task
525 views, a year ago
Single Instance Application
665 views, a year ago
What is this Process Doing?
592 views, a year ago
Zombie Processes
845 views, a year ago

Comments

  • @Hallilo
    @Hallilo a month ago

    Great video as always. What I think would be really interesting is a video about the networking internals of Windows, because I never found a lot of information about that. I've read Windows Internals 7th edition part 1 and am currently reading part 2, but there isn't anything about networking.

  • @the_nurk
    @the_nurk a month ago

    Got to say, the one thing I appreciate the most about all of what you are doing is the dedication to digging to the exact fact I need to see to verify what you're saying is true. Windows makes that very hard.

  • @MarekKnapek
    @MarekKnapek a month ago

    Your registry tool is using old style look and feel scroll bars. Maybe you are missing the v6 common controls XML manifest?

    • @zodiacon
      @zodiacon a month ago

      No, the common controls 6 manifest is there. It's the normal style I am on win 10. It looks different on win 11.

    • @MarekKnapek
      @MarekKnapek a month ago

      @zodiacon OK, then something else is going on. The scroll bars are not consistent between the built-in tool and your tool.

    • @zodiacon
      @zodiacon a month ago

      I will say this: my tool supports dark mode and for that I had to use some hooks and subclassing, but I didn't touch the scroll bars that are built into windows (like the list view), because they are very difficult to customize.

  • @MrDimension0
    @MrDimension0 a month ago

    Thank you for the great video. I am wondering if we need thread synchronization, especially for the wchar process name changed by the configurator process and used inside the compare function inside the .dll? Also, what about memory barriers, so that writes to pid and process name actually flush the store buffer and can be observed by the DLL inside Task Manager? I'm a total noob on this and I am probably wrong. I would be grateful if you could add a short explanation of why we don't need to care about these threading problems in this case. Thanks a lot.

    • @zodiacon
      @zodiacon a month ago

      In theory, you would need thread sync (a simple mutex or SRWLock will do) because the globals are read and written potentially at the same time from 2 different threads, but not really in practice, since if something is observed as partially changed, it will be picked up correctly the next time NtQuerySystemInformation is called. A memory barrier here is an alternative to synchronization - you could add a memory barrier to force the memory to be observed by other processors right after the update to ensure sequential consistency, but again, from a practical perspective it's not needed, especially since the configurator exits quickly, which will force store buffer flushing. And in any case, the example is non-trivial as it is without adding sync to the mix :)

  • @the_nurk
    @the_nurk a month ago

    Can you use modular arithmetic for getting chunks?

    • @zodiacon
      @zodiacon a month ago

      What do you mean "modular arithmetic"?

    • @the_nurk
      @the_nurk a month ago

      @zodiacon czcams.com/video/lJ3CD9M3nEQ/video.html&pp=ygUdemFjaCBzdGFydCBtb2R1bGFyIGFyaXRobWV0aWM%3D

  • @amirmahdavi8005
    @amirmahdavi8005 a month ago

    Thanks.

  • @chicoern
    @chicoern a month ago

    Great video! Are you using an extension for syntax highlighting? If so, which one? Thanks!

    • @zodiacon
      @zodiacon a month ago

      I think it's what you get out of the box. But if not, there is a syntax highlighting extension from Mads Kristensen.

  • @ek2719
    @ek2719 a month ago

    Great content. Plenty to refer to in the future. Thanks!

  • @bludablaz
    @bludablaz a month ago

    Recently took the Rust class. You're genuinely a wizard. Absolutely brilliant work again.

  • @tgare8861
    @tgare8861 a month ago

    Hello, how are you? I want to ask you how to load a DLL from a byte array.

    • @zodiacon
      @zodiacon a month ago

      This is called Reflective loading. Look it up.

  • @MarekKnapek
    @MarekKnapek a month ago

    Nice! I was thinking about a C++ constexpr function converting from module name and function name to a hash. Then searching the module list and export list, hashing each element and comparing it to the pre-computed hashes. This way you hide the strings from antivirus and from offline analyzers. But no, Pavel encrypted the whole thing. Nice. A possible red flag would be running code that is not mapped to any file (the modified pages after decryption).

  • @batphamduong9700
    @batphamduong9700 2 months ago

    Hi Pavel, thanks for the tutorials... But all your tutorials inject into an already running process. How about creating a new process and injecting into it? My current problem is creating a new process (e.g. Notepad) and injecting into it... but sometimes it works... sometimes it doesn't... I don't know why... I just assume the DLL is injected when the Notepad process is not fully loaded.

    • @zodiacon
      @zodiacon 2 months ago

      Usually injecting into a new process is much easier, because you have an all powerful handle to it (no need to call OpenProcess which may fail). If you create the process suspended and try to inject to it, it is likely to fail, because the process only has NtDll loaded into it.

    • @batphamduong9700
      @batphamduong9700 2 months ago

      @zodiacon so what is the solution?

    • @zodiacon
      @zodiacon 2 months ago

      There is no "one, single" solution... do some research, try things out...

  • @ramyogeshwaran
    @ramyogeshwaran 2 months ago

    Super explanation

  • @askardyuss
    @askardyuss 2 months ago

    Very useful video, but I didn't quite understand one point. How does a new thread whose entry point is the GetProcAddress() function cause LoadLibraryA(dllpath) to be executed later on?

    • @zodiacon
      @zodiacon 2 months ago

      Sorry, I don't read Russian very well :)

  • @2radix774
    @2radix774 2 months ago

    high quality content

  • @MarekKnapek
    @MarekKnapek 2 months ago

    My idea would be to split the work into a fixed number of chunks, like 1024. Then spawn the same number of threads as I have processors. Or maybe add one or two threads more in case some thread gets stuck on I/O for a while, so the extra threads could run in the meantime. Then each thread would repeatedly take one work chunk from the shared queue until the queue is empty. This is more work for the programmer, but I believe the CPU utilization will be more even. For example, when the work items are parts of an image that needs to be processed in some way (ray casting). Or when converting a video file. If some part of the image is solid color, or if some part of the video is still, then the speedup would still be (close to) linear.

    • @zodiacon
      @zodiacon 2 months ago

      parallel_for works along similar lines, but it does not choose a fixed number, but uses the actual number of iterations, keeping the CPUs busy by throwing the next item at an idle CPU.
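The fixed-chunk, shared-queue scheme from the comment above, written out as an added example that is not code from the video, the PrimesCounter repository or the commenter. It assumes a prime-counting task like the one in the Fork/Join video and uses a portable std::thread plus std::atomic counter as the queue, in place of the Windows thread pool or parallel_for; the counter hands every chunk index to exactly one thread, so uneven chunks simply get picked up by whichever thread is idle.

```cpp
#include <algorithm>
#include <atomic>
#include <cstdint>
#include <thread>
#include <vector>

// One work item: count primes in [from, to) by trial division.
// Deliberately uneven cost per chunk (larger numbers take longer),
// which is exactly the case where static splitting wastes CPUs.
static int count_primes_in_range(uint64_t from, uint64_t to) {
    int count = 0;
    for (uint64_t n = from; n < to; ++n) {
        if (n < 2) continue;
        bool prime = true;
        for (uint64_t d = 2; d * d <= n; ++d) {
            if (n % d == 0) { prime = false; break; }
        }
        if (prime) ++count;
    }
    return count;
}

// Split [0, limit) into `chunks` fixed pieces and let `workers` threads
// pull chunk indices from a shared atomic counter until none remain.
// fetch_add is the "shared queue": each index is taken by exactly one
// thread, so no chunk is processed twice or skipped. Each thread keeps
// its own partial total, so the only shared write is the counter itself.
int count_primes_parallel(uint64_t limit, unsigned chunks, unsigned workers) {
    if (chunks == 0) chunks = 1;
    if (workers == 0) workers = 1;
    const uint64_t chunk_size = (limit + chunks - 1) / chunks;  // ceil
    std::atomic<unsigned> next_chunk{0};
    std::vector<int> partial(workers, 0);
    std::vector<std::thread> threads;
    for (unsigned w = 0; w < workers; ++w) {
        threads.emplace_back([&, w] {
            for (;;) {
                unsigned idx = next_chunk.fetch_add(1, std::memory_order_relaxed);
                if (idx >= chunks) break;                 // queue drained
                uint64_t from = uint64_t(idx) * chunk_size;
                uint64_t to = std::min(from + chunk_size, limit);
                partial[w] += count_primes_in_range(from, to);
            }
        });
    }
    for (auto& t : threads) t.join();  // join: every chunk has been processed
    int total = 0;
    for (int p : partial) total += p;
    return total;
}
```

Setting `workers` to std::thread::hardware_concurrency() (plus the one or two spare threads the comment suggests) reproduces the proposed configuration; the result is the same for any chunk or worker count.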

  • @bloodyink3423
    @bloodyink3423 2 months ago

    Thank you 4 ur videos

  • @_zproxy
    @_zproxy 2 months ago

    Can you spawn a new user-interactive session and then connect it to the console?

    • @zodiacon
      @zodiacon 2 months ago

      Possibly, if you have the SeTcbPrivilege.

  • @GregLindor
    @GregLindor 2 months ago

    What font are you using?

    • @zodiacon
      @zodiacon 2 months ago

      Cascadia Code (Light) - download free from Microsoft (Github)

  • @dharanisanjaiy
    @dharanisanjaiy 2 months ago

    Can we expect videos based on the Nt APIs instead of the Win32 APIs ^_^ ?

    • @zodiacon
      @zodiacon 2 months ago

      I use whatever is easier and gets the job done in videos :)

  • @nila27_98
    @nila27_98 2 months ago

    Great! I learned and studied a lot from your 'Parent Process vs. Creator Process' blog post. That's really cool code, but it would have been nice if you had put the CREATE_NEW_CONSOLE flag in when calling CreateProcess, because the 0xC0000142 error occurs if the process you're trying to spoof is a console process. And some UWP apps, such as calc.exe, do not have this spoofing. Anyway, thank you so much for sharing that information through blogs and YouTube.

  • @ronyg3017
    @ronyg3017 2 months ago

    I am getting an error where it keeps saying "'hDll' could be '0': this does not adhere to the specification for the function 'GetProcAddress'".

    • @zodiacon
      @zodiacon 2 months ago

      Are you sure it's an error? It's probably a warning at best.

  • @slava_xd
    @slava_xd 3 months ago

    Pavel, will you make a video on WTL in the future?

    • @zodiacon
      @zodiacon 3 months ago

      I have a complete course on that... training.trainsec.net/gui-programming-with-wtl. There are some free videos there.

    • @slava_xd
      @slava_xd 3 months ago

      @zodiacon oh, I'll buy it then. Thank you :)

  • @ALCHEMYTWEAKS
    @ALCHEMYTWEAKS 3 months ago

    You the best ❤

  • @nikos4677
    @nikos4677 3 months ago

    Dude, you explained some things I didn't know and it really helped, thanks. Most YouTubers ignore some important details and it's annoying.

  • @amerafa1
    @amerafa1 3 months ago

    yeaah new video.

  • @suen-tech
    @suen-tech 3 months ago

    Thank you

  • @shaovoon
    @shaovoon 3 months ago

    Very useful technique. Thank you for sharing!

  • @user-qt4vc5wc9g
    @user-qt4vc5wc9g 3 months ago

    Where can I get local offline Help for the Win API, like in your video?

    • @zodiacon
      @zodiacon 3 months ago

      Go to the Visual Studio 2022 installer and add the Help Viewer component.

  • @rayansec
    @rayansec 3 months ago

    Great video! I was trying to learn what ETW is and couldn't really understand it without examples, but this video helped me a lot! Thank you :)

  • @ALCHEMYTWEAKS
    @ALCHEMYTWEAKS 3 months ago

    Sir Pavel, I would like to ask what might be a silly question, and it's out of the context of this video... How can I verify whether something exists or not, for example a DWORD that I added in a specific registry path that affects a certain mechanism? Secondly, is there a possibility that, by default, it doesn't exist internally in the Windows kernel in some part of the code, but changes once the respective DWORD is added? (I'm new to this part, so I apologise for anything misleading.)

    • @zodiacon
      @zodiacon 3 months ago

      I'm not sure I understand your question, especially the second part. You can use Windows APIs like RegOpenKeyEx and RegQueryValue to find out if a key/value exists. If something changes in the Registry, you can get notifications in user mode and kernel mode. In kernel mode they are much more powerful.

    • @ALCHEMYTWEAKS
      @ALCHEMYTWEAKS 3 months ago

      @zodiacon Excuse me, I'll rephrase it. Let's take, for example, a registry path like "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\PriorityControl", which has some keys at this location that exist by default. However, I find some keys that are not present by default in this location. My question is how to verify if these new keys I added are indeed valid and potentially "active", or if they are as if they don't exist. I am asking this because friends send me various keys, and when I go through the process of recording the 'before and after' using xperf, comparing the execution time in DPC/ISR before and after, focusing on the driver that will be affected by the changes, I observe some differences between the before and after. I'm not sure if I am being clear, but I hope I've clarified it now.

    • @zodiacon
      @zodiacon 3 months ago

      I think I understand. There is no sure way to tell. You will have to reverse the kernel code to see if some keys/values are used. But you can use the strings.exe tool from Sysinternals or some PE viewer that can show strings within the PE. You may find various key and value names, and those are most likely used by the kernel (if they exist).

    • @ALCHEMYTWEAKS
      @ALCHEMYTWEAKS 3 months ago

      @zodiacon Thank you very much for your time!

    • @ALCHEMYTWEAKS
      @ALCHEMYTWEAKS 3 months ago

      @zodiacon I would like to ask one last thing: if a certain 'parameterization' or registry key does not officially exist in any Microsoft documentation, is it likely that it does not exist?

  • @amerafa1
    @amerafa1 3 months ago

    Hello, can anyone please give a hint on what I'm doing wrong? I'm trying to open a handle to the keyboard device, check if CAPS LOCK is on and, if it is, turn it off. Everything is working correctly except the DeviceIoControl call to turn CAPS LOCK off.

        #include <Windows.h>
        #include <stdio.h>
        #include <ntddkbd.h>

        int main() {
            // Open the first keyboard class device for writing only
            HANDLE hDevice = CreateFile(LR"(\\.\GlobalRoot\Device\KeyboardClass0)", GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr);
            if (hDevice == INVALID_HANDLE_VALUE) {
                printf("Error opening handle to file\n");
                return 1;
            }
            KEYBOARD_INDICATOR_PARAMETERS inputBuffer{};
            KEYBOARD_INDICATOR_PARAMETERS outputBuffer{};
            ULONG DataLength = sizeof(KEYBOARD_INDICATOR_PARAMETERS);
            ULONG ReturnedLength;
            inputBuffer.UnitId = 0;
            outputBuffer.UnitId = 0;
            // Query the current LED state
            if (!DeviceIoControl(hDevice, IOCTL_KEYBOARD_QUERY_INDICATORS, &inputBuffer, sizeof(inputBuffer), &outputBuffer, sizeof(outputBuffer), &ReturnedLength, nullptr)) {
                printf("Error sending IOCTL\n");
                CloseHandle(hDevice);
                return 1;
            }
            if (outputBuffer.LedFlags & KEYBOARD_CAPS_LOCK_ON) {
                printf("Caps Lock is ON\n");
                // Turn off Caps Lock
                inputBuffer.LedFlags = 0x0;
                if (!DeviceIoControl(hDevice, IOCTL_KEYBOARD_SET_INDICATORS, &inputBuffer, sizeof(inputBuffer), nullptr, 0, &ReturnedLength, nullptr)) {
                    printf("Error setting caps lock\n");
                    CloseHandle(hDevice);
                    return 1;
                }
            }
            getchar();
            CloseHandle(hDevice);
            return 0;
        }

    Another doubt is that I'm able to open this handle with GENERIC_WRITE permission, but with GENERIC_READ it doesn't work. Is this a security policy to avoid getting the keys pressed from user land? Where can I find out about device object permissions?

    • @zodiacon
      @zodiacon 3 months ago

      Make sure you're connecting to the correct device - KeyboardClass0 might not be the right one - if you have a laptop keyboard and an external keyboard for example. In some cases you won't be able to open a handle to the device (sharing violation). Also make sure UnitId is the correct index.

  • @Hallilo
    @Hallilo 4 months ago

    Nice series :)

  • @amerafa1
    @amerafa1 4 months ago

    thank you.

  • @ek2719
    @ek2719 4 months ago

    Thank you.

  • @_zproxy
    @_zproxy 4 months ago

    Nice. Is the example on GitHub?

  • @ahmedeissa7148
    @ahmedeissa7148 4 months ago

    thank you

  • @user-ry7gh8vb3l
    @user-ry7gh8vb3l 4 months ago

    I read the handle value from the output of handle64.exe; I needed to use base 16 to get a valid handle: HANDLE handle = (HANDLE)(ULONG_PTR)strtol(strHandle.c_str(), nullptr, 16); Thank you for this video (and many others)!

  • @2radix774
    @2radix774 4 months ago

    Dude, that's cool, you should write a book or something.

    • @zodiacon
      @zodiacon 4 months ago

      :D

    • @2radix774
      @2radix774 4 months ago

      @zodiacon I have a question. If I would like to learn things about Windows system internals I would read your book, but where did you learn about Windows systems? Your book hasn't been released yet.

    • @zodiacon
      @zodiacon 4 months ago

      Many of my books have been released... check out leanpub.com/bookstore?search=pavel%20yosifovich&type=all and www.amazon.com/stores/Pavel-Yosifovich/author/B00A2OTORO

    • @ek2719
      @ek2719 4 months ago

      Great content as always. Much appreciated.

    • @Bomag
      @Bomag a day ago

      @zodiacon Dude, these are great. You should plug these in your videos and put them in the description so people can find them.

  • @amitmoshel9847
    @amitmoshel9847 4 months ago

    Very informative, thank you Pavel!

  • @nicoooxx
    @nicoooxx 4 months ago

    trappo is your BIGGEST fan (in weight terms)

  • @tylerm.3306
    @tylerm.3306 4 months ago

    trappo is your biggest fan! Keep up the work

  • @EnLopXf
    @EnLopXf 4 months ago

    I hope you create more great videos.

    • @zodiacon
      @zodiacon 4 months ago

      Expect a new video tomorrow!

  • @dadogwitdabignose
    @dadogwitdabignose 4 months ago

    You're a life saver, man. Thank you so much.

  • @stephencole9289
    @stephencole9289 5 months ago

    Setting the memory as executable later (and as read/execute), i.e. not at the same time as setting it RW, to try to avoid things noticing, was clever. Worth noting you have to be admin (or have debug privileges?) to do this injection etc.

    • @zodiacon
      @zodiacon 5 months ago

      No need for admin rights or debug privilege. It depends on your target process.

    • @stephencole9289
      @stephencole9289 5 months ago

      Ah yes, if the target process was started by (running in the context of) the current user doing the injecting, then it's OK. Which is also why a normal user can debug their own running apps. The comment was more to highlight the fact that you can't inject into system processes etc. without the necessary rights.

  • @stephencole9289
    @stephencole9289 5 months ago

    At 19:00, the ASLR address of LoadLibrary in the target process is USUALLY the same as in the program doing the injecting, i.e. common for the state of the system since the last reboot, but not guaranteed for certain DLLs?