Malware Development: System Calls
Vložit
- čas přidán 5. 07. 2024
- #Malware #Development
🦠 Use code "CROW10" for 10% OFF your order when you checkout at Maldev Academy! maldevacademy.com/?ref=crow
I sincerely hope you enjoyed watching this installment of our ongoing malware development series. I know the kernel debugging portion was a bit rushed, and for that, I apologize. I had an entire segment dedicated to kernel debugging, the intricacies of MSRs as well as the incredible CPUID instruction, and all of that planned out for this video but as you could imagine, had I included that, the video would be a month-long. So instead, I'm working on a blog post that will take you into harrowing depths of that entire process, so make sure you look out for it here: www.crow.rip/
Either way, thank you so much for watching, nerds! :D
🌐 Websites/Things Mentioned + Extra Reading:
Once I finish my blog, I'll include a link to the references section which will have all of these links and a LOT more.
Intel® 64 and IA-32 Architectures Software Developer Manuals: www.intel.com/content/www/us/...
A Syscall Journey in the Windows Kernel: alice.climent-pommeret.red/po...
The Quest for the SSDTs: www.codeproject.com/Articles/...
System Service Descriptor Table - SSDT: www.ired.team/miscellaneous-r...
OS2's Free Internals Course: p.ost2.fyi/courses/course-v1:...
HellsGate: github.com/am0nsec/HellsGate/...
Direct Syscalls vs Indirect Syscalls: redops.at/en/blog/direct-sysc...
ByePg: Defeating Patchguard using Exception-hooking: blog.can.ac/2019/10/19/byepg-...
Infinity Hook: github.com/everdox/InfinityHook
GhostHook - Bypassing PatchGuard with Processor Trace Based Hooking: www.cyberark.com/resources/th...
⚠️ Disclaimer:
The information presented in this video is for educational purposes only. It is not intended to be used for illegal or malicious activities. The creator and any individuals involved in the production of this video are not responsible for any misuse of the information provided. It is the responsibility of the viewer to ensure that they comply with all relevant laws and regulations in their jurisdiction.
💖 Support My Work
/ cr0w
ko-fi.com/cr0ww
www.buymeacoffee.com/cr0w
Join this channel to get access to perks:
/ @crr0ww
🔖 My Socials
/ discord
www.crow.rip/
github.com/cr-0w
/ cr0ww_
The images and music used in this video are used under the principle of fair use for the purpose of criticism, comment, news reporting, teaching, scholarship, and research. I do not claim ownership of any of the images/music and they are used solely for the purpose of enhancing the content of the video. I respect the rights of the creators and owners of these images and will remove any image upon request by the rightful owner.
Copyright Disclaimer under section 107 of the Copyright Act of 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, education, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing.
🕰️ Timestamps:
00:00 - Intro
02:38 - Learn Malware Development
04:26 - Today's Agenda
05:07 - Recap
07:48 - Post Syscall Invocation
16:20 - Direct Syscalls
20:05 - API Hooking Demo
25:36 - Back to Direct Syscalls
37:53 - Indirect Syscalls
44:28 - Outro - Věda a technologie
📌 Use code "CROW10" for 10% off your order when you checkout at Maldev Academy or use this link: maldevacademy.com/?ref=crow
Font: Terminess Nerd Font Mono
Colourscheme: Zero (Dark Theme)
I sincerely hope you enjoyed watching this installment of our ongoing malware development series. I know the kernel debugging portion was a bit rushed, and for that, I apologize. I had an entire segment dedicated to kernel debugging, the intricacies of MSRs as well as the incredible CPUID instruction, and all of that planned out for this video but as you could imagine, had I included that, the video would be a month-long. So instead, I'm working on a blog post that will take you into harrowing depths of that entire process, so make sure you look out for it here: www.crow.rip/
ERRATA:
- I just realized after rewatching this that I was doing "CONST LPCSTR" when that's not necessary at all since LPCSTR is literally: "typedef const char* LPCSTR;" HAHAHAH LOSING MY MIND
tysm for watching, nerds. luv u all terribly
Oh mom look i made it into a crow video.
Yeah as expected 😅
:blushing_emoji:
Ohh look it is spider
Aren’t you one of the contributors to Maldev Academy?
I am a web developer, i don't understand anything, but i love these videos, keep it up!
aw thank you
Have not even made it this far in the series, but I had to show support. Keep it up, we appreciate you.
i really appreciate that! thank you so much
I literally just finished watching your Native API video and now you upload this, - literally GOD.
just came across your page by pure chance and watched your processes, handles, and threads video. headed over to your website and your statement in the faq section was very wholesome and encouraging. thank you for documenting your journey and having a positive outlook for newcomers :) deff earned my sub and a bookmark to your blog.
Hell yes another crow video! Still need to go back and catch up on the previous vid but it's great seeing more stuff from you!
omg you gave me a hart attack with the fear and hunger sound 1:25
XDD
babe wake up crow just uploaded a new malware video
WAKE BABE UP, WE HAVE MALWARE TO MAKE
Man!!! Finally a new video :D Didn't still watched it entirely but it's obviously gonna be fantastic. Ik doing this videos takes time and commitment but please do them more often ahah!
thank you so much!! yeah it's a ton of work but your response(s) make all of the grey hairs super worth it :)
Your videos are so good, my tiny brain can finally understand all this stuff. Keep it up!
I'm currently making an os and it's great to see the point of view of the userland people on the other side =)
+ I've learned some stuff, it's grealty explained, continue like that !
thank you so much! :)
I've just discovered your channel and OMG keep it up man, you're a GEMMMM
This is why we need syscall kernel interception like we do in Linux with SECCOMP.
Great video by the way!
Quality! Your channel is going to blow up.
Your LOCO❤😂 4:16 Love the content; keep up the incredible work!
I just finished my os class. Really love it haha
Yow the legend is back!!
Nice vid as always crow, thanks
thank you so much! i'm really happy you liked it :)
He's finally back after his hibernation
FINALLY A VIDEO
Man you gotta make more videos, you're the new liveoverflow but more funny and less serious.
thank you so much for your comment; I really appreciate that! liveoverflow's the GOAT tho :')
@@crr0ww yeah, he is!
But ever since he started using his face on camera his videos seem too "formal" or professional. More like John Hammond, but if he was German I guess...
NEW CROW VID?? LETS GOOO
this video taught me a lot, love it :)
ah, great!! that means i've done my job haha thank you so much for commenting
Great vid as always. What font is that ?
I love watching these even though I don't understand any of the shit that is going on lmaooo
Sos un capo cuervito. Excelente contenido ✨
Inspiring next generation of Greybeards ⚡⚡
Awesome ❤ Thanks!What a theme name in visual studio bro?
Thank you. Prob going to watch this at least 100 times.
i appreciate you, brother! thank you so so much
@@crr0ww 19:01 that API hooking/unhooking video tho... 🙏
YAYAYAYAYAYA MY GOAT UPLOADED
CROW SIR SIR CROW YESSSSSSSSSSSSSS
Welcome back ❤
Used your promo for the maldev academy baby!
Operation Tux continues 😅
He’s back!
hey!! thank you so much for commenting, brother! i LOVE your videos as well, such a unique style! keep up the GREAT work, you'll get really far I can already tell
@@crr0ww 🖤
CROW WHERE HAVE YOU BEEN
I MISS YOU LOVE
mr crow i love you
MORE TUTORIALLS WE SHALL SEE
CROW CROW CROW
LESS FUCKING GOOOOOOOOO, new crow vid
@crr0ww do you have a discord server or something similar?
A video about antivirus intrusion would be nice.
Let’s GOOOOOO 🎉🎉🎉🎉🎉🎉
What's the music at 11:50? Starts a little earlier then that but Shazam as failing me cause it's copyright free music :(
mom, look! cr0w uploaded!
that's my goat right there
HES BACKKKKK !!!!! 🎉🎉🎉🎉
finally bro
does anyone know what font he uses?
thanks crow
it's my pleasure
i would like to inject my malware into crow :3
BAHAHAHAHAHA
_
HAHAHAHA LETS GOOOOO i wrote it down on some sticky notes so I don't forget it again :')
@@crr0ww 😂♥
touching everything
😭
finally
whats your font in vs?
Nice
Crow why did you just ignore us and drop this new video asdjasdhakjdadasda ily always
Can anyone link the equivalent of this but on Mac plz 🤗
Imagine calling pantaloons trousers LuL
Aren't all variables saved in the .TEXT section either way? Why did he manually added that code at 29:00?
variables go into .data section.
if we specify to allocate in .text section then contents of our variable can be executed because .text section is executable by default
Thanks for the reply. But if I define the shellcode variable inside main(), it will be located in .TEXT and not .DATA. And after your logic, it would mean that shellcodes defined in the global section of the program (not within main) cannot be executed.
I'm probably missing something here...
ur the best
All of this just serves my point. The NT Kernel f***ing sucks balls.
Hey crow whats up man ✋
hey!! how are you :P
how to modify exploit code
Bro!!!
Holy shit! I thought yt assasinated him!
THEY GOT REALLY *REALLY* close 😓 still have more videos to make, can't stop now :')
MOB PSYCHO 100!
What do you mean ?
@@fodk7021 its anime.
@@hell0kitje yes but where is it in the video.
@@fodk7021 its in thumbail
@@hell0kitje I thought it was midoriya from my hero academia
bro.. iam from bangldesh ..plzz make more video
all your syscalls are belong to us
Lmao just thought about you yesterday
a group of crows are called a murder... are we, as your fan base... murderers?
WTF 9:56 😂😂😂😂😂😂😂😂
hot
a more in-depth video on indirect syscalls would be great, im not sure everything was covered, noob here. i can only cross check with the maldevs module.
PS. i came with the power of thousand suns, you should get exclusive rights for maldev sponsoring, why watch boring jurassic park man when crow videos exist?
lmfao please mr. d0x do this, the world will be a better place if crow becomes THE teacher. me not knowing C and low level programming well had some difficulties understanding the material but now so much has gotten clearer it's not even funny. ILY Crow
heyyo you're alive ?
YESSIR!!! :)
yo man nice nickname
thank you RAVEN, nice nickname as well, RAVEN :>
Lmao. Urien spotted.
ah yes here i am again
and i'm so happy u are
psst hey kid, wanna buy some skooma?
Thats cool but how do I get free robux
YOU THINK I'M AT *THAT* LEVEL, MIKA? THAT'S TOO ADVANCED FOR ME!1:$!$:
crow is so sexy
do you have a job?
what is it?
I don't understand what you're trying to achieve. You can't do "useful" functions such as virtualalloc or openprocess to modify processes' memory without admin access.
Inline assembly works in VS2022 just fine.
I was thinking rax is the GetProcAddress but its a special number. That makes using syscall even more pointless.
unsigned long long count = 9;
__asm {
mov rax, 31H
lea r10, count
xor edx,edx
xor r8d, r8d
xor r9d, r9d
sub rsp,40
syscall
add rsp,40
}
std::cout