How Hackers Evade Program Allowlists with DLLs

I love that Nim is in this picture. It is such a nice little language that sadly gets attention by bad actors

yes please, more nim content. thank you for your service

Your videos feels like 5 minute long. Your method of explaining is so much interesting and captivating, sure do love to see more nim action.

I'm a Python guy, so seeing that style of syntax used on lower level winapi stuff is sick! I'd love to see more Nim stuff in the future. So unfortunate a powerful lang with a familiar syntax has a bad rep.

Nim deserves more community attention. Although I don't think they would be happy to hear they are again being used to develop malware. Anti-malwares are already flagging them as malware because so many people are using it to that end :D

Yes! We want more Nim. I've never used it, and would like to know more about it and how it's being used in the security space. 😊

I've been interested in learning Nim, so I'm definitely interested in seeing more

Thank you! Absolutely need more cool stuff in NIM.

That Right of Boom shirt though... IYKYK

Why do people use Nim instead of Python? First time I've ever heard of Nim and am curious

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters]
"AutodialDLL"="C:\\Windows\\System32\
asadhlp.dll"
Change the file to your dll which u want to inject, start the program and it will inject in every process with system rights. I use this this to inject the ReverseKit into highly obfuscated malwares/loaders. After your injection just set the old dll

Why on earth have I never heard about Nim???

very nice and easy to understand, thank you

Thx for new video!😊

John, you are just firing off videos here lately, I love it. Thanks!!

It's the first time I even heard from nim. Looks easy to have fun with. But dll sideloading is hard, for most apps you have to be able to write into a directory of the app, but it's a possible way. But this is hard compared to just start an exe and then, you filter out script kiddie attacks.

This was cool, but I was hopping for an explanation on how to find applications that are vulnerable to dll hijacking

Would love to see more stuff on nim and DLLs!

And now using Nim language, John, you now have my full attention.

More nim please

Its how roblox gets hacked non stop by using dll

I weep for the day when all my Nim payloads get flagged. Every other week it seems like more and more effort is required to keep them working, pre-obfuscation.

ah yeah deff had my first dll fk my pc up back in 2004. unforgetable.

Nice. Next video on some type of SQLi, maybe🤷😉

I know C++ and rust quite well. Should i learn nim for offensiveNim or ofRust, OfCpp will do the work?

Thanks for your daily Tutorial

yes pls, more bim stuff

I love your content my Friends thanck tou men for best channel.

Great video.. make some more fun Nim video's 👍

Not using Rust/10. :P I bet if you tried hard enough, you could do this in Python, too.

Great content

I would love to learn more about nim and how it can be used to hack.

Isn't there a program out there that can scan all the .dll files on a system or in a folder, checking them for malicious activities?

Super neat! 🤓

So this is a persistence mechanism, not an initial access vector?

I created an entire undetected reverse shell via DLL Sideloading on an official windows application.

Stay watch.. 🍿

yes

More NIM wouldn’t be horrible.

Can Windows trigger SystemRestorePlatform.exe as System user?
Its running as standard user in this tutorial.

Learning is hai movement more

Beginner positional to explaining middle option for you explain

🤓

cant believe im this early lol

I'd love to play with Nim more, but last time I messed around with it and was just starting out doing "hello world", EDRs flagged it just because it was Nim.... it was Hello World.... :(

sir can you crush or bypass some apps

literally you are teaching hackers how to compromise victims :)))

Hackers can employ various techniques to evade program allowlists using dynamic-link libraries (DLLs). Here are a few common methods:
DLL Side-Loading: This technique involves exploiting the way Windows loads DLLs for an application. Hackers identify a trusted DLL that is allowed by the program's allowlist and replace it with a malicious DLL having the same name. When the program is executed, the malicious DLL is loaded instead of the legitimate one, allowing the hacker to bypass the allowlist.
DLL Hijacking: In this method, hackers identify programs that load DLLs using a relative path or search order. They place a malicious DLL in a directory that is searched before the intended DLL location. When the program is launched, it unknowingly loads the malicious DLL, bypassing the allowlist.
Reflective DLL Injection: This technique involves injecting a DLL into a running process without writing the DLL to the disk. Hackers load the malicious DLL directly into the process memory and execute it from there. Since the DLL is not written to the disk, it can evade allowlists that check for file presence or file hashes.
DLL Proxying: In this method, hackers intercept calls to legitimate DLLs by creating a proxy DLL. The proxy DLL loads the original DLL and performs the intended functionality while also executing malicious actions. This way, the hacker can bypass the allowlist by ensuring that the proxy DLL is allowed while the original DLL may be restricted.
DLL Load Order Hijacking: Hackers take advantage of the DLL search order used by Windows. By manipulating the order in which DLLs are loaded, they can force a program to load a malicious DLL before the legitimate one. This way, the malicious DLL can override the legitimate DLL's functionality and evade allowlists.
To mitigate these evasion techniques, organizations should consider the following countermeasures:
Regularly update and patch applications to prevent known DLL vulnerabilities.
Implement strong allowlisting mechanisms that validate DLL signatures, hashes, or secure file paths.
Employ secure coding practices to prevent DLL hijacking vulnerabilities in applications.
Monitor DLL loading activities and detect any anomalous behavior.
Implement behavior-based security solutions that can identify and block malicious activities performed by DLLs.
Apply the principle of least privilege by ensuring that applications and users have the minimum required permissions to reduce the impact of any successful DLL attacks.
It's important to note that the effectiveness of these techniques can vary depending on the security measures in place and the sophistication of the attackers. Staying updated with the latest security practices and maintaining a strong defense-in-depth strategy is crucial in mitigating DLL-based attacks.

Nim pleeease!

Early. :3

Gief more nim plz

PE LOADER

Dll more explain 😡🤖🚩

Ptp , elements ip /update/ ecppt exam
Oscp

Nim limn moor explain deep class the little bit understanding how to explain in the "full file"explain what video

Jesus Christ the pronunciation 😂

Meanwhile windows calc why are you making look bad to people what i did to you 🤣

Llmnr

“allowlist” in whitelist in cuckspeak btw

Very cool stuff, I've never even heard of nim until now lol
Given that he used SystemResetPlatform.exe to lauch calc.exe, could this be potentially used to make a persistent malware that wipes files or makes the system unbootable when a system reset is attempted? That would be really cool to see.

Nim is awesome

+/dll mind moor explain deep class+/-/cylekytr