How Hackers Exploit Vulnerable Drivers
Vložit
- čas přidán 4. 10. 2023
- jh.live/maldevacademy || Learn to develop modern malware and more BYOVD techniques with Maldev Academy! For a limited time you can use code 'HAMMOND10' to save 10%: jh.live/maldevacademy
Free Cybersecurity Education and Ethical Hacking
🔥CZcams ALGORITHM ➡ Like, Comment, & Subscribe!
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
One of my favorite topics so glad to see you do some deep dives on it love the content man
Nice video, John!
Great content John
Finally Was Waiting For This Video
I just got an ad with John at the start and thought the video had already started lmao
This is scary. Great video !
Thanx for sharing John...sweeeet shirt!!
Funny seeing an ad before this video with you in it 😂
So impressive, THX bro.
Note - The interesting stuff (loading the driver etc) needs to be done as admin. However the driver etc then allows you to do things that even having admin wouldnt be possible or easy.
How would attacker get privilege escalation in first place??
@@ytg6663 There are different aproaches, most users are simply dumb and will click on "yes" if the system asks for it...
@@ytg6663 Cause windows already uses a lot of drivers and often these have vulnerabilites.
@@ytg6663 @stephencole9289
actually this method is first and mostly used by game hackers for bypassing kernel level anticheats by loading their cheats or anticheat bypass mechanisms on kernel level, i didnt saw it being used or exploited by a threat actor in the post exploitation phase after "gaining initial access to victim systems", so yeah you can say that the whole point of this hack is just to get some ring 0 access on systems to do other shenanegans (though u can use it as a post expllitation tool to do some other shit as well)
@@ytg6663 hmmm.. the user doing it
Professor, if I don't understand this course where I do have to start?
Could you give me advice from basic step? I have empty brain in IT area.
Didn't expect to see good ol' UC in the video
Nice video!
But wouldn't you see the executed comands at 22:10 in an EDR under the msmpeng process tree? Or will comands executed on a kernel level not be visible on an EDR?
This video doesn't test against EDR only against AV. If you try to inject into EDR then this would still work and you would successully be injected into EDR process but it will also trigger an alert and create events because EDRs also use kernel drivers for monitoring and protection of its own user mode process. The proper approach would be removing EDRs callbacks before trying to inject the payload because in the kernel you are a lot more exposed then in user space in regards to visiblity.
Also, the driver is the only component here that runs in the kernel. The injected shellcode runs in user space and not it the kernel.
Unbelievable tool I've never seen
Anyone else get the synk ctf ad from the prevideo ads?
Where do I get one of those shirts?
Would have liked to see the network and security event logs when you ran commands after the system was vulnerable.
DIY...
What if it patched the Event viewer 🙂
Thanks you
Great job but be cool to have all your sources
Nice shirt john hammond
Hi, thanks for the great video. I have a question.
How the shellcode is decrypted and which component will decrypt it?
The encrypted shellcode basically decrypts itself during runtime
@@tanvorn9323 cool. Thanks
Wow Respekt 👍👍
Havoc is a fork from Villain right? Just with some extra functions
Villain was written in python. Havoc is Go/C/C++. So I doubt it.
Does anyone know how to exit graphical mode in Linux Parrot 5.0?
now this is a cool content I always wanted to see
u m8 are mind blowing :)
I love synk ;-)
love you
I can't find the kernlLdr
Nice stuff but too expensive for a hobby!
Hey John, 🎉
Great work 🎉🎉
cool
Oh now?! Why are you launching cmd?!
Unbelievable man, how long have you been hacking for?
He sooooo should have played with KDU, its mind blowing cause kdmapped is way old
maldev is the best shit i have come across to learn malware development but their price is just a bit high
All of their content is free and leaked as soon as it gets posted. U just need to know where to find it
I like kernel ;-) salam dari indonesia anonym
😄
Is there a way to make me stop hating windows hacking? Could you make a video about this issue? It seems loads of people are in this state of mind
Bruh that’s what I’m thinking every day. Feel it.
Mission complete > enjoyment until then
Tell us about MBR Bootkits😅
LoL
is this binary exploitaion
Well, without digital signature if you try to run any executable defender will flag it. It worked because it is compiled on the same machine where it was executed. Else I don't see anyway around it.
what are you talking about? Defender wont flag any executable but it will just throw a security warning for the exe, and ask the user if he really wants to run it
also i dont know if you know but other files exist besides executables
Digital Signature blocks unsigned drivers and on windows 10 and 11 there is also driver blacklist which will stop from loading any vulnerable drivers that are known for being abused. However, if you load a signed driver that is not present in blacklist then you could use it to load another unsiged driver into kernel which then you can call by your client application. Defender & EDRs won't stop you unless you are trying to load something that has been already signatured.
@@nero2k619 you can pay to have your drivers signed, or you can manually map your drivers with open source tools
@@nero2k619are you talking about using a signed driver to turn off windows DSE?
I bet all those cheaters on Warzone, or R6 Siege, all have a vulnerable driver installed on their system, to get around the anti-cheat. 🤔
Usually kernel anti-cheats require a driver so in order to bypass the anti-cheat you also need a driver to abuse it.
@@nero2k619 that is literally what this is...
@@nero2k619 also, this is highly dependent on the developers to implement the anticheat properly, whether it's in house or third party, into their game.
But the two games that I mentioned do require kdmapper, or another tool, to install and use a vulnerable driver and load your own driver.
@nordgaren2358 I think you misunderstood me. I know how this all works and how cheat devs bypass anti cheats.
@@nero2k619 Same. That's why I mentioned that they all have left themselves open, which is nice to think about, because cheaters in those games are extremely frustrating.
Big problem with newer tech, though. There's been aim-bots that work off output from a capture card, for a few years, now. I've also heard, recently, that hardware memory access using an adapter and an external PC, is starting to become a method for skirting the anti-cheat.
And then there's companies that don't read the manual, and integrate the anti-cheat into their game in a manner that just requires the user emulate the anti-cheat on the client side, and send a few packets every now and then.
But the easiest way, by far, is to install a vulnerable driver, and, that is just a bad idea. I'm sure WinPEAS would pick it up, easily.
If you have Cloud Delivered Protection off 90% chance your malware wont get flagged lol.
hey, that's where script kiddies are made
250$ for a few months access.................. this feels very seedy
You were already admin when running that shellcode, there’s a million ways to to do shit like become a system or execute c2 payload
Kinda pointless if you need admin priv to do it. Might as well use token impersonation technique if you have admin priv to escalate to system which is also less complicated
Revoked driver certificates is a thing. Microsoft is working to defend its users.
Shill
lol
@@nezu_ccYou can actually disable the msft driver block list programmaticly, my program ksDumper 11 does this as a pre-req to leveraging KDU to load the ksDumper driver
comments like this make me want to switch to linux
@@zaki_flif you do make sure you use UFW (its not on by default in some distros), SELinux or Apparmor rules and Lynis for audits and you should be fine unless your motherboard UEFI has a critical CVE
So I just learned about Havoc LMAO.... SOOOOOO since Havoc doesn't seem to have any "auto-pwn" features, is it OSCP-friendly?
You don't need a c2 for anything on the oscp.
@@somerandomwithacat750 Netcat gets boring lol... I can see the benefit of to use it as way to manage rshells. Seems to automatically upgrades to a 'smart' shell, thats nifty; extendability!! I realize you can do it straight on the terminal but why not? I need to play around with it some more.
I am unreasonably angry that they called it "demon" and not "daemon"
This topic is way over hambone's skillset.
😂😂😂
A « mind-blowing » technic that requires to be admin of the machine in the first place. Lol. That’s cool but just when you want to play at home. This is not how it goes in real life within big companies. Hackers are using way more efficient and straightforward procedures.
you speak so fast that I have to slow down the video to 0.75
John, how much coffee or caffeine did you have before you made this video. You talk so fast. Slow down bro.
Bro....quit sharing our community with skids.
I have an investigation that might make an interesting video. How can I contact u
You can contact him with his details under the video.