- 50
- 71 232
Pavel Yosifovich
United States
Приєднався 28 вер 2021
Short videos related (mostly) to Windows Internals and software development.
Відео
Shell Icon Handler extension
Переглядів 537Місяць тому
Change the icon of a DLL in Explorer based on its "bitness" (A simpler and more correct code for checking bitness is shown at the end of the video)
CreateProcessAsUser vs. CreateProcessWithTokenW
Переглядів 964Місяць тому
CreateProcessAsUser vs. CreateProcessWithTokenW
Simple RPC Client/Server
Переглядів 1,3 тис.3 місяці тому
Demonstrates building a very simple RPC client /server from scratch.
Darkside Clone Demo from the webinar
Переглядів 1,2 тис.9 місяців тому
Darkside Clone Demo from the webinar
Create Process with Alternate Parent
Переглядів 48510 місяців тому
Create Process with Alternate Parent
Hooking Functions in a different Process
Переглядів 1,4 тис.10 місяців тому
Hooking Functions in a different Process
I love your teaching style. The fact that you go into the "why" things are that way, and some of the history/lineage behind things, makes it much easier to understand and retain the knowledge being shared. It's very rare to find videos that give multiple viewpoints using multiple tools - like you did here showing how the various services information is exposed through service manager, registry editor, task manager, process explorer, and even command line sc. I've been in IT for over 25 years and have used all those utilities extensively, and even I've come away learning a bit and now have a better understanding of services and how/why they are executed these ways. Awesome job! Earned a new subscriber :)
great video, you conviced me to purchase one of trainsec courses
awesome, thanks !!👏👏👏
you need to set primary screen to have dialogs pop up into video..
I know, but the screen I'm using is more convenient for me.
Please can you make video about windbg I couldn't find any resources that is easy I need you to cover both kernel and user debugger
There is my "Mastering WinDbg" course on Trainsec (training.trainsec.net/mastering-windbg)
want winapi or drivers look at his books theyre magic i promise
@zodiacon can you make an video about running an Service DLL in Svchost?
sir, what is your Visual Studio theme and font name?
Theme is standard "Dark", font is Cascadia Code (download free from MS github)
Does this technique work if the injector app is 64bit but target process and dll are 32bit? Or do i need to use a proxy 32bit process?
It can't work with different DLL/process "bitness". You need a 32-bit version of the DLL to be injected into a 32-bit process.
@@zodiacon Yes, i know that. I ask if i can inject 32bit DLL into 32bit process with 64bit injector, using this technique. Actualy i tried and it not gives any error but DLL is not injected. Maybe i miss something. Upd: oh, because kernel32 has not same address in 32bit and 64bit process memory space
Correct. You need another way to find the address of the 32-bit LoadLibrary.
@@zodiacon For now im using EnumProcessModulesEx to get k32 address on target process and add LoadLibrary offset to it.
Thank you! I followed the same instructions to configure symbols for Process Monitor and it worked too :)
Great explanation! That really helped me a lot to understand and a land the lectures I've been reading about COM.
my man pavel got me and my homie a xmas gift windows programming part 1 and 2 with the kernel programming for after best 100 dollars i spent this whole year
Amazing :) regards from Peru south America :)
Yet another amazing video.
But you don't use Api CreateProcessWithTokenW....
It's used in CreateProcessWithLogonW (calls LogonUser and CreateProcessWithTokenW in one stroke).
As always you are amazing ❤❤❤❤❤
does explorer do animated icons yet? on hover?
Not that I'm aware of.
Hi pavel, i wanted to thank you for making these amazing videos about these interesting things (the shell internals always got me interested but i couldn't find a lot of information about it). By the way i just got your kernel programming book :)
Very glad you make videos on various topics. It is really magnificent discovering many different topics you cover, and they are always interesting and well explained.
Hello sir can u please make a video on getting the user logon events using etw provider I have tried it but using the provider Microsoft-Windows-Security-Auditing I can't able to get any event using this provider
I'm afraid I am not a video producer on demand.
@zodiacon just asking in intrest
I didn't try it, so can't tell. You wrote that you "have tried it". How? Check with other sources online. Also, please understand this is not a support channel for random topics of interest. You can join the Trainsec Discord community and ask there.
@@zodiacon Thanks, by the way, I am very grateful for your kernel development books.
@@zodiacon can u please share the discord invite link
<3
Lets say i want to do all of this on sn Android app emulated on my pc Is this possible?
You could inject a DLL into the emulating process, but not the specific android app.
Great stuff as always Pavel! Thank you for the content.
great video!
12:30 I’m looking forward to the video about the missing crucial pieces
hi pavel, thanks for sharing great contents for free, it would be so nice to make a video about registry programmingm , like services you did, thanks :)
I'm new to this. My observation is that when you create shared memory where 8 processes can write *in their own segment*, and then after some time close the view for these 7 processes and try to read with the remaining process what the others have written, about 2% of the writes seem to have failed: there is nothing there but zeros. The result is not always the same, and waiting a few seconds before starting the read helps somewhat. I stress the system a bit during the writes (CPU 80%, 50% of it disk I/O) and I see disk-i/o still going on after the writes stop, but more than 10 seconds waiting does not help. As I mentioned, the writes do not overlap in memory, and reading starts after the writes. I'm baffled.
You have a bug somewhere, this is not how it works.
@@zodiacon I sure hope so. I guess that your comment tells me that there is nothing I have obviously forgotten to do.
@@zodiacon It appears to be necessary to insert a tiny delay between writing to the shared memory and reading from it for the first time.
Greate Work !
BrainFuck fr
Wow. I have never seen so much information on anything. 👍
I might have found a peak channel
int main(int argc, const char* argv[]) { if (argc < 3) { printf("Usage: CloseHandle <pid> <handle> "); return 0; } int pid = strtol(argv[1], nullptr, 0); HANDLE handle = (HANDLE)(ULONG_PTR)strtol(argv[2], nullptr, 0); HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid); if (!hProcess) { printf("Error opening process (%u) ", GetLastError()); return 1; } HANDLE hTarget; if (DuplicateHandle(hProcess, handle, GetCurrentProcess(), &hTarget, 0, FALSE, DUPLICATE_CLOSE_SOURCE)) { CloseHandle(hTarget); printf("Success! "); } else { printf("Error duplicating handle (%u) ", GetLastError()); } CloseHandle(hProcess); return 0; }
Technically you can DuplicateHandle(hProcess, handle, nullptr, nullptr, 0, FALSE, DUPLICATE_CLOSE_SOURCE); A bit more efficient - the handle in the current process never gets duplicated.
@Pavel What is the significance of setting completion key? you are not checking it anywhere anyways.
This is a helper value for the application. It can be useful if you have multiple completion ports possibly handled by the same handler. The key could be used to provide some "context".
@@zodiacon Can you please cover a video for file handle version of IO completion ports, It would be nice if you can cover multiple IO ports.
PAVEL my man!!!! if you will tell mark i said what up 🙂
You should probably tell him yourself... :)
Thanks so much Pavel, appreciate all of your work heaps mate, always a pleasure to be able to leave a thumbs up and a comment 😊
Going to write the coordinates to my buried treasure in a stream on "monthly_budget_oct24_revised_v2.pdf"
As you demonstrated int the source code, an stream could be opened by using plain old Win32 name and the classic file opening functions. Guess what program uses these two: notepad.exe! So you can launch notepad from command line, giving it the stream name. Now you have Windows built-in tool to both view and edit alternate data streams.
As you demonstrated int the source code, an stream could be opened by using plain old Win32 name and the classic file opening functions. Guess what program uses these two: notepad.exe! So you can launch notepad from command line, giving it the stream name. Now you have Windows built-in tool to both view and edit alternate data streams.
appreciate the uploads!
Yaaaaay ADS!! Hope you are well Pavel!
You explaining very fast and most of code i did not know what you did
I understand, sorry about that. Perhaps you can view it in slower motion.
connection is established between the two programs but i get an error code 10057(lost connection) from the local program. in tcpview it shows that the connection is established i tried downloading the reverse shell on my laptop and i connected the laptop to my LAN but i get an error from the send function 10051
I'm afraid I cannot debug your system.
@@zodiacon ok after a long time with debugging i found the problem, so the cmd gets created and then closed immediately if you run the reverse shell in the virtual studio folder (the place where it gets built) i figured that out when i typed cmd.exe in C:\Users\alkat\Desktop everse shell\Local\x64\Release (you can try this just go to the path and delete it and type instead cmd.exe) the cmd will not be created. maybe some Windows 11 stupid shit ??? i had to take the executable to the desktop and then run it ok, the second reason is the function socket i had to change it to WSASocket.
Great video Pavel! Very enlightening!
Hi, thanks for such a great explanation. I have a question: When I run notepad, the corresponding message box will always appear?
No, you need to inject with the correct process ID.
Regarding shellcode injection using APC, I successfully execute the shellcode in the remote process, but afterward, the target process forcibly terminates. Do you know how to resolve this issue?
You'll have to debug it, since there is some issue with your shellcode.
@@zodiacon The shellcode was generated with msfvenom, and since other injection methods worked correctly, I believe the likelihood of an issue with the shellcode itself is low. However, for APC injection, is it necessary to add a separate stub apart from the shellcode? The shellcode was generated with the following command: msfvenom -p windows/x64/messagebox EXITFUNC=thread -f c ExitProcess is not called.
@@zodiacon Since the shellcode was generated with msfvenom, I think the likelihood of issues is low. Or do APC injections require an additional stub? The thread creation and hijacking methods worked successfully.
I love thee videos label!!!
I’m please heart my comment, it would mean the world to me
MY MAN PAVEL RPC IS MY FAVORITE I LOVE THE RPCRT SUNRPC aka ONC portmappers stubs marshalls the whole deal!!!
you should show us DCOM and psremoting