DLL Injection with CreateRemoteThread

  • Published 26 Sep 2024
  • Using the CreateRemoteThread API to inject a DLL to a target process

COMMENTS • 31

  • @nikos4677
    @nikos4677 6 months ago +2

    Dude, you explained some things I didn't know and it really helped, thanks. Most YouTubers ignore some important details and it's annoying.

  • @logicchild
    @logicchild 1 year ago +3

    Great as usual :). I created a similar injector but in C#; the important thing here is that you need to create two versions of the injector: an x64 one to inject into x64 processes, and an x86 one to inject into x86 processes.

  • @crr0ww
    @crr0ww 1 year ago +5

    I learned a lot from this! Thank you, you're a legend :)

    • @gitgudsec
      @gitgudsec 5 months ago

      Ain't he just?

  • @apaatutu9709
    @apaatutu9709 1 year ago +1

    Thanks a lot, Great help to me.

  • @kaolungservice
    @kaolungservice 1 year ago +1

    Thanks for sharing, good man.

  • @nazmdar
    @nazmdar 1 month ago

    Thanks for your nice explanation.
    Does this technique work even if "Address space layout randomization" is enabled? Is the address of "LoadLibraryA" the same in the virtual address space of all processes?

  • @itf_ph3r0x41
    @itf_ph3r0x41 1 year ago +1

    Hey Pavel, great video to show some basics; that's often underrated.
    If you wouldn't mind, could you help me out with a little problem that I am facing right now?
    I want to get a better understanding of the entire user-mode concept in Windows; I also bought the Windows Internals books and partially read them.
    So my problem is that I want to perform accurate handle enumeration.
    There is a user-mode process that is creating a lot of short-lived handles to scan memory regions of my process, but I can't find these handles by using NtQuerySystemInformation with the SystemHandleInformation class.
    On the other hand, I know that the other process is also doing a user-mode handle enumeration to detect any opened handles to the process.
    So my question is, are there other ways to enumerate handles of a process in user mode? NtQuerySystemInformation gives us a list of all system handles, and each scan takes multiple seconds to traverse, which could be a reason why short-lived handles are not found...
    I really don't want to inject into the other process though and hook stuff; the goal was to perform a good handle enumeration externally.
    I hope you can give me a hint maybe :)
    But for now - thanks for everything,
    I'm a huge fan!

    • @zodiacon
      @zodiacon 1 year ago +2

      NtQuerySystemInformation is the way to go. There is no better way from user mode. Short-lived handles are just that - enumeration has nothing to do with that. It captures what exists at enumeration time. With a kernel driver, you could intercept opening handles to processes, for example.

    • @itf_ph3r0x41
      @itf_ph3r0x41 1 year ago +1

      @@zodiacon Alright, so I guess that detecting short-lived handles from user mode is a matter of timing luck then. Would multithreaded scanning increase the probability of detecting these handles?

    • @zodiacon
      @zodiacon 1 year ago +2

      Not really, there is internal locking happening anyway.

  • @logicchild
    @logicchild 1 year ago +2

    Could you please create a tutorial for a mini driver to inject this DLL into any user-mode process when it starts 🙏

    • @zodiacon
      @zodiacon 1 year ago +2

      There are such examples on GitHub... for now, I'll stick with simpler things :)

    • @marq4375
      @marq4375 1 year ago +1

      Hey Pavel, big fan! I have some of your books and also your Pentester Academy Windows series. Glad to see you on UA-cam. If you make a Patreon I'd be interested in donating! Thanks again, you're a master at this!

    • @zodiacon
      @zodiacon 1 year ago +1

      Happy to receive support! patreon.com/zodiacon

    • @tomifilep1
      @tomifilep1 16 days ago

      i bet u want to make a cs go cheatoos xd

  • @tomifilep1
    @tomifilep1 16 days ago

    And what happens if nothing happens? I mean, the code compiled without error, but when I try to inject nothing happens: no error, nothing printed at all, and all antivirus is off!! Any idea?

    • @zodiacon
      @zodiacon 16 days ago +1

      Make sure you inject a 64-bit DLL into a 64-bit process or a 32-bit DLL into a 32-bit process.
      Other than that, you can use Process Monitor to see if the DLL is loaded, if the thread is created, etc.

    • @tomifilep1
      @tomifilep1 15 days ago +1

      @@zodiacon Yeah, thanks, I solved it. I tried another injector and the injector told me: you are dumb, you want to inject 32-bit into 64-bit :D

  • @batphamduong9700
    @batphamduong9700 5 months ago

    Hi Pavel, thanks for the tutorials... But all your tutorials inject into an already running process. How about creating a new process and injecting into it?
    My current problem is creating a new process (e.g. Notepad) and injecting into it... but sometimes it works, sometimes it doesn't... I don't know why... I just assume the DLL is injected when the Notepad process is not fully loaded.

    • @zodiacon
      @zodiacon 5 months ago

      Usually injecting into a new process is much easier, because you have an all-powerful handle to it (no need to call OpenProcess, which may fail). If you create the process suspended and try to inject into it, it is likely to fail, because the process only has NtDll loaded into it.

    • @batphamduong9700
      @batphamduong9700 5 months ago

      @@zodiacon So what is the solution?

    • @zodiacon
      @zodiacon 5 months ago

      There is no "one, single" solution... do some research, try things out...

  • @fee171
    @fee171 1 year ago +1

    Hey bro, if I subscribe to Patreon, can you compile an injector for me?

    • @zodiacon
      @zodiacon 1 year ago

      No... that's not the purpose of this channel.
      I'm sure you can find plenty elsewhere.

    • @zodiacon
      @zodiacon 1 year ago

      The source code is provided at github.com/zodiacon/youtubecode

  • @CoolGamer6525
    @CoolGamer6525 2 months ago

    Hi, is it possible to convert a DLL to an .exe trainer?

    • @zodiacon
      @zodiacon 2 months ago

      Depends on what you mean by "convert". You can remove the DLL bit from the PE header, but the entry point will be DllMain, and that's not what is expected from an EXE, so it's likely to crash.
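Two recurring points in this thread, the bitness mismatch (a 32-bit DLL cannot be loaded into a 64-bit process, which fails silently in the injector) and the "DLL bit" in the PE header that the last reply mentions, both come down to reading three fields of the PE file header. The code below is an added example and is not the video's code nor anything from github.com/zodiacon/youtubecode; it is portable C that parses an in-memory PE header and runs a preflight check that a DLL's architecture matches the target process and that the IMAGE_FILE_DLL flag is set. The `make_header` helper builds constructed, minimal headers purely for demonstration (they are not real PE files), and the function names are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants from the PE/COFF specification. */
#define PE_MACHINE_I386        0x014c
#define PE_MACHINE_AMD64       0x8664
#define PE_FILE_DLL            0x2000   /* IMAGE_FILE_DLL in Characteristics */
#define PE_OPT_MAGIC_PE32      0x10b    /* 32-bit optional header */
#define PE_OPT_MAGIC_PE32PLUS  0x20b    /* 64-bit optional header */

struct pe_info {
    uint16_t machine;          /* IMAGE_FILE_HEADER.Machine */
    uint16_t characteristics;  /* IMAGE_FILE_HEADER.Characteristics */
    uint16_t opt_magic;        /* IMAGE_OPTIONAL_HEADER.Magic */
};

/* Little-endian readers so the check is correct on any host. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse just enough of a PE image to learn its architecture and DLL flag.
   Returns 0 on success, -1 if the buffer is not a well-formed PE header. */
int pe_inspect(const unsigned char *buf, size_t len, struct pe_info *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;     /* IMAGE_DOS_HEADER.e_magic */
    uint32_t e_lfanew = rd32(buf + 0x3c);                              /* offset of "PE\0\0"      */
    /* Need: signature (4) + IMAGE_FILE_HEADER (20) + optional header Magic (2). */
    if (e_lfanew > len || len - e_lfanew < 26) return -1;
    const unsigned char *pe = buf + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0) return -1;
    out->machine         = rd16(pe + 4);
    out->characteristics = rd16(pe + 22);
    out->opt_magic       = rd16(pe + 24);
    return 0;
}

/* 1 = 64-bit image, 0 = 32-bit image, -1 = unsupported or inconsistent header. */
int pe_bitness(const struct pe_info *pi) {
    if (pi->machine == PE_MACHINE_AMD64 && pi->opt_magic == PE_OPT_MAGIC_PE32PLUS) return 1;
    if (pi->machine == PE_MACHINE_I386  && pi->opt_magic == PE_OPT_MAGIC_PE32)     return 0;
    return -1;
}

int pe_is_dll(const struct pe_info *pi) { return (pi->characteristics & PE_FILE_DLL) != 0; }

/* Preflight check: a DLL can only be loaded into a process of the same bitness,
   and only an image with the DLL bit set should be handed to LoadLibrary. */
int dll_matches_process(const unsigned char *dll, size_t len, int process_is_64bit) {
    struct pe_info pi;
    if (pe_inspect(dll, len, &pi) != 0) return 0;
    if (!pe_is_dll(&pi)) return 0;
    return pe_bitness(&pi) == (process_is_64bit ? 1 : 0);
}

/* Build a constructed, minimal PE header (NOT a real file) for demonstration. */
size_t make_header(unsigned char *buf, uint16_t machine, uint16_t chars, uint16_t magic) {
    memset(buf, 0, 0x60);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                   /* e_lfanew = 0x40 */
    memcpy(buf + 0x40, "PE\0\0", 4);
    buf[0x44] = (unsigned char)(machine & 0xff); buf[0x45] = (unsigned char)(machine >> 8);
    buf[0x56] = (unsigned char)(chars & 0xff);   buf[0x57] = (unsigned char)(chars >> 8);  /* +22 */
    buf[0x58] = (unsigned char)(magic & 0xff);   buf[0x59] = (unsigned char)(magic >> 8);  /* +24 */
    return 0x60;
}

/* Convenience wrapper: build a header with the given fields and run the check. */
int check_case(uint16_t machine, uint16_t chars, uint16_t magic, int process_is_64bit) {
    unsigned char buf[0x60];
    size_t n = make_header(buf, machine, chars, magic);
    return dll_matches_process(buf, n, process_is_64bit);
}

/* Returns 1 if a truncated buffer is rejected rather than read past its end. */
int rejects_truncated(void) {
    unsigned char buf[0x60];
    struct pe_info pi;
    make_header(buf, PE_MACHINE_AMD64, PE_FILE_DLL, PE_OPT_MAGIC_PE32PLUS);
    return pe_inspect(buf, 10, &pi) == -1;
}

int main(void) {
    printf("x64 DLL -> x64 process: %d\n", check_case(PE_MACHINE_AMD64, PE_FILE_DLL, PE_OPT_MAGIC_PE32PLUS, 1));
    printf("x86 DLL -> x64 process: %d\n", check_case(PE_MACHINE_I386,  PE_FILE_DLL, PE_OPT_MAGIC_PE32, 1));
    printf("x64 EXE -> x64 process: %d\n", check_case(PE_MACHINE_AMD64, 0x0002,      PE_OPT_MAGIC_PE32PLUS, 1));
    return 0;
}
```

In a real tool the buffer would be the first page of the DLL file read from disk, and the process bitness would come from `IsWow64Process` (or `IsWow64Process2`) on the target; both of those are standard Win32 calls and are outside this portable example.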