How Hackers Evade Program Allowlists with DLLs
Вставка
- Опубліковано 14 чер 2023
- j-h.io/plextrac || Save time and effort on pentest reports with PlexTrac's premiere reporting & collaborative platform in a FREE one-month trial! j-h.io/plextrac 😎
/ 1666716511988330499
github.com/byt3bl33d3r/Offens...
🔥 UA-cam ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
I love that Nim is in this picture. It is such a nice little language that sadly gets attention by bad actors
' *sadly gets attention by bad actors* ' Yeah this is real problem it is rare to see someone use this language other than do malicious staff
Now this language is flaged by a lot of Anti virus even if the code is simple as *echo "Hello, World!"*
All languages are used for malicious purpose maybe not scratch
yes please, more nim content. thank you for your service
I'm a Python guy, so seeing that style of syntax used on lower level winapi stuff is sick! I'd love to see more Nim stuff in the future. So unfortunate a powerful lang with a familiar syntax has a bad rep.
Yes! We want more Nim. I've never used it, and would like to know more about it and how it's being used in the security space. 😊
Thank you! Absolutely need more cool stuff in NIM.
Nim deserves more community attention. Although I don't think they would be happy to hear they are again being used to develop malware. Anti-malwares are already flagging them as malware because so many people are using it to that end :D
Indeed, innocent apps compiled with nim compiler are being flagged as malware by market anti-malware solutions.
I've been interested in learning Nim, so I'm definitely interested in seeing more
Your videos feels like 5 minute long. Your method of explaining is so much interesting and captivating, sure do love to see more nim action.
Would love to see more stuff on nim and DLLs!
Thx for new video!😊
very nice and easy to understand, thank you
John, you are just firing off videos here lately, I love it. Thanks!!
It's the first time I even heard from nim. Looks easy to have fun with. But dll sideloading is hard, for most apps you have to be able to write into a directory of the app, but it's a possible way. But this is hard compared to just start an exe and then, you filter out script kiddie attacks.
More nim please
Nice. Next video on some type of SQLi, maybe🤷😉
Great content
That Right of Boom shirt though... IYKYK
🔥💥💪
And now using Nim language, John, you now have my full attention.
Great video.. make some more fun Nim video's 👍
I know C++ and rust quite well. Should i learn nim for offensiveNim or ofRust, OfCpp will do the work?
yes pls, more bim stuff
Super neat! 🤓
I love your content my Friends thanck tou men for best channel.
This was cool, but I was hopping for an explanation on how to find applications that are vulnerable to dll hijacking
Why do people use Nim instead of Python? First time I've ever heard of Nim and am curious
Nim is awesome
So this is a persistence mechanism, not an initial access vector?
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters]
"AutodialDLL"="C:\\Windows\\System32\
asadhlp.dll"
Change the file to your dll which u want to inject, start the program and it will inject in every process with system rights. I use this this to inject the ReverseKit into highly obfuscated malwares/loaders. After your injection just set the old dll
I weep for the day when all my Nim payloads get flagged. Every other week it seems like more and more effort is required to keep them working, pre-obfuscation.
Isn't there a program out there that can scan all the .dll files on a system or in a folder, checking them for malicious activities?
Why on earth have I never heard about Nim???
Can Windows trigger SystemRestorePlatform.exe as System user?
Its running as standard user in this tutorial.
ah yeah deff had my first dll fk my pc up back in 2004. unforgetable.
I created an entire undetected reverse shell via DLL Sideloading on an official windows application.
More NIM wouldn’t be horrible.
yes
Its how roblox gets hacked non stop by using dll
roblox patched all exploits
@@R3v0ult😂 nope
@@R3v0ultwrong
@@R3v0ult incorrect
@@R3v0ult false
Stay watch.. 🍿
I'd love to play with Nim more, but last time I messed around with it and was just starting out doing "hello world", EDRs flagged it just because it was Nim.... it was Hello World.... :(
sir can you crush or bypass some apps
Thanks for your daily Tutorial
I would love to learn more about nim and how it can be used to hack.
Not using Rust/10. :P I bet if you tried hard enough, you could do this in Python, too.
Early. :3
Beginner positional to explaining middle option for you explain
cant believe im this early lol
Gief more nim plz
Learning is hai movement more
Nim pleeease!
🤓
Ptp , elements ip /update/ ecppt exam
Oscp
Dll more explain 😡🤖🚩
literally you are teaching hackers how to compromise victims :)))
Nim limn moor explain deep class the little bit understanding how to explain in the "full file"explain what video
PE LOADER
Jesus Christ the pronunciation 😂
Meanwhile windows calc why are you making look bad to people what i did to you 🤣
Hackers can employ various techniques to evade program allowlists using dynamic-link libraries (DLLs). Here are a few common methods:
DLL Side-Loading: This technique involves exploiting the way Windows loads DLLs for an application. Hackers identify a trusted DLL that is allowed by the program's allowlist and replace it with a malicious DLL having the same name. When the program is executed, the malicious DLL is loaded instead of the legitimate one, allowing the hacker to bypass the allowlist.
DLL Hijacking: In this method, hackers identify programs that load DLLs using a relative path or search order. They place a malicious DLL in a directory that is searched before the intended DLL location. When the program is launched, it unknowingly loads the malicious DLL, bypassing the allowlist.
Reflective DLL Injection: This technique involves injecting a DLL into a running process without writing the DLL to the disk. Hackers load the malicious DLL directly into the process memory and execute it from there. Since the DLL is not written to the disk, it can evade allowlists that check for file presence or file hashes.
DLL Proxying: In this method, hackers intercept calls to legitimate DLLs by creating a proxy DLL. The proxy DLL loads the original DLL and performs the intended functionality while also executing malicious actions. This way, the hacker can bypass the allowlist by ensuring that the proxy DLL is allowed while the original DLL may be restricted.
DLL Load Order Hijacking: Hackers take advantage of the DLL search order used by Windows. By manipulating the order in which DLLs are loaded, they can force a program to load a malicious DLL before the legitimate one. This way, the malicious DLL can override the legitimate DLL's functionality and evade allowlists.
To mitigate these evasion techniques, organizations should consider the following countermeasures:
Regularly update and patch applications to prevent known DLL vulnerabilities.
Implement strong allowlisting mechanisms that validate DLL signatures, hashes, or secure file paths.
Employ secure coding practices to prevent DLL hijacking vulnerabilities in applications.
Monitor DLL loading activities and detect any anomalous behavior.
Implement behavior-based security solutions that can identify and block malicious activities performed by DLLs.
Apply the principle of least privilege by ensuring that applications and users have the minimum required permissions to reduce the impact of any successful DLL attacks.
It's important to note that the effectiveness of these techniques can vary depending on the security measures in place and the sophistication of the attackers. Staying updated with the latest security practices and maintaining a strong defense-in-depth strategy is crucial in mitigating DLL-based attacks.
Llmnr
“allowlist” in whitelist in cuckspeak btw
Very cool stuff, I've never even heard of nim until now lol
Given that he used SystemResetPlatform.exe to lauch calc.exe, could this be potentially used to make a persistent malware that wipes files or makes the system unbootable when a system reset is attempted? That would be really cool to see.
+/dll mind moor explain deep class+/-/cylekytr