Also if you have some time to practice you can try NoScript, it often fucks up "please disable adblock" thing so it doesn't even shows P. S. Idk about UA-cam anti adblock cus I don't use YT on PC
"There's not much risk or installing a kernel level anti-cheat or a kernal level driver in general" One sentence. "Crowdstrike wasn't malicious." A kernel level process caused so much havoc and that was a simple woopsy daisy we messed up situation. A bad actor with an in at any of these companies could very easily destroy lives. Kernel access is given away far too easily and anyone who says otherwise is ignorant of technology.
When you say it's given away far too easily, I'm not sure if you're referring to Microsoft/Windows signing these drivers, the companies installing the software or users installing drivers, but you can't exactly gate keep kernel level access.
@@joopie46614all three. MS signing a Kernel Level process that basically parses definitions feels like a giant security flaw. Companies/individuals just installing it without critical thinking 'what could go wrong?' is also too easily done. Sure MS can't gatekeep kernel level, but also they should atleast be aware that they have ppl relying on their stamp of approval as well as end users should be aware that such systems can lead to such problems.
I kinda find it funny people complain about kernel level anti-cheats without mentioning proper privilege controls. Under a standard user account, both UAC bypass and BYOVD will fail. I still argue that kernel anti-cheats are unacceptable, as they break the basic privilege control concepts (a game should not have administrative privilege access). But most complaints I've seen on the internet don't even mention about using a low-privilege account as a security measure, and running random things on an admin account is just as bad as any kernel level access.
the issue is with vulnerability in Anti-Cheats. if Anti-Cheat is exploited, it is Ring 0 access. Now consider all the games with RCEs that went unpatched for weeks or months.
The risk is substantially higher once a kernel mode driver is signed by microsoft or any reputable signing authority. The problem isnt the kernel itself but rather that Microsoft even allows running code in kernel mode in the first place.
Even GNU/Linux allows third-party codes to run in kernel space. Only macOS, iOS, and Android in their default configurations (non-rooted, etc.) that don't allow this. My guess is, a lot of people will complain if Microsoft really as strict as those OSes in Windows.
@@bltzcstrnx AFAIK while the Linux kernel *does* let you load kernel modules arbitrarily, It only permits modules it was configured in advance to accept. To load anything else in you need to change that configuration and reboot (effectively bypassing the kernel and its restrictions anyway)
was helping a friend troubleshoot earlier today after he seemed to have gotten a trojan from an .exe adobe premiere crack setup on a youtube video didn't show up in malwarebytes, random ml trojan on windows defender, and despite trying for like an hour to un-quarantine the file and scan it with virustotal he just kept getting denied permissions coincidentally this pops up in my recommended later on - getting him on a clean wipe rn
I have to listen to the video instead of watching it, that white background is killing me. (yes, my HDR is on and I could night shift it to workaround, but cmone...) I liked it, ty!
YES, there IS risk to installing kernel level anticheats. Multiplayer games end up with RCE Exploits ALL the time. If a kernel mode anticheat is ever accidentally (or intentionally. They’re all big fans of “security” through obscurity, and could easily exploit these permissions) exposed to this, your entire machine can be hijacked for playing a game, or even just having the game installed, since most kernel level anticheats run from boot time. Do not downplay the irresponsibility and risk of a GAME demanding full and complete access to your entire computer.
Why do people try to get cracked copies of jetbrains when it is so easy to find a license server to use? It is literally on the surface web such as yandex google etc. I can't deal with these types of people and it frusteruates me
Because some of them are for hardware that might never be updated. People would be more upset if they were blocked, but you can opt into the blocklist.
No, its not. Windows Kernel is not more vulnerable than Linux Kernel. The guy literally did "sudo install and installed a '.ko' " Driver signing isn't even activated by default on most Linuxes distros. The Windows user interface might be more vulnerable than KDE (but not Gnome). Maybe if you are running SELinux and know what you are doing you can make the Linux Kernel become more secure, but the same is true for Windows, but its absolutely less vulnerable. Both are micro-kernels after all. Its a huge surface of attack. People keep saying that the Linux kernel is more secure. The Windows Kernel is absolutely a very well designed and very secure piece of software. Most of the 0-days that happens on Windows are always other weak components running in user mode that allow for privilege escalation, usually because Windows is huge and have a huge surface of attack, so there's always misconfigured permissions. Ironically the same thing happens to SELinux all the time, except Linux is a 10 times smaller system, and has 1000 times less users. Any system is always insecure as its weakest link, the kernel is not the weakest link. I hate people keep saying shit like that, meanwhile I broke the security of my TV the other day, why, the encoder driver running on Linux Kernel Ring0 instead of Ring3. Stupid monolith kernel systems where a mistake.
@@monad_tcpif MS just open up the windows kernel it’d have real competition with linux (headless windows NT) There’s absolutely nothing wrong with the windows kernel, it is the shell of windows that is buggy and vulnerable (user mode). Windows kernel is extremely secure and powerful
You would have to download the certificate revoke list. At the end of the video he shows how to enable the blacklist which is the certificate revoke list. It isn't enabled by default because it would break a lot of existing systems
@@Votexforxme I could care less if you support Riot or any other company, rando. It’s just sad how negative you are. But that’s okay, I hope you have a good day m8.
1.03 Just no, shows a lack of understanding of how kernel drivers work. Venerable kernel drivers are a massive problem. They should not exist! C isn't unsafe...
Oh so it means the freshly installed Windows 10 is having rootkits and bootkits and kernel trojans already I'm not allowed to run anything other than the very latest version, I tried deleting program compatibility assistant trojan but couldn't fully remove it...
At least someone recognizes that kernel level anti cheat isn't inherently bad. Riot games gets so much shit for being first to openly claim kernel level anti cheat when the haters have been running other kernel level anti cheat just fine until now
Riot was far from the first to do it. ESEA for counterstrike has been doing it for a decade, and FACEIT has been doing it for a long time as well. The only difference is that Riot markets it as if it's something new.
one shouldnt judge a book by its cover, but... If we take a look at your pfp, your name, the content you upload and the date your account was made, we conclude that you are AT MOST 16 years old and that you have no real world experience whatsoever. You really shouldnt be talking like that. Thats the type of behavior that gets you in trouble.
@@AraiDigital he says oh it has "VirtualProtect" it should be easy to unpack. virtual protect is an api for changing protection of a memory region, most of the time its not even being used by malware because they use direct syscalls. so if it was so easy why didnt he put a bp on virtualprotect and dumped it from there and ended the video in 3mins? The fact that he said if you dont wanna spend 3 hours unpacking it like me go join my school is hilarious lmao. Literally all you had to do is use dump the process from kernel 💀
That's genius using Adobe as a cover for crypto miner,
Since it's normal for Adobe to hog processing power
It's also normal for adobe to fill your PC with spyware and rootkits that keeps calling home (if you do the mistake to buy it)
@@theloststarbounder Adobe is worse, it also takes your money.
The fake may be less harmfull than the oregano.
stealthy crypto mining malware will just stop mining once task manager is opened and resume when closed
@@rob2roxthere’s other programs besides task manager to check
You're halfway there to realising that Adobe is today's most popular malware
I hope this Kernel guy is okay
"Today we're going to be doing penetration testing on the kernel"
The Colonel: 😳😳
kernel sanders
Same bro
@@simo_viewer_pr9030 can't believe they're gonna hack kfc
Colonel Panic is reporting to General Failure.
I know you're in a VM, but I can't imagine ever using a browser without uBlock Origin. Just too much shit.
Also if you have some time to practice you can try NoScript, it often fucks up "please disable adblock" thing so it doesn't even shows
P. S. Idk about UA-cam anti adblock cus I don't use YT on PC
How tf does this guy live? Over 40% of his page is whitespace and ads 😭
he probably uses the ads to get samples
i use malwarebytes browser guard works well lmao
Well, since he uses Chrome, thanks to the manifest v3 update he can't use a (proper) ad blocker any more anyway :P
Only kernels I invade is the popcorn kind
Leave the popcorn out of this.
"There's not much risk or installing a kernel level anti-cheat or a kernal level driver in general"
One sentence. "Crowdstrike wasn't malicious."
A kernel level process caused so much havoc and that was a simple woopsy daisy we messed up situation. A bad actor with an in at any of these companies could very easily destroy lives.
Kernel access is given away far too easily and anyone who says otherwise is ignorant of technology.
When you say it's given away far too easily, I'm not sure if you're referring to Microsoft/Windows signing these drivers, the companies installing the software or users installing drivers, but you can't exactly gate keep kernel level access.
Scrolled to far down to see this. Based opinion.
@@joopie46614all three. MS signing a Kernel Level process that basically parses definitions feels like a giant security flaw. Companies/individuals just installing it without critical thinking 'what could go wrong?' is also too easily done.
Sure MS can't gatekeep kernel level, but also they should atleast be aware that they have ppl relying on their stamp of approval as well as end users should be aware that such systems can lead to such problems.
yeah i was done with league after they wanted kernel anticheat in there lol
I kinda find it funny people complain about kernel level anti-cheats without mentioning proper privilege controls. Under a standard user account, both UAC bypass and BYOVD will fail. I still argue that kernel anti-cheats are unacceptable, as they break the basic privilege control concepts (a game should not have administrative privilege access). But most complaints I've seen on the internet don't even mention about using a low-privilege account as a security measure, and running random things on an admin account is just as bad as any kernel level access.
mfw bios anticheat:
the issue is with vulnerability in Anti-Cheats. if Anti-Cheat is exploited, it is Ring 0 access. Now consider all the games with RCEs that went unpatched for weeks or months.
I have a question: what kind of account do I have, if I installed windows 11 clean and never messed around with administrator settings ?
@@fux3669 you are admin by default
@@fux3669 The default OOB account on Windows is an admin account. You have to go to the settings and explicitly create a new non-admin user account.
sometimes i wonder why anti cheat providers dont just start flagging malware as well. seems like theyd do a better job compared to half of other AVs
Lmaoo imagine riot games sending tou notifciations about how many attacks they protected you from
Jokes on them, mine was promoted to GENEREL.
I'll see myself out.
General, to correct you.
@@chipproductions1510 Kernel Sanders is telling me otherwise.
They ought to add killswitches if the current user is "lain" at this point
but what if a legitimate fan of "serial experiments lain" could have been exploited with a cryptominer
More user protection hah
Well that'd be bad for me since I've lain with your mother
When I’m in a system-breaking vulnerability competition and my opponent is Windows
theyre left there for the cia to use
6:43 Famous Last Words from @Eric Parker for the unpacking
I'd rather have a Bitcoin miner then pay for Adobe.
paws at everyone
why are you
Thank you popular Eric Parker comment section micro celebrity Luna "paws-at-you" Paws At You
:3
paws back
:3
The risk is substantially higher once a kernel mode driver is signed by microsoft or any reputable signing authority. The problem isnt the kernel itself but rather that Microsoft even allows running code in kernel mode in the first place.
Even GNU/Linux allows third-party codes to run in kernel space. Only macOS, iOS, and Android in their default configurations (non-rooted, etc.) that don't allow this. My guess is, a lot of people will complain if Microsoft really as strict as those OSes in Windows.
@@bltzcstrnx AFAIK while the Linux kernel *does* let you load kernel modules arbitrarily, It only permits modules it was configured in advance to accept. To load anything else in you need to change that configuration and reboot (effectively bypassing the kernel and its restrictions anyway)
Its kinda really smart to target Jetbrains IDE because it already comes with a kernel debugger that's actually WQHL signed.
was helping a friend troubleshoot earlier today after he seemed to have gotten a trojan from an .exe adobe premiere crack setup on a youtube video
didn't show up in malwarebytes, random ml trojan on windows defender, and despite trying for like an hour to un-quarantine the file and scan it with virustotal he just kept getting denied permissions
coincidentally this pops up in my recommended later on - getting him on a clean wipe rn
Great work tracking it down yourself! The analysis is thorough as usual.
Wait, JetBrains is an IDE?
I thought that it was just the name of a font I use on neovim
I love this type of content!! Please keep making these malware dissections.
I have to listen to the video instead of watching it, that white background is killing me. (yes, my HDR is on and I could night shift it to workaround, but cmone...)
I liked it, ty!
We are going blind with this one 🗣🗣🗣🔥🔥🔥
Why adjusting brightness isn’t an option?
YES, there IS risk to installing kernel level anticheats. Multiplayer games end up with RCE Exploits ALL the time. If a kernel mode anticheat is ever accidentally (or intentionally. They’re all big fans of “security” through obscurity, and could easily exploit these permissions) exposed to this, your entire machine can be hijacked for playing a game, or even just having the game installed, since most kernel level anticheats run from boot time. Do not downplay the irresponsibility and risk of a GAME demanding full and complete access to your entire computer.
every time i get my dinner you post love the videos
Why do people try to get cracked copies of jetbrains when it is so easy to find a license server to use? It is literally on the surface web such as yandex google etc. I can't deal with these types of people and it frusteruates me
Where did you get the sample from? Do you host malware samples somewhere?
googling the payload name
@@EricParker Thanks, I completely missed the part when you said that you found it on github
Kernal level is insane
Waiting for Eric to check if NTSCQT is safe or not (VirusTotal says it is)
check the source?
@@EricParker I saw it in a youtube video a lot of people agreed it worked and some had videos on their channels, still not sure.
@@EricParker Yes just go trough all of the code lol
@ 17:03 I don't have that option. Enterprise Win11?
He needed to go to the Kernel to get the recipe.
Why does windows not block those vulnerable drivers?
I think it blocks them if memory integrity is enabled.
There are thausands of drivers with vulnerabilities from thausands of companies. Even Windows Defender has one. No way to stop this.
@@kirill9064 Yes, this is correct.
@@kirill9064 one in a krillion
Because some of them are for hardware that might never be updated. People would be more upset if they were blocked, but you can opt into the blocklist.
neovim activator exe when
i literally don't understand anything this guy says in videos like these but for some reason i still love it lol
Can u make a video on Solstice client its a minecraft bedrock client that flags alot as trojans but still the client has a very large player base.
Have you ever feel like the malware escaped from vm?
Or im just too paranoid
it's possible but extremely unlikely to happen, most malware if anything just refuses to run on a vm
Too paranoid
it's possible the the software for said VM has an exploit
Windows kernel more vulnerable than the Linux kernel
Linux will never be as popular as Mac and Windows, buddy.
No, its not. Windows Kernel is not more vulnerable than Linux Kernel.
The guy literally did "sudo install and installed a '.ko' "
Driver signing isn't even activated by default on most Linuxes distros.
The Windows user interface might be more vulnerable than KDE (but not Gnome).
Maybe if you are running SELinux and know what you are doing you can make the Linux Kernel become more secure, but the same is true for Windows, but its absolutely less vulnerable. Both are micro-kernels after all. Its a huge surface of attack.
People keep saying that the Linux kernel is more secure. The Windows Kernel is absolutely a very well designed and very secure piece of software. Most of the 0-days that happens on Windows are always other weak components running in user mode that allow for privilege escalation, usually because Windows is huge and have a huge surface of attack, so there's always misconfigured permissions.
Ironically the same thing happens to SELinux all the time, except Linux is a 10 times smaller system, and has 1000 times less users.
Any system is always insecure as its weakest link, the kernel is not the weakest link.
I hate people keep saying shit like that, meanwhile I broke the security of my TV the other day, why, the encoder driver running on Linux Kernel Ring0 instead of Ring3. Stupid monolith kernel systems where a mistake.
@@TheUncleTedKzyokay????😂😂
@@TheUncleTedKzykinda wrong, linux is the most popular kernel for servers
@@monad_tcpif MS just open up the windows kernel it’d have real competition with linux (headless windows NT)
There’s absolutely nothing wrong with the windows kernel, it is the shell of windows that is buggy and vulnerable (user mode). Windows kernel is extremely secure and powerful
Why can't Microsoft revoke the certificate for insecure drivers?
You would have to download the certificate revoke list. At the end of the video he shows how to enable the blacklist which is the certificate revoke list. It isn't enabled by default because it would break a lot of existing systems
Being a Valorant player FINALLY paid off in some way. Thanks Eric!
Sorry to hear that you play this garbage.
@@Votexforxme Sorry that you don’t have more love in your heart.
@@Wiyt Yeah, i dont share "love" with companys that abloslutley dont value their customers.
@@Votexforxme I could care less if you support Riot or any other company, rando. It’s just sad how negative you are. But that’s okay, I hope you have a good day m8.
@@Votexforxmeforever virgin
i could’ve sworn i saw this yestersy
Different channel maybes?
mightve been low level learning's video if you watch him
@ oh yeah you’re right that’s where i saw it
Can we get an updated tutorial on the stealth VM?
not mentioned but, LAIN?!!
Thanks Eric this is really intresting
Ubuntu Linux activator for Windows next?
C is not unsafe. Incompetent programmers are.
Software always has bugs
C is unsafe because an incompetent programmer can make a vulnerable application easily
@@CommandoBlack123 so... any language
@@chaoticsoap Not true
@@CommandoBlack123literally true youcan write an unsafe program in any language. Some are just harder
Kernel Level Anticheat doesn't need to exist.
13:32 the hash is slightly different.
Oh the hash is only *slightly* different 🤨
ms windows is the true kernel level malware
dont worry thats just the new riot anti-cheat update
why does erics accent change from british english to american english halfway through? just curious lol
Vanguard makes a better job than windows defender gg.
Kernel wants to know:
🚨Why TF are you downloading viruses
it's art
I have jetbrains… better be the right one bro
Plot twist: The real malware is Windows... Steelfox is trying to hijack the telemetry processes back off the Windows kernel to save your PC
I don't understand any of the words he was saying but I appreciate it
hey, could you look if roblox account manager is a virus? alot of people say it is but some also say its just a false flag
weren't there viruses that could invade the BIOS?
It’s very rare because you have to specifically target a specific motherboard and it’s version
Logofail can
Never thought that Vanguard would actually be helpful 🙏🙏🙏
Love your vids! You should make some troll malware that will just prank people and not harm anything
I installed many cracks and am worried now
As you should be. You should have been worried when you installed them, not now lol
just dont put them on your main system lol
This is recent and of course should mostly been in new strains of cracks like modified copies of Medicine, etc
Your just amazing how you can explain how everythings works
Hello Eric!
"win ring zero dot sys" is an incredible name for a vulnerable driver
Wrong. Yes, anticheat is evil. Bethesda shouldve been removed from being allowed on steam after what they did with Doom Eternal.
that wasn't anticheat, that was drm afaik, two different things
@@AraiDigital It was denuvo anticheat.
Isnt that what vanguard anti cheat does?
winring0x64 is spelled wrong 13:10
linux users like me are invading more kernels using the "hand" exploit right now
I enjoyed this episode that much, I watched it twice. ❤
1.03 Just no, shows a lack of understanding of how kernel drivers work. Venerable kernel drivers are a massive problem. They should not exist! C isn't unsafe...
Based Riot Vanguard (for once)
This
I thought most malwares these days ran at kernel level? Isn't that why most anti-virus software runs on the kernel?
Almost zero modern malware runs at the kernel level. Rootkits are few and far between.
jerbrains with zombies
just in time for dinner
"This Malware Invades the KERNEL?" so any Kernel level aticheat that also does not really prevent cheating.
wow what a wonderful piece of code haha!
Can you do more fake download buttons
F for my popcorn 🍿
Oh so it means the freshly installed Windows 10 is having rootkits and bootkits and kernel trojans already I'm not allowed to run anything other than the very latest version, I tried deleting program compatibility assistant trojan but couldn't fully remove it...
Seroxen and darkgate are best rat so far ❤ 🎉
seroxen is discontinued but true
Darkgate is just a loader? currently dealign with one.
I continued watching but no cookie!
that's crazy
crazy
smh why waste 3 hours trying to dump it from the loader, when you can just dump the process using a kernel driver
go back to reviewing awful minecraft clients lil bro
@@dead-l0lz😭
@@dead-l0lz only minecraft video is my own project from long ago, the others are cracks
@@dead-l0lz kinda funny u switched topic, imagine learning from a guy who doesnt know what he is talking about stupid ahh
@@dead-l0lz Savage☠
kernelwaaaaaaaaaaaaa
-poland
Hi
How much knowledge you need to be able to learn from your skool?
I use arch btw.
You are not safe either
Check your door.
hmmm
At least someone recognizes that kernel level anti cheat isn't inherently bad. Riot games gets so much shit for being first to openly claim kernel level anti cheat when the haters have been running other kernel level anti cheat just fine until now
Riot was far from the first to do it. ESEA for counterstrike has been doing it for a decade, and FACEIT has been doing it for a long time as well. The only difference is that Riot markets it as if it's something new.
No if is inherently bad, its blindly trusting the client and its security through obscurity
Andrew tate?
Nu e nimic nou frate
this is same as vanguard lol
are you stupid, vanguard is safe
WOOOOOOOO
....riot vanguard
is not a malware, but an anticheat you dumbass
The best antivirus
activate windows -_-
Ahh, i love kernels
Oh wait this isnt a corn tutorial 🌽 :/
6:39 this guy doesn't know what he is talking about 😂
one shouldnt judge a book by its cover, but... If we take a look at your pfp, your name, the content you upload and the date your account was made, we conclude that you are AT MOST 16 years old and that you have no real world experience whatsoever. You really shouldnt be talking like that. Thats the type of behavior that gets you in trouble.
They don't know? Alright, explain this to us! I'd like to see you even try to take a crack at it.
@@AraiDigital he says oh it has "VirtualProtect" it should be easy to unpack. virtual protect is an api for changing protection of a memory region, most of the time its not even being used by malware because they use direct syscalls. so if it was so easy why didnt he put a bp on virtualprotect and dumped it from there and ended the video in 3mins? The fact that he said if you dont wanna spend 3 hours unpacking it like me go join my school is hilarious lmao. Literally all you had to do is use dump the process from kernel 💀
Wait, JetBrains is an IDE?
I thought that it was just the name of a font I use on neovim
Hi