Wow, such a journey, thanks for making this vid!
Fun fact (which you probably already know): if you know that an application loads some library (*cough* DirectX *cough*), you can just place your version in a folder and chainload/intercept calls, without running an additional process alongside the game. That's the way I did it in my crime days in uni.
Some game communities have even built plugin systems on top of that to chainload a bunch of custom DLLs together, GW2 is a perfect example of this :)
Yeah, there's a fair few mods out there that work by hijacking a default dll. It's an easy in to the executable internals without dealing with memory too much.
Funnily enough, for some games like the original Dark Souls, there could be different mods that hijacked the same dll (namely, dinput8.dll), so you had to put one as the first, then configure it to load the next mod with a renamed dll, then configure that mod to load the next one, etc.
I myself have written a plugin loader of that sort for Monster Hunter: World, and it's been used to make a variety of pretty useful modifications. The whole process of reverse engineering the game to modify its behavior is incredibly interesting as well. (I wish there was a less archaic alternative to Cheat Engine for that kind of stuff, but nothing comes even close).
I'm not really sure what you mean about chainload/intercept, do you have some resources about this technique? Sounds very interesting.
@jonathanbouchard720 let's say your game uses DX, so it will search for DX in the regular places an app looks for DLL files. It just so happens that the first place checked is the game files, so if you place your code there and name it d3d11.dll, you can put code in that file that, in addition to loading DX, does anything you want it to do.
This is called a resource DLL injection.
FWIW LoadLibraryEx has a flag which can be enabled to only search for the dll in "system" paths (i.e. System32 etc.) -- this is relatively commonly used nowadays.
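As an added illustration of the search-order point in this post and the one above (not code from the video or from any commenter), here is a small Rust model of the default DLL search order beside the LoadLibraryEx system32-only behaviour, plus a check a defender can run over a game folder listing; the system DLL list and the folder listing are constructed for the example, and the model deliberately omits KnownDLLs, the working directory and PATH.

```rust
use std::collections::HashSet;

/// DLL names that ship in System32 and are commonly imported by games.
/// Constructed sample list for this example, not an exhaustive inventory.
pub const KNOWN_SYSTEM_DLLS: &[&str] = &[
    "d3d11.dll", "dxgi.dll", "dinput8.dll", "version.dll", "xinput1_3.dll",
];

/// Where a LoadLibrary call would pick the DLL up from.
#[derive(Debug, PartialEq, Eq)]
pub enum Origin {
    AppDir,   // application directory, checked first by the default search order
    System32, // the System32 directory
    NotFound,
}

/// Simplified model of the Windows DLL search order (KnownDLLs, the working
/// directory and PATH are left out). By default the application directory is
/// searched before System32, so a same-named DLL next to the executable wins;
/// `system32_only` models the LoadLibraryEx flag LOAD_LIBRARY_SEARCH_SYSTEM32.
pub fn resolve(name: &str, app_dir_files: &[&str], system32_only: bool) -> Origin {
    let wanted = name.to_ascii_lowercase();
    let in_app_dir = app_dir_files.iter().any(|f| f.to_ascii_lowercase() == wanted);
    let in_system32 = KNOWN_SYSTEM_DLLS.contains(&wanted.as_str());
    if in_app_dir && !system32_only {
        Origin::AppDir
    } else if in_system32 {
        Origin::System32
    } else {
        Origin::NotFound
    }
}

/// Defender check: files in an application directory whose names collide with a
/// system DLL. Each is either a legitimate redistributable or a planted proxy of
/// the kind discussed above, so every hit deserves a signature and hash check.
pub fn shadowed_system_dlls(app_dir_files: &[&str]) -> Vec<String> {
    let system: HashSet<&str> = KNOWN_SYSTEM_DLLS.iter().copied().collect();
    let mut hits: Vec<String> = app_dir_files
        .iter()
        .map(|f| f.to_ascii_lowercase())
        .filter(|f| system.contains(f.as_str()))
        .collect();
    hits.sort();
    hits.dedup();
    hits
}

fn main() {
    // Constructed listing of a game folder that carries a planted d3d11.dll proxy.
    let game_dir = ["game.exe", "D3D11.dll", "steam_api64.dll", "data.pak"];
    for hit in shadowed_system_dlls(&game_dir) {
        let (default, strict) = (resolve(&hit, &game_dir, false), resolve(&hit, &game_dir, true));
        println!("{hit}: default search loads {default:?}, SEARCH_SYSTEM32 loads {strict:?}");
    }
}
```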
Excellent video Amos! I love the convoluted way you took to really get us understanding the inner workings. Also as someone who's dabbled with the windows crate before it's great seeing how it's actually supposed to be used. E.g. I was writing the bit flags myself. I hope you keep doing these advanced computer-science Rust videos. Especially this one I think I will have to watch a few times to really extract all the valuable information you have provided. I also really enjoy your writing though I must confess I find I watch videos a lot more frequently in my spare time.
It's a shame your videos haven't taken off yet but I'm sure that's only a matter of time. Though maybe more project-based videos and titles could help I think; even though I love your style.
This is so good, thank you! It's so cool to have this kind of Windows+Rust knowledge explained in depth
17:10 lol, that "keep talking and nobody explodes" reference killed me
same
27:45 leaves a note for the linker saying "hey! please replace that with actual address when you get a chance, okay hun?" 🤣
Great video! By the way you can use w! for UTF-16 strings, it's exported from the windows crate so you don't need an external dependency.
39:24 I really think the fact that you learn as you go is what makes your videos so useful :-) it's not just about the knowledge, it's also very much about the process to acquire it!
I got into "hacking", aka reading weird things in hexadecimal editors, when I was 12 specifically for ... cheating at video games. It starts simple, learn where to get the save files, check what is the biggest signed integer in hexadecimal on your platform ... profit! In SimCity at least (on Atari ST, early 90s).
Fun times.
You are incredible! Thanks for all this content on this low-level stuff. I learn more with you than in college about this.
It took me too long after reading all your articles to find the channel. (I know it's at the bottom of the blog home page, I'm dumb). Great stuff!
I love this guy’s presentation 😂
And he’s clever too!
And hacking video games is how I started this channel during lockdown. With a little hardware hack finally defeating 100m dash on the C64. I only do retro game hacking and outplaying. Ties in with my origin as a kid hacking in the 80s. And my viewer base is 40-50 so….😂
Probably the best systems programming YouTube channel
Really amazing video! My only complaint is that it's a bit hard to read when you're live coding since the window isn't full size, though that might just be me needing to get glasses :DD
Congrats on yet another awesome video! Wish I had stuff like this when I started my career as a weekend Win32 code criminal. Still, learned a lot of small things that could make my messy code a bit less messy.
(PS I have a decent bit of experience -- more than I like to admit -- with game hacking topics in Rust, so feel free to reach out if you think you could use some help researching things for followup videos! It's wild out there on the internet.)
20:44 Muahaha love badass Amos 😈
Thanks!
Thanks for watching & for your support! 🙌
really cool. thanks a lot for sharing.
6:23 there is also lldb, which natively supports MSVC
This is an awesome video! Super interesting and so satisfying when we get to the end and have our own code running in the target program, had to watch it a second time and follow along with the steps.
I just have one question though, in an earlier video when loading shared object files into another program on Linux we were able to directly apply a detour to the libc functions whereas on windows we use the API to find the address of a function before we can intercept it. Why is it different?
I have heard that when shared objects are loaded on Linux the dynamic loader may patch the functions and addresses at the time it is loaded so is that what is happening?
And thanks again for this series on hacking, I'm finding it super fun and enjoyable to follow along :)
If you would add timestamps to the description it would be amazing, but really good video!
LOL "Her Majesty, Juniper W FartButt"
I swear I'm not making it up! Juniper has been taking full advantage of my "I will copy your Patreon name as-is into video credits" policy.
Great video! Just one comment: the mixing for the jazz around the 45 minute mark is quite a bit louder than your voice.
Love this! Some delicious [redacted] ;-)
The thing I'm curious about is how Windows prevents any program from doing this. Are you disabling any security features in Windows to do this? Or are you running the program in a privileged mode?
That could be a whole video in itself! I am not disabling any security features or running the program in privileged mode. This is a fully-patched Windows 11 install with no modifications whatsoever. The general rule here is that programs can mess with other programs that have the same level of privilege or lower. I couldn't mess with some system service for example. And some low-privilege Edge or Chrome process could not mess with regular-privilege processes. I'm no expert on Windows security but chances are someone else in the comments will be!
Even Win10 doesn't enable DEP by default for all processes, neither does it enable any virtualization-based features or Defender Attack Surface Reduction rules. I would like to see this attempted after a bit of hardening, meaning those features are enabled.
You can access the memory of any process that runs on the same user account. An admin account can also access the process memory of other users.
He's modifying his own processes. Why wouldn't that be allowed?
Amos, I think you would enjoy CTF's. Especially binary exploitation challenges.
I've been thinking about getting into that, yes. I may or may not have accidentally acquired skills that would be very useful in infosec 😈
Amazing video but I was getting distracted by the amount of wetness being picked up on the mic. It's a great mic I think.
Don't you find it weird that you find it weird that you are so fascinated by the concept of cross-platform software? I mean, the entirety of computer science is such a rabbit hole of fascinating concepts, whether those are endemic to CS or borrowed; like me for instance, I am fascinated by the concept of emergent complexity, both with regards to AI and just computing in general. That's not weird or strange, that's how you know you chose the right field of study, my friend, and enthusiastic people like you are the people who move stuff forward and get to the bottom of things, how is that weird?
17:03 I believe the term is “brokepointed”
@fasterthanlime can you tell me why you used Rust for this instead of C?
To me it seems like worrying about memory safety isn't worth it when YOU ARE the hacker...
Is it for high level functions?
Not criticism btw, just genuinely wanted to know, thanks...
Memory safety is primarily about making your program robust (crash/error free) and memory efficient (not leak memory).
Those are things you typically want regardless of what your program does.
But most importantly: why wouldn't you use Rust? :)
19:17 I actually did this in VB6 once... the hardest part was finding the function in memory to copy
epic
GET. OUT!
Gets banned in game
bro, your vid sure is a gem, but timestamps would defo do it a favor
How is this allowed?! Can I just spawn myself into, let's say, the browser's address space, and continuously dump its contents to my server? And when other people run my program, they start sending me an unending stream of their browser data, including passwords they're typing in and whatnot? Being able to fool around in other programs' address spaces seems horribly insecure.
If the browser is running on the same user account - then yes. Injecting into other users' processes is only allowed for administrator accounts (or, to be specific - for users with debug privilege, which administrators always have by default).
So, if you want to protect your browser (or any other app) - it might be a good idea to run it as a separate user account. Of course, that works as long as you don't run random programs as Admin - that's just game over, Admin has absolute control over the machine.
mmmm can i map my address onto your physical memory amos 👉👈😳
chapters plz
4:15 Why don't you use WSL instead of a VM?
Some time back, WSL2 didn't support some of the things I needed for my job, like eBPF, or perf counters. There's been unofficial support since, and there may even be official support now, but the way it's set up makes it awkward to use a kernel other than the Microsoft-provided one, which is annoying at times.
22:22 use a NOP slide :)
Do the Patreons have access to the source code?
Writing such low level code in rust seems like a hassle, you would've done better using C or C++
why don't you use Linux
I do, in a VM. My host OS is Windows 11, for video capture, editing, and gaming.
@fasterthanlime sounds great! I have it in reverse. Linux as host, and a Windows VM for gaming. I use KVM and GPU pass-through for native-like performance.
please respond
first!
second!