Malware Development in C | Remote Process Injection
- Published 11 Jun 2022
- Hello everyone! Hope you all are doing well! Today I'll be teaching you process injection in C. Process injection is a technique in which an attacker can inject malicious shellcode or a DLL inside a remote process. Hope you all enjoy the video! Make sure to leave a like and subscribe to my channel!
Resources :
CreateRemoteThread MSDN : docs.microsoft.com/en-us/wind...
WriteProcessMemory MSDN : docs.microsoft.com/en-us/wind...
VirtualAllocEx MSDN : docs.microsoft.com/en-us/wind...
Socials:
Twitter : / bhalgamavedant
GitHub : github.com/Vedant-Bhalgama
Note:
All videos and tutorials are for informational and educational purposes only. I believe that ethical hacking, information security, and cybersecurity should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on this channel are only for those interested in learning about Ethical Hacking, Security, and Penetration Testing. Hacking tutorials are against the misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. - Science & Technology
Your channel is gold mine for C lovers..
Haha, thank you for your kind words mate 😁
Love the content on C ... please keep them coming ❤
Thank you for the fantastic video - always appreciate your C programming content!
Thank you so much! 😁
Very well explained, thank you, good luck!!
I love how he was so kind to zoom in at 14:30 even though it was clearly visible hahah.
Excellent tutorial, thank you very much!
Haha! Thank you for your kind words! ❤️☺️
Very well explained !! We are waiting for more techniques like Process Hollowing !!
Another perfect video, thank you!
great stuff man! would love to see an extended video including how to obfuscate the c code within jpeg or pdf!
This is sweet. Looking forward to what you bring next.
Thank you! 😁
Keep the content in C. Good job man!
Amazing like always
Nice film bro! Pls more C coz it's the best content 🙂
Nice bro ❤
Well explained
I randomly came here, amazing resources
Thx for sharing my bro
Love it
after a long time
Plz make a video about PE INJECTION and PROCESS HOLLOWING... Very hard to find good information on those
Here is something you might wanna check out : www.ired.team/offensive-security/code-injection-process-injection/pe-injection-executing-pes-inside-remote-processes
anyone know to add the thing in 11:59 where you can see what is supposed to be in the parentheses, thanks
Love u
I have a noob question. Why does the malware want to run the shell code through notepad process and not its own process? Is it to be less suspicious?
Well, yes, it's not like running through the notepad process but, you could inject it into any process which you had rights to. In the past when this technique was discovered, a lot of AVs could be bypassed just by injecting the malware in memory and running it, no AV could detect it and even now, some AVs are still not able to detect these kinds of fileless malware attacks, which usually only good EDR and AV solutions do like Defender, Kaspersky, etc.
Can you please make a video on Spymax Software/spyware...
Really appreciate 🤩🤩🤩🤩 but what about badchars bro ??
You can add the -b switch to remove bad chars while generating shellcode using metasploit and specify the bad chars you don't want in the shellcode
I had an error when coding: "exec_mem" could be "0"
Do you have to do the injection process once? Or when the pc reboots, the injections disappears?
Yeah the injection process only works once, it isn't persistent, though you can make it persistent. But, you gotta code it in such a way that it can find PIDs on the basis of the process name, as the PID of every process changes on reboot.
Sir, make a video on getting a Linux-terminal-like reverse shell on Windows
Why it is not working to me? I have done all exactly as in the video, but I cannot manage to get a shell. Ps: No firewall, no defender... Any idea?
Check if the IP Address you have provided in the client file matches to that of the server.
beginner question so what is the use case/ how would a "hacker" use this? What is this supposed to do? just establish a connection to a kali linux machine? SO would an unsuspecting victim download that exe click on it and then without knowing it it takes over a notepad process and establishes a connection to the hacker and then it would grant the hacker access to whatever victim? is that right?
Look, Process Injection has its own advantages, A normal reverse shell payload will work, but, this is more stealthy and difficult to identify (obviously not in 2023 lol) EDR/AV can easily detect process injection attempts via API Hooking but it can be bypassed too! Moreover, there are other better injection techniques than this, this is the most basic one
Yes, Now imagine if you inject into a program which performs legitimate TCP connections too, It is difficult for a person to identify the malicious TCP connection which was established due to process injection right? Also, in a real world scenario, you won't know the target's notepad.exe process PID (or any other process) so for that, you can write additional code to get the PID of a process by its name
@ActiveXSploit I see, thank you so much for clarifying. I've actually added a WriteProcess script to open a notepad and grab the PID of that and then had your code inject into that. Although it's obvious but just wanted a proof of concept
What font you use at 13:14?
It comes by default in Visual Studio 2022
You are asking about the parameter hints which it gives for a function right?
@ActiveXSploit aaa ok, thanks bro
Modern AV signals these functions as misc and make an alert on it
Yep, very easily, Techniques like direct system calls can be used to evade EDR Hooking and stuff
@ActiveXSploit can you show how to implement direct syscalls? I believe it must also need some ASM code, no?
@_Afsus Yep, ASM coding is required for it, I have some pretty cool resources which you can check out :
www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
@ActiveXSploit this is what I've been looking for.
Why did the defender not catch the shellcode?
As I had turned it off for demonstration purposes, if you want to bypass defender, you can try various other injection techniques. Though, they won't work, nowadays good EDR systems use API HOOKING to monitor API calls executed by programs, in order to bypass that you have to use direct system calls. Search for it online to get more info about it
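On the detection side the replies above point at: an added example, not from the video or its author, that runs a small checker over constructed Sysmon Event ID 8 (CreateRemoteThread) records and flags the two indicators of the technique this video covers, a remote thread whose start address is backed by no loaded module (shellcode written with WriteProcessMemory) and a remote thread started at LoadLibrary (DLL injection). The Sysmon field names are the real ones; the sample records, process names and addresses are constructed.

```python
import re

# Constructed sample records, modelled on the text body of Sysmon Event ID 8.
SAMPLE_EVENTS = [
    # Shellcode case: thread entry point lies in memory owned by no module.
    "CreateRemoteThread detected:\n"
    "SourceImage: C:\\Users\\demo\\injector.exe\nSourceProcessId: 4120\n"
    "TargetImage: C:\\Windows\\System32\\notepad.exe\nTargetProcessId: 5532\n"
    "StartAddress: 0x000001F6A2B40000\nStartModule: \nStartFunction: ",
    # Benign case: debugger attach, entry point inside ntdll.dll.
    "CreateRemoteThread detected:\n"
    "SourceImage: C:\\Windows\\System32\\csrss.exe\nSourceProcessId: 612\n"
    "TargetImage: C:\\Windows\\explorer.exe\nTargetProcessId: 3300\n"
    "StartAddress: 0x00007FF8A1B21234\nStartModule: C:\\Windows\\System32\\ntdll.dll\n"
    "StartFunction: ntdll.dll!DbgUiRemoteBreakin",
    # DLL injection case: remote thread started at LoadLibraryW.
    "CreateRemoteThread detected:\n"
    "SourceImage: C:\\Users\\demo\\loader.exe\nSourceProcessId: 4188\n"
    "TargetImage: C:\\Windows\\System32\\notepad.exe\nTargetProcessId: 5532\n"
    "StartAddress: 0x00007FF8A0C31F40\nStartModule: C:\\Windows\\System32\\kernel32.dll\n"
    "StartFunction: kernel32.dll!LoadLibraryW",
]

# One "Key: value" field per line. [ \t]* rather than \s* so that an empty
# value (StartModule with nothing after the colon) cannot swallow the next line.
FIELD_RE = re.compile(r"^(\w+):[ \t]*(.*)$", re.MULTILINE)

def parse_event(text):
    """Turn one event body into a dict of its fields."""
    return {key: value.strip() for key, value in FIELD_RE.findall(text)}

def classify(ev):
    """Return a reason string if the event looks like injection, else None."""
    # A thread created in the caller's own process is ordinary CreateThread use.
    if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return None
    if ev.get("StartModule", "") == "":
        return "start address not backed by any loaded module (shellcode)"
    if ev.get("StartFunction", "").endswith(("!LoadLibraryA", "!LoadLibraryW")):
        return "remote thread started at LoadLibrary (DLL injection)"
    return None

def find_injections(events):
    """Return (source image, target image, reason) for each suspicious event."""
    hits = []
    for text in events:
        ev = parse_event(text)
        reason = classify(ev)
        if reason:
            hits.append((ev["SourceImage"], ev["TargetImage"], reason))
    return hits

if __name__ == "__main__":
    for source, target, reason in find_injections(SAMPLE_EVENTS):
        print(f"{source} -> {target}: {reason}")
```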
do you have course content in Udemy for malware development in C ??
please make one
Sure mate, i shall make one in future!
Where do you recommend to someone who is starting out in C, this stuff looks alien to me and hard to make sense of.
You gotta learn c first mate
Get comfortable with its syntax, code some basic programs to gain experience and you'll soon understand all this
bro why did you stop making these videos
I am a bit busy with my academics right now and I don't get much time, I'll surely be back once I'm free
hey br wassup ur discord wizard here
This is not remote process injection. This is injection into a local process, not a remote process, despite the name of the function call "CreateRemoteThread"
This literally is remote process injection mate, I'm injecting the shellcode in a remote process running on Target
@ActiveXSploit No, when a process is running in the same PC it's local and the other process is running in the same machine. "Remote" refers to a process running in a different PC, i.e. over the network, such as in the case of RCE
Mate, both things are entirely different, remote process injection is injecting into a different process running on the target system, whereas local process injection is injecting the shellcode itself in the local process which is running. If you don't believe me you should check this out www.ired.team/offensive-security/code-injection-process-injection/process-injection