- Videos 46
- Views 55,355
Pavel Yosifovich
USA
Joined 28 Sep 2021
Short videos related (mostly) to Windows Internals and software development.
Simple RPC Client/Server
Demonstrates building a very simple RPC client /server from scratch.
Views: 523
Video
Darkside Clone Demo from the webinar
1.1K views, 6 months ago
just the code demo! source code: github.com/zodiacon/MalDevWorkshopWebinar
Fork/Join Parallelism
645 views, 6 months ago
For more on threads, see the course Windows System Programming 2 at training.trainsec.net/windows-system-programming-2-pavel Source code: github.com/zodiacon/youtubecode/tree/main/PrimesCounter
Create Process with Alternate Parent
431 views, 7 months ago
Hooking Functions in a different Process
998 views, 7 months ago
I love these videos label!!!
Please heart my comment, it would mean the world to me
MY MAN PAVEL, RPC IS MY FAVORITE. I LOVE THE RPCRT, SUNRPC aka ONC, portmappers, stubs, marshalling, the whole deal!!!
You should show us DCOM and PSRemoting.
This channel is definitely not for newbies; the content the author provides is really unique on YT.
Thank you a lot for this channel
One of the few channels that provide good and informational content.
Yes, and as usual, the more complicated the information, the fewer people care about it :) People like TikTok nowadays; no one cares about learning really hard and complicated things...
this channel is pure gold
NO CAP PAVEL GOT MIDAS TOUCH
Great explanation, even for teapots like me. EAC, hold on...
Thank you for these videos :)
Is there a way to track a particular thread's state (Init, Running, Suspended, Waiting etc.) having its handle or id?
It depends what you mean by "track". You can get a thread's state with NtQueryInformationThread. You cannot get a callback or something similar. You can record an ETW trace that will show you thread state changes.
Ok, but NtQueryInformationThread can give THREAD_BASIC_INFORMATION, which does not contain the thread state. So now my solution is to use NtQuerySystemInformation with all those process and thread enumerations.
You can use ThreadSystemThreadInformation info class to get SYSTEM_THREAD_INFORMATION where there is a ThreadState member.
Ok, got it. Thanks! But this info is not well documented (
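An added example for the exchange above (not code from the video or from any commenter): polling one thread's state through System.Diagnostics.ProcessThread, whose ThreadState and WaitReason values come from the same SYSTEM_THREAD_INFORMATION data that NtQuerySystemInformation returns, and logging every transition the poll observes. It assumes the caller supplies an existing process id and thread id.

```powershell
# Added example, not from the video or the comment thread.
# Polls one thread's state via System.Diagnostics.ProcessThread (backed by
# SYSTEM_THREAD_INFORMATION.ThreadState/WaitReason) and logs each transition.
# Assumption: $TargetPid/$TargetTid name a live process and thread.
param(
    [Parameter(Mandatory)][int]$TargetPid,
    [Parameter(Mandatory)][int]$TargetTid,
    [int]$IntervalMs  = 50,
    [int]$DurationSec = 10
)

function Get-ThreadSnapshot {
    param([int]$ProcessId, [int]$ThreadId)
    # Get-Process builds a fresh Process object each call, so .Threads is current
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $t = $proc.Threads | Where-Object { $_.Id -eq $ThreadId }
    if (-not $t) { return $null }              # thread has exited
    # WaitReason is only meaningful while the thread is in the Wait state;
    # a suspended thread shows up as Wait with WaitReason Suspended
    $reason = if ($t.ThreadState -eq 'Wait') { [string]$t.WaitReason } else { '' }
    [pscustomobject]@{ State = [string]$t.ThreadState; WaitReason = $reason }
}

$last = $null
$deadline = (Get-Date).AddSeconds($DurationSec)
while ((Get-Date) -lt $deadline) {
    $snap = Get-ThreadSnapshot -ProcessId $TargetPid -ThreadId $TargetTid
    if ($null -eq $snap) { Write-Host "TID $TargetTid no longer exists"; break }
    $key = "$($snap.State)/$($snap.WaitReason)"
    if ($key -ne $last) {
        # Print only when the (state, wait reason) pair changes
        '{0:HH:mm:ss.fff} TID {1}: {2} {3}' -f (Get-Date), $TargetTid, $snap.State, $snap.WaitReason
        $last = $key
    }
    Start-Sleep -Milliseconds $IntervalMs
}
```

Polling misses any transition shorter than the interval, which is why the ETW trace mentioned in the reply is the only way to see every state change.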
MY MAN PAVEL, you should show us putting a DLL under a normal service so when that service runs it'll run the DLL that was placed under that service, maybe something like RPCSS.
Also wanted to thank you for your time teaching us. My friend watches your videos too; he is only 15 and trying to become CPE entry level certified. I am CCNA certified right now!!!
Not sure what you mean by "normal service". I guess you mean svchost.exe as a generic host for services implemented in DLLs. This is undocumented but has been reverse engineered. You can probably find it elsewhere online.
@zodiacon Yea, that is what I meant, thanks, I will look!! PS: you are the MAN!!! <- know that
looking forward to next video on service
If you don't watch Pavel you won't win in life.
Hey, do you know how to install and configure a service offline on a VHD filesystem without sc.exe?
You'll have to write to the Registry directly to the SYSTEM hive... (System32\Config\System). Need a tool that can do that.
@zodiacon Ye ever done it? Before sysprep/windeploy?
I didn't do that personally. But I know of someone that did something like that.
@zodiacon Ah. Perhaps do a vid on it. For now, I cannot figure out how to insert a new service for a headless boot without sc.
Unlikely, not really interesting for me... sorry
Sir Pavel, your work is really admired. Thanks for taking your time to help us. I am 17 years old and you made me learn a lot.
I remember when I was 17. Keep going bro, everything will pay off with time and dedication to your CS craft!!! 😉
Wow video made by the master himself, what a treat. I have read all your Windows books and learned a great deal.
Excellent summary as always.
Sir, you are so valuable! I'm 20 years old and I've learned so many things from you, I really love what you do!
I'm 19, been watching Pavel for a year now, he is the master!
@zodiacon Pavel please read another email message that I sent you. I really need some help.
Great video!
I have just found your video series. Thanks Man
Thanks for the video!
Hi Pavel, great video. I wanted to ask: for example, the application I tried to close the window of has 2 of the same mutant handle (with the same name). If I close either one of them it will succeed, but if I try to close the last mutant handle, it will not be able to close it (I've tried using handle.exe -p <PID> -c <handle_id> -y; it will successfully close, but when I check using Process Explorer it will still be there, even if I close it using Process Explorer). Any idea why?
No idea, this can't really happen. Maybe your Process Explorer view is paused (press/release Space Bar) so it's not updated.
@zodiacon Found it. Seems like the 2 same mutant handles have a different attribute (I checked it using your Object Explorer, great app Pavel): one of them is None (0) and the other is Protect (1), and I can't seem to close the Protect (1) one. Could this indicate that my Windows login user does not have high enough authority? If so, any idea how to close the Protect (1) mutant handle?
The Protect flag prevents closing the handle. You need to call SetHandleInformation(h, HANDLE_FLAG_PROTECT, 0) from within that process to remove the Protect bit. Who put the Protect bit there?
Nvm... even if I use Process Explorer, it will say I successfully closed it but it is still showing in it. This could be protected by something. Any idea how to trace it?
There is nothing to trace once the flag is there. You could set a breakpoint in SetHandleInformation, maybe something will show up.
Thx! Great video like always
Very informative and well explained video, Pavel! thank you. It will be awesome if someday you could present a use case scenario, maybe investigating a troubled application, just explaining the basics, obviously.
love your videos man
just amazing! <3 <3
Thank you very very much!!!! ❤❤
Really great videos for youtube. Thanks much for these.
CPU control
And what happened if nothing happened? I mean the code compiled without error, but when I try to inject, nothing happens, no error, prints nothing, all antivirus is off!! Any idea?
Make sure you inject a 64 bit DLL into a 64-bit process or 32-bit DLL into a 32-bit process. Other than that, you can use Process Monitor to see if the DLL is loaded, if the thread is created, etc.
@zodiacon Yeah, thanks, I solved it. I tried with another injector and the injector told me "you are dumb, you want to inject 32-bit into a 64-bit" :D
Is it possible to load the DLL from memory instead of from disk using the QueueUserAPC method?
Not directly, as there is no API for that. It's called Reflective loading (unrelated to the technique).
Why don't you just use msfvenom for BYTE shellcode[]=?
Is there a way to differentiate between a file upload initiated by a user and a file upload done internally by a browser? Since most of the file upload stuff is done using IFileOpenDialog, is it possible to use ETW to check that information?
Only if the IFileOpenDialog implementation raises ETW events - since there are many ETW providers and events, more research is needed.
thx
I have a technical question. I know that TCP port 445 is listening for incoming SMB connections and it is probably registered by something like Winsock, but for the kernel, because the PID is 4, which as far as I understand is the "process" of the Windows kernel. But how can I find out which kernel driver is responsible for that?
PID 4 is indeed the System process, where the kernel and kernel drivers execute. There is no direct way to tell which driver is listening on which port as far as I know without doing reverse engineering or kernel debugging. In the SMB case, I would guess mup.sys
@zodiacon Ok, but is there a way to at least close that port without using a firewall?
@filips_world No, don't worry about that, I need that open for me to share with IPC or admin, leave it alone :)
Hey, are there options to patch the kernel to load an exe bigger than 4GB?
Why on earth would you want to do that? The PE format does not support larger than 4GB binaries anyway.
love your work Pavel! I see green tick up top right for copilot? maybe signing out of copilot might stop the completions?
Good idea :) Actually, I found a setting there that disables C++ completions! Finally!
Absolutely love it! Please keep making more of this amazing content!
Just wanna say, after spending a lot of time watching your instructionals, how much I appreciate you keeping in the mistakes, sharing thought process of figuring out what's likely wrong, and only then correcting it. Not because of "it's good to see someone of your level still makes mistakes", but I think literally as a pedagogical device it holds more value vs if you were to edit this out, and just present a flawless progression. I feel like these moments create much more "sticky" impressions, and have noticed now in my thought process how recollections related to "mistakes" you made and corrected are much more prominent. Not sure if this was a conscious decision on your part, but it's really great man thanks.
I think it's important to realize that mistakes are inevitable, and they are not a bad thing. These are great opportunities for learning. Thank you for your kind words!
So incredibly grateful for all the knowledge you put out and teaching style Pavel, a real pleasure learning from you.
Sorry to ask this just in case this has been asked before. I love the Windows Internals books and was just wondering if anyone knows whether an 8th edition will be on the way or whether the current 7th edition is also completely relevant to Windows 11? I assume it is since I have heard that 11's codebase is the same, or mostly the same, as 10's. Thanks for any replies!
Yes, the 7th edition is relevant to Windows 11 as well as Windows 10. There is some new stuff in Windows 11, but it's still the same codebase.
@zodiacon Thanks Pavel, is there likely to be an 8th edition in the future if enough changes occur?
I would say it's likely, but really no way to tell...
@zodiacon Thanks Pavel, really appreciate your replies!
better than finding some porno magazines when I was a kid. kids today are lucky with the internet.
Thanks for your nice explanation. Does this technique work even if "Address space layout randomization" is enabled? Is the address of "LoadLibraryA" the same in the virtual address space of all processes?
@nazmdar yes
Very cool if you could maybe show us adding functions to a driver and then injecting that driver without hurting the non-tampered-with driver's functionality!! 😃😄
Hey, anyone knows how to download the notepad's symbols? In my case, it seems like windbg doesn't download it automatically.
If you're on Win 11 and using the "new" notepad - I believe the symbols are not provided by MS.
@zodiacon Yes, I am on Win 11. I see it now, thanks a lot. Uhh, if you don't mind, may I ask you why a Windows guru like you doesn't prefer Win 11? I don't like Win 11 either but use it anyway because of hardware/driver compatibility.
Win 11 is a failure, in my opinion. The kernel is still good, but the user-facing features are terrible, such as the task bar and explorer.
@zodiacon Yes, I agree with you. In addition, its memory use at idle takes increasingly more memory. Even just a simple calculator app can take 100 MB of memory. I miss the old Windows 7 days so much.
Thanks for this content. You can access \Device\HarddiskVolume1 and read its content by creating a symlink to it using this command: mklink /d C:\FAT \\?\GLOBALROOT\Device\HarddiskVolume1\ and then going to the path C:\FAT using cmd!
It seems a SATA volume can only be accessed after it was mounted into an empty folder. Yet can we use a volume without mounting it to any folder?
Not sure what you mean by "mounting to a folder" - a volume is independent of any folder. It may be unformatted, which will not allow "standard" access but still possible with APIs.
@zodiacon Seems without calling SetVolumeMountPoint one cannot access files directly on the new volume; otherwise one could subst subfolders as drives directly via Control\Session Manager\DOS Devices ..
I did access files directly...
That said, there may be subtleties I am missing here.
@zodiacon Your volume was mounted as C. Try a volume that's not mounted at all.