Love your work mate, I was recently doing some ad hoc hunting and found that the md5section keyword in VT helped me find similar PEs, and as in this scenario the .text and .rdata sections have different MD5 hashes while the rest of the sections have the exact same hash, which indicates that both sections went through some code changes. Keep up the good work mate, your work is always amazing and knowledge-filled.
Excellent thing to note when looking for these! Thanks a bunch mate. One of the things I like to do for pivoting is, for legitimate executables on VT, look at their relations to other files. I often find a parent archive that's got some AV hits or looks suspicious, and then inside of that I always wind up finding a new malicious DLL which drops with the legitimate executable.
Love this video. Today I understand what a DLL is actually doing. My previous understanding was wrong. As always, thanks for the clear explanation, and waiting for the second video of this. ❤
I'm glad to hear it! Makes the effort put in to edit everything worthwhile! Thanks ❤️
Very very interesting! I'm looking forward to the next video.
Oh btw, the same thing can happen if you have Python installed (Java does that too, but it's inside C:\Program Files).
Check if your system PATH variable has the Python directory listed first in it. If it isn't, the next steps won't work.
Copy a random exe like mspaint into the Python directory and rename it "cmd.exe".
Now open the real cmd and type "cmd" in it... voila, you will run your fake exe instead.
Since that Python directory is user-writable for unknown reasons... Good job, now where is the CVE? No one seems to know that.
This is not a bypass in Python; it's the way it is installed improperly on Windows which allows that.
And that's why you should NEVER append your own program's path to the PATH variable *before the Windows directories*, as it always opens attack vectors.
It could also be my system is busted and that's just me. If someone wants to try that, be my guest.
Yeah I believe you're right there 😅
Definitely seen that used in the wild too because of where it sits in the search order. Windows is full of random shenanigans like this 🫣
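The PATH-ordering problem discussed in the two comments above is easy to audit for. The script below is an added example, not code from the video or from any commenter: it walks `$env:Path` in search order, stops at the first Windows system directory, and reports any earlier directory whose ACL grants write access to a broad group (`BUILTIN\Users`, `Authenticated Users`, `Everyone`). The choice of those three groups as "risky" and the use of `$env:SystemRoot` to locate the Windows directories are assumptions of this example; it only reads ACLs and changes nothing.

```powershell
# Added example (not from the thread): list user-writable directories that sit
# in PATH before the Windows system directories.
# Assumptions: Windows PowerShell 5.1 or later; the three identities below are
# what this example treats as "any user can write here".

$riskyIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor `
             [System.Security.AccessControl.FileSystemRights]::Modify -bor `
             [System.Security.AccessControl.FileSystemRights]::FullControl

$winDir  = $env:SystemRoot                      # normally C:\Windows
$entries = $env:Path -split ';' | Where-Object { $_ -ne '' }

# Index of the first Windows system directory in the search order.
$winIndex = -1
for ($i = 0; $i -lt $entries.Count; $i++) {
    $e = $entries[$i].TrimEnd('\')
    if ($e -ieq $winDir -or $e -ieq "$winDir\System32") { $winIndex = $i; break }
}
if ($winIndex -lt 0) { $winIndex = $entries.Count }   # no Windows dir at all: check everything

for ($i = 0; $i -lt $winIndex; $i++) {
    $dir = $entries[$i]
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

    $acl = Get-Acl -LiteralPath $dir
    $writable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($riskyIdentities -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $writeMask) -ne 0)
    }
    if ($writable) {
        [PSCustomObject]@{
            Position   = $i
            Directory  = $dir
            WritableBy = ($writable.IdentityReference.Value | Select-Object -Unique) -join ', '
        }
    }
}
```

Any directory the script prints is one where a standard user could drop a file named after a system binary and have it found first, which is exactly the Python-directory case the comment describes. The fix on the defender side is either to move the directory after `%SystemRoot%\System32` in PATH or to tighten its ACL so that only administrators can write to it.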
Fun fact, that's how Gshade/Reshade (kinda) work, by hijacking DirectX somehow.
I've never actually looked into Gshade/Reshade before, but at a glance I think you're spot on. Either side-loading a DLL to get some code execution or manually injecting a DLL into the process... Or maybe even both 😅
@cyberraiju I think it's sideloading first by dropping a DLL in the game directory and then (re-)loading the normal DLL, but injecting itself into it?
Hahahahah not updating Windows
Fake Hammond.
Just liked and subscribed. This guy puts out good content that’s helpful to the industry. Unlike your toxic comment.