How Hackers Evade Program Allowlists with DLLs

yes please, more nim content. thank you for your service

I love that Nim is in this picture. It is such a nice little language that sadly gets attention by bad actors

Yes! We want more Nim. I've never used it, and would like to know more about it and how it's being used in the security space. 😊

Nim deserves more community attention. Although I don't think they would be happy to hear they are again being used to develop malware. Anti-malwares are already flagging them as malware because so many people are using it to that end :D

I'm a Python guy, so seeing that style of syntax used on lower level winapi stuff is sick! I'd love to see more Nim stuff in the future. So unfortunate a powerful lang with a familiar syntax has a bad rep.

Your videos feels like 5 minute long. Your method of explaining is so much interesting and captivating, sure do love to see more nim action.

Thank you! Absolutely need more cool stuff in NIM.

I've been interested in learning Nim, so I'm definitely interested in seeing more

That Right of Boom shirt though... IYKYK

And now using Nim language, John, you now have my full attention.

John, you are just firing off videos here lately, I love it. Thanks!!

Would love to see more stuff on nim and DLLs!

I weep for the day when all my Nim payloads get flagged. Every other week it seems like more and more effort is required to keep them working, pre-obfuscation.

Why on earth have I never heard about Nim???

Thx for new video!😊

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters]
"AutodialDLL"="C:\\Windows\\System32\
asadhlp.dll"
Change the file to your dll which u want to inject, start the program and it will inject in every process with system rights. I use this this to inject the ReverseKit into highly obfuscated malwares/loaders. After your injection just set the old dll

very nice and easy to understand, thank you

It's the first time I even heard from nim. Looks easy to have fun with. But dll sideloading is hard, for most apps you have to be able to write into a directory of the app, but it's a possible way. But this is hard compared to just start an exe and then, you filter out script kiddie attacks.

More nim please

This was cool, but I was hopping for an explanation on how to find applications that are vulnerable to dll hijacking

Its how roblox gets hacked non stop by using dll

Why do people use Nim instead of Python? First time I've ever heard of Nim and am curious

Nice. Next video on some type of SQLi, maybe🤷😉

yes pls, more bim stuff

I created an entire undetected reverse shell via DLL Sideloading on an official windows application.

I know C++ and rust quite well. Should i learn nim for offensiveNim or ofRust, OfCpp will do the work?

More NIM wouldn’t be horrible.

Great video.. make some more fun Nim video's 👍

Stay watch.. 🍿

Thanks for your daily Tutorial

I'd love to play with Nim more, but last time I messed around with it and was just starting out doing "hello world", EDRs flagged it just because it was Nim.... it was Hello World.... :(

Super neat! 🤓

I love your content my Friends thanck tou men for best channel.

ah yeah deff had my first dll fk my pc up back in 2004. unforgetable.

yes

Not using Rust/10. :P I bet if you tried hard enough, you could do this in Python, too.

Great content

So this is a persistence mechanism, not an initial access vector?

Isn't there a program out there that can scan all the .dll files on a system or in a folder, checking them for malicious activities?

Learning is hai movement more

Can Windows trigger SystemRestorePlatform.exe as System user?
Its running as standard user in this tutorial.

literally you are teaching hackers how to compromise victims :)))

I would love to learn more about nim and how it can be used to hack.

Beginner positional to explaining middle option for you explain

Hackers can employ various techniques to evade program allowlists using dynamic-link libraries (DLLs). Here are a few common methods:
DLL Side-Loading: This technique involves exploiting the way Windows loads DLLs for an application. Hackers identify a trusted DLL that is allowed by the program's allowlist and replace it with a malicious DLL having the same name. When the program is executed, the malicious DLL is loaded instead of the legitimate one, allowing the hacker to bypass the allowlist.
DLL Hijacking: In this method, hackers identify programs that load DLLs using a relative path or search order. They place a malicious DLL in a directory that is searched before the intended DLL location. When the program is launched, it unknowingly loads the malicious DLL, bypassing the allowlist.
Reflective DLL Injection: This technique involves injecting a DLL into a running process without writing the DLL to the disk. Hackers load the malicious DLL directly into the process memory and execute it from there. Since the DLL is not written to the disk, it can evade allowlists that check for file presence or file hashes.
DLL Proxying: In this method, hackers intercept calls to legitimate DLLs by creating a proxy DLL. The proxy DLL loads the original DLL and performs the intended functionality while also executing malicious actions. This way, the hacker can bypass the allowlist by ensuring that the proxy DLL is allowed while the original DLL may be restricted.
DLL Load Order Hijacking: Hackers take advantage of the DLL search order used by Windows. By manipulating the order in which DLLs are loaded, they can force a program to load a malicious DLL before the legitimate one. This way, the malicious DLL can override the legitimate DLL's functionality and evade allowlists.
To mitigate these evasion techniques, organizations should consider the following countermeasures:
Regularly update and patch applications to prevent known DLL vulnerabilities.
Implement strong allowlisting mechanisms that validate DLL signatures, hashes, or secure file paths.
Employ secure coding practices to prevent DLL hijacking vulnerabilities in applications.
Monitor DLL loading activities and detect any anomalous behavior.
Implement behavior-based security solutions that can identify and block malicious activities performed by DLLs.
Apply the principle of least privilege by ensuring that applications and users have the minimum required permissions to reduce the impact of any successful DLL attacks.
It's important to note that the effectiveness of these techniques can vary depending on the security measures in place and the sophistication of the attackers. Staying updated with the latest security practices and maintaining a strong defense-in-depth strategy is crucial in mitigating DLL-based attacks.

sir can you crush or bypass some apps

Gief more nim plz

🤓

Nim pleeease!

cant believe im this early lol

Dll more explain 😡🤖🚩

Nim limn moor explain deep class the little bit understanding how to explain in the "full file"explain what video

Early. :3

Ptp , elements ip /update/ ecppt exam
Oscp

Jesus Christ the pronunciation 😂

Llmnr

Meanwhile windows calc why are you making look bad to people what i did to you 🤣

“allowlist” in whitelist in cuckspeak btw

Very cool stuff, I've never even heard of nim until now lol
Given that he used SystemResetPlatform.exe to lauch calc.exe, could this be potentially used to make a persistent malware that wipes files or makes the system unbootable when a system reset is attempted? That would be really cool to see.

+/dll mind moor explain deep class+/-/cylekytr

Nim is awesome