📌 Use code "CROW10" for 10% off your order when you checkout at Maldev Academy FOR A LIMITED TIME! ---> maldevacademy.com/?ref=crow
Font: DinaRemasterII
Theme: Zero (Dark Theme)
I can't find the theme, could you give me the link for it
if possible could you please also cover these videos in rust?
this man is the best teacher I've ever seen, strictly on his use of comedy and 4th wall breaks, while being detailed and informative
i appreciate that so much! thank you :')
I thought I was crazy for thinking that too. Something about the way he explains things just works for my mush-brain.
Best part of using native APIs in usermode is the things you can do that you would never be able to achieve with using just win APIs. Of course native APIs add a lot more code but the amount of flexibility and control you can achieve is just pure gold.
agreed! it's also just a lot of fun to see how everything comes together! thank you so much for commenting!
This man is one of a kind. Seriously, so informative, but keeping it fun and cool! So much love, looking forward for the next episode ❤
thank you so much! that's so kind of you
Man, I literally have been watching your buffer overflow video right now, and just noticed an upload! What a timing
LETS GOOO HES BACK, I HOPE YOU GET SOME REST CROW!!! I SEE THE EFFORT!! THANKS FOR ALWAYS PUTTING OUT LEGIT CONTENT!!
ILY LEGEND
It was 1 AM and yet I clicked. Was not disappointed, and *genuinely* enjoyed the jokes, and knowledge shared (thanks to knowing the non-WinAPI parts in advance, I guess!). Thank you, crow!
it's my pleasure! thank you so much for commenting
as soon as i saw you posted a new video i got so excited, you’re my favourite youtuber. malware development is so fascinating when coming from a software dev background
I thank the universe for putting your video on my feed, it was so well explained and you kept my attention at all times with the memes and jokes. Thank you Crow!
saw your videos yesterday and all i have to say is ... please never stop doing what you are doing.
you are really talented and good at explaining.
i really like that your teaching method is not possessed by elitism which as you said (and i agree) is one of the biggest problems in this field.
you never take anything for granted and you are willing to explain even the slightest thing to your "students".
subscribed, of course :)
I swear ur the best teacher out there!! Glad i stumbled upon ur channel even tho im not into malware dev im learning a lot.
That coding montage at 4:30 is so smooth. Could have that playing in the background while I work/study.
bro this is actually so entertaining, thanks for your work boss
thought i was losing it seeing a crow notification
Wooooooowww..... Maldev academy is literally what I've been looking for for years ..!!!!
Recently discovered your channel and the content is great. Thanks man.
thank you so much!
yay, our beloved malware man crow is back
awesome video, thanks for addressing the goto statement, immediately started having flashbacks to uni...
10:54 Damn I remember reading that from that book
I've been waiting for your new teaching
I love you crow, your videos are really simple but interesting, thanks so much!!!
aw thank you so much, that's so heartwarming to hear
Oh wow look my favourite bird is back
I LOVE YOU CROW!! hope you're doing well!
ILYT THANK YOU TRINTLER, SAME TO YOU HOMIE
@@crr0ww I was and I'm always wondering - why is there 0 content like this for Linux?
@@gregandark8571 well, windows is the most popular platform that people use, so it's natural that most malware is made for it! that isn't to say that there isn't malware for linux, there's a lot out there too (some really really cool techniques as well!)
dont worry, i have something planned for linux-based malware development too :) all in due time. thank you so much for commenting!
@@crr0ww Awesome!
nice channel, will watch all today
don’t care who says what, this man needs a 100k play button
In love with crow's humour
i hope bro keeps getting butterflies after referring to past videos. goatttt
I'm trying to play MapleStory with Crow. Also this was so dope
How do you generate the shellcode for starting the calculator?
well, you could make your own shellcode (which is recommended, but for beginners might be too difficult at first) or you could use a shellcode-generating tool, the most popular of which is called "msfvenom". although, be warned that msfvenom has been heavily scrutinized and documented so pretty much all of its shellcode will get caught by windows defender. now, you could get past this by encrypting the shellcode, or for this example, since we're not doing anything malicious, you can set an exclusion path for windows defender so that your program can run and not get thanos snapped out of existence. hope that helps
@@crr0ww could I make an exe that starts calculator with system(“calculator.exe”) then try to get the bytes from a disassembler? Btw, I got into this with game hacking stuff like assault cube and your channel now has gotten me into the more general area of malware. I like how you present the information in an entertaining way instead of speed running code with subtitles. Really makes it enjoyable 👍🏼.
Awesome video!!! What font are you using? It's great (the pixel art font, not iosevka)
thank you so much!! :D it's called "DinaRemasterII"
BABE WAKE UP NEW CROW DROPPED
ayyee, crow's back to the crew w/ anotha motha video bout maldev series. love ya homie
i actually found out a weird thing with OBJECT_ATTRIBUTES. the Length member is optional on some functions, but required on others. but the interesting thing with that is with e.g. NtOpenProcess the Length can be 0, but the actual pointer to the object attributes can't be nullptr/NULL/0, otherwise the function will fail.
idk when I'll have time to try this but it looks fun af
Yo this is like spooky Christmas
Thanks
idk why it only typed out thanks im gonna cry
Hi, thanks for the video.
for the OBJECT_ATTRIBUTES, the doc says "For standard processes, all fields of ObjectAttributes should be NULL". how can we know that we'll need the size of the struct and not just follow the doc?
Thanks!
Especially you, slouching in your chair. I feel personally attacked
i love your visual identity
return of the -king- crow
13:44 jyuugatsu 👀
Yes! That's right~ peppi-san, your Japanese is really good. :) Thank you for commenting!
YES ANOTHER CROW VIDEO!!!
HE HAS RETURNED
ALL HAIL
ALL HAIL
wow so informative crow i love you
THANK YOU SM LOVE
Another fantastic video, keep it up, legend
What font is that on vscode? it's pretty cool
What visual studio theme is that?
>disappears for a month
>uploads maldev 2, apologizes for not being active
>continues to not be active
>drops this absolute masterpiece 2 months later, talks on discord for a bit, leaves
never change
LMAOOO
great video, loved it very much. please do more!
Is using the NTAPI the same as using syscalls?
Not DIRECTLY. There are certain NTAPI functions (as talked about in the video) that don't actually result in a syscall/int 2eh/sysenter instruction. Those NTAPI that do however, will end up invoking these instructions. so, when we call an NTAPI function, yeah, we will eventually have it perform a syscall, but we're not using syscalls directly, moreso transitively using them through the NTAPI. Using syscalls directly/indirectly is going to be main focus point of the next video, but just remember that when we use syscalls, we're ushering them out directly (typically through our own defined assembly stubs) and not having the NTAPI do it for us! Hope that helps! :)
Great video !
What font do you use ?
DinaRemasterII
im not sure if shitposting has finally caught up to my refined, god-like tastes and humor, or if I have just been too stupid to hang with the cool kids this whole time? either way: ooh la la.
HAHAHA i'm glad to hear that xD thank you so much for commenting
What font is that?
What theme are you using in Visual Studio?
Zero (dark theme)
@@crr0ww thank you crow
HES ALIVEEE
IM ALIVEEEE
Sick new intro mate
thank you so much!
THE KING IS BACK
already know its a banger
YOU GOT A SPONSOR
!!!!!!!!!
DROP another Banger please 🤝
Best resource ever !!
what font are you using
nvm
Bro, I absolutely love your content! My book recommendation for anyone trying to understand more about this topic is: Windows Internals by Pavel Yosifovich
amazing video
13:52 osu reference 👀👀
SHIT I'VE BEEN MADE
How true is the legendary, "Do not upload to VT"?
if it's something you care about (i.e., you don't want to get signatured, taken apart, and analyzed), then yeah, don't upload your malware to virustotal. VT will share these samples for the sole purpose of taking it apart and documenting it.
it says the following in their historic privacy policy statement: "We share the raw data underlying Samples uploaded to the Services as well as information relating to the submitter (ciphered ID, city, and country) of the Sample, as follows: With our security partners. When you upload a Sample to VirusTotal in order to receive a report about the potential maliciousness of its content, we store it in the Corpus and share it with our partners in the anti-malware and security industry. Partners that participate in VirusTotal are bound by contract to only use the Samples for internal security purposes in compliance with our Terms of Use to detect malicious code and to improve their antivirus engines. All partners receive Samples that their antivirus engines did not detect as potentially harmful if the same Sample was detected as malicious by at least one other partner’s antivirus engine. This information sharing helps correct potential vulnerabilities across the security industry."
tl;dr if you care about this malware, something you made for engagements and you want to increase its shelf life, don't upload it to VT. there are alternatives that you can upload your malware to, to see what defensive solutions get triggered by your malware which i can't remember off the top of my head unfortunately, but yeah! i hope that helps! :D
@@crr0ww thanks for the input. How risky is it to upload it during the development phase?
Any tips on how to test the effectiveness of your malware?
Yoooo. Your font looks great mind sharing the name of it ?
sure, it's called "DinaRemasterII"
Crow evenly spaces his code 😱😱😱😱😱😱
:GASP: !!! xD tysm for commenting brother
@@crr0ww Crow10 crow10 crow10 !
Finally let's goo
good video, you and cazz should collab
What's your theme
it's called zero (dark theme): marketplace.visualstudio.com/items?itemName=AgitoReiKen.zerovstheme
appreciate it so pleasing on the eye @@crr0ww
make videos on EDR Evasion
you could also just do if (!Buf) to check if it equals null, good video though
crow ur the best
What is accomplished with a goto that couldn’t just have been a function?
happy halloween
happy (late) halloween!!
Great Video!
crows rat 🐀 4 grams protein I’m gonna nomnomnomnom
[crow's rat WILL remember this]
Good video
Man you're cool
hello from Spain
hello! thank you for commenting
Noice
nah it's a black cat, they would've shot it before locking it up lmfao
i want meet you so bad 😭
haha maybe one day, brother
Marry me !
penith
lmao
gotos are great, old people that don't like gotos are just bad at comprehension.
45 minutes to be able to open Calculator from CMD 😆 Just joking... But for real, I had to skip most parts of the video since I'm in a hurry right now. What is the main achievement here? You still need to be able to run your own exe (or modded exe) on the PC to be able to inject anything. Where is the malware part here? 🙂 Please give us a summary of the achievement of this video. Thanks!
GET OUT YOUR COZY BED RIGHT NOW AND MAKE A TUTORIAL ON REFLECTIVE DLL INJECTION CODE BOI