How Hackers Exploit Vulnerable Drivers

Views: 42,191

John Hammond

7 months ago

jh.live/maldevacademy || Learn to develop modern malware and more BYOVD techniques with Maldev Academy! For a limited time you can use code 'HAMMOND10' to save 10%: jh.live/maldevacademy
Free Cybersecurity Education and Ethical Hacking
🔥KZbin ALGORITHM ➡ Like, Comment, & Subscribe!
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Comments: 109
@diveallz1044 7 months ago
One of my favorite topics, so glad to see you do some deep dives on it. Love the content, man.
@_Rinzler_ 7 months ago
Nice video, John!
@nepzraaz 7 months ago
Great content, John.
@JassonCordones 7 months ago
This is scary. Great video!
@ReverseSec 7 months ago
Finally, I was waiting for this video.
@Gray3ther 7 months ago
Thanks for sharing, John... sweeeet shirt!!
@J0R1AN 7 months ago
I just got an ad with John at the start and thought the video had already started lmao
@timvw01 7 months ago
Funny seeing an ad before this video with you in it 😂
@stephencole9289 7 months ago
Note: the interesting stuff (loading the driver, etc.) needs to be done as admin. However, the driver then allows you to do things that wouldn't be possible or easy even with admin.
@ytg6663 7 months ago
How would the attacker get privilege escalation in the first place??
@TbM 7 months ago
@ytg6663 There are different approaches; most users are simply dumb and will click "yes" if the system asks for it...
@testuser1235 6 months ago
@ytg6663 Because Windows already uses a lot of drivers, and often these have vulnerabilities.
@CyberZyro 5 months ago
@ytg6663 @stephencole9289 Actually, this method is first and mostly used by game hackers for bypassing kernel-level anti-cheats by loading their cheats or anti-cheat bypass mechanisms at kernel level. I didn't see it being used or exploited by a threat actor in the post-exploitation phase after "gaining initial access to victim systems", so yeah, you can say that the whole point of this hack is just to get some ring 0 access on systems to do other shenanigans (though you can use it as a post-exploitation tool to do some other shit as well).
@breadcraft3605 25 days ago
@ytg6663 hmmm... the user doing it
@finnymarigold5898 7 months ago
Anyone else get the Snyk CTF ad from the pre-video ads?
@weaselwhistle5330 7 months ago
Professor, if I don't understand this course, where do I have to start? Could you give me advice from the basic steps? I have an empty brain in the IT area.
@kipchickensout 7 months ago
Didn't expect to see good ol' UC in the video.
@bonganijele9770 7 months ago
Unbelievable tool I've never seen.
@RonyMarcolino 7 months ago
Nice video!
@honestsniping1 7 months ago
But wouldn't you see the executed commands at 22:10 in an EDR under the msmpeng process tree? Or will commands executed at kernel level not be visible in an EDR?
@nero2k619 7 months ago
This video doesn't test against EDR, only against AV. If you try to inject into EDR, this would still work and you would successfully be injected into the EDR process, but it will also trigger an alert and create events, because EDRs also use kernel drivers for monitoring and protection of their own user-mode process. The proper approach would be removing the EDR's callbacks before trying to inject the payload, because in the kernel you are a lot more exposed than in user space in regards to visibility.
@nero2k619 7 months ago
Also, the driver is the only component here that runs in the kernel. The injected shellcode runs in user space and not in the kernel.
@fritsonpetitfrere9038 4 months ago
Where do I get one of those shirts?
@aliakbar307 7 months ago
Hi, thanks for the great video. I have a question. How is the shellcode decrypted, and which component decrypts it?
@tanvorn9323 7 months ago
The encrypted shellcode basically decrypts itself at runtime.
@aliakbar307 7 months ago
@tanvorn9323 Cool. Thanks.
@alanh7285 7 months ago
Would have liked to see the network and security event logs when you ran commands after the system was vulnerable.
@Alfred-Neuman 7 months ago
DIY...
@ytg6663 7 months ago
What if it patched the Event Viewer 🙂
@LoloisKali 7 months ago
Nice shirt, John Hammond.
@SALTINBANK 7 months ago
Great job, but it would be cool to have all your sources.
@stollenjack6699 7 months ago
Thank you.
@Muziek37414 7 months ago
Havoc is a fork of Villain, right? Just with some extra functions.
@nordgaren2358 7 months ago
Villain was written in Python. Havoc is Go/C/C++. So I doubt it.
@JontheRippa 7 months ago
Wow, respect 👍👍
@SumanRoy.official 7 months ago
Well, without a digital signature, if you try to run any executable, Defender will flag it. It worked because it was compiled on the same machine where it was executed. Otherwise I don't see any way around it.
@ec0logiskasec045 7 months ago
What are you talking about? Defender won't flag any executable, but it will just throw a security warning for the exe and ask the user if he really wants to run it.
@ec0logiskasec045 7 months ago
Also, I don't know if you know, but other files exist besides executables.
@funil6871 7 months ago
@ec0logiskasec045 Windows SmartScreen... MOTW can be bypassed, e.g. using IMG or ISO containers, then it won't be flagged anymore... or just download onto FAT32.
@nero2k619 7 months ago
Digital signature blocks unsigned drivers, and on Windows 10 and 11 there is also a driver blacklist which will stop any vulnerable drivers that are known for being abused from loading. However, if you load a signed driver that is not present in the blacklist, then you could use it to load another unsigned driver into the kernel, which you can then call from your client application. Defender & EDRs won't stop you unless you are trying to load something that has already been signatured.
@PythagoreanProgrammer 6 months ago
@nero2k619 You can pay to have your drivers signed, or you can manually map your drivers with open-source tools.
@Mezzosd 7 months ago
Does anyone know how to exit graphical mode in Parrot Linux 5.0?
@glaszn 7 months ago
You m8 are mind-blowing :)
@aryangurung3401 7 months ago
Maldev is the best shit I have come across to learn malware development, but their price is just a bit high.
@gooniesfan7911 5 months ago
All of their content is free and leaked as soon as it gets posted. You just need to know where to find it.
@war-c0mmander 7 months ago
Nice stuff, but too expensive for a hobby!
@dlshackedcoinz 7 months ago
Hey John, 🎉
@dlshackedcoinz 7 months ago
Great work 🎉🎉
@JontheRippa 7 months ago
I can't find the kernlLdr.
@badrakhariunchimeg1031 4 months ago
love you
@elmatheotheo4583 7 months ago
I love Snyk ;-)
@mastercodeon42 7 months ago
He sooooo should have played with KDU, it's mind-blowing, because kdmapper is way old.
@_hackwell 7 months ago
Is there a way to make me stop hating Windows hacking? Could you make a video about this issue? It seems loads of people are in this state of mind.
@racecar_johnny 7 months ago
Bruh, that's what I'm thinking every day. Feel it.
@IDJENAwoqqqxdre 7 months ago
Mission complete > enjoyment until then
@rodricbr 7 months ago
Now this is cool content I always wanted to see.
@mattcargile 7 months ago
Oh now?! Why are you launching cmd?!
@MFoster392 7 months ago
Unbelievable, man. How long have you been hacking for?
@wildstorm74 7 months ago
Welp, went from knowing nothing about this to knowing something, which is a (driver) and what is possible to do with it. 😅😑
@user-hd3pz2ow1b 3 months ago
cool
@elmatheotheo4583 7 months ago
I like kernel ;-) greetings from Indonesia, anonym
@P4ul0L 7 months ago
Tell us about MBR bootkits 😅
@ytg6663 7 months ago
LoL
@Slumber_Tales 4 months ago
Is this binary exploitation?
@nordgaren2358 7 months ago
I bet all those cheaters on Warzone or R6 Siege all have a vulnerable driver installed on their system to get around the anti-cheat. 🤔
@nero2k619 7 months ago
Usually kernel anti-cheats require a driver, so in order to bypass the anti-cheat you also need a driver to abuse it.
@nordgaren2358 7 months ago
@nero2k619 That is literally what this is...
@nordgaren2358 7 months ago
@nero2k619 Also, this is highly dependent on the developers implementing the anti-cheat properly, whether it's in-house or third-party, into their game. But the two games that I mentioned do require kdmapper, or another tool, to install and use a vulnerable driver and load your own driver.
@nero2k619 7 months ago
@nordgaren2358 I think you misunderstood me. I know how this all works and how cheat devs bypass anti-cheats.
@nordgaren2358 7 months ago
@nero2k619 Same. That's why I mentioned that they have all left themselves open, which is nice to think about, because cheaters in those games are extremely frustrating. Big problem with newer tech, though. There have been aim-bots that work off the output from a capture card for a few years now. I've also heard recently that hardware memory access using an adapter and an external PC is starting to become a method for skirting the anti-cheat. And then there are companies that don't read the manual and integrate the anti-cheat into their game in a manner that just requires the user to emulate the anti-cheat on the client side and send a few packets every now and then. But the easiest way, by far, is to install a vulnerable driver, and that is just a bad idea. I'm sure WinPEAS would pick it up easily.
@tysonweber2706 7 months ago
$250 for a few months' access.................. this feels very seedy.
@distortions 7 months ago
If you have Cloud-Delivered Protection off, there's a 90% chance your malware won't get flagged lol.
@tanvorn9323 7 months ago
Kinda pointless if you need admin privs to do it. Might as well use the token impersonation technique if you have admin privs to escalate to SYSTEM, which is also less complicated.
@C5pider 7 months ago
😄
@sent4dc 4 months ago
Hey, that's where script kiddies are made.
@lukasandresson3990 7 months ago
Revoked driver certificates are a thing. Microsoft is working to defend its users.
@nezu_cc 7 months ago
Yeah, no. KDU has over 40 different providers (vulnerable drivers), and like half of them are still not blocked on a fully patched Windows 11 system. Even some drivers from 2014 still load to this day and haven't been added to the list. Finding new ones isn't hard because most of the hardware vendors copy & paste like maniacs, and many have no clue what they are doing.
@Pr0xima_audio 7 months ago
Shill
@Alfred-Neuman 7 months ago
lol
@mastercodeon42 7 months ago
@nezu_cc You can actually disable the MSFT driver block list programmatically; my program ksDumper 11 does this as a prerequisite to leveraging KDU to load the ksDumper driver.
@zaki_fl 7 months ago
Comments like this make me want to switch to Linux.
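The comment threads above describe the BYOVD chain from the defender's side: a signed driver that is not on the Microsoft Vulnerable Driver Blocklist gets loaded and then maps a second, unsigned driver, and the blocklist itself can be incomplete or switched off. The following is an added example, not code from the video, from John Hammond, or from any of the commenters: it triages Sysmon-style driver-load (Event ID 6) and registry-set (Event ID 13) events for exactly those three signals. The event lines, the blocklist hashes and the file paths are all constructed for the example; the only real identifier is the documented `VulnerableDriverBlocklistEnable` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, which Microsoft documents as the blocklist on/off switch.

```python
"""Triage Sysmon-style events for BYOVD indicators.

Added example; not code from the video or from any commenter.
Event lines and blocklist hashes below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional

# Placeholder SHA256 values standing in for a curated list of known-abused
# drivers (for example, an export of a public vulnerable-driver data set).
# These are NOT real driver hashes.
KNOWN_ABUSED_SHA256 = {
    "1" * 64,
}

# Documented Microsoft Vulnerable Driver Blocklist toggle (DWORD, 1 = enabled).
BLOCKLIST_VALUE = r"\Control\CI\Config\VulnerableDriverBlocklistEnable"


@dataclass
class Finding:
    utc_time: str
    rule: str
    subject: str


def parse_event(line: str) -> dict:
    """Parse a flattened 'Key=Value|Key=Value' event line into a dict.

    Only the first '=' of each field separates key from value, so the Sysmon
    Hashes field ('SHA256=...,MD5=...') survives intact.
    """
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def sha256_from_hashes(hashes: str) -> Optional[str]:
    """Pull the SHA256 digest out of a Sysmon 'ALGO=digest,ALGO=digest' field."""
    for entry in hashes.split(","):
        algo, _, digest = entry.partition("=")
        if algo.strip().upper() == "SHA256":
            return digest.strip().lower()
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per BYOVD-relevant event, in input order."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        event_id = ev.get("EventID")
        if event_id == "6":  # Sysmon: driver loaded through the normal loader
            digest = sha256_from_hashes(ev.get("Hashes", ""))
            if digest in KNOWN_ABUSED_SHA256:
                # Signed and valid, but on the known-abused list: the BYOVD entry point.
                findings.append(Finding(ev["UtcTime"], "byovd.known_vulnerable_driver", ev["ImageLoaded"]))
            elif ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
                # Unsigned, revoked or otherwise untrusted driver image.
                findings.append(Finding(ev["UtcTime"], "driver.untrusted_signature", ev["ImageLoaded"]))
        elif event_id == "13":  # Sysmon: registry value set
            if ev.get("TargetObject", "").endswith(BLOCKLIST_VALUE) and ev.get("Details") == "DWORD (0x00000000)":
                findings.append(Finding(ev["UtcTime"], "blocklist.disabled", ev.get("Image", "")))
    return findings


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    "EventID=6|UtcTime=2024-05-01 10:00:01.000|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    "|Hashes=SHA256=" + "0" * 64 + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "EventID=6|UtcTime=2024-05-01 10:02:13.000|ImageLoaded=C:\\Users\\Public\\vuln.sys"
    "|Hashes=SHA256=" + "1" * 64 + ",MD5=" + "2" * 32
    + "|Signed=true|Signature=Example Hardware Vendor|SignatureStatus=Valid",
    "EventID=13|UtcTime=2024-05-01 10:02:20.000|Image=C:\\Users\\Public\\loader.exe"
    "|TargetObject=HKLM\\System\\CurrentControlSet\\Control\\CI\\Config\\VulnerableDriverBlocklistEnable"
    "|Details=DWORD (0x00000000)",
    "EventID=6|UtcTime=2024-05-01 10:03:05.000|ImageLoaded=C:\\Users\\Public\\payload.sys"
    "|Hashes=SHA256=" + "3" * 64 + "|Signed=false|Signature=|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.utc_time}  {f.rule:32}  {f.subject}")
```

One caveat a detection engineer should keep in mind: a driver that is manually mapped by tools like kdmapper or KDU is written into kernel memory by the vulnerable driver rather than loaded through the loader, so no Event ID 6 is ever produced for it. In that case the observable is the first, legitimately signed driver's load (the `byovd.known_vulnerable_driver` rule), plus the service creation and registry activity that brought it in. The `driver.untrusted_signature` rule only catches the second stage when it is loaded the conventional way with enforcement weakened.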
@sul3y 6 months ago
You were already admin when running that shellcode; there are a million ways to do shit like become SYSTEM or execute a C2 payload.
@3rawkz 7 months ago
So I just learned about Havoc LMAO.... SOOOOOO, since Havoc doesn't seem to have any "auto-pwn" features, is it OSCP-friendly?
@somerandomwithacat750 7 months ago
You don't need a C2 for anything on the OSCP.
@3rawkz 7 months ago
@somerandomwithacat750 Netcat gets boring lol... I can see the benefit of using it as a way to manage rshells. It seems to automatically upgrade to a 'smart' shell, that's nifty; extendability!! I realize you can do it straight on the terminal, but why not? I need to play around with it some more.
@k3rn3l_panic81 7 months ago
This topic is way over hambone's skillset.
@spelz1751 7 months ago
😂😂😂
@sedokun200 7 months ago
A "mind-blowing" technique that requires being admin of the machine in the first place. Lol. That's cool, but only when you want to play at home. This is not how it goes in real life within big companies. Hackers are using way more efficient and straightforward procedures.
@insu_na 7 months ago
I am unreasonably angry that they called it "demon" and not "daemon".
@ia-maxiweb-nc 7 months ago
You speak so fast that I have to slow the video down to 0.75.
@ronpaul9172 7 months ago
Bro.... quit sharing our community with skids.
@saltedhash6467 7 months ago
John, how much coffee or caffeine did you have before you made this video? You talk so fast. Slow down, bro.
@yourmomandme69 7 months ago
I have an investigation that might make an interesting video. How can I contact you?
@nordgaren2358 7 months ago
You can contact him with his details under the video.