How Does Malware Know It's Being Monitored?

Рет қаралды 74,764

Күн бұрын

jh.live/maldev... || Learn how to write modern 64-bit Windows malware and more anti-debugging techniques with Maldev Academy! For a limited time you can use code 'HAMMOND10' to save 10%: jh.live/maldev...
Previous videos mentioned:
1. Classic Shellcode Loader in Nim: • How Hackers Write Malw...
2. Using Sliver for Command & Control: • How Hackers Use netsh....
3. Permanently Disable Windows Defender: • PERMANENTLY TURN OFF W...
4. Spoof Parent Process ID & CreateToolhelp32Snapshot: • How Hackers & Malware ...
🔥 KZbin ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Пікірлер: 94

@psr9289 Жыл бұрын

"hippity hoppity your code is now my property" 😂

@会供価 Жыл бұрын

Is that a Dani reference?

@sleepyyui Жыл бұрын

@@会供価probably

@ReligionAndMaterialismDebunked Жыл бұрын

Nice. :3😊

@ReligionAndMaterialismDebunked Жыл бұрын

Out a day ago. I'm watching it rn. Hell yeah to try to hide it. XD 💀😅🐀👨‍💻🤝🤓💪🏻👁️🔥 Polymorphic malware. Encrypted malware. Etc. Red teams. Blue teams. Fighting corrupt government. Etc.

@CuchulainZA Жыл бұрын

His videos tend to be so good and informative that I am able to reuse some of the concepts for CTF challenges and training for our staff. He makes everything so easily accessible

@nonyabizz6992 Жыл бұрын

Very informative thanks, I have been interested in learning how to craft shellcode recently.

@blinking_dodo Жыл бұрын

One extra trick: check for a file you placed somewhere else on the filesystem. If it does not exist, your executable is running on another computer or inside a sandbox. (But it does NOT protect against debugging though. You need something else for that)

@fuckit563 Жыл бұрын

this would require the program to be launched twice

@blinking_dodo Жыл бұрын

@@fuckit563 No? If you have initial access to a system, you place the executable and schedule it, then you create the canary file and just wait. When your program can't find the file, you know *for sure* that you aren't running on the system you wanted to run on and should nope the hell out. Any AV that doesn't do in-place analysis or copies the canary file too would have a hard time doing any run-time analysis. This would obstruct any external analysis, including virustotal or similar services.

@fredwright4423 Жыл бұрын

Problem is the windows api calls CreateFile for not just creating files and is signatured and looked for: Ransomware note or to write obfuscated code to a file.

@fredwright4423 Жыл бұрын

MalwareJake's red team village 101 malware analysis cover this and other api calls

@blinking_dodo Жыл бұрын

@@fredwright4423 You don't need windows API or anything like that. You could even make this in Java. Point is that a file somewhere else on the filesystem won't get copied for external analysis. Especially if they are in a totally different directory.

@hydroponicgard Жыл бұрын

You n danooct1 have been an inspiration for me to do CySec, still going through what I wanna focus mainly on, but I love both red/blue team jazz, so time will tell, mby I go purple team c: Thank you again, John, hope all good happens in your life

@argentiignis 6 ай бұрын

Love it, great video. I think you talk at an excellent pace lol

@Revamped1953 2 ай бұрын

Love there is a lifetime access option! usually go right past the sponsor this is one time i'm glad I did not.

@laurenlewis4189 Жыл бұрын

It strikes me that checking the time delta as a quick way of determining if the software is sandboxed would lead to a perverse incentive, where old and slow computers (and VMs or containers without many resources) can't get infected because the shellcode stager thinks it's a sandbox

@vnc.t Жыл бұрын

9:00 remember, if you've got procmon rename it to prankmin or something, same for x64dbg, make it x69dgb or something, ida can be ide, something you'll remember but won't match a blacklist.

@negrastormentas2865 Жыл бұрын

Is your correction in 14:07, correct? Previously in the video, at 12:06 it says "__readfsdword" for 32 bit.

@_JohnHammond Жыл бұрын

Ah! I apparently missed that too. Good catch!

@ThisIsJustADrillBit Жыл бұрын

The GOAT strikes again ❤

@gaminganup3148 Жыл бұрын

From India love you sir❤❤❤

@dunk32767 Жыл бұрын

john please stop looking at me so scarily in these thumbnails

@quaniypw3 Жыл бұрын

thanks cuz of u i bring some 66G db logs u deserve that ❤️

@FatBoi305 Жыл бұрын

8:10 - Nice, mine did the same too, but I think it's because you have submitted a debug build, cause if I compile it with “-s -O3” options the detection falls to just 1. Edit 1: I also tried submitting unoptimized bin with just “puts” and other stdio functions - and virus-total seems to flag it with the same 6 flags, so most of the problem are from submitting debug builds.

@naseerahmadayan199 Жыл бұрын

John The way i see you You are one in a million ❤❤

@LoneWolf-dj7so Жыл бұрын

Always got great videos

@manny9639 Жыл бұрын

This is amazing man, what a great video

@DivineBiblePrayers Жыл бұрын

Damn Grey hats I love you

@trishulsingh01 Жыл бұрын

Let’s make a malware just for fun 😂

@nekosalad8308 Жыл бұрын

for science

@LittleRainGames Жыл бұрын

Or to attack tech support scammers

@6digitzz Жыл бұрын

@@LittleRainGames if u think its a big threat stop youtube, just try to post content of world in north korea intranet it will be more usefull

@vpakarinen Жыл бұрын

Good to know about new tools and techniques

@georgiosroumeliotis4383 Жыл бұрын

Hey John, How it's going with OSEE, can you make a video about it?

@khaledijbariye5809 Жыл бұрын

Can you do full course about sliver c2 framework from zero? Thank you❤

@kashoo_1 Жыл бұрын

Sounds good 💯

@georgehammond867 Жыл бұрын

I like to hear that out track song fearless.

@kallekivimaki7825 8 ай бұрын

this is so simple that it is scary

@patrickslomian7423 Жыл бұрын

Thank You John !! :)

@ricseeds4835 Жыл бұрын

Anyone got resource recommendations for learning the Sysinternals tools and WinDbg? Maybe John can start a series on them.

@ajaykumar1 Жыл бұрын

Which is the best course for malware development Sector7 OR MalDevAcademy

@tebogobrooks7844 Жыл бұрын

Hey John I enjoy watching your videos. They are informative. There's a new malware called whiffy recon which infects vulnerable windows devices by wi-fi access point by scanning every 60 seconds and tries to triangulate a device's location. if you can find a sample code could you please do some analysis

@aspacegamer92 Жыл бұрын

could you not use this kind of behavior to spoof and make believe maleware that its inside a debug enviroment so it doesn‘t fire on a regular system?

@johndeaux8815 Жыл бұрын

If you want malware to not fire on a regular system, the same rules apply as when you are debugging it. Just don’t run the fully compiled program or any malicious code with administrator privileges if you don’t know EXACTLY what it does 😂

@johndeaux8815 Жыл бұрын

Idiotproofing is impossible, as long as there is malicious code that can be run, there will be someone dumb enough to run it, regardless of any failsafes. If you made a malware that tries to avoid execution, someone will find a way to get it to run 😂

@aspacegamer92 Жыл бұрын

@@johndeaux8815 true i was thinking of this in a similar way of some russian ransomeware a while ago that would not fire if you had the russian language pack installed on your system 😂

@aspacegamer92 Жыл бұрын

just some extra safety net that also abuses the fact that most malware devs want to keep their code hidden / hard to analyse but i agree that you can‘t protect against the human factor and thats usually the weakest point in any security anyway😅

@johndeaux8815 Жыл бұрын

@@aspacegamer92 ah true, that reminds me of an idea I had a while back where you make a virus that swaps the code for i to the cyrillic i in someones language pack so they cant code lol

@DamianRyse Жыл бұрын

Well, if I would be a blue-teamer, I'd just Ghidra into the binary and reverse the If statement. I can run it with a debugger attached but it can't run standalone. ^^

@kopuz.co.uk. Жыл бұрын

What is the lib is loaded dynamically with loadliba using obfuscated strings

@kasemsh7583 Жыл бұрын

Hi John I'm I want get the maldev academy course but they don't have account security 2fa or any paying 500$ with no account security I sent them a massage with no response

@PGW90RU14 6 ай бұрын

I feel that runnung windbg may be a good method to sabotage malware.

@aadhiseshandc7260 Жыл бұрын

If john notices this comment [heart or comment]. Im convincing my mom to give my laptop back for cybersecurity and personally loves these videos. I regret using a chromebook. Luckily i have linux

@gniteeshreddy5078 Жыл бұрын

Hey Mr.John! I am a beginner in the field of cybersecurity. Could you please help me with some resources which help to start my career in offensive security. Thanks in advance!

@zaccampa4055 Жыл бұрын

There is so many free resources available on KZbin and the internet. Just do some research and you’ll definitely find something that suits your needs.

@asldkfjzopiuqea Жыл бұрын

How to convert it to useable shell code?

@MasterCraft_48 Жыл бұрын

I hope we don't get put on a list by watching these sort of videos...

@racecar_johnny Жыл бұрын

If ur watching these kind of videos, it’s likely that your already on some kind of watchlist. For example, just for downloading and using TOR. But it doesn’t matter, because with all the data they have, they are able to differentiate between someone who’s doing it for education, and one who has malicious intends.

@RS6Showtime Жыл бұрын

Do you also have a casio clock? Same as me if you say yes :P

@neilmeich 11 ай бұрын

6:56 9:10

@RandomGeometryDashStuff Жыл бұрын

try all debug detction methods in virustotal (don't include malware, just `if(isdebugged())puts("debugged");`)

@RoninAuron Жыл бұрын

Your thumbnail predicted the Trump mugshot insider info?? 😂

@justingreen6561 Жыл бұрын

K, this has nothing to do with this video but figured this was the community to help answer a question. Seems Facebook has a phishing scam circulating thats proposed as a post on someones wall with a "guess whose died" car crash headline thats provides a link. Apparently, as John has shown/demoed, its the whole fake signin spoof workflow where your creds will then go to 💀. My question though is, all times Ive seen this the link has clearly been a vercel application which A) makes me think the jerkoff mastermind apparently has backend skills about as sophisticated as mine but more importantly B) wouldnt/shouldnt Vercel sniff this transparent nonsense out and put a quick rm -rf on things? And certainly, if anyone reads this and decides to phish the phisher, well, i applaud and respect da skills. But ya, mainly just seems weirder an apparent 'prod' malware thats breached FB would still carry a transparent vercel domain.

@SumanRoy.official Жыл бұрын

This won't work, exe files are always checked if they are from a trusted publisher or not, UAC will probably block it if it runs on a different machine, even if the defender is turned off.

@pr0tagnist Жыл бұрын

YEA BOOOOOIIIII!!!!

@scootergirl3662 Жыл бұрын

Same

@Dahlah.FightMe Жыл бұрын

Nice :D

@FalcoGer Жыл бұрын

c and c++ can determine the array size if you initialize it in the same line. that said, bare arrays are deprecated. Use std:array. Why are you using boolean macros instead of the proper types? And why don't you just "return pPeb->BeingDebugged == 1;"

@bigsam2928 Жыл бұрын

nerd