Love your work mate, i was recently doing some adhoc hunting and found that md5section keyword in VT helped me find the similar pe's and as in this scenario .text and.rdata sections have different md5 hash while rest of the sections have exact same hash which indicates that both sections went through some code changes. Keep up the good work mate , your work is always amazing and knowledge filled.

love this video. today i understand what actually dll is doing. My previous understanding was wrong. As always, Thanks for the clear explanation and waiting for the second video of this. ❤

Very very interesting! I'm looking forward to the next video.

Oh btw, the same thing can happen, if you have Python installed (java does that too, but it's inside C:\ProgramFiles). Check, if your system PATH variable has the Python directory listed first in it. If it isn't, the next steps won't work. Copy a random exe like mspaint into the Python directory and rename it "cmd.exe" now open the real cmd and type "cmd" in it.. voila, you will run your fake exe instead. Since that Python directory is User writable for unknown reasons... Good job, now where is the CVE, no one seems to know that? This is not a bypass in Python, it's the way it is installed improperly on Windows which allows that. And that's why you should NEVER append your own programs path to the PATH variable *before the windows directories* as it always opens attack vectors. It could also be my system is busted and that's just me. If someone wants to try that, be my guest.

Fun Fact, thats how Gshade/Reshade (kinda) work, by hijacking DirectX somehow.

Hahahahah not updating windows

Fake hammond.