Im very hyped for COM content. Im still very new and trying to learn com and winapi for amusement. Bought 'windows via c/c++' by Jeffrey Richter recently. I still have alot of work to do but Im planning on reading your book on native windows next. Is it just me or is com content on youtube really scarce?
This is great. Will you cover more COM things in the future e.g. the COM threading model (sta, mta) in future videos? I'm trying to find good COM resources for colleagues and they don't seem to like to read books :( your videos are perfect for the younger guys honestly.
Very nice! well explained! respect for boiling down this intricate stuff into sth ingestible and digestible! Also respect for the 128 GiB RAM machine 😅
Depends on what you mean by "convert". You can remove the DLL bit from the PE header, but the entry point will DllMain, and it's not what is expected from an EXE, so likely to crash.
Thank you very much for sharing you knowledge, I know you have a course about this on trainsec but if possible please create a video teaching the basic of wdf.
Great video as always, what i think would be really interesting is a video about networking internals of windows because i never found a lot of information about that. Ive read Windows internals 7th edition part 1 and am currently reading part 2 but there isnt anything about networking.
got to say the one thing I appreciate the most about all of what you are doing is the dedication to digging to the exact fact i need to see to verify what you're saying is true. windows makes that very hard.
I will say this: my tool supports dark mode and for that I had to use some hooks and subclassing, but I didn't touch the scroll bars that are built into windows (like the list view), because they are very difficult to customize.
Thank you for the great video. I am wondering if we need thread-synchronization especially for the wchar process name changed by the configurator process and used inside the compare function inside the .dll? Also what about memory barriers so that writes to pid and process name are actually flush the store buffer and can be observed by dll inside task manager? I'm a total noob on this and I am probably wrong. I would be grateful if you could add a short explanation why we don't need to care about these threading-problems in this case. Thanks a lot
In theory, you would need thread sync (a simple mutex or SRWLock will do) because the globals are read and written potentially at the same time from 2 different threads, but not really in practice, since if something is observed as partially changed, it will be picked up correctly the next time NtQuerySystemInformation is called. A memory barrier here is an alternative to synchronization - you could add a memory barrier to force the memory to be observed by other processors right after update to ensure sequential consistency, but again, from a practical perspective it's not needed, especially since the configurator exits quickly which will force store buffer flushing . And in any case, the example is non-trivial as it is without adding sync to the mix :)
Nice! I was thinking about C++ constexpr function converting from module name and function name to a hash. Then searching the module list and export list hashing each element and comparing it to pre-computed hashes. This way you hide the strings from anti virus and from offline analyzers. But no, Pavel ecrypted the whole thing. Nice. Possible red flag would be running code that is not mapped to any file (that modified pages after decryption).
Hi Pavel, Thanks for tutorials...But all your tutorial is injected to already running process.. How about Create new process and inject in to it? My current problem is create new progress (Ex Notepad) and inject to it..but sometime it work...sometime it dont...I dont know why...just assume dll injected when nodepad process not full loaded
Usually injecting into a new process is much easier, because you have an all powerful handle to it (no need to call OpenProcess which may fail). If you create the process suspended and try to inject to it, it is likely to fail, because the process only has NtDll loaded into it.
Очень полезное видео, но не совсем понял один момент. Каким образом новый поток с точкой входа в функции GetProcAddress() заставляет в дальнейшем исполнить LoadLibraryA(dllpath)?
My idea would be to split the work to fixed number of chunks, like 1024. Then spawn the same number of threads as I have number of processors. Or maybe add one or two threads more in case of some thread gets stuck on I/O for a while, so the extra threads could run in meantime. Then each thread would repeatedly take one work chunk form shared queue until the queue is empty. This is more work for the programmer, but I believe the CPU utilization will be more even. For example when the work items are part of image that needs to be processed in some way (ray casting). Or when converting video file. If some part of the image is solid color or if some part of video is still then the speedup would be still (close to) linear.
parallel_for works along similar lines, but it does not choose a fixed number, but uses the actual number of iterations, keeping the CPUs busy by throwing the next item at an idle CPU.
Great! I learned and studied a lot from your 'Parent Process vs. Creator Process' blog post. That's a really cool code, but it would have been nice if you put the CREATE_NEW_CONSOLE flag in when calling the CreateProcess because the 0xC0000142 error occurs if the process you're trying to spoil is the console process. And some uwp apps, such as calc.exe, do not have this spoofing. Anyway, thank you so much for sharing that information through blogs and RU-vid.
