
Malware Development: Native API 

crow
84K subscribers
39K views

#Malware #Development
🦠 Use code "CROW10" for 10% OFF your order when you checkout at Maldev Academy! maldevacademy.com/?ref=crow
⚠️ Disclaimer
The information presented in this video is for educational purposes only. It is not intended to be used for illegal or malicious activities. The creator and any individuals involved in the production of this video are not responsible for any misuse of the information provided. It is the responsibility of the viewer to ensure that they comply with all relevant laws and regulations in their jurisdiction.
💖 Support My Work
/ cr0w
ko-fi.com/cr0ww
www.buymeacoffee.com/cr0w
Join this channel to get access to perks:
/ @crr0ww
🔖 My Socials
/ discord
www.crow.rip/
github.com/cr-0w
/ cr0ww_
📹 Videos/Channels Featured
Spongebob bruh video: • Oh Brother, This Guy S...
• Malware Development: P...
• Malware's LAST Stand: ...
❤️ Websites Featured
Kernel32 Functions: www.geoffchappell.com/studies...
Inside the Native API: web.archive.org/web/201212240...
PHNT GitHub Repository: github.com/winsiderss/phnt
NtDoc: ntdoc.m417z.com/
Vergilius: www.vergiliusproject.com/
The images and music used in this video are used under the principle of fair use for the purpose of criticism, comment, news reporting, teaching, scholarship, and research. I do not claim ownership of any of the images/music and they are used solely for the purpose of enhancing the content of the video. I respect the rights of the creators and owners of these images and will remove any image upon request by the rightful owner.
Copyright Disclaimer under section 107 of the Copyright Act of 1976, allowance is made for “fair use” for purposes such as criticism, comment, news reporting, teaching, scholarship, education, and research. Fair use is a use permitted by copyright statute that might otherwise be infringing.
🕰️ Timestamps:
00:00 - Intro
01:40 - Learn Malware Development
03:58 - Recap
08:25 - Introducing: The Native API
09:38 - User-mode and Kernel-mode
13:42 - Function Flow Path
16:25 - Dissecting a Program (Reverse Engineering)
24:46 - Short Intermission
25:01 - Making an NTAPI Injector
43:00 - Running The Shellcode Injector
44:08 - Outro

Science

Published: 26 Jun 2024

Comments: 138
@crr0ww 7 months ago
📌 Use code "CROW10" for 10% off your order when you checkout at Maldev Academy FOR A LIMITED TIME! ---> maldevacademy.com/?ref=crow Font: DinaRemasterII Theme: Zero (Dark Theme)
@CaptainLeviOfTheScoutRegiment 7 months ago
I can't find the theme, could you give me the link for it
@drishalballaney6590 4 months ago
if possible could you please also cover these videos in rust?
@TheCalinative707 7 months ago
this man is the best teacher I've ever seen, strictly on his use of comedy and 4th wall breaks, while being detailed and informative
@crr0ww 7 months ago
i appreciate that so much! thank you :')
@malcomclark2261 4 months ago
I thought I was crazy for thinking that too. Something about the way he explains things just works for my mush-brain.
@nero2k619 7 months ago
Best part of using native APIs in usermode is the things you can do that you would never be able to achieve with using just win APIs. Of course native APIs add a lot more code but the amount of flexibility and control you can achieve is just pure gold.
@crr0ww 7 months ago
agreed! it's also just a lot of fun to see how everything comes together! thank you so much for commenting!
@upliftingspirit6873 16 days ago
saw your videos yesterday and all i have to say is ... please never stop doing what you are doing. you are really talented and good at explaining. i really like that your teaching method is not possessed by elitism which as you said (and i agree) is one of the biggest problems in this field. you never take anything for granted and you are willing to explain even the slightest thing to your "students". subscribed, of course :)
@JohnDoe-cx6zd 7 months ago
Man, I literally have been watching your buffer overflow video right now, and just noticed an upload! What timing
@z4rathustr4 7 months ago
This man is one of a kind. Seriously, so informative, but keeping it fun and cool! So much love, looking forward to the next episode ❤
@crr0ww 7 months ago
thank you so much! that's so kind of you
@phantompuma228 7 months ago
LETS GOOO HES BACK, I HOPE YOU GET SOME REST CROW!!! I SEE THE EFFORT!! THANKS FOR ALWAYS PUTTING OUT LEGIT CONTENT!!
@crr0ww 7 months ago
ILY LEGEND
@ttj_ 7 months ago
as soon as i saw you posted a new video i got so excited, you're my favourite youtuber. malware development is so fascinating when coming from a software dev background
@piyayozeo 6 months ago
I thank the universe for putting your video on my feed, it was so well explained and you kept my attention at all times with the memes and jokes. Thank you Crow!
@sinatra02 7 months ago
thought i was losing it seeing a crow notification
@Brahvim 7 months ago
It was 1 AM and yet I clicked. Was not disappointed, and *genuinely* enjoyed the jokes, and knowledge shared (thanks to knowing the non-WinAPI parts in advance, I guess!). Thank you, crow!
@crr0ww 7 months ago
it's my pleasure! thank you so much for commenting
@vittoriomondelli7172 7 months ago
bro this is actually so entertaining thanks for your work boss
@ai_coding 7 months ago
I swear ur the best teacher out there!! Glad i stumbled upon ur channel even tho im not into malware dev im learning a lot.
@p3tergriffin 7 months ago
Recently discovered your channel and the content is great. Thanks man.
@crr0ww 7 months ago
thank you so much!
@pspnerd45 7 months ago
That coding montage at 4:30 is so smooth. Could have that playing in the background while I work/study.
@ikennamanagwu9646 7 months ago
Wooooooowww..... Maldev academy is literally what I've been looking for for years ..!!!!
@justin7oo994 7 months ago
Oh wow look my favourite bird is back
@Proferk 7 months ago
yay, our beloved malware man crow is back
@christian_leone 7 months ago
I love you crow, your videos are really simple but interesting, thanks so much!!!
@crr0ww 7 months ago
aw thank you so much, that's so heartwarming to hear
@user-qb3xm2yq6f 7 months ago
I've been waiting for your new teaching
@dayhta 7 months ago
YES ANOTHER CROW VIDEO!!!
@SZTUKAHARDKORU 7 months ago
nice channel, will watch all today
@mrpoodoboo6785 7 months ago
awesome video, thanks for addressing the goto statement, immediately started having flashbacks to uni...
@omfg4956 7 months ago
BABE WAKE UP NEW CROW DROPPED
@541v 7 months ago
In love with crow's humour
@curryjl1027 7 months ago
Another fantastic video, keep it up, legend
@zvqle 7 months ago
great video, loved it very much. please do more!
@backinyourcommentsectionag3191 7 months ago
HE HAS RETURNED ALL HAIL ALL HAIL
@DroneMothership 7 months ago
Yo this is like spooky Christmas
@piolix0004 7 months ago
THE KING IS BACK
@gersonsv12 1 month ago
idk when I'll have time to try this but it looks fun af
@nikos4677 3 months ago
10:54 Damn I remember reading that from that book
@OfficialChubz 7 months ago
don't care who says what this man needs a 100k play button
@PandaGoesMoo 7 months ago
return of the -king- crow
@fxiqval 7 months ago
i actually found out a weird thing with object_attributes. the length member is optional on some functions, but required on others. but the interesting thing with that is with e.g. NtOpenProcess the length can be 0, but the actual pointer to the object attributes can't be nullptr/NULL/0, otherwise the function will fail.
@sinatra02 7 months ago
HES ALIVEEE
@crr0ww 7 months ago
IM ALIVEEEE
@ismailaf3634 7 months ago
Finally let's goo
@sy-tv3ic 7 months ago
i hope bro keeps getting butterflies after referring to past videos. goatttt
@jbray250 7 months ago
I'm trying to play MapleStory with Crow. Also this was so dope
@the_internet_332 5 months ago
Great Video!
@detective5253 7 months ago
ayyee, crow's back to the crew w/ anotha motha video bout maldev series. love ya homie
@slamdude321 7 months ago
wow so informative crow i love you
@crr0ww 7 months ago
THANK YOU SM LOVE
@phobosmoon4643 7 months ago
im not sure if shitposting has finally caught up to my refined, god-like tastes and humor, or if I have just been too stupid to hang with the cool kids this whole time? either way: ooh la la.
@crr0ww 7 months ago
HAHAHA i'm glad to hear that xD thank you so much for commenting
@YAHWA-fb7ww 7 months ago
Best resource ever !!
@aa898246 7 months ago
amazing video
@lysikasaito 7 months ago
Awesome video!!! What font are you using? It's great (the pixel art font, not iosevka)
@crr0ww 7 months ago
thank you so much!! :D it's called "DinaRemasterII"
@icarlyfan102 7 months ago
already know its a banger
@inn6300 7 months ago
Crow10 crow10 crow10 !
@-uz 6 months ago
DROP another Banger please 🤝
@pookbally 7 months ago
crow ur the best
@trintlermint 7 months ago
I LOVE YOU CROW!! hope youre doing well!
@crr0ww 7 months ago
ILYT THANK YOU TRINTLER, SAME TO YOU HOMIE
@gregandark8571 7 months ago
@crr0ww I was and i'm always wondering - why is there 0 content like this for linux?
@crr0ww 7 months ago
@gregandark8571 well, windows is the most popular platform that people use, so it's natural that most malware is made for it! that isn't to say that there isn't malware for linux, there's a lot out there too (some really really cool techniques as well!) dont worry, i have something planned for linux-based malware development too :) all in due time. thank you so much for commenting!
@gregandark8571 7 months ago
@crr0ww Awesome!
@X_explotion 7 months ago
Especially you, slouching in your chair. I feel personally attacked
@Bingo901 7 months ago
Great video ! What font do you use ?
@muhamedadel3984 7 months ago
DinaRemasterII
@jacobjohnson1501 7 months ago
YOU GOT A SPONSOR
@crr0ww 7 months ago
!!!!!!!!!
@Trad3st0rm 7 months ago
Sick new intro mate
@crr0ww 7 months ago
thank you so much!
@ryuu8027 7 months ago
Good video
@Redyf 7 months ago
What font is that on vscode? it's pretty cool
@sparky1377 7 months ago
What visual studio theme is that?
@cjsmax75 2 months ago
Hi, thanks for the video. for the Object_attributes, the doc says "For standard processes, all fields of ObjectAttributes should be NULL", how can we know that we'll need the size of the struct and not just follow the doc ? Thanks!
@ThisShitWontWor 5 months ago
What's the name of the font you're using in VS ?
@BoopyTheFox 7 months ago
Man you're cool
@kingananas2.0 3 months ago
What font is that?
@MalwareHunter_07 1 month ago
make videos on EDR Evasion
@peppidesu 7 months ago
13:44 jyuugatsu 👀
@crr0ww 7 months ago
Yes! That's right~ Peppi-san, your Japanese is really good. :) Thank you for commenting!
@Snydzzz 7 months ago
How do you generate the shellcode for starting the calculator?
@crr0ww 7 months ago
well, you could make your own shellcode (which is recommended, but for beginners might be too difficult at first) or you could use a shellcode-generating tool, the most popular of which is called "msfvenom". although, be warned that msfvenom has been heavily scrutinized and documented so pretty much all of its shellcode will get caught by windows defender. now, you could get past this by encrypting the shellcode, or for this example, since we're not doing anything malicious, you can set an exclusion path for windows defender so that your program can run and not get thanos snapped out of existence. hope that helps
@Snydzzz 7 months ago
@crr0ww could I make an exe that starts calculator with system("calculator.exe") then try to get the bytes from a disassembler? Btw, I got into this with game hacking stuff like assault cube and your channel now has gotten me into the more general area of malware. I like how you present the information in an entertaining way instead of speed running code with subtitles. Really makes it enjoyable 👍🏼.
@cadeathtv 7 months ago
How true is the legendary, "Do not upload to VT"?
@crr0ww 7 months ago
if it's something you care about (i.e., you don't want to get signatured, taken apart, and analyzed), then yeah, don't upload your malware to virustotal. VT will share these samples for the sole purpose of taking it apart and documenting it. it says the following in their historic privacy policy statement: "We share the raw data underlying Samples uploaded to the Services as well as information relating to the submitter (ciphered ID, city, and country) of the Sample, as follows: With our security partners. When you upload a Sample to VirusTotal in order to receive a report about the potential maliciousness of its content, we store it in the Corpus and share it with our partners in the anti-malware and security industry. Partners that participate in VirusTotal are bound by contract to only use the Samples for internal security purposes in compliance with our Terms of Use to detect malicious code and to improve their antivirus engines. All partners receive Samples that their antivirus engines did not detect as potentially harmful if the same Sample was detected as malicious by at least one other partner's antivirus engine. This information sharing helps correct potential vulnerabilities across the security industry." tl;dr if you care about this malware, something you made for engagements and you want to increase its shelf life, don't upload it to VT. there are alternatives that you can upload your malware to, to see what defensive solutions get triggered by your malware which i can't remember off the top of my head unfortunately, but yeah! i hope that helps! :D
@cadeathtv 7 months ago
@crr0ww thanks for the input. How risky is it to upload it during the development phase? Any tips on how to test the effectiveness of your malware?
@Celestenshi 5 months ago
Thanks
@Celestenshi 5 months ago
idk why it only typed out thanks im gonna cry
@brmenna 7 months ago
Bro, I absolutely love your content! My book recommendation for anyone trying to understand more about this topic is: Windows Internals by Pavel Yosifovich
@crckrbrrs 7 months ago
>disappears for a month >uploads maldev 2, apologizes for not being active >continues to not be active >drops this absolute masterpiece 2 months later, talks on discord for a bit, leaves never change
@sinatra02 7 months ago
LMAOOO
@interrrp_with_three_rs 7 months ago
good video, you and cazz should collab
@jjurmean 7 months ago
you could also just do if !Buf if it equals null, good video though
@alexanderdell2623 7 months ago
Is using NTAPI the same as using syscalls?
@crr0ww 7 months ago
Not DIRECTLY. There are certain NTAPI functions (as talked about in the video) that don't actually result in a syscall/int 2eh/sysenter instruction. Those NTAPI that do however, will end up invoking these instructions. so, when we call an NTAPI function, yeah, we will eventually have it perform a syscall, but we're not using syscalls directly, moreso transitively using them through the NTAPI. Using syscalls directly/indirectly is going to be the main focus point of the next video, but just remember that when we use syscalls, we're ushering them out directly (typically through our own defined assembly stubs) and not having the NTAPI do it for us! Hope that helps! :)
@0xGast 7 months ago
what font are you using
@0xGast 7 months ago
nvm
@freeeverymalloc 7 months ago
happy halloween
@crr0ww 7 months ago
happy (late) halloween!!
@peppidesu 7 months ago
13:52 osu reference 👀👀
@crr0ww 7 months ago
SHIT I'VE BEEN MADE
@fostn 7 months ago
What theme are you using in Visual Studio
@crr0ww 7 months ago
Zero (dark theme)
@fostn 7 months ago
@crr0ww thank you crow
@coder_rc 7 months ago
Crow evenly spaces his code 😱😱😱😱😱😱
@crr0ww 7 months ago
:GASP: !!! xD tysm for commenting brother
@coder_rc 7 months ago
@crr0ww
@DuckeyDev 7 months ago
Noice
@ismaildogukancokluk3679 7 months ago
Yoooo. Your font looks great mind sharing the name of it ?
@crr0ww 7 months ago
sure, it's called "DinaRemasterII"
@noorkhara1429 7 months ago
crows rat 🐀 4 grams protein I'm gonna nomnomnomnom
@crr0ww 7 months ago
[crow's rat WILL remember this]
@desmon3341 7 months ago
hello from Spain
@crr0ww 7 months ago
hola! thank you for commenting
@Alfakatt 4 months ago
What is accomplished with a goto that couldn't just have been a function?
@K4nj 7 months ago
What's your theme
@crr0ww 7 months ago
it's called zero (dark theme): marketplace.visualstudio.com/items?itemName=AgitoReiKen.zerovstheme
@K4nj 7 months ago
appreciate it so pleasing on the eye @crr0ww
@Zetty 8 months ago
penith
@nassvandrunen6020 6 months ago
lmao
@notechnolife9596 7 months ago
Marry me !
@daljeetbhati8353 7 months ago
i want to meet you so bad 😭
@crr0ww 7 months ago
haha maybe one day, brother
@Haapavuo 7 months ago
45 minutes to be able to open Calculator from CMD 😆 Just joking... But for real, I had to skip most parts of the video since I'm in a hurry right now. What is the main achievement here? You still need to be able to run your own exe (or modded exe) on the PC to be able to inject anything. Where is the malware part here? 🙂 Please give us a summary of the achievement of this video. Thanks!
@jonobrien8848 7 months ago
gotos are great, old people are just bad at comprehension that don't like gotos.
@swoodc 2 months ago
nah its a black cat they would've shot it before locking it up lmfao
@alec3217 4 months ago
GET OUT YOUR COZY BED RIGHT NOW AND MAKE A TUTORIAL ON REFLECTIVE DLL INJECTION CODE BOI
@humanxoxo4 7 months ago
Thank you for your videos and tutorials sir! As someone who's in a 3rd world country and wants to become an exceptional ethical hacker, you are a godsend, thank you so much sir, hope you have more power to teach. 🫡🫶
@crr0ww 7 months ago
that means so much to me to hear. i am doing this for specifically that reason, to provide information and knowledge to everyone, no matter their walk of life, for free. thank you so much for your comment, it's very inspiring and humbling. thank you and keep up the great work, you'll be a great hacker