Just Hacking Training - Windows Malware Development
Skills:
Security Basics80%
Key Takeaways
Introduces Windows malware development using Just Hacking Training resources
Full Transcript
Learn cyber security and focus technical training with just hacking.com, where all-star instructors and industry experts provide hands-on, affordable, and practical learning across courses, free upskill challenges, hackalong training videos, and capt Capture the flag competitions. There's always something to hack. With new content twice a month, all throughout the year, plus bimonthly live streams, you can sharpen your skills in our ondemand and interactive lab environments. Advance your career and level up regardless of your experience or budget. Forget all the noise and get to just hacking. Sign up now at justacking.com. Alrighty. Woohoo. It works. I think we're doing it. I think we're live. Hey, if folks were tuning in for some of the late night test experiment stream that we were doing, uh, if you tuned in to the last live stream that we did, I'm going to be honest, hey, it was a little bit scuffed. I don't know if it was my connection. I don't know if it's my computer. We traditionally use reream and that helps us multiccast out to LinkedIn, to Twitter, to YouTube and Twitch all at the same time. Um, but something was just going a little bit wonky. I think it's my device. Not quite sure positive why. Um, and we could, I know it, of course, realistically should just be using stinking OBS, like Open Broadcaster Studio, but it is very, very handy when we actually get to use uh some online solution because we can bring in a guest. And as you know, we like to have some guests here on the show uh when we do these every couple of weeks. Um, look, if you're here, if this is your first rodeo, even if it isn't, this is a just hacking training live stream, which means that I kind of get to talk shop. I get to tell you all about the sweet awesome stuff that we have been up to, what the team has been cooking with, all the crew and folks, the incredible instructors, all-star trainers building out some sweet material here for us. And honestly, we got a lot of sweet stuff to talk about. uh you know the rules, the layout, the agenda, the outline. I will probably do the spiel. I'll give you a couple of the cool announcements for maybe 10 minutes or so and then we'll bring in our guest uh to do some live demos and to hang out and to do some AMA, ask us anything. AUA, I don't know if that's the right acronym in that case, but I really appreciate you all. Uh thank you so much for tuning in. But please do keep me honest. Please do. Uh, hey, hold me accountable. If for whatever reason my connectivity, my camera quality just starts to turn into a potato. Let me know. Say the word. Uh, but I'm hoping we got that full HD. I'm hoping things are looking good. Um, with that, let me share my screen. Let's get to it. Let's do the real stuff. I've already burned however many minutes. So I want to bring us all to just hacking.com. This is homebase. This is HQ. Just hacking.com is where we are showcasing all of our courses and training and path of learning upskill challenges that are a little bit more free, a little bit more accessible, little bite-size, easy nuggets of education, hackalongs that we'll be including with a video demonstration usually on YouTube. So that's out and about and accessible and capture the flag. Look, the first question that I know everyone's going to ask is, is this live stream being is always the answer? And if you're willing to take a look uh way up here in the navigation, you can get to the vitals and the events page clues you in and clues us in with all the stuff that we're up to. How we are multiccast to LinkedIn, Twitch X, and YouTube. uh you get a little bit of the archives as to all the other great folks and people that we've had here with us. Uh OSENT operate, excuse me, open source intelligence with Michelle Khan, crypto with Ellie Dah, active directory shenanigans with Slavi. Tons of good stuff. Um the conferences and the IRL events are where you can track us down, where you can say hi, where we can shake hands, hey, hang out, chat for a little bit, get a pick, whatever you're up for. We just got off the tales of Defcon and I don't want to spend too much time bantering about the past, but I do want to tell you, hey, if you're around for blue team con, please come say hello. We'll have some of the crew over with the IoT village or the internet of things village. Uh truthfully, I will not be there. Uh unfortunately, it will just be uh it's not going to be me there with you, but get some stickers. I think we might have some t-shirts and swag that we might be sharing out. Um, don't hold me to that, but we will be showcasing and we'll have some workshops, we'll have some hands-on activities there with a lot of the upskill challenges that we've been preparing. And if you've actually taken a look in the last live stream, if you are still sticking with us, we have brought out what we're calling the UCX. Well, usually the UC acronym is for a free byte-sized uh little learning lesson. UCX are upscale challenges extended because those will include some virtual machines, a lab for you to experiment in. And huge shout out, big thanks to Matt E who's been on the stream with us before. Uh another incredible friend, a genius, another wizard. uh he cut up some really cool different IoT devices and turned out what we are calling these UCX or upskill challenge extended where you could dig into MQTT the protocol to be able to talk to different internet of things devices and if you ever want to do that on demand I know I showcased this in the last live stream that is a name your price little playground so if you want it for $0 totally free it's yours dive right in um usually the upskill challenges are just straight flat, easy, free. But because these include virtual machines because there is a lab component there, those are things that we kind of, you know, got to got to cover the costs for. So if you like or love any of the stuff that we're up to, please, please, please, we're always grateful for your support. uh router rut row. While I did not get a chance to cover that in the previous live stream, that is a fun one that actually lets you extract some firmware for an internet of things devices. A router in this case of course was hacked. So you get to pull out, find a web shell, find a back door, see how it was compromised. So we'll have that live and in person at Blue Team Con, but you can always grab that on demand if you're willing to help support. So heck yeah. All right, another super cool big announcement. We're genuinely super stoked, excited about this because this is kind of like a milestone that we feel we felt as our own goal to get out and about and accomplish live and in-person training. Getting to hang out with you face to face, getting a chance to teach, getting a chance to share some of that education. And we've got that at Bside Chicago. Besides Chicago coming up, the workshops um include some of the stuff that we've been able to bring to life. So if you want to hang out with me for some scriptbased malware analysis, that is a full day workshop alongside OSENT, the open source intelligence from Michelle Khan, alongside hardware hacking, some of the sweet hey on the in the circuitry. All the sweet stuff that or Trevor will bring to the table and a little bit of AI fun. Ellie, she's an angel, but showcasing some vibe coding for responsible adults. would absolutely love to see you there. Of course, that will be live and in person. We'll get a chance to hang out. We'll get a chance to chat. We can do anything that you're up for. Um I believe the early bird registration is extended. Um we are bringing and that that's on me. That's my fault. Truth be told, we can we can blame me. I am always behind on mostly everything. I think that's I think that's fair to say. Backstage production letting me know. Yes. Yes, John. I know you're always awful. Um, I didn't get some of the social promos and posts out the door that I wanted to. So, I think this is now through the weekend. I believe September 7th up until midnight Chicago time. CDT. That's totally the time zone name. Chicago time. So, uh, links for that I think will be tossed out, cast amongst the chat, and, uh, would love to see you there. Please, seriously do come out. Those are going to hopefully have a really cool packed room. So we'll see you there. Bside Chicago live and inerson training. I'm stoked for it. Now it is a new month with that. We have some new content, new training, new education out the door for you. Uh but let me say while we had released incident response 101 previously, this came out last month or sometime in in the time vortex that we live in. Um, it's really cool that we've been amping up a lot of our blue team portfolio. We've given that a lot of love, a little bit of defense, a little bit of, hey, secure and things and digging into incident response work. Now, I know that's not everybody's bag. Maybe a whole lot of folks are really just eager to cut up some malware and dig into whatever a security operation center might be up to. Well, all of these include big ginormous virtual labs, a whole cyber range and environment for you to play in. We're stoked to get out the door sock analyst 101 security operations center activity work and there that is I know oftentimes an entry point for folks getting into their career in cyber security. So, we were stoked to be able to bring this together and these are all from Ali who's also been on the live stream before. another super sweet, incredible fella. And I'm just pumped to be able to bring this to you because this one is name your price. Uh this is affordable. I hope in my opinion. I think this is pretty accessible. Uh there is a floor here of $25. But again, if you ever wanted to give us a bit more love, I appreciate your support. We all do. This is, you know, effort and uh the work that we do. But this one includes a another sweet lab environment for you to be able to dig into work with a endpoint uh edr kind of solution that we'll get a chance to play with working with some of the thread intelligence and case management there. Um and if you had any interest in some of the other blue team shenanigans that were out and about constructing defense is alongside that. Um, along with incident response 101, we will have a heck of a lot more blue team material on its way and I'm stoked about that. But dude, seriously, links in the video description or in chat or whoever this flies out and about. Take a look at sock analyst 101. Pay what you can. You can change that to whatever you'd like. But the floor here being 25. Grateful for your support. Take a look at the material. Can I zoom in? Super crazy. Look at this outline. case management, building a sock. We're using elk in this case. So, elastic, log stash, cabana, and some of the sweet things, even sysmon, some investigations. So, that should be super practical. That should be very tactical, and I'm stoked for it. I hope you dig in. I hope that one is accessible and easy to play with. But here's the thing. We're chatting a little bit about blue team end of things, but we need to give a little bit more love to the red team side of the house. So, we've got a little bit more on the cooker, but one thing that we are extremely excited to bring to you is the continuation of WMD. And that's the cool fun acronym for Windows malware development uh that Davided Schlloth has been putting together. And I love Devid. I love hanging out with Devid because he's just cool. Like there's no better way to say it. He's just casual. He's just chill. He's just He's just hanging out with us. And that's the best thing. And it's actually really really cool and it's super fun to learn from because he keeps things real and it's silly. They're shenanigans. They're so much fun. But for a long while, we put out WMD 1 through3. And that was the beginning intro trilogy that was a little bit more for the beginners, for the basics, for hey, you know, just getting your feet wet in a lot of this Mau development world. Um, WMD and taking a look at some shell code, trying to get some loaders and droppers together. But now we are starting the saga of the next trilogy that leans a little bit more intermediate to advanced. Uh, I'm not sure how far that Davidid will take this, which is pretty exciting and pretty cool. Uh, I know there are plans for a couple more iterations, but I don't know if we're going to keep spinning even more after that. Um, we'll have the links flying around in the uh chat just as well. But one of the things that WMD super duper focuses on in WMD4 is position independent code. And of course, these will all have by default for their launch period, the 20% off. So, I'm grateful for your support in there. Um, and I love this picture. I mean, both in the moment of, okay, trying to get all the work out and fighting through these labs because this is tough now. You get you get into the world of, oh, cutting up assembly and position independent code. And it's no secret sometimes that can be tough to wrestle with. But there's a lot of good stuff that we get to dive into and I'm stoked to have David here with us to tell us a little bit more about it. But the material is super cool because he presents it in a cool casual way and position independent code certainly brings us to a new level. Uh, hey, the next beginning steps in the path or the saga for WMD, I think. Yeah, we can go take a look. I can show you a little bit of the outline, but I do want to let David really tell us all what it's all about. Uh, some cool stuff we're digging into with Cough, common object file formats, Crystal Palace. I'm super excited to ask him a little bit more about that. And it looks like from the outliner agenda, this is super duper lab focused. There's not a lot of oh boring slides or text. It is the hands-on write code, test and debug and craft all this in the moment and together. So definitely definitely definitely excited about it. But with that, I think I can stop talking and I think we can let David join the show. So if I stop sharing my screen and I have burned about 15 minutes, that's my fault. But I do want to hear from Davidid. So let me double check. Hey, are you here with us, my friend? I can't see the little thumbs up anymore because Riverside doesn't give us a preview like Reream does. So I have blind trust and hope. that Davidid is ready. All right, my friend. If you can hear me, I'm going to bring you in in three, two, one. David. >> Oh, it works. Okay, cool. >> It works. >> I had to I had to quickly hide the burrito that I've been trying to stuff down while you were talking. >> Some Chipotle. >> Yeah, some some California burrito. You know, I miss the the homeland, I guess. But >> well chat audience, friends and family listening in uh please do keep me honest. Again, how is the audio? Uh is David loud enough? Am I loud enough? Are one of us too quiet, etc. Um but David, it's great to see you, man. Hey, nice shirt. I I dig it. I love it. >> Yeah, I like your shirt, too. Yeah, it's almost like we got them from the same place. >> So cool. >> Well, how are you doing, man? >> On pretty good. Uh I've recovered most of my sanity from this course. Uh, as I love the photo that Dawn put up that that pretty much perfectly explains the level of what are we doing throughout this entire course. Um, pick is one of those unique things where you think you've written it well and you think you do it well and then you try to compile all your code and it just doesn't work and you have to figure out why. For me, most the most of the time that's spelling. But um even even beyond that, sometimes loaders don't work. Sometimes your uh function format doesn't work out. So a lot of troubleshooting. Uh which is why we put this more into the advanced side of the house than putting it in the one through three side of the house. But >> well, if I may say something that almost sounds counterintuitive, but it's what I genuinely hear from either folks that watch my videos or see stuff out online that kind of we put out. Uh it's so strange when they tell me and they say, "I want to see you struggle." Like I like seeing you get in the tough spot um where something doesn't work or something isn't working the way that you expected and then you get to watch and see like the live debugging and troubleshooting. So you start to get a little bit of their intuition of like okay how do I go find and figure out what is wrong and I don't think there's any secret. I I was hey scrolling through taking a look at some of the stuff that you made and build up there and it's like oh David does not hold back. He shows you the raw real process of putting together position independent code shell code the malware dropper stager loader. Uh and that's been one of the coolest things for me to see in all reality was like this is real. This is where we get to the you're really cutting up the code for yourself right now. >> Yeah. And and I think by even showing the mistakes at hand really humanizes the process because we tend to think especially around malware that is this super mythical um complex situation that uh you really have to truly understand understand the CIS internals of an OS in order for things to function. And then you go and read something like Typhoon Salts loaders and they're just like character replaces from an HTTP request. You're like, wait, that's all that it took to bypass these AVs, right? So by by showcasing these errors, by showcasing what can go wrong, yeah, you get a little bit of that troubleshooting process to start getting the gears moving a little bit better, but it also just makes it a lot more demystified for people. So they're not they're not looking at malware like it's this super complex process. There is that stuff, right? We we've definitely seen some of the the coolest uh bootloadaders out there, but uh at the same time, most of it is just simplistic creativity, right? It's like if you were if you were to draw a picture on the uh on a piece of paper, but instead do it through a computer. That's that's all malware really is. So that's what I what I really try to focus and showcase when when we do these courses. >> And I just love your style. Like even reading through the text, reading through the material, and seeing you in the video, it is casual. It's candid. It's like, hey, you're just hanging out with a buddy, uh, cutting up code. Um, and I'm grateful for you to make that so approachable because just as you mentioned, it it can sometimes feel like we're just up against the wall trying to learn this big scary amorphous thing. But a lot of your presentation is like, hey, this doesn't have to be scary. Let's take it and experiment and play. That's the biggest part. Just make it fun and play, >> right? So, and especially in in pick where there is a lot of complexity, right? I think most people when they think of pick or shell code, they're thinking purely writing an assembly. And while writing in assembly can be cool, it's daunting. It's terrifying because it's not like a human-based language, right? Not like what we get through C or Python or PowerShell or anything like that. So it can be really scary to look at. But if we can walk through and understand what is happening in assembly without having to write in assembly, uh now we're better at at writing pick. Now we're better at troubleshooting our code. Now we can fully understand what's going on and even lead into some of that defensive stuff where you know doing malware reverse engineering and trying to figure out what certain functions do. uh we don't have to just purely rely on Gedra to pop out like hey look this is probably doing what I think it's doing um but instead now you can just read the assembly and figure it out >> and those are all included from what I understand right hey you what you're covering in the course is trying and experimenting it kind of with assembly at first uh and then you crack open a debugger or disassembler right uh what can you tell me a little bit of how the structure the trajectory is so we first start off with the basics, right? Similar one through three where we really focus in the Windows 32 API. Now what we're doing is we're focusing more into how assembly works, how the basic PE or portable executable works. um get a general idea of what move instructions do, what load effective address does, where things exist in a in a general executable, like where strings are not in your text section, they're in your R data section, and why does that cause problems when you develop pick without a uh pick template or some other sort of dynamic resolver? Uh so we we start off there, right? It's nothing malware. It's all just hey, how does this work? And then we take that, we start translating into process independent code. We start saying, all right, hey, how do we take something simplistic like message box A, uh, or a call to message box A and turn it into shell code or hex code or pick, whatever you want to call it, uh, and then execute it. Um because pick is one of those unique styles of coding that doesn't rely on the general portable executable structure. We now have to use the tool sets that we've learned through 1 through3 like our shell code loaders or uh some sort of of execution create process a create thread right uh to go through and execute that stuff. Then once we have that then we iterate upon it. We go all right hey how do we create a reverse shell? How do we create a socket connection? How do we create an HTTP connection? Because we as programmers or if you've done programming especially in C or C# C++ we rely on a lot of dynamic resolution and linking from the compiler and we don't realize how much we rely on it until we start to try to write pick and nothing works. So we go through like why you can't call inet pons the function inet ptonons to translate a a IP address from a string to the way that um network uh CPU architectures uh understand the the information. We go over why you can't use hton tons like the port uh translation or how to get different ways to get to it. Um, so I say like it t there's like 10 ways to skin a cat, right? Like the phrase. Um, and I probably say that far too many times in the course, but ultimately we're going through different iterations of similar process functionality to teach that there are other ways to go about getting that information without relying on the general relocations or resolving functions uh that our uh that our compiler goes and gives us. uh which is a large portion of the course and then we wrap up with a code cave because I think code caves are hilarious and I just have a lot of fun of just throwing my malicious code into other people's programs and executing. So we we showcase that as well. >> Sweet. I know that is a hot topic. Code caves are certainly uh one of the fun uh set of words we tend to be throwing around these days. But I know you show the struggle. I know you show, hey, kind of putting your head through fan blades, trying to make sense of this, riding it kind of by hand, doing all that manual work and assembly here and there. Um, but I think you also get into one portion of the course where you talk about how we can make this a little bit easier. And this is all thanks to some really new and recent innovations. Like this is a new utility, new tool that came out like genuinely just a few months ago, I think July. Um, and I'm alluding to you probably can pick up and maybe some folks in chat are tracking it too, but Raphael Mudge, the creator of Cobalt Strike, the command and control framework that everyone knows and recognizes and is used ubiquitously, uh, had built and prepared what he calls Crystal Palace. Is that right? Can you tell me a little bit about Crystal Palace? What is that for folks that aren't familiar? So his words were, "It separates the tradecraftraft from the capability." So a lot of times when we write pick um we're not going to get to the level of the MSF venom stage zero stage one loaders, >> right? Uh mainly because when when the process to create that uh that template that they push out has been written in assembly and it's it's extremely optimized. they know exactly what they need to do. So when we write pick ourselves and we write our own dynamic loaders for uh how to reflectively load in a DLL, they tend to be quite large, tend to be quite inefficient. Uh and we're forced into certain uh what do you want to call it? I guess templates of how we have to write uh in order for our pick to work. And so if you want to bring it down then you would have to learn assembly. And if you want to learn assembly then we have to go through 10 hours plus of really understanding how to read and write assembly. But with Crystal Palace it's taking our pick through like a cough file that we create or a DLL that we create and extracting uh like the text section which is really where our pick comes from. and optimizing it uh which removes all the unnecessary functionality. If we added anything in through like a reflective DLL loader uh it will uh mutate it. So we get a little bit of offuscation involved with our with our shell code and it it will also append things like strings. So, what's really cool uh about that is normally with strings, if you want to do anything with strings and pick, you have to use either what's called a stack string, which is a really really annoying way of writing out strings, or you have to find a way of appending your R data section, your readonly data section where your strings actually live in the PE to the text section of your your code. So, unless you do that manually, you don't have strings. So this brings in a lot of that functionality that you lose by appending those sections to the uh to the text section and outputting it as a bin file or ah file whatever you may want. Uh but it's it's a very unique and efficient way of uh making your code a lot more optimized and a lot smaller. So you can go from something like 2500 bytes, which let's be honest is still pretty small, down to 1500 bytes, which is even smaller. And in malware, it's the smallest footprint wins. So the more you can remove, the more you can bring it down, the better it is for evasion and bypassing of ABS. Uh so without it, this course would have been what 13 14 hours. Uh which was the original design of it. with it, we were able to bring it down because we could remove a lot of the the explanations of assembly and writing an assembly and compiling the code there. So, super grateful for that tool set. Honestly, if you're going to pull from from anyone, you might as well pull from the best. And that dude is wicked smart, you know? So, that's the reason why we kind of brought it into this course. >> I'm just super happy because that I don't know, it tells me, look, this is the I don't want to say cutting edge, but I feel like that's the right word. Like, this is modern. This this is this is stuff. This is utilities. These are tools in your toolkit that were released two months ago. >> Yeah. Yeah, pretty much. >> Well, I know I kind of drove us all over the map. I know you were chatting a little bit about code caves. I did want to pick your brain on, hey, maybe some of the cool tools that you've been building out as part of preparing this course. I heard like Low Rider or something was to help hunt down code caves. Uh, but I know I think you also had some tricks up your sleeve and maybe some showand tell if you were able or willing or if you're up for a demo. Uh, are there any fireworks you could bring up? >> Yeah, I I think what would be fun would be to showcase the the code cave aspect. Um, you know, we won't go over how to modify the binary and all that. Like we got to keep some trade secrets here. Um, but uh here let me share my screen real quick. So the code that we would be running here uh hopefully this is the right window everyone needs to sign an NDA now. Uh no so like in this case this this is just a simple reverse shell. Uh what this does is we have DLL Illuminati um which is our reflective loader. Uh and what that's going to do is is go out and find the uh modules and the uh processes so that we don't have to just load in like get process A load library A and plus we can't call Windows 32 API organically uh like we would with a normal program because it will break pick due to what's called a relocation. So we have to do everything in our code. If we want to find something like a function or resolve something like a function, we have to bring it in manually. So we have that in our header file here. Um we set up our entry points for how the script will work. Uh or not the script but the pick. So with pick, you have to write it like a script. Everything starts at the top and goes to the bottom. Unlike where an application or a a normal program you can pull from other files and kind of bounce around wherever you want, it just needs to come in order. So what we do here is we define two structures through a macro. One we call uh whn which is our hton uh translator because we can't call that in normally. Uh and then yeetus deletus which is how we denote uh our functions. And so we first resolve out our our kernel 32 and our uh WS2 DLS because those are going to be the two DLS that we need for uh the socket information plus our create process a. So this is really the only complex part of the the application right now, right? Uh the way we resolve modules, the way we resolve u functions is through RO13 hashes. And so we have an application. You can go out and find the RO13 generator from uh I believe it's I hack for falafel is the OG uh GitHub repo. I made some modifications on my GitHub which resolve uh DLLs as well just because they're just different uh ways of resolving. So you can go check out my GitHub as well. It'll have that information there. But we resolve these through RO13 hashes. very very common way of of resolving functions without using strings and then we set our uh our actual functions at the beginning. So then we can later call them like normal right WSA startup WSA socket a sock handle connect all those uh also fun fact if you ever want to do uh pick and you don't want to use inet pons I tried this for the first time during the course demo or the course labs uh which could have gone really really bad but uh it worked out in the long run so if you read the structures and we do read a lot of the structures of like how things work like memcopy memove uh inet ther address or sin adder right what I had noticed was hey sn adder has like this anonymous union that you can call down to the individual bytes and so instead of adding an IP address through text and translating it over we can just individually assign each bite um which I thought was really I know most people will be like, "All right, whatever." And many malware developers are probably like, "You didn't know that." Um, but yeah, first time it worked. So that's that's my my pride and joy. But the rest of this looks very very similar to what you would get from a normal application minus maybe uh store string bytes. And this I think is kind of cool. Learned this from Raphael Mudge as well. store string bytes is like a replacement of memcopy. Yeah, memcopy. So memcopy and memove both have what's called compiler intrinsics. So they look like normal functions, but they're actually from a compiler uh that adds in the appropriate assembly code that'll work very very similar to how uh memcopy or memove work. So you have stob and stow or move sbov. So those two, we use those quite a bit. And then we just start our process. Pretty pretty simple in general, right? So once we have that all compiled up and and ready to go, we can actually create our shell code, which would look very similar to metas-loits, MSFN or any of those. We use XXD uh which is organic in Linux or at least in Cali. And that prints us out, what did I call it? Uh, I think it's this. Yeah. So, then we can just print out the hex bytes and see. And you could take this this header file, shove it into any of the the one through three shell code loaders that we created in WM3 or WMD 1 through3, any of the shell code loaders. You could shove this right into there and it would work. It would call back. But since we're doing something like code caving, we can make this even more efficient by just bringing down to the bytes. So that would look something like rev scod. Yeah. Hey, I'm a I got good memory. And then you know now we actually have like the straight up hex. So why does any of this matter, right? So in code caving we can't use the Cbased formatting uh because we we're going to modify the the hex bytes inside the binary itself. So we need to actually bring it down to here. But this is just rev this is our our our cabbage wizard reverse shell this shell code right here which sits at what 1548 pretty small overall right. Um, so what we can do from there, let me jump over to the target host. Where is Oh, here it is. window. Here we go. So, this is the target host. And we have this cave demo here. Uh I wrote this out so that it mimics a very common error in in application writing which is allocating large buffers for nothing, right? You just have some space that's like, hey, we need we know we're going to put something here at runtime, but we don't know what it's going to be. So you get these large swasts of of of space that you could just shove your information into. And so all cave demo does is it calls the Windows 32 API and then as a nicity to the students, I told them exactly where they can go and find it, right? But there's other ways of doing that. So if we jump back over to our demo, we could use Low Rider, right? And Low Rider you could just find off my GitHub. Um so if we use low rider what we're looking for in low rider is low entropy regions because low entropy usually 00cc uh 9099 a bunch of knops right that typically means that there's an unused set of space and so if we use lowriter what it comes out and tells us is hey hey in that text section you have at the file offset of 400 roughly about 2176 bytes of code uh that's empty and really low and the entropy being zero, excuse me, means that it's 0000 0. So we go through how low rider kind of works with entropy and and dig into the cave. And then if you want to make that work, this is where OBS would have been great for me on this side. So if you want to make that work, you would use something like your hex editor. You would open up your cave and then go to 0400, which starts right here. And I put a knop just so students can find it. Right? We're we're trying to make this simple. But now you have all this space to shove in your code. And this this is kind of an unrealistic example in your text section. And you're not going to have just, you know, a whole two two uh 248 kilobytes of uh or 248 bytes of of empty space before in your text record. But if you modify all that and you which one's the modified one, this one. You modify all that still looks like it works normally, right? But if we jump back into a netcat session which I have over here, we can see it closed but we have a shell. Right? So the whole principle of of where we're trying to get with WMD 4 through six is working through the stages of the agent life cycle. So stage 01 is mostly developed in in pick as like your loaders your your way of like opening the door to let the full agent come into uh and take the place of that pick. So this whole course is focused around how do we do that initial access? How do we get the smallest footprint possible here so we can build into something like a code cave that executes in this way and then we'll load in WMD5. We'll load our full C2. So the plan is right now I really like Mythic just because it's open source. They give a lot of templates. We don't have to write everything from scratch. I think having a whole course on writing C2s would be cool, but it's a lot more programming than just, hey, what is Windows malware, right? So what we want to do in in WMD5 is hey how do we go from this stage where we're writing in our our process independent code that looks like this shoving it into a code cave and now instead of just getting you know a a simple reverse shell we're getting a straight up mythic C2 implant that we've created that we wrote that we can modify that we can change our own IoC's for. So now you're getting into a lot more of the realistic aspects of APS so that we can start to bring red teamers up to that same level of our criminal counterparts so that we're not teaching our clients, we're not teaching our workplaces the inappropriate way of fighting, right? Because when you just use unoffiscated cobalt strike, unoffiscated mythic, all that, of course they're going to find it. Of course, they're going to win on those and that's fine. That's good. You want to see them get that. But we don't want to just run into the same old situations where now our our internal teams, now our blue teams aren't able to actually tune their systems to look for IoC's that replicate particular threat actors. Right? So that's the whole course goal here is we're going to go this is stage 01. Next one is stage two and then six I'm looking at probably doing um three maybe four stage four but that's more nation state so I don't know if I want to go down that route that would be a nightmare but this is kind of a sneak peek to get you to into that 01 kind of stage mentality right just going from something as simple as well I guess this isn't really simple but writing our C code to getting the hex to compiling it to piping it out and putting it into somewhere like a code cave uh for execution. I know I kind of rambled there. What kind of >> Oh, that was perfect. >> Oh, was it? Okay, cool. What kind of questions we got? Are there questions? >> Yeah, I'd love to see if there are any other questions coming through in chat. Uh I did want to pick your brain and and ask uh obviously the seemingly random or silly function names that you would use like yeet us delete us or whatever are kind of twofold. Is that right? That that's one to have some fun and oh have some silly variable and function names but also like that is in a certain way obfuscation and evasion in its own right. Correct. >> Right. So, um, one of the first things that we go over in in the first lesson is how your compiler can break pick. Uh, and so a lot of times when we write code, we write with main because colloally that's how we were taught how to how to write code. And the problem with that is is as we wrote compilers, we started saying, oh, main means that's the entry function. That's going to be the very start. So, wherever main goes, make sure that in the PE we put an optional header for address entry point. Um, so we can't use main because main is going to break our code because it creates a relocation that the compiler puts in. There are probably ways of getting around it, but honestly, then you have to add in a bunch of options and just make it easier on yourself. So, my naming convention is always whatever I think is funny. Um so you don't have to name it this way right but that it does get around that mentality that you have to follow a convention for naming things that you have to call your variables I or A or offuscation in that manner right like you can call it whatever you want that's the beauty about coding is like as long as the variable names as long as the function names match to where you're calling them they work and so with pick especially with pick. You're going to have to use things like not an entry point or one day I'll code something normal. I probably will never code anything normal. Um the only caveat to this would be if you're using the Crystal Palace tool set, uh the optimization function that Mudge wrote in is looking for a entry point of a variable or an entry point called go. So this would need to change to go if you're going to optimize your code. And the reason being is because with any pick your entry point has to be at the very beginning. It can't be anywhere else in the code. So with optimize it just makes sure that the function go is maintained at the top. So that's where the the only caveat to the rule of you can name this whatever you want it to be. But yeah, I uh I just I think it's funny. So yeetus deletus like that's that's pretty entertaining to me. I did see some little W's in the chat. I think people like that a lot. It was good. One question that came through I do see in chat and and I don't know if this is bringing us to maybe either WMD5 or six or others or if you've touched on this previously and I'm just not aware. Uh but Ashraf, forgive me I might be getting the name wrong. Uh one of the evasion techniques that good malware uses is indirect SIS calls. Do you think that there is a more stealthy way than this? I don't know. Could you chat about that at all or what do you think? >> So I think the indirect SIS calls is probably your best bet with with evasion to calling functionality. Um we're going to have to change here in the near f near future because with Windows 11 they're implementing a new set of SIS calls that cannot be turned off. So, Interact SIS calls actually abuses like a legacy format of calling CIS CIS calls. Um, that is going to eventually change. So, as mau developers, we're probably going to have to look into how to get down to that level. Uh, but I think that's probably your best bet. I I mean I haven't seen anything in at least in my research or time of better evasion than SIS calls. But with that as well, you have to consider how do you do your indirect SIS calls? Are you just looking at Irate team and copying the way that they do it or are you manually writing out your um your dynamic resolutions? So your best I actually let me let me change that answer then. Your best evasion technique is your creativity and doing it your own unique way. Um, you can probably talk more about this than I can uh with AVs and EDRs, but you know there is a machine learning aspect that you have to get around, but the other side of the house is the static analysis aspect of this is obviously doing something malicious because we've seen the 10,000 tutorials doing this. So, uh, just doing something just unique enough will enable you to evade so much more. And that's that's truly what I try to teach in this course in any of the WMD courses is be creative with it. learn how things work so that you can circumn from what we teach in the course like virtual create thread wait for single object and now you're doing heap allec or heap realloc uh or virtual extended I mean I think the windows 32 API has like 17 different ways to allocate virtual space so as long as you know what you need you can you can kind of juggle with what you're what you're calling May I ask you to drop your screen share because I don't think I can and I don't know if we need it again. But um >> another one that came through. Um hey, how many years have you been coding in assembly? >> Be willing to >> I don't know chat a little bit about your background, your history, what you've been doing. >> So I learned I learned assembly way long ago. Uh probably seven, eight years ago. And then I stopped coding in it cuz it's a nightmare. >> Yeah, that's painful. >> Yeah, it is extremely painful. So most of the time I code in in the C-based languages, C, C#, C++, and for this course truthfully, I had to go back and do my quick little refresher uh because it has been a long time. Uh but this course has been under development for a few months now. I want to say like five, six uh months or so. So it gave me plenty of opportunity to code again in assembly. But um I would say truly coding probably only like a year and a half two in assembly avoid assembly. >> Yeah. Suggestion is try to not code in assembly but bring yourself to a sane space of C or C++ etc. Uh which is why Crystal Palace is so stinking cool. >> Yeah. No, it's so nice. Sweet. >> Any other chats? >> Oh, you see one. >> It says, "Why is malware very harmful?" >> So, it doesn't have to be. >> Malware doesn't have to be harmful. >> Would you mind filling the gap in for that just a little bit too? Because what we've showcased, what you have showcased is usually a reverse shell socket connection. Right. I know we are building up the building blocks to get to mythic or whatever else fill-in-theblank C2 agent that could then do anything more. But there's a whole road and rabbit hole to fall down on that one. So, sorry, I didn't mean to ramble. I'll let you >> No. Yeah. No, you're good. No, say it. I mean, it's one of those nomenclature issues we have in cyber, right? Um, too many too many terms mean too many different things. Um, malware being malicious software, right? It's just the combined uh piece of it. So there is nothing unique about malware in compare. Yeah. Nothing really uh unique about malware in comparison to normal programming. It's just doing things that we as moralistic human beings believe is malicious. Um you can't really teach a computer to do something that it never intended to do. Right? And all malicious software does is takes normal application uh programming techniques and makes it so that it can be used in a malicious manner. Reverse shells are totally normal. You know, we we do this with SSH um shells in general, right? Uh remote access, all those we I mean MSPs use remote access tools all the time, but when it's used by a malware actor, it's called the remote access Trojan. Uh it's it's really how you use the software in itself which what makes it malware. Uh so that's why a lot of times when we think of malware, we're only thinking of like ransomware. We're thinking of uh destruction. What do they call them? Uh you know the ones that delete everything on file. Um >> wiper kind of thing. >> Wipers. Thank you. Uh so it doesn't have to be truly malicious. In this case, you know, I'm not teaching you how to write your own ransomware. I think that would be I think it'd be cool, but I don't think it's uh I don't think it's appropriate, right? You can you can figure that out on your own, but you know, it's it really comes down to using the tools that are provided to you like through the Windows 32 API or through the OS itself um to run whatever you're trying to run in the manner that hopefully is completely legal and you have a signature at the base of your contract. uh between you and your client so that they can learn better against their uh their perceived adversaries with that. I think there's a cool question that just popped up. Hey, is exploit development or really malware development, right? If we kind of expand this a little bit, is that really a job? Is that kind of just for the government? is some folks say they've been studying for a while, really enjoy it, but how do we find this to be a career that I mean, short answer, yes, but I'll let you fill in the gaps. >> Yeah, I mean, it's definitely a job for government. Um, if you're good at it, you can make seven figures, no problem. uh you know I I know some people who make some buku money but I think as the industry as a whole has matured significantly in the last 20 years uh especially as cyber crime has only exponentially increased year-over-year. There has become a higher need for experienced individuals in those realms like mauard development in exploit development to better emulate the criminals and outpace the criminals. That's the whole job of offensive security as an industry is to outpace the criminal threats. Um whether you believe in in responsible disclosure or not because we are the only industry that does that. uh there is a a kind of a need and a requirement for us to get better at this because if we only ever learned uh the very very base of of an attack, how are we ever supposed to train and and get better at defending against the attack? It's like if no one ever learned lockpicking and we left it to the criminals, right? like how do they how do they not use a key? Right? We we teach all this because there is a a defensive win by doing that. Hopefully that answered that question. >> I think so. And with that, man, can I give you I don't know, maybe just a little bit of a spotlight for the stuff you're up to on the side. Em emulated criminals is uh your extra endeavor. Is that fair to say? >> Uh that's my full-time gig. >> Yeah. Yeah. Yeah. >> Yeah. So, Emulated Criminals, uh, thanks for that shout out. So, we are a continuous red team as a service, but without the general cost that would come with being a continuous red team as a service, right? Uh, as as my partner says, we are humanled, but priced like automation. Um, the idea is we really got tired of seeing single point in time testing. Only do it once or twice a year. You look at the environment and you're like, hey, you're good to And then these companies get hacked all the time. And the reason being is that they only got looked at once or twice in a year. But cyber changes constantly. So our our goal is to truly outpace the criminals by being that emulated criminal that emulates the threats that are realistic and relevant to our clients. So that's what I do now full-time. I love it. Doesn't feel like a job. I mean, honestly, you get to do goofy stuff all day every day, right? write malware, send fishing emails, but it it helps our clients truly train how they fight and I think that's super important. Uh, and there are more companies that are coming out like that. So, super excited to see how this uh industry changes and expands in the in the near future. >> Excellent. Hey, thank you so much for the super chat, Lentense. Super appreciate all your support. I know we are wrapping up getting close to the top of the hour. So, if I may leave you with uh our last couple of cool, hey, sweet call to actions here. Gentle reminder, something we're super stoked about. If you did love hanging out with us, if you did love chatting, hey, being part of the live stream, tuning in. Look, you could do this in person. Hey, Bside Chicago, we do have our workshops where there's me, there's Michelle, there's Trevor, there's Ellie. Super duper stoked for Bside Chicago in-person live training. a couple more links that will be flying around in the chat, but we absolutely would love to spend some time with you IRL. And we're just so happy about the opportunity to do that in-person live instructor-led training. Uh early bird registration if you wanted to dive in, that should be extended through, I think, the weekend, uh the end of the weekend, September 7th or so. Uh but hey, dive in, jump in, check it out. Would love to see you there. Um, and with that, I think that's my last CTA other than get to just hacking. Get to just hacking.com. Forget the noise and get tojusting.com to check out the sock analyst 101 course to check out WMD, WMD1, WMD2, WMD3, and now WMD4. Thank you so so much, Debbie. This has been awesome getting a chance to hang out with you. >> Yeah, man. It was a good time. Thanks for having me on. >> Any other call to actions from your end? Any last parting shots or >> um don't do drugs. I'm not your dad. >> I love it. Excellent. >> All right, everybody. I'm going to tune out. We'll do the slow, awkward wave goodbye while we give live stream whatever amount of time it needs to be able to actually close out across all different platforms. LinkedIn, Twitter, X, YouTube, Twitch, >> platforms. We'll see you in the next one. Huge thanks for hanging out. Gettojusthacking.com.
Original Description
Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter
ℹ️ Affiliates:
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Security Basics
View skill →Related Reads
🎓
Tutor Explanation
DeepCamp AI