Malware Development: Processes, Threads, and Handles

Captions
Wake up, you've been asleep for months, you have videos to be making. Okay, obviously, considering the subject matter of this video, I must declare that this video is intended for educational purposes. I won't be held responsible if you decide to do something and get yourself arrested. Always get permission from the person you're targeting to run exploits on their device, or just be responsible and do it against things that you own. Anyways, let's get back to the video.

I'd like to take a second to apologize for how long this video took to get out. I've been studying for this certification and it's kind of got me in a Peruvian necktie at the moment. I will also say, and this is important so don't skip, goldfish: this is part of our brand new malware development series, which I know, I know, oh my God, another unfinished series on top of the 300 trillion that you still have to get out there. I know, but you know what, I'm kidding. I made this a standalone video instead of adding it to process injection techniques, which is going to be the next video in the series, because I don't want to overload you guys with the information you're about to get telepathically beamed into your skulls, and you must understand these concepts first before we start delving into the nasty, gritty, Diddy stuff.

Okay, processes, threads, handles: what even are they? Who knows, who cares. I'm about to learn y'all a thing or two about these here concepts. Firstly, it's important to mention sooner rather than later that you're gonna need some experience with some quote unquote low level languages or stuff, because malware development, at least the decent stuff, is all about the super stinky cesspool in which our treacherous CPUs live, so it's important to be somewhat familiar with a language like C, C++ and eventually some assembly. There's also the whole thing about .NET and C# and PowerShell, but gross. First of all, kidding, kidding, but that's for future us to worry
about. Don't worry, I'll do my best to make this as easy to follow along as I can for everybody. I'm just learning as you guys are; this is like my homework, put out so that you guys can learn along with me. Okay, and another disclaimer: um, I am a dumbass, I mean, I'm learning alongside you guys, so if any of this stuff isn't 100 percent correct, don't start foaming at the mouth, instead just leave a comment so that all of us, as a community, as a team, as a unit, as birds, as Corvettes, grow as a unit. Okay, I care about you guys, and you and me, we're like this, we're a team. Who is racing outside? Why is it just you and me, we're a team, we're a duo, you and me, we can do anything. Why are you going the same goddamn speed as everybody? I don't understand.

Processes, more specifically processes in the context of Windows: a process is just an instance of an executable. Now what doth that meaneth in English? Basically, think of it as a container that houses everything needed for a program to run: the executable code, the data, memory, etc. A program or application, or whatever you want to call it, can have many processes running at once. Moreover, an application like your web browser will spawn a new process for every tab that you create, see, and we can also see some extra information like how much memory. If you open a shell and run a command, it'll run as a new process. Some processes can also create their own processes, which are lovingly called child processes, a nuclear family of computer architecture. Oh, another thing: this family is blind and greedy, so a process typically isn't aware of processes outside of its own existence. To a process, it thinks that it's the only thing running on the computer, for the most part, and so if I have process alpha and, um, process beta, they don't know about each other. Each process has its own virtual address space, or VA space, which it believes is exclusively allocated to it, meaning it thinks that all this memory is for it and itself alone, thoroughly rotten bastard.
Processes are often seen as being the same thing as programs or applications; however, what you might see as a single application or a program may in fact be a collection of multiple processes working together. Through something like Task Manager, which you can find on Windows, we can see that there are three types of processes: application processes, background processes and Windows processes. Application processes are the processes that are launched to run a specific program. If you open up an application like RAM-be-gone, I mean Chrome, that's an application process; you can see this process spawn in the Task Manager and it can be terminated by the user that summoned it, for the most part. Background processes: these are the processes that run in the background. They don't require user interaction, they get started automatically, meaning that you do not need to go in and start these one by one, although you definitely could have a process that starts off as an application or an app process and then turns into a background process. These types of processes are responsible for some important system related tasks like updating software, scheduling backups, monitoring your system like antiviruses do, indexing files, etc. Windows processes: these are system level processes that are vital for the proper functionality of your Windows operating system. They automatically get launched upon startup and perform critical tasks such as memory management and security, device drivers, and so on and so on.

Another thing to remember is the priority that Windows will give a process. In Windows, processes can have a priority level assigned to them, which will determine how much CPU time they're given relative to the other processes. Okay, CPU time is just a measure of the amount of time that your CPU spends processing instructions for a specific task or process. Okay, there are six of these priority ratings and here they are, from the lowest to the highest. The ones to note are
real-time, normal and low, since the other ones are kind of just self-explanatory. If a process has been assigned a low priority, it'll only be given this precious, sweet, sweet CPU time when there are no other higher priority processes running. Normal is the default process priority that most applications get, and they're given a fair share of CPU time. Real-time is the highest priority level that a process can be assigned in Windows; they're given exclusive access to the CPU. Okay, they're guaranteed to be executed, or be scheduled, by the scheduling system of your operating system, which, without getting too far into it, the scheduling system in Windows is responsible for managing the execution of processes and threads on the computer. It decides which threads and/or processes get access to the CPU and for how long, you know, based on their aforementioned priority levels and some other factors. Highly oversimplified, but maybe in another video.

The operating system will give your processes some very useful information, including but not limited to a process identifier, or PID, the location of the executable file that the process comes from, this is called the image path, and the command line, so these are any arguments that have been supplied to it. Lastly, a process gets allocated virtual memory, sure, but a process can also take up CPU time, which means that the more processes you have running, the slower your computer will objectively be, because of all the resources that snotty little infant is using up. And obviously there's way more to processes and the way that they're prioritized; we haven't even talked about the priority scheduling algorithms, or the scheduler itself for that matter, but we'll have to revisit that another time, because for right now this should be more than enough to get started. A little tangent: if you ever get a super CPU intensive process and you set that thing to a real-time priority, like, say, for some reason you wanted to play Minecraft on real-time for
whatever reason, because you've had that CPU intensive thing on real-time, your other processes, like the things that handle your input and output, like your mouse, your keyboard, everything like that, would lag behind it. Okay, so over here we can see that real-time priority is really dangerous: it's higher priority than nearly everything else. It's higher priority than mouse input, keyboard input and the disk cache itself. If you foolishly set the priority class of a CPU intensive program like Minecraft to real-time, it will suck up your entire processor, leaving no cycles for anything else. And over here: if you try setting Minecraft to real-time, your mouse will slow down, the keys take five seconds to respond and explorer.exe becomes unresponsive.

From MSDN, which by the way we will need to get extremely comfy with because this will be our grimoire, we can read the following about processes. Okay, each process is started with a single thread, which is often called the primary or main thread, but a process could also have multiple threads. Just like applications can have multiple processes, these processes may have multiple tiny little threads, which are responsible for different tasks within the process and application. By the way, having multiple threads in a single process is called multi-threading, and it's extremely useful and prevalent in modern applications, since it provides responsiveness, better resource utilization and, most importantly, the ability to perform multiple tasks, and more. A process can also create additional threads from any of its threads, and threads and processes are very, very similar: they're both units of execution, you know, kindling that starts the fire that is your program, if you will. However, there are some general differences between these two. First of all, if a thread is a light little feather falling through the sky, so elegantly, so gracefully, then a process is a Soviet submarine crashing into the ground at Mach 9.
I'm exaggerating a little bit, but threads are lightweight and processes aren't; processes consume much more resources. If a process is a team working on a project, then a thread is like a team member with a specific task. Just as each team member has their own role to play in completing the project, each thread has its own specific task to perform within the process. The team can work together to achieve the overall goal, just as threads can work together to execute the program. It takes more time to create a process than it does a thread. It takes longer to kill a process than it does a thread, believe me, I've tried. Processes are independent of each other; the threads, however, are interdependent and share memory within the process. Just as processes have IDs, handles or whatever to describe them or interact with them, so too do threads: they've got IDs, they've got handles as well, etc. The great thing about these threads, as we'll see later on, is that, just like processes, we can create our own within our script or within our target process to run our own stuff. This is huge for most of the process injection techniques, since, yeah, we're going to be starting some threads to actually run our code.

Next section: handles. Okay, what's a handle? Next section. Okay, actually, we're gonna be dealing with handles so much during our time creating malware that I'm confident that if you don't understand what these are right now, through the pure exposure we will have to them while programming you'll just get the hang of it. Just try to remember that a handle is a generic unit of identification that we can use to represent something. It's like a pointer to our object, and it allows our program or code to interact with it without directly accessing its memory location. A bunch of weird tech stuff, I know, but listen, we're not going to be using these handles by themselves; instead we're going to pass them through to some functions that will use them in order to accomplish our goals. There are different types of
handles as well, and the most likely ones you'll see when you start experimenting with the Win32 API, or the Win API, which we'll take a look at in a second, are handles to processes or handles to modules, called HANDLE and HMODULE respectively. There's also handles to windows, called HWND. So let's pretend there's a function called, I don't know, GetProcessInfo, and it takes a single argument which is just a handle to the process. Okay, without the valid handle you won't be able to interact with or manipulate the resource, do you get what I'm saying? Another thing to note is that handles are system-wide, which just means that if we have two processes, A and B, if process A finds out its process handle, window handle, module handle or whatever, it can send the handle value to process B, which can then do something with it. Not that important for us right now, but it's still good to know.

I'm pretty sure like 87 percent of you are already familiar with what APIs are, or application programming interfaces, but if not, don't worry, I'll explain it anyways. An API, in the simplest way I can describe it, is just a way for something to interact with something else using predefined rules or protocols. For instance, you guys remember that video, that one video by Jarvis Johnson where he ordered a pizza using the pizza site's API? Those functions were created by the developers of that site, or that program or whatever, so that you could use it in your code. Otherwise, the code that this person would have had to use would have, number one, been a lot harder to implement, or much more work, and number two, may have looked completely different to how it does now. An API makes it super, super neat and easy to do what you're trying to do with someone else's code, because there's functions made specifically for those purposes, most of the time. So, just like the pizza store, Windows has an API for developers to use and for hackers to abuse, so clever. This API is aptly named the Windows API, or Win32 API. Win32: is it only for 32-bit systems?
No, it's not only for Windows 32-bit systems. You'll see this a lot with Microsoft, but they love to make sure that their stuff is backwards compatible, and they love even more to shove it down your throat that it is. Even though modern versions of Windows run on 64-bit architecture, the name is still kept because of the backwards compatibility, you know. It refers to the fact that the API was designed for 32-bit versions of Windows like Windows 95, 98, NT, 2000, yada yada. So Win API, Windows API, whatever you want to call it, refers to the same thing, that being the API that the Windows OS uses for functionality. There's a ton of documentation. Okay, let's go give it a visit. Another thing to internalize is the fact that the Win32 API is well documented; we'll get into why that's important maybe later in a future video, since the lower level API, like the NT API from ntdll, is not documented, while Microsoft has given some of its documentation out, but most other things have been reverse engineered by insanely intelligent people. That's just a huge tangent, if that doesn't make sense to you, literally don't worry about it.

So let's give the MSDN a visit. So listen, I know how goddamn yucky this looks, but you will come to love this resource, I'm not kidding. You know what, I'll prove it to you. Let's do two examples. The first one, let's do a super easy hello world example with a message box function using the Win API. Okay, so understanding what functions you will need in order to do the thing you're actually trying to do will come with some exposure, experience, maybe some research; it's not really that obvious since there are so many of these functions. I'm sure you can find some that do the same exact thing that you're trying to do with one function. Well, luckily for us, a message box that we're trying to do is literally just a single function. Okay, so let's begin by setting up our script in Visual Studio Code, or Visual Studio, or whatever IDE you want to use. Let's create a new C file. We'll start by including
windows.h, the Windows header, which will let us use all of the Win API, and if we actually go into this header file we can see what it is: it's just a bunch of includes. So this header file just houses several functions, macros, data types, constants, structures, directives that we can use to interact with the operating system from userland, and userland versus kernel stuff is something we'll get into later. So after including the header, let's set up our main function. This is going to be our script entry or program's entry point, and let's make the main void so that it doesn't take any arguments or return anything. Now here comes a scary boogeyman, the Win API function MessageBox. Let's examine the way this function is set up in the documentation. The first part that we see is int; this part before the function is what the function returns. In this case, the MessageBox function returns an integer value, and this integer value actually means something: the value that gets returned will actually tell you what the user picked from the message box. So, for example, if the message box that gets displayed has an OK button or a No button and we pick OK, the value that would get returned would be one, to denote that we picked OK.

A thing you'll notice is the weird naming convention that Microsoft uses, like hProcess or hThread or hModule. This is actually called Hungarian notation, which is just when we use some letters or a letter to define a variable type in the variable name, so hProcess is a handle to a process, hThread is a handle to the thread. But you might end up seeing variations of this notation upon your studying, like pHandle or processHandle or handleProcess, and, and this, Mr Pepe? That's none of your goddamn business. Just kidding, Papi, please don't force me to learn Haskell, thanks. The point is, you'll see some things when you start tinkering with the API, some terrible things, so don't get too caught up on it if it all looks a bit different. Just spend some
time working on your own scripts and understand the theory of what you're doing, rather than remembering the names of the variables and symbols or whatever, and that way, even if you run into someone who's using a totally valid and 100 percent decipherable naming convention, as I do, Pepe, you'll still be able to understand what they're doing. In terms of malware development, however, we actually want to make our enemies' lives as difficult as possible.

Okay, so we discovered what the function returns and what type it is, all that stuff. Let's now start moving on to the individual parameters of this function. So we can see that the first parameter is an input and it is optional. From here, and this is why I say this is such a good resource, all these parameters, they will tell you a detailed description of each one. The first parameter is a handle to the owner window of the message box to be created; if this parameter is NULL, the message box has no owner window. We're not going to worry about owner windows, we just want a message box to spawn, not attach to anything. Let's start building this. I don't know what the hell that was, probably a ring zero rootkit, whatever. Let's start building out this function little by little. Okay, a thing that we will come back to is that you'll notice that there's a lot of these variations of the same function. After we get the message box set up we'll come back to this and go through these one by one and see why there's so many. For now we're just going to choose MessageBox, see, it expands to MessageBoxW, W meaning wide char, but again we will come back to that later. First parameter: the first parameter's optional, we don't want to attach an owner window, so we're just going to type in NULL. The second parameter is also optional, but we actually do want to include this one, because this will be the text of our message box. This is the message to be displayed, and we can add in newlines or carriage returns to really format the message how we like it inside of the box.
Now we're going to figure out what message we're going to put into this message box. We will come back to this again, but for now we're just going to put an L here as well, don't worry about it, we will come back to this when we talk about all those different variations of the same function. Okay, next section. This next section is going to be the message box title, and if we specify NULL here the default title will be Error. This will be the actual title of the message box, so let's fill this out, remembering to include this L. The last parameter is my favorite, and it's just going to be the type of buttons that we want inside of our message box, and we can also make the message box display icons as well. We can see that we can specify any of these. This is why I love the documentation too: it will tell you literally right here what it is, and you'll see these values; you can also, in place of these names, just specify these as well and the same exact thing will happen, these values get expanded to these anyways. But we're going to keep it simple for now, so let's say that we want a typical yes, no or cancel option, and we would include this as our last parameter. So let's do that.

Now we could at this point run this and we will get a message box. Actually, let's do that, make sure to save. Let's start, sorry, uh, also make sure you specify W here, because it expands out here anyways, and if we don't, then for some reason the A version, or the ANSI version, which again we're going to talk about in a second, gets put, so instead just do MessageBoxW, it's the same thing. Once you press run and compile it, we should see our first message box, and we could click on any of these buttons and remember what happens when we do: this function returns an integer value that corresponds with the button that we pressed. Okay, and there we go, we just did our first message box. Now, another thing we can add to this are the icons in a message box, so there's all of these, and you can see over here
what they look like. In order to add one of these, let's say we want, we're excited, this is our first message box, let's say we want the exclamation. What we would do is specify this value like so, and now if we save and compile we should get a message box with an exclamation icon with our message, just like we thought. It worked. Now let me format this a bit better. I'm just doing this for the sake of demonstration, but what were all those weird different variations of the same function? Well, the thing is, these Win API functions, some of them have different versions. So W stands for wide char, or wide character, for Unicode strings, which is why we put that L macro in front of our string, just to make sure that it gets encoded as Unicode. As we can see, if we remove those L's but keep this as a Unicode function, or a wide char function, we get this, which is why encoding is very, very important. And now there are several ways we can fix this. A way we could fix this is by using the ANSI version, right, and that way we wouldn't need to use Unicode encoding because we would be using ANSI, and if we save we'll see that it works just like normal. However, ANSI is pretty old and dated, so whenever possible it is best to use Unicode, and if we wanted to use Unicode we can specify W, which by default will get used in your script. I don't know if it's like that for every single IDE, but for Visual Studio Code and Visual Studio it's like that. We just have to make sure our encoding reflects the function that we're trying to use, and there you go.

How about those other functions? So we got W done, we got the A done, but what about the Ex? Well, the Ex stands for extended. Basically, functions with Ex at the end of them just means that function usually gives you more parameters to tinker around with, for more tinkerability, more things for you to utilize, or more debugging options, or stuff like that. And there's a very common one which we're going to be using for our purposes in process injection called CreateRemoteThread and
CreateRemoteThreadEx, for extended. Now we can take a look at these two functions and see how they differ; the documentation just lets you search for whatever, and from the documentation we can see: use the CreateRemoteThreadEx function to create a thread that runs in the virtual address space of another process and optionally specify extended attributes. And the Ex, as we click on this, we can see there is a little bit of variety, we get a little bit more things to play around with. There are more parameters usually in the extended ones, and that's the main difference.

Okay, now that you're a master at the Windows API, you know, you're already dumping the process and thread environment blocks and you're finding out the kernel offsets and using indirect syscalls to make your code less suspicious. I'm kidding, that first example is just our hello world, but we're going to move into something that's more on the caliber of what we've been talking about. Okay, it's going to incorporate the handles and the processes, and this will be the last example that we do before the video ends, and then we can pick it up in the next video, which will be about the actual process injection techniques, like shellcode injection and DLL injection. What we're going to do now as our final thing is to create a process using the Windows API. So we created a message box, great, fantastic, amazing, but we're going to incorporate all of our learning, crystallize that foundation, by making a process. So first let's find the documentation. I'll tell you right now that, again, it's just a single function that we need to use, called CreateProcess, and like MessageBox there's different encodings: we have the wide function and the ANSI function. We're just going to use wide, so let's go find that. Okay, we're at the CreateProcess function, and a thing to know is that this function is not the same as OpenProcess. We are literally creating a process here, whereas with OpenProcess we're just opening a handle to a process that's
already existing. When I'm first starting out, I like to copy the syntax of the function and just paste it in my programs. Create a new file, call it whatever you want. With the file created, and like we've been doing this entire time, let's include the Windows header. Let's set up the main function. By the way, this just expands to zero, so it's literally the same thing as just doing return 0, but as our code gets bigger and bigger I really find that it's helpful to use this instead, just for the sake of clarity. Now let's copy and paste that function just so I can reference it within my code. Fixed indents. We can see that this function is a BOOL, a boolean, which allows us to utilize it in a pretty cool way: I'm going to say if not CreateProcess, then we're going to return an exit failure and let the user know that the process could not be created. We can see this just expands to one; any non-zero digit that gets returned upon exit as an exit code usually signifies that there's an error of some sort. You see this a lot in Linux. We'll also put in a print statement, we love our status symbols as hackers, so I put in a print statement, and then over here just have it formatted to use the output of the GetLastError function. So if we look at the actual documentation for this function, we see that it will just retrieve the calling thread's last error code value, which is maintained on a per-thread basis, and it just returns the last error code, right, which we can then look up to figure out what went wrong.

But back to the topic at hand, let's just make this a little bit easier for us to follow. So we can see that the first parameter is the application that we want to run, which in this case is just going to be the path to the executable. Let's just get this function to start up Microsoft Paint, which, by default, the location of that is in System32.
So that was a fun lie. Let's write out the path of the executable. I'm very Unicode, so we make sure to encode properly. Next, this is where we specify any command line parameters; for here we are not going to do anything, so we'll just do NULL. This parameter determines whether the returned handle to the process can be inherited by child processes. It's not important to us, so if we do NULL then it means this handle won't be inherited, so we'll just put it as NULL, it's not really important for us right now. Same thing with the thread attributes, we don't really care for that right now. Do we want to inherit handles? Right, you can see the Hungarian notation coming in. We'll set this to FALSE, really not important for us. Now this part is important, this is our creation flags. So do you remember that talk that we had about the process priority? Well, this is where we actually set it for our process that gets created. Usually I would leave this NULL, or sorry, zero, but because we were talking about those process priorities I'm going to actually set the process priority for this one. We'll do below normal, just as a proof of concept. This next option is a pointer to the environment block for the new process. We don't need this; if we set this to NULL, the process that we create will use the environment of the calling process, so we'll set this to NULL. We don't really need this next one right now; this is just the full path to the current directory for the process. If we set this to NULL, the process will have the same directory as the calling process. Well, we don't need this either, so this is something to know.

Okay, for these last two we actually need to do a little bit of setup here, but we're almost done, I promise. These two parameters require us to set up some structures which will get populated by this function. If we look at the documentation, which again is the holy grail, right, we can see that this parameter that we were just looking at, the second last one, is a pointer to a STARTUPINFO or STARTUPINFOEX structure
which, if we click on it, is this big structure already created for us. So what we have to do is just use this structure and create a variable for it, remember that Unicode. You see how it was already populated; we actually have to assign this to a variable, so let's just call this si, for startup info or start info. Now remember this is going to be a pointer; this parameter, which is right here, which we're about to fill out, needs to be a pointer to this structure that we've just set up, and we can do that like so. And we just have to do the same thing for the process information. If we look at the documentation, look at that, it's already there, so set up the structure, assign it a variable and use it in our function, and we'll call this pi. Now if we try to run this we should see a Paint process start up with this priority. Oops, I also forgot to include the header for printf, so just include that. So, ah, the thing is, right, in this debugger, even though it has crashed, which we'll get to, we can see what we would be able to access from the structures it gets populated in. In the PROCESS_INFORMATION structure that we set up, we can see that we would actually get the ability to reference the process ID of this created thing, which we could put into like a format string or something like that. So we also made the change to, well, first of all, not start up Paint, but we're going to start up a Notepad, and I also initialized these structures. If we run this code we should see a process start up Notepad, and there we go, Notepad has started, so we are like 99 percent done.

As a final hurray, let's start interacting with this structure and get some information about this process that we created, about our child, that greedy little infant. Okay, we want to get the process ID that gets returned, which is stored like this; you see, we got all of these things, so we're just gonna get the process ID. After compiling this, now if we run it we should see a printf statement as well as our process getting created. Now, would you look at that, we
can actually verify this by using an amazing tool that I use almost every single day, Process Hacker, and if we search for something like notepad, or if we just search for this reported PID, there it is. And remember we put it on the below normal priority class; we can see that it's that, and if we got rid of this line we can see that it's actually going to be set as normal priority. So let's get rid of that, set this to zero, compile, now let's run it. Okay, 32428 is our PID, it is set at normal. Look at that, we did it.

Even if you just stuck it out to the end of this video, which I know is going to be long, you can probably hear it in my voice, what your homework will be now is to go out and try this; there's no feeling like it, seriously. I want you to, number one, first of all, make a message box like this, make it and interact with different types of encoding and the different functions: the wide functions, the ANSI ones, whatever, the extended ones even, if you want to. And then secondly, I want you to create a process, and as an extracurricular you can also try opening a process that's already existing; I want you to try using OpenProcess as well. That's going to be your homework. I sincerely hope you guys enjoyed this video, again, apologize for how long it took to get out, and I also wanted to thank you guys so much, we just recently hit a thousand subscribers, which is mind-blowing to me, this is insane. We'll continue off by doing some process injection later, since we now have the groundwork done. That being said, guys, I really appreciate you watching, and I thank you for watching. Until next time, goodbye.
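The CreateProcessW walkthrough above, as an added example that is not the video's code, done from Python with ctypes instead of C: it lays out the STARTUPINFOW and PROCESS_INFORMATION structures, passes BELOW_NORMAL_PRIORITY_CLASS in the creation flags, reports the GetLastError code on failure, then reads the applied priority class back with GetPriorityClass (what the video checks in Process Hacker) and closes both returned handles, which the video's C code leaves open. The Win32 calls run only on Windows; the layout and flag helpers run anywhere, and the notepad.exe path is an assumed default.

```python
"""Added example (not the video's code): CreateProcessW from Python via ctypes.
The Win32 calls only run on Windows; the structure and flag helpers run anywhere."""
import sys
import ctypes
from ctypes import POINTER, Structure, byref, sizeof, c_int, c_uint16, c_uint32, c_void_p, c_wchar_p

# Win32 typedefs spelled out with ctypes primitives (no ctypes.wintypes needed).
BOOL, WORD, DWORD = c_int, c_uint16, c_uint32
HANDLE, LPWSTR, LPBYTE = c_void_p, c_wchar_p, c_void_p

# dwCreationFlags values from the Win32 headers. The priority-class flags are the
# six classes the video lists; at most one of them is OR'ed into the flags.
CREATE_NEW_CONSOLE = 0x00000010
IDLE_PRIORITY_CLASS = 0x00000040
BELOW_NORMAL_PRIORITY_CLASS = 0x00004000
NORMAL_PRIORITY_CLASS = 0x00000020
ABOVE_NORMAL_PRIORITY_CLASS = 0x00008000
HIGH_PRIORITY_CLASS = 0x00000080
REALTIME_PRIORITY_CLASS = 0x00000100
PRIORITY_CLASS_NAMES = {
    IDLE_PRIORITY_CLASS: "IDLE",
    BELOW_NORMAL_PRIORITY_CLASS: "BELOW_NORMAL",
    NORMAL_PRIORITY_CLASS: "NORMAL",
    ABOVE_NORMAL_PRIORITY_CLASS: "ABOVE_NORMAL",
    HIGH_PRIORITY_CLASS: "HIGH",
    REALTIME_PRIORITY_CLASS: "REALTIME",
}
PRIORITY_CLASS_MASK = sum(PRIORITY_CLASS_NAMES)  # distinct bits, so sum == OR


class STARTUPINFOW(Structure):
    """Same field order and widths as the C STARTUPINFOW; cb must hold sizeof()."""
    _fields_ = [
        ("cb", DWORD), ("lpReserved", LPWSTR), ("lpDesktop", LPWSTR), ("lpTitle", LPWSTR),
        ("dwX", DWORD), ("dwY", DWORD), ("dwXSize", DWORD), ("dwYSize", DWORD),
        ("dwXCountChars", DWORD), ("dwYCountChars", DWORD), ("dwFillAttribute", DWORD),
        ("dwFlags", DWORD), ("wShowWindow", WORD), ("cbReserved2", WORD),
        ("lpReserved2", LPBYTE), ("hStdInput", HANDLE), ("hStdOutput", HANDLE), ("hStdError", HANDLE),
    ]


class PROCESS_INFORMATION(Structure):
    """Filled in by CreateProcessW: two handles (which we must close) and two IDs."""
    _fields_ = [("hProcess", HANDLE), ("hThread", HANDLE), ("dwProcessId", DWORD), ("dwThreadId", DWORD)]


def struct_layout():
    """(pointer size, sizeof STARTUPINFOW, sizeof PROCESS_INFORMATION): compare these
    with sizeof() in a C build before trusting the ctypes declarations."""
    return sizeof(c_void_p), sizeof(STARTUPINFOW), sizeof(PROCESS_INFORMATION)


def priority_class_of(creation_flags):
    """Priority-class bits carried in dwCreationFlags; 0 means none was given, in
    which case the child gets NORMAL unless its parent is IDLE or BELOW_NORMAL."""
    return creation_flags & PRIORITY_CLASS_MASK


def priority_name(priority_class):
    return PRIORITY_CLASS_NAMES.get(priority_class, "unspecified")


def spawn_with_priority(image_path, priority_class=NORMAL_PRIORITY_CLASS):
    """Create image_path as a child process and return (pid, tid, applied priority
    class), reading the class back with GetPriorityClass. Windows only."""
    if sys.platform != "win32":
        raise RuntimeError("CreateProcessW is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateProcessW.argtypes = [LPWSTR, LPWSTR, c_void_p, c_void_p, BOOL, DWORD, c_void_p,
                                   LPWSTR, POINTER(STARTUPINFOW), POINTER(PROCESS_INFORMATION)]
    k32.CreateProcessW.restype = BOOL
    k32.GetPriorityClass.argtypes, k32.GetPriorityClass.restype = [HANDLE], DWORD
    k32.CloseHandle.argtypes, k32.CloseHandle.restype = [HANDLE], BOOL

    si = STARTUPINFOW()   # ctypes zero-fills it, like ZeroMemory in C
    si.cb = sizeof(si)    # the one field CreateProcessW requires
    pi = PROCESS_INFORMATION()
    # lpApplicationName set, lpCommandLine NULL, no inherited handles, no custom
    # environment or working directory: the same NULL-heavy call as in the video.
    if not k32.CreateProcessW(image_path, None, None, None, False, priority_class,
                              None, None, byref(si), byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())  # the code GetLastError would give
    try:
        applied = k32.GetPriorityClass(pi.hProcess)
    finally:
        # The video's C code never closes these; an open handle keeps the kernel
        # process object (and its PID) alive even after the child has exited.
        k32.CloseHandle(pi.hThread)
        k32.CloseHandle(pi.hProcess)
    return pi.dwProcessId, pi.dwThreadId, applied


if __name__ == "__main__":
    # Assumed default location of notepad.exe; pass another path as argv[1].
    exe = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32\notepad.exe"
    pid, tid, applied = spawn_with_priority(exe, BELOW_NORMAL_PRIORITY_CLASS)
    print(f"created {exe}: PID {pid}, TID {tid}, priority class {priority_name(applied)}")
```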
Info
Channel: crow
Views: 720,435
Id: aNEqC-U5tHM
Length: 31min 29sec (1889 seconds)
Published: Mon Apr 17 2023