[00:00:00] Welcome to the Introduction to Windows Malware Development course from 0X12 Dark Development. OK. If you're curious about how malware works, how attackers exploit Windows systems, and how defenders detect them, this course is your starting point. OK, this course.

[00:00:20] It's designed to give you a technical, hands-on introduction to the fundamentals of malware development on Windows. We focus on practical techniques that real malware uses, dissecting them from a developer's perspective so you can understand both how to vault and how to defend it. OK, perfect, perfect. And these will be the topics that we will see in this course, OK. First of all, we will start with the introduction, which is this video; after this, the setup, to create the same environment as me, OK. And when this is done, we can start with the course topics, OK. First of all, the first category of lessons is the shellcode. We are generating payloads with msfvenom from Metasploit, OK, and after this, using the generated shellcode.

[00:01:08] We are explaining what shellcode is, why we want to use the shellcode, and the techniques to execute the shellcode. First of all, the classic shellcode execution; some functions called enumerate (Enum) to execute the shellcode; and executing the shellcode via timer, OK. Once this is done, we will start encrypting our shellcode to make it harder to detect by security defenses like antivirus or EDR, using AES or XOR, OK. Both options are, uh, very good and we will see them in the following videos. After this, we start the process injection, which basically is shellcode execution, but in the space, in the context, of another process. OK, we are executing our shellcode, but in another process. We start with the classic process injection. Then we use the asynchronous procedure call injection technique. After this the thread hijacking injection, and finally the window injection. Once this is done, we jump to the DLL injection steps. OK, DLL injection lessons.

[00:02:19] First of all we will see a simple lesson about DLL injection, and after this how to make persistent DLL injection. Nice. Great. Once this is done, we jump to the interprocess connection section. OK, in this section we will see various lessons with various options to make interprocess connection. OK, we will see how to make the interprocess connection: pipes, mutexes and registry.

[00:02:46] Once this is done we go to the downloader. There, OK, we will see how to create a malware that downloads the payload from the Internet, OK, from a typical HTTP or HTTPS request. Then we jump to the multi-platform malware. OK, we will create a malware for 32- and 64-bit, uh, Windows systems, OK, for both platforms. For both architectures we will be creating the same EXE, OK. After this we will see the malware as a service.

[00:03:21] To install our EXE as a service in the system. And then another important topic is persistence. OK, we will see two different things to

[00:03:33] perform, two approaches to persistence in the system: using Run registry keys and via application events. Once this is done we jump to the import address table, which basically is a lesson where we bypass the import address table. Then anti-sandbox. It's interesting to not allow any malware analyst to execute our malware in sandboxes or virtual machines.

[00:04:02] OK, then we jump to the string encryption, where we are encrypting the strings of our malware, the strings of our malware, to make them unreadable; and basically then we steal valid Microsoft signatures and we put these signatures in our EXE, in our malware. Perfect. After this we will create a reverse shell using C. Then, OK, a keylogger, uh, to log each keystroke from the victim's keyboard. After this I will show you

[00:04:42] Windows Defender Killer, a simple tool to permanently delete Windows Defender from the victim system.

[00:04:54] And then another so interesting section: the privilege escalation, where we will see different techniques, these three: Fodhelper, token manipulation, and finally a class where we combine both to escalate privileges. One of these techniques escalates privileges from user to admin and the other one escalates privileges from admin to NT AUTHORITY\SYSTEM. OK, perfect. After this we jump to the API hooking, where we will see how to set it up; we explain what it is, and finally we create an RDP credential stealer tool to steal credentials from the RDP protocol. OK, after this we go to the parent PID spoofing video. It's a simple technique to spoof the parent process. And after this we jump to the process token. We will see techniques like token duplication, token impersonation,

[00:05:58] various techniques, OK. Finally, dumping the LSASS process is interesting to steal credentials from the victim system, and the final project of this course will be a simple, simple botnet, a simple botnet where we will see the server side and the client side. After this we will just go through the conclusions video that will end this course. OK, and that's all from this course, OK? That's all the videos, all the sections and all the lessons of this course.

[00:06:31] To get the most value from this course you should have a basic understanding of C++, OK. Also you will need familiarity with Windows operating system internals, and it will be so useful, while not necessary, to have some experience using tools like msfvenom, the x64dbg debugger or Process Hacker. They are so simple to understand and you can find YouTube tutorials, and with 10 minutes of tutorial you can understand these tools, OK.

[00:07:07] So, basically, that's it. Head over to the next video to set up your lab and prepare to write your first payload. This is the real world of malware, simulated safely, taught ethically and built from scratch. OK, and finally, just a simple, simple disclaimer, OK, to remind you that this course is strictly for educational and research purposes, OK? All techniques shown must only be used in isolated lab environments with proper authorization. OK. These techniques cannot be executed on a system that you don't have permission for; if you execute these techniques on a system where you don't have permission, this will be illegal, OK. So misuse of this knowledge is illegal and strictly against the principles of the 0X Dark Development Academy. OK, so that's all. Let's start and let's enjoy this course. Thank you so much and let's go to the next video.