1 00:00:01,140 --> 00:00:01,980 Hello, welcome.
2 00:00:02,850 --> 00:00:07,740 We are now going to do a practical walkthrough on these types of cross injection issues.
3 00:00:08,460 --> 00:00:13,800 We are going to confirm each one of these and see how it works.
4 00:00:14,400 --> 00:00:22,110 So the first one is a 64-bit process with a 64-bit payload trying to inject into a 64-bit target.
5 00:00:23,100 --> 00:00:32,070 So let's see, go and download this project from the resources section, unzip it and put it in a folder
6 00:00:32,070 --> 00:00:32,280 there.
7 00:00:33,840 --> 00:00:36,530 So once you unzip it, you know, let's open it.
8 00:00:37,620 --> 00:00:42,380 And here you find the source code.
9 00:00:43,560 --> 00:00:43,820 Yes.
10 00:00:43,840 --> 00:00:46,980 All right, click and open this cross injection source code.
11 00:00:48,220 --> 00:00:50,400 And here you will see the payload.
12 00:00:51,820 --> 00:00:56,170 The payload is supposed to generate a message box
13 00:00:56,800 --> 00:01:00,920 when it is injected into the target.
14 00:01:01,960 --> 00:01:07,050 We have two types here, 64-bit, and you have the 32-bit payload.
15 00:01:08,470 --> 00:01:17,230 And then there is some shellcode that I'll be discussing later, maybe in the Heaven's Gate session.
16 00:01:17,770 --> 00:01:23,380 Here we have two types of injection functions: classic inject is the normal injection without using
17 00:01:23,380 --> 00:01:28,810 the Heaven's Gate exploit, and you also have the Heaven's Gate exploit here, which I'll be discussing
18 00:01:28,810 --> 00:01:29,200 later.
19 00:01:30,280 --> 00:01:32,530 So for now, just ignore the Heaven's Gate.
20 00:01:32,890 --> 00:01:43,660 Just focus on classic inject. So classic inject will allocate space in the target process.
21 00:01:44,020 --> 00:01:46,000 And then it will write to the memory.
22 00:01:46,330 --> 00:01:51,160 It will then run the payload which is injected.
23 00:01:52,570 --> 00:01:56,680 And it will print the handle for you to inspect.
24 00:01:57,040 --> 00:02:00,670 And then it calls the API to create a thread.
25 00:02:01,990 --> 00:02:10,360 It basically... OK, because this is a multi-file project and the main function is over here.
26 00:02:10,960 --> 00:02:16,200 You can see there are four types of cross injection, so we are going to start off with the first one.
27 00:02:17,380 --> 00:02:20,320 And the main function is here.
28 00:02:21,250 --> 00:02:22,510 It searches for the target.
29 00:02:22,570 --> 00:02:25,660 In this case, you are going to inject into Microsoft Paint.
30 00:02:27,190 --> 00:02:33,130 Microsoft Paint is our target for all of these four different experiments.
31 00:02:34,480 --> 00:02:38,980 And on the left will be the Trojan, which will be compiled.
32 00:02:40,180 --> 00:02:44,720 So after it finds the Microsoft Paint, it will return the PID.
33 00:02:45,700 --> 00:02:53,500 And then it prints it off, and it opens the process based on the PID it found, and returns the handle.
34 00:02:54,250 --> 00:02:59,890 And down here you can choose either Heaven's Gate or the normal injection.
35 00:03:00,550 --> 00:03:04,760 So for this experiment, you are going to use the classic inject.
36 00:03:05,950 --> 00:03:13,490 So now we make sure it's classic inject, and so classic inject reads the process handle and then
37 00:03:13,720 --> 00:03:15,010 injects the payload.
38 00:03:16,180 --> 00:03:21,160 You can set the different payload here, either 64-bit or 32-bit.
39 00:03:22,000 --> 00:03:23,260 So now 64-bit.
40 00:03:23,290 --> 00:03:26,950 So you set the 64-bit payload, which is referring to
41 00:03:28,200 --> 00:03:29,490 this 64-bit one.
42 00:03:31,960 --> 00:03:39,190 And also, the second parameter would be the size of the 64-bit payload, the length of it.
43 00:03:39,820 --> 00:03:44,680 So this length of the payload is coming from down here.
44 00:03:44,890 --> 00:03:50,470 And here the size is probably like 27, the size of the 32-bit one in bytes.
45 00:03:52,030 --> 00:03:55,870 So now that you've got it, let's try to compile it.
46 00:03:56,800 --> 00:04:03,580 So we open the x64 Native Tools command prompt, because we are compiling a 64-bit process.
47 00:04:05,960 --> 00:04:06,770 Click on this one.
48 00:04:13,300 --> 00:04:19,970 So, x64 Native Tools command prompt, and change to this folder.
49 00:04:21,010 --> 00:04:29,530 So we copy this folder path, right-click, paste, and run the compile script to compile it.
50 00:04:37,380 --> 00:04:39,720 And you see, it has successfully compiled.
51 00:04:40,080 --> 00:04:45,690 So now we are going to inject into Microsoft Paint. Make sure your Microsoft Paint is started.
52 00:04:46,270 --> 00:04:49,110 See, this is a 64-bit version of Microsoft Paint.
53 00:04:51,200 --> 00:04:57,110 So now we run our Trojan.
54 00:04:57,890 --> 00:04:59,150 And it's supposed to
55 00:05:00,650 --> 00:05:04,680 cause the message box to pop up in there.
56 00:05:05,610 --> 00:05:13,740 And I heard the notification sound, and the message box has popped up. To confirm that this message
57 00:05:13,740 --> 00:05:16,230 box is coming from Microsoft Paint,
58 00:05:16,800 --> 00:05:18,570 you can use Process Hacker.
59 00:05:21,360 --> 00:05:32,430 Again, from Process Hacker, you can drag this tool here, and drag this to here, and drop it here,
60 00:05:33,450 --> 00:05:42,360 and you see it opens up the parent for the message box, Microsoft Paint, which is the process shown here.
61 00:05:43,770 --> 00:05:50,610 Another confirmation is from the memory: you can click on the Memory tab and the Protection column, scroll down
62 00:05:50,610 --> 00:06:02,580 to RX, readable and executable, and look for RX here, the one that is unmarked, and then here in the
63 00:06:02,580 --> 00:06:06,940 view you see your shellcode saying hello from crackinglessons.
64 00:06:09,660 --> 00:06:16,830 The other thing you want to make sure, to show that this Trojan is actually 64-bit, you can use the
65 00:06:16,830 --> 00:06:26,640 dumpbin. Dumpbin, select the option /headers, and then if you just press Enter, you'll find
66 00:06:26,640 --> 00:06:27,170 it's a lot.
67 00:06:29,850 --> 00:06:40,860 So you have to provide the name of the binary, and it will give you a lot of information about this,
68 00:06:42,850 --> 00:06:43,840 about this binary.
69 00:06:44,260 --> 00:06:47,470 But you just want to know whether it's 64-bit or not.
70 00:06:48,160 --> 00:06:53,770 So what you do is you specify, you use findstr for the machine specification.
71 00:06:56,580 --> 00:07:04,350 So repeat the command, type the pipe symbol, which is found above the Enter key of your keyboard,
72 00:07:06,030 --> 00:07:13,920 findstr, and then put the forward slash i option, which means ignore case.
73 00:07:14,400 --> 00:07:18,210 You don't care what type of case, upper case or lower case; you're looking for the string machine.
74 00:07:19,230 --> 00:07:22,650 So what this does is it will parse the headers
75 00:07:22,650 --> 00:07:29,730 of, of course, the Trojan binary, and then the output is redirected
76 00:07:31,000 --> 00:07:35,590 to the findstr command, and findstr will look for the string machine.
77 00:07:36,490 --> 00:07:40,270 So you press Enter, you find 8664, and it's 64-bit.
78 00:07:41,080 --> 00:07:41,410 All right.
79 00:07:41,410 --> 00:07:44,590 So now you know that the first...
80 00:07:46,270 --> 00:07:54,130 The first experiment is successful; it injected a 64-bit payload from a 64-bit process into a 64-bit
81 00:07:54,460 --> 00:07:56,810 target. Now let's try the second one.
82 00:07:57,610 --> 00:08:05,350 The second one, we are going to have a 32-bit payload, so we need to change the payload here.
83 00:08:06,750 --> 00:08:09,600 So we have successfully done the first one.
84 00:08:10,470 --> 00:08:17,610 So let's put it this way, to say that we have successfully done it.
85 00:08:19,380 --> 00:08:20,610 Now we are going to the second one.
86 00:08:21,210 --> 00:08:26,280 So we change the payload to 32-bit down here and here.
87 00:08:26,280 --> 00:08:29,700 We also change the size to 32-bit.
88 00:08:30,360 --> 00:08:31,860 So now we are going to inject
89 00:08:33,830 --> 00:08:41,540 this payload, the 32-bit payload; its size is 293, 293 bytes. So we save
90 00:08:41,720 --> 00:08:47,480 it, and then we have to use a new command environment,
91 00:08:49,250 --> 00:08:54,710 x86, which, if you don't see it here, you just need to search for it.
92 00:08:55,160 --> 00:09:04,400 And you can see there are two, so select the x86 Native Tools command prompt and navigate to this folder.
93 00:09:05,690 --> 00:09:07,370 Copy the address,
94 00:09:10,310 --> 00:09:12,740 right-click, copy, and over here,
95 00:09:12,740 --> 00:09:16,490 cd into it and run the compile.
96 00:09:16,490 --> 00:09:16,970 That's great.
97 00:09:19,580 --> 00:09:23,480 And then now you test whether it's
98 00:09:27,540 --> 00:09:33,110 a 32-bit binary.
99 00:09:34,670 --> 00:09:36,560 Oops, I forgot something.
100 00:09:37,130 --> 00:09:39,020 You need to provide the binary.
101 00:09:43,680 --> 00:09:48,940 Then pipe it to findstr, machine.
102 00:09:51,180 --> 00:09:51,430 Right.
103 00:09:51,460 --> 00:09:52,410 So it's 32-bit.
104 00:09:53,050 --> 00:09:56,170 So we confirm it's 32-bit; so we set it to 32-bit.
105 00:09:56,770 --> 00:10:10,120 We cannot use 64-bit to test, because now we are experimenting with the second experiment, where we're
106 00:10:10,120 --> 00:10:11,500 going to inject into 32-bit.
107 00:10:12,250 --> 00:10:13,690 So we have to run...
108 00:10:14,290 --> 00:10:19,840 Since we are already 32-bit, you know, we need to run the 32-bit Microsoft Paint.
109 00:10:20,370 --> 00:10:24,580 Well, where do you find the 32-bit Microsoft Paint on a 64-bit system?
110 00:10:26,110 --> 00:10:27,460 It is very funny.
111 00:10:27,940 --> 00:10:33,130 You head over to your File Explorer.
112 00:10:35,270 --> 00:10:39,680 Go here and go to C:, go to Windows.
113 00:10:40,820 --> 00:10:51,200 Go to SysWOW64; inside here you will find Microsoft Paint, mspaint.exe.
114 00:10:51,500 --> 00:10:56,930 This mspaint in this location is the 32-bit version of Microsoft Paint.
115 00:10:57,530 --> 00:11:04,010 So you press Enter, and now the 32-bit version of Microsoft Paint is running.
116 00:11:05,000 --> 00:11:14,090 So now the 32-bit version of Microsoft Paint is running. Let's try to run our Trojan injector.
117 00:11:14,900 --> 00:11:22,100 And you can see the Trojan runs, and I hear the beeping, and you will see that the 32-bit message is different; the 32-bit
118 00:11:22,390 --> 00:11:25,610 message is from crackinglessons dot com.
119 00:11:26,540 --> 00:11:29,660 And again, we can use our Process
120 00:11:29,660 --> 00:11:39,220 Hacker to confirm, by going to Microsoft Paint down here, or you can click on this and drag.
121 00:11:39,320 --> 00:11:46,610 Find the window, drop it right here, and you see the parent process is mspaint, and in the memory
122 00:11:46,640 --> 00:11:51,950 you can also scroll down in the Protection column and look for RWX, RX.
123 00:11:54,350 --> 00:11:55,580 RX.
124 00:11:57,350 --> 00:11:58,460 And this one.
125 00:11:59,860 --> 00:12:04,360 Here you can see the shellcode is in there.
126 00:12:05,880 --> 00:12:06,270 OK.
127 00:12:07,590 --> 00:12:08,340 So it's working.
128 00:12:09,000 --> 00:12:11,430 All right, so let's close this now.
129 00:12:11,430 --> 00:12:17,460 The next experiment is this one: 64-bit process injecting into a 32-bit process.
130 00:12:17,880 --> 00:12:22,980 So now we have to compile this Trojan in an x64
131 00:12:24,280 --> 00:12:26,500 environment, so we just run this.
132 00:12:30,510 --> 00:12:30,890 OK.
133 00:12:31,260 --> 00:12:35,610 And we repeat the dumpbin command to confirm that it is indeed 64-bit.
134 00:12:37,470 --> 00:12:39,320 So it's 8664.
135 00:12:40,470 --> 00:12:41,460 So the target...
136 00:12:43,140 --> 00:12:51,180 It's also 32-bit, so let's run our 32-bit version of Microsoft Paint again.
137 00:12:52,600 --> 00:12:56,080 And let's execute the Trojan.
138 00:12:57,420 --> 00:13:04,350 And you can see the Trojan ran, and I hear the beeping sound, and there, it's open.
139 00:13:04,920 --> 00:13:05,240 All right.
140 00:13:05,250 --> 00:13:06,090 So far, so good.
141 00:13:07,590 --> 00:13:16,110 So now we go for the last one. The last one is a 32-bit process, which has a 64-bit payload injected
142 00:13:16,170 --> 00:13:17,640 into a 64-bit process.
143 00:13:18,390 --> 00:13:21,270 So let's go and make the modification.
144 00:13:24,270 --> 00:13:28,680 So for this last experiment, so far we've already successfully done the
145 00:13:30,900 --> 00:13:36,560 first three. Now for the last one, 32-bit to 64-bit, will it fail?
146 00:13:36,690 --> 00:13:39,720 So we need to change this to 64-bit.
147 00:13:40,620 --> 00:13:42,630 And this is also 64-bit.
148 00:13:45,030 --> 00:13:53,070 And then the target is 64-bit mspaint, so we need to close this Microsoft Paint.
149 00:13:55,110 --> 00:13:56,280 Something needs to happen.
150 00:13:56,550 --> 00:13:58,650 So it's quite normal for this kind of thing.
151 00:13:59,280 --> 00:13:59,580 All right.
152 00:13:59,580 --> 00:14:00,060 So now
153 00:14:01,470 --> 00:14:02,790 we are going to compile this.
154 00:14:05,120 --> 00:14:07,850 Compile this as a 32-bit Trojan.
155 00:14:11,020 --> 00:14:16,810 So go to your x86 environment and compile.
156 00:14:21,750 --> 00:14:22,170 All right.
157 00:14:22,500 --> 00:14:28,020 And then use dumpbin to confirm it is indeed 32-bit. OK.
158 00:14:28,030 --> 00:14:32,430 So now we are supposed to run 64-bit
159 00:14:32,470 --> 00:14:40,920 Microsoft Paint, to see whether a 32-bit Trojan can inject into a 64-bit process.
160 00:14:42,920 --> 00:14:45,950 So I start our 64-bit Microsoft Paint.
161 00:14:47,230 --> 00:14:48,820 And then try to inject into it.
162 00:14:53,610 --> 00:14:57,300 And you see, it fails; the thread handle is zero, right?
163 00:14:57,360 --> 00:15:03,960 This return of zero is coming from the classic inject over here.
164 00:15:05,580 --> 00:15:12,160 The handle, so when it returns zero, it means that this API failed to create a thread.
165 00:15:13,080 --> 00:15:13,440 OK.
166 00:15:13,830 --> 00:15:22,620 But it probably has succeeded in copying the shellcode. Right, to confirm that we can go here and look for
167 00:15:22,620 --> 00:15:27,810 Microsoft Paint memory and look under RX as usual.
168 00:15:31,500 --> 00:15:33,990 Scroll down to RX, and this one.
169 00:15:35,580 --> 00:15:39,450 And you can see the shellcode indeed was successfully copied.
170 00:15:39,450 --> 00:15:43,980 That means WriteProcessMemory succeeded, but CreateRemoteThread failed.
171 00:15:44,640 --> 00:15:51,270 OK, so that means the last one fails; only the first, second and third one succeeded.
172 00:15:51,970 --> 00:15:52,230 Right?
173 00:15:52,260 --> 00:15:59,370 The last one fails because the WoW64 process, the WoW64 emulator, has got some kind of protection.
174 00:16:00,110 --> 00:16:08,490 It does not allow you to inject a 64-bit payload into a 64-bit operating system coming from a 32-bit process.
175 00:16:09,210 --> 00:16:09,570 All right.
176 00:16:09,630 --> 00:16:19,320 So next, we are going to explore how to bypass that protection by using different tools, x86 execute
177 00:16:19,320 --> 00:16:21,990 x64 and x64 function algorithms.
178 00:16:23,160 --> 00:16:28,140 Finally, the Metasploit framework, which implements Heaven's Gate, right?
179 00:16:28,170 --> 00:16:31,110 So that would be the next lesson, coming up soon.
180 00:16:31,470 --> 00:16:33,270 So that's all for this video.
181 00:16:33,480 --> 00:16:35,070 Thank you for watching.