1
00:00:00,750 --> 00:00:09,210
Hello, and welcome back. In this video I'm going to explain the project itself and how you will go

2
00:00:09,210 --> 00:00:18,120
and download the API hooking using IAT project. Unzip it and take a look at what is

3
00:00:19,950 --> 00:00:20,470
inside.

4
00:00:20,550 --> 00:00:28,320
You will find three files: the compile script, which is used to compile the IAT hooker into

5
00:00:28,320 --> 00:00:32,610
a DLL, and also to compile the IAT target.

6
00:00:33,060 --> 00:00:35,580
This is the target that we are going to hook.

7
00:00:37,650 --> 00:00:39,420
Let's take a look at the target first.

8
00:00:40,200 --> 00:00:44,120
Right click on the target and open it with Notepad++.

9
00:00:44,580 --> 00:00:46,980
As you can see, it is the

10
00:00:47,730 --> 00:00:51,090
same target that we used in the previous session.

11
00:00:55,010 --> 00:00:58,640
Now we take a look at the IAT hooker.

12
00:01:03,470 --> 00:01:07,340
The IAT hooker has basically the same structure.

13
00:01:07,830 --> 00:01:12,460
This is where the DLL starts to run.

14
00:01:13,010 --> 00:01:16,760
It is attached to the process and,

15
00:01:18,010 --> 00:01:25,840
once it is attached, it will trigger the first case, which is DLL_PROCESS_ATTACH,

16
00:01:26,380 --> 00:01:30,220
and it executes this function called hook target,

17
00:01:31,240 --> 00:01:41,110
passing three parameters: the DLL, which contains MessageBoxA, which we are going to hook,

18
00:01:41,830 --> 00:01:46,090
and also our modified message box function.

19
00:01:47,560 --> 00:01:49,360
Let's take a look at the top.

20
00:01:51,180 --> 00:02:00,180
So over here we define the function pointer, which is similar to the previous session, and this

21
00:02:00,180 --> 00:02:03,360
is the modified message box, which is also similar.

22
00:02:05,190 --> 00:02:06,360
This part is different.

23
00:02:06,600 --> 00:02:12,540
This is where we set the hook on the original function by replacing it with our own function.

24
00:02:13,680 --> 00:02:19,680
So this hook target is called from here, upon attachment by the DLL.

25
00:02:21,800 --> 00:02:29,360
When the DLL attaches to the target process, this function is called and it will receive three parameters.

26
00:02:29,780 --> 00:02:37,430
The first one, in this case, is user32.dll, because user32.dll contains the MessageBoxA

27
00:02:37,430 --> 00:02:39,410
API.

28
00:02:42,390 --> 00:02:46,860
And then the last parameter would be the hooking function up here.

29
00:02:48,480 --> 00:02:52,410
So this is the function that is going to replace the original function.

30
00:02:54,510 --> 00:03:00,600
So you see here, you get the base address of the module, which is also known as the handle of the module,

31
00:03:01,380 --> 00:03:09,030
and this handle to the module is referring to the target process's actual base address. Once you get it

32
00:03:09,510 --> 00:03:13,260
here, then you get the import address table.

33
00:03:14,100 --> 00:03:15,240
So this is the function:

34
00:03:17,350 --> 00:03:19,970
ImageDirectoryEntryToData.

35
00:03:21,660 --> 00:03:23,160
This is what makes it easy.

36
00:03:23,880 --> 00:03:27,420
This is a shortcut way to get the import table.

37
00:03:29,380 --> 00:03:33,970
And this API comes from here.

38
00:03:34,600 --> 00:03:39,400
The reference: you can look up the ImageDirectoryEntryToData function.

39
00:03:41,250 --> 00:03:45,090
And then it is contained in the Dbghelp library.

40
00:03:45,870 --> 00:03:56,670
That is why we included it here. The user32 library is for the message box.

41
00:04:01,620 --> 00:04:04,050
So the parameters are as follows.

42
00:04:05,350 --> 00:04:07,720
The first parameter is the base address.

43
00:04:10,630 --> 00:04:12,370
The second parameter

44
00:04:13,470 --> 00:04:14,640
refers to

45
00:04:15,820 --> 00:04:20,140
whether you want to map it as an image, so we put TRUE in this case.

46
00:04:21,550 --> 00:04:25,570
And then the third is the type of directory entry that you want to retrieve.

47
00:04:26,020 --> 00:04:28,750
So in this case, you want the import directory,

48
00:04:29,850 --> 00:04:31,620
the import directory table.

49
00:04:32,900 --> 00:04:33,920
And then the next one,

50
00:04:35,700 --> 00:04:37,590
the fourth parameter, is the size,

51
00:04:39,360 --> 00:04:40,350
which we declare here.

52
00:04:42,440 --> 00:04:48,980
And the last one you just leave as NULL. You can read up on the explanation in more detail here.

53
00:04:52,080 --> 00:05:00,210
Once you've got the import directory table, the IAT, we save it to this variable, import table. Next, we

54
00:05:00,210 --> 00:05:02,530
search for the DLL we want.

55
00:05:03,180 --> 00:05:07,890
In this case, we only look for one in particular, user32.

56
00:05:08,100 --> 00:05:08,600
Yeah.

57
00:05:09,570 --> 00:05:11,720
So this is where we go through

58
00:05:12,150 --> 00:05:17,520
the entire import address table and look for user32.dll.

59
00:05:19,330 --> 00:05:29,490
This line compares whether the DLL is found inside the import table,

60
00:05:30,180 --> 00:05:36,300
so it compares it with the DLL name. The one it compares with comes from here, the target DLL, which is

61
00:05:36,300 --> 00:05:37,080
user32.

62
00:05:38,370 --> 00:05:44,340
So if it finds it, then it returns true and it breaks out of the loop.

63
00:05:45,630 --> 00:05:50,550
If it's not there, it just returns false and exits the function.

64
00:05:51,870 --> 00:05:57,600
So once it is found, it will now search for the function in the import address table.

65
00:05:59,330 --> 00:06:05,750
So it does that by using another loop here and goes through every entry inside

66
00:06:05,840 --> 00:06:07,220
the import table.

67
00:06:08,990 --> 00:06:11,750
And then when it is finally found over here,

68
00:06:12,650 --> 00:06:17,150
we change the permission to become readable and writable.

69
00:06:17,770 --> 00:06:24,410
That is because we want to substitute our own function for these values, which are protected, so we need

70
00:06:24,410 --> 00:06:26,710
to change the permission.

71
00:06:28,610 --> 00:06:37,490
And then over here, this is the way we hook the function: by assigning our own hooking function to replace

72
00:06:37,730 --> 00:06:39,110
the one that is found.

73
00:06:39,770 --> 00:06:48,170
So this hooking function is passed to this function here, and it is actually this one, modified message

74
00:06:48,170 --> 00:06:48,530
box.

75
00:06:49,930 --> 00:06:54,370
As you can see from the function call, it is the modified message box that we pass in when we call it.

76
00:06:56,730 --> 00:06:59,400
So at this point in time, the hook is set.

77
00:07:00,300 --> 00:07:05,730
And then once it is set, it will perform whatever is inside the modified message box here.

78
00:07:08,040 --> 00:07:15,060
And then after that, we revert back to the original protection setting,

79
00:07:15,420 --> 00:07:16,110
once it's done.

80
00:07:17,190 --> 00:07:22,770
So you use the old protection and assign it back to that memory region.

81
00:07:24,570 --> 00:07:26,160
And then finally it returns true.

82
00:07:27,310 --> 00:07:35,110
So this last part is just to iterate through the entire function, as you see, for the DLL.

83
00:07:36,460 --> 00:07:37,600
So this is how it works.

84
00:07:39,680 --> 00:07:48,680
So that's all for the explanation on the code for the IAT hooker. In the next video, we're going

85
00:07:48,680 --> 00:07:50,690
to do a practical walkthrough.

86
00:07:51,080 --> 00:07:52,040
Thank you for watching.