1 00:00:00,600 --> 00:00:03,620 Hello. Now we are going to be hooking VeraCrypt.
2 00:00:04,260 --> 00:00:07,800 We need to find out which API we are going to hook.
3 00:00:08,400 --> 00:00:16,890 So in order to help us find out what API VeraCrypt uses for entering the password, we need
4 00:00:16,890 --> 00:00:17,900 to use another tool.
5 00:00:18,840 --> 00:00:21,990 So you can use a tool in FLARE.
6 00:00:23,190 --> 00:00:24,330 So open FLARE.
7 00:00:25,080 --> 00:00:32,730 Head over to the utilities and we have API Monitor. Since this is a 64-bit program,
8 00:00:33,180 --> 00:00:36,000 we use the 64-bit version of API Monitor.
9 00:00:37,080 --> 00:00:40,230 So just open the API Monitor.
10 00:00:40,560 --> 00:00:41,130 Yes.
11 00:00:45,650 --> 00:00:46,100 OK.
12 00:00:48,890 --> 00:00:56,510 Now that API Monitor has started, you can see here in the top left all the APIs that we can hook.
13 00:00:57,840 --> 00:01:00,120 So there are many of them.
14 00:01:00,540 --> 00:01:04,650 And then on the bottom left are all of the processes which are running in memory.
15 00:01:05,010 --> 00:01:12,780 And one of them is VeraCrypt, actually the one we want to target. And then here will be the monitored processes,
16 00:01:13,800 --> 00:01:18,390 and whatever you select here to monitor will appear here in this list.
17 00:01:19,110 --> 00:01:26,160 And then here will be all the results of the monitoring, and the parameters will show you the details,
18 00:01:26,160 --> 00:01:29,880 and even more details of each of the parameters.
19 00:01:31,900 --> 00:01:38,890 So now we have to select VeraCrypt. Before that, we need to choose what API we want to monitor.
20 00:01:40,000 --> 00:01:46,390 If you're not sure, do not choose all. Try to narrow it down, because if you choose all, there would
21 00:01:46,390 --> 00:01:48,580 be too many to filter out later.
22 00:01:49,870 --> 00:01:56,710 So if you're not sure, a good one to start with is Windows Application UI Development, so you can select this.
23 00:02:00,440 --> 00:02:05,680 And another one which is good for trying is Security and Identity.
24 00:02:06,050 --> 00:02:07,550 This one, right?
25 00:02:08,150 --> 00:02:12,170 But let us try this first: Windows Application UI Development.
26 00:02:13,160 --> 00:02:20,690 So now, say, like this, you want to hook all the API functions used by VeraCrypt. Next, you
27 00:02:20,690 --> 00:02:24,440 select VeraCrypt correctly and then start monitoring.
28 00:02:26,770 --> 00:02:32,590 So immediately you see VeraCrypt now appears in the monitored process list, and it is already starting
29 00:02:32,590 --> 00:02:35,860 to monitor all the API calls that VeraCrypt makes,
30 00:02:37,490 --> 00:02:40,370 that is, the ones coming from Windows Application UI Development.
31 00:02:41,270 --> 00:02:49,610 Now you start to open VeraCrypt. You are going to mount it, so select the drive and the file that
32 00:02:49,610 --> 00:02:51,620 you want to mount, and then click Mount.
33 00:02:54,110 --> 00:03:03,290 And here, key in the password. Display password, so that you can see what you key in. Key in your password.
34 00:03:04,690 --> 00:03:05,180 Yes.
35 00:03:06,060 --> 00:03:07,130 Password.
36 00:03:09,290 --> 00:03:10,160 This is it.
37 00:03:10,910 --> 00:03:11,240 All right.
38 00:03:11,600 --> 00:03:12,470 So click OK.
39 00:03:19,670 --> 00:03:20,060 All right.
40 00:03:21,040 --> 00:03:22,240 So now it has mounted.
41 00:03:24,140 --> 00:03:30,140 So now you can stop the monitoring process. Go over here, right-click, and stop monitoring.
42 00:03:34,100 --> 00:03:38,330 We don't need VeraCrypt anymore, so you can dismount and exit.
43 00:03:40,050 --> 00:03:42,250 So now, inside all these API calls,
44 00:03:42,740 --> 00:03:44,400 there would be the password that you keyed in.
45 00:03:44,880 --> 00:03:49,770 So you have to find out which API call has got the password as a parameter.
46 00:03:50,790 --> 00:03:52,830 So to do that, we can search.
47 00:03:53,340 --> 00:04:01,050 Click on this search here, this Find here. And before you do that, be sure you click on the first
48 00:04:01,830 --> 00:04:02,250 API
49 00:04:02,250 --> 00:04:04,170 call in the list, the first one here.
50 00:04:06,210 --> 00:04:15,690 And then click on Find, and here key in the string that you're going to find. That's the password, yeah.
51 00:04:15,870 --> 00:04:16,200 All right.
52 00:04:16,270 --> 00:04:19,080 Then it goes down and finds any matches.
53 00:04:21,170 --> 00:04:29,670 So it searches all the API calls which have this string as a parameter, and it has found one
54 00:04:29,720 --> 00:04:30,290 over here.
55 00:04:30,830 --> 00:04:31,280 This one?
56 00:04:32,560 --> 00:04:33,400 Find Next.
57 00:04:37,610 --> 00:04:39,950 No more matches, only one, which is
58 00:04:40,940 --> 00:04:49,620 this one. So now we know this API call, WideCharToMultiByte, has got this password as
59 00:04:49,640 --> 00:04:51,080 a parameter, as you can see here.
60 00:04:52,070 --> 00:04:59,420 So if you go down to the pane at the bottom, you can see the details of all the parameters used by this function.
61 00:05:04,850 --> 00:05:12,680 You can refer to MSDN here for WideCharToMultiByte to see more details about the parameters of the function.
62 00:05:14,310 --> 00:05:18,780 And this is the MSDN reference, right, for the WideCharToMultiByte function.
63 00:05:23,960 --> 00:05:25,730 So it has got all these parameters.
64 00:05:26,630 --> 00:05:31,630 So these are all the parameters that we are actually seeing inside here.
65 00:05:32,680 --> 00:05:33,040 This.
66 00:05:34,390 --> 00:05:37,660 Here, when you pull it out, you can see the details here.
67 00:05:37,960 --> 00:05:41,920 Of all these parameters here, the one we're interested in is this.
68 00:05:43,930 --> 00:05:44,800 This parameter.
69 00:05:47,580 --> 00:05:54,540 The fifth parameter. This parameter also has got the password that we're interested in, the fifth one.
70 00:05:55,320 --> 00:06:00,180 So the purpose of this function is to convert a string from one format into another.
71 00:06:00,990 --> 00:06:05,190 If you read the documentation, it would become clearer to you.
72 00:06:06,550 --> 00:06:07,630 So according to this,
73 00:06:09,430 --> 00:06:10,780 the fifth parameter
74 00:06:14,060 --> 00:06:15,980 contains the converted string.
75 00:06:17,380 --> 00:06:19,030 So that is what we want to hook.
76 00:06:20,420 --> 00:06:24,830 We can then hook this API and retrieve this parameter.
77 00:06:26,370 --> 00:06:29,520 So you can scroll down and look at the parameter
78 00:06:31,700 --> 00:06:33,080 lpMultiByteStr.
79 00:06:35,990 --> 00:06:37,610 You can see here, this is "in".
80 00:06:38,270 --> 00:06:39,020 And here is "out".
81 00:06:47,380 --> 00:06:50,230 This is the input parameter.
82 00:06:53,500 --> 00:06:54,160 That's part of it.
83 00:06:55,690 --> 00:07:00,610 So the "in" is what the user input, and it is in the wide format, Unicode.
84 00:07:01,090 --> 00:07:05,830 And then here it converts it into multibyte, the fifth parameter.
85 00:07:09,440 --> 00:07:09,710 Yeah.
86 00:07:10,960 --> 00:07:15,460 Pointer to... this is our parameter: pointer to a buffer that receives the converted string.
87 00:07:16,750 --> 00:07:24,370 So once you retrieve this converted string, you can save it to a file on disk, a log file of sorts.
88 00:07:25,270 --> 00:07:26,980 So this is our strategy.
89 00:07:27,580 --> 00:07:33,970 So this is how useful this API Monitor program is.
90 00:07:34,990 --> 00:07:43,570 So before you start to write any kind of Trojan for targeting a particular software, this is what you
91 00:07:43,570 --> 00:07:43,990 would do.
92 00:07:44,620 --> 00:07:51,850 You install the software on your own computer and then, via API Monitor, investigate
93 00:07:52,150 --> 00:07:56,410 where the password is used in the software.
94 00:07:57,100 --> 00:08:03,550 So the only way you can find out is to hook the API calls made by that particular software.
95 00:08:04,900 --> 00:08:08,710 And then once you find out which API, you can start writing your Trojan.
96 00:08:09,190 --> 00:08:10,360 There we have it:
97 00:08:10,360 --> 00:08:12,620 we can hook this API call.
98 00:08:13,540 --> 00:08:19,480 And then once you develop the Trojan, you can deploy it to your target machine.
99 00:08:21,490 --> 00:08:22,870 So this is the strategy.
100 00:08:24,370 --> 00:08:31,990 So now that you know you're supposed to hook this WideCharToMultiByte, you can start to write
101 00:08:31,990 --> 00:08:41,030 our Trojan. So we can just save this. Just copy this: right-click and copy, paste, and then file it away.
102 00:08:41,620 --> 00:08:43,060 And basically there.
103 00:08:46,830 --> 00:08:48,420 We don't have Notepad.
104 00:08:51,180 --> 00:08:51,720 VSC.
105 00:08:54,510 --> 00:08:56,220 OK, so this is your
106 00:08:57,660 --> 00:08:58,080 VeraCrypt.
107 00:09:01,240 --> 00:09:03,360 And then you copy here.
108 00:09:07,890 --> 00:09:08,580 So there.
109 00:09:11,600 --> 00:09:13,340 Copy into VSC.
110 00:09:15,120 --> 00:09:20,010 Now here, so we can use this as a reference later.
111 00:09:21,450 --> 00:09:22,740 All right, so now we're ready.
112 00:09:23,220 --> 00:09:26,730 You can close this and you can proceed to the next lesson,
113 00:09:27,210 --> 00:09:34,380 where I will show you the program that we are going to write in order to capture, to hook, this
114 00:09:34,590 --> 00:09:35,340 API call.
115 00:09:36,360 --> 00:09:37,920 So that's all, thank you for watching.
116 00:09:37,980 --> 00:09:38,880 See you next time.