[00:00:04,240] OK, welcome back. In this lesson, I'm going to explain to you the project itself, the source code. So there'll be two main parts. The first part will be the DLL itself and the second part will be the DLL injector Trojan. So the DLL itself will be converted into a hex format and put inside the DLL injector.

[00:00:35,690] So go and download this project called Project Password Sniffer, unzip it and put it in the Malware Dev 2 folder. Inside it, you find two folders and one API Monitor capture, which will not be here, but this one was from the previous lesson where we used API Monitor to hunt the API function that saves the password.

[00:01:07,370] So the two folders here: one is the DLL injector Trojan, the DLL injector project. This refers to this project, and the other one is the password sniffer DLL, which refers to this one here. So let's take a look at each one then. So first we look at the DLL injector Trojan. These are the two files. You open this in Visual Studio and compile it. Let's open this and see what's inside.

[00:01:46,950] Now, this DLL injector is a classic injection. And we have here the shellcode, the shellcode for the password sniffer DLL. These parts here differ: this is referring to this part here. This part of it comes from here, and this, the file, is this one, this project. This will be compiled into a DLL and then converted into this hex text format and put in here. So that's how we can get your DLL inside the DLL injector Trojan. So it is a kind of shellcode. It is quite big because it is a complete executable file, a DLL essentially. So let's go down to the end of this and take a look at the main.

[00:02:55,530] So when this program runs, you go to main here. Eventually, you need to convert this into a WinMain in order to hide the console terminal, but for testing and development stages, we always want to make it easy, so we just put main here so that you can bring up the console and develop.

[00:03:26,280] So right now, you can see here, when this thing runs, it will keep on looping. While the PID is zero, and the PID is referring to the target, so this PID here is referring to the PID of the target process. So when it first starts, it is looking for that process. So here you are searching for the target process, the process to inject into, and the process name is in this string here, exactly. So if it doesn't find it, you keep on looping and you sleep for one thousand milliseconds between each loop, which is one second. So once the target has loaded, the PID will be non-zero. So it would then proceed to the next step, and the next step is to drop the DLL, so we continue.

[00:04:36,490] The first thing we do is get the path to the DLL. So this function is actually defined up here, get path to the DLL. Over here, we want to get the temporary path and then append the DLL name to the temporary path. Now in Windows, the temporary path can be accessed by using this special environment constant, percentage TEMP percentage, and then you will find it here. So the idea is to use this path to unpack and drop the DLL. So remember in our design of the system, once the DLL injector Trojan has found that the target has loaded into memory, it is supposed to unpack the DLL. So what we're doing is dropping this DLL into the temporary folder, which is here. So that is the reason why we are doing this get path to DLL: because you want to get the temporary path and then append this string to it so that you will get the complete path. Then you print this for debugging purposes so that we can be sure that we get the correct path.

[00:06:06,000] So the strcat here is just to append this name to the end of this temporary path, which you get from this API, GetTempPath. You can read up on it by referring to my notes, which I already provided for you. Here you can read all about it. So this is a reference for GetTempPath. So it has got two parameters: the string where you are going to store the result and the length. So you must make sure that you provide the first parameter, the length of the string, and it is big enough to store the path. So it's going to be a long path, so I put 512, which should be sufficient for getting the full path to the DLL. 512 bytes is more than enough to get this path. The second one would be the string itself. So this buffer here must match this. So at the end of this function call, this string will store the path to the temporary folder, and this path is used later on in the function; then we call the unpacking function here.

[00:07:32,540] So the next step is you call the unpack function, and the function will then create a file using this path, which you got from here, from the previous call. So you create this file containing the DLL itself, and then over here you will check whether you successfully created the handle. And if you have successfully created the handle, there's no error, and then you write the file. So here is where you write the file. So it's writing the DLL, which is this array existing here. All this thing here is called the password sniffer DLL. So you're going to dump all of this into a file using the WriteFile function. This one, the WriteFile function. For the WriteFile function, you can refer to the MSDN. Over here, it accepts all these parameters. The handle of the file is the first parameter. So the handle to the file, you got it from here when you called CreateFile, and here's where you use it. And then here, the second parameter is your string; in this case it is your hex string, the shellcode itself, the DLL executable, which you are going to dump into this location, into this file. And then sizeof is used to calculate the size. So the third parameter is the size and number four is the number of bytes written, which is not so important, and the last one is also not important. So after you've written this, your password sniffer DLL will be inside your temporary folder. Then you close the handle.

[00:09:38,480] So at this point in time, you have your DLL unpacked and then you print a message to inform the user. This is for debugging purposes, and then here is where you get the LoadLibrary function pointer. So this is dynamic loading; we are trying to obfuscate the function, so that's why we're doing dynamic loading. So we GetProcAddress of LoadLibrary because this is a DLL. So you know, if it's a DLL, you want to call LoadLibrary after the DLL has been attached to the target.

[00:10:16,720] So here you open the process. OpenProcess is where you open the process by the PID, which you would have got from up here, the search for process. By the way, this is the search process function, which I explained before in previous lessons, so I won't go through it. The search process is where you search for whatever process you want; in this case, we are looking for the target, and if it finds it, it returns the PID. That is how it does it. So the PID is over here and we use it here. And you're using it inside OpenProcess, so you open that process; in this case the process ID would be the target's PID, and then you store it in this handle.

[00:11:21,120] And if there is no error, that means the process does exist and it managed to open it; then you will allocate memory in the target. So you're allocating memory in the target, and in the next step, you copy your DLL path there. So that memory holds the location of the DLL inside the temporary folder, and in the next function call, CreateRemoteThread, you actually pass the LoadLibrary function, which you got from here, and then the parameter to the LoadLibrary function. So this one is slightly different. In this case, you give the function that you want CreateRemoteThread to run and a parameter for it. So the parameter for this one, LoadLibrary, is actually the path to the DLL, which you copied from here to here. So this is, in effect, asking LoadLibrary to load your password sniffer DLL, and then you print the message here to the user. Then you close the handle. Then you sleep for about five seconds to give time for the DLL to inject and attach, and then you try to delete it, but you won't be able to delete it because the library is loaded. OK, so that is the DLL injector.

[00:12:53,840] Now let's take a look at the other project, which is the password sniffer DLL. So the password sniffer is going to hook the API which we got from the previous lesson, and that API, if you recall, is this API, which we got from API Monitor: WideCharToMultiByte. All right, so let's take a look. So it is going to use the Detours library to do it, and this is what we have used before in the previous lessons. And here is where we are using it. And if you recall, in order to use the library, you have to put the Detours package here, which contains all the files needed for the library. And here, the first file here also belongs to Detours. So let's take a look at the password sniffer.

[00:13:55,680] OK, so password sniffer, continue. This one is a pointer to the original WideCharToMultiByte. So this can be obtained from the MSDN library over here. Right? You go to this website and take a look at it. This is the WideCharToMultiByte, which I showed before, so I just copy this. You can click copy here and then basically, as I told you, you convert this into a function pointer and put it in front. And put this WINAPI as it is, and include the brackets here, so this would convert it into a function pointer. All right. And then after that, you assign WideCharToMultiByte to this function pointer, and from here onwards, you can use this to refer to this function. Then we declare the function prototypes for HookTarget and UnhookTarget.

[00:15:06,030] All right, let's go straight to the DllMain. So as you recall, every DLL has a DllMain; this is where the execution of the DLL begins. And there is always a switch statement for the triggers that will be called when the DLL attaches or detaches. So in the case where the DLL attaches, we are going to hook the target; we are going to call this function. And when the DLL detaches, we are going to, in this case, trigger this and call UnhookTarget. So let's take a look at the HookTarget first. So this HookTarget will set a hook on the WideCharToMultiByte API function, which you saw above, and this will use the transaction functions which you have studied before. So after you finish here, you have to put your function pointer and your substitute hooking function. So you are going to replace WideCharToMultiByte with your own hooking function over here. All right. And then once you replace it, this thing will run instead of the original function.

[00:16:27,770] So the hooked WideCharToMultiByte function is here. This hook will take over the actual function. And you see here, all you're doing is reusing the same parameters as the original WideCharToMultiByte, because you are going to pass them to the original function pointer. The reason you do that is because you want to extract the fifth parameter, which contains your password. That's why you are recreating the parameters, although this is your own function. So you are recreating the parameters so that you can pass all these same parameters back to the original function. All right. And why do that? Because over here, the next step, you are going to take this fifth parameter. OK. And you are going to copy it into this password string. This password string will store your actual password, and then, as I told you, you output a debug string to inform the user that you have successfully captured it. Now, you can't use printf here, because printf will only work if your main function is running. In this case, here you are not using a main function; it's a DllMain, and this thing is going to run stealthily so that it will not show any console. That's why, in place of printf, you can use OutputDebugString.

[00:18:08,460] So when you use OutputDebugString, you have to use another program called DebugView, which I will demonstrate in the practical. So the DebugView program will show every debug string which comes from this function. So this function outputs this message to DebugView, and you can see all the debugging information there. So it is only useful when you are developing the Trojan. Once you finish developing, you can comment all this out. Well, let's come back to our hooking function. So here, now that you have gotten the password stored in the password string, the next step is to store the captured data in a file. So here you use CreateFile again. This time you are going to store it in this file, password.txt. And so here you are creating this file, getting a handle, and then here you are writing your password to the file. So at the end of this function call, you have a new file called password.txt in this location. So that's it. So this is how we can steal a password using this API hooking and DLL injection.

[00:19:35,010] And later on, I'll speak to you about persistence. Persistence is where you put your Trojan in a location, especially a location called the Startup folder, so that when the computer reboots, your Trojan will also always run. That will also be explained in the live walkthrough later. So that's all for this explanation of the project and its source code. Thank you for watching. I'll see you in the next one.