[00:00:00] Hello and welcome. In the first course on this we have learned about process injection, and in this case now we are going to go through some more advanced techniques for injection. So now we're going to learn about context injection: injecting a payload into another thread.

[00:00:43] What is thread context? Quite right, context is information about a thread. For example, information about memory allocation, the heap and stack, the register values and the next instruction pointer. The instruction pointer is the address in memory where the thread is supposed to execute the next instruction. And we can exploit it to our advantage in context injection.

[00:01:07] The mechanism of context injection: on the left here is our malware Trojan with an embedded payload containing shellcode that can show a message box. On the right here is your target process, which, for example, is Microsoft Paint. Inside the target we also have a thread running in the process. Every process has at least a thread. And this is the thread that is running in the target process.

[00:01:44] In the first step, the malware Trojan searches for the target process. Once it finds it, it would then search for the thread inside the target process.

[00:02:02] Next, it allocates memory in the target process using the Microsoft API function call VirtualAllocEx. The purpose of that is to create allocated memory so that it can copy the code over to the allocated memory.

[00:02:24] The next step is the malware Trojan will write the code over to the allocated memory using the API call WriteProcessMemory.

[00:02:38] Next, the Trojan will suspend the thread of the targeted process by using the API function call SuspendThread. The purpose of suspending the thread is so that it can change the instruction pointer for the thread, so that the instruction pointer will point to the code when the thread resumes later.

[00:03:04] The next step is to change the instruction pointer. So this is where the malware will get the instruction pointer of the thread and modify it temporarily in order to bring it to the next section, which is the code itself. It does that by using two APIs. One is called GetThreadContext, which is not shown here, and then SetThreadContext, shown here. So essentially, SetThreadContext would change the instruction pointer of the thread so that it will then execute the injected code in the next step.

[00:03:45] So this is the next step, where the malware will resume the thread by using the API function call ResumeThread. So at this point in time, the thread will then execute the shellcode.

[00:04:02] Advantages and disadvantages of thread context injection. The advantage is there is no need to create a remote thread; you can use the existing thread of the target process itself. So this makes it more stealthy.

[00:04:22] There are also disadvantages. The disadvantages are that you may crash the parent process of the thread when the hijacked thread exits, and you may also disrupt what the original thread was doing. Another disadvantage is it takes a little bit longer to inject compared to process injection. There is a slight delay, a lag.

[00:04:44] So that's all for this theoretical background on thread context injection. Thank you for watching.