1 00:00:00,450 --> 00:00:07,380 In this lesson, we are going to take a look at the APIs that are used, so go and download this project
2 00:00:07,390 --> 00:00:12,690 for context injection, unzip it and put it in the malware folder.
3 00:00:13,350 --> 00:00:15,210 Inside it, you will find a few files.
4 00:00:15,720 --> 00:00:20,700 These files are also used in the Malware Development Volume One course.
5 00:00:21,680 --> 00:00:24,710 In here, you have the compile batch script.
6 00:00:25,310 --> 00:00:34,250 The messagebox shellcode, which we generated using Metasploit on Kali Linux, and the messagebox C file,
7 00:00:34,430 --> 00:00:39,710 which is the formatted version of that shellcode, is used in this code here.
8 00:00:40,730 --> 00:00:46,390 So this is the thread injection CPP source code itself. On the top,
9 00:00:46,390 --> 00:00:47,720 we have the usual includes.
10 00:00:48,260 --> 00:00:55,670 And then here is your 64-bit shellcode to display a message box, generated using Metasploit on Kali Linux.
11 00:00:56,150 --> 00:00:57,980 The size is 27 bytes.
12 00:00:58,310 --> 00:00:59,660 You should also put it here,
13 00:01:00,230 --> 00:01:01,370 the length of the shellcode.
14 00:01:02,540 --> 00:01:05,540 Then we have a user-defined function called search for process.
15 00:01:05,990 --> 00:01:11,520 And this works exactly the same as the lesson we did in the Malware Development course,
16 00:01:11,800 --> 00:01:12,500 Volume One.
17 00:01:14,470 --> 00:01:16,800 And then this is something new here:
18 00:01:16,900 --> 00:01:22,090 search for thread. Search for thread is almost similar to search for process.
19 00:01:22,480 --> 00:01:29,230 The difference is that over here you are using CreateToolhelp32Snapshot and passing a parameter of
20 00:01:29,320 --> 00:01:37,120 TH32CS_SNAPTHREAD instead of TH32CS_SNAPPROCESS, which was used when you are searching for a process.
21 00:01:37,960 --> 00:01:39,320 Now, to understand this,
22 00:01:39,370 --> 00:01:42,950 you can look at the MSDN library.
23 00:01:43,390 --> 00:01:49,180 I have provided this file for you containing the notes and the references, so you can go here and look
24 00:01:49,180 --> 00:01:56,660 for CreateToolhelp32Snapshot, and over here you note the first parameter, TH32CS_SNAPTHREAD.
25 00:01:57,820 --> 00:02:00,010 So this is the reference to
26 00:02:01,380 --> 00:02:06,490 the documentation for CreateToolhelp32Snapshot. In the first Malware Development course,
27 00:02:06,510 --> 00:02:14,930 we used this in order to search for processes in memory, and the first parameter is the flags, which
28 00:02:14,970 --> 00:02:17,220 is, you specify one of these here.
29 00:02:18,030 --> 00:02:24,720 So if you are looking for a snapshot of all the processes running in memory, you will provide this parameter,
30 00:02:24,900 --> 00:02:25,800 TH32CS_SNAPPROCESS.
31 00:02:26,880 --> 00:02:29,050 See here, search for process:
32 00:02:29,070 --> 00:02:31,470 you pass the first parameter, TH32CS_SNAPPROCESS.
33 00:02:32,490 --> 00:02:39,390 However, if you are searching, if you are looking for threads running in memory, then you
34 00:02:39,390 --> 00:02:41,910 should provide this parameter instead.
35 00:02:42,450 --> 00:02:49,830 As can be seen here, when you are searching for a thread, you pass TH32CS_SNAPTHREAD as the first parameter.
36 00:02:51,000 --> 00:02:55,410 So once you pass this first parameter, you create a snapshot.
37 00:02:57,480 --> 00:03:05,420 The other important structure is, you know, the THREADENTRY32 structure, which is defined and
38 00:03:05,480 --> 00:03:10,020 created here and used by the created snapshot over here.
39 00:03:11,100 --> 00:03:14,760 You need this structure in order to save the snapshot.
40 00:03:15,440 --> 00:03:20,130 So once you create this snapshot, you save it to this
41 00:03:22,000 --> 00:03:23,110 handle to the snapshot.
42 00:03:23,530 --> 00:03:26,140 And here is where you iterate through.
43 00:03:26,920 --> 00:03:35,590 So you iterate by using this structure, THREADENTRY32, and the explanation for that is found
44 00:03:35,590 --> 00:03:35,950 here.
45 00:03:38,440 --> 00:03:45,370 In the MSDN library, the THREADENTRY32 structure consists of all these members, but the most important one is
46 00:03:45,370 --> 00:03:46,030 the
47 00:03:50,320 --> 00:03:51,580 owner process ID, th32OwnerProcessID.
48 00:03:53,440 --> 00:04:00,250 And over here you see th32OwnerProcessID is the PID of the parent process.
49 00:04:00,700 --> 00:04:07,120 So this PID is returned from here: when you search for the process, it will return the PID, and you use the PID
50 00:04:07,810 --> 00:04:10,930 to search for the thread within the process.
51 00:04:11,710 --> 00:04:14,920 So that is important because you need to get a handle to the thread.
52 00:04:15,760 --> 00:04:23,980 So here, once you have found the ID that matches the parent PID, you will then return the handle
53 00:04:24,010 --> 00:04:25,510 to the thread and save it here.
54 00:04:26,470 --> 00:04:31,570 So now that you've got the handle returned to the caller, that's where you can make use of the handle
55 00:04:31,570 --> 00:04:36,070 to the thread to perform your context, your context injection.
56 00:04:37,690 --> 00:04:44,230 And this is the user-defined function where you actually inject the shellcode.
57 00:04:44,920 --> 00:04:50,800 So it accepts all of these parameters: the ID of the parent process, the handle to the parent process,
58 00:04:51,490 --> 00:04:53,380 the payload itself and the length of the payload.
59 00:04:54,720 --> 00:05:00,300 Now, over here, the first thing you do is you search for a thread based on the PID that you got.
60 00:05:01,050 --> 00:05:04,380 And then over here, if you fail to find the thread,
61 00:05:04,770 --> 00:05:11,550 then you will show an error message saying "Failed to hijack thread".
62 00:05:12,750 --> 00:05:16,260 And here is your optional function to decrypt the payload.
63 00:05:17,070 --> 00:05:21,370 If you use a payload that was encrypted, then here's where you should put it.
64 00:05:23,000 --> 00:05:29,740 Over here is where you actually allocate memory in the target process by using
65 00:05:29,910 --> 00:05:30,140 VirtualAllocEx.
66 00:05:30,170 --> 00:05:30,620 Yes.
67 00:05:31,370 --> 00:05:39,170 And you can refer to it over here, which we discussed before in Malware Development course number one:
68 00:05:39,170 --> 00:05:39,490 VirtualAllocEx.
69 00:05:41,820 --> 00:05:47,520 And over here you then write your shellcode to the allocated memory.
70 00:05:48,540 --> 00:05:50,190 And here is something new.
71 00:05:50,250 --> 00:05:51,800 This is where you suspend the thread.
72 00:05:53,020 --> 00:05:56,050 So SuspendThread, you can go and look at the MSDN.
73 00:05:57,470 --> 00:06:01,670 SuspendThread, in the library references over here.
74 00:06:07,890 --> 00:06:17,670 SuspendThread, so SuspendThread is where you pass a thread; you just pass the first parameter, there's only one parameter,
75 00:06:17,670 --> 00:06:21,600 which is the handle, and once you call it, the thread will be suspended.
76 00:06:22,830 --> 00:06:29,190 There is one other thing which I want to also talk about: Thread32Next. Thread32Next is used when
77 00:06:29,190 --> 00:06:31,110 you are searching for a thread up here.
78 00:06:32,410 --> 00:06:33,340 Thread32Next
79 00:06:33,640 --> 00:06:37,900 iterates through the list of the threads in memory.
80 00:06:38,620 --> 00:06:43,060 And then once you find it, you know, it will tell you. Yes, you should be aware of this.
81 00:06:43,540 --> 00:06:45,190 OK, let's come back to inject.
82 00:06:46,270 --> 00:06:55,120 So after you suspend the thread, you now declare and initialise a context structure, because you are going to
83 00:06:55,120 --> 00:07:01,690 use this context structure to save the context that you get back from this API function.
84 00:07:02,200 --> 00:07:04,230 Why do you need the context?
85 00:07:04,720 --> 00:07:11,770 Because a context contains information about the running thread, and there is one particular
86 00:07:11,770 --> 00:07:14,750 piece of information called the instruction pointer
87 00:07:15,160 --> 00:07:16,120 that you want to tamper with.
88 00:07:16,390 --> 00:07:22,990 That's why you need to initialize a context and pass it to this API.
89 00:07:23,650 --> 00:07:28,360 So what this context looks like, you can always refer to your MSDN.
90 00:07:29,530 --> 00:07:31,690 So here is your MSDN:
91 00:07:33,840 --> 00:07:35,370 the structure CONTEXT.
92 00:07:36,530 --> 00:07:38,990 The important one which we're interested in is this one:
93 00:07:39,020 --> 00:07:39,640 RIP.
94 00:07:40,810 --> 00:07:43,310 This is the instruction pointer; if it is a 32-bit program,
95 00:07:43,340 --> 00:07:44,770 it will be EIP.
96 00:07:45,770 --> 00:07:47,690 So this is the one we're going to tamper with.
97 00:07:49,540 --> 00:07:57,300 So here, after suspending the thread, we initialize this one, ContextFlags, to CONTEXT_FULL because
98 00:07:57,320 --> 00:08:00,190 you want to capture everything about the context.
99 00:08:00,910 --> 00:08:08,440 And over here, we call GetThreadContext and pass parameter one, which is the handle to
100 00:08:08,440 --> 00:08:15,220 the thread, and whatever information about the thread will be saved in the context which we created here.
101 00:08:16,530 --> 00:08:25,370 So GetThreadContext, you can refer to it here: GetThreadContext. So the GetThreadContext function
102 00:08:25,800 --> 00:08:29,280 retrieves the context of the specified thread
103 00:08:30,600 --> 00:08:33,420 and saves it in the second parameter.
104 00:08:35,920 --> 00:08:44,890 So now that you've got the context of the thread, you can go and modify the EIP if it was 32-bit, and in 64-bit
105 00:08:44,890 --> 00:08:48,640 you modify the RIP to point to your shellcode.
106 00:08:50,080 --> 00:08:51,040 This is your shellcode.
107 00:08:51,600 --> 00:08:56,350 Over here is your remote code.
108 00:08:57,900 --> 00:09:01,650 Right here, you allocate memory in the process.
109 00:09:02,100 --> 00:09:05,410 And then you allocate memory in the remote process.
110 00:09:05,430 --> 00:09:09,660 And here is where you copy the payload to the remote process, to the allocated memory.
111 00:09:10,230 --> 00:09:16,950 And this is where you modify the instruction pointer to point to your shellcode,
112 00:09:17,970 --> 00:09:19,950 which you copied over here.
113 00:09:20,370 --> 00:09:21,690 So this is how it works.
114 00:09:22,050 --> 00:09:30,030 And then finally, you call SetThreadContext, so that you modify the context of the thread
115 00:09:30,600 --> 00:09:31,950 with your new context.
116 00:09:33,150 --> 00:09:39,650 So SetThreadContext accepts two parameters, and you can refer to it again over here.
117 00:09:40,050 --> 00:09:41,100 SetThreadContext.
118 00:09:41,760 --> 00:09:43,050 OK, so that's two parameters.
119 00:09:43,290 --> 00:09:49,980 It's simply modifying, modifying the context of the thread, so the new context is set for the thread.
120 00:09:51,000 --> 00:10:00,630 So here we pass the new context, in which we have modified RIP, so that this API will cause this thread to
121 00:10:00,630 --> 00:10:01,770 use this new context.
122 00:10:02,520 --> 00:10:04,290 Finally, you call ResumeThread.
123 00:10:04,860 --> 00:10:08,850 So ResumeThread will then run your shellcode.
124 00:10:09,210 --> 00:10:16,320 This is the ResumeThread API, so it accepts only one parameter, and it's the thread which you want to resume that was
125 00:10:16,320 --> 00:10:17,640 previously suspended.
126 00:10:18,480 --> 00:10:20,850 So this is how the API works.
127 00:10:21,270 --> 00:10:24,750 And here is your main function, which ties everything together.
128 00:10:25,200 --> 00:10:29,940 So the first thing it does is search for the process, in this case Microsoft Paint.
129 00:10:30,360 --> 00:10:38,100 Once it finds it, it will return it to this variable, and then if the PID is not zero,
130 00:10:38,520 --> 00:10:41,370 that means you have found the PID.
131 00:10:41,970 --> 00:10:47,910 So you print a message to let the user know that your Microsoft Paint PID is such and such.
132 00:10:48,780 --> 00:10:56,250 Next, you will use the OpenProcess API to open the process with this PID and return a handle,
133 00:10:56,250 --> 00:10:57,960 and store it in this variable.
134 00:10:58,860 --> 00:11:06,240 And if the process handle is not null, then you will call the injection function and pass all these
135 00:11:06,240 --> 00:11:08,430 parameters to it, as we were discussing.
136 00:11:09,600 --> 00:11:12,420 And finally, you will close the process after injecting.
137 00:11:12,960 --> 00:11:17,640 So this is how the thread context injection works.
138 00:11:18,480 --> 00:11:26,190 So in the next lesson you are going to do the practical by compiling this and running it.
139 00:11:26,850 --> 00:11:28,540 So that's all for this video.
140 00:11:28,590 --> 00:11:29,330 Thank you.