1
00:00:00,610 --> 00:00:01,160
Hello.

2
00:00:01,180 --> 00:00:03,880
Welcome to a new section on code injection.

3
00:00:04,360 --> 00:00:11,830
This time we are going to take a look at MapView code injection. MapView code injection works by creating

4
00:00:11,830 --> 00:00:17,110
views on sections of memory and mapping them to remote processes.

5
00:00:19,440 --> 00:00:23,600
The basic concepts involved in this injection are the map view.

6
00:00:23,640 --> 00:00:29,970
It is a type of inter-process communication, or IPC, the map view technique.

7
00:00:31,150 --> 00:00:40,360
Mapping views is accomplished by sharing memory between two processes, and the shared memory

8
00:00:40,540 --> 00:00:44,410
in a target process is the mapped view.

9
00:00:45,520 --> 00:00:52,660
Then the execution is done remotely via the target process, and that can happen because

10
00:00:53,050 --> 00:00:57,730
the local view of the memory is being shared remotely.

11
00:00:58,210 --> 00:01:01,060
So that concept is called mapping the view.

12
00:01:03,210 --> 00:01:10,900
Mechanism of MapView injection. In this diagram, on the left we have the malware Trojan with the embedded

13
00:01:10,910 --> 00:01:16,020
shellcode; on the right is the target process, which is going to be injected.

14
00:01:18,450 --> 00:01:23,370
The first step is to create a new section in the malware Trojan's memory.

15
00:01:23,940 --> 00:01:31,890
And this is accomplished by using the API function call NtCreateSection, as you can see here.

16
00:01:32,310 --> 00:01:38,400
After calling this API function, you will get this new section in the memory of the malware Trojan.

17
00:01:40,530 --> 00:01:43,710
The second step involves creating a local view.

18
00:01:44,780 --> 00:01:53,420
A view is actually for accessing a section inside the memory, and this local view is accomplished

19
00:01:53,420 --> 00:02:03,120
by calling the API function NtMapViewOfSection, as you can see here. This blue shaded area is the

20
00:02:03,290 --> 00:02:03,740
local view.

21
00:02:06,580 --> 00:02:15,730
The third step involves copying the shellcode to the newly created section by using the local view.

22
00:02:16,330 --> 00:02:25,180
And this is accomplished by using a copy function named memcpy, which is a C language function.

23
00:02:26,430 --> 00:02:32,820
So after copying the shellcode, the new section will be populated with the shellcode of the malware Trojan,

24
00:02:33,330 --> 00:02:36,360
and it is accessible using the view.

25
00:02:39,660 --> 00:02:46,630
And the fourth step is to create a remote view in the target process, and that is accomplished by using

26
00:02:46,880 --> 00:02:52,260
NtMapViewOfSection, which is actually the same API that was used in step two.

27
00:02:55,420 --> 00:03:02,200
And finally, the fifth step is to execute the shellcode, and this is accomplished by using the API function

28
00:03:02,200 --> 00:03:02,500
call

29
00:03:02,530 --> 00:03:04,510
RtlCreateUserThread.

30
00:03:05,230 --> 00:03:12,880
And in this step, the malware Trojan actually uses the target process's remote view

31
00:03:13,900 --> 00:03:18,880
as a proxy to access the shellcode locally and execute it.

32
00:03:20,440 --> 00:03:27,040
So this is a stealthy technique, because it will appear as though the shellcode is coming from the target

33
00:03:27,040 --> 00:03:29,080
process, rather than from the malware Trojan.

34
00:03:31,710 --> 00:03:37,310
Advantages and disadvantages of MapView injection. Advantages.

35
00:03:38,210 --> 00:03:46,050
Firstly, there is no need to use the VirtualAllocEx and WriteProcessMemory API calls, the classic telltale

36
00:03:46,050 --> 00:03:49,830
signs of process injection, which antivirus can detect.

37
00:03:51,820 --> 00:03:58,690
Another advantage: by sharing memory, we make it appear like a legitimate remote process is executing

38
00:03:58,690 --> 00:03:59,240
the shellcode.

39
00:04:00,190 --> 00:04:07,120
The target process acts as a proxy for the malware; the malware runs the shellcode via the target process,

40
00:04:07,420 --> 00:04:10,930
and this is more stealthy than conventional techniques.

41
00:04:13,390 --> 00:04:21,220
The disadvantages are that it makes use of the API NtMapViewOfSection, which may be monitored by antivirus.

42
00:04:23,200 --> 00:04:27,830
So that's all for the theoretical background concepts on this MapView

43
00:04:27,830 --> 00:04:28,720
code injection.

44
00:04:29,260 --> 00:04:30,670
Thank you for watching.