1
00:00:01,290 --> 00:00:02,460
Hello and welcome back.

2
00:00:02,760 --> 00:00:08,670
We are now going to discuss the API functions used in MapView injection.

3
00:00:09,420 --> 00:00:17,760
So please download this project, zero five MapView injection zip, and put it onto the

4
00:00:17,760 --> 00:00:18,000
desktop.

5
00:00:19,430 --> 00:00:21,440
Inside it, you will find a few files:

6
00:00:22,040 --> 00:00:30,680
a compile batch file, which is to compile this source code into an EXE, and you have also the message box

7
00:00:30,950 --> 00:00:39,050
binary shellcode and a file with the shellcode properly formatted for use in the C program.

8
00:00:39,950 --> 00:00:47,330
Let's take a look at the source code for this malware by opening the source file.

9
00:00:50,360 --> 00:00:56,510
On top, we have the usual includes, and here you see the same shellcode for showing a message box pop

10
00:00:56,510 --> 00:01:04,490
up, created on Kali Linux using Metasploit, like we have seen several times before.

11
00:01:05,600 --> 00:01:13,160
And here you find some typedefs for the function pointers and structures that are used in this

12
00:01:13,580 --> 00:01:14,080
malware.

13
00:01:15,730 --> 00:01:22,240
And if you want to know more information, go down to the notes that I provide for you here.

14
00:01:24,510 --> 00:01:30,990
So these notes will give you all the links where you can go and read in detail about some

15
00:01:30,990 --> 00:01:34,200
of these structures and function pointers.

16
00:01:40,190 --> 00:01:44,990
Over here, you see the same function that we used before: search process.

17
00:01:46,340 --> 00:01:48,710
And here we have something new: inject view.

18
00:01:49,580 --> 00:01:51,680
So this is a user defined function.

19
00:01:52,520 --> 00:02:00,650
It takes these parameters: the handle to the process that you want to inject, the payload itself

20
00:02:00,800 --> 00:02:01,510
and the length.

21
00:02:02,840 --> 00:02:06,020
Inside it, you create a

22
00:02:07,180 --> 00:02:14,230
new section, but before that, you need to get the proc address for NtCreateSection by using this

23
00:02:14,230 --> 00:02:14,630
function.

24
00:02:15,340 --> 00:02:17,620
The reason we do this is to be stealthy.

25
00:02:18,730 --> 00:02:22,570
So this is dynamic run-time loading, as we have done before.

26
00:02:23,650 --> 00:02:26,350
So NtCreateSection comes from ntdll.

27
00:02:27,010 --> 00:02:37,540
So after you've got the address for this function, you save it into this function pointer, and then over

28
00:02:37,540 --> 00:02:40,840
here you will use the function pointer to

29
00:02:41,860 --> 00:02:46,360
create a new section, and this is undocumented.

30
00:02:48,760 --> 00:02:52,000
You can go and look at the undocumented APIs over here,

31
00:02:52,460 --> 00:02:53,410
at this site.

32
00:02:57,180 --> 00:03:07,590
So this website has got a list of undocumented APIs. If you want to search for an API which is undocumented,

33
00:03:07,920 --> 00:03:13,320
you just need to click on the search button and type in here the API that you are looking for.

34
00:03:15,030 --> 00:03:19,770
So, for example, in this one, NtCreateSection accepts these parameters.

35
00:03:21,840 --> 00:03:25,980
The first one, section handle, desired access, object attributes and so on.

36
00:03:26,910 --> 00:03:31,710
And now in the MSDN library, there is no such API.

37
00:03:31,770 --> 00:03:35,370
But there is something similar, called the ZwCreateSection function.

38
00:03:36,840 --> 00:03:38,760
So the parameters are the same.

39
00:03:39,060 --> 00:03:40,290
Strikingly similar.

40
00:03:41,290 --> 00:03:47,170
And if you want to read the details, you can read the Microsoft MSDN for this API instead.

41
00:03:50,370 --> 00:03:56,340
So let's take a look at this. In here, we specify the handle to the section

42
00:03:56,470 --> 00:03:57,210
we're going to create.

43
00:03:57,900 --> 00:04:05,370
So after you've successfully called this function, you get the handle to this section.

44
00:04:06,980 --> 00:04:14,000
And you want to use all access for the permissions of this section, and the section size: now

45
00:04:14,870 --> 00:04:20,240
here you specify the length of the payload so that you would create the size of the section large enough

46
00:04:20,240 --> 00:04:20,900
for your payload.

47
00:04:21,710 --> 00:04:29,680
And you also are going to make it executable, readable and writable, and committed, and the last parameter

48
00:04:29,700 --> 00:04:30,230
is NULL.

49
00:04:30,230 --> 00:04:37,040
Normally that is NULL. Next, you want to call NtMapViewOfSection.

50
00:04:37,370 --> 00:04:42,860
So we need to use GetProcAddress to dynamically look up the address of this function.

51
00:04:43,430 --> 00:04:49,160
And this function also comes from ntdll, and after you've got the address, you receive it in this function

52
00:04:49,160 --> 00:04:53,060
pointer, and over here you will use it to create a local view.

53
00:04:53,810 --> 00:04:55,460
So this is how you create the local view.

54
00:04:56,060 --> 00:05:04,580
And if you want to read more about this, you can also refer to the undocumented functions website here,

55
00:05:04,580 --> 00:05:15,380
which describes all this, and the Microsoft MSDN has something almost similar to this API.

56
00:05:17,160 --> 00:05:23,860
So this one here, you specify the handle to the section, which you got from the previous API, and

57
00:05:23,880 --> 00:05:32,040
here you specify the current process, because in this first call you are making this view,

58
00:05:32,140 --> 00:05:40,440
yeah, getting the local view, and then over here is a pointer to the local view, which you created

59
00:05:40,440 --> 00:05:42,420
here as a void pointer.

60
00:05:43,200 --> 00:05:47,340
And then here it is NULL, and now you specify the buffer length.

61
00:05:47,760 --> 00:05:54,030
And here you specify a special kind of struct, an enumeration, over here.

62
00:05:55,290 --> 00:06:03,510
So this enumeration is also undocumented, and you can go and read up by referring to these references

63
00:06:03,510 --> 00:06:04,410
I have given to you.

64
00:06:06,100 --> 00:06:06,880
The

65
00:06:10,700 --> 00:06:18,860
SECTION_INHERIT, this one, the section inherit enumeration, you can read about by referring to this, so you need to specify

66
00:06:18,860 --> 00:06:23,990
this ViewUnmap as the parameter for this.

67
00:06:25,100 --> 00:06:29,620
And finally put NULL for the next parameter and set it to be readable and writable.

68
00:06:30,950 --> 00:06:38,570
So after you call this API, a local view will be created so that you can access your section.

69
00:06:40,450 --> 00:06:47,290
So at this point in time, what have you done, what have you accomplished?

70
00:06:48,060 --> 00:06:49,250
NtCreateSection

71
00:06:49,810 --> 00:06:56,890
is this part here, where we created a section, and then here NtMapViewOfSection:

72
00:06:57,070 --> 00:07:05,200
we created a local view because for the second parameter we specified the local process, and it corresponds

73
00:07:05,200 --> 00:07:05,920
to this one.

74
00:07:06,210 --> 00:07:08,890
Create local view, to create this view here.

75
00:07:10,300 --> 00:07:14,710
After that, we need to copy the shellcode to the local section.

76
00:07:15,010 --> 00:07:22,510
So we use memcpy; that corresponds to this part of the diagram: copy the shellcode over to your local view.

77
00:07:24,730 --> 00:07:26,200
This is the section you created.

78
00:07:27,910 --> 00:07:30,310
Again, you create a view of it.

79
00:07:31,150 --> 00:07:35,410
And now you are copying the shellcode to your section that you created.

80
00:07:36,640 --> 00:07:41,740
Next thing is to create the remote view.

81
00:07:42,010 --> 00:07:49,810
And again, you call NtMapViewOfSection, but this time, the second parameter is different from the first time

82
00:07:49,810 --> 00:07:50,230
you called it.

83
00:07:50,230 --> 00:07:52,330
This time you specify the target process.

84
00:07:53,140 --> 00:07:55,480
So this target process will be this one here.

85
00:07:55,510 --> 00:07:57,340
It could be Microsoft Paint.

86
00:07:58,330 --> 00:08:03,490
You'll be doing the lab practically, and it could be any other process which you want to target.

87
00:08:04,660 --> 00:08:08,400
So this makes the difference between the fourth and second stage.

88
00:08:08,410 --> 00:08:15,190
In the second stage, you specify the second parameter to be the current process, because you are creating

89
00:08:15,190 --> 00:08:15,850
a local view.

90
00:08:17,110 --> 00:08:24,610
But in this fourth stage, you specify the second parameter to be the target process in order to create this

91
00:08:24,610 --> 00:08:25,210
remote view.

92
00:08:26,530 --> 00:08:34,090
So after you've done this, you have a remote view that the target process is now sharing with your

93
00:08:35,860 --> 00:08:38,090
memory from the malware process.

94
00:08:38,090 --> 00:08:42,310
So the section shares its memory using the remote view.

95
00:08:44,370 --> 00:08:46,110
And then here you print some messages.

96
00:08:46,500 --> 00:08:50,920
And over here you will then call the function

97
00:08:51,660 --> 00:08:52,410
RtlCreateUserThread.

98
00:08:53,740 --> 00:08:55,660
So for RtlCreateUserThread,

99
00:08:56,380 --> 00:09:01,450
you need to get its address dynamically by using GetProcAddress.

100
00:09:01,910 --> 00:09:04,750
And once you get it, you will call your function here.

101
00:09:05,350 --> 00:09:06,640
So this is the meat.

102
00:09:07,060 --> 00:09:08,380
This is where the magic happens.

103
00:09:08,380 --> 00:09:16,320
Once you call RtlCreateUserThread, what you are doing is you are executing the shellcode remotely.

104
00:09:16,660 --> 00:09:24,310
That means you are using the target process as a proxy to execute your own memory, which you have shared

105
00:09:24,310 --> 00:09:25,300
with your target process.

106
00:09:25,780 --> 00:09:29,170
So this is the usefulness of RtlCreateUserThread.

107
00:09:30,100 --> 00:09:31,510
So RtlCreateUserThread

108
00:09:31,780 --> 00:09:33,610
is also an undocumented function.

109
00:09:33,610 --> 00:09:43,300
You can read here about the various parameters, and here the important one is the first parameter, where

110
00:09:43,420 --> 00:09:49,360
you specify the target process, and also this parameter here,

111
00:09:50,370 --> 00:09:58,680
the seventh parameter, where you specify the address of the remote view that you are going to use in order

112
00:09:58,680 --> 00:10:07,230
to access the memory, and also the handle to the thread which will be created once this call succeeds;

113
00:10:07,950 --> 00:10:12,330
the last is the thread ID, which you created here.

114
00:10:13,540 --> 00:10:14,320
You declared it,

115
00:10:14,620 --> 00:10:15,370
as you can see here.

116
00:10:16,780 --> 00:10:22,630
So after you create the thread to execute, then you wait for it, because this is concurrent processing.

117
00:10:23,050 --> 00:10:28,420
So the thread you are running is concurrent with the main process.

118
00:10:29,920 --> 00:10:33,110
And then here is your main function, which ties it all together.

119
00:10:33,940 --> 00:10:35,660
The first step is this search process.

120
00:10:35,680 --> 00:10:38,560
In this case, you'll be targeting Microsoft Paint.

121
00:10:39,100 --> 00:10:40,390
So after searching, you get a PID.

122
00:10:41,470 --> 00:10:45,910
And here you use the PID to open the process.

123
00:10:46,940 --> 00:10:54,160
And then you store the handle to the opened process, and down here, you pass this process handle as a parameter

124
00:10:54,170 --> 00:10:58,010
to inject view, along with the shellcode and the length of the shellcode.

125
00:10:58,610 --> 00:11:09,560
So this is how you use MapView injection in the malware. In the next video, you are going to compile

126
00:11:09,560 --> 00:11:13,280
and run this. That's all for this video.

127
00:11:13,310 --> 00:11:14,540
Thank you for watching.