1
00:00:00,760 --> 00:00:01,530
Hello.

2
00:00:01,690 --> 00:00:10,300
In this video, we're going to do a practical walkthrough on this view injection, so use the same folder

3
00:00:10,300 --> 00:00:12,700
that we did in the previous lesson.

4
00:00:14,020 --> 00:00:14,950
So we're going to build it.

5
00:00:14,980 --> 00:00:18,460
So let's open the x64 Native Tools command prompt.

6
00:00:20,520 --> 00:00:25,800
And navigate to this folder, so click on this.

7
00:00:25,860 --> 00:00:26,970
Right click, Copy.

8
00:00:28,440 --> 00:00:40,650
Come back to your x64 Native Tools command prompt and cd directly to it, and then compile the program by

9
00:00:40,650 --> 00:00:43,470
using the compile script. Hit enter.

10
00:00:47,160 --> 00:00:48,960
So now it he or the.

11
00:00:50,190 --> 00:00:56,010
And you should open Microsoft Paint, because the target is Microsoft Paint.

12
00:00:57,300 --> 00:00:59,040
So let's run Microsoft Paint.

13
00:01:04,280 --> 00:01:10,880
And because Paint is running now, we run our exe, our malware.

14
00:01:14,430 --> 00:01:15,030
Hit enter.

15
00:01:17,570 --> 00:01:22,970
And you will see here it prints the PID for Microsoft Paint: two three zero eight.

16
00:01:23,540 --> 00:01:25,890
It also prints the address of the payload,

17
00:01:26,780 --> 00:01:32,000
the remote view address and local view address, because that was what we wanted.

18
00:01:32,540 --> 00:01:40,130
We wanted to inspect the addresses, so we are putting all this information here.

19
00:01:41,800 --> 00:01:48,610
All right, so now we're going to do some analysis, so you can see that the payload, here is its

20
00:01:48,610 --> 00:01:49,180
address.

21
00:01:49,750 --> 00:01:54,220
So let's go to this address by using Process Hacker.

22
00:01:57,630 --> 00:02:03,480
So in Process Hacker, we can look at the address of the payload.

23
00:02:04,890 --> 00:02:12,650
So we go to this malware, Memory section, and here we are: two one four zero zero one zero zero zero.

24
00:02:12,660 --> 00:02:14,130
It would be different for your case.

25
00:02:17,280 --> 00:02:20,730
Over here, one four one zero zero zero.

26
00:02:21,210 --> 00:02:27,240
So just click on this and that is your payload.

27
00:02:28,380 --> 00:02:35,370
Here is your payload shellcode that is supposed to show the message box over here.

28
00:02:36,540 --> 00:02:39,480
Now let's take a look at another one, local view.

29
00:02:40,650 --> 00:02:43,890
So local view will be this address.

30
00:02:45,200 --> 00:02:48,740
One C followed by four zero zero two one C.

31
00:02:52,550 --> 00:03:01,050
Over here, one C four followed by four zeros, and you can see over here is the same tail ending with these

32
00:03:01,470 --> 00:03:08,550
strings, so this local view is our view to the new section in the local process.

33
00:03:09,780 --> 00:03:14,570
All right, now let's take a look at the remote view, so for the remote view,

34
00:03:14,880 --> 00:03:20,180
we will go to the Microsoft Paint, which is over here.

35
00:03:23,340 --> 00:03:24,500
This is the target.

36
00:03:25,310 --> 00:03:30,590
So look for this address in the Microsoft Paint: two eight five four followed by four zeros.

37
00:03:37,950 --> 00:03:46,260
And here it is, two eight five four zero, so double click on it and you will see your payload is over here.

38
00:03:46,860 --> 00:03:50,190
Here to here, the strings for the message box.

39
00:03:51,200 --> 00:04:00,300
So this is the remote view that is mapped from the target process, which is Microsoft Paint, and back

40
00:04:00,300 --> 00:04:02,280
to your malware.

41
00:04:02,820 --> 00:04:07,290
So this is how your view code injection works.

42
00:04:08,550 --> 00:04:12,210
So let's continue with the execution of this presenter.

43
00:04:13,820 --> 00:04:21,580
And you can see immediately the pop-up box is shown here.

44
00:04:22,940 --> 00:04:27,680
So if you use this tool here.

45
00:04:31,850 --> 00:04:39,280
Drag this find-window tool to here, onto the pop-up message box, and release.

46
00:04:40,190 --> 00:04:48,560
It shows you the parent for this pop-up message box is Microsoft Paint with process ID two three zero

47
00:04:48,560 --> 00:04:54,620
eight, matches this one here, and also matches the same two three zero eight.

48
00:04:57,150 --> 00:05:05,440
You head over to the Memory section and scroll down to the RWX executable section, and the protection,

49
00:05:05,830 --> 00:05:07,270
you should be able to find it over here.

50
00:05:08,970 --> 00:05:12,120
Over here, two, eight, five four four zero.

51
00:05:13,170 --> 00:05:15,120
And this is a mapped section.

52
00:05:16,320 --> 00:05:17,830
And here you see your shellcode.

53
00:05:20,290 --> 00:05:21,580
From here to here.

54
00:05:23,360 --> 00:05:28,210
So this is how you do your view code injection.

55
00:05:28,730 --> 00:05:31,670
The practical walkthrough, thank you for watching.

56
00:05:31,880 --> 00:05:32,900
I'll see you in the next one.