1
00:00:00,940 --> 00:00:06,970
Hello, welcome to a new section. This time we are going to study a new injection technique.

2
00:00:07,480 --> 00:00:14,320
It is called asynchronous procedure call injection, where we'll be injecting a callback function

3
00:00:14,320 --> 00:00:18,280
into remote processes. Basic concepts:

4
00:00:18,940 --> 00:00:25,750
It is a kind of callback function mechanism, by putting instructions in the memory queue of a running thread.

5
00:00:26,710 --> 00:00:28,420
When it enters an alertable state,

6
00:00:28,900 --> 00:00:32,920
it will notice the queue and execute the instructions in the queue.

7
00:00:33,880 --> 00:00:37,740
The term asynchronous means not executing immediately.

8
00:00:38,350 --> 00:00:40,990
It can execute any time in the future.

9
00:00:44,210 --> 00:00:46,080
An example of APC.

10
00:00:46,650 --> 00:00:53,190
For example, if a process wants to read a file, it will make a request to the operating system.

11
00:00:54,300 --> 00:01:03,000
But opening a file is slow, so the process will not stop and wait, but allows the OS to open the

12
00:01:03,000 --> 00:01:06,930
file while the process continues to do other things.

13
00:01:07,800 --> 00:01:15,180
Once the file is ready, the operating system will inform the process, and upon that the process will execute

14
00:01:15,180 --> 00:01:16,920
the instructions in the queue.

15
00:01:18,650 --> 00:01:24,290
Mechanism of APC injection. On the left, we have a malware Trojan.

16
00:01:24,830 --> 00:01:25,700
It has an embedded shellcode.

17
00:01:27,420 --> 00:01:32,070
On the right, we have a target process, which we are attacking.

18
00:01:33,190 --> 00:01:36,400
Inside the target process is a thread.

19
00:01:37,060 --> 00:01:39,790
It is a running thread which is being executed.

20
00:01:42,210 --> 00:01:45,150
The first step is to search for the thread.

21
00:01:47,330 --> 00:01:53,870
So the malware searches for the process, and once it finds it, it will search for the thread within the

22
00:01:53,870 --> 00:01:54,440
process.

23
00:01:55,310 --> 00:01:57,020
And this we have seen before.

24
00:01:59,040 --> 00:02:05,940
The second step is, after having found the process and the target thread,

25
00:02:06,690 --> 00:02:08,490
it will then allocate memory

26
00:02:09,550 --> 00:02:17,890
in the target process. It does that by using the API function called

27
00:02:18,070 --> 00:02:18,540
VirtualAllocEx.

29
00:02:22,660 --> 00:02:27,430
So in here, the blue shaded box shows the newly allocated memory.

30
00:02:29,990 --> 00:02:36,140
Next, the malware inserts the shellcode into this newly allocated memory.

31
00:02:38,420 --> 00:02:43,970
It does that by using the API function called WriteProcessMemory.

32
00:02:44,780 --> 00:02:49,430
So both of these APIs have been used before in previous lessons.

33
00:02:51,870 --> 00:02:56,520
So now the shellcode has been copied over to the newly allocated memory over here.

34
00:02:59,070 --> 00:02:59,430
Next,

35
00:03:00,060 --> 00:03:03,960
the malware will then add this shellcode to the queue,

36
00:03:04,140 --> 00:03:04,980
the APC queue.

37
00:03:07,310 --> 00:03:12,590
It does that by using the API function called QueueUserAPC.

38
00:03:15,030 --> 00:03:18,420
So now the shellcode has been added into the queue,

39
00:03:18,900 --> 00:03:19,950
the APC queue.

40
00:03:22,650 --> 00:03:28,860
Then the next step is to wait for the thread to enter an alertable state.

41
00:03:31,220 --> 00:03:40,940
Alertable states: one of these states here. When the thread calls any of these functions, it will enter

42
00:03:40,940 --> 00:03:47,590
the alertable state, for example SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx,

43
00:03:47,600 --> 00:03:50,180
WaitForSingleObjectEx.

44
00:03:52,320 --> 00:04:01,230
So these states can be entered, usually by some kind of task involving file operations, for

45
00:04:01,230 --> 00:04:01,740
example.

46
00:04:02,760 --> 00:04:10,320
Once the thread enters an alertable state, it will notice the shellcode instructions in the queue, and so it

47
00:04:10,320 --> 00:04:14,260
will go there and then it will execute the code.

48
00:04:17,680 --> 00:04:27,580
Advantages and disadvantages of asynchronous procedure call injection. Advantages: delayed execution

49
00:04:27,580 --> 00:04:31,570
of shellcode hides the chain of causation between malware and target.

50
00:04:32,950 --> 00:04:40,480
The alertable state is triggered not by the malware but by the target process, so the user will not suspect that the

51
00:04:40,520 --> 00:04:42,560
malware process is responsible.

52
00:04:44,620 --> 00:04:54,040
Disadvantages: it needs to wait for the thread to enter an alertable state and is therefore slow and uncertain.

53
00:04:55,780 --> 00:05:04,150
It uses the VirtualAllocEx and WriteProcessMemory API functions, which are usually detected by antivirus unless

54
00:05:04,300 --> 00:05:05,050
obfuscated.

55
00:05:07,530 --> 00:05:11,580
That is all for the theoretical background on APC injection.

56
00:05:12,000 --> 00:05:13,110
Thank you for watching.