1
00:00:01,010 --> 00:00:08,390
Welcome. In this video, we're going to discuss the APIs used in Early Bird APC injection.

2
00:00:09,470 --> 00:00:14,660
You may download these notes, with the links that I provided for you, from the resource section.

3
00:00:15,630 --> 00:00:22,860
And it contains some of the extra readings that will help you understand some of the APIs that are being

4
00:00:22,860 --> 00:00:23,250
used.

5
00:00:25,910 --> 00:00:33,710
Also, go and download this lesson, zero seven, Early Bird APC injection, and unzip it and put it in the

6
00:00:33,710 --> 00:00:42,470
folder. Inside you find all the similar files used in the previous lessons, the

7
00:00:42,470 --> 00:00:44,660
[inaudible], and this is something new.

8
00:00:45,980 --> 00:00:47,540
So let's open the source code.

9
00:00:47,780 --> 00:00:49,310
We've got the C++.

10
00:00:53,240 --> 00:00:59,990
We also use the same shellcode payload, which is the shellcode used to open a pop-up message box.

11
00:01:01,720 --> 00:01:02,940
Everything is the same.

12
00:01:04,100 --> 00:01:11,000
There is only one function, the main function, and you see here we create some of the structures,

13
00:01:11,600 --> 00:01:18,020
some of the object variables which are used for process creation, which are STARTUPINFO and

14
00:01:18,020 --> 00:01:19,130
PROCESS_INFORMATION.

15
00:01:20,770 --> 00:01:26,440
And over here we zero those objects; before we use them, we need to zero them.

16
00:01:26,800 --> 00:01:34,030
So this is a convenient function for easy zeroing out of the si variable and the pi variable.

17
00:01:35,320 --> 00:01:37,360
And both are being used in the

18
00:01:38,140 --> 00:01:40,330
CreateProcess API, as you can see here.

19
00:01:41,170 --> 00:01:47,830
So after you zero out these two variables which are used in this process, you can now use this new function

20
00:01:47,840 --> 00:01:52,780
CreateProcess to open our target.

21
00:01:53,020 --> 00:01:58,250
Our target is Microsoft Paint. To get a better understanding of this API,

22
00:01:58,270 --> 00:02:01,000
you can go and refer to this link here,

23
00:02:01,330 --> 00:02:05,710
CreateProcess from the MSDN documentation.

24
00:02:11,250 --> 00:02:13,980
This is the documentation for CreateProcess here.

25
00:02:15,360 --> 00:02:19,140
So this function creates a new process and its primary thread.

26
00:02:21,540 --> 00:02:25,710
And these are the parameters to the function.

27
00:02:28,490 --> 00:02:33,140
So you can see the important ones are the second parameter and the sixth parameter.

28
00:02:34,970 --> 00:02:39,380
The second parameter is the name of the program that you want to start.

29
00:02:39,860 --> 00:02:47,420
And the sixth parameter is the creation flags, and you want to create the process in a suspended state.

30
00:02:47,780 --> 00:02:50,270
So you have to pass the CREATE_SUSPENDED flag.

31
00:02:51,830 --> 00:02:59,990
And then the last two parameters are the STARTUPINFO and the PROCESS_INFORMATION objects which we declared

32
00:02:59,990 --> 00:03:00,260
here.

33
00:03:05,080 --> 00:03:08,920
So the important one is the second line, second parameter.

34
00:03:10,090 --> 00:03:19,300
The command line is mspaint; suspended is the sixth parameter, sixth parameter, creation flags, right?

35
00:03:20,710 --> 00:03:21,800
So the creation flag?

36
00:03:22,700 --> 00:03:26,530
Yes, you can look at the process creation flags here.

37
00:03:27,940 --> 00:03:33,790
In this documentation, the creation flag can be any one of these.

38
00:03:34,210 --> 00:03:40,030
And the one we're interested in is the suspended, CREATE_SUSPENDED, creation flag.

39
00:03:42,420 --> 00:03:48,960
And the primary thread of the new process is created in a suspended state, and does not run until the Resume

40
00:03:49,110 --> 00:03:50,130
Thread function is called.

41
00:03:51,390 --> 00:03:58,980
So once you have created a process in suspended state, you can resume it later on down here, where we

42
00:03:58,980 --> 00:04:00,810
use the ResumeThread function.

43
00:04:02,740 --> 00:04:09,160
So the next thing is you can add any additional decryption code or function call for decrypting the payload

44
00:04:09,700 --> 00:04:12,190
if you use some kind of encrypted payload.

45
00:04:13,220 --> 00:04:14,640
And that is entirely optional.

46
00:04:14,660 --> 00:04:21,650
It's up to you. After that, we allocate memory for the payload and copy the shellcode to it by using the

47
00:04:21,650 --> 00:04:23,300
VirtualAllocEx function.

48
00:04:24,110 --> 00:04:25,970
And then we pass these parameters.

49
00:04:26,780 --> 00:04:33,670
The first one is the handle of the process, which can be extracted from the PROCESS_INFORMATION pi.

50
00:04:34,650 --> 00:04:37,680
Here is the documentation for the PROCESS_INFORMATION structure.

51
00:04:38,580 --> 00:04:39,750
The members are here.

52
00:04:41,450 --> 00:04:45,470
So you can see it's got one, two, three, four members.

53
00:04:45,890 --> 00:04:48,530
And in order to get the

54
00:04:50,360 --> 00:04:56,180
handle to the process, you will access the first member, hProcess, over here.

55
00:04:58,310 --> 00:05:05,450
Then you also pass the length of the payload for the size of the allocated region, and over here when

56
00:05:05,450 --> 00:05:14,360
you create it, you want to create it as executable, readable. Next, you write to the newly allocated region

57
00:05:14,360 --> 00:05:19,130
of memory using the WriteProcessMemory API, and for the first parameter

58
00:05:19,130 --> 00:05:25,280
you pass the handle to the process, and the allocated region, which you got back from the previous call,

59
00:05:26,030 --> 00:05:32,690
and the shellcode payload, which is this shellcode here, and also the size of the payload.

60
00:05:34,160 --> 00:05:35,480
The next one is the important one.

61
00:05:35,510 --> 00:05:41,930
This is where you put your job into the APC queue of the thread.

62
00:05:42,650 --> 00:05:47,870
So this QueueUserAPC function is the same one as you used before.

63
00:05:48,350 --> 00:05:50,210
So you pass three parameters to it.

64
00:05:50,660 --> 00:05:56,600
The first one is the allocated region of memory, which now contains the shellcode coming from the previous

65
00:05:56,600 --> 00:05:59,390
call, and also the handle to the thread.

66
00:06:00,380 --> 00:06:01,130
So the handle to

67
00:06:01,130 --> 00:06:11,030
the thread is obtainable through the PROCESS_INFORMATION pi, using the hThread member, which is seen

68
00:06:11,030 --> 00:06:15,330
here; the second member of the structure is the handle to the thread.

69
00:06:18,620 --> 00:06:25,490
And then you print some debugging information so that we can see the addresses of the remote address

70
00:06:26,000 --> 00:06:26,990
which has been allocated.

71
00:06:28,490 --> 00:06:33,020
And then over here you will pause for the user to press Enter.

72
00:06:33,920 --> 00:06:35,660
And finally, you resume the thread.

73
00:06:36,290 --> 00:06:39,050
So the ResumeThread API is explained here.

74
00:06:40,810 --> 00:06:47,230
Yes, there's one parameter, the handle to the thread, which is here, specified here, and once you call

75
00:06:47,230 --> 00:06:53,770
this, the thread will resume execution and execute your job in the APC queue.

76
00:06:54,460 --> 00:07:00,670
It will totally abandon whatever code it was supposed to execute because it has not reached the entry

77
00:07:00,670 --> 00:07:01,180
point yet.

78
00:07:01,600 --> 00:07:09,550
So this is how you can camouflage your shellcode inside a newly created process.

79
00:07:11,470 --> 00:07:14,830
So that's all for this explanation of the APIs.

80
00:07:15,190 --> 00:07:16,180
Thank you for watching.