[00:00:00] Welcome.
[00:00:01] We are now going to look at the explanation for the code that uses the reflective loading technique.
[00:00:12] Download this project, 08 reflective loading, unzip it and put it in the maldev folder.
[00:00:21] Within it, you find all these files, and also note a folder called Trojan.
[00:00:29] All of these files are used to create the reflective loader. Whatever you want to do,
[00:00:35] you need to put it in the DLL file, so you need to create a DLL first.
[00:00:41] So this is a DLL that will contain whatever things you want to run.
[00:00:47] And then you have to compile this into a DLL, and in the process of compiling
[00:00:52] you need to also include Stephen Fewer's source code.
[00:00:58] We need both for the reflective DLL to work.
[00:01:02] So let's take a look at this zip file.
[00:01:06] So we open it in Notepad++ and you can see here this is how you include the reflective DLL.
[00:01:16] You have a library; all you need to do is include the header file, which is this header file here.
[00:01:24] So in this header file here we include the source code for your reflective library.
[00:01:35] So just by putting this line here, you totally convert this entire source code into a reflective DLL.
[00:01:45] So after you have compiled this reflective DLL, you would take the binary of the DLL and then put it inside your Trojan.
[00:01:58] And then once that Trojan runs, it will take the DLL
[00:02:04] embedded inside it, load it into memory, and then execute it.
[00:02:11] So this is how it works.
[00:02:14] So let's take a look at this.
[00:02:16] Yeah, this first.
[00:02:18] So this is the part where you put your Microsoft Paint shellcode or any shellcode.
[00:02:25] So here we go.
[00:02:26] We created the shellcode in the lesson from the first course.
[00:02:32] And we used Metasploit to create this shellcode, which opens Microsoft Paint.
[00:02:42] So the binary of the shellcode is this one.
[00:02:46] The Microsoft Paint shellcode is a .bin file, so you need to open it.
[00:02:54] And in this, this inside here.
[00:02:57] And then from here, you need to export
[00:03:00] a C file.
[00:03:02] So once you export the C file, you can save it in this folder, and then you can call it any name; for example, you can call it
[00:03:20] mspaint
[00:03:24] shellcode.
[00:03:30] So now you have the shellcode.
[00:03:35] Over here.
[00:03:37] Right.
[00:03:37] So you can now open this.
[00:03:41] You just copy all of this
[00:03:44] and then put it in here.
[00:03:47] That's how we got this.
[00:03:50] So we're here, and then we need this to be
[00:04:00] the same as the sample here, so you can use this.
[00:04:08] So this is a reflective DLL.
[00:04:11] So when it runs, it is going to run your
[00:04:17] Run, which is our function here.
[00:04:22] And this code will be allocating memory using VirtualAlloc.
[00:04:30] And then here you can put your options and decrypt, if your
[00:04:35] payload was encrypted; in this case, it is not.
[00:04:40] And then here you copy the payload to your allocated memory and change the protection to become executable and readable using VirtualProtect.
[00:04:53] And finally, execute it using CreateThread.
[00:04:58] So all of this will be created on the fly again; reflective DLL, note:
[00:05:07] this thing is only being created during the reflective loading process.
[00:05:15] That is how useful it is: before that, it does not exist.
[00:05:21] So let's take a look.
[00:05:22] Now let's look at the reflective DLL code.
[00:05:27] So this is the reflective DLL code here; the reflective DLL code is written by Stephen Fewer.
[00:05:40] So we just use it as it is without any changes.
[00:05:46] It is a very complicated piece of code, but basically what it is doing
[00:05:52] can be understood by looking at this diagram here.
[00:06:00] So the reflective loader will create the headers in memory.
[00:06:06] Here, the headers,
[00:06:08] all of these directories and also the section tables and also the various sections, all of this would be done dynamically.
[00:06:19] It would then
[00:06:22] grab hold of
[00:06:25] all the code from
[00:06:29] this loaded process itself and copy it to another location in memory.
[00:06:35] The reflective DLL will do that, and then as it copies, it creates all the various sections, from here
[00:06:44] all the way down to the section here, and it will then relocate in memory as well, inside the memory region.
[00:06:52] And then you execute.
[00:06:57] All right.
[00:06:57] So the next step is to compile this.
[00:07:00] So after this thing has been compiled, you will get the DLL.
[00:07:06] So after you have compiled the DLL, you will AES-encrypt it.
[00:07:14] This is to have another layer of obfuscation.
[00:07:18] So it is entirely optional.
[00:07:20] So once you have AES-encrypted it, you then copy the DLL as well as the key for AES.
[00:07:33] Let's take a look at this.
[00:07:36] This is a Python script.
[00:07:39] So what it does is it will create two separate arrays.
[00:07:44] One is your AES key, which is randomly generated here,
[00:07:49] get random bytes for the key, and then here it is formatted in hex format.
[00:07:56] And then here it will also generate the AES ciphertext.
[00:08:03] Over here, this is where it prints it out in a format for C.
[00:08:10] So you have the encrypted DLL as well as the key, and you will copy all those out and put them in your reflective Trojan.
[00:08:20] Here is the payload, and here we have the key.
[00:08:25] After you build it, you will find that this reflective Trojan, as you can see, uses
[00:08:31] WinMain, which makes it stealthy.
[00:08:33] No console.
[00:08:35] So when this thing runs, it will allocate memory and then decrypt the payload and then copy the payload
[00:08:44] to the newly allocated memory up here.
[00:08:48] Then change the protection of the allocated memory to become readable and executable, then look for the ReflectiveLoader,
[00:08:56] the ReflectiveLoader function.
[00:09:01] Now, the reflective DLL library has got a ReflectiveLoader function.
[00:09:08] So you can see it in here.
[00:09:12] The ReflectiveLoader.
[00:09:18] This is the ReflectiveLoader function.
[00:09:24] So you are finding that function.
[00:09:34] Once you find that ReflectiveLoader function, finally, over here, you save it to the offset.
[00:09:41] And then after that, you can create a thread by using CreateThread, and then putting the offset,
[00:09:49] adding the offset to the base address of your allocated memory, which is here.
[00:09:56] So then the ReflectiveLoader executes.
[00:10:00] It executes and then it builds your executable file in memory, piece by piece,
[00:10:09] until you get everything created and loaded in memory, and once that is completed, it will then create
[00:10:18] a thread.
[00:10:21] And you give it about five thousand milliseconds for it to do all that.
[00:10:27] So that's why you see 5000 in here.
[00:10:31] So this code here, GetReflectiveLoaderOffset, is also provided by Stephen Fewer.
[00:10:38] Over here,
[00:10:40] in here, so all these are adapted from Stephen Fewer's
[00:10:44] library functions.
[00:10:47] So this is how the code for the reflective DLL Trojan works.
[00:10:53] Thank you for watching.