1
00:00:01,100 --> 00:00:08,820
Welcome back. In this video, we're going to look at obfuscating reflective loader strings.

2
00:00:11,480 --> 00:00:14,540
In a previous session, we've already built our Trojan.

3
00:00:14,970 --> 00:00:19,850
You know, the DLL, and also embedded it inside,

4
00:00:20,170 --> 00:00:21,920
you know, in fact, the Trojan.

5
00:00:25,320 --> 00:00:28,180
There is a string inside.

6
00:00:28,570 --> 00:00:33,960
The reflective DLL can be detected by antivirus scanners.

7
00:00:34,950 --> 00:00:43,440
So if you look at the DLL using PE Studio, which I have just opened from here, to look at the reflective DLL

8
00:00:43,650 --> 00:00:44,160
exports.

9
00:00:45,230 --> 00:00:49,070
So I drag the reflective DLL into PE Studio.

10
00:00:50,470 --> 00:00:58,930
And then look at the exports; you will find that the exports contain the function ReflectiveLoader.

11
00:00:59,890 --> 00:01:04,600
And this can be detected by antivirus effectively.

12
00:01:04,650 --> 00:01:07,570
Now, the technique is already well known.

13
00:01:10,170 --> 00:01:19,020
So another problem is when you run the Trojan, you can also see the string ReflectiveLoader in memory.

14
00:01:19,830 --> 00:01:23,340
So let us now use x64dbg.

15
00:01:26,380 --> 00:01:28,420
And load the Trojan.

16
00:01:30,150 --> 00:01:31,530
Reflective Trojan.

17
00:01:33,540 --> 00:01:38,130
My options settings, under Preferences, entry point is checked.

18
00:01:39,810 --> 00:01:51,240
Now I'll put a breakpoint on CreateThread. Type bp CreateThread, hit enter, breakpoint set, and you can

19
00:01:51,240 --> 00:01:52,110
go to Breakpoints.

20
00:01:52,110 --> 00:02:01,530
You can see I have one breakpoint on CreateThread, so now I'll run this and it hit my CreateThread breakpoint,

21
00:02:02,190 --> 00:02:09,750
and now let it execute the CreateThread API function by clicking this icon, Run to user code.

22
00:02:11,760 --> 00:02:13,020
Now it has created a thread.
23
00:02:13,860 --> 00:02:21,420
So now I'm going to search the memory for the string ReflectiveLoader. To do that, right click

24
00:02:21,420 --> 00:02:22,170
anywhere here.

25
00:02:23,040 --> 00:02:27,300
Go down to Search for, All Modules, Pattern.

26
00:02:29,350 --> 00:02:36,550
And then in here, I type the string ReflectiveLoader.

27
00:02:38,170 --> 00:02:39,160
And I click OK.

28
00:02:40,490 --> 00:02:43,010
So it searches for this pattern in memory.

29
00:02:45,090 --> 00:02:46,350
And it has found two hits.

30
00:02:47,040 --> 00:02:49,230
So let's see this in the memory dump.

31
00:02:49,260 --> 00:02:52,410
So I click CPU, select Dump 1, which is the default.

32
00:02:53,780 --> 00:03:02,300
And then under the results in References, I follow this pattern in memory by right clicking, Follow

33
00:03:02,300 --> 00:03:02,810
in Dump.

34
00:03:03,740 --> 00:03:05,270
So now it shows in Dump 1

35
00:03:06,330 --> 00:03:14,160
the location where the string ReflectiveLoader is found. Now I select Dump 2 and then go back

36
00:03:14,160 --> 00:03:21,120
to the References results. In the second address, click Follow in Dump.

37
00:03:21,780 --> 00:03:26,810
And it shows me Dump 2 at the location where the string ReflectiveLoader is found.

38
00:03:26,820 --> 00:03:36,330
So it seems that ReflectiveLoader is found in the memory, so during runtime, and can be detected by antivirus.

39
00:03:36,810 --> 00:03:41,490
And it's also found in PE Studio, in the file itself.

40
00:03:42,480 --> 00:03:45,630
So we need to find a way to obfuscate the string.

41
00:03:46,640 --> 00:03:48,800
So let me stop this now.

42
00:03:51,630 --> 00:03:58,710
So to obfuscate the string, we will make some changes to the source code and recompile.

43
00:03:59,670 --> 00:04:06,180
So the first file we need to make changes in is this ReflectiveLoader.c.
44
00:04:07,050 --> 00:04:14,190
So right click on this ReflectiveLoader.c, open in Notepad++.

45
00:04:15,150 --> 00:04:21,020
And then scroll down, you will find this line over here where you define your ReflectiveLoader name.

46
00:04:21,990 --> 00:04:27,630
And I've also put a comment to rename this string to evade string scan.

47
00:04:29,130 --> 00:04:35,070
So this is the define, and it's used in here, the ReflectiveLoader.

48
00:04:36,570 --> 00:04:41,910
So in order to obfuscate this string, we change it to a harmless sounding string.

49
00:04:42,630 --> 00:04:45,570
So to do that, all you need to do is

50
00:04:47,700 --> 00:04:57,240
change this name to something else. So let me just copy this and then paste it down here, and up here

51
00:04:57,240 --> 00:05:10,250
I will just comment this line out, and down here I will just give it an innocent sounding

52
00:05:10,250 --> 00:05:13,950
name, for example, Windows

53
00:05:17,320 --> 00:05:18,250
32.

54
00:05:23,210 --> 00:05:27,350
Something like that, Windows 32, for example.

55
00:05:27,980 --> 00:05:28,660
Then I see.

56
00:05:30,230 --> 00:05:30,710
And then.

57
00:05:31,920 --> 00:05:32,780
Oh, maybe.

58
00:05:35,160 --> 00:05:35,590
Yeah.

59
00:05:36,360 --> 00:05:44,980
So that any casual observer would not think twice about this. So I changed it to this name with this idea,

60
00:05:45,110 --> 00:05:49,590
so that any casual observer would not notice this as being suspicious.

61
00:05:50,670 --> 00:05:52,140
So I just save this now.

62
00:05:52,970 --> 00:05:58,410
Now, I also copied the string here, which also appears in another file:

63
00:05:59,160 --> 00:06:00,260
the Trojan itself.

64
00:06:00,990 --> 00:06:09,270
So you open the Trojan itself with Notepad++, and here also you see the define ReflectiveLoader.

65
00:06:10,140 --> 00:06:16,260
And here you also change it to an innocent sounding name.
66
00:06:17,340 --> 00:06:19,260
The same as the one here.

67
00:06:20,410 --> 00:06:22,320
OK, so once you've done these two changes,

68
00:06:22,980 --> 00:06:24,510
you can now recompile.

69
00:06:25,650 --> 00:06:27,570
So let's compile the.

70
00:06:29,730 --> 00:06:30,790
Let's recompile

71
00:06:34,690 --> 00:06:37,690
the DLL first.

72
00:06:41,610 --> 00:06:42,010
OK.

73
00:06:42,030 --> 00:06:46,020
There are no errors, so now let's encrypt it.

74
00:06:55,810 --> 00:07:00,090
So now I've got the encrypted string. See here, encrypted data.

75
00:07:01,240 --> 00:07:04,960
So now copy over that string.

76
00:07:15,420 --> 00:07:17,340
Open in Notepad++.

77
00:07:24,790 --> 00:07:28,450
Now, this copies the new encrypted payload.

78
00:07:30,880 --> 00:07:32,170
Open my Trojan

79
00:07:34,840 --> 00:07:36,100
with Notepad++.

80
00:07:39,770 --> 00:07:43,220
Scroll down and paste it into the

81
00:07:44,280 --> 00:07:53,670
payload here. First, I select this and delete, and then paste the new payload. I do the same for the key.

82
00:07:54,720 --> 00:08:01,020
I select the key and I come here and replace it with the new key.

83
00:08:02,250 --> 00:08:07,170
Then I save it, and now I will rebuild my project.

84
00:08:07,380 --> 00:08:11,790
First, I change to the Trojan directory and I will build.

85
00:08:16,870 --> 00:08:25,450
First, I will test to make sure it is still working. Reflective Trojan, hit enter, and it still

86
00:08:25,450 --> 00:08:25,770
works.

87
00:08:25,800 --> 00:08:28,150
As you can see, Bing has just opened.

88
00:08:29,750 --> 00:08:32,740
Now I will open PE Studio.

89
00:08:38,950 --> 00:08:49,480
And I will go and drag my DLL, you know, the reflective DLL, into PE Studio and take a look at exports.

90
00:08:50,770 --> 00:08:58,120
And now you see the effect: the ReflectiveLoader string is gone, and it's now got this string here, which

91
00:08:58,130 --> 00:08:59,320
appears quite harmless.
92
00:09:00,540 --> 00:09:03,210
So that does it for the DLL.

93
00:09:03,930 --> 00:09:06,720
Now let us analyze it with x64dbg.

94
00:09:10,100 --> 00:09:11,600
I will put my

95
00:09:13,990 --> 00:09:16,420
Trojan into x64dbg.

96
00:09:17,320 --> 00:09:18,420
So let me run it now.

97
00:09:18,860 --> 00:09:19,780
It hit a breakpoint.

98
00:09:20,320 --> 00:09:24,460
Let me let it execute the CreateThread,

99
00:09:25,420 --> 00:09:28,390
by clicking Run to user code.

100
00:09:29,260 --> 00:09:34,510
And now let us search for ReflectiveLoader, you know, the string. Right click here anywhere.

101
00:09:34,990 --> 00:09:45,220
Search for All, Pattern. Type in here ReflectiveLoader and then click OK.

102
00:09:46,500 --> 00:09:47,250
And you find

103
00:09:48,530 --> 00:09:51,380
the ReflectiveLoader string is now gone from memory.

104
00:09:52,130 --> 00:09:58,790
So this is how you can obfuscate the ReflectiveLoader string in your reflective Trojan.

105
00:09:59,720 --> 00:10:01,190
That's all for this video.

106
00:10:01,400 --> 00:10:02,720
Thank you for watching.