1 00:00:01,050 --> 00:00:02,610 Hello and welcome back.
2 00:00:03,030 --> 00:00:11,130 In this video, I'm going to show you how to build EXE files and DLL files, so go and create
3 00:00:11,130 --> 00:00:19,680 a folder on your desktop called Mandate, and then download this file from the resources, unzip it and put
4 00:00:19,920 --> 00:00:22,650 it in there. Inside this file
5 00:00:22,890 --> 00:00:29,910 you will find two projects: a simple EXE project and a simple DLL project.
6 00:00:30,750 --> 00:00:34,850 So just open this simple EXE folder.
7 00:00:34,860 --> 00:00:38,610 And you will find the source code for C++,
8 00:00:38,760 --> 00:00:41,820 simple EXE, and a compile script.
9 00:00:42,300 --> 00:00:43,920 So let's open this simple EXE.
10 00:00:44,040 --> 00:00:52,680 So by right-clicking and opening it with Notepad++, you see it is a simple program.
11 00:00:53,220 --> 00:01:01,380 There is a main function and this print statement; this prints Hello and then asks the user to press the
12 00:01:01,380 --> 00:01:03,600 Enter key, and then it exits.
13 00:01:04,500 --> 00:01:05,730 These are the header files.
14 00:01:06,120 --> 00:01:08,340 Standard C header files.
15 00:01:09,030 --> 00:01:14,430 So in order to compile these, we can use the compile script over here.
16 00:01:15,150 --> 00:01:17,610 So if you open this compile script here.
17 00:01:18,390 --> 00:01:18,490 Right.
18 00:01:18,570 --> 00:01:20,580 Click and open it with Notepad++.
19 00:01:20,580 --> 00:01:29,970 You will see that it is simply calling the CL command-line compiler to compile this into an
20 00:01:30,070 --> 00:01:30,480 EXE.
21 00:01:31,350 --> 00:01:37,200 So this is a simple way of building an EXE file from the command line.
22 00:01:37,890 --> 00:01:45,330 So in order to build this, you need to open the correct command prompt command line. From the left,
23 00:01:45,330 --> 00:01:49,440 click on the bottom here and then here search for "native".
24 00:01:51,150 --> 00:01:52,920 And then here you will find a few.
25 00:01:53,280 --> 00:01:55,410 Look for the 64-bit one.
26 00:01:57,150 --> 00:02:02,100 x64 Native Tools Command Prompt for V
27 00:02:02,160 --> 00:02:03,510 S 2019.
28 00:02:04,110 --> 00:02:12,330 If you are building for a 64-bit EXE, since you are building the output to be a 64-bit EXE, we will
29 00:02:12,330 --> 00:02:13,320 choose this one.
30 00:02:13,770 --> 00:02:16,260 x64 Native Tools Command Prompt.
31 00:02:16,410 --> 00:02:20,520 So just click on this now and then it opens the command
32 00:02:20,670 --> 00:02:21,720 environment.
33 00:02:22,230 --> 00:02:23,280 As you can see, it is the
34 00:02:23,280 --> 00:02:27,210 Native Tools Command Prompt for Visual Studio 2019.
35 00:02:27,840 --> 00:02:32,640 Now we have to navigate to the folder that contains our project, which is this folder.
36 00:02:33,120 --> 00:02:43,020 So just click the path bar here and copy that path, and then come back down here and use the change directory
37 00:02:43,020 --> 00:02:44,620 command, which is cd.
38 00:02:45,510 --> 00:02:52,960 And then put a space by pressing the spacebar, and then use the mouse right-click to paste the path here, and then press
39 00:02:53,400 --> 00:02:54,240 the Enter key.
40 00:02:55,440 --> 00:03:02,220 And then if you type dir, it lists the contents of this directory.
41 00:03:03,090 --> 00:03:09,320 So if we press Enter, you see that there is the compile script there and the simple cpp file as well.
42 00:03:09,870 --> 00:03:16,450 So in order to use this script to compile the cpp into an EXE, we just have to run the compile
43 00:03:16,470 --> 00:03:22,830 script by typing the name of the script, compile, and Enter.
44 00:03:24,830 --> 00:03:32,600 And immediately you see here on the left-hand corner, it has been populated with the EXE and the other
45 00:03:32,630 --> 00:03:33,100 files.
46 00:03:33,120 --> 00:03:33,980 Yes, you can see.
47 00:03:34,490 --> 00:03:41,540 So now in order to run this file, all we need to do is type the name of the
48 00:03:42,230 --> 00:03:42,450 EXE.
49 00:03:42,500 --> 00:03:43,640 Type simple.
50 00:03:44,720 --> 00:03:47,730 And then the extension should be EXE.
51 00:03:48,020 --> 00:03:49,970 And hit Enter, and it prints
52 00:03:49,970 --> 00:03:51,380 Hello to the screen.
53 00:03:52,330 --> 00:03:59,650 We can actually examine this using Process Hacker, so you can go to FLARE here and then go for Utilities
54 00:04:00,070 --> 00:04:04,810 and look for Process Hacker; click on Process Hacker.
55 00:04:07,540 --> 00:04:11,320 Process Hacker is more powerful than Task Manager.
56 00:04:12,220 --> 00:04:19,720 So here you scroll down and you can see the parent process is the command line and the child process is simple
57 00:04:19,720 --> 00:04:21,970 EXE, which is now running in memory.
58 00:04:22,510 --> 00:04:28,140 So you can double-click on simple EXE; it opens up another window. Expand.
59 00:04:28,930 --> 00:04:31,280 And you can see here the command line is simple
60 00:04:31,390 --> 00:04:31,840 EXE.
61 00:04:32,590 --> 00:04:35,400 And it is a 64-bit program.
62 00:04:36,070 --> 00:04:37,210 Over here, you can see.
63 00:04:38,020 --> 00:04:42,940 And here's the path to the image file and directory.
64 00:04:43,420 --> 00:04:50,140 And if you click on Memory, you can look for the location in memory
65 00:04:50,410 --> 00:04:52,810 where the EXE has been loaded.
66 00:04:53,650 --> 00:04:57,130 You need to expand this column here to see the path.
67 00:04:57,700 --> 00:05:03,550 And here you can see it is loaded in memory at this address, like this.
68 00:05:04,120 --> 00:05:06,760 So you can expand and you see all this here.
69 00:05:07,450 --> 00:05:11,860 This is how you can examine the running process in memory.
70 00:05:13,600 --> 00:05:18,460 And you can click on Modules and see what are the other DLLs
71 00:05:18,550 --> 00:05:21,230 it is depending on. Most of it,
72 00:05:21,230 --> 00:05:24,310 you have kernel32, kernelbase,
73 00:05:24,590 --> 00:05:25,010 yeah,
74 00:05:25,030 --> 00:05:25,950 ntdll.
75 00:05:26,000 --> 00:05:30,280 These three are the basic ones for all programs that are running in Windows.
76 00:05:32,120 --> 00:05:38,340 So we can close this. Now we go back, and so now we're here.
77 00:05:38,630 --> 00:05:41,000 If we compare this with our source code.
78 00:05:42,020 --> 00:05:47,450 So this is what we're expected to see whenever a program runs.
79 00:05:47,690 --> 00:05:53,330 If you look for the main function, so for a command-line program, the main function is main.
80 00:05:53,990 --> 00:05:55,820 And then you see here you get a printf.
81 00:05:55,940 --> 00:06:00,950 So this prints Hello to the screen and then goes to the new line over here.
82 00:06:01,970 --> 00:06:07,700 And then after that, it will call the getchar. getchar is a C function that will wait for you to type
83 00:06:07,700 --> 00:06:09,590 something on the command line.
84 00:06:10,730 --> 00:06:17,220 So it halts this program, or we won't have a chance to examine the process.
85 00:06:17,600 --> 00:06:20,270 That is why we put getchar.
86 00:06:20,870 --> 00:06:26,010 So now over here, if you press Enter, the program will exit, OK?
87 00:06:26,010 --> 00:06:31,190 If your program doesn't, just type any character, for example, E and Enter, and then you actually
88 00:06:31,790 --> 00:06:34,010 exit; that is because of the getchar.
89 00:06:34,520 --> 00:06:37,070 So we have a getchar over here.
90 00:06:37,130 --> 00:06:39,710 So we will now look at the DLL project here.
91 00:06:40,580 --> 00:06:41,500 Quite simple.
92 00:06:41,550 --> 00:06:41,970 Yeah.
93 00:06:41,990 --> 00:06:45,080 And inside it you will find two files as well.
94 00:06:45,600 --> 00:06:50,520 You have the same compile script and we have a cpp.
95 00:06:51,230 --> 00:07:00,170 So right-click and open it in Notepad++. Now, the DLL is different from the EXE.
96 00:07:00,200 --> 00:07:04,460 The EXE has a main function and it can run by itself in memory.
97 00:07:05,210 --> 00:07:12,080 But a DLL cannot run independently; a DLL needs to be loaded into the process space of a running
98 00:07:12,080 --> 00:07:12,830 EXE.
99 00:07:13,340 --> 00:07:18,020 So a DLL does not have main, but it has something called DllMain.
100 00:07:18,770 --> 00:07:19,820 And there are many
101 00:07:19,820 --> 00:07:27,020 switch cases in DllMain that will run depending on the lifecycle of this
102 00:07:27,110 --> 00:07:27,490 DLL.
103 00:07:28,040 --> 00:07:33,890 For example, when the DLL is first attached to a running process, this case will be triggered.
104 00:07:34,820 --> 00:07:42,410 And when it is detached from the running process, this case will be triggered. Similarly, if it is attached
105 00:07:42,410 --> 00:07:44,750 to a thread, it would trigger this case.
106 00:07:45,170 --> 00:07:48,740 And if it is detached from a thread, it triggers this case.
107 00:07:49,220 --> 00:07:51,440 So at the moment, all of them are blank, empty.
108 00:07:51,770 --> 00:07:54,340 It just returns TRUE in this.
109 00:07:54,880 --> 00:07:57,020 We also have an exported function.
110 00:07:57,650 --> 00:08:02,090 Now, a DLL needs to export functions so that other processes can make use of it.
111 00:08:02,420 --> 00:08:04,760 So in this case, we are exporting one function,
112 00:08:05,120 --> 00:08:05,930 Say hello.
113 00:08:06,420 --> 00:08:08,780 Let us build this now using the script.
114 00:08:09,380 --> 00:08:15,230 So we go back to here and examine the compile script by right-clicking and opening it in Notepad
115 00:08:15,230 --> 00:08:19,450 ++. You will see we have also a command-line compiler here.
116 00:08:20,420 --> 00:08:28,140 But this time, we are compiling the simple DLL cpp source code, and we output it as simple DLL dot
117 00:08:28,460 --> 00:08:30,170 DLL extension.
118 00:08:30,890 --> 00:08:37,970 OK, so let's now change our directory by typing cd, space, dot dot to go back to the parent directory.
119 00:08:39,260 --> 00:08:40,430 And then dir
120 00:08:40,430 --> 00:08:41,510 to see the contents.
121 00:08:41,600 --> 00:08:45,830 So now enter the folder for the simple DLL and
122 00:08:49,070 --> 00:08:52,520 I type dir to list the contents of the directory.
123 00:08:53,330 --> 00:08:55,360 And then there's the compile script.
124 00:08:56,570 --> 00:09:00,860 So I type the name of the script, compile, and Enter.
125 00:09:03,290 --> 00:09:10,310 So it is now going to compile the file, and it is completed, as you can see down here.
126 00:09:10,610 --> 00:09:20,120 If you want to test the DLL, we can use a tool that comes with the operating system called rundll32, and you type
127 00:09:20,120 --> 00:09:31,370 rundll32 and then the name of the DLL, comma, followed by the exported function, in this case
128 00:09:31,370 --> 00:09:34,230 Say hello, and Enter.
129 00:09:35,330 --> 00:09:37,970 Then it executes the exported function.
130 00:09:38,990 --> 00:09:45,970 Now, this exported function comes from the source code, and let us re-examine the source code by right-clicking
131 00:09:45,970 --> 00:09:48,080 and opening it with Notepad++.
132 00:09:48,710 --> 00:09:50,390 And you can see the exported function
133 00:09:50,390 --> 00:09:51,050 is Say hello.
134 00:09:52,550 --> 00:09:58,220 So it is important to put a comma followed by the function that you want to call from the DLL.
135 00:09:59,260 --> 00:10:02,950 So now the question is, what if you do not know what are the exported functions?
136 00:10:03,490 --> 00:10:12,070 Then you can test it; you can test by running the dumpbin command, followed by forward slash
137 00:10:12,230 --> 00:10:18,190 exports, followed by the name of the DLL. So hit Enter.
138 00:10:19,660 --> 00:10:22,270 So this will show you all the exported functions.
139 00:10:22,300 --> 00:10:22,960 Say hello.
140 00:10:24,250 --> 00:10:26,510 Another way to check is using PE-bear.
141 00:10:26,530 --> 00:10:28,270 So you open your FLARE here.
142 00:10:28,480 --> 00:10:29,780 Go to Utilities.
143 00:10:30,940 --> 00:10:32,330 And launch PE-bear.
144 00:10:35,530 --> 00:10:39,010 Now you can open the DLL file with PE-bear.
145 00:10:39,640 --> 00:10:41,710 So let's go to our DLL file.
146 00:10:42,460 --> 00:10:45,970 And drag the simple DLL into PE-bear.
147 00:10:48,210 --> 00:10:55,890 And then here, if you expand this and go to the exports, you can see what are the functions being
148 00:10:55,890 --> 00:10:56,460 exported.
149 00:10:56,850 --> 00:10:58,200 So there is one function called
150 00:10:58,500 --> 00:10:59,130 Say hello.
151 00:10:59,700 --> 00:11:01,320 And then here also in PE-bear
152 00:11:01,320 --> 00:11:10,140 you can see the structure of the file. Every program in Windows is called a PE file. PE stands for
153 00:11:10,140 --> 00:11:12,450 Portable Executable format.
154 00:11:13,050 --> 00:11:19,200 So if you want to know more details of the PE file structure, you can refer to this
155 00:11:19,350 --> 00:11:22,170 diagram, which shows you some detail.
156 00:11:22,890 --> 00:11:31,050 Every PE file, we have a header, and the header consists of a DOS header, a DOS stub, and followed by some
157 00:11:31,050 --> 00:11:31,980 other headers here.
158 00:11:33,260 --> 00:11:35,330 NT headers, section tables.
159 00:11:36,080 --> 00:11:41,810 So at this point in time, we do not go into too much detail about this; just know that there is
160 00:11:41,810 --> 00:11:49,920 such a thing as a PE header that identifies the file as a PE file, an executable file, or a DLL file.
161 00:11:50,690 --> 00:11:57,200 This structure of the PE header and contents can be seen here, so here it has the DOS header, which
162 00:11:57,200 --> 00:11:57,650 is here.
163 00:11:58,340 --> 00:12:05,720 And if you click on this DOS header, you can see the MZ magic bytes right now. MZ is the magic bytes,
164 00:12:05,960 --> 00:12:08,480 which exist in all PE files.
165 00:12:08,870 --> 00:12:15,560 So the moment you open a PE file in a hex editor, you can see these MZ bytes at the start.
166 00:12:15,770 --> 00:12:18,710 Which means that this is a portable executable file.
167 00:12:19,310 --> 00:12:23,030 The other telltale sign that it is a PE file is this string:
168 00:12:23,480 --> 00:12:27,230 This program cannot be run in DOS
169 00:12:27,230 --> 00:12:33,530 mode. So when you see these two things, you know for sure that this is a PE file, an EXE file or a DLL file
170 00:12:33,530 --> 00:12:33,980 as well.
171 00:12:35,180 --> 00:12:37,820 Both have got these telltale signs and
172 00:12:38,660 --> 00:12:39,560 this string.
173 00:12:40,880 --> 00:12:44,300 Now, you can also examine an EXE file using PE-bear.
174 00:12:44,720 --> 00:12:49,760 So let's say we now drag our EXE file in here.
175 00:12:50,240 --> 00:12:53,030 Drag the EXE file to PE-bear.
176 00:12:53,870 --> 00:12:57,070 We can now examine the file as well.
177 00:12:57,680 --> 00:12:59,090 And you click on the DOS header.
178 00:12:59,270 --> 00:13:02,540 You also see the MZ magic byte and the string
179 00:13:02,780 --> 00:13:05,870 This program cannot be run in DOS mode.
180 00:13:06,110 --> 00:13:10,670 So this also shows that the EXE file has the same PE header.
181 00:13:12,640 --> 00:13:16,450 So in addition to that, you can also see that it has other things as well.
182 00:13:16,720 --> 00:13:18,940 For example, it has got the sections.
183 00:13:19,750 --> 00:13:20,920 So all the sections here.
184 00:13:21,310 --> 00:13:22,900 You can click on the section
185 00:13:22,900 --> 00:13:31,720 headers and view all the sections that exist in the EXE file. The .text section is a section
186 00:13:31,720 --> 00:13:34,840 in memory where it contains all the instructions.
187 00:13:35,440 --> 00:13:37,810 .rdata contains read-only data.
188 00:13:38,650 --> 00:13:41,320 .data contains all the global variables.
189 00:13:41,800 --> 00:13:50,680 .pdata contains the exception data, and .reloc the information telling the system how to dynamically
190 00:13:51,070 --> 00:13:52,510 load at a base address.
191 00:13:53,650 --> 00:13:56,060 Same thing with our DLL as well.
192 00:13:56,080 --> 00:13:56,390 Yeah.
193 00:13:56,390 --> 00:14:02,740 It also has got the same sections. Clicking on sections, you go to section headers, you will see it has
194 00:14:02,740 --> 00:14:04,270 also got the same thing here.
195 00:14:04,370 --> 00:14:04,570 Right.
196 00:14:05,230 --> 00:14:08,320 But the main difference between the DLL and the EXE
197 00:14:08,500 --> 00:14:11,590 is that the DLL needs to export functions.
198 00:14:13,190 --> 00:14:19,430 So you click on Exports, you see all the functions which it is exporting for use by other processes.
199 00:14:20,280 --> 00:14:20,600 Yes.
200 00:14:21,020 --> 00:14:22,790 However, there will be.
201 00:14:23,180 --> 00:14:29,810 The important thing is the imports. The imports are all those libraries which it is using.
202 00:14:30,200 --> 00:14:33,560 These libraries are the APIs coming from the operating system.
203 00:14:33,610 --> 00:14:38,480 So if you need more information about this, you can go to this website here.
204 00:14:40,240 --> 00:14:40,960 This website.
205 00:14:42,900 --> 00:14:49,110 corkami pics, which contains a lot of nice diagrams, which can give you a lot of detailed information
206 00:14:49,530 --> 00:14:51,000 about the PE file.
207 00:14:51,720 --> 00:14:54,900 For example, you can click on this to download it if you wanted to.
208 00:14:55,530 --> 00:15:03,390 And you can see that it has got great detail about the structure of each part of the EXE file.
209 00:15:04,440 --> 00:15:07,110 So that's all for this video.
210 00:15:07,470 --> 00:15:09,390 Thank you for watching.