Hello and welcome to a new section called Function Obfuscation.

Now, what is function obfuscation? Function obfuscation means that you're trying to hide the functions that you're using so that antivirus cannot detect them. The reason why we want to hide them is because antivirus sometimes detects whether a particular application is malicious or not based on the type of functions that it is using.

Let's take an example of a new project here. Download this zip and put it in a folder called 06 Function Obfuscation. Now, let's open this file, function-obfuscated.cpp. Inside here, there is the usual payload; in this case, it is the shellcode to run Notepad. Here you will see VirtualAlloc, RtlMoveMemory, VirtualProtect, CreateThread and so on.

Now, all this can be detected by antivirus, and antivirus technology, using this, decides this is a malicious program. So that's why you want to hide some of the function calls.

So let's say we try to compile and run this without hiding any of our function calls and see what we can detect. So let's now open a command terminal, navigate to the folder, compile it, and now we run it: function-obfuscated.exe.
So let's hit Enter and run it again. So this shellcode opens up Notepad.

So now let's try to analyze this in PE Studio. I put a shortcut on the desktop; you can do the same, just go to the tools folder, open it, and drag PE Studio to the desktop. So now we will drag the malware inside PE Studio and let it analyze.

Now, if you click on imports, you will see all the functions that are being used by this malware. And you can group them: click on group and look under memory, where VirtualAlloc is, and so on. So all of these are visible to antivirus.

So let's take, for example, we try to hide VirtualAlloc. How do we hide it from the antivirus? We can use runtime loading. That means we dynamically load the functions during runtime, and we can do that using the GetModuleHandle API and the GetProcAddress API. Go and download this file from the resources section; it contains the notes for this lecture and the subsequent ones.

So as you can see from here, this is how you use GetModuleHandle. Assuming you wanted to load kernel32.dll, because kernel32.dll provides the function VirtualAlloc, you use this function with kernel32.dll. After you get kernel32.dll,
it is saved into an HMODULE and used in the second function here, called GetProcAddress. And you will supply the HMODULE containing kernel32.dll. And from here, you try to extract the function, VirtualAlloc, from kernel32.dll and get its address. So now that you have this address, you can call it as VirtualAlloc. So this is one of the ways you can dynamically load your functions during runtime. Let's try this now.

So now let's close our PE Studio. And now we open our function-obfuscated.cpp in Notepad++. So here, instead of writing the name of the function here, VirtualAlloc, we don't want to do that. Instead, we will load this dynamically. So to do that, we will use this line: GetModuleHandle and GetProcAddress for VirtualAlloc over here. So in this line, we will give it a name.

And then the first parameter is the handle that contains the DLL that has our VirtualAlloc function. So how do you know VirtualAlloc comes from kernel32.dll? You can refer to the documentation for VirtualAlloc. Now, this is the Microsoft documentation. If you scroll down to the bottom, you can see that it is contained in kernel32.dll.
That's how you know. So that's why, here, for the first parameter to GetProcAddress, you have to call GetModuleHandle to get the handle to your DLL. So the documentation for GetModuleHandle is also in the notes. So here you see again GetModuleHandle, and these are the parameters: you provide the module name, which is a string, and it returns the module handle. So that's why you can call it directly like this over here.

You also have to declare the address as a pointer. So we are with VirtualAlloc. So since we already declared an address to store this, which is our VirtualAlloc function, we also have to turn this into a pointer and address. So there is a declaration we have to declare up here. We can declare it as a global variable.

The easiest way is to go to the Microsoft documentation and copy your VirtualAlloc function call signature, and you come back here and paste it over here. The next thing you do is you turn this into a pointer. So you write it as a pointer to VirtualAlloc, and then you cast it as an address.
So you put opening and closing brackets here and you convert it into a pointer address, by putting the asterisk symbol. So now this is an address rather than a direct function call. So this way, you can now make use of this. So this is how you can declare an address for VirtualAlloc. Then you can use it in, say, your main function over here by calling it. And then once you get there, you'll be able to make use of this pointer.

So now you can save this, try to compile it, and we run it again. It still works. Now, let us analyze it in PE Studio. We will drag it into PE Studio. Now we click on imports and look under memory, and you will see VirtualAlloc is missing. So this is how you can hide the function call from the antivirus.

However, if you click on strings, and then we click on this to sort in ascending order, and if you scroll down to VirtualAlloc, under the V, you will still see the string VirtualAlloc as an ASCII string. Now, the reason this happens is because you are using it as a string over here. That's why it appears in the string scan.
So antivirus may still be able to detect your VirtualAlloc function call through the string scan by using this. So in the next video, I'm going to show you how to obfuscate this string so that antivirus may not be able to find your VirtualAlloc string inside a string scan. So that's all for this video. I'll see you in the next one.