1
00:00:00,420 --> 00:00:03,700
Hello and welcome to a new session. In this new session,

2
00:00:03,720 --> 00:00:06,540
we are going to do process injection.

3
00:00:07,650 --> 00:00:08,910
What is process injection?

4
00:00:09,390 --> 00:00:15,990
It is injecting a payload into another process. This is the mechanism of process injection.

5
00:00:16,680 --> 00:00:22,830
On the left, you have a malware Trojan with a shellcode, and on the right you have a target

6
00:00:22,830 --> 00:00:31,920
process, which could be any other running program, for example, Explorer, Microsoft Paint and so

7
00:00:31,920 --> 00:00:32,100
on.

8
00:00:33,070 --> 00:00:41,490
Now, the malware Trojan is going to allocate memory in the targeted process, as can be seen by the green

9
00:00:41,490 --> 00:00:42,300
shaded area.

10
00:00:43,350 --> 00:00:48,240
It will use the Windows API call VirtualAllocEx.

11
00:00:49,870 --> 00:00:52,600
The next step is to write the shellcode.

12
00:00:53,320 --> 00:01:02,470
So the malware Trojan will use the Windows API call WriteProcessMemory to copy the shellcode into the newly

13
00:01:02,470 --> 00:01:03,610
allocated memory.

14
00:01:04,630 --> 00:01:13,470
Finally, the malware Trojan will call the API CreateRemoteThread in order to run the shellcode

15
00:01:13,780 --> 00:01:19,180
which it has copied over to the allocated memory. That is process injection.

16
00:01:19,900 --> 00:01:20,950
Three reasons.

17
00:01:22,120 --> 00:01:23,830
Reasons for process injection.

18
00:01:24,490 --> 00:01:29,140
Firstly, it is to pivot to a longer-lasting process.

19
00:01:29,800 --> 00:01:35,830
For example, from Notepad to Explorer, or even to a web browser.

20
00:01:36,310 --> 00:01:44,770
This is because the initial program which launched the malware Trojan may be only temporary.

21
00:01:45,100 --> 00:01:48,910
Perhaps the user was just opening a Word document,

22
00:01:48,910 --> 00:01:57,850
something to read the file, or perhaps opening a client software somewhere for downloading files.

23
00:01:57,940 --> 00:02:01,840
And then after finishing, she is going to close the program.

24
00:02:02,680 --> 00:02:06,640
So that's why you need to move to another program.

25
00:02:07,180 --> 00:02:11,620
And one program which is always open will be your Windows Explorer.

26
00:02:12,460 --> 00:02:20,200
So that's why you want to pivot to a second process which is running in memory, so that you will

27
00:02:20,200 --> 00:02:22,370
stay resident in memory.

28
00:02:22,390 --> 00:02:29,470
So the second reason is that you want to migrate to a more legitimate process for connecting to the Internet.

29
00:02:30,190 --> 00:02:39,550
And the reason is because if you were to open Microsoft Word and use Microsoft Word as a malware Trojan

30
00:02:39,550 --> 00:02:42,520
to connect to the Internet, the firewall may block it,

31
00:02:42,730 --> 00:02:46,580
because Microsoft Word does not normally connect to the Internet.

32
00:02:46,600 --> 00:02:54,730
So in such a case, it makes a lot of sense for the malware Trojan to pivot to the web browser and from

33
00:02:54,730 --> 00:02:56,650
the web browser, connect to the Internet.

34
00:02:57,190 --> 00:03:04,690
And it is more likely that the firewall or Windows Defender will allow a connection to

35
00:03:04,690 --> 00:03:06,910
the Internet if it comes from a browser.

36
00:03:07,210 --> 00:03:11,590
And the third reason is to have a backup backdoor connection.

37
00:03:12,730 --> 00:03:20,680
And also, you might inject yourself into another process in order that, should the first process come

38
00:03:20,680 --> 00:03:22,300
down for whatever reason,

39
00:03:22,750 --> 00:03:27,000
the second process is still up and running. As has become very common,

40
00:03:27,010 --> 00:03:32,920
you need this kind of secondary backup in order for the malware to reach out to the command and control

41
00:03:32,920 --> 00:03:33,340
server.

42
00:03:33,670 --> 00:03:35,500
So that's all for this video.

43
00:03:36,040 --> 00:03:37,180
Thank you for watching.