1 00:00:00,150 --> 00:00:01,230 Hello and welcome.
2 00:00:01,650 --> 00:00:12,600 In this video, we're going to build a program that is going to inject the MessageBox shellcode into
3 00:00:12,600 --> 00:00:15,540 the Microsoft Paint program.
4 00:00:16,500 --> 00:00:17,360 Let's get started.
5 00:00:18,570 --> 00:00:25,920 After we execute our new malware, it will look for the Microsoft Paint program in memory.
6 00:00:26,670 --> 00:00:27,750 Once it finds it,
7 00:00:28,080 --> 00:00:37,830 it will then inject the MessageBox shellcode into Microsoft Paint, and then immediately it will show
8 00:00:37,830 --> 00:00:46,260 the MessageBox. Go and download this project zip file and extract it. The first folder
9 00:00:46,260 --> 00:00:57,330 contains the process injection source code (the CPP file) and the files
10 00:00:57,330 --> 00:01:04,320 we are going to use to inject the MessageBox shellcode into Microsoft Paint.
11 00:01:04,920 --> 00:01:07,530 And you have the MessageBox shellcode here.
12 00:01:08,430 --> 00:01:11,100 So let's open the process injection source code now.
13 00:01:12,000 --> 00:01:13,940 You can open it in Notepad++.
14 00:01:14,190 --> 00:01:20,310 Now we have to prepare the shellcode in a format suitable for use.
15 00:01:21,390 --> 00:01:24,540 To do that, we open our hex editor.
16 00:01:25,860 --> 00:01:33,630 Load messagebox.bin into our hex editor, HxD. Next, click File > Export > C.
17 00:01:36,120 --> 00:01:40,710 And save the messagebox.c file into this folder.
18 00:01:42,350 --> 00:01:43,010 Click on Save.
19 00:01:44,930 --> 00:01:53,550 Confirm that the file has been created, messagebox.c. Now you can close your hex editor,
20 00:01:53,960 --> 00:01:54,630 HxD.
21 00:01:55,520 --> 00:01:59,960 Then you open messagebox.c in Notepad++.
22 00:02:02,390 --> 00:02:04,400 Copy the
23 00:02:05,960 --> 00:02:09,740 shellcode. Right-click and copy.
24 00:02:11,650 --> 00:02:15,340 And come to your process injection CPP file.
25 00:02:17,020 --> 00:02:18,130 Paste it down here.
26 00:02:21,780 --> 00:02:33,420 Next, we are going to change the name to shellcode payload, so copy the name from the top.
27 00:02:35,990 --> 00:02:42,560 Come down here, highlight the name, and then right-click and paste the name here.
28 00:02:45,370 --> 00:02:46,330 Now you can delete
29 00:02:47,510 --> 00:02:49,160 this sample.
30 00:02:53,250 --> 00:02:56,850 So this is a 64-bit shellcode to display a MessageBox.
31 00:02:57,300 --> 00:02:59,460 And the size is shown here in bytes.
32 00:03:01,560 --> 00:03:07,800 Come down here and change this to the same number as shown here.
33 00:03:10,450 --> 00:03:13,660 Now, this program has got a main function.
34 00:03:14,980 --> 00:03:16,330 So when the program runs,
35 00:03:17,650 --> 00:03:20,530 it calls the search-for-process function.
36 00:03:22,280 --> 00:03:24,290 This function will look for this program,
37 00:03:26,080 --> 00:03:29,170 mspaint.exe, in memory.
38 00:03:29,920 --> 00:03:32,820 If it manages to find this process, it will save
39 00:03:33,370 --> 00:03:35,620 the process ID into this variable.
40 00:03:36,340 --> 00:03:43,630 And then it checks to see whether the PID is valid, that is, the PID is not zero.
41 00:03:44,080 --> 00:03:47,650 Then it will print a message to the console:
42 00:03:48,190 --> 00:03:48,610 mspaint.exe
43 00:03:48,620 --> 00:03:51,110 PID is
44 00:03:51,130 --> 00:03:51,880 such and such.
45 00:03:52,540 --> 00:03:56,140 Next, it calls the OpenProcess API.
46 00:03:57,040 --> 00:03:57,880 And then here,
47 00:03:58,870 --> 00:04:02,160 it tries to open the PID
48 00:04:03,010 --> 00:04:04,360 based on this,
49 00:04:06,090 --> 00:04:07,290 the one that it has found.
50 00:04:07,980 --> 00:04:14,250 So this is a Microsoft Windows API. Kindly download this file from the resources section.
51 00:04:15,030 --> 00:04:22,470 It contains links and references to the APIs that we are using in this program.
52 00:04:22,500 --> 00:04:24,870 So OpenProcess is here.
53 00:04:25,410 --> 00:04:29,340 You can go and look up the OpenProcess function.
54 00:04:31,000 --> 00:04:33,400 Opens an existing local process object.
55 00:04:34,900 --> 00:04:36,400 It takes three parameters
56 00:04:37,800 --> 00:04:40,020 and returns a handle to the process.
57 00:04:41,150 --> 00:04:48,860 The first parameter is the desired access, the access to the process object, and that is dwDesiredAccess.
58 00:04:49,160 --> 00:04:50,390 You can read from here.
59 00:04:50,660 --> 00:04:52,310 Just right-click and open it.
60 00:04:52,940 --> 00:04:56,330 So these are the access rights you can specify.
61 00:05:00,900 --> 00:05:01,980 Yes, all of these here.
62 00:05:03,570 --> 00:05:08,040 So for the first parameter we specify all access.
63 00:05:10,590 --> 00:05:18,480 And then the second parameter to OpenProcess is bInheritHandle, which we set
64 00:05:18,480 --> 00:05:24,930 to false, since we are not inheriting from any other process. And then the third parameter is the process ID.
65 00:05:25,560 --> 00:05:28,920 It is the identifier of the local process to be opened.
66 00:05:30,510 --> 00:05:36,990 So in our case, we are passing the process ID which we obtained from this search-for-process function.
67 00:05:38,060 --> 00:05:45,810 After opening the target process, which is Microsoft Paint, it will return a handle to the process and save it
68 00:05:45,980 --> 00:05:46,910 in this variable.
69 00:05:47,300 --> 00:05:51,830 Next, we check whether the process handle is null. If it is not null,
70 00:05:51,950 --> 00:05:54,740 it means we have successfully opened the process.
71 00:05:55,250 --> 00:05:58,100 Then we will call the shellcode inject function.
72 00:05:58,340 --> 00:06:02,330 To the shellcode inject function we will pass three parameters.
73 00:06:02,690 --> 00:06:06,920 The first parameter is the handle to the process, which we obtained from here,
74 00:06:07,550 --> 00:06:08,900 the OpenProcess function.
75 00:06:09,980 --> 00:06:14,720 The second parameter is the shellcode that we want to inject.
76 00:06:16,190 --> 00:06:17,540 And this comes from here.
77 00:06:24,040 --> 00:06:29,440 And the third parameter is the length of the shellcode payload, which comes from here.
78 00:06:33,230 --> 00:06:36,610 Then after that, we close the handle of the process.
79 00:06:38,250 --> 00:06:45,790 Let's take a look in detail at these two functions, search for process and shellcode inject.
80 00:06:46,910 --> 00:06:48,020 These two are user-defined.
81 00:06:49,550 --> 00:06:51,020 So they are defined up here.
82 00:06:53,010 --> 00:06:58,410 The search-for-process function is defined here, and shellcode inject is defined here.
83 00:07:01,230 --> 00:07:03,750 The search-for-process function accepts the name of the process.
84 00:07:04,860 --> 00:07:07,290 It runs a search for that name here.
85 00:07:07,650 --> 00:07:14,790 We use the CreateToolhelp32Snapshot API. Let's look up CreateToolhelp32Snapshot.
86 00:07:15,810 --> 00:07:22,470 Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these
87 00:07:22,470 --> 00:07:23,160 processes.
88 00:07:24,090 --> 00:07:33,030 So in summary, this API will capture all the processes which are running in memory, and it accepts
89 00:07:33,030 --> 00:07:34,020 two parameters
90 00:07:35,110 --> 00:07:36,190 and returns a handle.
91 00:07:36,580 --> 00:07:40,930 So these are the two parameters: the first one is snapshot of the processes.
92 00:07:41,530 --> 00:07:50,620 The second parameter we normally leave as zero. Then after that it returns a handle containing a snapshot of the
93 00:07:50,620 --> 00:07:54,460 processes which are running in memory, and we save it in this variable,
94 00:07:54,580 --> 00:07:55,180 this snapshot object.
95 00:07:56,530 --> 00:08:01,870 And then it checks whether or not the snapshot handle is invalid.
96 00:08:02,680 --> 00:08:08,920 If it is, it will return zero, meaning to end the function and return zero.
97 00:08:09,760 --> 00:08:17,620 If it succeeds in getting a snapshot of all the running processes in memory, it will save the size of the
98 00:08:17,890 --> 00:08:24,070 structure PROCESSENTRY32 into one of the members of this structure.
99 00:08:25,300 --> 00:08:32,140 This structure was created up here in order to save all the data extracted from the CreateToolhelp32Snapshot
100 00:08:32,290 --> 00:08:33,340 into this structure.
101 00:08:33,940 --> 00:08:35,650 You can look it up from here.
102 00:08:36,700 --> 00:08:44,460 The PROCESSENTRY32 structure describes an entry from a list of the processes residing in the system address
103 00:08:44,470 --> 00:08:46,810 space when a snapshot was taken.
104 00:08:47,890 --> 00:08:49,720 And it has got all these members.
105 00:08:51,780 --> 00:08:54,960 The first one is the size of the structure.
106 00:08:58,090 --> 00:09:02,380 So here we initialize dwSize, the size of the structure,
107 00:09:03,590 --> 00:09:13,850 to the size of PROCESSENTRY32. It is used by the APIs to iterate through the list of processes,
108 00:09:14,270 --> 00:09:17,270 Process32First and Process32Next.
109 00:09:17,780 --> 00:09:24,800 CreateToolhelp32Snapshot is always used together with Process32First and Process32Next.
110 00:09:26,060 --> 00:09:35,810 So this is how we can search for a process in memory, making use of these three APIs. Process32First
111 00:09:36,350 --> 00:09:44,360 takes two parameters. The Process32First function retrieves information about the first process encountered
112 00:09:44,570 --> 00:09:45,830 in a system snapshot.
113 00:09:46,700 --> 00:09:48,200 And it takes two parameters.
114 00:09:49,940 --> 00:09:57,410 So the two parameters we provide are the handle of the snapshot of processes and the process structure
115 00:09:57,530 --> 00:09:58,460 which we created here.
116 00:09:59,180 --> 00:10:06,560 If it is not successful, it will close the handle of the snapshot of processes and return zero, which
117 00:10:06,560 --> 00:10:07,100 means quit.
118 00:10:08,210 --> 00:10:12,800 But if successful, that means it managed to retrieve the list of the processes.
119 00:10:13,400 --> 00:10:20,180 It would then use a while loop to iterate through the entire list and search for the process that we want.
120 00:10:21,970 --> 00:10:31,000 So we use Process32Next to do this in a loop. The Process32Next function retrieves information about
121 00:10:31,000 --> 00:10:33,640 the next process recorded in a system snapshot.
122 00:10:34,390 --> 00:10:36,280 It also accepts two parameters.
123 00:10:38,940 --> 00:10:40,800 And these are the two parameters:
124 00:10:41,750 --> 00:10:45,410 a handle to the snapshot of processes, which comes from here,
125 00:10:46,650 --> 00:10:55,410 and the process structure, which came from here. Then we will go through the loop and compare the process
126 00:10:55,410 --> 00:11:00,330 name, given by the name of the EXE file in the process structure.
127 00:11:01,860 --> 00:11:02,820 The process name
128 00:11:03,970 --> 00:11:04,870 comes from here.
129 00:11:06,490 --> 00:11:13,120 So when we call this search-for-process function, we pass the name, which is Microsoft Paint's EXE, mspaint.exe.
130 00:11:14,980 --> 00:11:17,890 Here we loop through and use this function,
131 00:11:17,960 --> 00:11:21,430 a string compare that ignores case.
132 00:11:21,430 --> 00:11:27,340 That means it doesn't matter whether the name is uppercase or lowercase; we just want the name.
133 00:11:28,440 --> 00:11:32,070 So the first parameter is a name, and the second parameter is also a name.
134 00:11:32,790 --> 00:11:34,290 So this second parameter
135 00:11:35,410 --> 00:11:44,050 comes from the szExeFile member of the PROCESSENTRY32 structure,
136 00:11:47,080 --> 00:11:47,440 szExeFile.
137 00:11:47,500 --> 00:11:54,820 szExeFile is the last member of this structure, and it stores the name of the process.
138 00:11:56,890 --> 00:12:02,000 So in this case, we are comparing whether it is mspaint.exe.
139 00:12:03,010 --> 00:12:06,640 If it is, then we will get the ID.
140 00:12:08,730 --> 00:12:11,160 So the ID is obtained from this member,
141 00:12:12,160 --> 00:12:14,740 which is the third member of the structure.
142 00:12:16,200 --> 00:12:17,970 And then we save it.
143 00:12:19,200 --> 00:12:21,930 And then we break out of the loop.
144 00:12:22,320 --> 00:12:25,140 We no longer need to continue because we found what we want.
145 00:12:26,430 --> 00:12:31,050 But if we did not find the name, that is, if this name here does not match,
146 00:12:31,770 --> 00:12:36,600 then we come to this statement and go to the next iteration of the loop.
147 00:12:36,630 --> 00:12:40,500 And this API would then go to the second process in
148 00:12:40,500 --> 00:12:46,440 the list. This continues until it finds the name of the process or it doesn't find it.
149 00:12:46,740 --> 00:12:50,300 And finally, we close the handle and return the PID.
150 00:12:50,850 --> 00:12:53,940 So this gets returned to the caller over here.
151 00:12:54,950 --> 00:13:00,470 And then it saves the PID, and then we call OpenProcess to open it.
152 00:13:01,570 --> 00:13:07,300 And then, with the process handle, we will call shellcode inject. Shellcode inject is defined here.
153 00:13:07,990 --> 00:13:10,630 So it takes three parameters:
154 00:13:11,320 --> 00:13:18,580 the handle to the process, which we got from OpenProcess after passing the PID from here.
155 00:13:21,480 --> 00:13:27,930 The second parameter is the shellcode payload, and the third parameter is the length of the shellcode payload.
156 00:13:29,600 --> 00:13:32,480 So here we use VirtualAllocEx.
157 00:13:32,960 --> 00:13:37,550 This API is used to allocate some memory in the target,
158 00:13:37,910 --> 00:13:39,730 in this case, Microsoft Paint.
159 00:13:42,970 --> 00:13:44,080 VirtualAllocEx,
160 00:13:44,410 --> 00:13:47,380 which is VirtualAlloc with an Ex extension.
161 00:13:49,060 --> 00:13:49,570 Yes.
162 00:13:49,990 --> 00:13:53,010 So it is extended from VirtualAlloc.
163 00:13:55,080 --> 00:14:00,750 It reserves, commits, or changes the state of a region of memory within the virtual address space of a
164 00:14:00,750 --> 00:14:01,770 specified process.
165 00:14:02,790 --> 00:14:08,910 We can use this to create a memory space in another running process.
166 00:14:09,390 --> 00:14:12,390 And it accepts these parameters, five parameters.
167 00:14:12,900 --> 00:14:17,100 The first parameter is the target process where we want to allocate our memory.
168 00:14:17,550 --> 00:14:18,300 So in here,
169 00:14:19,380 --> 00:14:26,970 the first parameter is the handle to the process, which is our handle for the Microsoft Paint process.
170 00:14:28,280 --> 00:14:34,400 The second one we set to NULL, since we don't want to specify a specific address.
171 00:14:34,820 --> 00:14:37,040 The third one is the length of the shellcode payload.
172 00:14:37,430 --> 00:14:39,350 The next one is to commit memory, MEM_COMMIT.
173 00:14:40,070 --> 00:14:42,870 And the last parameter is the protection type
174 00:14:42,980 --> 00:14:49,220 we want to set, which is executable and readable. After we have called this API,
175 00:14:49,820 --> 00:14:52,250 we will then move on to the WriteProcessMemory
176 00:14:52,250 --> 00:14:54,830 API, the WriteProcessMemory
177 00:14:54,830 --> 00:14:56,090 function.
178 00:14:57,330 --> 00:15:00,850 Writes data to an area of memory in a specified process.
179 00:15:01,560 --> 00:15:05,080 The entire area to be written to must be accessible
180 00:15:05,220 --> 00:15:06,420 or the operation fails.
181 00:15:08,320 --> 00:15:15,220 And it accepts these parameters, five parameters. The first parameter is a handle to the process.
182 00:15:16,430 --> 00:15:20,330 The second parameter is the base address. In our case,
183 00:15:20,930 --> 00:15:26,920 we pass in the remotely allocated address, which came from the previous call to VirtualAllocEx.
184 00:15:28,860 --> 00:15:34,950 The third parameter is the buffer, the shellcode payload, that we want to write.
185 00:15:36,270 --> 00:15:39,990 Then the next parameter after that is the length of the shellcode.
186 00:15:41,710 --> 00:15:45,250 And the final parameter we leave blank.
187 00:15:46,180 --> 00:15:53,140 After we have copied the shellcode payload over to the target process, we will then call an API called
188 00:15:53,200 --> 00:15:53,970 CreateRemoteThread.
189 00:15:55,330 --> 00:16:01,810 The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
190 00:16:02,590 --> 00:16:05,740 And these are the parameters for this function.
191 00:16:06,850 --> 00:16:15,370 So this is where we will run the shellcode that we copied to the Microsoft Paint process.
192 00:16:16,180 --> 00:16:19,000 The first parameter is the handle to the process.
193 00:16:19,450 --> 00:16:26,440 The second parameter we leave as NULL, since we have no particular attributes to set. The third
194 00:16:26,470 --> 00:16:28,330 parameter we also set to zero.
195 00:16:30,460 --> 00:16:36,880 The fourth parameter is the allocated memory address where the shellcode sits.
196 00:16:38,320 --> 00:16:42,400 And the remaining parameters are set to NULL, zero, and NULL.
197 00:16:42,850 --> 00:16:49,630 So after we call this function, the shellcode will run and then it will show the MessageBox.
198 00:16:50,170 --> 00:16:54,370 Next, we test whether the thread was successfully created.
199 00:16:55,070 --> 00:17:02,800 If it was, then we will wait for the thread. That is how this process injection program works.
200 00:17:03,400 --> 00:17:10,300 So that's it for this video. We will continue in the next video, where we will compile and build
201 00:17:10,510 --> 00:17:12,760 this source code and test it.
202 00:17:13,120 --> 00:17:14,320 See you in the next video.
203 00:17:14,620 --> 00:17:15,610 Thank you for watching.