1
00:00:00,500 --> 00:00:04,640
OK, now we are going to save this file,

2
00:00:04,700 --> 00:00:09,650
the process injection .cpp code, and we are going to compile it.

3
00:00:11,540 --> 00:00:15,290
So select this path here, right-click and copy it.

4
00:00:16,720 --> 00:00:20,800
Then open your x64 Native Tools Command Prompt.

5
00:00:25,670 --> 00:00:32,710
And change to the right directory, and you have to confirm that you are in the right directory and

6
00:00:32,740 --> 00:00:40,250
that the compile script is present, and then run the compile script.

7
00:00:42,650 --> 00:00:46,790
The exe has been successfully built, and now we will test it.

8
00:00:47,420 --> 00:00:52,040
But before we can test it, we need to run the Microsoft Paint program.

9
00:00:53,060 --> 00:00:58,010
So just type mspaint and hit enter,

10
00:01:00,920 --> 00:01:12,740
and now that Microsoft Paint is running, we can run our malware, which is the process injection .exe, and hit

11
00:01:12,740 --> 00:01:13,160
enter.

12
00:01:15,260 --> 00:01:21,770
And immediately I can hear a notification sound, and at the same time

13
00:01:22,790 --> 00:01:24,770
this message pops up.

14
00:01:26,780 --> 00:01:33,650
And it says hello from tracking lessons dot com, and the title is shellcode.

15
00:01:34,460 --> 00:01:42,830
And there's also an information icon, since we specified that icon in msfvenom.

16
00:01:45,570 --> 00:01:49,400
So how do we know that the shellcode came from Microsoft Paint?

17
00:01:50,250 --> 00:01:56,110
Well, we can open Process Hacker to investigate it.

18
00:02:02,810 --> 00:02:07,760
So in Process Hacker, you will see that mspaint is running, so double-click on it.

19
00:02:12,850 --> 00:02:21,250
And then you can also see it from the title here: mspaint.exe, process ID 520.

20
00:02:23,020 --> 00:02:25,590
And then here, this is Microsoft Paint.

21
00:02:25,810 --> 00:02:29,410
And you can see from the title here, the process ID is 520.

22
00:02:30,940 --> 00:02:34,330
You can also see the process ID in this column.

23
00:02:36,260 --> 00:02:37,040
520.

24
00:02:41,440 --> 00:02:44,830
So you can sort by the Protection column here

25
00:02:47,300 --> 00:02:54,350
by clicking on it, and then scroll down to look for the region of memory which is readable and executable,

26
00:02:57,290 --> 00:02:58,640
and then you will find here,

27
00:02:59,420 --> 00:03:04,220
there are many regions of memory which are readable and executable.

28
00:03:05,940 --> 00:03:10,680
All of them belong to DLLs except one, which is unmarked.

29
00:03:12,450 --> 00:03:14,550
And this region of memory,

30
00:03:16,240 --> 00:03:18,400
you can double-click to view the contents.

31
00:03:19,680 --> 00:03:21,030
And this is our shellcode.

32
00:03:23,090 --> 00:03:28,520
To confirm that this is indeed our shellcode, you can look at the last few bytes here, which show

33
00:03:28,520 --> 00:03:35,420
the text of the shellcode, including hello from clicking lessons dot com, and also the title for the MessageBox.

34
00:03:36,500 --> 00:03:39,310
And then you can also open our,

35
00:03:41,380 --> 00:03:46,570
open the shellcode in HxD, the hex editor.

36
00:03:52,810 --> 00:04:01,030
So if you put your hex editor side by side with the memory region for Microsoft Paint, you can see

37
00:04:01,030 --> 00:04:02,830
here, it's easier to compare.

38
00:04:03,280 --> 00:04:07,480
So both start with the same FC 48 83 E4 F0,

39
00:04:08,920 --> 00:04:10,450
and here the last few bytes.

40
00:04:14,380 --> 00:04:18,490
So the identical bytes confirm that the shellcode indeed

41
00:04:19,720 --> 00:04:29,830
is in mspaint, and also it is residing in the memory space of Microsoft Paint, which

42
00:04:29,830 --> 00:04:32,980
is here in this memory region of Microsoft Paint.

43
00:04:34,270 --> 00:04:37,330
This is the allocated memory our malware has created.

44
00:04:37,630 --> 00:04:43,480
Another thing you can do is you can make use of a special tool inside Process Hacker.

45
00:04:47,300 --> 00:04:56,030
It's here: Find window and thread. So you can click on this and drag it over to the message

46
00:04:56,030 --> 00:04:56,870
box and release.

47
00:04:58,230 --> 00:05:04,970
And then you will see it will show you the parent of the message box; in this case, it's mspaint.exe

48
00:05:04,970 --> 00:05:08,150
here, with process ID 520.

49
00:05:09,230 --> 00:05:16,700
So this also confirms that this message box came from mspaint, because it points to mspaint,

50
00:05:16,700 --> 00:05:19,250
PID 520.

51
00:05:20,520 --> 00:05:21,960
And also, I can see from here.

52
00:05:23,420 --> 00:05:23,720
Right.

53
00:05:25,790 --> 00:05:29,300
So this is how we can build our malware

54
00:05:29,570 --> 00:05:35,810
that can inject shellcode into a remote process,

55
00:05:36,620 --> 00:05:38,090
in this case, Microsoft Paint.

56
00:05:38,510 --> 00:05:43,160
And this is how we can test using Process Hacker to confirm that it is working.

57
00:05:44,300 --> 00:05:45,740
So that's all for this video.

58
00:05:46,160 --> 00:05:47,420
Thank you for watching.