1
00:00:00,960 --> 00:00:09,210
Hello and welcome to a new session in this session, we are going to reverse engineer process injection.

2
00:00:10,440 --> 00:00:18,360
So go and download this project called Reversing Process Injection on the Zippi and put it in the mail

3
00:00:18,690 --> 00:00:19,060
order.

4
00:00:20,220 --> 00:00:30,570
The first thing we need to know whether or not the malware has got process injection capability to do

5
00:00:30,570 --> 00:00:40,530
that, we will need to use the studio so open peace to do and then your malware to be used to you.

6
00:00:44,420 --> 00:00:47,460
And then he used to do do the scanning.

7
00:00:48,000 --> 00:00:56,270
If you are interested in it, but after he has finished Kennie, click on the imports and then look

8
00:00:56,270 --> 00:01:02,330
at the group column and study the type of imports he is using.

9
00:01:02,840 --> 00:01:11,600
We are looking for the imports because the imports will tell us what the malware is capable of.

10
00:01:13,430 --> 00:01:21,320
So for a process injection capable malware, you will see which aola eex right.

11
00:01:21,320 --> 00:01:22,610
Process memory.

12
00:01:24,770 --> 00:01:28,190
Create a remote and open process.

13
00:01:28,850 --> 00:01:35,900
So if you look in the memory section, you will see virtual yex here and right process memory here.

14
00:01:38,190 --> 00:01:47,940
And then if you scroll down to the execution section, the groups, you will see remote and open process

15
00:01:47,940 --> 00:01:48,360
here.

16
00:01:49,910 --> 00:01:57,770
So these are clear signs that this malware is capable of process injection.

17
00:01:59,660 --> 00:02:03,740
So this is how we can detect what the malware is capable of doing.

18
00:02:04,550 --> 00:02:11,270
And this also gives us a hint on how to reverse engineer this particular malware.

19
00:02:12,110 --> 00:02:18,560
So since we know that this is processing Jahshan malware, guess by looking at the inputs, we can put

20
00:02:18,560 --> 00:02:22,400
breakpoints on some or all of these APIs.

21
00:02:24,030 --> 00:02:26,670
Especially open process.

22
00:02:28,820 --> 00:02:30,110
Right, process, memory.

23
00:02:31,720 --> 00:02:36,700
And creating more charm and optionally virtual along ice.

24
00:02:38,050 --> 00:02:39,100
So let us do that now.

25
00:02:39,280 --> 00:02:47,860
We can close our piece to do now, even though we do not know what target this process is looking for.

26
00:02:49,670 --> 00:02:50,780
We can still find out.

27
00:02:51,350 --> 00:02:56,390
So let's run the FCC for native.

28
00:02:58,070 --> 00:02:58,880
Command from.

29
00:03:00,740 --> 00:03:02,750
And that is fire, Miss Spin.

30
00:03:06,890 --> 00:03:13,430
Because this particular malware will be looking for Microsoft Paint.

31
00:03:14,990 --> 00:03:17,510
So we need to start Macassar Beinfest.

32
00:03:18,440 --> 00:03:21,470
Although in an unknown malware, we do not know this.

33
00:03:21,950 --> 00:03:29,990
But for a Singhalese demonstration, they want to will fire Microsoft Paint and leave it running and

34
00:03:29,990 --> 00:03:34,100
assume that we do not know that it is actually looking for Microsoft Bing.

35
00:03:34,940 --> 00:03:36,260
So we can minimize this.

36
00:03:37,890 --> 00:03:42,600
Now we can fire our Xti Biji 64 Hussien.

37
00:03:48,290 --> 00:03:55,130
Click on the options preferences and make sure that only entry point is checked.

38
00:03:56,060 --> 00:03:56,900
Click on Safe.

39
00:04:00,230 --> 00:04:03,680
Now open the Nullarbor.

40
00:04:10,150 --> 00:04:12,250
So now we can put our break points.

41
00:04:14,900 --> 00:04:17,120
So these are the break points we can put.

42
00:04:17,780 --> 00:04:19,670
Which analogy, which is optional?

43
00:04:20,790 --> 00:04:24,210
Open process, which you should put.

44
00:04:25,190 --> 00:04:28,010
And represents memory, which you also should put.

45
00:04:29,710 --> 00:04:31,920
Great remorse transfer if you wanted to.

46
00:04:32,950 --> 00:04:35,290
So the first one is open process.

47
00:04:37,120 --> 00:04:44,680
So we come down to the bottom and put a breakpoint on open process, hit enter, click on your breakpoint

48
00:04:44,680 --> 00:04:46,630
stack to ensure it is day.

49
00:04:50,910 --> 00:04:54,930
And the second point is on right process memory.

50
00:04:58,320 --> 00:04:59,280
So BP.

51
00:05:02,780 --> 00:05:03,110
Right.

52
00:05:03,380 --> 00:05:06,830
Process, memory.

53
00:05:10,420 --> 00:05:11,830
This, too, should be sufficient.

54
00:05:12,340 --> 00:05:18,580
If you wanted to, you can go further and put a breakpoint on create remote trek.

55
00:05:19,570 --> 00:05:26,800
Now we can run, so he hits our open process break breakpoint.

56
00:05:29,330 --> 00:05:30,540
Now he's going to jump.

57
00:05:30,830 --> 00:05:31,850
So he step movie.

58
00:05:33,800 --> 00:05:37,730
And now he's going to jump jumped open process rechannel Sabawi.

59
00:05:38,880 --> 00:05:45,720
And now it is really to run and you come to the barometers window here to see what are the parameters

60
00:05:46,020 --> 00:05:47,250
for open process.

61
00:05:47,670 --> 00:05:52,740
So from here you can see the open process has got three parameters.

62
00:05:53,370 --> 00:05:59,310
And the one we are interested in is the third parameter, which is a process, Aidy.

63
00:05:59,640 --> 00:06:00,810
It is looking for.

64
00:06:02,280 --> 00:06:04,110
So let's look at it, that parameter.

65
00:06:05,800 --> 00:06:07,440
This is the process, Heidi.

66
00:06:08,020 --> 00:06:09,310
It is trying to open.

67
00:06:10,600 --> 00:06:16,060
So we can convert these hacks into decimal 94.

68
00:06:17,560 --> 00:06:21,880
Use the calculator and key nine E for.

69
00:06:24,730 --> 00:06:28,000
And you get the process in two, five, three, two.

70
00:06:29,650 --> 00:06:38,080
So now we can open our process hekker and look for process ID two, five, three, two.

71
00:06:39,640 --> 00:06:41,260
So this is a process heko now.

72
00:06:42,220 --> 00:06:47,350
And scroll down in this column and look for process two, five, three, two.

73
00:06:49,040 --> 00:06:50,970
And we see it is Microsoft pin.

74
00:06:53,650 --> 00:06:59,590
So this is how you can know what process a particular malware is trying to inject to.

75
00:07:01,840 --> 00:07:04,330
So now that we know it is Microsoft pain.

76
00:07:05,440 --> 00:07:09,550
We can keep a lookout on the memory of Microsoft binge.

77
00:07:11,170 --> 00:07:20,740
So if you opened Microsoft Bing now and look into memory, we do not know which part, which regional

78
00:07:20,740 --> 00:07:25,960
memory the malware is going to inject his coat to.

79
00:07:26,920 --> 00:07:32,920
So to find out which region of memory, we have to rely on the other breakpoint.

80
00:07:33,340 --> 00:07:33,600
Right.

81
00:07:33,610 --> 00:07:34,570
Process memory.

82
00:07:35,440 --> 00:07:37,570
So we continue to execute.

83
00:07:39,560 --> 00:07:42,980
Now he hits our breakpoint, right process memory.

84
00:07:43,700 --> 00:07:54,200
We step away until we come to this call and then now we look at the parameters of window here, right

85
00:07:54,200 --> 00:07:57,260
process memory, right process memory.

86
00:07:57,560 --> 00:08:00,080
He's got these five parameters.

87
00:08:00,800 --> 00:08:04,580
And the one we're interested in is the second parameter.

88
00:08:05,600 --> 00:08:12,020
This is the address where the Melva is going to inject it shellcode into.

89
00:08:13,280 --> 00:08:17,840
So we look at a second parameter here, which is this address.

90
00:08:18,830 --> 00:08:21,240
Two three, followed by five zeros.

91
00:08:22,130 --> 00:08:29,570
Not that we know we can go back to process Hekker and Noufal to three, followed by five zeros.

92
00:08:30,230 --> 00:08:32,480
Just scroll down until you find it.

93
00:08:33,110 --> 00:08:35,900
If you do sit here, remember to click refresh.

94
00:08:36,590 --> 00:08:42,800
After taking refresh and scrolling through, you should easily find it to three, followed by five zeros.

95
00:08:43,640 --> 00:08:49,940
Now, if you double click on this, you will see that it is still empty because it has not yet written.

96
00:08:50,480 --> 00:08:53,360
He has not yet copied the chocolate.

97
00:08:53,810 --> 00:08:57,280
So if you step in with this, you can see that he will copy.

98
00:08:57,920 --> 00:08:59,090
So we start with this.

99
00:08:59,600 --> 00:09:01,760
And now if you come back, you see this.

100
00:09:03,560 --> 00:09:06,940
We need to refresh this very clearly.

101
00:09:07,160 --> 00:09:09,650
And now we see the shellcode has been copied over.

102
00:09:12,770 --> 00:09:18,830
So now we are ready to dump this sherkat from the memory of Microsoft Paint.

103
00:09:19,550 --> 00:09:21,170
And you can click on Safe.

104
00:09:22,730 --> 00:09:25,190
And then we are going to dump me here.

105
00:09:26,080 --> 00:09:28,250
He accepted the default name.

106
00:09:29,400 --> 00:09:30,150
Clean and safe.

107
00:09:30,360 --> 00:09:34,290
Did you find them has got the memory from where it was dumped from.

108
00:09:35,160 --> 00:09:36,270
So just clean and safe.

109
00:09:37,890 --> 00:09:45,480
So if we want to confirm that you've gotten the correct one, we can go and open the -- file.

110
00:09:52,520 --> 00:09:57,200
You can open this -- file if Hicks fxd hex editor.

111
00:09:58,500 --> 00:10:01,080
Just drag it into Hayasaki has Ed.

112
00:10:03,780 --> 00:10:07,020
So this is a down far as you can see is to see.

113
00:10:10,200 --> 00:10:17,880
Now, if you wanted to be 100 percent sure, you can always compare with our original if our original

114
00:10:17,910 --> 00:10:18,750
show, Cahier.

115
00:10:21,590 --> 00:10:28,040
But from this, you can see already a string and in Boston for the messagebox by, if you compare it

116
00:10:29,030 --> 00:10:31,400
with Jaggi in, you can see we are correct.

117
00:10:32,960 --> 00:10:36,890
So this is a show called F.S. for it one.

118
00:10:38,350 --> 00:10:47,410
FC four eight one Ending the shellcode and not Terminator and shellcode and now Terminator.

119
00:10:48,820 --> 00:10:53,110
So this is how we can reverse engineer malware.

120
00:10:54,070 --> 00:10:57,280
We has got processing injection capability.

121
00:10:58,660 --> 00:10:59,800
Thank you for watching.

122
00:11:00,400 --> 00:11:01,630
I'll see you in the next one.