00:00:00,960 Hello and welcome to a new session. In this session, we are going to reverse engineer process injection.

00:00:10,440 So go and download this project called Reversing Process Injection in the zip and put it in the malware folder.

00:00:20,220 The first thing we need to know is whether or not the malware has got process injection capability. To do that, we will need to use PEStudio, so open PEStudio and then drag your malware into it. And then let PEStudio do the scanning. After it has finished scanning, click on the imports and then look at the group column and study the type of imports it is using. We are looking for the imports because the imports will tell us what the malware is capable of.

00:01:13,430 So for a process injection capable malware, you will see VirtualAllocEx, WriteProcessMemory, CreateRemoteThread and OpenProcess. So if you look in the memory section, you will see VirtualAllocEx here and WriteProcessMemory here. And then if you scroll down to the execution section of the groups, you will see CreateRemoteThread and OpenProcess here. So these are clear signs that this malware is capable of process injection.

00:01:59,660 So this is how we can detect what the malware is capable of doing. And this also gives us a hint on how to reverse engineer this particular malware.
00:02:12,110 So since we know that this is process injection malware, just by looking at the imports, we can put breakpoints on some or all of these APIs. Especially OpenProcess, WriteProcessMemory and CreateRemoteThread, and optionally VirtualAllocEx. So let us do that now.

00:02:39,280 We can close our PEStudio now. Even though we do not know what target this process is looking for, we can still find out. So let's fire up mspaint from the command prompt, because this particular malware will be looking for Microsoft Paint. So we need to start Microsoft Paint first. Although with an unknown malware, we do not know this. But for this demonstration, we will fire up Microsoft Paint and leave it running and assume that we do not know that it is actually looking for Microsoft Paint. So we can minimize this.

00:03:37,890 Now we can fire up our x64dbg. Click on Options, Preferences and make sure that only Entry Point is checked. Click on Save. Now open the malware.

00:04:10,150 So now we can put our breakpoints. So these are the breakpoints we can put: VirtualAllocEx, which is optional; OpenProcess, which you should put;
00:04:25,190 and WriteProcessMemory, which you also should put; CreateRemoteThread if you wanted to.

00:04:32,950 So the first one is OpenProcess. So we come down to the bottom and put a breakpoint on OpenProcess, hit Enter, click on your Breakpoints tab to ensure it is there. And the second one is on WriteProcessMemory. So bp WriteProcessMemory. These two should be sufficient. If you wanted to, you can go further and put a breakpoint on CreateRemoteThread.

00:05:19,570 Now we can run, so it hits our OpenProcess breakpoint. Now it's going to jump. So we step over. And now it has jumped to OpenProcess. And now it is ready to run, and you come to the parameters window here to see what are the parameters for OpenProcess. So from here you can see that OpenProcess has got three parameters. And the one we are interested in is the third parameter, which is the process ID it is looking for. So let's look at that parameter. This is the process ID it is trying to open.

00:06:10,600 So we can convert this hex into decimal. Use the calculator and key in 9E4, and you get the process ID 2532.
00:06:29,650 So now we can open our Process Hacker and look for process ID 2532. So this is Process Hacker now. And scroll down in this column and look for process 2532. And we see it is Microsoft Paint. So this is how you can know what process a particular malware is trying to inject into.

00:07:01,840 So now that we know it is Microsoft Paint, we can keep a lookout on the memory of Microsoft Paint. So if you open Microsoft Paint now and look into memory, we do not know which part, which region of memory, the malware is going to inject its code into. So to find out which region of memory, we have to rely on the other breakpoint, WriteProcessMemory.

00:07:35,440 So we continue to execute. Now it hits our breakpoint, WriteProcessMemory. We step over until we come to this call, and then now we look at the parameters window here. WriteProcessMemory has got these five parameters. And the one we're interested in is the second parameter. This is the address where the malware is going to inject its shellcode into. So we look at the second parameter here, which is this address: 23 followed by five zeros. Now that we know, we can go back to Process Hacker and look for 23 followed by five zeros.
00:08:30,230 Just scroll down until you find it. If you do not see it here, remember to click Refresh. After clicking Refresh and scrolling through, you should easily find 23 followed by five zeros. Now, if you double click on this, you will see that it is still empty because it has not yet been written. It has not yet copied the shellcode. So if you step over this, you can see that it will copy. So we step over this. And now if you come back, you see this. We need to refresh this to see it clearly. And now we see the shellcode has been copied over.

00:09:12,770 So now we are ready to dump this shellcode from the memory of Microsoft Paint. And you can click on Save. And then we are going to dump it here. Just accept the default name. Click on Save. The file name has got the memory address where it was dumped from. So just click on Save.

00:09:37,890 So if we want to confirm that we've gotten the correct one, we can go and open the -- file. You can open this -- file with the HxD hex editor. Just drag it into HxD hex editor. So this is the dumped file, as you can see. Now, if you wanted to be 100 percent sure, you can always compare with our original shellcode.
00:10:21,590 But from this, you can see already a string for the MessageBox. If you compare it with the original, you can see we are correct. So this is the shellcode: FC 48 81 ..., and the null terminator ending the shellcode.

00:10:48,820 So this is how we can reverse engineer malware that has got process injection capability. Thank you for watching. I'll see you in the next one.