Hello and welcome back to a new section. In this new section we are going to look at DLL injection. DLL injection is about injecting a DLL path into another process.

In this slide here, we can see that there are several components of a DLL injection mechanism. On the left, we have some malware trojan. On the right, we have a target process, into which we are going to inject. And at the bottom here we see there is a file called the DLL file. The objective of the injection is to cause the target process to load the DLL file and execute it. In order to do that, the malware trojan will contain the path to this DLL file. This DLL file could have been downloaded by the malware trojan, or it could have been planted there by some other means.

So the first thing the malware trojan needs to do is to allocate memory in the target process, as denoted by the green box here. It does that by using the API function VirtualAllocEx. Next, the malware trojan will write to memory. It copies this path to the DLL over to the allocated memory region; this path contains the path to this DLL file. It does that by using the API function WriteProcessMemory. It then creates a remote thread. So it creates a thread using the API called CreateRemoteThread and passing some parameters to it. Two of the parameters are LoadLibrary, which is to load the DLL, and the other parameter is the path to the DLL file to load. After this thread is created, the target process will load this library using the LoadLibrary API.

How does the malware know the address of the LoadLibrary API? In order to get the address of the LoadLibrary API, the malware trojan uses GetProcAddress. The LoadLibrary function comes from kernel32.dll, and kernel32.dll has the same address for all processes; therefore GetProcAddress is used to get the LoadLibrary function from kernel32.dll within the malware trojan, and then the same address is used for the target process. So this is how the malware knows the address of LoadLibrary. Once the thread is created, it runs and uses LoadLibrary to load the DLL.

The DLL will be loaded into the target process, and I say DllMain, because in a DLL that is the main function. In the main function there is a switch; the switch will have a few cases for the reason for the call. And if the case falls under the first one, DLL_PROCESS_ATTACH, it runs the shellcode. This shellcode is defined here, in this function, also in the same DLL. And this function is designed to run the shellcode shown up here. And this code is similar to what we used in the previous lessons to run shellcode. So this makes it possible for the DLL to execute the moment it is loaded.

API calls for DLL injection. There are four functions in total. These are the four APIs used in DLL injection. GetProcAddress is used to get the address of LoadLibrary. VirtualAllocEx is used to allocate memory in the target process. WriteProcessMemory is used to write the path of the DLL to the target, and this path of the DLL is written to the allocated memory, which came from VirtualAllocEx. Finally, the CreateRemoteThread API, which we call with the parameters of the address of LoadLibrary, which we got from GetProcAddress, and also the path to the DLL.

So that's all for this theory on how DLL injection works. When we do the practical sessions, all this will become clear. Thank you for watching.
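As an added defensive example (not part of the lecture or its course code), the four-call sequence described above leaves a recognisable footprint in endpoint telemetry. The Python below runs over a constructed key=value event trace that mirrors cross-process access and remote-thread events, flags any remote thread whose start routine is LoadLibraryA/W, and rates the alert higher when the creating process earlier obtained the create-thread, VM-operation and VM-write rights the injection needs. The trace format, field names and PIDs are assumptions.

```python
"""Flag the classic LoadLibrary-based DLL-injection pattern in a constructed event trace."""
import re
from collections import defaultdict

# PROCESS_* access rights from winnt.h; the combination an injector must hold.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
LOADLIB = {"LoadLibraryA", "LoadLibraryW"}

# Constructed sample trace (not real telemetry): one key=value event per line.
SAMPLE_TRACE = """\
type=ProcessAccess src=4120 dst=2208 access=0x1fffff
type=CreateRemoteThread src=4120 dst=2208 start_module=kernel32.dll start_function=LoadLibraryA
type=ProcessAccess src=5000 dst=2208 access=0x1000
type=CreateRemoteThread src=6100 dst=6100 start_module=ntdll.dll start_function=RtlUserThreadStart
type=CreateRemoteThread src=7300 dst=2208 start_module=kernel32.dll start_function=LoadLibraryW
"""


def parse(trace):
    """Turn each non-empty line into a dict of its key=value fields."""
    events = []
    for line in trace.splitlines():
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        if fields:
            events.append(fields)
    return events


def detect_dll_injection(trace):
    """Return (src_pid, dst_pid, confidence) for every cross-process thread started in LoadLibrary*."""
    alerts = []
    granted = defaultdict(int)  # (src, dst) -> union of access bits seen so far
    for ev in parse(trace):
        key = (ev["src"], ev["dst"])
        if ev["type"] == "ProcessAccess":
            granted[key] |= int(ev["access"], 16)
        elif ev["type"] == "CreateRemoteThread" and ev["src"] != ev["dst"]:
            if ev.get("start_function") in LOADLIB:
                # Earlier handle with all three injection rights => high; LoadLibrary start alone => medium.
                complete = (granted[key] & INJECT_MASK) == INJECT_MASK
                alerts.append((ev["src"], ev["dst"], "high" if complete else "medium"))
    return alerts


if __name__ == "__main__":
    for src, dst, conf in detect_dll_injection(SAMPLE_TRACE):
        print(f"[{conf}] remote LoadLibrary thread: pid {src} -> pid {dst}")
```

A thread that starts at LoadLibrary in another process is rare in legitimate software, so the medium-confidence hit is still worth triage even without the preceding handle event.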