1 00:00:01,000 --> 00:00:02,500 Hello and welcome.
2 00:00:02,920 --> 00:00:06,530 In this video, we are going to get started
3 00:00:06,550 --> 00:00:08,410 on DLL injection.
4 00:00:10,060 --> 00:00:15,340 So let's go and download this project 09,
5 00:00:15,730 --> 00:00:22,270 DLL injection, unzip it, put it in a folder and open it.
6 00:00:22,660 --> 00:00:24,880 And you see a number of files.
7 00:00:26,020 --> 00:00:36,670 One of the files is bin64.bin, which is the 64-bit Microsoft Paint shellcode, which we generated using
8 00:00:37,060 --> 00:00:39,640 Metasploit in Kali Linux.
9 00:00:40,240 --> 00:00:43,180 And there are two compile scripts.
10 00:00:45,230 --> 00:00:50,510 The first compile script is to compile this DLL file.
11 00:00:52,490 --> 00:00:55,290 It uses a definition file as well.
12 00:00:57,350 --> 00:00:58,550 Right click, open
13 00:00:59,290 --> 00:00:59,990 with
14 00:01:00,110 --> 00:01:00,770 Notepad++.
15 00:01:02,500 --> 00:01:12,540 You will see that the input file is mspaint.cpp, the definition file is mspaint.def,
16 00:01:13,300 --> 00:01:13,930 and
17 00:01:15,040 --> 00:01:19,540 the output file is mspaint.dll.
18 00:01:20,170 --> 00:01:21,970 And this is your final output file.
19 00:01:22,960 --> 00:01:30,070 You are going to use this script to build a DLL out of this CPP file.
20 00:01:35,170 --> 00:01:46,840 Let's look at the file. Open it in Notepad++. The DEF file specifies the LIBRARY as mspaint.dll
21 00:01:47,830 --> 00:01:50,640 and the EXPORTS as RunShellcode.
22 00:01:53,610 --> 00:02:04,220 That means that our DLL will have one export, which is RunShellcode. Let's open the source code
23 00:02:05,050 --> 00:02:06,130 in Notepad++.
24 00:02:07,740 --> 00:02:13,840 So now we're going to put our shellcode in here, the Microsoft Paint shellcode
25 00:02:16,150 --> 00:02:18,220 that we generated with Metasploit.
26 00:02:19,720 --> 00:02:22,420 So open your hex editor.
27 00:02:25,320 --> 00:02:30,510 Drag the Microsoft Paint bin64.bin shellcode into the hex editor.
28 00:02:31,940 --> 00:02:33,770 And export all of this
29 00:02:35,440 --> 00:02:37,320 as a C file.
30 00:02:40,120 --> 00:02:42,160 And save it inside here,
31 00:02:42,790 --> 00:02:44,740 the DLL injection folder.
32 00:02:48,390 --> 00:02:52,710 Confirm that a new file has been created and then close it.
33 00:02:54,410 --> 00:02:56,540 Next, open the new file
34 00:02:56,840 --> 00:02:58,160 with Notepad++.
35 00:02:59,790 --> 00:03:02,310 And copy all of the shellcode.
36 00:03:03,950 --> 00:03:11,750 Right click, copy, and then open your mspaint DLL source code.
37 00:03:13,900 --> 00:03:15,220 And paste it down here.
38 00:03:19,180 --> 00:03:21,820 Let's rename this rawData
39 00:03:23,050 --> 00:03:30,760 to shellcode, so we copy from the sample and put it down here.
40 00:03:33,330 --> 00:03:35,640 Next, delete the sample.
41 00:03:41,780 --> 00:03:45,380 Next, check to make sure that the number here
42 00:03:45,620 --> 00:03:46,850 and here are the same.
43 00:03:48,130 --> 00:03:49,390 And then click on Save.
44 00:03:51,780 --> 00:03:53,100 This is the DLL.
45 00:03:55,100 --> 00:04:00,470 The DLL has a function called DllMain inside, and you will see a switch.
46 00:04:01,940 --> 00:04:08,810 The first case is when the DLL is first loaded by a PE executable.
47 00:04:09,470 --> 00:04:14,960 When that happens, this case will be triggered and this function will run.
48 00:04:16,690 --> 00:04:25,960 And this function is defined here. You call VirtualAlloc to allocate some memory and you save
49 00:04:25,960 --> 00:04:27,340 the address
50 00:04:27,760 --> 00:04:32,610 of that memory to this variable. Next, you
51 00:04:32,620 --> 00:04:36,580 copy the shellcode to the newly allocated memory.
52 00:04:38,320 --> 00:04:47,020 And then it will change the protection of that allocated memory containing the shellcode to become executable
53 00:04:47,320 --> 00:04:48,130 and readable.
54 00:04:48,850 --> 00:04:52,930 Next, you test whether VirtualProtect was successful.
55 00:04:53,380 --> 00:05:01,600 If it is, it will create a thread to execute the allocated memory which contains the shellcode. Now let's compile.
56 00:05:03,700 --> 00:05:04,810 Copy this path.
57 00:05:06,250 --> 00:05:09,370 Open your x64 Native Tools Command Prompt.
58 00:05:12,620 --> 00:05:18,890 cd into the path, and then compile the DLL.
59 00:05:21,030 --> 00:05:22,830 There are no errors.
60 00:05:25,160 --> 00:05:27,170 So now your DLL is created.
61 00:05:28,220 --> 00:05:28,700 Here
62 00:05:28,860 --> 00:05:29,270 it is.
63 00:05:30,710 --> 00:05:37,190 So we are going to inject this mspaint DLL into Explorer.
64 00:05:38,870 --> 00:05:46,460 Explorer is, whenever you click on any of the folders, you open Explorer.
65 00:05:47,960 --> 00:05:50,840 So our objective is to inject
66 00:05:51,900 --> 00:05:57,330 a DLL into Explorer, and this is the DLL we want to inject.
67 00:05:59,580 --> 00:06:04,890 So once this DLL is injected, it will open up Microsoft Paint.
68 00:06:05,520 --> 00:06:08,920 So the next thing we need to do is the DLL injector.
69 00:06:10,470 --> 00:06:13,650 And this is the compile script for the injector.
70 00:06:14,960 --> 00:06:16,340 Right click and open it.
71 00:06:19,150 --> 00:06:28,840 It takes the input file dll-injector.cpp and gives the output file called dll-injector.exe.
72 00:06:31,620 --> 00:06:33,060 This is the input file.
73 00:06:34,180 --> 00:06:39,980 The DLL injector cpp. Right click and open it
74 00:06:40,000 --> 00:06:40,690 in Notepad++.
75 00:06:44,280 --> 00:06:45,540 There is a main function
76 00:06:47,630 --> 00:06:53,840 containing the path to the DLL. To get this path,
77 00:06:56,340 --> 00:06:57,270 this is the DLL.
78 00:06:58,860 --> 00:07:01,620 Select this correctly and copy.
79 00:07:03,140 --> 00:07:10,050 And then come down here and paste the path. Next,
80 00:07:10,550 --> 00:07:16,310 you need to put the semicolon at the back and a double quote in front.
81 00:07:18,900 --> 00:07:22,770 And then copy this and put it here.
82 00:07:26,020 --> 00:07:28,330 Let's put the backslash.
83 00:07:30,490 --> 00:07:38,230 You need to put two backslashes in order to tell the operating system that this is a directory, not
84 00:07:38,230 --> 00:07:39,400 an escape character.
85 00:07:41,830 --> 00:07:50,590 Same thing over here, here and here and here, and there at the back here.
86 00:07:52,090 --> 00:07:52,900 You need to put
87 00:07:55,120 --> 00:08:08,230 the name of the DLL that you are referring to in this file; then you can copy it from the sample.
88 00:08:10,680 --> 00:08:11,480 Then save it.
89 00:08:15,510 --> 00:08:23,210 Over here, give the name of the process that you want to inject into. In this case, it is explorer.exe.
90 00:08:24,300 --> 00:08:29,880 You would then call the function search for process and pass the name of the process
91 00:08:30,220 --> 00:08:36,660 that you want to inject into, which is explorer.exe. After it has found the process, it will return the
92 00:08:36,930 --> 00:08:37,380 process
93 00:08:37,380 --> 00:08:46,050 ID. If the process ID is zero, it will give the error "process to inject not found" and it will exit.
94 00:08:47,200 --> 00:08:52,120 Otherwise, it will continue here and print the message "process to inject"
95 00:08:53,130 --> 00:08:56,640 and the PID, and then it will say "injecting".
96 00:08:57,740 --> 00:09:07,850 Next, it will call GetProcAddress and extract the LoadLibrary address from kernel32 and save the
97 00:09:07,850 --> 00:09:11,680 address of LoadLibrary in this variable.
98 00:09:12,600 --> 00:09:22,580 Although we're injecting into the remote process Explorer, we can still use this method to find the address
99 00:09:22,580 --> 00:09:25,160 of LoadLibrary for the target process.
100 00:09:25,580 --> 00:09:32,540 That is because it is the same address for all the files in the Windows system.
101 00:09:33,200 --> 00:09:35,030 Next, we call OpenProcess
102 00:09:35,690 --> 00:09:38,790 to open the process based on the PID.
103 00:09:39,780 --> 00:09:47,330 Well, here in this case, it will be Explorer, and then we save the handle to the Explorer process
104 00:09:47,420 --> 00:09:49,700 in this variable for the process handle.
105 00:09:50,150 --> 00:09:54,770 Then we test if we successfully managed to open the process.
106 00:09:55,520 --> 00:09:56,620 This will not be null.
107 00:09:57,300 --> 00:10:03,770 Now, we use the VirtualAllocEx function to allocate some space in the Explorer process.
108 00:10:04,220 --> 00:10:07,790 And then we save the address into this variable.
109 00:10:08,390 --> 00:10:15,110 Then we call WriteProcessMemory to copy the path to the DLL,
110 00:10:16,330 --> 00:10:17,350 which is this one,
111 00:10:18,270 --> 00:10:30,030 this file, over to the newly allocated memory, which is here. Then we call CreateRemoteThread and pass the
112 00:10:30,270 --> 00:10:39,120 address of LoadLibrary, and also the parameter for LoadLibrary, which is the path, to the Explorer
113 00:10:39,480 --> 00:10:46,380 process, which then uses the LoadLibrary API to load the DLL from the path.
114 00:10:46,920 --> 00:10:50,090 And the DLL that it is going to load is mspaint
115 00:10:50,520 --> 00:10:50,940 dll.
116 00:10:51,280 --> 00:10:51,750 Yeah.
117 00:10:52,380 --> 00:10:55,320 As soon as the mspaint DLL is loaded,
118 00:10:56,340 --> 00:11:02,550 it will satisfy the first case, process attach, and it will run the shellcode.
119 00:11:04,020 --> 00:11:10,590 And once the shellcode function is run, it will execute the shellcode to show the Microsoft Paint program.
120 00:11:11,400 --> 00:11:18,210 So now we are going to build this DLL injector by running the batch file and check the screen.
121 00:11:20,750 --> 00:11:22,970 So let's start. Type
122 00:11:23,810 --> 00:11:26,000 the injector and hit enter.
123 00:11:30,610 --> 00:11:34,060 And notice we have a new file here.
124 00:11:38,380 --> 00:11:49,420 It has successfully built the mspaint DLL and also the injector. We'll stop this video for now and continue
125 00:11:49,810 --> 00:11:52,960 to run this and examine it in the next video.
126 00:11:53,590 --> 00:11:54,970 Thank you for watching.