1 00:00:00,540 --> 00:00:01,320 Welcome back.
2 00:00:02,160 --> 00:00:08,310 We are now going to do reverse engineering of a DLL injection Trojan.
3 00:00:09,030 --> 00:00:17,690 So go in, download this project, Congreve, which uses DLL injection, unzip it and put it in the malware folder.
4 00:00:17,700 --> 00:00:19,950 Inside,
5 00:00:20,430 --> 00:00:22,230 you will find a few files.
6 00:00:22,800 --> 00:00:29,830 The most important two files are the DLL injector and the DLL
7 00:00:29,900 --> 00:00:30,540 itself.
8 00:00:31,780 --> 00:00:41,920 So we have created this in the previous lessons, where the DLL injector is going to inject into a process
9 00:00:41,920 --> 00:00:51,220 which is called Explorer. Explorer is always running on the Windows machine, and it is going to inject
10 00:00:51,520 --> 00:00:53,320 the DLL into it.
11 00:00:54,130 --> 00:00:54,670 Yeah.
12 00:00:55,480 --> 00:01:01,750 And once this DLL is injected, it will launch Microsoft Paint.
13 00:01:02,930 --> 00:01:10,070 Assuming we didn't know all of that and that we are now starting from scratch, assuming this is a malware sample that
14 00:01:10,070 --> 00:01:12,200 we don't know what it is going to do.
15 00:01:13,520 --> 00:01:17,510 So the first thing we do is to inspect it in PE Studio.
16 00:01:17,900 --> 00:01:19,310 So we open PE Studio.
17 00:01:20,090 --> 00:01:20,870 Then we drag
18 00:01:22,000 --> 00:01:26,300 the DLL injector into it and let it analyze.
19 00:01:27,430 --> 00:01:29,140 We take a look at its imports.
20 00:01:30,300 --> 00:01:32,940 And then look at the group column.
21 00:01:33,990 --> 00:01:41,640 Under memory, you'll find it has VirtualAllocEx, which allows you to allocate memory remotely in another
22 00:01:41,640 --> 00:01:44,310 process, and WriteProcessMemory.
23 00:01:45,150 --> 00:01:47,070 And then if you scroll down, you will see
24 00:01:48,190 --> 00:01:50,440 CreateRemoteThread and OpenProcess.
25 00:01:51,220 --> 00:02:00,870 So all of these four APIs hint that it is injection, meaning process injection or injection malware.
26 00:02:01,420 --> 00:02:06,880 So we need to put breakpoints in our debugger on those APIs.
27 00:02:09,310 --> 00:02:12,760 So now we're opening our x64dbg.
28 00:02:15,380 --> 00:02:20,810 And then here under Options, Preferences, only Entry Point is checked.
29 00:02:23,510 --> 00:02:26,270 Now we open our Trojan.
30 00:02:34,000 --> 00:02:36,250 We will put a breakpoint on
31 00:02:37,480 --> 00:02:38,530 OpenProcess.
32 00:02:40,380 --> 00:02:41,490 Let's click on this.
33 00:02:42,630 --> 00:02:45,960 We also put a breakpoint on WriteProcessMemory.
34 00:02:47,250 --> 00:02:49,860 And optionally CreateRemoteThread.
35 00:02:52,740 --> 00:03:03,030 The way to put a breakpoint is to type bp, followed by OpenProcess, and hit enter. You see here I've done
36 00:03:03,030 --> 00:03:03,630 this before.
37 00:03:03,810 --> 00:03:04,400 So it's already set.
38 00:03:06,010 --> 00:03:07,710 And do the same thing for the other two.
39 00:03:08,440 --> 00:03:13,660 bp WriteProcessMemory, hit enter, bp CreateRemoteThread.
40 00:03:17,530 --> 00:03:18,460 Now we can run it.
41 00:03:21,010 --> 00:03:24,100 So it hits our first breakpoint, OpenProcess,
42 00:03:26,680 --> 00:03:28,000 and it stops here.
43 00:03:29,300 --> 00:03:30,260 Step over.
44 00:03:31,710 --> 00:03:36,990 And now OpenProcess is about to execute, and you can see its arguments in the parameters window.
45 00:03:39,740 --> 00:03:43,880 And compare it with the MSDN documentation.
46 00:03:46,860 --> 00:03:50,650 The one we're interested in is the third parameter, which is the process ID
47 00:03:51,030 --> 00:03:52,110 it is trying to open.
48 00:03:54,100 --> 00:03:54,850 In this case,
49 00:03:55,840 --> 00:03:56,680 990.
50 00:03:57,780 --> 00:04:03,940 So we use our calculator and convert hex 990 into decimal.
51 00:04:04,920 --> 00:04:06,630 And we get 2448.
52 00:04:09,650 --> 00:04:15,980 We open Process Hacker and look for process 2448, and you find that it is explorer.
53 00:04:17,180 --> 00:04:21,190 So it is trying to inject into Explorer.
54 00:04:21,200 --> 00:04:22,730 So Explorer is the target.
55 00:04:23,900 --> 00:04:25,610 So now we open Explorer.
56 00:04:27,690 --> 00:04:29,320 And go to the Memory tab.
57 00:04:30,270 --> 00:04:33,660 But we don't know which part of memory it is going to inject into.
58 00:04:34,800 --> 00:04:43,140 So we will need to rely on the next breakpoint, which is WriteProcessMemory.
59 00:04:44,580 --> 00:04:48,280 So click on run, and it hits
60 00:04:48,300 --> 00:04:49,260 WriteProcessMemory.
61 00:04:51,000 --> 00:04:53,580 Step over until it comes to this call here.
62 00:04:55,920 --> 00:04:56,850 Now we are here.
63 00:04:58,930 --> 00:05:01,150 We look at the documentation again.
64 00:05:03,420 --> 00:05:10,100 WriteProcessMemory has these parameters. We're interested in the second parameter, which is the address
65 00:05:10,110 --> 00:05:11,400 it is going to write to.
66 00:05:12,900 --> 00:05:15,900 So this is the address in the target process.
67 00:05:17,160 --> 00:05:19,650 In this case, it is Explorer.
68 00:05:20,660 --> 00:05:24,750 So we go to this address, 2910000.
69 00:05:26,870 --> 00:05:29,420 And look for the location of that.
70 00:05:32,410 --> 00:05:36,670 It should be writable, so we can scroll down until you see RW.
71 00:05:43,700 --> 00:05:46,700 Look for 291 followed by four zeros.
72 00:05:48,410 --> 00:05:49,310 Click on refresh.
73 00:05:52,040 --> 00:05:56,330 And here you see 291 followed by four zeros.
74 00:05:56,480 --> 00:06:00,170 If we double click on it, we see what is currently there.
75 00:06:01,610 --> 00:06:03,860 So let's step over this and see what happens.
76 00:06:05,410 --> 00:06:14,290 Now we come back and click on refresh, and we see now it has injected this string into this memory of the
77 00:06:14,290 --> 00:06:19,610 Explorer process at this address, 291 followed by four zeros.
78 00:06:21,250 --> 00:06:24,630 And this seems to be a path to a DLL.
79 00:06:25,360 --> 00:06:28,840 So now we know it's trying to run this DLL.
80 00:06:29,350 --> 00:06:30,160 It's trying to load
81 00:06:30,460 --> 00:06:30,880 it.
82 00:06:32,470 --> 00:06:42,610 So we can confirm that it is trying to load this DLL by continuing to run until it hits the next API,
83 00:06:42,640 --> 00:06:43,810 which is CreateRemoteThread.
84 00:06:44,290 --> 00:06:45,220 So let's do that now.
85 00:06:47,620 --> 00:06:55,000 So now it hits CreateRemoteThread, and these are the parameters for CreateRemoteThread.
86 00:06:58,830 --> 00:07:00,030 Over here, you can see
87 00:07:01,060 --> 00:07:09,670 the fourth parameter, which is the address we're interested in, and the fifth parameter is the parameter passed to that address.
88 00:07:12,070 --> 00:07:18,550 So let's go there and see the fourth parameter.
89 00:07:20,320 --> 00:07:25,210 So the fourth parameter is LoadLibrary, which is used to load DLLs.
90 00:07:26,760 --> 00:07:30,720 And the fifth is the parameter for LoadLibrary.
91 00:07:30,900 --> 00:07:36,170 So from here you can see it is 291 followed by four zeros, which is exactly this:
92 00:07:36,630 --> 00:07:38,100 291 followed by four zeros.
93 00:07:39,780 --> 00:07:46,920 So this confirms that it is using a remote thread to load the DLL using the LoadLibrary API.
94 00:07:48,030 --> 00:07:51,780 So now that we know for sure it is going to load this library,
95 00:07:52,330 --> 00:07:55,210 we can go directly to the location of this library.
96 00:07:56,220 --> 00:08:03,810 So you can see from here the location: C:\Users\..., under the DLL injection folder.
97 00:08:04,680 --> 00:08:04,890 Hmm.
98 00:08:05,070 --> 00:08:05,720 And so on.
99 00:08:05,730 --> 00:08:08,220 That location is this folder.
100 00:08:09,330 --> 00:08:12,360 So that's how we find out the location of the DLL, assuming
101 00:08:12,360 --> 00:08:13,410 we didn't know it was here.
102 00:08:14,580 --> 00:08:16,530 So we go directly to this location.
103 00:08:16,860 --> 00:08:19,410 We can now debug this directly.
104 00:08:21,670 --> 00:08:22,930 So we can stop this now.
105 00:08:25,520 --> 00:08:28,640 And now we can open the DLL file itself.
106 00:08:34,800 --> 00:08:40,140 So now we know that this is the DLL that gets loaded by the loader.
107 00:08:42,690 --> 00:08:49,980 Before we can decide where the breakpoints should be set, we can put it into PE Studio.
108 00:08:51,960 --> 00:08:58,230 So we open PE Studio and drag the DLL into PE Studio.
109 00:08:58,890 --> 00:09:03,090 And then we click on the imports, and we see what it's trying to do.
110 00:09:04,020 --> 00:09:07,530 And then under the memory group, we see VirtualAlloc and VirtualProtect.
111 00:09:08,190 --> 00:09:10,260 And then under execution, you see
112 00:09:11,130 --> 00:09:11,740 CreateThread.
113 00:09:12,780 --> 00:09:20,160 So this suggests it is probably trying to execute shellcode, so we can put breakpoints on VirtualAlloc,
114 00:09:20,370 --> 00:09:22,870 VirtualProtect and optionally CreateThread.
115 00:09:24,510 --> 00:09:27,610 So now we have our hint on how to debug this.
116 00:09:27,610 --> 00:09:39,450 We go back to our x64dbg and start putting our breakpoints: bp VirtualAlloc, hit enter,
117 00:09:41,970 --> 00:09:46,170 bp VirtualProtect, hit enter.
118 00:09:48,690 --> 00:09:49,650 And now you can run.
119 00:09:53,380 --> 00:09:54,860 And yes, it hits VirtualAlloc.
120 00:09:55,780 --> 00:09:59,920 If you want to see what address is allocated, we can
121 00:10:01,170 --> 00:10:02,220 run to user code.
122 00:10:03,300 --> 00:10:05,640 And you can look at the returned address here.
123 00:10:07,230 --> 00:10:09,030 So you can follow this in dump.
124 00:10:11,750 --> 00:10:15,050 Now we run again.
125 00:10:16,370 --> 00:10:20,810 And now it has populated the allocated region of memory with shellcode.
126 00:10:24,810 --> 00:10:26,670 So now it hits VirtualProtect.
127 00:10:28,380 --> 00:10:37,830 And if you look at the parameters for VirtualProtect, the first parameter is the address of where it is going to
128 00:10:37,830 --> 00:10:39,060 alter the permission.
129 00:10:40,550 --> 00:10:43,340 And you compare this: it is the same location.
130 00:10:44,700 --> 00:10:53,670 So currently this location, if you look at the memory map, it is set to readable, writable.
131 00:10:55,750 --> 00:11:03,460 But if we pass the VirtualProtect call by running over it and look at the memory map again,
132 00:11:04,210 --> 00:11:07,660 it is now set to executable and readable.
133 00:11:08,560 --> 00:11:13,270 So that means that it has finished unpacking, and it is going to execute.
134 00:11:14,320 --> 00:11:16,720 So at this point, we can dump this memory.
135 00:11:18,140 --> 00:11:20,690 So we select all of this up to here.
136 00:11:22,480 --> 00:11:30,280 Select up to here, then right-click, Binary, Save to a file.
137 00:11:32,530 --> 00:11:40,320 And you can save it to the location of our project, which is the DLL injection folder.
138 00:11:41,770 --> 00:11:43,810 And you can call it the dump.
139 00:11:46,230 --> 00:11:49,050 dump.bin
140 00:11:50,960 --> 00:11:52,310 Now we can close everything.
141 00:11:58,160 --> 00:12:05,990 In the next video, I'm going to show you how to debug this dump. See you in the next video.
142 00:12:06,230 --> 00:12:07,190 Thank you for watching.