1
00:00:00,660 --> 00:00:01,770
Hello and welcome.

2
00:00:02,250 --> 00:00:10,260
In this video, we are going to reverse engineer this Trojan, so go and download this project

3
00:00:10,440 --> 00:00:16,920
and unzip it and put it in the malware folder. The first thing we do is open PEStudio.

4
00:00:18,120 --> 00:00:20,220
We want to analyze this now.

5
00:00:20,250 --> 00:00:22,800
Drag this file into PEStudio.

6
00:00:24,920 --> 00:00:28,370
So we drop the file into PEStudio.

7
00:00:32,410 --> 00:00:35,140
Let's wait for it to finish the imports.

8
00:00:39,520 --> 00:00:48,460
Click on imports and you will see, under the group column, the memory group, which has VirtualAllocEx

9
00:00:48,730 --> 00:00:50,050
and WriteProcessMemory.

10
00:00:50,890 --> 00:00:57,040
And if you scroll down further into the execution group, you will see OpenProcess

11
00:00:58,160 --> 00:01:01,170
over here, and also CreateRemoteThread.

12
00:01:01,880 --> 00:01:05,630
So this indicates that it is doing process injection.

13
00:01:06,860 --> 00:01:14,210
So knowing this, we need to put breakpoints on some of these four APIs.

14
00:01:15,500 --> 00:01:17,930
So let's open x64dbg.

15
00:01:19,680 --> 00:01:21,540
We also know that from here

16
00:01:25,340 --> 00:01:27,170
it is a 64-bit CPU,

17
00:01:28,230 --> 00:01:29,840
meaning it is a 64-bit program.

18
00:01:33,370 --> 00:01:36,280
So now we open our Trojan.

19
00:01:38,520 --> 00:01:41,310
Go to the project folder.

20
00:01:44,230 --> 00:01:49,030
Under Options, Preferences, make sure the entry point is checked.

21
00:01:52,170 --> 00:01:58,290
Once at the entry point, come down and put a breakpoint on OpenProcess.

22
00:02:02,030 --> 00:02:02,540
Hit Enter.

23
00:02:03,760 --> 00:02:05,870
And another breakpoint on

24
00:02:06,020 --> 00:02:07,100
WriteProcessMemory.

25
00:02:09,050 --> 00:02:15,720
Hit Enter to confirm. Both are already set, and then go back to the CPU view.

26
00:02:15,860 --> 00:02:16,940
And run.

27
00:02:19,100 --> 00:02:23,150
So it hits our first breakpoint, which is OpenProcess.

28
00:02:23,930 --> 00:02:25,490
And we step over.

29
00:02:28,040 --> 00:02:29,390
And now it is ready to run.

30
00:02:31,180 --> 00:02:34,450
And you look at the parameters for OpenProcess.

31
00:02:36,520 --> 00:02:40,660
So the third parameter is what we're interested in.

32
00:02:42,730 --> 00:02:49,420
For OpenProcess, watch the third parameter, which is the ID of the process, the process ID.

33
00:02:50,680 --> 00:02:57,340
You can download these notes from the resources section. So the third parameter is in decimal, hence

34
00:02:57,340 --> 00:02:59,770
we convert it into hexadecimal.

35
00:03:03,910 --> 00:03:06,520
4928 converted to hexadecimal

36
00:03:07,240 --> 00:03:09,850
will give you 1340.

37
00:03:10,990 --> 00:03:14,050
So you open Process Hacker and look for 1340.

38
00:03:16,450 --> 00:03:19,180
And you find that it is explorer.

39
00:03:20,110 --> 00:03:23,740
So now we know that it is targeting the explorer process.

40
00:03:24,370 --> 00:03:31,120
It is going to inject into explorer, so you can monitor explorer's memory

41
00:03:33,260 --> 00:03:34,290
by double-clicking.

42
00:03:38,110 --> 00:03:41,110
And we need to know which part of the memory it is going to.

43
00:03:42,190 --> 00:03:43,710
So we run again.

44
00:03:45,500 --> 00:03:47,330
So it hits WriteProcessMemory.

45
00:03:49,600 --> 00:03:52,750
And from WriteProcessMemory, we can know

46
00:03:55,140 --> 00:04:00,060
where it is going to inject, by looking at the second parameter.

47
00:04:01,850 --> 00:04:07,160
So the second parameter shows this address, 29740.

48
00:04:09,160 --> 00:04:12,850
So we go to 29740, so we need to refresh here.

49
00:04:14,690 --> 00:04:17,330
And it's close to 29740.

50
00:04:26,570 --> 00:04:28,310
29740.

51
00:04:28,700 --> 00:04:29,210
Over here.

52
00:04:30,650 --> 00:04:36,800
And when you click on it, you will see that currently there is nothing in this memory.

53
00:04:37,730 --> 00:04:43,850
So we need to now continue to step over this call.

54
00:04:45,310 --> 00:04:49,330
And then you can see what happens after we step over this call.

55
00:04:51,650 --> 00:04:52,650
Again, you can see.

56
00:04:56,070 --> 00:04:56,670
Over here.

57
00:04:57,610 --> 00:05:03,450
We need to click on the button to refresh this region of memory.

58
00:05:04,980 --> 00:05:06,780
Now we see it has been populated

59
00:05:07,050 --> 00:05:09,560
with the shellcode.

60
00:05:11,780 --> 00:05:15,950
And this shellcode appears to be in plain text, so you can see some strings here.

61
00:05:17,300 --> 00:05:20,390
OK, so now you can dump this to a file. Click on Save.

62
00:05:22,250 --> 00:05:25,010
And then you can save it to

63
00:05:26,470 --> 00:05:27,930
your folder for this project.

64
00:05:29,510 --> 00:05:34,610
So you scroll down to the folder for this, which is reversing.

65
00:05:36,520 --> 00:05:37,210
Reversing.

66
00:05:39,100 --> 00:05:40,660
Save it with a different name.

67
00:05:43,130 --> 00:05:44,510
Now you can close this.

68
00:05:45,920 --> 00:05:54,560
So we have saved the memory from the process after the Trojan has injected a shellcode into

69
00:05:54,560 --> 00:05:54,710
it.

70
00:05:55,580 --> 00:05:59,330
So this is how you can reverse engineer a Trojan

71
00:06:00,770 --> 00:06:02,390
that does process injection.

72
00:06:02,990 --> 00:06:04,040
Thank you for watching.