1 00:00:00,630 --> 00:00:09,170 Hello and welcome to a new lesson. In this lesson, I'm going to show you how to evade antivirus.
2 00:00:09,180 --> 00:00:16,440 Download this project 13 - AV evasion from the resources.
3 00:00:16,830 --> 00:00:20,040 Unzip it and put it in the malware folder.
4 00:00:20,050 --> 00:00:28,110 You open the folder and you see the Trojan that we created from the previous lesson.
5 00:00:28,680 --> 00:00:31,410 Then we open the sln project.
6 00:00:34,380 --> 00:00:44,530 So this Trojan here will inject into the explorer process and then it will cause the shellcode to open
7 00:00:44,530 --> 00:00:45,450 the message box.
8 00:00:46,830 --> 00:00:59,370 Now we are going to scan this with YARA, so open a command line terminal, and then
9 00:00:59,370 --> 00:01:07,860 change to this directory: copy the path and then type cd, right click to paste.
10 00:01:09,060 --> 00:01:10,740 So we're going to do a YARA scan.
11 00:01:10,740 --> 00:01:17,010 yara64, then the path to the YARA rules.
12 00:01:22,780 --> 00:01:35,410 And then now type in the name of the Trojan, the .exe, and then give the w and s options.
13 00:01:39,200 --> 00:01:43,910 Now, I already set my properties for the layout
14 00:01:45,360 --> 00:01:51,000 to be width 140 so that I can have a better view.
15 00:01:54,170 --> 00:01:54,860 Now hit enter.
16 00:01:55,130 --> 00:01:56,030 And it scans.
17 00:01:59,530 --> 00:02:00,760 And here's the result.
18 00:02:02,130 --> 00:02:04,890 Notice that it has detected
19 00:02:06,530 --> 00:02:19,280 anti-debug; it also detected win_registry, and these are the conditions of the inject_thread
20 00:02:19,610 --> 00:02:19,970 rule.
21 00:02:20,510 --> 00:02:21,590 These are the rule's conditions.
22 00:02:22,190 --> 00:02:25,480 And there are also other things that are found in the file.
23 00:02:27,020 --> 00:02:36,230 But this one is the most damaging one, because from condition one, condition two,
24 00:02:36,740 --> 00:02:46,910 condition four, condition five, condition seven, YARA has concluded that this is a malicious program
25 00:02:47,870 --> 00:02:50,250 because it is capable of injecting.
26 00:02:52,040 --> 00:02:59,150 So if you want to know more details about this rule, just open Notepad++.
27 00:03:00,520 --> 00:03:07,900 And you will look at the details of this rule. Simply go to Search, Find in Files.
28 00:03:09,370 --> 00:03:15,820 And then here, make sure, you know, we get to the YARA rules
29 00:03:15,820 --> 00:03:18,040 folder; we are going to search
30 00:03:18,040 --> 00:03:23,770 the YARA rules for the rules that define this inject thread.
31 00:03:25,180 --> 00:03:26,890 So select this rules folder.
32 00:03:28,630 --> 00:03:30,040 Make sure it is correct.
33 00:03:30,610 --> 00:03:33,910 And then here we are going to search for inject thread.
34 00:03:34,090 --> 00:03:41,020 So just type inject_thread, the one that you see here, the rule name, and click Find All.
35 00:03:43,640 --> 00:03:49,340 So you got one hit: inject_thread is found in this file,
36 00:03:50,640 --> 00:03:53,640 the capabilities file.
37 00:03:55,030 --> 00:04:02,410 And you see that you have a capabilities.yar, and then to see the content of this capabilities.yar,
38 00:04:03,010 --> 00:04:14,890 you double click and you see this rule. In this rule it defines the metadata, the version,
39 00:04:14,890 --> 00:04:16,270 the strings and the condition.
40 00:04:16,270 --> 00:04:20,500 Those are the main parts for a rule in YARA.
41 00:04:22,230 --> 00:04:25,770 The important ones are the strings and the condition.
42 00:04:26,820 --> 00:04:30,630 So here you have the strings: c1, c2, c3, c4.
43 00:04:30,660 --> 00:04:36,510 So these are the strings and these are the conditions that it
44 00:04:36,630 --> 00:04:42,090 uses to define whether or not this inject thread capability exists.
45 00:04:43,050 --> 00:04:52,950 So if you find c1 and c2, and c3 or c4,
46 00:04:53,970 --> 00:05:06,600 and c5 or c6 or c7, if this condition is satisfied, then YARA will conclude that this malware, that
47 00:05:06,600 --> 00:05:10,620 this program that you are scanning, is capable of injecting.
48 00:05:12,720 --> 00:05:14,820 So this is how YARA works.
49 00:05:15,720 --> 00:05:25,100 So you can see from here, if you want to defeat this rule, all we have to do is study the conditions.
50 00:05:26,070 --> 00:05:29,250 So for the condition for inject thread to be true,
51 00:05:30,330 --> 00:05:34,290 c1 and c2 and this and this are true.
52 00:05:35,220 --> 00:05:44,730 So in order to defeat it, we only need to defeat c1: if we obfuscate this OpenProcess function call,
53 00:05:45,450 --> 00:05:52,020 then it will fail to detect this inject thread capability.
54 00:05:53,250 --> 00:05:57,650 Alternatively, we can also choose to obfuscate VirtualAllocEx.
55 00:05:58,230 --> 00:06:01,620 If you do that, the second condition will be false,
56 00:06:02,100 --> 00:06:04,080 and so the whole condition also fails.
57 00:06:05,100 --> 00:06:14,190 So this is how you can use these files where the rules are defined in order to study and understand
58 00:06:14,190 --> 00:06:16,260 how you can defeat antivirus.
59 00:06:16,980 --> 00:06:24,870 In this case here, I'm going to show you how to obfuscate these three, which are
60 00:06:25,170 --> 00:06:25,490 VirtualAlloc
61 00:06:25,540 --> 00:06:26,010 Ex,
62 00:06:27,610 --> 00:06:31,830 WriteProcessMemory and CreateRemoteThread.
63 00:06:32,980 --> 00:06:34,420 So let's try it now.
64 00:06:34,840 --> 00:06:37,210 I've already created this file for you
65 00:06:38,500 --> 00:06:44,290 that has got the new code for avoiding antivirus.
66 00:06:45,100 --> 00:06:48,070 So we are using the Trojan development lifecycle.
67 00:06:48,610 --> 00:06:49,570 We have developed it?
68 00:06:49,600 --> 00:06:49,940 Yes.
69 00:06:49,970 --> 00:06:51,730 We have scanned it and seen the result?
70 00:06:51,800 --> 00:06:54,550 Have we studied the report?
71 00:06:54,760 --> 00:06:56,080 And now we know what to do.
72 00:06:56,380 --> 00:07:02,560 We have to do a modification to our file so that this thing will not be detected in the scan.
73 00:07:03,430 --> 00:07:07,150 So in order to do that, we will use function obfuscation,
74 00:07:07,540 --> 00:07:11,680 also known as function hiding, and also encryption of string parameters.
75 00:07:12,430 --> 00:07:13,450 So let's get started.
76 00:07:14,730 --> 00:07:21,270 So this file, you already have this; I shared this with you in the first lecture for this section.
77 00:07:24,140 --> 00:07:29,000 So let's open the source code file and you will see the modification that I made.
78 00:07:31,840 --> 00:07:32,910 Coming back to the code.
79 00:07:33,670 --> 00:07:37,120 Let me explain these three function pointers up here.
80 00:07:38,110 --> 00:07:46,720 So these three function pointers, for VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, are created
81 00:07:46,720 --> 00:07:48,540 by going to MSDN.
82 00:07:49,450 --> 00:07:53,530 So you go to MSDN for VirtualAllocEx and you copy.
83 00:07:54,310 --> 00:07:56,890 Copy this definition for VirtualAllocEx.
84 00:07:57,370 --> 00:07:58,210 And put it here.
85 00:07:58,870 --> 00:08:06,700 And then you convert it into a function pointer by putting the WINAPI and asterisk in front and putting the opening
86 00:08:06,700 --> 00:08:11,530 and closing brackets around it, and also changing the name to the pointer name.
87 00:08:12,880 --> 00:08:14,980 And then same thing for Write
88 00:08:14,990 --> 00:08:17,620 ProcessMemory, you get it from here.
89 00:08:19,720 --> 00:08:23,800 And finally, for CreateRemoteThread, you get it from here.
90 00:08:25,210 --> 00:08:34,210 So this is how we create these function pointers, which are used. See, the original code was here
91 00:08:34,990 --> 00:08:36,230 and then I changed it.
92 00:08:36,540 --> 00:08:41,060 Here I have created these additional lines.
93 00:08:41,740 --> 00:08:42,730 I have commented it out.
94 00:08:43,360 --> 00:08:50,680 This function call, the VirtualAllocEx, we converted into a pointer.
95 00:08:51,720 --> 00:08:54,270 Same thing with the WriteProcessMemory.
96 00:08:55,120 --> 00:08:57,780 I've converted it into a function pointer.
97 00:08:58,440 --> 00:09:00,680 Same here for CreateRemoteThread.
98 00:09:01,500 --> 00:09:09,060 So because these are function pointers, you have to resolve them before you can use the pointer.
99 00:09:09,900 --> 00:09:17,850 So these three, these three lines, we use GetProcAddress to retrieve VirtualAllocEx from
100 00:09:17,850 --> 00:09:20,160 kernel32 and return the address to it.
101 00:09:20,730 --> 00:09:27,090 Same thing with WriteProcessMemory and also CreateRemoteThread, in this string.
102 00:09:27,810 --> 00:09:35,220 The strings here have been encrypted because we don't want any antivirus to scan these strings.
103 00:09:36,060 --> 00:09:38,910 So we encrypted them and put them here.
104 00:09:40,080 --> 00:09:49,350 So the string VirtualAllocEx is encrypted, and it is encrypted using this secret key.
105 00:09:51,010 --> 00:09:56,110 And then WriteProcessMemory is encrypted using the secret key as well.
106 00:09:56,560 --> 00:09:58,510 And the same thing, CreateRemoteThread.
107 00:09:59,830 --> 00:10:01,450 So that's how we encrypt.
108 00:10:01,810 --> 00:10:05,350 And here is where we decrypt these three strings.
109 00:10:07,190 --> 00:10:16,190 So after the decryption, you will get back the plaintext for VirtualAllocEx, and the plaintext is overwritten
110 00:10:16,190 --> 00:10:18,050 into this string.
111 00:10:18,500 --> 00:10:22,550 And here is where you use it, in this line.
112 00:10:22,970 --> 00:10:29,410 WriteProcessMemory, we use it here, same with CreateRemoteThread.
113 00:10:30,170 --> 00:10:32,570 So how do we get this encryption?
114 00:10:33,260 --> 00:10:36,060 The same way we did the last time
115 00:10:36,060 --> 00:10:38,270 when we were doing function obfuscation.
116 00:10:38,810 --> 00:10:40,910 We used the Python script.
117 00:10:42,080 --> 00:10:49,250 So in order to use the script, first we need to have a file for the Python script to read.
118 00:10:49,850 --> 00:10:56,360 So we create a new file here and you can call it to be encrypted.
119 00:11:00,620 --> 00:11:06,530 And here we put the first thing that you want to encrypt, which is VirtualAllocEx.
120 00:11:08,270 --> 00:11:08,480 OK.
121 00:11:09,500 --> 00:11:11,960 And save it.
122 00:11:12,320 --> 00:11:12,770 OK.
123 00:11:14,030 --> 00:11:17,300 Now we are going to encrypt.
124 00:11:18,710 --> 00:11:19,460 We come here.
125 00:11:19,490 --> 00:11:25,340 Clear the screen. The path of Python 2.7.
126 00:11:30,400 --> 00:11:35,830 And then we give it the script.
127 00:11:36,130 --> 00:11:36,820 Yes, like that.
128 00:11:37,510 --> 00:11:44,400 And then the input file is to be encrypted, and then the output file.
129 00:11:45,340 --> 00:11:55,020 So we need to put the output file here because this script, let's open it and see, this script will encrypt
130 00:11:55,030 --> 00:11:56,280 and save the ciphertext.
131 00:11:56,290 --> 00:12:04,120 And then it formats all these bytes in hex with 0x in front so that you can use them in
132 00:12:04,150 --> 00:12:06,670 our code here in this format.
133 00:12:07,720 --> 00:12:17,820 So we put the output file, you can call it encrypted, and press enter.
134 00:12:18,910 --> 00:12:20,500 And now you see there's a new file.
135 00:12:20,540 --> 00:12:25,390 Encrypted. So we open this and you copy.
136 00:12:28,320 --> 00:12:30,570 Copy this. OK, copy.
137 00:12:32,640 --> 00:12:35,970 And you come to your source code and paste here.
138 00:12:39,390 --> 00:12:43,340 So this is how I got this: paste.
139 00:12:43,410 --> 00:12:43,740 OK.
140 00:12:43,950 --> 00:12:50,410 And do the same thing for the other two, WriteProcessMemory and also CreateRemoteThread, the exact same
141 00:12:50,430 --> 00:12:50,730 thing.
142 00:12:51,120 --> 00:12:57,510 So to do that, you just have to come back here and change the to be encrypted.
143 00:12:59,450 --> 00:13:01,010 Change this string
144 00:13:02,640 --> 00:13:08,760 here to the second function, if you want to encrypt, which is your WriteProcessMemory.
145 00:13:09,330 --> 00:13:11,310 So type WriteProcessMemory.
146 00:13:14,550 --> 00:13:18,390 Save, and then over here,
147 00:13:19,410 --> 00:13:20,380 repeat the command.
148 00:13:21,570 --> 00:13:22,710 And then come back here.
149 00:13:24,250 --> 00:13:25,870 Reopen this file.
150 00:13:28,440 --> 00:13:28,920 And then.
151 00:13:30,030 --> 00:13:31,950 Yes, here we go, so copy.
152 00:13:32,960 --> 00:13:39,240 Notice there's another modification here: there are null bytes here, because here I replaced the string
153 00:13:39,240 --> 00:13:41,100 length with the sizeof function.
154 00:13:41,790 --> 00:13:44,430 So it will not cause any errors.
155 00:13:46,890 --> 00:13:48,540 So it is copy and paste here.
156 00:13:54,510 --> 00:13:58,410 Remember, in the earlier lesson on encryption,
157 00:13:58,830 --> 00:14:06,450 I told you, if you have a null byte in the middle of the string it will cause a problem, because there you are using strlen to calculate
158 00:14:06,540 --> 00:14:08,640 the length of the string.
159 00:14:09,000 --> 00:14:10,710 But now we replace it with sizeof.
160 00:14:10,860 --> 00:14:13,620 So sizeof is immune to null bytes.
161 00:14:14,010 --> 00:14:15,990 So it's OK to have null bytes.
162 00:14:17,190 --> 00:14:23,500 OK, so now the last one is CreateRemoteThread. Change this to CreateRemoteThread.
163 00:14:26,870 --> 00:14:41,810 We will save it and repeat this one, and then come here and copy the encrypted string for Create
164 00:14:41,810 --> 00:14:47,010 RemoteThread. Copy and put it into your
165 00:14:49,000 --> 00:14:49,570 code here.
166 00:14:53,730 --> 00:14:54,280 OK.
167 00:14:54,990 --> 00:14:57,120 All right, so this is how this program will work.
168 00:14:57,720 --> 00:15:05,460 When you run this program, it will run the WinMain here, WinMain, not console, to make it stealthy.
169 00:15:06,180 --> 00:15:08,610 And then it will come down here.
170 00:15:09,830 --> 00:15:17,660 And then it will find the resource to create the shellcode for the message box, which we already studied before,
171 00:15:18,230 --> 00:15:24,410 and then create the new allocation and move it to memory and so on.
172 00:15:25,190 --> 00:15:31,550 And decrypt the shellcode, and then come down here, open the process, the explorer process.
173 00:15:32,000 --> 00:15:35,330 And here it is going to inject, so in inject,
174 00:15:35,540 --> 00:15:46,190 it comes up here and over here you load the string for VirtualAllocEx, which is the encrypted string, for
175 00:15:46,190 --> 00:15:51,890 WriteProcessMemory, which is the encrypted string, for CreateRemoteThread, which is also encrypted.
176 00:15:53,120 --> 00:15:56,680 And here you decrypt all the three and save.
177 00:15:56,750 --> 00:15:57,250 Yes.
178 00:15:57,250 --> 00:15:57,830 As plaintext.
179 00:15:58,340 --> 00:16:07,790 And down here, it uses GetProcAddress to retrieve the address of the various APIs from kernel
180 00:16:07,790 --> 00:16:11,420 32 and puts them in these pointers.
181 00:16:12,020 --> 00:16:16,460 And then now here it makes use of them: for VirtualAllocEx is this one.
182 00:16:17,300 --> 00:16:23,330 And for WriteProcessMemory is here, and over here it's CreateRemoteThread.
183 00:16:24,050 --> 00:16:24,810 So this is how it works.
184 00:16:24,860 --> 00:16:26,750 So let's, let's give it a run.
185 00:16:26,750 --> 00:16:26,900 OK.
186 00:16:26,900 --> 00:16:27,350 Sure.
187 00:16:27,590 --> 00:16:28,010 Now,
188 00:16:28,220 --> 00:16:29,360 let's compile it first.
189 00:16:30,230 --> 00:16:32,210 And make sure it works, right?
190 00:16:32,620 --> 00:16:32,860 Yes.
191 00:16:34,490 --> 00:16:38,840 And so now you can double click it to see if it works.
192 00:16:39,920 --> 00:16:41,270 So we just have a message box.
193 00:16:42,380 --> 00:16:52,220 And if you look, to confirm that this is coming from Explorer, open this, open Process Hacker and
194 00:16:52,220 --> 00:16:55,070 then drag this over this window.
195 00:16:55,670 --> 00:17:02,240 And you can see that the parent for this message, MessageBox, is Explorer.
196 00:17:03,080 --> 00:17:11,090 And you can go to the memory here and scroll down and look at the RWX section.
197 00:17:14,590 --> 00:17:18,960 This one without any marking, unknown.
198 00:17:19,910 --> 00:17:20,600 Not this one.
199 00:17:21,560 --> 00:17:22,520 The other one is here.
200 00:17:22,760 --> 00:17:24,050 It's the one marked RWX.
201 00:17:25,700 --> 00:17:28,730 And here you can see the shellcode is decrypted.
202 00:17:29,210 --> 00:17:31,190 And now it is working.
203 00:17:31,520 --> 00:17:33,350 So let's test it.
204 00:17:35,210 --> 00:17:37,700 So we repeat the YARA scan again.
205 00:17:38,450 --> 00:17:40,100 This time we see whether it can detect it.
206 00:17:40,940 --> 00:17:42,980 OK, let's scan and see.
207 00:17:43,670 --> 00:17:46,550 And you see, it has failed to detect the Trojan.
208 00:17:47,630 --> 00:17:50,120 So it looks like we have bypassed the antivirus.
209 00:17:50,390 --> 00:17:52,670 So this is how you can bypass antivirus.
210 00:17:53,210 --> 00:17:59,600 Using this Trojan development lifecycle over here.
211 00:18:00,740 --> 00:18:01,820 So this is how it works.
212 00:18:02,930 --> 00:18:04,220 That's all for this session.
213 00:18:04,790 --> 00:18:06,380 Thank you for watching.