1 00:00:00,240 --> 00:00:08,070 So in this video we'll be mapping the sections from the raw disk, that is, this byte array, to the memory.
2 00:00:09,030 --> 00:00:18,780 So we already have this loop looping over these sections and parsing these sections as, as ish of
3 00:00:18,780 --> 00:00:19,140 i.
4 00:00:19,530 --> 00:00:24,000 So ish[0] is the first section, ish[1] is the second section, etc.
5 00:00:24,240 --> 00:00:33,310 So we can parse the section raw data and throw it into memory here only.
6 00:00:33,330 --> 00:00:35,990 But you can also use another for loop as well.
7 00:00:36,000 --> 00:00:37,770 So I'm using another for loop.
8 00:00:37,830 --> 00:00:39,030 Let's say region.
9 00:00:41,720 --> 00:00:45,410 Mapping sections into memory.
10 00:00:47,750 --> 00:00:57,920 And so after writing the code, you can just click this minus icon to collapse this code, so
11 00:00:57,920 --> 00:00:58,640 you can just
12 00:01:01,490 --> 00:01:04,670 collapse this entire section to save some space.
13 00:01:05,480 --> 00:01:13,580 So now we are going to map the sections: for int i = 0; i < the number of sections
14 00:01:13,580 --> 00:01:14,750 in the header.
15 00:01:15,500 --> 00:01:18,590 That is FileHeader dot NumberOfSections.
16 00:01:18,590 --> 00:01:19,190 i plus
17 00:01:19,190 --> 00:01:19,760 plus.
18 00:01:21,410 --> 00:01:24,740 And we don't need to parse these sections again.
19 00:01:24,740 --> 00:01:29,730 We already have the sections stored in this array, etc.
20 00:01:31,430 --> 00:01:38,540 So what we need to do is, if you go to this PE viewer, you can see the raw address on the disk.
21 00:01:38,690 --> 00:01:43,670 So I have this internet problem.
22 00:01:43,670 --> 00:01:45,640 So it's going to load very slowly.
23 00:01:45,650 --> 00:01:53,480 So if you go to a hex editor, you can see from the 400 offset you have the content of the text
24 00:01:53,480 --> 00:01:59,000 section, and the size is 1200, but the virtual size is 1000.
25 00:01:59,120 --> 00:02:05,600 These 200 extra bytes are due to null-byte padding because of the file alignment.
26 00:02:08,000 --> 00:02:12,400 That's why the zero bytes have been appended at the end.
27 00:02:12,410 --> 00:02:15,180 But the actual size is, wait,
28 00:02:15,200 --> 00:02:17,660 which size is 1040?
29 00:02:17,960 --> 00:02:19,490 So this is the virtual address.
30 00:02:19,490 --> 00:02:20,590 So sorry for that.
31 00:02:20,600 --> 00:02:29,800 So in memory, the content which is starting at this 400 should start at the 1000 offset.
32 00:02:34,440 --> 00:02:39,540 So let's go and declare a byte array to store the contents.
33 00:02:40,340 --> 00:02:48,050 byte array sectionData is equal to new byte array of how much size we want to allocate, that is defined
34 00:02:48,290 --> 00:02:52,250 as ish[i] dot VirtualSize.
35 00:02:57,720 --> 00:03:00,480 Now we need to read the data from this.
36 00:03:01,260 --> 00:03:02,880 That is, the file bytes.
37 00:03:05,020 --> 00:03:12,910 From the offset this section dot SectionHeader, SectionHeader dot PointerToRawData.
38 00:03:18,580 --> 00:03:24,310 So for j equals zero, j less than.
39 00:03:30,690 --> 00:03:31,050 Copy.
40 00:03:31,050 --> 00:03:35,100 This virtual size is here, so we need to read these many number of bytes.
41 00:03:36,720 --> 00:03:37,230 j plus
42 00:03:37,260 --> 00:03:37,980 plus.
43 00:03:39,990 --> 00:03:52,740 On these many number of bytes, starting from the offset of ish[i] dot PointerToRawData.
44 00:03:52,740 --> 00:04:01,170 So this PointerToRawData is pointing to this section's starting data, the offset of the starting data.
45 00:04:03,600 --> 00:04:05,250 Let me see the file.
46 00:04:10,260 --> 00:04:12,510 Let me open this file in the hex editor.
47 00:04:12,510 --> 00:04:15,440 You can see there are addresses, 400.
48 00:04:15,450 --> 00:04:19,380 If you go to this 400, you will see the content of this
49 00:04:20,950 --> 00:04:21,910 text section.
50 00:04:26,410 --> 00:04:34,720 So the raw data pointer, PointerToRawData, is pointing to this, the 400 offset, to which we need to add j for this
51 00:04:34,810 --> 00:04:37,540 loop, what we want to read.
52 00:04:39,070 --> 00:04:41,710 So we'll be reading this.
53 00:04:43,740 --> 00:04:46,860 These many number of bytes, up to this virtual size.
54 00:04:48,490 --> 00:04:54,030 And we're gonna assign this to sectionData[j].
55 00:04:58,860 --> 00:05:00,820 So we have this section data.
56 00:05:00,840 --> 00:05:06,870 Now, what we can do is we can go and map this; put a semicolon here.
57 00:05:07,680 --> 00:05:13,370 So we can copy this whole data into this virtual space.
58 00:05:13,410 --> 00:05:14,030 So sorry.
59 00:05:14,040 --> 00:05:15,120 Virtual address.
60 00:05:16,160 --> 00:05:25,400 So you can say Marshal.Copy, and the source, not the source... the source is sectionData and the starting index is
61 00:05:25,400 --> 00:05:27,800 zero, and the destination is base address.
62 00:05:28,640 --> 00:05:33,320 And remember, the virtual address is the offset from the image base.
63 00:05:33,530 --> 00:05:41,660 So image base plus that offset of the thousand bytes.
64 00:05:41,660 --> 00:05:51,110 We have this, this section's data, so we can just say sectionData dot Length.
65 00:05:55,690 --> 00:05:57,340 So that's it.
66 00:05:57,940 --> 00:05:59,630 We have successfully copied.
67 00:05:59,650 --> 00:06:03,640 And one thing you need to change is this.
68 00:06:05,390 --> 00:06:08,700 Headers size to image size.
69 00:06:09,260 --> 00:06:15,650 Because the headers size fits only the headers, and because we are relocating the sections, we
70 00:06:15,650 --> 00:06:18,020 need to allocate the whole size.
71 00:06:21,390 --> 00:06:26,480 So what we're going to do is, I'm going to put a breakpoint at this Marshal.Copy.
72 00:06:26,490 --> 00:06:27,990 So let's go and run this.
73 00:06:33,300 --> 00:06:35,850 And the starting address is this one.
74 00:06:39,320 --> 00:06:45,050 And you can see the exact... now you can click on these columns and click on 16.
75 00:06:45,050 --> 00:06:52,520 So you get exactly 16 columns of bytes, as in this hex editor.
76 00:06:52,520 --> 00:06:55,010 So it would be very easy to compare for you.
77 00:07:08,940 --> 00:07:12,750 And here we can see this is completely empty.
78 00:07:13,320 --> 00:07:17,670 And if I go and step into this.
79 00:07:21,830 --> 00:07:25,010 And I should see some data.
80 00:07:29,810 --> 00:07:30,040 Okay.
81 00:07:30,040 --> 00:07:32,050 This is it.
82 00:07:32,080 --> 00:07:33,340 Copy this address.
83 00:07:36,130 --> 00:07:38,680 And plus 0x6000.
84 00:07:41,840 --> 00:07:42,130 Okay.
85 00:07:42,170 --> 00:07:43,910 I think we did not copy correctly.
86 00:07:46,640 --> 00:07:47,720 Oh, sorry.
87 00:07:49,520 --> 00:07:54,560 At the base address plus ish[i]
88 00:07:55,300 --> 00:07:55,610 dot
89 00:07:55,630 --> 00:07:56,330 VirtualAddress.
90 00:07:56,350 --> 00:07:57,250 Sorry for this.
91 00:07:58,420 --> 00:07:59,680 VirtualAddress.
92 00:08:08,140 --> 00:08:10,510 Now let's put a breakpoint here.
93 00:08:17,170 --> 00:08:22,180 And we have the PE file contents, and if you add 0x1000.
94 00:08:26,010 --> 00:08:29,640 What you see are the zero bytes, because we did not execute this copy
95 00:08:32,580 --> 00:08:33,210 instruction.
96 00:08:33,210 --> 00:08:34,320 So let's step into this.
97 00:08:34,320 --> 00:08:36,750 And here we can see the exact
98 00:08:38,890 --> 00:08:47,830 data which we can see in the hex editor, and you can continue on this and you hit another breakpoint
99 00:08:47,830 --> 00:08:50,500 because this is the for loop.
100 00:08:50,560 --> 00:08:53,800 We are looping over this and we're hitting the breakpoint again.
101 00:08:54,130 --> 00:08:56,270 So the next address is 3000.
102 00:08:56,290 --> 00:08:57,880 If you go and
103 00:09:01,140 --> 00:09:04,770 say base address plus 0x3000.
104 00:09:05,610 --> 00:09:10,470 And now let's go and step into this and we will see the
105 00:09:12,010 --> 00:09:12,820 other section.
106 00:09:12,820 --> 00:09:16,360 So here we have the rdata.
107 00:09:16,360 --> 00:09:18,870 So rdata also contains imports.
108 00:09:18,880 --> 00:09:27,810 Here we can also see, in the text, ASCII text, you can see ExitProcess or kernel32.
109 00:09:27,880 --> 00:09:29,200 So these are the imports.
110 00:09:29,800 --> 00:09:32,290 We'll be fixing these imports in the next video.
111 00:09:33,680 --> 00:09:36,650 So everything up to now is fine.
112 00:09:36,650 --> 00:09:38,420 So let's click on Continue.
113 00:09:39,110 --> 00:09:47,420 Now we have parsed the PE headers and we have copied those headers into the memory, and also we have mapped
114 00:09:47,420 --> 00:09:48,860 these sections into memory.
115 00:09:49,520 --> 00:09:53,570 So up to now, let's test whether everything is correct or not.
116 00:09:53,690 --> 00:09:55,430 So I have this.
117 00:09:56,940 --> 00:10:07,960 There is this no-dependencies exe, which will pop up a cmd, and it does not have any imports, base relocations,
118 00:10:07,960 --> 00:10:14,560 etc. So if we have done it correctly, we should execute this no-dependencies exe.
119 00:10:16,330 --> 00:10:23,530 So let's go and create a remote thread at the entry point.
120 00:10:23,530 --> 00:10:26,560 So we have this entry point here.
121 00:10:28,710 --> 00:10:34,290 And at this, this is the starting of the stages.
122 00:10:35,880 --> 00:10:41,520 So what we are going to do is we are going to create a remote thread.
123 00:10:55,810 --> 00:10:56,200 Sorry.
124 00:10:56,200 --> 00:10:57,120 Not remote.
125 00:10:57,160 --> 00:10:58,030 CreateThread.
126 00:11:05,090 --> 00:11:06,440 The stack size is zero.
127 00:11:06,440 --> 00:11:14,060 And the third one is the starting address; the starting address is base address plus NT header
128 00:11:14,420 --> 00:11:17,870 dot OptionalHeader dot AddressOfEntryPoint.
129 00:11:32,730 --> 00:11:35,580 And the parameters to these functions are null.
130 00:11:46,510 --> 00:11:49,500 Creation flags zero, and the reference to the thread.
131 00:11:49,840 --> 00:11:55,330 So let's say our thread handle is equal to.
132 00:12:02,300 --> 00:12:04,100 And the output is.
133 00:12:04,670 --> 00:12:08,000 We will get the thread handle from this function's return.
134 00:12:08,270 --> 00:12:11,620 Return, and we will also get this thread ID.
135 00:12:36,650 --> 00:12:38,750 Now we can go and print
136 00:12:41,750 --> 00:12:42,880 the thread ID.
137 00:12:51,350 --> 00:12:54,020 So let's do this and let's
138 00:12:56,120 --> 00:12:57,160 copy as path
139 00:12:58,850 --> 00:13:00,860 and change the path to this one.
140 00:13:04,080 --> 00:13:05,430 So we are basically
141 00:13:07,880 --> 00:13:12,410 pasting the contents into memory and executing at this entry point.
142 00:13:20,350 --> 00:13:22,990 So let's put a breakpoint at this one.
143 00:13:27,640 --> 00:13:31,720 Let's also put one before this CreateThread and start this.
144 00:13:33,540 --> 00:13:35,340 And you have this base address.
145 00:13:39,070 --> 00:13:42,550 And we can see our program has been successfully copied.
146 00:13:46,540 --> 00:13:52,690 So if everything goes well, we should see a new cmd pop up.
147 00:13:52,690 --> 00:13:57,970 So we are successfully executing the
148 00:13:59,520 --> 00:14:01,740 binary inside our process memory.
149 00:14:06,660 --> 00:14:10,260 So you can print this; this is the thread ID.
150 00:14:11,310 --> 00:14:13,170 So if you continue this.
151 00:14:14,900 --> 00:14:16,580 And we can close this one.
152 00:14:17,570 --> 00:14:21,090 So we have successfully mapped the sections into memory.
153 00:14:21,110 --> 00:14:30,290 So what we have done is we have read the section contents from this raw data pointer, the PointerToRawData,
154 00:14:30,290 --> 00:14:36,320 and then we have copied the virtual size amount of bytes into the memory.
155 00:14:37,570 --> 00:14:44,730 And since our entire memory was read, write, execute, our code got executed.
156 00:14:44,740 --> 00:14:46,870 So you can change it here.
157 00:14:46,880 --> 00:14:54,760 While allocating, you can read the section characteristics and determine whether they are readable,
158 00:14:54,830 --> 00:14:59,610 writable, executable, and use VirtualProtect to change their protections.
159 00:14:59,620 --> 00:15:01,020 So you can do that as well.
160 00:15:01,030 --> 00:15:06,830 For just simplicity and demo purposes, I have assigned this read, write, execute.