1
00:00:00,960 --> 00:00:06,270
So in this video, we'll be taking a look at the process hollowing technique, which is also called

2
00:00:06,270 --> 00:00:07,350
an injection technique.

3
00:00:07,380 --> 00:00:11,610
In this technique, we are creating a process in a suspended state.

4
00:00:12,090 --> 00:00:21,360
When the process is suspended, we will replace the legitimate process code with our malicious code.

5
00:00:25,050 --> 00:00:31,930
And then we set the thread to resume the normal execution.

6
00:00:31,950 --> 00:00:40,320
So first we will be using the CreateProcess function to create the process, and we need to get the image base of

7
00:00:40,320 --> 00:00:41,340
this process.

8
00:00:41,340 --> 00:00:47,850
So we'll be using NtQueryInformationProcess to get the PEB address.

9
00:00:47,850 --> 00:00:56,960
And in that process environment block, at offset 0x10, that is 16 bytes, we have the image base

10
00:00:56,970 --> 00:00:59,370
address for a 64-bit executable.

11
00:01:02,000 --> 00:01:11,980
And then we will remove the legitimate process code and we will inject our malicious, uh,

12
00:01:11,990 --> 00:01:16,190
exe into that process, and then get the thread context.

13
00:01:16,190 --> 00:01:23,600
So this thread context is like a saved state or snapshot of the registers of the, uh, executing thread.

14
00:01:23,630 --> 00:01:30,800
That is the main thread. Since you are, uh, creating the process suspended, suspending the thread,

15
00:01:31,370 --> 00:01:39,740
all of the thread's registers will be saved, and we will set the RCX register, uh, to point to that

16
00:01:39,750 --> 00:01:40,730
entry point.

17
00:01:40,730 --> 00:01:48,800
So I thought it's RIP, the instruction pointer, but it's not, it's, uh, RCX. For 64-bit, uh, you

18
00:01:48,800 --> 00:01:53,030
need to set the register to the address of the entry point.

19
00:01:53,240 --> 00:01:56,240
So let's create the new func, uh, new process.

20
00:01:57,760 --> 00:02:02,220
I have already defined all of these, copied from the work.

21
00:02:09,630 --> 00:02:12,930
So let's go and call CreateProcessW.

22
00:02:14,760 --> 00:02:18,240
And the first one is the string.

23
00:02:21,580 --> 00:02:23,740
So let's create notepad.exe.

24
00:02:23,740 --> 00:02:28,090
And the second parameter is command line arguments.

25
00:02:28,090 --> 00:02:30,430
So that can be null.

26
00:02:31,290 --> 00:02:33,090
And the process attributes.

27
00:02:35,050 --> 00:02:40,090
So we can pass that as null.

28
00:02:45,120 --> 00:02:49,470
And the thread attributes, this can also be null.

29
00:02:51,650 --> 00:02:54,230
And inherit handles, false.

30
00:03:00,240 --> 00:03:00,960
And

31
00:03:03,750 --> 00:03:06,760
we will be creating this startup info.

32
00:03:06,810 --> 00:03:16,260
So this startup info contains some properties of the process during the startup, like its rectangle

33
00:03:16,260 --> 00:03:17,430
size, etc.

34
00:03:32,320 --> 00:03:36,160
So here you can see this cb defines the size of the structure.

35
00:03:37,540 --> 00:03:40,260
We can say STARTUPINFO

36
00:03:40,350 --> 00:03:40,740
si

37
00:03:40,840 --> 00:03:42,490
equal to new STARTUPINFO.

38
00:03:43,000 --> 00:03:45,010
You don't need to initialize any of these.

39
00:03:56,030 --> 00:03:57,970
So where are we here.

40
00:03:57,980 --> 00:04:00,800
So we have completed five parameters.

41
00:04:06,340 --> 00:04:07,600
Creation flags.

42
00:04:07,950 --> 00:04:11,350
Let's set this to zero.

43
00:04:12,800 --> 00:04:14,060
And environment.

44
00:04:21,700 --> 00:04:30,610
And the current directory and the reference to startup info, and the last one is out process information.

45
00:04:30,610 --> 00:04:37,480
So this is out, like we don't need to initialize this process information object, we can send that one.

46
00:04:38,830 --> 00:04:45,760
So PROCESS_INFORMATION pi is equal to new PROCESS_INFORMATION.

47
00:04:51,880 --> 00:04:57,430
So you get some process information, and it contains the handle to the process and the thread.

48
00:04:59,920 --> 00:05:05,670
So handle to the process and handle to the main thread, and also we will get the process ID and thread

49
00:05:05,680 --> 00:05:06,140
ID.

50
00:05:09,840 --> 00:05:10,950
So out pi.

51
00:05:15,280 --> 00:05:18,910
So at this point, we are creating the process.

52
00:05:19,900 --> 00:05:25,750
And this creation flag 0x4 is for CREATE_SUSPENDED.

53
00:05:58,780 --> 00:06:03,430
So here we can see 0x4 for CREATE_SUSPENDED.

54
00:06:10,140 --> 00:06:10,520
So.

55
00:06:10,620 --> 00:06:13,860
So we can set four and it will be in a suspended mode.

56
00:06:19,990 --> 00:06:21,280
Let's try to run this.

57
00:06:26,110 --> 00:06:29,260
And I have created a function, GetProcessImageBase.

58
00:06:51,470 --> 00:06:55,220
So let's run this and we should see the new process.

59
00:06:55,790 --> 00:06:57,470
So let's close this one.

60
00:06:58,070 --> 00:07:00,920
So let's change this to 0x4.

61
00:07:01,550 --> 00:07:04,280
Now, the process will be in a suspended state.

62
00:07:05,730 --> 00:07:08,850
Let's also run the process as administrator.

63
00:07:13,710 --> 00:07:16,140
Now let's put a breakpoint here.

64
00:07:17,810 --> 00:07:22,670
And if you run this, we should see the notepad.

65
00:07:22,670 --> 00:07:25,460
Notepad.exe, you see, in a suspended state.

66
00:07:26,470 --> 00:07:28,240
And we get inside and.

67
00:07:30,270 --> 00:07:30,800
Are.

68
00:07:33,120 --> 00:07:35,160
Just one handle.

69
00:07:36,670 --> 00:07:37,050
It's.

70
00:07:38,890 --> 00:07:42,070
So let's stop this and let's kill this process.

71
00:07:44,060 --> 00:07:47,230
So here you can see at the bottom it.

72
00:07:50,110 --> 00:07:53,170
Now we have created the process in a suspended state.

73
00:07:53,200 --> 00:07:58,930
Now what we want to do is we are going to get the image base of this suspended process.

74
00:07:58,990 --> 00:08:04,390
So we can do that using the NtQueryInformationProcess function.

75
00:08:08,810 --> 00:08:11,330
So the first parameter is the process handle.

76
00:08:22,310 --> 00:08:25,970
So we send in the process handle to this function parameter.

77
00:08:28,810 --> 00:08:30,630
That is proc.

78
00:08:31,450 --> 00:08:34,930
And the next one is process information.

79
00:08:35,320 --> 00:08:38,380
So there are different process information classes.

80
00:08:38,380 --> 00:08:47,250
And depending on what number you pass here, we will be getting that type of information.

81
00:08:47,260 --> 00:08:51,610
So the various process information classes are defined by this.

82
00:08:51,850 --> 00:08:54,850
So we'll be using the process basic information.

83
00:08:56,770 --> 00:09:02,590
And depending upon this, you get the structure in this parameter.

84
00:09:05,860 --> 00:09:08,350
So these are pointers.

85
00:09:11,460 --> 00:09:11,820
So

86
00:09:15,600 --> 00:09:17,010
we need to create.

87
00:09:19,130 --> 00:09:20,060
Process.

88
00:09:20,060 --> 00:09:23,780
Basic information, pbi, is equal to new process

89
00:09:23,780 --> 00:09:25,010
basic information.

90
00:09:28,420 --> 00:09:29,500
PBI.

91
00:09:45,020 --> 00:09:48,140
Well, there is a third one.

92
00:09:49,760 --> 00:09:52,580
So second one is integer and third one is.

93
00:10:01,870 --> 00:10:05,680
Third one is the, uh, out one.

94
00:10:05,720 --> 00:10:16,270
Okay, so next we need to pass the process information length, so we can use Marshal.SizeOf.

95
00:10:19,110 --> 00:10:22,560
typeof process basic information.

96
00:10:30,230 --> 00:10:34,490
And the reference, the last one is, uh, the return length parameter.

97
00:10:34,490 --> 00:10:35,090
So.

98
00:10:38,230 --> 00:10:42,220
uint return length is equal to zero.

99
00:10:44,360 --> 00:10:45,610
And ref return length.

100
00:11:18,290 --> 00:11:20,860
So I think this is the point.

101
00:11:29,700 --> 00:11:39,990
So what we are going to do is we can set an IntPtr, temp pointer, equal to, we are going to allocate some size.

102
00:11:46,590 --> 00:11:52,260
Marshal.AllocHGlobal, size of type of process basic information.

103
00:11:53,040 --> 00:12:02,610
So this pointer can hold that many number of, uh, bytes, so we can marshal that into

104
00:12:02,610 --> 00:12:03,210
the process

105
00:12:03,210 --> 00:12:04,440
basic information.

106
00:12:06,290 --> 00:12:07,580
So we can see them.

107
00:12:09,690 --> 00:12:13,670
Now you have the temp pointer.

108
00:12:14,400 --> 00:12:16,200
We can marshal that one as

109
00:12:19,050 --> 00:12:20,520
PtrToStructure.

110
00:12:20,550 --> 00:12:28,140
We have the temp pointer pointing to the process basic information structure.

111
00:12:36,980 --> 00:12:39,470
And we can say pbi is equal to this one.

112
00:12:51,620 --> 00:12:55,530
Now we can go and print that address.

113
00:12:56,930 --> 00:13:00,220
So I have already copied this structure from PInvoke.

114
00:13:00,240 --> 00:13:04,160
Well, basically, except these two members,

115
00:13:04,160 --> 00:13:08,270
everything else is pointers, so you get the PEB address.

116
00:13:16,540 --> 00:13:18,310
We are going to print that one.

117
00:13:27,460 --> 00:13:32,470
So let's put a breakpoint at this point and let's go and.

118
00:13:34,410 --> 00:13:35,910
Well, call this one.

119
00:13:35,910 --> 00:13:37,740
I have already called this one.

120
00:13:37,740 --> 00:13:42,510
GetProcessImageBase with the proc handle, so we can just.

121
00:13:46,110 --> 00:13:46,430
Oh.

122
00:13:48,330 --> 00:13:49,320
Let's run this.

123
00:13:53,310 --> 00:13:56,220
And we should see the output address.

124
00:13:56,220 --> 00:14:01,800
That is the PEB address, and we can verify that using this.

125
00:14:02,770 --> 00:14:05,500
Let's go to notepad and memory.

126
00:14:05,500 --> 00:14:07,660
And here we should see the.

127
00:14:09,840 --> 00:14:11,670
So here you can see the PEB.

128
00:14:11,670 --> 00:14:13,140
And if you expand this.

129
00:14:15,120 --> 00:14:16,860
If you open this one.

130
00:14:16,860 --> 00:14:21,360
Uh, this, after 16 bytes, you have this.

131
00:14:38,760 --> 00:14:46,150
So here you can see the PEB address is starting, PEB address is 65851210.

132
00:14:46,170 --> 00:14:55,560
So the same PEB address, from here onwards, if you add 16 bytes, this eight bytes is the.

133
00:14:56,420 --> 00:15:00,500
Image base, you can confirm that using this one.

134
00:15:00,500 --> 00:15:05,300
So here you can see 7F, we have six, seven, seven, E, seven.

135
00:15:05,630 --> 00:15:07,100
So if you go to here.

136
00:15:11,510 --> 00:15:15,620
Right, copy, execute and.

137
00:15:18,530 --> 00:15:18,980
Here.

138
00:15:18,980 --> 00:15:22,520
We should have the base address.

139
00:15:30,990 --> 00:15:32,890
So let me quickly search this.

140
00:15:32,890 --> 00:15:34,260
7ff6.

141
00:15:37,120 --> 00:15:38,230
So here you go.

142
00:15:38,260 --> 00:15:39,720
So this one is the environment.

143
00:15:39,730 --> 00:15:41,890
So I got confused about this.

144
00:15:42,220 --> 00:15:44,380
So this is the base address.

145
00:15:44,620 --> 00:15:47,380
So after 16 bytes from the PEB address.

146
00:15:48,590 --> 00:15:54,590
So now you can stop this and also terminate this one.

147
00:15:58,200 --> 00:16:00,660
And what we can do is we can say.

148
00:16:09,710 --> 00:16:11,540
ReadProcessMemory.

149
00:16:13,350 --> 00:16:25,070
Proc handle, and the base address is pbi dot PEB address plus 0x10, and the buffer.

150
00:16:25,080 --> 00:16:27,120
So let's create it.

151
00:16:30,930 --> 00:16:35,490
Let's say, byte, this new byte of eight.

152
00:16:42,530 --> 00:16:50,480
Uh, the size is buffer dot length, and the number of bytes read, so we can say.

153
00:16:58,530 --> 00:16:59,260
Ah.

154
00:17:00,300 --> 00:17:01,780
This one is IntPtr.

155
00:17:01,810 --> 00:17:03,390
Also not sure.

156
00:17:11,530 --> 00:17:16,660
So let's just say IntPtr bytes written.

157
00:17:22,650 --> 00:17:26,430
Out IntPtr, so out bytes written.

158
00:17:29,350 --> 00:17:32,200
So we have successfully

159
00:17:35,040 --> 00:17:40,530
read the memory from this address, to the 16 bytes.

160
00:17:44,460 --> 00:17:49,340
Now we need to convert this byte array into an integer so we can use it.

161
00:17:49,530 --> 00:17:52,710
Convert that, ToInt64.

162
00:17:55,860 --> 00:17:58,710
Buffer, starting index is zero.

163
00:18:04,430 --> 00:18:06,710
So this will give you the.

164
00:18:08,330 --> 00:18:16,050
Uh, long value, so I'm going to convert this: image pointer is equal to IntPtr.

165
00:18:18,210 --> 00:18:25,950
So we have our image pointer ready that is pointing to the, uh, this process image base.

166
00:18:28,040 --> 00:18:29,780
So I think we are good to go.

167
00:18:32,600 --> 00:18:39,600
Well, now we can put the breakpoint at this one, before this process hollow 64 function.

168
00:18:39,600 --> 00:18:44,140
So this is very similar to the remote PE injection we have seen in the previous videos.

169
00:18:44,160 --> 00:18:53,340
So let's run this and we should see this one as the base address, so that we can see this is the same

170
00:18:53,340 --> 00:18:58,000
address as that of the previous notepad.exe.

171
00:18:58,020 --> 00:19:06,390
So that means our module is loading at the same base address because that's empty, I guess.

172
00:19:09,160 --> 00:19:16,390
Click on Notepad and if you go to the PEB, we have the commit, and here you can see the same address.

173
00:19:17,050 --> 00:19:19,870
And if you go to this one, this is the starting image.

174
00:19:19,870 --> 00:19:20,440
This.

175
00:19:22,320 --> 00:19:27,690
So let's go and stop this and also terminate this one.

176
00:19:28,200 --> 00:19:29,790
Now we have everything ready.

177
00:19:31,140 --> 00:19:33,230
Uh, I also forgot to show you.

178
00:19:33,240 --> 00:19:35,310
Uh, let me quickly start this.

179
00:19:37,040 --> 00:19:37,630
Notepad.

180
00:19:37,640 --> 00:19:44,630
And if you go to this one, if you double click on this, here you should see the PE file of the notepad,

181
00:19:44,630 --> 00:19:45,590
that dot exe.

182
00:19:49,270 --> 00:19:51,920
Now what we are going to do.

183
00:19:51,940 --> 00:19:56,620
It's similar to what we have done in the remote injection.

184
00:19:56,620 --> 00:20:03,910
So we have the handle to the process and the remote base and the path.

185
00:20:03,970 --> 00:20:06,790
That is the file you want to inject.

186
00:20:07,090 --> 00:20:15,670
So it's similar to, uh, uh, that, getting the size, and then, uh, allocating some size in

187
00:20:15,670 --> 00:20:18,650
our own process to parse the PE locally.

188
00:20:18,670 --> 00:20:27,610
And then we'll be using another function, NtUnmapViewOfSection, to unmap this, uh, memory so that we can

189
00:20:27,610 --> 00:20:30,490
write, and change the protection to read write execute.

190
00:20:30,940 --> 00:20:37,240
So after unmapping, we're allocating the size and we are changing to read, write, execute.

191
00:20:37,240 --> 00:20:45,640
And, uh, it's similar: parsing headers and writing into that process using WriteProcessMemory.

192
00:20:45,640 --> 00:20:53,590
So from here onwards it's similar to remote PE injection, and then fixing IAT and base relocations.

193
00:21:00,500 --> 00:21:08,960
And after fixing everything we need to get the thread context, using GetThreadContext.

194
00:21:08,960 --> 00:21:13,550
So this will give you the context structure, so that we need to.

195
00:21:16,600 --> 00:21:25,330
Set the RCX value to the remote base address plus entry point, and we'll be setting that value using

196
00:21:25,540 --> 00:21:26,890
SetThreadContext.

197
00:21:27,790 --> 00:21:29,470
So it's a small call.

198
00:21:29,470 --> 00:21:35,740
So that's why, uh, I did not, uh, I'm not writing it again. So GetThreadContext,

199
00:21:35,740 --> 00:21:40,840
it takes the thread handle and this context structure.

200
00:21:40,960 --> 00:21:44,470
So the context structure, it contains all these flags.

201
00:22:06,640 --> 00:22:09,160
Why not search for that thread context?

202
00:22:18,530 --> 00:22:20,960
So we can see we have all these flags.

203
00:22:20,960 --> 00:22:25,050
So make sure you have this thread context

204
00:22:25,070 --> 00:22:26,000
64 one.

205
00:22:27,770 --> 00:22:36,620
And then we will set the thread context using this function, the thread handle and reference to the context structure.

206
00:22:38,520 --> 00:22:46,950
So after that we can print the RCX value, and set this to the remote base address plus entry point.

207
00:22:48,430 --> 00:22:50,050
So let's go and run this one.

208
00:22:52,180 --> 00:22:57,250
So we have set the breakpoint at this process hollow function.

209
00:22:59,490 --> 00:23:00,840
And let's start this.

210
00:23:03,200 --> 00:23:05,060
So the same image base.

211
00:23:12,940 --> 00:23:16,600
Now we can see the old, uh, notepad

212
00:23:16,600 --> 00:23:17,500
dot exe.

213
00:23:17,530 --> 00:23:20,160
Now, let's go and click on this next.

214
00:23:20,170 --> 00:23:20,830
So.

215
00:23:23,110 --> 00:23:25,210
Process hollow, the function gets executed.

216
00:23:27,370 --> 00:23:27,630
So.

217
00:23:27,950 --> 00:23:29,950
So let's also put the breakpoint.

218
00:23:32,550 --> 00:23:33,400
Right here.

219
00:23:33,450 --> 00:23:37,530
After that, we use ResumeThread to resume the thread, so click on Continue.

220
00:23:37,560 --> 00:23:43,170
So we write our malicious PE into the process memory.

221
00:23:44,990 --> 00:23:49,400
Now we need to close this one and again, refresh this.

222
00:23:49,400 --> 00:24:01,130
And here we can see a single private region with our, uh, latest PE file, where you can see this is a

223
00:24:01,130 --> 00:24:08,930
different PE file that is, um, spawning the normal, uh, cmd.exe, that is, that does not

224
00:24:08,930 --> 00:24:10,250
have any dependencies.

225
00:24:10,460 --> 00:24:16,700
So it should pop up the cmd.exe if everything goes, uh, nice.

226
00:24:16,700 --> 00:24:20,570
So let's click on continue, and here you can see the cmd, right?

227
00:24:20,750 --> 00:24:30,320
See, so we have successfully hollowed out the notepad.exe and replaced that memory with our malicious

228
00:24:30,320 --> 00:24:31,010
PE file.

229
00:24:31,160 --> 00:24:37,130
And we have resumed the thread to resume the execution of the process.

230
00:24:37,670 --> 00:24:41,510
It still says notepad.exe but executes our cmd.exe.

231
00:24:58,540 --> 00:25:00,850
So that's how process hollowing is done.

232
00:25:00,850 --> 00:25:03,550
It's very similar to the remote injection

233
00:25:03,550 --> 00:25:05,050
we have seen in the previous videos.

234
00:25:05,080 --> 00:25:12,130
If you did not watch the videos, I highly suggest to watch those videos, because parsing the PE file

235
00:25:12,130 --> 00:25:18,490
and fixing IAT and base relocations are the main important things in this, uh, injection technique

236
00:25:18,490 --> 00:25:20,230
or in any injection technique.