1
00:00:00,120 --> 00:00:08,100
So in this, we will be taking a look at the function SetWindowsHookEx to hook the events and execute

2
00:00:08,100 --> 00:00:10,620
our shellcode whenever that event occurs.

3
00:00:10,740 --> 00:00:21,720
So hooking means it's kind of like monitoring or redirecting the actual code to our desired

4
00:00:22,560 --> 00:00:23,250
function.

5
00:00:23,700 --> 00:00:32,040
So this thing is used to monitor the functions, and we can also redirect the actual code to our

6
00:00:32,040 --> 00:00:33,210
malicious function.

7
00:00:34,120 --> 00:00:39,280
So we can set the Windows hook using this function.

8
00:00:39,280 --> 00:00:42,580
And there are certain types of hooks available.

9
00:00:43,480 --> 00:00:50,800
There are mouse events and keyboard events, etc. So we'll be using the keyboard hook to monitor the keyboard

10
00:00:50,800 --> 00:00:58,090
events, and whenever there is a keyboard event we'll be executing a function. Normally, well, you

11
00:00:58,090 --> 00:00:59,220
can execute the reverse shell.

12
00:00:59,380 --> 00:01:02,680
For now, we'll be just popping the message box.

13
00:01:02,980 --> 00:01:04,540
So first we need to.

14
00:01:04,660 --> 00:01:09,220
The second parameter is the function address, and the third parameter is the handle.

15
00:01:09,790 --> 00:01:11,710
And the last one is the thread ID.

16
00:01:12,640 --> 00:01:16,350
In the thread ID we need to specify which thread we need to monitor.

17
00:01:16,360 --> 00:01:25,120
If you give zero, all the new threads are going to execute our function whenever there is an event.

18
00:01:25,960 --> 00:01:30,370
So let's first create that here, which simply pops up the message box.

19
00:01:31,360 --> 00:01:34,990
So here, let me create.

20
00:01:37,530 --> 00:01:39,270
A function called PopUp.

21
00:01:42,340 --> 00:01:44,950
So I'm using the.

22
00:01:48,020 --> 00:01:49,790
C# Forms.
23
00:01:49,790 --> 00:01:56,140
So, standard Windows: we have this MessageBox.Show, so we can just say testing

24
00:01:56,150 --> 00:01:57,020
one, two, three.

25
00:02:00,010 --> 00:02:03,880
So whenever in my main code I do the PopUp,

26
00:02:05,790 --> 00:02:08,100
I should get the message box.

27
00:02:25,400 --> 00:02:27,740
And we can see the message box.

28
00:02:28,160 --> 00:02:34,460
Now, this is generated in the executable format; we need it to be in the format of a DLL.

29
00:02:35,780 --> 00:02:39,810
So for that, we need to go to Manage NuGet Packages and add the package.

30
00:02:39,830 --> 00:02:43,310
I have already installed this one, that is DllExport.

31
00:02:43,310 --> 00:02:48,080
So this converts a function into a DLL export function.

32
00:02:48,080 --> 00:02:51,020
So we can import that DLL and use that function.

33
00:02:52,960 --> 00:02:58,960
All we need to say is DllExport with the name PopUp.

34
00:03:03,190 --> 00:03:11,680
So we need to change the app to Class Library, so this will generate the DLL.

35
00:03:15,310 --> 00:03:19,630
And we can see the message box there, so we can go and test this one.

36
00:03:28,980 --> 00:03:33,030
Let's execute the function PopUp, and here we can see the message box.

37
00:03:33,840 --> 00:03:35,260
So let's copy this one.

38
00:03:35,280 --> 00:03:37,320
Copy the path and let's go.

39
00:03:37,320 --> 00:03:41,430
And so I have already written the signature for this.

40
00:03:50,050 --> 00:03:56,140
So it's nothing fancy: an integer and two IntPtrs, and again you want that DLL.

41
00:04:00,200 --> 00:04:01,830
So, uh.

42
00:04:04,000 --> 00:04:05,290
So this is the part.

43
00:04:05,290 --> 00:04:06,640
So let's, uh.

44
00:04:07,600 --> 00:04:12,400
So I am using LoadLibrary to load the DLL into the memory.

45
00:04:12,400 --> 00:04:18,580
And we are going to find the address of the function PopUp, so we can use GetProcAddress.
46
00:04:19,750 --> 00:04:25,450
So the first one is the handle and the second one is the function name, that is PopUp.

47
00:04:30,630 --> 00:04:32,940
And we get the function address.

48
00:04:45,560 --> 00:04:49,970
If the handle is not equal to

49
00:04:53,700 --> 00:04:54,300
zero.

50
00:04:59,820 --> 00:05:03,240
And if you got the function address, then you can say.

51
00:05:03,270 --> 00:05:10,410
If the function address is not equal to zero.

52
00:05:13,330 --> 00:05:16,210
Then the function is loaded in our process.

53
00:05:22,800 --> 00:05:24,780
So let's actually run this one.

54
00:05:24,780 --> 00:05:33,750
I have created it here, so we can just say Marshal.GetDelegateForFunctionPointer, and the

55
00:05:33,750 --> 00:05:38,640
pointer is the function address, the type of delegate.

56
00:05:38,640 --> 00:05:41,190
So the delegate name is also PopUp.

57
00:05:41,190 --> 00:05:41,580
So.

58
00:05:57,240 --> 00:05:59,700
So we can say DynamicInvoke.

59
00:06:01,230 --> 00:06:07,410
Now, at this point, we should be getting the message box if everything goes well.

60
00:06:13,110 --> 00:06:15,510
And here you can see the message box has been popped.

61
00:06:15,900 --> 00:06:18,070
So that means the function address.

62
00:06:18,090 --> 00:06:20,580
We can print out the function address as well.

63
00:06:39,350 --> 00:06:41,390
And we can see the function address.

64
00:06:41,810 --> 00:06:44,960
So now we have successfully.

65
00:06:49,920 --> 00:06:53,760
Loaded that DLL and found that function address.

66
00:06:53,940 --> 00:06:59,580
Now we need to call this SetWindowsHookEx.

67
00:07:02,380 --> 00:07:08,440
And the first parameter is the integer, the type of the hook we want to monitor.

68
00:07:09,010 --> 00:07:11,110
So that is the keyboard one.

69
00:07:12,160 --> 00:07:13,510
So I can pass two.

70
00:07:14,890 --> 00:07:17,500
And the second one is the function address.
71
00:07:19,300 --> 00:07:23,780
And the third one is the handle, and the fourth one is the thread ID.

72
00:07:23,790 --> 00:07:31,630
So if I pass zero, then the newly created threads will execute this function.

73
00:07:39,930 --> 00:07:43,880
To unhook this, we can use UnhookWindowsHookEx.

74
00:07:55,630 --> 00:08:02,350
And meanwhile, what we need to do is, since these are the keyboard events, our keyboard won't give

75
00:08:02,350 --> 00:08:03,850
the input to this program.

76
00:08:03,850 --> 00:08:09,580
So we can do Thread.Sleep, so we can say 6 seconds.

77
00:08:12,700 --> 00:08:16,270
So after hooking for the keyboard events, we are sleeping for 6 seconds.

78
00:08:16,270 --> 00:08:23,580
So in these 6 seconds, if there is any keyboard press, then our function gets executed.

79
00:08:23,590 --> 00:08:27,670
So let's start this one, and now I'm going to press.

80
00:08:28,690 --> 00:08:35,230
So here you can see I have pressed the keyboard, and here we can see the message box has been popped,

81
00:08:35,230 --> 00:08:41,680
and whenever the program has been exited, this memory was destroyed.

82
00:08:41,680 --> 00:08:43,120
And so this.

83
00:08:46,840 --> 00:08:47,590
We don't.

84
00:08:48,010 --> 00:08:49,810
Those processes also exited.

85
00:08:54,730 --> 00:08:55,810
Now let's.

86
00:08:58,850 --> 00:08:59,070
So.

87
00:09:02,170 --> 00:09:06,360
So in these 15 seconds, I'm going to open Notepad already.

88
00:09:07,860 --> 00:09:09,870
So now I can type normally?

89
00:09:09,880 --> 00:09:10,530
Yes.

90
00:09:10,890 --> 00:09:12,990
Now let's start hooking.

91
00:09:14,130 --> 00:09:22,770
And whenever there is a key press, even in the Notepad now, this process will try to load the function

92
00:09:22,770 --> 00:09:25,260
from this DLL, and it's going to execute.

93
00:09:27,150 --> 00:09:28,500
So I am pressing.
94
00:09:28,710 --> 00:09:35,340
And now we can see our main process has been exited, but still you can see these are not disturbed

95
00:09:35,340 --> 00:09:39,270
because these are loaded by this process.

96
00:09:47,050 --> 00:09:55,330
So that sums up this, uh, video: hooking, uh, events using SetWindowsHookEx. You can also

97
00:09:55,330 --> 00:10:04,000
create the DLL, and you can also generate that using msfvenom, and you can point the functionalities.