1
00:00:00,900 --> 00:00:07,770
So in this video, we'll be taking a look at creating sections and mapping these sections into our

2
00:00:07,770 --> 00:00:12,240
process, copying the payload into that view.

3
00:00:12,240 --> 00:00:18,990
And then we'll be simply mapping that same view into the remote process and executing the shellcode.

4
00:00:19,560 --> 00:00:25,560
So first, these sections are kind of like shared memory.

5
00:00:26,130 --> 00:00:35,550
You can, whenever you want to write some data into some large file, like 400 MB or one GB or two

6
00:00:35,550 --> 00:00:36,270
GB of file.

7
00:00:36,270 --> 00:00:38,940
So then you don't need to load the entire file.

8
00:00:38,940 --> 00:00:45,150
You can load some part of that file and you can write to that part of the file.

9
00:00:46,650 --> 00:00:50,580
And also these sections are used for shared memory.

10
00:00:51,240 --> 00:00:57,750
So that means one process can write and another process can read from these sections.

11
00:00:58,080 --> 00:01:05,340
So first we'll be creating the section and then we'll be using a map view of the section.

12
00:01:05,340 --> 00:01:13,290
So the whole section or some part of the section can be mapped into our own process address space

13
00:01:13,290 --> 00:01:15,840
using this function, NtMapViewOfSection.

14
00:01:16,050 --> 00:01:20,580
And in that memory we can do some changes.

15
00:01:20,580 --> 00:01:27,360
You can write some data and you don't need to commit it specifically; the operating system will automatically

16
00:01:27,870 --> 00:01:39,750
save the changes, and when another process maps the section's view, then the latest changes for this data

17
00:01:39,750 --> 00:01:43,020
will be reflected into that process address space.

18
00:01:44,970 --> 00:01:48,810
So the function we will be using is NtCreateSection.

19
00:01:49,050 --> 00:01:54,060
So this is the way we can use this function.
20
00:01:54,570 --> 00:01:56,850
We will be using NtCreateSection.

21
00:01:57,510 --> 00:02:02,730
So you can copy this from pinvoke for NtMapViewOfSection.

22
00:02:02,730 --> 00:02:05,880
We need to make some small modifications here.

23
00:02:06,060 --> 00:02:11,310
This is also the in parameter, so you need to pass the reference.

24
00:02:11,490 --> 00:02:13,680
So first let's create the section.

25
00:02:15,270 --> 00:02:18,240
I have already declared all of these here.

26
00:02:18,240 --> 00:02:18,900
So.

27
00:02:21,480 --> 00:02:28,800
So let's go and create; let's see, the first parameter is out, so we get the handle to the section and

28
00:02:28,800 --> 00:02:30,180
the desired access.

29
00:02:30,510 --> 00:02:34,410
Object attributes, maximum size, section page protection.

30
00:02:34,410 --> 00:02:40,380
So we'll be dictating read, write, execute, and allocation attributes and the handle.

31
00:02:40,470 --> 00:02:46,080
So here you can see the section can be created using the file handle as well.

32
00:02:47,760 --> 00:02:52,320
And then we can view some part of a file using the map section.

33
00:02:52,320 --> 00:02:58,410
So we will be passing null because we already have the shellcode.

34
00:02:59,160 --> 00:03:04,060
So this is the shellcode generated by a 64-bit calculator.

35
00:03:05,280 --> 00:03:08,940
So let's create the section, NtCreateSection.

36
00:03:12,770 --> 00:03:14,240
And the first parameter is out.

37
00:03:14,240 --> 00:03:20,030
So it's a handle pointer, section handle.

38
00:03:29,800 --> 00:03:31,630
And the desired access is.

39
00:03:33,720 --> 00:03:37,110
So I have already copied this from pinvoke.

40
00:03:38,070 --> 00:03:41,520
If you type in the access mask you will get all these values.

41
00:03:41,760 --> 00:03:45,930
So I will be declaring SECTION_ALL_ACCESS.

42
00:03:52,680 --> 00:03:53,900
And object attributes.

43
00:03:53,910 --> 00:03:58,350
You can pass this null, and maximum size.
44
00:03:58,350 --> 00:04:01,980
So you need to pass this payload amount of size.

45
00:04:02,700 --> 00:04:08,640
So let's just say max size equals 2000 hexadecimal bytes.

46
00:04:12,760 --> 00:04:18,370
So reference max size and the section page protection.

47
00:04:22,520 --> 00:04:23,030
I think.

48
00:04:27,080 --> 00:04:28,190
Section page protection.

49
00:04:28,190 --> 00:04:31,190
We need to pass the read, write, execute.

50
00:04:34,970 --> 00:04:35,960
So pass this.

51
00:04:35,960 --> 00:04:37,280
140.

52
00:04:41,760 --> 00:04:43,310
Allocation attributes.

53
00:04:49,110 --> 00:04:51,420
So we are going to commit this one.

54
00:04:55,000 --> 00:04:56,450
The last one is file handle.

55
00:04:56,470 --> 00:04:58,420
We don't have anything, so zero.

56
00:04:58,690 --> 00:05:03,610
So we should be good to go, and the return

57
00:05:03,610 --> 00:05:06,070
value is the status code.

58
00:05:09,150 --> 00:05:16,710
And we are going to check if section handle is equal to null.

59
00:05:19,900 --> 00:05:25,480
If equal to null, then that means the function failed and we need to print

60
00:05:29,020 --> 00:05:31,840
the return value, that is the error.

61
00:05:34,920 --> 00:05:43,050
Else, what we're going to do is we are going to print the section handle.

62
00:05:46,380 --> 00:05:46,640
And.

63
00:05:47,370 --> 00:05:48,740
And we are going to close this.

64
00:05:48,750 --> 00:05:52,350
We can use the function call NtClose.

65
00:05:54,030 --> 00:05:54,930
Section handle.

66
00:05:58,510 --> 00:06:00,880
So let's build this one and let's run this.

67
00:06:05,400 --> 00:06:06,810
And we got that section.

68
00:06:06,810 --> 00:06:09,510
So we have successfully created the section.

69
00:06:17,600 --> 00:06:24,800
Now we can map this using NtMapViewOfSection.

70
00:06:27,680 --> 00:06:30,200
So I did not find this in MSDN.

71
00:06:30,200 --> 00:06:34,490
So the first one is the section handle, and the second one is the process handle.
72
00:06:37,460 --> 00:06:38,860
So base address is optional.

73
00:06:38,870 --> 00:06:47,120
If you do not specify this, it will allocate for you, and zero bits, commit size, so we can pass them

74
00:06:47,120 --> 00:06:49,100
null, and the view size.

75
00:06:50,870 --> 00:06:54,290
This will pass the maximum size, and inherit disposition.

76
00:06:54,290 --> 00:06:56,750
So we need to pass the value

77
00:06:56,750 --> 00:07:05,250
one or two; we will be passing ViewUnmap, and then actually the allocation type, commit, and the next is page

78
00:07:05,300 --> 00:07:08,870
protection, the page protection for our local process.

79
00:07:08,870 --> 00:07:16,730
We can specify read, write, because we are not executing in our local process where we are allocating;

80
00:07:16,730 --> 00:07:24,440
the same view we will be mapping onto the remote process, and then we can allocate read, execute

81
00:07:24,620 --> 00:07:26,090
on that remote process.

82
00:07:27,380 --> 00:07:34,130
So let's go and create an NtMapViewOfSection.

83
00:07:35,540 --> 00:07:39,020
So the first one is the section handle.

84
00:07:41,960 --> 00:07:45,070
And the next one is the process.

85
00:07:45,110 --> 00:07:50,270
And so we can get that using GetCurrentProcess, that handle.

86
00:07:52,350 --> 00:07:53,680
The third one is zero bits.

87
00:07:53,690 --> 00:07:56,760
So we need to, let's say.

88
00:08:08,300 --> 00:08:10,640
So this one is the.

89
00:08:12,550 --> 00:08:12,950
Okay.

90
00:08:12,970 --> 00:08:14,740
So normally no reference for this.

91
00:08:14,740 --> 00:08:16,660
And the next one is also commit size.

92
00:08:26,730 --> 00:08:28,850
And the next one, section offset.

93
00:08:28,860 --> 00:08:31,080
So it should be zero.

94
00:08:31,080 --> 00:08:37,620
So here you can see it is also an in parameter, but in pinvoke it's only an out parameter.

95
00:08:39,090 --> 00:08:42,960
So the first time I got this function failed because of this.
96
00:08:46,750 --> 00:08:51,760
So ULONG section offset is equal to zero.

97
00:08:53,540 --> 00:09:02,660
So let's follow this one by one: zero bits, commit size and reference section offset.

98
00:09:05,860 --> 00:09:08,320
And the same will be for the view.

99
00:09:11,240 --> 00:09:13,210
View size is equal to

100
00:09:22,940 --> 00:09:24,290
maximum size.

101
00:09:29,310 --> 00:09:31,020
Reference view size.

102
00:09:33,420 --> 00:09:37,380
So we can pass the two for the ViewUnmap.

103
00:09:38,520 --> 00:09:45,000
And the last one also; there is MEM_COMMIT, commit.

104
00:10:36,670 --> 00:10:37,870
So pass this one.

105
00:10:37,870 --> 00:10:42,370
And the next one is the page protection.

106
00:10:44,950 --> 00:10:48,190
So we can pass only the PAGE_READWRITE.

107
00:10:50,050 --> 00:10:51,130
PAGE_READWRITE.

108
00:11:46,570 --> 00:11:48,170
We did not give the base address.

109
00:11:48,170 --> 00:11:50,770
So sorry for that.

110
00:11:51,490 --> 00:11:53,320
I forgot the base address.

111
00:11:59,570 --> 00:12:05,210
So pointer base address equals to zero.

112
00:12:07,540 --> 00:12:09,880
And this is reference base address.

113
00:12:43,870 --> 00:12:45,370
Oh, this one is.

114
00:12:53,320 --> 00:13:02,250
So that's, if the base address equals to zero,

115
00:13:05,410 --> 00:13:09,190
then mapper.

116
00:13:15,250 --> 00:13:15,940
There's to.

117
00:13:18,190 --> 00:13:25,690
Else, what we can do is we can just print out the base address, the address.

118
00:13:30,570 --> 00:13:32,330
These are the start to spring.

119
00:13:37,730 --> 00:13:41,660
So after printing the base address, we can actually unmap this.

120
00:13:43,770 --> 00:13:44,720
We can use NtUnmapViewOfSection.

121
00:13:48,440 --> 00:13:50,780
And the unmap uses

122
00:13:53,390 --> 00:13:54,440
process handle.

123
00:14:02,540 --> 00:14:03,820
And the base address.
124
00:14:08,860 --> 00:14:17,050
So let's build this one and let's put a breakpoint at this, uh, before unmap section.

125
00:14:17,050 --> 00:14:18,400
So let's go and run this.

126
00:14:20,690 --> 00:14:22,550
So we got the error.

127
00:14:27,630 --> 00:14:29,910
So we need to convert to hexadecimal.

128
00:14:33,210 --> 00:14:36,060
And Google for NT status codes.

129
00:14:38,640 --> 00:14:40,170
So, invalid parameter.

130
00:14:46,140 --> 00:14:47,660
So I found the error.

131
00:14:47,670 --> 00:14:49,320
So we need to change this.

132
00:14:49,320 --> 00:15:00,090
Uh, commit to zero because it's already committed in NtCreateSection, so we can pass this zero here.

133
00:15:00,420 --> 00:15:04,950
Now, let's run this, and we have the address.

134
00:15:08,340 --> 00:15:12,000
And if you go to this, we have our analysis.

135
00:15:12,600 --> 00:15:13,830
So let's continue.

136
00:15:15,780 --> 00:15:16,320
Or no.

137
00:15:16,330 --> 00:15:19,180
What we can do is we can copy our

138
00:15:22,330 --> 00:15:27,220
let's say, let's copy normally the normal ASCII characters.

139
00:15:27,850 --> 00:15:29,860
So byte temp is equal to.

140
00:15:32,810 --> 00:15:36,110
And coding before the GED by itself.

141
00:15:36,290 --> 00:15:38,180
So let's say ABCD.

142
00:15:40,080 --> 00:15:46,080
And we are going to copy this to the base address.

143
00:15:50,490 --> 00:15:53,850
Now let's put the breakpoint before this copy and run this one.

144
00:15:57,650 --> 00:16:02,570
And as you can see, we have nothing.

145
00:16:02,570 --> 00:16:04,970
And let's go and step into this.

146
00:16:04,970 --> 00:16:05,990
And here we can see.

147
00:16:09,220 --> 00:16:10,810
So let's continue this one.

148
00:16:12,800 --> 00:16:16,790
Now what we're going to do is we are going to copy our calc payload to this

149
00:16:19,430 --> 00:16:20,000
view.

150
00:16:20,330 --> 00:16:27,380
And also let's turn this to page read, write, execute.
151
00:16:30,400 --> 00:16:36,370
Because we are going to test in our local process, then we can simply map to the remote process.

152
00:16:37,270 --> 00:16:40,570
So copy the payload.

153
00:16:43,590 --> 00:16:44,740
Peter Dutton.

154
00:16:49,450 --> 00:16:50,450
Let's run this.

155
00:16:54,270 --> 00:16:58,650
And let's click on step into, and we have the payload here.

156
00:16:58,650 --> 00:17:00,630
You can see that XY.

157
00:17:03,880 --> 00:17:08,030
Now we are going to create the thread at this base address.

158
00:17:08,290 --> 00:17:11,110
CreateThread.

159
00:17:14,230 --> 00:17:20,350
So the first one is the attributes; we can say zero.

160
00:17:20,590 --> 00:17:23,990
And the next one is stack size zero, base address.

161
00:17:25,720 --> 00:17:28,960
Function parameters: there are no function parameters.

162
00:17:28,990 --> 00:17:34,910
Creation flags zero means we need to start the thread immediately, and thread ID.

163
00:17:37,630 --> 00:17:38,950
It is close to zero.

164
00:17:40,960 --> 00:17:42,390
Out thread ID.

165
00:17:44,770 --> 00:17:46,240
So we are good to go.

166
00:17:46,270 --> 00:17:49,120
So let's put the breakpoint and start this.

167
00:17:54,830 --> 00:17:56,000
So there is nothing.

168
00:17:56,000 --> 00:17:58,790
Let's copy this instruction, master.

169
00:17:58,790 --> 00:17:59,420
Copy.

170
00:17:59,420 --> 00:18:02,540
And we have the payload here.

171
00:18:05,160 --> 00:18:05,360
No.

172
00:18:05,400 --> 00:18:07,110
We are about to create a thread.

173
00:18:07,110 --> 00:18:10,530
Let's run this, and here we can see the calculator got popped.

174
00:18:11,130 --> 00:18:15,030
So let's continue this one, and it says, so we are good to go.

175
00:18:15,270 --> 00:18:20,340
So after copying into the view, so we can just comment this one.

176
00:18:28,820 --> 00:18:34,580
So we have successfully copied the payload into the view and then we need to map the same view into the remote

177
00:18:34,580 --> 00:18:35,420
process.
178
00:18:37,260 --> 00:18:40,590
So what we can do is we can say OpenProcess.

179
00:18:53,280 --> 00:18:56,190
So we need to specify a process all access.

180
00:19:18,060 --> 00:19:21,840
So this one or this one.

181
00:19:21,840 --> 00:19:25,500
So you can just simply add these places.

182
00:19:27,420 --> 00:19:28,770
So it was like one.

183
00:19:28,770 --> 00:19:29,340
F.

184
00:19:29,950 --> 00:19:30,230
F.

185
00:19:30,240 --> 00:19:30,690
F.

186
00:19:33,880 --> 00:19:35,830
So we have the process all access.

187
00:19:38,990 --> 00:19:45,920
PROCESS_ALL_ACCESS and inherit handle false and the process ID.

188
00:19:55,690 --> 00:19:57,190
We are changing this process.

189
00:19:57,580 --> 00:20:00,610
So it's so not.

190
00:20:05,060 --> 00:20:10,010
So we have the pad 2000 for it's best this year.

191
00:20:12,660 --> 00:20:14,520
And pass this PID here.

192
00:20:17,380 --> 00:20:18,130
It's a PID.

193
00:20:19,570 --> 00:20:22,280
It will be very simple then process under security.

194
00:20:22,660 --> 00:20:24,490
So we will be getting the handle.

195
00:20:34,330 --> 00:20:45,400
So if process handle is equal to zero, then it's failed to open process.

196
00:20:46,970 --> 00:20:50,450
And we have successfully opened the process.

197
00:20:50,900 --> 00:20:53,900
Now, all we need is we need to just map this

198
00:20:55,590 --> 00:20:56,220
section.

199
00:21:07,010 --> 00:21:07,520
Oh I see.

200
00:21:08,450 --> 00:21:11,270
So you can copy the same variables.

201
00:21:11,570 --> 00:21:12,350
Paste here.

202
00:21:12,770 --> 00:21:15,290
Zero bits two, commit two.

203
00:21:17,440 --> 00:21:20,170
So change this to remote base.

204
00:21:22,940 --> 00:21:30,620
So the first one is section handle and the next one is the process handle, which we opened to

205
00:21:30,620 --> 00:21:35,660
the notepad, and then the reference remote base.

206
00:21:40,480 --> 00:21:42,910
Zero bits two.

207
00:21:44,390 --> 00:21:45,740
Commit size two.
208
00:21:48,230 --> 00:21:51,560
Reference section offset two.

209
00:22:02,470 --> 00:22:04,000
And the view size.

210
00:22:06,160 --> 00:22:08,500
Reference view size two.

211
00:22:15,900 --> 00:22:17,770
ViewUnmap, zero.

212
00:22:17,820 --> 00:22:22,080
And the last one is page read execute.

213
00:22:25,700 --> 00:22:26,180
Execute.

214
00:22:27,700 --> 00:22:28,780
So 20.

215
00:22:38,420 --> 00:22:42,920
And if remote base is equal to zero,

216
00:22:45,430 --> 00:22:46,300
then print

217
00:22:46,360 --> 00:22:46,980
uh

218
00:22:49,430 --> 00:22:50,940
remote mapper.

219
00:22:54,500 --> 00:23:00,250
And this time print this return value, that is the error, else

220
00:23:00,260 --> 00:23:06,200
so there is a success in mapping this section into the remote process.

221
00:23:09,630 --> 00:23:13,980
All we need to do is we need to just create a remote thread.

222
00:23:19,180 --> 00:23:19,880
All Candy.

223
00:23:20,140 --> 00:23:23,050
And the next one is attributes, which can be zero.

224
00:23:25,050 --> 00:23:28,830
Stack size zero and start address is remote base.

225
00:23:30,760 --> 00:23:32,360
And the function parameters.

226
00:23:32,380 --> 00:23:33,070
Zero.

227
00:23:34,790 --> 00:23:37,820
Creation flags zero so that that should start immediately.

228
00:23:37,820 --> 00:23:39,020
And then the thread.

229
00:23:47,380 --> 00:23:50,800
We'll be getting the thread handle.

230
00:23:55,420 --> 00:23:56,840
So I think we are good to go.

231
00:23:56,860 --> 00:24:01,810
So let's put the breakpoint at this CreateRemoteThread and run this.

232
00:24:13,260 --> 00:24:14,700
So let's run this.

233
00:24:18,360 --> 00:24:19,170
Okay.

234
00:24:20,820 --> 00:24:21,710
Let's continue.

235
00:24:21,720 --> 00:24:23,460
And we got the calculator popped.

236
00:24:25,310 --> 00:24:28,820
Let's also print the remote base.

237
00:24:53,060 --> 00:24:54,260
So let's run this.

238
00:24:56,660 --> 00:24:57,200
So.

239
00:25:04,460 --> 00:25:05,780
Read Execute.
240
00:25:12,340 --> 00:25:15,820
So here you can see, I think this is the exact address.

241
00:25:18,370 --> 00:25:26,820
Driver one, so this one, and here we can see the exact, our calculator has been mapped into this view

242
00:25:28,650 --> 00:25:35,640
and one thing is you don't need to unmap the view from the remote process.

243
00:25:35,640 --> 00:25:44,790
So it should be there, and you should not unmap because otherwise the payload is not going

244
00:25:44,790 --> 00:25:45,060
to run.

245
00:25:45,450 --> 00:25:48,570
So this program is also working for 32-bit.

246
00:25:48,570 --> 00:25:55,530
All you need to do is put that attribute there and change the compilation to x86.