1 00:00:00,570 --> 00:00:04,080 So in this video we'll be talking about the technique DLL hollowing.
2 00:00:04,080 --> 00:00:05,850 So it's similar to process hollowing.
3 00:00:05,850 --> 00:00:13,110 So in this, we will load the legitimate DLL into the process and then we will hollow out the text
4 00:00:13,110 --> 00:00:18,660 section with our shellcode, and then at the entry point we will create the thread to run the shellcode.
5 00:00:19,050 --> 00:00:21,870 So first, let's get the handle to this process.
6 00:00:33,290 --> 00:00:38,780 So there is a DLL called steam_api, which is a legitimate Steam DLL.
7 00:00:42,950 --> 00:00:47,780 So let's say string dllPath is equal to the path.
8 00:00:55,470 --> 00:01:03,840 We'll be using the OpenProcess function to get the handle, and then we will allocate some memory to
9 00:01:03,840 --> 00:01:05,880 write this string.
10 00:01:06,120 --> 00:01:13,980 So why we need to write this string: because we will be using the function LoadLibrary to load
11 00:01:14,010 --> 00:01:24,750 kernel32.dll, and then finding the LoadLibrary function, and then we'll run the function
12 00:01:24,750 --> 00:01:27,240 LoadLibrary with this parameter.
13 00:01:27,240 --> 00:01:34,200 So with this as a parameter, the DLL gets loaded in the remote process using CreateRemoteThread.
14 00:01:35,700 --> 00:01:37,320 So first let's get the handle.
15 00:01:37,320 --> 00:01:43,980 So OpenProcess; so desired access is PROCESS_ALL_ACCESS.
16 00:01:44,550 --> 00:01:46,440 So I have just copied from this.
17 00:01:46,440 --> 00:01:47,850 Or.
18 00:01:53,010 --> 00:01:59,280 And the process ID, so let's say pid is equal to zero for now.
19 00:02:03,090 --> 00:02:05,100 And in return we get the
20 00:02:07,590 --> 00:02:08,040 proc handle.
21 00:02:08,060 --> 00:02:18,150 And now we are going to allocate some memory, that is, this one; we can also convert this
22 00:02:18,150 --> 00:02:21,490 into bytes: byte[] byte
23 00:02:21,540 --> 00:02:28,710 DllPath is equal to Encoding.ASCII.GetBytes
24 00:02:30,620 --> 00:02:31,790 (dllPath).
25 00:02:37,020 --> 00:02:41,050 So let's allocate some memory using VirtualAllocEx.
26 00:02:43,450 --> 00:02:48,130 This is procHandle, and the base address will be zero.
27 00:02:48,130 --> 00:02:59,950 So the operating system will allocate a memory region for us, and the size is this one, byteDllPath
28 00:03:10,360 --> 00:03:16,960 .Length, and allocation type is MEM_COMMIT and MEM_RESERVE.
29 00:03:23,310 --> 00:03:25,890 Our protection type is read, write, execute.
30 00:03:27,990 --> 00:03:35,430 You don't need execute, because we are storing only the string at that.
31 00:03:35,730 --> 00:03:37,860 So I think read/write should be fine.
32 00:03:46,100 --> 00:03:50,060 So we will get the base address.
33 00:03:58,400 --> 00:03:59,660 So this base address
34 00:03:59,780 --> 00:04:05,090 we are going to write using WriteProcessMemory.
35 00:04:07,200 --> 00:04:15,990 procHandle, and the base address is this base address, and the buffer, the byte array, byte
36 00:04:15,990 --> 00:04:27,750 DllPath, and the size is byteDllPath.Length, and bytes written.
37 00:04:31,800 --> 00:04:38,280 So let's create a variable bytesWritten is equal to zero, and we can say out bytesWritten.
38 00:04:43,370 --> 00:04:44,450 So the
39 00:04:48,500 --> 00:04:48,900 Um.
40 00:04:49,340 --> 00:04:51,950 The string will be written to the process
41 00:04:51,950 --> 00:04:53,750 memory, remote process memory.
42 00:04:53,870 --> 00:05:04,330 Now, what we are going to do is we need to LoadLibrary the kernel32.dll.
43 00:05:04,610 --> 00:05:08,840 So this will load the specified DLL into the memory.
44 00:05:17,720 --> 00:05:18,880 So it's a DLL.
45 00:05:18,890 --> 00:05:21,250 And so we get the handle of this DLL.
46 00:05:21,260 --> 00:05:25,610 And in this DLL, we need to find the function, that is Load
47 00:05:25,610 --> 00:05:26,510 Library
48 00:05:26,540 --> 00:05:28,010 A.
49 00:05:32,480 --> 00:05:41,270 And the function name is LoadLibraryA here, and we will get the function's address.
50 00:05:42,710 --> 00:05:45,440 Function address is equal to this one.
51 00:05:46,640 --> 00:05:52,370 Now we have the function address and we have the string address, so we can create the thread to execute
52 00:05:52,370 --> 00:05:58,160 this LoadLibrary with the argument as this one, so that the DLL will be loaded.
53 00:05:58,820 --> 00:06:00,970 So it's nothing much, it's a legitimate DLL.
54 00:06:00,980 --> 00:06:04,850 Later we will replace the text section with the actual code.
55 00:06:05,390 --> 00:06:08,780 So CreateRemoteThread.
56 00:06:11,000 --> 00:06:21,560 Thread attributes null, stack size zero, start address is this function address.
57 00:06:25,560 --> 00:06:31,740 And the function parameter is the base address, and the creation flags zero.
58 00:06:31,950 --> 00:06:34,320 So that thread will start immediately.
59 00:06:41,920 --> 00:06:44,950 And the return type is the thread handle.
60 00:06:47,980 --> 00:06:50,700 And lpThreadId.
61 00:06:52,420 --> 00:06:56,410 So let's put the breakpoint here and let's start the notepad.
62 00:07:05,820 --> 00:07:09,620 So there is this; double click on this and go to modules here.
63 00:07:09,660 --> 00:07:12,120 See, there is no steam_api.dll.
64 00:07:13,140 --> 00:07:21,060 So you can click on this name to sort according to the alphabetical order.
65 00:07:21,960 --> 00:07:23,340 So there is no steam_api.
66 00:07:23,370 --> 00:07:25,630 Now, let's...
67 00:07:28,260 --> 00:07:32,820 We can also print this address .ToString().
68 00:07:36,390 --> 00:07:37,710 So let's run this one.
69 00:07:44,690 --> 00:07:46,370 So we got some error.
70 00:08:03,630 --> 00:08:05,120 Okay, because of the PID.
71 00:08:05,130 --> 00:08:11,790 So we did not give the correct process ID, so copy this one and paste here.
72 00:08:14,020 --> 00:08:17,320 So let's put the breakpoint before this remote thread function.
73 00:08:18,670 --> 00:08:20,680 And now we got the base address.
74 00:08:27,140 --> 00:08:28,560 So we need to read.
75 00:08:28,580 --> 00:08:29,030 Right?
76 00:08:29,040 --> 00:08:29,430 Right.
77 00:08:29,450 --> 00:08:31,670 So we can do like this.
78 00:08:34,580 --> 00:08:36,110 236.
79 00:08:51,890 --> 00:08:53,240 900.
80 00:09:24,300 --> 00:09:25,590 236 E.
81 00:09:27,460 --> 00:09:28,210 So this one?
82 00:09:28,210 --> 00:09:28,620 I guess.
83 00:09:28,630 --> 00:09:37,210 So here we can see that the DLL string; or let's close this and let's go and run this
84 00:09:37,210 --> 00:09:37,630 one.
85 00:09:39,750 --> 00:09:43,740 Now we should see the DLL if it's loaded; go to modules.
86 00:09:52,810 --> 00:09:55,480 And here we can see the DLL.
87 00:09:56,740 --> 00:10:02,650 So let's call this one now.
88 00:10:04,940 --> 00:10:06,440 What we're going to do is.
89 00:10:25,660 --> 00:10:32,080 So we are going to find the loaded DLLs' names and their base addresses, so we can do that using
90 00:10:32,080 --> 00:10:34,420 the function CreateToolhelp32Snapshot.
91 00:10:34,420 --> 00:10:41,170 So we have seen this in the previous videos, how to load that, how to find the DLL's name
92 00:10:41,170 --> 00:10:42,940 and their base addresses.
93 00:10:45,310 --> 00:10:48,760 So it will take the snapshot of the process,
94 00:10:48,760 --> 00:10:57,370 processes, or the modules, threads, etc. at that point of time.
95 00:10:57,370 --> 00:11:02,680 So if you run this after 10 minutes, you may get different values.
96 00:11:04,510 --> 00:11:07,750 So the first one is the
97 00:11:08,540 --> 00:11:09,200 flags.
98 00:11:09,200 --> 00:11:11,150 What type of information do you want?
99 00:11:11,160 --> 00:11:12,520 So we
100 00:11:12,530 --> 00:11:16,340 want the information, and the process ID, the second parameter.
101 00:11:19,660 --> 00:11:21,160 So now create.
102 00:11:22,480 --> 00:11:28,510 So I have already declared this, because I don't want to waste your time by creating this, so you
103 00:11:28,510 --> 00:11:30,820 can go to pinvoke.net and copy this.
104 00:11:30,820 --> 00:11:32,380 So these functions are there.
105 00:11:49,360 --> 00:11:49,810 It's.
106 00:11:53,450 --> 00:11:54,680 So one, eight.
107 00:11:54,680 --> 00:11:55,850 Two, four.
108 00:11:56,030 --> 00:11:59,570 So, one, two, four, eight.
109 00:12:06,930 --> 00:12:09,330 And then we need to pass the PID.
110 00:12:15,250 --> 00:12:18,980 So we will get the snap, and the snapshot handle.
111 00:12:19,000 --> 00:12:22,480 So let's call this snapshotHandle.
112 00:12:23,920 --> 00:12:29,050 So this snapshot handle should be passed to this Module32First function.
113 00:12:31,260 --> 00:12:37,620 So this will give the information about the first module; so you can see the first parameter
114 00:12:37,620 --> 00:12:41,040 is the snapshot handle, and the second parameter is the struct.
115 00:12:41,040 --> 00:12:42,900 We will get to this one.
116 00:12:42,900 --> 00:12:47,700 So a pointer to the structure, the MODULEENTRY32 structure.
117 00:12:50,870 --> 00:12:58,850 Here we have the size and the process ID the module belongs to, and here we have the base address, base
118 00:12:58,850 --> 00:13:01,770 address, and here module.
119 00:13:01,820 --> 00:13:09,560 We also have the handle of this module, and also this module path, and that module, module name.
120 00:13:09,560 --> 00:13:13,760 And that module path is the absolute path.
121 00:13:15,290 --> 00:13:18,280 So this structure can be copied from pinvoke.net.
122 00:13:18,290 --> 00:13:21,920 So I have already copied this one.
123 00:13:21,920 --> 00:13:27,290 So here you can see, before copying, I thought it was ByValArray.
124 00:13:27,290 --> 00:13:29,000 So it's not; it's ByValTStr.
125 00:13:29,000 --> 00:13:33,020 So the entire array will be converted into the string.
126 00:13:33,020 --> 00:13:35,180 So you don't need to worry about that.
127 00:13:36,050 --> 00:13:42,410 So let's call this one: Module32First(snapshotHandle,
128 00:13:43,520 --> 00:13:52,670 So we will be creating a new MODULEENTRY32; let's say me = new MODULEENTRY32(), and we need
129 00:13:52,670 --> 00:13:54,110 to define the size.
130 00:13:54,110 --> 00:14:00,230 So it will take the information in this structure, and we need to declare the size.
131 00:14:00,380 --> 00:14:11,600 So me.dwSize is equal to Marshal.SizeOf(typeof(MODULEENTRY32)).
132 00:14:18,160 --> 00:14:20,100 We got some error.
133 00:14:20,140 --> 00:14:22,660 So it is uint and this one is int.
134 00:14:22,660 --> 00:14:23,200 So.
135 00:14:27,230 --> 00:14:29,410 Now we can pass this as a reference, ref me.
136 00:14:34,410 --> 00:14:40,950 Now I can print me.szModule.
137 00:14:40,950 --> 00:14:43,770 So szModule is this one, the name.
138 00:14:44,040 --> 00:14:48,540 You can also rename this one so that we can read clearly.
139 00:14:53,000 --> 00:15:01,970 So what we can do is we can use the, whenever this function is called, the Module32Next.
140 00:15:01,970 --> 00:15:06,470 So it will be like a link; it will move on to the next one.
141 00:15:06,800 --> 00:15:10,520 So what we can do is while me dot
142 00:15:12,830 --> 00:15:14,060 me dot
143 00:15:16,890 --> 00:15:19,110 modBaseSize is not equal to zero.
144 00:15:21,330 --> 00:15:30,060 We'll be calling Module32Next(snapshotHandle, ref me).
145 00:15:32,410 --> 00:15:33,360 So.
146 00:15:46,490 --> 00:15:46,790 Okay.
147 00:15:46,790 --> 00:15:48,770 This should be fine, I guess.
148 00:15:48,800 --> 00:15:52,550 Now, let's go and print these module names.
149 00:15:55,610 --> 00:15:59,540 So again, once again, go to the notepad and
150 00:16:02,170 --> 00:16:03,210 copy the process
151 00:16:03,220 --> 00:16:03,760 ID.
152 00:16:06,210 --> 00:16:07,170 Paste here.
153 00:16:08,160 --> 00:16:09,900 So let's go and run this one.
154 00:16:11,340 --> 00:16:12,630 So at this point.
155 00:16:12,630 --> 00:16:12,910 So.
156 00:16:12,930 --> 00:16:14,820 So let's also run this remote thread.
157 00:16:14,850 --> 00:16:16,890 At this point, we should have the
158 00:16:19,410 --> 00:16:22,440 steam_api.dll loaded into the
159 00:16:24,390 --> 00:16:25,490 process.
160 00:16:25,530 --> 00:16:29,310 So here we have this DLL right here.
161 00:16:29,370 --> 00:16:32,160 Now, let's go and run this one.
162 00:16:37,010 --> 00:16:38,540 Well, we are getting some error.
163 00:16:38,760 --> 00:16:41,870 So let's stop this and
164 00:16:48,230 --> 00:16:52,130 So that me.szModule.
165 00:17:22,570 --> 00:17:30,730 So since the steam_api.dll already ran, we can just comment out this one.
166 00:17:35,640 --> 00:17:37,230 Comment out up to this.
167 00:17:37,470 --> 00:17:40,800 So since we are getting an error, let's run this one.
168 00:17:42,240 --> 00:17:47,280 Okay, we got these DLLs, so fine.
169 00:17:47,460 --> 00:17:57,090 And we can also print me.modBaseAddr.ToString().
170 00:17:59,630 --> 00:18:00,910 So let's go and run this.
171 00:18:00,920 --> 00:18:04,880 And we should have the respective base address.
172 00:18:11,800 --> 00:18:16,120 So it's not sorted out.
173 00:18:16,270 --> 00:18:27,760 So what we can do is: if me.szModule is equal, equal to, or .Contains("steam").
174 00:18:31,680 --> 00:18:32,960 And then only we can,
175 00:18:32,970 --> 00:18:39,990 we are going to print this one, and here we can see we got the one DLL with the name steam in it and
176 00:18:39,990 --> 00:18:41,070 the base address.
177 00:18:41,670 --> 00:18:44,750 Now at this base address, there is a DLL.
178 00:18:44,760 --> 00:18:49,260 And what we need to do is we need to find the offset of this entry point.
179 00:18:49,530 --> 00:18:56,130 So I have this function; we have seen this in the PE parsing videos.
180 00:18:56,130 --> 00:19:00,840 So this is similar, where we have found the SizeOfHeaders offset.
181 00:19:00,840 --> 00:19:04,890 So here it will be 84, and I change this to 40.
182 00:19:04,890 --> 00:19:08,660 So PE offset plus 40, which gives you the entry point.
183 00:19:08,670 --> 00:19:14,220 So you can just change this to 40 and you will get the entry point.
184 00:19:16,940 --> 00:19:19,040 So we can do this one.
185 00:19:19,040 --> 00:19:23,030 We can create.
186 00:19:30,010 --> 00:19:33,310 Let's, we need to store this value, base address.
187 00:19:36,160 --> 00:19:42,430 dllBase equals zero, and dllBase equals to.
188 00:19:46,080 --> 00:19:48,660 So we are saving this to a variable dllBase.
189 00:20:08,500 --> 00:20:10,600 So we can put a check: if
190 00:20:11,030 --> 00:20:13,960 IntPtr.Size
191 00:20:16,140 --> 00:20:27,570 is equal, equal to eight, then dllBase is equal to me.modBaseAddr.ToInt64().
192 00:20:29,730 --> 00:20:36,150 Else dllBase is equal to me.modBaseAddr.ToInt32().
193 00:20:36,930 --> 00:20:43,080 So you don't need to worry about changing the 64 to 32 when you compile for 32-bit architecture.
194 00:20:43,890 --> 00:20:45,270 So we have the dllBase.
195 00:20:45,270 --> 00:20:51,840 All we need to find is the entry point offset, so we can use GetImageEntryPointOffset.
196 00:20:52,140 --> 00:20:54,930 So it takes the byte array.
197 00:20:59,950 --> 00:21:03,790 And it gives you the entry point.
198 00:21:06,740 --> 00:21:13,820 So then you can add this one, dllBase and entry point, so that gives you the first instruction.
199 00:21:16,030 --> 00:21:20,110 So we need to first write the, this
200 00:21:22,180 --> 00:21:26,380 the actual content.
201 00:21:32,930 --> 00:21:40,770 So I have already copied this one, the previous payload, that is the calculator payload.
202 00:21:48,410 --> 00:21:53,840 So we're going to write into that base address, dllBase, plus entry point.
203 00:21:57,540 --> 00:22:02,420 procHandle, and the base address is dllBase
204 00:22:02,430 --> 00:22:04,590 plus entry point.
205 00:22:06,520 --> 00:22:11,260 And the buffer is our calculator payload, and the size is payload length.
206 00:22:13,190 --> 00:22:13,970 And now.
207 00:22:16,420 --> 00:22:17,080 Bytes written.
208 00:22:40,260 --> 00:22:40,530 Okay.
209 00:22:40,530 --> 00:22:42,090 Let's delete this one.
210 00:23:01,680 --> 00:23:07,170 So we are writing our shellcode into that dllBase, base address, plus entry point.
211 00:23:07,380 --> 00:23:10,200 Now, what we can do is we can
212 00:23:12,840 --> 00:23:15,990 create a remote thread at that
213 00:23:16,170 --> 00:23:16,710 uh
214 00:23:18,500 --> 00:23:22,390 address where our shellcode resides.
215 00:23:28,020 --> 00:23:28,520 There.
216 00:23:28,650 --> 00:23:30,420 So you can just copy this one.
217 00:23:36,020 --> 00:23:38,120 Creation flags: start immediately.
218 00:23:40,670 --> 00:23:41,630 Handle.
219 00:23:57,040 --> 00:23:58,970 So I think we have missed something.
220 00:24:00,470 --> 00:24:02,210 So function parameters, or.
221 00:24:09,150 --> 00:24:09,270 Okay.
222 00:24:09,390 --> 00:24:11,010 I think we are good to go.
223 00:24:13,970 --> 00:24:15,890 So let's put the breakpoint at this.
224 00:24:18,290 --> 00:24:21,260 Let's also print the dllBase plus
225 00:24:24,030 --> 00:24:25,200 entry point,
226 00:24:30,510 --> 00:24:31,650 .ToString().
227 00:24:35,120 --> 00:24:38,240 So let's close this one.
228 00:24:50,850 --> 00:24:52,020 So let's run this.
229 00:24:53,910 --> 00:24:56,310 So we have this address.
230 00:25:12,980 --> 00:25:14,510 7ff.
231 00:25:14,690 --> 00:25:19,660 So here we can see the DLL, so we can search for our DLL.
232 00:25:33,420 --> 00:25:33,610 Okay.
233 00:25:33,840 --> 00:25:37,020 Here we have the DLL's memory.
234 00:25:37,230 --> 00:25:39,870 7fff, 7ff.
235 00:25:41,640 --> 00:25:42,510 Eight F.
236 00:25:47,130 --> 00:25:49,140 And F and four, so.
237 00:25:55,580 --> 00:26:03,040 So when an F rate of 40 and 70,000, I guess this one.
238 00:26:03,050 --> 00:26:07,700 So if I go and double click this, not this one.
239 00:26:10,960 --> 00:26:15,050 Well, yes, at this one, we have.
240 00:26:17,650 --> 00:26:19,090 And then entry point.
241 00:26:19,090 --> 00:26:21,670 We should have the shellcode.
242 00:26:22,210 --> 00:26:22,740 Uh.
243 00:26:29,000 --> 00:26:30,920 We got some error, so let's see that.
244 00:26:49,480 --> 00:26:49,840 Okay.
245 00:26:49,840 --> 00:26:55,340 So, we need to read this file, that
246 00:26:56,760 --> 00:26:58,050 ReadAllBytes.
247 00:26:59,570 --> 00:27:05,510 So we are actually parsing the string instead of reading the contents.
248 00:27:18,920 --> 00:27:20,000 The content.
249 00:27:28,770 --> 00:27:30,860 So let's copy the process ID.
250 00:27:35,650 --> 00:27:39,670 And now let's put the breakpoint at this WriteProcessMemory.
251 00:27:41,290 --> 00:27:42,370 So let's run this.
252 00:27:45,280 --> 00:27:47,890 Well, we have this address.
253 00:27:48,820 --> 00:27:52,270 So previously this is the base of this dllBase.
254 00:28:40,360 --> 00:28:48,100 So I guess after this point it should write correctly, so.
255 00:28:48,750 --> 00:28:51,290 So let's go and run this.
256 00:28:51,310 --> 00:28:54,010 So if I go and run this, our calculator should pop up.
257 00:28:55,120 --> 00:28:56,890 And here we can see the calculator.
258 00:29:01,570 --> 00:29:04,450 So that's about the DLL hollowing.
259 00:29:04,450 --> 00:29:11,220 So we loaded that DLL, and then we hollowed out the text section and placed there our shell
260 00:29:11,230 --> 00:29:11,500 code.
261 00:29:12,760 --> 00:29:19,360 And we also used the CreateToolhelp32Snapshot, which is very helpful in finding the base
262 00:29:19,360 --> 00:29:21,520 address and address at the same time.
263 00:29:21,670 --> 00:29:26,050 And then later we created the thread at that shellcode address.