1
00:00:00,770 --> 00:00:05,780
So in this video we'll be discussing the thread's asynchronous procedure calls.

2
00:00:06,320 --> 00:00:11,480
So an APC is a function that executes asynchronously in the context of a particular thread.

3
00:00:12,470 --> 00:00:19,040
When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled,

4
00:00:19,040 --> 00:00:27,860
it will run this APC function. So we'll be issuing a user-mode APC, and in order for the

5
00:00:27,860 --> 00:00:33,440
thread to run that function, it should be in an alertable state.

6
00:00:34,340 --> 00:00:42,920
So here the thread to which it is queued does not execute the function unless it is in an alertable state.

7
00:00:42,920 --> 00:00:49,760
So the thread goes into the alertable state with these functions: SleepEx, WaitForSingleObjectEx,

8
00:00:49,760 --> 00:00:50,630
etc.

9
00:00:52,190 --> 00:01:02,000
So what we're going to do is first we are going to write our shellcode into the remote process, and

10
00:01:02,000 --> 00:01:07,970
we'll be using the SleepEx function for the thread to go into the alertable state.

11
00:01:08,330 --> 00:01:16,340
And in this alertable state, the thread monitors this APC queue, and if there is any function in

12
00:01:16,340 --> 00:01:19,820
that APC queue, then it's going to execute that function.

13
00:01:23,980 --> 00:01:26,050
So I have opened the two projects.

14
00:01:26,050 --> 00:01:29,500
So one is a normal sleep program.

15
00:01:29,740 --> 00:01:38,170
It will use SleepEx to go into a one minute sleep, and it goes into the alertable state as well.

16
00:01:39,490 --> 00:01:43,210
So I have already implemented this OpenProcess.

17
00:01:43,210 --> 00:01:50,120
It's nothing much: PROCESS_ALL_ACCESS, inherit handle true, and the PID.

18
00:01:50,950 --> 00:01:56,740
Now we are going to write our payload into this process.

19
00:01:58,690 --> 00:02:03,230
So we'll first be allocating using VirtualAllocEx.
20
00:02:14,090 --> 00:02:15,170
The address parameter is null.

21
00:02:15,200 --> 00:02:18,140
So the system will decide where to allocate.

22
00:02:18,200 --> 00:02:22,820
So the size, let's say, will be ... bytes.

23
00:02:28,620 --> 00:02:29,690
Allocation type.

24
00:02:38,010 --> 00:02:39,720
So MEM_COMMIT and MEM_RESERVE.

25
00:02:43,970 --> 00:02:46,880
And the page protection is PAGE_EXECUTE_READWRITE.

26
00:02:46,940 --> 00:02:49,580
So the value is just hexadecimal 40.

27
00:02:49,790 --> 00:02:52,700
Now the return type is the base address.

28
00:02:57,420 --> 00:02:57,690
Now.

29
00:02:58,290 --> 00:03:05,430
Now that we have allocated, we need to write our payload into that memory region.

30
00:03:05,970 --> 00:03:16,820
If the base address is not equal to IntPtr.Zero, then the memory region was committed.

31
00:03:16,830 --> 00:03:20,160
Then we can write the payload to that region.

32
00:03:20,340 --> 00:03:24,610
So we are going to use WriteProcessMemory.

33
00:03:24,630 --> 00:03:31,620
I have already defined all of these functions in another file, so you can copy from there, or you can

34
00:03:31,620 --> 00:03:38,430
just copy from previous programs, or you can directly copy from the website.

35
00:03:40,130 --> 00:03:41,960
So let's go and write this one.

36
00:03:43,580 --> 00:03:45,380
And the proc handle.

37
00:03:46,430 --> 00:03:47,330
Process handle.

38
00:03:47,330 --> 00:03:51,590
And the base address and the payload.

39
00:03:53,900 --> 00:03:55,450
And the payload length.

40
00:03:57,920 --> 00:04:01,140
And we are going to create a variable bytesReturned

41
00:04:01,760 --> 00:04:05,540
equal to zero, and that will be out.

42
00:04:16,080 --> 00:04:24,450
Now we can place another check condition: if bytesReturned is greater than zero, then obviously the payload

43
00:04:24,450 --> 00:04:25,230
will have been written.

44
00:04:30,780 --> 00:04:33,810
So after that, what we need to do is we need to

45
00:04:36,420 --> 00:04:37,560
call this function.
46
00:04:37,590 --> 00:04:45,840
QueueUserAPC. And here the first parameter is the function's address, then the thread handle, and the parameter

47
00:04:45,840 --> 00:04:47,520
to the function.

48
00:04:48,360 --> 00:04:50,720
So it's very simple.

49
00:04:50,730 --> 00:04:56,190
So for getting the thread handle, we need to use the OpenThread function.

50
00:04:57,850 --> 00:05:04,690
So I have already searched for these constant values and copied them here.

51
00:05:06,040 --> 00:05:09,760
So these are similar to the process access rights.

52
00:05:11,270 --> 00:05:17,160
So now we need to call OpenThread to get the thread handle.

53
00:05:17,180 --> 00:05:26,000
So desired access is THREAD_ALL_ACCESS, inherit handle true, and the thread ID; that is, the thread ID we will

54
00:05:26,000 --> 00:05:28,600
be getting using Process Hacker.

55
00:05:29,960 --> 00:05:33,170
And the return type is the thread handle.

56
00:05:34,100 --> 00:05:37,790
Now we can pass this thread handle to the QueueUserAPC function.

57
00:05:42,580 --> 00:05:45,490
And the function address is the base address.

58
00:05:45,820 --> 00:05:49,420
At that base address, our shellcode resides.

59
00:05:52,470 --> 00:05:57,720
And the thread handle which we have just got, and the function parameter is null.

60
00:06:15,700 --> 00:06:17,710
So I think we are good to go.

61
00:06:17,740 --> 00:06:23,740
Now here we have a first input.

62
00:06:23,740 --> 00:06:24,430
So.

63
00:06:25,960 --> 00:06:27,580
If I go and run this one.

64
00:06:29,740 --> 00:06:33,700
So let's stop here and put a breakpoint at this.

65
00:06:37,070 --> 00:06:42,820
And let's also put a breakpoint just after the WriteProcessMemory.

66
00:06:45,260 --> 00:06:47,270
And we can get the process ID.

67
00:06:49,450 --> 00:06:53,460
So if you want to inject into other processes, you can inject as well.
68
00:06:53,470 --> 00:07:01,810
So you can loop over all the threads and identify which thread belongs to that process,

69
00:07:01,810 --> 00:07:04,440
which process that thread belongs to.

70
00:07:04,450 --> 00:07:08,620
And then you need to wait until the thread goes into an alertable state.

71
00:07:08,650 --> 00:07:12,460
Otherwise it is not going to execute. For demonstration purposes,

72
00:07:12,550 --> 00:07:18,070
I am going to create another process, and the process PID is this one.

73
00:07:18,070 --> 00:07:19,090
Copy this.

74
00:07:20,840 --> 00:07:29,460
And paste it here. And the thread ID: go to Threads, and here you will have the thread ID.

75
00:07:29,990 --> 00:07:31,010
Copy this one.

76
00:07:34,360 --> 00:07:44,590
So we have set it, and now we are going to open the process and allocate some memory and write the

77
00:07:44,590 --> 00:07:45,100
payload.

78
00:07:45,310 --> 00:07:46,630
So let's run this.

79
00:07:49,050 --> 00:07:51,300
And if you go and see.

80
00:07:53,180 --> 00:07:53,660
Okay.

81
00:07:53,660 --> 00:07:56,060
So we are not printing anything.

82
00:08:01,200 --> 00:08:02,730
So let's go and print.

83
00:08:05,590 --> 00:08:07,270
Remote base address.

84
00:08:12,960 --> 00:08:19,290
Or you can also check in the process for read, write, execute regions.

85
00:08:27,300 --> 00:08:33,750
So let's run this, and let's close this one and open another memory window.

86
00:08:33,750 --> 00:08:35,020
That is Memory 2.

87
00:08:35,040 --> 00:08:37,440
So Memory 2 is this process.

88
00:08:51,830 --> 00:08:53,720
Now copy the thread ID.

89
00:08:56,060 --> 00:09:00,350
And now let's run this, and you have the base address.

90
00:09:04,150 --> 00:09:08,590
So if you go to this, we will have this.

91
00:09:19,540 --> 00:09:21,420
So let's go ahead and run this one.

92
00:09:21,430 --> 00:09:23,950
Now the program is waiting for our input.
93
00:09:23,980 --> 00:09:29,530
Now you can directly go and queue this, uh, APC function.

94
00:09:31,550 --> 00:09:33,590
So let's continue this.

95
00:09:34,770 --> 00:09:35,310
And it's.

96
00:09:35,670 --> 00:09:47,430
So we have queued the APC function, and now if I go and hit enter, this thread will go into an alertable state

97
00:09:47,430 --> 00:09:49,230
and our payload gets executed.

98
00:09:49,410 --> 00:09:51,000
So now we can see, after I

99
00:09:53,370 --> 00:09:54,290
give this input,

100
00:09:54,300 --> 00:09:57,840
this thread goes into the alertable state

101
00:09:58,800 --> 00:10:01,200
by this function, and our payload gets executed.

102
00:10:07,770 --> 00:10:08,460
I.

103
00:10:14,890 --> 00:10:16,660
So you can also.

104
00:10:38,240 --> 00:10:41,900
So now let's go into this sleep state.

105
00:10:41,930 --> 00:10:44,440
Now our program is in an alertable state.

106
00:10:44,450 --> 00:10:48,710
Now we can go ahead and try to run this to pop up the calculator.

107
00:10:54,880 --> 00:10:58,690
So that's how you queue a user

108
00:10:58,780 --> 00:11:03,870
APC to a thread, and the thread must be in an alertable state to execute our payload.