1
00:00:00,630 --> 00:00:08,160
Hello and welcome to a new section. In this section, we are going to learn how to create Trojans by

2
00:00:08,160 --> 00:00:14,190
embedding shellcode inside PE executable files, PE executable files,

3
00:00:14,400 --> 00:00:15,630
Windows programs.

4
00:00:18,190 --> 00:00:24,460
What are Trojans? A Trojan is a fake program that pretends to be something it is not.

5
00:00:25,180 --> 00:00:25,790
Inside,

6
00:00:26,140 --> 00:00:29,290
there is some hidden code that does something else.

7
00:00:29,830 --> 00:00:36,760
For example, listening on a port or connecting to a server, or alternatively, the reverse connection, a reverse

8
00:00:36,760 --> 00:00:37,150
shell.

9
00:00:37,570 --> 00:00:43,810
Capturing keystrokes (a keylogger), stealing usernames and passwords, spying on the screen,

10
00:00:44,260 --> 00:00:48,340
downloading additional malicious tools, spreading to other machines,

11
00:00:48,730 --> 00:00:55,530
escalating privileges to become the admin user, encrypting files as ransomware, and even becoming a

12
00:00:55,540 --> 00:00:56,260
remote access

13
00:00:56,260 --> 00:01:02,860
tool. Techniques to create Trojans: the first is putting malicious code inside code caves.

14
00:01:04,060 --> 00:01:07,330
These are in the text section of the executable file.

15
00:01:08,080 --> 00:01:16,180
Second is by creating new sections to put malicious code, and third is by extending existing sections

16
00:01:16,180 --> 00:01:17,200
to put malicious code.

17
00:01:18,490 --> 00:01:22,960
Now we are going to look at the practical on how to create Trojans

18
00:01:23,260 --> 00:01:24,340
with code caves.

19
00:01:26,780 --> 00:01:35,480
So the objective of the next project we are going to do is to trojanize crackme to run Microsoft

20
00:01:35,480 --> 00:01:35,810
Paint.

21
00:01:36,920 --> 00:01:38,810
So this is a crackme that I wrote.

22
00:01:39,550 --> 00:01:44,320
And when you run it, it opens a graphical user interface.
23
00:01:44,620 --> 00:01:47,970
You can key in the serial key, then you can check to see

24
00:01:47,990 --> 00:01:48,760
that it is correct.

25
00:01:49,360 --> 00:01:57,260
So I'm going to show you how to embed shellcode inside this crackme so that when you run it,

26
00:01:58,030 --> 00:02:05,620
it also runs another program called Microsoft Paint, which is available on Windows computers.

27
00:02:06,630 --> 00:02:11,880
The next thing we need to look at is how to choose a suitable EXE to trojanize.

28
00:02:12,330 --> 00:02:19,220
And this is in respect to the code cave method. For the code cave method, you need a text section

29
00:02:19,710 --> 00:02:26,280
that is bigger than your shellcode. The raw size and the virtual size are different.

30
00:02:26,850 --> 00:02:28,470
So that's something you should be careful about.

31
00:02:29,040 --> 00:02:30,570
You should be more concerned

32
00:02:30,660 --> 00:02:33,810
with the raw size. Raw size is file size.

33
00:02:34,110 --> 00:02:35,760
Virtual size is memory size.

34
00:02:36,300 --> 00:02:40,260
When a file is run (a file refers to the program),

35
00:02:40,860 --> 00:02:47,200
the operating system would allocate your memory, and more memory space, for optimization purposes.

36
00:02:47,200 --> 00:02:48,990
So that would be your virtual memory size.

37
00:02:50,010 --> 00:02:53,480
So you need to check the raw size.

38
00:02:54,090 --> 00:03:02,280
You can use PE-bear to see that. Our shellcode would be slightly smaller than 200 bytes.

39
00:03:02,700 --> 00:03:11,790
So we need about 300 bytes of code cave. So-called code caves are parts of the text section of a PE file that have

40
00:03:11,790 --> 00:03:13,140
no instructions in them.

41
00:03:13,700 --> 00:03:17,190
They're denoted by zero bytes.

42
00:03:17,820 --> 00:03:22,620
If you cannot find enough code cave, then you cannot use the code cave method.

43
00:03:22,980 --> 00:03:24,690
You need to use the other methods.
44
00:03:25,200 --> 00:03:27,840
So this is how you can check for code cave sizes.

45
00:03:28,320 --> 00:03:30,960
You use PE-bear to open your crackme,

46
00:03:31,350 --> 00:03:36,150
the target program you want to trojanize, and look at the section headers.

47
00:03:36,510 --> 00:03:42,900
So here you can see the section that we want to insert our shellcode into is the text section.

48
00:03:43,320 --> 00:03:51,090
The text section contains the instructions, and this section is readable and executable by default.

49
00:03:51,540 --> 00:03:55,050
That's why we put our shellcode in this section.

50
00:03:55,950 --> 00:04:05,310
So over here, you can see that the raw address starts at 400 offset and runs all the way to

51
00:04:05,970 --> 00:04:06,660
B800.

52
00:04:06,660 --> 00:04:08,520
That is the raw data of the text section.

53
00:04:09,450 --> 00:04:18,090
So if you want to know whether there is a code cave, you go to the hex editor and open your crackme,

54
00:04:18,100 --> 00:04:20,420
scroll down to the rdata section.

55
00:04:20,790 --> 00:04:28,170
In this case, the offset is B800 over here, and then just above it will be your code cave

56
00:04:28,890 --> 00:04:30,390
for your text section.

57
00:04:31,170 --> 00:04:35,100
So the region just above it will be the next section.

58
00:04:35,670 --> 00:04:39,420
And you can see the code cave is all null bytes, all zero.

59
00:04:39,450 --> 00:04:43,320
So this is where you can inject your shellcode in here.

60
00:04:44,760 --> 00:04:52,590
So if you want to know whether this number of bytes in the code cave is enough for your shellcode, you need

61
00:04:52,590 --> 00:04:54,210
to perform some calculation.

62
00:04:54,870 --> 00:04:57,600
So here, go down to the last byte here.

63
00:04:58,050 --> 00:05:01,530
This last byte here is B7FF.

64
00:05:02,280 --> 00:05:08,370
So you take this B7FF minus the start of the code cave,

65
00:05:08,760 --> 00:05:12,000
which is B680, the first byte here.
66
00:05:12,600 --> 00:05:21,030
So after subtracting, you find that you have hex 17F, which is 383 in decimal.

67
00:05:21,510 --> 00:05:26,640
So 383 bytes is more than enough for our shellcode, because our shellcode is less than 200

68
00:05:26,640 --> 00:05:27,030
bytes.

69
00:05:27,510 --> 00:05:32,280
Now, you have to bear in mind that shellcode alone is not enough to execute.

70
00:05:33,270 --> 00:05:37,240
You need to also put additional instructions in before and after the shellcode.

71
00:05:37,650 --> 00:05:41,580
That is why you need extra bytes in addition to the shellcode.

72
00:05:42,840 --> 00:05:46,110
So this is the anatomy of the execution flow.

73
00:05:46,710 --> 00:05:51,360
Take, for example, on the left here, a normal PE executable file.

74
00:05:51,930 --> 00:05:55,800
It has got an entry point, and then followed by all the regular code.

75
00:05:56,250 --> 00:06:00,210
And then below it is the code cave, as you can see from the hex editor here,

76
00:06:00,490 --> 00:06:01,140
a code cave.

77
00:06:02,140 --> 00:06:04,860
Now the code cave consists of zero bytes, null bytes.

78
00:06:05,250 --> 00:06:13,380
So what we do is we will put a jump at the top of the entry point here, a jump instruction, and cause

79
00:06:13,380 --> 00:06:14,850
it to jump to our code cave.

80
00:06:15,480 --> 00:06:20,730
The first address of the code cave gives you the address to jump to.

81
00:06:21,360 --> 00:06:27,270
Now, because we are inserting jump instructions inside the entry point,

82
00:06:27,590 --> 00:06:30,270
we will be overwriting some instructions.

83
00:06:30,630 --> 00:06:37,000
So those instructions which you overwrite, you have to replace them back over here, inside the code cave.

84
00:06:38,100 --> 00:06:41,610
So remember to take note of those instructions which you overwrite.

85
00:06:42,270 --> 00:06:49,530
And then when the execution of this PE file starts, it would jump to the code cave.
86
00:06:50,190 --> 00:06:53,820
And the first thing it does is save the registers and the flags.

87
00:06:54,360 --> 00:07:00,990
The reason why you need to do this is because later on you are going to come back to the entry point

88
00:07:01,320 --> 00:07:04,260
to continue running your original file.

89
00:07:04,710 --> 00:07:05,690
So that's why you need to

90
00:07:05,840 --> 00:07:10,670
save the original state of the registers and the flags.

91
00:07:11,420 --> 00:07:18,960
So after you save the registers and flags by pushing them to the stack, then you put your shellcode.

92
00:07:19,610 --> 00:07:20,900
So you will run it.

93
00:07:21,740 --> 00:07:30,860
And after the shellcode completes running, in our case, our shellcode is going to run the Microsoft Paint program.

94
00:07:31,700 --> 00:07:34,760
So the Microsoft Paint program should open because of the shellcode.

95
00:07:35,480 --> 00:07:42,100
And then you go on to the next instructions, which are to restore the flags and then the registers.

96
00:07:42,540 --> 00:07:51,380
So to restore the flags and the registers, you just pop the values from the stack back to the registers.

97
00:07:51,740 --> 00:07:57,230
So the order of popping would be reversed from the order of pushing. Here,

98
00:07:57,230 --> 00:08:00,530
you push the registers first and then you push the flags.

99
00:08:00,860 --> 00:08:05,090
Here you restore: you pop the flags first, and then you pop the registers.

100
00:08:05,750 --> 00:08:13,760
So once you have restored the registers back to their original state, then you are ready to run your code

101
00:08:13,760 --> 00:08:15,440
which you have overwritten here.

102
00:08:16,310 --> 00:08:20,420
So whatever code got overwritten here by the jump instruction,

103
00:08:20,660 --> 00:08:26,660
you have to replace it here, so that now you will go and run that code which has been overwritten by

104
00:08:26,660 --> 00:08:27,080
the jump.
105
00:08:27,830 --> 00:08:34,190
So when it has finished executing those instructions, you're supposed to jump back to the entry point

106
00:08:34,580 --> 00:08:36,890
just after the jump to the code cave.

107
00:08:37,190 --> 00:08:45,440
So then you will continue from here, run the regular code that your regular program is supposed

108
00:08:45,440 --> 00:08:45,800
to run.

109
00:08:45,830 --> 00:08:47,750
In our case, it is the crackme.

110
00:08:48,890 --> 00:08:50,960
Now there is something else you need to take care of.

111
00:08:52,340 --> 00:08:59,480
After you have injected all of these instructions into the code cave, you also need to make sure

112
00:08:59,600 --> 00:09:04,890
that your shellcode does not cause the whole program to exit. The shellcode by

113
00:09:04,910 --> 00:09:06,890
default calls the exit instruction.

114
00:09:07,280 --> 00:09:12,830
So you need to take care of that here: to find where the exit instruction is.

115
00:09:13,380 --> 00:09:16,010
You do not want the shellcode to exit,

116
00:09:16,130 --> 00:09:18,680
so the whole program does not exit with it.

117
00:09:19,040 --> 00:09:25,730
So in order to do that, we have to find the address of the exit instruction and then come back to continue

118
00:09:25,730 --> 00:09:26,000
here.

119
00:09:26,410 --> 00:09:28,280
So that is the last thing you need to take care of.

120
00:09:29,010 --> 00:09:35,810
Now, these are the step-by-step instructions for creating a code cave Trojan. First,

121
00:09:35,890 --> 00:09:40,720
you need to use Metasploit in Kali Linux to generate shellcode.

122
00:09:41,060 --> 00:09:45,620
So in our project for Trojans, we are going to create a

123
00:09:45,620 --> 00:09:46,790
32-bit Trojan.

124
00:09:47,240 --> 00:09:49,820
That means the Trojan EXE file

125
00:09:49,820 --> 00:09:51,170
is a 32-bit program.

126
00:09:51,590 --> 00:09:54,320
We are going to use Metasploit, as we did before.
127
00:09:54,650 --> 00:10:01,850
This time to generate 32-bit shellcode, and the shellcode we are going to use is to launch Microsoft Paint,

128
00:10:01,850 --> 00:10:10,880
mspaint.exe, and this Microsoft Paint is found in the C:\Windows\System32 folder and is present in all Windows

129
00:10:10,880 --> 00:10:11,660
operating systems.

130
00:10:12,470 --> 00:10:17,030
Next, we are going to test the shellcode using our shellcode runner, which we have used before.

131
00:10:17,630 --> 00:10:24,220
And then we need to use x32dbg, the 32-bit debugger version, to identify the address of the code cave.

132
00:10:25,010 --> 00:10:31,420
Then we need to copy the first few lines of the entry point because we are going to overwrite them with a jump.

133
00:10:32,640 --> 00:10:36,980
Then we insert a jump to the code cave at the start of the entry point.

134
00:10:37,960 --> 00:10:42,550
We need to use fill with NOPs so that we know how much of the instructions we have overwritten.

135
00:10:43,540 --> 00:10:46,390
So now we note how many instructions were overwritten.

136
00:10:46,810 --> 00:10:49,030
You will need to insert them in the code cave.

137
00:10:50,560 --> 00:10:55,360
Then you need to add instructions to save the registers using pushad

138
00:10:56,290 --> 00:11:01,580
and save the flags using pushfd. After that, you will put the shellcode.

139
00:11:03,010 --> 00:11:10,090
Then after that shellcode, you put your restore of the flags using popfd and restore the registers using

140
00:11:10,090 --> 00:11:19,630
popad. Then you insert the instructions you have overwritten in the entry point with the jump instruction.

141
00:11:20,080 --> 00:11:22,330
So now you have to put them back in the code cave.

142
00:11:23,050 --> 00:11:28,450
Next, you insert a jump instruction to jump back to the beginning of the entry point, just after the jump

143
00:11:28,450 --> 00:11:29,140
to the code cave.

144
00:11:29,830 --> 00:11:32,620
The next step is to patch and save this file.
145
00:11:33,700 --> 00:11:39,640
Then you need to test and debug to see where the shellcode causes the program to exit.

146
00:11:40,420 --> 00:11:47,860
Then you need to assemble a jump to bypass the exit and instead continue on with the rest of the code cave.

147
00:11:48,550 --> 00:11:53,410
Finally, you patch and save to a final file. At this point,

148
00:11:53,470 --> 00:11:55,540
your project is complete.

149
00:11:56,680 --> 00:12:01,290
So that is all for the theoretical aspect of creating Trojans.

150
00:12:01,650 --> 00:12:03,250
I'll see you in the next video.