1 00:00:00,270 --> 00:00:02,820 So in this video we will be talking about DLL injection.
2 00:00:02,970 --> 00:00:07,470 In the previous videos we have seen how shellcode is executed in that remote process.
3 00:00:08,370 --> 00:00:13,410 And in this one we will be seeing how to inject a DLL inside another process.
4 00:00:13,950 --> 00:00:17,220 So if you have not watched my previous videos, go and watch them.
5 00:00:17,940 --> 00:00:25,680 But still, I'll be briefly explaining the functions we have written previously so that
6 00:00:25,680 --> 00:00:27,180 we can be on the same page.
7 00:00:27,480 --> 00:00:29,950 So the first function is OpenProcess.
8 00:00:29,970 --> 00:00:35,340 So this function will open the process and we will get the handle.
9 00:00:35,400 --> 00:00:38,300 So we can do some operations on that process.
10 00:00:39,450 --> 00:00:41,340 And the first one is desired access.
11 00:00:41,340 --> 00:00:46,290 So you have these access rights for the process.
12 00:00:46,710 --> 00:00:51,210 So whatever you want to do on this process is controlled by this.
13 00:00:51,480 --> 00:00:52,890 So PROCESS_ALL_ACCESS.
14 00:00:53,070 --> 00:00:54,750 So you get all access.
15 00:00:55,140 --> 00:01:00,840 And with this PROCESS_CREATE_PROCESS, you can create a new process, and new threads, and duplicate
16 00:01:00,840 --> 00:01:03,780 a handle, and you can query information, etc.
17 00:01:04,200 --> 00:01:06,660 Here we have the VM operation, VM read, VM write.
18 00:01:06,660 --> 00:01:14,220 So these three permissions are required if you want to perform operations on the virtual address space of
19 00:01:14,220 --> 00:01:15,090 the process.
20 00:01:15,330 --> 00:01:17,880 So the all access will be including these three as well.
21 00:01:20,770 --> 00:01:24,790 And the second parameter is the, uh, inherit handle; it can be false.
22 00:01:24,820 --> 00:01:31,060 We don't want an inherited handle. And the third parameter is the process ID of the process we want to
23 00:01:31,060 --> 00:01:31,900 open the handle for.
24 00:01:32,470 --> 00:01:38,080 So after getting the handle, we'll be allocating some memory using the VirtualAllocEx function.
25 00:01:39,070 --> 00:01:44,170 So this will take the process handle and the address where we want to allocate.
26 00:01:44,350 --> 00:01:45,640 So we'll be sending this.
27 00:01:45,640 --> 00:01:52,960 And now, uh, if you send null as this second parameter, that means the operating system will automatically
28 00:01:52,960 --> 00:01:56,560 decide where the free space is, let's say.
29 00:01:56,710 --> 00:02:04,060 So we are also specifying how much size of region we want to get, and that much size will be allocated
30 00:02:04,360 --> 00:02:10,300 in the free space of the process, whatever space the operating system finds.
31 00:02:11,880 --> 00:02:15,660 And the rest of the parameters are allocation type and protection. By allocation type,
32 00:02:15,660 --> 00:02:19,260 do we want to enable the on-demand paging?
33 00:02:19,260 --> 00:02:26,830 Or do we want to reserve and commit? So we'll be using the reserve and commit, and also protection.
34 00:02:26,850 --> 00:02:34,770 So this protection can be page read-write-execute, and read-only, and write-only, etc. So
35 00:02:34,770 --> 00:02:42,780 we'll be using the page read-write-execute because we want to execute that region as well.
36 00:02:47,850 --> 00:02:55,050 So after creating that memory region in the address space of
37 00:02:55,050 --> 00:03:00,360 the process, we will be writing some actual data using the function called WriteProcessMemory.
38 00:03:02,000 --> 00:03:06,320 So it will take the process handle and the base address, that is, at which address
39 00:03:06,410 --> 00:03:12,860 you want to start writing, and what you want to write, that is the byte array, and how much you want to write
40 00:03:12,980 --> 00:03:13,190 there.
41 00:03:13,910 --> 00:03:15,920 And it produces the number of bytes written.
42 00:03:16,610 --> 00:03:18,620 So if I want to write a hundred bytes,
43 00:03:18,650 --> 00:03:21,710 so that would be a variable holding 100.
44 00:03:22,580 --> 00:03:24,820 So an integer variable holding a hundred.
45 00:03:28,840 --> 00:03:34,080 So after writing the payload in the previous video, you get the idea.
46 00:03:34,750 --> 00:03:39,850 We have written the shellcode into this process,
47 00:03:40,150 --> 00:03:42,850 at some place in this memory.
48 00:03:43,150 --> 00:03:49,840 And at that address we have executed it, but not as a function.
49 00:03:50,320 --> 00:03:57,160 But in this video, what we are going to do is we are going to use a function called LoadLibrary.
50 00:03:57,400 --> 00:04:03,070 So it will load the file name, so you can see the parameter is the file name.
51 00:04:04,590 --> 00:04:06,030 And this can be the DLL.
52 00:04:06,030 --> 00:04:12,720 So we will use this to load the DLL in the target process.
53 00:04:15,580 --> 00:04:18,050 And this resides in kernel32.dll.
54 00:04:18,790 --> 00:04:27,970 So it's very convenient, because the kernel32.dll is like the most important, imported by almost all the processes, because
55 00:04:28,180 --> 00:04:33,880 this kernel32.dll contains the core functionality of any process.
56 00:04:36,360 --> 00:04:45,900 So that's why every, uh, many processes import this kernel32.dll; they automatically load it, uh,
57 00:04:47,800 --> 00:04:48,610 when they start.
58 00:04:49,450 --> 00:04:57,280 So what we need to do is we need to search for this LoadLibrary function's address in the process's
59 00:04:57,280 --> 00:05:00,730 virtual address space, so you can do that using GetProcAddress.
60 00:05:01,810 --> 00:05:06,310 So for the module, we need to get the module handle with GetModuleHandle.
61 00:05:09,500 --> 00:05:16,370 So if we are using this function GetModuleHandle, we will be getting the handle for this module, and
62 00:05:16,370 --> 00:05:20,130 this module should be loaded in the process.
63 00:05:20,900 --> 00:05:21,920 What does this.
64 00:05:39,130 --> 00:05:49,600 So then we'll be creating a new thread, after finding the, sort of, finding the address of this LoadLibrary
65 00:05:49,600 --> 00:05:50,200 function.
66 00:05:50,440 --> 00:05:52,930 And we will be passing that to this CreateRemoteThread.
67 00:05:53,140 --> 00:05:55,510 So we are basically creating a thread.
68 00:05:57,300 --> 00:05:57,990 Uh.
69 00:05:59,520 --> 00:06:05,370 That will start at the specified function. So the first one is the process handle.
70 00:06:05,400 --> 00:06:08,310 And the second one is thread attributes, which we can specify as null.
71 00:06:09,240 --> 00:06:19,150 This will be inherited from the parent process. And the stack size we can define as zero, and the start
72 00:06:19,170 --> 00:06:25,230 address is the address of the function we want to execute in this thread.
73 00:06:25,410 --> 00:06:28,620 And this is the parameter, and the creation flags.
74 00:06:28,920 --> 00:06:35,430 So whether you want to start the thread immediately after creating it, or you just want to suspend it.
75 00:06:36,570 --> 00:06:44,370 So we are starting it immediately after the creation, and the last one is the thread ID output parameter,
76 00:06:44,880 --> 00:06:47,940 so we'll be getting the thread ID stored into this variable.
77 00:06:48,690 --> 00:06:51,720 And also we get the handle to that thread.
78 00:06:52,910 --> 00:06:56,690 So I have already defined all of these functions here.
79 00:06:56,690 --> 00:07:01,130 So here you can see, uh, importing the kernel32.dll.
80 00:07:01,250 --> 00:07:03,050 And we have this OpenProcess.
81 00:07:03,470 --> 00:07:05,120 These are the access, inherit handle, and ID.
82 00:07:06,540 --> 00:07:09,660 So I have already defined this.
83 00:07:09,840 --> 00:07:16,820 So to save some time: VirtualAllocEx, you can see, WriteProcessMemory, CreateRemoteThread.
84 00:07:21,150 --> 00:07:23,820 So you can see these are the constants.
85 00:07:24,390 --> 00:07:26,400 So we are opening the process.
86 00:07:26,640 --> 00:07:27,150 Uh.
87 00:07:28,450 --> 00:07:29,680 In the desired access.
88 00:07:29,830 --> 00:07:35,380 So we need to send some flags, that is create thread, query information,
89 00:07:35,410 --> 00:07:36,740 VM operation, VM read,
90 00:07:36,780 --> 00:07:37,180 VM write.
91 00:07:38,440 --> 00:07:43,490 And the second parameter is false, and this is the argument we need to pass, the process ID.
92 00:07:44,110 --> 00:07:50,230 Our process ID is our argument; it will be placed here, so with that we have opened the process.
93 00:07:50,260 --> 00:07:52,660 Now we need to get some memory.
94 00:07:54,130 --> 00:07:57,450 So the first one is the process handle.
95 00:08:01,470 --> 00:08:03,000 And the second one.
96 00:08:04,800 --> 00:08:07,920 Is, you can put IntPtr.Zero.
97 00:08:08,220 --> 00:08:13,890 So we are telling the operating system to choose a free region of this size.
98 00:08:14,720 --> 00:08:17,640 Then we're saying, okay, how much we want to allocate.
99 00:08:17,640 --> 00:08:21,570 That is the length of the string path.
100 00:08:21,750 --> 00:08:24,930 So here you can see in my folder.
101 00:08:26,050 --> 00:08:29,440 So this is the calc DLL that I have generated using Metasploit.
102 00:08:29,830 --> 00:08:31,660 It's a simple command I was giving to it.
103 00:08:34,200 --> 00:08:38,910 The command is calc, the DLL with windows/exec for x86.
104 00:08:41,680 --> 00:08:44,700 So when it's run, it will just pop up the calculator.
105 00:08:44,920 --> 00:08:53,470 So, quite, if you right-click on this and Copy as path, we will get the path of the DLL, and I assign this
106 00:08:53,470 --> 00:09:03,780 to a variable, and this much amount of memory we want to create in the address space of the process, because
107 00:09:04,180 --> 00:09:11,580 we'll be sending this value as the parameter to the LoadLibrary function.
108 00:09:11,590 --> 00:09:13,630 So you can see the string here.
109 00:09:13,870 --> 00:09:15,850 So we need to load this module.
110 00:09:16,030 --> 00:09:24,220 And this start address points to the LoadLibrary function, and the parameter to this function goes into this parameter.
111 00:09:24,430 --> 00:09:29,650 So this LP parameter will be the path to the DLL, and the start address
112 00:09:29,650 --> 00:09:32,860 will be the pointer to this LoadLibrary.
113 00:09:33,250 --> 00:09:37,240 So this thread executes this function with this as a parameter.
114 00:09:37,300 --> 00:09:38,380 So obviously.
115 00:09:42,770 --> 00:09:44,400 And here,
116 00:09:44,420 --> 00:09:52,070 I have already converted this path to bytes using this Encoding.ASCII.
117 00:09:58,490 --> 00:10:00,650 So allocation type, we can say,
118 00:10:03,160 --> 00:10:05,650 commit and reserve.
119 00:10:07,440 --> 00:10:17,760 And our protection is page execute read-write, and the return type is the starting address of this created
120 00:10:18,210 --> 00:10:18,630 space.
121 00:10:20,870 --> 00:10:25,220 It's a starting pointer, so we have created a space.
122 00:10:25,220 --> 00:10:30,050 We need to write to that space using WriteProcessMemory.
123 00:10:33,410 --> 00:10:42,770 And the first parameter is the process handle, and the second parameter is the starting address where we want
124 00:10:42,770 --> 00:10:45,860 to write, that is the starting pointer.
125 00:10:46,520 --> 00:10:48,980 And the third one is the byte array.
126 00:10:49,430 --> 00:10:51,110 So the byte array, this is the path.
127 00:10:54,450 --> 00:10:56,070 Size, that is,
128 00:10:59,600 --> 00:11:02,390 the size of this string.
129 00:11:03,530 --> 00:11:06,020 And the last one is the output parameter.
130 00:11:06,020 --> 00:11:14,090 We can say, we can define an integer bytesReturned variable and initialize it to zero.
131 00:11:14,690 --> 00:11:17,570 Now we need to pass the reference, bytesReturned.
132 00:11:19,700 --> 00:11:27,440 So when I run this function, it will write this string to that address and we'll be getting
133 00:11:27,440 --> 00:11:27,950 the output.
134 00:11:29,070 --> 00:11:32,670 That is the bytes written to that address.
135 00:11:35,140 --> 00:11:38,980 So we can also print this as it's written.
136 00:11:47,060 --> 00:11:49,100 So after writing the.
137 00:11:55,840 --> 00:12:03,430 So I'm providing this one way to get the proc address, that is the address of this function.
138 00:12:03,940 --> 00:12:09,600 So before that, we need to get the, uh, handle of this, uh,
139 00:12:14,640 --> 00:12:16,040 kernel32.dll.
140 00:12:22,180 --> 00:12:23,650 I think I have to define it here.
141 00:12:25,370 --> 00:12:26,630 So I have defined it here.
142 00:12:27,470 --> 00:12:29,240 So let's use this.
143 00:12:35,040 --> 00:12:43,450 Here what we're going to do is we are getting the module handle of
144 00:12:44,980 --> 00:12:46,930 the kernel32.dll.
145 00:12:47,230 --> 00:12:52,000 So let's pass this kernel32.dll and put this
146 00:12:53,500 --> 00:12:56,530 handle as an IntPtr,
147 00:12:58,040 --> 00:12:59,340 moduleHandle.
148 00:13:02,110 --> 00:13:06,610 And this module handle can be passed to this GetProcAddress.
149 00:13:16,880 --> 00:13:17,960 And moduleHandle.
150 00:13:19,780 --> 00:13:23,220 And what we want to search for.
151 00:13:23,820 --> 00:13:26,340 That is the LoadLibrary.
152 00:13:29,420 --> 00:13:33,670 And also if you observe, we can see it's not, uh,
153 00:13:35,270 --> 00:13:35,690 Uh.
154 00:13:37,130 --> 00:13:39,320 And GetProcAddress is not Unicode.
155 00:13:39,560 --> 00:13:44,090 So that's why I have changed this function definition to a normal string.
156 00:13:44,090 --> 00:13:46,490 So otherwise I would be, uh,
157 00:13:46,490 --> 00:13:50,390 CharSet and the long pointer Unicode string.
158 00:13:50,450 --> 00:13:52,220 So I have got some errors.
159 00:13:52,490 --> 00:13:59,990 So that's why, then, after, uh, uh, searching in Google, I came to know this function does not support Unicode.
160 00:14:02,050 --> 00:14:06,010 So the return type is, uh, the function address.
161 00:14:08,790 --> 00:14:10,110 Function address.
162 00:14:12,770 --> 00:14:15,780 So we have the function address; we can pass that to CreateRemoteThread.
163 00:14:16,610 --> 00:14:18,160 So let's go and create the remote thread.
164 00:14:20,880 --> 00:14:23,520 And the first one is the process handle.
165 00:14:28,590 --> 00:14:30,510 And the second one can be zero.
166 00:14:33,260 --> 00:14:34,910 And stack size zero.
167 00:14:36,000 --> 00:14:37,380 And the starting address.
168 00:14:37,650 --> 00:14:39,420 So that is the function address.
169 00:14:46,520 --> 00:14:54,290 And then the parameter, the parameter to this function which gets executed at this address, that
170 00:14:54,290 --> 00:14:58,670 is the LoadLibrary here, and the parameter is our starting pointer.
171 00:14:58,970 --> 00:15:01,460 So we have written the path
172 00:15:02,450 --> 00:15:04,220 at this starting pointer address.
173 00:15:07,670 --> 00:15:09,410 And the next one is creation flags.
174 00:15:09,410 --> 00:15:16,880 It can be zero, and then the thread ID, so we can see what the thread ID is.
175 00:15:33,110 --> 00:15:34,670 So I print this thread ID.
176 00:15:42,010 --> 00:15:43,190 And then print this
177 00:15:43,660 --> 00:15:44,590 thread handle.
178 00:15:52,860 --> 00:15:55,800 So we can print out the thread ID.
179 00:16:00,980 --> 00:16:02,390 So I think our function
180 00:16:07,440 --> 00:16:08,340 is successful.
181 00:16:26,380 --> 00:16:26,650 Okay.
182 00:16:26,830 --> 00:16:28,990 So I think we are good to go.
183 00:16:29,200 --> 00:16:34,760 So remember, uh, you can just change to 64,
184 00:16:34,780 --> 00:16:35,420 whichever it is.
185 00:16:44,290 --> 00:16:46,450 And we do send the
186 00:16:49,030 --> 00:16:50,670 process ID as the argument.
187 00:16:50,670 --> 00:16:53,800 So let's open this Task Manager application.
188 00:17:04,030 --> 00:17:06,440 Because I need the process ID of it.
189 00:17:06,460 --> 00:17:13,900 So the PowerShell is 18640.
190 00:17:14,920 --> 00:17:22,870 And if you run this, we should see the calculator, and we can see the calculator, and we can also see
191 00:17:22,870 --> 00:17:23,320 the bytes
192 00:17:23,320 --> 00:17:26,080 written, 82, and the thread ID.
193 00:17:27,640 --> 00:17:30,430 So this is how you do DLL injection.
194 00:17:30,550 --> 00:17:37,120 You can also write the DLL for this, target a process, and inject into that
195 00:17:37,120 --> 00:17:37,660 process.