1 00:00:01,230 --> 00:00:06,450 So in this video we'll be seeing how to obfuscate the function names that we use in the program.
2 00:00:06,750 --> 00:00:10,560 So what we're going to do is we're going to use some random names.
3 00:00:11,600 --> 00:00:15,950 But still we should get the code execution from the function.
4 00:00:16,880 --> 00:00:19,670 So we're going to execute the same function with a different name.
5 00:00:20,990 --> 00:00:23,200 We can build that using P/Invoke.
6 00:00:23,210 --> 00:00:25,040 So we have already seen P/Invoke.
7 00:00:25,460 --> 00:00:28,400 So there are other function pointers where we can execute.
8 00:00:29,090 --> 00:00:31,310 A chain of functions, or one function as well.
9 00:00:31,730 --> 00:00:38,150 So we are going to execute the MessageBox function without using the actual string "MessageBox".
10 00:00:38,780 --> 00:00:47,120 Because in the static malware analysis, the malware analyst will see the PE imports.
11 00:00:47,120 --> 00:00:52,370 Then he can get an idea of what functions your executable is using.
12 00:00:53,570 --> 00:01:01,400 Then he can analyze that it's malware and it's connecting to some address and sending the data using
13 00:01:01,400 --> 00:01:02,870 these function names.
14 00:01:04,130 --> 00:01:07,490 So what we're going to do is we're going to declare a delegate.
15 00:01:07,760 --> 00:01:15,920 So it's a public delegate with the same function signature as the MessageBox.
16 00:01:16,850 --> 00:01:23,150 So when you declare it, let's say the name is Messenger.
17 00:01:24,680 --> 00:01:26,510 You can name it whatever you want.
18 00:01:26,810 --> 00:01:30,350 So the first one is the window handle.
19 00:01:30,710 --> 00:01:32,300 So it's just the normal one.
20 00:01:35,190 --> 00:01:37,530 And the second one is the text.
21 00:01:42,960 --> 00:01:48,570 We can use MarshalAs on the value, so we can set the parameter.
22 00:01:50,310 --> 00:01:53,820 MarshalAs UnmanagedType.
23 00:01:59,770 --> 00:02:03,010 LPWStr, a long pointer to a Unicode string.
24 00:02:05,040 --> 00:02:06,830 string text.
25 00:02:09,210 --> 00:02:11,160 And copy the same.
26 00:02:13,400 --> 00:02:15,680 And rename this to caption.
27 00:02:16,280 --> 00:02:23,390 And the last one is the type of the message box we want to create, whether it contains an OK button,
28 00:02:23,390 --> 00:02:29,660 yes or no, cancel, etc. So that should be one parameter for the type of this message box.
29 00:02:30,440 --> 00:02:37,130 So we have one function signature that matches exactly the MessageBox.
30 00:02:37,670 --> 00:02:44,090 So what we're going to do is we are going to find the address of this MessageBox function in our process.
31 00:02:44,660 --> 00:02:50,720 When we run the process, automatically it will import some basic DLLs and their functions.
32 00:02:50,720 --> 00:03:00,170 So we're going to search in that address space for these functions, so you call GetModuleHandle.
33 00:03:00,290 --> 00:03:01,640 So we are going to bring this in.
34 00:03:06,050 --> 00:03:08,270 So let me just put this.
35 00:03:15,200 --> 00:03:17,600 The return type is the handle to the module.
36 00:03:17,600 --> 00:03:18,110 So.
37 00:03:26,190 --> 00:03:30,420 And we should get the handle of the DLL.
38 00:03:30,420 --> 00:03:32,250 And we need to pass that handle to this.
39 00:03:32,310 --> 00:03:33,420 GetProcAddress.
40 00:03:45,870 --> 00:03:47,430 So the first one is the handle.
41 00:03:48,780 --> 00:03:53,310 Actually, the pointer to the handle, which you get from GetModuleHandle.
42 00:03:57,710 --> 00:04:01,870 And the second one is actually the function name.
43 00:04:02,090 --> 00:04:04,310 So it can be just a string.
44 00:04:05,280 --> 00:04:06,070 Function name.
45 00:04:14,230 --> 00:04:20,710 So let's go and GetModuleHandle of kernel32.
46 00:04:21,460 --> 00:04:30,490 Sorry, that is user32, because MessageBoxW is in there.
47 00:04:30,630 --> 00:04:34,630 If the DLL is not imported by default, you can load that.
48 00:04:34,630 --> 00:04:41,290 We're using the LoadLibrary function. So we want to get the address of
49 00:04:43,810 --> 00:04:45,370 user32, the user32 address.
50 00:04:48,090 --> 00:04:50,070 And we need to pass this address to this.
51 00:04:50,700 --> 00:04:52,560 GetProcAddress.
52 00:04:55,490 --> 00:05:01,400 user32 address, and search for the function name MessageBoxW.
53 00:05:02,910 --> 00:05:05,460 And we'll get the address of this.
54 00:05:06,610 --> 00:05:08,730 Function, stored in the function address.
55 00:05:08,890 --> 00:05:10,930 So it corresponds to the function.
56 00:05:12,250 --> 00:05:16,220 And what we need to do is we need to marshal this to the delegate.
57 00:05:16,240 --> 00:05:25,210 So we have this Marshal.GetDelegateForFunctionPointer.
58 00:05:25,720 --> 00:05:27,430 So we need to pass the function pointer.
59 00:05:28,090 --> 00:05:31,020 The function address, comma.
60 00:05:33,150 --> 00:05:34,720 Which type of delegate you want.
61 00:05:34,990 --> 00:05:40,480 I want to get the delegate for this Messenger, so cast it with this.
62 00:05:41,770 --> 00:05:43,000 And the result goes in the.
63 00:05:46,550 --> 00:05:49,820 So Messenger, and we cast it to Messenger.
64 00:05:50,840 --> 00:05:57,140 Now we can just call this function, but we need to pass the parameters, because the MessageBox function's
65 00:05:57,140 --> 00:05:59,510 signature contains parameters.
66 00:05:59,690 --> 00:06:01,400 So the first parameter is null.
67 00:06:03,480 --> 00:06:14,280 And the second one is the actual text, "Hello World", and the caption of the message box, and it's "Testing".
68 00:06:14,490 --> 00:06:17,550 And the last one is the type.
69 00:06:17,550 --> 00:06:20,250 The message box type, we give it zero.
70 00:06:24,980 --> 00:06:27,860 So now we can actually run this one.
71 00:06:35,020 --> 00:06:46,540 And now we can see we've got the message box, and we can see we executed the MessageBox function without
72 00:06:46,540 --> 00:06:50,560 actually having that string "MessageBox" in this function.
73 00:06:51,310 --> 00:07:00,070 So like this, you can execute, you can obfuscate the function and execute those functions without
74 00:07:00,070 --> 00:07:02,500 having the actual name in this function.
75 00:07:03,070 --> 00:07:04,720 So with the help of P/Invoke.