So in this video, we will be fixing the imports for the executable. Every executable uses the functions in the DLLs, and those function addresses should be updated in the FirstThunk.

In the previous video, I forgot to say that this OriginalFirstThunk table is also called the import name table or import lookup table, simply called INT, and the table pointed to by this FirstThunk is of course an array of thunk data, but the data should be replaced by the addresses of the functions that are loaded in memory. And this is called the import address table, simply called IAT. So this one is the INT and this one is called the IAT. We now need to update this one. We need to update this one. So let's go ahead and do that.

If you go to the optional header, go to this import directory and you can read the size. If the size is greater than zero, that means there are some imports. Go to this offset and you will see this one. That is exactly this one. Here you can see, click on this name, and you can see these are the 20 bytes of IMAGE_IMPORT_DESCRIPTOR.

First we'll be resolving the names of all the DLLs that should be used by the executable. In our case, we have only one DLL that this executable is using. You can see the next 20 bytes are zero. So that means we need to loop over this.
Starting from the first import descriptor until we reach the null bytes; 20 null bytes are considered as the end of the import descriptors.

So this address plus NT header dot optional header dot import table, so this import table dot virtual address, gives you the start of this one. So what we can say is this is the first pointer to the... pointer to the first import, a pointer. So let's say this one, and we need to marshal this. So now the firstImport pointer points to this address and the value is this one. So we need to marshal this one, Marshal.PtrToStructure, firstImport pointer and the type of which structure we need to marshal it to.

So let's create a new object of this structure. Let's say this as firstImport. Now, what I can do is, I can... firstImport dot Name to string. So this will print the address, that is the offset of this DLL name. I have already removed this CreateThread. So let's go and run this one. So let's run this and we will get the value 4158, so the 4158 is this one. So 00004158.
So if you go to this 4158, you will get the actual name of the DLL. You can see kernel32.dll. So we don't know the exact size of the name. It just ends with the null byte. So what we can do is we can marshal it to the string. So Marshal.PtrToStringAnsi. This will read up to the bytes, up to the null byte, and it will convert to the string. So this name is an offset, so we need to add the base address: base address plus firstImport dot Name. So this is the address and it will marshal the string, so you can say string dllName is equal to this one. Now I can go and say print dllName. So we can actually remove this one. And here you can see that the DLL is kernel32.dll.

And this executable that you see, which is generated by Metasploit itself, has only one import DLL, and in the normal C Windows notepad.exe we have multiple DLLs. So what we're going to do is we are going to print all of them. So I have already added the path for this notepad.exe. So all I can do is, I need to loop over until this firstImport dot Name is equal to zero. So we can do that using a while loop: while firstImport dot Name is not equal to zero. And then print this.
So we are printing the DLL name. We need to move forward. So how are you going to move forward? It is using these 20 bytes. So these 20 bytes, you can see, you need to just move forward by the size of IMAGE_IMPORT_DESCRIPTOR to get to the next IMAGE_IMPORT_DESCRIPTOR. So if I move forward from this place by the 20 bytes, I will get to this place, that is this one. Now I can just simply read this address and marshal it as a string.

So the firstImport pointer, this is pointing to the first import. So what I want to do is I need to add the value of the size of this IMAGE_IMPORT_DESCRIPTOR. Now we are moving forward to the next IMAGE_IMPORT_DESCRIPTOR, that is this one, user32, that we are... Now we need to marshal this from this position to this IMAGE_IMPORT_DESCRIPTOR. So we are updating the firstImport as this next import. Now this will read again the name value. This time the name will be this one, the last... the penultimate DLL. So it is 2992C, I guess. So let's just go and execute this. And here we can see we got all the DLL names. We can also put a breakpoint and check for each and every step where this pointer is pointing.
But it's obviously clear now: we are just moving 20 bytes, 20 bytes, and reading up to where there is a null byte. So we got the DLL names. After the DLL names we need to get the function names.

If you remember, the OriginalFirstThunk, this one, the first four bytes, is pointing to the structure IMAGE_THUNK_DATA. And this is normally eight bytes. So our OriginalFirstThunk is 0x2898. So here, see here, it seems to be 2898 here. So it's the same value. And if you go to this one, you would actually go to this array of IMAGE_THUNK_DATA structures. And if you take the first eight bytes, this is pointing to the address that is pointed by the IMAGE_IMPORT_BY_NAME. So there is an IMAGE_IMPORT_BY_NAME which contains two members. So here you can see IMAGE_IMPORT_BY_NAME has two values. So let's go to this address. So it's 2938. 2938. So if you go to this, here we can see the hint, that is two bytes, and the name. We don't know the length of the name because the function names are not fixed, and the first two bytes are the hint and the next one is the function name.

So we can also import the functions using ordinals, but we'll be seeing that in the future videos. For now, let's just focus on this function.
So we need to retrieve the value at this address. So what we're going to do is we are going to get that OriginalFirstThunk. So here we have printed the name, so let's make some space. So, base address plus NT dot OptionalHeader dot ImportTable dot... sorry, firstImport dot OriginalFirstThunk. So this gives me the position at this position. Let me call this firstOriginalThunkPointer. Now we need to marshal this one as... firstOriginalThunkPointer, and we need to marshal this one as IMAGE_THUNK_DATA64. So let me call this one firstOriginalThunk. So now the first thunk has this value, that is 2938. Now, if I go and add this one to the base address, I'll get to this, this one.

So we can say IntPtr namePointer is equal to firstOriginalThunk dot Function. Now we got the name pointer at this starting one. We need to skip two bytes to get the string because the first two bytes are the hint, so we can say string functionName equals Marshal.PtrToStringAnsi of the namePointer plus two. Now we can go and print the function. And we need to loop over until the...
This one is 0, the OriginalFirstThunk. So while our OriginalFirstThunk, firstOriginalThunk dot Function, is not equal to zero. And we are going to move forward: firstOriginalThunkPointer plus equals the size of this IMAGE_THUNK_DATA, or we can just say eight bytes, Marshal.SizeOf of IMAGE_THUNK_DATA64. Now we have moved forward to this one. Now we need to marshal this one, or this one. So we are moving forward and we are again marshalling this second eight bytes as this firstOriginalThunk. I think we are good to go. So let's go and run this.

So here we can see we got all the functions for every DLL. So we can see that. And we have the same exact functions. So the last one is GetDeviceCaps. So here we can see all the function names. We can also change this to our original executable that was generated by Metasploit. And here we have two functions, which are dialogue and ExitProcess. So let's run this. And here we can see the DLL name and the two functions. Two functions.
Now what we're going to do is we are going to load this DLL into memory, so we can do that using LoadLibrary of the DLL name. So this will give you a handle, a handle to the module. So let's say IntPtr dllHandle. And after getting this DLL handle, we need to use GetProcAddress for the function. So here we have the function name. So GetProcAddress, the DLL handle and the function name. Now we will get the address of this function in memory: IntPtr functionAddress.

Now where we want to update is at this FirstThunk. So if you go to the FirstThunk, you will have the first eight bytes and we need to update that value. So we have this OriginalFirstThunk. So, firstImport, firstImport dot FirstThunk. So we have this one: base address plus the FirstThunk gives you the offset for this. So we can say firstThunkPointer. So remember the firstThunk pointer is different from this OriginalFirstThunk pointer. So that's why I have put this "original" in this, uh, first, this variable name. So we have this pointer.
And what we need to do is, we need to update here. Exactly. After getting the function address, Marshal.Copy. So the function address, uh, functionAddress dot ToInt64. So this should give you the bytes of the address. Let's call this funcBytes. Starting index, the destination is this one, firstThunkPointer, and bytes length. So we are copying that function address into this firstThunkPointer. And after copying we need to update this firstThunkPointer plus equals eight. So I think we are good to go. So we have updated everything. Let's also print the function address. And after that, let's put the breakpoint for this Marshal.Copy.

We need to print out these addresses. FirstThunk. So this is the FirstThunk. So let's put the breakpoint and run this. So the base address is this one. The FirstThunk is located at this. So we have some values here that are exactly equal to the OriginalFirstThunk. Function address.
So if I go and step into this, this function's address value should be copied here. So let's run this, and here we should see 7fff00..., so we can see the values here. So we have successfully updated these. But not so fast. So if I continue this, I will hit the same breakpoint, Marshal.Copy, because of the while loop. So if I run this, if I step into this, we should see the zero here. So the zero. So I think we are good to go.

Now, since we have fixed the imports, we can directly go and run this executable because the base relocations are zero. So we'll also be fixing the base relocations in our next video. Since for our executable it's zero, we can directly go ahead and test this one using this CreateThread. So I'm going to run the thread at this entry point. If everything is good, we should see the pop-up, and we can see the pop-up. So let's go and continue this one.

So that's all about this, uh, fixing imports, and then next we'll see about fixing base relocations. Also, it's a good thing to write this entire code in a separate function, like an injector function. So give it a function name and it takes the parameters like the raw file. And the base... so base, there's no need. So it takes the file and it's going to inject into itself.
So we'll also see those. We write one function and we copy the entire code into that. So that's all for this video, fixing the import addresses.