1
00:00:00,440 --> 00:00:03,830
So in this video, we'll be seeing how to bypass the AMSI.

2
00:00:04,010 --> 00:00:07,960
So AMSI stands for Anti-Malware Scan Interface.

3
00:00:07,970 --> 00:00:10,160
So this is the DLL.

4
00:00:10,160 --> 00:00:13,190
And in this DLL we have these functions.

5
00:00:13,970 --> 00:00:20,030
I opened this DLL in PE-bear and here you can see in the export section, you can see all of these

6
00:00:20,030 --> 00:00:20,780
functions.

7
00:00:21,050 --> 00:00:23,930
And one important function is AmsiScanBuffer.

8
00:00:23,930 --> 00:00:29,630
So what this function does is it will scan the input for any malicious strings.

9
00:00:29,630 --> 00:00:34,010
If there are any malicious strings, then it is going to block it.

10
00:00:34,010 --> 00:00:38,210
AMSI will be working with the Windows Defender and this.

11
00:00:42,020 --> 00:00:49,820
You can see this function's results will be evaluated by Defender, not only Defender: if you have

12
00:00:49,820 --> 00:00:50,780
any other antivirus,

13
00:00:50,780 --> 00:00:53,240
then that antivirus can also work with this.

14
00:00:54,740 --> 00:00:59,210
So the Windows Defender is on and if I type in Invoke-

15
00:01:00,690 --> 00:01:01,920
Mimikatz,

16
00:01:03,240 --> 00:01:08,820
then you can see the script contains malicious content and has been blocked by your antivirus software,

17
00:01:08,820 --> 00:01:09,790
that is Defender.

18
00:01:09,810 --> 00:01:19,020
So what we are going to do in this video is we'll be patching this AmsiScanBuffer so we make this function

19
00:01:19,020 --> 00:01:22,500
return true so that the Windows Defender continues.

20
00:01:24,810 --> 00:01:27,690
It will not detect the string as a malicious one.

21
00:01:29,550 --> 00:01:32,740
And you can also use some obfuscation techniques, as you can see.

22
00:01:33,360 --> 00:01:36,720
So here, if I type in Invoke-Mimikatz.

23
00:01:43,830 --> 00:01:46,860
And this Windows Defender is updated.
24
00:01:46,860 --> 00:01:48,180
And here you can see.

25
00:02:09,430 --> 00:02:14,800
And here you can see these obfuscations are also getting detected by the latest Windows Defender.

26
00:02:18,230 --> 00:02:20,420
So we are going to patch this.

27
00:02:24,390 --> 00:02:26,700
But this AMSI, this AmsiScanBuffer function.

28
00:02:26,700 --> 00:02:32,990
So whenever this DLL is loaded, so the DLL is loaded in this PowerShell, and we need to find the base

29
00:02:33,000 --> 00:02:33,540
address.

30
00:02:33,540 --> 00:02:41,550
And if you find the base address of the DLL residing in that process, you can calculate the function

31
00:02:41,820 --> 00:02:49,770
address, you can calculate the exports and you can find the function in that DLL and you can just

32
00:02:49,770 --> 00:02:52,740
modify it with the return value one.

33
00:02:54,570 --> 00:02:58,110
So in this video, we'll be walking through the code I have written.

34
00:02:59,390 --> 00:03:00,770
Took me like one day.

35
00:03:00,780 --> 00:03:02,730
So let's get started.

36
00:03:02,730 --> 00:03:09,900
It is somewhat rough code, and if you have watched my previous videos, like parsing exports

37
00:03:09,900 --> 00:03:15,180
and parsing PE, then it should be good; if you did not watch,

38
00:03:15,180 --> 00:03:19,920
I highly recommend watching those videos. So the file.

39
00:03:20,430 --> 00:03:22,800
So this program takes arguments.

40
00:03:22,800 --> 00:03:27,090
One is the process ID and the DLL name and the function name you want to patch.

41
00:03:28,230 --> 00:03:36,330
So after that we are going to retrieve the DLL base address using this CreateToolhelp32Snapshot.

42
00:03:36,330 --> 00:03:45,090
So it will take the snapshot of the process at the current time and we will be enumerating the first

43
00:03:45,090 --> 00:03:50,670
module and then we will be using this Module32Next
44
00:03:51,520 --> 00:04:00,280
to enumerate the modules, and if the name is equal to the one we have given in the command line argument,

45
00:04:00,550 --> 00:04:07,540
then we are going to set found in modules, that is the full path of the DLL and the DLL base address

46
00:04:07,540 --> 00:04:09,130
and the size of the image.

47
00:04:09,130 --> 00:04:14,050
So the size of the image is SizeOfImage from the optional header.

48
00:04:17,650 --> 00:04:19,450
And then we got the base address.

49
00:04:19,450 --> 00:04:24,220
So we know where that DLL is residing, and from there onwards

50
00:04:24,220 --> 00:04:26,290
you can start parsing this PE file.

51
00:04:27,350 --> 00:04:29,270
And you can see OpenProcess.

52
00:04:29,510 --> 00:04:37,820
This is our access, so you can filter the access permissions like read, write, query information,

53
00:04:37,820 --> 00:04:44,640
etc. So for demonstration purposes, let's give this full access and pass in the process ID.

54
00:04:44,690 --> 00:04:53,380
So we got the handle to the process and we have the DLL base address, so we can read out memory.

55
00:04:54,320 --> 00:04:57,800
You can read out the memory from that address.

56
00:04:57,830 --> 00:05:04,510
Like if you read the starting 64 bytes, that is going to be the DOS stub.

57
00:05:04,520 --> 00:05:06,230
You can see the stub here.

58
00:05:06,590 --> 00:05:09,080
And this, this is e_lfanew.

59
00:05:09,080 --> 00:05:14,810
If you go to this offset, you will go to the PE NT headers.

60
00:05:14,810 --> 00:05:19,940
So like that you can read the process memory using ReadProcessMemory.

61
00:05:20,210 --> 00:05:27,770
So ReadProcessMemory: the process handle to the process and the DLL remote base address, and you

62
00:05:27,770 --> 00:05:31,730
create a new byte array that is the size of IMAGE_DOS_HEADER.
63
00:05:31,910 --> 00:05:41,840
So the offset is the starting one and we are going to read the 64 bytes from that memory into this buffer

64
00:05:41,840 --> 00:05:47,840
byte by byte, buffer DOS, and we are going to use the function called BytesToStructure.

65
00:05:47,840 --> 00:05:49,790
So this is a generic type.

66
00:05:49,790 --> 00:05:50,900
So it will.

67
00:05:54,610 --> 00:06:01,780
So what we're doing is we are allocating some memory in our own process space for these bytes, and then

68
00:06:01,780 --> 00:06:05,950
we are going to convert that structure pointer into the structure.

69
00:06:05,950 --> 00:06:13,090
So whatever memory residing at that, whatever data residing at that pointer, will be converted to the

70
00:06:13,090 --> 00:06:14,320
structure of that

71
00:06:14,340 --> 00:06:16,450
type. So that is the dynamic type.

72
00:06:16,450 --> 00:06:23,140
If you pass IMAGE_DOS_HEADER to this, it will convert into IMAGE_DOS_HEADER; if you pass an integer, it will convert

73
00:06:23,140 --> 00:06:23,780
into integer.

74
00:06:23,890 --> 00:06:27,040
So that is the advantage of generics.

75
00:06:27,460 --> 00:06:31,240
We can get the dynamic return type.

76
00:06:32,740 --> 00:06:37,900
In the same way we are going to process the next four bytes, that is the signature.

77
00:06:37,900 --> 00:06:40,730
So the remote base address plus e_lfanew.

78
00:06:40,750 --> 00:06:47,740
So if I go to this 100000, so if I go to F0.

79
00:06:48,700 --> 00:06:55,810
So this you can see, uh, 5045, that is, that stands for PE.

80
00:06:56,600 --> 00:06:57,770
And then you can.

81
00:06:59,980 --> 00:07:02,800
You can go and you can write these checks.

82
00:07:02,800 --> 00:07:06,250
If this is not PE, then you can return that

83
00:07:06,550 --> 00:07:07,580
this is not PE.

84
00:07:07,600 --> 00:07:14,320
So our next one is we are going to parse this file header, that is 20 bytes, I guess.
85
00:07:16,980 --> 00:07:21,510
And same, and the offset will be changing: e_lfanew plus four.

86
00:07:21,840 --> 00:07:27,960
So this plus four is the signature, and then you get the file header, and the next one is we are going to

87
00:07:27,960 --> 00:07:29,310
parse the optional header.

88
00:07:29,880 --> 00:07:30,840
So this one.

89
00:07:33,820 --> 00:07:36,250
Optional header, and in this optional header.

90
00:07:36,250 --> 00:07:41,140
If you look at the export address, here you can see four zero.

91
00:07:41,140 --> 00:07:48,460
So at this offset from the base address, you will have this IMAGE_EXPORT_DIRECTORY.

92
00:07:49,790 --> 00:07:52,020
I made the export directory again.

93
00:07:52,050 --> 00:07:56,390
So here you can see this is the export.

94
00:07:58,610 --> 00:08:01,850
So here you can see now we've got the optional header and

95
00:08:03,820 --> 00:08:05,200
we are going to

96
00:08:08,130 --> 00:08:12,900
convert this one into IMAGE_EXPORT_DIRECTORY.

97
00:08:13,290 --> 00:08:14,730
So if you go to the.

98
00:08:19,140 --> 00:08:23,490
So these are the characteristics and this is the name, amsi.dll.

99
00:08:23,550 --> 00:08:25,890
You can see here if you go to this address.

100
00:08:28,790 --> 00:08:30,050
So you can go to the offset.

101
00:08:30,050 --> 00:08:32,470
You can see the amsi.dll.

102
00:08:33,910 --> 00:08:35,080
So go to.

103
00:08:37,350 --> 00:08:39,750
E56 here.

104
00:08:40,380 --> 00:08:44,310
Now you can see the amsi.dll.

105
00:08:45,510 --> 00:08:47,430
So that is the offset, this one.

106
00:08:50,450 --> 00:08:54,450
So I have written another function, that is ReadProcessMemoryString.

107
00:08:54,710 --> 00:08:58,850
So what this, what this does is if you do the.

108
00:09:02,190 --> 00:09:08,640
So if you give a base address, or if I give this address here, then it will start reading

109
00:09:08,640 --> 00:09:12,810
byte by byte until it faces the null byte.
110
00:09:12,840 --> 00:09:18,180
If it reads the null, then that means the string has been terminated.

111
00:09:18,180 --> 00:09:26,880
So it will read the 'a', then 'm', 's', 'i', and if it faces the null byte, then it will return.

112
00:09:26,880 --> 00:09:33,360
So this is a very convenient process to read the string from the remote process.

113
00:09:34,710 --> 00:09:40,650
So you can see I have also set this limit to 50 because

114
00:09:43,540 --> 00:09:44,590
I think no more.

115
00:09:44,950 --> 00:09:53,530
Not only the function name cannot be more than 50; it can be more than 50, but normally it's just the limit.

116
00:09:54,010 --> 00:10:00,400
So we are reading byte by byte, and if it's comparing with the zero, then we are getting that first

117
00:10:00,400 --> 00:10:01,850
thing and returning that string.

118
00:10:04,290 --> 00:10:07,470
So that is what this function does for the remote process.

119
00:10:07,470 --> 00:10:12,030
If it's in the local process, we can use the Marshal dot

120
00:10:13,710 --> 00:10:15,720
PtrToStringAnsi.

121
00:10:17,820 --> 00:10:18,720
So.

122
00:10:21,660 --> 00:10:23,350
And we are parsing the exports.

123
00:10:23,370 --> 00:10:28,080
Now, our exports structure contains all of this information.

124
00:10:29,960 --> 00:10:35,120
Now we are going to read the export directory, so you can just

125
00:10:36,450 --> 00:10:38,750
ReadProcessMemory at that

126
00:10:40,250 --> 00:10:41,870
exports RVA offset.

127
00:10:43,460 --> 00:10:46,160
Now we are going to parse these exports.

128
00:10:46,160 --> 00:10:50,330
So this, this is the number of functions and number of names.

129
00:10:50,380 --> 00:10:55,880
So that means there are no other functions that are exported by ordinal only.
130
00:10:57,390 --> 00:11:06,900
So if I go to AddressOfNames, if I go to this address, here you can see these values; if you parse

131
00:11:06,900 --> 00:11:10,260
these four bytes, you'll get the value E573.

132
00:11:10,470 --> 00:11:13,590
So if I go to, uh, E573,

133
00:11:14,270 --> 00:11:14,870
I'll get,

134
00:11:14,870 --> 00:11:16,760
actually, I'll get the name

135
00:11:17,670 --> 00:11:19,410
AmsiCloseSession.

136
00:11:22,060 --> 00:11:26,740
And if I go to the next four bytes, that is five, eight, four,

137
00:11:29,770 --> 00:11:31,240
I'll get the next function.

138
00:11:31,240 --> 00:11:33,160
That is AmsiInitialize.

139
00:11:33,640 --> 00:11:40,210
So like that we are going to loop over this one, so we can call this one the name pointer.

140
00:11:40,210 --> 00:11:48,100
So this one is called Export Address Table and this one is called Export Name Table and this one is

141
00:11:48,100 --> 00:11:50,170
called Export Ordinal Table.

142
00:11:50,290 --> 00:11:57,670
So I have created three pointers which are just adding the base address plus this value, base address

143
00:11:57,670 --> 00:12:00,100
plus this value, and the base address plus this value.

144
00:12:01,990 --> 00:12:06,130
So these are the three pointers: EAT, ENT and the ordinal pointer.

145
00:12:06,160 --> 00:12:09,310
Now we can just print out these addresses.

146
00:12:10,760 --> 00:12:15,830
Now, what we're going to do is we are going to loop over all these names and we are going to find out

147
00:12:15,830 --> 00:12:19,370
which function we have given in the command argument.

148
00:12:20,420 --> 00:12:24,650
So we are going to read this memory: ENT pointer plus i into 4.

149
00:12:24,650 --> 00:12:26,690
So i into 4 is for the looping.

150
00:12:26,690 --> 00:12:33,860
So we want to loop four bytes each time, and we are converting this into the string.
151
00:12:34,310 --> 00:12:38,510
So here you can see we are using again this read memory string.

152
00:12:39,770 --> 00:12:42,410
And then onwards we are going to.

153
00:12:43,960 --> 00:12:53,230
So if I found this one, you can see if I want to find the address of this function,

154
00:12:53,230 --> 00:12:54,550
AmsiCloseSession.

155
00:12:57,970 --> 00:12:59,680
So this is the first element.

156
00:12:59,860 --> 00:13:01,360
So this is the first element.

157
00:13:01,360 --> 00:13:06,960
And you see the first element in the AddressOfNameOrdinals, that is zero zero.

158
00:13:06,970 --> 00:13:10,780
So you go to that index in this AddressOfFunctions.

159
00:13:10,870 --> 00:13:14,910
So here the value is zero, a WORD, two bytes.

160
00:13:14,920 --> 00:13:17,320
And if you go to the zero at this

161
00:13:19,810 --> 00:13:21,250
AddressOfFunctions,

162
00:13:21,250 --> 00:13:25,510
here you can see 2520 is the actual address of that function.

163
00:13:25,510 --> 00:13:28,110
So here you can see that is being parsed by the PE-

164
00:13:28,120 --> 00:13:28,380
bear.

165
00:13:31,660 --> 00:13:35,680
So it's the same; the same applies to the AmsiScanBuffer.

166
00:13:35,680 --> 00:13:40,900
So the AmsiScanBuffer is the fourth element in this AddressOfNames.

167
00:13:40,900 --> 00:13:44,590
And if you look at the fourth element in the AddressOfNameOrdinals.

168
00:13:46,390 --> 00:13:49,100
One, two, three and four.

169
00:13:49,120 --> 00:13:52,420
So the third one, so zero-three index.

170
00:13:52,420 --> 00:13:55,840
So if you go to the AddressOfFunctions: zero.

171
00:13:57,230 --> 00:13:57,890
One.

172
00:14:00,710 --> 00:14:03,220
Two and three.

173
00:14:03,230 --> 00:14:04,850
So it will be

174
00:14:11,340 --> 00:14:14,030
2540, 2540.

175
00:14:14,040 --> 00:14:15,690
So here you can see 2540.

176
00:14:15,840 --> 00:14:18,990
So this will be the address of that function.
177
00:14:18,990 --> 00:14:22,050
So that is what we are going to parse here.

178
00:14:24,210 --> 00:14:31,620
The process memory read is a WORD pointer, so we will be stepping by two here, because the index takes only

179
00:14:32,070 --> 00:14:33,770
two bytes, a WORD.

180
00:14:34,650 --> 00:14:37,710
And then we are reading the process memory at that location.

181
00:14:37,710 --> 00:14:46,080
At that index, you can see current WORD into 4 for that index, and we will get the address in this address

182
00:14:46,620 --> 00:14:53,850
byte array, and then we are going to write this opcode.

183
00:14:53,880 --> 00:14:57,660
So this is actually mov eax, 1 and ret.

184
00:15:03,670 --> 00:15:04,810
So you can.

185
00:15:07,910 --> 00:15:08,960
So mov

186
00:15:10,250 --> 00:15:10,880
eax,

187
00:15:10,880 --> 00:15:11,960
comma 1, ret.

188
00:15:11,960 --> 00:15:16,990
So what is the function in assembly?

189
00:15:17,000 --> 00:15:18,470
We take the.

190
00:15:20,260 --> 00:15:20,640
Yeah.

191
00:15:20,860 --> 00:15:24,520
And eax is used as the function return value.

192
00:15:24,550 --> 00:15:32,440
If the function returns one, then Defender will not have anything; there are no malicious things.

193
00:15:32,440 --> 00:15:35,710
So click on assemble and you can copy this.

194
00:15:35,980 --> 00:15:37,960
So that is the same array.

195
00:15:38,350 --> 00:15:41,320
And then we are writing at that function.

196
00:15:42,660 --> 00:15:48,060
So we got the function address, that is 2450, and we are going to overwrite these bytes.

197
00:15:50,280 --> 00:15:54,780
We are also changing the VirtualProtect so that we can write.

198
00:15:55,540 --> 00:16:01,090
And finally, we are writing those bytes into that function.

199
00:16:02,640 --> 00:16:10,320
And after that we are reading at that function address to verify if our payload is successfully written

200
00:16:10,320 --> 00:16:10,710
or not.
201
00:16:11,250 --> 00:16:12,750
So that is what we are doing.

202
00:16:12,750 --> 00:16:13,320
So.

203
00:16:14,370 --> 00:16:18,990
So the function bytes can be like this, so assume these are the function bytes.

204
00:16:18,990 --> 00:16:21,120
So we are just

205
00:16:22,800 --> 00:16:29,010
replacing some of the bytes with the mov eax, 1 and ret.

206
00:16:29,010 --> 00:16:35,550
So whenever this function gets executed, one will be copied into our eax register and it will

207
00:16:35,550 --> 00:16:36,420
directly return.

208
00:16:36,420 --> 00:16:38,220
So these bytes are just

209
00:16:41,610 --> 00:16:43,530
empty ones that do nothing.

210
00:16:43,530 --> 00:16:46,590
So you can also assume like this one.

211
00:16:46,860 --> 00:16:50,970
So here you can see if the arguments' length is not equal to three,

212
00:16:50,970 --> 00:16:55,350
I'm directly exiting, so you can compare that to this one.

213
00:16:57,110 --> 00:16:57,410
So.

214
00:16:57,410 --> 00:16:59,780
All right, so let's go and.

215
00:17:02,840 --> 00:17:05,030
So let's Invoke-Mimikatz.

216
00:17:05,030 --> 00:17:08,060
And it's now just getting hit by Defender.

217
00:17:19,440 --> 00:17:21,530
So, the process ID and

218
00:17:29,140 --> 00:17:30,310
and the DLL name,

219
00:17:30,310 --> 00:17:35,500
amsi.dll, and AmsiScanBuffer.

220
00:17:37,100 --> 00:17:38,780
Now we are going to hit enter.

221
00:17:38,780 --> 00:17:44,630
And here you can see the found in modules and see the DLL, and the base address is this one.

222
00:17:46,170 --> 00:17:54,750
And so the Image Export Address Table, Export Name Table, Export Ordinal Table, and the function contains index

223
00:17:54,750 --> 00:17:54,940
three.

224
00:17:54,960 --> 00:17:55,950
So we,

225
00:17:57,570 --> 00:18:03,900
just like we have parsed manually, are operating at this one and with the payload.
226
00:18:03,900 --> 00:18:11,520
So this is the mov eax, 1 and ret, and after writing we have read from that function address and

227
00:18:11,520 --> 00:18:12,780
we got the same bytes.

228
00:18:12,960 --> 00:18:15,540
So that means our function has been patched.

229
00:18:15,570 --> 00:18:24,690
Now, if I go and Invoke-Mimikatz, here we can see we can successfully, uh, fool this Defender

230
00:18:24,690 --> 00:18:27,120
to think that this is not a malicious string.

231
00:18:28,770 --> 00:18:35,880
So that's how you bypass this AMSI by patching the function in memory.