Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,160 --> 00:00:04,120 This is part 2 of our malware development series,  go ahead and watch part 1 first, if you haven’t 2 00:00:04,120 --> 00:00:11,200 already to get the most out of this video. Leet cipher: hey sed, what the hell you 3 00:00:11,200 --> 00:00:14,280 doin'? NOOOOOOO!!! Leet cipher: why, 4 00:00:14,280 --> 00:00:16,160 why did you do that??? Sed: I didn't know it's 5 00:00:16,160 --> 00:00:18,720 going to work the first time. Leet cipher: It did, and now 6 00:00:18,720 --> 00:00:21,787 all of my projects are gone. Sed: I'm sorry, man! 7 00:00:21,787 --> 00:00:24,200 Leet cipher: You know what,  that's it, I had enough of 8 00:00:54,520 --> 00:00:59,920 your s**t... 9 00:01:23,560 --> 00:01:26,440 Hey there passwiper77, I read a comment of yours 10 00:01:26,440 --> 00:01:30,240 on a YouTube video claiming that the  saturnians have the most advanced 11 00:01:30,240 --> 00:01:34,280 quantum forensics tools, do you know a  way with which I can reach out to them? 12 00:01:34,280 --> 00:01:38,920 Regards, Leet cipher 13 00:01:38,920 --> 00:01:41,040 Hi eet cipher, 14 00:01:41,040 --> 00:01:44,320 Please, do not email me in English,  I only understand Japanese. 15 00:01:44,320 --> 00:01:45,600 Regards, Passwiper77 16 00:01:47,640 --> 00:01:49,760 Hey there a**wiper77, 17 00:01:49,760 --> 00:02:09,018 I don't care if you understand English or not  just use Google translate you stupid motherf@$k3# 18 00:02:09,018 --> 00:02:18,960 Leet cipher: 19 00:02:18,960 --> 00:02:23,322 Hey sed, wake up, we're going to space. Sed: what is it? 20 00:02:23,322 --> 00:02:24,304 Leet cipher: we're going to space Sed: what for? 21 00:02:24,304 --> 00:02:28,760 Leet cipher: To fix your f**k up Sed: Alright, let's go! 22 00:02:30,080 --> 00:02:50,200 Hahaha, didn't know that saturnian jokes  are that funny. Alright guys thanks a 23 00:02:50,200 --> 00:02:55,480 lot for everything. Safe travels. Goodbye. Anyways, let’s start this video up and talk about 24 00:02:55,480 --> 00:03:01,200 DLLs, but before that, I just want to mention that  some of you told me that I work for the FBI or I’m 25 00:03:01,200 --> 00:03:05,280 an undercover FBI agent and all of that, well... Sed: hey leet I found your badge 26 00:03:05,280 --> 00:03:08,800 Hey, wtf...I believe, we didn’t  get the FBI’s attention so far, 27 00:03:08,800 --> 00:03:12,160 but I’m pretty sure by the end of this  series, we will be on their watchlist, 28 00:03:12,160 --> 00:03:18,240 so watch your backs. FBI OPEN UP!!! Anyways, Alright, now, first things first, 29 00:03:18,240 --> 00:03:24,800 let’s talk about DLLs, DLL is an abbreviation for  “Dynamic link library”, A DLL is like a special 30 00:03:24,800 --> 00:03:31,000 file that contains code and data that programs can  use. If you happen to work on big coding projects, 31 00:03:31,000 --> 00:03:35,680 most of the time, you’ll find yourself writing  a function or a block of code repeatedly in your 32 00:03:35,680 --> 00:03:40,800 app, and since we have to follow the “dry” or  “don’t repeat yourself” principle in programming, 33 00:03:40,800 --> 00:03:45,120 we take these functions and put them in a  separate file so whenever we need them we 34 00:03:45,120 --> 00:03:49,720 can just include them and that’s all. DLLs  work the same way, you can think of it as 35 00:03:49,720 --> 00:03:54,720 a collection of mini-programs or functions  that can be shared among larger programs. 36 00:03:54,720 --> 00:03:59,920 Also keep in mind that a DLL is also considered  a portable executable, we can confirm that by 37 00:03:59,920 --> 00:04:05,840 examining the “DOS” header in a hex editor  for both an executable such as “calc.exe” 38 00:04:05,840 --> 00:04:11,280 and a DLL file like “kernel32.dll”. We can  see that they both share the same exact 39 00:04:11,280 --> 00:04:18,000 “DOS” header. But still if we run the file  command on “calc.exe” and “kernel32.dll”, 40 00:04:18,000 --> 00:04:23,760 we can see that “clalc.exe” is identified as “GUI”  executable and “kernel32.dll” is identified as a 41 00:04:23,760 --> 00:04:28,720 DLL, but if that’s the case then how does the  operating system differentiate between the two? 42 00:04:28,720 --> 00:04:34,240 Knowing that they both share the same dos header. Well, if we load those two files in a “pe” parser 43 00:04:34,240 --> 00:04:39,200 tool like “pe bear”, we can see in the “File  Header” section, the “characteristics” member has 44 00:04:39,200 --> 00:04:45,160 an additional flag set for “kernel32.dll” which is  “File is a DLL”, so whenever the operating system 45 00:04:45,160 --> 00:04:50,160 loads a portable executable, it first checks the  “characteristics” member to determine whether 46 00:04:50,160 --> 00:04:54,880 this file is a “DLL” or a normal “executable”.  This is just a quick explanation so that you 47 00:04:54,880 --> 00:05:06,120 don’t get confused when you see a DLL file has  the same header as a portable executable file. 48 00:05:06,120 --> 00:05:10,400 From here, we will be talking about stuff  such as the windows api and the structure 49 00:05:10,400 --> 00:05:15,160 of the memory space inside running processes,  so I highly recommend that you first watch the 50 00:05:15,160 --> 00:05:20,840 previous video in which I explained these  concepts in detail and then come back here. 51 00:05:20,840 --> 00:05:25,800 Now, to understand how DLL injection works,  we first need to understand how an executable 52 00:05:25,800 --> 00:05:31,720 loads DLLs at runtime. When a process is run or  executed, the operating system dynamically links 53 00:05:31,720 --> 00:05:37,720 all the necessary DLLs that the process will need  at runtime. These DLLs contain the windows APIs 54 00:05:37,720 --> 00:05:42,240 that the process needs for its functionality. We can use a tool such as process hacker to 55 00:05:42,240 --> 00:05:46,960 confirm that by inspecting the loaded DLLs  in the memory space of a running process. 56 00:05:46,960 --> 00:05:51,280 Everything so far until here is legit  and nothing is suspicious with it. Now, 57 00:05:51,280 --> 00:05:56,800 if we want to abuse this behavior, we will have  to first create a malicious DLL and inject it 58 00:05:56,800 --> 00:06:01,880 into the memory space of the target process. But we still have a problem though, you see, 59 00:06:01,880 --> 00:06:07,080 all of these loaded DLLs, the process uses them  for its functionality and if that's the case, 60 00:06:07,080 --> 00:06:12,160 how are we supposed to execute our malicious  code that is inside this DLL, if the target 61 00:06:12,160 --> 00:06:18,000 process is not using any code at all from it? Well, there are 4 DLL callbacks that we can 62 00:06:18,000 --> 00:06:25,200 abuse to execute code. “DLL_PROCESS_ATTACH”,  “DLL_PROCESS_DETACH”, “DLL_THREAD_ATTACH” and 63 00:06:25,200 --> 00:06:30,760 “DLL_THREAD_DETACH”. These are called callbacks or  I would rather say event listeners. If you happen 64 00:06:30,760 --> 00:06:35,320 to work with an awesome programming language  such as javascript, you’re probably familiar 65 00:06:35,320 --> 00:06:41,360 with event listeners such as “onclick, onhover,  ondrag, ondrop…etc”. These event listeners listen 66 00:06:41,360 --> 00:06:46,840 for the event to occur and then execute code  accordingly. For example, we can add an “onclick” 67 00:06:46,840 --> 00:06:52,400 event listener on a certain button in a web page  which when clicked the code here is executed. 68 00:06:52,400 --> 00:06:57,720 The same thing goes for these 4 callbacks or  event listeners. The “DLL_PROCESS_ATTACH” event 69 00:06:57,720 --> 00:07:03,040 is triggered when the DLL is loaded or injected  into the memory space of a certain process, The 70 00:07:03,040 --> 00:07:08,440 “DLL_PROCESS_DETACH” event is triggered when the  DLL is unloaded or freed from the memory space of 71 00:07:08,440 --> 00:07:13,920 a certain process, The “DLL_THREAD_ATTACH” event  is triggered when a thread is created after the 72 00:07:13,920 --> 00:07:20,540 DLL is loaded. And lastly the “DLL_THREAD_DETACH”  event is triggered when a thread is terminated. 73 00:07:20,540 --> 00:07:24,640 Will go through each callback in detail  and how to execute it with code, just in 74 00:07:24,640 --> 00:07:29,520 case you didn’t understand the process here,  but before that let’s first create our DLL. 75 00:07:47,480 --> 00:07:50,520 Our quote and quote malicious  DLL here is fairly simple, 76 00:07:50,520 --> 00:07:55,280 in the “DLLMain” function which is similar  to the main function in a standard C program, 77 00:07:55,280 --> 00:07:59,720 we check which callback was invoked, and in  each of the four callbacks or event listeners 78 00:07:59,720 --> 00:08:03,840 we discussed, we call the “MessageBox”  Windows API with a different message to 79 00:08:03,840 --> 00:08:07,280 indicate which callback was triggered.  Make sure to set the compile mode to 80 00:08:07,280 --> 00:08:19,400 release and the architecture to x64, same as  our DLL injector which we will create next. 81 00:08:19,400 --> 00:08:25,080 Alright, now, similar to the previous video, we  will first inject this DLL into the memory space 82 00:08:25,080 --> 00:08:30,280 of our local process and after that, we’ll get  nerdier and inject it into the memory space of 83 00:08:30,280 --> 00:08:34,640 any running process of our choosing, sounds  good? Sounds great, alright, good, let’s do 84 00:08:34,640 --> 00:08:43,560 this. Alright, sed, bring out the code, not this  one, the other one, the other other one, the other 85 00:08:43,560 --> 00:08:53,000 other other one, there you go, well done, you can  go now, I’ll take it from here, still can see you, 86 00:08:53,000 --> 00:08:59,120 anyways, this code is fairly simple to understand,  we first include the windows header to be able to 87 00:08:59,120 --> 00:09:04,400 use WinAPI functions in our code. Again, we  talked about the windows API in detail in the 88 00:09:04,400 --> 00:09:10,520 previous video, so, please, go and watch that one  first so that you can see the bigger picture here. 89 00:09:10,520 --> 00:09:16,160 next the “stdio” header for input and output  operations. Here we have four windows APIs that 90 00:09:16,160 --> 00:09:22,680 make this local injection happen, first, we use  the “LoadLibrary” API to load our malicious DLL 91 00:09:22,680 --> 00:09:27,440 into the memory space of our process from disk. If the call succeeds, it will trigger the 92 00:09:27,440 --> 00:09:32,880 “DLL_PROCESS_ATTACH” callback which executes  our malicious code or the “MessageBox” API in 93 00:09:32,880 --> 00:09:38,240 this case. Now, to trigger the next callback  which is the “DLL_THREAD_ATTACH” we use the 94 00:09:38,240 --> 00:09:43,120 “CreateThread” API. Basically, the idea here  is that in order to trigger this callback, 95 00:09:43,120 --> 00:09:48,480 we need to create a thread that does absolutely  anything, and for that we use the “CreateThread” 96 00:09:48,480 --> 00:09:54,560 API and we pass to it a dummy function such  as this one, if this API runs successfully, 97 00:09:54,560 --> 00:10:00,600 the second “MessageBox” API will be executed.  The last two callbacks are fairly simple, 98 00:10:00,600 --> 00:10:05,960 we just need to wait till the thread terminates  and then we unload or free our malicious DLL. 99 00:10:05,960 --> 00:10:12,480 So to trigger the “DLL_THREAD_DETACH” callback,  we use the “WaitForSingleObject” API, this API 100 00:10:12,480 --> 00:10:17,880 halts the execution flow of the program until the  specified thread returns or terminates, once the 101 00:10:17,880 --> 00:10:24,320 thread terminates, the callback will be triggered  and its “MessageBox” API will run. Finally, we use 102 00:10:24,320 --> 00:10:31,080 the “FreeLibrary” API to unload our malicious  DLL and trigger the last callback. We can even 103 00:10:31,080 --> 00:10:36,800 comment out this API since the process will free  all loaded modules or DLLs when it’s about to 104 00:10:36,800 --> 00:10:41,480 terminate which will trigger this callback for  us. Now, before you run this program, make sure 105 00:10:41,480 --> 00:10:48,080 the architecture is the same as the malicious DLL  then build the solution in release mode. After the 106 00:10:48,080 --> 00:10:54,920 build is complete, run the program and give it the  full path to the malicious DLL. We can see here 107 00:10:54,920 --> 00:11:00,360 our malicious DLL is loaded and the first callback  is triggered, and we can even confirm that our 108 00:11:00,360 --> 00:11:05,360 malicious DLL is residing in the memory of our  process by inspecting the loaded modules inside 109 00:11:05,360 --> 00:11:11,560 its memory space using process hacker. Moving  on, we can see the rest of the callbacks are 110 00:11:11,560 --> 00:11:25,200 executed successfully without any issues, just,  you know, legit stuff as usual. NEXT! COME ON! 111 00:11:25,200 --> 00:11:30,080 Alright, cool, now, before we proceed to create  our DLL Injector, we need to understand the 112 00:11:30,080 --> 00:11:36,040 difference between two Windows APIs, “LoadLibrary”  and “GetModuleHandle”, both of these APIs return a 113 00:11:36,040 --> 00:11:41,440 handle to a specified module or DLL, you might  be asking now, if that’s the case that means, 114 00:11:41,440 --> 00:11:46,160 I can replace this “LoadLibrary” API with  “GetModuleHandle” and the code will still 115 00:11:46,160 --> 00:11:51,720 work just fine, right? Well, no, it’s not going to  work. What “LoadLibrary” does is that it loads a 116 00:11:51,720 --> 00:11:57,120 DLL from Disk and takes care of some stuff behind  the scenes such as resolving the Import Address 117 00:11:57,120 --> 00:12:02,800 Table, and once it’s done, it returns a handle  to the loaded DLL. “GetModuleHandle” on the other 118 00:12:02,800 --> 00:12:08,200 hand, just looks for the specified DLL in the list  of the loaded DLLs in the process memory, if the 119 00:12:08,200 --> 00:12:14,560 DLL is found, it returns a pointer to the DLL base  address, which is what we call a handle. So here, 120 00:12:14,560 --> 00:12:20,240 we used “LoadLibrary” because our malicious DLL is  loaded from disk straight to the process memory. 121 00:12:20,240 --> 00:12:25,360 This is yet not the best way to load a malicious  DLL into memory, because most of the time, all of 122 00:12:25,360 --> 00:12:30,280 these APIs are hooked and monitored by security  solutions. To get around this we would use a 123 00:12:30,280 --> 00:12:35,560 technique called “Reflective DLL” which loads a  malicious DLL straight from memory, but that’s 124 00:12:35,560 --> 00:12:41,360 a bit advanced and I don’t want to overwhelm you  with any more details. So now, Oh, crab, I forgot 125 00:12:41,360 --> 00:12:47,200 to write the code. You know what, just give me  like 5 minutes and I’ll be done, this is jus... 126 00:12:47,200 --> 00:12:50,680 Alright, this is the code that makes  the functionality for our DLL Injector. 127 00:12:50,680 --> 00:12:55,560 It takes 2 parameters, the full path to our  malicious DLL and the process id into which 128 00:12:55,560 --> 00:13:00,880 this DLL will be injected. Let’s assume that we  will inject into mspaint or microsoft paint. We 129 00:13:00,880 --> 00:13:05,560 can obtain its process id by using a tool  such as process hacker or any similar tool, 130 00:13:05,560 --> 00:13:10,120 or we can do the same thing we did in the previous  video which is to take a snapshot of all running 131 00:13:10,120 --> 00:13:15,200 processes and search for mspaint and retrieve its  process id if it’s found. I didn’t implement that 132 00:13:15,200 --> 00:13:19,680 here to reduce the complexity of the code and  only focus on the core functionality of this 133 00:13:19,680 --> 00:13:24,360 DLL Injector. But you can do this yourself as  homework, but do not copy and paste anything. 134 00:13:24,360 --> 00:13:28,800 Write the whole thing from scratch and implement  the processes enumeration functionality and pick 135 00:13:28,800 --> 00:13:33,200 another process to inject into like notepad  or something. Anyways, let’s now visualize 136 00:13:33,200 --> 00:13:38,400 what will happen in the memory when this code is  executed rather than explaining it line by line. 137 00:13:38,400 --> 00:13:43,960 So, imagine this is the memory map of microsoft  paint. First things first, we get a handle 138 00:13:43,960 --> 00:13:49,280 to this process using the “OpenProcess”  API, this api takes in three parameters: 139 00:13:49,280 --> 00:13:54,480 the desired access to process object or the  access rights we want to have over the process, 140 00:13:54,480 --> 00:13:59,120 Since we want access to all process resources,  we use the “PROCESS_ALL_ACCESS” flag. 141 00:13:59,120 --> 00:14:03,160 The second parameter takes in a boolean  value, and we set it to “TRUE” if we want 142 00:14:03,160 --> 00:14:07,000 to make the child processes created  by our process inherit this handle, 143 00:14:07,000 --> 00:14:11,720 and since we’re not going to create any, we set  it to “FALSE”. The third parameter is the process 144 00:14:11,720 --> 00:14:16,920 id which we want to access, which in our case  here will be the process id of mspaint. After 145 00:14:16,920 --> 00:14:22,240 this handle is obtained, we use it to allocate  memory using “VirtualAllocEx”, this API takes in 146 00:14:22,240 --> 00:14:27,400 5 parameters, the process handle, the base address  of the block of memory that we want to allocate, 147 00:14:27,400 --> 00:14:30,960 since we don’t know exactly where should we  allocate this block of memory, will let the 148 00:14:30,960 --> 00:14:35,040 operating system do that for us by setting this  parameter as “NULL”, the size of the memory that 149 00:14:35,040 --> 00:14:39,800 we want to allocate and it’s set to the size of  the DLL path plus one, the extra byte here is 150 00:14:39,800 --> 00:14:44,760 just for the terminating null byte of the string.  Next parameter is the allocation type. I explained 151 00:14:44,760 --> 00:14:49,480 this parameter in great detail in the previous  video if you want to see the full explanation, 152 00:14:49,480 --> 00:14:54,160 but in a nutshell, all what this parameter does  is that it tells the operating system to let us 153 00:14:54,160 --> 00:14:59,040 write to this block of memory. Last parameter is  the page permissions, since we only want to read 154 00:14:59,040 --> 00:15:03,800 and write to this block of memory, we set it to  “PAGE_READWRITE”. After our memory is allocated, 155 00:15:03,800 --> 00:15:09,480 we use “WriteProcessMemory”, this api takes in  five parameters: the handle to the “microsoft 156 00:15:09,480 --> 00:15:14,400 paint” process, a destination to write to, a  source to copy or read from, the size of the 157 00:15:14,400 --> 00:15:18,720 copied data and the “number of bytes read” if  the function succeeds, will just set that one 158 00:15:18,720 --> 00:15:23,560 to “NULL” since it’s not that important. Alright,  now, we have successfully written the full path 159 00:15:23,560 --> 00:15:29,000 of the DLL into the allocated memory inside the  “mspaint” process. What we need to do now, is to 160 00:15:29,000 --> 00:15:34,840 load the actual DLL into the memory space of this  process, and yes, you guessed right, we can do 161 00:15:34,840 --> 00:15:41,040 that by using the “LoadLibrary” API, but the real  question here, how can we force this process to 162 00:15:41,040 --> 00:15:46,520 execute “LoadLibrary” for us? Well, the answer is  pretty simple, we just need to obtain the virtual 163 00:15:46,520 --> 00:15:52,520 address of the “LoadLibrary” API inside the memory  space of the “mspaint” process. We first need to 164 00:15:52,520 --> 00:15:58,040 figure out which DLL has the “LoadLibrary” API.  From Microsoft documentation, we can see that it 165 00:15:58,040 --> 00:16:04,360 resides in the “kernel32” DLL. So now, we get a  pointer to the base address of the “kernel32” DLL 166 00:16:04,360 --> 00:16:09,240 using the “GetModuleHandle” API as we demonstrated  before, once we have the base address of this DLL, 167 00:16:09,240 --> 00:16:15,040 we need to know the exact virtual address of the  “LoadLibrary” API relative to the base address 168 00:16:15,040 --> 00:16:21,440 of the “kernel32” DLL, or in plain english, we  need to know how far is the “LoadLibrary” API 169 00:16:21,440 --> 00:16:27,000 from the beginning of the “kernel32” DLL since  it has a ton of other APIs in it. So for that, 170 00:16:27,000 --> 00:16:33,480 we use the “GetProcAddress” API, this API takes  in 2 parameters, the base address of the DLL and 171 00:16:33,480 --> 00:16:39,080 what API to look for. This API will do some magic  and return the virtual address of the specified 172 00:16:39,080 --> 00:16:43,920 API. It’s not really magic, it will just access  something called the “export directory” within 173 00:16:43,920 --> 00:16:48,560 the DLL and look up the export table to retrieve  the address of the API. But we can call it magic 174 00:16:48,560 --> 00:16:53,240 for now, just for the sake of simplicity.  You’re now might be like: wait a second, 175 00:16:53,240 --> 00:16:59,040 the virtual address returned by “GetProcAddress”  is the virtual address of the “LoadLibrary” API 176 00:16:59,040 --> 00:17:04,040 but only within the address space of our  “dll-injector” process, will this address 177 00:17:04,040 --> 00:17:09,160 (of the “LoadLibrary” API) be the same within the  address space of the “microsoft paint” process, 178 00:17:09,160 --> 00:17:14,120 since we will create a thread to run this API  within its address space? The answer is yes, 179 00:17:14,120 --> 00:17:19,080 the addresses are identical in both processes. The  reason for that is because the windows operating 180 00:17:19,080 --> 00:17:24,960 system knows that this “kernel32” file is a DLL  file. So, it just loads it somewhere in memory 181 00:17:24,960 --> 00:17:29,760 and makes it accessible by all processes that  might need it, without the need to re-allocate 182 00:17:29,760 --> 00:17:34,880 each DLL for each running process, which in  return saves much computing time and increases 183 00:17:34,880 --> 00:17:40,720 performance. We can confirm that a DLL such as  “kernel32” is loaded in the same virtual address 184 00:17:40,720 --> 00:17:46,020 by checking the loaded modules for any 2 processes  using the “process hacker” tool. So now, since we 185 00:17:46,020 --> 00:17:51,080 are certain that we have the right virtual address  of the “LoadLibrary” API, we just need to create 186 00:17:51,080 --> 00:17:55,960 a remote thread to execute this API within  the “microsoft paint” process, and for that, 187 00:17:55,960 --> 00:18:01,760 we use the “CreateRemoteThread” API, this API  takes in 7 parameters, will set all parameters 188 00:18:01,760 --> 00:18:07,200 to the default values except for 3, the process  handle, the address of the function to be run by 189 00:18:07,200 --> 00:18:11,440 the thread and the parameter that will be passed  to the function. So essentially, what is actually 190 00:18:11,440 --> 00:18:16,000 happening here is that the thread that will be  created, will execute the API in this address 191 00:18:16,000 --> 00:18:20,680 which in this case is the “LoadLibrary” API and  we pass to it the allocated memory that stores the 192 00:18:20,680 --> 00:18:26,920 full path to our DLL as a parameter. This typecast  as demonstrated before in the previous video, 193 00:18:26,920 --> 00:18:32,520 converts this address to an entry point address  or in simple words, tells the created thread 194 00:18:32,520 --> 00:18:37,200 that this address is the start of the code  that must be executed. Now, the last thing we 195 00:18:37,200 --> 00:18:42,880 need to do is to wait for the thread to finish  execution using the “WaitForSingleObject” API, 196 00:18:42,880 --> 00:18:48,120 this API takes in the handle to the thread and how  long to wait for the thread to return, we set that 197 00:18:48,120 --> 00:18:53,520 to “INFINITE” since we want to completely halt the  execution flow until the thread returns. After it 198 00:18:53,520 --> 00:18:58,024 returns, we close the handle to the process using  “CloseHandle”. After building this solution, you 199 00:18:58,024 --> 00:19:04,280 will find the executable in “x64” then “Release”.  I already went ahead and copied our malicious DLL 200 00:19:04,280 --> 00:19:09,760 in the same directory along with our DLL Injector.  Now, open a command prompt, make sure microsoft 201 00:19:09,760 --> 00:19:14,440 paint is running to obtain its process id using  “process hacker” and then run the DLL Injector and 202 00:19:14,440 --> 00:19:19,720 supply to it, the name of the DLL and the process  id. Running this, we can see the DLL callbacks 203 00:19:19,720 --> 00:19:24,760 were triggered. We can even force the program  to trigger the “DLL_THREAD_ATTACH and DETACH” 204 00:19:24,760 --> 00:19:29,640 callbacks by using any functionality in the  program that would create a thread such as opening 205 00:19:29,640 --> 00:19:35,800 a file or a new window. Finally, once the program  is terminated, our malicious DLL will be freed and 206 00:19:35,800 --> 00:19:41,120 the “DLL_PROCESS_DETACH” callback is triggered.  You can also find where exactly our DLL is loaded 207 00:19:41,120 --> 00:19:47,080 in memory by checking the modules of the “mspaint”  process using process hacker. So yeah, that 208 00:19:47,080 --> 00:19:52,800 concludes our DLL Injector, we did it, everyone. Now, As an exercise or homework for you, 209 00:19:52,800 --> 00:19:56,800 I want you to implement the whole thing from the  ground up and add to it the process enumeration 210 00:19:56,800 --> 00:20:01,800 functionality, so that when you run it, you  supply the process name instead of the process id, 211 00:20:01,800 --> 00:20:05,960 and if you get stuck, just watch the previous  video. You’ll find the code along with the 212 00:20:05,960 --> 00:20:11,000 executables in my github, link in the description  below. I also wanted to apologize for my absence 213 00:20:11,000 --> 00:20:15,920 for the past 6 to 7 months. This video should  have been up way sooner thatn that, I promise, 214 00:20:15,920 --> 00:20:20,560 there was a lot I mean a lot going on in my  life, but hopefully now things are settled, 215 00:20:20,560 --> 00:20:24,640 and I’m already working on the next video which  is going to be really on fire, so watch out for 216 00:20:24,640 --> 00:20:29,560 this one. In the previous video, I told you let’s  get to 10k and now, we’re over 30, so yeah, that’s 217 00:20:29,560 --> 00:20:33,760 really great, but you still need to subscribe  though, especially, when over 95% of you guys 218 00:20:33,760 --> 00:20:40,280 aren’t, so yeah, subscribe really really I mean  it like like you need to subscribe now, so please 219 00:20:40,280 --> 00:20:44,400 subscribe. If you made it this far,  umm thank you, I really appreciate you, 220 00:20:44,400 --> 00:20:47,600 you’re awesome, you’re my hero. If this content was beneficial to 221 00:20:47,600 --> 00:20:52,480 you in any way and learned a thing or two from  it, you can buy me a coffee and keep the show 222 00:20:52,480 --> 00:20:56,480 going. It’s only one man with his computer. Lastly, I want to thank my saturnian friends 223 00:20:56,480 --> 00:21:01,200 for restoring my projects and files. Really don’t  know what I would do without you guys. Perhaps, 224 00:21:01,200 --> 00:21:03,920 I’ll start by replacing you, Sed: me? 225 00:21:03,920 --> 00:21:08,280 yeah you, I’m getting a new assistant, maybe  someone with a higher IQ level than yours, 226 00:21:08,280 --> 00:21:12,320 or maybe, I can shoot you again now,  so that you don…wait, where’s my gun? 227 00:21:12,320 --> 00:21:58,520 sed: you’re looking for this. No, wait, no, NOOOOOOOOOOOOOOOOOOO.28859