00:00:02,879 --> 00:01:14,939
Hey hackers, Blue Cosmo here. Today I'm going to show you guys how Trojan viruses actually work, how to build one, and all that really cool stuff. It's going to be pretty low level, so hopefully you guys have some sort of experience with it, but I'll try to make it as beginner friendly as I can. Today I'm going to show you guys how Trojan viruses work, right? The Trojan virus, if you guys aren't familiar with Trojan viruses, is basically a piece of malware embedded within another normal file. We have this normal .exe that we made last episode; in the previous video we actually did a whole deep dive on portable executables and how they work, so you guys can understand how .exe files work as well as how .dll files work. I definitely suggest you check that video out if you're new. So a Trojan virus is just a piece of malware embedded within another normal executable: if we were to execute this, it would also execute some malicious code in the background, so it didn't look like it was malware, it looked like it was part of the normal executable it's attached to, which is a pretty cool concept. It's named after the Trojan Horse, obviously, and the method that I'll show you guys in this video is a pretty cool and somewhat unique method.
00:01:13,619 --> 00:02:21,660
So I'll go ahead and open up the text editor and I'll just drop in the .exe that we made in the last video. Now, in the last video I kind of talked about code caves. If you don't know what a code cave is, I'll just scroll all the way down to the bottom of the file and boom, there is this cave of null bytes. These are just zeros that go straight down; if you scroll up for a little bit they go up for quite a bit, right? You can see I can highlight this down, and there are quite a lot of zeros here. So what we can do is actually load malicious bytes into this code cave. You guys can see there are plenty of normal bytes here that are part of the normal program, but who's to say that we can't put our own malicious stuff in here? And the great thing about this too is that it doesn't make the file any bigger or smaller, because we're just replacing bytes that already exist with malicious code. So it's gonna be great, it's gonna be awesome. One thing we have to note, though, is we can't just directly change these bytes in here and expect it to work, because that's not how it works. In fact, let me show you how it does work.
00:02:19,379 --> 00:03:13,800
So I'm going to go ahead and make a little diagram just to help out with understanding the structure. We'll make this white, we'll get a little line going here, there you go, nice. Cool, so this is what our PE file structure looks like, PE file, right? In your PE file we have the code and then we have the code cave. I'll just put "cave" down here because it's a good understanding, and what this code cave is going to do is nothing, actually. What this PE file does is just go straight down the file, just like that. So it runs, it executes pretty much top to bottom. There are going to be jumps that go up and down and all this other stuff, but for the most part it's reading the instructions, each line, and just going down the file until the file is finished with its execution. You can kind of think about it like that.

00:03:12,000 --> 00:04:53,820
I'll go ahead and copy this and make another version right here, and this is going to be our Trojan, so I'll go ahead and call this the Trojan. With the Trojan virus we don't go top to bottom; in fact, this cave is actually going to be our shellcode, and the shellcode is the malicious code that we're going to put in that code cave. So we'll call it shellcode: that is the malicious code that we put in the code cave, it's like our payload. I'll show you guys how to make some shortly. But just to kind of help you guys understand: when the Trojan virus executes it's going to start from the top, but instead of going down the code it's actually going to skip out and go straight to our shellcode. So our shellcode gets executed before the actual code of the program. From there we can go and lead ourselves back up to the beginning of the file, and then lastly have our code execute as normal to the bottom. And that is how the Trojan works compared to the PE file: it's the same file, we're just manipulating it. The code is still there; this code right here and this code right here are the same code. This is the same file, but we're going to manipulate the empty space within this file, put malware in it that we call shellcode, and skip to the top of the file and execute it. So that's how our Trojan is going to work. Now, Trojans are a very vast form of malware. This is how the one I'm showing you is going to work, but obviously it's going to work differently for different files, different methods, different attack procedures, whatever.
00:04:49,979 --> 00:06:13,020
We'll go into my Linux terminal. You guys should probably have like a Kali Linux system or, I don't know, Parrot OS; that's what I'm using, Parrot OS. I'm going to go ahead and write msfconsole. msfconsole is the Metasploit Framework console; it is an amazing exploitation tool created by Rapid7, so you guys can totally take their stuff and play around with it. Let's go ahead and create our shellcode. So what we're going to do is use payload/windows/exec, and this is going to allow us to create our shellcode for the Windows operating system. Now, this is going to create 32-bit shellcode, and we're going to be working with 32-bit in this video; however, if you guys want to create 64-bit shellcode you can just put x64 in front of that exec and boom, you have 64-bit shellcode. We're going to be using 32-bit stuff for this entire video because 32-bit is just a little bit more popular and a little bit easier to work with, but again, you guys can totally use 64-bit stuff. But, quick warning: because we are using 32-bit stuff, all of our other work that we're going to have to do is 32-bit. The executable we manipulate, the executable we compile, whatever, has to be 32-bit as well, to go with our 32-bit shellcode. Cool, so keep that in mind as we go forward.

00:06:10,979 --> 00:07:33,840
We can show what options we have, and you can see there are two options, command and an exit function. The command is whatever malware we want to execute on the system, so we'll set the command to calc.exe. calc.exe is just the system calculator: if I open up a PowerShell and I type in calc.exe you'll see the calculator pop up. So this is a good way to let us know that our code is working, because if we can execute calc.exe then we can execute whatever we want, so that's a good kind of proof of concept to help us out. I kind of neglected to say this in the beginning of the video, but, you know, don't do this unethically. Do this in your own lab, do this in a cool way to learn how malware works and how to build your own stuff. Anyway, the exit function is basically how the exit technique of the shellcode is going to work; we're just going to use thread because it's easy to work with, especially within our shellcode. Nice, so thread, awesome. That should be it. You can go ahead and generate the raw format, we'll do raw, and we'll call this calc.bin. Cool, so you can do ls to see your calc.bin file right there, and we can exit.
00:07:29,940 --> 00:08:47,820
So if we do xxd on our calc.bin you can see a good overview of what the actual shellcode looks like: you can see the offsets going down the left column, the hexadecimal code in the middle column, and the ASCII representation in the far right column. You can also see calc.exe right here, and this is basically saying, hey, all these bytes are going to prepare our system to execute calc.exe. So yeah, that's basically the structure of our shellcode, and these are the bytes; these bytes are what we have to load into the system. So go ahead and load your shellcode into your system. I already have mine waiting for me right here, basic Trojan, calc.bin right there. Cool, actually let's go ahead and load calc.bin into here because we're actually going to need it in our hex editor. Something super, super important that a lot of people forget with shellcode, when building or working with shellcode, is this null byte right here. This null byte, the 00, indicates the end of our shellcode, and if we forget this our shellcode will not work, so make sure that we do not forget that null byte right there. That's more of a reminder to myself than to you guys.
00:08:45,180 --> 00:10:40,200
So we actually don't really have an executable we can work with, so let's go ahead and make one. I'm going to use the x86 Native Tools Command Prompt. This command prompt comes pre-installed with Visual Studio, so if you guys get Visual Studio you guys will get this x86 Native Tools Command Prompt; this is the 32-bit version, which is why I'm using it. So if we go ahead into our file explorer, I'll go ahead and just copy that path, cd, and paste into that directory. We can go ahead and open up this directory in Visual Studio Code. All right, so go ahead and echo nothing into a main.c program, and this is what we're going to go ahead and get started working on in this video. Our executable that we're going to create today is going to be a very simple message box. I think message boxes are just easy for beginners to understand, easy to work with, easy for proof of concepts and all that. So to make our message box, all we have to do is include the windows.h header file; we can do a pragma for the user32 DLL. All right, so let's go ahead and make our main function, we'll do int main(void) in here, and then we will go ahead and have our opening curly braces. Then we'll just create our message box right here. Our message box's first parameter is NULL, our second parameter is the message, so I'll just do "subscribe" with a smiley face, and then we'll go ahead and do "Cosmodium CS" as the title, and then we'll go ahead and do an MB icon. This time we'll do MB_ICONEXCLAMATION; I think last video we did MB_ICONERROR. Then MB_OK, to have the button be the OK button.

00:10:38,880 --> 00:11:18,720
Real quick, if you guys haven't seen the previous video I really, really, really suggest you do, especially if you guys are beginners. In that video we talked about portable executables, so .exes, .dlls, and it gives you guys a really good understanding of how this stuff works. So if you guys are new to this stuff I really, really suggest you guys check out that video; I'll link it in the cards and whatever. But this should be it. This is a very basic C program and it's just going to create our message box. So I'll go ahead and execute this, compile it, and we should see... there you go: Cosmodium CS, subscribe, the exclamation icon and the OK button.
00:11:15,959 --> 00:12:13,800
Let's go ahead and make a Trojan out of this very basic main.exe. So if we open it up in our hex editor and scroll all the way down, you guys can see the code cave that is in this file. Now that we have a file we can work with that has an empty code cave, we can actually go ahead and start working with this file. Now again, we can't just drop our shellcode in there; we need to make sure we work with it properly. Therefore we are going to be working with everybody's favorite, assembly. Cool, so I can actually close this, since we won't need a lot of this stuff anymore. Yeah, so let's go ahead and get started. I'm going to open up x32dbg. I have the executable on my system, x32, there you go. x32dbg is just a very basic debugger; it's an amazing debugger, I definitely suggest you guys try it out.
00:12:11,220 --> 00:14:06,120
Go ahead, hit that File button and attach our main.exe to this program. Right here we can see the CPU view of the actual .exe executable that got loaded. If we go ahead and run it, you guys can see it hits the entry point. Now this is important, because the entry point is kind of the beginning of where the executable actually starts running. If I run through this, it hits that "subscribe", we can hit OK, and then the program closes; the program exits because the program finished its execution. So we can go ahead and hit restart, go to the entry point, and what we're going to want to do is start taking notes. I will use Visual Studio Code for this; actually, I think I kind of like the way Visual Studio Code looks when we work with these files. The first thing we're going to have to do is save the entry point address of our code. So if we go back to our debugger, I'll go ahead and copy through these lines. You don't have to copy this many, just copy a few and save them into your little log, just keep note of everything. The next step we're going to get is the code cave, so we need to get the address of the code cave. Okay, so what we can do is scroll down, and again you guys can see all these null bytes at the end of the file. It's just like looking at it in the hex editor, but instead it's in a different format with actual addresses and some other information. You guys can see right here is kind of where the code cave starts, we have all these zeros here, so we'll just rely on this area right here. So I'll hit Ctrl+C, copy that address, and then we'll save it to the code cave. So now we have the actual entry point information right here and the code cave information right here.
00:14:03,480 --> 00:15:04,800
We can go ahead and do the first part of the code. So I'll go ahead and restart and run, so we're at the entry point of the code. This is the first thing that executes, so instead of having this do whatever the heck it's doing, we want to change this to have it jump to our shellcode, or to our code. So we'll hit the space bar; that should allow you to edit that line. We'll do JMP for jump, space, and then you want to get the address of our code cave, so we'll go ahead and copy this address right here and, whoops, paste it in right there. Make sure you select those NOPs and XEDParse; that will just make sure everything works okay, and then hit OK. So we can close this now, close, and you'll see now the entry point, instead of doing what it used to do, jumps to our hex address right here. If we double click on that jump, it takes you straight down to the code cave, so now we're actually at the code cave where we can work.

00:15:02,699 --> 00:16:35,160
So now we're gonna have to start pushing some of these registers, and I know you guys are pretty new to some of this stuff, so we're going to have to do a pushad and a pushfd. Now I know you guys are new, so I'll kind of help you guys understand what we're looking at. The pushad assembly instruction pushes all the general registers onto the stack, so things like EAX, ECX, EDX, EBX, all that other stuff right here; this stuff is what it's going to be pushing onto the stack. This way we can actually save the registers at that current time, so that we can pull them back down later and have the code execute as it's supposed to. So that's what our pushad is going to do: it's going to get all the general registers. And if we get our pushfd, this is going to do the same thing, but it's just going to do the EFLAGS. Again, I'll leave these links in the description for you guys, but ultimately just do research if you guys hear me talking about stuff, just build up your skill set, your knowledge, because I can't teach everything all in one video. But yeah, so what we want to do is do that pushad and pushfd. So we'll go ahead and space, pushad, and then pushfd, and that should be it. So we can close up for now, and now you can see we're doing pushad and pushfd, pushing those registers and flags onto the stack so we can pull them down later and have our code continue as normal with all the appropriate registers and flags.
440
00:16:33,180 --> 00:16:37,560
so now that we've saved the register
441
00:16:35,160 --> 00:16:39,959
save the flags we can actually start to
442
00:16:37,560 --> 00:16:41,639
execute our show code as anticipated
443
00:16:39,959 --> 00:16:44,880
right so you can go in your hex editor
444
00:16:41,639 --> 00:16:47,339
go on your calc.bin and then we can go
445
00:16:44,880 --> 00:16:49,620
ahead and highlight our Shell Code right
446
00:16:47,339 --> 00:16:51,360
here so I'll go ahead hit Ctrl c a bunch
447
00:16:49,620 --> 00:16:52,500
of times or you can just hit copy like
448
00:16:51,360 --> 00:16:54,660
that right
449
00:16:52,500 --> 00:16:57,120
um go back to the debugger and then
450
00:16:54,660 --> 00:16:58,740
select the line right under push FD and
451
00:16:57,120 --> 00:17:00,300
then just shift down and I'm just going
452
00:16:58,740 --> 00:17:01,980
to go down just for a little bit I'm
453
00:17:00,300 --> 00:17:03,720
just going to kind of estimate your
454
00:17:01,980 --> 00:17:05,640
guesstimate obviously you wouldn't want
455
00:17:03,720 --> 00:17:07,860
to calculate this realistically speaking
456
00:17:05,640 --> 00:17:09,720
but I'm sure you guys are pretty new and
457
00:17:07,860 --> 00:17:11,100
don't want to throw stuff into a
458
00:17:09,720 --> 00:17:12,600
calculator right
459
00:17:11,100 --> 00:17:15,000
um so in order to open this just hit
460
00:17:12,600 --> 00:17:16,799
Ctrl E and we can edit the
461
00:17:15,000 --> 00:17:19,740
hexadecimal code and then you can just
462
00:17:16,799 --> 00:17:22,319
Ctrl V into the hex section right here
463
00:17:19,740 --> 00:17:24,799
and it will actually add the Shell Code
464
00:17:22,319 --> 00:17:29,100
from your
465
00:17:24,799 --> 00:17:30,540
calc.bin into the actual main
466
00:17:29,100 --> 00:17:32,700
executable that we're working with right
467
00:17:30,540 --> 00:17:35,220
so I'll go ahead okay and if we scroll
468
00:17:32,700 --> 00:17:39,240
up you can see right after our pushad
469
00:17:35,220 --> 00:17:41,760
and pushfd is our actual hex code right
470
00:17:39,240 --> 00:17:43,919
you can see the uh shell code being
471
00:17:41,760 --> 00:17:46,559
executed right after our pushfd here
472
00:17:43,919 --> 00:17:48,539
and it is just being executed throughout
473
00:17:46,559 --> 00:17:51,299
the rest of the program and eventually
474
00:17:48,539 --> 00:17:53,640
we hit this null byte now leave this
475
00:17:51,299 --> 00:17:56,280
null byte here remember how this null
476
00:17:53,640 --> 00:17:58,440
byte is indicating the end of this
477
00:17:56,280 --> 00:18:00,600
executable leave that null byte there
478
00:17:58,440 --> 00:18:03,120
leave that there so that way the program
479
00:18:00,600 --> 00:18:05,100
knows when the end of the Shell Code
480
00:18:03,120 --> 00:18:07,320
actually exists so we're going to leave
481
00:18:05,100 --> 00:18:09,480
this line blank keep it all zeros and
482
00:18:07,320 --> 00:18:12,000
start working back on this line so in
483
00:18:09,480 --> 00:18:15,360
order to do this we'll do a popfd
484
00:18:12,000 --> 00:18:17,039
and then popad right because we want
485
00:18:15,360 --> 00:18:19,020
to do it first of all in the reverse
486
00:18:17,039 --> 00:18:22,140
order and again pop if you guys don't
487
00:18:19,020 --> 00:18:25,260
know uh what pop is
488
00:18:22,140 --> 00:18:28,020
um I'll go ahead and open it popfd
489
00:18:25,260 --> 00:18:30,840
popad right the popfd is going to restore
490
00:18:28,020 --> 00:18:32,520
those flags and then the popad is going
491
00:18:30,840 --> 00:18:35,760
to restore those General registers
492
00:18:32,520 --> 00:18:36,840
remember the EDI ESI EB all these other
493
00:18:35,760 --> 00:18:38,880
registers
494
00:18:36,840 --> 00:18:40,679
um we're just restoring them back and
495
00:18:38,880 --> 00:18:41,820
then the popfd is doing the same so
496
00:18:40,679 --> 00:18:43,980
that way
497
00:18:41,820 --> 00:18:47,100
um our program can actually continue to
498
00:18:43,980 --> 00:18:48,360
execute with its original registers and
499
00:18:47,100 --> 00:18:50,100
its original Flags right because
500
00:18:48,360 --> 00:18:52,380
basically we can just put those onto the
501
00:18:50,100 --> 00:18:53,700
stack let the stack hold on to them do
502
00:18:52,380 --> 00:18:55,679
whatever we need to do
503
00:18:53,700 --> 00:18:57,480
with our Shell Code and then pull those
504
00:18:55,679 --> 00:18:59,220
back down so now that we've pulled them
505
00:18:57,480 --> 00:19:01,500
back down right we need to actually
506
00:18:59,220 --> 00:19:03,000
execute the original program otherwise
507
00:19:01,500 --> 00:19:04,260
this wouldn't be a Trojan right this
508
00:19:03,000 --> 00:19:06,720
would just be
509
00:19:04,260 --> 00:19:09,299
um shitty malware right so we want to
510
00:19:06,720 --> 00:19:11,580
actually execute the original program so
511
00:19:09,299 --> 00:19:13,980
we can go back this line right here is
512
00:19:11,580 --> 00:19:16,559
the line replace we replaced this line
513
00:19:13,980 --> 00:19:18,840
at the entry point with the jump to the
514
00:19:16,559 --> 00:19:22,200
code cave right this line used to jump to
515
00:19:18,840 --> 00:19:24,179
our code cave but it no longer is the
516
00:19:22,200 --> 00:19:28,679
original code it used to be so what we
517
00:19:24,179 --> 00:19:30,720
can do is just highlight the original uh
518
00:19:28,679 --> 00:19:33,960
code that the entry point was supposed
519
00:19:30,720 --> 00:19:35,520
to execute and have it execute after our
520
00:19:33,960 --> 00:19:38,280
Shell Code has been run so we can hit
521
00:19:35,520 --> 00:19:39,840
space and then uh paste that line into
522
00:19:38,280 --> 00:19:42,120
there obviously it won't work so you'll
523
00:19:39,840 --> 00:19:45,120
have to delete those carets and then
524
00:19:42,120 --> 00:19:47,340
delete that uh main dot stuff in front
525
00:19:45,120 --> 00:19:49,740
of it just so that way it's exactly the
526
00:19:47,340 --> 00:19:52,380
same of how it used to be so we can hit
527
00:19:49,740 --> 00:19:54,780
OK and then now it will reformat itself
528
00:19:52,380 --> 00:19:59,039
back to the main._mainCRTStartup
529
00:19:54,780 --> 00:20:01,320
uh command right cool so
530
00:19:59,039 --> 00:20:03,419
now that that's done we have one more
531
00:20:01,320 --> 00:20:05,940
job we need to do right so basically
532
00:20:03,419 --> 00:20:07,919
what we've done so far is um we've
533
00:20:05,940 --> 00:20:10,260
replaced our entry point to jump to our
534
00:20:07,919 --> 00:20:12,660
code cave and then our code cave is now
535
00:20:10,260 --> 00:20:14,400
executing shell code now that we
536
00:20:12,660 --> 00:20:16,200
finished executing your shell code and
537
00:20:14,400 --> 00:20:18,419
we ran the original command that the
538
00:20:16,200 --> 00:20:22,500
entry point was supposed to execute we
539
00:20:18,419 --> 00:20:24,240
can have our code cave jump back to the
540
00:20:22,500 --> 00:20:27,000
second address and then it can just
541
00:20:24,240 --> 00:20:28,980
continue execution as normal going down
542
00:20:27,000 --> 00:20:30,960
the rest of the program so all we need
543
00:20:28,980 --> 00:20:33,299
to do is just jump back to this address
544
00:20:30,960 --> 00:20:36,059
right here so that way the program can
545
00:20:33,299 --> 00:20:39,120
continue to execute as normal right so
546
00:20:36,059 --> 00:20:42,059
we'll go ahead and hit space JMP
547
00:20:39,120 --> 00:20:44,940
and paste in the address right here hit
548
00:20:42,059 --> 00:20:46,559
OK and that should be it right so that's
549
00:20:44,940 --> 00:20:48,120
part one right because we're not done
550
00:20:46,559 --> 00:20:50,220
yet because this
551
00:20:48,120 --> 00:20:53,100
um some there's a bug that we have here
552
00:20:50,220 --> 00:20:55,140
that I will disclose in a little bit
553
00:20:53,100 --> 00:20:57,059
if we go ahead and look at this jump
554
00:20:55,140 --> 00:20:58,860
right here this last jump if I double
555
00:20:57,059 --> 00:21:00,480
click on it it will take us right under
556
00:20:58,860 --> 00:21:01,919
the entry point if I scroll up you'll
557
00:21:00,480 --> 00:21:03,660
see we are right under the entry point
558
00:21:01,919 --> 00:21:05,400
which is perfect right so what's going
559
00:21:03,660 --> 00:21:07,620
to happen with the code is that it's
560
00:21:05,400 --> 00:21:09,299
going to execute hit our entry point of
561
00:21:07,620 --> 00:21:10,860
the program if we double click it's
562
00:21:09,299 --> 00:21:13,919
going to jump down it's going to do our
563
00:21:10,860 --> 00:21:16,020
pushad pushfd execute our shell code
564
00:21:13,919 --> 00:21:19,200
and then it's going to have the null
565
00:21:16,020 --> 00:21:21,419
byte to indicate that the end of the
566
00:21:19,200 --> 00:21:22,919
um shell codes has executed then we're
567
00:21:21,419 --> 00:21:25,799
going to restore
568
00:21:22,919 --> 00:21:27,780
um those flags and registers execute the
569
00:21:25,799 --> 00:21:29,640
original code of the entry point and
570
00:21:27,780 --> 00:21:32,100
then we're going to jump back up as if
571
00:21:29,640 --> 00:21:33,659
it never happened to the rest of the
572
00:21:32,100 --> 00:21:34,799
execution of the program right it's
573
00:21:33,659 --> 00:21:35,760
going to go here and it's going to go
574
00:21:34,799 --> 00:21:37,919
here and it's going to continue
575
00:21:35,760 --> 00:21:39,780
executing down
576
00:21:37,919 --> 00:21:41,880
there's a little Band-Aid icon right
577
00:21:39,780 --> 00:21:43,380
here we can click on that and then this
578
00:21:41,880 --> 00:21:45,240
is going to allow us to patch our file
579
00:21:43,380 --> 00:21:46,200
right so we can go ahead and hit patch
580
00:21:45,240 --> 00:21:51,140
file
581
00:21:46,200 --> 00:21:53,520
and then we'll call this uh main
582
00:21:51,140 --> 00:21:56,640
patched.exe right
583
00:21:53,520 --> 00:21:58,559
cool so this file will not work right if
584
00:21:56,640 --> 00:21:59,940
we if we run it it might open up the
585
00:21:58,559 --> 00:22:02,580
calculator
586
00:21:59,940 --> 00:22:04,500
um but it won't actually execute
587
00:22:02,580 --> 00:22:06,299
um the program right you see it opens a
588
00:22:04,500 --> 00:22:08,340
calculator which is good but it didn't
589
00:22:06,299 --> 00:22:10,620
execute the original code right and
590
00:22:08,340 --> 00:22:14,100
that's because somewhere in this code
591
00:22:10,620 --> 00:22:16,200
our shell code is exiting right so it's
592
00:22:14,100 --> 00:22:17,520
exiting the program right and I'll kind
593
00:22:16,200 --> 00:22:20,460
of show you guys this right so if we
594
00:22:17,520 --> 00:22:22,200
open up our patched executable let's go
595
00:22:20,460 --> 00:22:24,059
ahead and run it and we hit the entry
596
00:22:22,200 --> 00:22:26,220
point and then we'll hit the entry point
597
00:22:24,059 --> 00:22:29,220
run it again
598
00:22:26,220 --> 00:22:31,140
and you see how it just exits right you
599
00:22:29,220 --> 00:22:33,299
see how it just exits the code because
600
00:22:31,140 --> 00:22:35,760
it just hit termination what's happening
601
00:22:33,299 --> 00:22:38,820
is our shell code is exiting the program
602
00:22:35,760 --> 00:22:40,980
before the normal code can continue so
603
00:22:38,820 --> 00:22:42,299
what we need to do is go to our entry
604
00:22:40,980 --> 00:22:44,580
point
605
00:22:42,299 --> 00:22:46,080
um and I guess step into that
606
00:22:44,580 --> 00:22:47,039
instruction right so when you step into
607
00:22:46,080 --> 00:22:49,799
it
608
00:22:47,039 --> 00:22:51,600
um we'll hit our pushad and pushfd
609
00:22:49,799 --> 00:22:54,120
um and what we're going to do is we can
610
00:22:51,600 --> 00:22:55,500
flag uh a lot of or add breakpoints
611
00:22:54,120 --> 00:22:58,440
to a lot of these calls right
612
00:22:55,500 --> 00:23:00,720
just hit F2 on these calls and it'll
613
00:22:58,440 --> 00:23:01,740
allow you to break point them if you
614
00:23:00,720 --> 00:23:03,480
need to
615
00:23:01,740 --> 00:23:06,000
um I already know the call that's going
616
00:23:03,480 --> 00:23:08,460
to stop its execution is likely this
617
00:23:06,000 --> 00:23:11,460
last call uh right here so I'll go ahead
618
00:23:08,460 --> 00:23:13,559
hit this call and this call right here
619
00:23:11,460 --> 00:23:16,679
but again if you guys want to you guys
620
00:23:13,559 --> 00:23:18,900
can breakpoint all of these uh calls to
621
00:23:16,679 --> 00:23:20,580
see if it's being executed properly or
622
00:23:18,900 --> 00:23:22,080
not right the breakpoints are basically
623
00:23:20,580 --> 00:23:23,880
going to break the execution of the code
624
00:23:22,080 --> 00:23:25,799
for a little bit halted stuff where you
625
00:23:23,880 --> 00:23:27,000
can inspect what's going on
626
00:23:25,799 --> 00:23:28,200
um but yeah let's go ahead and restart
627
00:23:27,000 --> 00:23:30,120
the program
628
00:23:28,200 --> 00:23:32,880
right if I run it we'll hit the entry
629
00:23:30,120 --> 00:23:35,640
point I hit run again and we hit into
630
00:23:32,880 --> 00:23:37,080
the uh first break point right you can
631
00:23:35,640 --> 00:23:38,760
see the code is still executing so
632
00:23:37,080 --> 00:23:40,799
there's nothing to worry about uh that
633
00:23:38,760 --> 00:23:42,840
we can hit the run again and you can see
634
00:23:40,799 --> 00:23:45,360
it executed the calculator so this call
635
00:23:42,840 --> 00:23:47,940
right here up until this point it
636
00:23:45,360 --> 00:23:50,700
executes our shell code but as soon as I
637
00:23:47,940 --> 00:23:52,740
hit run again it'll hit this call and I
638
00:23:50,700 --> 00:23:54,240
hit run one more time and it exits the
639
00:23:52,740 --> 00:23:57,059
program right it didn't it was never
640
00:23:54,240 --> 00:23:59,179
able to continue and jump back up and
641
00:23:57,059 --> 00:24:01,440
all the other stuff because the code
642
00:23:59,179 --> 00:24:02,580
exited all right so now we're at the
643
00:24:01,440 --> 00:24:04,380
point where we kind of have an
644
00:24:02,580 --> 00:24:05,820
understanding of what's going on but now
645
00:24:04,380 --> 00:24:07,260
we're doing all these pushes and stuff
646
00:24:05,820 --> 00:24:08,760
with registers that we don't want to
647
00:24:07,260 --> 00:24:10,559
happen because this is the last call
648
00:24:08,760 --> 00:24:12,720
that is made and this executes the
649
00:24:10,559 --> 00:24:13,860
shell code we know it executes at this
650
00:24:12,720 --> 00:24:15,900
point so we don't have to worry about
651
00:24:13,860 --> 00:24:17,400
the rest of the execution here from this
652
00:24:15,900 --> 00:24:19,080
point on right so we're going to go to
653
00:24:17,400 --> 00:24:22,500
this push zero and we're going to
654
00:24:19,080 --> 00:24:24,900
replace this push zero with a jump to the
655
00:24:22,500 --> 00:24:27,659
uh popfd address right so I'll go ahead
656
00:24:24,900 --> 00:24:29,460
and copy this popfd address and I'll
657
00:24:27,659 --> 00:24:31,500
paste it right here just so we can
658
00:24:29,460 --> 00:24:34,860
quickly access it right I'll copy this
659
00:24:31,500 --> 00:24:38,760
popfd address and if we go on to this
660
00:24:34,860 --> 00:24:41,820
push zero hit space and then JMP into
661
00:24:38,760 --> 00:24:43,740
that address okay and close so what's
662
00:24:41,820 --> 00:24:45,720
going to happen here is that it's going
663
00:24:43,740 --> 00:24:47,820
to prevent that push from happening and
664
00:24:45,720 --> 00:24:51,179
messing up with any of the actual exit
665
00:24:47,820 --> 00:24:53,460
calls of the Shell Code because at this
666
00:24:51,179 --> 00:24:55,860
call right here our Shell Code executes
667
00:24:53,460 --> 00:24:58,380
right so now we just needed to do
668
00:24:55,860 --> 00:24:59,640
restore those flags and registers and
669
00:24:58,380 --> 00:25:01,500
call it a day in fact if we double
670
00:24:59,640 --> 00:25:04,679
click on this jump you'll see it takes
671
00:25:01,500 --> 00:25:06,900
us to the popfd then the popad it runs
672
00:25:04,679 --> 00:25:09,360
the original entry point code and jumps
673
00:25:06,900 --> 00:25:11,580
back up as if nothing ever happened and
674
00:25:09,360 --> 00:25:14,159
continues execution which is great so
675
00:25:11,580 --> 00:25:17,039
let's go ahead and Patch this and then
676
00:25:14,159 --> 00:25:21,780
patch file and then we'll call this Main
677
00:25:17,039 --> 00:25:21,780
and then we'll call this trojan.exe
678
00:25:22,320 --> 00:25:28,500
cool so now if we go to our file
679
00:25:25,559 --> 00:25:30,659
explorer and we run our main.exe you'll
680
00:25:28,500 --> 00:25:34,740
notice this is just the normal subscribe
681
00:25:30,659 --> 00:25:36,960
but if we run this thing and run the uh
682
00:25:34,740 --> 00:25:39,720
Main trojan.exe
683
00:25:36,960 --> 00:25:42,419
you'll notice it not only runs the
684
00:25:39,720 --> 00:25:44,220
message box but it now also runs that
685
00:25:42,419 --> 00:25:46,020
calculator
686
00:25:44,220 --> 00:25:48,120
I'll go ahead and close this and let's
687
00:25:46,020 --> 00:25:50,039
go ahead and try it again but we'll do
688
00:25:48,120 --> 00:25:52,460
it on a different executable right so
689
00:25:50,039 --> 00:25:55,140
let's go ahead if I go into a toolbox
690
00:25:52,460 --> 00:25:59,159
tools this is Sysinternals Suite if you guys
691
00:25:55,140 --> 00:26:01,740
don't have the uh Sysinternals Suite uh
692
00:25:59,159 --> 00:26:03,659
you guys can just go ahead Sysinternals
693
00:26:01,740 --> 00:26:05,400
Suite is an amazing suite by the way I
694
00:26:03,659 --> 00:26:07,679
just say download it has a lot of Cool
695
00:26:05,400 --> 00:26:09,480
Tools helpful for malware analysis and
696
00:26:07,679 --> 00:26:10,980
stuff I'll probably leave this in the
697
00:26:09,480 --> 00:26:12,779
description but the Sysinternals
698
00:26:10,980 --> 00:26:15,059
Suite just has a bunch of random
699
00:26:12,779 --> 00:26:16,380
uh executables that we can play with and
700
00:26:15,059 --> 00:26:18,779
if I scroll all the way to the bottom
701
00:26:16,380 --> 00:26:20,760
you'll see a ZoomIt.exe you can double
702
00:26:18,779 --> 00:26:22,799
click it and it'll open up this little
703
00:26:20,760 --> 00:26:25,320
thing that just helps you zoom in on
704
00:26:22,799 --> 00:26:27,600
stuff it's a very basic uh program but
705
00:26:25,320 --> 00:26:29,580
it's an actual executable and I want to
706
00:26:27,600 --> 00:26:33,179
see if we can you know make this
707
00:26:29,580 --> 00:26:35,159
executable a Trojan uh virus so what
708
00:26:33,179 --> 00:26:37,679
I'll go ahead and do is copy this one
709
00:26:35,159 --> 00:26:41,580
the reason I'm choosing ZoomIt.exe and
710
00:26:37,679 --> 00:26:43,860
not ZoomIt64.exe is because this one is
711
00:26:41,580 --> 00:26:46,380
32-bit right so if I go ahead and open
712
00:26:43,860 --> 00:26:49,260
up PE Studio or something we can drag
713
00:26:46,380 --> 00:26:51,600
and drop our ZoomIt.exe into PE Studio and
714
00:26:49,260 --> 00:26:54,480
we can see that it says right here is
715
00:26:51,600 --> 00:26:56,760
32-bit so I'm going to go ahead and copy
716
00:26:54,480 --> 00:26:59,520
this executable and I'll go into
717
00:26:56,760 --> 00:27:01,919
development our basic Trojan and paste
718
00:26:59,520 --> 00:27:03,720
the ZoomIt.exe in here just so we can have
719
00:27:01,919 --> 00:27:04,919
it in this directory so we can work with
720
00:27:03,720 --> 00:27:07,140
it all right so let's take our ZoomIt.exe
721
00:27:04,919 --> 00:27:09,900
and start working with this one
722
00:27:07,140 --> 00:27:13,080
right so I will go ahead that file icon
723
00:27:09,900 --> 00:27:14,640
double click on ZoomIt.exe and if we
724
00:27:13,080 --> 00:27:18,240
scroll all the way down to the bottom
725
00:27:14,640 --> 00:27:19,799
again we can see a giant code cave here at
726
00:27:18,240 --> 00:27:22,440
the bottom of the file go ahead and
727
00:27:19,799 --> 00:27:24,720
restart the file jump to the entry point
728
00:27:22,440 --> 00:27:25,919
so let's go ahead and save that
729
00:27:24,720 --> 00:27:27,960
information right so I'll go ahead and
730
00:27:25,919 --> 00:27:29,279
copy the next few lines just so in case
731
00:27:27,960 --> 00:27:31,080
if anything gets overwritten or anything
732
00:27:29,279 --> 00:27:33,840
we can account for it right I'll just
733
00:27:31,080 --> 00:27:37,140
use the same uh the same file here we'll
734
00:27:33,840 --> 00:27:40,080
call this uh ZoomIt.exe so we'll go
735
00:27:37,140 --> 00:27:42,120
ahead and get our entry point
736
00:27:40,080 --> 00:27:44,760
and paste in
737
00:27:42,120 --> 00:27:45,960
um our entry point into there right
738
00:27:44,760 --> 00:27:48,000
um now let's go ahead and get the code
739
00:27:45,960 --> 00:27:49,799
Cave of the actual file cool so we found
740
00:27:48,000 --> 00:27:52,679
the code cave address we'll go and copy
741
00:27:49,799 --> 00:27:54,240
this and paste it right there now that
742
00:27:52,679 --> 00:27:56,039
we have that information let's go ahead
743
00:27:54,240 --> 00:27:57,840
and copy the code cave address because
744
00:27:56,039 --> 00:28:00,539
this is what we want to jump to right so
745
00:27:57,840 --> 00:28:02,760
let's go let's just restart hit run we
746
00:28:00,539 --> 00:28:06,600
hit the entry point and then we can hit
747
00:28:02,760 --> 00:28:08,700
space do that jump and enter
748
00:28:06,600 --> 00:28:11,640
um the address to which we want to jump
749
00:28:08,700 --> 00:28:14,039
to I'll hit okay right close this so now
750
00:28:11,640 --> 00:28:18,000
our entry point right now if I double
751
00:28:14,039 --> 00:28:22,380
click it jumps to our code cave address right
752
00:28:18,000 --> 00:28:26,760
so now we can push our registers push
753
00:28:22,380 --> 00:28:28,260
our flags and now we can start executing
754
00:28:26,760 --> 00:28:30,360
um our Shell Code so what we want to
755
00:28:28,260 --> 00:28:32,039
want to do is hold down shift hit that
756
00:28:30,360 --> 00:28:32,940
down arrow and we're just going to
757
00:28:32,039 --> 00:28:34,500
highlight
758
00:28:32,940 --> 00:28:36,480
um a fair amount of this obviously you
759
00:28:34,500 --> 00:28:37,500
would want to calculate the code cave
760
00:28:36,480 --> 00:28:40,200
and make sure that there's enough
761
00:28:37,500 --> 00:28:42,179
allocation in there but honestly I kind
762
00:28:40,200 --> 00:28:44,400
of just like to try and see if it works
763
00:28:42,179 --> 00:28:48,000
or not hit Ctrl e so we can edit this
764
00:28:44,400 --> 00:28:51,000
right and uh we'll go ahead onto our hex
765
00:28:48,000 --> 00:28:53,940
editor go ahead and Ctrl a copy all this
766
00:28:51,000 --> 00:28:56,700
code and paste it into here right so hit
767
00:28:53,940 --> 00:28:58,440
okay and now you guys will see that we
768
00:28:56,700 --> 00:29:00,140
have our Shell Code in here awesome so
769
00:28:58,440 --> 00:29:03,059
we
770
00:29:00,140 --> 00:29:05,580
have our Shell Code again you guys need
771
00:29:03,059 --> 00:29:07,440
to have that null byte right after it so
772
00:29:05,580 --> 00:29:09,720
make sure you guys have that null byte
773
00:29:07,440 --> 00:29:13,020
right after and now we can go ahead and
774
00:29:09,720 --> 00:29:14,520
popfd popad so at this point right
775
00:29:13,020 --> 00:29:16,740
here right we want to execute the
776
00:29:14,520 --> 00:29:20,279
original entry point because we replace
777
00:29:16,740 --> 00:29:21,960
the entry point with uh with our jump so
778
00:29:20,279 --> 00:29:23,640
we want to do whatever it was trying to
779
00:29:21,960 --> 00:29:24,960
do so whatever this was what I was
780
00:29:23,640 --> 00:29:27,179
trying to do it was trying to do a call
781
00:29:24,960 --> 00:29:29,640
to this address so let's go ahead and
782
00:29:27,179 --> 00:29:31,020
copy and paste that call obviously it
783
00:29:29,640 --> 00:29:33,360
won't work so you have to get rid of the
784
00:29:31,020 --> 00:29:35,520
ZoomIt. to make sure that it
785
00:29:33,360 --> 00:29:37,080
executes the call to that address and
786
00:29:35,520 --> 00:29:39,299
when you add it it will automatically
787
00:29:37,080 --> 00:29:42,059
format that ZoomIt in there for you all we
788
00:29:39,299 --> 00:29:44,220
have now is the jump back to the rest of
789
00:29:42,059 --> 00:29:45,899
the normal execution of the code so
790
00:29:44,220 --> 00:29:49,320
we'll go ahead and copy this address
791
00:29:45,899 --> 00:29:52,020
right here and we'll just do a JMP to
792
00:29:49,320 --> 00:29:53,940
that address right there and hit okay uh
793
00:29:52,020 --> 00:29:55,740
this jump again will take you right
794
00:29:53,940 --> 00:29:57,720
under the entry point and this jump
795
00:29:55,740 --> 00:30:00,539
right here will take you to the pushad
796
00:29:57,720 --> 00:30:01,799
pushfd of the code cave that we're working
797
00:30:00,539 --> 00:30:04,320
with so let's go ahead and make this
798
00:30:01,799 --> 00:30:07,320
patch we'll call this ZoomIt
799
00:30:04,320 --> 00:30:09,720
patched.exe
800
00:30:07,320 --> 00:30:13,799
okay and then we'll go ahead and open up
801
00:30:09,720 --> 00:30:15,720
our uh ZoomIt patched.exe and we're going
802
00:30:13,799 --> 00:30:17,760
to run it double click on this code
803
00:30:15,720 --> 00:30:19,860
right here right we can see a lot of the
804
00:30:17,760 --> 00:30:21,299
different calls those codes making we
805
00:30:19,860 --> 00:30:22,980
already know it's the push zero right
806
00:30:21,299 --> 00:30:24,840
here go ahead and copy our popfd
807
00:30:22,980 --> 00:30:28,440
address so
808
00:30:24,840 --> 00:30:31,080
copy and then we want to go ahead and
809
00:30:28,440 --> 00:30:34,799
have our push zero hit that space and we
810
00:30:31,080 --> 00:30:36,899
want to jump to that popfd and hit okay
811
00:30:34,799 --> 00:30:39,179
and that's it there you go so we can go
812
00:30:36,899 --> 00:30:41,460
ahead and close this off uh patch the
813
00:30:39,179 --> 00:30:44,460
file and we'll call this ZoomIt
814
00:30:41,460 --> 00:30:44,460
trojan.exe
815
00:30:45,240 --> 00:30:48,840
okay so that's it so we can actually go
816
00:30:47,340 --> 00:30:50,460
to our
817
00:30:48,840 --> 00:30:51,960
um file explorer right here right I'll
818
00:30:50,460 --> 00:30:53,880
kind of go ahead and minimize a lot of
819
00:30:51,960 --> 00:30:55,740
these uh programs I'll actually look
820
00:30:53,880 --> 00:30:58,080
I'll just go ahead and load the original
821
00:30:55,740 --> 00:31:00,240
ZoomIt onto the desktop and then the
822
00:30:58,080 --> 00:31:03,480
ZoomIt trojan onto the desktop as well
823
00:31:00,240 --> 00:31:06,179
so we can kind of see their execution
824
00:31:03,480 --> 00:31:09,179
so if we run the normal ZoomIt
825
00:31:06,179 --> 00:31:11,159
it opens up the ZoomIt executable from
826
00:31:09,179 --> 00:31:14,039
the Sysinternals Suite some random
827
00:31:11,159 --> 00:31:16,020
zooming-in program right we can
828
00:31:14,039 --> 00:31:18,960
close it and then if we run the ZoomIt
829
00:31:16,020 --> 00:31:21,480
trojan it will run our ZoomIt but it'll
830
00:31:18,960 --> 00:31:23,640
also run our calculator right because we
831
00:31:21,480 --> 00:31:25,200
are having this is a trojan virus where
832
00:31:23,640 --> 00:31:29,159
we execute
833
00:31:25,200 --> 00:31:30,659
um the calc.exe as a part of this
834
00:31:29,159 --> 00:31:33,000
program right
835
00:31:30,659 --> 00:31:34,620
um yeah that's it that's that's how the
836
00:31:33,000 --> 00:31:37,860
Trojan works and of course you can
837
00:31:34,620 --> 00:31:40,200
replace this calc.exe with shell code
838
00:31:37,860 --> 00:31:42,299
of different executables or shell codes
839
00:31:40,200 --> 00:31:44,399
of different uh command line arguments
840
00:31:42,299 --> 00:31:45,539
or whatever you want really uh I'll
841
00:31:44,399 --> 00:31:47,880
probably make some more videos about
842
00:31:45,539 --> 00:31:49,200
Shell Code assembly debuggers if this
843
00:31:47,880 --> 00:31:50,520
video was too advanced for you let me know
844
00:31:49,200 --> 00:31:52,200
and I can probably make some more
845
00:31:50,520 --> 00:31:54,120
beginner friendly
846
00:31:52,200 --> 00:31:56,100
um videos towards kind of getting into
847
00:31:54,120 --> 00:31:57,779
this level of development hopefully
848
00:31:56,100 --> 00:31:58,980
something new and interesting from my
849
00:31:57,779 --> 00:32:00,840
perspective
850
00:31:58,980 --> 00:32:02,880
um I've been trying to produce more of
851
00:32:00,840 --> 00:32:05,460
my malware projects on YouTube I know
852
00:32:02,880 --> 00:32:07,080
YouTube isn't too fond of malware so I'm
853
00:32:05,460 --> 00:32:08,640
kind of testing the waters with these
854
00:32:07,080 --> 00:32:10,500
videos but hopefully this was something
855
00:32:08,640 --> 00:32:12,539
you guys enjoyed please kind of support
856
00:32:10,500 --> 00:32:14,039
me give me a little like and comment and
857
00:32:12,539 --> 00:32:15,600
leave a little subscribe with this kind
858
00:32:14,039 --> 00:32:17,279
of content interests you guys but uh
859
00:32:15,600 --> 00:32:19,760
yeah thank you so much and uh Happy
860
00:32:17,279 --> 00:32:19,760
hacking