 Yes. So, let me introduce myself. So I'm currently working in cyber warfare lab as a red team security researcher. And I have, sorry. And I have three years of three plus years of experience in reverse engineering. And mostly I'm interested in reversing the internals and malwares. And right now, I'm currently focusing the Windows internal Sandal. So I hope you guys all have downloaded all the prerequisite that that that we have mentioned here. Yeah, okay. So, so let me just begin with the solid just begin the session now. So I'm going to go quick on this P file format because we have a lot to cover here. You can see we are covering seven injection technique, which is which is a lot more to cover in the in a day. So I'm just going to go quick in the P file format. So P file format is particularly particularly a file format for the executable DLLs of the code in the Windows operating system. So there are few importance header on the P file format, which are the header, anti header and inside the anti header, there are file header and optional header. And the last error is the section header. Let me just turn on the laser now. So you can see these are the these are the headers that we that I just talked about. So those header is the first header of the P file format. And this is the 64 byte long structure. And you can see there are lots of member here, but we are only interested in magic and then Elfanyu. The magic is the first members and it hold the signature of the does file, which is the AMZ. We all know that it's the AMZ. So the another member is the Elfanyu, which hold the opposite to the start of the anti header. So let's say whenever we are parsing the P header in our code. So if we parse the does header, and if we add the Elfanyu offset to that does header, we will reach to the anti headers. That's why the Elfanyu header is important to us. So this is the so this is the P sorry, this is the does header, and all the members are here, which is which is in the PE view. So the another header is the anti header. This is the primary structure for the P header and it is of type image anti headers. So this consists of three members which are signature file header and optional header. So signature is a four byte keyword and it holds the value P followed by the two terminating zero. You can see there's a P and followed by two terminating zero here. So the next header is the file header file header is a 20 byte long structure. And this header contains basic information of the PE file. And the one that is important for us is the number of section for our project. But the few other informations are here, which are these are the machine architecture and the time date stamp pointed to the symbol table, table number of symbols, size of optional header and characteristics. So let's come to the optional header. This is the most crucial this the most crucial fields are contained in this optional header, even though the name of this header is the optional. So some of the important fields are image based address of the entry point subsystem section alignment file alignment size of the code and the image data directory. So data directory is an array of the image data directory structure. This is structure holds two members which are virtual address and the size. So this is the structure of the optional header, you can see. So the virtual address points to the relative personal address of the particular directory and the size holds the size of that particular directory. So in the data directory array, there is elements point to some of some important information such as import address table, export address table, resource table. So here are the list of the directories. So the last header is the section header which contains the important information related to the related to the section such as name of sections, virtual address, virtual size and size of the raw data pointed to the raw data, etc. So these are the common these are the common section of the executables, the section, the R data section, data section, resource section and the relocation section. So now we weave is the first injection technique of this video session. So let's just get started with this injection technique. So this is the APC code injection technique. So APC stands for the asynchronous procedure call, which is a really nice feature of the Windows operating system that allows us to place a job in a queue for execution in context of the particular thread. So basically, in this state, we are placing our cell code in a APC queue of the process thread and whenever this process thread enters into the allotable state, our cell code will get executed. So some of the routing that might put the thread in allotable states are sleepy x single object and wait, wait for single object EX, wait for multiple object EX and there are a few others. So these are the steps for the APC injection. First we need to find the target process to inject our payload. And after that, we need to perform the relocation, sorry, we need to perform the remote allocation. After that, we will write our payload into that newly allocated memory in the in the target process. So after writing the payload, we have to find all the threads which is present in that target process. Once we find all the threads, we will place our cell code in the queue for all the threads. And whenever the threads enter into the allotable state, our cell code will get executed. So this is to note that this this technique is quite unstable. So there is a there is a different variant of this APC injection, which is also known as the early board APC injection, which we will be going to cover in the lab session. So so these are all the API calls that are used in this APC injection. So let's move to the lab. Is my VM visible? Yes. Okay, okay. So here in the so here in the line number 300, 200, 20, 27. I have commented this out. So let's just uncomment this line. And I will comment this line number 236. So this is the just the this is just the variable which will allow us to switch between early board and the normal APC injection. So I hope you guys have have all the VM ready to go with to go to go with me. So before executing this application, I will just put the break point. So the break point, I have already put the break point here at line number 117. So I'll just execute this application. So the target process for our for our implant is the notepad.exe. So I will just open this 32 bit notepad, which is which is in the syswall directory. So this is our victim process. Yeah, so we have the victim process open. So let me just go into this fine target process function. So here we can see using the of using the API called great tool help 32 snapshot, we are taking the snapshot of the process as well as the snapshot of the thread. So let me just step over this code. And with the help of this process 32 first, we are retrieving the first process from the snapshot. And after that we are comparing whether the whether the process from the snapshot is equal to our target process. So our target process is not bad and and currently it's pointing to the system process. So once this is equal to the process or target process, it will enter this if block. So if it is not equal to our target process, it will just simply go and call the process 32 next function, which will retrieve the next process from the snapshot. So this process goes until it is equal to our notepad. So I'm just going to put the break point at line number 27. And I will continue the execution. So now you can see we are inside the if block. So we are doing the same thing for the thread as well. So we are just getting the first thread and here here there is a if block you can see. So we are checking whether the the way that the threads owner is whether the trade owner ID is equal to our target process ID. So if the trade owner ID is equal to our target process ID, we will push that trade ID into the into into the vector or we or we can just add this thread ID into the arrays also. So here basically we are just collecting all the threads that are that are inside the notepad. So let me just go here and show you. So there is only one thread currently. So it will just get that thread for us. So our trade owner is for like because we want to get all the threads of the notepad, right? This is our target process. So this is checking the trade owner is checking that whether this the process ID of the trade owner is equal to our process ID, which is 12200. So no, not core thread, but yeah, it's the like we have the process you can see it's the notepad.exe right? So the process ID is 12200 and let's see here we are checking let's say we have got this thread from this snapshot. So this is checking that whether this whether this trade owner ID is 12200 or not if it's if it is equal to 12200 then then the process then the owner ID processes will be equal to the on this this target process on ID. So here basically we are just collecting this thread ID from our target process and putting it into the vector array. So I will just go over here. So yeah, you can see I have put the break point already here in line number 126 26. So I will just continue this application. So now you can see there in the T IDs in the vector array. So we have got the we have got all the trade IDs. So let me just come from here. This is it. So once we get all the trade IDs for the from the particular process from our target process, we will open we will open the we will open this target process using the process ID and with the process all access right. So we are trying to get all the access right from of that process subject. So basically we're just getting the handle to this particular particular process this target process here. Now once we got the target process we will allocate the memory. So here you can see the base address is all zero zero. So we are allocating the we are allocating the new memory in the target process for our cell code. So you can see the silk the base addresses of 460 and four zeros. Let me just go to the process hacker and in the memory, let me just add to us. So yeah, this is the one that we just allocated and you can see it's all zeros here. So after that using the API right process memory we are writing our payload into that into this memory. So let me just execute this code and I will just read this memory here and you can see our cell code is our successfully written here. Now you can see the the the protection for the memory is read and write. So we need to change this protection to read and execute so that our payload will be able to execute so it's in the process. So you can see we have successfully changed the memory protection of this of this memory. So it's now read and execute. Now we are converting our now we are converting our cell code to the start routing. So we will look through we will look through all this thread ID that we collected from the process and we will put our cell code in each in its APC queue for the for the threads using the queue user APC function. So let me just execute it. So you can see nothing happened because this technique is not reliable. So so our thread might so it is not it is not confirmed that the thread might enter into the allotable state. So our cell code might not get executed. So we have to be really lucky on this one. So if we try this a few a few different times then we might able to execute our cell code. So so let let us switch this switch this application to the early bird. So for so let me run this application again and this time we will be going into this early bird function and you can see I have already put the back wind at the line number 59. So here you can see we are how we are creating the process in the suspended mode. You can see the flag we are using is great suspended. So if I just step over and you can see the notepad is created in the suspended mode. After that we will allocate the memory for the for the payload in the remote process in this process. So let me just open this one and if I execute this virtual outlook so you can see the memory is allocated here and it's all zero. Now we will write our payload into that. So you can see I have executed this right process memory. So our cell code should be written here. So you can see our cell code is successfully written here. So after this we are changing the memory protection from read write to page read and execute. So at this moment you can see it's RW. So let me just refresh this box and let's see. So you can see the the memory region is now read and execute. So now we can just put our cell code in a queue using the queue user APC and we can resume the main thread of the suspended process. So now we can see our cell code is successfully injected and you can see the you can see the process is still in notepad and nothing is changed here but our cell code is successfully get executed. So this is it for the APC injection. So if you have any question you can ask. So let's take a two minute break and we can start with the another technique called model stomping. So if you have any question you can just drop the question in the comment box. So if you have any queries then you can just drop in the chat box. Okay so I will start the another technique which is called model stomping. So let's start with the another technique called model stomping. So in this technique Fris or legitimate DLL is loaded into the target process and the cell code will be injected into that loaded target DLL and when we create a new thread the cell code will get executed from the legitimate DLL and the one and one of the advantages of this technique is there will no need to be changed. There will no need to change memory protection like we did in the APC injection. So these are the steps for the model stomping. First we will get the handle to the target process and after that we will load our target DLL into the target process. After that we will write our payload at the entry point address of the loaded DLL. This one this state is really important and after that the thread is created and the thread will execute our payload. So these are all the API calls that are used in the model stomping technique. So let's just jump into the lab. So we are running this application in a 32 bit mode. So it will require the target process to be in a 32 bit mode. So I'm running the 32 bit notepad here. So the process ID is 13520 for this notepad. So I have put the breakpoint in this at the line number 64. So I'll just execute this program now. So using the open process we are trying to get the handle to this target process and our process ID is 0 sorry 3 4th D0 in hex which is 13520 in decimal. So let me just execute this code. So we can see we have successfully got the handle to the target process, this process. Now we will here you can see at the line number 72 we are allocating the memory but the target but the allocation size is the length of the target library. So which means we are going to load we are not going to load our or we are not going to copy our DLL into the into the remote process but we are writing our module file path to the target process memory. So before selecting this DLL this is the target DLL and this is the legitimate DLL from the Microsoft. So before selecting the DLL we must be sure that the DLL must not be loaded already into this process target process. So we can see there is no source DLL called file MGMT DLL here and this DLL must be larger than our cell code. So after that we will allocate the memory for writing this file path into the target primary. So you can see we have allocated the memory in this address which is E4 and 40s. So if I just execute this line of code to write process memory we will be write the file path to the target process memory. So we can see we have written the file path for the file management DLL which is our target DLL to be loaded into this process. So using this load library A functions we are going to load this DLL into the remote process memory into the remote process which is not bad. So at this point we are retrieving this load library from the local address of the load library function from the local memory local process but most of the time the kernel 32.DLL is loaded at the same base address in many other processes as well. So you can see the base address for the load library A function is 76340BD0 and we are assuming that the load library A is in the same address is in the same address space in the target process as well. So after that we will create the remote thread. So the function will be the load library A and the parameter will be the file path. So in the model here you can see there is nothing there is there is no DLL such as there is no DLL the there is no file mz and DLL here. So if I just execute this code so this create remote thread we are going to execute the remote thread into the target process. So if I just create the remote thread here so you can see the file mz empty.DLL is loaded into this target process memory. Now we have loaded our target DLL into the target process we have to find the base address of the DLL because we have to write our cell code at the entry point at the entry point of this DLL. So let me just go into this file module based function. So here we can see using the enum process modules we are reading all the we are reading all the modules all the modules of this target process. So here you can see right now it's all the all the values are 0xccc all the zonks value. So if I just execute this function you can see we have got all the all the base address of this all these of these modules. So using the gate module file name ex we are looping through each modules and using this gate module file name ex we are trying to get the full path of the we are trying to get the full path of this DLL and here we are checking whether it contains the we are just checking the sub string and we are just checking that whether the file path contains the contents our file which is file mz empty.DLL. So let me just execute this function and see here we can see we have got the full path for the modpad.exe and it's checking whether the whether the path contains the file mz empty.DLL or not. So I will just continue this application and you can see the module name is now file mz empty.DLL and it is equal. So we are returning the base address of the file mz empty.DLL. So you can see the base address for the file mz empty.DLL is 62f9 and 40s. So if I just execute this line you can see we have got the base address of the of the loaded DLL which is 62f900. Let me just put this in the watts. You can see it's 62f9 and 40s and here it's the 62f940s. So we are good to go. So after this after that we have to find the entry point of the target DLL. So using the read process memory we are reading the thousand bytes from this base address. So here we are parsing the dos header of this target DLL and we are retrieving the anti-haters. Now from the optional header there is a member called address of entry point. So this is the offset of the entry point. So once we add this value to the module base address then we will get the exact entry point of the loaded DLL in the target process. So here we can see the entry point is 2LB40. Let me just add this to the watts as well. So we will just add this entry point with the module base. So here at this point we have got the entry point of the DLL which is loaded in the remote process. Now we have got the entry point. We will just write our cell code in that entry point. Now it looks like the payload is returned to the entry point of the target DLL. We will just execute the remote thread now. So you can see our cell code is executed successfully and to confirm this we can just go to the thread here and you can see there is a file mg empty DLL loaded here and you can see the message box is in the stack trace. So this is it for the module stomping. So if you have any queries you can ask. So I will start the process solving now. So this is one of the famous technique and this has few different variants but the one that we are going to talk here is the original one. So in this technique we will just replace the executable section of the legitimate process with the malicious executable and all the replacement will take place in the memory. So these are the steps for the process solving. So the first the important step is to create the process in the suspended mode. After that we have we need to find the image base address of the target process because we we have to hollow out that target image. So after we hollow out that target image we will allocate a new memory into the same image base address for our payload. So after that we will copy all the payload section and header to the newly allocated memory in the target process. Then we will sense the context of the target process. After that we will resume the main thread of the target process. So these are the API that are used in this technique. So the one that is important is this anti unmapped view of section API. With the help of this API we are going to unmap the unmapped target image from the process. So let's jump into the lab. So you can see I have put the breakpoint at line number 103. So I'll just execute this application. So using the create process API we are we are going to create the target process in a suspended mode. So you can see the target process is created in a suspended mode. Now using this antiquary information process we are going to read the we are going to read the information about this process because we need one thing here the we need to get the data here and as well as the image space. So here this is pointing to the pave of the remote process and in 32 bit at the opposite of the 8 we will find the image base address of the particular process. So let me just go here. So you can see the image base address of the so the image base address of the notepad is f0 and 4 zeros. So we are hollowing this image. So we are just hollowing this image. So let me just show you something here first. So this is the 32 bit baby structure and at the opposite 8 you can see it's pointing to the image address which is this image address here. So if I just execute this code I will be pointing at the opposite 8 right now. Now using the read process memory we will read the image base from that opposite. So right now you can see the target image base is 0 zeros. So if I just execute this one you can see it's a f and all zeros which is equal to our target image base. So now we will unmap this section from the process. So just look at this carefully. Right now we can see there is a f and 5 zeros and you can also notice the type is the image here. So from here to here we are just reading our payload buffer from the file and writing and putting that buffer into the heap. And from the payload buffer we are reading the size of the image of that payload buffer here by parsing the peheter. So you can see we have got the size of the image of that payload. This is important because after unmapping this section we have to allocate a new memory. So that's why this is important to allocate the new memory. So here you can see using the ZW on map view up section we are going to unmap this section. Right now you can see f zero zero is still here. So if I just execute this API you can see the f zero zero is unmapped and it's vanished from here. So now we can reallocate the memory in the same image space. So we can see we are allocating the image at this f zero zero offset now. So if I just execute this virtual allocates function you can see the f and five zero zero we have allocated the new memory and it's all zeros and the type is the private you can see. And the memory protection is read write and execute. So after that we will be calculating the database for the relocation. So now we will be writing the header to this memory address. You can see right now it's all zeros. So if I just execute this line you can see we have written the payload header here. Now from line 172 to 177 we are writing all the sections into this address into this memory location. So let me just continue the execution. So if I read this you can see all the sections are written here now. So after that we need to fix the we need to perform the relocation. So what is exactly happening is here. So what exactly happening here is there are some constants in the image. So we are repatching all those. We are fixing all those constants to execute the process peacefully. So if you are really interested to know what's happening here in this line of code. So you can comment. So you can just drop the comment because like I have to go through the different tools to make you understand this because from the from the code perspective it's really hard to understand what's going on here. So if you are really interested you can just drop the comment and at the end of this video session I'm going to explain what's really happening here. So for now just understand that we are fixing some constant in the remote process memory of in the payload which is loaded in the remote process memory. So once the relocation is done we will get the entry point of our payload which is in the target process memory. So here we have got the offset and we have added the offset to the image base of the payload. So this is the exact entry point of our payload in the target process memory. Now we will get the context of that process. So you can see here the here the eax register is holding the holding the entry point of the previous holding the entry point of the original image but we already have replaced that image with our payload. So we have to replace the entry point entry point of the original image base with our payload image base with our payload entry point. So whenever the process is created in the suspended mode the eax register holds the entry point of that particular process. So that's why we need to replace the entry point here. So we are replacing the entry point we are replacing the entry point of the original process which is f21860 with the entry point of our payload which is f01260 which is in the target process memory. So once we pass the eax register here we will just apply the patches using the set thread context. After that we will just resume the thread. So you can see we have successfully loaded the cell code here. So you can see nothing is changed here. The image file is still the notepad.exe command line is still the notepad.exe and our cell code is loaded from the notepad process. So this is it for the process halloween. So if you have any queries about this you can just drop the comment. Okay so I will start with the process table right now. So this technique utilizes the windows API calls which are related to ntfs transactions. So ntfs transaction brings the concept of the atomic transaction to the ntfs file system. So for instance let's say we are performing some file operation in a transaction right. So suppose we are writing 100 bytes of the buffer in a file and assume that we have written we we managed to successfully write all those 100 bytes into that file in a transaction. However that operation will not be fully successful until the operation is committed for the transaction. So this means that the operation should be committed to for the operation to be fully successful. So if any so if any issue arises during the right operation the transaction will roll back and entire operation will fail. So this is to maintain the integrity of the data on the disk. So process halloween has four process halloween is broken down into four step transact load rollback and the animate. So in the transact section we are going to open our file legitimate file for the transaction and then we will write our payload into that transacted file and after that with the help of that transacted file we will create an image section here and once we created the image section we do not need that transacted file so as I mentioned before if we commit the transaction the operation will be successful. So in this case if we commit the transaction our payload will get written into those sticks which we do not want that to happen. So in the party step we will just roll back the transaction which will completely remove the malicious code from the anti-fac system and there will be nothing left on the disk and after that the last part is to animate the process. So until now we have the image section here so using this image section we are going to create the process. So we have to fix something in that process so basically let's assume that we have to give we have to give the life to that process and this find this fourth step is really important step and I want everyone to understand this step because this is literally same in upcoming techniques like process harbor doping and process costing. So we will be going in depth in this step in process table ganging lab. So please save energy for this lab because we will be spending more time in this process table ganging lab as compared to others. So these are all the APIs so these are all the APIs that I use in the process table ganging some are missing but no worries we will cover that in the lab. So if you understand the process Halloween and process table ganging it will be really easy to understand all the upcoming techniques because all those techniques are somewhat similar to these two techniques. So let's just move to the lab and this one is a little bit complex. So for this technique we need to turn off the Windows Defender completely because it will get detected by the Windows Defender. Since I do not have the permission here let me just go away. So in the administrative template and inside the Windows component there you can see the Microsoft Defender Antivirus and you just have to enable this this policy. So we are just turning off the Microsoft Defender so it will not work in my case because I'm not running in the administrative user so this will not work. I have to log into the admin account and then I have to do that but even though let's start this technique. So once you turn off the policy you can just restart the PC and then the antivirus will be completely turned off but at the end I will be getting some error because the antivirus is not turned off in my case. So you can see I'm putting this in the debugging mode and the architecture is 64-bit so it's compulsory. If you are using 64-bit architecture you need to run this application in a 64-bit as well. If you run this application in a 32-bit then it will fail. So for the 32-bit application you have to you need to have 32-bit operating system and for the 64-bit you need to have 64-bit operating system for this technique. So let me just put the breakpoint at line number 173 and these are all the APIs which are loaded dynamically. So let's not worry about this. So I'll just execute this code here. So here you can see our target process is the minode.txt which is in the dem folder, the cd.3. This is the target, this is the latest estimate file. So let's step into this function. So at the line number 43 using the anti-crate transaction we are creating the anti-fase transaction object. So let me just go over here to programming and in the handle. So if I let me just execute this code and you can see we have created the transaction, sorry, a transaction object and we will be opening our target file for the transaction and here you can see we have passed the handle to the transaction and using the create file transacted.w we are just opening the file for the transaction and the permission. We are requesting the read and write permission for this transacted file. So here you can see we have got the handle to the file which is a C8. You can see it's a C8 here. So after that we are just returning this transaction handle to the transaction and handle to the transacted file. So now we will write our payload buffer into that transacted file. So if I just go over, if I just go here and open the file and see it's 0kb and because nothing is written here because this transaction is not committed. So we need to commit the transaction for the successful operation. Otherwise, nothing will be done to the file. So the buffer is still in the transacted file. So let's enter this create section from transacted file function. So using the anti create section, we are creating the image section here and the flag we are using is sake image here. This will confirm that the file that we are passing here must have the valid PE header. So if the transacted file doesn't have the valid PE header then it will fail to create the section because of the sake image flag. So this transacted file must have the valid PE header. So here you can see if I execute this line of code, you can see the section is created successfully. If I just go and click on read and write, you can see our payload is successfully written in the section. So we have created the section out of the transacted file. So now we have the image section. We do not need the transacted file. So we will just roll back the transaction using anti rollback transaction function. So here you can see we will be rolling back the transaction using the anti rollback transaction. Now we will close handle to these transaction and the transacted file. Here you can see our transaction object is destroyed and the file handle is also destroyed. So using the section, you can see using the sections we are creating the process body with the help of the anti create process EX API. We are using this API because this API requires the section rather than the file path. So since we have this section, so we are using this anti create process EX. So we'll just look at here. If I just execute the code here, you can see we have got the process body now. Right? So you can see there is nothing in the properties of this process. So we have to fix this process. Now with the help of the anti query information, we are reading the process information because we want two things here. Our first one is the page itself and the second one is the entry point of that particular process, the entry point of our payload, which is in this particular process. So after that, we are reading the pave here. So here after reading the pave, we are just typecasting this to the pave structure. If I just go over here, you can see this is the very large structure and this is the similar structure that I just showed you before in here. You can see this is the structure. So we are typecasting this retrieve data with the pave. And in here, we can see we are getting the image base address. So using the RTL image antehater, we will reach to the antehater of the payload. And from there, we will try to get the address of the entry point. So once we get the entry point, you can see we have got the entry point. Once we get the entry point, we will add this with the image base address of our payload, which is loaded in this target process. So as you can see, this is our entry point of our payload in the target process. So here comes the important part. Using the RTL create process parameter EX, we are creating the process parameter here. So at this point, you can see it's all zeros. So and we are passing the command line argument. And I think it's a current directory path, which I'm not sure. But you can always fill this null values with the required argument. It's not necessary, but you can always work on this one. So I'm just giving the command line argument and the image file path. I'm not sure. So if I just execute this API, you can see we have created the process parameter. So the second one was the current directory. And the first one was the command line. So this was the command line and this was the current directory. So you could just fill all this null with the parameter as you want. So once we have created the process, we need to we need to transfer this process parameter into this remote process, newly allocated a newly created process. So here we can see we are allocating the we are allocating the memory for the parameter process parameter in the remote process. So you can see the the address is addresses one CC 960 and 9605 and four zeros. So let me just go here and look at that address. This is one CC. Yeah, this is the one. So in here, or at this point, you can see it's all empty. So in here, we are going to write the process parameter. So you can see using the right Watson memory, we are going to write the process parameter into the remote process. So if I just execute this function and look into the memory, so somewhere around here, you can see we have we have written our we have written our process parameter in the remote process. So this is the address where the process parameter is written. So let me just add this in the watch as well. So after this, we will get the pave of that remote process. Now we have to now they're in the in the pave. There is a member called process parameter. So we have to give the address of the process parameter to this member. So let me just go over here. This one, this one, the other one, this is the 34 64 bit pave. And you can see at the opposite, there is a process parameter. So we have to give this address to the process parameter member. So let me just open the pave here. This is the one. So at the 20th offset, you can see it's empty right now. So we will be writing this value here using this right process memory. So if I just execute this code and read this. So you can see at the 20th offset, we have written the address of the process parameter. So now everything is set. So using the anti create 3DX, we will be creating a new thread. And the start routing of the thread will be the entry point of our payload. So yeah, you can see we will get the error, which is C 000022. So this is because this is we are getting this error from the Windows Defender. So we have to turn off the Windows Defender to successfully execute this process. So if we just turn off the Windows Defender from the group policy, we will be able to execute this code. So this is it for the process table ganking. So if you have any queries, you can just drop the queries in the chat. So yeah, you can see it's disabled because of the because I'm not the admin right now. I'm not in the admin user right now. That's why. So you can just disable this, you can just enable this and the code will work. So now we will look into the, so now we'll look into the another technique, which is the transacted Halloween. So it's not the transacted Halloween, it's transact Halloween. Sorry for the typo. So this is, this is the combination of the two technique, which is process Halloween and process table ganking. The advantage of this technique is this technique will solve the issues of both the technique. So in the process Halloween, when we unmapped the section, we needed to allocate the new memory for our payload, right? So, so if you have noticed, you might have noticed that the memory section that we created is of type private. So but normally, if we look into the process, the process has the memory section of type image for the executable section. So this looks really suspicious from the perspective of the security peoples and security tools. So process table ganking will fix this issue. And on the other hand, as we just saw in the lab, it's a little bit complex to create the processing process table ganking. So the process Halloween will help on this one. So from here to here, you can see this flow. This is literally same as the process table ganking from transact to rollback. And after that, the process is created using the process Halloween technique. So first, we will create an anti-FS transaction object. After that, we will open the target file for the transaction, and we will write our payload into this transacted file. So once we created the transacted file with our payload, so once we write our payload into that transacted file, we will create an image section out of that transacted file. So after we created the image section, we do not need the transacted file. So we will just roll back the transaction, which will completely remove the file from the anti-FS system. So after that, we have the image section. So we will create the target process in a suspended mode, and we will map that image into that target process. So we will map that image section into that target process. So as I mentioned before, process Halloween has quite different variant. So this is the another variant of the process Halloween technique. So in this technique, we are not going to un-map anything. So after we map the image section into that target process memory, we have to fix the context of the process. So we just need to replace the entry point as we did it before. And after that, we after that, we have to update the email space address at the pave of the target process, and we will resume the thread. So these are all the API calls that I use in this technique. So let's move into the lab. So I will put the breakpoint at the line number 171, and I will execute this program. So let's just step into this function. So here, I'm just retrieving the function dynamically. So here, using the anti-create transaction, we are creating the anti-FS transaction object like we did in the process table hanging. And after that, we will open the target file for the transaction using the create file transacted w and the transaction. And we are requesting the read and write permission. And we are not creating or we are just opening the file. So file must be here. Yeah, you can see the file is there. So after that, we after we get the handle to that transacted file, we will write our payload to that transacted file this process. So we can see we have the transaction of transaction object, and we have open the we have open the file. So using the transacted file, we are creating the section. So again, we have used the sake image. So this will, this will make sure that the this this will make sure that the transacted file has the valid theater. If the transacted file doesn't have valid theater, then it will fail to create the anti quiz. It will fail to create the section. So we can see the section is created. If we just enter, if we just hit control and enter, we can see we have created the section from the transacted file. And this is our payload. Now we will just close the transacted file because we do not need that. After that, we will roll back the transaction because we do not want to save our save the payload in the Dix on the Dix. So after that, we will close all the handles. Now we will now we are left with this section here. So using the anti process query, sorry, anti query information process. Basically, we are not using here right now, but we will be using here at line number 191. But before that, here we can see we we are creating the process in a suspended mode. So if I just step into this process into this function, you can see we are creating the cal.exe in the suspended mode. So the cal.exe will be created in a suspended mode. So you can see the processes in the suspended mode right now. Now you can see we have stepped into this map section image map section into process VA function. So using this anti map view of section, we are going to map the image that we have into this target process memory. So let's let's just open this one and so here you can see the section basis 000. So if I just execute this function anti map view of section, you can see our our payload is mapped into this address in a target process. So let's just refresh this. I think this is the one. So you can see this is our payload here. It's successfully mapped into the process and it's the image is the type is the image here you can see. So so this is the base address for the payload as well for the which is in the target process. So this is the base address of the target. So we do not have to go we don't have to retrieve this base address from the target process from the paper the from the from reading the target process memory. So we have the base address of the payload which is in the target process. So using this anti query information again we are reading the process information because at this point we have to we have to I'll tell you later. So let's just get into this function or we are getting the entry point of the payload in the target process. So we have the base address. We just need to calculate the address of the entry point offset. So you can see the address of the top set of the entry point is one to be it. So we just need to add this subset here with the section base address which is the base address of the payload in the remote basis. So now you can see we have got the entry point here. So after that using the gate rate context we are getting the process context here. So in 32 bit the RAX was holding the entry point but in case of the 64 bit RCX will hold the entry point. So at this point it is pointing to the original entry point of the original image which is the calc the offset entry point of the calc 30xc. But we want to replace that entry point with our payload entry point. So let's us replace that R6 with our payload entry point you can see 912b8 and it is 912b8. After that we have to apply this context which will be done by the set rate context. So now we have to do one thing before executing the thread we have to update the image base address in the pave also because right now it's pointing to the it's pointing to the notepad image base. So we have to replace that with the we have to replace that with the payload image base. So here we are just reading the pave here. So the image base offset is at the 10th 0x 10th offset in the hexadecimal 10th offset in the hexadecimal and 64 bit let me just go to the desktop and from this figure here. So you can see at 10th offset in hexadecimal we have the image base address member. So here we are just adding the we are just adding the 10 in the in the remote pave we can see. So you can see it's a d409fc0 and we have just added 10 here and this points to the remote image base. So let me just open the pave here. So right now this is the 10th offset you can see it's pointing to the original image base which is 7ff712ca007ff712ca and four zeros which is pointing to the cal 30xc. But we want this to point to the our payload base which is 7ff67b9 and four zeros. So using the right process memory we are going to replace this address replace the address of image image base address of the payload in the pave here. So if I just execute this right process memory API and reread the memory you can see it's changed. Now it's pointing to the pointing to our image base of the payload. So it's 7b9 you can see d7b9 and four zeros. Now it's pointing to our payload. After that we will just resume the thread and we can see our cell code is executed and it's in the cal 30xc. So you can see nothing is changed. The command line is not changed and the image file name is also not changed here. So this is the transacted this is the transacted hollowing. So this is it for this lab. So if you have any queries you can just drop the comment drop in the comment. So let's start the another technique which is process harperderping. So in this technique the file under Dixie is modified after the image has been mapped into the target process. So let's assume that the file under Dixie is our payload. So using that payload file we have created the email section and using that email section using that email section and the API antiprocess EX we have created the process body here. So let's suppose here we have created the process very using the email section. And let's come to the second line. The modification is done before creating an initial thread which means that before starting the initial thread we have to modify our payload which is on the Dixie. So the question is why do we need to modify the file on the Dixie because we already have the process body. We could just fix the process parameter and using the thread right like we did in the process table hanging. So the answer is whenever. So the answer is many security products register the kernel callbacks. So whenever the initial thread is created the kernel callback will get triggered and it will notify the security products. So then security products go over. So then security product will go and scan the email section which is in the memory and as well as the file which is on the Dixie. So if we modify the file which is on the Dixie before creating an initial thread what will happen is the antivirus will go and scan the email section and as well as the file on the Dixie and the security product will find that the file on the Dixie is different than the file or different than the email section which is executed in the memory. So this will fool and evade the most of the security products. That's why it is necessary to modify the file on the Dixie in this process hard part open technique. So these are the steps for the process hard part open. So first we will create the temporary or decoy file in which we are going to write our payload. After that we will create an email section using that decoy file. So using this image section we are going to create a new process body. So we are going to create a process which will be just the body process body at this point. So after creating the process we will modify the decoy file which is on the Dixie and then we will set up the process parameter and create the remote thread as we did in the process topo ganging. And after that we will close the handle to the decoy file. So decoy file should be closed only after creating the new thread because security products do not only monitor the process but they do but they also do monitor the file changes in the system. So this is why it is important to close the file handle after creating the thread. So this will evade the most of the security products. So these are all the API calls for the process hard part open. So let's move into the lab for this one. So you can see I have put the break minute line number 121 and I will execute this process for execute this program. So you can see we have created the decoy file in this directory. So let me just go to this directory. So we haven't created it but we will be creating now using this create file W and we are asking the read and write permission as well. So now we have got the handle to this file. So this is the file. This is the decoy file you can see std61. So once we get the handle to this file we will just write our payload into that decoy file. So using the write file. So you can see we have written the payload buffer into this file which is now it's 11 kb here. So after that using the anti-create section and the decoy file we are creating the image section here. So you can see we have created the image section and this is our payload. So using that image section we are going to create the process body using the anti-create process EX API. So you can see the process is created here now. So using the anti-query information we are reading this processing information because we need the entry point of this particular process like we did in the process of organing. So let me just step into this function. Here we can see we are reading the page of this target process using the anti-reversal memory. After that we are typecasting this this pay buffer with the pay restructure. So from the address from the optional header we have we are retrieving the address of the entry point of the payload. You can see it's 1 to be it and here we are adding the image base. Here we are adding the offset of the entry point with the image base address and which will give us the exact entry point of the payload which is in the target process. So now we have got the entry point. So it's time to modify the file on the dicks. So at this point you can see I'd say I'm the header here. So here we are placing the cursor at the beginning of the file. You can see. So now we are going to write the buffer which is of size 1000 bytes in hex. Let me just break it down here and I'll continue this application. So you can see the write file is successfully write file API has successfully done its tasks. So let me just go over here and you can see we have overwritten our file payload file and you can see we have written the hello world from cyber warfare lab which is this buffer and here we have only uh overwritten the half of the or less than the half of the buffer but this will be okay. So after this we have to create the process parameter like we did in the process table ganging. After that we will be allocating the voxel memory for the process parameter in the remote process. Now we will move our process process parameter into the remote process using the write and rewrite voxel memory. After that we will get the paid address here. So as you can see in process hopper doting in the memory you can see at the opposite 20 there is all zeros. So I'll just write the address of the process parameter there. So you can see we have overwritten this value with the process parameter address. Now all we have to do is to create the remote thread and the and the start routing will be our entry point payload entry point. So I think this is this is because of the this is because of the Windows Defender. So let me read on this again because whenever whenever we fail so whenever we fail to create the remote thread in source technique it's probably some antivirus might be blocking us from creating the thread. I'll comment all of this. Yeah I think it's because of the it's because of the I think it's because of the thread I think it's because of the antivirus. Let me just print the let me just put the break point here. So yeah it's the status code is same as the process to programming. So the thread creation has been blocked by the Windows Defender. So I think this technique it's not working in the latest version of the Windows because it's getting blocked by the Windows Defender. So from the group policy if you disable the Microsoft Defender the process will work. The thread creation will work. This might be probably this will this this issue might be probably this issue will happen in the process costing as well because in process costing it's the same thing. So let's just try it out in the process costing as well. So if you see the status code 0xc and I think it's 60 and 22 that means the thread creation has been blocked by the Windows Defender. So if you have any queries you can just drop that in the comment section. So I suggest you to turn off the Defender to practice all these injection techniques because there are other ways to create the thread. So no worries about that part. So let's begin with the process costing. So this technique is literally similar to the process table ganging. The only difference is that the section is created using the delete pending file instead of the transaction. So whenever we put the file in the delete pending state it will make antivirus too difficult to scan and delete it. But we just seen that the Defender was blocking us from creating the thread using this technique, using the process fixing technique. So let's see if this will bypass or let's say this will allow us to execute the thread. So in the process costing we will be creating a dummy file like we did in the process harper derping. After that using the anti-sat information file and the file disposes an information plus as a parameter we will be putting our file into the delete pending state. And after that we will write our buffer into the delete pending file. So using the delete pending file we will create the image section. And once the image section is created we do not need the pending file so we will just close the handle to the delete pending file. So once we close the handle to the delete pending file the file will be automatically deleted from the system. And after that we will be doing the same thing which we did in the process table ganging, creating the image, creating the process using the image section and updating and fixing the process parameters. And after that we will be using the thread. So during the thread while resuming the thread we were facing the issue in process harper derping. Let's see if we face an issue in this process costing because let's see if Windows Defender is going to block us in this technique as well or not. So these are all the API data used for the process costing. So let's move on to the lab. So you can see we have hit the break point at line number 220. So we will just step into this function. So here using the anti-open file we are opening the file. So if there is no file, if there is an old file then it will just delete that file and create a new file because of the supersede flag here. So we have got the handle to the file. Let me just go over here and so this is the file that we just created. So let me just go over there. So this is the file and you can see it's accessed by our application so we cannot open. So here you can see using the anti-set information file API and the file disposition information plus as a parameter. We are setting the file into the delete pending state. Now the file is in the delete pending state. Now we will write the payload into that file. So if I just go over here and so you can see we have already set our file in the delete pending state. That's why we do not have to permission to open this file. So this will be the same thing will happen to the anti-viruses as well. So they will not able to scan the file and or delete the file. Now using the file handle we are going to create the section here. So here you can see we have created the section and you can see this is our payload. So let me just go to this file. You can see so whenever I step over this code so whenever I close this handle to the file this file this file will get deleted permanently. You can see the PZ6DD1. So you can see the file has been deleted successfully from the system. So after that we are just creating the process with the section. The section that we just created. So let's go over here. You can see we have created the section now. Now everything will be similar to the process table ganking and process power dipping. We are just setting up the process parameters here. So using the antiquary information process we are reading the process information. Then we are getting the entry point of our payload in the target process. Here we can see we are just adding the entry point offset with the image base address to get the entry point like we did in the process double ganking and hardware dipping. Now we have the entry point. Let's just put this into words. After that we will create the process parameter. So you can see we have created the process parameter with the current directory, DLL path, image path and the command line. So at this point we are giving the target path and file path as the SVC host in the process parameter you can see. Now we have to allocate the memory for the process parameter in the remote process memory. So now we have allocated the remote process for the parameter. The remote process memory for the parameter. Now we will write our parameter into that newly allocated memory in the remote process. So you can see this is the 1DD3 of 5, 3 of F78940. This is the process parameter address. Now here we are writing the address of the process parameter using the write process memory. So at the 20th offset of the page we can see once I click the redid there will be the process parameter address written. So you can see. After that we can just resume the thread. So yeah the same thing happened. The Windows Defender is blocking us from creating the thread. So this is it for the for the processed grossing. Now let me just restart this VM and I'll try to turn off the Windows Defender completely. So I'll turn off the Windows Defender completely here. And now we'll restart the VM and we can confirm that the process that the thread creation was blocked by the Windows Defender. So let's test this with the process grossing now. I think the Defender is completely turned off now. Let me just turn off from here as well. So let's put the break point here. So as you can see our our cell code is successfully executed. So it was because of the Windows Defender. We were getting that error. So you could always try this at home like we could always try some new things to bypass this bypass the Defender using the different technique. So let me just run this again. So let me just rerun this again. So yeah I just wanted to show you this. So at this point you can see we have our process parameter is set as the SPC host 30x. So if I just continue you can see the process is successfully equipped. Our cell code is successfully executed. So let's try this with the Harper Derping as well. Put the break point here. So we can see the process is executed successfully. Sorry the cell code is executed successfully. So the Windows Defender was blocking us to create a new thread or the remote thread. So thank you everyone for attending this webinar and this is it for the process injection technique. So if you have any queries you can just drop into this app.