WEBVTT

00:00.620 --> 00:01.030
Hello.

00:01.040 --> 00:01.910
Welcome back.

00:01.940 --> 00:10.310
In the last video we did an API enumeration to count how many times the API has been hit and we found

00:10.310 --> 00:14.750
that it was hit three times for VirtualAlloc and six times for VirtualProtect.

00:14.750 --> 00:22.430
And the VirtualProtect was the last one to be hit just before it went into the first-chance exception.

00:22.430 --> 00:29.600
So we know that when we see VirtualAlloc hit for the sixth time, we can dump just before it hits the

00:29.600 --> 00:31.100
first-chance exception.

00:31.100 --> 00:32.500
So that is a trick.

00:32.510 --> 00:36.440
So now we are going to put the.

00:37.910 --> 00:47.720
Set the options for x32dbg first, check system breakpoints and callbacks, and then open the Dridex trojan.

01:01.180 --> 01:04.000
And we put our two breakpoints.

01:05.800 --> 01:13.720
Breakpoint on VirtualAlloc and breakpoint on VirtualProtect.

01:17.380 --> 01:21.010
We don't need to put CreateProcessInternal because it was never hit.

01:21.310 --> 01:28.390
So we go and see now in the breakpoint tab, confirm that both have been set, and now the count is zero

01:28.390 --> 01:29.100
and zero.

01:29.110 --> 01:35.930
So we can continue to press F9 until it becomes six for VirtualProtect, six over here.

01:35.950 --> 01:38.590
That's when we know that we are ready to dump.

01:39.550 --> 01:43.050
So let's run, hit, watch.

01:43.060 --> 01:44.620
You can ignore that.

01:45.160 --> 01:47.470
Run which Ignore that.

01:47.800 --> 01:48.520
Run.

01:48.970 --> 01:50.860
Ignore that run.

01:51.460 --> 01:51.760
Virtual

01:51.760 --> 01:52.150
Protect.

01:52.480 --> 01:56.250
Okay, look at the second parameter.

01:56.260 --> 01:57.880
Let's step over first.

02:01.180 --> 02:01.780
Step over.

02:02.410 --> 02:04.660
Step over until we come to the call.

02:05.320 --> 02:07.240
Now, you look at the second parameter.

02:07.270 --> 02:08.770
This region of memory.

02:09.130 --> 02:09.430
Okay.

02:09.430 --> 02:14.980
If you want, you can follow this region of memory, follow in number one.

02:15.220 --> 02:16.300
If we want to do.

02:16.300 --> 02:17.290
But it's optional.

02:17.830 --> 02:22.270
So now we continue to step over.

02:23.680 --> 02:32.550
And run, and then still VirtualProtect, and if we keep on stepping, jump.

02:35.900 --> 02:37.130
After the call here.

02:37.430 --> 02:42.860
Second parameter, it is continuing to unpack. Then run.

02:45.100 --> 02:45.460
Again.

02:45.460 --> 02:46.090
We should rotate.

02:46.750 --> 02:47.500
Step over.

02:48.700 --> 02:49.150
Jump.

02:50.440 --> 02:52.990
Step until the VirtualProtect.

02:53.110 --> 02:54.340
Second parameter.

02:54.370 --> 02:54.700
See that?

02:54.700 --> 02:55.900
It continues on back there.

02:56.590 --> 02:59.230
And look at the breakpoint count.

02:59.470 --> 03:00.580
Three, three.

03:00.670 --> 03:01.330
Not yet.

03:01.330 --> 03:03.610
So we need to wait until it is three, six.

03:04.150 --> 03:07.450
Remember from our previous enumeration.

03:07.690 --> 03:09.910
Three, six.

03:11.020 --> 03:12.070
Okay, let's run now.

03:13.940 --> 03:15.530
Step all this and.

03:18.190 --> 03:20.440
And step over this and run.

03:23.270 --> 03:24.500
VirtualProtect again.

03:26.970 --> 03:27.600
Step over

03:32.670 --> 03:33.810
until we come here.

03:34.560 --> 03:34.980
See that?

03:34.980 --> 03:39.720
Continue to unpack in the same memory region, starting from one followed by seven zeros.

03:40.950 --> 03:41.790
Run again.

03:42.120 --> 03:43.050
Look at the count.

03:43.380 --> 03:44.220
Three, four.

03:49.040 --> 03:49.970
Again VirtualProtect.

03:50.960 --> 03:51.650
Step over.

03:54.620 --> 03:55.280
Step over.

03:55.760 --> 03:57.740
Step over until we come to the call.

03:58.310 --> 03:59.600
Second parameter.

04:00.930 --> 04:05.120
Same region of memory and a higher address.

04:05.130 --> 04:06.360
2830.

04:07.830 --> 04:10.170
Hit on breakpoint: three, five.

04:10.200 --> 04:11.910
That means one more hit to go.

04:12.870 --> 04:14.310
Okay, so run again.

04:16.360 --> 04:16.960
Step over.

04:19.510 --> 04:20.680
Jump to protect.

04:21.460 --> 04:22.840
Jump to protect.

04:23.980 --> 04:25.510
And now step over.

04:26.260 --> 04:28.030
And I think it has finished.

04:28.390 --> 04:31.990
So now we go to breakpoint six.

04:32.020 --> 04:34.390
That means we are ready to dump memory.

04:34.630 --> 04:38.530
So because this is self-injecting, we do not dump from here.

04:38.560 --> 04:45.550
Previously we used to do this: right click, Follow in Memory Map, and then we dump from here, right click.

04:46.480 --> 04:52.920
That may be the file, but because this is self-injection, that means it's overwriting its own process.

04:52.930 --> 04:59.830
So what we do is we go to Process Hacker, so we open flag, go to utilities.

05:07.690 --> 05:09.520
And then open up Process Hacker.

05:16.420 --> 05:23.850
And then search for the Dridex and then double click on it and then go to the memory folder.

05:24.910 --> 05:32.380
Now we are going to dump from here at the address of one followed by seven zeros.

05:32.410 --> 05:34.970
This one you can expand and see.

05:34.990 --> 05:37.480
So all this is the unpack code.

05:37.510 --> 05:43.210
It has self-injected the unpack code to its own process over here.

05:43.420 --> 05:48.760
And you can see protection bits are writable and executable.

05:48.910 --> 05:52.030
So we can right click on this now and then.

05:52.870 --> 05:53.500
Save.

05:56.410 --> 06:02.530
And then go to the desktop, save in the Dridex folder so we can call this Dridex dump.

06:04.760 --> 06:08.530
Dridex underscore dump.

06:09.290 --> 06:09.770
Save.

06:11.150 --> 06:14.060
Okay, so now you can close everything.

06:14.990 --> 06:19.760
Close this, and then you can close your x32dbg as well.

06:24.740 --> 06:26.150
We have already done this here.

06:26.300 --> 06:33.620
So in the next video, I'm going to show you the process of unmapping it using PEB.

06:34.580 --> 06:35.720
Thank you for watching.
