WEBVTT

00:00.350 --> 00:02.060
Hello and welcome back.

00:02.090 --> 00:05.110
In the previous video, we used xdbg

00:05.510 --> 00:08.900
to run this demonstration,

00:08.900 --> 00:12.530
and ran until we hit our first chance

00:12.530 --> 00:14.060
exception on the bottom-left corner.

00:14.720 --> 00:18.320
So now when we see this, we can continue to run again.

00:18.320 --> 00:19.010
No problem.

00:19.010 --> 00:20.600
Just click on this run.

00:24.000 --> 00:25.450
Again, first chance exception.

00:25.470 --> 00:27.360
Never mind, continue to click Run.

00:29.360 --> 00:31.130
And now it is really running.

00:32.570 --> 00:35.330
And this time it hits the API.

00:35.360 --> 00:46.160
CreateProcessInternalW, and you can see here the parameter for it is this one, ram course dot exe.

00:47.030 --> 00:52.400
So this means that it is going to spawn a child process.

00:53.370 --> 00:55.760
From itself, ram course.

00:56.550 --> 01:02.970
And we can confirm that by going to Process Hacker and keeping an eye on it.

01:03.810 --> 01:06.120
So let's open Process Hacker.

01:11.390 --> 01:19.490
And keep an eye on this process as it is going to spawn another child process out of itself.

01:20.460 --> 01:20.600
It.

01:23.060 --> 01:23.750
Hey, over here.

01:24.170 --> 01:30.400
So after a child process is spawned, it might call NtResumeThread.

01:30.530 --> 01:37.040
For most of the time when malware spawns a child process, it will be in a suspended state, and we can

01:37.040 --> 01:44.090
confirm that by looking at the parameters for this CreateProcessInternal. We can see the parameters

01:44.090 --> 01:46.610
to it either here or here.

01:47.120 --> 01:51.020
Now, CreateProcessInternal over here. CreateProcess

01:51.020 --> 01:58.850
Internal has got 12 parameters, and the important one would be the seventh parameter, dwCreationFlags.

01:59.570 --> 02:07.460
The creation flags would indicate whether you want to create it in a suspended state or otherwise.

02:07.670 --> 02:15.920
So if we look at the seventh parameter here: this is the first parameter, second, third, fourth,

02:15.920 --> 02:23.910
fifth, sixth, seventh: 4. 4 means that it is going to create this process in the suspended state.

02:24.750 --> 02:32.790
So if we know that, we can put another breakpoint on NtResumeThread, because NtResumeThread would

02:32.790 --> 02:36.720
then bring it out of the suspended state eventually.

02:37.140 --> 02:43.740
So now we can set a breakpoint: bp on NtResumeThread,

02:46.500 --> 02:56.010
hit Enter, make sure it's set, NtResumeThread is there, and one more will be WriteProcessMemory.

02:56.010 --> 03:06.330
So breakpoint on WriteProcessMemory. So NtResumeThread and WriteProcessMemory go hand in hand

03:07.890 --> 03:15.540
with CreateProcessInternal. So these three, CreateProcessInternal, WriteProcessMemory, NtResumeThread,

03:16.060 --> 03:22.860
are used to spawn a child process. CreateProcessInternal is to create a separate process, a child process;

03:23.030 --> 03:29.570
WriteProcessMemory is to overwrite a section of the child process with some other code, and NtResume

03:29.600 --> 03:31.820
Thread is to resume a suspended thread.

03:32.530 --> 03:38.290
So CreateProcessInternal creates and suspends a thread so that it can write to it, and then it will

03:38.290 --> 03:42.670
resume it in order to bring it out of the suspended state.

03:42.700 --> 03:49.540
So that's why these three work together hand in hand, and that's why we are putting API breakpoints

03:49.570 --> 03:50.680
on these three.

03:51.160 --> 03:55.030
So now after having done that, we can run.

03:55.030 --> 03:57.220
So let us run now, F9.

03:58.100 --> 03:59.360
And there you go.

03:59.660 --> 04:01.190
WriteProcessMemory.

04:01.370 --> 04:08.750
So WriteProcessMemory is going to write to the child process which has spawned. If you go back

04:08.750 --> 04:09.830
to here now,

04:10.700 --> 04:11.150
Process

04:11.150 --> 04:14.810
Hacker, you will see that the parent has spawned a child.

04:15.500 --> 04:16.970
Just as we expected.

04:17.570 --> 04:23.210
So now if we go back here, it's going to write something into the child memory.

04:23.690 --> 04:26.870
If you look at the API for this.

04:28.140 --> 04:28.680
WriteProcess

04:28.680 --> 04:31.200
Memory has five parameters.

04:31.410 --> 04:35.610
The first is the handle for the process for the child.

04:36.360 --> 04:39.630
And then the second is the base address.

04:39.780 --> 04:45.330
So we can compare that with the parameter here or here.

04:46.050 --> 04:49.020
First is the handle to the child process.

04:49.320 --> 04:51.600
Second is the base address of the child.

04:52.500 --> 04:54.540
And third is your buffer.

04:54.870 --> 04:59.580
That means what it is going to use to write into the child process.

05:00.540 --> 05:06.390
That means it's going to write buffer number three, this one.

05:07.710 --> 05:12.840
So we can follow this in dump number three if we want.

05:12.960 --> 05:20.130
So let's go follow this: select dump number three, right click on this one, and follow the DWORD in

05:20.130 --> 05:20.460
dump.

05:21.690 --> 05:26.320
Follow the DWORD in current dump, which is dump number three.

05:26.340 --> 05:33.860
And as you can see, there is a header, and the complete exe is now found in here.

05:33.880 --> 05:35.920
As you scroll down, you can see.

05:38.760 --> 05:38.970
Okay.

05:38.970 --> 05:41.310
Let's go back to the start of this.

05:42.500 --> 05:44.900
Follow DWORD in current dump.

05:45.080 --> 05:48.590
Okay, so now this is a good place to dump.

05:49.430 --> 05:56.060
So if you want to dump this, you will need to select all this region of memory.

05:56.090 --> 06:04.910
That means you click on the first byte here, and then you scroll all the way down, press Shift

06:05.090 --> 06:09.260
on your keyboard, hold down Shift, and then click on the last byte.

06:10.250 --> 06:14.630
That means you select the entire thing, and now you can dump it.

06:14.900 --> 06:15.890
Right click.

06:15.890 --> 06:21.200
And then you can click on Binary, go to Save To a File.

06:23.000 --> 06:26.180
So we can now dump this to a file.

06:27.710 --> 06:30.860
So I'm going to dump it in my folder.

06:30.910 --> 06:32.030
ram course folder.

06:32.540 --> 06:34.730
And I'm going to call it ram course

06:35.970 --> 06:41.240
dump dot bin and click on Save.

06:43.630 --> 06:48.200
Now, please be aware that the address that you get might be different from mine.

06:48.220 --> 06:52.630
So just follow what you see and what you get for your case.

06:53.020 --> 07:01.420
So now, since we have already done this, if we go to the desktop, the folder, and then the dump we have done, the

07:01.420 --> 07:04.570
size is about 256kB.

07:05.200 --> 07:09.820
So in the next video, we will continue with this analysis.

07:10.420 --> 07:12.130
Thank you for watching.
