UGOTAG | Videos with Chapter Markers  
  

Episode Markers
  • 00:15
    #early bird code injection
    Early Bird code injection runs before the target process begins executing its main thread, enabling it to evade antivirus hooks.
  • 00:25
    #Step 1: Create a suspended process    #IDA screen
    EarlyBird attack Step 1: Create a suspended process -- IDA screen showing a call to CreateProcess that starts svchost.exe in a suspended state.
  • 00:35
    #Step 2: Allocate and write malicious code into that process    #Process Hacker
    EarlyBird attack Step 2: Allocate and write malicious code into that process -- Process Hacker showing the explorer.exe process that the malware injected into.
  • 00:60
    #Step 3: queue an APC    #Call to NtQueueApcThread
    EarlyBird attack Step 3: Queue an APC -- call to NtQueueApcThread.
  • 01:06
    #62F5B in the ECX register
    The Asynchronous Procedure Call (APC) address, 62F5B, is held in the ECX register.
  • 01:36
    #Step 4: ResumeThread to execute the APC
    EarlyBird attack Step 4: ResumeThread to execute the APC -- on ResumeThread, the breakpoint should be hit.

Early Bird Malware Code Injection Technique HD

Cyberbit malware researchers discovered a new malware injection technique that executes malicious code before the entry point of a process's main thread. Because the code runs before the main thread resumes, it can bypass security product hooks that are not in place by the time execution is resumed.

Community tags: computer_security