Crash Dump Analysis Patterns (Part 75)

Sometimes we look for modules that were loaded and unloaded at some time. lm command lists unloaded modules but some of them could be mapped to address space without using runtime loader. The latter case is common for drm-type protection tools, rootkits, malware or crimeware which can influence a process execution. In such cases we can hope that they still remain in virtual memory and search for them. WinDbg .imgscan command greatly helps in identifying MZ/PE module headers. The following example just illustrates this command without implying that the found module did any harm:

0:000> .imgscan
MZ at 000d0000, prot 00000002, type 01000000 - size 6000
  Name: usrxcptn.dll

MZ at 00350000, prot 00000002, type 01000000 - size 9b000
  Name: ADVAPI32.dll
MZ at 00400000, prot 00000002, type 01000000 - size 23000
  Name: javaw.exe
MZ at 01df0000, prot 00000002, type 01000000 - size 8b000
  Name: OLEAUT32.dll
MZ at 01e80000, prot 00000002, type 01000000 - size 52000
  Name: SHLWAPI.dll
[…]

We don’t see usrxcptn in either loaded or unloaded module lists:

0:002> lm
start    end        module name
00350000 003eb000   advapi32  
00400000 00423000   javaw    
01df0000 01e7b000   oleaut32 
01e80000 01ed2000   shlwapi 
[...]

Unloaded modules:

This is why I call this pattern Hidden Module. We can use Unknown Component pattern to see the module resources if present in memory:

0:002> !dh 000d0000

[...]

SECTION HEADER #4
   .rsrc name
     418 virtual size
    4000 virtual address

     600 size of raw data
    1600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

[...]

0:002> dc 000d0000+4000 L418
[…]
000d4140  […] n…z.)…F.i.l.
000d4150  […] e.D.e.s.c.r.i.p.
000d4160  […] t.i.o.n…..U.s.
000d4170  […]   e.r. .D.u.m.p. .
000d4180  […] U.s.e.r. .M.o.d.
000d4190  […] e. .E.x.c.e.p.t.
000d41a0  […] i.o.n. .D.i.s.p.
000d41b0  […] a.t.c.h.e.r…..

0:002> du 000d416C
000d416c  "User Dump User Mode Exception Di"
000d41ac  "spatcher"

This component seems to be loaded or mapped only if userdump package was fully installed where usrxcptn.dll is a part of its redistribution. Although from the memory dump comment we also see that the dump was taken manually using command line userdump.exe we see that the full userdump package was additionally installed which was probably not necessary (see Correcting Microsoft article about userdump.exe):

Loading Dump File [javaw.dmp]
User Mini Dump File with Full Memory: Only application data is available

Comment: 'Userdump generated complete user-mode minidump with Standalone function on COMPUTER-NAME'

- Dmitry Vostokov @ DumpAnalysis.org -

8 Responses to “Crash Dump Analysis Patterns (Part 75)”

  1. Marc Sherman Says:

    Every once in a while someone will ask how to execute code in a PE image without having to use the OS loader. For ex, someone will ask how to read a DLL from a socket and then execute it (without saving to disk and then calling LoadLibrary).

    This post implies that it can be done and it *is* done with usrxcptn.dll (”it” referring to not using the OS loader).

    Is usrxcptn.dll a Microsoft DLL? If so, do they have an alternative to the OS loader?

    thanks,
    Marc

  2. Dmitry Vostokov Says:

    I’ve just checked that this DLL is present in address space only if we add the application to Process Dumper applet in Control Panel. Process Dumper applet is installed when we do full installation of userdump package. Actually I added notepad.exe there and open it under WinDbg with loader snaps enabled in gflags.exe and I don’t see this DLL in loader traces.

    The alternative to OS loader is widely used. You can just read the file into memory and jump to its code (of course after changing page protection and some other stuff). You can also map the file from the disk into virtual memory and in this case OS will load entire file contents for you.

    usrxcptn.dll is a Microsoft DLL - you can find it in their userdump package.

  3. Marc Sherman Says:

    Did you notice if usrxcptn.dll was loaded at its preferred address? Otherwise manual fixups of global addresses within the module would have to be done (the OS loader takes care of this for you). Unless of course they know the code to execute doesn’t reference any globals.

    Marc

  4. Crash Dump Analysis » Blog Archive » Hooksware Says:

    […] - Hidden Module […]

  5. Dmitry Vostokov Says:

    No it wasn’t loaded at its preferred address which is in PE header specified as:

    0000000000400000 image base

  6. Crash Dump Analysis » Blog Archive » The Memory Visualization Question from Webinar Says:

    […] lm command didn’t show any duplicated loaded and unloaded modules as well as any hidden modules. So I looked at address information and found two identical relatively large regions at the […]

  7. Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study Says:

    […] This address range was not on a loaded module list so I used image scanning command to detect Hidden Module: […]

  8. Dmitry Vostokov Says:

    .imgscan might not be able to find all hidden modules:
    http://www.dumpanalysis.org/blog/index.php/2013/01/18/crash-dump-analysis-patterns-part-194/

Leave a Reply