Comments on: Crash Dump Analysis Patterns (Part 75) https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/ Structural and Behavioral Patterns for Software Diagnostics, Forensics and Prognostics Wed, 06 May 2026 00:19:17 +0000 http://wordpress.org/?v=2.3.3 By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-676544 Dmitry Vostokov Fri, 18 Jan 2013 22:12:30 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-676544 .imgscan might not be able to find all hidden modules: http://www.dumpanalysis.org/blog/index.php/2013/01/18/crash-dump-analysis-patterns-part-194/ .imgscan might not be able to find all hidden modules:
http://www.dumpanalysis.org/blog/index.php/2013/01/18/crash-dump-analysis-patterns-part-194/

]]> By: Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-194870 Crash Dump Analysis » Blog Archive » Crash Dump Analysis of Defective Malware: A Case Study Wed, 20 Oct 2010 10:11:21 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-194870 [...] This address range was not on a loaded module list so I used image scanning command to detect Hidden Module: [...] […] This address range was not on a loaded module list so I used image scanning command to detect Hidden Module: […]

]]> By: Crash Dump Analysis » Blog Archive » The Memory Visualization Question from Webinar https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-180318 Crash Dump Analysis » Blog Archive » The Memory Visualization Question from Webinar Wed, 01 Sep 2010 14:59:33 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-180318 [...] lm command didn’t show any duplicated loaded and unloaded modules as well as any hidden modules. So I looked at address information and found two identical relatively large regions at the [...] […] lm command didn’t show any duplicated loaded and unloaded modules as well as any hidden modules. So I looked at address information and found two identical relatively large regions at the […]

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37760 Dmitry Vostokov Tue, 12 Aug 2008 10:02:15 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37760 No it wasn't loaded at its preferred address which is in PE header specified as: 0000000000400000 image base No it wasn’t loaded at its preferred address which is in PE header specified as:

0000000000400000 image base

]]> By: Crash Dump Analysis » Blog Archive » Hooksware https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37544 Crash Dump Analysis » Blog Archive » Hooksware Sun, 10 Aug 2008 11:27:29 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37544 [...] - Hidden Module [...] […] - Hidden Module […]

]]> By: Marc Sherman https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37314 Marc Sherman Fri, 08 Aug 2008 17:57:03 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37314 Did you notice if usrxcptn.dll was loaded at its preferred address? Otherwise manual fixups of global addresses within the module would have to be done (the OS loader takes care of this for you). Unless of course they know the code to execute doesn't reference any globals. Marc Did you notice if usrxcptn.dll was loaded at its preferred address? Otherwise manual fixups of global addresses within the module would have to be done (the OS loader takes care of this for you). Unless of course they know the code to execute doesn’t reference any globals.

Marc

]]> By: Dmitry Vostokov https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37309 Dmitry Vostokov Fri, 08 Aug 2008 16:13:27 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37309 I've just checked that this DLL is present in address space only if we add the application to Process Dumper applet in Control Panel. Process Dumper applet is installed when we do full installation of userdump package. Actually I added notepad.exe there and open it under WinDbg with loader snaps enabled in gflags.exe and I don't see this DLL in loader traces. The alternative to OS loader is widely used. You can just read the file into memory and jump to its code (of course after changing page protection and some other stuff). You can also map the file from the disk into virtual memory and in this case OS will load entire file contents for you. usrxcptn.dll is a Microsoft DLL - you can find it in their userdump package. I’ve just checked that this DLL is present in address space only if we add the application to Process Dumper applet in Control Panel. Process Dumper applet is installed when we do full installation of userdump package. Actually I added notepad.exe there and open it under WinDbg with loader snaps enabled in gflags.exe and I don’t see this DLL in loader traces.

The alternative to OS loader is widely used. You can just read the file into memory and jump to its code (of course after changing page protection and some other stuff). You can also map the file from the disk into virtual memory and in this case OS will load entire file contents for you.

usrxcptn.dll is a Microsoft DLL - you can find it in their userdump package.

]]> By: Marc Sherman https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37297 Marc Sherman Fri, 08 Aug 2008 13:57:29 +0000 https://www.dumpanalysis.org/blog/index.php/2008/08/07/crash-dump-analysis-patterns-part-75/#comment-37297 Every once in a while someone will ask how to execute code in a PE image without having to use the OS loader. For ex, someone will ask how to read a DLL from a socket and then execute it (without saving to disk and then calling LoadLibrary). This post implies that it can be done and it *is* done with usrxcptn.dll ("it" referring to not using the OS loader). Is usrxcptn.dll a Microsoft DLL? If so, do they have an alternative to the OS loader? thanks, Marc Every once in a while someone will ask how to execute code in a PE image without having to use the OS loader. For ex, someone will ask how to read a DLL from a socket and then execute it (without saving to disk and then calling LoadLibrary).

This post implies that it can be done and it *is* done with usrxcptn.dll (”it” referring to not using the OS loader).

Is usrxcptn.dll a Microsoft DLL? If so, do they have an alternative to the OS loader?

thanks,
Marc

]]>