Archive for February, 2013
Thursday, February 28th, 2013
Software Diagnostics Services launches its first cyber satellite to survey the state of cyber space and mine its patterns:
http://www.dumpanalysis.com/cybervostok
Notice the satellite logo: it has a UML 2.0 interface sink similar to the Software Diagnostics Institute logo:

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Announcements, Cyber Intelligence, Cyber Problems, Cyber Security, Cyber Space, Cyber Warfare, Logos, Software Diagnostics Services, Uses of UML | No Comments »
Wednesday, February 27th, 2013
The Injected Symbols pattern can be used to add missing symbols when we have Reduced Symbol Information, as was done previously in this old case study. For example, the TestWER module was compiled with static MFC and CRT libraries, and its private PDB file contains all the necessary symbols, including the MSG structure. We can load that module into the notepad.exe process space and apply its symbols:
0:000:x86> lm
start end module name
00fc0000 00ff0000 notepad (pdb symbols) c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000 WinCRT (deferred)
727f0000 7298e000 comctl32 (deferred)
72aa0000 72af1000 winspool (deferred)
72b10000 72b19000 version (deferred)
72e40000 72e48000 wow64cpu (deferred)
72e50000 72eac000 wow64win (pdb symbols) c:\mss\wow64win.pdb\B2D08CC152D64E71B79167DC0A0A53E91\wow64win.pdb
72eb0000 72eef000 wow64 (deferred)
733d0000 733e3000 dwmapi (deferred)
735b0000 73606000 uxtheme (deferred)
746f0000 746fc000 CRYPTBASE (deferred)
74700000 74760000 sspicli (deferred)
747c0000 74817000 shlwapi (deferred)
74830000 7547a000 shell32 (deferred)
755d0000 7564b000 comdlg32 (deferred)
75650000 7567e000 imm32 (deferred)
75770000 75810000 advapi32 (deferred)
75810000 75920000 kernel32 (pdb symbols) c:\mss\wkernel32.pdb\1C690A8592304467BB15A09CEA7180FA2\wkernel32.pdb
75920000 759b0000 gdi32 (deferred)
759b0000 759f7000 KERNELBASE (deferred)
75a00000 75b00000 user32 (pdb symbols) c:\mss\wuser32.pdb\0FCE9CC301ED4567A819705B2718E1D62\wuser32.pdb
75b00000 75b8f000 oleaut32 (deferred)
75be0000 75c7d000 usp10 (deferred)
75ff0000 76009000 sechost (deferred)
76010000 76100000 rpcrt4 (deferred)
76230000 762dc000 msvcrt (deferred)
76470000 7647a000 lpk (deferred)
76480000 7654c000 msctf (deferred)
76550000 766ac000 ole32 (deferred)
766d0000 76753000 clbcatq (deferred)
76e40000 76fe9000 ntdll (deferred)
77020000 771a0000 ntdll_77020000 (pdb symbols) c:\mss\wntdll.pdb\D74F79EB1F8D4A45ABCD2F476CCABACC2\wntdll.pdb
0:000:x86> .sympath+ C:\DebuggingTV\TestWER\x86
Symbol search path is: srv*;C:\DebuggingTV\TestWER\x86
Expanded Symbol search path is: SRV*c:\mss*http://msdl.microsoft.com/download/symbols;c:\debuggingtv\testwer\x86
0:000:x86> .reload /f /i C:\DebuggingTV\TestWER\x86\TestWER.exe=10000000
0:000:x86> lm
start end module name
00fc0000 00ff0000 notepad (pdb symbols) c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000 TestWER (private pdb symbols) c:\debuggingtv\testwer\x86\TestWER.pdb
727f0000 7298e000 comctl32 (deferred)
72aa0000 72af1000 winspool (deferred)
72b10000 72b19000 version (deferred)
72e40000 72e48000 wow64cpu (deferred)
72e50000 72eac000 wow64win (pdb symbols) c:\mss\wow64win.pdb\B2D08CC152D64E71B79167DC0A0A53E91\wow64win.pdb
72eb0000 72eef000 wow64 (deferred)
733d0000 733e3000 dwmapi (deferred)
735b0000 73606000 uxtheme (deferred)
746f0000 746fc000 CRYPTBASE (deferred)
74700000 74760000 sspicli (deferred)
747c0000 74817000 shlwapi (deferred)
74830000 7547a000 shell32 (deferred)
755d0000 7564b000 comdlg32 (deferred)
75650000 7567e000 imm32 (deferred)
75770000 75810000 advapi32 (deferred)
75810000 75920000 kernel32 (pdb symbols) c:\mss\wkernel32.pdb\1C690A8592304467BB15A09CEA7180FA2\wkernel32.pdb
75920000 759b0000 gdi32 (deferred)
759b0000 759f7000 KERNELBASE (deferred)
75a00000 75b00000 user32 (pdb symbols) c:\mss\wuser32.pdb\0FCE9CC301ED4567A819705B2718E1D62\wuser32.pdb
75b00000 75b8f000 oleaut32 (deferred)
75be0000 75c7d000 usp10 (deferred)
75ff0000 76009000 sechost (deferred)
76010000 76100000 rpcrt4 (deferred)
76230000 762dc000 msvcrt (deferred)
76470000 7647a000 lpk (deferred)
76480000 7654c000 msctf (deferred)
76550000 766ac000 ole32 (deferred)
766d0000 76753000 clbcatq (deferred)
76e40000 76fe9000 ntdll (deferred)
77020000 771a0000 ntdll_77020000 (pdb symbols) c:\mss\wntdll.pdb\D74F79EB1F8D4A45ABCD2F476CCABACC2\wntdll.pdb
0:000:x86> kv
ChildEBP RetAddr Args to Child
0013fe34 75a1790d 0013fe74 00000000 00000000 user32!NtUserGetMessage+0x15
0013fe50 00fc148a 0013fe74 00000000 00000000 user32!GetMessageW+0x33
0013fe90 00fc16ec 00fc0000 00000000 00354082 notepad!WinMain+0xe6
0013ff20 758233aa 7efde000 0013ff6c 77059ef2 notepad!_initterm_e+0x1a1
0013ff2c 77059ef2 7efde000 57785ae5 00000000 kernel32!BaseThreadInitThunk+0xe
0013ff6c 77059ec5 00fc3689 7efde000 00000000 ntdll_77020000!__RtlUserThreadStart+0x70
0013ff84 00000000 00fc3689 7efde000 00000000 ntdll_77020000!_RtlUserThreadStart+0x1b
0:000:x86> dt -r MSG 0013fe74
TestWER!MSG
+0x000 hwnd : 0x0007149c HWND__
+0x000 unused : ??
+0x004 message : 0x113
+0x008 wParam : 0x38a508
+0x00c lParam : 0n1921500630
+0x010 time : 0x2079a177
+0x014 pt : tagPOINT
+0x000 x : 0n1337
+0x004 y : 0n448
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Crash Dump Patterns | No Comments »
Tuesday, February 26th, 2013
Sometimes we have Reduced Symbolic Information for modules, which can range from stripped or public symbol files to exported function names only. In such cases we can use API function prototypes, structure definitions and possible String Parameters to make sense of function arguments:
0:000:x86> kv
ChildEBP RetAddr Args to Child
0013fe34 75a1790d 0013fe74 00000000 00000000 user32!NtUserGetMessage+0x15
0013fe50 00fc148a 0013fe74 00000000 00000000 user32!GetMessageW+0x33
0013fe90 00fc16ec 00fc0000 00000000 00354082 notepad!WinMain+0xe6
0013ff20 758233aa 7efde000 0013ff6c 77059ef2 notepad!_initterm_e+0x1a1
0013ff2c 77059ef2 7efde000 57785ae5 00000000 kernel32!BaseThreadInitThunk+0xe
0013ff6c 77059ec5 00fc3689 7efde000 00000000 ntdll_77020000!__RtlUserThreadStart+0x70
0013ff84 00000000 00fc3689 7efde000 00000000 ntdll_77020000!_RtlUserThreadStart+0x1b
The first parameter of the GetMessage API is a pointer to a MSG structure:
0:000:x86> dt MSG 0013fe74
Symbol MSG not found.
From MSDN we find this structure definition:
typedef struct tagMSG {
HWND hwnd;
UINT message;
WPARAM wParam;
LPARAM lParam;
DWORD time;
POINT pt;
} MSG, *PMSG, *LPMSG;
0:000:x86> dc 0013fe74 L7
0013fe74 0007149c 00000113 0038a508 7287c5d6 ..........8....r
0013fe84 2079a177 00000539 000001c0 w.y 9.......
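The same reinterpretation done by hand, as an added example that is not the post's code: the two `dc` lines above are embedded as a constructed copy, parsed into dwords and laid over the MSDN tagMSG layout, which reproduces the hwnd, WM_TIMER message id, lParam and pt values that `dt -r MSG` printed once the TestWER symbols were injected.

```python
"""Decode the raw `dc` dwords of the MSG structure using the MSDN layout.
Added example, not the post's code; DC_OUTPUT is a constructed copy of the post's two lines."""
import struct

DC_OUTPUT = """\
0013fe74 0007149c 00000113 0038a508 7287c5d6 ..........8....r
0013fe84 2079a177 00000539 000001c0 w.y 9......."""

# x86 layout of tagMSG from the definition above: HWND, UINT, WPARAM, LPARAM, DWORD, POINT{LONG x, LONG y}.
# LPARAM and the POINT members are signed, which is why `dt` printed lParam and pt as 0n decimals.
MSG_LAYOUT = "<IIIlIll"
MSG_FIELDS = ("hwnd", "message", "wParam", "lParam", "time", "pt.x", "pt.y")
WM_TIMER = 0x0113   # real window message constant, used to read the `message` field


def parse_dc(text):
    """Collect the little-endian dword values from `dc` output, skipping the trailing ASCII column."""
    words = []
    for line in text.splitlines():
        for tok in line.split()[1:5]:          # at most four dwords follow the address
            if len(tok) != 8 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break                          # reached the ASCII column on a short line
            words.append(int(tok, 16))
    return words


def decode_msg(words):
    """Reinterpret the first seven dwords as a MSG, as `dt MSG` would with symbols present."""
    raw = struct.pack("<%dI" % len(words), *words)
    values = struct.unpack(MSG_LAYOUT, raw[:struct.calcsize(MSG_LAYOUT)])
    return dict(zip(MSG_FIELDS, values))


def describe(msg):
    """Render the decoded structure in a `dt`-like form, naming the one message id we know."""
    name = "WM_TIMER" if msg["message"] == WM_TIMER else "0x%x" % msg["message"]
    return "\n".join([
        "hwnd    : 0x%08x" % msg["hwnd"],
        "message : %s" % name,
        "wParam  : 0x%x" % msg["wParam"],
        "lParam  : 0n%d" % msg["lParam"],
        "time    : 0x%x" % msg["time"],
        "pt      : (0n%d, 0n%d)" % (msg["pt.x"], msg["pt.y"]),
    ])


if __name__ == "__main__":
    print(describe(decode_msg(parse_dc(DC_OUTPUT))))
```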
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Crash Dump Patterns | No Comments »
Tuesday, February 26th, 2013
Sometimes we have a Truncated Stack Trace and need to perform manual stack trace reconstruction of the missing part to get an approximate full stack trace. Often we are only able to reconstruct some parts and glue them together, perhaps with some intermediate frames missing:

For example, we have this truncated stack trace due to the lack of symbols:
1: kd> k
ChildEBP RetAddr
97543b6c 85adf579 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
97543be8 85adf770 myfault+0x579
97543bf4 85adf7fc myfault+0x770
97543c2c 81827ecf myfault+0x7fc
97543c44 81988f65 nt!IofCallDriver+0x63
97543c64 81989f25 nt!IopSynchronousServiceTail+0x1e0
97543d00 8198ee8d nt!IopXxxControlFile+0x6b7
97543d34 8188c96a nt!NtDeviceIoControlFile+0x2a
97543d34 77510f34 nt!KiFastCallEntry+0x12a
0012f9a0 7750f850 ntdll!KiFastSystemCallRet
0012f9a4 77417c92 ntdll!NtDeviceIoControlFile+0xc
0012fa04 00401a5b kernel32!DeviceIoControl+0x14a
0012fa94 7700becf NotMyfault+0x1a5b
0012facc 00000000 USER32!xxxDrawButton+0xc1
Manual stack reconstruction yields this fragment:
1: kd> k L=0012fb94 0012fb94 0012fb94
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fb94 77001ae8 0x12fb94
0012fc0c 7700286a USER32!UserCallWinProcCheckWow+0x14b
0012fc4c 77002bba USER32!SendMessageWorker+0x4b7
0012fc6c 7700c6b4 USER32!SendMessageW+0x7c
0012fc84 7700c7c9 USER32!xxxButtonNotifyParent+0x41
0012fca0 7700c7e8 USER32!xxxBNReleaseCapture+0xf7
0012fd24 7701632e USER32!ButtonWndProcWorker+0x910
0012fd44 77001a10 USER32!ButtonWndProcA+0x4c
0012fd70 77001ae8 USER32!InternalCallWinProc+0x23
0012fde8 77002a47 USER32!UserCallWinProcCheckWow+0x14b
0012fe4c 77002a98 USER32!DispatchMessageWorker+0x322
0012fe5c 76ff11fc USER32!DispatchMessageW+0xf
0012fe80 76fe98d2 USER32!IsDialogMessageW+0x586
0012fea0 00401cc9 USER32!IsDialogMessageA+0xff
0012ff10 004022ec NotMyfault+0x1cc9
00000000 00000000 NotMyfault+0x22ec
And finally we get the usual third fragment, the thread start:
1: kd> k L=0012ffa0 0012ffa0 0012ffa0
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ffa0 77413833 0x12ffa0
0012ffac 774ea9bd kernel32!BaseThreadInitThunk+0xe
0012ffec 00000000 ntdll!_RtlUserThreadStart+0x23
Gluing them together, we get this approximate stack trace:
97543b6c 85adf579 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
97543be8 85adf770 myfault+0x579
97543bf4 85adf7fc myfault+0x770
97543c2c 81827ecf myfault+0x7fc
97543c44 81988f65 nt!IofCallDriver+0x63
97543c64 81989f25 nt!IopSynchronousServiceTail+0x1e0
97543d00 8198ee8d nt!IopXxxControlFile+0x6b7
97543d34 8188c96a nt!NtDeviceIoControlFile+0x2a
97543d34 77510f34 nt!KiFastCallEntry+0x12a
0012f9a0 7750f850 ntdll!KiFastSystemCallRet
0012f9a4 77417c92 ntdll!NtDeviceIoControlFile+0xc
0012fa04 00401a5b kernel32!DeviceIoControl+0x14a
0012fa94 7700becf NotMyfault+0x1a5b
0012fc0c 7700286a USER32!UserCallWinProcCheckWow+0x14b
0012fc4c 77002bba USER32!SendMessageWorker+0x4b7
0012fc6c 7700c6b4 USER32!SendMessageW+0x7c
0012fc84 7700c7c9 USER32!xxxButtonNotifyParent+0x41
0012fca0 7700c7e8 USER32!xxxBNReleaseCapture+0xf7
0012fd24 7701632e USER32!ButtonWndProcWorker+0x910
0012fd44 77001a10 USER32!ButtonWndProcA+0x4c
0012fd70 77001ae8 USER32!InternalCallWinProc+0x23
0012fde8 77002a47 USER32!UserCallWinProcCheckWow+0x14b
0012fe4c 77002a98 USER32!DispatchMessageWorker+0x322
0012fe5c 76ff11fc USER32!DispatchMessageW+0xf
0012fe80 76fe98d2 USER32!IsDialogMessageW+0x586
0012fea0 00401cc9 USER32!IsDialogMessageA+0xff
0012ff10 004022ec NotMyfault+0x1cc9
0012ffac 774ea9bd kernel32!BaseThreadInitThunk+0xe
0012ffec 00000000 ntdll!_RtlUserThreadStart+0x23
We call this pattern Glued Stack Trace.
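The mechanics of the three `k` walks and the gluing step, as an added example rather than anything from the post: a saved-EBP chain walker over a constructed stack image (addresses borrowed from the fragments above, module ranges constructed since the scenario has no symbols), resumed by hand at the analyst's chosen EBP values, and a glue step that drops the bogus frame each resume produces and the dangling frame at each break.

```python
"""Walk a (constructed) 32-bit EBP frame chain and glue the fragments.
Added example; the stack contents and module ranges are constructed, not the post's."""

# Constructed module ranges (start, end), standing in for `lm` output in a dump without symbols.
MODULES = {
    "NotMyfault": (0x00400000, 0x00410000),
    "USER32": (0x76FE0000, 0x77070000),
    "kernel32": (0x77400000, 0x77480000),
    "ntdll": (0x774E0000, 0x77580000),
}

# Constructed stack memory, address -> dword. Each frame is [saved EBP][return address], with
# addresses borrowed from the post's fragments; the chain is deliberately broken at 0012facc
# (zero saved EBP) so that it has to be resumed by hand, as `k L=<ebp> <ebp> <eip>` does.
STACK = {
    0x0012FA04: 0x0012FA94, 0x0012FA08: 0x00401A5B,
    0x0012FA94: 0x0012FACC, 0x0012FA98: 0x7700BECF,
    0x0012FACC: 0x00000000, 0x0012FAD0: 0x00000000,   # broken: the unwind stops here
    0x0012FB94: 0x0012FC0C, 0x0012FB98: 0x77001AE8,   # resume point chosen by the analyst
    0x0012FC0C: 0x0012FC4C, 0x0012FC10: 0x7700286A,
    0x0012FC4C: 0x0012FF10, 0x0012FC50: 0x00401CC9,
    0x0012FF10: 0x00000000, 0x0012FF14: 0x004022EC,   # broken again before the thread start
    0x0012FFA0: 0x0012FFAC, 0x0012FFA4: 0x77413833,   # second resume point
    0x0012FFAC: 0x0012FFEC, 0x0012FFB0: 0x774EA9BD,
    0x0012FFEC: 0x00000000, 0x0012FFF0: 0x00000000,   # genuine end of the thread's stack
}


def symbolize(addr):
    """module+offset for an address inside a known module, else None (WinDbg prints a bare number)."""
    for name, (start, end) in MODULES.items():
        if start <= addr < end:
            return "%s+0x%x" % (name, addr - start)
    return None


def walk_frames(mem, ebp, eip, max_frames=64):
    """Follow the saved-EBP chain from (ebp, eip) like `k L=<ebp> <ebp> <eip>`.
    Returns [(child_ebp, ret_addr, symbol)], symbol None when eip lies in no module."""
    frames = []
    while ebp in mem and len(frames) < max_frames:
        saved_ebp, ret_addr = mem[ebp], mem.get(ebp + 4, 0)
        frames.append((ebp, ret_addr, symbolize(eip)))
        if saved_ebp <= ebp:      # frames must ascend; zero or backwards means the chain is broken
            break
        ebp, eip = saved_ebp, ret_addr
    return frames


def glue(fragments):
    """Glue fragments in the order the analyst supplies them, dropping the bogus frame that each
    manual resume produces (IP in no module) and the dangling zero-return-address frame at a
    break, but keeping a zero return address on the very last frame (the thread start)."""
    glued = []
    for i, frag in enumerate(fragments):
        for j, frame in enumerate(frag):
            _, ret_addr, symbol = frame
            is_last = (i == len(fragments) - 1 and j == len(frag) - 1)
            if symbol is None or (ret_addr == 0 and not is_last):
                continue
            glued.append(frame)
    return glued


def format_frames(frames):
    """Render frames in the ChildEBP / RetAddr / symbol layout of `k`."""
    return "\n".join("%08x %08x %s" % (ebp, ret, sym or "0x%x" % ebp) for ebp, ret, sym in frames)


def reconstruct():
    """Three walks matching the post's three fragments, then the glued result."""
    fragments = [
        walk_frames(STACK, 0x0012FA04, 0x77417C92),   # k: unwinds until the zero saved EBP
        walk_frames(STACK, 0x0012FB94, 0x0012FB94),   # k L=0012fb94 0012fb94 0012fb94
        walk_frames(STACK, 0x0012FFA0, 0x0012FFA0),   # k L=0012ffa0 0012ffa0 0012ffa0
    ]
    return fragments, glue(fragments)


if __name__ == "__main__":
    frags, glued = reconstruct()
    for frag in frags:
        print(format_frames(frag), "\n")
    print(format_frames(glued))
```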
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Crash Dump Patterns, Debugging | No Comments »
Friday, February 15th, 2013
Inter-Correlation analysis between a normal log and a problem log to find a Bifurcation Point (and a possible root cause) becomes a difficult task when the two traces come from different environments with widely differing Background Components. Here a new analysis pattern called Sheaf of Activities (the name is borrowed from sheaves in mathematics) can help. Basically, this pattern is also a tool for tracking properties of trace message subsets. First we find the important message types around some Activity Region where we hope to find a difference between the two traces:

Then we create several Adjoint Threads from different message types, for example, based on operation type or function name:

Then we analyze the subtraces separately to find a bifurcation point in each of them, and use this knowledge to find the differences between the original full traces.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Debugging, Process Monitor Log Analysis, Software Trace Analysis, Software Trace Reading, Trace Analysis Patterns | No Comments »
Sunday, February 10th, 2013
The discovery of a “black hole horizon” in a complete memory dump inspired this fictitious malware. There, in a dump, we discovered an innocuous ASCII message:
fffff880`15925010 fffff880`159250d0 "Dumping physical memory to disk: 80% ."
A little thought and we realized that this page was saved to a page file at the time when only 80% of memory had been dumped. So we do not know what was in that page during the rest of the time (and never will). I guess Cadaver Worms live there, spreading from PC to PC and causing blue screens immediately upon infection to minimize discovery. They are not in crash dumps because they relocate themselves during the system dump procedure. They thaw frozen CPUs and send themselves over the network. Who would suspect a computer showing a blue screen of sending network packets?

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Fun with Malware, Malware Analysis, Malware Fiction | No Comments »
Sunday, February 10th, 2013
The Out-of-Module Pointer pattern is about pointers to addresses outside the containing module's range. A typical example would be some kernel table or structure, for example, a driver's IRP dispatch table having pointers outside that driver's module address range. Other examples include 32-bit SSDT entries pointing outside the nt module range and IDT entries pointing outside hal and the expected drivers:
[...]
818809dc 8193c4e7 nt!NtQueryOpenSubKeys
818809e0 8193c76b nt!NtQueryOpenSubKeysEx
818809e4 81a909b0 nt!NtQueryPerformanceCounter
818809e8 819920e7 nt!NtQueryQuotaInformationFile
818809ec 819e34f2 nt!NtQuerySection
818809f0 819f470b nt!NtQuerySecurityObject
818809f4 81a882fe nt!NtQuerySemaphore
818809f8 819eff54 nt!NtQuerySymbolicLinkObject
818809fc 81a8a223 nt!NtQuerySystemEnvironmentValue
81880a00 81a8a831 nt!NtQuerySystemEnvironmentValueEx
81880a04 96ca1a73
81880a08 81a7ac06 nt!NtQuerySystemTime
81880a0c 81a8f913 nt!NtQueryTimer
81880a10 81a7aeeb nt!NtQueryTimerResolution
81880a14 8193985a nt!NtQueryValueKey
81880a18 819e9273 nt!NtQueryVirtualMemory
81880a1c 8199274e nt!NtQueryVolumeInformationFile
81880a20 81a1a655 nt!NtQueueApcThread
[...]
0: kd> lm m nt
start end module name
81800000 81ba1000 nt
Such pointers may also be Raw Pointers, but it could also be the case that, in the absence of symbols, all pointers are raw and only a few are outside the expected range.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Core Dump Analysis, Malware Analysis, Malware Patterns, Victimware, Victimware Analysis | No Comments »
Saturday, February 9th, 2013
The Raw Pointer pattern is about pointers without matching symbol files. They may be in the expected module range or in some other known module range, shown in the form module+offset, or they can be completely outside the range of any module in the loaded module list and therefore just a number. For example, we usually have certain structures or arrays (tables) where we expect pointers with matching symbols, such as the IAT, IDT and 32-bit SSDT, where the occurrence of a raw pointer immediately triggers suspicion, as in this Import Address Table from ProcessA:
[...]
00000001`3f8a9048 00000000`76e282d0 ntdll!RtlSizeHeap
00000001`3f8a9050 00000000`76bf9070 kernel32!GetStringTypeWStub
00000001`3f8a9058 00000000`76c03580 kernel32!WideCharToMultiByteStub
00000001`3f8a9060 00000000`76e33f20 ntdll!RtlReAllocateHeap
00000001`3f8a9068 00000000`76e533a0 ntdll!RtlAllocateHeap
00000001`3f8a9070 00000000`76bfc420 kernel32!GetCommandLineWStub
00000001`3f8a9078 00000001`3f8a1638 ProcessA+0x10ac
00000001`3f8a9080 00000000`76c2cc50 kernel32!IsProcessorFeaturePresent
00000001`3f8a9088 00000000`76c02d60 kernel32!GetLastErrorStub
00000001`3f8a9090 00000000`76c02d80 kernel32!SetLastError
00000001`3f8a9098 00000000`76bf3ee0 kernel32!GetCurrentThreadIdStub
[...]
Note that such structures are not limited to the above and can be any OS or even application-specific structure for which we have symbol files. Raw pointers that are outside the expected module range are covered in the next pattern.
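Both patterns reduce to one range check over a pointer table, shown here as an added example (not the posts' tool) for the SSDT fragment in the Out-of-Module Pointer post above and the ProcessA IAT in this post: every entry is expected to resolve, with a symbol, into one of the modules that should own it. The SSDT rows and the nt range are copied from the earlier post; the user-mode ranges for ntdll, kernel32 and ProcessA are constructed.

```python
"""Flag Raw Pointers and Out-of-Module Pointers in `dps`-style tables (SSDT, IAT, ...).
Added example, not the posts' tool. The SSDT lines and the nt range come from the post above;
the IAT module ranges (ntdll, kernel32, ProcessA) are constructed."""
import re

# A `dps` row: slot address, pointer value, optional symbol; 64-bit values carry a backtick.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F`]+)\s+([0-9a-fA-F`]+)(?:\s+(\S+))?")

SSDT = """\
81880a00 81a8a831 nt!NtQuerySystemEnvironmentValueEx
81880a04 96ca1a73
81880a08 81a7ac06 nt!NtQuerySystemTime
"""
MODULES_KD = {"nt": (0x81800000, 0x81BA1000)}     # from `lm m nt` in the post

IAT = """\
00000001`3f8a9048 00000000`76e282d0 ntdll!RtlSizeHeap
00000001`3f8a9070 00000000`76bfc420 kernel32!GetCommandLineWStub
00000001`3f8a9078 00000001`3f8a1638 ProcessA+0x10ac
00000001`3f8a9080 00000000`76c2cc50 kernel32!IsProcessorFeaturePresent
"""
MODULES_USER = {                                    # constructed ranges for the IAT sample
    "ntdll": (0x76E00000, 0x76FA0000),
    "kernel32": (0x76BF0000, 0x76D00000),
    "ProcessA": (0x13F8A0000, 0x13F8B0000),
}


def parse_dps(text):
    """Return [(slot, value, symbol_or_None)]; lines that are not table rows (e.g. '[...]') are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            slot, value, sym = m.groups()
            rows.append((int(slot.replace("`", ""), 16), int(value.replace("`", ""), 16), sym))
    return rows


def module_of(addr, modules):
    """Name of the module whose [start, end) range holds addr, or None."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return name
    return None


def check_table(text, modules, expected):
    """Findings for entries that violate 'every pointer resolves, with a symbol, into an expected module'."""
    findings = []
    for slot, value, sym in parse_dps(text):
        mod = module_of(value, modules)
        if mod is None:
            findings.append((slot, value, "out-of-module"))      # in no loaded module at all
        elif mod not in expected:
            findings.append((slot, value, "unexpected:" + mod))  # e.g. an import resolved into the EXE itself
        elif sym is None:
            findings.append((slot, value, "raw"))                # right module, but no symbol matched
    return findings


if __name__ == "__main__":
    found = check_table(SSDT, MODULES_KD, {"nt"}) + check_table(IAT, MODULES_USER, {"ntdll", "kernel32"})
    for slot, value, why in found:
        print("%x -> %x : %s" % (slot, value, why))
```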
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Malware Analysis, Malware Patterns, Victimware, Victimware Analysis | No Comments »
Saturday, February 9th, 2013
The Hooksware pattern originally came from the memory dump analysis pattern catalog and is too general for the malware analysis pattern catalog. So we decided to factor out 3 separate patterns. The first one is called Patched Code and includes cases such as in-place patching:
0:004> u ntdll!ZwQueryDirectoryFile
ntdll!ZwQueryDirectoryFile:
77814db4 b8da000000 mov eax,0DAh
77814db9 bae8af0500 mov edx,5AFE8h
77814dbe ff12 call dword ptr [edx]
77814dc0 c22c00 ret 2Ch
77814dc3 90 nop
ntdll!NtQueryDirectoryObject:
77814dc4 b8db000000 mov eax,0DBh
77814dc9 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
77814dce ff12 call dword ptr [edx]
and detour patching:
0:004> u wininet!InternetReadFile
wininet!InternetReadFile:
7758654b e98044ac88 jmp 0004a9d0
77586550 83ec24 sub esp,24h
77586553 53 push ebx
77586554 56 push esi
77586555 57 push edi
77586556 33ff xor edi,edi
77586558 393db8116277 cmp dword ptr [wininet!GlobalDataInitialized (776211b8)],edi
7758655e 897df4 mov dword ptr [ebp-0Ch],edi
In the case of WinDbg such a pattern is usually detected at the crash spot, for example from a RIP Stack Trace or from !chkimg command output.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Assembly Language, Crash Dump Analysis, Malware Analysis, Malware Patterns, Victimware, Victimware Analysis | No Comments »
Friday, February 8th, 2013
The Indexical Trace pattern describes an Inter-Correlation pattern variant where we have a trace whose messages of interest point to specific activity regions in another trace. The latter trace can be very large, from another computer and split into many parts (Split Trace). This pattern is very helpful when the problem needs to be diagnosed in the large split trace but we don't know when it happened. An index trace that has recorded an account of software execution (for example, in the case of a broker-like architecture) can then point to the right trace fragment of the split trace.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in CDF Analysis Tips and Tricks, Debugging, Software Architecture, Software Trace Analysis, Software Trace Reading, Trace Analysis Patterns | No Comments »
Thursday, February 7th, 2013
Posted in Art, Computicart (Computical Art), Fun with Crash Dumps, Fun with Debugging, Fun with Software Diagnostics, Fun with Software Traces, Fun with WinDbg, Windows 8, x64 Windows | No Comments »
Thursday, February 7th, 2013
If debugging were profitable, everybody would be debugging.
Thomas More
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Bugtations, Debugging, Fun with Debugging | No Comments »
Wednesday, February 6th, 2013
Steps:
1. Open a crash dump or attach WinDbg to a process you can sacrifice.
2. Enter this command: eb rsp <UNICODE string> [00 00]
0: kd> eb rsp 42 00 65 00 65 00 74 00 68 00 6F 00 76 00 65 00 6E 00 3A 00 20 00 53 00 79 00 6D 00 70 00 68 00 6F 00 6E 00 69 00 65 00 73 00 20 00 31 00 20 00 61 00 6E 00 64 00 20 00 33 00 00 00
Note: use esp for a 32-bit dump. The final NULL terminator bytes 00 00 are not necessary if the string already has them.
3. Enter this command: du rsp
0: kd> du rsp
fffff880`15925ae8 "Beethoven: Symphonies 1 and 3"
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Fun with WinDbg, WinDbg Tips and Tricks | No Comments »
Tuesday, February 5th, 2013
As usual, a new pattern arises from the need to communicate analysis findings. Most often when analyzing malware we don't have symbol files (No Component Symbols) for an Unknown Module. By looking at the IAT (if one is present) we can guess the module's purpose. Sometimes a module itself is not malicious but is used in a larger malicious context, such as screen grabbing:
[...]
10002000 76376101 gdi32!CreateCompatibleDC
10002004 763793d6 gdi32!StretchBlt
10002008 76377461 gdi32!CreateDIBSection
1000200c 763762a0 gdi32!SelectObject
10002010 00000000
10002024 77429ced user32!ReleaseDC
10002028 77423ba7 user32!NtUserGetWindowDC
1000202c 77430e21 user32!GetWindowRect
10002030 00000000
10002034 744a75e9 GdiPlus!GdiplusStartup
10002038 744976dd GdiPlus!GdipSaveImageToStream
1000203c 744cdd38 GdiPlus!GdipGetImageEncodersSize
10002040 744971cf GdiPlus!GdipDisposeImage
10002044 744a8591 GdiPlus!GdipCreateBitmapFromHBITMAP
10002048 744cdbae GdiPlus!GdipGetImageEncoders
[...]
There are also cases where these API names are not in the IAT but are found as String Hints in raw data, such as LoadLibrary / GetProcAddress, and even a group of module names themselves as a collective API:
[...]
00058e20 "kernel32.dll"
00058e3c "user32.dll"
00058e54 "ws2_32.dll"
00058e6c "ntdll.dll"
00058e80 "wininet.dll"
00058e98 "nspr4.dll"
00058eac "ssl3.dll"
[...]
We name this pattern Namespace.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Malware Analysis, Malware Patterns, Victimware, Victimware Analysis | No Comments »
Sunday, February 3rd, 2013
It is a well-known fact that page heap is implemented by placing allocations at the ends of pages, with the next page non-accessible, to catch buffer overruns leading to heap corruption. The best way to see it is to use the !address command, which dumps all such allocations:
0:004> !gflag
Current NtGlobalFlag contents: 0x02000000
hpa - Place heap allocations at ends of pages
0:004> !address
[...]
20b10000 20b11000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b11000 20b12000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b12000 20b13000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b13000 20b14000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b14000 20b15000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b15000 20b1a000 5000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1a000 20b1b000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1b000 20b1c000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1c000 20b1d000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1d000 20b1e000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1e000 20b1f000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1f000 20b20000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
+ 20b20000 20b21000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b21000 20b26000 5000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b26000 20b27000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b27000 20b28000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b28000 20b29000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b29000 20b2a000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b2a000 20b2b000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b2b000 20b2f000 4000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b2f000 20b30000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b30000 20b3f000 f000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b3f000 20b40000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b40000 20b41000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b41000 20b42000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b42000 20b45000 3000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b45000 20b46000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b46000 20b4b000 5000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4b000 20b4c000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4c000 20b4d000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4d000 20b4e000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4e000 20b4f000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4f000 20b50000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b50000 20b51000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b51000 20b52000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b52000 20b57000 5000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b57000 20b58000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b58000 20b5d000 5000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b5d000 20b5e000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b5e000 20b5f000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b5f000 20b60000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b60000 20b61000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b61000 20b62000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b62000 20b6b000 9000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b6b000 20b6f000 4000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b6f000 20b71000 2000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b71000 20b72000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b72000 20b73000 1000 MEM_PRIVATE MEM_RESERVE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
20b73000 20b74000 1000 MEM_PRIVATE MEM_COMMIT PAGE_READWRITE PageHeap [PageHeap: 1f241000; NormalHeap: 1f410000]
[...]
0:004> dc 20b26000 20b27000
20b26900 00000000 00000000 00000000 00000000 …………….
20b26910 00000000 00000000 00000000 00000000 …………….
20b26920 00000000 00000000 00000000 00000000 …………….
20b26930 00000000 00000000 00000000 00000000 …………….
20b26940 00000000 00000000 00000000 00000000 …………….
20b26950 00000000 00000000 00000000 00000000 …………….
20b26960 00000000 00000000 00000000 00000000 …………….
20b26970 00000000 00000000 00000000 00000000 …………….
20b26980 00000000 00000000 00000000 00000000 …………….
20b26990 00000000 00000000 00000000 00000000 …………….
20b269a0 00000000 00000000 00000000 00000000 …………….
20b269b0 00000000 00000000 00000000 00000000 …………….
20b269c0 00000000 00000000 00000000 00000000 …………….
20b269d0 00000000 00000000 00000000 00000000 …………….
20b269e0 00000000 00000000 00000000 00000000 …………….
20b269f0 00000000 00000000 00000000 00000000 …………….
20b26a00 00000000 00000000 00000000 00000000 …………….
20b26a10 00000000 00000000 00000000 00000000 …………….
20b26a20 00000000 00000000 00000000 00000000 …………….
20b26a30 00000000 00000000 00000000 00000000 …………….
20b26a40 00000000 00000000 00000000 00000000 …………….
20b26a50 00000000 00000000 00000000 00000000 …………….
20b26a60 00000000 00000000 00000000 00000000 …………….
20b26a70 00000000 00000000 00000000 00000000 …………….
20b26a80 00000000 00000000 00000000 00000000 …………….
20b26a90 00000000 00000000 00000000 00000000 …………….
20b26aa0 00000000 00000000 00000000 00000000 …………….
20b26ab0 00000000 00000000 00000000 00000000 …………….
20b26ac0 00000000 00000000 00000000 00000000 …………….
20b26ad0 00000000 00000000 00000000 00000000 …………….
20b26ae0 00000000 00000000 00000000 00000000 …………….
20b26af0 00000000 00000000 00000000 00000000 …………….
20b26b00 00000000 00000000 00000000 00000000 …………….
20b26b10 00000000 00000000 00000000 00000000 …………….
20b26b20 00000000 00000000 00000000 00000000 …………….
20b26b30 00000000 00000000 00000000 00000000 …………….
20b26b40 00000000 00000000 00000000 00000000 …………….
20b26b50 00000000 00000000 00000000 00000000 …………….
20b26b60 00000000 00000000 00000000 00000000 …………….
20b26b70 00000000 00000000 00000000 00000000 …………….
20b26b80 00000000 00000000 00000000 00000000 …………….
20b26b90 00000000 00000000 00000000 00000000 …………….
20b26ba0 00000000 00000000 00000000 00000000 …………….
20b26bb0 00000000 00000000 00000000 00000000 …………….
20b26bc0 00000000 00000000 00000000 00000000 …………….
20b26bd0 00000000 00000000 00000000 00000000 …………….
20b26be0 00000000 00000000 00000000 00000000 …………….
20b26bf0 00000000 00000000 00000000 00000000 …………….
20b26c00 00000000 00000000 00000000 00000000 …………….
20b26c10 00000000 00000000 00000000 00000000 …………….
20b26c20 00000000 00000000 00000000 00000000 …………….
20b26c30 00000000 00000000 00000000 00000000 …………….
20b26c40 00000000 00000000 00000000 00000000 …………….
20b26c50 00000000 00000000 00000000 00000000 …………….
20b26c60 00000000 00000000 00000000 00000000 …………….
20b26c70 00000000 00000000 00000000 00000000 …………….
20b26c80 00000000 00000000 00000000 00000000 …………….
20b26c90 00000000 00000000 00000000 00000000 …………….
20b26ca0 00000000 00000000 00000000 00000000 …………….
20b26cb0 00000000 00000000 00000000 00000000 …………….
20b26cc0 00000000 00000000 00000000 00000000 …………….
20b26cd0 00000000 00000000 00000000 00000000 …………….
20b26ce0 00000000 00000000 00000000 00000000 …………….
20b26cf0 00000000 00000000 00000000 00000000 …………….
20b26d00 00000000 00000000 00000000 00000000 …………….
20b26d10 00000000 00000000 00000000 00000000 …………….
20b26d20 00000000 00000000 00000000 00000000 …………….
20b26d30 00000000 00000000 00000000 00000000 …………….
20b26d40 00000000 00000000 00000000 00000000 …………….
20b26d50 00000000 00000000 00000000 00000000 …………….
20b26d60 00000000 00000000 00000000 00000000 …………….
20b26d70 00000000 00000000 00000000 00000000 …………….
20b26d80 00000000 00000000 00000000 00000000 …………….
20b26d90 00000000 00000000 00000000 00000000 …………….
20b26da0 00000000 00000000 00000000 00000000 …………….
20b26db0 00000000 00000000 00000000 00000000 …………….
20b26dc0 00000000 00000000 00000000 00000000 …………….
20b26dd0 00000000 00000000 00000000 00000000 …………….
20b26de0 00000000 00000000 00000000 00000000 …………….
20b26df0 00000000 00000000 00000000 00000000 …………….
20b26e00 00000000 00000000 00000000 00000000 …………….
20b26e10 00000000 00000000 00000000 00000000 …………….
20b26e20 00000000 00000000 00000000 00000000 …………….
20b26e30 00000000 00000000 00000000 00000000 …………….
20b26e40 00000000 00000000 00000000 00000000 …………….
20b26e50 00000000 00000000 00000000 00000000 …………….
20b26e60 00000000 00000000 00000000 00000000 …………….
20b26e70 00000000 00000000 00000000 00000000 …………….
20b26e80 00000000 00000000 00000000 00000000 …………….
20b26e90 00000000 00000000 00000000 00000000 …………….
20b26ea0 00000000 00000000 00000000 00000000 …………….
20b26eb0 00000000 00000000 00000000 00000000 …………….
20b26ec0 00000000 00000000 00000000 00000000 …………….
20b26ed0 00000000 00000000 abcdbbbb 1f241000 …………..$.
20b26ee0 00000108 00000108 00000000 00000000 …………….
20b26ef0 011c6b10 dcbabbbb 1f1bc8b4 00000002 .k…………..
20b26f00 20b79fd0 20b85fd0 20b28fe8 20b2ffe0 … ._. … …
20b26f10 20b3ffe0 20b4bfe8 20b51fe8 20b57fe8 … … … …
20b26f20 00000000 00000000 20b5dfa8 00000000 ……….. ….
20b26f30 00000000 00000000 1f1bcbf0 00000000 …………….
20b26f40 20b71ff8 00000010 1f1bcbf0 00000000 … …………
20b26f50 20b73ff8 00000010 1f1bcbf0 00000000 .?. …………
20b26f60 20b75ff8 00000010 1f1bcbf0 00000000 ._. …………
20b26f70 20b77ff8 00000010 00000000 00000000 … …………
20b26f80 c0c0c001 00000000 c0c00000 00000002 …………….
20b26f90 01000000 00000101 00000000 00000000 …………….
20b26fa0 00000000 c0c0c000 00000000 00000001 …………….
20b26fb0 00000000 00000000 00000000 00000000 …………….
20b26fc0 00000000 00000000 00000000 00000000 …………….
20b26fd0 00000000 00000000 00000000 00000000 …………….
20b26fe0 00000000 00000000 00000000 00000000 …………….
20b26ff0 00000000 00000000 00000000 c0c0c000 …………….
20b27000 ???????? ????
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Debugging | No Comments »
Friday, February 1st, 2013
Memorianic prophecy 0m3 says: “Memory is infinitude of memories.” In the monistic-aspect-pluralist interpretation of Memoidealism, memory is also an attribute of itself. Memorianity considers all memories to be of the same substance as the eternal Memory. All memories are distinct, yet they are one essence. There is only one Memory in memories. Each memory is distinct only in relation to other memories. In M-Memory, M stands for Multiplicity. One analogy here is the concept of the Trinity, with an infinite number of hypostases instead of just three.
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Memoidealism, Memorianic Pilgrimages, Memory Religion (Memorianity), Philosophy, Religion | No Comments »
Friday, February 1st, 2013
This pattern (we call it String Hint) covers ASCII and UNICODE strings found in a module or memory region that look suspicious: website addresses, passwords, HTTP request and form templates, or strange names that intuitively shouldn’t be present given the purpose of a module or its container process. The strings below are in a module loaded into a process that has no business speaking HTTP or handling trading credentials (the example is taken from the Victimware presentation case study):
0:005> s-sa 00040000 L1d000
0004004d "!This program cannot be run in D"
0004006d "OS mode."
00040081 "3y@"
000400b8 "Rich"
000401d0 ".text"
000401f7 "`.rdata"
0004021f "@.data"
00040248 ".reloc"
[...]
00054018 "GET /stat?uptime=%d&downlink=%d&"
00054038 "uplink=%d&id=%s&statpass=%s&comm"
00054058 "ent=%s HTTP/1.0"
000540ac "%s%s%s"
000540d8 "ftp://%s:%s@%s:%d"
000540fc "Accept-Encoding:"
00054118 "Accept-Encoding:"
00054130 "0123456789ABCDEF"
00054144 "://"
00054160 "POST %s HTTP/1.0"
00054172 "Host: %s"
0005417c "User-Agent: %s"
0005418c "Accept: text/html"
0005419f "Connection: Close"
000541b2 "Content-Type: application/x-www-"
000541d2 "form-urlencoded"
000541e3 "Content-Length: %d"
000541fc "id="
00054208 "POST %s HTTP/1.1"
0005421a "Host: %s"
00054224 "User-Agent: %s"
00054234 "Accept: text/html"
00054247 "Connection: Close"
0005425a "Content-Type: application/x-www-"
0005427a "form-urlencoded"
0005428b "Content-Length: %d"
000542a4 "id=%s&base="
000542b8 "id=%s&brw=%d&type=%d&data="
000542d8 "POST %s HTTP/1.1"
000542ea "Host: %s"
000542f4 "User-Agent: %s"
00054304 "Accept: text/html"
00054317 "Connection: Close"
0005432a "Content-Type: application/x-www-"
0005434a "form-urlencoded"
0005435b "Content-Length: %d"
00054378 "id=%s&os=%s&plist="
00054390 "POST %s HTTP/1.1"
000543a2 "Host: %s"
000543ac "User-Agent: %s"
000543bc "Accept: text/html"
000543cf "Connection: Close"
000543e2 "Content-Type: application/x-www-"
00054402 "form-urlencoded"
00054413 "Content-Length: %d"
00054430 "id=%s&data=%s"
00054440 "POST %s HTTP/1.1"
00054452 "Host: %s"
0005445c "User-Agent: %s"
0005446c "Accept: text/html"
0005447f "Connection: Close"
00054492 "Content-Type: application/x-www-"
000544b2 "form-urlencoded"
000544c3 "Content-Length: %d"
000544e0 "GET %s HTTP/1.0"
000544f1 "Host: %s"
000544fb "User-Agent: %s"
0005450b "Connection: close"
00054528 "POST /get/scr.html HTTP/1.0"
00054545 "Host: %s"
0005454f "User-Agent: %s"
0005455f "Connection: close"
00054572 "Content-Length: %d"
00054586 "Content-Type: multipart/form-dat"
000545a6 "a; boundary=--------------------"
000545c6 "-------%d"
000545d4 "-----------------------------%d"
000545f8 "%sContent-Disposition: form-data"
00054618 "; name="id""
00054630 "%sContent-Disposition: form-data"
00054650 "; name="screen"; filename="%d""
00054670 "Content-Type: application/octet-"
00054690 "stream"
000546a0 "%s(%d) : %s"
000546ac "%s failed with error %d: %s"
000546c8 "%02X"
000546d8 "BlackwoodPRO"
000546e8 "FinamDirect"
000546f4 "GrayBox"
000546fc "MbtPRO"
00054704 "Laser"
0005470c "LightSpeed"
00054718 "LTGroup"
00054720 "Mbt"
00054724 "ScotTrader"
00054730 "SaxoTrader"
00054740 "Program: %s"
0005474f "Username: %s"
0005475e "Password: %s"
0005476d "AccountNO: %s"
[...]
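The listing above shows what String Hints look like in practice: printf-style HTTP request and header templates, an ftp://%s:%s@%s:%d URL template with embedded credentials, form bodies such as id=%s&brw=%d&type=%d&data=, a multipart upload of a “screen” file, a run of trading platform names, and Program/Username/Password/AccountNO format strings. WinDbg’s s-sa gives you the raw list; the judgement of which strings are out of place is the analyst’s. The script below is an added example, not code from the post or from the Victimware case study: it extracts ASCII and UTF-16LE runs from a byte buffer the way s-sa and s-su do and tags the ones that match a few hint categories. The rule set, the SAMPLE buffer (constructed to resemble the listing, with one UTF-16LE string added to exercise the wide scanner) and the assumed base address 0x40000 are all choices made for this example.

```python
"""String Hint scanner: find ASCII/UTF-16LE strings in a buffer and tag suspicious ones.
Added example; the rules and the sample buffer are constructed for illustration."""
import re
from typing import List, Tuple

MIN_LEN = 4  # assumed minimum run length, in characters, for a string to be reported

# Printable-ASCII runs (like WinDbg "s -sa") and UTF-16LE runs of printable ASCII (like "s -su").
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Hint categories (assumed for this example; tune per case). Each is (tag, regex on the decoded text).
HINT_RULES = [
    # A printf-style request line such as "POST %s HTTP/1.1" or "GET /stat?uptime=%d... HTTP/1.0"
    ("http-request-template", re.compile(r"^(?:GET|POST) \S+ HTTP/1\.[01]$")),
    # Hand-built request header templates
    ("http-header-template", re.compile(r"^(?:Host|User-Agent|Content-Type|Content-Length|Content-Disposition):")),
    # scheme://user:pass@host form, e.g. "ftp://%s:%s@%s:%d"
    ("url-with-credentials", re.compile(r"^[a-z]+://[^/\s:]+:[^@\s]+@")),
    # Form or query bodies such as "id=%s&brw=%d&type=%d&data="
    ("query-string-template", re.compile(r"^\w+=[^&\s]*(?:&\w+=[^&\s]*)*$")),
    # Labels that usually sit next to harvested secrets: "Username: %s", "statpass=%s", "AccountNO: %s"
    ("credential-label", re.compile(r"(?i)(?:user ?name|pass(?:word|wd)?|account\w*|login)\b")),
]

# Constructed sample, not a real module image: NUL-terminated ASCII strings in the style of the
# listing, plus one UTF-16LE string. An extra NUL before it keeps the wide run from starting on
# the last byte of the preceding ASCII string.
SAMPLE_BASE = 0x00040000  # assumed load address, matching the s-sa range in the post
SAMPLE = b"\x00".join([
    b"!This program cannot be run in DOS mode.",
    b"Rich",
    b".text",
    b"GET /stat?uptime=%d&downlink=%d&uplink=%d&id=%s&statpass=%s&comment=%s HTTP/1.0",
    b"ftp://%s:%s@%s:%d",
    b"POST %s HTTP/1.1",
    b"Host: %s",
    b"Content-Type: application/x-www-form-urlencoded",
    b"id=%s&brw=%d&type=%d&data=",
    b"ScotTrader",
    b"Username: %s",
    b"Password: %s",
    b"AccountNO: %s",
    b"\x00" + "Password: %s".encode("utf-16-le"),
]) + b"\x00\x00"


def extract_strings(data: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run of MIN_LEN+ characters,
    sorted by offset. This is the raw output an analyst would get from s-sa / s-su."""
    found = []
    for m in _ASCII_RUN.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in _UTF16_RUN.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def classify(text: str) -> List[str]:
    """Tags of every hint rule the string matches; empty list means no hint."""
    return [tag for tag, rx in HINT_RULES if rx.search(text)]


def find_string_hints(data: bytes, base: int = 0) -> List[Tuple[int, str, str, List[str]]]:
    """(address, encoding, text, tags) for each extracted string that matches at least one rule.
    Strings that match nothing, such as the PE stub text or section names, are dropped."""
    hints = []
    for off, enc, text in extract_strings(data):
        tags = classify(text)
        if tags:
            hints.append((base + off, enc, text, tags))
    return hints


if __name__ == "__main__":
    for addr, enc, text, tags in find_string_hints(SAMPLE, SAMPLE_BASE):
        print(f"{addr:08x} {enc:8} {text!r}  <- {', '.join(tags)}")
```

Note what the rules do not catch: the bare product names (ScotTrader in the sample, the whole BlackwoodPRO to SaxoTrader run in the listing) carry no syntactic marker, and only their presence in the wrong process makes them a hint. Keep that part of the pattern manual, and treat a tagged string as a pointer to the code that references it (a breakpoint or cross-reference on the string address), not as a verdict on its own.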
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -
Posted in Crash Dump Analysis, Malware Analysis, Malware Patterns, Victimware, Victimware Analysis, x64 Windows | No Comments »