Archive for February, 2013

Cyber Vostok Missions

Thursday, February 28th, 2013

Software Diagnostics Services launches its first cyber satellite to survey the state of cyber space and mine its patterns:

http://www.dumpanalysis.com/cybervostok

Notice the satellite logo: it has a UML 2.0 interface sink similar to the Software Diagnostics Institute logo.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 197)

Wednesday, February 27th, 2013

The Injected Symbols pattern can be used to add missing symbols when we have Reduced Symbol Information, as was done previously in this old case study. For example, the TestWER module was compiled with static MFC and CRT libraries and its private PDB file contains all necessary symbols, including the MSG structure. We can load that module into the notepad.exe process space and apply its symbols:

0:000:x86> lm
start             end                 module name
00fc0000 00ff0000   notepad    (pdb symbols)          c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000   WinCRT     (deferred)
727f0000 7298e000   comctl32   (deferred)
72aa0000 72af1000   winspool   (deferred)
72b10000 72b19000   version    (deferred)
72e40000 72e48000   wow64cpu   (deferred)
72e50000 72eac000   wow64win   (pdb symbols)          c:\mss\wow64win.pdb\B2D08CC152D64E71B79167DC0A0A53E91\wow64win.pdb
72eb0000 72eef000   wow64      (deferred)
733d0000 733e3000   dwmapi     (deferred)
735b0000 73606000   uxtheme    (deferred)
746f0000 746fc000   CRYPTBASE   (deferred)
74700000 74760000   sspicli    (deferred)
747c0000 74817000   shlwapi    (deferred)
74830000 7547a000   shell32    (deferred)
755d0000 7564b000   comdlg32   (deferred)
75650000 7567e000   imm32      (deferred)
75770000 75810000   advapi32   (deferred)
75810000 75920000   kernel32   (pdb symbols)          c:\mss\wkernel32.pdb\1C690A8592304467BB15A09CEA7180FA2\wkernel32.pdb
75920000 759b0000   gdi32      (deferred)
759b0000 759f7000   KERNELBASE   (deferred)
75a00000 75b00000   user32     (pdb symbols)          c:\mss\wuser32.pdb\0FCE9CC301ED4567A819705B2718E1D62\wuser32.pdb
75b00000 75b8f000   oleaut32   (deferred)
75be0000 75c7d000   usp10      (deferred)
75ff0000 76009000   sechost    (deferred)
76010000 76100000   rpcrt4     (deferred)
76230000 762dc000   msvcrt     (deferred)
76470000 7647a000   lpk        (deferred)
76480000 7654c000   msctf      (deferred)
76550000 766ac000   ole32      (deferred)
766d0000 76753000   clbcatq    (deferred)
76e40000 76fe9000   ntdll      (deferred)
77020000 771a0000   ntdll_77020000   (pdb symbols)          c:\mss\wntdll.pdb\D74F79EB1F8D4A45ABCD2F476CCABACC2\wntdll.pdb

0:000:x86> .sympath+ C:\DebuggingTV\TestWER\x86
Symbol search path is: srv*;C:\DebuggingTV\TestWER\x86
Expanded Symbol search path is: SRV*c:\mss*http://msdl.microsoft.com/download/symbols;c:\debuggingtv\testwer\x86

0:000:x86> .reload /f /i C:\DebuggingTV\TestWER\x86\TestWER.exe=10000000

0:000:x86> lm
start             end                 module name
00fc0000 00ff0000   notepad    (pdb symbols)          c:\mss\notepad.pdb\E325F5195AE94FAEB58D25C9DF8C0CFD2\notepad.pdb
10000000 10039000   TestWER    (private pdb symbols)  c:\debuggingtv\testwer\x86\TestWER.pdb
727f0000 7298e000   comctl32   (deferred)
72aa0000 72af1000   winspool   (deferred)
72b10000 72b19000   version    (deferred)
72e40000 72e48000   wow64cpu   (deferred)
72e50000 72eac000   wow64win   (pdb symbols)          c:\mss\wow64win.pdb\B2D08CC152D64E71B79167DC0A0A53E91\wow64win.pdb
72eb0000 72eef000   wow64      (deferred)
733d0000 733e3000   dwmapi     (deferred)
735b0000 73606000   uxtheme    (deferred)
746f0000 746fc000   CRYPTBASE   (deferred)
74700000 74760000   sspicli    (deferred)
747c0000 74817000   shlwapi    (deferred)
74830000 7547a000   shell32    (deferred)
755d0000 7564b000   comdlg32   (deferred)
75650000 7567e000   imm32      (deferred)
75770000 75810000   advapi32   (deferred)
75810000 75920000   kernel32   (pdb symbols)          c:\mss\wkernel32.pdb\1C690A8592304467BB15A09CEA7180FA2\wkernel32.pdb
75920000 759b0000   gdi32      (deferred)
759b0000 759f7000   KERNELBASE   (deferred)
75a00000 75b00000   user32     (pdb symbols)          c:\mss\wuser32.pdb\0FCE9CC301ED4567A819705B2718E1D62\wuser32.pdb
75b00000 75b8f000   oleaut32   (deferred)
75be0000 75c7d000   usp10      (deferred)
75ff0000 76009000   sechost    (deferred)
76010000 76100000   rpcrt4     (deferred)
76230000 762dc000   msvcrt     (deferred)
76470000 7647a000   lpk        (deferred)
76480000 7654c000   msctf      (deferred)
76550000 766ac000   ole32      (deferred)
766d0000 76753000   clbcatq    (deferred)
76e40000 76fe9000   ntdll      (deferred)
77020000 771a0000   ntdll_77020000   (pdb symbols)          c:\mss\wntdll.pdb\D74F79EB1F8D4A45ABCD2F476CCABACC2\wntdll.pdb

0:000:x86> kv
ChildEBP RetAddr  Args to Child
0013fe34 75a1790d 0013fe74 00000000 00000000 user32!NtUserGetMessage+0x15
0013fe50 00fc148a 0013fe74 00000000 00000000 user32!GetMessageW+0x33
0013fe90 00fc16ec 00fc0000 00000000 00354082 notepad!WinMain+0xe6
0013ff20 758233aa 7efde000 0013ff6c 77059ef2 notepad!_initterm_e+0x1a1
0013ff2c 77059ef2 7efde000 57785ae5 00000000 kernel32!BaseThreadInitThunk+0xe
0013ff6c 77059ec5 00fc3689 7efde000 00000000 ntdll_77020000!__RtlUserThreadStart+0x70
0013ff84 00000000 00fc3689 7efde000 00000000 ntdll_77020000!_RtlUserThreadStart+0x1b

0:000:x86> dt -r MSG 0013fe74
TestWER!MSG
  +0x000 hwnd             : 0x0007149c HWND__
    +0x000 unused           : ??
  +0x004 message          : 0x113
  +0x008 wParam           : 0x38a508
  +0x00c lParam           : 0n1921500630
  +0x010 time             : 0x2079a177
  +0x014 pt               : tagPOINT
    +0x000 x                : 0n1337
    +0x004 y                : 0n448

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 196)

Tuesday, February 26th, 2013

Sometimes we have Reduced Symbolic Information for modules, which can range from stripped or public symbol files to exported function names only. In such cases we can use API function prototypes, structure definitions and possible String Parameters to make sense of function arguments:

0:000:x86> kv
ChildEBP RetAddr  Args to Child
0013fe34 75a1790d 0013fe74 00000000 00000000 user32!NtUserGetMessage+0x15
0013fe50 00fc148a 0013fe74 00000000 00000000 user32!GetMessageW+0x33
0013fe90 00fc16ec 00fc0000 00000000 00354082 notepad!WinMain+0xe6
0013ff20 758233aa 7efde000 0013ff6c 77059ef2 notepad!_initterm_e+0x1a1
0013ff2c 77059ef2 7efde000 57785ae5 00000000 kernel32!BaseThreadInitThunk+0xe
0013ff6c 77059ec5 00fc3689 7efde000 00000000 ntdll_77020000!__RtlUserThreadStart+0x70
0013ff84 00000000 00fc3689 7efde000 00000000 ntdll_77020000!_RtlUserThreadStart+0x1b

The first parameter of the GetMessage API is a pointer to a MSG structure:

0:000:x86> dt MSG 0013fe74
Symbol MSG not found.

From MSDN we find this structure definition:

typedef struct tagMSG {
  HWND   hwnd;
  UINT   message;
  WPARAM wParam;
  LPARAM lParam;
  DWORD  time;
  POINT  pt;
} MSG, *PMSG, *LPMSG;

0:000:x86> dc 0013fe74 L7
0013fe74  0007149c 00000113 0038a508 7287c5d6  ..........8....r
0013fe84  2079a177 00000539 000001c0           w.y 9.......
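The manual overlay of the MSDN structure definition on the dc output above can be scripted: the following is an added example (not code from the post) that rebuilds the raw bytes from the dc lines and unpacks them with the MSG layout, producing the same field values that the dt output with injected symbols shows. The dc text is copied from the post; the WM_TIMER constant (0x113) is the standard Win32 value.

```python
"""Apply a C structure definition to raw 'dc' output: the manual version of 'dt MSG'."""
import struct
from typing import Dict

# 32-bit MSG from the MSDN definition quoted above: HWND, UINT, WPARAM, LPARAM, DWORD, POINT{LONG x, LONG y}.
# '<' = little-endian, no padding; 'I' = 4-byte unsigned, 'i' = 4-byte signed (LPARAM and LONG are signed,
# which is why WinDbg prints lParam and pt.x / pt.y as 0n decimal values).
MSG_FORMAT = "<IIIiIii"
MSG_FIELDS = ("hwnd", "message", "wParam", "lParam", "time", "pt.x", "pt.y")
WM_TIMER = 0x113   # the message value seen in this dump

# The 'dc 0013fe74 L7' output from the post, embedded here as the constructed input.
DC_OUTPUT = """\
0013fe74  0007149c 00000113 0038a508 7287c5d6  ..........8....r
0013fe84  2079a177 00000539 000001c0           w.y 9......."""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def dc_to_bytes(dc_text: str) -> bytes:
    """Rebuild raw memory from 'dc' lines: <address> <up to 4 DWORDs> <ASCII column>.
    Each DWORD is displayed in host order, so it is re-packed little-endian."""
    raw = bytearray()
    for line in dc_text.splitlines():
        tokens = line.split()
        for tok in tokens[1:]:                       # skip the address column
            if len(tok) != 8 or not set(tok) <= HEX_DIGITS:
                break                                # reached the ASCII column
            raw += struct.pack("<I", int(tok, 16))
    return bytes(raw)


def parse_msg(raw: bytes) -> Dict[str, int]:
    """Overlay the MSG layout on raw bytes; raises if the dump is shorter than sizeof(MSG) (28 bytes)."""
    size = struct.calcsize(MSG_FORMAT)
    if len(raw) < size:
        raise ValueError(f"need {size} bytes for MSG, got {len(raw)}")
    return dict(zip(MSG_FIELDS, struct.unpack(MSG_FORMAT, raw[:size])))


def format_like_dt(msg: Dict[str, int]) -> str:
    """Render the fields roughly the way 'dt -r MSG' does: hex for handles and flags, 0n decimal for signed."""
    lines = [
        f"  hwnd    : 0x{msg['hwnd']:08x}",
        f"  message : 0x{msg['message']:x}" + (" (WM_TIMER)" if msg["message"] == WM_TIMER else ""),
        f"  wParam  : 0x{msg['wParam']:x}",
        f"  lParam  : 0n{msg['lParam']}",
        f"  time    : 0x{msg['time']:x}",
        f"  pt.x    : 0n{msg['pt.x']}",
        f"  pt.y    : 0n{msg['pt.y']}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_like_dt(parse_msg(dc_to_bytes(DC_OUTPUT))))
```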

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Crash Dump Analysis Patterns (Part 195)

Tuesday, February 26th, 2013

Sometimes we have a Truncated Stack Trace and need to perform manual stack trace reconstruction of the missing part to get an approximate full stack trace. Often we are only able to reconstruct some parts and glue them together, perhaps with some intermediate frames still missing.

For example, we have this truncated stack trace due to the lack of symbols:

1: kd> k
ChildEBP RetAddr
97543b6c 85adf579 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
97543be8 85adf770 myfault+0x579
97543bf4 85adf7fc myfault+0x770
97543c2c 81827ecf myfault+0x7fc
97543c44 81988f65 nt!IofCallDriver+0x63
97543c64 81989f25 nt!IopSynchronousServiceTail+0x1e0
97543d00 8198ee8d nt!IopXxxControlFile+0x6b7
97543d34 8188c96a nt!NtDeviceIoControlFile+0x2a
97543d34 77510f34 nt!KiFastCallEntry+0x12a
0012f9a0 7750f850 ntdll!KiFastSystemCallRet
0012f9a4 77417c92 ntdll!NtDeviceIoControlFile+0xc
0012fa04 00401a5b kernel32!DeviceIoControl+0x14a
0012fa94 7700becf NotMyfault+0x1a5b
0012facc 00000000 USER32!xxxDrawButton+0xc1

Manual stack reconstruction brings this fragment:

1: kd> k L=0012fb94 0012fb94 0012fb94
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fb94 77001ae8 0x12fb94
0012fc0c 7700286a USER32!UserCallWinProcCheckWow+0x14b
0012fc4c 77002bba USER32!SendMessageWorker+0x4b7
0012fc6c 7700c6b4 USER32!SendMessageW+0x7c
0012fc84 7700c7c9 USER32!xxxButtonNotifyParent+0x41
0012fca0 7700c7e8 USER32!xxxBNReleaseCapture+0xf7
0012fd24 7701632e USER32!ButtonWndProcWorker+0x910
0012fd44 77001a10 USER32!ButtonWndProcA+0x4c
0012fd70 77001ae8 USER32!InternalCallWinProc+0x23
0012fde8 77002a47 USER32!UserCallWinProcCheckWow+0x14b
0012fe4c 77002a98 USER32!DispatchMessageWorker+0x322
0012fe5c 76ff11fc USER32!DispatchMessageW+0xf
0012fe80 76fe98d2 USER32!IsDialogMessageW+0x586
0012fea0 00401cc9 USER32!IsDialogMessageA+0xff
0012ff10 004022ec NotMyfault+0x1cc9
00000000 00000000 NotMyfault+0x22ec

And finally we get the usual third fragment, the thread start:

1: kd> k L=0012ffa0 0012ffa0 0012ffa0
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ffa0 77413833 0x12ffa0
0012ffac 774ea9bd kernel32!BaseThreadInitThunk+0xe
0012ffec 00000000 ntdll!_RtlUserThreadStart+0x23

Gluing them together we get this approximate stack trace:

97543b6c 85adf579 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
97543be8 85adf770 myfault+0x579
97543bf4 85adf7fc myfault+0x770
97543c2c 81827ecf myfault+0x7fc
97543c44 81988f65 nt!IofCallDriver+0x63
97543c64 81989f25 nt!IopSynchronousServiceTail+0x1e0
97543d00 8198ee8d nt!IopXxxControlFile+0x6b7
97543d34 8188c96a nt!NtDeviceIoControlFile+0x2a
97543d34 77510f34 nt!KiFastCallEntry+0x12a
0012f9a0 7750f850 ntdll!KiFastSystemCallRet
0012f9a4 77417c92 ntdll!NtDeviceIoControlFile+0xc
0012fa04 00401a5b kernel32!DeviceIoControl+0x14a
0012fa94 7700becf NotMyfault+0x1a5b
0012fc0c 7700286a USER32!UserCallWinProcCheckWow+0x14b
0012fc4c 77002bba USER32!SendMessageWorker+0x4b7
0012fc6c 7700c6b4 USER32!SendMessageW+0x7c
0012fc84 7700c7c9 USER32!xxxButtonNotifyParent+0x41
0012fca0 7700c7e8 USER32!xxxBNReleaseCapture+0xf7
0012fd24 7701632e USER32!ButtonWndProcWorker+0x910
0012fd44 77001a10 USER32!ButtonWndProcA+0x4c
0012fd70 77001ae8 USER32!InternalCallWinProc+0x23
0012fde8 77002a47 USER32!UserCallWinProcCheckWow+0x14b
0012fe4c 77002a98 USER32!DispatchMessageWorker+0x322
0012fe5c 76ff11fc USER32!DispatchMessageW+0xf
0012fe80 76fe98d2 USER32!IsDialogMessageW+0x586
0012fea0 00401cc9 USER32!IsDialogMessageA+0xff
0012ff10 004022ec NotMyfault+0x1cc9
0012ffac 774ea9bd kernel32!BaseThreadInitThunk+0xe
0012ffec 00000000 ntdll!_RtlUserThreadStart+0x23

We call this pattern Glued Stack Trace.
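The gluing step above follows a simple rule that can be automated: drop the pseudo frame WinDbg emits for the starting EBP of a manual walk (the "0x12fb94" style symbol), drop frames with a zero ChildEBP, drop the garbage bottom frame of every fragment except the thread-start one, and check that each fragment sits above the previous one on the stack. The following is an added example (not the author's code) that applies this rule to the three fragments from the post, copied here as constructed input.

```python
"""Glue manually reconstructed 'k' fragments into one approximate stack trace."""
import re
from typing import List, Tuple

Frame = Tuple[int, int, str]   # (ChildEBP, RetAddr, symbol)
FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)$", re.I)

# Constructed copies of the three fragments from the post: the truncated 'k' output, then the two
# 'k L=<ebp> <ebp> <ebp>' reconstructions. WARNING lines are kept on purpose; they are skipped by the parser.
FRAG_TRUNCATED = """\
97543b6c 85adf579 nt!KiTrap0E+0x2ac
WARNING: Stack unwind information not available. Following frames may be wrong.
97543be8 85adf770 myfault+0x579
97543bf4 85adf7fc myfault+0x770
97543c2c 81827ecf myfault+0x7fc
97543c44 81988f65 nt!IofCallDriver+0x63
97543c64 81989f25 nt!IopSynchronousServiceTail+0x1e0
97543d00 8198ee8d nt!IopXxxControlFile+0x6b7
97543d34 8188c96a nt!NtDeviceIoControlFile+0x2a
97543d34 77510f34 nt!KiFastCallEntry+0x12a
0012f9a0 7750f850 ntdll!KiFastSystemCallRet
0012f9a4 77417c92 ntdll!NtDeviceIoControlFile+0xc
0012fa04 00401a5b kernel32!DeviceIoControl+0x14a
0012fa94 7700becf NotMyfault+0x1a5b
0012facc 00000000 USER32!xxxDrawButton+0xc1"""

FRAG_MIDDLE = """\
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012fb94 77001ae8 0x12fb94
0012fc0c 7700286a USER32!UserCallWinProcCheckWow+0x14b
0012fc4c 77002bba USER32!SendMessageWorker+0x4b7
0012fc6c 7700c6b4 USER32!SendMessageW+0x7c
0012fc84 7700c7c9 USER32!xxxButtonNotifyParent+0x41
0012fca0 7700c7e8 USER32!xxxBNReleaseCapture+0xf7
0012fd24 7701632e USER32!ButtonWndProcWorker+0x910
0012fd44 77001a10 USER32!ButtonWndProcA+0x4c
0012fd70 77001ae8 USER32!InternalCallWinProc+0x23
0012fde8 77002a47 USER32!UserCallWinProcCheckWow+0x14b
0012fe4c 77002a98 USER32!DispatchMessageWorker+0x322
0012fe5c 76ff11fc USER32!DispatchMessageW+0xf
0012fe80 76fe98d2 USER32!IsDialogMessageW+0x586
0012fea0 00401cc9 USER32!IsDialogMessageA+0xff
0012ff10 004022ec NotMyfault+0x1cc9
00000000 00000000 NotMyfault+0x22ec"""

FRAG_START = """\
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ffa0 77413833 0x12ffa0
0012ffac 774ea9bd kernel32!BaseThreadInitThunk+0xe
0012ffec 00000000 ntdll!_RtlUserThreadStart+0x23"""


def parse_fragment(text: str) -> List[Frame]:
    """Keep only '<ChildEBP> <RetAddr> <symbol>' lines; headers and WARNING lines are dropped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return frames


def is_unresolved(symbol: str) -> bool:
    """The '0x12fb94'-style pseudo frame WinDbg emits for the EBP a manual walk started from."""
    return symbol.lower().startswith("0x")


def sits_above(prev: Frame, nxt: Frame) -> bool:
    """The stack grows down, so an older (caller) frame must have a larger ChildEBP."""
    return nxt[0] > prev[0]


def glue(fragments: List[List[Frame]]) -> List[Frame]:
    glued: List[Frame] = []
    for idx, frames in enumerate(fragments):
        final = idx == len(fragments) - 1
        kept = [f for f in frames if not is_unresolved(f[2]) and f[0] != 0]
        # The bottom frame of a non-final fragment is where the walk ran into garbage (RetAddr 0): drop it.
        if not final and kept and kept[-1][1] == 0:
            kept = kept[:-1]
        if glued and kept and not sits_above(glued[-1], kept[0]):
            raise ValueError(f"fragment {idx} does not sit above the previous one on the stack")
        glued.extend(kept)
    return glued


def render(frames: List[Frame]) -> str:
    return "\n".join(f"{ebp:08x} {ret:08x} {sym}" for ebp, ret, sym in frames)


if __name__ == "__main__":
    print(render(glue([parse_fragment(FRAG_TRUNCATED), parse_fragment(FRAG_MIDDLE), parse_fragment(FRAG_START)])))
```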

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

A Dump Machine

Friday, February 15th, 2013

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 64)

Friday, February 15th, 2013

Inter-Correlation analysis between a normal log and a problem log to find a Bifurcation Point (and a possible root cause) becomes a difficult task when both traces come from different environments with widely differing Background Components. Here a new analysis pattern called Sheaf of Activities (borrowed from sheaves in mathematics) can help. Basically this pattern is also a tool for tracking properties of trace message subsets. First we find the important message types around some Activity Region where we hope to find a difference between the two traces.

Then we create several Adjoint Threads from different message types, for example based on operation type or function name.

Then we analyze the subtraces separately to find a bifurcation point in each of them and use this knowledge to find the differences between the original full traces.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Cadaver Worm: An Exercise in Malware Fiction

Sunday, February 10th, 2013

The discovery of a “black hole horizon” in a complete memory dump inspired this fictitious malware. There, in a dump, we discovered an innocuous ASCII message:

fffff880`15925010  fffff880`159250d0 "Dumping physical memory to disk:  80% ."

A little thought and we realized that this page was saved to a page file at the time when only 80% of memory was dumped. So we do not know what was in that page during the rest of the time (and would never know). I guess Cadaver Worms live there, spreading from PC to PC and causing blue screens immediately upon infection to minimize discovery. They are not in crash dumps because they relocate themselves during the system dump procedure. They thaw frozen CPUs and send themselves to the network. Who would suspect a computer showing a blue screen of sending network packets?

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 23)

Sunday, February 10th, 2013

The Out-of-Module Pointer pattern is about pointers to addresses outside the container module range. A typical example is some kernel table or structure, for example a driver IRP dispatch table with pointers outside that driver's module address range. Other examples include a 32-bit SSDT pointing outside the nt module range and IDT entries pointing outside hal and the expected drivers:

[...]
818809dc 8193c4e7 nt!NtQueryOpenSubKeys
818809e0 8193c76b nt!NtQueryOpenSubKeysEx
818809e4 81a909b0 nt!NtQueryPerformanceCounter
818809e8 819920e7 nt!NtQueryQuotaInformationFile
818809ec 819e34f2 nt!NtQuerySection
818809f0 819f470b nt!NtQuerySecurityObject
818809f4 81a882fe nt!NtQuerySemaphore
818809f8 819eff54 nt!NtQuerySymbolicLinkObject
818809fc 81a8a223 nt!NtQuerySystemEnvironmentValue
81880a00 81a8a831 nt!NtQuerySystemEnvironmentValueEx
81880a04 96ca1a73
81880a08 81a7ac06 nt!NtQuerySystemTime
81880a0c 81a8f913 nt!NtQueryTimer
81880a10 81a7aeeb nt!NtQueryTimerResolution
81880a14 8193985a nt!NtQueryValueKey
81880a18 819e9273 nt!NtQueryVirtualMemory
81880a1c 8199274e nt!NtQueryVolumeInformationFile
81880a20 81a1a655 nt!NtQueueApcThread
[…]

0: kd> lm m nt
start end module name
81800000 81ba1000 nt

Such pointers may also be Raw Pointers, but it could also be the case that, in the absence of symbols, all pointers are raw and only a few of them fall outside the expected range.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 22)

Saturday, February 9th, 2013

The Raw Pointer pattern is about pointers without matching symbol files. They may be in the expected module range or in some other known module range, shown in the form module+offset, or they can be completely outside the range of any module from the loaded module list and are therefore just a number. Usually there are certain structures or arrays (tables), such as the IAT, IDT and 32-bit SSDT, where we expect pointers with matching symbols, and an occurrence of a raw pointer there immediately triggers suspicion, as in this Import Address Table from ProcessA:

[...]
00000001`3f8a9048 00000000`76e282d0 ntdll!RtlSizeHeap
00000001`3f8a9050 00000000`76bf9070 kernel32!GetStringTypeWStub
00000001`3f8a9058 00000000`76c03580 kernel32!WideCharToMultiByteStub
00000001`3f8a9060 00000000`76e33f20 ntdll!RtlReAllocateHeap
00000001`3f8a9068 00000000`76e533a0 ntdll!RtlAllocateHeap
00000001`3f8a9070 00000000`76bfc420 kernel32!GetCommandLineWStub
00000001`3f8a9078 00000001`3f8a1638 ProcessA+0x10ac
00000001`3f8a9080 00000000`76c2cc50 kernel32!IsProcessorFeaturePresent
00000001`3f8a9088 00000000`76c02d60 kernel32!GetLastErrorStub
00000001`3f8a9090 00000000`76c02d80 kernel32!SetLastError
00000001`3f8a9098 00000000`76bf3ee0 kernel32!GetCurrentThreadIdStub
[…]

Note that such structures are not limited to the above and can be any OS or even application-specific structure for which we have symbol files. Raw pointers that are outside the expected module range are covered in the next pattern.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 21)

Saturday, February 9th, 2013

The Hooksware pattern originally came from the memory dump analysis pattern catalog and is too general for the malware analysis pattern catalog, so we decided to factor out three separate patterns. The first one is called Patched Code and includes cases such as in-place patching:

0:004> u ntdll!ZwQueryDirectoryFile
ntdll!ZwQueryDirectoryFile:
77814db4 b8da000000      mov     eax,0DAh
77814db9 bae8af0500      mov     edx,5AFE8h
77814dbe ff12            call    dword ptr [edx]
77814dc0 c22c00          ret     2Ch
77814dc3 90              nop
ntdll!NtQueryDirectoryObject:
77814dc4 b8db000000      mov     eax,0DBh
77814dc9 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
77814dce ff12            call    dword ptr [edx]

and detour patching:

0:004> u wininet!InternetReadFile
wininet!InternetReadFile:
7758654b e98044ac88      jmp     0004a9d0
77586550 83ec24          sub     esp,24h
77586553 53              push    ebx
77586554 56              push    esi
77586555 57              push    edi
77586556 33ff            xor     edi,edi
77586558 393db8116277    cmp     dword ptr [wininet!GlobalDataInitialized (776211b8)],edi
7758655e 897df4          mov     dword ptr [ebp-0Ch],edi

In the case of WinDbg such a pattern is usually detected at the crash spot, for example from a RIP Stack Trace or from !chkimg command output.
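The two patched forms shown above can also be recognized mechanically from u output: an in-place patch of a 32-bit ntdll system call stub loads something other than SharedUserData!SystemCallStub (7ffe0300) into edx, and a detour replaces the first instruction of an exported API with a jmp to a target outside the module. The following is an added example (not the author's code) that runs both checks over the disassembly copied from the post; the wininet address range it uses is an assumed placeholder, not a value from the post.

```python
"""Detect in-place and detour Patched Code in WinDbg 'u' disassembly text."""
import re
from typing import List, Optional, Tuple

Insn = Tuple[int, str, str, str]   # (address, opcode bytes, mnemonic, operands)
U_LINE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+([a-z]+)\s*(.*)$", re.I)
SYSTEM_CALL_STUB = 0x7FFE0300      # SharedUserData!SystemCallStub, as loaded by the clean stub below

# Disassembly copied from the post (constructed input): the patched ZwQueryDirectoryFile stub, the clean
# NtQueryDirectoryObject stub that follows it, and the detoured wininet!InternetReadFile.
PATCHED_STUB = """\
77814db4 b8da000000      mov     eax,0DAh
77814db9 bae8af0500      mov     edx,5AFE8h
77814dbe ff12            call    dword ptr [edx]
77814dc0 c22c00          ret     2Ch"""

CLEAN_STUB = """\
77814dc4 b8db000000      mov     eax,0DBh
77814dc9 ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
77814dce ff12            call    dword ptr [edx]"""

DETOURED_API = """\
7758654b e98044ac88      jmp     0004a9d0
77586550 83ec24          sub     esp,24h
77586553 53              push    ebx
77586554 56              push    esi
77586555 57              push    edi
77586556 33ff            xor     edi,edi
77586558 393db8116277    cmp     dword ptr [wininet!GlobalDataInitialized (776211b8)],edi
7758655e 897df4          mov     dword ptr [ebp-0Ch],edi"""

# Assumed placeholder range for wininet in this process; in a real session take it from 'lm m wininet'.
WININET_RANGE = (0x77580000, 0x77680000)


def parse_u(text: str) -> List[Insn]:
    """Return (address, bytes, mnemonic, operands) per instruction; 'module!symbol:' label lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = U_LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(), m.group(3).lower(), m.group(4).strip()))
    return insns


def last_hex_in(operands: str) -> Optional[int]:
    """Immediate or resolved address in an operand: '5AFE8h', '0004a9d0' or 'offset X (7ffe0300)'."""
    found = re.findall(r"[0-9a-f]+(?=h\b)|\b[0-9a-f]{8}\b", operands, re.I)
    return int(found[-1], 16) if found else None


def syscall_stub_patched(insns: List[Insn]) -> Optional[int]:
    """In-place patch check for a 32-bit ntdll Zw/Nt stub: 'mov edx,<imm>' must load SystemCallStub.
    Returns the foreign value when it does not, None when the stub is clean."""
    for _addr, _bytes, mnem, ops in insns[:3]:
        if mnem == "mov" and ops.lower().startswith("edx,"):
            value = last_hex_in(ops)
            return None if value == SYSTEM_CALL_STUB else value
    return None


def detour_target(insns: List[Insn], module_lo: int, module_hi: int) -> Optional[int]:
    """Detour check: the first instruction of an exported API is an unconditional jmp (e9/eb) to an
    address outside the module's own range. Returns that address, or None."""
    if not insns:
        return None
    _addr, opbytes, mnem, ops = insns[0]
    if mnem != "jmp" or opbytes[:2] not in ("e9", "eb"):
        return None
    target = last_hex_in(ops)
    if target is None or module_lo <= target < module_hi:
        return None
    return target


if __name__ == "__main__":
    print("ZwQueryDirectoryFile edx:", hex(syscall_stub_patched(parse_u(PATCHED_STUB)) or 0))
    print("NtQueryDirectoryObject:", syscall_stub_patched(parse_u(CLEAN_STUB)))
    print("InternetReadFile detour ->", hex(detour_target(parse_u(DETOURED_API), *WININET_RANGE) or 0))
```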

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Trace Analysis Patterns (Part 63)

Friday, February 8th, 2013

The Indexical Trace pattern describes an Inter-Correlation pattern variant where one trace has messages of interest pointing to specific activity regions in another trace. The latter trace can be very large, come from another computer and be split into many parts (Split Trace). This pattern is very helpful when the problem needs to be diagnosed in the large split trace but we don’t know when it happened. An index trace that recorded an account of software execution (for example, in the case of a broker-like architecture) can then point to the right trace fragment of the split trace.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

The Power of Simplicity

Thursday, February 7th, 2013

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Bugtation No.162

Thursday, February 7th, 2013

If debugging were profitable, everybody would be debugging.

Thomas More

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

WinDbg as UNICODE to ASCII Converter

Wednesday, February 6th, 2013

Steps:

1. Open a crash dump or attach WinDbg to a process you can sacrifice.

2. Enter this command: eb rsp <UNICODE string> [00 00]

0: kd> eb rsp 42 00 65 00 65 00 74 00 68 00 6F 00 76 00 65 00 6E 00 3A 00 20 00 53 00 79 00 6D 00 70 00 68 00 6F 00 6E 00 69 00 65 00 73 00 20 00 31 00 20 00 61 00 6E 00 64 00 20 00 33 00 00 00

Note: use esp for a 32-bit dump. The trailing NULL terminator bytes 00 00 are not necessary if the string already has them.

3. Enter this command: du rsp

0: kd> du rsp
fffff880`15925ae8  "Beethoven: Symphonies 1 and 3"

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 20)

Tuesday, February 5th, 2013

As usual a new pattern arises from the need to communicate analysis findings. Most often when analyzing malware we don’t have symbol files (No Component Symbols) for an Unknown Module. By looking at the IAT (if any is present) we can guess the module's purpose. Sometimes a module itself is not malicious but is used in a larger malicious context, such as screen grabbing:

[...]
10002000  76376101 gdi32!CreateCompatibleDC
10002004  763793d6 gdi32!StretchBlt
10002008  76377461 gdi32!CreateDIBSection
1000200c  763762a0 gdi32!SelectObject
10002010  00000000
10002024  77429ced user32!ReleaseDC
10002028  77423ba7 user32!NtUserGetWindowDC
1000202c  77430e21 user32!GetWindowRect
10002030  00000000
10002034  744a75e9 GdiPlus!GdiplusStartup
10002038  744976dd GdiPlus!GdipSaveImageToStream
1000203c  744cdd38 GdiPlus!GdipGetImageEncodersSize
10002040  744971cf GdiPlus!GdipDisposeImage
10002044  744a8591 GdiPlus!GdipCreateBitmapFromHBITMAP
10002048  744cdbae GdiPlus!GdipGetImageEncoders
[...]

There are also cases where these API names are not in the IAT but are found as String Hints in raw data, such as LoadLibrary / GetProcAddress, and even a group of module names themselves acting as a collective API:

[...]
00058e20  "kernel32.dll"
00058e3c  "user32.dll"
00058e54  "ws2_32.dll"
00058e6c  "ntdll.dll"
00058e80  "wininet.dll"
00058e98  "nspr4.dll"
00058eac  "ssl3.dll"
[...]

We name this pattern Namespace.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Page Heap Implementation

Sunday, February 3rd, 2013

It is a well-known fact that page heap is implemented by placing allocations at the end of pages, with the next page non-accessible, to catch buffer overruns leading to heap corruption. The best way to see it is to use the !address command, which dumps all such allocations:

0:004> !gflag
Current NtGlobalFlag contents: 0x02000000
hpa - Place heap allocations at ends of pages

0:004> !address
[...]
20b10000 20b11000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b11000 20b12000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b12000 20b13000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b13000 20b14000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b14000 20b15000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b15000 20b1a000     5000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1a000 20b1b000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1b000 20b1c000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1c000 20b1d000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1d000 20b1e000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1e000 20b1f000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b1f000 20b20000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
+ 20b20000 20b21000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b21000 20b26000     5000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b26000 20b27000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b27000 20b28000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b28000 20b29000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b29000 20b2a000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b2a000 20b2b000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b2b000 20b2f000     4000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b2f000 20b30000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b30000 20b3f000     f000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b3f000 20b40000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b40000 20b41000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b41000 20b42000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b42000 20b45000     3000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b45000 20b46000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b46000 20b4b000     5000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4b000 20b4c000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4c000 20b4d000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4d000 20b4e000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4e000 20b4f000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b4f000 20b50000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b50000 20b51000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b51000 20b52000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b52000 20b57000     5000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b57000 20b58000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b58000 20b5d000     5000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b5d000 20b5e000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b5e000 20b5f000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b5f000 20b60000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b60000 20b61000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b61000 20b62000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b62000 20b6b000     9000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b6b000 20b6f000     4000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b6f000 20b71000     2000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b71000 20b72000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b72000 20b73000     1000 MEM_PRIVATE MEM_RESERVE                                    PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
20b73000 20b74000     1000 MEM_PRIVATE MEM_COMMIT  PAGE_READWRITE                     PageHeap   [PageHeap: 1f241000; NormalHeap: 1f410000]
[…]

0:004> dc 20b26000 20b27000
20b26000  00000000 00000000 00000000 00000000  ................
20b26010  00000000 00000000 00000000 00000000  ................
20b26020  00000000 00000000 00000000 00000000  ................
20b26030  00000000 00000000 00000000 00000000  ................
20b26040  00000000 00000000 00000000 00000000  ................
20b26050  00000000 00000000 00000000 00000000  ................
20b26060  00000000 00000000 00000000 00000000  ................
20b26070  00000000 00000000 00000000 00000000  ................
20b26080  00000000 00000000 00000000 00000000  ................
20b26090  00000000 00000000 00000000 00000000  ................
20b260a0  00000000 00000000 00000000 00000000  ................
20b260b0  00000000 00000000 00000000 00000000  ................
20b260c0  00000000 00000000 00000000 00000000  ................
20b260d0  00000000 00000000 00000000 00000000  ................
20b260e0  00000000 00000000 00000000 00000000  ................
20b260f0  00000000 00000000 00000000 00000000  ................
20b26100  00000000 00000000 00000000 00000000  ................
20b26110  00000000 00000000 00000000 00000000  ................
20b26120  00000000 00000000 00000000 00000000  ................
20b26130  00000000 00000000 00000000 00000000  ................
20b26140  00000000 00000000 00000000 00000000  ................
20b26150  00000000 00000000 00000000 00000000  ................
20b26160  00000000 00000000 00000000 00000000  ................
20b26170  00000000 00000000 00000000 00000000  ................
20b26180  00000000 00000000 00000000 00000000  ................
20b26190  00000000 00000000 00000000 00000000  ................
20b261a0  00000000 00000000 00000000 00000000  ................
20b261b0  00000000 00000000 00000000 00000000  ................
20b261c0  00000000 00000000 00000000 00000000  ................
20b261d0  00000000 00000000 00000000 00000000  ................
20b261e0  00000000 00000000 00000000 00000000  ................
20b261f0  00000000 00000000 00000000 00000000  ................
20b26200  00000000 00000000 00000000 00000000  ................
20b26210  00000000 00000000 00000000 00000000  ................
20b26220  00000000 00000000 00000000 00000000  ................
20b26230  00000000 00000000 00000000 00000000  ................
20b26240  00000000 00000000 00000000 00000000  ................
20b26250  00000000 00000000 00000000 00000000  ................
20b26260  00000000 00000000 00000000 00000000  ................
20b26270  00000000 00000000 00000000 00000000  ................
20b26280  00000000 00000000 00000000 00000000  ................
20b26290  00000000 00000000 00000000 00000000  ................
20b262a0  00000000 00000000 00000000 00000000  ................
20b262b0  00000000 00000000 00000000 00000000  ................
20b262c0  00000000 00000000 00000000 00000000  ................
20b262d0  00000000 00000000 00000000 00000000  ................
20b262e0  00000000 00000000 00000000 00000000  ................
20b262f0  00000000 00000000 00000000 00000000  ................
20b26300  00000000 00000000 00000000 00000000  ................
20b26310  00000000 00000000 00000000 00000000  ................
20b26320  00000000 00000000 00000000 00000000  ................
20b26330  00000000 00000000 00000000 00000000  ................
20b26340  00000000 00000000 00000000 00000000  ................
20b26350  00000000 00000000 00000000 00000000  ................
20b26360  00000000 00000000 00000000 00000000  ................
20b26370  00000000 00000000 00000000 00000000  ................
20b26380  00000000 00000000 00000000 00000000  ................
20b26390  00000000 00000000 00000000 00000000  ................
20b263a0  00000000 00000000 00000000 00000000  ................
20b263b0  00000000 00000000 00000000 00000000  ................
20b263c0  00000000 00000000 00000000 00000000  ................
20b263d0  00000000 00000000 00000000 00000000  ................
20b263e0  00000000 00000000 00000000 00000000  ................
20b263f0  00000000 00000000 00000000 00000000  ................
20b26400  00000000 00000000 00000000 00000000  ................
20b26410  00000000 00000000 00000000 00000000  ................
20b26420  00000000 00000000 00000000 00000000  ................
20b26430  00000000 00000000 00000000 00000000  ................
20b26440  00000000 00000000 00000000 00000000  ................
20b26450  00000000 00000000 00000000 00000000  ................
20b26460  00000000 00000000 00000000 00000000  ................
20b26470  00000000 00000000 00000000 00000000  ................
20b26480  00000000 00000000 00000000 00000000  ................
20b26490  00000000 00000000 00000000 00000000  ................
20b264a0  00000000 00000000 00000000 00000000  ................
20b264b0  00000000 00000000 00000000 00000000  ................
20b264c0  00000000 00000000 00000000 00000000  ................
20b264d0  00000000 00000000 00000000 00000000  ................
20b264e0  00000000 00000000 00000000 00000000  ................
20b264f0  00000000 00000000 00000000 00000000  ................
20b26500  00000000 00000000 00000000 00000000  ................
20b26510  00000000 00000000 00000000 00000000  ................
20b26520  00000000 00000000 00000000 00000000  ................
20b26530  00000000 00000000 00000000 00000000  ................
20b26540  00000000 00000000 00000000 00000000  ................
20b26550  00000000 00000000 00000000 00000000  ................
20b26560  00000000 00000000 00000000 00000000  ................
20b26570  00000000 00000000 00000000 00000000  ................
20b26580  00000000 00000000 00000000 00000000  ................
20b26590  00000000 00000000 00000000 00000000  ................
20b265a0  00000000 00000000 00000000 00000000  ................
20b265b0  00000000 00000000 00000000 00000000  ................
20b265c0  00000000 00000000 00000000 00000000  ................
20b265d0  00000000 00000000 00000000 00000000  ................
20b265e0  00000000 00000000 00000000 00000000  ................
20b265f0  00000000 00000000 00000000 00000000  ................
20b26600  00000000 00000000 00000000 00000000  ................
20b26610  00000000 00000000 00000000 00000000  ................
20b26620  00000000 00000000 00000000 00000000  ................
20b26630  00000000 00000000 00000000 00000000  ................
20b26640  00000000 00000000 00000000 00000000  ................
20b26650  00000000 00000000 00000000 00000000  ................
20b26660  00000000 00000000 00000000 00000000  ................
20b26670  00000000 00000000 00000000 00000000  ................
20b26680  00000000 00000000 00000000 00000000  ................
20b26690  00000000 00000000 00000000 00000000  ................
20b266a0  00000000 00000000 00000000 00000000  ................
20b266b0  00000000 00000000 00000000 00000000  …………….
20b266c0  00000000 00000000 00000000 00000000  …………….
20b266d0  00000000 00000000 00000000 00000000  …………….
20b266e0  00000000 00000000 00000000 00000000  …………….
20b266f0  00000000 00000000 00000000 00000000  …………….
20b26700  00000000 00000000 00000000 00000000  …………….
20b26710  00000000 00000000 00000000 00000000  …………….
20b26720  00000000 00000000 00000000 00000000  …………….
20b26730  00000000 00000000 00000000 00000000  …………….
20b26740  00000000 00000000 00000000 00000000  …………….
20b26750  00000000 00000000 00000000 00000000  …………….
20b26760  00000000 00000000 00000000 00000000  …………….
20b26770  00000000 00000000 00000000 00000000  …………….
20b26780  00000000 00000000 00000000 00000000  …………….
20b26790  00000000 00000000 00000000 00000000  …………….
20b267a0  00000000 00000000 00000000 00000000  …………….
20b267b0  00000000 00000000 00000000 00000000  …………….
20b267c0  00000000 00000000 00000000 00000000  …………….
20b267d0  00000000 00000000 00000000 00000000  …………….
20b267e0  00000000 00000000 00000000 00000000  …………….
20b267f0  00000000 00000000 00000000 00000000  …………….
20b26800  00000000 00000000 00000000 00000000  …………….
20b26810  00000000 00000000 00000000 00000000  …………….
20b26820  00000000 00000000 00000000 00000000  …………….
20b26830  00000000 00000000 00000000 00000000  …………….
20b26840  00000000 00000000 00000000 00000000  …………….
20b26850  00000000 00000000 00000000 00000000  …………….
20b26860  00000000 00000000 00000000 00000000  …………….
20b26870  00000000 00000000 00000000 00000000  …………….
20b26880  00000000 00000000 00000000 00000000  …………….
20b26890  00000000 00000000 00000000 00000000  …………….
20b268a0  00000000 00000000 00000000 00000000  …………….
20b268b0  00000000 00000000 00000000 00000000  …………….
20b268c0  00000000 00000000 00000000 00000000  …………….
20b268d0  00000000 00000000 00000000 00000000  …………….
20b268e0  00000000 00000000 00000000 00000000  …………….
20b268f0  00000000 00000000 00000000 00000000  …………….
20b26900  00000000 00000000 00000000 00000000  …………….
20b26910  00000000 00000000 00000000 00000000  …………….
20b26920  00000000 00000000 00000000 00000000  …………….
20b26930  00000000 00000000 00000000 00000000  …………….
20b26940  00000000 00000000 00000000 00000000  …………….
20b26950  00000000 00000000 00000000 00000000  …………….
20b26960  00000000 00000000 00000000 00000000  …………….
20b26970  00000000 00000000 00000000 00000000  …………….
20b26980  00000000 00000000 00000000 00000000  …………….
20b26990  00000000 00000000 00000000 00000000  …………….
20b269a0  00000000 00000000 00000000 00000000  …………….
20b269b0  00000000 00000000 00000000 00000000  …………….
20b269c0  00000000 00000000 00000000 00000000  …………….
20b269d0  00000000 00000000 00000000 00000000  …………….
20b269e0  00000000 00000000 00000000 00000000  …………….
20b269f0  00000000 00000000 00000000 00000000  …………….
20b26a00  00000000 00000000 00000000 00000000  …………….
20b26a10  00000000 00000000 00000000 00000000  …………….
20b26a20  00000000 00000000 00000000 00000000  …………….
20b26a30  00000000 00000000 00000000 00000000  …………….
20b26a40  00000000 00000000 00000000 00000000  …………….
20b26a50  00000000 00000000 00000000 00000000  …………….
20b26a60  00000000 00000000 00000000 00000000  …………….
20b26a70  00000000 00000000 00000000 00000000  …………….
20b26a80  00000000 00000000 00000000 00000000  …………….
20b26a90  00000000 00000000 00000000 00000000  …………….
20b26aa0  00000000 00000000 00000000 00000000  …………….
20b26ab0  00000000 00000000 00000000 00000000  …………….
20b26ac0  00000000 00000000 00000000 00000000  …………….
20b26ad0  00000000 00000000 00000000 00000000  …………….
20b26ae0  00000000 00000000 00000000 00000000  …………….
20b26af0  00000000 00000000 00000000 00000000  …………….
20b26b00  00000000 00000000 00000000 00000000  …………….
20b26b10  00000000 00000000 00000000 00000000  …………….
20b26b20  00000000 00000000 00000000 00000000  …………….
20b26b30  00000000 00000000 00000000 00000000  …………….
20b26b40  00000000 00000000 00000000 00000000  …………….
20b26b50  00000000 00000000 00000000 00000000  …………….
20b26b60  00000000 00000000 00000000 00000000  …………….
20b26b70  00000000 00000000 00000000 00000000  …………….
20b26b80  00000000 00000000 00000000 00000000  …………….
20b26b90  00000000 00000000 00000000 00000000  …………….
20b26ba0  00000000 00000000 00000000 00000000  …………….
20b26bb0  00000000 00000000 00000000 00000000  …………….
20b26bc0  00000000 00000000 00000000 00000000  …………….
20b26bd0  00000000 00000000 00000000 00000000  …………….
20b26be0  00000000 00000000 00000000 00000000  …………….
20b26bf0  00000000 00000000 00000000 00000000  …………….
20b26c00  00000000 00000000 00000000 00000000  …………….
20b26c10  00000000 00000000 00000000 00000000  …………….
20b26c20  00000000 00000000 00000000 00000000  …………….
20b26c30  00000000 00000000 00000000 00000000  …………….
20b26c40  00000000 00000000 00000000 00000000  …………….
20b26c50  00000000 00000000 00000000 00000000  …………….
20b26c60  00000000 00000000 00000000 00000000  …………….
20b26c70  00000000 00000000 00000000 00000000  …………….
20b26c80  00000000 00000000 00000000 00000000  …………….
20b26c90  00000000 00000000 00000000 00000000  …………….
20b26ca0  00000000 00000000 00000000 00000000  …………….
20b26cb0  00000000 00000000 00000000 00000000  …………….
20b26cc0  00000000 00000000 00000000 00000000  …………….
20b26cd0  00000000 00000000 00000000 00000000  …………….
20b26ce0  00000000 00000000 00000000 00000000  …………….
20b26cf0  00000000 00000000 00000000 00000000  …………….
20b26d00  00000000 00000000 00000000 00000000  …………….
20b26d10  00000000 00000000 00000000 00000000  …………….
20b26d20  00000000 00000000 00000000 00000000  …………….
20b26d30  00000000 00000000 00000000 00000000  …………….
20b26d40  00000000 00000000 00000000 00000000  …………….
20b26d50  00000000 00000000 00000000 00000000  …………….
20b26d60  00000000 00000000 00000000 00000000  …………….
20b26d70  00000000 00000000 00000000 00000000  …………….
20b26d80  00000000 00000000 00000000 00000000  …………….
20b26d90  00000000 00000000 00000000 00000000  …………….
20b26da0  00000000 00000000 00000000 00000000  …………….
20b26db0  00000000 00000000 00000000 00000000  …………….
20b26dc0  00000000 00000000 00000000 00000000  …………….
20b26dd0  00000000 00000000 00000000 00000000  …………….
20b26de0  00000000 00000000 00000000 00000000  …………….
20b26df0  00000000 00000000 00000000 00000000  …………….
20b26e00  00000000 00000000 00000000 00000000  …………….
20b26e10  00000000 00000000 00000000 00000000  …………….
20b26e20  00000000 00000000 00000000 00000000  …………….
20b26e30  00000000 00000000 00000000 00000000  …………….
20b26e40  00000000 00000000 00000000 00000000  …………….
20b26e50  00000000 00000000 00000000 00000000  …………….
20b26e60  00000000 00000000 00000000 00000000  …………….
20b26e70  00000000 00000000 00000000 00000000  …………….
20b26e80  00000000 00000000 00000000 00000000  …………….
20b26e90  00000000 00000000 00000000 00000000  …………….
20b26ea0  00000000 00000000 00000000 00000000  …………….
20b26eb0  00000000 00000000 00000000 00000000  …………….
20b26ec0  00000000 00000000 00000000 00000000  …………….
20b26ed0  00000000 00000000 abcdbbbb 1f241000  …………..$.
20b26ee0  00000108 00000108 00000000 00000000  …………….
20b26ef0  011c6b10 dcbabbbb 1f1bc8b4 00000002  .k…………..
20b26f00  20b79fd0 20b85fd0 20b28fe8 20b2ffe0  … ._. … …
20b26f10  20b3ffe0 20b4bfe8 20b51fe8 20b57fe8  … … … …
20b26f20  00000000 00000000 20b5dfa8 00000000  ……….. ….
20b26f30  00000000 00000000 1f1bcbf0 00000000  …………….
20b26f40  20b71ff8 00000010 1f1bcbf0 00000000  … …………
20b26f50  20b73ff8 00000010 1f1bcbf0 00000000  .?. …………
20b26f60  20b75ff8 00000010 1f1bcbf0 00000000  ._. …………
20b26f70  20b77ff8 00000010 00000000 00000000  … …………
20b26f80  c0c0c001 00000000 c0c00000 00000002  …………….
20b26f90  01000000 00000101 00000000 00000000  …………….
20b26fa0  00000000 c0c0c000 00000000 00000001  …………….
20b26fb0  00000000 00000000 00000000 00000000  …………….
20b26fc0  00000000 00000000 00000000 00000000  …………….
20b26fd0  00000000 00000000 00000000 00000000  …………….
20b26fe0  00000000 00000000 00000000 00000000  …………….
20b26ff0  00000000 00000000 00000000 c0c0c000  …………….
20b27000 ???????? ????

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

M-Memory

Friday, February 1st, 2013

Memorianic prophecy 0m3 says: “Memory is infinitude of memories.” In the monistic-aspect-plural interpretation of Memoidealism, memory is also an attribute of itself. Memorianity considers all memories to be of the same substance as eternal Memory. All memories are distinct, yet they are one essence. There is only one Memory in memories. Each memory is distinct only in relation to other memories. The M in M-Memory stands for Multiplicity. One analogy here is the concept of the Trinity with an infinite number of hypostases instead of just three.

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -

Malware Analysis Patterns (Part 18)

Friday, February 1st, 2013

This pattern (we call it String Hint) covers traces of ASCII and UNICODE strings that look suspicious, such as website, password or HTTP form strings, or strange names that intuitively shouldn’t be present given the purpose of a module or its container process (the example is taken from the Victimware presentation case study):

0:005> s-sa 00040000 L1d000
0004004d  "!This program cannot be run in D"
0004006d  "OS mode."
00040081  "3y@"
000400b8  "Rich"
000401d0  ".text"
000401f7  "`.rdata"
0004021f  "@.data"
00040248  ".reloc"
[...]
00054018  "GET /stat?uptime=%d&downlink=%d&"
00054038  "uplink=%d&id=%s&statpass=%s&comm"
00054058  "ent=%s HTTP/1.0"
000540ac  "%s%s%s"
000540d8  "ftp://%s:%s@%s:%d"
000540fc  "Accept-Encoding:"
00054118  "Accept-Encoding:"
00054130  "0123456789ABCDEF"
00054144  "://"
00054160  "POST %s HTTP/1.0"
00054172  "Host: %s"
0005417c  "User-Agent: %s"
0005418c  "Accept: text/html"
0005419f  "Connection: Close"
000541b2  "Content-Type: application/x-www-"
000541d2  "form-urlencoded"
000541e3  "Content-Length: %d"
000541fc  "id="
00054208  "POST %s HTTP/1.1"
0005421a  "Host: %s"
00054224  "User-Agent: %s"
00054234  "Accept: text/html"
00054247  "Connection: Close"
0005425a  "Content-Type: application/x-www-"
0005427a  "form-urlencoded"
0005428b  "Content-Length: %d"
000542a4  "id=%s&base="
000542b8  "id=%s&brw=%d&type=%d&data="
000542d8  "POST %s HTTP/1.1"
000542ea  "Host: %s"
000542f4  "User-Agent: %s"
00054304  "Accept: text/html"
00054317  "Connection: Close"
0005432a  "Content-Type: application/x-www-"
0005434a  "form-urlencoded"
0005435b  "Content-Length: %d"
00054378  "id=%s&os=%s&plist="
00054390  "POST %s HTTP/1.1"
000543a2  "Host: %s"
000543ac  "User-Agent: %s"
000543bc  "Accept: text/html"
000543cf  "Connection: Close"
000543e2  "Content-Type: application/x-www-"
00054402  "form-urlencoded"
00054413  "Content-Length: %d"
00054430  "id=%s&data=%s"
00054440  "POST %s HTTP/1.1"
00054452  "Host: %s"
0005445c  "User-Agent: %s"
0005446c  "Accept: text/html"
0005447f  "Connection: Close"
00054492  "Content-Type: application/x-www-"
000544b2  "form-urlencoded"
000544c3  "Content-Length: %d"
000544e0  "GET %s HTTP/1.0"
000544f1  "Host: %s"
000544fb  "User-Agent: %s"
0005450b  "Connection: close"
00054528  "POST /get/scr.html HTTP/1.0"
00054545  "Host: %s"
0005454f  "User-Agent: %s"
0005455f  "Connection: close"
00054572  "Content-Length: %d"
00054586  "Content-Type: multipart/form-dat"
000545a6  "a; boundary=--------------------"
000545c6  "-------%d"
000545d4  "-----------------------------%d"
000545f8  "%sContent-Disposition: form-data"
00054618  "; name="id""
00054630  "%sContent-Disposition: form-data"
00054650  "; name="screen"; filename="%d""
00054670  "Content-Type: application/octet-"
00054690  "stream"
000546a0  "%s(%d) : %s"
000546ac  "%s failed with error %d: %s"
000546c8  "%02X"
000546d8  "BlackwoodPRO"
000546e8  "FinamDirect"
000546f4  "GrayBox"
000546fc  "MbtPRO"
00054704  "Laser"
0005470c  "LightSpeed"
00054718  "LTGroup"
00054720  "Mbt"
00054724  "ScotTrader"
00054730  "SaxoTrader"
00054740  "Program:   %s"
0005474f  "Username:  %s"
0005475e  "Password:  %s"
0005476d  "AccountNO: %s"
[...]
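As an added illustration of the String Hint pattern (example code written for this page, not the author's code and not a WinDbg feature), the following Python scanner pulls ASCII and UTF-16LE strings out of a byte buffer the way s -sa and s -su do, then tags the ones that match the kinds of hint discussed above: HTTP request lines and headers, URL schemes, credential-related words, form encodings and printf-style query-string templates. The byte buffer is constructed to mimic the listing above, and the hint rules are assumptions chosen for the demonstration rather than a vetted signature set:

```python
"""String Hint triage: extract ASCII / UTF-16LE strings from a byte buffer
and flag the ones an analyst would want to look at first.

Added example for this page; not the blog author's code and not a WinDbg
feature.  The sample buffer below is constructed, and the hint rules are
assumptions picked for the demonstration, not a vetted signature set.
"""
from __future__ import annotations

import re
from typing import NamedTuple


class FoundString(NamedTuple):
    offset: int     # byte offset within the scanned buffer
    encoding: str   # "ascii" or "utf-16le"
    text: str


def extract_strings(data: bytes, min_len: int = 4) -> list[FoundString]:
    """Return printable runs of at least min_len characters, like 's -sa' / 's -su'."""
    found: list[FoundString] = []
    # ASCII: consecutive printable bytes 0x20..0x7e
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(FoundString(m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: a printable ASCII byte followed by a NUL, repeated
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(FoundString(m.start(), "utf-16le", m.group().decode("utf-16le")))
    found.sort(key=lambda s: s.offset)
    return found


# Hint rules (assumed for this example).  Each is a coarse heuristic: a hit means
# "look at this", not "this is malicious"; a browser module legitimately has all of them.
HINT_RULES = [
    ("http",       re.compile(r"^(?:GET|POST|HEAD|PUT)\s+\S+\s+HTTP/1\.[01]"
                              r"|^(?:Host|User-Agent|Accept|Connection|Content-Type|Content-Length):",
                              re.I)),
    ("url",        re.compile(r"\b(?:https?|ftp)://", re.I)),
    ("credential", re.compile(r"pass(?:word|wd)?|username|login|account", re.I)),
    ("form",       re.compile(r"form-urlencoded|multipart/form-data|Content-Disposition", re.I)),
    ("query",      re.compile(r"\b\w+=%[sd]")),   # printf-style query-string templates
]


def string_hints(strings: list[FoundString]) -> list[tuple[FoundString, list[str]]]:
    """Keep only strings matching at least one hint rule, with the names of the rules hit."""
    hits: list[tuple[FoundString, list[str]]] = []
    for s in strings:
        cats = [name for name, rx in HINT_RULES if rx.search(s.text)]
        if cats:
            hits.append((s, cats))
    return hits


def scan(data: bytes, min_len: int = 4) -> list[tuple[FoundString, list[str]]]:
    return string_hints(extract_strings(data, min_len))


# Constructed sample: PE-header noise, request templates modelled on the listing
# above, credential prompts, and one UTF-16LE URL (example.invalid is a reserved
# test domain, so nothing here points at a real host).
SAMPLE = (
    b"\x00\x00!This program cannot be run in DOS mode.\x00\x00\x00.text\x00\x00"
    b"GET /stat?uptime=%d&downlink=%d&uplink=%d&id=%s&statpass=%s HTTP/1.0\x00"
    b"ftp://%s:%s@%s:%d\x00"
    b"POST %s HTTP/1.1\x00Host: %s\x00User-Agent: %s\x00"
    b"Content-Type: application/x-www-form-urlencoded\x00"
    b"id=%s&brw=%d&type=%d&data=\x00"
    b"Password:  %s\x00AccountNO: %s\x00\x00"
    + "http://example.invalid/gate.php".encode("utf-16le") + b"\x00\x00"
)


def main() -> None:
    # Report in the same offset-first layout as the debugger's s -sa output.
    for s, cats in scan(SAMPLE):
        print(f"{s.offset:08x}  {s.encoding:<8}  {','.join(cats):<22} \"{s.text}\"")


if __name__ == "__main__":
    main()
```

Running it lists only the strings that hit a rule; the DOS-stub text and section names drop out as expected noise, while the GET template is tagged three ways (request line, statpass, query format). The rules deliberately do not try to recognise the product names at the end of the listing above (BlackwoodPRO, SaxoTrader and so on): that part of the pattern is the analyst's judgement about what a module of this purpose should contain, and no keyword list substitutes for it.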

- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -