{ "metadata": { "name": "03-presentation-intro" }, "nbformat": 3, "nbformat_minor": 0, "worksheets": [ { "cells": [ { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Using iPython Notebook for Live Memory Forensics" ] }, { "cell_type": "code", "collapsed": false, "input": [ "from IPython.core.display import Image\n", "from IPython.core.display import HTML\n", "from IPython.lib.display import YouTubeVideo\n" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 1 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "iPython Notebook with Volatility 2.3 Alpha" ] }, { "cell_type": "code", "collapsed": false, "input": [ "'''\n", " apihooks \tDetect API hooks in process and kernel memory\n", "\t\tatoms \tPrint session and window station atom tables\n", "\t\tatomscan \tPool scanner for _RTL_ATOM_TABLE\n", "\t\tbioskbd \tReads the keyboard buffer from Real Mode memory\n", "\t\tcallbacks \tPrint system-wide notification routines\n", "\t\tclipboard \tExtract the contents of the windows clipboard\n", "\t\tcmdscan \tExtract command history by scanning for _COMMAND_HISTORY\n", "\t\tconnections \tPrint list of open connections [Windows XP and 2003 Only]\n", "\t\tconnscan \tScan Physical memory for _TCPT_OBJECT objects (tcp connections)\n", "\t\tconsoles \tExtract command history by scanning for _CONSOLE_INFORMATION\n", "\t\tcrashinfo \tDump crash-dump information\n", "\t\tdeskscan \tPoolscaner for tagDESKTOP (desktops)\n", "\t\tdevicetree \tShow device tree\n", "\t\tdlldump \tDump DLLs from a process address space\n", "\t\tdlllist \tPrint list of loaded dlls for each process\n", "\t\tdriverirp \tDriver IRP hook detection\n", "\t\tdriverscan \tScan for driver objects _DRIVER_OBJECT \n", "\t\tenvars 
\tDisplay process environment variables\n", "\t\teventhooks \tPrint details on windows event hooks\n", "\t\tevtlogs \tExtract Windows Event Logs (XP/2003 only)\n", "\t\tfilescan \tScan Physical memory for _FILE_OBJECT pool allocations\n", "\t\tgahti \tDump the USER handle type information\n", "\t\tgditimers \tPrint installed GDI timers and callbacks\n", "\t\tgdt \tDisplay Global Descriptor Table\n", "\t\tgetservicesids \tGet the names of services in the Registry and return Calculated SID\n", "\t\tgetsids \tPrint the SIDs owning each process\n", "\t\thandles \tPrint list of open handles for each process\n", "\t\thashdump \tDumps passwords hashes (LM/NTLM) from memory\n", "\t\thibinfo \tDump hibernation file information\n", "\t\thivedump \tPrints out a hive\n", "\t\thivelist \tPrint list of registry hives.\n", "\t\thivescan \tScan Physical memory for _CMHIVE objects (registry hives)\n", "\t\thpakextract \tExtract physical memory from an HPAK file\n", "\t\thpakinfo \tInfo on an HPAK file\n", "\t\tidt \tDisplay Interrupt Descriptor Table\n", "\t\tiehistory \tReconstruct Internet Explorer cache / history\n", "\t\timagecopy \tCopies a physical address space out as a raw DD image\n", "\t\timageinfo \tIdentify information for the image \n", "\t\timpscan \tScan for calls to imported functions\n", "\t\tkdbgscan \tSearch for and dump potential KDBG values\n", "\t\tkpcrscan \tSearch for and dump potential KPCR values\n", "\t\tldrmodules \tDetect unlinked DLLs\n", "\t\tlsadump \tDump (decrypted) LSA secrets from the registry\n", "\t\tmalfind \tFind hidden and injected code\n", "\t\tmbrparser \tScans for and parses potential Master Boot Records (MBRs) \n", "\t\tmemdump \tDump the addressable memory for a process\n", "\t\tmemmap \tPrint the memory map\n", "\t\tmessagehooks \tList desktop and thread window message hooks\n", "\t\tmftparser \tScans for and parses potential MFT entries \n", "\t\tmoddump \tDump a kernel driver to an executable file sample\n", "\t\tmodscan \tScan 
Physical memory for _LDR_DATA_TABLE_ENTRY objects\n", "\t\tmodules \tPrint list of loaded modules\n", "\t\tmutantscan \tScan for mutant objects _KMUTANT \n", "\t\tpatcher \tPatches memory based on page scans\n", "\t\tprintkey \tPrint a registry key, and its subkeys and values\n", "\t\tprivs \tDisplay process privileges\n", "\t\tprocexedump \tDump a process to an executable file sample\n", "\t\tprocmemdump \tDump a process to an executable memory sample\n", "\t\tpslist \tPrint all running processes by following the EPROCESS lists \n", "\t\tpsscan \tScan Physical memory for _EPROCESS pool allocations\n", "\t\tpstree \tPrint process list as a tree\n", "\t\tpsxview \tFind hidden processes with various process listings\n", "\t\traw2dmp \tConverts a physical memory sample to a windbg crash dump\n", "\t\tscreenshot \tSave a pseudo-screenshot based on GDI windows\n", "\t\tsessions \tList details on _MM_SESSION_SPACE (user logon sessions)\n", "\t\tshellbags \tPrints ShellBags info\n", "\t\tshimcache \tParses the Application Compatibility Shim Cache registry key\n", "\t\tsockets \tPrint list of open sockets\n", "\t\tsockscan \tScan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)\n", "\t\tssdt \tDisplay SSDT entries\n", "\t\tstrings \tMatch physical offsets to virtual addresses (may take a while, VERY verbose)\n", "\t\tsvcscan \tScan for Windows services\n", "\t\tsymlinkscan \tScan for symbolic link objects \n", "\t\tthrdscan \tScan physical memory for _ETHREAD objects\n", "\t\tthreads \tInvestigate _ETHREAD and _KTHREADs\n", "\t\ttimers \tPrint kernel timers and associated module DPCs\n", "\t\tunloadedmodules\tPrint list of unloaded modules\n", "\t\tuserassist \tPrint userassist registry keys and information\n", "\t\tuserhandles \tDump the USER handle tables\n", "\t\tvaddump \tDumps out the vad sections to a file\n", "\t\tvadinfo \tDump the VAD info\n", "\t\tvadtree \tWalk the VAD tree and display in tree format\n", "\t\tvadwalk \tWalk the VAD tree\n", 
"\t\tvboxinfo \tDump virtualbox information\n", "\t\tvmwareinfo \tDump VMware VMSS/VMSN information\n", "\t\tvolshell \tShell in the memory image\n", "\t\twindows \tPrint Desktop Windows (verbose details)\n", "\t\twintree \tPrint Z-Order Desktop Windows Tree\n", "\t\twndscan \tPool scanner for tagWINDOWSTATION (window stations)\n", "\t\tyarascan \tScan process or kernel memory with Yara signatures\n", "'''\n" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 8 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "imageinfo - Identify information for the image " ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem imageinfo" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Determining profile based on KDBG search...\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ " Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)\r\n", " AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)\r\n", " AS Layer2 : FileAddressSpace (/root/Desktop/mem/memdump.mem)\r\n", " PAE type : PAE\r\n", " DTB : 0x334000L\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ " KDBG : 0x80544ce0L\r\n", " Number of Processors : 1\r\n", " Image Type (Service Pack) : 2\r\n", " KPCR for CPU 0 : 0xffdff000L\r\n", " KUSER_SHARED_DATA : 0xffdf0000L\r\n", " Image date and time : 2013-02-25 18:16:01 UTC+0000\r\n", " Image local date and time : 2013-02-25 13:16:01 -0500\r\n" ] } ], "prompt_number": 2 }, { "cell_type": "heading", 
"level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "pslist - Print all running processes by following the EPROCESS lists " ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pslist" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89c73830 System 4 0 56 327 ------ 0 \r\n", "0x8979b020 smss.exe 384 4 3 21 ------ 0 2013-02-20 21:52:20 UTC+0000 \r\n", "0x8978e238 csrss.exe 608 384 12 448 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x8978e660 winlogon.exe 632 384 19 565 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x89635610 services.exe 676 632 16 283 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x89af0880 lsass.exe 688 632 19 341 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x897a06e8 vmacthlp.exe 896 676 1 24 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x89b54388 svchost.exe 908 676 17 197 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x896f4a78 svchost.exe 972 676 9 276 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x89b04da0 svchost.exe 1120 676 61 1583 0 0 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b02578 svchost.exe 1176 676 5 87 0 0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x89be0460 svchost.exe 1216 676 15 214 0 0 2013-02-20 
21:52:23 UTC+0000 \r\n", "0x89bc9618 spoolsv.exe 1548 676 10 127 0 0 2013-02-20 21:52:24 UTC+0000 \r\n", "0x896fc980 svchost.exe 1684 676 6 89 0 0 2013-02-20 21:52:41 UTC+0000 \r\n", "0x8963e980 vmtoolsd.exe 1848 676 7 270 0 0 2013-02-20 21:52:41 UTC+0000 \r\n", "0x89844020 TPAutoConnSvc.e 452 676 5 101 0 0 2013-02-20 21:52:49 UTC+0000 \r\n", "0x899fd6e0 alg.exe 588 676 6 106 0 0 2013-02-20 21:52:50 UTC+0000 \r\n", "0x89653da0 explorer.exe 2012 1860 13 492 0 0 2013-02-20 21:53:00 UTC+0000 \r\n", "0x89b5eda0 rundll32.exe 808 2012 5 75 0 0 2013-02-20 21:53:01 UTC+0000 \r\n", "0x8979ac20 vmtoolsd.exe 692 2012 6 242 0 0 2013-02-20 21:53:01 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x8979a3c0 TPAutoConnect.e 1032 452 1 63 0 0 2013-02-20 21:53:01 UTC+0000 \r\n", "0x8979a7e8 wscntfy.exe 1168 1120 1 27 0 0 2013-02-20 21:53:02 UTC+0000 \r\n", "0x89838600 wuauclt.exe 2524 1120 3 132 0 0 2013-02-20 21:53:49 UTC+0000 \r\n", "0x89b3a328 chrome.exe 1796 2012 27 814 0 0 2013-02-20 22:02:12 UTC+0000 \r\n", "0x89aae9c8 chrome.exe 1704 1796 6 97 0 0 2013-02-20 22:02:13 UTC+0000 \r\n", "0x88e51358 chrome.exe 1480 1796 7 92 0 0 2013-02-20 22:18:49 UTC+0000 \r\n", "0x89442020 chrome.exe 1308 1796 7 94 0 0 2013-02-20 22:35:57 UTC+0000 \r\n", "0x88cfa970 chrome.exe 1788 1796 7 97 0 0 2013-02-20 22:37:38 UTC+0000 \r\n", "0x88970da0 cmd.exe 2384 2012 1 30 0 0 2013-02-25 05:19:24 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x88f81da0 chrome.exe 856 1796 7 94 0 0 2013-02-25 07:33:05 UTC+0000 \r\n", "0x8853dda0 FTK Imager.exe 3168 2012 8 223 0 0 2013-02-25 18:15:37 UTC+0000 \r\n" ] } ], "prompt_number": 6 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "psscan - Scan Physical memory for _EPROCESS pool allocationsRun BASH commands" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem psscan" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(P) Name PID PPID PDB Time created Time exited \r\n", "---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x086c19c8 chrome.exe 1704 1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x0873dda0 FTK Imager.exe 3168 2012 0x0ff80340 2013-02-25 18:15:37 UTC+0000 \r\n", "0x08b70da0 cmd.exe 2384 2012 0x0ff80300 2013-02-25 05:19:24 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x08efa970 chrome.exe 1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000 \r\n", "0x09051358 chrome.exe 1480 1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000 \r\n", "0x09181da0 chrome.exe 856 1796 0x0ff80460 2013-02-25 07:33:05 UTC+0000 \r\n", "0x095a7380 (?s?@?$? ?s?\bu:? 
23...8 23...0 0x893a73a0 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x09642020 chrome.exe 1308 1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000 \r\n", "0x09787da0 alg.exe 1484 676 0x0fe80180 2013-02-20 21:28:44 UTC+0000 \r\n", "0x09835610 services.exe 676 632 0x0ff80080 2013-02-20 21:52:22 UTC+0000 " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0x0983e980 vmtoolsd.exe 1848 676 0x0ff80200 2013-02-20 21:52:41 UTC+0000 \r\n", "0x09853da0 explorer.exe 2012 1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000 \r\n", "0x098f4a78 svchost.exe 972 676 0x0ff80100 2013-02-20 21:52:22 UTC+0000 \r\n", "0x098fc980 svchost.exe 1684 676 0x0ff801c0 2013-02-20 21:52:41 UTC+0000 \r\n", "0x0998e238 csrss.exe 608 384 0x0ff80040 2013-02-20 21:52:22 UTC+0000 \r\n", "0x0998e660 winlogon.exe 632 384 0x0ff80060 2013-02-20 21:52:22 UTC+0000 \r\n", "0x0999a3c0 TPAutoConnect.e 1032 452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000 \r\n", "0x0999a7e8 wscntfy.exe 1168 1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000 \r\n", "0x0999ac20 vmtoolsd.exe 692 2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000 \r\n", "0x0999b020 smss.exe 384 4 0x0ff80020 2013-02-20 21:52:20 UTC+0000 \r\n", "0x099a06e8 vmacthlp.exe 896 676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x09a2f6e8 vmacthlp.exe 896 676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x09a38600 wuauclt.exe 2524 1120 0x0ff80380 2013-02-20 21:53:49 UTC+0000 \r\n", "0x09a44020 TPAutoConnSvc.e 452 676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x09bfd6e0 alg.exe 588 676 0x0ff801e0 2013-02-20 21:52:50 UTC+0000 \r\n", "0x09cae9c8 chrome.exe 1704 1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000 \r\n", "0x09cf0880 lsass.exe 688 632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x09d02578 svchost.exe 1176 676 0x0ff80140 2013-02-20 21:52:22 UTC+0000 \r\n", "0x09d04da0 svchost.exe 1120 676 0x0ff80120 2013-02-20 21:52:22 UTC+0000 \r\n", "0x09d3a328 chrome.exe 1796 
2012 0x0ff80280 2013-02-20 22:02:12 UTC+0000 \r\n", "0x09d54388 svchost.exe 908 676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000 \r\n", "0x09d5eda0 rundll32.exe 808 2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000 \r\n", "0x09dc9618 spoolsv.exe 1548 676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000 \r\n", "0x09de0460 svchost.exe 1216 676 0x0ff80160 2013-02-20 21:52:23 UTC+0000 \r\n", "0x09e73830 System 4 0 0x00334000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x130d59c8 chrome.exe 1704 1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x13ac03c0 TPAutoConnect.e 1032 452 0x0ff802e0 2013-02-20 21:53:01 UTC+0000 \r\n", "0x13ac07e8 wscntfy.exe 1168 1120 0x0ff80220 2013-02-20 21:53:02 UTC+0000 \r\n", "0x13ac0c20 vmtoolsd.exe 692 2012 0x0ff802c0 2013-02-20 21:53:01 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x1a2f8da0 explorer.exe 2012 1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x1d263980 vmtoolsd.exe 1848 676 0x0ff80200 2013-02-20 21:52:41 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x2006a020 TPAutoConnSvc.e 452 676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000 \r\n", "0x200866e8 vmacthlp.exe 896 676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x23400980 vmtoolsd.exe 1848 676 0x0ff80200 2013-02-20 21:52:41 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x278f1618 spoolsv.exe 1548 676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x281d8970 chrome.exe 1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000 \r\n", "0x287989c8 chrome.exe 1704 1796 0x0ff80400 2013-02-20 22:02:13 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x2b16e970 chrome.exe 1788 1796 0x0ff80360 2013-02-20 22:37:38 
UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x2be156e8 vmacthlp.exe 896 676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x31bacda0 alg.exe 1484 676 0x0fe80180 2013-02-20 21:28:44 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x321e5020 TPAutoConnSvc.e 452 676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x35aacda0 svchost.exe 1120 676 0x0ff80120 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x3cbea578 svchost.exe 1176 676 0x0ff80140 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x43923da0 svchost.exe 1120 676 0x0ff80120 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x45fa5020 chrome.exe 1308 1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x47370358 chrome.exe 1480 1796 0x0ff803c0 2013-02-20 22:18:49 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x4a546da0 rundll32.exe 808 2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x4a8da610 services.exe 676 632 0x0ff80080 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x4d51b830 System 4 0 0x00334000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x4db3c388 svchost.exe 908 676 0x0ff800e0 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x4e64a380 (?s?@?$? ?s?\bu:? 
23...8 23...0 0x893a73a0 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x54457880 lsass.exe 688 632 0x0ff800a0 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x57f9f970 chrome.exe 1788 1796 0x0ff80360 2013-02-20 22:37:38 UTC+0000 " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x586abda0 alg.exe 1484 676 0x0fe80180 2013-02-20 21:28:44 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x5b2dfda0 rundll32.exe 808 2012 0x0ff80180 2013-02-20 21:53:01 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x5b9e0020 TPAutoConnSvc.e 452 676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x5d400618 spoolsv.exe 1548 676 0x0ff801a0 2013-02-20 21:52:24 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x65a816e8 vmacthlp.exe 896 676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x6db39da0 explorer.exe 2012 1860 0x0ff80260 2013-02-20 21:53:00 UTC+0000 " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0x6df34610 services.exe 676 632 0x0ff80080 2013-02-20 21:52:22 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x7494d020 chrome.exe 1308 1796 0x0ff80320 2013-02-20 22:35:57 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x77b5d020 TPAutoConnSvc.e 452 676 0x0ff802a0 2013-02-20 21:52:49 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x7c64c6e8 vmacthlp.exe 896 676 0x0ff800c0 2013-02-20 21:52:22 UTC+0000 \r\n" ] } ], "prompt_number": 8 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "pstree - Print process list as a tree" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem pstree" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Name Pid PPid Thds Hnds Time \r\n", "-------------------------------------------------- ------ ------ ------ ------ --------------------\r\n", " 0x89c73830:System 4 0 56 327 1970-01-0...UTC+0000\r\n", ". 0x8979b020:smss.exe 384 4 3 21 2013-02-2...UTC+0000\r\n", ".. 0x8978e238:csrss.exe 608 384 12 448 2013-02-2...UTC+0000\r\n", ".. 0x8978e660:winlogon.exe 632 384 19 565 2013-02-2...UTC+0000\r\n", "... 0x89635610:services.exe 676 632 16 283 2013-02-2...UTC+0000\r\n", ".... 0x897a06e8:vmacthlp.exe 896 676 1 24 2013-02-2...UTC+0000\r\n", ".... 0x89b54388:svchost.exe 908 676 17 197 2013-02-2...UTC+0000\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ ".... 0x896fc980:svchost.exe 1684 676 6 89 2013-02-2...UTC+0000\r\n", ".... 0x89b02578:svchost.exe 1176 676 5 87 2013-02-2...UTC+0000\r\n", ".... 0x89bc9618:spoolsv.exe 1548 676 10 127 2013-02-2...UTC+0000\r\n", ".... 0x8963e980:vmtoolsd.exe 1848 676 7 270 2013-02-2...UTC+0000\r\n", ".... 0x89be0460:svchost.exe 1216 676 15 214 2013-02-2...UTC+0000\r\n", ".... 0x89b04da0:svchost.exe 1120 676 61 1583 2013-02-2...UTC+0000\r\n", "..... 0x8979a7e8:wscntfy.exe 1168 1120 1 27 2013-02-2...UTC+0000\r\n", "..... 0x89838600:wuauclt.exe 2524 1120 3 132 2013-02-2...UTC+0000\r\n", ".... 0x89844020:TPAutoConnSvc.e 452 676 5 101 2013-02-2...UTC+0000\r\n", "..... 0x8979a3c0:TPAutoConnect.e 1032 452 1 63 2013-02-2...UTC+0000\r\n", ".... 
0x896f4a78:svchost.exe 972 676 9 276 2013-02-2...UTC+0000\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ ".... 0x899fd6e0:alg.exe 588 676 6 106 2013-02-2...UTC+0000\r\n", "... 0x89af0880:lsass.exe 688 632 19 341 2013-02-2...UTC+0000\r\n", " 0x89653da0:explorer.exe 2012 1860 13 492 2013-02-2...UTC+0000\r\n", ". 0x89b3a328:chrome.exe 1796 2012 27 814 2013-02-2...UTC+0000\r\n", ".. 0x89442020:chrome.exe 1308 1796 7 94 2013-02-2...UTC+0000\r\n", ".. 0x88e51358:chrome.exe 1480 1796 7 92 2013-02-2...UTC+0000\r\n", ".. 0x88f81da0:chrome.exe 856 1796 7 94 2013-02-2...UTC+0000\r\n", ".. 0x89aae9c8:chrome.exe 1704 1796 6 97 2013-02-2...UTC+0000\r\n", ".. 0x88cfa970:chrome.exe 1788 1796 7 97 2013-02-2...UTC+0000\r\n", ". 0x89b5eda0:rundll32.exe 808 2012 5 75 2013-02-2...UTC+0000\r\n", ". 0x8979ac20:vmtoolsd.exe 692 2012 6 242 2013-02-2...UTC+0000\r\n", ". 0x88970da0:cmd.exe 2384 2012 1 30 2013-02-2...UTC+0000\r\n", ". 0x8853dda0:FTK Imager.exe 3168 2012 8 223 2013-02-2...UTC+0000\r\n" ] } ], "prompt_number": 9 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "clipboard - Extract the contents of the windows clipboard" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem clipboard" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Session WindowStation Format Handle Object Data \r\n", "---------- ------------- ------------------ ---------- ---------- --------------------------------------------------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ " 0 WinSta0 0xc009L 0x25e1013f 0xe182d1b8 \r\n", " 0 WinSta0 CF_UNICODETEXT 0x0 ---------- \r\n", " 0 WinSta0 0xc013L 0xed00b3 0xe1ebf220 \r\n", " 0 WinSta0 CF_LOCALE 0xbae014b 0xe2498d00 " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", " 0 WinSta0 CF_TEXT 0x1 ---------- \r\n", " 0 WinSta0 CF_OEMTEXT 0x1 ---------- \r\n" ] } ], "prompt_number": 10 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "connections - Print list of open connections [Windows XP and 2003 Only]" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem connections" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(V) Local Address Remote Address Pid\r\n", "---------- ------------------------- ------------------------- ---\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x888e3e70 172.16.158.137:1853 172.16.158.144:4444 1120\r\n", "0x88559e70 172.16.158.137:1854 172.16.158.144:4444 1120\r\n", "0x88570e70 172.16.158.137:2130 172.16.158.144:4444 1120\r\n", "0x88f3c008 172.16.158.137:1855 172.16.158.144:4444 1120\r\n", "0x89681dd8 172.16.158.137:1852 172.16.158.144:4444 1120\r\n", "0x89afea68 172.16.158.137:1856 172.16.158.144:4444 1120\r\n" ] } ], "prompt_number": 12 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "sockets - Print list of open sockets" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(V) PID Port Proto Protocol Address Create Time\r\n", "---------- -------- ------ ------ --------------- --------------- -----------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x8963a008 1176 1031 17 UDP 0.0.0.0 2013-02-20 21:53:01 UTC+0000\r\n", "0x89ba36c8 4 137 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000\r\n", "0x89a98008 688 500 17 UDP 0.0.0.0 2013-02-20 21:52:42 UTC+0000\r\n", "0x89b963c8 1120 1852 6 TCP 0.0.0.0 2013-02-25 05:06:47 UTC+0000\r\n", "0x889fe008 1120 1856 6 TCP 0.0.0.0 2013-02-25 05:17:07 UTC+0000\r\n", "0x89b027e0 4 445 6 TCP 0.0.0.0 2013-02-20 21:52:20 UTC+0000\r\n", "0x896f2e98 972 135 6 TCP 0.0.0.0 2013-02-20 21:52:22 UTC+0000\r\n", "0x893ec880 1176 1121 17 UDP 0.0.0.0 2013-02-20 21:57:42 UTC+0000\r\n", "0x8921be98 4 138 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000\r\n", "0x89b047e8 1120 1853 6 TCP 0.0.0.0 2013-02-25 05:14:29 UTC+0000\r\n", "0x890eee98 1120 123 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000\r\n", "0x88c8c008 1120 123 17 UDP 127.0.0.1 2013-02-25 01:32:26 UTC+0000\r\n", "0x89569820 688 0 255 Reserved 0.0.0.0 2013-02-20 21:52:42 UTC+0000\r\n", "0x88930608 1176 1405 17 UDP 0.0.0.0 2013-02-20 22:40:27 UTC+0000\r\n", "0x89aaad08 1176 1122 17 UDP 0.0.0.0 2013-02-20 21:57:42 UTC+0000\r\n", "0x89718650 1176 1037 17 UDP 0.0.0.0 2013-02-20 21:53:27 UTC+0000\r\n", "0x88667008 1120 1854 6 TCP 0.0.0.0 2013-02-25 05:15:35 UTC+0000\r\n", "0x89551420 588 1026 6 TCP 127.0.0.1 2013-02-20 21:52:50 UTC+0000\r\n" ] }, { 
"output_type": "stream", "stream": "stdout", "text": [ "0x88df7dc0 1216 1900 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000\r\n", "0x88bdbab0 1216 1900 17 UDP 127.0.0.1 2013-02-25 01:32:26 UTC+0000\r\n", "0x89aa8530 1120 2130 6 TCP 0.0.0.0 2013-02-25 18:12:13 UTC+0000\r\n", "0x89644e98 1176 1038 17 UDP 0.0.0.0 2013-02-20 21:53:27 UTC+0000\r\n", "0x897a4200 4 139 6 TCP 172.16.158.137 2013-02-25 01:32:26 UTC+0000\r\n", "0x897afe98 688 4500 17 UDP 0.0.0.0 2013-02-20 21:52:42 UTC+0000\r\n", "0x89bcc548 1120 1855 6 TCP 0.0.0.0 2013-02-25 05:16:28 UTC+0000\r\n", "0x89b02c08 4 445 17 UDP 0.0.0.0 2013-02-20 21:52:20 UTC+0000\r\n" ] } ], "prompt_number": 11 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "hivelist - Print list of registry hives." ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem hivelist\n" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Virtual Physical Name\r\n", "---------- ---------- ----\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xe1eeeb60 0x14902b60 \\Device\\HarddiskVolume1\\Documents and Settings\\test\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat\r\n", "0xe1f1d008 0x16215008 \\Device\\HarddiskVolume1\\Documents and Settings\\test\\NTUSER.DAT\r\n", "0xe19a57c8 0x121777c8 \\Device\\HarddiskVolume1\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat\r\n", "0xe199c008 0x121eb008 \\Device\\HarddiskVolume1\\Documents and 
Settings\\LocalService\\NTUSER.DAT\r\n", "0xe1980008 0x11d68008 \\Device\\HarddiskVolume1\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat\r\n", "0xe1974b60 0x11cd8b60 \\Device\\HarddiskVolume1\\Documents and Settings\\NetworkService\\NTUSER.DAT\r\n", "0xe1635b60 0x0fde0b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software\r\n", "0xe1603758 0x0f8d9758 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\default\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xe162ab60 0x0fe1bb60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM\r\n", "0xe16176c8 0x0f8e46c8 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SECURITY\r\n", "0xe13e2b60 0x0a720b60 [no name]\r\n", "0xe1035b60 0x0a370b60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system\r\n", "0xe102e008 0x0a36a008 [no name]\r\n" ] } ], "prompt_number": 13 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "hashdump - Dumps passwords hashes (LM/NTLM) from memory" ] }, { "cell_type": "code", "collapsed": false, "input": [ "# -s (--sam-offset) = virtual offset of \\WINDOWS\\system32\\config\\SAM, taken from hivelist above\n", "# -y (--sys-offset) = virtual offset of \\WINDOWS\\system32\\config\\system, taken from hivelist above\n", "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem --profile WinXPSP2x86 hashdump -s 0xe162ab60 -y 0xe1035b60\n" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "HelpAssistant:1000:2861afb8a23acec288415edc5b39e173:e85590fb00de5f6acb4bf7594cebd405:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:03755d08479681fbedac638963d0d87b:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "test:1004:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\r\n" ] } ], "prompt_number": 14 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Getting help" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -h" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Usage: Volatility - A memory forensics analysis platform." ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "\r\n", "Options:\r\n", " -h, --help list all available options and their default values.\r\n", " Default values may be set in the configuration file\r\n", " (/etc/volatilityrc)\r\n", " --conf-file=/root/.volatilityrc\r\n", " User based configuration file\r\n", " -d, --debug Debug volatility\r\n", " --plugins=PLUGINS Additional plugin directories to use (colon separated)\r\n", " --info Print information about all registered objects\r\n", " --cache-directory=/root/.cache/volatility\r\n", " Directory where cache files are stored\r\n", " --cache Use caching\r\n", " --tz=TZ Sets the timezone for displaying timestamps\r\n", " -f FILENAME, --filename=FILENAME\r\n", " Filename to use when opening an image\r\n", " --profile=WinXPSP2x86\r\n", " Name of the profile to load\r\n", " -l LOCATION, --location=LOCATION\r\n", " A URN location from which to load an address space\r\n", " -w, --write Enable write support\r\n", " --use-old-as Use the legacy address spaces\r\n", " --dtb=DTB DTB Address\r\n", " --cache-dtb Cache virtual to physical mappings\r\n", " --shift=SHIFT Mac KASLR shift address\r\n", " --output=text Output in this format (format support is module\r\n", " specific)\r\n", " --output-file=OUTPUT_FILE\r\n", " write output in this file\r\n", " -v, --verbose Verbose information\r\n", " -g KDBG, --kdbg=KDBG Specify a specific KDBG virtual address\r\n", " -k KPCR, --kpcr=KPCR Specify a specific KPCR address\r\n" ] }, { 
"output_type": "stream", "stream": "stdout", "text": [ "\r\n", "\tSupported Plugin Commands:\r\n", "\r\n", "\t\tapihooks \tDetect API hooks in process and kernel memory\r\n", "\t\tatoms \tPrint session and window station atom tables\r\n", "\t\tatomscan \tPool scanner for _RTL_ATOM_TABLE\r\n", "\t\tbioskbd \tReads the keyboard buffer from Real Mode memory\r\n", "\t\tcallbacks \tPrint system-wide notification routines\r\n", "\t\tclipboard \tExtract the contents of the windows clipboard\r\n", "\t\tcmdscan \tExtract command history by scanning for _COMMAND_HISTORY\r\n", "\t\tconnections \tPrint list of open connections [Windows XP and 2003 Only]\r\n", "\t\tconnscan \tScan Physical memory for _TCPT_OBJECT objects (tcp connections)\r\n", "\t\tconsoles \tExtract command history by scanning for _CONSOLE_INFORMATION\r\n", "\t\tcrashinfo \tDump crash-dump information\r\n", "\t\tdeskscan \tPoolscaner for tagDESKTOP (desktops)\r\n", "\t\tdevicetree \tShow device tree\r\n", "\t\tdlldump \tDump DLLs from a process address space\r\n", "\t\tdlllist \tPrint list of loaded dlls for each process\r\n", "\t\tdriverirp \tDriver IRP hook detection\r\n", "\t\tdriverscan \tScan for driver objects _DRIVER_OBJECT \r\n", "\t\tenvars \tDisplay process environment variables\r\n", "\t\teventhooks \tPrint details on windows event hooks\r\n", "\t\tevtlogs \tExtract Windows Event Logs (XP/2003 only)\r\n", "\t\tfilescan \tScan Physical memory for _FILE_OBJECT pool allocations\r\n", "\t\tgahti \tDump the USER handle type information\r\n", "\t\tgditimers \tPrint installed GDI timers and callbacks\r\n", "\t\tgdt \tDisplay Global Descriptor Table\r\n", "\t\tgetservicesids \tGet the names of services in the Registry and return Calculated SID\r\n", "\t\tgetsids \tPrint the SIDs owning each process\r\n", "\t\thandles \tPrint list of open handles for each process\r\n", "\t\thashdump \tDumps passwords hashes (LM/NTLM) from memory\r\n", "\t\thibinfo \tDump hibernation file information\r\n", "\t\thivedump 
\tPrints out a hive\r\n", "\t\thivelist \tPrint list of registry hives.\r\n", "\t\thivescan \tScan Physical memory for _CMHIVE objects (registry hives)\r\n", "\t\thpakextract \tExtract physical memory from an HPAK file\r\n", "\t\thpakinfo \tInfo on an HPAK file\r\n", "\t\tidt \tDisplay Interrupt Descriptor Table\r\n", "\t\tiehistory \tReconstruct Internet Explorer cache / history\r\n", "\t\timagecopy \tCopies a physical address space out as a raw DD image\r\n", "\t\timageinfo \tIdentify information for the image \r\n", "\t\timpscan \tScan for calls to imported functions\r\n", "\t\tkdbgscan \tSearch for and dump potential KDBG values\r\n", "\t\tkpcrscan \tSearch for and dump potential KPCR values\r\n", "\t\tldrmodules \tDetect unlinked DLLs\r\n", "\t\tlsadump \tDump (decrypted) LSA secrets from the registry\r\n", "\t\tmalfind \tFind hidden and injected code\r\n", "\t\tmbrparser \tScans for and parses potential Master Boot Records (MBRs) \r\n", "\t\tmemdump \tDump the addressable memory for a process\r\n", "\t\tmemmap \tPrint the memory map\r\n", "\t\tmessagehooks \tList desktop and thread window message hooks\r\n", "\t\tmftparser \tScans for and parses potential MFT entries \r\n", "\t\tmoddump \tDump a kernel driver to an executable file sample\r\n", "\t\tmodscan \tScan Physical memory for _LDR_DATA_TABLE_ENTRY objects\r\n", "\t\tmodules \tPrint list of loaded modules\r\n", "\t\tmutantscan \tScan for mutant objects _KMUTANT \r\n", "\t\tpatcher \tPatches memory based on page scans\r\n", "\t\tprintkey \tPrint a registry key, and its subkeys and values\r\n", "\t\tprivs \tDisplay process privileges\r\n", "\t\tprocexedump \tDump a process to an executable file sample\r\n", "\t\tprocmemdump \tDump a process to an executable memory sample\r\n", "\t\tpslist \tPrint all running processes by following the EPROCESS lists \r\n", "\t\tpsscan \tScan Physical memory for _EPROCESS pool allocations\r\n", "\t\tpstree \tPrint process list as a tree\r\n", "\t\tpsxview \tFind hidden 
processes with various process listings\r\n", "\t\traw2dmp \tConverts a physical memory sample to a windbg crash dump\r\n", "\t\tscreenshot \tSave a pseudo-screenshot based on GDI windows\r\n", "\t\tsessions \tList details on _MM_SESSION_SPACE (user logon sessions)\r\n", "\t\tshellbags \tPrints ShellBags info\r\n", "\t\tshimcache \tParses the Application Compatibility Shim Cache registry key\r\n", "\t\tsockets \tPrint list of open sockets\r\n", "\t\tsockscan \tScan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)\r\n", "\t\tssdt \tDisplay SSDT entries\r\n", "\t\tstrings \tMatch physical offsets to virtual addresses (may take a while, VERY verbose)\r\n", "\t\tsvcscan \tScan for Windows services\r\n", "\t\tsymlinkscan \tScan for symbolic link objects \r\n", "\t\tthrdscan \tScan physical memory for _ETHREAD objects\r\n", "\t\tthreads \tInvestigate _ETHREAD and _KTHREADs\r\n", "\t\ttimers \tPrint kernel timers and associated module DPCs\r\n", "\t\tunloadedmodules\tPrint list of unloaded modules\r\n", "\t\tuserassist \tPrint userassist registry keys and information\r\n", "\t\tuserhandles \tDump the USER handle tables\r\n", "\t\tvaddump \tDumps out the vad sections to a file\r\n", "\t\tvadinfo \tDump the VAD info\r\n", "\t\tvadtree \tWalk the VAD tree and display in tree format\r\n", "\t\tvadwalk \tWalk the VAD tree\r\n", "\t\tvboxinfo \tDump virtualbox information\r\n", "\t\tvmwareinfo \tDump VMware VMSS/VMSN information\r\n", "\t\tvolshell \tShell in the memory image\r\n", "\t\twindows \tPrint Desktop Windows (verbose details)\r\n", "\t\twintree \tPrint Z-Order Desktop Windows Tree\r\n", "\t\twndscan \tPool scanner for tagWINDOWSTATION (window stations)\r\n", "\t\tyarascan \tScan process or kernel memory with Yara signatures\r\n" ] } ], "prompt_number": 15 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "sessions - List details on _MM_SESSION_SPACE (user logon sessions)" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sessions" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "**************************************************\r\n", "Session(V): badcc000 ID: 0 Processes: 29\r\n", "PagedPoolStart: bc000000 PagedPoolEnd bc3fffff\r\n", " Process: 608 csrss.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 632 winlogon.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 676 services.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 688 lsass.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 896 vmacthlp.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 908 svchost.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 972 svchost.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 1120 svchost.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 1176 svchost.exe 2013-02-20 21:52:22 UTC+0000\r\n", " Process: 1216 svchost.exe 2013-02-20 21:52:23 UTC+0000\r\n", " Process: 1548 spoolsv.exe 2013-02-20 21:52:24 UTC+0000\r\n", " Process: 1684 svchost.exe 2013-02-20 21:52:41 UTC+0000\r\n", " Process: 1848 vmtoolsd.exe 2013-02-20 21:52:41 UTC+0000\r\n", " Process: 452 TPAutoConnSvc.e 2013-02-20 21:52:49 UTC+0000\r\n", " Process: 588 alg.exe 2013-02-20 21:52:50 UTC+0000\r\n", " Process: 2012 explorer.exe 2013-02-20 21:53:00 UTC+0000\r\n", " Process: 808 rundll32.exe 2013-02-20 21:53:01 UTC+0000\r\n", " Process: 692 vmtoolsd.exe 2013-02-20 21:53:01 UTC+0000\r\n", " Process: 1032 TPAutoConnect.e 2013-02-20 21:53:01 UTC+0000\r\n", " Process: 1168 wscntfy.exe 2013-02-20 21:53:02 
UTC+0000\r\n", " Process: 2524 wuauclt.exe 2013-02-20 21:53:49 UTC+0000\r\n", " Process: 1796 chrome.exe 2013-02-20 22:02:12 UTC+0000\r\n", " Process: 1704 chrome.exe 2013-02-20 22:02:13 UTC+0000\r\n", " Process: 1480 chrome.exe 2013-02-20 22:18:49 UTC+0000\r\n", " Process: 1308 chrome.exe 2013-02-20 22:35:57 UTC+0000\r\n", " Process: 1788 chrome.exe 2013-02-20 22:37:38 UTC+0000\r\n", " Process: 2384 cmd.exe 2013-02-25 05:19:24 UTC+0000\r\n", " Process: 856 chrome.exe 2013-02-25 07:33:05 UTC+0000\r\n", " Process: 3168 FTK Imager.exe 2013-02-25 18:15:37 UTC+0000\r\n", " Image: 0x898e17b8, Address bf800000, Name: win32k.sys\r\n", " Image: 0x89923590, Address bf9c1000, Name: dxg.sys\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ " Image: 0x89abb3b8, Address bf9d3000, Name: vmx_fb.dll\r\n", " Image: 0x89534a58, Address bffa0000, Name: ATMFD.DLL\r\n", " Image: 0xbf7f009c, Address c05d6e60, Name: \r\n" ] } ], "prompt_number": 17 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Manipulating data into python data structures" ] }, { "cell_type": "code", "collapsed": false, "input": [ "data = !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/memdump.mem pslist\n", "data" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 19, "text": [ "['Volatile Systems Volatility Framework 2.3_alpha',\n", " 'Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ',\n", " '---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------',\n", " '0x89c73830 System 4 0 56 327 ------ 0 ',\n", " '0x8979b020 smss.exe 384 4 3 21 ------ 0 2013-02-20 21:52:20 UTC+0000 ',\n", " '0x8978e238 csrss.exe 608 384 12 448 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x8978e660 winlogon.exe 632 384 19 565 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x89635610 services.exe 676 632 16 283 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x89af0880 lsass.exe 688 632 19 341 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x897a06e8 vmacthlp.exe 896 676 1 24 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x89b54388 svchost.exe 908 676 17 197 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x896f4a78 svchost.exe 972 676 9 276 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x89b04da0 svchost.exe 1120 676 61 1583 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x89b02578 svchost.exe 1176 676 5 87 0 0 2013-02-20 21:52:22 UTC+0000 ',\n", " '0x89be0460 svchost.exe 1216 676 15 214 0 0 2013-02-20 21:52:23 UTC+0000 ',\n", " '0x89bc9618 spoolsv.exe 1548 676 10 127 0 0 2013-02-20 21:52:24 UTC+0000 ',\n", " '0x896fc980 svchost.exe 1684 676 6 89 0 0 2013-02-20 21:52:41 UTC+0000 ',\n", " '0x8963e980 vmtoolsd.exe 1848 676 7 270 0 0 2013-02-20 21:52:41 UTC+0000 ',\n", " '0x89844020 TPAutoConnSvc.e 452 676 5 101 0 0 2013-02-20 21:52:49 UTC+0000 ',\n", " '0x899fd6e0 alg.exe 588 676 6 106 0 0 2013-02-20 21:52:50 UTC+0000 ',\n", " 
'0x89653da0 explorer.exe 2012 1860 13 492 0 0 2013-02-20 21:53:00 UTC+0000 ',\n", " '0x89b5eda0 rundll32.exe 808 2012 5 75 0 0 2013-02-20 21:53:01 UTC+0000 ',\n", " '0x8979ac20 vmtoolsd.exe 692 2012 6 242 0 0 2013-02-20 21:53:01 UTC+0000 ',\n", " '0x8979a3c0 TPAutoConnect.e 1032 452 1 63 0 0 2013-02-20 21:53:01 UTC+0000 ',\n", " '0x8979a7e8 wscntfy.exe 1168 1120 1 27 0 0 2013-02-20 21:53:02 UTC+0000 ',\n", " '0x89838600 wuauclt.exe 2524 1120 3 132 0 0 2013-02-20 21:53:49 UTC+0000 ',\n", " '0x89b3a328 chrome.exe 1796 2012 27 814 0 0 2013-02-20 22:02:12 UTC+0000 ',\n", " '0x89aae9c8 chrome.exe 1704 1796 6 97 0 0 2013-02-20 22:02:13 UTC+0000 ',\n", " '0x88e51358 chrome.exe 1480 1796 7 92 0 0 2013-02-20 22:18:49 UTC+0000 ',\n", " '0x89442020 chrome.exe 1308 1796 7 94 0 0 2013-02-20 22:35:57 UTC+0000 ',\n", " '0x88cfa970 chrome.exe 1788 1796 7 97 0 0 2013-02-20 22:37:38 UTC+0000 ',\n", " '0x88970da0 cmd.exe 2384 2012 1 30 0 0 2013-02-25 05:19:24 UTC+0000 ',\n", " '0x88f81da0 chrome.exe 856 1796 7 94 0 0 2013-02-25 07:33:05 UTC+0000 ',\n", " '0x8853dda0 FTK Imager.exe 3168 2012 8 223 0 0 2013-02-25 18:15:37 UTC+0000 ']" ] } ], "prompt_number": 19 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Looking at all the strings in the memory dump" ] }, { "cell_type": "code", "collapsed": false, "input": [ "text_strings = !strings /root/Desktop/mem/memdump.mem" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 21 }, { "cell_type": "code", "collapsed": false, "input": [ "text_strings[0:10]" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 22, "text": [ "['msvcrt.dll',\n", " 'GDI32.dll',\n", " 'KERNEL32.dll',\n", " 'USER32.dll',\n", " 'ADVAPI32.dll',\n", " 'ole32.dll',\n", " 'SHLWAPI.dll',\n", " 'SHDOCVW.dll',\n", " 'msls31.dll',\n", " '__dllonexit']" ] } ], "prompt_number": 22 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Created a small grep function to look for \"Visited:\"" ] }, { "cell_type": "code", "collapsed": false, "input": [ "def greppy(search_term, text_strings):\n", " temp_list=[]\n", " for item in text_strings:\n", " if search_term in item:\n", " temp_list.append(item)\n", " return temp_list\n", "\n", "greppy(\"Visited: test@\", text_strings)" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 26, "text": [ "['wwVisited: test@hcp://system/compatctr/compatmode.htm',\n", " 'Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite',\n", " 'Visited: test@http://www.accessdata.com/downloads.html',\n", " 'Visited: test@http://www.forensicswiki.org/wiki/FTK_Imager',\n", " 'Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1',\n", " 'Visited: test@about:blank',\n", " 'Visited: 
test@https://www.google.com/intl/en/chrome/browser/thankyou.html',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome',\n", " 'Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346',\n", " 'Visited: test@https://www.google.com/intl/en/chrome',\n", " 'Visited: test@file:///C:/Documents%20and%20Settings/test/Desktop/winpmem-1.3.1.zip',\n", " 'Visited: test@about:Home',\n", " 'Visited: test@res://C:\\\\WINDOWS\\\\system32\\\\shdoclc.dll/dnserror.htm',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=mozilla',\n", " 'Visited: test@https://code.google.com/p/volatility/downloads/detail?name=winpmem-1.3.1.zip',\n", " 'Visited: test@http://docs.python.org/faq/windows',\n", " 'Visited: test@https://volatility.googlecode.com/files/winpmem-1.3.1.zip',\n", " 'Visited: test@http://auto.search.msn.com/response.asp?MT=python+window+xp&srch=3&prov=&utf8',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=python+window+xp',\n", " 'Visited: test@http://docs.python.org/2/faq/windows',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=volatility+3+tech+preview+windows',\n", " 'Visited: test@http://www.securitynewsportal.com/securityblogs/article.php?title=FTK_Imager_Lite_2.6.1',\n", " 'Visited: test@http://code.google.com/p/volatility/wiki/VolatilityRoadmap',\n", " 'Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages',\n", " 'Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B86869B5E-2813-D371-C73C-4998ABD3006E%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/ChromeSetup.exe',\n", " 'Visited: test@http://code.google.com/p/volatility/wiki/VolatilityBranches',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=ftk+imager+lite',\n", " 'Visited: test@http://www.accessdata.com/downloads.html',\n", " 'Visited: 
test@http://www.forensicswiki.org/wiki/FTK_Imager',\n", " 'Visited: test@http://www.securitynewsportal.com/itsecurity/index.html?title=FTK_Imager_Lite_2.6.1',\n", " 'Visited: test@about:blank',\n", " 'Visited: test@https://www.google.com/intl/en/chrome/browser/thankyou.html',\n", " 'Visited: test@http://www.bing.com/search?srch=106&FORM=AS6&q=chrome',\n", " 'Visited: test@http://support.google.com/chrome/bin/answer.py?hl=en&answer=95346',\n", " 'Visited: test@https://www.google.com/intl/en/chrome',\n", " 'Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages',\n", " 'Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B86869B5E-2813-D371-C73C-4998ABD3006E%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/ChromeSetup.exe',\n", " 'wwVisited: test@about:blank',\n", " 'wwVisited: test@about:blank',\n", " 'Visited: test@http://code.google.com/p/volatility/wiki/SampleMemoryImages',\n", " 'Visited: test@https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7B86869B5E-2813-D371-C73C-4998ABD3006E%7D%26lang%3Den%26browser%3D2%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers/update2/installers/ChromeSetup.exe']" ] } ], "prompt_number": 26 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Searching for data in sockets" ] }, { "cell_type": "code", "collapsed": false, "input": [ "sockets_list = !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem sockets" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 23 }, { "cell_type": "code", "collapsed": false, "input": [ "for item in sockets_list[3:]:\n", " item = item.split()\n", " if \"172.16.158.137\" in item: \n", " print item[5], item[6], item[7]" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "172.16.158.137 2013-02-25 01:32:26\n", "172.16.158.137 2013-02-25 01:32:26\n", "172.16.158.137 2013-02-25 01:32:26\n", "172.16.158.137 2013-02-25 01:32:26\n", "172.16.158.137 2013-02-25 01:32:26\n" ] } ], "prompt_number": 25 }, { "cell_type": "code", "collapsed": false, "input": [ "sockets_list" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 26, "text": [ "['Volatile Systems Volatility Framework 2.3_alpha',\n", " 'Offset(V) PID Port Proto Protocol Address Create Time',\n", " '---------- -------- ------ ------ --------------- --------------- -----------',\n", " '0x8963a008 1176 1031 17 UDP 0.0.0.0 2013-02-20 21:53:01 UTC+0000',\n", " '0x89ba36c8 4 137 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',\n", " '0x89a98008 688 500 17 UDP 0.0.0.0 2013-02-20 21:52:42 UTC+0000',\n", " '0x89b963c8 1120 1852 6 TCP 0.0.0.0 2013-02-25 05:06:47 UTC+0000',\n", " '0x889fe008 1120 1856 6 TCP 0.0.0.0 2013-02-25 05:17:07 UTC+0000',\n", " '0x89b027e0 4 445 6 TCP 0.0.0.0 2013-02-20 21:52:20 UTC+0000',\n", " '0x896f2e98 972 135 6 TCP 0.0.0.0 2013-02-20 21:52:22 UTC+0000',\n", " '0x893ec880 1176 1121 17 UDP 0.0.0.0 2013-02-20 21:57:42 UTC+0000',\n", " '0x8921be98 4 138 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',\n", " '0x89b047e8 1120 1853 6 TCP 0.0.0.0 2013-02-25 05:14:29 UTC+0000',\n", " 
'0x890eee98 1120 123 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',\n", " '0x88c8c008 1120 123 17 UDP 127.0.0.1 2013-02-25 01:32:26 UTC+0000',\n", " '0x89569820 688 0 255 Reserved 0.0.0.0 2013-02-20 21:52:42 UTC+0000',\n", " '0x88930608 1176 1405 17 UDP 0.0.0.0 2013-02-20 22:40:27 UTC+0000',\n", " '0x89aaad08 1176 1122 17 UDP 0.0.0.0 2013-02-20 21:57:42 UTC+0000',\n", " '0x89718650 1176 1037 17 UDP 0.0.0.0 2013-02-20 21:53:27 UTC+0000',\n", " '0x88667008 1120 1854 6 TCP 0.0.0.0 2013-02-25 05:15:35 UTC+0000',\n", " '0x89551420 588 1026 6 TCP 127.0.0.1 2013-02-20 21:52:50 UTC+0000',\n", " '0x88df7dc0 1216 1900 17 UDP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',\n", " '0x88bdbab0 1216 1900 17 UDP 127.0.0.1 2013-02-25 01:32:26 UTC+0000',\n", " '0x89aa8530 1120 2130 6 TCP 0.0.0.0 2013-02-25 18:12:13 UTC+0000',\n", " '0x89644e98 1176 1038 17 UDP 0.0.0.0 2013-02-20 21:53:27 UTC+0000',\n", " '0x897a4200 4 139 6 TCP 172.16.158.137 2013-02-25 01:32:26 UTC+0000',\n", " '0x897afe98 688 4500 17 UDP 0.0.0.0 2013-02-20 21:52:42 UTC+0000',\n", " '0x89bcc548 1120 1855 6 TCP 0.0.0.0 2013-02-25 05:16:28 UTC+0000',\n", " '0x89b02c08 4 445 17 UDP 0.0.0.0 2013-02-20 21:52:20 UTC+0000']" ] } ], "prompt_number": 26 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Malfind plugin" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem malfind" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: csrss.exe Pid: 608 Address: 0x7f6f0000\r\n", "Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: Protection: 6\r\n", "\r\n", "0x7f6f0000 c8 00 00 00 9c 01 00 00 ff ee ff ee 08 70 00 00 .............p..\r\n", "0x7f6f0010 08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x7f6f0020 00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f ................\r\n", "0x7f6f0030 03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x7f6f0000 c8000000 ENTER 0x0, 0x0\r\n", "0x7f6f0004 9c PUSHF\r\n", "0x7f6f0005 0100 ADD [EAX], EAX\r\n", "0x7f6f0007 00ff ADD BH, BH\r\n", "0x7f6f0009 ee OUT DX, AL\r\n", "0x7f6f000a ff DB 0xff\r\n", "0x7f6f000b ee OUT DX, AL\r\n", "0x7f6f000c 087000 OR [EAX+0x0], DH\r\n", "0x7f6f000f 0008 ADD [EAX], CL\r\n", "0x7f6f0011 0000 ADD [EAX], AL\r\n", "0x7f6f0013 0000 ADD [EAX], AL\r\n", "0x7f6f0015 fe00 INC BYTE [EAX]\r\n", "0x7f6f0017 0000 ADD [EAX], AL\r\n", "0x7f6f0019 0010 ADD [EAX], DL\r\n", "0x7f6f001b 0000 ADD [EAX], AL\r\n", "0x7f6f001d 2000 AND [EAX], AL\r\n", "0x7f6f001f 0000 ADD [EAX], AL\r\n", "0x7f6f0021 0200 ADD AL, [EAX]\r\n", "0x7f6f0023 0000 ADD [EAX], AL\r\n", "0x7f6f0025 2000 AND [EAX], AL\r\n", "0x7f6f0027 008d010000ff ADD [EBP-0xffffff], CL\r\n", "0x7f6f002d ef OUT DX, EAX\r\n", "0x7f6f002e fd STD\r\n", "0x7f6f002f 7f03 JG 0x7f6f0034\r\n", "0x7f6f0031 0008 ADD [EAX], CL\r\n", "0x7f6f0033 06 PUSH ES\r\n", "0x7f6f0034 0000 ADD [EAX], AL\r\n", "0x7f6f0036 0000 ADD [EAX], AL\r\n", "0x7f6f0038 0000 ADD [EAX], AL\r\n", 
"0x7f6f003a 0000 ADD [EAX], AL\r\n", "0x7f6f003c 0000 ADD [EAX], AL\r\n", "0x7f6f003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0x8b40000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 184, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x08b40000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x08b40010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x08b40020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x08b40030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x8b40000 4d DEC EBP\r\n", "0x8b40001 5a POP EDX\r\n", "0x8b40002 e800000000 CALL 0x8b40007\r\n", "0x8b40007 5b POP EBX\r\n", "0x8b40008 52 PUSH EDX\r\n", "0x8b40009 45 INC EBP\r\n", "0x8b4000a 55 PUSH EBP\r\n", "0x8b4000b 89e5 MOV EBP, ESP\r\n", "0x8b4000d 81c337150000 ADD EBX, 0x1537\r\n", "0x8b40013 ffd3 CALL EBX\r\n", "0x8b40015 89c3 MOV EBX, EAX\r\n", "0x8b40017 57 PUSH EDI\r\n", "0x8b40018 6804000000 PUSH DWORD 0x4\r\n", "0x8b4001d 50 PUSH EAX\r\n", "0x8b4001e ffd0 CALL EAX\r\n", "0x8b40020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x8b40025 6805000000 PUSH DWORD 0x5\r\n", "0x8b4002a 50 PUSH EAX\r\n", "0x8b4002b ffd3 CALL EBX\r\n", "0x8b4002d 0000 ADD [EAX], AL\r\n", "0x8b4002f 0000 ADD [EAX], AL\r\n", "0x8b40031 0000 ADD [EAX], AL\r\n", "0x8b40033 0000 ADD [EAX], AL\r\n", "0x8b40035 0000 ADD [EAX], AL\r\n", "0x8b40037 0000 ADD [EAX], AL\r\n", "0x8b40039 0000 ADD [EAX], AL\r\n", "0x8b4003b 00e0 ADD AL, AH\r\n", "0x8b4003d 0000 ADD [EAX], AL\r\n", "0x8b4003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0x16d0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 28, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x016d0000 4d 5a 
90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x016d0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x016d0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x016d0030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................\r\n", "\r\n", "0x16d0000 4d DEC EBP\r\n", "0x16d0001 5a POP EDX\r\n", "0x16d0002 90 NOP\r\n", "0x16d0003 0003 ADD [EBX], AL\r\n", "0x16d0005 0000 ADD [EAX], AL\r\n", "0x16d0007 000400 ADD [EAX+EAX], AL\r\n", "0x16d000a 0000 ADD [EAX], AL\r\n", "0x16d000c ff DB 0xff\r\n", "0x16d000d ff00 INC DWORD [EAX]\r\n", "0x16d000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x16d0015 0000 ADD [EAX], AL\r\n", "0x16d0017 004000 ADD [EAX+0x0], AL\r\n", "0x16d001a 0000 ADD [EAX], AL\r\n", "0x16d001c 0000 ADD [EAX], AL\r\n", "0x16d001e 0000 ADD [EAX], AL\r\n", "0x16d0020 0000 ADD [EAX], AL\r\n", "0x16d0022 0000 ADD [EAX], AL\r\n", "0x16d0024 0000 ADD [EAX], AL\r\n", "0x16d0026 0000 ADD [EAX], AL\r\n", "0x16d0028 0000 ADD [EAX], AL\r\n", "0x16d002a 0000 ADD [EAX], AL\r\n", "0x16d002c 0000 ADD [EAX], AL\r\n", "0x16d002e 0000 ADD [EAX], AL\r\n", "0x16d0030 0000 ADD [EAX], AL\r\n", "0x16d0032 0000 ADD [EAX], AL\r\n", "0x16d0034 0000 ADD [EAX], AL\r\n", "0x16d0036 0000 ADD [EAX], AL\r\n", "0x16d0038 0000 ADD [EAX], AL\r\n", "0x16d003a 0000 ADD [EAX], AL\r\n", "0x16d003c f00000 LOCK ADD [EAX], AL\r\n", "0x16d003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x16f0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 28, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x016f0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x016f0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x016f0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x016f0030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................\r\n", "\r\n", "0x16f0000 4d DEC 
EBP\r\n", "0x16f0001 5a POP EDX\r\n", "0x16f0002 90 NOP\r\n", "0x16f0003 0003 ADD [EBX], AL\r\n", "0x16f0005 0000 ADD [EAX], AL\r\n", "0x16f0007 000400 ADD [EAX+EAX], AL\r\n", "0x16f000a 0000 ADD [EAX], AL\r\n", "0x16f000c ff DB 0xff\r\n", "0x16f000d ff00 INC DWORD [EAX]\r\n", "0x16f000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x16f0015 0000 ADD [EAX], AL\r\n", "0x16f0017 004000 ADD [EAX+0x0], AL\r\n", "0x16f001a 0000 ADD [EAX], AL\r\n", "0x16f001c 0000 ADD [EAX], AL\r\n", "0x16f001e 0000 ADD [EAX], AL\r\n", "0x16f0020 0000 ADD [EAX], AL\r\n", "0x16f0022 0000 ADD [EAX], AL\r\n", "0x16f0024 0000 ADD [EAX], AL\r\n", "0x16f0026 0000 ADD [EAX], AL\r\n", "0x16f0028 0000 ADD [EAX], AL\r\n", "0x16f002a 0000 ADD [EAX], AL\r\n", "0x16f002c 0000 ADD [EAX], AL\r\n", "0x16f002e 0000 ADD [EAX], AL\r\n", "0x16f0030 0000 ADD [EAX], AL\r\n", "0x16f0032 0000 ADD [EAX], AL\r\n", "0x16f0034 0000 ADD [EAX], AL\r\n", "0x16f0036 0000 ADD [EAX], AL\r\n", "0x16f0038 0000 ADD [EAX], AL\r\n", "0x16f003a 0000 ADD [EAX], AL\r\n", "0x16f003c f00000 LOCK ADD [EAX], AL\r\n", "0x16f003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0x2110000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 28, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x02110000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x02110010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x02110020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x02110030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................\r\n", "\r\n", "0x2110000 4d DEC EBP\r\n", "0x2110001 5a POP EDX\r\n", "0x2110002 90 NOP\r\n", "0x2110003 0003 ADD [EBX], AL\r\n", "0x2110005 0000 ADD [EAX], AL\r\n", "0x2110007 000400 ADD [EAX+EAX], AL\r\n", "0x211000a 0000 ADD [EAX], AL\r\n", "0x211000c ff DB 0xff\r\n", "0x211000d ff00 INC DWORD [EAX]\r\n", 
"0x211000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x2110015 0000 ADD [EAX], AL\r\n", "0x2110017 004000 ADD [EAX+0x0], AL\r\n", "0x211001a 0000 ADD [EAX], AL\r\n", "0x211001c 0000 ADD [EAX], AL\r\n", "0x211001e 0000 ADD [EAX], AL\r\n", "0x2110020 0000 ADD [EAX], AL\r\n", "0x2110022 0000 ADD [EAX], AL\r\n", "0x2110024 0000 ADD [EAX], AL\r\n", "0x2110026 0000 ADD [EAX], AL\r\n", "0x2110028 0000 ADD [EAX], AL\r\n", "0x211002a 0000 ADD [EAX], AL\r\n", "0x211002c 0000 ADD [EAX], AL\r\n", "0x211002e 0000 ADD [EAX], AL\r\n", "0x2110030 0000 ADD [EAX], AL\r\n", "0x2110032 0000 ADD [EAX], AL\r\n", "0x2110034 0000 ADD [EAX], AL\r\n", "0x2110036 0000 ADD [EAX], AL\r\n", "0x2110038 0000 ADD [EAX], AL\r\n", "0x211003a 0000 ADD [EAX], AL\r\n", "0x211003c f00000 LOCK ADD [EAX], AL\r\n", "0x211003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x2130000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 28, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x02130000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x02130010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x02130020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x02130030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................\r\n", "\r\n", "0x2130000 4d DEC EBP\r\n", "0x2130001 5a POP EDX\r\n", "0x2130002 90 NOP\r\n", "0x2130003 0003 ADD [EBX], AL\r\n", "0x2130005 0000 ADD [EAX], AL\r\n", "0x2130007 000400 ADD [EAX+EAX], AL\r\n", "0x213000a 0000 ADD [EAX], AL\r\n", "0x213000c ff DB 0xff\r\n", "0x213000d ff00 INC DWORD [EAX]\r\n", "0x213000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x2130015 0000 ADD [EAX], AL\r\n", "0x2130017 004000 ADD [EAX+0x0], AL\r\n", "0x213001a 0000 ADD [EAX], AL\r\n", "0x213001c 0000 ADD [EAX], AL\r\n", "0x213001e 0000 ADD [EAX], AL\r\n", "0x2130020 0000 ADD [EAX], AL\r\n", "0x2130022 0000 ADD [EAX], AL\r\n", "0x2130024 0000 ADD [EAX], AL\r\n", 
"0x2130026 0000 ADD [EAX], AL\r\n", "0x2130028 0000 ADD [EAX], AL\r\n", "0x213002a 0000 ADD [EAX], AL\r\n", "0x213002c 0000 ADD [EAX], AL\r\n", "0x213002e 0000 ADD [EAX], AL\r\n", "0x2130030 0000 ADD [EAX], AL\r\n", "0x2130032 0000 ADD [EAX], AL\r\n", "0x2130034 0000 ADD [EAX], AL\r\n", "0x2130036 0000 ADD [EAX], AL\r\n", "0x2130038 0000 ADD [EAX], AL\r\n", "0x213003a 0000 ADD [EAX], AL\r\n", "0x213003c f00000 LOCK ADD [EAX], AL\r\n", "0x213003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0x3160000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 28, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x03160000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x03160010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x03160020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x03160030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................\r\n", "\r\n", "0x3160000 4d DEC EBP\r\n", "0x3160001 5a POP EDX\r\n", "0x3160002 90 NOP\r\n", "0x3160003 0003 ADD [EBX], AL\r\n", "0x3160005 0000 ADD [EAX], AL\r\n", "0x3160007 000400 ADD [EAX+EAX], AL\r\n", "0x316000a 0000 ADD [EAX], AL\r\n", "0x316000c ff DB 0xff\r\n", "0x316000d ff00 INC DWORD [EAX]\r\n", "0x316000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x3160015 0000 ADD [EAX], AL\r\n", "0x3160017 004000 ADD [EAX+0x0], AL\r\n", "0x316001a 0000 ADD [EAX], AL\r\n", "0x316001c 0000 ADD [EAX], AL\r\n", "0x316001e 0000 ADD [EAX], AL\r\n", "0x3160020 0000 ADD [EAX], AL\r\n", "0x3160022 0000 ADD [EAX], AL\r\n", "0x3160024 0000 ADD [EAX], AL\r\n", "0x3160026 0000 ADD [EAX], AL\r\n", "0x3160028 0000 ADD [EAX], AL\r\n", "0x316002a 0000 ADD [EAX], AL\r\n", "0x316002c 0000 ADD [EAX], AL\r\n", "0x316002e 0000 ADD [EAX], AL\r\n", "0x3160030 0000 ADD [EAX], AL\r\n", "0x3160032 0000 ADD [EAX], AL\r\n", "0x3160034 0000 ADD [EAX], AL\r\n", 
"0x3160036 0000 ADD [EAX], AL\r\n", "0x3160038 0000 ADD [EAX], AL\r\n", "0x316003a 0000 ADD [EAX], AL\r\n", "0x316003c f00000 LOCK ADD [EAX], AL\r\n", "0x316003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0x3430000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 39, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x03430000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x03430010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x03430020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x03430030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................\r\n", "\r\n", "0x3430000 4d DEC EBP\r\n", "0x3430001 5a POP EDX\r\n", "0x3430002 90 NOP\r\n", "0x3430003 0003 ADD [EBX], AL\r\n", "0x3430005 0000 ADD [EAX], AL\r\n", "0x3430007 000400 ADD [EAX+EAX], AL\r\n", "0x343000a 0000 ADD [EAX], AL\r\n", "0x343000c ff DB 0xff\r\n", "0x343000d ff00 INC DWORD [EAX]\r\n", "0x343000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x3430015 0000 ADD [EAX], AL\r\n", "0x3430017 004000 ADD [EAX+0x0], AL\r\n", "0x343001a 0000 ADD [EAX], AL\r\n", "0x343001c 0000 ADD [EAX], AL\r\n", "0x343001e 0000 ADD [EAX], AL\r\n", "0x3430020 0000 ADD [EAX], AL\r\n", "0x3430022 0000 ADD [EAX], AL\r\n", "0x3430024 0000 ADD [EAX], AL\r\n", "0x3430026 0000 ADD [EAX], AL\r\n", "0x3430028 0000 ADD [EAX], AL\r\n", "0x343002a 0000 ADD [EAX], AL\r\n", "0x343002c 0000 ADD [EAX], AL\r\n", "0x343002e 0000 ADD [EAX], AL\r\n", "0x3430030 0000 ADD [EAX], AL\r\n", "0x3430032 0000 ADD [EAX], AL\r\n", "0x3430034 0000 ADD [EAX], AL\r\n", "0x3430036 0000 ADD [EAX], AL\r\n", "0x3430038 0000 ADD [EAX], AL\r\n", "0x343003a 0000 ADD [EAX], AL\r\n", "0x343003c e8 DB 0xe8\r\n", "0x343003d 0000 ADD [EAX], AL\r\n", "0x343003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x7900000\r\n", "Vad Tag: VadS 
Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 191, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x07900000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x07900010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x07900020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x07900030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x7900000 4d DEC EBP\r\n", "0x7900001 5a POP EDX\r\n", "0x7900002 e800000000 CALL 0x7900007\r\n", "0x7900007 5b POP EBX\r\n", "0x7900008 52 PUSH EDX\r\n", "0x7900009 45 INC EBP\r\n", "0x790000a 55 PUSH EBP\r\n", "0x790000b 89e5 MOV EBP, ESP\r\n", "0x790000d 81c337150000 ADD EBX, 0x1537\r\n", "0x7900013 ffd3 CALL EBX\r\n", "0x7900015 89c3 MOV EBX, EAX\r\n", "0x7900017 57 PUSH EDI\r\n", "0x7900018 6804000000 PUSH DWORD 0x4\r\n", "0x790001d 50 PUSH EAX\r\n", "0x790001e ffd0 CALL EAX\r\n", "0x7900020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x7900025 6805000000 PUSH DWORD 0x5\r\n", "0x790002a 50 PUSH EAX\r\n", "0x790002b ffd3 CALL EBX\r\n", "0x790002d 0000 ADD [EAX], AL\r\n", "0x790002f 0000 ADD [EAX], AL\r\n", "0x7900031 0000 ADD [EAX], AL\r\n", "0x7900033 0000 ADD [EAX], AL\r\n", "0x7900035 0000 ADD [EAX], AL\r\n", "0x7900037 0000 ADD [EAX], AL\r\n", "0x7900039 0000 ADD [EAX], AL\r\n", "0x790003b 00e0 ADD AL, AH\r\n", "0x790003d 0000 ADD [EAX], AL\r\n", "0x790003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x6540000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 184, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x06540000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x06540010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x06540020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x06540030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", 
"\r\n", "0x6540000 4d DEC EBP\r\n", "0x6540001 5a POP EDX\r\n", "0x6540002 e800000000 CALL 0x6540007\r\n", "0x6540007 5b POP EBX\r\n", "0x6540008 52 PUSH EDX\r\n", "0x6540009 45 INC EBP\r\n", "0x654000a 55 PUSH EBP\r\n", "0x654000b 89e5 MOV EBP, ESP\r\n", "0x654000d 81c337150000 ADD EBX, 0x1537\r\n", "0x6540013 ffd3 CALL EBX\r\n", "0x6540015 89c3 MOV EBX, EAX\r\n", "0x6540017 57 PUSH EDI\r\n", "0x6540018 6804000000 PUSH DWORD 0x4\r\n", "0x654001d 50 PUSH EAX\r\n", "0x654001e ffd0 CALL EAX\r\n", "0x6540020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x6540025 6805000000 PUSH DWORD 0x5\r\n", "0x654002a 50 PUSH EAX\r\n", "0x654002b ffd3 CALL EBX\r\n", "0x654002d 0000 ADD [EAX], AL\r\n", "0x654002f 0000 ADD [EAX], AL\r\n", "0x6540031 0000 ADD [EAX], AL\r\n", "0x6540033 0000 ADD [EAX], AL\r\n", "0x6540035 0000 ADD [EAX], AL\r\n", "0x6540037 0000 ADD [EAX], AL\r\n", "0x6540039 0000 ADD [EAX], AL\r\n", "0x654003b 00e0 ADD AL, AH\r\n", "0x654003d 0000 ADD [EAX], AL\r\n", "0x654003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x5520000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4113, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x05520000 c8 00 00 00 b8 01 00 00 ff ee ff ee 00 10 04 00 ................\r\n", "0x05520010 00 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x05520020 00 02 00 00 00 20 00 00 30 21 20 00 ff ef fd 7f ........0!......\r\n", "0x05520030 19 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x5520000 c8000000 ENTER 0x0, 0x0\r\n", "0x5520004 b8010000ff MOV EAX, 0xff000001\r\n", "0x5520009 ee OUT DX, AL\r\n", "0x552000a ff DB 0xff\r\n", "0x552000b ee OUT DX, AL\r\n", "0x552000c 0010 ADD [EAX], DL\r\n", "0x552000e 0400 ADD AL, 0x0\r\n", "0x5520010 0000 ADD [EAX], AL\r\n", "0x5520012 0000 ADD [EAX], AL\r\n", "0x5520014 00fe ADD DH, BH\r\n", "0x5520016 0000 ADD [EAX], AL\r\n", "0x5520018 0000 ADD [EAX], AL\r\n", "0x552001a 1000 ADC [EAX], AL\r\n", 
"0x552001c 0020 ADD [EAX], AH\r\n", "0x552001e 0000 ADD [EAX], AL\r\n", "0x5520020 0002 ADD [EDX], AL\r\n", "0x5520022 0000 ADD [EAX], AL\r\n", "0x5520024 0020 ADD [EAX], AH\r\n", "0x5520026 0000 ADD [EAX], AL\r\n", "0x5520028 3021 XOR [ECX], AH\r\n", "0x552002a 2000 AND [EAX], AL\r\n", "0x552002c ff DB 0xff\r\n", "0x552002d ef OUT DX, EAX\r\n", "0x552002e fd STD\r\n", "0x552002f 7f19 JG 0x552004a\r\n", "0x5520031 0008 ADD [EAX], CL\r\n", "0x5520033 06 PUSH ES\r\n", "0x5520034 0000 ADD [EAX], AL\r\n", "0x5520036 0000 ADD [EAX], AL\r\n", "0x5520038 0000 ADD [EAX], AL\r\n", "0x552003a 0000 ADD [EAX], AL\r\n", "0x552003c 0000 ADD [EAX], AL\r\n", "0x552003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x6600000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Flags: CommitCharge: 191, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x06600000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x06600010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x06600020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x06600030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x6600000 4d DEC EBP\r\n", "0x6600001 5a POP EDX\r\n", "0x6600002 e800000000 CALL 0x6600007\r\n", "0x6600007 5b POP EBX\r\n", "0x6600008 52 PUSH EDX\r\n", "0x6600009 45 INC EBP\r\n", "0x660000a 55 PUSH EBP\r\n", "0x660000b 89e5 MOV EBP, ESP\r\n", "0x660000d 81c337150000 ADD EBX, 0x1537\r\n", "0x6600013 ffd3 CALL EBX\r\n", "0x6600015 89c3 MOV EBX, EAX\r\n", "0x6600017 57 PUSH EDI\r\n", "0x6600018 6804000000 PUSH DWORD 0x4\r\n", "0x660001d 50 PUSH EAX\r\n", "0x660001e ffd0 CALL EAX\r\n", "0x6600020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x6600025 6805000000 PUSH DWORD 0x5\r\n", "0x660002a 50 PUSH EAX\r\n", "0x660002b ffd3 CALL EBX\r\n", "0x660002d 0000 ADD [EAX], AL\r\n", "0x660002f 0000 ADD 
[EAX], AL\r\n", "0x6600031 0000 ADD [EAX], AL\r\n", "0x6600033 0000 ADD [EAX], AL\r\n", "0x6600035 0000 ADD [EAX], AL\r\n", "0x6600037 0000 ADD [EAX], AL\r\n", "0x6600039 0000 ADD [EAX], AL\r\n", "0x660003b 00e0 ADD AL, AH\r\n", "0x660003d 0000 ADD [EAX], AL\r\n", "0x660003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x6820000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4113, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x06820000 c8 00 00 00 49 01 00 00 ff ee ff ee 00 10 04 00 ....I...........\r\n", "0x06820010 00 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x06820020 00 02 00 00 00 20 00 00 30 21 20 00 ff ef fd 7f ........0!......\r\n", "0x06820030 1d 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x6820000 c8000000 ENTER 0x0, 0x0\r\n", "0x6820004 49 DEC ECX\r\n", "0x6820005 0100 ADD [EAX], EAX\r\n", "0x6820007 00ff ADD BH, BH\r\n", "0x6820009 ee OUT DX, AL\r\n", "0x682000a ff DB 0xff\r\n", "0x682000b ee OUT DX, AL\r\n", "0x682000c 0010 ADD [EAX], DL\r\n", "0x682000e 0400 ADD AL, 0x0\r\n", "0x6820010 0000 ADD [EAX], AL\r\n", "0x6820012 0000 ADD [EAX], AL\r\n", "0x6820014 00fe ADD DH, BH\r\n", "0x6820016 0000 ADD [EAX], AL\r\n", "0x6820018 0000 ADD [EAX], AL\r\n", "0x682001a 1000 ADC [EAX], AL\r\n", "0x682001c 0020 ADD [EAX], AH\r\n", "0x682001e 0000 ADD [EAX], AL\r\n", "0x6820020 0002 ADD [EDX], AL\r\n", "0x6820022 0000 ADD [EAX], AL\r\n", "0x6820024 0020 ADD [EAX], AH\r\n", "0x6820026 0000 ADD [EAX], AL\r\n", "0x6820028 3021 XOR [ECX], AH\r\n", "0x682002a 2000 AND [EAX], AL\r\n", "0x682002c ff DB 0xff\r\n", "0x682002d ef OUT DX, EAX\r\n", "0x682002e fd STD\r\n", "0x682002f 7f1d JG 0x682004e\r\n", "0x6820031 0008 ADD [EAX], CL\r\n", "0x6820033 06 PUSH ES\r\n", "0x6820034 0000 ADD [EAX], AL\r\n", "0x6820036 0000 ADD [EAX], AL\r\n", "0x6820038 0000 ADD [EAX], AL\r\n", "0x682003a 0000 ADD [EAX], AL\r\n", "0x682003c 0000 ADD [EAX], AL\r\n", 
"0x682003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x67c0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 85, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x067c0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x067c0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x067c0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x067c0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................\r\n", "\r\n", "0x67c0000 4d DEC EBP\r\n", "0x67c0001 5a POP EDX\r\n", "0x67c0002 90 NOP\r\n", "0x67c0003 0003 ADD [EBX], AL\r\n", "0x67c0005 0000 ADD [EAX], AL\r\n", "0x67c0007 000400 ADD [EAX+EAX], AL\r\n", "0x67c000a 0000 ADD [EAX], AL\r\n", "0x67c000c ff DB 0xff\r\n", "0x67c000d ff00 INC DWORD [EAX]\r\n", "0x67c000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x67c0015 0000 ADD [EAX], AL\r\n", "0x67c0017 004000 ADD [EAX+0x0], AL\r\n", "0x67c001a 0000 ADD [EAX], AL\r\n", "0x67c001c 0000 ADD [EAX], AL\r\n", "0x67c001e 0000 ADD [EAX], AL\r\n", "0x67c0020 0000 ADD [EAX], AL\r\n", "0x67c0022 0000 ADD [EAX], AL\r\n", "0x67c0024 0000 ADD [EAX], AL\r\n", "0x67c0026 0000 ADD [EAX], AL\r\n", "0x67c0028 0000 ADD [EAX], AL\r\n", "0x67c002a 0000 ADD [EAX], AL\r\n", "0x67c002c 0000 ADD [EAX], AL\r\n", "0x67c002e 0000 ADD [EAX], AL\r\n", "0x67c0030 0000 ADD [EAX], AL\r\n", "0x67c0032 0000 ADD [EAX], AL\r\n", "0x67c0034 0000 ADD [EAX], AL\r\n", "0x67c0036 0000 ADD [EAX], AL\r\n", "0x67c0038 0000 ADD [EAX], AL\r\n", "0x67c003a 0000 ADD [EAX], AL\r\n", "0x67c003c 0001 ADD [ECX], AL\r\n", "0x67c003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x7840000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 184, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x07840000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x07840010 15 00 
00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x07840020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x07840030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x7840000 4d DEC EBP\r\n", "0x7840001 5a POP EDX\r\n", "0x7840002 e800000000 CALL 0x7840007\r\n", "0x7840007 5b POP EBX\r\n", "0x7840008 52 PUSH EDX\r\n", "0x7840009 45 INC EBP\r\n", "0x784000a 55 PUSH EBP\r\n", "0x784000b 89e5 MOV EBP, ESP\r\n", "0x784000d 81c337150000 ADD EBX, 0x1537\r\n", "0x7840013 ffd3 CALL EBX\r\n", "0x7840015 89c3 MOV EBX, EAX\r\n", "0x7840017 57 PUSH EDI\r\n", "0x7840018 6804000000 PUSH DWORD 0x4\r\n", "0x784001d 50 PUSH EAX\r\n", "0x784001e ffd0 CALL EAX\r\n", "0x7840020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x7840025 6805000000 PUSH DWORD 0x5\r\n", "0x784002a 50 PUSH EAX\r\n", "0x784002b ffd3 CALL EBX\r\n", "0x784002d 0000 ADD [EAX], AL\r\n", "0x784002f 0000 ADD [EAX], AL\r\n", "0x7840031 0000 ADD [EAX], AL\r\n", "0x7840033 0000 ADD [EAX], AL\r\n", "0x7840035 0000 ADD [EAX], AL\r\n", "0x7840037 0000 ADD [EAX], AL\r\n", "0x7840039 0000 ADD [EAX], AL\r\n", "0x784003b 00e0 ADD AL, AH\r\n", "0x784003d 0000 ADD [EAX], AL\r\n", "0x784003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x7ac0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 85, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x07ac0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x07ac0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x07ac0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x07ac0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................\r\n", "\r\n", "0x7ac0000 4d DEC EBP\r\n", "0x7ac0001 5a POP EDX\r\n", "0x7ac0002 90 NOP\r\n", "0x7ac0003 0003 ADD [EBX], AL\r\n", "0x7ac0005 0000 ADD [EAX], AL\r\n", "0x7ac0007 000400 ADD [EAX+EAX], AL\r\n", "0x7ac000a 0000 ADD [EAX], 
AL\r\n", "0x7ac000c ff DB 0xff\r\n", "0x7ac000d ff00 INC DWORD [EAX]\r\n", "0x7ac000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x7ac0015 0000 ADD [EAX], AL\r\n", "0x7ac0017 004000 ADD [EAX+0x0], AL\r\n", "0x7ac001a 0000 ADD [EAX], AL\r\n", "0x7ac001c 0000 ADD [EAX], AL\r\n", "0x7ac001e 0000 ADD [EAX], AL\r\n", "0x7ac0020 0000 ADD [EAX], AL\r\n", "0x7ac0022 0000 ADD [EAX], AL\r\n", "0x7ac0024 0000 ADD [EAX], AL\r\n", "0x7ac0026 0000 ADD [EAX], AL\r\n", "0x7ac0028 0000 ADD [EAX], AL\r\n", "0x7ac002a 0000 ADD [EAX], AL\r\n", "0x7ac002c 0000 ADD [EAX], AL\r\n", "0x7ac002e 0000 ADD [EAX], AL\r\n", "0x7ac0030 0000 ADD [EAX], AL\r\n", "0x7ac0032 0000 ADD [EAX], AL\r\n", "0x7ac0034 0000 ADD [EAX], AL\r\n", "0x7ac0036 0000 ADD [EAX], AL\r\n", "0x7ac0038 0000 ADD [EAX], AL\r\n", "0x7ac003a 0000 ADD [EAX], AL\r\n", "0x7ac003c 0001 ADD [ECX], AL\r\n", "0x7ac003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x7b20000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4113, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x07b20000 c8 00 00 00 0f 01 00 00 ff ee ff ee 00 10 04 00 ................\r\n", "0x07b20010 00 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x07b20020 00 02 00 00 00 20 00 00 30 21 20 00 ff ef fd 7f ........0!......\r\n", "0x07b20030 21 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 !...............\r\n", "\r\n", "0x7b20000 c8000000 ENTER 0x0, 0x0\r\n", "0x7b20004 0f0100 SGDT DWORD [EAX]\r\n", "0x7b20007 00ff ADD BH, BH\r\n", "0x7b20009 ee OUT DX, AL\r\n", "0x7b2000a ff DB 0xff\r\n", "0x7b2000b ee OUT DX, AL\r\n", "0x7b2000c 0010 ADD [EAX], DL\r\n", "0x7b2000e 0400 ADD AL, 0x0\r\n", "0x7b20010 0000 ADD [EAX], AL\r\n", "0x7b20012 0000 ADD [EAX], AL\r\n", "0x7b20014 00fe ADD DH, BH\r\n", "0x7b20016 0000 ADD [EAX], AL\r\n", "0x7b20018 0000 ADD [EAX], AL\r\n", "0x7b2001a 1000 ADC [EAX], AL\r\n", "0x7b2001c 0020 ADD [EAX], AH\r\n", "0x7b2001e 0000 ADD [EAX], AL\r\n", "0x7b20020 0002 ADD 
[EDX], AL\r\n", "0x7b20022 0000 ADD [EAX], AL\r\n", "0x7b20024 0020 ADD [EAX], AH\r\n", "0x7b20026 0000 ADD [EAX], AL\r\n", "0x7b20028 3021 XOR [ECX], AH\r\n", "0x7b2002a 2000 AND [EAX], AL\r\n", "0x7b2002c ff DB 0xff\r\n", "0x7b2002d ef OUT DX, EAX\r\n", "0x7b2002e fd STD\r\n", "0x7b2002f 7f21 JG 0x7b20052\r\n", "0x7b20031 0008 ADD [EAX], CL\r\n", "0x7b20033 06 PUSH ES\r\n", "0x7b20034 0000 ADD [EAX], AL\r\n", "0x7b20036 0000 ADD [EAX], AL\r\n", "0x7b20038 0000 ADD [EAX], AL\r\n", "0x7b2003a 0000 ADD [EAX], AL\r\n", "0x7b2003c 0000 ADD [EAX], AL\r\n", "0x7b2003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0xb200000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 191, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b200000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x0b200010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x0b200020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x0b200030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0xb200000 4d DEC EBP\r\n", "0xb200001 5a POP EDX\r\n", "0xb200002 e800000000 CALL 0xb200007\r\n", "0xb200007 5b POP EBX\r\n", "0xb200008 52 PUSH EDX\r\n", "0xb200009 45 INC EBP\r\n", "0xb20000a 55 PUSH EBP\r\n", "0xb20000b 89e5 MOV EBP, ESP\r\n", "0xb20000d 81c337150000 ADD EBX, 0x1537\r\n", "0xb200013 ffd3 CALL EBX\r\n", "0xb200015 89c3 MOV EBX, EAX\r\n", "0xb200017 57 PUSH EDI\r\n", "0xb200018 6804000000 PUSH DWORD 0x4\r\n", "0xb20001d 50 PUSH EAX\r\n", "0xb20001e ffd0 CALL EAX\r\n", "0xb200020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0xb200025 6805000000 PUSH DWORD 0x5\r\n", "0xb20002a 50 PUSH EAX\r\n", "0xb20002b ffd3 CALL EBX\r\n", "0xb20002d 0000 ADD [EAX], AL\r\n", "0xb20002f 0000 ADD [EAX], AL\r\n", "0xb200031 0000 ADD [EAX], AL\r\n", "0xb200033 0000 ADD [EAX], AL\r\n", 
"0xb200035 0000 ADD [EAX], AL\r\n", "0xb200037 0000 ADD [EAX], AL\r\n", "0xb200039 0000 ADD [EAX], AL\r\n", "0xb20003b 00e0 ADD AL, AH\r\n", "0xb20003d 0000 ADD [EAX], AL\r\n", "0xb20003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x9e40000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 184, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x09e40000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x09e40010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x09e40020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x09e40030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x9e40000 4d DEC EBP\r\n", "0x9e40001 5a POP EDX\r\n", "0x9e40002 e800000000 CALL 0x9e40007\r\n", "0x9e40007 5b POP EBX\r\n", "0x9e40008 52 PUSH EDX\r\n", "0x9e40009 45 INC EBP\r\n", "0x9e4000a 55 PUSH EBP\r\n", "0x9e4000b 89e5 MOV EBP, ESP\r\n", "0x9e4000d 81c337150000 ADD EBX, 0x1537\r\n", "0x9e40013 ffd3 CALL EBX\r\n", "0x9e40015 89c3 MOV EBX, EAX\r\n", "0x9e40017 57 PUSH EDI\r\n", "0x9e40018 6804000000 PUSH DWORD 0x4\r\n", "0x9e4001d 50 PUSH EAX\r\n", "0x9e4001e ffd0 CALL EAX\r\n", "0x9e40020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x9e40025 6805000000 PUSH DWORD 0x5\r\n", "0x9e4002a 50 PUSH EAX\r\n", "0x9e4002b ffd3 CALL EBX\r\n", "0x9e4002d 0000 ADD [EAX], AL\r\n", "0x9e4002f 0000 ADD [EAX], AL\r\n", "0x9e40031 0000 ADD [EAX], AL\r\n", "0x9e40033 0000 ADD [EAX], AL\r\n", "0x9e40035 0000 ADD [EAX], AL\r\n", "0x9e40037 0000 ADD [EAX], AL\r\n", "0x9e40039 0000 ADD [EAX], AL\r\n", "0x9e4003b 00e0 ADD AL, AH\r\n", "0x9e4003d 0000 ADD [EAX], AL\r\n", "0x9e4003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x8dc0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 85, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x08dc0000 4d 5a 90 00 03 00 00 00 04 00 00 00 
ff ff 00 00 MZ..............\r\n", "0x08dc0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x08dc0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x08dc0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................\r\n", "\r\n", "0x8dc0000 4d DEC EBP\r\n", "0x8dc0001 5a POP EDX\r\n", "0x8dc0002 90 NOP\r\n", "0x8dc0003 0003 ADD [EBX], AL\r\n", "0x8dc0005 0000 ADD [EAX], AL\r\n", "0x8dc0007 000400 ADD [EAX+EAX], AL\r\n", "0x8dc000a 0000 ADD [EAX], AL\r\n", "0x8dc000c ff DB 0xff\r\n", "0x8dc000d ff00 INC DWORD [EAX]\r\n", "0x8dc000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x8dc0015 0000 ADD [EAX], AL\r\n", "0x8dc0017 004000 ADD [EAX+0x0], AL\r\n", "0x8dc001a 0000 ADD [EAX], AL\r\n", "0x8dc001c 0000 ADD [EAX], AL\r\n", "0x8dc001e 0000 ADD [EAX], AL\r\n", "0x8dc0020 0000 ADD [EAX], AL\r\n", "0x8dc0022 0000 ADD [EAX], AL\r\n", "0x8dc0024 0000 ADD [EAX], AL\r\n", "0x8dc0026 0000 ADD [EAX], AL\r\n", "0x8dc0028 0000 ADD [EAX], AL\r\n", "0x8dc002a 0000 ADD [EAX], AL\r\n", "0x8dc002c 0000 ADD [EAX], AL\r\n", "0x8dc002e 0000 ADD [EAX], AL\r\n", "0x8dc0030 0000 ADD [EAX], AL\r\n", "0x8dc0032 0000 ADD [EAX], AL\r\n", "0x8dc0034 0000 ADD [EAX], AL\r\n", "0x8dc0036 0000 ADD [EAX], AL\r\n", "0x8dc0038 0000 ADD [EAX], AL\r\n", "0x8dc003a 0000 ADD [EAX], AL\r\n", "0x8dc003c 0001 ADD [ECX], AL\r\n", "0x8dc003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x8c00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 191, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x08c00000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x08c00010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x08c00020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x08c00030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x8c00000 4d DEC EBP\r\n", "0x8c00001 5a POP 
EDX\r\n", "0x8c00002 e800000000 CALL 0x8c00007\r\n", "0x8c00007 5b POP EBX\r\n", "0x8c00008 52 PUSH EDX\r\n", "0x8c00009 45 INC EBP\r\n", "0x8c0000a 55 PUSH EBP\r\n", "0x8c0000b 89e5 MOV EBP, ESP\r\n", "0x8c0000d 81c337150000 ADD EBX, 0x1537\r\n", "0x8c00013 ffd3 CALL EBX\r\n", "0x8c00015 89c3 MOV EBX, EAX\r\n", "0x8c00017 57 PUSH EDI\r\n", "0x8c00018 6804000000 PUSH DWORD 0x4\r\n", "0x8c0001d 50 PUSH EAX\r\n", "0x8c0001e ffd0 CALL EAX\r\n", "0x8c00020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x8c00025 6805000000 PUSH DWORD 0x5\r\n", "0x8c0002a 50 PUSH EAX\r\n", "0x8c0002b ffd3 CALL EBX\r\n", "0x8c0002d 0000 ADD [EAX], AL\r\n", "0x8c0002f 0000 ADD [EAX], AL\r\n", "0x8c00031 0000 ADD [EAX], AL\r\n", "0x8c00033 0000 ADD [EAX], AL\r\n", "0x8c00035 0000 ADD [EAX], AL\r\n", "0x8c00037 0000 ADD [EAX], AL\r\n", "0x8c00039 0000 ADD [EAX], AL\r\n", "0x8c0003b 00e0 ADD AL, AH\r\n", "0x8c0003d 0000 ADD [EAX], AL\r\n", "0x8c0003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x8e20000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4113, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x08e20000 c8 00 00 00 6f 01 00 00 ff ee ff ee 00 10 04 00 ....o...........\r\n", "0x08e20010 00 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x08e20020 00 02 00 00 00 20 00 00 30 21 20 00 ff ef fd 7f ........0!......\r\n", "0x08e20030 25 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 %...............\r\n", "\r\n", "0x8e20000 c8000000 ENTER 0x0, 0x0\r\n", "0x8e20004 6f OUTS DX, DWORD [ESI]\r\n", "0x8e20005 0100 ADD [EAX], EAX\r\n", "0x8e20007 00ff ADD BH, BH\r\n", "0x8e20009 ee OUT DX, AL\r\n", "0x8e2000a ff DB 0xff\r\n", "0x8e2000b ee OUT DX, AL\r\n", "0x8e2000c 0010 ADD [EAX], DL\r\n", "0x8e2000e 0400 ADD AL, 0x0\r\n", "0x8e20010 0000 ADD [EAX], AL\r\n", "0x8e20012 0000 ADD [EAX], AL\r\n", "0x8e20014 00fe ADD DH, BH\r\n", "0x8e20016 0000 ADD [EAX], AL\r\n", "0x8e20018 0000 ADD [EAX], AL\r\n", "0x8e2001a 1000 ADC [EAX], 
AL\r\n", "0x8e2001c 0020 ADD [EAX], AH\r\n", "0x8e2001e 0000 ADD [EAX], AL\r\n", "0x8e20020 0002 ADD [EDX], AL\r\n", "0x8e20022 0000 ADD [EAX], AL\r\n", "0x8e20024 0020 ADD [EAX], AH\r\n", "0x8e20026 0000 ADD [EAX], AL\r\n", "0x8e20028 3021 XOR [ECX], AH\r\n", "0x8e2002a 2000 AND [EAX], AL\r\n", "0x8e2002c ff DB 0xff\r\n", "0x8e2002d ef OUT DX, EAX\r\n", "0x8e2002e fd STD\r\n", "0x8e2002f 7f25 JG 0x8e20056\r\n", "0x8e20031 0008 ADD [EAX], CL\r\n", "0x8e20033 06 PUSH ES\r\n", "0x8e20034 0000 ADD [EAX], AL\r\n", "0x8e20036 0000 ADD [EAX], AL\r\n", "0x8e20038 0000 ADD [EAX], AL\r\n", "0x8e2003a 0000 ADD [EAX], AL\r\n", "0x8e2003c 0000 ADD [EAX], AL\r\n", "0x8e2003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0xa120000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4113, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0a120000 c8 00 00 00 0b 01 00 00 ff ee ff ee 00 10 04 00 ................\r\n", "0x0a120010 00 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x0a120020 00 02 00 00 00 20 00 00 30 21 20 00 ff ef fd 7f ........0!......\r\n", "0x0a120030 29 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 )...............\r\n", "\r\n", "0xa120000 c8000000 ENTER 0x0, 0x0\r\n", "0xa120004 0b01 OR EAX, [ECX]\r\n", "0xa120006 0000 ADD [EAX], AL\r\n", "0xa120008 ff DB 0xff\r\n", "0xa120009 ee OUT DX, AL\r\n", "0xa12000a ff DB 0xff\r\n", "0xa12000b ee OUT DX, AL\r\n", "0xa12000c 0010 ADD [EAX], DL\r\n", "0xa12000e 0400 ADD AL, 0x0\r\n", "0xa120010 0000 ADD [EAX], AL\r\n", "0xa120012 0000 ADD [EAX], AL\r\n", "0xa120014 00fe ADD DH, BH\r\n", "0xa120016 0000 ADD [EAX], AL\r\n", "0xa120018 0000 ADD [EAX], AL\r\n", "0xa12001a 1000 ADC [EAX], AL\r\n", "0xa12001c 0020 ADD [EAX], AH\r\n", "0xa12001e 0000 ADD [EAX], AL\r\n", "0xa120020 0002 ADD [EDX], AL\r\n", "0xa120022 0000 ADD [EAX], AL\r\n", "0xa120024 0020 ADD [EAX], AH\r\n", "0xa120026 
0000 ADD [EAX], AL\r\n", "0xa120028 3021 XOR [ECX], AH\r\n", "0xa12002a 2000 AND [EAX], AL\r\n", "0xa12002c ff DB 0xff\r\n", "0xa12002d ef OUT DX, EAX\r\n", "0xa12002e fd STD\r\n", "0xa12002f 7f29 JG 0xa12005a\r\n", "0xa120031 0008 ADD [EAX], CL\r\n", "0xa120033 06 PUSH ES\r\n", "0xa120034 0000 ADD [EAX], AL\r\n", "0xa120036 0000 ADD [EAX], AL\r\n", "0xa120038 0000 ADD [EAX], AL\r\n", "0xa12003a 0000 ADD [EAX], AL\r\n", "0xa12003c 0000 ADD [EAX], AL\r\n", "0xa12003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0x9f00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 191, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x09f00000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x09f00010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x09f00020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x09f00030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0x9f00000 4d DEC EBP\r\n", "0x9f00001 5a POP EDX\r\n", "0x9f00002 e800000000 CALL 0x9f00007\r\n", "0x9f00007 5b POP EBX\r\n", "0x9f00008 52 PUSH EDX\r\n", "0x9f00009 45 INC EBP\r\n", "0x9f0000a 55 PUSH EBP\r\n", "0x9f0000b 89e5 MOV EBP, ESP\r\n", "0x9f0000d 81c337150000 ADD EBX, 0x1537\r\n", "0x9f00013 ffd3 CALL EBX\r\n", "0x9f00015 89c3 MOV EBX, EAX\r\n", "0x9f00017 57 PUSH EDI\r\n", "0x9f00018 6804000000 PUSH DWORD 0x4\r\n", "0x9f0001d 50 PUSH EAX\r\n", "0x9f0001e ffd0 CALL EAX\r\n", "0x9f00020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0x9f00025 6805000000 PUSH DWORD 0x5\r\n", "0x9f0002a 50 PUSH EAX\r\n", "0x9f0002b ffd3 CALL EBX\r\n", "0x9f0002d 0000 ADD [EAX], AL\r\n", "0x9f0002f 0000 ADD [EAX], AL\r\n", "0x9f00031 0000 ADD [EAX], AL\r\n", "0x9f00033 0000 ADD [EAX], AL\r\n", "0x9f00035 0000 ADD [EAX], AL\r\n", "0x9f00037 0000 ADD [EAX], AL\r\n", "0x9f00039 0000 ADD [EAX], AL\r\n", "0x9f0003b 00e0 ADD AL, AH\r\n", "0x9f0003d 0000 ADD [EAX], 
AL\r\n", "0x9f0003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xa0c0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 85, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0a0c0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x0a0c0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x0a0c0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x0a0c0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................\r\n", "\r\n", "0xa0c0000 4d DEC EBP\r\n", "0xa0c0001 5a POP EDX\r\n", "0xa0c0002 90 NOP\r\n", "0xa0c0003 0003 ADD [EBX], AL\r\n", "0xa0c0005 0000 ADD [EAX], AL\r\n", "0xa0c0007 000400 ADD [EAX+EAX], AL\r\n", "0xa0c000a 0000 ADD [EAX], AL\r\n", "0xa0c000c ff DB 0xff\r\n", "0xa0c000d ff00 INC DWORD [EAX]\r\n", "0xa0c000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0xa0c0015 0000 ADD [EAX], AL\r\n", "0xa0c0017 004000 ADD [EAX+0x0], AL\r\n", "0xa0c001a 0000 ADD [EAX], AL\r\n", "0xa0c001c 0000 ADD [EAX], AL\r\n", "0xa0c001e 0000 ADD [EAX], AL\r\n", "0xa0c0020 0000 ADD [EAX], AL\r\n", "0xa0c0022 0000 ADD [EAX], AL\r\n", "0xa0c0024 0000 ADD [EAX], AL\r\n", "0xa0c0026 0000 ADD [EAX], AL\r\n", "0xa0c0028 0000 ADD [EAX], AL\r\n", "0xa0c002a 0000 ADD [EAX], AL\r\n", "0xa0c002c 0000 ADD [EAX], AL\r\n", "0xa0c002e 0000 ADD [EAX], AL\r\n", "0xa0c0030 0000 ADD [EAX], AL\r\n", "0xa0c0032 0000 ADD [EAX], AL\r\n", "0xa0c0034 0000 ADD [EAX], AL\r\n", "0xa0c0036 0000 ADD [EAX], AL\r\n", "0xa0c0038 0000 ADD [EAX], AL\r\n", "0xa0c003a 0000 ADD [EAX], AL\r\n", "0xa0c003c 0001 ADD [ECX], AL\r\n", "0xa0c003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xb140000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 184, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b140000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x0b140010 15 00 
00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x0b140020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x0b140030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0xb140000 4d DEC EBP\r\n", "0xb140001 5a POP EDX\r\n", "0xb140002 e800000000 CALL 0xb140007\r\n", "0xb140007 5b POP EBX\r\n", "0xb140008 52 PUSH EDX\r\n", "0xb140009 45 INC EBP\r\n", "0xb14000a 55 PUSH EBP\r\n", "0xb14000b 89e5 MOV EBP, ESP\r\n", "0xb14000d 81c337150000 ADD EBX, 0x1537\r\n", "0xb140013 ffd3 CALL EBX\r\n", "0xb140015 89c3 MOV EBX, EAX\r\n", "0xb140017 57 PUSH EDI\r\n", "0xb140018 6804000000 PUSH DWORD 0x4\r\n", "0xb14001d 50 PUSH EAX\r\n", "0xb14001e ffd0 CALL EAX\r\n", "0xb140020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0xb140025 6805000000 PUSH DWORD 0x5\r\n", "0xb14002a 50 PUSH EAX\r\n", "0xb14002b ffd3 CALL EBX\r\n", "0xb14002d 0000 ADD [EAX], AL\r\n", "0xb14002f 0000 ADD [EAX], AL\r\n", "0xb140031 0000 ADD [EAX], AL\r\n", "0xb140033 0000 ADD [EAX], AL\r\n", "0xb140035 0000 ADD [EAX], AL\r\n", "0xb140037 0000 ADD [EAX], AL\r\n", "0xb140039 0000 ADD [EAX], AL\r\n", "0xb14003b 00e0 ADD AL, AH\r\n", "0xb14003d 0000 ADD [EAX], AL\r\n", "0xb14003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xb3c0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 85, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b3c0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x0b3c0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x0b3c0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x0b3c0030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................\r\n", "\r\n", "0xb3c0000 4d DEC EBP\r\n", "0xb3c0001 5a POP EDX\r\n", "0xb3c0002 90 NOP\r\n", "0xb3c0003 0003 ADD [EBX], AL\r\n", "0xb3c0005 0000 ADD [EAX], AL\r\n", "0xb3c0007 000400 ADD [EAX+EAX], AL\r\n", "0xb3c000a 0000 ADD [EAX], 
AL\r\n", "0xb3c000c ff DB 0xff\r\n", "0xb3c000d ff00 INC DWORD [EAX]\r\n", "0xb3c000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0xb3c0015 0000 ADD [EAX], AL\r\n", "0xb3c0017 004000 ADD [EAX+0x0], AL\r\n", "0xb3c001a 0000 ADD [EAX], AL\r\n", "0xb3c001c 0000 ADD [EAX], AL\r\n", "0xb3c001e 0000 ADD [EAX], AL\r\n", "0xb3c0020 0000 ADD [EAX], AL\r\n", "0xb3c0022 0000 ADD [EAX], AL\r\n", "0xb3c0024 0000 ADD [EAX], AL\r\n", "0xb3c0026 0000 ADD [EAX], AL\r\n", "0xb3c0028 0000 ADD [EAX], AL\r\n", "0xb3c002a 0000 ADD [EAX], AL\r\n", "0xb3c002c 0000 ADD [EAX], AL\r\n", "0xb3c002e 0000 ADD [EAX], AL\r\n", "0xb3c0030 0000 ADD [EAX], AL\r\n", "0xb3c0032 0000 ADD [EAX], AL\r\n", "0xb3c0034 0000 ADD [EAX], AL\r\n", "0xb3c0036 0000 ADD [EAX], AL\r\n", "0xb3c0038 0000 ADD [EAX], AL\r\n", "0xb3c003a 0000 ADD [EAX], AL\r\n", "0xb3c003c 0001 ADD [ECX], AL\r\n", "0xb3c003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xb4a0000" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 43, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b4a0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x0b4a0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x0b4a0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x0b4a0030 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 ................\r\n", "\r\n", "0xb4a0000 4d DEC EBP\r\n", "0xb4a0001 5a POP EDX\r\n", "0xb4a0002 90 NOP\r\n", "0xb4a0003 0003 ADD [EBX], AL\r\n", "0xb4a0005 0000 ADD [EAX], AL\r\n", "0xb4a0007 000400 ADD [EAX+EAX], AL\r\n", "0xb4a000a 0000 ADD [EAX], AL\r\n", "0xb4a000c ff DB 0xff\r\n", "0xb4a000d ff00 INC DWORD [EAX]\r\n", "0xb4a000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0xb4a0015 0000 ADD [EAX], AL\r\n", "0xb4a0017 004000 ADD [EAX+0x0], AL\r\n", "0xb4a001a 0000 ADD [EAX], AL\r\n", "0xb4a001c 0000 ADD [EAX], AL\r\n", 
"0xb4a001e 0000 ADD [EAX], AL\r\n", "0xb4a0020 0000 ADD [EAX], AL\r\n", "0xb4a0022 0000 ADD [EAX], AL\r\n", "0xb4a0024 0000 ADD [EAX], AL\r\n", "0xb4a0026 0000 ADD [EAX], AL\r\n", "0xb4a0028 0000 ADD [EAX], AL\r\n", "0xb4a002a 0000 ADD [EAX], AL\r\n", "0xb4a002c 0000 ADD [EAX], AL\r\n", "0xb4a002e 0000 ADD [EAX], AL\r\n", "0xb4a0030 0000 ADD [EAX], AL\r\n", "0xb4a0032 0000 ADD [EAX], AL\r\n", "0xb4a0034 0000 ADD [EAX], AL\r\n", "0xb4a0036 0000 ADD [EAX], AL\r\n", "0xb4a0038 0000 ADD [EAX], AL\r\n", "0xb4a003a 0000 ADD [EAX], AL\r\n", "0xb4a003c e8 DB 0xe8\r\n", "0xb4a003d 0000 ADD [EAX], AL\r\n", "0xb4a003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xb420000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 85, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b420000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x0b420010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x0b420020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x0b420030 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ................\r\n", "\r\n", "0xb420000 4d DEC EBP\r\n", "0xb420001 5a POP EDX\r\n", "0xb420002 90 NOP\r\n", "0xb420003 0003 ADD [EBX], AL\r\n", "0xb420005 0000 ADD [EAX], AL\r\n", "0xb420007 000400 ADD [EAX+EAX], AL\r\n", "0xb42000a 0000 ADD [EAX], AL\r\n", "0xb42000c ff DB 0xff\r\n", "0xb42000d ff00 INC DWORD [EAX]\r\n", "0xb42000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0xb420015 0000 ADD [EAX], AL\r\n", "0xb420017 004000 ADD [EAX+0x0], AL\r\n", "0xb42001a 0000 ADD [EAX], AL\r\n", "0xb42001c 0000 ADD [EAX], AL\r\n", "0xb42001e 0000 ADD [EAX], AL\r\n", "0xb420020 0000 ADD [EAX], AL\r\n", "0xb420022 0000 ADD [EAX], AL\r\n", "0xb420024 0000 ADD [EAX], AL\r\n", "0xb420026 0000 ADD [EAX], AL\r\n", "0xb420028 0000 ADD [EAX], AL\r\n", "0xb42002a 0000 ADD [EAX], AL\r\n", "0xb42002c 0000 ADD [EAX], AL\r\n", "0xb42002e 0000 ADD [EAX], AL\r\n", 
"0xb420030 0000 ADD [EAX], AL\r\n", "0xb420032 0000 ADD [EAX], AL\r\n", "0xb420034 0000 ADD [EAX], AL\r\n", "0xb420036 0000 ADD [EAX], AL\r\n", "0xb420038 0000 ADD [EAX], AL\r\n", "0xb42003a 0000 ADD [EAX], AL\r\n", "0xb42003c 0001 ADD [ECX], AL\r\n", "0xb42003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xb480000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 28, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b480000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x0b480010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x0b480020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x0b480030 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 ................\r\n", "\r\n", "0xb480000 4d DEC EBP\r\n", "0xb480001 5a POP EDX\r\n", "0xb480002 90 NOP\r\n", "0xb480003 0003 ADD [EBX], AL\r\n", "0xb480005 0000 ADD [EAX], AL\r\n", "0xb480007 000400 ADD [EAX+EAX], AL\r\n", "0xb48000a 0000 ADD [EAX], AL\r\n", "0xb48000c ff DB 0xff\r\n", "0xb48000d ff00 INC DWORD [EAX]\r\n", "0xb48000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0xb480015 0000 ADD [EAX], AL\r\n", "0xb480017 004000 ADD [EAX+0x0], AL\r\n", "0xb48001a 0000 ADD [EAX], AL\r\n", "0xb48001c 0000 ADD [EAX], AL\r\n", "0xb48001e 0000 ADD [EAX], AL\r\n", "0xb480020 0000 ADD [EAX], AL\r\n", "0xb480022 0000 ADD [EAX], AL\r\n", "0xb480024 0000 ADD [EAX], AL\r\n", "0xb480026 0000 ADD [EAX], AL\r\n", "0xb480028 0000 ADD [EAX], AL\r\n", "0xb48002a 0000 ADD [EAX], AL\r\n", "0xb48002c 0000 ADD [EAX], AL\r\n", "0xb48002e 0000 ADD [EAX], AL\r\n", "0xb480030 0000 ADD [EAX], AL\r\n", "0xb480032 0000 ADD [EAX], AL\r\n", "0xb480034 0000 ADD [EAX], AL\r\n", "0xb480036 0000 ADD [EAX], AL\r\n", "0xb480038 0000 ADD [EAX], AL\r\n", "0xb48003a 0000 ADD [EAX], AL\r\n", "0xb48003c f00000 LOCK ADD [EAX], AL\r\n", "0xb48003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 
0xb4d0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 184, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b4d0000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x0b4d0010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x0b4d0020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x0b4d0030 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 ................\r\n", "\r\n", "0xb4d0000 4d DEC EBP\r\n", "0xb4d0001 5a POP EDX\r\n", "0xb4d0002 e800000000 CALL 0xb4d0007\r\n", "0xb4d0007 5b POP EBX\r\n", "0xb4d0008 52 PUSH EDX\r\n", "0xb4d0009 45 INC EBP\r\n", "0xb4d000a 55 PUSH EBP\r\n", "0xb4d000b 89e5 MOV EBP, ESP\r\n", "0xb4d000d 81c337150000 ADD EBX, 0x1537\r\n", "0xb4d0013 ffd3 CALL EBX\r\n", "0xb4d0015 89c3 MOV EBX, EAX\r\n", "0xb4d0017 57 PUSH EDI\r\n", "0xb4d0018 6804000000 PUSH DWORD 0x4\r\n", "0xb4d001d 50 PUSH EAX\r\n", "0xb4d001e ffd0 CALL EAX\r\n", "0xb4d0020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0xb4d0025 6805000000 PUSH DWORD 0x5\r\n", "0xb4d002a 50 PUSH EAX\r\n", "0xb4d002b ffd3 CALL EBX\r\n", "0xb4d002d 0000 ADD [EAX], AL\r\n", "0xb4d002f 0000 ADD [EAX], AL\r\n", "0xb4d0031 0000 ADD [EAX], AL\r\n", "0xb4d0033 0000 ADD [EAX], AL\r\n", "0xb4d0035 0000 ADD [EAX], AL\r\n", "0xb4d0037 0000 ADD [EAX], AL\r\n", "0xb4d0039 0000 ADD [EAX], AL\r\n", "0xb4d003b 00e0 ADD AL, AH\r\n", "0xb4d003d 0000 ADD [EAX], AL\r\n", "0xb4d003f 00 DB 0x0\r\n", "\r\n", "Process: svchost.exe Pid: 1120 Address: 0xb590000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 191, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0b590000 4d 5a e8 00 00 00 00 5b 52 45 55 89 e5 81 c3 37 MZ.....[REU....7\r\n", "0x0b590010 15 00 00 ff d3 89 c3 57 68 04 00 00 00 50 ff d0 .......Wh....P..\r\n", "0x0b590020 68 e0 1d 2a 0a 68 05 00 00 00 50 ff d3 00 00 00 h..*.h....P.....\r\n", "0x0b590030 00 00 00 00 00 00 00 00 00 00 00 00 e0 
00 00 00 ................\r\n", "\r\n", "0xb590000 4d DEC EBP\r\n", "0xb590001 5a POP EDX\r\n", "0xb590002 e800000000 CALL 0xb590007\r\n", "0xb590007 5b POP EBX\r\n", "0xb590008 52 PUSH EDX\r\n", "0xb590009 45 INC EBP\r\n", "0xb59000a 55 PUSH EBP\r\n", "0xb59000b 89e5 MOV EBP, ESP\r\n", "0xb59000d 81c337150000 ADD EBX, 0x1537\r\n", "0xb590013 ffd3 CALL EBX\r\n", "0xb590015 89c3 MOV EBX, EAX\r\n", "0xb590017 57 PUSH EDI\r\n", "0xb590018 6804000000 PUSH DWORD 0x4\r\n", "0xb59001d 50 PUSH EAX\r\n", "0xb59001e ffd0 CALL EAX\r\n", "0xb590020 68e01d2a0a PUSH DWORD 0xa2a1de0\r\n", "0xb590025 6805000000 PUSH DWORD 0x5\r\n", "0xb59002a 50 PUSH EAX\r\n", "0xb59002b ffd3 CALL EBX\r\n", "0xb59002d 0000 ADD [EAX], AL\r\n", "0xb59002f 0000 ADD [EAX], AL\r\n", "0xb590031 0000 ADD [EAX], AL\r\n", "0xb590033 0000 ADD [EAX], AL\r\n", "0xb590035 0000 ADD [EAX], AL\r\n", "0xb590037 0000 ADD [EAX], AL\r\n", "0xb590039 0000 ADD [EAX], AL\r\n", "0xb59003b 00e0 ADD AL, AH\r\n", "0xb59003d 0000 ADD [EAX], AL\r\n", "0xb59003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: svchost.exe Pid: 1120 Address: 0xbf60000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4113, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0bf60000 c8 00 00 00 61 01 00 00 ff ee ff ee 00 10 04 00 ....a...........\r\n", "0x0bf60010 00 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x0bf60020 00 02 00 00 00 20 00 00 30 21 20 00 ff ef fd 7f ........0!......\r\n", "0x0bf60030 2e 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xbf60000 c8000000 ENTER 0x0, 0x0\r\n", "0xbf60004 61 POPA\r\n", "0xbf60005 0100 ADD [EAX], EAX\r\n", "0xbf60007 00ff ADD BH, BH\r\n", "0xbf60009 ee OUT DX, AL\r\n", "0xbf6000a ff DB 0xff\r\n", "0xbf6000b ee OUT DX, AL\r\n", "0xbf6000c 0010 ADD [EAX], DL\r\n", "0xbf6000e 0400 ADD AL, 0x0\r\n", "0xbf60010 0000 ADD [EAX], AL\r\n", "0xbf60012 0000 ADD [EAX], AL\r\n", 
"0xbf60014 00fe ADD DH, BH\r\n", "0xbf60016 0000 ADD [EAX], AL\r\n", "0xbf60018 0000 ADD [EAX], AL\r\n", "0xbf6001a 1000 ADC [EAX], AL\r\n", "0xbf6001c 0020 ADD [EAX], AH\r\n", "0xbf6001e 0000 ADD [EAX], AL\r\n", "0xbf60020 0002 ADD [EDX], AL\r\n", "0xbf60022 0000 ADD [EAX], AL\r\n", "0xbf60024 0020 ADD [EAX], AH\r\n", "0xbf60026 0000 ADD [EAX], AL\r\n", "0xbf60028 3021 XOR [ECX], AH\r\n", "0xbf6002a 2000 AND [EAX], AL\r\n", "0xbf6002c ff DB 0xff\r\n", "0xbf6002d ef OUT DX, EAX\r\n", "0xbf6002e fd STD\r\n", "0xbf6002f 7f2e JG 0xbf6005f\r\n", "0xbf60031 0008 ADD [EAX], CL\r\n", "0xbf60033 06 PUSH ES\r\n", "0xbf60034 0000 ADD [EAX], AL\r\n", "0xbf60036 0000 ADD [EAX], AL\r\n", "0xbf60038 0000 ADD [EAX], AL\r\n", "0xbf6003a 0000 ADD [EAX], AL\r\n", "0xbf6003c 0000 ADD [EAX], AL\r\n", "0xbf6003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: explorer.exe Pid: 2012 Address: 0x1930000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01930000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01930010 00 00 93 01 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01930020 10 00 93 01 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01930030 20 00 93 01 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1930000 0000 ADD [EAX], AL\r\n", "0x1930002 0000 ADD [EAX], AL\r\n", "0x1930004 0000 ADD [EAX], AL\r\n", "0x1930006 0000 ADD [EAX], AL\r\n", "0x1930008 0000 ADD [EAX], AL\r\n", "0x193000a 0000 ADD [EAX], AL\r\n", "0x193000c 0000 ADD [EAX], AL\r\n", "0x193000e 0000 ADD [EAX], AL\r\n", "0x1930010 0000 ADD [EAX], AL\r\n", "0x1930012 93 XCHG EBX, EAX\r\n", "0x1930013 0100 ADD [EAX], EAX\r\n", "0x1930015 0000 ADD [EAX], AL\r\n", "0x1930017 0000 ADD [EAX], AL\r\n", "0x1930019 0000 ADD [EAX], AL\r\n", "0x193001b 0000 ADD [EAX], AL\r\n", "0x193001d 0000 ADD 
[EAX], AL\r\n", "0x193001f 0010 ADD [EAX], DL\r\n", "0x1930021 009301000000 ADD [EBX+0x1], DL\r\n", "0x1930027 0000 ADD [EAX], AL\r\n", "0x1930029 0000 ADD [EAX], AL\r\n", "0x193002b 0000 ADD [EAX], AL\r\n", "0x193002d 0000 ADD [EAX], AL\r\n", "0x193002f 0020 ADD [EAX], AH\r\n", "0x1930031 009301000000 ADD [EBX+0x1], DL\r\n", "0x1930037 0000 ADD [EAX], AL\r\n", "0x1930039 0000 ADD [EAX], AL\r\n", "0x193003b 0000 ADD [EAX], AL\r\n", "0x193003d 0000 ADD [EAX], AL\r\n", "0x193003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 1796 Address: 0x63a0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x063a0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x063a0010 00 00 3a 06 00 00 00 00 00 00 00 00 00 00 00 00 ..:.............\r\n", "0x063a0020 10 00 3a 06 00 00 00 00 00 00 00 00 00 00 00 00 ..:.............\r\n", "0x063a0030 20 00 3a 06 00 00 00 00 00 00 00 00 00 00 00 00 ..:.............\r\n", "\r\n", "0x63a0000 0000 ADD [EAX], AL\r\n", "0x63a0002 0000 ADD [EAX], AL\r\n", "0x63a0004 0000 ADD [EAX], AL\r\n", "0x63a0006 0000 ADD [EAX], AL\r\n", "0x63a0008 0000 ADD [EAX], AL\r\n", "0x63a000a 0000 ADD [EAX], AL\r\n", "0x63a000c 0000 ADD [EAX], AL\r\n", "0x63a000e 0000 ADD [EAX], AL\r\n", "0x63a0010 0000 ADD [EAX], AL\r\n", "0x63a0012 3a06 CMP AL, [ESI]\r\n", "0x63a0014 0000 ADD [EAX], AL\r\n", "0x63a0016 0000 ADD [EAX], AL\r\n", "0x63a0018 0000 ADD [EAX], AL\r\n", "0x63a001a 0000 ADD [EAX], AL\r\n", "0x63a001c 0000 ADD [EAX], AL\r\n", "0x63a001e 0000 ADD [EAX], AL\r\n", "0x63a0020 1000 ADC [EAX], AL\r\n", "0x63a0022 3a06 CMP AL, [ESI]\r\n", "0x63a0024 0000 ADD [EAX], AL\r\n", "0x63a0026 0000 ADD [EAX], AL\r\n", "0x63a0028 0000 ADD [EAX], AL\r\n", "0x63a002a 0000 ADD [EAX], AL\r\n", "0x63a002c 0000 ADD [EAX], AL\r\n", "0x63a002e 0000 ADD [EAX], AL\r\n", "0x63a0030 2000 AND [EAX], 
AL\r\n", "0x63a0032 3a06 CMP AL, [ESI]\r\n", "0x63a0034 0000 ADD [EAX], AL\r\n", "0x63a0036 0000 ADD [EAX], AL\r\n", "0x63a0038 0000 ADD [EAX], AL\r\n", "0x63a003a 0000 ADD [EAX], AL\r\n", "0x63a003c 0000 ADD [EAX], AL\r\n", "0x63a003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 1480 Address: 0x7500000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x07500000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x07500010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x07500020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x07500030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x7500000 53 PUSH EBX\r\n", "0x7500001 52 PUSH EDX\r\n", "0x7500002 57 PUSH EDI\r\n", "0x7500003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x7500007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x750000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x750000f 89d7 MOV EDI, EDX\r\n", "0x7500011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x7500017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x750001d 723c JB 0x750005b\r\n", "0x750001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x7500025 7511 JNZ 0x7500038\r\n", "0x7500027 ddd8 FSTP ST0\r\n", "0x7500029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x750002e 6a00 PUSH 0x0\r\n", "0x7500030 dd0424 FLD QWORD [ESP]\r\n", "0x7500033 83c408 ADD ESP, 0x8\r\n", "0x7500036 eb25 JMP 0x750005d\r\n", "0x7500038 89c7 MOV EDI, EAX\r\n", "0x750003a d9eb FLDPI\r\n", "0x750003c dcc0 FADD ST0, ST0\r\n", "0x750003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1480 Address: 0xd700000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0d700000 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 f3 0f WV.|$..t$..L$...\r\n", 
"0x0d700010 6f 06 f3 0f 7f 07 89 fa 83 e2 0f f7 da 83 c2 10 o...............\r\n", "0x0d700020 03 fa 03 f2 2b ca f7 c6 0f 00 00 00 0f 85 5e 00 ....+.........^.\r\n", "0x0d700030 00 00 89 ca c1 e9 05 0f 18 4e 20 66 0f 6f 06 66 .........N.f.o.f\r\n", "\r\n", "0xd700000 57 PUSH EDI\r\n", "0xd700001 56 PUSH ESI\r\n", "0xd700002 8b7c240c MOV EDI, [ESP+0xc]\r\n", "0xd700006 8b742410 MOV ESI, [ESP+0x10]\r\n", "0xd70000a 8b4c2414 MOV ECX, [ESP+0x14]\r\n", "0xd70000e f30f6f06 MOVDQU XMM0, [ESI]\r\n", "0xd700012 f30f7f07 MOVDQU [EDI], XMM0\r\n", "0xd700016 89fa MOV EDX, EDI\r\n", "0xd700018 83e20f AND EDX, 0xf\r\n", "0xd70001b f7da NEG EDX\r\n", "0xd70001d 83c210 ADD EDX, 0x10\r\n", "0xd700020 03fa ADD EDI, EDX\r\n", "0xd700022 03f2 ADD ESI, EDX\r\n", "0xd700024 2bca SUB ECX, EDX\r\n", "0xd700026 f7c60f000000 TEST ESI, 0xf\r\n", "0xd70002c 0f855e000000 JNZ 0xd700090\r\n", "0xd700032 89ca MOV EDX, ECX\r\n", "0xd700034 c1e905 SHR ECX, 0x5\r\n", "0xd700037 0f184e20 PREFETCHT0 [ESI+0x20]\r\n", "0xd70003b 660f6f06 MOVDQA XMM0, [ESI]\r\n", "0xd70003f 66 DB 0x66\r\n", "\r\n", "Process: chrome.exe Pid: 1480 Address: 0x2dd00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x2dd00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x2dd00010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x2dd00020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x2dd00030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x2dd00000 53 PUSH EBX\r\n", "0x2dd00001 52 PUSH EDX\r\n", "0x2dd00002 57 PUSH EDI\r\n", "0x2dd00003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x2dd00007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x2dd0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x2dd0000f 89d7 MOV EDI, EDX\r\n", "0x2dd00011 81e70000f07f AND EDI, 0x7ff00000\r\n", 
"0x2dd00017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x2dd0001d 723c JB 0x2dd0005b\r\n", "0x2dd0001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x2dd00025 7511 JNZ 0x2dd00038\r\n", "0x2dd00027 ddd8 FSTP ST0\r\n", "0x2dd00029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x2dd0002e 6a00 PUSH 0x0\r\n", "0x2dd00030 dd0424 FLD QWORD [ESP]\r\n", "0x2dd00033 83c408 ADD ESP, 0x8\r\n", "0x2dd00036 eb25 JMP 0x2dd0005d\r\n", "0x2dd00038 89c7 MOV EDI, EAX\r\n", "0x2dd0003a d9eb FLDPI\r\n", "0x2dd0003c dcc0 FADD ST0, ST0\r\n", "0x2dd0003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1480 Address: 0x17800000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x17800000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x17800010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x17800020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x17800030 dd 04 24 83 c4 08 eb 27 89 c7 d9 eb dc c0 d9 c1 ..$....'........\r\n", "\r\n", "0x17800000 53 PUSH EBX\r\n", "0x17800001 52 PUSH EDX\r\n", "0x17800002 57 PUSH EDI\r\n", "0x17800003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x17800007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x1780000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x1780000f 89d7 MOV EDI, EDX\r\n", "0x17800011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x17800017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x1780001d 723c JB 0x1780005b\r\n", "0x1780001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x17800025 7511 JNZ 0x17800038\r\n", "0x17800027 ddd8 FSTP ST0\r\n", "0x17800029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x1780002e 6a00 PUSH 0x0\r\n", "0x17800030 dd0424 FLD QWORD [ESP]\r\n", "0x17800033 83c408 ADD ESP, 0x8\r\n", "0x17800036 eb27 JMP 0x1780005f\r\n", "0x17800038 89c7 MOV EDI, EAX\r\n", "0x1780003a d9eb FLDPI\r\n", "0x1780003c dcc0 FADD ST0, ST0\r\n", "0x1780003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1480 Address: 
0x24700000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x24700000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 d9 SRW.D$..\\$..T$..\r\n", "0x24700010 ed d9 c9 d9 f1 5f 5a 5b c3 00 00 00 00 00 00 00 ....._Z[........\r\n", "0x24700020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x24700030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x24700000 53 PUSH EBX\r\n", "0x24700001 52 PUSH EDX\r\n", "0x24700002 57 PUSH EDI\r\n", "0x24700003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x24700007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x2470000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x2470000f d9ed FLDLN2\r\n", "0x24700011 d9c9 FXCH\r\n", "0x24700013 d9f1 FYL2X\r\n", "0x24700015 5f POP EDI\r\n", "0x24700016 5a POP EDX\r\n", "0x24700017 5b POP EBX\r\n", "0x24700018 c3 RET\r\n", "0x24700019 0000 ADD [EAX], AL\r\n", "0x2470001b 0000 ADD [EAX], AL\r\n", "0x2470001d 0000 ADD [EAX], AL\r\n", "0x2470001f 0000 ADD [EAX], AL\r\n", "0x24700021 0000 ADD [EAX], AL\r\n", "0x24700023 0000 ADD [EAX], AL\r\n", "0x24700025 0000 ADD [EAX], AL\r\n", "0x24700027 0000 ADD [EAX], AL\r\n", "0x24700029 0000 ADD [EAX], AL\r\n", "0x2470002b 0000 ADD [EAX], AL\r\n", "0x2470002d 0000 ADD [EAX], AL\r\n", "0x2470002f 0000 ADD [EAX], AL\r\n", "0x24700031 0000 ADD [EAX], AL\r\n", "0x24700033 0000 ADD [EAX], AL\r\n", "0x24700035 0000 ADD [EAX], AL\r\n", "0x24700037 0000 ADD [EAX], AL\r\n", "0x24700039 0000 ADD [EAX], AL\r\n", "0x2470003b 0000 ADD [EAX], AL\r\n", "0x2470003d 0000 ADD [EAX], AL\r\n", "0x2470003f 00 DB 0x0\r\n", "\r\n", "Process: chrome.exe Pid: 1480 Address: 0x3c000000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x3c000000 f2 0f 10 44 24 04 f2 0f 51 c0 f2 0f 11 44 24 04 ...D$...Q....D$.\r\n", "0x3c000010 dd 44 24 04 c3 00 00 00 00 00 00 00 
00 00 00 00 .D$.............\r\n", "0x3c000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x3c000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x3c000000 f20f10442404 MOVSD XMM0, [ESP+0x4]\r\n", "0x3c000006 f20f51c0 SQRTSD XMM0, XMM0\r\n", "0x3c00000a f20f11442404 MOVSD [ESP+0x4], XMM0\r\n", "0x3c000010 dd442404 FLD QWORD [ESP+0x4]\r\n", "0x3c000014 c3 RET\r\n", "0x3c000015 0000 ADD [EAX], AL\r\n", "0x3c000017 0000 ADD [EAX], AL\r\n", "0x3c000019 0000 ADD [EAX], AL\r\n", "0x3c00001b 0000 ADD [EAX], AL\r\n", "0x3c00001d 0000 ADD [EAX], AL\r\n", "0x3c00001f 0000 ADD [EAX], AL\r\n", "0x3c000021 0000 ADD [EAX], AL\r\n", "0x3c000023 0000 ADD [EAX], AL\r\n", "0x3c000025 0000 ADD [EAX], AL\r\n", "0x3c000027 0000 ADD [EAX], AL\r\n", "0x3c000029 0000 ADD [EAX], AL\r\n", "0x3c00002b 0000 ADD [EAX], AL\r\n", "0x3c00002d 0000 ADD [EAX], AL\r\n", "0x3c00002f 0000 ADD [EAX], AL\r\n", "0x3c000031 0000 ADD [EAX], AL\r\n", "0x3c000033 0000 ADD [EAX], AL\r\n", "0x3c000035 0000 ADD [EAX], AL\r\n", "0x3c000037 0000 ADD [EAX], AL\r\n", "0x3c000039 0000 ADD [EAX], AL\r\n", "0x3c00003b 0000 ADD [EAX], AL\r\n", "0x3c00003d 0000 ADD [EAX], AL\r\n", "0x3c00003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 1308 Address: 0xed00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x0ed00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x0ed00010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x0ed00020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x0ed00030 dd 04 24 83 c4 08 eb 27 89 c7 d9 eb dc c0 d9 c1 ..$....'........\r\n", "\r\n", "0xed00000 53 PUSH EBX\r\n", "0xed00001 52 PUSH EDX\r\n", "0xed00002 57 PUSH EDI\r\n", "0xed00003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0xed00007 8b5c2410 
MOV EBX, [ESP+0x10]\r\n", "0xed0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0xed0000f 89d7 MOV EDI, EDX\r\n", "0xed00011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0xed00017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0xed0001d 723c JB 0xed0005b\r\n", "0xed0001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0xed00025 7511 JNZ 0xed00038\r\n", "0xed00027 ddd8 FSTP ST0\r\n", "0xed00029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0xed0002e 6a00 PUSH 0x0\r\n", "0xed00030 dd0424 FLD QWORD [ESP]\r\n", "0xed00033 83c408 ADD ESP, 0x8\r\n", "0xed00036 eb27 JMP 0xed0005f\r\n", "0xed00038 89c7 MOV EDI, EAX\r\n", "0xed0003a d9eb FLDPI\r\n", "0xed0003c dcc0 FADD ST0, ST0\r\n", "0xed0003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1308 Address: 0x36800000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x36800000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x36800010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x36800020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x36800030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x36800000 53 PUSH EBX\r\n", "0x36800001 52 PUSH EDX\r\n", "0x36800002 57 PUSH EDI\r\n", "0x36800003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x36800007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x3680000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x3680000f 89d7 MOV EDI, EDX\r\n", "0x36800011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x36800017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x3680001d 723c JB 0x3680005b\r\n", "0x3680001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x36800025 7511 JNZ 0x36800038\r\n", "0x36800027 ddd8 FSTP ST0\r\n", "0x36800029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x3680002e 6a00 PUSH 0x0\r\n", "0x36800030 dd0424 FLD QWORD [ESP]\r\n", "0x36800033 83c408 ADD ESP, 0x8\r\n", "0x36800036 eb25 JMP 0x3680005d\r\n", "0x36800038 89c7 MOV EDI, EAX\r\n", 
"0x3680003a d9eb FLDPI\r\n", "0x3680003c dcc0 FADD ST0, ST0\r\n", "0x3680003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1308 Address: 0x2fa00000" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x2fa00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x2fa00010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x2fa00020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x2fa00030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x2fa00000 53 PUSH EBX\r\n", "0x2fa00001 52 PUSH EDX\r\n", "0x2fa00002 57 PUSH EDI\r\n", "0x2fa00003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x2fa00007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x2fa0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x2fa0000f 89d7 MOV EDI, EDX\r\n", "0x2fa00011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x2fa00017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x2fa0001d 723c JB 0x2fa0005b\r\n", "0x2fa0001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x2fa00025 7511 JNZ 0x2fa00038\r\n", "0x2fa00027 ddd8 FSTP ST0\r\n", "0x2fa00029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x2fa0002e 6a00 PUSH 0x0\r\n", "0x2fa00030 dd0424 FLD QWORD [ESP]\r\n", "0x2fa00033 83c408 ADD ESP, 0x8\r\n", "0x2fa00036 eb25 JMP 0x2fa0005d\r\n", "0x2fa00038 89c7 MOV EDI, EAX\r\n", "0x2fa0003a d9eb FLDPI\r\n", "0x2fa0003c dcc0 FADD ST0, ST0\r\n", "0x2fa0003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1308 Address: 0x1f800000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x1f800000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 d9 SRW.D$..\\$..T$..\r\n", "0x1f800010 ed d9 c9 d9 f1 5f 5a 5b c3 00 00 00 00 00 00 00 ....._Z[........\r\n", "0x1f800020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 ................\r\n", "0x1f800030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1f800000 53 PUSH EBX\r\n", "0x1f800001 52 PUSH EDX\r\n", "0x1f800002 57 PUSH EDI\r\n", "0x1f800003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x1f800007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x1f80000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x1f80000f d9ed FLDLN2\r\n", "0x1f800011 d9c9 FXCH\r\n", "0x1f800013 d9f1 FYL2X\r\n", "0x1f800015 5f POP EDI\r\n", "0x1f800016 5a POP EDX\r\n", "0x1f800017 5b POP EBX\r\n", "0x1f800018 c3 RET\r\n", "0x1f800019 0000 ADD [EAX], AL\r\n", "0x1f80001b 0000 ADD [EAX], AL\r\n", "0x1f80001d 0000 ADD [EAX], AL\r\n", "0x1f80001f 0000 ADD [EAX], AL\r\n", "0x1f800021 0000 ADD [EAX], AL\r\n", "0x1f800023 0000 ADD [EAX], AL\r\n", "0x1f800025 0000 ADD [EAX], AL\r\n", "0x1f800027 0000 ADD [EAX], AL\r\n", "0x1f800029 0000 ADD [EAX], AL\r\n", "0x1f80002b 0000 ADD [EAX], AL\r\n", "0x1f80002d 0000 ADD [EAX], AL\r\n", "0x1f80002f 0000 ADD [EAX], AL\r\n", "0x1f800031 0000 ADD [EAX], AL\r\n", "0x1f800033 0000 ADD [EAX], AL\r\n", "0x1f800035 0000 ADD [EAX], AL\r\n", "0x1f800037 0000 ADD [EAX], AL\r\n", "0x1f800039 0000 ADD [EAX], AL\r\n", "0x1f80003b 0000 ADD [EAX], AL\r\n", "0x1f80003d 0000 ADD [EAX], AL\r\n", "0x1f80003f 00 DB 0x0\r\n", "\r\n", "Process: chrome.exe Pid: 1308 Address: 0x1de00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x1de00000 f2 0f 10 44 24 04 f2 0f 51 c0 f2 0f 11 44 24 04 ...D$...Q....D$.\r\n", "0x1de00010 dd 44 24 04 c3 00 00 00 00 00 00 00 00 00 00 00 .D$.............\r\n", "0x1de00020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x1de00030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1de00000 f20f10442404 MOVSD XMM0, [ESP+0x4]\r\n", "0x1de00006 f20f51c0 SQRTSD XMM0, XMM0\r\n", "0x1de0000a f20f11442404 MOVSD [ESP+0x4], XMM0\r\n", "0x1de00010 dd442404 
FLD QWORD [ESP+0x4]\r\n", "0x1de00014 c3 RET\r\n", "0x1de00015 0000 ADD [EAX], AL\r\n", "0x1de00017 0000 ADD [EAX], AL\r\n", "0x1de00019 0000 ADD [EAX], AL\r\n", "0x1de0001b 0000 ADD [EAX], AL\r\n", "0x1de0001d 0000 ADD [EAX], AL\r\n", "0x1de0001f 0000 ADD [EAX], AL\r\n", "0x1de00021 0000 ADD [EAX], AL\r\n", "0x1de00023 0000 ADD [EAX], AL\r\n", "0x1de00025 0000 ADD [EAX], AL\r\n", "0x1de00027 0000 ADD [EAX], AL\r\n", "0x1de00029 0000 ADD [EAX], AL\r\n", "0x1de0002b 0000 ADD [EAX], AL\r\n", "0x1de0002d 0000 ADD [EAX], AL\r\n", "0x1de0002f 0000 ADD [EAX], AL\r\n", "0x1de00031 0000 ADD [EAX], AL\r\n", "0x1de00033 0000 ADD [EAX], AL\r\n", "0x1de00035 0000 ADD [EAX], AL\r\n", "0x1de00037 0000 ADD [EAX], AL\r\n", "0x1de00039 0000 ADD [EAX], AL\r\n", "0x1de0003b 0000 ADD [EAX], AL\r\n", "0x1de0003d 0000 ADD [EAX], AL\r\n", "0x1de0003f 00 DB 0x0\r\n", "\r\n", "Process: chrome.exe Pid: 1308 Address: 0x2ce00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x2ce00000 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 f3 0f WV.|$..t$..L$...\r\n", "0x2ce00010 6f 06 f3 0f 7f 07 89 fa 83 e2 0f f7 da 83 c2 10 o...............\r\n", "0x2ce00020 03 fa 03 f2 2b ca f7 c6 0f 00 00 00 0f 85 5e 00 ....+.........^.\r\n", "0x2ce00030 00 00 89 ca c1 e9 05 0f 18 4e 20 66 0f 6f 06 66 .........N.f.o.f\r\n", "\r\n", "0x2ce00000 57 PUSH EDI\r\n", "0x2ce00001 56 PUSH ESI\r\n", "0x2ce00002 8b7c240c MOV EDI, [ESP+0xc]\r\n", "0x2ce00006 8b742410 MOV ESI, [ESP+0x10]\r\n", "0x2ce0000a 8b4c2414 MOV ECX, [ESP+0x14]\r\n", "0x2ce0000e f30f6f06 MOVDQU XMM0, [ESI]\r\n", "0x2ce00012 f30f7f07 MOVDQU [EDI], XMM0\r\n", "0x2ce00016 89fa MOV EDX, EDI\r\n", "0x2ce00018 83e20f AND EDX, 0xf\r\n", "0x2ce0001b f7da NEG EDX\r\n", "0x2ce0001d 83c210 ADD EDX, 0x10\r\n", "0x2ce00020 03fa ADD EDI, EDX\r\n", "0x2ce00022 03f2 ADD ESI, EDX\r\n", "0x2ce00024 2bca SUB ECX, EDX\r\n", "0x2ce00026 f7c60f000000 TEST ESI, 0xf\r\n", 
"0x2ce0002c 0f855e000000 JNZ 0x2ce00090\r\n", "0x2ce00032 89ca MOV EDX, ECX\r\n", "0x2ce00034 c1e905 SHR ECX, 0x5\r\n", "0x2ce00037 0f184e20 PREFETCHT0 [ESI+0x20]\r\n", "0x2ce0003b 660f6f06 MOVDQA XMM0, [ESI]\r\n", "0x2ce0003f 66 DB 0x66\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 1788 Address: 0x1f300000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x1f300000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x1f300010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x1f300020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x1f300030 dd 04 24 83 c4 08 eb 27 89 c7 d9 eb dc c0 d9 c1 ..$....'........\r\n", "\r\n", "0x1f300000 53 PUSH EBX\r\n", "0x1f300001 52 PUSH EDX\r\n", "0x1f300002 57 PUSH EDI\r\n", "0x1f300003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x1f300007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x1f30000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x1f30000f 89d7 MOV EDI, EDX\r\n", "0x1f300011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x1f300017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x1f30001d 723c JB 0x1f30005b\r\n", "0x1f30001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x1f300025 7511 JNZ 0x1f300038\r\n", "0x1f300027 ddd8 FSTP ST0\r\n", "0x1f300029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x1f30002e 6a00 PUSH 0x0\r\n", "0x1f300030 dd0424 FLD QWORD [ESP]\r\n", "0x1f300033 83c408 ADD ESP, 0x8\r\n", "0x1f300036 eb27 JMP 0x1f30005f\r\n", "0x1f300038 89c7 MOV EDI, EAX\r\n", "0x1f30003a d9eb FLDPI\r\n", "0x1f30003c dcc0 FADD ST0, ST0\r\n", "0x1f30003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1788 Address: 0x14c00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x14c00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 
SRW.D$..\\$..T$..\r\n", "0x14c00010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x14c00020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x14c00030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x14c00000 53 PUSH EBX\r\n", "0x14c00001 52 PUSH EDX\r\n", "0x14c00002 57 PUSH EDI\r\n", "0x14c00003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x14c00007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x14c0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x14c0000f 89d7 MOV EDI, EDX\r\n", "0x14c00011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x14c00017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x14c0001d 723c JB 0x14c0005b\r\n", "0x14c0001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x14c00025 7511 JNZ 0x14c00038\r\n", "0x14c00027 ddd8 FSTP ST0\r\n", "0x14c00029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x14c0002e 6a00 PUSH 0x0\r\n", "0x14c00030 dd0424 FLD QWORD [ESP]\r\n", "0x14c00033 83c408 ADD ESP, 0x8\r\n", "0x14c00036 eb25 JMP 0x14c0005d\r\n", "0x14c00038 89c7 MOV EDI, EAX\r\n", "0x14c0003a d9eb FLDPI\r\n", "0x14c0003c dcc0 FADD ST0, ST0\r\n", "0x14c0003e d9c1 FLD ST1\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 1788 Address: 0x3c000000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x3c000000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x3c000010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x3c000020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x3c000030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x3c000000 53 PUSH EBX\r\n", "0x3c000001 52 PUSH EDX\r\n", "0x3c000002 57 PUSH EDI\r\n", "0x3c000003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x3c000007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x3c00000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x3c00000f 89d7 
MOV EDI, EDX\r\n", "0x3c000011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x3c000017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x3c00001d 723c JB 0x3c00005b\r\n", "0x3c00001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x3c000025 7511 JNZ 0x3c000038\r\n", "0x3c000027 ddd8 FSTP ST0\r\n", "0x3c000029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x3c00002e 6a00 PUSH 0x0\r\n", "0x3c000030 dd0424 FLD QWORD [ESP]\r\n", "0x3c000033 83c408 ADD ESP, 0x8\r\n", "0x3c000036 eb25 JMP 0x3c00005d\r\n", "0x3c000038 89c7 MOV EDI, EAX\r\n", "0x3c00003a d9eb FLDPI\r\n", "0x3c00003c dcc0 FADD ST0, ST0\r\n", "0x3c00003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 1788 Address: 0x2c600000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x2c600000 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 f3 0f WV.|$..t$..L$...\r\n", "0x2c600010 6f 06 f3 0f 7f 07 89 fa 83 e2 0f f7 da 83 c2 10 o...............\r\n", "0x2c600020 03 fa 03 f2 2b ca f7 c6 0f 00 00 00 0f 85 5e 00 ....+.........^.\r\n", "0x2c600030 00 00 89 ca c1 e9 05 0f 18 4e 20 66 0f 6f 06 66 .........N.f.o.f\r\n", "\r\n", "0x2c600000 57 PUSH EDI\r\n", "0x2c600001 56 PUSH ESI\r\n", "0x2c600002 8b7c240c MOV EDI, [ESP+0xc]\r\n", "0x2c600006 8b742410 MOV ESI, [ESP+0x10]\r\n", "0x2c60000a 8b4c2414 MOV ECX, [ESP+0x14]\r\n", "0x2c60000e f30f6f06 MOVDQU XMM0, [ESI]\r\n", "0x2c600012 f30f7f07 MOVDQU [EDI], XMM0\r\n", "0x2c600016 89fa MOV EDX, EDI\r\n", "0x2c600018 83e20f AND EDX, 0xf\r\n", "0x2c60001b f7da NEG EDX\r\n", "0x2c60001d 83c210 ADD EDX, 0x10\r\n", "0x2c600020 03fa ADD EDI, EDX\r\n", "0x2c600022 03f2 ADD ESI, EDX\r\n", "0x2c600024 2bca SUB ECX, EDX\r\n", "0x2c600026 f7c60f000000 TEST ESI, 0xf\r\n", "0x2c60002c 0f855e000000 JNZ 0x2c600090\r\n", "0x2c600032 89ca MOV EDX, ECX\r\n", "0x2c600034 c1e905 SHR ECX, 0x5\r\n", "0x2c600037 0f184e20 PREFETCHT0 [ESI+0x20]\r\n", "0x2c60003b 660f6f06 MOVDQA XMM0, [ESI]\r\n", "0x2c60003f 66 DB 0x66\r\n", "\r\n", 
"Process: chrome.exe Pid: 1788 Address: 0x24800000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x24800000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 d9 SRW.D$..\\$..T$..\r\n", "0x24800010 ed d9 c9 d9 f1 5f 5a 5b c3 00 00 00 00 00 00 00 ....._Z[........\r\n", "0x24800020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x24800030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x24800000 53 PUSH EBX\r\n", "0x24800001 52 PUSH EDX\r\n", "0x24800002 57 PUSH EDI\r\n", "0x24800003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x24800007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x2480000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x2480000f d9ed FLDLN2\r\n", "0x24800011 d9c9 FXCH\r\n", "0x24800013 d9f1 FYL2X\r\n", "0x24800015 5f POP EDI\r\n", "0x24800016 5a POP EDX\r\n", "0x24800017 5b POP EBX\r\n", "0x24800018 c3 RET\r\n", "0x24800019 0000 ADD [EAX], AL\r\n", "0x2480001b 0000 ADD [EAX], AL\r\n", "0x2480001d 0000 ADD [EAX], AL\r\n", "0x2480001f 0000 ADD [EAX], AL\r\n", "0x24800021 0000 ADD [EAX], AL\r\n", "0x24800023 0000 ADD [EAX], AL\r\n", "0x24800025 0000 ADD [EAX], AL\r\n", "0x24800027 0000 ADD [EAX], AL\r\n", "0x24800029 0000 ADD [EAX], AL\r\n", "0x2480002b 0000 ADD [EAX], AL\r\n", "0x2480002d 0000 ADD [EAX], AL\r\n", "0x2480002f 0000 ADD [EAX], AL\r\n", "0x24800031 0000 ADD [EAX], AL\r\n", "0x24800033 0000 ADD [EAX], AL\r\n", "0x24800035 0000 ADD [EAX], AL\r\n", "0x24800037 0000 ADD [EAX], AL\r\n", "0x24800039 0000 ADD [EAX], AL\r\n", "0x2480003b 0000 ADD [EAX], AL\r\n", "0x2480003d 0000 ADD [EAX], AL\r\n", "0x2480003f 00 DB 0x0\r\n", "\r\n", "Process: chrome.exe Pid: 1788 Address: 0x1f600000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x1f600000 f2 0f 10 44 24 04 f2 0f 51 c0 f2 0f 11 44 24 04 ...D$...Q....D$.\r\n", 
"0x1f600010 dd 44 24 04 c3 00 00 00 00 00 00 00 00 00 00 00 .D$.............\r\n", "0x1f600020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x1f600030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1f600000 f20f10442404 MOVSD XMM0, [ESP+0x4]\r\n", "0x1f600006 f20f51c0 SQRTSD XMM0, XMM0\r\n", "0x1f60000a f20f11442404 MOVSD [ESP+0x4], XMM0\r\n", "0x1f600010 dd442404 FLD QWORD [ESP+0x4]\r\n", "0x1f600014 c3 RET\r\n", "0x1f600015 0000 ADD [EAX], AL\r\n", "0x1f600017 0000 ADD [EAX], AL\r\n", "0x1f600019 0000 ADD [EAX], AL\r\n", "0x1f60001b 0000 ADD [EAX], AL\r\n", "0x1f60001d 0000 ADD [EAX], AL\r\n", "0x1f60001f 0000 ADD [EAX], AL\r\n", "0x1f600021 0000 ADD [EAX], AL\r\n", "0x1f600023 0000 ADD [EAX], AL\r\n", "0x1f600025 0000 ADD [EAX], AL\r\n", "0x1f600027 0000 ADD [EAX], AL\r\n", "0x1f600029 0000 ADD [EAX], AL\r\n", "0x1f60002b 0000 ADD [EAX], AL\r\n", "0x1f60002d 0000 ADD [EAX], AL\r\n", "0x1f60002f 0000 ADD [EAX], AL\r\n", "0x1f600031 0000 ADD [EAX], AL\r\n", "0x1f600033 0000 ADD [EAX], AL\r\n", "0x1f600035 0000 ADD [EAX], AL\r\n", "0x1f600037 0000 ADD [EAX], AL\r\n", "0x1f600039 0000 ADD [EAX], AL\r\n", "0x1f60003b 0000 ADD [EAX], AL\r\n", "0x1f60003d 0000 ADD [EAX], AL\r\n", "0x1f60003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 856 Address: 0x7b00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x07b00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x07b00010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x07b00020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x07b00030 dd 04 24 83 c4 08 eb 27 89 c7 d9 eb dc c0 d9 c1 ..$....'........\r\n", "\r\n", "0x7b00000 53 PUSH EBX\r\n", "0x7b00001 52 PUSH EDX\r\n", "0x7b00002 57 PUSH EDI\r\n", "0x7b00003 dd442410 
FLD QWORD [ESP+0x10]\r\n", "0x7b00007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x7b0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x7b0000f 89d7 MOV EDI, EDX\r\n", "0x7b00011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x7b00017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x7b0001d 723c JB 0x7b0005b\r\n", "0x7b0001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x7b00025 7511 JNZ 0x7b00038\r\n", "0x7b00027 ddd8 FSTP ST0\r\n", "0x7b00029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x7b0002e 6a00 PUSH 0x0\r\n", "0x7b00030 dd0424 FLD QWORD [ESP]\r\n", "0x7b00033 83c408 ADD ESP, 0x8\r\n", "0x7b00036 eb27 JMP 0x7b0005f\r\n", "0x7b00038 89c7 MOV EDI, EAX\r\n", "0x7b0003a d9eb FLDPI\r\n", "0x7b0003c dcc0 FADD ST0, ST0\r\n", "0x7b0003e d9c1 FLD ST1\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: chrome.exe Pid: 856 Address: 0x3d500000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x3d500000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x3d500010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x3d500020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x3d500030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x3d500000 53 PUSH EBX\r\n", "0x3d500001 52 PUSH EDX\r\n", "0x3d500002 57 PUSH EDI\r\n", "0x3d500003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x3d500007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x3d50000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x3d50000f 89d7 MOV EDI, EDX\r\n", "0x3d500011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x3d500017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x3d50001d 723c JB 0x3d50005b\r\n", "0x3d50001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x3d500025 7511 JNZ 0x3d500038\r\n", "0x3d500027 ddd8 FSTP ST0\r\n", "0x3d500029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x3d50002e 6a00 PUSH 0x0\r\n", "0x3d500030 dd0424 FLD QWORD [ESP]\r\n", "0x3d500033 
83c408 ADD ESP, 0x8\r\n", "0x3d500036 eb25 JMP 0x3d50005d\r\n", "0x3d500038 89c7 MOV EDI, EAX\r\n", "0x3d50003a d9eb FLDPI\r\n", "0x3d50003c dcc0 FADD ST0, ST0\r\n", "0x3d50003e d9c1 FLD ST1\r\n", "\r\n", "Process: chrome.exe Pid: 856 Address: 0x14f00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x14f00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 d9 SRW.D$..\\$..T$..\r\n", "0x14f00010 ed d9 c9 d9 f1 5f 5a 5b c3 00 00 00 00 00 00 00 ....._Z[........\r\n", "0x14f00020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x14f00030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x14f00000 53 PUSH EBX\r\n", "0x14f00001 52 PUSH EDX\r\n", "0x14f00002 57 PUSH EDI\r\n", "0x14f00003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x14f00007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x14f0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x14f0000f d9ed FLDLN2\r\n", "0x14f00011 d9c9 FXCH\r\n", "0x14f00013 d9f1 FYL2X\r\n", "0x14f00015 5f POP EDI\r\n", "0x14f00016 5a POP EDX\r\n", "0x14f00017 5b POP EBX\r\n", "0x14f00018 c3 RET\r\n", "0x14f00019 0000 ADD [EAX], AL\r\n", "0x14f0001b 0000 ADD [EAX], AL\r\n", "0x14f0001d 0000 ADD [EAX], AL\r\n", "0x14f0001f 0000 ADD [EAX], AL\r\n", "0x14f00021 0000 ADD [EAX], AL\r\n", "0x14f00023 0000 ADD [EAX], AL\r\n", "0x14f00025 0000 ADD [EAX], AL\r\n", "0x14f00027 0000 ADD [EAX], AL\r\n", "0x14f00029 0000 ADD [EAX], AL\r\n", "0x14f0002b 0000 ADD [EAX], AL\r\n", "0x14f0002d 0000 ADD [EAX], AL\r\n", "0x14f0002f 0000 ADD [EAX], AL\r\n", "0x14f00031 0000 ADD [EAX], AL\r\n", "0x14f00033 0000 ADD [EAX], AL\r\n", "0x14f00035 0000 ADD [EAX], AL\r\n", "0x14f00037 0000 ADD [EAX], AL\r\n", "0x14f00039 0000 ADD [EAX], AL\r\n", "0x14f0003b 0000 ADD [EAX], AL\r\n", "0x14f0003d 0000 ADD [EAX], AL\r\n", "0x14f0003f 00 DB 0x0\r\n", "\r\n", "Process: chrome.exe Pid: 856 Address: 0x37600000\r\n", "Vad Tag: VadS Protection: 
PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "\r\n", "0x37600000 f2 0f 10 44 24 04 f2 0f 51 c0 f2 0f 11 44 24 04 ...D$...Q....D$.\r\n", "0x37600010 dd 44 24 04 c3 00 00 00 00 00 00 00 00 00 00 00 .D$.............\r\n", "0x37600020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x37600030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x37600000 f20f10442404 MOVSD XMM0, [ESP+0x4]\r\n", "0x37600006 f20f51c0 SQRTSD XMM0, XMM0\r\n", "0x3760000a f20f11442404 MOVSD [ESP+0x4], XMM0\r\n", "0x37600010 dd442404 FLD QWORD [ESP+0x4]\r\n", "0x37600014 c3 RET\r\n", "0x37600015 0000 ADD [EAX], AL\r\n", "0x37600017 0000 ADD [EAX], AL\r\n", "0x37600019 0000 ADD [EAX], AL\r\n", "0x3760001b 0000 ADD [EAX], AL\r\n", "0x3760001d 0000 ADD [EAX], AL\r\n", "0x3760001f 0000 ADD [EAX], AL\r\n", "0x37600021 0000 ADD [EAX], AL\r\n", "0x37600023 0000 ADD [EAX], AL\r\n", "0x37600025 0000 ADD [EAX], AL\r\n", "0x37600027 0000 ADD [EAX], AL\r\n", "0x37600029 0000 ADD [EAX], AL\r\n", "0x3760002b 0000 ADD [EAX], AL\r\n", "0x3760002d 0000 ADD [EAX], AL\r\n", "0x3760002f 0000 ADD [EAX], AL\r\n", "0x37600031 0000 ADD [EAX], AL\r\n", "0x37600033 0000 ADD [EAX], AL\r\n", "0x37600035 0000 ADD [EAX], AL\r\n", "0x37600037 0000 ADD [EAX], AL\r\n", "0x37600039 0000 ADD [EAX], AL\r\n", "0x3760003b 0000 ADD [EAX], AL\r\n", "0x3760003d 0000 ADD [EAX], AL\r\n", "0x3760003f 00 DB 0x0\r\n", "\r\n", "Process: chrome.exe Pid: 856 Address: 0x1ee00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x1ee00000 57 56 8b 7c 24 0c 8b 74 24 10 8b 4c 24 14 f3 0f WV.|$..t$..L$...\r\n", "0x1ee00010 6f 06 f3 0f 7f 07 89 fa 83 e2 0f f7 da 83 c2 10 o...............\r\n", "0x1ee00020 03 fa 03 f2 2b ca f7 c6 0f 00 00 00 0f 85 5e 00 
....+.........^.\r\n", "0x1ee00030 00 00 89 ca c1 e9 05 0f 18 4e 20 66 0f 6f 06 66 .........N.f.o.f\r\n", "\r\n", "0x1ee00000 57 PUSH EDI\r\n", "0x1ee00001 56 PUSH ESI\r\n", "0x1ee00002 8b7c240c MOV EDI, [ESP+0xc]\r\n", "0x1ee00006 8b742410 MOV ESI, [ESP+0x10]\r\n", "0x1ee0000a 8b4c2414 MOV ECX, [ESP+0x14]\r\n", "0x1ee0000e f30f6f06 MOVDQU XMM0, [ESI]\r\n", "0x1ee00012 f30f7f07 MOVDQU [EDI], XMM0\r\n", "0x1ee00016 89fa MOV EDX, EDI\r\n", "0x1ee00018 83e20f AND EDX, 0xf\r\n", "0x1ee0001b f7da NEG EDX\r\n", "0x1ee0001d 83c210 ADD EDX, 0x10\r\n", "0x1ee00020 03fa ADD EDI, EDX\r\n", "0x1ee00022 03f2 ADD ESI, EDX\r\n", "0x1ee00024 2bca SUB ECX, EDX\r\n", "0x1ee00026 f7c60f000000 TEST ESI, 0xf\r\n", "0x1ee0002c 0f855e000000 JNZ 0x1ee00090\r\n", "0x1ee00032 89ca MOV EDX, ECX\r\n", "0x1ee00034 c1e905 SHR ECX, 0x5\r\n", "0x1ee00037 0f184e20 PREFETCHT0 [ESI+0x20]\r\n", "0x1ee0003b 660f6f06 MOVDQA XMM0, [ESI]\r\n", "0x1ee0003f 66 DB 0x66\r\n", "\r\n", "Process: chrome.exe Pid: 856 Address: 0x3fb00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x3fb00000 53 52 57 dd 44 24 10 8b 5c 24 10 8b 54 24 14 89 SRW.D$..\\$..T$..\r\n", "0x3fb00010 d7 81 e7 00 00 f0 7f 81 ff 00 00 e0 43 72 3c 81 ............Cr<.\r\n", "0x3fb00020 ff 00 00 f0 7f 75 11 dd d8 68 00 00 f8 7f 6a 00 .....u...h....j.\r\n", "0x3fb00030 dd 04 24 83 c4 08 eb 25 89 c7 d9 eb dc c0 d9 c1 ..$....%........\r\n", "\r\n", "0x3fb00000 53 PUSH EBX\r\n", "0x3fb00001 52 PUSH EDX\r\n", "0x3fb00002 57 PUSH EDI\r\n", "0x3fb00003 dd442410 FLD QWORD [ESP+0x10]\r\n", "0x3fb00007 8b5c2410 MOV EBX, [ESP+0x10]\r\n", "0x3fb0000b 8b542414 MOV EDX, [ESP+0x14]\r\n", "0x3fb0000f 89d7 MOV EDI, EDX\r\n", "0x3fb00011 81e70000f07f AND EDI, 0x7ff00000\r\n", "0x3fb00017 81ff0000e043 CMP EDI, 0x43e00000\r\n", "0x3fb0001d 723c JB 0x3fb0005b\r\n", "0x3fb0001f 81ff0000f07f CMP EDI, 0x7ff00000\r\n", "0x3fb00025 7511 JNZ 0x3fb00038\r\n", 
"0x3fb00027 ddd8 FSTP ST0\r\n", "0x3fb00029 680000f87f PUSH DWORD 0x7ff80000\r\n", "0x3fb0002e 6a00 PUSH 0x0\r\n", "0x3fb00030 dd0424 FLD QWORD [ESP]\r\n", "0x3fb00033 83c408 ADD ESP, 0x8\r\n", "0x3fb00036 eb25 JMP 0x3fb0005d\r\n", "0x3fb00038 89c7 MOV EDI, EAX\r\n", "0x3fb0003a d9eb FLDPI\r\n", "0x3fb0003c dcc0 FADD ST0, ST0\r\n", "0x3fb0003e d9c1 FLD ST1\r\n", "\r\n" ] } ], "prompt_number": 27 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Extracting dll's for process ID 1120" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem dlldump -p 1120 --dump-dir /root/Desktop/asdf" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stderr", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process(V) Name Module Base Module Name Result\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "---------- -------------------- ----------- -------------------- ------\n", "0x89b04da0 svchost.exe 0x001000000 svchost.exe OK: module.1120.9d04da0.1000000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x07c900000 ntdll.dll OK: module.1120.9d04da0.7c900000.dll\n", "0x89b04da0 svchost.exe 0x077b90000 certcli.dll OK: module.1120.9d04da0.77b90000.dll\n", "0x89b04da0 svchost.exe 0x076d30000 WMI.dll OK: module.1120.9d04da0.76d30000.dll\n", "0x89b04da0 svchost.exe 0x077f60000 SHLWAPI.dll OK: module.1120.9d04da0.77f60000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077fe0000 Secur32.dll OK: module.1120.9d04da0.77fe0000.dll\n", "0x89b04da0 
svchost.exe 0x077c00000 VERSION.dll OK: module.1120.9d04da0.77c00000.dll\n", "0x89b04da0 svchost.exe 0x020000000 xpsp2res.dll OK: module.1120.9d04da0.20000000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0773d0000 comctl32.dll OK: module.1120.9d04da0.773d0000.dll\n", "0x89b04da0 svchost.exe 0x071a50000 mswsock.dll OK: module.1120.9d04da0.71a50000.dll\n", "0x89b04da0 svchost.exe 0x071ad0000 WSOCK32.dll OK: module.1120.9d04da0.71ad0000.dll\n", "0x89b04da0 svchost.exe 0x071c80000 NETRAP.dll OK: module.1120.9d04da0.71c80000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x075290000 wbemcomn.dll OK: module.1120.9d04da0.75290000.dll\n", "0x89b04da0 svchost.exe 0x076eb0000 TAPI32.dll OK: module.1120.9d04da0.76eb0000.dll\n", "0x89b04da0 svchost.exe 0x076f60000 WLDAP32.dll OK: module.1120.9d04da0.76f60000.dll\n", "0x89b04da0 svchost.exe 0x074ad0000 POWRPROF.dll OK: module.1120.9d04da0.74ad0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077d00000 netman.dll OK: module.1120.9d04da0.77d00000.dll\n", "0x89b04da0 svchost.exe 0x073000000 WINSPOOL.DRV OK: module.1120.9d04da0.73000000.dll\n", "0x89b04da0 svchost.exe 0x075310000 esscli.dll OK: module.1120.9d04da0.75310000.dll\n", "0x89b04da0 svchost.exe 0x077920000 SETUPAPI.dll OK: module.1120.9d04da0.77920000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x071b20000 MPR.dll OK: module.1120.9d04da0.71b20000.dll\n", "0x89b04da0 svchost.exe 0x05f770000 NCObjAPI.DLL OK: module.1120.9d04da0.5f770000.dll\n", "0x89b04da0 svchost.exe 0x076d80000 dhcpcsvc.dll OK: module.1120.9d04da0.76d80000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x075390000 wbemess.dll OK: module.1120.9d04da0.75390000.dll\n", "0x89b04da0 svchost.exe 0x076fd0000 CLBCATQ.DLL OK: module.1120.9d04da0.76fd0000.dll\n", "0x89b04da0 
svchost.exe 0x076bd0000 raschap.dll OK: module.1120.9d04da0.76bd0000.dll\n", "0x89b04da0 svchost.exe 0x07d1e0000 msi.dll OK: module.1120.9d04da0.7d1e0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0767f0000 SCHANNEL.dll OK: module.1120.9d04da0.767f0000.dll\n", "0x89b04da0 svchost.exe 0x074f90000 dmserver.dll OK: module.1120.9d04da0.74f90000.dll\n", "0x89b04da0 svchost.exe 0x073030000 WZCSAPI.DLL OK: module.1120.9d04da0.73030000.dll\n", "0x89b04da0 svchost.exe 0x050640000 wups.dll OK: module.1120.9d04da0.50640000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x075260000 ADVPACK.dll OK: module.1120.9d04da0.75260000.dll\n", "0x89b04da0 svchost.exe 0x076e80000 rtutils.dll OK: module.1120.9d04da0.76e80000.dll\n", "0x89b04da0 svchost.exe 0x059490000 wmisvc.dll OK: module.1120.9d04da0.59490000.dll\n", "0x89b04da0 svchost.exe 0x071aa0000 WS2HELP.dll OK: module.1120.9d04da0.71aa0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0750b0000 RESUTILS.DLL OK: module.1120.9d04da0.750b0000.dll\n", "0x89b04da0 svchost.exe 0x0776c0000 AUTHZ.dll OK: module.1120.9d04da0.776c0000.dll\n", "0x89b04da0 svchost.exe 0x074f00000 SSDPAPI.dll OK: module.1120.9d04da0.74f00000.dll\n", "0x89b04da0 svchost.exe 0x072080000 xactsrv.dll OK: module.1120.9d04da0.72080000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076b20000 ATL.DLL OK: module.1120.9d04da0.76b20000.dll\n", "0x89b04da0 svchost.exe 0x075130000 colbact.DLL OK: module.1120.9d04da0.75130000.dll\n", "0x89b04da0 svchost.exe 0x05f740000 ncprov.dll OK: module.1120.9d04da0.5f740000.dll\n", "0x89b04da0 svchost.exe 0x076360000 WINSTA.dll OK: module.1120.9d04da0.76360000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x074f80000 ersvc.dll OK: module.1120.9d04da0.74f80000.dll\n", "0x89b04da0 svchost.exe 
0x077b40000 Apphelp.dll OK: module.1120.9d04da0.77b40000.dll\n", "0x89b04da0 svchost.exe 0x0753e0000 VSSAPI.DLL OK: module.1120.9d04da0.753e0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x050000000 wuauserv.dll OK: module.1120.9d04da0.50000000.dll\n", "0x89b04da0 svchost.exe 0x0767a0000 NTDSAPI.dll OK: module.1120.9d04da0.767a0000.dll\n", "0x89b04da0 svchost.exe 0x076bf0000 PSAPI.DLL OK: module.1120.9d04da0.76bf0000.dll\n", "0x89b04da0 svchost.exe 0x066460000 ipnathlp.dll OK: module.1120.9d04da0.66460000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x06fbd0000 catsrv.dll OK: module.1120.9d04da0.6fbd0000.dll\n", "0x89b04da0 svchost.exe 0x076080000 MSVCP60.dll OK: module.1120.9d04da0.76080000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077690000 NTMARTA.DLL OK: module.1120.9d04da0.77690000.dll\n", "0x89b04da0 svchost.exe 0x04c0a0000 wscsvc.dll OK: module.1120.9d04da0.4c0a0000.dll\n", "0x89b04da0 svchost.exe 0x0662b0000 hnetcfg.dll OK: module.1120.9d04da0.662b0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0774e0000 ole32.dll OK: module.1120.9d04da0.774e0000.dll\n", "0x89b04da0 svchost.exe 0x075690000 FastProx.dll OK: module.1120.9d04da0.75690000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077710000 es.dll OK: module.1120.9d04da0.77710000.dll\n", "0x89b04da0 svchost.exe 0x073d20000 seclogon.dll OK: module.1120.9d04da0.73d20000.dll\n", "0x89b04da0 svchost.exe 0x074f50000 MSIDLE.DLL OK: module.1120.9d04da0.74f50000.dll\n", "0x89b04da0 svchost.exe 0x076620000 comsvcs.dll OK: module.1120.9d04da0.76620000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076b70000 rastls.dll OK: module.1120.9d04da0.76b70000.dll\n", "0x89b04da0 svchost.exe 0x076da0000 browser.dll OK: 
module.1120.9d04da0.76da0000.dll\n", "0x89b04da0 svchost.exe 0x0769c0000 USERENV.dll OK: module.1120.9d04da0.769c0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x00ffd0000 rsaenh.dll OK: module.1120.9d04da0.ffd0000.dll\n", "0x89b04da0 svchost.exe 0x071bf0000 SAMLIB.dll OK: module.1120.9d04da0.71bf0000.dll\n", "0x89b04da0 svchost.exe 0x075200000 repdrvfs.dll OK: module.1120.9d04da0.75200000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0771b0000 WININET.dll OK: module.1120.9d04da0.771b0000.dll\n", "0x89b04da0 svchost.exe 0x05cb70000 ShimEng.dll OK: module.1120.9d04da0.5cb70000.dll\n", "0x89b04da0 svchost.exe 0x077050000 COMRes.dll OK: module.1120.9d04da0.77050000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077c70000 msv1_0.dll OK: module.1120.9d04da0.77c70000.dll\n", "0x89b04da0 svchost.exe 0x075090000 srvsvc.dll OK: module.1120.9d04da0.75090000.dll\n", "0x89b04da0 svchost.exe 0x0776e0000 shsvcs.dll OK: module.1120.9d04da0.776e0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077300000 schedsvc.dll OK: module.1120.9d04da0.77300000.dll\n", "0x89b04da0 svchost.exe 0x076f20000 DNSAPI.dll OK: module.1120.9d04da0.76f20000.dll\n", "0x89b04da0 svchost.exe 0x076b40000 WINMM.dll OK: module.1120.9d04da0.76b40000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x075150000 Cabinet.dll OK: module.1120.9d04da0.75150000.dll\n", "0x89b04da0 svchost.exe 0x061990000 MfcSubs.dll OK: module.1120.9d04da0.61990000.dll\n", "0x89b04da0 svchost.exe 0x076400000 netshell.dll OK: module.1120.9d04da0.76400000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0767c0000 w32time.dll OK: module.1120.9d04da0.767c0000.dll\n", "0x89b04da0 svchost.exe 0x075020000 wmiutils.dll OK: module.1120.9d04da0.75020000.dll\n", 
"0x89b04da0 svchost.exe 0x05b860000 NETAPI32.dll OK: module.1120.9d04da0.5b860000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077e70000 RPCRT4.dll OK: module.1120.9d04da0.77e70000.dll\n", "0x89b04da0 svchost.exe 0x071a90000 wshtcpip.dll OK: module.1120.9d04da0.71a90000.dll\n", "0x89b04da0 svchost.exe 0x0600a0000 mspatcha.dll OK: module.1120.9d04da0.600a0000.dll\n", "0x89b04da0 svchost.exe 0x0606b0000 ESENT.dll OK: module.1120.9d04da0.606b0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077cc0000 ACTIVEDS.dll OK: module.1120.9d04da0.77cc0000.dll\n", "0x89b04da0 svchost.exe 0x0722d0000 sens.dll OK: module.1120.9d04da0.722d0000.dll\n", "0x89b04da0 svchost.exe 0x06fb10000 catsrvut.dll OK: module.1120.9d04da0.6fb10000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077120000 OLEAUT32.dll OK: module.1120.9d04da0.77120000.dll\n", "0x89b04da0 svchost.exe 0x077d40000 USER32.dll OK: module.1120.9d04da0.77d40000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x073d30000 wbemcons.dll OK: module.1120.9d04da0.73d30000.dll\n", "0x89b04da0 svchost.exe 0x076f50000 WTSAPI32.dll OK: module.1120.9d04da0.76f50000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0751a0000 srsvc.dll OK: module.1120.9d04da0.751a0000.dll\n", "0x89b04da0 svchost.exe 0x0723d0000 WinSCard.dll OK: module.1120.9d04da0.723d0000.dll\n", "0x89b04da0 svchost.exe 0x0597f0000 wmiprvsd.dll OK: module.1120.9d04da0.597f0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077c10000 msvcrt.dll OK: module.1120.9d04da0.77c10000.dll\n", "0x89b04da0 svchost.exe 0x077dd0000 ADVAPI32.dll OK: module.1120.9d04da0.77dd0000.dll\n", "0x89b04da0 svchost.exe 0x076e40000 wkssvc.dll OK: module.1120.9d04da0.76e40000.dll\n" ] }, { "output_type": "stream", 
"stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x075070000 trkwks.dll OK: module.1120.9d04da0.75070000.dll\n", "0x89b04da0 svchost.exe 0x076c90000 IMAGEHLP.dll OK: module.1120.9d04da0.76c90000.dll\n", "0x89b04da0 svchost.exe 0x0708b0000 audiosrv.dll OK: module.1120.9d04da0.708b0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0754d0000 CRYPTUI.dll OK: module.1120.9d04da0.754d0000.dll\n", "0x89b04da0 svchost.exe 0x05d090000 comctl32.dll OK: module.1120.9d04da0.5d090000.dll\n", "0x89b04da0 svchost.exe 0x0750f0000 MTXCLU.DLL OK: module.1120.9d04da0.750f0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077260000 urlmon.dll OK: module.1120.9d04da0.77260000.dll\n", "0x89b04da0 svchost.exe 0x076d10000 CLUSAPI.DLL OK: module.1120.9d04da0.76d10000.dll\n", "0x89b04da0 svchost.exe 0x074f40000 pchsvc.dll OK: module.1120.9d04da0.74f40000.dll\n", "0x89b04da0 svchost.exe 0x076780000 SHFOLDER.dll OK: module.1120.9d04da0.76780000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076fc0000 rasadhlp.dll OK: module.1120.9d04da0.76fc0000.dll\n", "0x89b04da0 svchost.exe 0x077be0000 MSACM32.dll OK: module.1120.9d04da0.77be0000.dll\n", "0x89b04da0 svchost.exe 0x07c800000 kernel32.dll OK: module.1120.9d04da0.7c800000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076e10000 adsldpc.dll OK: module.1120.9d04da0.76e10000.dll\n", "0x89b04da0 svchost.exe 0x076ce0000 cryptsvc.dll OK: module.1120.9d04da0.76ce0000.dll\n", "0x89b04da0 svchost.exe 0x050040000 wuaueng.dll OK: module.1120.9d04da0.50040000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076c60000 sfc_os.dll OK: module.1120.9d04da0.76c60000.dll\n", "0x89b04da0 svchost.exe 0x06f880000 AcGenral.DLL OK: module.1120.9d04da0.6f880000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": 
[ "0x89b04da0 svchost.exe 0x076e90000 rasman.dll OK: module.1120.9d04da0.76e90000.dll\n", "0x89b04da0 svchost.exe 0x071ab0000 WS2_32.dll OK: module.1120.9d04da0.71ab0000.dll\n", "0x89b04da0 svchost.exe 0x077f10000 GDI32.dll OK: module.1120.9d04da0.77f10000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076d40000 MPRAPI.dll OK: module.1120.9d04da0.76d40000.dll\n", "0x89b04da0 svchost.exe 0x075e90000 SXS.DLL OK: module.1120.9d04da0.75e90000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076d60000 iphlpapi.dll OK: module.1120.9d04da0.76d60000.dll\n", "0x89b04da0 svchost.exe 0x076bb0000 sfc.dll OK: module.1120.9d04da0.76bb0000.dll\n", "0x89b04da0 svchost.exe 0x076de0000 upnp.dll OK: module.1120.9d04da0.76de0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x05ad70000 UxTheme.dll OK: module.1120.9d04da0.5ad70000.dll\n", "0x89b04da0 svchost.exe 0x077620000 wzcsvc.dll OK: module.1120.9d04da0.77620000.dll\n", "0x89b04da0 svchost.exe 0x076c30000 WINTRUST.dll OK: module.1120.9d04da0.76c30000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x077a80000 CRYPT32.dll OK: module.1120.9d04da0.77a80000.dll\n", "0x89b04da0 svchost.exe 0x07c9c0000 SHELL32.dll OK: module.1120.9d04da0.7c9c0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x0762c0000 wbemcore.dll OK: module.1120.9d04da0.762c0000.dll\n", "0x89b04da0 svchost.exe 0x0768d0000 RASDLG.dll OK: module.1120.9d04da0.768d0000.dll\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b04da0 svchost.exe 0x076ee0000 RASAPI32.dll OK: module.1120.9d04da0.76ee0000.dll\n", "0x89b04da0 svchost.exe 0x076c00000 credui.dll OK: module.1120.9d04da0.76c00000.dll\n", "0x89b04da0 svchost.exe 0x04d4f0000 WINHTTP.dll OK: module.1120.9d04da0.4d4f0000.dll\n" ] }, { "output_type": "stream", "stream": 
"stdout", "text": [ "0x89b04da0 svchost.exe 0x077b20000 MSASN1.dll OK: module.1120.9d04da0.77b20000.dll\n" ] } ], "prompt_number": 51 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Extracting executables from memory" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem procexedump --dump-dir /root/Desktop/asdf" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stderr", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process(V) ImageBase Name Result\n", "---------- ---------- -------------------- ------\n", "0x89c73830 ---------- System Error: PEB at 0x0 is paged\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x8979b020 0x48580000 smss.exe OK: executable.384.exe\n", "0x8978e238 0x4a680000 csrss.exe OK: executable.608.exe\n", "0x8978e660 0x01000000 winlogon.exe OK: executable.632.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89635610 0x01000000 services.exe OK: executable.676.exe\n", "0x89af0880 0x01000000 lsass.exe OK: executable.688.exe\n", "0x897a06e8 0x00400000 vmacthlp.exe OK: executable.896.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b54388 0x01000000 svchost.exe OK: executable.908.exe\n", "0x896f4a78 0x01000000 svchost.exe OK: executable.972.exe\n", "0x89b04da0 0x01000000 svchost.exe OK: executable.1120.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b02578 0x01000000 svchost.exe OK: executable.1176.exe\n", "0x89be0460 0x01000000 svchost.exe OK: executable.1216.exe\n", "0x89bc9618 0x01000000 spoolsv.exe OK: 
executable.1548.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x896fc980 0x01000000 svchost.exe OK: executable.1684.exe\n", "0x8963e980 0x00400000 vmtoolsd.exe OK: executable.1848.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89844020 0x00400000 TPAutoConnSvc.e OK: executable.452.exe\n", "0x899fd6e0 0x01000000 alg.exe OK: executable.588.exe\n", "0x89653da0 0x01000000 explorer.exe OK: executable.2012.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89b5eda0 0x01000000 rundll32.exe OK: executable.808.exe\n", "0x8979ac20 0x00400000 vmtoolsd.exe OK: executable.692.exe\n", "0x8979a3c0 0x00400000 TPAutoConnect.e OK: executable.1032.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x8979a7e8 0x01000000 wscntfy.exe OK: executable.1168.exe\n", "0x89838600 0x00400000 wuauclt.exe OK: executable.2524.exe\n", "0x89b3a328 0x00400000 chrome.exe OK: executable.1796.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89aae9c8 0x00400000 chrome.exe OK: executable.1704.exe\n", "0x88e51358 0x00400000 chrome.exe OK: executable.1480.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x89442020 0x00400000 chrome.exe OK: executable.1308.exe\n", "0x88cfa970 0x00400000 chrome.exe OK: executable.1788.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x88970da0 0x4ad00000 cmd.exe Error: ImageBaseAddress at 0x4ad00000 is paged\n", "0x88f81da0 0x00400000 chrome.exe OK: executable.856.exe\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x8853dda0 0x00400000 FTK Imager.exe OK: executable.3168.exe\n" ] } ], "prompt_number": 52 }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." ] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "." 
] }, { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "netstat -an history found in cmd.exe sessions" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/memdump.mem consoles" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "**************************************************\r\n", "ConsoleProcess: csrss.exe Pid: 608\r\n", "Console: 0x4e23b0 CommandHistorySize: 50\r\n", "HistoryBufferCount: 1 HistoryBufferMax: 4\r\n", "OriginalTitle: C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe\r\n", "Title: C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "AttachedProcess: TPAutoConnect.e Pid: 1032 Handle: 0x5f8" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "----\r\n", "CommandHistory: 0xf986f8 Application: TPAutoConnect.exe Flags: Allocated\r\n", "CommandCount: 0 LastAdded: -1 LastDisplayed: -1\r\n", "FirstCommand: 0 CommandCountMax: 50\r\n", "ProcessHandle: 0x5f8\r\n", "----\r\n", "Screen 0x4e2ab0 X:80 Y:25\r\n", "Dump:\r\n", "ThinPrint AutoConnect component, Copyright (c) 1999-2012 Cortado AG, 8.8.734.1 \r\n", "**************************************************\r\n", "ConsoleProcess: csrss.exe Pid: 608\r\n", "Console: 0x4e26d8 CommandHistorySize: 50\r\n", "HistoryBufferCount: 2 HistoryBufferMax: 4\r\n", "OriginalTitle: Command Prompt\r\n", "Title: Command Prompt\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "AttachedProcess: cmd.exe Pid: 2384 Handle: 0x588\r\n", "----\r\n", "CommandHistory: 0xfb0a38 Application: netstat.exe Flags: \r\n", "CommandCount: 0 LastAdded: -1 LastDisplayed: -1\r\n", "FirstCommand: 0 CommandCountMax: 50\r\n", "ProcessHandle: 0x0\r\n", "----\r\n", 
"CommandHistory: 0x4e46c8 Application: cmd.exe Flags: Allocated, Reset\r\n", "CommandCount: 1 LastAdded: 0 LastDisplayed: 0\r\n", "FirstCommand: 0 CommandCountMax: 50\r\n", "ProcessHandle: 0x588\r\n", "Cmd #0 at 0x4e3350: netstat -an\r\n", "----\r\n", "Screen 0xf98e10 X:80 Y:300\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Dump:\r\n", "Microsoft Windows XP [Version 5.1.2600] \r\n", "(C) Copyright 1985-2001 Microsoft Corp. \r\n", " \r\n", "C:\\Documents and Settings\\test>netstat -an \r\n", " \r\n", "Active Connections \r\n", " \r\n", " Proto Local Address Foreign Address State \r\n", " TCP 0.0.0.0:135 0.0.0.0:0 LISTENING \r\n", " TCP 0.0.0.0:445 0.0.0.0:0 LISTENING \r\n", " TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING \r\n", " TCP 172.16.158.137:139 0.0.0.0:0 LISTENING \r\n", " TCP 172.16.158.137:1852 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1853 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1854 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1855 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1856 172.16.158.144:4444 ESTABLISHED \r\n", " UDP 0.0.0.0:445 *:* \r\n", " UDP 0.0.0.0:500 *:* \r\n", " UDP 0.0.0.0:1031 *:* \r\n", " UDP 0.0.0.0:1037 *:* \r\n", " UDP 0.0.0.0:1038 *:* \r\n", " UDP 0.0.0.0:1121 *:* \r\n", " UDP 0.0.0.0:1122 *:* \r\n", " UDP 0.0.0.0:1405 *:* \r\n", " UDP 0.0.0.0:4500 *:* \r\n", " UDP 127.0.0.1:123 *:* \r\n", " UDP 127.0.0.1:1900 *:* \r\n", " UDP 172.16.158.137:123 *:* \r\n", " UDP 172.16.158.137:137 *:* \r\n", " UDP 172.16.158.137:138 *:* \r\n", " UDP 172.16.158.137:1900 *:* \r\n", " \r\n", "C:\\Documents and Settings\\test>netstat -an \r\n", " \r\n", "Active Connections \r\n", " \r\n", " Proto Local Address Foreign Address State \r\n", " TCP 0.0.0.0:135 0.0.0.0:0 LISTENING \r\n", " TCP 0.0.0.0:445 0.0.0.0:0 LISTENING \r\n", " TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING \r\n", " TCP 172.16.158.137:139 0.0.0.0:0 LISTENING \r\n", " TCP 172.16.158.137:1852 172.16.158.144:4444 
CLOSE_WAIT \r\n", " TCP 172.16.158.137:1853 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1854 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1855 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1856 172.16.158.144:4444 ESTABLISHED \r\n", " UDP 0.0.0.0:445 *:* \r\n", " UDP 0.0.0.0:500 *:* " ] }, { "output_type": "stream", "stream": "stdout", "text": [ " \r\n", " UDP 0.0.0.0:1031 *:* \r\n", " UDP 0.0.0.0:1037 *:* \r\n", " UDP 0.0.0.0:1038 *:* \r\n", " UDP 0.0.0.0:1121 *:* \r\n", " UDP 0.0.0.0:1122 *:* \r\n", " UDP 0.0.0.0:1405 *:* \r\n", " UDP 0.0.0.0:4500 *:* \r\n", " UDP 127.0.0.1:123 *:* \r\n", " UDP 127.0.0.1:1900 *:* \r\n", " UDP 172.16.158.137:123 *:* \r\n", " UDP 172.16.158.137:137 *:* \r\n", " UDP 172.16.158.137:138 *:* \r\n", " UDP 172.16.158.137:1900 *:* \r\n", " \r\n", "C:\\Documents and Settings\\test>netstat -an \r\n", " \r\n", "Active Connections \r\n", " \r\n", " Proto Local Address Foreign Address State \r\n", " TCP 0.0.0.0:135 0.0.0.0:0 LISTENING \r\n", " TCP 0.0.0.0:445 0.0.0.0:0 LISTENING \r\n", " TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING \r\n", " TCP 172.16.158.137:139 0.0.0.0:0 LISTENING \r\n", " TCP 172.16.158.137:1852 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1853 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1854 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1855 172.16.158.144:4444 CLOSE_WAIT \r\n", " TCP 172.16.158.137:1856 172.16.158.144:4444 ESTABLISHED \r\n", " UDP 0.0.0.0:445 *:* \r\n", " UDP 0.0.0.0:500 *:* \r\n", " UDP 0.0.0.0:1031 *:* \r\n", " UDP 0.0.0.0:1037 *:* \r\n", " UDP 0.0.0.0:1038 *:* \r\n", " UDP 0.0.0.0:1121 *:* \r\n", " UDP 0.0.0.0:1122 *:* \r\n", " UDP 0.0.0.0:1405 *:* \r\n", " UDP 0.0.0.0:4500 *:* \r\n", " UDP 127.0.0.1:123 *:* \r\n", " UDP 127.0.0.1:1900 *:* \r\n", " UDP 172.16.158.137:123 *:* \r\n", " UDP 172.16.158.137:137 *:* \r\n", " UDP 172.16.158.137:138 *:* \r\n", " UDP 172.16.158.137:1900 *:* \r\n", " \r\n", "C:\\Documents and 
Settings\\test> \r\n", "**************************************************\r\n", "ConsoleProcess: csrss.exe Pid: 608\r\n", "Console: 0x4e4e28 CommandHistorySize: 50\r\n", "HistoryBufferCount: 1 HistoryBufferMax: 4\r\n", "OriginalTitle: Command Prompt\r\n", "Title: ?Nmmand Prompt\r\n", "**************************************************\r\n", "ConsoleProcess: csrss.exe Pid: 608\r\n", "Console: 0x4e69a0 CommandHistorySize: 50\r\n", "HistoryBufferCount: 1 HistoryBufferMax: 4\r\n", "OriginalTitle: ?NystemRoot%\\system32\\defrag.exe\r\n", "Title: ?N\\WINDOWS\\system32\\defrag.exe\r\n" ] } ], "prompt_number": 28 } ], "metadata": {} } ] }