{ "metadata": { "name": "04-presentation-SBtrojan" }, "nbformat": 3, "nbformat_minor": 0, "worksheets": [ { "cells": [ { "cell_type": "heading", "level": 2, "metadata": {}, "source": [ "Using Volatility to explore for signs of the SilentBanker Trojan" ] }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem pslist" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit \r\n", "---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x810b1660 System 4 0 59 183 ------ 0 \r\n", "0xff2ab020 smss.exe 544 4 3 21 ------ 0 2010-08-11 06:06:21 UTC+0000 \r\n", "0xff1ecda0 csrss.exe 608 544 11 365 0 0 2010-08-11 06:06:23 UTC+0000 \r\n", "0xff1ec978 winlogon.exe 632 544 18 511 0 0 2010-08-11 06:06:23 UTC+0000 " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0xff247020 services.exe 676 632 16 269 0 0 2010-08-11 06:06:24 UTC+0000 \r\n", "0xff255020 lsass.exe 688 632 19 345 0 0 2010-08-11 06:06:24 UTC+0000 \r\n", "0xff218230 vmacthlp.exe 844 676 1 24 0 0 2010-08-11 06:06:24 UTC+0000 \r\n", "0x80ff88d8 svchost.exe 856 676 17 199 0 0 2010-08-11 06:06:24 UTC+0000 \r\n", "0xff217560 svchost.exe 936 676 10 270 0 0 2010-08-11 06:06:24 UTC+0000 \r\n", "0x80fbf910 svchost.exe 1028 676 71 1355 0 0 2010-08-11 06:06:24 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff22d558 svchost.exe 1088 676 4 79 0 0 2010-08-11 06:06:25 UTC+0000 \r\n", "0xff203b80 svchost.exe 1148 676 14 208 0 0 2010-08-11 06:06:26 UTC+0000 \r\n", "0xff1d7da0 spoolsv.exe 1432 676 13 135 0 0 2010-08-11 
06:06:26 UTC+0000 \r\n", "0xff1b8b28 vmtoolsd.exe 1668 676 5 222 0 0 2010-08-11 06:06:35 UTC+0000 \r\n", "0xff1fdc88 VMUpgradeHelper 1788 676 4 100 0 0 2010-08-11 06:06:38 UTC+0000 \r\n", "0xff143b28 TPAutoConnSvc.e 1968 676 5 100 0 0 2010-08-11 06:06:39 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff25a7e0 alg.exe 216 676 6 105 0 0 2010-08-11 06:06:39 UTC+0000 \r\n", "0xff364310 wscntfy.exe 888 1028 1 27 0 0 2010-08-11 06:06:49 UTC+0000 \r\n", "0xff38b5f8 TPAutoConnect.e 1084 1968 1 61 0 0 2010-08-11 06:06:52 UTC+0000 \r\n", "0xff3865d0 explorer.exe 1724 1708 12 317 0 0 2010-08-11 06:09:29 UTC+0000 \r\n", "0xff3667e8 VMwareTray.exe 432 1724 1 49 0 0 2010-08-11 06:09:31 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff374980 VMwareUser.exe 452 1724 7 192 0 0 2010-08-11 06:09:32 UTC+0000 \r\n", "0x80f94588 wuauclt.exe 468 1028 4 135 0 0 2010-08-11 06:09:37 UTC+0000 \r\n", "0x80f1b020 IEXPLORE.EXE 1884 1724 9 351 0 0 2010-08-15 18:54:05 UTC+0000 \r\n", "0xff3856c0 cmd.exe 1136 1668 0 -------- 0 0 2010-08-15 19:01:51 UTC+0000 2010-08-15 19:01:51 UTC+0000 \r\n" ] } ], "prompt_number": 1 }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem psscan" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(P) Name PID PPID PDB Time created Time exited \r\n", "---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x0107e020 IEXPLORE.EXE 1884 1724 0x06cc02a0 2010-08-15 18:54:05 UTC+0000 \r\n", "0x010c3da0 wuauclt.exe 1732 1028 0x06cc02c0 2010-08-11 06:07:44 UTC+0000 2010-08-15 18:58:53 UTC+0000 \r\n", "0x010f7588 
wuauclt.exe 468 1028 0x06cc0180 2010-08-11 06:09:37 UTC+0000 \r\n", "0x01122910 svchost.exe 1028 676 0x06cc0120 2010-08-11 06:06:24 UTC+0000 \r\n", "0x0115b8d8 svchost.exe 856 676 0x06cc00e0 2010-08-11 06:06:24 UTC+0000 \r\n", "0x01214660 System 4 0 0x00319000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x0211ab28 TPAutoConnSvc.e 1968 676 0x06cc0260 2010-08-11 06:06:39 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x049c15f8 TPAutoConnect.e 1084 1968 0x06cc0220 2010-08-11 06:06:52 UTC+0000 \r\n", "0x04a065d0 explorer.exe 1724 1708 0x06cc0280 2010-08-11 06:09:29 UTC+0000 \r\n", "0x04a076c0 cmd.exe 1136 1668 0x06cc02c0 2010-08-15 19:01:51 UTC+0000 2010-08-15 19:01:51 UTC+0000 \r\n", "0x04b5a980 VMwareUser.exe 452 1724 0x06cc0300 2010-08-11 06:09:32 UTC+0000 \r\n", "0x04be97e8 VMwareTray.exe 432 1724 0x06cc02e0 2010-08-11 06:09:31 UTC+0000 \r\n", "0x04c2b310 wscntfy.exe 888 1028 0x06cc0200 2010-08-11 06:06:49 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x05471020 smss.exe 544 4 0x06cc0020 2010-08-11 06:06:21 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x05f027e0 alg.exe 216 676 0x06cc0240 2010-08-11 06:06:39 UTC+0000 \r\n", "0x05f47020 lsass.exe 688 632 0x06cc00a0 2010-08-11 06:06:24 UTC+0000 \r\n", "0x06015020 services.exe 676 632 0x06cc0080 2010-08-11 06:06:24 UTC+0000 \r\n", "0x061ef558 svchost.exe 1088 676 0x06cc0140 2010-08-11 06:06:25 UTC+0000 \r\n", "0x06384230 vmacthlp.exe 844 676 0x06cc00c0 2010-08-11 06:06:24 UTC+0000 \r\n", "0x063c5560 svchost.exe 936 676 0x06cc0100 2010-08-11 06:06:24 UTC+0000 \r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x06499b80 svchost.exe 1148 676 0x06cc0160 2010-08-11 06:06:26 UTC+0000 " ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0x0655fc88 VMUpgradeHelper 1788 676 0x06cc01e0 2010-08-11 06:06:38 UTC+0000 \r\n", "0x066f0978 winlogon.exe 632 544 0x06cc0060 
2010-08-11 06:06:23 UTC+0000 \r\n", "0x066f0da0 csrss.exe 608 544 0x06cc0040 2010-08-11 06:06:23 UTC+0000 \r\n", "0x06945da0 spoolsv.exe 1432 676 0x06cc01a0 2010-08-11 06:06:26 UTC+0000 \r\n", "0x069d5b28 vmtoolsd.exe 1668 676 0x06cc01c0 2010-08-11 06:06:35 UTC+0000 \r\n" ] } ], "prompt_number": 2 }, { "cell_type": "code", "collapsed": false, "input": [ "data = !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem pslist\n", "data" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 3, "text": [ "['Volatile Systems Volatility Framework 2.3_alpha',\n", " 'Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit ',\n", " '---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------',\n", " '0x810b1660 System 4 0 59 183 ------ 0 ',\n", " '0xff2ab020 smss.exe 544 4 3 21 ------ 0 2010-08-11 06:06:21 UTC+0000 ',\n", " '0xff1ecda0 csrss.exe 608 544 11 365 0 0 2010-08-11 06:06:23 UTC+0000 ',\n", " '0xff1ec978 winlogon.exe 632 544 18 511 0 0 2010-08-11 06:06:23 UTC+0000 ',\n", " '0xff247020 services.exe 676 632 16 269 0 0 2010-08-11 06:06:24 UTC+0000 ',\n", " '0xff255020 lsass.exe 688 632 19 345 0 0 2010-08-11 06:06:24 UTC+0000 ',\n", " '0xff218230 vmacthlp.exe 844 676 1 24 0 0 2010-08-11 06:06:24 UTC+0000 ',\n", " '0x80ff88d8 svchost.exe 856 676 17 199 0 0 2010-08-11 06:06:24 UTC+0000 ',\n", " '0xff217560 svchost.exe 936 676 10 270 0 0 2010-08-11 06:06:24 UTC+0000 ',\n", " '0x80fbf910 svchost.exe 1028 676 71 1355 0 0 2010-08-11 06:06:24 UTC+0000 ',\n", " '0xff22d558 svchost.exe 1088 676 4 79 0 0 2010-08-11 06:06:25 UTC+0000 ',\n", " '0xff203b80 svchost.exe 1148 676 14 208 0 0 2010-08-11 06:06:26 UTC+0000 ',\n", " '0xff1d7da0 spoolsv.exe 1432 676 13 135 0 0 2010-08-11 06:06:26 UTC+0000 ',\n", " '0xff1b8b28 vmtoolsd.exe 1668 676 5 222 0 0 2010-08-11 06:06:35 UTC+0000 ',\n", " '0xff1fdc88 VMUpgradeHelper 1788 676 4 100 0 0 
2010-08-11 06:06:38 UTC+0000 ',\n", " '0xff143b28 TPAutoConnSvc.e 1968 676 5 100 0 0 2010-08-11 06:06:39 UTC+0000 ',\n", " '0xff25a7e0 alg.exe 216 676 6 105 0 0 2010-08-11 06:06:39 UTC+0000 ',\n", " '0xff364310 wscntfy.exe 888 1028 1 27 0 0 2010-08-11 06:06:49 UTC+0000 ',\n", " '0xff38b5f8 TPAutoConnect.e 1084 1968 1 61 0 0 2010-08-11 06:06:52 UTC+0000 ',\n", " '0xff3865d0 explorer.exe 1724 1708 12 317 0 0 2010-08-11 06:09:29 UTC+0000 ',\n", " '0xff3667e8 VMwareTray.exe 432 1724 1 49 0 0 2010-08-11 06:09:31 UTC+0000 ',\n", " '0xff374980 VMwareUser.exe 452 1724 7 192 0 0 2010-08-11 06:09:32 UTC+0000 ',\n", " '0x80f94588 wuauclt.exe 468 1028 4 135 0 0 2010-08-11 06:09:37 UTC+0000 ',\n", " '0x80f1b020 IEXPLORE.EXE 1884 1724 9 351 0 0 2010-08-15 18:54:05 UTC+0000 ',\n", " '0xff3856c0 cmd.exe 1136 1668 0 -------- 0 0 2010-08-15 19:01:51 UTC+0000 2010-08-15 19:01:51 UTC+0000 ']" ] } ], "prompt_number": 3 }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem connections" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(V) Local Address Remote Address Pid\r\n", "---------- ------------------------- ------------------------- ---\r\n" ] } ], "prompt_number": 6 }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem sockets" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Offset(V) PID Port Proto Protocol Address Create Time\r\n", "---------- -------- ------ ------ --------------- --------------- -----------\r\n" ] }, { "output_type": "stream", 
"stream": "stdout", "text": [ "0x80fd1008 4 0 47 GRE 0.0.0.0 2010-08-11 06:08:00 UTC+0000\r\n", "0xff362d18 1088 1066 17 UDP 0.0.0.0 2010-08-15 18:54:13 UTC+0000\r\n", "0xff258008 688 500 17 UDP 0.0.0.0 2010-08-11 06:06:35 UTC+0000\r\n", "0xff367008 4 445 6 TCP 0.0.0.0 2010-08-11 06:06:17 UTC+0000\r\n", "0x80ffc128 936 135 6 TCP 0.0.0.0 2010-08-11 06:06:24 UTC+0000\r\n", "0xff225b70 688 0 255 Reserved 0.0.0.0 2010-08-11 06:06:35 UTC+0000\r\n", "0xff254008 1028 123 17 UDP 127.0.0.1 2010-08-15 19:01:51 UTC+0000\r\n", "0x80fce930 1088 1025 17 UDP 0.0.0.0 2010-08-11 06:06:38 UTC+0000\r\n", "0xff127d28 216 1026 6 TCP 127.0.0.1 2010-08-11 06:06:39 UTC+0000\r\n", "0xff2608c0 1088 1053 17 UDP 0.0.0.0 2010-08-15 18:54:09 UTC+0000\r\n", "0x80fdc708 1884 1051 17 UDP 127.0.0.1 2010-08-15 18:54:07 UTC+0000\r\n", "0xff248220 1148 1900 17 UDP 127.0.0.1 2010-08-15 19:01:51 UTC+0000\r\n", "0xff1b8250 688 4500 17 UDP 0.0.0.0 2010-08-11 06:06:35 UTC+0000\r\n", "0xff382e98 4 1033 6 TCP 0.0.0.0 2010-08-11 06:08:00 UTC+0000\r\n", "0x80fbdc40 4 445 17 UDP 0.0.0.0 2010-08-11 06:06:17 UTC+0000\r\n" ] } ], "prompt_number": 7 }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem hivelist\n" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Virtual Physical Name\r\n", "---------- ---------- ----\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xe1c49008 0x036dc008 \\Device\\HarddiskVolume1\\Documents and Settings\\LocalService\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat\r\n", "0xe1c41b60 0x04010b60 \\Device\\HarddiskVolume1\\Documents and Settings\\LocalService\\NTUSER.DAT\r\n", "0xe1a39638 0x021eb638 \\Device\\HarddiskVolume1\\Documents and Settings\\NetworkService\\Local 
Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat\r\n", "0xe1a33008 0x01f98008 \\Device\\HarddiskVolume1\\Documents and Settings\\NetworkService\\NTUSER.DAT" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0xe153ab60 0x06b7db60 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\software\r\n", "0xe1542008 0x06c48008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\default\r\n", "0xe1537b60 0x06ae4b60 \\SystemRoot\\System32\\Config\\SECURITY\r\n", "0xe1544008 0x06c4b008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\SAM\r\n", "0xe13ae580 0x01bbd580 [no name]\r\n", "0xe101b008 0x01867008 \\Device\\HarddiskVolume1\\WINDOWS\\system32\\config\\system\r\n", "0xe1008978 0x01824978 [no name]\r\n", "0xe1e158c0 0x009728c0 \\Device\\HarddiskVolume1\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Windows\\UsrClass.dat\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xe1da4008 0x00f6e008 \\Device\\HarddiskVolume1\\Documents and Settings\\Administrator\\NTUSER.DAT\r\n" ] } ], "prompt_number": 9 }, { "cell_type": "code", "collapsed": false, "input": [ "# -y = SYSTEM hive offset: \\WINDOWS\\system32\\config\\system (0xe101b008 in the hivelist output above)\n", "# -s = SAM hive offset: \\WINDOWS\\system32\\config\\SAM (0xe1544008 in the hivelist output above)\n", "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem --profile WinXPSP2x86 hashdump -y 0xe101b008 -s 0xe1544008\n" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ 
"HelpAssistant:1000:4e857c004024e53cd538de64dedac36b:842b4013c45a3b8fec76ca54e5910581:::\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:8f57385a61425fc7874c3268aa249ea1:::\r\n" ] } ], "prompt_number": 10 }, { "cell_type": "code", "collapsed": false, "input": [ "text_strings = !strings /root/Desktop/mem/silentbanker.vmem" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 11 }, { "cell_type": "code", "collapsed": false, "input": [ "text_strings[0:10]" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 12, "text": [ "['sQOtN2',\n", " 't+a`$',\n", " 'Invalid partition ta',\n", " 'r loading operating system',\n", " 'Missing operating system',\n", " ',DcL',\n", " 'FILE0',\n", " 'FILE0',\n", " 'FILE0',\n", " 'FILE0']" ] } ], "prompt_number": 12 }, { "cell_type": "code", "collapsed": false, "input": [ "def greppy(search_term, text_strings):\n", " temp_list=[]\n", " for item in text_strings:\n", " if search_term in item:\n", " temp_list.append(item)\n", " return temp_list\n", "\n", "greppy(\"Visited: \", text_strings)" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 13, "text": [ "['Visited: Administrator@http://home.microsoft.com',\n", " 'Visited: Administrator@about:Home',\n", " 'Visited: Administrator@http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome',\n", " 'Visited: Administrator@http://www.msn.com',\n", " 'Visited: Administrator@http://home.microsoft.com',\n", " 'Visited: Administrator@about:Home',\n", " 'Visited: Administrator@http://www.msn.com',\n", " 'Visited: Administrator@file:///C:/WINDOWS/system32/oobe/actshell.htm',\n", " 'wwVisited: Administrator@hcp://system/compatctr/compatmode.htm',\n", " 'wwVisited: Administrator@hcp://system/compatctr/compatmode.htm']" ] } ], "prompt_number": 13 }, { "cell_type": "code", "collapsed": false, "input": [ 
"sockets_list = !python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/silentbanker.vmem sockets" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 14 }, { "cell_type": "code", "collapsed": false, "input": [ "for item in sockets_list[3:]:\n", " item = item.split()\n", " print item[5], item[6], item[7]" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "0.0.0.0" ] }, { "output_type": "stream", "stream": "stdout", "text": [ " 2010-08-11 06:08:00\n", "0.0.0.0 2010-08-15 18:54:13\n", "0.0.0.0 2010-08-11 06:06:35\n", "0.0.0.0 2010-08-11 06:06:17\n", "0.0.0.0 2010-08-11 06:06:24\n", "0.0.0.0 2010-08-11 06:06:35\n", "127.0.0.1 2010-08-15 19:01:51\n", "0.0.0.0 2010-08-11 06:06:38\n", "127.0.0.1 2010-08-11 06:06:39\n", "0.0.0.0 2010-08-15 18:54:09\n", "127.0.0.1 2010-08-15 18:54:07\n", "127.0.0.1 2010-08-15 19:01:51\n", "0.0.0.0 2010-08-11 06:06:35\n", "0.0.0.0 2010-08-11 06:08:00\n", "0.0.0.0 2010-08-11 06:06:17\n" ] } ], "prompt_number": 15 }, { "cell_type": "code", "collapsed": false, "input": [ "sockets_list" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 16, "text": [ "['Volatile Systems Volatility Framework 2.3_alpha',\n", " 'Offset(V) PID Port Proto Protocol Address Create Time',\n", " '---------- -------- ------ ------ --------------- --------------- -----------',\n", " '0x80fd1008 4 0 47 GRE 0.0.0.0 2010-08-11 06:08:00 UTC+0000',\n", " '0xff362d18 1088 1066 17 UDP 0.0.0.0 2010-08-15 18:54:13 UTC+0000',\n", " '0xff258008 688 500 17 UDP 0.0.0.0 2010-08-11 06:06:35 UTC+0000',\n", " '0xff367008 4 445 6 TCP 0.0.0.0 2010-08-11 06:06:17 UTC+0000',\n", " '0x80ffc128 936 135 6 TCP 0.0.0.0 2010-08-11 06:06:24 UTC+0000',\n", " '0xff225b70 688 0 255 Reserved 0.0.0.0 2010-08-11 06:06:35 UTC+0000',\n", " '0xff254008 1028 123 17 UDP 127.0.0.1 2010-08-15 19:01:51 UTC+0000',\n", " '0x80fce930 1088 1025 17 UDP 0.0.0.0 2010-08-11 06:06:38 
UTC+0000',\n", " '0xff127d28 216 1026 6 TCP 127.0.0.1 2010-08-11 06:06:39 UTC+0000',\n", " '0xff2608c0 1088 1053 17 UDP 0.0.0.0 2010-08-15 18:54:09 UTC+0000',\n", " '0x80fdc708 1884 1051 17 UDP 127.0.0.1 2010-08-15 18:54:07 UTC+0000',\n", " '0xff248220 1148 1900 17 UDP 127.0.0.1 2010-08-15 19:01:51 UTC+0000',\n", " '0xff1b8250 688 4500 17 UDP 0.0.0.0 2010-08-11 06:06:35 UTC+0000',\n", " '0xff382e98 4 1033 6 TCP 0.0.0.0 2010-08-11 06:08:00 UTC+0000',\n", " '0x80fbdc40 4 445 17 UDP 0.0.0.0 2010-08-11 06:06:17 UTC+0000']" ] } ], "prompt_number": 16 }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f ~/Desktop/mem/silentbanker.vmem malfind" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: csrss.exe Pid: 608 Address: 0x7f6f0000\r\n", "Vad Tag: Vad Protection: PAGE_EXECUTE_READWRITE\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Flags: Protection: 6\r\n", "\r\n", "0x7f6f0000 c8 00 00 00 ff 01 00 00 ff ee ff ee 08 70 00 00 .............p..\r\n", "0x7f6f0010 08 00 00 00 00 fe 00 00 00 00 10 00 00 20 00 00 ................\r\n", "0x7f6f0020 00 02 00 00 00 20 00 00 8d 01 00 00 ff ef fd 7f ................\r\n", "0x7f6f0030 03 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x7f6f0000 c8000000 ENTER 0x0, 0x0\r\n", "0x7f6f0004 ff01 INC DWORD [ECX]\r\n", "0x7f6f0006 0000 ADD [EAX], AL\r\n", "0x7f6f0008 ff DB 0xff\r\n", "0x7f6f0009 ee OUT DX, AL\r\n", "0x7f6f000a ff DB 0xff\r\n", "0x7f6f000b ee OUT DX, AL\r\n", "0x7f6f000c 087000 OR [EAX+0x0], DH\r\n", "0x7f6f000f 0008 ADD [EAX], CL\r\n", "0x7f6f0011 0000 ADD [EAX], AL\r\n", "0x7f6f0013 0000 ADD [EAX], AL\r\n", "0x7f6f0015 fe00 INC BYTE [EAX]\r\n", "0x7f6f0017 0000 ADD [EAX], AL\r\n", "0x7f6f0019 0010 ADD [EAX], DL\r\n", "0x7f6f001b 0000 ADD 
[EAX], AL\r\n", "0x7f6f001d 2000 AND [EAX], AL\r\n", "0x7f6f001f 0000 ADD [EAX], AL\r\n", "0x7f6f0021 0200 ADD AL, [EAX]\r\n", "0x7f6f0023 0000 ADD [EAX], AL\r\n", "0x7f6f0025 2000 AND [EAX], AL\r\n", "0x7f6f0027 008d010000ff ADD [EBP-0xffffff], CL\r\n", "0x7f6f002d ef OUT DX, EAX\r\n", "0x7f6f002e fd STD\r\n", "0x7f6f002f 7f03 JG 0x7f6f0034\r\n", "0x7f6f0031 0008 ADD [EAX], CL\r\n", "0x7f6f0033 06 PUSH ES\r\n", "0x7f6f0034 0000 ADD [EAX], AL\r\n", "0x7f6f0036 0000 ADD [EAX], AL\r\n", "0x7f6f0038 0000 ADD [EAX], AL\r\n", "0x7f6f003a 0000 ADD [EAX], AL\r\n", "0x7f6f003c 0000 ADD [EAX], AL\r\n", "0x7f6f003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: winlogon.exe Pid: 632 Address: 0x2c930000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x2c930000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x2c930010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x2c930020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x2c930030 00 00 00 00 25 00 25 00 01 00 00 00 00 00 00 00 ....%.%.........\r\n", "\r\n", "0x2c930000 0000 ADD [EAX], AL\r\n", "0x2c930002 0000 ADD [EAX], AL\r\n", "0x2c930004 0000 ADD [EAX], AL\r\n", "0x2c930006 0000 ADD [EAX], AL\r\n", "0x2c930008 0000 ADD [EAX], AL\r\n", "0x2c93000a 0000 ADD [EAX], AL\r\n", "0x2c93000c 0000 ADD [EAX], AL\r\n", "0x2c93000e 0000 ADD [EAX], AL\r\n", "0x2c930010 0000 ADD [EAX], AL\r\n", "0x2c930012 0000 ADD [EAX], AL\r\n", "0x2c930014 0000 ADD [EAX], AL\r\n", "0x2c930016 0000 ADD [EAX], AL\r\n", "0x2c930018 0000 ADD [EAX], AL\r\n", "0x2c93001a 0000 ADD [EAX], AL\r\n", "0x2c93001c 0000 ADD [EAX], AL\r\n", "0x2c93001e 0000 ADD [EAX], AL\r\n", "0x2c930020 0000 ADD [EAX], AL\r\n", "0x2c930022 0000 ADD [EAX], AL\r\n", "0x2c930024 0000 ADD [EAX], AL\r\n", "0x2c930026 0000 ADD [EAX], AL\r\n", "0x2c930028 
0000 ADD [EAX], AL\r\n", "0x2c93002a 0000 ADD [EAX], AL\r\n", "0x2c93002c 0000 ADD [EAX], AL\r\n", "0x2c93002e 0000 ADD [EAX], AL\r\n", "0x2c930030 0000 ADD [EAX], AL\r\n", "0x2c930032 0000 ADD [EAX], AL\r\n", "0x2c930034 2500250001 AND EAX, 0x1002500\r\n", "0x2c930039 0000 ADD [EAX], AL\r\n", "0x2c93003b 0000 ADD [EAX], AL\r\n", "0x2c93003d 0000 ADD [EAX], AL\r\n", "0x2c93003f 00 DB 0x0\r\n", "\r\n", "Process: winlogon.exe Pid: 632 Address: 0x37ec0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x37ec0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x37ec0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x37ec0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x37ec0030 00 00 00 00 2b 00 2b 00 01 00 00 00 00 00 00 00 ....+.+.........\r\n", "\r\n", "0x37ec0000 0000 ADD [EAX], AL\r\n", "0x37ec0002 0000 ADD [EAX], AL\r\n", "0x37ec0004 0000 ADD [EAX], AL\r\n", "0x37ec0006 0000 ADD [EAX], AL\r\n", "0x37ec0008 0000 ADD [EAX], AL\r\n", "0x37ec000a 0000 ADD [EAX], AL\r\n", "0x37ec000c 0000 ADD [EAX], AL\r\n", "0x37ec000e 0000 ADD [EAX], AL\r\n", "0x37ec0010 0000 ADD [EAX], AL\r\n", "0x37ec0012 0000 ADD [EAX], AL\r\n", "0x37ec0014 0000 ADD [EAX], AL\r\n", "0x37ec0016 0000 ADD [EAX], AL\r\n", "0x37ec0018 0000 ADD [EAX], AL\r\n", "0x37ec001a 0000 ADD [EAX], AL\r\n", "0x37ec001c 0000 ADD [EAX], AL\r\n", "0x37ec001e 0000 ADD [EAX], AL\r\n", "0x37ec0020 0000 ADD [EAX], AL\r\n", "0x37ec0022 0000 ADD [EAX], AL\r\n", "0x37ec0024 0000 ADD [EAX], AL\r\n", "0x37ec0026 0000 ADD [EAX], AL\r\n", "0x37ec0028 0000 ADD [EAX], AL\r\n", "0x37ec002a 0000 ADD [EAX], AL\r\n", "0x37ec002c 0000 ADD [EAX], AL\r\n", "0x37ec002e 0000 ADD [EAX], AL\r\n", "0x37ec0030 0000 ADD [EAX], AL\r\n", "0x37ec0032 0000 ADD [EAX], AL\r\n", "0x37ec0034 2b00 SUB EAX, [EAX]\r\n", "0x37ec0036 2b00 SUB EAX, [EAX]\r\n", "0x37ec0038 0100 
ADD [EAX], EAX\r\n", "0x37ec003a 0000 ADD [EAX], AL\r\n", "0x37ec003c 0000 ADD [EAX], AL\r\n", "0x37ec003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: winlogon.exe Pid: 632 Address: 0x33470000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "\r\n", "0x33470000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x33470010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x33470020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x33470030 00 00 00 00 29 00 29 00 01 00 00 00 00 00 00 00 ....).).........\r\n", "\r\n", "0x33470000 0000 ADD [EAX], AL\r\n", "0x33470002 0000 ADD [EAX], AL\r\n", "0x33470004 0000 ADD [EAX], AL\r\n", "0x33470006 0000 ADD [EAX], AL\r\n", "0x33470008 0000 ADD [EAX], AL\r\n", "0x3347000a 0000 ADD [EAX], AL\r\n", "0x3347000c 0000 ADD [EAX], AL\r\n", "0x3347000e 0000 ADD [EAX], AL\r\n", "0x33470010 0000 ADD [EAX], AL\r\n", "0x33470012 0000 ADD [EAX], AL\r\n", "0x33470014 0000 ADD [EAX], AL\r\n", "0x33470016 0000 ADD [EAX], AL\r\n", "0x33470018 0000 ADD [EAX], AL\r\n", "0x3347001a 0000 ADD [EAX], AL\r\n", "0x3347001c 0000 ADD [EAX], AL\r\n", "0x3347001e 0000 ADD [EAX], AL\r\n", "0x33470020 0000 ADD [EAX], AL\r\n", "0x33470022 0000 ADD [EAX], AL\r\n", "0x33470024 0000 ADD [EAX], AL\r\n", "0x33470026 0000 ADD [EAX], AL\r\n", "0x33470028 0000 ADD [EAX], AL\r\n", "0x3347002a 0000 ADD [EAX], AL\r\n", "0x3347002c 0000 ADD [EAX], AL\r\n", "0x3347002e 0000 ADD [EAX], AL\r\n", "0x33470030 0000 ADD [EAX], AL\r\n", "0x33470032 0000 ADD [EAX], AL\r\n", "0x33470034 2900 SUB [EAX], EAX\r\n", "0x33470036 2900 SUB [EAX], EAX\r\n", "0x33470038 0100 ADD [EAX], EAX\r\n", "0x3347003a 0000 ADD [EAX], AL\r\n", "0x3347003c 0000 ADD [EAX], AL\r\n", "0x3347003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: winlogon.exe Pid: 632 Address: 0x71ee0000\r\n", 
"Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x71ee0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x71ee0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x71ee0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x71ee0030 00 00 00 00 29 00 29 00 01 00 00 00 00 00 00 00 ....).).........\r\n", "\r\n", "0x71ee0000 0000 ADD [EAX], AL\r\n", "0x71ee0002 0000 ADD [EAX], AL\r\n", "0x71ee0004 0000 ADD [EAX], AL\r\n", "0x71ee0006 0000 ADD [EAX], AL\r\n", "0x71ee0008 0000 ADD [EAX], AL\r\n", "0x71ee000a 0000 ADD [EAX], AL\r\n", "0x71ee000c 0000 ADD [EAX], AL\r\n", "0x71ee000e 0000 ADD [EAX], AL\r\n", "0x71ee0010 0000 ADD [EAX], AL\r\n", "0x71ee0012 0000 ADD [EAX], AL\r\n", "0x71ee0014 0000 ADD [EAX], AL\r\n", "0x71ee0016 0000 ADD [EAX], AL\r\n", "0x71ee0018 0000 ADD [EAX], AL\r\n", "0x71ee001a 0000 ADD [EAX], AL\r\n", "0x71ee001c 0000 ADD [EAX], AL\r\n", "0x71ee001e 0000 ADD [EAX], AL\r\n", "0x71ee0020 0000 ADD [EAX], AL\r\n", "0x71ee0022 0000 ADD [EAX], AL\r\n", "0x71ee0024 0000 ADD [EAX], AL\r\n", "0x71ee0026 0000 ADD [EAX], AL\r\n", "0x71ee0028 0000 ADD [EAX], AL\r\n", "0x71ee002a 0000 ADD [EAX], AL\r\n", "0x71ee002c 0000 ADD [EAX], AL\r\n", "0x71ee002e 0000 ADD [EAX], AL\r\n", "0x71ee0030 0000 ADD [EAX], AL\r\n", "0x71ee0032 0000 ADD [EAX], AL\r\n", "0x71ee0034 2900 SUB [EAX], EAX\r\n", "0x71ee0036 2900 SUB [EAX], EAX\r\n", "0x71ee0038 0100 ADD [EAX], EAX\r\n", "0x71ee003a 0000 ADD [EAX], AL\r\n", "0x71ee003c 0000 ADD [EAX], AL\r\n", "0x71ee003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: winlogon.exe Pid: 632 Address: 0x78850000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x78850000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................\r\n", "0x78850010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x78850020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x78850030 00 00 00 00 27 00 27 00 01 00 00 00 00 00 00 00 ....'.'.........\r\n", "\r\n", "0x78850000 0000 ADD [EAX], AL\r\n", "0x78850002 0000 ADD [EAX], AL\r\n", "0x78850004 0000 ADD [EAX], AL\r\n", "0x78850006 0000 ADD [EAX], AL\r\n", "0x78850008 0000 ADD [EAX], AL\r\n", "0x7885000a 0000 ADD [EAX], AL\r\n", "0x7885000c 0000 ADD [EAX], AL\r\n", "0x7885000e 0000 ADD [EAX], AL\r\n", "0x78850010 0000 ADD [EAX], AL\r\n", "0x78850012 0000 ADD [EAX], AL\r\n", "0x78850014 0000 ADD [EAX], AL\r\n", "0x78850016 0000 ADD [EAX], AL\r\n", "0x78850018 0000 ADD [EAX], AL\r\n", "0x7885001a 0000 ADD [EAX], AL\r\n", "0x7885001c 0000 ADD [EAX], AL\r\n", "0x7885001e 0000 ADD [EAX], AL\r\n", "0x78850020 0000 ADD [EAX], AL\r\n", "0x78850022 0000 ADD [EAX], AL\r\n", "0x78850024 0000 ADD [EAX], AL\r\n", "0x78850026 0000 ADD [EAX], AL\r\n", "0x78850028 0000 ADD [EAX], AL\r\n", "0x7885002a 0000 ADD [EAX], AL\r\n", "0x7885002c 0000 ADD [EAX], AL\r\n", "0x7885002e 0000 ADD [EAX], AL\r\n", "0x78850030 0000 ADD [EAX], AL\r\n", "0x78850032 0000 ADD [EAX], AL\r\n", "0x78850034 27 DAA\r\n", "0x78850035 0027 ADD [EDI], AH\r\n", "0x78850037 0001 ADD [ECX], AL\r\n", "0x78850039 0000 ADD [EAX], AL\r\n", "0x7885003b 0000 ADD [EAX], AL\r\n", "0x7885003d 0000 ADD [EAX], AL\r\n", "0x7885003f 00 DB 0x0\r\n", "\r\n", "Process: winlogon.exe Pid: 632 Address: 0x793e0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x793e0000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x793e0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x793e0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x793e0030 00 00 00 00 2b 00 2b 00 01 00 00 00 00 00 00 00 
....+.+.........\r\n", "\r\n", "0x793e0000 0000 ADD [EAX], AL\r\n", "0x793e0002 0000 ADD [EAX], AL\r\n", "0x793e0004 0000 ADD [EAX], AL\r\n", "0x793e0006 0000 ADD [EAX], AL\r\n", "0x793e0008 0000 ADD [EAX], AL\r\n", "0x793e000a 0000 ADD [EAX], AL\r\n", "0x793e000c 0000 ADD [EAX], AL\r\n", "0x793e000e 0000 ADD [EAX], AL\r\n", "0x793e0010 0000 ADD [EAX], AL\r\n", "0x793e0012 0000 ADD [EAX], AL\r\n", "0x793e0014 0000 ADD [EAX], AL\r\n", "0x793e0016 0000 ADD [EAX], AL\r\n", "0x793e0018 0000 ADD [EAX], AL\r\n", "0x793e001a 0000 ADD [EAX], AL\r\n", "0x793e001c 0000 ADD [EAX], AL\r\n", "0x793e001e 0000 ADD [EAX], AL\r\n", "0x793e0020 0000 ADD [EAX], AL\r\n", "0x793e0022 0000 ADD [EAX], AL\r\n", "0x793e0024 0000 ADD [EAX], AL\r\n", "0x793e0026 0000 ADD [EAX], AL\r\n", "0x793e0028 0000 ADD [EAX], AL\r\n", "0x793e002a 0000 ADD [EAX], AL\r\n", "0x793e002c 0000 ADD [EAX], AL\r\n", "0x793e002e 0000 ADD [EAX], AL\r\n", "0x793e0030 0000 ADD [EAX], AL\r\n", "0x793e0032 0000 ADD [EAX], AL\r\n", "0x793e0034 2b00 SUB EAX, [EAX]\r\n", "0x793e0036 2b00 SUB EAX, [EAX]\r\n", "0x793e0038 0100 ADD [EAX], EAX\r\n", "0x793e003a 0000 ADD [EAX], AL\r\n", "0x793e003c 0000 ADD [EAX], AL\r\n", "0x793e003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10c0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x010c0000 58 68 05 00 0d 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x010c0010 68 28 18 03 10 50 68 bc 9f 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x010c0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010c0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x10c0000 58 POP EAX\r\n", "0x10c0001 6805000d01 PUSH DWORD 0x10d0005\r\n", "0x10c0006 6800000000 PUSH DWORD 0x0\r\n", "0x10c000b 680000807c PUSH DWORD 0x7c800000\r\n", 
"0x10c0010 6828180310 PUSH DWORD 0x10031828\r\n", "0x10c0015 50 PUSH EAX\r\n", "0x10c0016 68bc9f0210 PUSH DWORD 0x10029fbc\r\n", "0x10c001b c3 RET\r\n", "0x10c001c 0000 ADD [EAX], AL\r\n", "0x10c001e 0000 ADD [EAX], AL\r\n", "0x10c0020 0000 ADD [EAX], AL\r\n", "0x10c0022 0000 ADD [EAX], AL\r\n", "0x10c0024 0000 ADD [EAX], AL\r\n", "0x10c0026 0000 ADD [EAX], AL\r\n", "0x10c0028 0000 ADD [EAX], AL\r\n", "0x10c002a 0000 ADD [EAX], AL\r\n", "0x10c002c 0000 ADD [EAX], AL\r\n", "0x10c002e 0000 ADD [EAX], AL\r\n", "0x10c0030 0000 ADD [EAX], AL\r\n", "0x10c0032 0000 ADD [EAX], AL\r\n", "0x10c0034 0000 ADD [EAX], AL\r\n", "0x10c0036 0000 ADD [EAX], AL\r\n", "0x10c0038 0000 ADD [EAX], AL\r\n", "0x10c003a 0000 ADD [EAX], AL\r\n", "0x10c003c 0000 ADD [EAX], AL\r\n", "0x10c003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf50000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f50000 58 68 05 00 f6 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00f50010 68 28 18 03 10 50 68 4f 9a 02 10 c3 00 00 00 00 h(...PhO........\r\n", "0x00f50020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f50030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf50000 58 POP EAX\r\n", "0xf50001 680500f600 PUSH DWORD 0xf60005\r\n", "0xf50006 6800000000 PUSH DWORD 0x0\r\n", "0xf5000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xf50010 6828180310 PUSH DWORD 0x10031828\r\n", "0xf50015 50 PUSH EAX\r\n", "0xf50016 684f9a0210 PUSH DWORD 0x10029a4f\r\n", "0xf5001b c3 RET\r\n", "0xf5001c 0000 ADD [EAX], AL\r\n", "0xf5001e 0000 ADD [EAX], AL\r\n", "0xf50020 0000 ADD [EAX], AL\r\n", "0xf50022 0000 ADD [EAX], AL\r\n", "0xf50024 0000 ADD [EAX], AL\r\n", "0xf50026 0000 ADD [EAX], AL\r\n", "0xf50028 0000 ADD [EAX], AL\r\n", "0xf5002a 0000 ADD [EAX], 
AL\r\n", "0xf5002c 0000 ADD [EAX], AL\r\n", "0xf5002e 0000 ADD [EAX], AL\r\n", "0xf50030 0000 ADD [EAX], AL\r\n", "0xf50032 0000 ADD [EAX], AL\r\n", "0xf50034 0000 ADD [EAX], AL\r\n", "0xf50036 0000 ADD [EAX], AL\r\n", "0xf50038 0000 ADD [EAX], AL\r\n", "0xf5003a 0000 ADD [EAX], AL\r\n", "0xf5003c 0000 ADD [EAX], AL\r\n", "0xf5003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xe60000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00e60000 a2 ca 81 7c 05 8b ff 55 8b ec e9 98 ca 9b 7b 00 ...|...U......{.\r\n", "0x00e60010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e60020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e60030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xe60000 a2ca817c05 MOV [0x57c81ca], AL\r\n", "0xe60005 8bff MOV EDI, EDI\r\n", "0xe60007 55 PUSH EBP\r\n", "0xe60008 8bec MOV EBP, ESP\r\n", "0xe6000a e998ca9b7b JMP 0x7c81caa7\r\n", "0xe6000f 0000 ADD [EAX], AL\r\n", "0xe60011 0000 ADD [EAX], AL\r\n", "0xe60013 0000 ADD [EAX], AL\r\n", "0xe60015 0000 ADD [EAX], AL\r\n", "0xe60017 0000 ADD [EAX], AL\r\n", "0xe60019 0000 ADD [EAX], AL\r\n", "0xe6001b 0000 ADD [EAX], AL\r\n", "0xe6001d 0000 ADD [EAX], AL\r\n", "0xe6001f 0000 ADD [EAX], AL\r\n", "0xe60021 0000 ADD [EAX], AL\r\n", "0xe60023 0000 ADD [EAX], AL\r\n", "0xe60025 0000 ADD [EAX], AL\r\n", "0xe60027 0000 ADD [EAX], AL\r\n", "0xe60029 0000 ADD [EAX], AL\r\n", "0xe6002b 0000 ADD [EAX], AL\r\n", "0xe6002d 0000 ADD [EAX], AL\r\n", "0xe6002f 0000 ADD [EAX], AL\r\n", "0xe60031 0000 ADD [EAX], AL\r\n", "0xe60033 0000 ADD [EAX], AL\r\n", "0xe60035 0000 ADD [EAX], AL\r\n", "0xe60037 0000 ADD [EAX], AL\r\n", "0xe60039 0000 ADD [EAX], AL\r\n", "0xe6003b 0000 ADD [EAX], AL\r\n", "0xe6003d 0000 ADD [EAX], AL\r\n", "0xe6003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", 
"stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0xb90000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00b90000 68 01 00 00 10 6a 01 68 00 00 02 10 b8 cf 4c 02 h....j.h......L.\r\n", "0x00b90010 10 ff d0 c3 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00b90020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00b90030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xb90000 6801000010 PUSH DWORD 0x10000001\r\n", "0xb90005 6a01 PUSH 0x1\r\n", "0xb90007 6800000210 PUSH DWORD 0x10020000\r\n", "0xb9000c b8cf4c0210 MOV EAX, 0x10024ccf\r\n", "0xb90011 ffd0 CALL EAX\r\n", "0xb90013 c3 RET\r\n", "0xb90014 0000 ADD [EAX], AL\r\n", "0xb90016 0000 ADD [EAX], AL\r\n", "0xb90018 0000 ADD [EAX], AL\r\n", "0xb9001a 0000 ADD [EAX], AL\r\n", "0xb9001c 0000 ADD [EAX], AL\r\n", "0xb9001e 0000 ADD [EAX], AL\r\n", "0xb90020 0000 ADD [EAX], AL\r\n", "0xb90022 0000 ADD [EAX], AL\r\n", "0xb90024 0000 ADD [EAX], AL\r\n", "0xb90026 0000 ADD [EAX], AL\r\n", "0xb90028 0000 ADD [EAX], AL\r\n", "0xb9002a 0000 ADD [EAX], AL\r\n", "0xb9002c 0000 ADD [EAX], AL\r\n", "0xb9002e 0000 ADD [EAX], AL\r\n", "0xb90030 0000 ADD [EAX], AL\r\n", "0xb90032 0000 ADD [EAX], AL\r\n", "0xb90034 0000 ADD [EAX], AL\r\n", "0xb90036 0000 ADD [EAX], AL\r\n", "0xb90038 0000 ADD [EAX], AL\r\n", "0xb9003a 0000 ADD [EAX], AL\r\n", "0xb9003c 0000 ADD [EAX], AL\r\n", "0xb9003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xe50000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00e50000 58 68 05 00 e6 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0x00e50010 68 28 18 03 10 50 68 8e 9b 02 10 c3 00 00 00 00 
h(...Ph.........\r\n", "0x00e50020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e50030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xe50000 58 POP EAX\r\n", "0xe50001 680500e600 PUSH DWORD 0xe60005\r\n", "0xe50006 6800000000 PUSH DWORD 0x0\r\n", "0xe5000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xe50010 6828180310 PUSH DWORD 0x10031828\r\n", "0xe50015 50 PUSH EAX\r\n", "0xe50016 688e9b0210 PUSH DWORD 0x10029b8e\r\n", "0xe5001b c3 RET\r\n", "0xe5001c 0000 ADD [EAX], AL\r\n", "0xe5001e 0000 ADD [EAX], AL\r\n", "0xe50020 0000 ADD [EAX], AL\r\n", "0xe50022 0000 ADD [EAX], AL\r\n", "0xe50024 0000 ADD [EAX], AL\r\n", "0xe50026 0000 ADD [EAX], AL\r\n", "0xe50028 0000 ADD [EAX], AL\r\n", "0xe5002a 0000 ADD [EAX], AL\r\n", "0xe5002c 0000 ADD [EAX], AL\r\n", "0xe5002e 0000 ADD [EAX], AL\r\n", "0xe50030 0000 ADD [EAX], AL\r\n", "0xe50032 0000 ADD [EAX], AL\r\n", "0xe50034 0000 ADD [EAX], AL\r\n", "0xe50036 0000 ADD [EAX], AL\r\n", "0xe50038 0000 ADD [EAX], AL\r\n", "0xe5003a 0000 ADD [EAX], AL\r\n", "0xe5003c 0000 ADD [EAX], AL\r\n", "0xe5003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xee0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00ee0000 79 a8 de 77 07 6a 2c 68 80 a9 de 77 e9 6f a8 f0 y..w.j,h...w.o..\r\n", "0x00ee0010 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 v...............\r\n", "0x00ee0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ee0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xee0000 79a8 JNS 0xedffaa\r\n", "0xee0002 de7707 FIDIV WORD [EDI+0x7]\r\n", "0xee0005 6a2c PUSH 0x2c\r\n", "0xee0007 6880a9de77 PUSH DWORD 0x77dea980\r\n", "0xee000c e96fa8f076 JMP 0x77dea880\r\n", "0xee0011 0000 ADD [EAX], AL\r\n", "0xee0013 0000 ADD [EAX], AL\r\n", "0xee0015 0000 ADD [EAX], AL\r\n", 
"0xee0017 0000 ADD [EAX], AL\r\n", "0xee0019 0000 ADD [EAX], AL\r\n", "0xee001b 0000 ADD [EAX], AL\r\n", "0xee001d 0000 ADD [EAX], AL\r\n", "0xee001f 0000 ADD [EAX], AL\r\n", "0xee0021 0000 ADD [EAX], AL\r\n", "0xee0023 0000 ADD [EAX], AL\r\n", "0xee0025 0000 ADD [EAX], AL\r\n", "0xee0027 0000 ADD [EAX], AL\r\n", "0xee0029 0000 ADD [EAX], AL\r\n", "0xee002b 0000 ADD [EAX], AL\r\n", "0xee002d 0000 ADD [EAX], AL\r\n", "0xee002f 0000 ADD [EAX], AL\r\n", "0xee0031 0000 ADD [EAX], AL\r\n", "0xee0033 0000 ADD [EAX], AL\r\n", "0xee0035 0000 ADD [EAX], AL\r\n", "0xee0037 0000 ADD [EAX], AL\r\n", "0xee0039 0000 ADD [EAX], AL\r\n", "0xee003b 0000 ADD [EAX], AL\r\n", "0xee003d 0000 ADD [EAX], AL\r\n", "0xee003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xe90000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00e90000 58 68 05 00 ea 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00e90010 68 28 18 03 10 50 68 18 a0 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00e90020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e90030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xe90000 58 POP EAX\r\n", "0xe90001 680500ea00 PUSH DWORD 0xea0005\r\n", "0xe90006 6800000000 PUSH DWORD 0x0\r\n", "0xe9000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xe90010 6828180310 PUSH DWORD 0x10031828\r\n", "0xe90015 50 PUSH EAX\r\n", "0xe90016 6818a00210 PUSH DWORD 0x1002a018\r\n", "0xe9001b c3 RET\r\n", "0xe9001c 0000 ADD [EAX], AL\r\n", "0xe9001e 0000 ADD [EAX], AL\r\n", "0xe90020 0000 ADD [EAX], AL\r\n", "0xe90022 0000 ADD [EAX], AL\r\n", "0xe90024 0000 ADD [EAX], AL\r\n", "0xe90026 0000 ADD [EAX], AL\r\n", "0xe90028 0000 ADD [EAX], AL\r\n", "0xe9002a 0000 ADD [EAX], AL\r\n", "0xe9002c 0000 ADD [EAX], AL\r\n", "0xe9002e 0000 ADD [EAX], AL\r\n", "0xe90030 0000 ADD [EAX], AL\r\n", "0xe90032 0000 ADD [EAX], 
AL\r\n", "0xe90034 0000 ADD [EAX], AL\r\n", "0xe90036 0000 ADD [EAX], AL\r\n", "0xe90038 0000 ADD [EAX], AL\r\n", "0xe9003a 0000 ADD [EAX], AL\r\n", "0xe9003c 0000 ADD [EAX], AL\r\n", "0xe9003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xe70000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00e70000 58 68 05 00 e8 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00e70010 68 28 18 03 10 50 68 b9 99 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00e70020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e70030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xe70000 58 POP EAX\r\n", "0xe70001 680500e800 PUSH DWORD 0xe80005\r\n", "0xe70006 6800000000 PUSH DWORD 0x0\r\n", "0xe7000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xe70010 6828180310 PUSH DWORD 0x10031828\r\n", "0xe70015 50 PUSH EAX\r\n", "0xe70016 68b9990210 PUSH DWORD 0x100299b9\r\n", "0xe7001b c3 RET\r\n", "0xe7001c 0000 ADD [EAX], AL\r\n", "0xe7001e 0000 ADD [EAX], AL\r\n", "0xe70020 0000 ADD [EAX], AL\r\n", "0xe70022 0000 ADD [EAX], AL\r\n", "0xe70024 0000 ADD [EAX], AL\r\n", "0xe70026 0000 ADD [EAX], AL\r\n", "0xe70028 0000 ADD [EAX], AL\r\n", "0xe7002a 0000 ADD [EAX], AL\r\n", "0xe7002c 0000 ADD [EAX], AL\r\n", "0xe7002e 0000 ADD [EAX], AL\r\n", "0xe70030 0000 ADD [EAX], AL\r\n", "0xe70032 0000 ADD [EAX], AL\r\n", "0xe70034 0000 ADD [EAX], AL\r\n", "0xe70036 0000 ADD [EAX], AL\r\n", "0xe70038 0000 ADD [EAX], AL\r\n", "0xe7003a 0000 ADD [EAX], AL\r\n", "0xe7003c 0000 ADD [EAX], AL\r\n", "0xe7003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xe80000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00e80000 8a 42 ab 71 05 8b ff 55 8b ec e9 80 42 c3 70 00 .B.q...U....B.p." 
] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0x00e80010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e80020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00e80030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xe80000 8a42ab MOV AL, [EDX-0x55]\r\n", "0xe80003 7105 JNO 0xe8000a\r\n", "0xe80005 8bff MOV EDI, EDI\r\n", "0xe80007 55 PUSH EBP\r\n", "0xe80008 8bec MOV EBP, ESP\r\n", "0xe8000a e98042c370 JMP 0x71ab428f\r\n", "0xe8000f 0000 ADD [EAX], AL\r\n", "0xe80011 0000 ADD [EAX], AL\r\n", "0xe80013 0000 ADD [EAX], AL\r\n", "0xe80015 0000 ADD [EAX], AL\r\n", "0xe80017 0000 ADD [EAX], AL\r\n", "0xe80019 0000 ADD [EAX], AL\r\n", "0xe8001b 0000 ADD [EAX], AL\r\n", "0xe8001d 0000 ADD [EAX], AL\r\n", "0xe8001f 0000 ADD [EAX], AL\r\n", "0xe80021 0000 ADD [EAX], AL\r\n", "0xe80023 0000 ADD [EAX], AL\r\n", "0xe80025 0000 ADD [EAX], AL\r\n", "0xe80027 0000 ADD [EAX], AL\r\n", "0xe80029 0000 ADD [EAX], AL\r\n", "0xe8002b 0000 ADD [EAX], AL\r\n", "0xe8002d 0000 ADD [EAX], AL\r\n", "0xe8002f 0000 ADD [EAX], AL\r\n", "0xe80031 0000 ADD [EAX], AL\r\n", "0xe80033 0000 ADD [EAX], AL\r\n", "0xe80035 0000 ADD [EAX], AL\r\n", "0xe80037 0000 ADD [EAX], AL\r\n", "0xe80039 0000 ADD [EAX], AL\r\n", "0xe8003b 0000 ADD [EAX], AL\r\n", "0xe8003d 0000 ADD [EAX], AL\r\n", "0xe8003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xeb0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00eb0000 58 68 05 00 ec 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00eb0010 68 28 18 03 10 50 68 7f a0 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00eb0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00eb0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xeb0000 58 POP EAX\r\n", "0xeb0001 
680500ec00 PUSH DWORD 0xec0005\r\n", "0xeb0006 6800000000 PUSH DWORD 0x0\r\n", "0xeb000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xeb0010 6828180310 PUSH DWORD 0x10031828\r\n", "0xeb0015 50 PUSH EAX\r\n", "0xeb0016 687fa00210 PUSH DWORD 0x1002a07f\r\n", "0xeb001b c3 RET\r\n", "0xeb001c 0000 ADD [EAX], AL\r\n", "0xeb001e 0000 ADD [EAX], AL\r\n", "0xeb0020 0000 ADD [EAX], AL\r\n", "0xeb0022 0000 ADD [EAX], AL\r\n", "0xeb0024 0000 ADD [EAX], AL\r\n", "0xeb0026 0000 ADD [EAX], AL\r\n", "0xeb0028 0000 ADD [EAX], AL\r\n", "0xeb002a 0000 ADD [EAX], AL\r\n", "0xeb002c 0000 ADD [EAX], AL\r\n", "0xeb002e 0000 ADD [EAX], AL\r\n", "0xeb0030 0000 ADD [EAX], AL\r\n", "0xeb0032 0000 ADD [EAX], AL\r\n", "0xeb0034 0000 ADD [EAX], AL\r\n", "0xeb0036 0000 ADD [EAX], AL\r\n", "0xeb0038 0000 ADD [EAX], AL\r\n", "0xeb003a 0000 ADD [EAX], AL\r\n", "0xeb003c 0000 ADD [EAX], AL\r\n", "0xeb003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xea0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00ea0000 6a 40 ab 71 05 8b ff 55 8b ec e9 60 40 c1 70 00 j@.q...U...`@.p.\r\n", "0x00ea0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ea0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ea0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xea0000 6a40 PUSH 0x40\r\n", "0xea0002 ab STOSD\r\n", "0xea0003 7105 JNO 0xea000a\r\n", "0xea0005 8bff MOV EDI, EDI\r\n", "0xea0007 55 PUSH EBP\r\n", "0xea0008 8bec MOV EBP, ESP\r\n", "0xea000a e96040c170 JMP 0x71ab406f\r\n", "0xea000f 0000 ADD [EAX], AL\r\n", "0xea0011 0000 ADD [EAX], AL\r\n", "0xea0013 0000 ADD [EAX], AL\r\n", "0xea0015 0000 ADD [EAX], AL\r\n", "0xea0017 0000 ADD [EAX], AL\r\n", "0xea0019 0000 ADD [EAX], AL\r\n", "0xea001b 0000 ADD [EAX], AL\r\n", "0xea001d 0000 ADD [EAX], AL\r\n", "0xea001f 0000 ADD [EAX], AL\r\n", 
"0xea0021 0000 ADD [EAX], AL\r\n", "0xea0023 0000 ADD [EAX], AL\r\n", "0xea0025 0000 ADD [EAX], AL\r\n", "0xea0027 0000 ADD [EAX], AL\r\n", "0xea0029 0000 ADD [EAX], AL\r\n", "0xea002b 0000 ADD [EAX], AL\r\n", "0xea002d 0000 ADD [EAX], AL\r\n", "0xea002f 0000 ADD [EAX], AL\r\n", "0xea0031 0000 ADD [EAX], AL\r\n", "0xea0033 0000 ADD [EAX], AL\r\n", "0xea0035 0000 ADD [EAX], AL\r\n", "0xea0037 0000 ADD [EAX], AL\r\n", "0xea0039 0000 ADD [EAX], AL\r\n", "0xea003b 0000 ADD [EAX], AL\r\n", "0xea003d 0000 ADD [EAX], AL\r\n", "0xea003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xed0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00ed0000 58 68 05 00 ee 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00ed0010 68 28 18 03 10 50 68 f2 a0 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00ed0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ed0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xed0000 58 POP EAX\r\n", "0xed0001 680500ee00 PUSH DWORD 0xee0005\r\n", "0xed0006 6800000000 PUSH DWORD 0x0\r\n", "0xed000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xed0010 6828180310 PUSH DWORD 0x10031828\r\n", "0xed0015 50 PUSH EAX\r\n", "0xed0016 68f2a00210 PUSH DWORD 0x1002a0f2\r\n", "0xed001b c3 RET\r\n", "0xed001c 0000 ADD [EAX], AL\r\n", "0xed001e 0000 ADD [EAX], AL\r\n", "0xed0020 0000 ADD [EAX], AL\r\n", "0xed0022 0000 ADD [EAX], AL\r\n", "0xed0024 0000 ADD [EAX], AL\r\n", "0xed0026 0000 ADD [EAX], AL\r\n", "0xed0028 0000 ADD [EAX], AL\r\n", "0xed002a 0000 ADD [EAX], AL\r\n", "0xed002c 0000 ADD [EAX], AL\r\n", "0xed002e 0000 ADD [EAX], AL\r\n", "0xed0030 0000 ADD [EAX], AL\r\n", "0xed0032 0000 ADD [EAX], AL\r\n", "0xed0034 0000 ADD [EAX], AL\r\n", "0xed0036 0000 ADD [EAX], AL\r\n", "0xed0038 0000 ADD [EAX], AL\r\n", "0xed003a 0000 ADD [EAX], AL\r\n", "0xed003c 0000 ADD [EAX], 
AL\r\n", "0xed003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xec0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00ec0000 85 a6 de 77 07 6a 30 68 a0 a7 de 77 e9 7b a6 f2 ...w.j0h...w.{..\r\n", "0x00ec0010 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 v...............\r\n", "0x00ec0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ec0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xec0000 85a6de77076a TEST [ESI+0x6a0777de], ESP\r\n", "0xec0006 3068a0 XOR [EAX-0x60], CH\r\n", "0xec0009 a7 CMPSD\r\n", "0xec000a de77e9 FIDIV WORD [EDI-0x17]\r\n", "0xec000d 7ba6 JNP 0xebffb5\r\n", "0xec000f f27600 JBE 0xec0012\r\n", "0xec0012 0000 ADD [EAX], AL\r\n", "0xec0014 0000 ADD [EAX], AL\r\n", "0xec0016 0000 ADD [EAX], AL\r\n", "0xec0018 0000 ADD [EAX], AL\r\n", "0xec001a 0000 ADD [EAX], AL\r\n", "0xec001c 0000 ADD [EAX], AL\r\n", "0xec001e 0000 ADD [EAX], AL\r\n", "0xec0020 0000 ADD [EAX], AL\r\n", "0xec0022 0000 ADD [EAX], AL\r\n", "0xec0024 0000 ADD [EAX], AL\r\n", "0xec0026 0000 ADD [EAX], AL\r\n", "0xec0028 0000 ADD [EAX], AL\r\n", "0xec002a 0000 ADD [EAX], AL\r\n", "0xec002c 0000 ADD [EAX], AL\r\n", "0xec002e 0000 ADD [EAX], AL\r\n", "0xec0030 0000 ADD [EAX], AL\r\n", "0xec0032 0000 ADD [EAX], AL\r\n", "0xec0034 0000 ADD [EAX], AL\r\n", "0xec0036 0000 ADD [EAX], AL\r\n", "0xec0038 0000 ADD [EAX], AL\r\n", "0xec003a 0000 ADD [EAX], AL\r\n", "0xec003c 0000 ADD [EAX], AL\r\n", "0xec003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf20000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f20000 c5 4a 1c 77 05 8b ff 55 8b ec e9 bb 4a 2a 76 00 .J.w...U....J*v.\r\n", "0x00f20010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................\r\n", "0x00f20020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f20030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf20000 c54a1c LDS ECX, [EDX+0x1c]\r\n", "0xf20003 7705 JA 0xf2000a\r\n", "0xf20005 8bff MOV EDI, EDI\r\n", "0xf20007 55 PUSH EBP\r\n", "0xf20008 8bec MOV EBP, ESP\r\n", "0xf2000a e9bb4a2a76 JMP 0x771c4aca\r\n", "0xf2000f 0000 ADD [EAX], AL\r\n", "0xf20011 0000 ADD [EAX], AL\r\n", "0xf20013 0000 ADD [EAX], AL\r\n", "0xf20015 0000 ADD [EAX], AL\r\n", "0xf20017 0000 ADD [EAX], AL\r\n", "0xf20019 0000 ADD [EAX], AL\r\n", "0xf2001b 0000 ADD [EAX], AL\r\n", "0xf2001d 0000 ADD [EAX], AL\r\n", "0xf2001f 0000 ADD [EAX], AL\r\n", "0xf20021 0000 ADD [EAX], AL\r\n", "0xf20023 0000 ADD [EAX], AL\r\n", "0xf20025 0000 ADD [EAX], AL\r\n", "0xf20027 0000 ADD [EAX], AL\r\n", "0xf20029 0000 ADD [EAX], AL\r\n", "0xf2002b 0000 ADD [EAX], AL\r\n", "0xf2002d 0000 ADD [EAX], AL\r\n", "0xf2002f 0000 ADD [EAX], AL\r\n", "0xf20031 0000 ADD [EAX], AL\r\n", "0xf20033 0000 ADD [EAX], AL\r\n", "0xf20035 0000 ADD [EAX], AL\r\n", "0xf20037 0000 ADD [EAX], AL\r\n", "0xf20039 0000 ADD [EAX], AL\r\n", "0xf2003b 0000 ADD [EAX], AL\r\n", "0xf2003d 0000 ADD [EAX], AL\r\n", "0xf2003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf00000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f00000 b1 14 e1 77 07 6a 18 68 90 15 e1 77 e9 a7 14 f1 ...w.j.h...w....\r\n", "0x00f00010 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 v...............\r\n", "0x00f00020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f00030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf00000 b114 MOV CL, 0x14\r\n", "0xf00002 e177 LOOPZ 0xf0007b\r\n", "0xf00004 07 POP ES\r\n", "0xf00005 6a18 PUSH 0x18\r\n", "0xf00007 689015e177 PUSH DWORD 0x77e11590\r\n", 
"0xf0000c e9a714f176 JMP 0x77e114b8\r\n", "0xf00011 0000 ADD [EAX], AL\r\n", "0xf00013 0000 ADD [EAX], AL\r\n", "0xf00015 0000 ADD [EAX], AL\r\n", "0xf00017 0000 ADD [EAX], AL\r\n", "0xf00019 0000 ADD [EAX], AL\r\n", "0xf0001b 0000 ADD [EAX], AL\r\n", "0xf0001d 0000 ADD [EAX], AL\r\n", "0xf0001f 0000 ADD [EAX], AL\r\n", "0xf00021 0000 ADD [EAX], AL\r\n", "0xf00023 0000 ADD [EAX], AL\r\n", "0xf00025 0000 ADD [EAX], AL\r\n", "0xf00027 0000 ADD [EAX], AL\r\n", "0xf00029 0000 ADD [EAX], AL\r\n", "0xf0002b 0000 ADD [EAX], AL\r\n", "0xf0002d 0000 ADD [EAX], AL\r\n", "0xf0002f 0000 ADD [EAX], AL\r\n", "0xf00031 0000 ADD [EAX], AL\r\n", "0xf00033 0000 ADD [EAX], AL\r\n", "0xf00035 0000 ADD [EAX], AL\r\n", "0xf00037 0000 ADD [EAX], AL\r\n", "0xf00039 0000 ADD [EAX], AL\r\n", "0xf0003b 0000 ADD [EAX], AL\r\n", "0xf0003d 0000 ADD [EAX], AL\r\n", "0xf0003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0xef0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00ef0000 58 68 05 00 f0 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00ef0010 68 28 18 03 10 50 68 62 a1 02 10 c3 00 00 00 00 h(...Phb........\r\n", "0x00ef0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ef0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xef0000 58 POP EAX\r\n", "0xef0001 680500f000 PUSH DWORD 0xf00005\r\n", "0xef0006 6800000000 PUSH DWORD 0x0\r\n", "0xef000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xef0010 6828180310 PUSH DWORD 0x10031828\r\n", "0xef0015 50 PUSH EAX\r\n", "0xef0016 6862a10210 PUSH DWORD 0x1002a162\r\n", "0xef001b c3 RET\r\n", "0xef001c 0000 ADD [EAX], AL\r\n", "0xef001e 0000 ADD [EAX], AL\r\n", "0xef0020 0000 ADD [EAX], AL\r\n", "0xef0022 0000 ADD [EAX], AL\r\n", "0xef0024 0000 ADD [EAX], AL\r\n", "0xef0026 0000 ADD [EAX], 
AL\r\n", "0xef0028 0000 ADD [EAX], AL\r\n", "0xef002a 0000 ADD [EAX], AL\r\n", "0xef002c 0000 ADD [EAX], AL\r\n", "0xef002e 0000 ADD [EAX], AL\r\n", "0xef0030 0000 ADD [EAX], AL\r\n", "0xef0032 0000 ADD [EAX], AL\r\n", "0xef0034 0000 ADD [EAX], AL\r\n", "0xef0036 0000 ADD [EAX], AL\r\n", "0xef0038 0000 ADD [EAX], AL\r\n", "0xef003a 0000 ADD [EAX], AL\r\n", "0xef003c 0000 ADD [EAX], AL\r\n", "0xef003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf10000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f10000 58 68 05 00 f2 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00f10010 68 28 18 03 10 50 68 9b 9e 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00f10020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f10030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf10000 58 POP EAX\r\n", "0xf10001 680500f200 PUSH DWORD 0xf20005\r\n", "0xf10006 6800000000 PUSH DWORD 0x0\r\n", "0xf1000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xf10010 6828180310 PUSH DWORD 0x10031828\r\n", "0xf10015 50 PUSH EAX\r\n", "0xf10016 689b9e0210 PUSH DWORD 0x10029e9b\r\n", "0xf1001b c3 RET\r\n", "0xf1001c 0000 ADD [EAX], AL\r\n", "0xf1001e 0000 ADD [EAX], AL\r\n", "0xf10020 0000 ADD [EAX], AL\r\n", "0xf10022 0000 ADD [EAX], AL\r\n", "0xf10024 0000 ADD [EAX], AL\r\n", "0xf10026 0000 ADD [EAX], AL\r\n", "0xf10028 0000 ADD [EAX], AL\r\n", "0xf1002a 0000 ADD [EAX], AL\r\n", "0xf1002c 0000 ADD [EAX], AL\r\n", "0xf1002e 0000 ADD [EAX], AL\r\n", "0xf10030 0000 ADD [EAX], AL\r\n", "0xf10032 0000 ADD [EAX], AL\r\n", "0xf10034 0000 ADD [EAX], AL\r\n", "0xf10036 0000 ADD [EAX], AL\r\n", "0xf10038 0000 ADD [EAX], AL\r\n", "0xf1003a 0000 ADD [EAX], AL\r\n", "0xf1003c 0000 ADD [EAX], AL\r\n", "0xf1003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf40000\r\n", "Vad Tag: VadS 
Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f40000 45 63 1d 77 05 8b ff 55 8b ec e9 3b 63 29 76 00 Ec.w...U...;c)v.\r\n", "0x00f40010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f40020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f40030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf40000 45 INC EBP\r\n", "0xf40001 631d77058bff ARPL [0xff8b0577], BX\r\n", "0xf40007 55 PUSH EBP\r\n", "0xf40008 8bec MOV EBP, ESP\r\n", "0xf4000a e93b632976 JMP 0x771d634a\r\n", "0xf4000f 0000 ADD [EAX], AL\r\n", "0xf40011 0000 ADD [EAX], AL\r\n", "0xf40013 0000 ADD [EAX], AL\r\n", "0xf40015 0000 ADD [EAX], AL\r\n", "0xf40017 0000 ADD [EAX], AL\r\n", "0xf40019 0000 ADD [EAX], AL\r\n", "0xf4001b 0000 ADD [EAX], AL\r\n", "0xf4001d 0000 ADD [EAX], AL\r\n", "0xf4001f 0000 ADD [EAX], AL\r\n", "0xf40021 0000 ADD [EAX], AL\r\n", "0xf40023 0000 ADD [EAX], AL\r\n", "0xf40025 0000 ADD [EAX], AL\r\n", "0xf40027 0000 ADD [EAX], AL\r\n", "0xf40029 0000 ADD [EAX], AL\r\n", "0xf4002b 0000 ADD [EAX], AL\r\n", "0xf4002d 0000 ADD [EAX], AL\r\n", "0xf4002f 0000 ADD [EAX], AL\r\n", "0xf40031 0000 ADD [EAX], AL\r\n", "0xf40033 0000 ADD [EAX], AL\r\n", "0xf40035 0000 ADD [EAX], AL\r\n", "0xf40037 0000 ADD [EAX], AL\r\n", "0xf40039 0000 ADD [EAX], AL\r\n", "0xf4003b 0000 ADD [EAX], AL\r\n", "0xf4003d 0000 ADD [EAX], AL\r\n", "0xf4003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf30000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f30000 58 68 05 00 f4 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00f30010 68 28 18 03 10 50 68 6b 9e 02 10 c3 00 00 00 00 h(...Phk........\r\n", "0x00f30020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f30030 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf30000 58 POP EAX\r\n", "0xf30001 680500f400 PUSH DWORD 0xf40005\r\n", "0xf30006 6800000000 PUSH DWORD 0x0\r\n", "0xf3000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xf30010 6828180310 PUSH DWORD 0x10031828\r\n", "0xf30015 50 PUSH EAX\r\n", "0xf30016 686b9e0210 PUSH DWORD 0x10029e6b\r\n", "0xf3001b c3 RET\r\n", "0xf3001c 0000 ADD [EAX], AL\r\n", "0xf3001e 0000 ADD [EAX], AL\r\n", "0xf30020 0000 ADD [EAX], AL\r\n", "0xf30022 0000 ADD [EAX], AL\r\n", "0xf30024 0000 ADD [EAX], AL\r\n", "0xf30026 0000 ADD [EAX], AL\r\n", "0xf30028 0000 ADD [EAX], AL\r\n", "0xf3002a 0000 ADD [EAX], AL\r\n", "0xf3002c 0000 ADD [EAX], AL\r\n", "0xf3002e 0000 ADD [EAX], AL\r\n", "0xf30030 0000 ADD [EAX], AL\r\n", "0xf30032 0000 ADD [EAX], AL\r\n", "0xf30034 0000 ADD [EAX], AL\r\n", "0xf30036 0000 ADD [EAX], AL\r\n", "0xf30038 0000 ADD [EAX], AL\r\n", "0xf3003a 0000 ADD [EAX], AL\r\n", "0xf3003c 0000 ADD [EAX], AL\r\n", "0xf3003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xfc0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00fc0000 41 5e 1d 77 05 8b ff 55 8b ec e9 37 5e 21 76 00 A^.w...U...7^!v.\r\n", "0x00fc0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fc0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fc0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xfc0000 41 INC ECX\r\n", "0xfc0001 5e POP ESI\r\n", "0xfc0002 1d77058bff SBB EAX, 0xff8b0577\r\n", "0xfc0007 55 PUSH EBP\r\n", "0xfc0008 8bec MOV EBP, ESP\r\n", "0xfc000a e9375e2176 JMP 0x771d5e46\r\n", "0xfc000f 0000 ADD [EAX], AL\r\n", "0xfc0011 0000 ADD [EAX], AL\r\n", "0xfc0013 0000 ADD [EAX], AL\r\n", "0xfc0015 0000 ADD [EAX], AL\r\n", "0xfc0017 0000 ADD [EAX], AL\r\n", "0xfc0019 0000 ADD [EAX], AL\r\n", "0xfc001b 0000 ADD [EAX], 
AL\r\n", "0xfc001d 0000 ADD [EAX], AL\r\n", "0xfc001f 0000 ADD [EAX], AL\r\n", "0xfc0021 0000 ADD [EAX], AL\r\n", "0xfc0023 0000 ADD [EAX], AL\r\n", "0xfc0025 0000 ADD [EAX], AL\r\n", "0xfc0027 0000 ADD [EAX], AL\r\n", "0xfc0029 0000 ADD [EAX], AL\r\n", "0xfc002b 0000 ADD [EAX], AL\r\n", "0xfc002d 0000 ADD [EAX], AL\r\n", "0xfc002f 0000 ADD [EAX], AL\r\n", "0xfc0031 0000 ADD [EAX], AL\r\n", "0xfc0033 0000 ADD [EAX], AL\r\n", "0xfc0035 0000 ADD [EAX], AL\r\n", "0xfc0037 0000 ADD [EAX], AL\r\n", "0xfc0039 0000 ADD [EAX], AL\r\n", "0xfc003b 0000 ADD [EAX], AL\r\n", "0xfc003d 0000 ADD [EAX], AL\r\n", "0xfc003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf90000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f90000 58 68 05 00 fa 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00f90010 68 28 18 03 10 50 68 96 9d 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00f90020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f90030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf90000 58 POP EAX\r\n", "0xf90001 680500fa00 PUSH DWORD 0xfa0005\r\n", "0xf90006 6800000000 PUSH DWORD 0x0\r\n", "0xf9000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xf90010 6828180310 PUSH DWORD 0x10031828\r\n", "0xf90015 50 PUSH EAX\r\n", "0xf90016 68969d0210 PUSH DWORD 0x10029d96\r\n", "0xf9001b c3 RET\r\n", "0xf9001c 0000 ADD [EAX], AL\r\n", "0xf9001e 0000 ADD [EAX], AL\r\n", "0xf90020 0000 ADD [EAX], AL\r\n", "0xf90022 0000 ADD [EAX], AL\r\n", "0xf90024 0000 ADD [EAX], AL\r\n", "0xf90026 0000 ADD [EAX], AL\r\n", "0xf90028 0000 ADD [EAX], AL\r\n", "0xf9002a 0000 ADD [EAX], AL\r\n", "0xf9002c 0000 ADD [EAX], AL\r\n", "0xf9002e 0000 ADD [EAX], AL\r\n", "0xf90030 0000 ADD [EAX], AL\r\n", "0xf90032 0000 ADD [EAX], AL\r\n", "0xf90034 0000 ADD [EAX], AL\r\n", "0xf90036 0000 ADD [EAX], AL\r\n", "0xf90038 0000 ADD 
[EAX], AL\r\n", "0xf9003a 0000 ADD [EAX], AL\r\n", "0xf9003c 0000 ADD [EAX], AL\r\n", "0xf9003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf70000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f70000 58 68 05 00 f8 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00f70010 68 28 18 03 10 50 68 28 9a 02 10 c3 00 00 00 00 h(...Ph(........\r\n", "0x00f70020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f70030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf70000 58 POP EAX\r\n", "0xf70001 680500f800 PUSH DWORD 0xf80005\r\n", "0xf70006 6800000000 PUSH DWORD 0x0\r\n", "0xf7000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xf70010 6828180310 PUSH DWORD 0x10031828\r\n", "0xf70015 50 PUSH EAX\r\n", "0xf70016 68289a0210 PUSH DWORD 0x10029a28\r\n", "0xf7001b c3 RET\r\n", "0xf7001c 0000 ADD [EAX], AL\r\n", "0xf7001e 0000 ADD [EAX], AL\r\n", "0xf70020 0000 ADD [EAX], AL\r\n", "0xf70022 0000 ADD [EAX], AL\r\n", "0xf70024 0000 ADD [EAX], AL\r\n", "0xf70026 0000 ADD [EAX], AL\r\n", "0xf70028 0000 ADD [EAX], AL\r\n", "0xf7002a 0000 ADD [EAX], AL\r\n", "0xf7002c 0000 ADD [EAX], AL\r\n", "0xf7002e 0000 ADD [EAX], AL\r\n", "0xf70030 0000 ADD [EAX], AL\r\n", "0xf70032 0000 ADD [EAX], AL\r\n", "0xf70034 0000 ADD [EAX], AL\r\n", "0xf70036 0000 ADD [EAX], AL\r\n", "0xf70038 0000 ADD [EAX], AL\r\n", "0xf7003a 0000 ADD [EAX], AL\r\n", "0xf7003c 0000 ADD [EAX], AL\r\n", "0xf7003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf60000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f60000 b8 76 1c 77 05 8b ff 55 8b ec e9 ae 76 26 76 00 .v.w...U....v&v.\r\n", "0x00f60010 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 ................\r\n", "0x00f60020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f60030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf60000 b8761c7705 MOV EAX, 0x5771c76\r\n", "0xf60005 8bff MOV EDI, EDI\r\n", "0xf60007 55 PUSH EBP\r\n", "0xf60008 8bec MOV EBP, ESP\r\n", "0xf6000a e9ae762676 JMP 0x771c76bd\r\n", "0xf6000f 0000 ADD [EAX], AL\r\n", "0xf60011 0000 ADD [EAX], AL\r\n", "0xf60013 0000 ADD [EAX], AL\r\n", "0xf60015 0000 ADD [EAX], AL\r\n", "0xf60017 0000 ADD [EAX], AL\r\n", "0xf60019 0000 ADD [EAX], AL\r\n", "0xf6001b 0000 ADD [EAX], AL\r\n", "0xf6001d 0000 ADD [EAX], AL\r\n", "0xf6001f 0000 ADD [EAX], AL\r\n", "0xf60021 0000 ADD [EAX], AL\r\n", "0xf60023 0000 ADD [EAX], AL\r\n", "0xf60025 0000 ADD [EAX], AL\r\n", "0xf60027 0000 ADD [EAX], AL\r\n", "0xf60029 0000 ADD [EAX], AL\r\n", "0xf6002b 0000 ADD [EAX], AL\r\n", "0xf6002d 0000 ADD [EAX], AL\r\n", "0xf6002f 0000 ADD [EAX], AL\r\n", "0xf60031 0000 ADD [EAX], AL\r\n", "0xf60033 0000 ADD [EAX], AL\r\n", "0xf60035 0000 ADD [EAX], AL\r\n", "0xf60037 0000 ADD [EAX], AL\r\n", "0xf60039 0000 ADD [EAX], AL\r\n", "0xf6003b 0000 ADD [EAX], AL\r\n", "0xf6003d 0000 ADD [EAX], AL\r\n", "0xf6003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xf80000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00f80000 08 18 21 77 05 8b ff 55 8b ec e9 fe 17 29 76 00 ..!w...U.....)v.\r\n", "0x00f80010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f80020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00f80030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xf80000 0818 OR [EAX], BL\r\n", "0xf80002 217705 AND [EDI+0x5], ESI\r\n", "0xf80005 8bff MOV EDI, EDI\r\n", "0xf80007 55 PUSH EBP\r\n", "0xf80008 8bec MOV EBP, ESP\r\n", "0xf8000a 
e9fe172976 JMP 0x7721180d\r\n", "0xf8000f 0000 ADD [EAX], AL\r\n", "0xf80011 0000 ADD [EAX], AL\r\n", "0xf80013 0000 ADD [EAX], AL\r\n", "0xf80015 0000 ADD [EAX], AL\r\n", "0xf80017 0000 ADD [EAX], AL\r\n", "0xf80019 0000 ADD [EAX], AL\r\n", "0xf8001b 0000 ADD [EAX], AL\r\n", "0xf8001d 0000 ADD [EAX], AL\r\n", "0xf8001f 0000 ADD [EAX], AL\r\n", "0xf80021 0000 ADD [EAX], AL\r\n", "0xf80023 0000 ADD [EAX], AL\r\n", "0xf80025 0000 ADD [EAX], AL\r\n", "0xf80027 0000 ADD [EAX], AL\r\n", "0xf80029 0000 ADD [EAX], AL\r\n", "0xf8002b 0000 ADD [EAX], AL\r\n", "0xf8002d 0000 ADD [EAX], AL\r\n", "0xf8002f 0000 ADD [EAX], AL\r\n", "0xf80031 0000 ADD [EAX], AL\r\n", "0xf80033 0000 ADD [EAX], AL\r\n", "0xf80035 0000 ADD [EAX], AL\r\n", "0xf80037 0000 ADD [EAX], AL\r\n", "0xf80039 0000 ADD [EAX], AL\r\n", "0xf8003b 0000 ADD [EAX], AL\r\n", "0xf8003d 0000 ADD [EAX], AL\r\n", "0xf8003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xfb0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00fb0000 58 68 05 00 fc 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00fb0010 68 28 18 03 10 50 68 2b 9d 02 10 c3 00 00 00 00 h(...Ph+........\r\n", "0x00fb0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fb0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xfb0000 58 POP EAX\r\n", "0xfb0001 680500fc00 PUSH DWORD 0xfc0005\r\n", "0xfb0006 6800000000 PUSH DWORD 0x0\r\n", "0xfb000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xfb0010 6828180310 PUSH DWORD 0x10031828\r\n", "0xfb0015 50 PUSH EAX\r\n", "0xfb0016 682b9d0210 PUSH DWORD 0x10029d2b\r\n", "0xfb001b c3 RET\r\n", "0xfb001c 0000 ADD [EAX], AL\r\n", "0xfb001e 0000 ADD [EAX], AL\r\n", "0xfb0020 0000 ADD [EAX], AL\r\n", "0xfb0022 0000 ADD [EAX], AL\r\n", "0xfb0024 0000 ADD [EAX], AL\r\n", "0xfb0026 0000 ADD [EAX], AL\r\n", "0xfb0028 0000 ADD [EAX], 
AL\r\n", "0xfb002a 0000 ADD [EAX], AL\r\n", "0xfb002c 0000 ADD [EAX], AL\r\n", "0xfb002e 0000 ADD [EAX], AL\r\n", "0xfb0030 0000 ADD [EAX], AL\r\n", "0xfb0032 0000 ADD [EAX], AL\r\n", "0xfb0034 0000 ADD [EAX], AL\r\n", "0xfb0036 0000 ADD [EAX], AL\r\n", "0xfb0038 0000 ADD [EAX], AL\r\n", "0xfb003a 0000 ADD [EAX], AL\r\n", "0xfb003c 0000 ADD [EAX], AL\r\n", "0xfb003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xfa0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00fa0000 ca 54 1c 77 07 6a 24 68 88 55 1c 77 e9 c0 54 22 .T.w.j$h.U.w..T\"\r\n", "0x00fa0010 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 v...............\r\n", "0x00fa0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fa0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xfa0000 ca541c RETF 0x1c54\r\n", "0xfa0003 7707 JA 0xfa000c\r\n", "0xfa0005 6a24 PUSH 0x24\r\n", "0xfa0007 6888551c77 PUSH DWORD 0x771c5588\r\n", "0xfa000c e9c0542276 JMP 0x771c54d1\r\n", "0xfa0011 0000 ADD [EAX], AL\r\n", "0xfa0013 0000 ADD [EAX], AL\r\n", "0xfa0015 0000 ADD [EAX], AL\r\n", "0xfa0017 0000 ADD [EAX], AL\r\n", "0xfa0019 0000 ADD [EAX], AL\r\n", "0xfa001b 0000 ADD [EAX], AL\r\n", "0xfa001d 0000 ADD [EAX], AL\r\n", "0xfa001f 0000 ADD [EAX], AL\r\n", "0xfa0021 0000 ADD [EAX], AL\r\n", "0xfa0023 0000 ADD [EAX], AL\r\n", "0xfa0025 0000 ADD [EAX], AL\r\n", "0xfa0027 0000 ADD [EAX], AL\r\n", "0xfa0029 0000 ADD [EAX], AL\r\n", "0xfa002b 0000 ADD [EAX], AL\r\n", "0xfa002d 0000 ADD [EAX], AL\r\n", "0xfa002f 0000 ADD [EAX], AL\r\n", "0xfa0031 0000 ADD [EAX], AL\r\n", "0xfa0033 0000 ADD [EAX], AL\r\n", "0xfa0035 0000 ADD [EAX], AL\r\n", "0xfa0037 0000 ADD [EAX], AL\r\n", "0xfa0039 0000 ADD [EAX], AL\r\n", "0xfa003b 0000 ADD [EAX], AL\r\n", "0xfa003d 0000 ADD [EAX], AL\r\n", "0xfa003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 
1884 Address: 0x1000000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01000000 d6 88 1f 77 08 6a 78 ff e6 bc 33 91 77 e9 cc 88 ...w.jx...3.w...\r\n", "0x01000010 1f 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 .v..............\r\n", "0x01000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1000000 d6 SALC\r\n", "0x1000001 881f MOV [EDI], BL\r\n", "0x1000003 7708 JA 0x100000d\r\n", "0x1000005 6a78 PUSH 0x78\r\n", "0x1000007 ffe6 JMP ESI\r\n", "0x1000009 bc339177e9 MOV ESP, 0xe9779133\r\n", "0x100000e cc INT 3\r\n", "0x100000f 881f MOV [EDI], BL\r\n", "0x1000011 7600 JBE 0x1000013\r\n", "0x1000013 0000 ADD [EAX], AL\r\n", "0x1000015 0000 ADD [EAX], AL\r\n", "0x1000017 0000 ADD [EAX], AL\r\n", "0x1000019 0000 ADD [EAX], AL\r\n", "0x100001b 0000 ADD [EAX], AL\r\n", "0x100001d 0000 ADD [EAX], AL\r\n", "0x100001f 0000 ADD [EAX], AL\r\n", "0x1000021 0000 ADD [EAX], AL\r\n", "0x1000023 0000 ADD [EAX], AL\r\n", "0x1000025 0000 ADD [EAX], AL\r\n", "0x1000027 0000 ADD [EAX], AL\r\n", "0x1000029 0000 ADD [EAX], AL\r\n", "0x100002b 0000 ADD [EAX], AL\r\n", "0x100002d 0000 ADD [EAX], AL\r\n", "0x100002f 0000 ADD [EAX], AL\r\n", "0x1000031 0000 ADD [EAX], AL\r\n", "0x1000033 0000 ADD [EAX], AL\r\n", "0x1000035 0000 ADD [EAX], AL\r\n", "0x1000037 0000 ADD [EAX], AL\r\n", "0x1000039 0000 ADD [EAX], AL\r\n", "0x100003b 0000 ADD [EAX], AL\r\n", "0x100003d 0000 ADD [EAX], AL\r\n", "0x100003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0xfe0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00fe0000 9a 7e 1f 77 05 8b ff 55 8b ec e9 90 7e 21 76 00 .~.w...U....~!v.\r\n", "0x00fe0010 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fe0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fe0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xfe0000 9a7e1f77058bff CALL FAR 0xff8b:0x5771f7e\r\n", "0xfe0007 55 PUSH EBP\r\n", "0xfe0008 8bec MOV EBP, ESP\r\n", "0xfe000a e9907e2176 JMP 0x771f7e9f\r\n", "0xfe000f 0000 ADD [EAX], AL\r\n", "0xfe0011 0000 ADD [EAX], AL\r\n", "0xfe0013 0000 ADD [EAX], AL\r\n", "0xfe0015 0000 ADD [EAX], AL\r\n", "0xfe0017 0000 ADD [EAX], AL\r\n", "0xfe0019 0000 ADD [EAX], AL\r\n", "0xfe001b 0000 ADD [EAX], AL\r\n", "0xfe001d 0000 ADD [EAX], AL\r\n", "0xfe001f 0000 ADD [EAX], AL\r\n", "0xfe0021 0000 ADD [EAX], AL\r\n", "0xfe0023 0000 ADD [EAX], AL\r\n", "0xfe0025 0000 ADD [EAX], AL\r\n", "0xfe0027 0000 ADD [EAX], AL\r\n", "0xfe0029 0000 ADD [EAX], AL\r\n", "0xfe002b 0000 ADD [EAX], AL\r\n", "0xfe002d 0000 ADD [EAX], AL\r\n", "0xfe002f 0000 ADD [EAX], AL\r\n", "0xfe0031 0000 ADD [EAX], AL\r\n", "0xfe0033 0000 ADD [EAX], AL\r\n", "0xfe0035 0000 ADD [EAX], AL\r\n", "0xfe0037 0000 ADD [EAX], AL\r\n", "0xfe0039 0000 ADD [EAX], AL\r\n", "0xfe003b 0000 ADD [EAX], AL\r\n", "0xfe003d 0000 ADD [EAX], AL\r\n", "0xfe003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xfd0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00fd0000 58 68 05 00 fe 00 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00fd0010 68 28 18 03 10 50 68 ff 9b 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00fd0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00fd0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xfd0000 58 POP EAX\r\n", "0xfd0001 680500fe00 PUSH DWORD 0xfe0005\r\n", "0xfd0006 6800000000 PUSH DWORD 0x0\r\n", "0xfd000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xfd0010 
6828180310 PUSH DWORD 0x10031828\r\n", "0xfd0015 50 PUSH EAX\r\n", "0xfd0016 68ff9b0210 PUSH DWORD 0x10029bff\r\n", "0xfd001b c3 RET\r\n", "0xfd001c 0000 ADD [EAX], AL\r\n", "0xfd001e 0000 ADD [EAX], AL\r\n", "0xfd0020 0000 ADD [EAX], AL\r\n", "0xfd0022 0000 ADD [EAX], AL\r\n", "0xfd0024 0000 ADD [EAX], AL\r\n", "0xfd0026 0000 ADD [EAX], AL\r\n", "0xfd0028 0000 ADD [EAX], AL\r\n", "0xfd002a 0000 ADD [EAX], AL\r\n", "0xfd002c 0000 ADD [EAX], AL\r\n", "0xfd002e 0000 ADD [EAX], AL\r\n", "0xfd0030 0000 ADD [EAX], AL\r\n", "0xfd0032 0000 ADD [EAX], AL\r\n", "0xfd0034 0000 ADD [EAX], AL\r\n", "0xfd0036 0000 ADD [EAX], AL\r\n", "0xfd0038 0000 ADD [EAX], AL\r\n", "0xfd003a 0000 ADD [EAX], AL\r\n", "0xfd003c 0000 ADD [EAX], AL\r\n", "0xfd003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0xff0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x00ff0000 58 68 05 00 00 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x00ff0010 68 28 18 03 10 50 68 db 9b 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x00ff0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x00ff0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0xff0000 58 POP EAX\r\n", "0xff0001 6805000001 PUSH DWORD 0x1000005\r\n", "0xff0006 6800000000 PUSH DWORD 0x0\r\n", "0xff000b 680000807c PUSH DWORD 0x7c800000\r\n", "0xff0010 6828180310 PUSH DWORD 0x10031828\r\n", "0xff0015 50 PUSH EAX\r\n", "0xff0016 68db9b0210 PUSH DWORD 0x10029bdb\r\n", "0xff001b c3 RET\r\n", "0xff001c 0000 ADD [EAX], AL\r\n", "0xff001e 0000 ADD [EAX], AL\r\n", "0xff0020 0000 ADD [EAX], AL\r\n", "0xff0022 0000 ADD [EAX], AL\r\n", "0xff0024 0000 ADD [EAX], AL\r\n", "0xff0026 0000 ADD [EAX], AL\r\n", "0xff0028 0000 ADD [EAX], AL\r\n", "0xff002a 0000 ADD [EAX], AL\r\n", "0xff002c 0000 ADD [EAX], AL\r\n", "0xff002e 0000 ADD [EAX], AL\r\n", "0xff0030 0000 ADD 
[EAX], AL\r\n", "0xff0032 0000 ADD [EAX], AL\r\n", "0xff0034 0000 ADD [EAX], AL\r\n", "0xff0036 0000 ADD [EAX], AL\r\n", "0xff0038 0000 ADD [EAX], AL\r\n", "0xff003a 0000 ADD [EAX], AL\r\n", "0xff003c 0000 ADD [EAX], AL\r\n", "0xff003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1020000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01020000 55 95 1c 77 05 8b ff 55 8b ec e9 4b 95 1a 76 00 U..w...U...K..v.\r\n", "0x01020010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01020020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01020030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1020000 55 PUSH EBP\r\n", "0x1020001 95 XCHG EBP, EAX\r\n", "0x1020002 1c77 SBB AL, 0x77\r\n", "0x1020004 058bff558b ADD EAX, 0x8b55ff8b\r\n", "0x1020009 ec IN AL, DX\r\n", "0x102000a e94b951a76 JMP 0x771c955a\r\n", "0x102000f 0000 ADD [EAX], AL\r\n", "0x1020011 0000 ADD [EAX], AL\r\n", "0x1020013 0000 ADD [EAX], AL\r\n", "0x1020015 0000 ADD [EAX], AL\r\n", "0x1020017 0000 ADD [EAX], AL\r\n", "0x1020019 0000 ADD [EAX], AL\r\n", "0x102001b 0000 ADD [EAX], AL\r\n", "0x102001d 0000 ADD [EAX], AL\r\n", "0x102001f 0000 ADD [EAX], AL\r\n", "0x1020021 0000 ADD [EAX], AL\r\n", "0x1020023 0000 ADD [EAX], AL\r\n", "0x1020025 0000 ADD [EAX], AL\r\n", "0x1020027 0000 ADD [EAX], AL\r\n", "0x1020029 0000 ADD [EAX], AL\r\n", "0x102002b 0000 ADD [EAX], AL\r\n", "0x102002d 0000 ADD [EAX], AL\r\n", "0x102002f 0000 ADD [EAX], AL\r\n", "0x1020031 0000 ADD [EAX], AL\r\n", "0x1020033 0000 ADD [EAX], AL\r\n", "0x1020035 0000 ADD [EAX], AL\r\n", "0x1020037 0000 ADD [EAX], AL\r\n", "0x1020039 0000 ADD [EAX], AL\r\n", "0x102003b 0000 ADD [EAX], AL\r\n", "0x102003d 0000 ADD [EAX], AL\r\n", "0x102003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1010000\r\n", "Vad Tag: VadS 
Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01010000 58 68 05 00 02 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x01010010 68 28 18 03 10 50 68 64 9c 02 10 c3 00 00 00 00 h(...Phd........\r\n", "0x01010020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01010030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1010000 58 POP EAX\r\n", "0x1010001 6805000201 PUSH DWORD 0x1020005\r\n", "0x1010006 6800000000 PUSH DWORD 0x0\r\n", "0x101000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x1010010 6828180310 PUSH DWORD 0x10031828\r\n", "0x1010015 50 PUSH EAX\r\n", "0x1010016 68649c0210 PUSH DWORD 0x10029c64\r\n", "0x101001b c3 RET\r\n", "0x101001c 0000 ADD [EAX], AL\r\n", "0x101001e 0000 ADD [EAX], AL\r\n", "0x1010020 0000 ADD [EAX], AL\r\n", "0x1010022 0000 ADD [EAX], AL\r\n", "0x1010024 0000 ADD [EAX], AL\r\n", "0x1010026 0000 ADD [EAX], AL\r\n", "0x1010028 0000 ADD [EAX], AL\r\n", "0x101002a 0000 ADD [EAX], AL\r\n", "0x101002c 0000 ADD [EAX], AL\r\n", "0x101002e 0000 ADD [EAX], AL\r\n", "0x1010030 0000 ADD [EAX], AL\r\n", "0x1010032 0000 ADD [EAX], AL\r\n", "0x1010034 0000 ADD [EAX], AL\r\n", "0x1010036 0000 ADD [EAX], AL\r\n", "0x1010038 0000 ADD [EAX], AL\r\n", "0x101003a 0000 ADD [EAX], AL\r\n", "0x101003c 0000 ADD [EAX], AL\r\n", "0x101003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1030000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01030000 58 68 05 00 04 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x01030010 68 28 18 03 10 50 68 c9 9c 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x01030020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01030030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1030000 58 
POP EAX\r\n", "0x1030001 6805000401 PUSH DWORD 0x1040005\r\n", "0x1030006 6800000000 PUSH DWORD 0x0\r\n", "0x103000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x1030010 6828180310 PUSH DWORD 0x10031828\r\n", "0x1030015 50 PUSH EAX\r\n", "0x1030016 68c99c0210 PUSH DWORD 0x10029cc9\r\n", "0x103001b c3 RET\r\n", "0x103001c 0000 ADD [EAX], AL\r\n", "0x103001e 0000 ADD [EAX], AL\r\n", "0x1030020 0000 ADD [EAX], AL\r\n", "0x1030022 0000 ADD [EAX], AL\r\n", "0x1030024 0000 ADD [EAX], AL\r\n", "0x1030026 0000 ADD [EAX], AL\r\n", "0x1030028 0000 ADD [EAX], AL\r\n", "0x103002a 0000 ADD [EAX], AL\r\n", "0x103002c 0000 ADD [EAX], AL\r\n", "0x103002e 0000 ADD [EAX], AL\r\n", "0x1030030 0000 ADD [EAX], AL\r\n", "0x1030032 0000 ADD [EAX], AL\r\n", "0x1030034 0000 ADD [EAX], AL\r\n", "0x1030036 0000 ADD [EAX], AL\r\n", "0x1030038 0000 ADD [EAX], AL\r\n", "0x103003a 0000 ADD [EAX], AL\r\n", "0x103003c 0000 ADD [EAX], AL\r\n", "0x103003e 0000 ADD [EAX], AL\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1040000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01040000 5f 32 1d 77 05 8b ff 55 8b ec e9 55 32 19 76 00 _2.w...U...U2.v.\r\n", "0x01040010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01040020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01040030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1040000 5f POP EDI\r\n", "0x1040001 321d77058bff XOR BL, [0xff8b0577]\r\n", "0x1040007 55 PUSH EBP\r\n", "0x1040008 8bec MOV EBP, ESP\r\n", "0x104000a e955321976 JMP 0x771d3264\r\n", "0x104000f 0000 ADD [EAX], AL\r\n", "0x1040011 0000 ADD [EAX], AL\r\n", "0x1040013 0000 ADD [EAX], AL\r\n", "0x1040015 0000 ADD [EAX], AL\r\n", "0x1040017 0000 ADD [EAX], AL\r\n", "0x1040019 0000 ADD [EAX], AL\r\n", "0x104001b 0000 ADD [EAX], 
AL\r\n", "0x104001d 0000 ADD [EAX], AL\r\n", "0x104001f 0000 ADD [EAX], AL\r\n", "0x1040021 0000 ADD [EAX], AL\r\n", "0x1040023 0000 ADD [EAX], AL\r\n", "0x1040025 0000 ADD [EAX], AL\r\n", "0x1040027 0000 ADD [EAX], AL\r\n", "0x1040029 0000 ADD [EAX], AL\r\n", "0x104002b 0000 ADD [EAX], AL\r\n", "0x104002d 0000 ADD [EAX], AL\r\n", "0x104002f 0000 ADD [EAX], AL\r\n", "0x1040031 0000 ADD [EAX], AL\r\n", "0x1040033 0000 ADD [EAX], AL\r\n", "0x1040035 0000 ADD [EAX], AL\r\n", "0x1040037 0000 ADD [EAX], AL\r\n", "0x1040039 0000 ADD [EAX], AL\r\n", "0x104003b 0000 ADD [EAX], AL\r\n", "0x104003d 0000 ADD [EAX], AL\r\n", "0x104003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1090000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01090000 19 53 1b 77 05 8b ff 55 8b ec e9 0f 53 12 76 00 .S.w...U....S.v.\r\n", "0x01090010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01090020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01090030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1090000 19531b SBB [EBX+0x1b], EDX\r\n", "0x1090003 7705 JA 0x109000a\r\n", "0x1090005 8bff MOV EDI, EDI\r\n", "0x1090007 55 PUSH EBP\r\n", "0x1090008 8bec MOV EBP, ESP\r\n", "0x109000a e90f531276 JMP 0x771b531e\r\n", "0x109000f 0000 ADD [EAX], AL\r\n", "0x1090011 0000 ADD [EAX], AL\r\n", "0x1090013 0000 ADD [EAX], AL\r\n", "0x1090015 0000 ADD [EAX], AL\r\n", "0x1090017 0000 ADD [EAX], AL\r\n", "0x1090019 0000 ADD [EAX], AL\r\n", "0x109001b 0000 ADD [EAX], AL\r\n", "0x109001d 0000 ADD [EAX], AL\r\n", "0x109001f 0000 ADD [EAX], AL\r\n", "0x1090021 0000 ADD [EAX], AL\r\n", "0x1090023 0000 ADD [EAX], AL\r\n", "0x1090025 0000 ADD [EAX], AL\r\n", "0x1090027 0000 ADD [EAX], AL\r\n", "0x1090029 0000 ADD [EAX], AL\r\n", "0x109002b 0000 ADD [EAX], AL\r\n", "0x109002d 0000 ADD [EAX], AL\r\n", 
"0x109002f 0000 ADD [EAX], AL\r\n", "0x1090031 0000 ADD [EAX], AL\r\n", "0x1090033 0000 ADD [EAX], AL\r\n", "0x1090035 0000 ADD [EAX], AL\r\n", "0x1090037 0000 ADD [EAX], AL\r\n", "0x1090039 0000 ADD [EAX], AL\r\n", "0x109003b 0000 ADD [EAX], AL\r\n", "0x109003d 0000 ADD [EAX], AL\r\n", "0x109003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1070000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01070000 5d bc 22 77 05 8b ff 55 8b ec e9 53 bc 1b 76 00 ].\"w...U...S..v.\r\n", "0x01070010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01070020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01070030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1070000 5d POP EBP\r\n", "0x1070001 bc2277058b MOV ESP, 0x8b057722\r\n", "0x1070006 ff558b CALL DWORD [EBP-0x75]\r\n", "0x1070009 ec IN AL, DX\r\n", "0x107000a e953bc1b76 JMP 0x7722bc62\r\n", "0x107000f 0000 ADD [EAX], AL\r\n", "0x1070011 0000 ADD [EAX], AL\r\n", "0x1070013 0000 ADD [EAX], AL\r\n", "0x1070015 0000 ADD [EAX], AL\r\n", "0x1070017 0000 ADD [EAX], AL\r\n", "0x1070019 0000 ADD [EAX], AL\r\n", "0x107001b 0000 ADD [EAX], AL\r\n", "0x107001d 0000 ADD [EAX], AL\r\n", "0x107001f 0000 ADD [EAX], AL\r\n", "0x1070021 0000 ADD [EAX], AL\r\n", "0x1070023 0000 ADD [EAX], AL\r\n", "0x1070025 0000 ADD [EAX], AL\r\n", "0x1070027 0000 ADD [EAX], AL\r\n", "0x1070029 0000 ADD [EAX], AL\r\n", "0x107002b 0000 ADD [EAX], AL\r\n", "0x107002d 0000 ADD [EAX], AL\r\n", "0x107002f 0000 ADD [EAX], AL\r\n", "0x1070031 0000 ADD [EAX], AL\r\n", "0x1070033 0000 ADD [EAX], AL\r\n", "0x1070035 0000 ADD [EAX], AL\r\n", "0x1070037 0000 ADD [EAX], AL\r\n", "0x1070039 0000 ADD [EAX], AL\r\n", "0x107003b 0000 ADD [EAX], AL\r\n", "0x107003d 0000 ADD [EAX], AL\r\n", "0x107003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 
0x1060000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01060000 58 68 05 00 07 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x01060010 68 28 18 03 10 50 68 fb 9d 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x01060020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01060030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1060000 58 POP EAX\r\n", "0x1060001 6805000701 PUSH DWORD 0x1070005\r\n", "0x1060006 6800000000 PUSH DWORD 0x0\r\n", "0x106000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x1060010 6828180310 PUSH DWORD 0x10031828\r\n", "0x1060015 50 PUSH EAX\r\n", "0x1060016 68fb9d0210 PUSH DWORD 0x10029dfb\r\n", "0x106001b c3 RET\r\n", "0x106001c 0000 ADD [EAX], AL\r\n", "0x106001e 0000 ADD [EAX], AL\r\n", "0x1060020 0000 ADD [EAX], AL\r\n", "0x1060022 0000 ADD [EAX], AL\r\n", "0x1060024 0000 ADD [EAX], AL\r\n", "0x1060026 0000 ADD [EAX], AL\r\n", "0x1060028 0000 ADD [EAX], AL\r\n", "0x106002a 0000 ADD [EAX], AL\r\n", "0x106002c 0000 ADD [EAX], AL\r\n", "0x106002e 0000 ADD [EAX], AL\r\n", "0x1060030 0000 ADD [EAX], AL\r\n", "0x1060032 0000 ADD [EAX], AL\r\n", "0x1060034 0000 ADD [EAX], AL\r\n", "0x1060036 0000 ADD [EAX], AL\r\n", "0x1060038 0000 ADD [EAX], AL\r\n", "0x106003a 0000 ADD [EAX], AL\r\n", "0x106003c 0000 ADD [EAX], AL\r\n", "0x106003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1080000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01080000 58 68 05 00 09 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x01080010 68 28 18 03 10 50 68 d2 a1 02 10 c3 00 00 00 00 h(...Ph.........\r\n", "0x01080020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01080030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
................\r\n", "\r\n", "0x1080000 58 POP EAX\r\n", "0x1080001 6805000901 PUSH DWORD 0x1090005\r\n", "0x1080006 6800000000 PUSH DWORD 0x0\r\n", "0x108000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x1080010 6828180310 PUSH DWORD 0x10031828\r\n", "0x1080015 50 PUSH EAX\r\n", "0x1080016 68d2a10210 PUSH DWORD 0x1002a1d2\r\n", "0x108001b c3 RET\r\n", "0x108001c 0000 ADD [EAX], AL\r\n", "0x108001e 0000 ADD [EAX], AL\r\n", "0x1080020 0000 ADD [EAX], AL\r\n", "0x1080022 0000 ADD [EAX], AL\r\n", "0x1080024 0000 ADD [EAX], AL\r\n", "0x1080026 0000 ADD [EAX], AL\r\n", "0x1080028 0000 ADD [EAX], AL\r\n", "0x108002a 0000 ADD [EAX], AL\r\n", "0x108002c 0000 ADD [EAX], AL\r\n", "0x108002e 0000 ADD [EAX], AL\r\n", "0x1080030 0000 ADD [EAX], AL\r\n", "0x1080032 0000 ADD [EAX], AL\r\n", "0x1080034 0000 ADD [EAX], AL\r\n", "0x1080036 0000 ADD [EAX], AL\r\n", "0x1080038 0000 ADD [EAX], AL\r\n", "0x108003a 0000 ADD [EAX], AL\r\n", "0x108003c 0000 ADD [EAX], AL\r\n", "0x108003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10b0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x010b0000 3b f2 21 77 05 8b ff 55 8b ec e9 31 f2 16 76 00 ;.!w...U...1..v.\r\n", "0x010b0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010b0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010b0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x10b0000 3bf2 CMP ESI, EDX\r\n", "0x10b0002 217705 AND [EDI+0x5], ESI\r\n", "0x10b0005 8bff MOV EDI, EDI\r\n", "0x10b0007 55 PUSH EBP\r\n", "0x10b0008 8bec MOV EBP, ESP\r\n", "0x10b000a e931f21676 JMP 0x7721f240\r\n", "0x10b000f 0000 ADD [EAX], AL\r\n", "0x10b0011 0000 ADD [EAX], AL\r\n", "0x10b0013 0000 ADD [EAX], AL\r\n", "0x10b0015 0000 ADD [EAX], AL\r\n", "0x10b0017 0000 ADD [EAX], AL\r\n", "0x10b0019 0000 ADD [EAX], AL\r\n", "0x10b001b 
0000 ADD [EAX], AL\r\n", "0x10b001d 0000 ADD [EAX], AL\r\n", "0x10b001f 0000 ADD [EAX], AL\r\n", "0x10b0021 0000 ADD [EAX], AL\r\n", "0x10b0023 0000 ADD [EAX], AL\r\n", "0x10b0025 0000 ADD [EAX], AL\r\n", "0x10b0027 0000 ADD [EAX], AL\r\n", "0x10b0029 0000 ADD [EAX], AL\r\n", "0x10b002b 0000 ADD [EAX], AL\r\n", "0x10b002d 0000 ADD [EAX], AL\r\n", "0x10b002f 0000 ADD [EAX], AL\r\n", "0x10b0031 0000 ADD [EAX], AL\r\n", "0x10b0033 0000 ADD [EAX], AL\r\n", "0x10b0035 0000 ADD [EAX], AL\r\n", "0x10b0037 0000 ADD [EAX], AL\r\n", "0x10b0039 0000 ADD [EAX], AL\r\n", "0x10b003b 0000 ADD [EAX], AL\r\n", "0x10b003d 0000 ADD [EAX], AL\r\n", "0x10b003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10a0000" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x010a0000 58 68 05 00 0b 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x010a0010 68 28 18 03 10 50 68 5f a2 02 10 c3 00 00 00 00 h(...Ph_........\r\n", "0x010a0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010a0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x10a0000 58 POP EAX\r\n", "0x10a0001 6805000b01 PUSH DWORD 0x10b0005\r\n", "0x10a0006 6800000000 PUSH DWORD 0x0\r\n", "0x10a000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x10a0010 6828180310 PUSH DWORD 0x10031828\r\n", "0x10a0015 50 PUSH EAX\r\n", "0x10a0016 685fa20210 PUSH DWORD 0x1002a25f\r\n", "0x10a001b c3 RET\r\n", "0x10a001c 0000 ADD [EAX], AL\r\n", "0x10a001e 0000 ADD [EAX], AL\r\n", "0x10a0020 0000 ADD [EAX], AL\r\n", "0x10a0022 0000 ADD [EAX], AL\r\n", "0x10a0024 0000 ADD [EAX], AL\r\n", "0x10a0026 0000 ADD [EAX], AL\r\n", "0x10a0028 0000 ADD [EAX], AL\r\n", "0x10a002a 0000 ADD [EAX], AL\r\n", "0x10a002c 0000 ADD [EAX], AL\r\n", "0x10a002e 0000 ADD [EAX], AL\r\n", "0x10a0030 0000 ADD [EAX], AL\r\n", 
"0x10a0032 0000 ADD [EAX], AL\r\n", "0x10a0034 0000 ADD [EAX], AL\r\n", "0x10a0036 0000 ADD [EAX], AL\r\n", "0x10a0038 0000 ADD [EAX], AL\r\n", "0x10a003a 0000 ADD [EAX], AL\r\n", "0x10a003c 0000 ADD [EAX], AL\r\n", "0x10a003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1100000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01100000 58 68 05 00 11 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x01100010 68 28 18 03 10 50 68 61 9f 02 10 c3 00 00 00 00 h(...Pha........\r\n", "0x01100020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01100030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1100000 58 POP EAX\r\n", "0x1100001 6805001101 PUSH DWORD 0x1110005\r\n", "0x1100006 6800000000 PUSH DWORD 0x0\r\n", "0x110000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x1100010 6828180310 PUSH DWORD 0x10031828\r\n", "0x1100015 50 PUSH EAX\r\n", "0x1100016 68619f0210 PUSH DWORD 0x10029f61\r\n", "0x110001b c3 RET\r\n", "0x110001c 0000 ADD [EAX], AL\r\n", "0x110001e 0000 ADD [EAX], AL\r\n", "0x1100020 0000 ADD [EAX], AL\r\n", "0x1100022 0000 ADD [EAX], AL\r\n", "0x1100024 0000 ADD [EAX], AL\r\n", "0x1100026 0000 ADD [EAX], AL\r\n", "0x1100028 0000 ADD [EAX], AL\r\n", "0x110002a 0000 ADD [EAX], AL\r\n", "0x110002c 0000 ADD [EAX], AL\r\n", "0x110002e 0000 ADD [EAX], AL\r\n", "0x1100030 0000 ADD [EAX], AL\r\n", "0x1100032 0000 ADD [EAX], AL\r\n", "0x1100034 0000 ADD [EAX], AL\r\n", "0x1100036 0000 ADD [EAX], AL\r\n", "0x1100038 0000 ADD [EAX], AL\r\n", "0x110003a 0000 ADD [EAX], AL\r\n", "0x110003c 0000 ADD [EAX], AL\r\n", "0x110003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10e0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x010e0000 58 68 05 
00 0f 01 68 00 00 00 00 68 00 00 80 7c Xh....h....h...|\r\n", "0x010e0010 68 28 18 03 10 50 68 61 9f 02 10 c3 00 00 00 00 h(...Pha........\r\n", "0x010e0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010e0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x10e0000 58 POP EAX\r\n", "0x10e0001 6805000f01 PUSH DWORD 0x10f0005\r\n", "0x10e0006 6800000000 PUSH DWORD 0x0\r\n", "0x10e000b 680000807c PUSH DWORD 0x7c800000\r\n", "0x10e0010 6828180310 PUSH DWORD 0x10031828\r\n", "0x10e0015 50 PUSH EAX\r\n", "0x10e0016 68619f0210 PUSH DWORD 0x10029f61\r\n", "0x10e001b c3 RET\r\n", "0x10e001c 0000 ADD [EAX], AL\r\n", "0x10e001e 0000 ADD [EAX], AL\r\n", "0x10e0020 0000 ADD [EAX], AL\r\n", "0x10e0022 0000 ADD [EAX], AL\r\n", "0x10e0024 0000 ADD [EAX], AL\r\n", "0x10e0026 0000 ADD [EAX], AL\r\n", "0x10e0028 0000 ADD [EAX], AL\r\n", "0x10e002a 0000 ADD [EAX], AL\r\n", "0x10e002c 0000 ADD [EAX], AL\r\n", "0x10e002e 0000 ADD [EAX], AL\r\n", "0x10e0030 0000 ADD [EAX], AL\r\n", "0x10e0032 0000 ADD [EAX], AL\r\n", "0x10e0034 0000 ADD [EAX], AL\r\n", "0x10e0036 0000 ADD [EAX], AL\r\n", "0x10e0038 0000 ADD [EAX], AL\r\n", "0x10e003a 0000 ADD [EAX], AL\r\n", "0x10e003c 0000 ADD [EAX], AL\r\n", "0x10e003e 0000 ADD [EAX], AL\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10d0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x010d0000 b2 fc d6 77 05 8b ff 55 8b ec e9 a8 fc c9 76 00 ...w...U......v.\r\n", "0x010d0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010d0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010d0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x10d0000 b2fc MOV DL, 0xfc\r\n", "0x10d0002 d6 SALC\r\n", "0x10d0003 7705 JA 0x10d000a\r\n", "0x10d0005 8bff MOV EDI, EDI\r\n", "0x10d0007 55 PUSH EBP\r\n", 
"0x10d0008 8bec MOV EBP, ESP\r\n", "0x10d000a e9a8fcc976 JMP 0x77d6fcb7\r\n", "0x10d000f 0000 ADD [EAX], AL\r\n", "0x10d0011 0000 ADD [EAX], AL\r\n", "0x10d0013 0000 ADD [EAX], AL\r\n", "0x10d0015 0000 ADD [EAX], AL\r\n", "0x10d0017 0000 ADD [EAX], AL\r\n", "0x10d0019 0000 ADD [EAX], AL\r\n", "0x10d001b 0000 ADD [EAX], AL\r\n", "0x10d001d 0000 ADD [EAX], AL\r\n", "0x10d001f 0000 ADD [EAX], AL\r\n", "0x10d0021 0000 ADD [EAX], AL\r\n", "0x10d0023 0000 ADD [EAX], AL\r\n", "0x10d0025 0000 ADD [EAX], AL\r\n", "0x10d0027 0000 ADD [EAX], AL\r\n", "0x10d0029 0000 ADD [EAX], AL\r\n", "0x10d002b 0000 ADD [EAX], AL\r\n", "0x10d002d 0000 ADD [EAX], AL\r\n", "0x10d002f 0000 ADD [EAX], AL\r\n", "0x10d0031 0000 ADD [EAX], AL\r\n", "0x10d0033 0000 ADD [EAX], AL\r\n", "0x10d0035 0000 ADD [EAX], AL\r\n", "0x10d0037 0000 ADD [EAX], AL\r\n", "0x10d0039 0000 ADD [EAX], AL\r\n", "0x10d003b 0000 ADD [EAX], AL\r\n", "0x10d003d 0000 ADD [EAX], AL\r\n", "0x10d003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10f0000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x010f0000 bd bc d4 77 05 8b ff 55 8b ec e9 b3 bc c5 76 00 ...w...U......v.\r\n", "0x010f0010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010f0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x010f0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x10f0000 bdbcd47705 MOV EBP, 0x577d4bc\r\n", "0x10f0005 8bff MOV EDI, EDI\r\n", "0x10f0007 55 PUSH EBP\r\n", "0x10f0008 8bec MOV EBP, ESP\r\n", "0x10f000a e9b3bcc576 JMP 0x77d4bcc2\r\n", "0x10f000f 0000 ADD [EAX], AL\r\n", "0x10f0011 0000 ADD [EAX], AL\r\n", "0x10f0013 0000 ADD [EAX], AL\r\n", "0x10f0015 0000 ADD [EAX], AL\r\n", "0x10f0017 0000 ADD [EAX], AL\r\n", "0x10f0019 0000 ADD [EAX], AL\r\n", "0x10f001b 0000 ADD [EAX], AL\r\n", "0x10f001d 0000 ADD [EAX], AL\r\n", 
"0x10f001f 0000 ADD [EAX], AL\r\n", "0x10f0021 0000 ADD [EAX], AL\r\n", "0x10f0023 0000 ADD [EAX], AL\r\n", "0x10f0025 0000 ADD [EAX], AL\r\n", "0x10f0027 0000 ADD [EAX], AL\r\n", "0x10f0029 0000 ADD [EAX], AL\r\n", "0x10f002b 0000 ADD [EAX], AL\r\n", "0x10f002d 0000 ADD [EAX], AL\r\n", "0x10f002f 0000 ADD [EAX], AL\r\n", "0x10f0031 0000 ADD [EAX], AL\r\n", "0x10f0033 0000 ADD [EAX], AL\r\n", "0x10f0035 0000 ADD [EAX], AL\r\n", "0x10f0037 0000 ADD [EAX], AL\r\n", "0x10f0039 0000 ADD [EAX], AL\r\n", "0x10f003b 0000 ADD [EAX], AL\r\n", "0x10f003d 0000 ADD [EAX], AL\r\n", "0x10f003f 00 DB 0x0\r\n", "\r\n", "Process: IEXPLORE.EXE Pid: 1884 Address: 0x1110000" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n", "0x01110000 d9 89 d4 77 05 8b ff 55 8b ec e9 cf 89 c3 76 00 ...w...U......v.\r\n", "0x01110010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01110020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x01110030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "\r\n", "0x1110000 d9 DB 0xd9\r\n", "0x1110001 89d4 MOV ESP, EDX\r\n", "0x1110003 7705 JA 0x111000a\r\n", "0x1110005 8bff MOV EDI, EDI\r\n", "0x1110007 55 PUSH EBP\r\n", "0x1110008 8bec MOV EBP, ESP\r\n", "0x111000a e9cf89c376 JMP 0x77d489de\r\n", "0x111000f 0000 ADD [EAX], AL\r\n", "0x1110011 0000 ADD [EAX], AL\r\n", "0x1110013 0000 ADD [EAX], AL\r\n", "0x1110015 0000 ADD [EAX], AL\r\n", "0x1110017 0000 ADD [EAX], AL\r\n", "0x1110019 0000 ADD [EAX], AL\r\n", "0x111001b 0000 ADD [EAX], AL\r\n", "0x111001d 0000 ADD [EAX], AL\r\n", "0x111001f 0000 ADD [EAX], AL\r\n", "0x1110021 0000 ADD [EAX], AL\r\n", "0x1110023 0000 ADD [EAX], AL\r\n", "0x1110025 0000 ADD [EAX], AL\r\n", "0x1110027 0000 ADD [EAX], AL\r\n", "0x1110029 0000 ADD [EAX], AL\r\n", "0x111002b 0000 ADD [EAX], AL\r\n", 
"0x111002d 0000 ADD [EAX], AL\r\n", "0x111002f 0000 ADD [EAX], AL\r\n", "0x1110031 0000 ADD [EAX], AL\r\n", "0x1110033 0000 ADD [EAX], AL\r\n", "0x1110035 0000 ADD [EAX], AL\r\n", "0x1110037 0000 ADD [EAX], AL\r\n", "0x1110039 0000 ADD [EAX], AL\r\n", "0x111003b 0000 ADD [EAX], AL\r\n", "0x111003d 0000 ADD [EAX], AL\r\n", "0x111003f 00 DB 0x0\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process: IEXPLORE.EXE Pid: 1884 Address: 0x10020000\r\n", "Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE\r\n", "Flags: CommitCharge: 22, MemCommit: 1, PrivateMemory: 1, Protection: 6\r\n", "\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x10020000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............\r\n", "0x10020010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......\r\n", "0x10020020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\r\n", "0x10020030 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 ................\r\n", "\r\n", "0x10020000 4d DEC EBP\r\n", "0x10020001 5a POP EDX\r\n", "0x10020002 90 NOP\r\n", "0x10020003 0003 ADD [EBX], AL\r\n", "0x10020005 0000 ADD [EAX], AL\r\n", "0x10020007 000400 ADD [EAX+EAX], AL\r\n", "0x1002000a 0000 ADD [EAX], AL\r\n", "0x1002000c ff DB 0xff\r\n", "0x1002000d ff00 INC DWORD [EAX]\r\n", "0x1002000f 00b800000000 ADD [EAX+0x0], BH\r\n", "0x10020015 0000 ADD [EAX], AL\r\n", "0x10020017 004000 ADD [EAX+0x0], AL\r\n", "0x1002001a 0000 ADD [EAX], AL\r\n", "0x1002001c 0000 ADD [EAX], AL\r\n", "0x1002001e 0000 ADD [EAX], AL\r\n", "0x10020020 0000 ADD [EAX], AL\r\n", "0x10020022 0000 ADD [EAX], AL\r\n", "0x10020024 0000 ADD [EAX], AL\r\n", "0x10020026 0000 ADD [EAX], AL\r\n", "0x10020028 0000 ADD [EAX], AL\r\n", "0x1002002a 0000 ADD [EAX], AL\r\n", "0x1002002c 0000 ADD [EAX], AL\r\n", "0x1002002e 0000 ADD [EAX], AL\r\n", "0x10020030 0000 ADD [EAX], AL\r\n", "0x10020032 0000 ADD [EAX], AL\r\n", "0x10020034 0000 ADD [EAX], AL\r\n", "0x10020036 0000 ADD 
[EAX], AL\r\n", "0x10020038 0000 ADD [EAX], AL\r\n", "0x1002003a 0000 ADD [EAX], AL\r\n", "0x1002003c d800 FADD DWORD [EAX]\r\n", "0x1002003e 0000 ADD [EAX], AL\r\n", "\r\n" ] } ], "prompt_number": 17 }, { "cell_type": "code", "collapsed": false, "input": [ "dlldump_list = !python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem dlldump -p 1884 --dump-dir /root/Desktop/asdf" ], "language": "python", "metadata": {}, "outputs": [], "prompt_number": 18 }, { "cell_type": "code", "collapsed": false, "input": [ "dlldump_list" ], "language": "python", "metadata": {}, "outputs": [ { "output_type": "pyout", "prompt_number": 19, "text": [ "['Volatile Systems Volatility Framework 2.3_alpha',\n", " 'Process(V) Name Module Base Module Name Result',\n", " '---------- -------------------- ----------- -------------------- ------',\n", " '0x80f1b020 IEXPLORE.EXE 0x000400000 iexplore.exe OK: module.1884.107e020.400000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x07c900000 ntdll.dll OK: module.1884.107e020.7c900000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077be0000 MSACM32.dll OK: module.1884.107e020.77be0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077b40000 appHelp.dll OK: module.1884.107e020.77b40000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076c30000 WINTRUST.dll OK: module.1884.107e020.76c30000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077760000 SHDOCVW.dll OK: module.1884.107e020.77760000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x05ad70000 uxtheme.dll OK: module.1884.107e020.5ad70000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076e80000 rtutils.dll OK: module.1884.107e020.76e80000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x075f80000 BROWSEUI.dll OK: module.1884.107e020.75f80000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x020000000 browselc.dll OK: module.1884.107e020.20000000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0769c0000 USERENV.dll OK: module.1884.107e020.769c0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0771b0000 WININET.dll OK: module.1884.107e020.771b0000.dll',\n", " '0x80f1b020 
IEXPLORE.EXE 0x0746f0000 msimtf.dll OK: module.1884.107e020.746f0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076fc0000 rasadhlp.dll OK: module.1884.107e020.76fc0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077dd0000 ADVAPI32.dll OK: module.1884.107e020.77dd0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076f20000 DNSAPI.dll OK: module.1884.107e020.76f20000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076f60000 WLDAP32.dll OK: module.1884.107e020.76f60000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x071a90000 wshtcpip.dll OK: module.1884.107e020.71a90000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x05e310000 pngfilt.dll OK: module.1884.107e020.5e310000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077c00000 VERSION.dll OK: module.1884.107e020.77c00000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0722b0000 sensapi.dll OK: module.1884.107e020.722b0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076fd0000 CLBCATQ.DLL OK: module.1884.107e020.76fd0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077f60000 SHLWAPI.dll OK: module.1884.107e020.77f60000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x074720000 MSCTF.dll OK: module.1884.107e020.74720000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x071a50000 mswsock.dll OK: module.1884.107e020.71a50000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076200000 mshtmled.dll OK: module.1884.107e020.76200000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x05b860000 NETAPI32.dll OK: module.1884.107e020.5b860000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077e70000 RPCRT4.dll OK: module.1884.107e020.77e70000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x066880000 ImgUtil.dll OK: module.1884.107e020.66880000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x066e50000 iepeers.dll OK: module.1884.107e020.66e50000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076e90000 rasman.dll OK: module.1884.107e020.76e90000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x001520000 shdoclc.dll OK: module.1884.107e020.1520000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0015b0000 xpsp2res.dll OK: module.1884.107e020.15b0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x071ab0000 
ws2_32.dll OK: module.1884.107e020.71ab0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x071ad0000 wsock32.dll OK: module.1884.107e020.71ad0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x04d4f0000 WINHTTP.dll OK: module.1884.107e020.4d4f0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0774e0000 ole32.dll OK: module.1884.107e020.774e0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077920000 SETUPAPI.dll OK: module.1884.107e020.77920000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076b40000 WINMM.dll OK: module.1884.107e020.76b40000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x073000000 WINSPOOL.DRV OK: module.1884.107e020.73000000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077f10000 GDI32.dll OK: module.1884.107e020.77f10000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077120000 OLEAUT32.dll OK: module.1884.107e020.77120000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077d40000 USER32.dll OK: module.1884.107e020.77d40000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x075e90000 SXS.DLL OK: module.1884.107e020.75e90000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076ee0000 RASAPI32.DLL OK: module.1884.107e020.76ee0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076d60000 iphlpapi.dll OK: module.1884.107e020.76d60000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x074980000 msxml3.dll OK: module.1884.107e020.74980000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076390000 IMM32.DLL OK: module.1884.107e020.76390000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x07c9c0000 SHELL32.dll OK: module.1884.107e020.7c9c0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x07c800000 kernel32.dll OK: module.1884.107e020.7c800000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0773d0000 comctl32.dll OK: module.1884.107e020.773d0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x075c50000 jscript.dll OK: module.1884.107e020.75c50000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076600000 CSCDLL.dll OK: module.1884.107e020.76600000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0662b0000 hnetcfg.dll OK: module.1884.107e020.662b0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077c10000 msvcrt.dll OK: 
module.1884.107e020.77c10000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0754d0000 CRYPTUI.dll OK: module.1884.107e020.754d0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077a20000 cscui.dll OK: module.1884.107e020.77a20000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x07dc30000 mshtml.dll OK: module.1884.107e020.7dc30000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077bd0000 midimap.dll OK: module.1884.107e020.77bd0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077050000 COMRes.dll OK: module.1884.107e020.77050000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077260000 urlmon.dll OK: module.1884.107e020.77260000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076eb0000 TAPI32.dll OK: module.1884.107e020.76eb0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077c70000 msv1_0.dll OK: module.1884.107e020.77c70000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x072d20000 wdmaud.drv OK: module.1884.107e020.72d20000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077a80000 CRYPT32.dll OK: module.1884.107e020.77a80000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x076c90000 IMAGEHLP.dll OK: module.1884.107e020.76c90000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x071aa0000 WS2HELP.dll OK: module.1884.107e020.71aa0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x0746c0000 msls31.dll OK: module.1884.107e020.746c0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x05d090000 comctl32.dll OK: module.1884.107e020.5d090000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077fe0000 Secur32.dll OK: module.1884.107e020.77fe0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x075cf0000 mlang.dll OK: module.1884.107e020.75cf0000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x077b20000 MSASN1.dll OK: module.1884.107e020.77b20000.dll',\n", " '0x80f1b020 IEXPLORE.EXE 0x072d10000 msacm32.drv OK: module.1884.107e020.72d10000.dll']" ] } ], "prompt_number": 19 }, { "cell_type": "code", "collapsed": false, "input": [ "!python /pentest/forensics/volatility/vol.py -f /root/Desktop/mem/silentbanker.vmem procexedump --dump-dir /root/Desktop/asdf" ], "language": "python", "metadata": {}, "outputs": [ { 
"output_type": "stream", "stream": "stdout", "text": [ "Volatile Systems Volatility Framework 2.3_alpha\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "Process(V) ImageBase Name Result\r\n", "---------- ---------- -------------------- ------\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x810b1660 ---------- System Error: PEB at 0x0 is paged\r\n", "0xff2ab020 0x48580000 smss.exe Error: ImageBaseAddress at 0x48580000 is paged\r\n", "0xff1ecda0 0x4a680000 csrss.exe OK: executable.608.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff1ec978 0x01000000 winlogon.exe OK: executable.632.exe\r\n", "0xff247020 0x01000000 services.exe OK: executable.676.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff255020 0x01000000 lsass.exe OK: executable.688.exe\r\n", "0xff218230 0x00400000 vmacthlp.exe Error: e_magic 0064 is not a valid DOS signature.\r\n", "0x80ff88d8 0x01000000 svchost.exe OK: executable.856.exe\r\n", "0xff217560 0x01000000 svchost.exe OK: executable.936.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0x80fbf910 0x01000000 svchost.exe OK: executable.1028.exe\r\n", "0xff22d558 0x01000000 svchost.exe OK: executable.1088.exe\r\n", "0xff203b80 0x01000000 svchost.exe OK: executable.1148.exe" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "\r\n", "0xff1d7da0 0x01000000 spoolsv.exe OK: executable.1432.exe\r\n", "0xff1b8b28 0x00400000 vmtoolsd.exe OK: executable.1668.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff1fdc88 0x00400000 VMUpgradeHelper OK: executable.1788.exe\r\n", "0xff143b28 0x00400000 TPAutoConnSvc.e Error: ImageBaseAddress at 0x400000 is paged\r\n", "0xff25a7e0 0x01000000 alg.exe OK: executable.216.exe\r\n", "0xff364310 0x01000000 wscntfy.exe Error: ImageBaseAddress at 0x1000000 is paged\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff38b5f8 0x00400000 TPAutoConnect.e OK: 
executable.1084.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff3865d0 0x01000000 explorer.exe OK: executable.1724.exe\r\n", "0xff3667e8 0x00400000 VMwareTray.exe OK: executable.432.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff374980 0x00400000 VMwareUser.exe OK: executable.452.exe\r\n", "0x80f94588 0x00400000 wuauclt.exe OK: executable.468.exe\r\n", "0x80f1b020 0x00400000 IEXPLORE.EXE OK: executable.1884.exe\r\n" ] }, { "output_type": "stream", "stream": "stdout", "text": [ "0xff3856c0 ---------- cmd.exe Error: PEB at 0x7ffdf000 is paged\r\n" ] } ], "prompt_number": 20 } ], "metadata": {} } ] }