Automated Malware Analysis Report For

Total Page:16

File Type:pdf, Size:1020Kb

Automated Malware Analysis Report
ID: 39901
Sample Name: GUf5eGGUpw.000
Cookbook: default.jbs
Time: 00:06:11
Date: 13/12/2017
Version: 20.0.0
Copyright Joe Security LLC 2017

Analysis Report

Overview

General Information
Joe Sandbox Version: 20.0.0
Analysis ID: 39901
Start time: 00:06:11
Joe Sandbox Product: CloudBasic
Start date: 13.12.2017
Overall analysis duration: 0h 6m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GUf5eGGUpw.000 (renamed file extension from 000 to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled
Detection: MAL
Classification: mal60.evad.spyw.winEXE@3/20@1/1
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
EGA Information: Successful, ratio: 100%
HDC Information: Successful, ratio: 2.9% (good quality ratio 2.9%)
Quality average: 86.1%
Quality standard deviation: 22.3%
Warnings:
• Exclude process from analysis (whitelisted): WmiApSrv.exe, dllhost.exe
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Detection
Strategy: Threshold; Score: 60; Range: 0 - 100; Reporting: Report FP / FN

Confidence
Strategy: Threshold; Score: 5; Range: 0 - 5; Further Analysis Required?: false

Classification
[Classification radar chart; axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean]

Analysis Advice
• Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
• Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
• Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
• Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Signature Overview
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• Software Vulnerabilities
• Networking
• Boot Survival
• Persistence and Installation Behavior
• Data Obfuscation
• Spreading
• System Summary
• HIPS / PFW / Operating System Protection Evasion
• Anti Debugging
• Malware Analysis System Evasion
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Operating System Detection

Key, Mouse, Clipboard, Microphone and Screen Capturing:
• Contains functionality to read data from the clipboard
• Contains functionality to record screenshots
• Creates a window with clipboard capturing capabilities
• Contains functionality to register a low level keyboard hook
• Installs a global keyboard hook

Software Vulnerabilities:
• Found inlined nop instructions (likely shell or obfuscated code)

Networking:
• Contains functionality to download additional files from the internet
• Downloads files
• Downloads files from webservers via HTTP
• Performs DNS lookups
• Urls found in memory or binary data

Boot Survival:
• Contains functionality to infect the boot sector

Persistence and Installation Behavior:
• Creates license or readme file
• Contains functionality to read ini properties file for application configuration
• Drops PE files
• May use bcdedit to modify the Windows boot settings
• Contains functionality to infect the boot sector
• Drops PE files with a suspicious file extension

Data Obfuscation:
• Contains functionality to dynamically determine API calls
• File is packed with WinRar
• Uses code obfuscation techniques (call, push, ret)

Spreading:
• Contains functionality to enumerate / list files inside a directory
• Contains functionality to get notified if a device is plugged in / out

System Summary:
• Executable creates window controls seldom found in malware
• Uses Rich Edit Controls
• Found graphical window changes (likely an installer)
• Submission file is bigger than most known malware samples
• PE file contains a debug data directory
• Binary contains paths to debug symbols
• Classification label
• Contains functionality for error logging
• Contains functionality to adjust token privileges (e.g. debug / backup)
• Contains functionality to instantiate COM classes
• Contains functionality to load and extract PE file embedded resources
• Creates temporary files
• PE file has an executable .text section and no other executable section
• Reads ini files
• Reads software policies
• Sample is known by Antivirus (Virustotal or Metascan)
• Spawns processes
• Uses an in-process (OLE) Automation server
• Contains functionality to communicate with device drivers
• Creates driver files
• Found potential string decryption / allocating functions
• PE file contains executable resources (Code or Archives)
• PE file contains strange resources
• PE file does not import any functions
• Reads the hosts file
• Tries to load missing DLLs

HIPS / PFW / Operating System Protection Evasion:
• May try to detect the Windows Explorer process (often used for injection)

Anti Debugging:
• Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
• Contains functionality to dynamically determine API calls
• Contains functionality which may be used to detect a debugger (GetProcessHeap)

Malware Analysis System Evasion:
• Contains functionality to enumerate / list files inside a directory
• May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
• Program exit points
• Found dropped PE file which has not been started or loaded
• Found large amount of non-executed APIs
• May sleep (evasive loops) to hinder dynamic analysis
• Queries disk information (often used to detect virtual machines)
• Tries to detect virtual machines

Hooking and other Techniques for Hiding and Protection:
• Disables application error messages (SetErrorMode)
• Extensive use of GetProcAddress (often used to hide API calls)

Language, Device and Operating System Detection:
• Contains functionality to query local / system time
• Contains functionality to query windows version
• Queries the cryptographic machine GUID
• Contains functionality to query locale information (e.g. system language)

Behavior Graph
[Behavior graph; legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious]
ID: 39901
Sample: GUf5eGGUpw.000
Startdate: 13/12/2017
Architecture: WINDOWS
Score: 60
• GUf5eGGUpw.exe (started) [32]: dropped files Hdrw.dll (PE32), HdrwImg.dll (PE32), Hdrwnt.dll (PE32); dropped files exceeded maximum capacity for this level, 12 dropped files have been hidden
• DiskGenius.exe (started, is malicious) [11]: Drops PE files with a suspicious file extension
• DNS/IP: www.diskman.cc, 120.27.53.36 port 80; ASN CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd, China
• Signatures shown on graph: Contains functionality to infect the boot sector; Contains functionality to register a low level keyboard hook; Installs a global keyboard hook

Simulations

Behavior and APIs
No simulations

Antivirus Detection

Initial Sample
Source: GUf5eGGUpw.exe; Detection: 3%; Cloud Link: virustotal Browse

Dropped Files