Overview
I looked into how volatility is used.
I tried it out hands-on.
Reference pages
volatility --profile=Win7SP0x86 -f lab01/memdump.mem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86 (Instantiated with Win7SP0x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/home/testuser/lab01/memdump.mem)
PAE type : PAE
DTB : 0x185000L
KDBG : 0x8333dbe8L
Number of Processors : 1
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0x8333ec00L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2017-10-07 02:59:02 UTC+0000
Image local date and time : 2017-10-07 11:59:02 +0900
volatility --profile=Win7SP0x86 -f lab01/memdump.mem pstree
Volatility Foundation Volatility Framework 2.6
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
0x871b3c88:wininit.exe 400 332 3 76 2017-10-07 02:30:45 UTC+0000
. 0x87315908:lsm.exe 516 400 9 143 2017-10-07 02:30:45 UTC+0000
. 0x878076b8:services.exe 500 400 8 206 2017-10-07 02:30:45 UTC+0000
.. 0x87567760:svchost.exe 1048 500 12 538 2017-10-07 02:30:46 UTC+0000
.. 0x874c93b8:svchost.exe 772 500 15 407 2017-10-07 02:30:45 UTC+0000
.. 0x877bea58:dllhost.exe 1824 500 14 188 2017-10-07 02:30:47 UTC+0000
.. 0x878089f8:msdtc.exe 1956 500 12 143 2017-10-07 02:30:48 UTC+0000
.. 0x86cf24d0:svchost.exe 936 500 40 1002 2017-10-07 02:30:46 UTC+0000
.. 0x874701c0:vmacthlp.exe 684 500 3 53 2017-10-07 02:30:45 UTC+0000
.. 0x874962c8:taskhost.exe 3248 500 9 171 2017-10-07 02:36:29 UTC+0000
.. 0x8586d030:SearchIndexer. 200 500 13 659 2017-10-07 02:32:48 UTC+0000
.. 0x8789a8d8:svchost.exe 960 500 10 314 2017-10-07 02:32:47 UTC+0000
.. 0x876c9030:vmtoolsd.exe 1476 500 9 290 2017-10-07 02:30:46 UTC+0000
.. 0x8737d8f0:svchost.exe 720 500 10 275 2017-10-07 02:30:45 UTC+0000
.. 0x87445488:svchost.exe 888 500 21 424 2017-10-07 02:30:46 UTC+0000
... 0x86032d40:dwm.exe 3348 888 3 70 2017-10-07 02:36:29 UTC+0000
.. 0x875c6030:spoolsv.exe 1236 500 13 326 2017-10-07 02:30:46 UTC+0000
.. 0x876e0550:wlms.exe 1508 500 4 43 2017-10-07 02:30:47 UTC+0000
.. 0x87577bb8:svchost.exe 1124 500 19 490 2017-10-07 02:30:46 UTC+0000
.. 0x86ec8bd8:svchost.exe 1772 500 12 140 2017-10-07 02:32:47 UTC+0000
.. 0x872dd1a8:sppsvc.exe 1392 500 4 145 2017-10-07 02:30:46 UTC+0000
.. 0x8765bc18:VGAuthService. 1448 500 3 87 2017-10-07 02:30:46 UTC+0000
.. 0x87450030:svchost.exe 628 500 11 348 2017-10-07 02:30:45 UTC+0000
... 0x86ec88b0:WmiPrvSE.exe 1792 628 10 192 2017-10-07 02:30:47 UTC+0000
.. 0x875fed40:svchost.exe 1272 500 19 306 2017-10-07 02:30:46 UTC+0000
. 0x872db6c8:lsass.exe 508 400 6 586 2017-10-07 02:30:45 UTC+0000
0x86baea60:csrss.exe 348 332 9 435 2017-10-07 02:30:45 UTC+0000
0x86032030:explorer.exe 3376 3340 30 899 2017-10-07 02:36:29 UTC+0000
. 0x87658030:iexplore.exe 3968 3376 15 621 2017-10-07 02:37:22 UTC+0000
.. 0x8586c5b0:iexplore.exe 4044 3968 22 653 2017-10-07 02:37:23 UTC+0000
. 0x87817418:FTK Imager.exe 3632 3376 17 376 2017-10-07 02:58:45 UTC+0000
. 0x85873310:vmtoolsd.exe 3480 3376 7 186 2017-10-07 02:36:30 UTC+0000
. 0x859e1280:thunderbird.ex 3012 3376 42 657 2017-10-07 02:50:26 UTC+0000
0x8574b958:System 4 0 86 354 2017-10-07 02:30:44 UTC+0000
. 0x876c42f8:smss.exe 268 4 2 29 2017-10-07 02:30:44 UTC+0000
0x85a4fc78:svchost.exe 2184 1140 5 307 2017-10-07 02:51:23 UTC+0000
0x86ad9d40:csrss.exe 408 392 10 284 2017-10-07 02:30:45 UTC+0000
0x87255b10:winlogon.exe 456 392 5 120 2017-10-07 02:30:45 UTC+0000
volatility --profile=Win7SP0x86 -f lab01/memdump.mem netscan
Volatility Foundation Volatility Framework 2.6
Offset(P) Proto Local Address Foreign Address State Pid Owner Created
0x23c90b70 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 936 svchost.exe
0x24585318 UDPv4 127.0.0.1:62123 *:* 1772 svchost.exe 2017-10-07 02:58:08 UTC+0000
0x3d7e5a00 UDPv6 ::1:62122 *:* 1772 svchost.exe 2017-10-07 02:58:08 UTC+0000
0x3dc32930 UDPv4 0.0.0.0:0 *:* 1124 svchost.exe 2017-10-07 02:58:08 UTC+0000
0x3dc32930 UDPv6 :::0 *:* 1124 svchost.exe 2017-10-07 02:58:08 UTC+0000
0x3dc017a0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 508 lsass.exe
0x3dc017a0 TCPv6 :::49156 :::0 LISTENING 508 lsass.exe
0x3df7c390 UDPv6 ::1:1900 *:* 1772 svchost.exe 2017-10-07 02:58:08 UTC+0000
0x3dfb85e0 TCPv4 0.0.0.0:49156 0.0.0.0:0 LISTENING 508 lsass.exe
0x3e0c1960 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 720 svchost.exe
0x3e0c4f38 TCPv4 0.0.0.0:135 0.0.0.0:0 LISTENING 720 svchost.exe
0x3e0c4f38 TCPv6 :::135 :::0 LISTENING 720 svchost.exe
0x3e0d07d0 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 400 wininit.exe
0x3e0d1f60 TCPv4 0.0.0.0:49152 0.0.0.0:0 LISTENING 400 wininit.exe
0x3e0d1f60 TCPv6 :::49152 :::0 LISTENING 400 wininit.exe
0x3e1e7230 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 500 services.exe
0x3e1e7230 TCPv6 :::49155 :::0 LISTENING 500 services.exe
0x3e1e74d8 TCPv4 0.0.0.0:49155 0.0.0.0:0 LISTENING 500 services.exe
0x3e1f5df8 TCPv4 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
0x3e1f5df8 TCPv6 :::445 :::0 LISTENING 4 System
0x3e33bb70 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 772 svchost.exe
0x3e33bde0 TCPv4 0.0.0.0:49153 0.0.0.0:0 LISTENING 772 svchost.exe
0x3e33bde0 TCPv6 :::49153 :::0 LISTENING 772 svchost.exe
0x3e162b48 TCPv4 172.16.0.132:49839 192.168.100.50:3128 CLOSED 3012 thunderbird.ex
0x3eaebbb8 TCPv4 0.0.0.0:49154 0.0.0.0:0 LISTENING 936 svchost.exe
0x3eaebbb8 TCPv6 :::49154 :::0 LISTENING 936 svchost.exe
0x3ea2c008 TCPv4 127.0.0.1:49836 127.0.0.1:49835 ESTABLISHED 3012 thunderbird.ex
0x3f7f9d60 UDPv4 127.0.0.1:57064 *:* 4044 iexplore.exe 2017-10-07 02:37:29 UTC+0000
0x3fa3fdf8 TCPv4 172.16.0.132:49851 192.168.100.50:3128 CLOSED 3012 thunderbird.ex
0x3fa8f568 TCPv4 172.16.0.132:49850 192.168.100.50:3128 ESTABLISHED 2184 svchost.exe
0x3fc513e0 UDPv4 127.0.0.1:1900 *:* 1772 svchost.exe 2017-10-07 02:58:08 UTC+0000
0x3fc98330 UDPv4 127.0.0.1:57063 *:* 3968 iexplore.exe 2017-10-07 02:37:23 UTC+0000
0x3fd53df8 TCPv4 172.16.0.132:49858 192.168.100.50:3128 ESTABLISHED 1124 svchost.exe
0x3fd95df8 TCPv4 172.16.0.132:49840 192.168.100.50:3128 CLOSED 3012 thunderbird.ex
0x3fd989f8 TCPv4 127.0.0.1:49835 127.0.0.1:49836 ESTABLISHED 3012 thunderbird.ex
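The pstree and netscan output above can be cross-checked mechanically. svchost.exe is always started by services.exe, yet pid 2184 has PPid 1140, which does not appear anywhere in the listing, and netscan shows that same pid in an ESTABLISHED TCPv4 connection to 192.168.100.50:3128. The legitimate svchost.exe 1124 talks to the same host, which is why the network view alone is not enough and lineage has to be checked as well. The Python script below is an added example, not part of the original page or of Volatility; it parses a verbatim subset of the two outputs (embedded as constructed sample input) and reports core processes whose parent is wrong, together with the pids among them that also hold a non-loopback TCP connection. The expected-parent table is an assumption based on standard Windows 7 process lineage.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample input: a subset of the pstree and netscan lines from the
# lab output above, copied verbatim so the checks can run offline.
PSTREE_SAMPLE = """\
0x871b3c88:wininit.exe 400 332 3 76 2017-10-07 02:30:45 UTC+0000
. 0x878076b8:services.exe 500 400 8 206 2017-10-07 02:30:45 UTC+0000
.. 0x86cf24d0:svchost.exe 936 500 40 1002 2017-10-07 02:30:46 UTC+0000
.. 0x87577bb8:svchost.exe 1124 500 19 490 2017-10-07 02:30:46 UTC+0000
. 0x872db6c8:lsass.exe 508 400 6 586 2017-10-07 02:30:45 UTC+0000
0x86032030:explorer.exe 3376 3340 30 899 2017-10-07 02:36:29 UTC+0000
. 0x87817418:FTK Imager.exe 3632 3376 17 376 2017-10-07 02:58:45 UTC+0000
. 0x859e1280:thunderbird.ex 3012 3376 42 657 2017-10-07 02:50:26 UTC+0000
0x8574b958:System 4 0 86 354 2017-10-07 02:30:44 UTC+0000
0x85a4fc78:svchost.exe 2184 1140 5 307 2017-10-07 02:51:23 UTC+0000
"""
NETSCAN_SAMPLE = """\
0x3e162b48 TCPv4 172.16.0.132:49839 192.168.100.50:3128 CLOSED 3012 thunderbird.ex
0x3ea2c008 TCPv4 127.0.0.1:49836 127.0.0.1:49835 ESTABLISHED 3012 thunderbird.ex
0x3fa8f568 TCPv4 172.16.0.132:49850 192.168.100.50:3128 ESTABLISHED 2184 svchost.exe
0x3fd53df8 TCPv4 172.16.0.132:49858 192.168.100.50:3128 ESTABLISHED 1124 svchost.exe
0x3f7f9d60 UDPv4 127.0.0.1:57064 *:* 3968 iexplore.exe 2017-10-07 02:37:29 UTC+0000
"""

Proc = namedtuple("Proc", "pid ppid name depth")
Conn = namedtuple("Conn", "proto local foreign state pid owner")

# pstree rows: depth dots, offset:name, Pid, PPid, Thds, Hnds, Time.
# The name is matched lazily because it may contain spaces ("FTK Imager.exe").
PSTREE_RE = re.compile(r"^(\.*)\s*0x[0-9a-f]+:(.+?)\s+(\d+)\s+(\d+)\s+\d+\s+\d+\s+\d{4}-")

def parse_pstree(text):
    """Return {pid: Proc} for every process row in pstree output."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            dots, name, pid, ppid = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), name, len(dots))
    return procs

def parse_netscan(text):
    """Return a Conn per socket row; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("0x"):
            continue
        proto, local, foreign = f[1], f[2], f[3]
        if proto.startswith("TCP"):
            state, pid, owner = f[4], f[5], f[6]
        else:
            state, pid, owner = None, f[4], f[5]
        conns.append(Conn(proto, local, foreign, state, int(pid), owner))
    return conns

def is_remote(addr):
    """True when addr ("host:port", IPv4 or IPv6) points off the local host."""
    host, _, _port = addr.rpartition(":")
    if host in ("", "*"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)

# Assumption: standard Windows 7 lineage for core processes.
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "lsm.exe": "wininit.exe",
}

def triage(procs, conns):
    """Cross-check lineage against network activity.

    lineage:  [(pid, name, reason)] for core processes with the wrong parent
    remote:   {pid: {foreign addr}} for non-LISTENING TCP sockets with a
              peer that is neither loopback nor unspecified
    priority: pids present in both, worth looking at first
    """
    lineage = []
    for p in procs.values():
        want = EXPECTED_PARENT.get(p.name.lower())
        if not want:
            continue
        parent = procs.get(p.ppid)
        if parent is None:
            lineage.append((p.pid, p.name, f"parent pid {p.ppid} not in list, expected {want}"))
        elif parent.name.lower() != want:
            lineage.append((p.pid, p.name, f"parent is {parent.name}, expected {want}"))
    remote = {}
    for c in conns:
        if c.proto.startswith("TCP") and c.state != "LISTENING" and is_remote(c.foreign):
            remote.setdefault(c.pid, set()).add(c.foreign)
    flagged = {pid for pid, _, _ in lineage}
    priority = sorted(pid for pid in remote if pid in flagged)
    return {"lineage": lineage, "remote": remote, "priority": priority}

if __name__ == "__main__":
    result = triage(parse_pstree(PSTREE_SAMPLE), parse_netscan(NETSCAN_SAMPLE))
    for pid, name, reason in result["lineage"]:
        print(f"[lineage] pid {pid} {name}: {reason}")
    for pid, hosts in sorted(result["remote"].items()):
        print(f"[network] pid {pid} -> {', '.join(sorted(hosts))}")
    print("priority:", result["priority"])
```

Run against the full dumps by piping the real plugin output into the two parsers; a process whose parent has simply exited (explorer.exe under userinit is the usual case) is not in EXPECTED_PARENT and so is not reported.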
volatility --profile=Win7SP0x86 -f lab01/memdump.mem yarascan --yara-rules="c2.hacker.com"
Volatility Foundation Volatility Framework 2.6
Rule: r1
Owner: Process svchost.exe Pid 2184
0x0040169f 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 bb 01 c2.hacker.com...
0x004016af 8c 01 04 00 00 00 00 00 c1 02 04 00 ff ff ff ff ................
0x004016bf 45 01 05 00 61 64 6d 69 6e fb 03 09 00 29 21 56 E...admin....)!V
0x004016cf 6f 71 41 2e 49 34 f4 0a 01 00 01 f5 0a 01 00 01 oqA.I4..........
0x004016df 00 00 f6 0a 08 01 55 8b ec 81 c4 fc ef ff ff 56 ......U........V
0x004016ef 57 c7 85 fc ef ff ff 00 10 00 00 8b 7d 08 e8 08 W...........}...
0x004016ff 00 00 00 77 69 6e 69 6e 65 74 00 ff 97 9d 00 00 ...wininet......
0x0040170f 00 68 de 79 77 b7 50 50 ff 97 dd 00 00 00 8d 8d .h.yw.PP........
0x0040171f fc ef ff ff 51 8d b5 00 f0 ff ff 56 6a 26 6a 00 ....Q......Vj&j.
0x0040172f ff d0 85 c0 0f 84 ae 00 00 00 8b 76 04 56 ff 97 ...........v.V..
0x0040173f f0 0a 00 00 85 c0 0f 84 9c 00 00 00 91 8b 55 10 ..............U.
0x0040174f 33 c0 83 c0 01 3b c1 75 04 33 c0 eb 1f 80 3c 30 3....;.u.3....<0
0x0040175f 3d 75 ef 33 c0 83 c0 01 3b c1 75 08 33 c0 5f 5e =u.3....;.u.3._^
0x0040176f c9 c2 0c 00 39 14 30 75 ec 83 c0 04 50 83 c0 01 ....9.0u....P...
0x0040177f 80 3c 30 3a 75 f7 5a 50 51 2b c2 03 d6 50 03 45 .<0:u.ZPQ+...P.E
0x0040178f 0c c6 00 00 52 ff 75 0c ff 97 a9 00 00 00 59 58 ....R.u.......YX
Rule: r1
Owner: Process svchost.exe Pid 2184
0x001d9060 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 00 00 c2.hacker.com...
0x001d9070 c8 9d 30 5d 00 00 00 80 e2 00 82 76 99 ad de 99 ..0].......v....
0x001d9080 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x001d9090 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
0x001d90a0 00 00 00 00 00 00 00 00 d3 9d 30 5d 00 00 00 88 ..........0]....
0x001d90b0 43 3a 5c 55 73 65 72 73 5c 75 73 65 72 30 31 5c C:\Users\user01\
0x001d90c0 44 65 73 6b 74 6f 70 5c 20 20 20 20 20 90 bf 8b Desktop\........
0x001d90d0 81 8f 91 5c 73 76 63 68 6f 73 74 2e 65 78 65 00 ...\svchost.exe.
0x001d90e0 da 9d 30 5d 00 00 00 80 cd 00 3a 00 5c 00 55 00 ..0]......:.\.U.
0x001d90f0 73 00 65 00 72 00 73 00 5c 00 75 00 73 00 65 00 s.e.r.s.\.u.s.e.
0x001d9100 72 00 30 00 31 00 5c 00 56 00 69 00 64 00 65 00 r.0.1.\.V.i.d.e.
0x001d9110 6f 00 73 00 00 00 00 00 e5 9d 30 5d 00 00 00 80 o.s.......0]....
0x001d9120 b8 00 52 00 50 00 43 00 2d 00 61 00 64 00 32 00 ..R.P.C.-.a.d.2.
0x001d9130 30 00 64 00 62 00 34 00 62 00 61 00 34 00 64 00 0.d.b.4.b.a.4.d.
0x001d9140 61 00 62 00 63 00 64 00 64 00 61 00 39 00 00 00 a.b.c.d.d.a.9...
0x001d9150 ec 9d 30 5d 00 00 00 88 08 90 1d 00 48 62 3c 75 ..0]........Hb<u
Rule: r1
Owner: Process svchost.exe Pid 2184
0x0012db5c 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 85 77 c2.hacker.com..w
0x0012db6c 38 01 ab 01 6f 31 85 77 2c 8c 8c 77 00 00 00 00 8...o1.w,..w....
0x0012db7c 00 00 ab 01 40 09 ab 01 02 00 00 00 00 00 00 00 ....@...........
0x0012db8c 06 00 00 06 5a 20 1f 00 06 00 00 06 89 75 ae 75 ....Z........u.u
0x0012db9c 00 00 1b 00 08 00 14 00 50 01 ab 01 00 00 ab 01 ........P.......
0x0012dbac 50 01 ab 01 50 01 ab 01 c4 00 ab 01 00 00 00 00 P...P...........
0x0012dbbc 00 00 00 00 00 00 00 00 00 00 00 00 c8 e1 12 00 ................
0x0012dbcc 70 57 87 76 7f 00 00 00 04 00 00 00 fe 10 b4 b0 pW.v............
0x0012dbdc fe ff ff ff 9a 75 ae 75 00 08 ab 01 c0 01 1f 00 .....u.u........
0x0012dbec f8 03 00 00 7f 00 00 00 c0 01 1f 00 c3 00 00 c3 ................
0x0012dbfc 7f 00 00 00 80 01 ab 01 f0 f4 1e 00 00 00 00 00 ................
0x0012dc0c 69 5a 39 75 50 01 ab 01 f0 f4 1e 00 f0 08 ab 01 iZ9uP...........
0x0012dc1c 9c e2 12 00 c4 00 ab 01 df 00 00 00 00 00 00 00 ................
0x0012dc2c 00 00 00 01 00 00 00 00 7f 00 00 00 01 00 01 00 ................
0x0012dc3c 94 e1 12 00 c0 a8 0f 0a e4 e6 12 00 4d d7 81 77 ............M..w
0x0012dc4c e0 66 1b 00 fe ff ff ff 6f 31 85 77 68 2d 85 77 .f......o1.wh-.w
Rule: r1
Owner: Process svchost.exe Pid 2184
0x0012e17c 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 85 77 c2.hacker.com..w
0x0012e18c 38 01 ab 01 6f 31 85 77 2c 8c 8c 77 00 00 00 00 8...o1.w,..w....
0x0012e19c 00 00 ab 01 40 09 ab 01 02 00 00 00 00 00 00 00 ....@...........
0x0012e1ac 06 00 00 06 5a 20 1f 00 06 00 00 06 89 75 ae 75 ....Z........u.u
0x0012e1bc 00 00 1b 00 08 00 14 00 50 01 ab 01 00 00 ab 01 ........P.......
0x0012e1cc 50 01 ab 01 50 01 ab 01 c4 00 ab 01 00 00 00 00 P...P...........
0x0012e1dc 00 00 00 00 00 00 00 00 00 00 00 00 c8 e1 12 00 ................
0x0012e1ec 70 57 87 76 7f 00 00 00 04 00 00 00 fe 10 b4 b0 pW.v............
0x0012e1fc fe ff ff ff 9a 75 ae 75 00 08 ab 01 c0 01 1f 00 .....u.u........
0x0012e20c f8 03 00 00 7f 00 00 00 c0 01 1f 00 c3 00 00 c3 ................
0x0012e21c 7f 00 00 00 80 01 ab 01 f0 f4 1e 00 00 00 00 00 ................
0x0012e22c 69 5a 39 75 50 01 ab 01 f0 f4 1e 00 f0 08 ab 01 iZ9uP...........
0x0012e23c 9c e2 12 00 c4 00 ab 01 df 00 00 00 00 00 00 00 ................
0x0012e24c 00 00 00 01 00 00 00 00 7f 00 00 00 01 00 01 00 ................
0x0012e25c 94 e1 12 00 c0 a8 0f 0a e4 e6 12 00 4d d7 81 77 ............M..w
0x0012e26c e0 66 1b 00 fe ff ff ff 6f 31 85 77 68 2d 85 77 .f......o1.wh-.w
Rule: r1
Owner: Process svchost.exe Pid 2184
0x0012ebc9 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 00 00 c2.hacker.com...
0x0012ebd9 00 00 00 18 00 1a 00 60 f3 46 6d 78 ed 12 00 00 .......`.Fmx....
0x0012ebe9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012ebf9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012ec09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012ec19 00 00 00 00 00 00 00 00 00 20 00 c4 ec 12 00 c4 ................
0x0012ec29 ec 12 00 c4 ec 12 00 20 00 00 00 20 00 00 00 00 ................
0x0012ec39 00 46 6d 2c ed 12 00 01 00 00 00 10 ec 12 00 24 .Fm,...........$
0x0012ec49 ec 12 00 60 ed 12 00 74 8f 47 6d 5f 93 4b a8 fe ...`...t.Gm_.K..
0x0012ec59 ff ff ff 4c 15 46 6d 24 af 85 77 00 00 46 6d 01 ...L.Fm$..w..Fm.
0x0012ec69 00 00 00 00 00 00 00 88 ec 12 00 38 23 1b 00 74 ...........8#..t
0x0012ec79 23 1b 00 a0 a6 8d 77 a0 ec 12 00 c2 e5 85 77 78 #.....w.......wx
0x0012ec89 f3 46 6d 64 23 1b 00 b0 2f d4 92 00 00 00 00 78 .Fmd#.../......x
0x0012ec99 ed 12 00 00 00 00 00 2c ed 12 00 ee f6 85 77 78 .......,......wx
0x0012eca9 ed 12 00 00 00 00 00 8c ed 12 00 00 00 00 00 0c ................
0x0012ecb9 00 00 00 08 47 1c 00 00 00 1b 00 e0 4f 1c 00 00 ....G.......O...
Rule: r1
Owner: Process svchost.exe Pid 2184
0x0012f199 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 bb 01 c2.hacker.com...
0x0012f1a9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f1b9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f1c9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f1d9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f1e9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f1f9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f209 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f219 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f229 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f239 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f249 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f259 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f269 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f279 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f289 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Rule: r1
Owner: Process svchost.exe Pid 2184
0x0012f2ce 63 32 2e 68 61 63 6b 65 72 2e 63 6f 6d 00 bb 01 c2.hacker.com...
0x0012f2de 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f2ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f2fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f30e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f31e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f32e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f33e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f34e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f35e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f36e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f37e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f38e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f39e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f3ae 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x0012f3be 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
volatility --profile=Win7SP0x86 -f lab01/memdump.mem dlllist --pid 2184
Volatility Foundation Volatility Framework 2.6
************************************************************************
svchost.exe pid: 2184
Command line : svchost.exe
Base Size LoadCount Path
---------- ---------- ---------- ----
0x00400000 0x1800 0xffff C:\Users\user01\Desktop\ 請求書\svchost.exe
0x77800000 0x13c000 0xffff C:\Windows\SYSTEM32\ntdll.dll
0x76660000 0xd4000 0xffff C:\Windows\system32\kernel32.dll
0x75ae0000 0x4a000 0xffff C:\Windows\system32\KERNELBASE.dll
0x76740000 0xa0000 0x10 C:\Windows\system32\advapi32.DLL
0x75ef0000 0xac000 0x8c C:\Windows\system32\msvcrt.dll
0x765e0000 0x19000 0x2d C:\Windows\SYSTEM32\sechost.dll
0x767e0000 0xa1000 0x50 C:\Windows\system32\RPCRT4.dll
0x76280000 0xc9000 0x77 C:\Windows\system32\user32.DLL
0x76430000 0x4e000 0x6a C:\Windows\system32\GDI32.dll
0x761a0000 0xa000 0x17 C:\Windows\system32\LPK.dll
0x76480000 0x9d000 0x17 C:\Windows\system32\USP10.dll
0x77a10000 0x1f000 0x4 C:\Windows\system32\IMM32.DLL
0x761b0000 0xcc000 0x2 C:\Windows\system32\MSCTF.dll
0x6d460000 0x2e000 0x1 C:\Windows\system32\advpack.DLL
0x75d90000 0x15c000 0xd C:\Windows\system32\ole32.dll
0x74d00000 0x9000 0x2 C:\Windows\system32\VERSION.dll
0x77660000 0x19d000 0x1 C:\Windows\system32\SETUPAPI.dll
0x75a80000 0x27000 0x2 C:\Windows\system32\CFGMGR32.dll
0x76350000 0x8f000 0x5 C:\Windows\system32\OLEAUT32.dll
0x759d0000 0x12000 0x1 C:\Windows\system32\DEVOBJ.dll
0x76600000 0x57000 0xc C:\Windows\system32\SHLWAPI.dll
0x77960000 0x35000 0xc C:\Windows\system32\ws2_32.DLL
0x77950000 0x6000 0x14 C:\Windows\system32\NSI.dll
0x77560000 0xf4000 0x2 C:\Windows\system32\wininet.DLL
0x77940000 0x3000 0x2 C:\Windows\system32\Normaliz.dll
0x75c50000 0x135000 0x2 C:\Windows\system32\urlmon.dll
0x75b30000 0x11c000 0x3 C:\Windows\system32\CRYPT32.dll
0x759c0000 0xc000 0x3 C:\Windows\system32\MSASN1.dll
0x75fa0000 0x1f9000 0x4 C:\Windows\system32\iertutil.dll
0x74790000 0x19e000 0x1 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
0x75830000 0x1a000 0x1 C:\Windows\system32\SspiCli.dll
0x76910000 0xc49000 0x3 C:\Windows\system32\SHELL32.dll
0x75950000 0xb000 0x2 C:\Windows\system32\profapi.dll
0x75250000 0x44000 0x2 C:\Windows\system32\dnsapi.DLL
0x739f0000 0x1c000 0x3 C:\Windows\system32\iphlpapi.DLL
0x739e0000 0x7000 0x3 C:\Windows\system32\WINNSI.DLL
0x73050000 0x52000 0x1 C:\Windows\system32\RASAPI32.dll
0x73f30000 0x15000 0x3 C:\Windows\system32\rasman.dll
0x73f20000 0xd000 0x2 C:\Windows\system32\rtutils.dll
0x72ac0000 0x6000 0x1 C:\Windows\system32\sensapi.dll
0x758a0000 0xc000 0x1 C:\Windows\system32\CRYPTBASE.dll
0x75390000 0x3c000 0x3 C:\Windows\system32\mswsock.dll
0x74d90000 0x5000 0x1 C:\Windows\System32\wshtcpip.dll
0x73b30000 0x10000 0x1 C:\Windows\system32\NLAapi.dll
0x6fed0000 0x8000 0x1 C:\Windows\System32\winrnr.dll
0x6fec0000 0x10000 0x1 C:\Windows\system32\napinsp.dll
0x6fea0000 0x12000 0x2 C:\Windows\system32\pnrpnsp.dll
0x73880000 0x38000 0x1 C:\Windows\System32\fwpuclnt.dll
0x70980000 0x6000 0x1 C:\Windows\system32\rasadhlp.dll
0x71530000 0x12000 0x1 C:\Windows\system32\mpr.dll
0x6f560000 0x13000 0x1 C:\Windows\system32\avicap32.dll
0x73d20000 0x32000 0x3 C:\Windows\system32\WINMM.dll
0x66660000 0x21000 0x1 C:\Windows\system32\MSVFW32.dll
0x759f0000 0x84000 0x1 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7600.16385_none_ebf82fc36c758ad5\COMCTL32.dll
0x6f770000 0xd000 0x1 C:\Windows\system32\pstorec.dll
0x73aa0000 0x14000 0x1 C:\Windows\system32\ATL.DLL
0x74300000 0x39000 0x1 C:\Windows\system32\MMDevAPI.DLL
0x74650000 0xf5000 0x2 C:\Windows\system32\PROPSYS.dll
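Two things in the dlllist output above are worth checking automatically: where the process image itself was loaded from (here a folder under C:\Users\user01\Desktop\ rather than C:\Windows\System32, and only 0x1800 bytes in size), and which loaded DLLs hint at capabilities (wininet/ws2_32/dnsapi for networking, avicap32/msvfw32 for video capture, pstorec for the protected storage API). The script below is an added example, not from the page or from Volatility; it parses a verbatim subset of the dlllist output above (embedded as constructed sample input) and applies both checks. The system-root prefix and the set of core image names are assumptions for a default Windows 7 install, and the capability map is informational only, since legitimate software loads the same DLLs.

```python
import re
from collections import namedtuple

# Constructed sample input: a subset of the dlllist output above for pid 2184,
# copied verbatim (the long WinSxS comctl32 path is included on purpose).
DLLLIST_SAMPLE = r"""
************************************************************************
svchost.exe pid: 2184
Command line : svchost.exe
Base Size LoadCount Path
---------- ---------- ---------- ----
0x00400000 0x1800 0xffff C:\Users\user01\Desktop\ 請求書\svchost.exe
0x77800000 0x13c000 0xffff C:\Windows\SYSTEM32\ntdll.dll
0x76660000 0xd4000 0xffff C:\Windows\system32\kernel32.dll
0x77960000 0x35000 0xc C:\Windows\system32\ws2_32.DLL
0x77560000 0xf4000 0x2 C:\Windows\system32\wininet.DLL
0x75250000 0x44000 0x2 C:\Windows\system32\dnsapi.DLL
0x74790000 0x19e000 0x1 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
0x6f560000 0x13000 0x1 C:\Windows\system32\avicap32.dll
0x66660000 0x21000 0x1 C:\Windows\system32\MSVFW32.dll
0x6f770000 0xd000 0x1 C:\Windows\system32\pstorec.dll
"""

Module = namedtuple("Module", "base size loadcount path")

# Module rows: three hex columns, then the path, which may itself contain spaces.
MODULE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")
HEADER_RE = re.compile(r"^(.+?)\s+pid:\s*(\d+)\s*$")
CMDLINE_RE = re.compile(r"^Command line\s*:\s*(.*)$")

def parse_dlllist(text):
    """Parse one process block of dlllist output into a dict."""
    report = {"name": None, "pid": None, "cmdline": None, "modules": []}
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            report["name"], report["pid"] = m.group(1), int(m.group(2))
        elif (m := CMDLINE_RE.match(line)):
            report["cmdline"] = m.group(1)
        elif (m := MODULE_RE.match(line)):
            base, size, count, path = m.groups()
            report["modules"].append(Module(int(base, 16), int(size, 16), int(count, 16), path))
    return report

# Assumption: default Windows 7 install, core system binaries live under %SystemRoot%.
SYSTEM_ROOT = "c:\\windows\\"
CORE_IMAGES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe", "smss.exe"}

def check_image_path(report):
    """Reason string when a core-process name runs from outside %SystemRoot%, else None."""
    if not report["modules"]:
        return None
    image = report["modules"][0]  # dlllist lists the process image itself first
    path = image.path.lower()
    basename = path.rsplit("\\", 1)[-1]
    if basename in CORE_IMAGES and not path.startswith(SYSTEM_ROOT):
        return f"{basename} loaded from {image.path} (size 0x{image.size:x}), not under {SYSTEM_ROOT}"
    return None

# Informational capability hints; many legitimate programs load these DLLs too.
CAPABILITY_HINTS = {
    "network": {"wininet.dll", "urlmon.dll", "ws2_32.dll", "dnsapi.dll", "iphlpapi.dll"},
    "video capture": {"avicap32.dll", "msvfw32.dll"},
    "protected storage": {"pstorec.dll"},
}

def capabilities(modules):
    """Map each capability group to the loaded DLL basenames that suggest it."""
    loaded = {m.path.rsplit("\\", 1)[-1].lower() for m in modules}
    return {cap: sorted(loaded & dlls) for cap, dlls in CAPABILITY_HINTS.items() if loaded & dlls}

if __name__ == "__main__":
    rep = parse_dlllist(DLLLIST_SAMPLE)
    print(f"{rep['name']} pid {rep['pid']}: {len(rep['modules'])} modules")
    reason = check_image_path(rep)
    if reason:
        print("[image path]", reason)
    for cap, dlls in capabilities(rep["modules"]).items():
        print(f"[{cap}] {', '.join(dlls)}")
```

The path regex keeps everything after the third hex column as one field, so the Desktop folder name with its embedded whitespace and the WinSxS path survive intact; a real run would feed the full `dlllist --pid 2184` output in place of the sample.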
volatility --profile=Win7SP0x86 -f lab01/memdump.mem malfind --pid 2184
Volatility Foundation Volatility Framework 2.6
Process: svchost.exe Pid: 2184 Address: 0x370000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00370000 55 8b ec 50 b8 10 00 00 00 81 c4 04 f0 ff ff 50 U..P...........P
0x00370010 48 75 f6 8b 45 fc 83 c4 b8 53 56 57 8b 75 08 33 Hu..E....SVW.u.3
0x00370020 c0 89 86 b9 08 00 00 33 c0 89 45 e4 68 4d 4b 58 .......3..E.hMKX
0x00370030 5a 8b 86 db 0a 00 00 50 8b 86 e1 00 00 00 50 ff Z......P......P.
0x00370000 55 PUSH EBP
0x00370001 8bec MOV EBP, ESP
0x00370003 50 PUSH EAX
0x00370004 b810000000 MOV EAX, 0x10
0x00370009 81c404f0ffff ADD ESP, 0xfffff004
0x0037000f 50 PUSH EAX
0x00370010 48 DEC EAX
0x00370011 75f6 JNZ 0x370009
0x00370013 8b45fc MOV EAX, [EBP-0x4]
0x00370016 83c4b8 ADD ESP, -0x48
0x00370019 53 PUSH EBX
0x0037001a 56 PUSH ESI
0x0037001b 57 PUSH EDI
0x0037001c 8b7508 MOV ESI, [EBP+0x8]
0x0037001f 33c0 XOR EAX, EAX
0x00370021 8986b9080000 MOV [ESI+0x8b9], EAX
0x00370027 33c0 XOR EAX, EAX
0x00370029 8945e4 MOV [EBP-0x1c], EAX
0x0037002c 684d4b585a PUSH DWORD 0x5a584b4d
0x00370031 8b86db0a0000 MOV EAX, [ESI+0xadb]
0x00370037 50 PUSH EAX
0x00370038 8b86e1000000 MOV EAX, [ESI+0xe1]
0x0037003e 50 PUSH EAX
0x0037003f ff DB 0xff
Process: svchost.exe Pid: 2184 Address: 0x380000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x00380000 e8 00 00 00 28 49 1f 00 ff ff ff ff 00 00 00 00 ....(I..........
0x00380010 00 00 00 00 00 00 00 00 00 00 00 00 d8 bd 1e 00 ................
0x00380020 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00380030 00 00 00 00 00 00 3a 00 00 00 00 00 01 00 00 00 ......:.........
0x00380000 e800000028 CALL 0x28380005
0x00380005 49 DEC ECX
0x00380006 1f POP DS
0x00380007 00ff ADD BH, BH
0x00380009 ff DB 0xff
0x0038000a ff DB 0xff
0x0038000b ff00 INC DWORD [EAX]
0x0038000d 0000 ADD [EAX], AL
0x0038000f 0000 ADD [EAX], AL
0x00380011 0000 ADD [EAX], AL
0x00380013 0000 ADD [EAX], AL
0x00380015 0000 ADD [EAX], AL
0x00380017 0000 ADD [EAX], AL
0x00380019 0000 ADD [EAX], AL
0x0038001b 00d8 ADD AL, BL
0x0038001d bd1e00ffff MOV EBP, 0xffff001e
0x00380022 ff DB 0xff
0x00380023 ff00 INC DWORD [EAX]
0x00380025 0000 ADD [EAX], AL
0x00380027 0000 ADD [EAX], AL
0x00380029 0000 ADD [EAX], AL
0x0038002b 0000 ADD [EAX], AL
0x0038002d 0000 ADD [EAX], AL
0x0038002f 0000 ADD [EAX], AL
0x00380031 0000 ADD [EAX], AL
0x00380033 0000 ADD [EAX], AL
0x00380035 003a ADD [EDX], BH
0x00380037 0000 ADD [EAX], AL
0x00380039 0000 ADD [EAX], AL
0x0038003b 0001 ADD [ECX], AL
0x0038003d 0000 ADD [EAX], AL
0x0038003f 00 DB 0x0
Process: svchost.exe Pid: 2184 Address: 0x3c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003c0000 55 8b ec 50 b8 10 00 00 00 81 c4 04 f0 ff ff 50 U..P...........P
0x003c0010 48 75 f6 8b 45 fc 81 c4 48 fe ff ff 53 56 57 8b Hu..E...H...SVW.
0x003c0020 45 08 89 45 bc 8b 45 bc 8b 80 b4 08 00 00 8b f8 E..E..E.........
0x003c0030 8b 40 34 89 45 b8 8b 45 b8 8b 80 24 03 00 00 89 .@4.E..E...$....
0x003c0000 55 PUSH EBP
0x003c0001 8bec MOV EBP, ESP
0x003c0003 50 PUSH EAX
0x003c0004 b810000000 MOV EAX, 0x10
0x003c0009 81c404f0ffff ADD ESP, 0xfffff004
0x003c000f 50 PUSH EAX
0x003c0010 48 DEC EAX
0x003c0011 75f6 JNZ 0x3c0009
0x003c0013 8b45fc MOV EAX, [EBP-0x4]
0x003c0016 81c448feffff ADD ESP, 0xfffffe48
0x003c001c 53 PUSH EBX
0x003c001d 56 PUSH ESI
0x003c001e 57 PUSH EDI
0x003c001f 8b4508 MOV EAX, [EBP+0x8]
0x003c0022 8945bc MOV [EBP-0x44], EAX
0x003c0025 8b45bc MOV EAX, [EBP-0x44]
0x003c0028 8b80b4080000 MOV EAX, [EAX+0x8b4]
0x003c002e 8bf8 MOV EDI, EAX
0x003c0030 8b4034 MOV EAX, [EAX+0x34]
0x003c0033 8945b8 MOV [EBP-0x48], EAX
0x003c0036 8b45b8 MOV EAX, [EBP-0x48]
0x003c0039 8b8024030000 MOV EAX, [EAX+0x324]
0x003c003f 89 DB 0x89
Process: svchost.exe Pid: 2184 Address: 0x3b0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003b0000 55 8b ec 83 c4 c8 53 56 57 8b 5d 08 8b 73 08 33 U.....SVW.]..s.3
0x003b0010 c0 89 45 f0 c6 45 e3 00 80 be b8 08 00 00 00 0f ..E..E..........
0x003b0020 84 b2 00 00 00 c6 86 b8 08 00 00 00 8b 86 b4 08 ................
0x003b0030 00 00 33 d2 89 50 38 6a 01 8b 03 03 45 f0 50 8d ..3..P8j....E.P.
0x003b0000 55 PUSH EBP
0x003b0001 8bec MOV EBP, ESP
0x003b0003 83c4c8 ADD ESP, -0x38
0x003b0006 53 PUSH EBX
0x003b0007 56 PUSH ESI
0x003b0008 57 PUSH EDI
0x003b0009 8b5d08 MOV EBX, [EBP+0x8]
0x003b000c 8b7308 MOV ESI, [EBX+0x8]
0x003b000f 33c0 XOR EAX, EAX
0x003b0011 8945f0 MOV [EBP-0x10], EAX
0x003b0014 c645e300 MOV BYTE [EBP-0x1d], 0x0
0x003b0018 80beb808000000 CMP BYTE [ESI+0x8b8], 0x0
0x003b001f 0f84b2000000 JZ 0x3b00d7
0x003b0025 c686b808000000 MOV BYTE [ESI+0x8b8], 0x0
0x003b002c 8b86b4080000 MOV EAX, [ESI+0x8b4]
0x003b0032 33d2 XOR EDX, EDX
0x003b0034 895038 MOV [EAX+0x38], EDX
0x003b0037 6a01 PUSH 0x1
0x003b0039 8b03 MOV EAX, [EBX]
0x003b003b 0345f0 ADD EAX, [EBP-0x10]
0x003b003e 50 PUSH EAX
0x003b003f 8d DB 0x8d
Process: svchost.exe Pid: 2184 Address: 0x3a0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003a0000 00 00 00 00 00 00 00 00 00 00 9d 01 00 00 a5 01 ................
0x003a0010 00 00 8c 01 00 00 91 01 00 00 92 01 00 00 00 00 ................
0x003a0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x003a0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x003a0000 0000 ADD [EAX], AL
0x003a0002 0000 ADD [EAX], AL
0x003a0004 0000 ADD [EAX], AL
0x003a0006 0000 ADD [EAX], AL
0x003a0008 0000 ADD [EAX], AL
0x003a000a 9d POPF
0x003a000b 0100 ADD [EAX], EAX
0x003a000d 00a50100008c ADD [EBP-0x73ffffff], AH
0x003a0013 0100 ADD [EAX], EAX
0x003a0015 009101000092 ADD [ECX-0x6dffffff], DL
0x003a001b 0100 ADD [EAX], EAX
0x003a001d 0000 ADD [EAX], AL
0x003a001f 0000 ADD [EAX], AL
0x003a0021 0000 ADD [EAX], AL
0x003a0023 0000 ADD [EAX], AL
0x003a0025 0000 ADD [EAX], AL
0x003a0027 0000 ADD [EAX], AL
0x003a0029 0000 ADD [EAX], AL
0x003a002b 0000 ADD [EAX], AL
0x003a002d 0000 ADD [EAX], AL
0x003a002f 0000 ADD [EAX], AL
0x003a0031 0000 ADD [EAX], AL
0x003a0033 0000 ADD [EAX], AL
0x003a0035 0000 ADD [EAX], AL
0x003a0037 0000 ADD [EAX], AL
0x003a0039 0000 ADD [EAX], AL
0x003a003b 0000 ADD [EAX], AL
0x003a003d 0000 ADD [EAX], AL
0x003a003f 00 DB 0x0
Process: svchost.exe Pid: 2184 Address: 0x3d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003d0000 55 8b ec 81 c4 e4 fe ff ff 53 56 57 8b f0 89 75 U........SVW...u
0x003d0010 cc 8b 45 cc 8b 80 b4 08 00 00 8b f8 8b 58 34 8b ..E..........X4.
0x003d0020 83 24 03 00 00 89 45 e8 8b 83 4c 03 00 00 05 fd .$....E...L.....
0x003d0030 01 00 00 89 45 e4 64 ff 35 00 00 00 00 8f 45 ec ....E.d.5.....E.
0x003d0000 55 PUSH EBP
0x003d0001 8bec MOV EBP, ESP
0x003d0003 81c4e4feffff ADD ESP, 0xfffffee4
0x003d0009 53 PUSH EBX
0x003d000a 56 PUSH ESI
0x003d000b 57 PUSH EDI
0x003d000c 8bf0 MOV ESI, EAX
0x003d000e 8975cc MOV [EBP-0x34], ESI
0x003d0011 8b45cc MOV EAX, [EBP-0x34]
0x003d0014 8b80b4080000 MOV EAX, [EAX+0x8b4]
0x003d001a 8bf8 MOV EDI, EAX
0x003d001c 8b5834 MOV EBX, [EAX+0x34]
0x003d001f 8b8324030000 MOV EAX, [EBX+0x324]
0x003d0025 8945e8 MOV [EBP-0x18], EAX
0x003d0028 8b834c030000 MOV EAX, [EBX+0x34c]
0x003d002e 05fd010000 ADD EAX, 0x1fd
0x003d0033 8945e4 MOV [EBP-0x1c], EAX
0x003d0036 64ff3500000000 PUSH DWORD [FS:0x0]
0x003d003d 8f45ec POP DWORD [EBP-0x14]
Process: svchost.exe Pid: 2184 Address: 0x3f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x003f0000 53 56 57 83 c4 cc 8b f8 89 7c 24 0c 8b 44 24 0c SVW......|$..D$.
0x003f0010 8b 80 b4 08 00 00 89 44 24 10 8b 58 34 8d 54 24 .......D$..X4.T$
0x003f0020 24 8b c7 ff 93 c8 01 00 00 8b 44 24 10 83 c0 1c $.........D$....
0x003f0030 50 ff 93 e0 02 00 00 8b 44 24 10 8b 40 50 89 04 P.......D$..@P..
0x003f0000 53 PUSH EBX
0x003f0001 56 PUSH ESI
0x003f0002 57 PUSH EDI
0x003f0003 83c4cc ADD ESP, -0x34
0x003f0006 8bf8 MOV EDI, EAX
0x003f0008 897c240c MOV [ESP+0xc], EDI
0x003f000c 8b44240c MOV EAX, [ESP+0xc]
0x003f0010 8b80b4080000 MOV EAX, [EAX+0x8b4]
0x003f0016 89442410 MOV [ESP+0x10], EAX
0x003f001a 8b5834 MOV EBX, [EAX+0x34]
0x003f001d 8d542424 LEA EDX, [ESP+0x24]
0x003f0021 8bc7 MOV EAX, EDI
0x003f0023 ff93c8010000 CALL DWORD [EBX+0x1c8]
0x003f0029 8b442410 MOV EAX, [ESP+0x10]
0x003f002d 83c01c ADD EAX, 0x1c
0x003f0030 50 PUSH EAX
0x003f0031 ff93e0020000 CALL DWORD [EBX+0x2e0]
0x003f0037 8b442410 MOV EAX, [ESP+0x10]
0x003f003b 8b4050 MOV EAX, [EAX+0x50]
0x003f003e 89 DB 0x89
0x003f003f 04 DB 0x4
Process: svchost.exe Pid: 2184 Address: 0x1910000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01910000 53 56 57 81 c4 b8 fe ff ff 8b f1 8d 7c 24 08 b9 SVW.........|$..
0x01910010 50 00 00 00 f3 a5 8b fa 8b d8 8b c3 8b 90 b4 08 P...............
0x01910020 00 00 8b 72 34 8d 4c 24 34 8b d7 8b c3 ff 56 6c ...r4.L$4.....Vl
0x01910030 6a 04 8d 44 24 0c 50 57 53 ff 96 cc 01 00 00 6a j..D$.PWS......j
0x01910000 53 PUSH EBX
0x01910001 56 PUSH ESI
0x01910002 57 PUSH EDI
0x01910003 81c4b8feffff ADD ESP, 0xfffffeb8
0x01910009 8bf1 MOV ESI, ECX
0x0191000b 8d7c2408 LEA EDI, [ESP+0x8]
0x0191000f b950000000 MOV ECX, 0x50
0x01910014 f3a5 REP MOVSD
0x01910016 8bfa MOV EDI, EDX
0x01910018 8bd8 MOV EBX, EAX
0x0191001a 8bc3 MOV EAX, EBX
0x0191001c 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x01910022 8b7234 MOV ESI, [EDX+0x34]
0x01910025 8d4c2434 LEA ECX, [ESP+0x34]
0x01910029 8bd7 MOV EDX, EDI
0x0191002b 8bc3 MOV EAX, EBX
0x0191002d ff566c CALL DWORD [ESI+0x6c]
0x01910030 6a04 PUSH 0x4
0x01910032 8d44240c LEA EAX, [ESP+0xc]
0x01910036 50 PUSH EAX
0x01910037 57 PUSH EDI
0x01910038 53 PUSH EBX
0x01910039 ff96cc010000 CALL DWORD [ESI+0x1cc]
0x0191003f 6a DB 0x6a
Process: svchost.exe Pid: 2184 Address: 0x18c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x018c0000 55 8b ec 83 c4 b4 53 56 57 89 45 e0 8b 45 e0 89 U.....SVW.E..E..
0x018c0010 45 c4 8b 45 c4 8b 80 b4 08 00 00 8b 58 34 8b 83 E..E........X4..
0x018c0020 24 03 00 00 89 45 e8 8b 43 10 05 5f 01 00 00 89 $....E..C.._....
0x018c0030 45 e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f E.d.5.....E..u..
0x018c0000 55 PUSH EBP
0x018c0001 8bec MOV EBP, ESP
0x018c0003 83c4b4 ADD ESP, -0x4c
0x018c0006 53 PUSH EBX
0x018c0007 56 PUSH ESI
0x018c0008 57 PUSH EDI
0x018c0009 8945e0 MOV [EBP-0x20], EAX
0x018c000c 8b45e0 MOV EAX, [EBP-0x20]
0x018c000f 8945c4 MOV [EBP-0x3c], EAX
0x018c0012 8b45c4 MOV EAX, [EBP-0x3c]
0x018c0015 8b80b4080000 MOV EAX, [EAX+0x8b4]
0x018c001b 8b5834 MOV EBX, [EAX+0x34]
0x018c001e 8b8324030000 MOV EAX, [EBX+0x324]
0x018c0024 8945e8 MOV [EBP-0x18], EAX
0x018c0027 8b4310 MOV EAX, [EBX+0x10]
0x018c002a 055f010000 ADD EAX, 0x15f
0x018c002f 8945e4 MOV [EBP-0x1c], EAX
0x018c0032 64ff3500000000 PUSH DWORD [FS:0x0]
0x018c0039 8f45ec POP DWORD [EBP-0x14]
0x018c003c ff75e8 PUSH DWORD [EBP-0x18]
0x018c003f 8f DB 0x8f
Process: svchost.exe Pid: 2184 Address: 0x18d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x018d0000 55 8b ec 81 c4 60 fc ff ff 53 56 57 89 4d dc 8b U....`...SVW.M..
0x018d0010 fa 89 45 e0 8b 75 e0 8b 86 b4 08 00 00 8b 58 34 ..E..u........X4
0x018d0020 8b 83 24 03 00 00 89 45 e8 8b 83 10 04 00 00 05 ..$....E........
0x018d0030 5e 02 00 00 89 45 e4 64 ff 35 00 00 00 00 8f 45 ^....E.d.5.....E
0x018d0000 55 PUSH EBP
0x018d0001 8bec MOV EBP, ESP
0x018d0003 81c460fcffff ADD ESP, 0xfffffc60
0x018d0009 53 PUSH EBX
0x018d000a 56 PUSH ESI
0x018d000b 57 PUSH EDI
0x018d000c 894ddc MOV [EBP-0x24], ECX
0x018d000f 8bfa MOV EDI, EDX
0x018d0011 8945e0 MOV [EBP-0x20], EAX
0x018d0014 8b75e0 MOV ESI, [EBP-0x20]
0x018d0017 8b86b4080000 MOV EAX, [ESI+0x8b4]
0x018d001d 8b5834 MOV EBX, [EAX+0x34]
0x018d0020 8b8324030000 MOV EAX, [EBX+0x324]
0x018d0026 8945e8 MOV [EBP-0x18], EAX
0x018d0029 8b8310040000 MOV EAX, [EBX+0x410]
0x018d002f 055e020000 ADD EAX, 0x25e
0x018d0034 8945e4 MOV [EBP-0x1c], EAX
0x018d0037 64ff3500000000 PUSH DWORD [FS:0x0]
0x018d003e 8f DB 0x8f
0x018d003f 45 INC EBP
Process: svchost.exe Pid: 2184 Address: 0x19c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x019c0000 55 8b ec 83 c4 a4 53 56 57 89 4d e0 8b fa 8b f0 U.....SVW.M.....
0x019c0010 8b c6 8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00 .........Z4..$..
0x019c0020 00 89 45 e8 8b 43 54 05 ad 01 00 00 89 45 e4 64 ..E..CT......E.d
0x019c0030 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff .5.....E..u..E..
0x019c0000 55 PUSH EBP
0x019c0001 8bec MOV EBP, ESP
0x019c0003 83c4a4 ADD ESP, -0x5c
0x019c0006 53 PUSH EBX
0x019c0007 56 PUSH ESI
0x019c0008 57 PUSH EDI
0x019c0009 894de0 MOV [EBP-0x20], ECX
0x019c000c 8bfa MOV EDI, EDX
0x019c000e 8bf0 MOV ESI, EAX
0x019c0010 8bc6 MOV EAX, ESI
0x019c0012 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x019c0018 8b5a34 MOV EBX, [EDX+0x34]
0x019c001b 8b8324030000 MOV EAX, [EBX+0x324]
0x019c0021 8945e8 MOV [EBP-0x18], EAX
0x019c0024 8b4354 MOV EAX, [EBX+0x54]
0x019c0027 05ad010000 ADD EAX, 0x1ad
0x019c002c 8945e4 MOV [EBP-0x1c], EAX
0x019c002f 64ff3500000000 PUSH DWORD [FS:0x0]
0x019c0036 8f45ec POP DWORD [EBP-0x14]
0x019c0039 ff75e8 PUSH DWORD [EBP-0x18]
0x019c003c 8f45f0 POP DWORD [EBP-0x10]
0x019c003f ff DB 0xff
Process: svchost.exe Pid: 2184 Address: 0x1920000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01920000 55 8b ec 81 c4 04 f0 ff ff 50 53 56 57 89 4d cc U........PSVW.M.
0x01920010 8b fa 89 45 d0 8b 75 d0 8b 86 b4 08 00 00 8b 58 ...E..u........X
0x01920020 34 8b 83 24 03 00 00 89 45 e8 8b 43 18 05 55 05 4..$....E..C..U.
0x01920030 00 00 89 45 e4 64 ff 35 00 00 00 00 8f 45 ec ff ...E.d.5.....E..
0x01920000 55 PUSH EBP
0x01920001 8bec MOV EBP, ESP
0x01920003 81c404f0ffff ADD ESP, 0xfffff004
0x01920009 50 PUSH EAX
0x0192000a 53 PUSH EBX
0x0192000b 56 PUSH ESI
0x0192000c 57 PUSH EDI
0x0192000d 894dcc MOV [EBP-0x34], ECX
0x01920010 8bfa MOV EDI, EDX
0x01920012 8945d0 MOV [EBP-0x30], EAX
0x01920015 8b75d0 MOV ESI, [EBP-0x30]
0x01920018 8b86b4080000 MOV EAX, [ESI+0x8b4]
0x0192001e 8b5834 MOV EBX, [EAX+0x34]
0x01920021 8b8324030000 MOV EAX, [EBX+0x324]
0x01920027 8945e8 MOV [EBP-0x18], EAX
0x0192002a 8b4318 MOV EAX, [EBX+0x18]
0x0192002d 0555050000 ADD EAX, 0x555
0x01920032 8945e4 MOV [EBP-0x1c], EAX
0x01920035 64ff3500000000 PUSH DWORD [FS:0x0]
0x0192003c 8f45ec POP DWORD [EBP-0x14]
0x0192003f ff DB 0xff
Process: svchost.exe Pid: 2184 Address: 0x19e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x019e0000 55 8b ec 83 c4 e4 53 56 57 8b 5d 10 8b 45 08 8b U.....SVW.]..E..
0x019e0010 90 b4 08 00 00 8b 72 34 8b 86 24 03 00 00 89 45 ......r4..$....E
0x019e0020 e8 8b 86 d8 01 00 00 05 e0 00 00 00 89 45 e4 64 .............E.d
0x019e0030 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff .5.....E..u..E..
0x019e0000 55 PUSH EBP
0x019e0001 8bec MOV EBP, ESP
0x019e0003 83c4e4 ADD ESP, -0x1c
0x019e0006 53 PUSH EBX
0x019e0007 56 PUSH ESI
0x019e0008 57 PUSH EDI
0x019e0009 8b5d10 MOV EBX, [EBP+0x10]
0x019e000c 8b4508 MOV EAX, [EBP+0x8]
0x019e000f 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x019e0015 8b7234 MOV ESI, [EDX+0x34]
0x019e0018 8b8624030000 MOV EAX, [ESI+0x324]
0x019e001e 8945e8 MOV [EBP-0x18], EAX
0x019e0021 8b86d8010000 MOV EAX, [ESI+0x1d8]
0x019e0027 05e0000000 ADD EAX, 0xe0
0x019e002c 8945e4 MOV [EBP-0x1c], EAX
0x019e002f 64ff3500000000 PUSH DWORD [FS:0x0]
0x019e0036 8f45ec POP DWORD [EBP-0x14]
0x019e0039 ff75e8 PUSH DWORD [EBP-0x18]
0x019e003c 8f45f0 POP DWORD [EBP-0x10]
0x019e003f ff DB 0xff
Process: svchost.exe Pid: 2184 Address: 0x19d0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x019d0000 55 8b ec 83 c4 cc 53 56 57 89 4d dc 89 55 e0 33 U.....SVW.M..U.3
0x019d0010 d2 8b f8 8b 87 b4 08 00 00 8b f0 8b 40 34 89 45 ............@4.E
0x019d0020 cc 8b 45 cc 8b 80 24 03 00 00 89 45 e8 8b 45 cc ..E...$....E..E.
0x019d0030 8b 40 08 05 b0 01 00 00 89 45 e4 64 ff 35 00 00 .@.......E.d.5..
0x019d0000 55 PUSH EBP
0x019d0001 8bec MOV EBP, ESP
0x019d0003 83c4cc ADD ESP, -0x34
0x019d0006 53 PUSH EBX
0x019d0007 56 PUSH ESI
0x019d0008 57 PUSH EDI
0x019d0009 894ddc MOV [EBP-0x24], ECX
0x019d000c 8955e0 MOV [EBP-0x20], EDX
0x019d000f 33d2 XOR EDX, EDX
0x019d0011 8bf8 MOV EDI, EAX
0x019d0013 8b87b4080000 MOV EAX, [EDI+0x8b4]
0x019d0019 8bf0 MOV ESI, EAX
0x019d001b 8b4034 MOV EAX, [EAX+0x34]
0x019d001e 8945cc MOV [EBP-0x34], EAX
0x019d0021 8b45cc MOV EAX, [EBP-0x34]
0x019d0024 8b8024030000 MOV EAX, [EAX+0x324]
0x019d002a 8945e8 MOV [EBP-0x18], EAX
0x019d002d 8b45cc MOV EAX, [EBP-0x34]
0x019d0030 8b4008 MOV EAX, [EAX+0x8]
0x019d0033 05b0010000 ADD EAX, 0x1b0
0x019d0038 8945e4 MOV [EBP-0x1c], EAX
0x019d003b 64 DB 0x64
0x019d003c ff DB 0xff
0x019d003d 35 DB 0x35
0x019d003e 0000 ADD [EAX], AL
Process: svchost.exe Pid: 2184 Address: 0x19f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x019f0000 53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b da 33 SV.........s4..3
0x019f0010 c9 ff 96 d4 01 00 00 33 c0 89 43 04 33 c0 89 43 .......3..C.3..C
0x019f0020 08 5e 5b c3 00 00 00 00 00 00 00 00 00 00 00 00 .^[.............
0x019f0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x019f0000 53 PUSH EBX
0x019f0001 56 PUSH ESI
0x019f0002 8bc8 MOV ECX, EAX
0x019f0004 8b99b4080000 MOV EBX, [ECX+0x8b4]
0x019f000a 8b7334 MOV ESI, [EBX+0x34]
0x019f000d 8bda MOV EBX, EDX
0x019f000f 33c9 XOR ECX, ECX
0x019f0011 ff96d4010000 CALL DWORD [ESI+0x1d4]
0x019f0017 33c0 XOR EAX, EAX
0x019f0019 894304 MOV [EBX+0x4], EAX
0x019f001c 33c0 XOR EAX, EAX
0x019f001e 894308 MOV [EBX+0x8], EAX
0x019f0021 5e POP ESI
0x019f0022 5b POP EBX
0x019f0023 c3 RET
0x019f0024 0000 ADD [EAX], AL
0x019f0026 0000 ADD [EAX], AL
0x019f0028 0000 ADD [EAX], AL
0x019f002a 0000 ADD [EAX], AL
0x019f002c 0000 ADD [EAX], AL
0x019f002e 0000 ADD [EAX], AL
0x019f0030 0000 ADD [EAX], AL
0x019f0032 0000 ADD [EAX], AL
0x019f0034 0000 ADD [EAX], AL
0x019f0036 0000 ADD [EAX], AL
0x019f0038 0000 ADD [EAX], AL
0x019f003a 0000 ADD [EAX], AL
0x019f003c 0000 ADD [EAX], AL
0x019f003e 0000 ADD [EAX], AL
Process: svchost.exe Pid: 2184 Address: 0x1a30000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a30000 55 8b ec 83 c4 e4 53 56 57 8b 7d 14 8b 55 08 8b U.....SVW.}..U..
0x01a30010 82 b4 08 00 00 8b 40 34 8b 88 24 03 00 00 89 4d ......@4..$....M
0x01a30020 e8 8b 80 d0 01 00 00 05 88 00 00 00 89 45 e4 64 .............E.d
0x01a30030 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 ff .5.....E..u..E..
0x01a30000 55 PUSH EBP
0x01a30001 8bec MOV EBP, ESP
0x01a30003 83c4e4 ADD ESP, -0x1c
0x01a30006 53 PUSH EBX
0x01a30007 56 PUSH ESI
0x01a30008 57 PUSH EDI
0x01a30009 8b7d14 MOV EDI, [EBP+0x14]
0x01a3000c 8b5508 MOV EDX, [EBP+0x8]
0x01a3000f 8b82b4080000 MOV EAX, [EDX+0x8b4]
0x01a30015 8b4034 MOV EAX, [EAX+0x34]
0x01a30018 8b8824030000 MOV ECX, [EAX+0x324]
0x01a3001e 894de8 MOV [EBP-0x18], ECX
0x01a30021 8b80d0010000 MOV EAX, [EAX+0x1d0]
0x01a30027 0588000000 ADD EAX, 0x88
0x01a3002c 8945e4 MOV [EBP-0x1c], EAX
0x01a3002f 64ff3500000000 PUSH DWORD [FS:0x0]
0x01a30036 8f45ec POP DWORD [EBP-0x14]
0x01a30039 ff75e8 PUSH DWORD [EBP-0x18]
0x01a3003c 8f45f0 POP DWORD [EBP-0x10]
0x01a3003f ff DB 0xff
Process: svchost.exe Pid: 2184 Address: 0x1a20000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a20000 55 8b ec 51 53 56 57 8b 7d 0c 8b 55 08 8b f2 8b U..QSVW.}..U....
0x01a20010 86 b4 08 00 00 8b 40 34 8b df 83 7b 08 00 7c 56 ......@4...{..|V
0x01a20020 83 7d 14 00 7c 50 8b 4b 08 03 4d 14 89 4d fc 83 .}..|P.K..M..M..
0x01a20030 7d fc 00 7e 41 8b 4d fc 3b 4b 04 7e 1a 8b 4d fc }..~A.M.;K.~..M.
0x01a20000 55 PUSH EBP
0x01a20001 8bec MOV EBP, ESP
0x01a20003 51 PUSH ECX
0x01a20004 53 PUSH EBX
0x01a20005 56 PUSH ESI
0x01a20006 57 PUSH EDI
0x01a20007 8b7d0c MOV EDI, [EBP+0xc]
0x01a2000a 8b5508 MOV EDX, [EBP+0x8]
0x01a2000d 8bf2 MOV ESI, EDX
0x01a2000f 8b86b4080000 MOV EAX, [ESI+0x8b4]
0x01a20015 8b4034 MOV EAX, [EAX+0x34]
0x01a20018 8bdf MOV EBX, EDI
0x01a2001a 837b0800 CMP DWORD [EBX+0x8], 0x0
0x01a2001e 7c56 JL 0x1a20076
0x01a20020 837d1400 CMP DWORD [EBP+0x14], 0x0
0x01a20024 7c50 JL 0x1a20076
0x01a20026 8b4b08 MOV ECX, [EBX+0x8]
0x01a20029 034d14 ADD ECX, [EBP+0x14]
0x01a2002c 894dfc MOV [EBP-0x4], ECX
0x01a2002f 837dfc00 CMP DWORD [EBP-0x4], 0x0
0x01a20033 7e41 JLE 0x1a20076
0x01a20035 8b4dfc MOV ECX, [EBP-0x4]
0x01a20038 3b4b04 CMP ECX, [EBX+0x4]
0x01a2003b 7e1a JLE 0x1a20057
0x01a2003d 8b4dfc MOV ECX, [EBP-0x4]
Process: svchost.exe Pid: 2184 Address: 0x1a10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a10000 53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b ca 33 SV.........s4..3
0x01a10010 db 89 19 33 db 89 59 04 33 db 89 59 08 33 db 89 ...3..Y.3..Y.3..
0x01a10020 59 0c 33 c9 ff 96 d4 01 00 00 5e 5b c3 00 00 00 Y.3.......^[....
0x01a10030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01a10000 53 PUSH EBX
0x01a10001 56 PUSH ESI
0x01a10002 8bc8 MOV ECX, EAX
0x01a10004 8b99b4080000 MOV EBX, [ECX+0x8b4]
0x01a1000a 8b7334 MOV ESI, [EBX+0x34]
0x01a1000d 8bca MOV ECX, EDX
0x01a1000f 33db XOR EBX, EBX
0x01a10011 8919 MOV [ECX], EBX
0x01a10013 33db XOR EBX, EBX
0x01a10015 895904 MOV [ECX+0x4], EBX
0x01a10018 33db XOR EBX, EBX
0x01a1001a 895908 MOV [ECX+0x8], EBX
0x01a1001d 33db XOR EBX, EBX
0x01a1001f 89590c MOV [ECX+0xc], EBX
0x01a10022 33c9 XOR ECX, ECX
0x01a10024 ff96d4010000 CALL DWORD [ESI+0x1d4]
0x01a1002a 5e POP ESI
0x01a1002b 5b POP EBX
0x01a1002c c3 RET
0x01a1002d 0000 ADD [EAX], AL
0x01a1002f 0000 ADD [EAX], AL
0x01a10031 0000 ADD [EAX], AL
0x01a10033 0000 ADD [EAX], AL
0x01a10035 0000 ADD [EAX], AL
0x01a10037 0000 ADD [EAX], AL
0x01a10039 0000 ADD [EAX], AL
0x01a1003b 0000 ADD [EAX], AL
0x01a1003d 0000 ADD [EAX], AL
0x01a1003f 00 DB 0x0
Process: svchost.exe Pid: 2184 Address: 0x1a40000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a40000 53 56 57 55 51 89 0c 24 8b fa 8b f0 8b c6 8b 90 SVWUQ..$........
0x01a40010 b4 08 00 00 8b 6a 34 8b df 54 57 56 ff 95 d8 01 .....j4..TWV....
0x01a40020 00 00 89 03 8b 04 24 89 43 0c 5a 5d 5f 5e 5b c3 ......$.C.Z]_^[.
0x01a40030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x01a40000 53 PUSH EBX
0x01a40001 56 PUSH ESI
0x01a40002 57 PUSH EDI
0x01a40003 55 PUSH EBP
0x01a40004 51 PUSH ECX
0x01a40005 890c24 MOV [ESP], ECX
0x01a40008 8bfa MOV EDI, EDX
0x01a4000a 8bf0 MOV ESI, EAX
0x01a4000c 8bc6 MOV EAX, ESI
0x01a4000e 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x01a40014 8b6a34 MOV EBP, [EDX+0x34]
0x01a40017 8bdf MOV EBX, EDI
0x01a40019 54 PUSH ESP
0x01a4001a 57 PUSH EDI
0x01a4001b 56 PUSH ESI
0x01a4001c ff95d8010000 CALL DWORD [EBP+0x1d8]
0x01a40022 8903 MOV [EBX], EAX
0x01a40024 8b0424 MOV EAX, [ESP]
0x01a40027 89430c MOV [EBX+0xc], EAX
0x01a4002a 5a POP EDX
0x01a4002b 5d POP EBP
0x01a4002c 5f POP EDI
0x01a4002d 5e POP ESI
0x01a4002e 5b POP EBX
0x01a4002f c3 RET
0x01a40030 0000 ADD [EAX], AL
0x01a40032 0000 ADD [EAX], AL
0x01a40034 0000 ADD [EAX], AL
0x01a40036 0000 ADD [EAX], AL
0x01a40038 0000 ADD [EAX], AL
0x01a4003a 0000 ADD [EAX], AL
0x01a4003c 0000 ADD [EAX], AL
0x01a4003e 0000 ADD [EAX], AL
Process: svchost.exe Pid: 2184 Address: 0x1a50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a50000 55 8b ec 81 c4 b0 fe ff ff 53 56 57 8b fa 89 45 U........SVW...E
0x01a50010 d8 8b 75 d8 8b 86 b4 08 00 00 8b 58 34 8b 83 24 ..u........X4..$
0x01a50020 03 00 00 89 45 e8 8b 43 0c 05 c9 04 00 00 89 45 ....E..C.......E
0x01a50030 e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 .d.5.....E..u..E
0x01a50000 55 PUSH EBP
0x01a50001 8bec MOV EBP, ESP
0x01a50003 81c4b0feffff ADD ESP, 0xfffffeb0
0x01a50009 53 PUSH EBX
0x01a5000a 56 PUSH ESI
0x01a5000b 57 PUSH EDI
0x01a5000c 8bfa MOV EDI, EDX
0x01a5000e 8945d8 MOV [EBP-0x28], EAX
0x01a50011 8b75d8 MOV ESI, [EBP-0x28]
0x01a50014 8b86b4080000 MOV EAX, [ESI+0x8b4]
0x01a5001a 8b5834 MOV EBX, [EAX+0x34]
0x01a5001d 8b8324030000 MOV EAX, [EBX+0x324]
0x01a50023 8945e8 MOV [EBP-0x18], EAX
0x01a50026 8b430c MOV EAX, [EBX+0xc]
0x01a50029 05c9040000 ADD EAX, 0x4c9
0x01a5002e 8945e4 MOV [EBP-0x1c], EAX
0x01a50031 64ff3500000000 PUSH DWORD [FS:0x0]
0x01a50038 8f45ec POP DWORD [EBP-0x14]
0x01a5003b ff75e8 PUSH DWORD [EBP-0x18]
0x01a5003e 8f DB 0x8f
0x01a5003f 45 INC EBP
Process: svchost.exe Pid: 2184 Address: 0x1a80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a80000 55 8b ec 83 c4 a4 53 56 57 89 55 dc 89 45 e0 8b U.....SVW.U..E..
0x01a80010 45 e0 8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00 E........Z4..$..
0x01a80020 00 89 45 e8 8b 83 54 04 00 00 05 41 01 00 00 89 ..E...T....A....
0x01a80030 45 e4 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f E.d.5.....E..u..
0x01a80000 55 PUSH EBP
0x01a80001 8bec MOV EBP, ESP
0x01a80003 83c4a4 ADD ESP, -0x5c
0x01a80006 53 PUSH EBX
0x01a80007 56 PUSH ESI
0x01a80008 57 PUSH EDI
0x01a80009 8955dc MOV [EBP-0x24], EDX
0x01a8000c 8945e0 MOV [EBP-0x20], EAX
0x01a8000f 8b45e0 MOV EAX, [EBP-0x20]
0x01a80012 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x01a80018 8b5a34 MOV EBX, [EDX+0x34]
0x01a8001b 8b8324030000 MOV EAX, [EBX+0x324]
0x01a80021 8945e8 MOV [EBP-0x18], EAX
0x01a80024 8b8354040000 MOV EAX, [EBX+0x454]
0x01a8002a 0541010000 ADD EAX, 0x141
0x01a8002f 8945e4 MOV [EBP-0x1c], EAX
0x01a80032 64ff3500000000 PUSH DWORD [FS:0x0]
0x01a80039 8f45ec POP DWORD [EBP-0x14]
0x01a8003c ff75e8 PUSH DWORD [EBP-0x18]
0x01a8003f 8f DB 0x8f
Process: svchost.exe Pid: 2184 Address: 0x1a70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a70000 55 8b ec 83 c4 80 53 56 57 89 4d d8 89 55 dc 89 U.....SVW.M..U..
0x01a70010 45 e0 8b 5d 08 8b 45 e0 89 45 c0 8b 45 c0 8b 80 E..]..E..E..E...
0x01a70020 b4 08 00 00 89 45 bc 8b 70 34 8b 86 24 03 00 00 .....E..p4..$...
0x01a70030 89 45 e8 8b 46 58 05 6e 03 00 00 89 45 e4 64 ff .E..FX.n....E.d.
0x01a70000 55 PUSH EBP
0x01a70001 8bec MOV EBP, ESP
0x01a70003 83c480 ADD ESP, -0x80
0x01a70006 53 PUSH EBX
0x01a70007 56 PUSH ESI
0x01a70008 57 PUSH EDI
0x01a70009 894dd8 MOV [EBP-0x28], ECX
0x01a7000c 8955dc MOV [EBP-0x24], EDX
0x01a7000f 8945e0 MOV [EBP-0x20], EAX
0x01a70012 8b5d08 MOV EBX, [EBP+0x8]
0x01a70015 8b45e0 MOV EAX, [EBP-0x20]
0x01a70018 8945c0 MOV [EBP-0x40], EAX
0x01a7001b 8b45c0 MOV EAX, [EBP-0x40]
0x01a7001e 8b80b4080000 MOV EAX, [EAX+0x8b4]
0x01a70024 8945bc MOV [EBP-0x44], EAX
0x01a70027 8b7034 MOV ESI, [EAX+0x34]
0x01a7002a 8b8624030000 MOV EAX, [ESI+0x324]
0x01a70030 8945e8 MOV [EBP-0x18], EAX
0x01a70033 8b4658 MOV EAX, [ESI+0x58]
0x01a70036 056e030000 ADD EAX, 0x36e
0x01a7003b 8945e4 MOV [EBP-0x1c], EAX
0x01a7003e 64 DB 0x64
0x01a7003f ff DB 0xff
Process: svchost.exe Pid: 2184 Address: 0x1aa0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01aa0000 55 8b ec 8b 55 10 8b 45 0c 8b 48 08 89 8a b8 00 U...U..E..H.....
0x01aa0010 00 00 8b 48 0c 89 8a c4 00 00 00 8b 40 10 89 82 ...H........@...
0x01aa0020 b4 00 00 00 33 c0 5d c2 10 00 8b c0 55 8b ec 83 ....3.].....U...
0x01aa0030 c4 e4 53 56 57 8b 5d 10 8b 45 08 8b 90 b4 08 00 ..SVW.]..E......
0x01aa0000 55 PUSH EBP
0x01aa0001 8bec MOV EBP, ESP
0x01aa0003 8b5510 MOV EDX, [EBP+0x10]
0x01aa0006 8b450c MOV EAX, [EBP+0xc]
0x01aa0009 8b4808 MOV ECX, [EAX+0x8]
0x01aa000c 898ab8000000 MOV [EDX+0xb8], ECX
0x01aa0012 8b480c MOV ECX, [EAX+0xc]
0x01aa0015 898ac4000000 MOV [EDX+0xc4], ECX
0x01aa001b 8b4010 MOV EAX, [EAX+0x10]
0x01aa001e 8982b4000000 MOV [EDX+0xb4], EAX
0x01aa0024 33c0 XOR EAX, EAX
0x01aa0026 5d POP EBP
0x01aa0027 c21000 RET 0x10
0x01aa002a 8bc0 MOV EAX, EAX
0x01aa002c 55 PUSH EBP
0x01aa002d 8bec MOV EBP, ESP
0x01aa002f 83c4e4 ADD ESP, -0x1c
0x01aa0032 53 PUSH EBX
0x01aa0033 56 PUSH ESI
0x01aa0034 57 PUSH EDI
0x01aa0035 8b5d10 MOV EBX, [EBP+0x10]
0x01aa0038 8b4508 MOV EAX, [EBP+0x8]
0x01aa003b 8b DB 0x8b
0x01aa003c 90 NOP
0x01aa003d b408 MOV AH, 0x8
0x01aa003f 00 DB 0x0
Process: svchost.exe Pid: 2184 Address: 0x1a90000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01a90000 53 56 57 55 51 8b e9 8b fa 8b f0 8b c6 8b 90 b4 SVWUQ...........
0x01a90010 08 00 00 8b 5a 34 55 ff 53 70 88 04 24 6a 01 8d ....Z4U.Sp..$j..
0x01a90020 44 24 04 50 57 56 ff 93 cc 01 00 00 33 c0 8a 04 D$.PWV......3...
0x01a90030 24 50 55 57 56 ff 93 cc 01 00 00 5a 5d 5f 5e 5b $PUWV......Z]_^[
0x01a90000 53 PUSH EBX
0x01a90001 56 PUSH ESI
0x01a90002 57 PUSH EDI
0x01a90003 55 PUSH EBP
0x01a90004 51 PUSH ECX
0x01a90005 8be9 MOV EBP, ECX
0x01a90007 8bfa MOV EDI, EDX
0x01a90009 8bf0 MOV ESI, EAX
0x01a9000b 8bc6 MOV EAX, ESI
0x01a9000d 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x01a90013 8b5a34 MOV EBX, [EDX+0x34]
0x01a90016 55 PUSH EBP
0x01a90017 ff5370 CALL DWORD [EBX+0x70]
0x01a9001a 880424 MOV [ESP], AL
0x01a9001d 6a01 PUSH 0x1
0x01a9001f 8d442404 LEA EAX, [ESP+0x4]
0x01a90023 50 PUSH EAX
0x01a90024 57 PUSH EDI
0x01a90025 56 PUSH ESI
0x01a90026 ff93cc010000 CALL DWORD [EBX+0x1cc]
0x01a9002c 33c0 XOR EAX, EAX
0x01a9002e 8a0424 MOV AL, [ESP]
0x01a90031 50 PUSH EAX
0x01a90032 55 PUSH EBP
0x01a90033 57 PUSH EDI
0x01a90034 56 PUSH ESI
0x01a90035 ff93cc010000 CALL DWORD [EBX+0x1cc]
0x01a9003b 5a POP EDX
0x01a9003c 5d POP EBP
0x01a9003d 5f POP EDI
0x01a9003e 5e POP ESI
0x01a9003f 5b POP EBX
Process: svchost.exe Pid: 2184 Address: 0x2000000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02000000 55 8b ec 81 c4 d0 fe ff ff 53 56 57 89 55 e0 8b U........SVW.U..
0x02000010 d8 8b f3 8b 86 b4 08 00 00 89 45 d8 8b 78 34 8b ..........E..x4.
0x02000020 87 24 03 00 00 89 45 e8 8b 87 e8 03 00 00 05 13 .$....E.........
0x02000030 01 00 00 89 45 e4 64 ff 35 00 00 00 00 8f 45 ec ....E.d.5.....E.
0x02000000 55 PUSH EBP
0x02000001 8bec MOV EBP, ESP
0x02000003 81c4d0feffff ADD ESP, 0xfffffed0
0x02000009 53 PUSH EBX
0x0200000a 56 PUSH ESI
0x0200000b 57 PUSH EDI
0x0200000c 8955e0 MOV [EBP-0x20], EDX
0x0200000f 8bd8 MOV EBX, EAX
0x02000011 8bf3 MOV ESI, EBX
0x02000013 8b86b4080000 MOV EAX, [ESI+0x8b4]
0x02000019 8945d8 MOV [EBP-0x28], EAX
0x0200001c 8b7834 MOV EDI, [EAX+0x34]
0x0200001f 8b8724030000 MOV EAX, [EDI+0x324]
0x02000025 8945e8 MOV [EBP-0x18], EAX
0x02000028 8b87e8030000 MOV EAX, [EDI+0x3e8]
0x0200002e 0513010000 ADD EAX, 0x113
0x02000033 8945e4 MOV [EBP-0x1c], EAX
0x02000036 64ff3500000000 PUSH DWORD [FS:0x0]
0x0200003d 8f45ec POP DWORD [EBP-0x14]
Process: svchost.exe Pid: 2184 Address: 0x1ff0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x01ff0000 55 8b ec 83 c4 d0 53 56 57 be 39 05 00 00 8b c6 U.....SVW.9.....
0x01ff0010 8b 90 b4 08 00 00 8b 5a 34 8b 83 24 03 00 00 89 .......Z4..$....
0x01ff0020 45 e8 8b 83 ec 03 00 00 05 cd 00 00 00 89 45 e4 E.............E.
0x01ff0030 64 ff 35 00 00 00 00 8f 45 ec ff 75 e8 8f 45 f0 d.5.....E..u..E.
0x01ff0000 55 PUSH EBP
0x01ff0001 8bec MOV EBP, ESP
0x01ff0003 83c4d0 ADD ESP, -0x30
0x01ff0006 53 PUSH EBX
0x01ff0007 56 PUSH ESI
0x01ff0008 57 PUSH EDI
0x01ff0009 be39050000 MOV ESI, 0x539
0x01ff000e 8bc6 MOV EAX, ESI
0x01ff0010 8b90b4080000 MOV EDX, [EAX+0x8b4]
0x01ff0016 8b5a34 MOV EBX, [EDX+0x34]
0x01ff0019 8b8324030000 MOV EAX, [EBX+0x324]
0x01ff001f 8945e8 MOV [EBP-0x18], EAX
0x01ff0022 8b83ec030000 MOV EAX, [EBX+0x3ec]
0x01ff0028 05cd000000 ADD EAX, 0xcd
0x01ff002d 8945e4 MOV [EBP-0x1c], EAX
0x01ff0030 64ff3500000000 PUSH DWORD [FS:0x0]
0x01ff0037 8f45ec POP DWORD [EBP-0x14]
0x01ff003a ff75e8 PUSH DWORD [EBP-0x18]
0x01ff003d 8f45f0 POP DWORD [EBP-0x10]
Process: svchost.exe Pid: 2184 Address: 0x2090000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 9, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02090000 00 00 94 01 f0 01 94 01 82 00 00 00 cf 01 94 01 ................
0x02090010 de 01 94 01 b9 01 94 01 7b 69 8b 02 c7 62 8b 02 ........{i...b..
0x02090020 2b 30 8c 02 ad 27 8c 02 a8 22 8c 02 dd 79 8b 02 +0...'..."...y..
0x02090030 4a a3 8b 02 7d 61 8b 02 1b 4b 8c 02 f0 3b 8c 02 J...}a...K...;..
0x02090000 0000 ADD [EAX], AL
0x02090002 94 XCHG ESP, EAX
0x02090003 01f0 ADD EAX, ESI
0x02090005 01940182000000 ADD [ECX+EAX+0x82], EDX
0x0209000c cf IRET
0x0209000d 019401de019401 ADD [ECX+EAX+0x19401de], EDX
0x02090014 b90194017b MOV ECX, 0x7b019401
0x02090019 698b02c7628b022b308c IMUL ECX, [EBX-0x749d38fe], 0x8c302b02
0x02090023 02ad278c02a8 ADD CH, [EBP-0x57fd73d9]
0x02090029 228c02dd798b02 AND CL, [EDX+EAX+0x28b79dd]
0x02090030 4a DEC EDX
0x02090031 a38b027d61 MOV [0x617d028b], EAX
0x02090036 8b02 MOV EAX, [EDX]
0x02090038 1b4b8c SBB ECX, [EBX-0x74]
0x0209003b 02f0 ADD DH, AL
0x0209003d 3b DB 0x3b
0x0209003e 8c02 MOV [EDX], ES
Process: svchost.exe Pid: 2184 Address: 0x2ca0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 711, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02ca0000 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa ................
0x02ca0010 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 ................
0x02ca0020 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 ................
0x02ca0030 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa ................
0x02ca0000 aa STOSB
0x02ca0001 94 XCHG ESP, EAX
0x02ca0002 81aa9481aa9481aa9481 SUB DWORD [EDX-0x6b557e6c], 0x8194aa81
0x02ca000c aa STOSB
0x02ca000d 94 XCHG ESP, EAX
0x02ca000e 81aa9481aa9481aa9481 SUB DWORD [EDX-0x6b557e6c], 0x8194aa81
0x02ca0018 aa STOSB
0x02ca0019 94 XCHG ESP, EAX
0x02ca001a 81aa9481aa9481aa9481 SUB DWORD [EDX-0x6b557e6c], 0x8194aa81
0x02ca0024 aa STOSB
0x02ca0025 94 XCHG ESP, EAX
0x02ca0026 81aa9481aa9481aa9481 SUB DWORD [EDX-0x6b557e6c], 0x8194aa81
0x02ca0030 aa STOSB
0x02ca0031 94 XCHG ESP, EAX
0x02ca0032 81aa9481aa9481aa9481 SUB DWORD [EDX-0x6b557e6c], 0x8194aa81
0x02ca003c aa STOSB
0x02ca003d 94 XCHG ESP, EAX
0x02ca003e 81 DB 0x81
0x02ca003f aa STOSB
testuser@debian:~$
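As an added example (not part of the lab output above and not Volatility's own code), here is a small Python helper that parses malfind's text output in the layout printed above, groups the reported regions per process and labels each one by its first bytes; its sample input is constructed from two shortened svchost.exe records plus a made-up explorer.exe record.

```python
# Added example (not Volatility's own code): triage helper for the text output
# of the Volatility 2 "malfind" plugin shown above.
import re

HEADER_RE = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
FLAGS_RE = re.compile(r"^Flags: CommitCharge: (\d+),")
# A hexdump line has 16 space-separated byte pairs; disassembly lines have one
# unspaced opcode run and therefore never match.
DUMP_RE = re.compile(r"^0x[0-9a-fA-F]+ ((?:[0-9a-fA-F]{2} ){16})")
# Common x86 function/shellcode openers: push ebp;mov ebp,esp / hotpatch
# mov edi,edi variant / push ebx;push esi / cld;call. A hint, not a verdict.
PROLOGUES = (b"\x55\x8b\xec", b"\x8b\xff\x55\x8b\xec", b"\x53\x56", b"\xfc\xe8")

# Constructed sample in malfind's layout: two svchost.exe records shortened
# from the lab output above, plus a made-up explorer.exe record.
SAMPLE = """\
Process: svchost.exe Pid: 2184 Address: 0x19f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x019f0000 53 56 8b c8 8b 99 b4 08 00 00 8b 73 34 8b da 33 SV.........s4..3
0x019f0010 c9 ff 96 d4 01 00 00 33 c0 89 43 04 33 c0 89 43 .......3..C.3..C
0x019f0000 53 PUSH EBX
Process: svchost.exe Pid: 2184 Address: 0x2ca0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 711, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x02ca0000 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa ................
0x02ca0010 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 81 aa 94 ................
0x02ca0000 aa STOSB
Process: explorer.exe Pid: 1234 Address: 0x3000000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 2, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x03000000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x03000010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x03000000 4d DEC EBP
"""

def classify(data: bytes) -> str:
    """Heuristic label for the leading bytes of a region."""
    if not any(data):
        return "zero_page"
    if data[:2] == b"MZ":
        return "pe_header"
    if data.startswith(PROLOGUES):
        return "code_prologue"
    for period in range(1, 5):  # short repeating pattern: filler or heap data
        if data == (data[:period] * (len(data) // period + 1))[: len(data)]:
            return "repeated_filler"
    return "unclassified"

def triage(text: str) -> list:
    """Parse malfind output into one dict per reported region."""
    records, current = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = {"process": m.group(1), "pid": int(m.group(2)),
                       "address": int(m.group(3), 16), "commit_charge": 0, "data": b""}
            records.append(current)
        elif current and (m := FLAGS_RE.match(line)):
            current["commit_charge"] = int(m.group(1))
        elif current and (m := DUMP_RE.match(line)):
            current["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    for rec in records:
        rec["kind"] = classify(rec["data"])
    return records

if __name__ == "__main__":
    # Largest regions first: a 711-page RWX private region deserves a look.
    for r in sorted(triage(SAMPLE), key=lambda r: -r["commit_charge"]):
        print(f"{r['process']:<13} pid={r['pid']:<5} {r['address']:#010x} "
              f"commit={r['commit_charge']:<4} {r['kind']}")
```

The labels only sort the output for review; a region tagged repeated_filler or unclassified still needs to be dumped and inspected before it is dismissed.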
That's all.