<b>Debugging and reverse engineering</b> - On this blog, you'll find postmortem/live bug check (BSOD) debugging, malware analysis, and reverse engineering.<br />
<b>Samsung deliberately disabling Windows Update the way the user intends it to</b> (published 2015-06-23, feed updated 2015-06-28)<br />
<i>Last updated 6/26/2015 - 4:49 PM EST.</i><br />
<br />
<b>-- Windows Update is abbreviated as "WU" in my own text.</b><br />
<br />
First of all, I had this included in my post since the get-go, but it was overlooked as it wasn't at the beginning of the post. With that said, I'm moving it here, and clarifying a bit more. I was not the sole person involved, it was a multiple-person discovery. Here were the people involved:<br />
<br />
<b>wavly </b>- The user that had the problem, and the reason we had anything to even discover in the first place.<br />
<b>BrianDrab </b>- Assisted wavly with their Windows Update problem, and investigated with us why it kept resetting and preventing the user from keeping the setting they wanted.<br />
<b>niemiro </b>- Was largely involved in the discovery by investigating/reverse engineering SW Update.<br />
<b>zcomputerwiz </b>- Was largely involved in the discovery by suggesting registry auditing.<br />
<b>tom982 </b>- Was largely involved in the discovery by investigating/reverse engineering SW Update.<br />
<b>Tekno Venus</b> - Was largely involved in the discovery by investigating/reverse engineering SW Update.<br />
<b>Me (Patrick Barker)</b> - Was involved in the discovery by further reverse engineering and investigating SW Update and its behavior after the above people, and creating the blog post.<br />
<br />
I've also seen a few (very few) articles even say I was the individual who was helping with the Windows Update issue(s) wavly was having. For the record, I personally don't know a damn thing about the technicalities of Windows Update, how to fix broken updates, etc. The user that was assisting wavly with the Windows Update issue(s) was BrianDrab, as I had mentioned in this post, just apparently not mentioned enough (or clearly enough). I merely further investigated and reverse engineered SW Update, and brought <b>Disable_Windowsupdate.exe </b>and its silent behavior to light.<br />
<br />
<i>Onto the post...</i><br />
<br />
On my home forum <a href="http://www.sysnative.com/forums/windows-update/14653-windows-update-problems.html" target="_blank">Sysnative</a>, a user (wavly) was being assisted with a WU issue, which was going well, aside from the fact that wavly's WU kept getting reset to "Check for updates but let me choose whether to download or install them" after every single reboot of Windows. It was eventually figured out, using auditpol.exe and registry security auditing (shown below), that the program responsible for resetting WU was <b>Disable_Windowsupdate.exe</b>, which is part of Samsung's SW Update software.<br />
<br />
SW Update is your typical OEM updating software: it updates your Samsung drivers, the bloatware that came on your Samsung machine, etc. The one difference from other OEM updating software is that Samsung's disables WU from working as the user intends it to.<br />
<br />
<u><b>SW Update will install on:</b></u><br />
<br />
Windows XP (all Service Packs) - Update service will not be installed whatsoever.<br />
Windows Vista (x86/x64)<br />
Windows 7/SP1 (x86/x64)<br />
Windows 8/8.1 (x86/x64) <br />
<br />
Do note that it checks for a Samsung environment, and if one is not detected, the program is in general <i>really </i>buggy: many of its features won't drop or work as intended, which is why a lot of manual work is needed to investigate it.<br />
<br />
<u><b>What devices does SW Update run on?</b></u><br />
<br />
Samsung notes:<br />
<blockquote class="tr_bq">
<i><b> </b>SW Update allows you to download and install the newest drivers, updates, and software for your Windows PC.</i></blockquote>
So most likely only desktop and laptop type devices that run the Windows OS.<br />
<br />
<b><u>Uninstalling SW Update</u></b><br />
<br />
<b>UPDATE</b>: I've received confirmation from a Samsung NP350V5C-A06UK user (Windows 8.1) that uninstalling SW Update via the Programs and Features list <i><b>does in fact</b></i> remove all of its installed parts, including the service. With that said, it does indeed stop resetting Windows Update's settings after reboots. So the solution to having SW Update constantly reset your Windows Update settings and disabling it from working as you intended, is to simply uninstall SW Update.<br />
<br />
<b>-- Initially today I had this saying it did not stop it from resetting, but wavly got back to me and said they were mistaken.</b><br />
<br />
First off, here's how it was found:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> A registry value was modified.
Subject:
Security ID: SYSTEM
Account Name: PURGED
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Object Value Name: UpdatesAvailableForDownloadLogon
Handle ID: 0xecc
Operation Type: <span style="color: red;">Registry value deleted </span>
Process Information:
Process ID: 0x5c
Process Name: C:\Windows\System32\svchost.exe
Change Information:
Old Value Type: REG_DWORD
Old Value: 0
New Value Type: -
New Value: -
</code></pre>
<br />
And then shortly after...<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> A registry value was modified.
Subject:
Security ID: SYSTEM
Account Name: PURGED
Account Domain: WORKGROUP
Logon ID: 0x3E7
Object:
Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Object Value Name: UpdatesAvailableForDownloadLogon
Handle ID: 0x135c
Operation Type: <span style="color: red;">New registry value created</span>
Process Information:
Process ID: 0x5c
Process Name: C:\Windows\System32\svchost.exe
Change Information:
Old Value Type: -
Old Value: -
New Value Type: REG_DWORD
New Value: 0
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Object:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Handle ID: 0x144
Resource Attributes: -
Process Information:
Process ID: 0x1ae4
Process Name: <span style="color: red;">C:\ProgramData\SAMSUNG\SWUpdate\Temp\Packages\BASW-A0394A05\64\Disable_Windowsupdate.exe</span>
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query key value
Set key value
Create sub-key
Enumerate sub-keys
Notify about changes to keys
Create Link
Access Reasons: -
Access Mask: 0xF003F
Privileges Used for Access Check: -
Restricted SID Count: 0
</code></pre>
<br />
Etc.<br />
<br />
There were other Object Value Names, such as:<br />
<ul>
<li>CachedAUOptions </li>
<li>InstallInProgress</li>
<li>UpdatesAvailableForInstallLogon </li>
<li>UpdatesAvailableWithUiLogon </li>
<li>UpdatesAvailableWithUiOrEulaLogon</li>
<li>FirmwareUpdatesNotDownloaded</li>
<li>FirmwareUpdatesNotInstalled</li>
</ul>
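The auditing step that produced the events above, reconstructed as an added example (not code from the post): enable the Registry audit subcategory with auditpol.exe, put a SACL on the Auto Update key, then pull the resulting 4657/4663 events from the Security log and group them by the process that made the change. It assumes an elevated PowerShell prompt; the %%1904-%%1906 strings are the Security log's own OperationType message ids.

```powershell
# Added example, not part of the original post: reproduce the auditpol + registry SACL
# approach that exposed Disable_Windowsupdate.exe, then summarise which processes wrote
# to the Auto Update key. Run from an elevated PowerShell prompt.

# PowerShell path of the key, and its NT object path as it appears in audit events.
$KeyPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$ObjectName = '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

# Event 4657 reports OperationType as a message id; these are the Security log's strings.
$OperationNames = @{
    '%%1904' = 'New registry value created'
    '%%1905' = 'Existing registry value modified'
    '%%1906' = 'Registry value deleted'
}

function Enable-AutoUpdateKeyAuditing {
    # 1. Turn on the Object Access > Registry audit subcategory.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    # 2. Add a SACL entry so that any principal setting, deleting or creating values
    #    under the key generates 4657/4663 events (the accesses seen in the post).
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'SetValue, Delete, CreateSubKey', 'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-AutoUpdateKeyWriters {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # 4657 = registry value modified, 4663 = handle to the key used for an audited access.
    $filter = @{ LogName = 'Security'; Id = 4657, 4663; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields by name rather than by position.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -ne $ObjectName) { continue }

        $detail = if ($e.Id -eq 4657) {
            $op = $data['OperationType']
            if ($OperationNames.ContainsKey($op)) { $OperationNames[$op] } else { $op }
        } else {
            "access mask $($data['AccessMask'])"    # e.g. 0xF003F, as in the post
        }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Process   = $data['ProcessName']
            ValueName = $data['ObjectValueName']    # only populated on 4657
            Detail    = $detail
        }
    }
}

Enable-AutoUpdateKeyAuditing
# Now change the Windows Update setting, reboot or log on again, and then ask which
# processes touched the key. svchost.exe (the WU service itself) is expected;
# anything running out of \ProgramData is the finding.
Get-AutoUpdateKeyWriters | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```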
Anyway, moving on, let's take a look!<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\AuthorizedCDFPrefix: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Comments: "SW Update Setup"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Contact: "Samsung Electronics CO., LTD."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\DisplayVersion: "2.2.9"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\HelpLink: "http://www.samsung.com"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\HelpTelephone: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallDate: "20150623"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallLocation: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\InstallSource: "C:\ProgramData\Samsung\SWUpdate\Temp\"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\ModifyPath: "MsiExec.exe /I{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Publisher: "Samsung Electronics CO., LTD."
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Readme: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Size: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\EstimatedSize: 0x00008172
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\UninstallString: "MsiExec.exe /I{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\URLInfoAbout: "http://www.samsung.com"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\URLUpdateInfo: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\VersionMajor: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\VersionMinor: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\WindowsInstaller: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Version: 0x02020009
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\Language: 0x00000409
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AAFEFB05-CF98-48FC-985E-F04CD8AD620D}\DisplayName: "SW Update"
</code></pre>
<br />
Here's its basic information from a comparison of registry changes after installation.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SOFTWARE\Samsung\CurrentPath\20000: ""C:\Program Files\Samsung\SW Update\sManager.exe""
HKLM\SOFTWARE\Samsung\SW Update\AgentPath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe"
HKLM\SOFTWARE\Samsung\SW Update\InstallPath: "C:\Program Files\Samsung\SW Update\sManager.exe"
HKLM\SOFTWARE\Samsung\SW Update\TrafficDecentralize: "Y"
HKLM\SOFTWARE\Samsung\SW Update\LastORCAServerUpdateDateTime: "2015-06-22T02:28:42"
HKLM\SOFTWARE\Samsung\SW Update\AgentSleepSec: "300"
HKLM\SOFTWARE\Samsung\SWMCommon\FirstAgentExecDateTime: "2015-06-23T01:47:42"
HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\Type: 0x00000110
HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ImagePath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE"
HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\DisplayName: "SW Update Service"
HKLM\SYSTEM\ControlSet001\Services\SWUpdateService\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\Type: 0x00000110
HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ImagePath: "C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe /SERVICE"
HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\DisplayName: "SW Update Service"
HKLM\SYSTEM\CurrentControlSet\Services\SWUpdateService\ObjectName: "LocalSystem"
</code></pre>
<br />
Here we can see some more information, such as its agent's sleep interval (300 seconds), its first execution timestamp, and the creation of the "SW Update" service. I'll break down the service values:<br />
<br />
<b>Type (0x00000110)</b>: As far as I know, this implies it's a Win32 program that can be started by Windows' Service Controller, and that it obeys the service control protocol. This type of Win32 service runs in a process by itself.<br />
<br />
<b>Start (0x00000002)</b>: This means the service is set to start automatically at every boot, regardless of service type. Its loader is the Service Control Manager, whereas 0x0 (boot) would be loaded by the kernel and 0x1 (system) by the I/O subsystem.<br />
<br />
<b>ErrorControl (0x00000001)</b>: This means that if it fails to load or initialize, startup proceeds regardless, but a warning is displayed.<br />
<br />
We note that its ImagePath sits under:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> C:\ProgramData\Samsung
</code></pre>
<br />
If you show hidden files and folders and navigate there, you have two folders: "SW Update Service" and "SWUpdate". If you actually have a Samsung machine, you instead have <i>two </i>"SWUpdate" folders, and they both contain XML files. Let's take a look at one (<b>BASW-A0394A05_1B33BCEB.xml</b>):<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 200px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <?xml version="1.0" encoding="UTF-8"?>
-<MaxList>
-<Head>
<BOMID/>
<CISCode/>
<Product/>
<Project/>
<Model/>
<DevStep/>
<BaseMRT/>
<BaseBOM/>
<Region/>
<OS/>
<Language/>
<ROLString/>
<Date/>
<Time/>
<Test>Yes</Test>
</Head>
-<Item>
<CISCode>BASW-A0394A05</CISCode>
<ItemType>SOFTWARE</ItemType>
<DisplayName>Disable_AutoWindowsUpdate1.0</DisplayName>
<Region>DNC</Region>
<OS>WBPR64/WBSL64/WBST64</OS>
<Lang>DNC</Lang>
<ROLString>ALL</ROLString>
<InstallType>PSTEXE</InstallType>
<InstallPath>BASW-A0394A\BASW-A0394A04.ZIP</InstallPath>
<InstallFile>Inst.exe</InstallFile>
<InstallPara1>/pbr /na</InstallPara1>
<InstallPara2/>
<InstallOrgFileSize>4678908</InstallOrgFileSize>
<InstallFileSize>2055424</InstallFileSize>
<ImageCate>C2P1</ImageCate>
<ImageType>GCP</ImageType>
<ImageSequence/>
<MediaType>SM1</MediaType>
<MediaSubCate>ITMOPT</MediaSubCate>
<MediaSequence/>
<CheckType>NoVerify</CheckType>
<CheckRoot/>
<VerifyAttribute>1.0</VerifyAttribute>
<VerifyPara1/>
<VerifyPara2/>
<System/>
<Selectable>Y</Selectable>
<AND/>
<XOR/>
<DistributionPriority>1</DistributionPriority>
<FURL>http://orcaservice.samsungmobile.com/FileDownloader.aspx?Type=PATCH&FILENAME=BASW-A0394A04.ZIP</FURL>
-<MultiLangDisplayName>
<Default>ENG</Default>
-<Value>
<Lang>ENG</Lang>
<Str>Windows Configuration</Str>
</Value>
-<Value>
<Lang>KOR</Lang>
<Str>Windows Configuration</Str>
</Value>
</MultiLangDisplayName>
<Version>1.0</Version>
-<DDesc>
<Default>ENG</Default>
-<Value>
<Lang>ENG</Lang>
<Str>This program helps your windows configuration settings.</Str>
</Value>
-<Value>
<Lang>KOR</Lang>
<Str>이 프로그램은 Windows configuration 프로그램입니다.</Str>
</Value>
</DDesc>
<RemoveFilePath/>
<RemovePara1/>
<RemovePara2/>
-<RemoveComment>
<Default>ENG</Default>
</RemoveComment>
<UpdatePara1/>
<UpdatePara2/>
<TargetCISCode> </TargetCISCode>
<MutualExclusiveCISCode/>
<SWCate2>Miscellaneous</SWCate2>
<Keyword1>SDR</Keyword1>
<Keyword2>SDR</Keyword2>
<Keyword3>SDR</Keyword3>
<AutoInstall>Y</AutoInstall>
<SingleInstall>Y</SingleInstall>
-<PatchSequence>
-<InstCmd>
<InstCmdType>GENERAL_EXECUTION</InstCmdType>
-<InstCmdParam>
<Name>EXCUTION_FILE_NAME</Name>
<Value>64\Disable_Windowsupdate.exe</Value>
</InstCmdParam>
</InstCmd>
</PatchSequence>
<FromProductDate/>
<ToProductDate/>
<BulletineDate>2015-05-12 17:12:43</BulletineDate>
-<ProcCondition>
-<ProcInfo>
<ProcType>REG_VALUE</ProcType>
-<ProcParam>
<Name>BASE_OP</Name>
<Value>AND</Value>
</ProcParam>
-<ProcParam>
<Name>REG_KEY</Name>
<Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value>
</ProcParam>
-<ProcParam>
<Name>REG_VALUE_NAME</Name>
<Value>AUOptions</Value>
</ProcParam>
-<ProcParam>
<Name>REG_VALUE_TYPE</Name>
<Value>REG_DWORD</Value>
</ProcParam>
-<ProcParam>
<Name>REG_VALUE</Name>
<Value>2</Value>
</ProcParam>
-<ProcParam>
<Name>OP_RELATION</Name>
<Value>!=</Value>
</ProcParam>
</ProcInfo>
-<ProcInfo>
<ProcType>REG_VALUE</ProcType>
-<ProcParam>
<Name>BASE_OP</Name>
<Value>AND</Value>
</ProcParam>
-<ProcParam>
<Name>REG_KEY</Name>
<Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value>
</ProcParam>
-<ProcParam>
<Name>REG_VALUE_NAME</Name>
<Value>AUOptions</Value>
</ProcParam>
-<ProcParam>
<Name>REG_VALUE_TYPE</Name>
<Value>REG_DWORD</Value>
</ProcParam>
-<ProcParam>
<Name>REG_VALUE</Name>
<Value>4</Value>
</ProcParam>
-<ProcParam>
<Name>OP_RELATION</Name>
<Value>=</Value>
</ProcParam>
</ProcInfo>
</ProcCondition>
<Thumbnail/>
<Screenshot1/>
<Screenshot2/>
<Screenshot3/>
-<AdURL>
<URL/>
<FromDate>1900-01-01 오전 12:00:00</FromDate>
<ToDate>1900-01-01 오전 12:00:00</ToDate>
</AdURL>
</Item>
</MaxList>
</code></pre>
<br />
Note its installer file. <br />
<br />
We can see now how <b>Disable_Windowsupdate.exe </b>begins its "drop": the zip it's contained in is downloaded from:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> http://orcaservice.samsungmobile.com/FileDownloader.aspx?Type=PATCH&FILENAME=BASW-A0394A04.ZIP
</code></pre>
<br />
I find this string excerpt particularly funny:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <Str>This program helps your windows configuration settings.</Str>
</code></pre>
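The manifest's <b>ProcCondition</b> block is what gates the patch, and it is worth evaluating rather than eyeballing. The following is an added example (not Samsung's code): it parses the two REG_VALUE clauses copied from the manifest above and tests them against each documented AUOptions value. The BASE_OP and OP_RELATION semantics are inferred from the manifest itself.

```powershell
# Added example, not Samsung's code: parse the <ProcCondition> block of a SW Update
# manifest and evaluate it against AUOptions, to see exactly when the
# "Windows Configuration" patch is applied. The fragment below is copied from the post;
# BASE_OP / OP_RELATION handling is inferred from it.

$ProcConditionXml = @'
<ProcCondition>
  <ProcInfo>
    <ProcType>REG_VALUE</ProcType>
    <ProcParam><Name>BASE_OP</Name><Value>AND</Value></ProcParam>
    <ProcParam><Name>REG_KEY</Name><Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value></ProcParam>
    <ProcParam><Name>REG_VALUE_NAME</Name><Value>AUOptions</Value></ProcParam>
    <ProcParam><Name>REG_VALUE_TYPE</Name><Value>REG_DWORD</Value></ProcParam>
    <ProcParam><Name>REG_VALUE</Name><Value>2</Value></ProcParam>
    <ProcParam><Name>OP_RELATION</Name><Value>!=</Value></ProcParam>
  </ProcInfo>
  <ProcInfo>
    <ProcType>REG_VALUE</ProcType>
    <ProcParam><Name>BASE_OP</Name><Value>AND</Value></ProcParam>
    <ProcParam><Name>REG_KEY</Name><Value>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update</Value></ProcParam>
    <ProcParam><Name>REG_VALUE_NAME</Name><Value>AUOptions</Value></ProcParam>
    <ProcParam><Name>REG_VALUE_TYPE</Name><Value>REG_DWORD</Value></ProcParam>
    <ProcParam><Name>REG_VALUE</Name><Value>4</Value></ProcParam>
    <ProcParam><Name>OP_RELATION</Name><Value>=</Value></ProcParam>
  </ProcInfo>
</ProcCondition>
'@

function ConvertFrom-ProcCondition {
    # Turn each REG_VALUE <ProcInfo> into one clause object.
    param([xml]$Xml)
    foreach ($info in $Xml.SelectNodes('/ProcCondition/ProcInfo')) {
        if ($info.SelectSingleNode('ProcType').InnerText -ne 'REG_VALUE') { continue }
        $p = @{}
        foreach ($param in $info.SelectNodes('ProcParam')) {
            $p[$param.SelectSingleNode('Name').InnerText] = $param.SelectSingleNode('Value').InnerText
        }
        [pscustomobject]@{
            BaseOp    = $p['BASE_OP']          # how this clause combines with the previous ones
            Key       = $p['REG_KEY']
            ValueName = $p['REG_VALUE_NAME']
            Expected  = [int]$p['REG_VALUE']
            Relation  = $p['OP_RELATION']      # '=' or '!=' in this manifest
        }
    }
}

function Test-ProcCondition {
    # Evaluate the clauses against a candidate AUOptions value; the first clause seeds the result.
    param([xml]$Xml, [int]$AUOptions)
    $result = $null
    foreach ($c in ConvertFrom-ProcCondition -Xml $Xml) {
        $ok = switch ($c.Relation) {
            '='     { $AUOptions -eq $c.Expected }
            '!='    { $AUOptions -ne $c.Expected }
            default { throw "Unsupported OP_RELATION '$($c.Relation)'" }
        }
        if ($null -eq $result)      { $result = $ok }
        elseif ($c.BaseOp -eq 'OR') { $result = $result -or $ok }
        else                        { $result = $result -and $ok }
    }
    [bool]$result
}

$xml = [xml]$ProcConditionXml

# Walk the documented AUOptions values: 1 = never check, 2 = notify before download,
# 3 = download and notify before install, 4 = install automatically.
foreach ($v in 1..4) {
    "AUOptions = $v -> Disable_Windowsupdate.exe would run: $(Test-ProcCondition -Xml $xml -AUOptions $v)"
}

# And the live value on this machine, if the key has one.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$live  = Get-ItemProperty -Path $auKey -Name AUOptions -ErrorAction SilentlyContinue
if ($live) { "This machine (AUOptions = $($live.AUOptions)) -> $(Test-ProcCondition -Xml $xml -AUOptions $live.AUOptions)" }
```

Only AUOptions = 4 satisfies both clauses, so the patch fires precisely when the user has chosen automatic installation, which is consistent with the behaviour wavly saw.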
<br />
Once the zip is dropped, we can inspect its contents as well:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhneoGH_bMdH0BJYePLDlta7c8q7pcapdoeO1JdCRg0OCLq8DfJgoO5IOut0cJlNngIdOXnNC_eHdFJ8Cvt9XTmZ_j2HtMEGModuDovqOu4hGzNb0o0yxw7rCDsDo936DWnVAkQcnlP4iRF/s1600/zip+contents.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhneoGH_bMdH0BJYePLDlta7c8q7pcapdoeO1JdCRg0OCLq8DfJgoO5IOut0cJlNngIdOXnNC_eHdFJ8Cvt9XTmZ_j2HtMEGModuDovqOu4hGzNb0o0yxw7rCDsDo936DWnVAkQcnlP4iRF/s320/zip+contents.png" width="320" /></a></div>
<br />
If we check the config file for the installer file:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> ;HowTo : The registry location of the installed language....
;[HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language]
;InstallLanguage=????
;%CD%\ = Current Folder Location Variable
;%WinDir% = Windows Folder ex) C:\Windows C:\Winnt
;%ProgramFiles% = Program Files Folder ex) C:\Program Files, C:\Archivo de program, C:\Programme
;%LangID%
;HowTo : The registry location of the installed language....
;[HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language]
;LangID Lang / Export to
;0412 KOR / KOR
;0409 ENG / UK, HKG
;040C FRN / FRN
;0407 GER / GER
;0411 JPN / JPN
;0404 CHT / CHT
;0804 CHS / CHS
;0C0A SPA / SPA
;0816 POR / POR
;0419 RUS / RUS
[BaseSettings]
OSConditional= TRUE
ShowWin = FALSE
RunInAuditMode = TRUE
[32Win8]
Setup1=xcopy 32\Disable_Windowsupdate.exe "%ALLUSERSPROFILE%\Samsung\" /y
Setup2=schtasks /create /XML "%CD%\Dis_AU.xml" /tn "Dis_AU"
[64Win8]
Setup1=xcopy 64\Disable_Windowsupdate.exe "%ALLUSERSPROFILE%\Samsung\" /y
Setup2=schtasks /create /XML "%CD%\Dis_AU.xml" /tn "Dis_AU"
</code></pre>
<br />
We can see it's using the xcopy command to "drop" <b>Disable_Windowsupdate.exe </b>into \ProgramData\Samsung. <b>%ALLUSERSPROFILE%</b> is an environment variable that resolves to \ProgramData on Vista and later, and to \Documents and Settings\All Users on XP.<br />
<br />
We can confirm this by checking ourselves:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRzVR6-y3S4egZRIeMiW0xtzPzRumJ5O-Jr1mdr9bB_8W-Ts2vjt4nH2kS8RRkXOttrB1q6dW3E-nfUsBZX9LcIXuUgHf1Ofz6weDWnsikENLy9Q-l9WGYTD9FvRlmQKrPtng29t2s6VsZ/s1600/dropped.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRzVR6-y3S4egZRIeMiW0xtzPzRumJ5O-Jr1mdr9bB_8W-Ts2vjt4nH2kS8RRkXOttrB1q6dW3E-nfUsBZX9LcIXuUgHf1Ofz6weDWnsikENLy9Q-l9WGYTD9FvRlmQKrPtng29t2s6VsZ/s320/dropped.png" width="320" /></a></div>
<br />
Note that the exe is actually signed by Samsung themselves:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1eayvhjJNYeFynggMD5GMTEKamphSFm0Hw6Xy_kM0vohPozDAXzmnRGtxC2_E19_NYG_-gpMsTcn8ZAJkK3rc5gyr_0VD5Fd_bPsabsmzwMD0bDdWr2USsSYktnipsvJaiUYl1w5vgxmP/s1600/cert.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1eayvhjJNYeFynggMD5GMTEKamphSFm0Hw6Xy_kM0vohPozDAXzmnRGtxC2_E19_NYG_-gpMsTcn8ZAJkK3rc5gyr_0VD5Fd_bPsabsmzwMD0bDdWr2USsSYktnipsvJaiUYl1w5vgxmP/s320/cert.png" width="256" /></a></div>
<br />
So a big question is how this persistently resets Windows Update after you change it and reboot, and the answer is that it's actually not SW Update itself. SW Update is basically just there to genuinely do its job, which is to update Samsung's drivers, software, etc. <br />
<br />
What's actually causing Windows Update to be persistently reset, and preventing the user from keeping the setting they want, is the fact that<b> Disable_Windowsupdate.exe </b>creates a scheduled task that runs at every logon to ensure that Windows Update is consistently reset to "Check for updates but let me choose whether to download or install them".<br />
<br />
We can see the task's contents below:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2006-12-03T15:11:57.570551</Date>
<Author>Administrator</Author>
</RegistrationInfo>
<Triggers>
<LogonTrigger id="145a3a6c-a630-4ec0-985d-1280512f0ba8">
<Enabled>true</Enabled>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<GroupId>S-1-5-32-545</GroupId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>"%ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe"</Command>
<WorkingDirectory>%ALLUSERSPROFILE%\Samsung</WorkingDirectory>
</Exec>
</Actions>
</Task>
</code></pre>
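The task above combines several traits that are worth hunting for on their own: it is hidden, triggered at every logon, requests the highest available privileges, is bound to the Users group, and executes a binary out of %ALLUSERSPROFILE%. As an added example (not from the post), this scores a task's XML on those traits, first on an abridged copy of the Dis_AU XML and then across every registered task; the live scan assumes Windows 8 or later for the ScheduledTasks module.

```powershell
# Added example, not part of the post: score scheduled tasks for the traits the Dis_AU
# task combines (hidden, logon-triggered, elevated, fired for every Users member, binary
# under a writable data path). The inline sample is the task XML from the post, abridged.

$SampleTaskXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2006-12-03T15:11:57.570551</Date>
    <Author>Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger id="145a3a6c-a630-4ec0-985d-1280512f0ba8">
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-32-545</GroupId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"%ALLUSERSPROFILE%\Samsung\Disable_Windowsupdate.exe"</Command>
      <WorkingDirectory>%ALLUSERSPROFILE%\Samsung</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
'@

function Test-TaskPersistenceTraits {
    param([xml]$TaskXml, [string]$TaskName = '(inline sample)')
    $t       = $TaskXml.Task
    $command = [string]$t.Actions.Exec.Command
    $reasons = @()

    if ($t.Settings.Hidden -eq 'true')                           { $reasons += 'hidden from the Task Scheduler UI' }
    if ($t.Triggers.LogonTrigger)                                { $reasons += 'runs at every logon' }
    if ($t.Principals.Principal.RunLevel -eq 'HighestAvailable') { $reasons += 'requests highest available privileges' }
    if ($t.Principals.Principal.GroupId -eq 'S-1-5-32-545')      { $reasons += 'principal is BUILTIN\Users, so it fires for any user' }
    # %ALLUSERSPROFILE% (\ProgramData) and the per-user profile locations are writable without admin rights.
    if ($command -match '(?i)%ALLUSERSPROFILE%|\\ProgramData\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%') {
        $reasons += 'executes from a user-writable data path'
    }

    [pscustomobject]@{ Task = $TaskName; Command = $command; Score = $reasons.Count; Reasons = $reasons -join '; ' }
}

function Get-TaskPersistenceFindings {
    # Export every registered task as XML and keep the ones that match most traits.
    param([int]$MinScore = 3)
    Get-ScheduledTask | ForEach-Object {
        $xml = [xml](Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath)
        Test-TaskPersistenceTraits -TaskXml $xml -TaskName ($_.TaskPath + $_.TaskName)
    } | Where-Object { $_.Score -ge $MinScore } | Sort-Object Score -Descending
}

# The post's Dis_AU task matches all five traits.
Test-TaskPersistenceTraits -TaskXml ([xml]$SampleTaskXml) -TaskName 'Dis_AU' | Format-List

# Scan this machine.
Get-TaskPersistenceFindings | Format-Table Task, Score, Command -AutoSize
```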
<br />
<u><b>Let's see it in action</b></u><br />
<br />
So first off, as I noted earlier in the post, if you're trying to run the Samsung update software + disabler, etc., on a non-Samsung environment, it's <i>really </i>buggy. My VM was going through convulsions just trying to take screenshot examples after frequent restarts, so there's a few minutes in between each screenshot.<br />
<br />
Here's what WU looks like directly after installing SW Update:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzDjvukuMOHODdaJ2Y1Ej52UfzH19xfSgAmD7Hivva3wgd5_3G_9_wj_lp1bomBoddUTvSwv9cDVIwQ6zBLTkV6GsvzmPAReGic6C82SwcjTh3sqvN3I8__UKsV_NeH3LWbaYCwr5N7G-n/s1600/1part1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzDjvukuMOHODdaJ2Y1Ej52UfzH19xfSgAmD7Hivva3wgd5_3G_9_wj_lp1bomBoddUTvSwv9cDVIwQ6zBLTkV6GsvzmPAReGic6C82SwcjTh3sqvN3I8__UKsV_NeH3LWbaYCwr5N7G-n/s320/1part1.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3l3L9r9TlIbpNWYOBPJKgmNV7Az1DgGv__an9vGlXpMV3JNcVTPNLYJwzLlYmM-CcRiJ_pDUMUMjfzGl357ZAy2QyGNgaiDNR5OYGJ-PZXxL0rEdtc8r-LL4rXWIY5Mtm7cTJtSAqZ2s/s1600/1part2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX3l3L9r9TlIbpNWYOBPJKgmNV7Az1DgGv__an9vGlXpMV3JNcVTPNLYJwzLlYmM-CcRiJ_pDUMUMjfzGl357ZAy2QyGNgaiDNR5OYGJ-PZXxL0rEdtc8r-LL4rXWIY5Mtm7cTJtSAqZ2s/s320/1part2.png" width="320" /></a></div>
<br />
Note that it's set to <b>'Check for updates but let me choose whether to download and install them'</b>.<br />
<br />
<div style="text-align: center;">
Let's change it to <b>'Install updates automatically (recommended)'</b>:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Q3sMLdfFItQzHv0HxomVUcJaZHDF3Foab53K8PNplj-f73xIfX7ZwDZNluHwEOgr4b9l1nt7fSbEttgGw1ClH3J2V8UFICilbgJYJRnPEDwUcn2LMuNU1wew-ejQ1viGmZjPgqUj0dUP/s1600/1part3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_Q3sMLdfFItQzHv0HxomVUcJaZHDF3Foab53K8PNplj-f73xIfX7ZwDZNluHwEOgr4b9l1nt7fSbEttgGw1ClH3J2V8UFICilbgJYJRnPEDwUcn2LMuNU1wew-ejQ1viGmZjPgqUj0dUP/s320/1part3.png" width="320" /></a></div>
<br />
<div style="text-align: center;">
Cool, let's restart and check again.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7D_JaLM3uQPT26DBU89uVzZ6b6FA66FAo4460LG8KkbtM556FLhAsqoZgyd37ZfwImXkliIlj-FcgxEjuaaGX6pny8rPf3dG78A18WttCInHdym7kiZ13PQq1IKcQ3LTcDCsbO_88Q0gr/s1600/1part4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7D_JaLM3uQPT26DBU89uVzZ6b6FA66FAo4460LG8KkbtM556FLhAsqoZgyd37ZfwImXkliIlj-FcgxEjuaaGX6pny8rPf3dG78A18WttCInHdym7kiZ13PQq1IKcQ3LTcDCsbO_88Q0gr/s320/1part4.png" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
Oh, this doesn't look right. Let's check the settings: </div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbIlJCmtxYw6tns8hrMtQxT8_I-lZYcJCw6rlZmo25pnE_thA31fCiRE2ZiHOCbi5yw3uFcPA4xI3wF-ogGyPM2Bq9otEK4WN14Rgysqyi8vf_iEP9wGwEzfa4YBx4E1JxDajCcXiuJCSS/s1600/1part5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbIlJCmtxYw6tns8hrMtQxT8_I-lZYcJCw6rlZmo25pnE_thA31fCiRE2ZiHOCbi5yw3uFcPA4xI3wF-ogGyPM2Bq9otEK4WN14Rgysqyi8vf_iEP9wGwEzfa4YBx4E1JxDajCcXiuJCSS/s320/1part5.png" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
Uh...</div>
<br />
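The screenshots above show the reversion only by eyeballing the Control Panel before and after a reboot. The script below is an added example (mine, not from the original post or from Samsung's SW Update) that makes the same check scriptable from a defender's side: it reads the Automatic Updates setting through the Windows Update Agent COM object (<b>Microsoft.Update.AutoUpdate</b>, the same interface the applet consults) together with the per-machine and Group Policy <b>AUOptions</b> registry values, stores a baseline on the first run, and reports any drift on later runs. The baseline file location is an assumption; adjust it as needed.<br />

```powershell
# Added example, not code from the original post. Records the Automatic Updates
# setting as a baseline on the first run; on later runs (e.g. after a reboot)
# it reports any change, so a silent reset by third-party software shows up
# without clicking through the Control Panel.
# Assumption: baseline file lives under %ProgramData%; change as needed.
$BaselinePath = Join-Path $env:ProgramData 'wu-baseline.json'

# NotificationLevel values of IAutomaticUpdatesSettings (Windows Update Agent API).
$LevelNames = @{
    0 = 'Not configured'
    1 = 'Disabled (never check for updates)'
    2 = 'Notify before download'
    3 = 'Notify before installation'
    4 = 'Scheduled installation (install automatically)'
}

function Get-WUState {
    # The COM object is what the Control Panel applet itself consults.
    $au       = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $settings = $au.Settings

    # The per-machine value behind the UI choice, and the policy value that
    # overrides it when present (either may be absent).
    $cfgPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $polPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $cfg = Get-ItemProperty -Path $cfgPath -Name AUOptions -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path $polPath -Name AUOptions -ErrorAction SilentlyContinue
    $cfgValue = $null
    $polValue = $null
    if ($cfg) { $cfgValue = [int]$cfg.AUOptions }
    if ($pol) { $polValue = [int]$pol.AUOptions }

    $level = [int]$settings.NotificationLevel
    [pscustomobject]@{
        Timestamp         = (Get-Date).ToString('o')
        NotificationLevel = $level
        LevelName         = $LevelNames[$level]
        ReadOnly          = [bool]$settings.ReadOnly   # true when policy controls the setting
        ConfigAUOptions   = $cfgValue
        PolicyAUOptions   = $polValue
    }
}

function Compare-WUState {
    param([pscustomobject]$Baseline, [pscustomobject]$Current)
    # Returns one line per property that differs from the recorded baseline.
    $drift = @()
    foreach ($p in 'NotificationLevel', 'ReadOnly', 'ConfigAUOptions', 'PolicyAUOptions') {
        if ($Baseline.$p -ne $Current.$p) {
            $drift += ('{0}: baseline={1} now={2}' -f $p, $Baseline.$p, $Current.$p)
        }
    }
    return $drift
}

$current = Get-WUState
if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Output "Baseline recorded: $($current.LevelName)"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = Compare-WUState -Baseline $baseline -Current $current
    if ($drift.Count -eq 0) {
        Write-Output "No change since $($baseline.Timestamp): $($current.LevelName)"
    } else {
        Write-Warning "Automatic Updates setting changed since $($baseline.Timestamp):"
        $drift | ForEach-Object { Write-Warning "  $_" }
    }
}
```

Run it from an elevated PowerShell once after choosing the setting you want, reboot, and run it again: a drift line such as <b>NotificationLevel: baseline=4 now=2</b> is the scripted equivalent of the "Uh..." screenshot, and the <b>ReadOnly</b> flag tells you whether the change came through policy or through the plain per-machine value.<br />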
There's a bit more to it that I'd like to get to eventually, but I suppose this is enough to get the point across. Anyway, with this known, I decided to try Samsung's chat to see if they knew of it:<br />
<!--[if gte mso 10]>
<![endif]-->
<br />
<blockquote class="tr_bq">
<div class="MsoNormal">You are now chatting with 'Rep'. There will be a brief survey at the end of our chat to share feedback on my performance today.</div>
<div class="MsoNormal">Your Issue ID for this chat is *purged*.</div>
<div class="MsoNormal"><b>Rep</b>: Hi, thank you for reaching out to Samsung technical support. How may I assist you?</div>
<div class="MsoNormal"><b>ringzero</b>: Hi Rep, I have a question regarding your SW Update software.</div>
<div class="MsoNormal"><b>Rep</b>: Hi Ringzero, please go ahead with your question.</div>
<div class="MsoNormal"><b>Rep</b>: I'll be glad to assist you.</div>
<div class="MsoNormal"><b>ringzero</b>: Thanks Rep! My question is, why does this software actively monitor the registry and deliberately cripple Windows Update by forcefully disabling it?</div>
<div class="MsoNormal"><b>Rep</b>: SW Update tool helps in automatically detecting the hardware on the laptop and installs the supporting drivers for them. I am afraid this tool has no direct effect on the registry of your laptop or Windows Updates.</div>
<div class="MsoNormal"><b>ringzero</b>: Rep, I am afraid that you're incorrect. SW Update drops an exe named "Disable_Windowsupdate.exe".</div>
<div class="MsoNormal"><b>ringzero</b>: When SW Update is installed, Windows Update is always disabled. If it's enabled, or set to a setting of your liking, it'll be re-disabled on reboot.</div>
<div class="MsoNormal"><b>ringzero</b>: If SW Update is uninstalled, Windows Update stays enabled persistently throughout reboots.</div>
<div class="MsoNormal"><b>Rep</b>: Thank you for waiting. I'll be with you in just a moment.</div>
<div class="MsoNormal"><b>ringzero</b>: Sure.</div>
<div class="MsoNormal"><b>Rep</b>: When you enable Windows updates, it will install the Default Drivers for all the hardware on the laptop which may or may not work. For example if there is USB 3.0 on the laptop, the ports may not work with the installation of updates. So to prevent this, SW Update tool will prevent the Windows updates.</div>
</blockquote>
<br />
So thanks to Rep over at Samsung, we now know Samsung's motive for disabling WU: keeping Windows Update from installing its default drivers over the ones SW Update ships for the laptop's hardware.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_HbHAY4Z2ZEJW9GX4ZRwqaGFoWyteE14iP7wqj5fBwpNMWiKrLXA4huWxofjWHR6VmiZvKstJJLuOEXddyyzFf6DI-L_ZU6DcgmgwoUdQxe9-Wpi8aw1VvQ9d76BrgN3ABtVaSRO_vkHP/s1600/samsung.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_HbHAY4Z2ZEJW9GX4ZRwqaGFoWyteE14iP7wqj5fBwpNMWiKrLXA4huWxofjWHR6VmiZvKstJJLuOEXddyyzFf6DI-L_ZU6DcgmgwoUdQxe9-Wpi8aw1VvQ9d76BrgN3ABtVaSRO_vkHP/s320/samsung.jpg" width="320" /></a></div>
<br />
OEMs, come on... has Superfish taught us nothing?<br />
<br />
Upload/report this to Microsoft/MSRC as malware, because that's exactly what it is. Why would you <i>ever </i>tamper with WU in such a fashion (or at all), in a way an ordinary user cannot control, leaving them without security updates and vulnerable?<br />
<br />
<u><b>x86 MD5</b></u><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3727acd09814c0d5ce8fd3d6be705254
</code></pre>
<br />
<u><b>x64 MD5</b></u><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> d0a3a1c266845ef1e2cdf65c226facae
</code></pre>
<br />
<u><b>x86 SHA-256</b></u><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 61da7461e8a60a20e9d2b595edff89a0898c8f2d47d2be847c8a7ceff0fc4bd4
</code></pre>
<br />
<u><b>x64 SHA-256</b></u><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 7b9547acf8b3792b48fe5a02f7d5f3e0dfba8e57055d60f479bb8adfed99871c
</code></pre>
<br />
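As a practical follow-up, here is an added example (code written for this write-up, not Samsung's and not part of the original post) that hunts for <b>Disable_Windowsupdate.exe</b>, compares any copy found against the hashes listed above, and reports the Windows Update setting and the usual autostart locations. It assumes an elevated PowerShell 4.0 or later (for <b>Get-FileHash</b>) on the affected Windows 7/8.1 machine. The search roots, the <b>AUOptions</b> registry value as the thing behind the "let me choose whether to download and install" setting, and the Run-key/scheduled-task locations are my assumptions; the post names the file and the UI setting, not the drop location, the registry key, or the mechanism that re-runs the tool on reboot.<br />

```powershell
# Added example, not code from the original post or from Samsung: locate
# Disable_Windowsupdate.exe, compare it with the hashes listed in the post,
# and show the current Windows Update setting plus autostart entries.
# Run from an elevated PowerShell 4.0+ (Get-FileHash) on Windows 7/8.1.

# Indicators from the post: MD5 and SHA-256 of the x86 and x64 builds.
$KnownHashes = @{
    '3727ACD09814C0D5CE8FD3D6BE705254'                                 = 'x86 MD5'
    'D0A3A1C266845EF1E2CDF65C226FACAE'                                 = 'x64 MD5'
    '61DA7461E8A60A20E9D2B595EDFF89A0898C8F2D47D2BE847C8A7CEFF0FC4BD4' = 'x86 SHA-256'
    '7B9547ACF8B3792B48FE5A02F7D5F3E0DFBA8E57055D60F479BB8ADFED99871C' = 'x64 SHA-256'
}

function Find-DisableWindowsUpdate {
    # Search roots are an assumption; the post does not say where SW Update drops the file.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:SystemRoot))
    foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        Get-ChildItem -LiteralPath $root -Filter 'Disable_Windowsupdate.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            $sha = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                MD5       = $md5
                SHA256    = $sha
                # Non-empty only when the file is one of the two builds hashed in the post.
                Match     = (@($KnownHashes[$md5], $KnownHashes[$sha]) | Where-Object { $_ }) -join ', '
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status
            }
        }
    }
}

function Get-WindowsUpdateSetting {
    # AUOptions is assumed to be the value behind the Windows Update UI choice;
    # the post names the UI setting, not the registry key.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $labels = @{
        1 = 'Never check for updates'
        2 = 'Check for updates but let me choose whether to download and install them'
        3 = 'Download updates but let me choose whether to install them'
        4 = 'Install updates automatically'
    }
    $au = (Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
    $meaning = if ($au) { $labels[[int]$au] } else { 'value not present' }
    [pscustomobject]@{
        AUOptions     = $au
        Meaning       = $meaning
        PolicyManaged = Test-Path $policy   # a policy key would also explain a "stuck" setting
    }
}

function Get-SwUpdateAutostart {
    # Generic hunt over Run keys and scheduled tasks for whatever re-runs the tool at
    # boot. The post observes the reset on reboot but does not name the mechanism.
    $pattern = 'SW Update|Disable_Windowsupdate|Samsung'
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Source = $k; Name = $_.Name; Command = $_.Value } }
    }
    # schtasks rather than Get-ScheduledTask so this also works on Windows 7.
    schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match $pattern } |
        ForEach-Object { [pscustomobject]@{ Source = 'Scheduled task'; Name = $_.TaskName; Command = $_.'Task To Run' } }
}

Find-DisableWindowsUpdate | Format-List
Get-WindowsUpdateSetting
Get-SwUpdateAutostart | Format-Table -AutoSize
```

A hash match against the list above tells you which build you are looking at; a copy with a different hash is still worth submitting, since the file name alone says what it is for. If <b>PolicyManaged</b> comes back true, a Group Policy setting is also in play and would explain a setting that does not stick independently of SW Update.<br />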
<b>Small edit</b>: I edited the Samsung rep's real name down to just 'Rep'. It was clearly a tier 1/2 support agent just doing their job, and I of course don't want them getting in any trouble since this appears to be <i>blowing </i>up. After all, as I said, this isn't their fault at all.<br />
<br />
<u><b>Update </b></u><br />
<br />
According to a few news articles, here's Samsung's latest statement:<br />
<blockquote class="tr_bq">
<i>"It is not true that we are blocking a Windows 8.1 operating system update on our computers. As part of our commitment to consumer satisfaction, we are providing our users with the option to choose if and when they want to update the Windows software on their products," said Samsung.</i></blockquote>
<blockquote class="tr_bq">
<i>"We take product security very seriously and we encourage any Samsung customer with product questions or concerns to contact us directly at 1-800-SAMSUNG."</i></blockquote>
I don't understand what this statement is implying, and it may have been lost in translation between Samsung and whichever reporter/editor received it, because I never claimed it specifically blocked a "Windows 8.1 OS update", just that their SW Update software prevents Windows Update from automatically installing updates and forces the setting to "let me choose whether to download and install". If you change it, it switches right back on reboot. Microsoft has openly stated that it does not like the setting being persistently changed, or the tool existing at all without the user's consent. It stops Windows Update from working as the user intends it to.<br />
<br />
However you look at this, Samsung's solution to what we can guess is a device driver workaround was <i>not </i>done in the best way, or a safe way. I mean, come on, the exe is named <b>Disable_Windowsupdate.exe</b>. In any case, if it appears I am acting as an enemy of Samsung, I'm not. I'm just a 22-year-old cashier with a love for Windows internals who, together with a few others, found a security risk for Samsung's Windows users. That's it. <br />
<br />
<u><b>Update #2</b></u><br />
<br />
According to a few news articles, here's Samsung's latest statement:<br />
<blockquote class="tr_bq">
<i>“Samsung has a commitment to security and we continue to value our partnership with Microsoft. We will be issuing a patch through the Samsung Software Update notification process to revert back to the recommended automatic Windows Update settings within a few days."</i></blockquote>
I'm very glad Samsung is committed to resolving this issue so soon. Ultimately, in a perfect world, I hope OEMs will learn from Superfish and SW Update, as it would be disheartening to see a similar issue in the future. OEMs need to disclose to their users what their software does and, where possible, give them a choice.<br />
<br />
Done that way, it's no longer "under the table", so to speak. Had Samsung's users been told in the first place that their Windows Update settings were being actively modified, it might still have been a question of poor implementation/methods, but it probably wouldn't have been seen as malicious or questionable behavior, because it would at least have been known.Anonymoushttp://www.blogger.com/profile/15323083398160586642noreply@blogger.com732tag:blogger.com,1999:blog-8870806323064576540.post-55622529301306539442015-05-20T20:30:00.002-04:002015-05-31T12:51:49.101-04:00FwpsStreamInjectAsync0 bug/leak - Bitdefender (0x4A)Today I'll be investigating an issue involving Bitdefender, which turned out to be a Windows bug more than a Bitdefender one, although there are development-side changes that could be made, aside from a hotfix, to stop it. Bitdefender's 0x4A bug check issue has been prevalent for quite a while now, but there's little to <i>no</i> documentation on solving it or on what's causing it, just a few things to try like updating Bitdefender, uninstalling it, etc.<br />
<br />
First off, taking a look at a non-verifier enabled kernel dump, here's our bug check as discussed:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> .bugcheck
Bugcheck code 0000004A
Arguments 00000000`77a1dc2a 00000000`00000002 00000000`00000000 fffff880`13695b60
</code></pre>
<br />
0x4A (IRQL_GT_ZERO_AT_SYSTEM_SERVICE) means that a thread which entered the kernel through a system call attempted to return to user mode while the IRQL was still above PASSIVE_LEVEL (zero [0] on x86 and x64): something on the kernel side raised IRQL and never lowered it before the system call completed.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> !irql
Debugger saved IRQL for processor 0xa -- 2 (DISPATCH_LEVEL)
</code></pre>
<br />
In this case, the IRQL at the time of the crash was DISPATCH_LEVEL (two [2] on x86 and x64), the level at which DPCs run.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> X64_RAISED_IRQL_FAULT_vsserv.exe_nt!KiSystemServiceExit+245
</code></pre>
<br />
The process involved in the IRQL raise was <b>vsserv.exe</b>, Bitdefender's main active protection process.<br />
<br />
Let's also look up the first bug check parameter, the address of the system function involved:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> !address 0000000077a1dc2a
Usage: VAD
Base Address: 00000000`779d0000
End Address: 00000000`77b79000
Region Size: 00000000`001a9000
VA Type: UserRange
VAD Address: 0xfffffa8020d1f830
Commit Charge: 0xd
Protection: 0x7 [ReadWriteCopyExecute]
Memory Usage: <span style="background-color: yellow;">Section [\Windows\System32\ntdll.dll] </span>
No Change: no
More info: <span style="background-color: yellow;">!vad 0x779d0000</span>
</code></pre>
<br />
We can see its VA type is UserRange and its protection is 0x7 [ReadWriteCopyExecute], i.e., readable, copy-on-write writable and executable, which is the normal protection for a mapped image section.<br />
<br />
If we run <b>!vad </b>on the VAD address, the process's VAD tree shows a whole set of Bitdefender engine modules mapped in:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> !vad 0xfffffa8020d1f830
...
fffffa8018c95a70 ( 2) 7fee7980 7fee79c8 6 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\mimepack.dll
fffffa802278cb70 ( 3) 7fee79d0 7fee7aa2 69 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\asregex.dll
fffffa8018c944e0 ( 0) 7fee7ab0 7fee7bb9 9 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\asmcocr.dll
fffffa804d4baa50 ( 2) 7fee7bc0 7fee7dea 259 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\asunicode.dll
fffffa8022f25450 ( 3) 7fee7df0 7fee810b 89 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\asemlthin.mdl
fffffa8050690e60 ( 1) 7fee8110 7fee8333 86 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\asemlrtr.mdl
fffffa8018c0b1e0 ( 2) 7fee8340 7fee8442 81 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\asengines_00015_008\ascore.dll
fffffa804f4f7970 ( 3) 7fee8550 7fee8622 69 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\asregex.dll
fffffa804e14ff80 (-1) 7fee8630 7fee885a 259 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\asunicode.dll
fffffa804f509640 ( 2) 7fee8860 7fee89ef 82 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\ashttprbl.mdl
fffffa804f4bfc80 ( 3) 7fee89f0 7fee8cc9 88 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\ashttpph.mdl
fffffa80232c0460 ( 1) 7fee8cd0 7fee8dca 82 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\ashttpdsp.mdl
fffffa804ce69120 ( 3) 7fee8dd0 7fee8edb 81 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\ashttpbr.mdl
fffffa804ce52bb0 ( 2) 7fee8ee0 7fee8fe2 81 Mapped Exe EXECUTE_WRITECOPY \Program Files\Bitdefender\Bitdefender 2015\otengines_00350_006\otcore.dll
...
</code></pre>
<br />
Let's use <b>!address</b> and <b>-v</b> together to get nice verbose PTE/PFN/VAD information:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> !address -v -map 0x779d0000
PXE: fffff6fb7dbed000 [contains 02e0000763d62867]
Page Frame Number: 763d62, at address: fffffa80162b8260
Page Location: 6 (ActiveAndValid)
PTE Frame: 0000000000763e3c
Attributes: M:Modified,Cached
Usage: PPEs Process fffffa8020d96b10 [vsserv.exe], Entries:5
PPE: fffff6fb7da00008 [contains 18700007641ad867]
Page Frame Number: 7641ad, at address: fffffa80162c5070
Page Location: 6 (ActiveAndValid)
PTE Frame: 0000000000763d62
Attributes: M:Modified,Cached
Usage: PDEs Process fffffa8020d96b10 [vsserv.exe], Entries:31
PDE: fffff6fb40001de0 [contains 0370000764ab6867]
Page Frame Number: 764ab6, at address: fffffa80162e0220
Page Location: 6 (ActiveAndValid)
PTE Frame: 00000000007641ad
Attributes: M:Modified,Cached
Usage: PTEs Process fffffa8020d96b10 [vsserv.exe], Entries:159
PTE: fffff680003bce80 [contains 82a000079e2d4025]
Page Frame Number: 79e2d4, at address: fffffa8016da87c0
Page Location: 6 (ActiveAndValid)
PTE Frame: 000000000079ec0c
Attributes: P:Prototype,Cached
Usage: MappedFile CA:fffffa801f3a3010 [\Windows\System32\ntdll.dll]
Type: Valid
Attrs: Private,NormalPage,NotDirty,NotDirty1,Accessed,User,NotWritable,NotWriteThrough
PFN: 79e2d4
</code></pre>
<br />
Overall, the paging structures for this range (PXE, PPE, PDE) belong to <b>vsserv.exe </b>and are all ActiveAndValid, and the leaf PTE is a prototype PTE backed by the mapped image ntdll.dll:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> !vad 0x779d0000
VAD level start end commit
fffffa8020d1f830 (-1) 779d0 77b78 13 Mapped Exe EXECUTE_WRITECOPY \Windows\System32\ntdll.dll
</code></pre>
<br />
Throughout all of the 0x4A Bitdefender related crashes, the NT kernel was labeled as the fault:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Probably caused by : <span style="background-color: yellow;">ntkrnlmp.exe</span>
</code></pre>
<br />
Given we're seeing ntdll, the reason the NT kernel is blamed is straightforward: ntdll's Nt*/Zw* exports are just stubs that trap into the kernel, and the faulting frame is nt!KiSystemServiceExit, the kernel's own system-call return path, so the analyzer pins the fault on the kernel image. That image is <b>ntkrnlmp.exe </b>here, the multiprocessor kernel build (installed on disk as ntoskrnl.exe); on x64 there is only this one build, since the PAE/non-PAE split (ntkrpamp.exe vs. ntkrnlmp.exe) exists only on x86.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) <span style="background-color: yellow;">MP</span> (12 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18839.amd64fre.win7sp1_gdr.150427-0707
Machine Name:
Kernel base = 0xfffff800`03064000 PsLoadedModuleList = 0xfffff800`032ab730
Debug session time: Fri May 15 09:00:27.644 2015 (UTC - 4:00)
System Uptime: 0 days 16:20:00.892
</code></pre>
<br />
So regarding processor #10, that's about as far as we're going to go: it's the bug check thread, and its stack holds no useful information beyond the exit check itself.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> k
Child-SP RetAddr Call Site
fffff880`13695928 fffff800`030d7e69 nt!KeBugCheckEx
fffff880`13695930 fffff800`030d7da0 nt!KiBugCheckDispatch+0x69
fffff880`13695a70 00000000`77a1dc2a nt!KiSystemServiceExit+0x245
00000000`2798f908 00000000`00000000 0x77a1dc2a
</code></pre>
<br />
All we can see is that the thread is returning to user mode through <b>KiSystemServiceExit</b>, and we go off the rails right there at KiSystemServiceExit+<i><b>0x245</b></i>. This is the common tail of the x64 system call path: it restores the trap frame and returns to user mode, and before doing so it verifies that IRQL is back at PASSIVE_LEVEL; that check failing is what raised this bug check. The frame itself does not tell us who raised IRQL, only that it was never lowered.<br />
<br />
With that said, let's switch to the other processor in the system that was busy and see what it was doing at the time of the crash. To find the non-idle processors, we'll use <b>!running</b>:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 10: kd> !running
System Processors: (0000000000000fff)
Idle Processors: (00000000000003ff) (0000000000000000) (0000000000000000) (0000000000000000)
Prcbs Current (pri) Next (pri) Idle
10 fffff880038c9180 fffffa8021c85b50 ( 9) fffff880038d41c0 ................
11 fffff8800393b180 fffffa8021c91060 ( 9) fffff880039461c0 ................
</code></pre>
<br />
We can see our active processors are #10 and #11. We've explored #10, so let's check #11. Processors 0-9 aren't listed because they're idle: the idle mask 0x3ff covers bits 0 through 9 of the 0xfff system mask.<br />
<br />
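The two decoding steps above, reading the 0x4A parameters and working out which processors were busy from the <b>!running</b> masks, are easy to get wrong by eye on a bigger box, so here is an added example (written for this write-up, not part of the original post) that does both from text pasted out of WinDbg. The sample input is the post's own <b>.bugcheck</b> and <b>!running</b> output; the function names are mine. The parameter meanings for 0x4A (1 = system function, 2 = current IRQL, 3 = 0) follow Microsoft's bug check reference; reading parameter 4 as the trap frame is my inference from where it sits on this kernel stack, and <b>.trap</b> on that address would confirm it.<br />

```powershell
# Added example, not from the original post: decode the two pieces of WinDbg
# output used in this analysis, the 0x4A bug check parameters and the
# !running processor masks. Input is text pasted from the debugger; the
# samples below are the post's own output.

$BugcheckText = @'
Bugcheck code 0000004A
Arguments 00000000`77a1dc2a 00000000`00000002 00000000`00000000 fffff880`13695b60
'@

$RunningText = @'
System Processors: (0000000000000fff)
Idle Processors: (00000000000003ff) (0000000000000000) (0000000000000000) (0000000000000000)
'@

$IrqlNames = @{ 0 = 'PASSIVE_LEVEL'; 1 = 'APC_LEVEL'; 2 = 'DISPATCH_LEVEL' }

function ConvertFrom-BugcheckText {
    param([string]$Text)
    $code = [Convert]::ToInt32([regex]::Match($Text, 'Bugcheck code ([0-9A-Fa-f]+)').Groups[1].Value, 16)
    if ($code -ne 0x4A) { throw ('Not an IRQL_GT_ZERO_AT_SYSTEM_SERVICE dump: code 0x{0:X}' -f $code) }
    # WinDbg prints 64-bit values with a backtick in the middle; strip it before parsing.
    $p = @([regex]::Match($Text, 'Arguments (.+)').Groups[1].Value.Split(' ') |
          Where-Object { $_ } |
          ForEach-Object { [Convert]::ToUInt64($_.Replace('`', ''), 16) })
    # 0x4A parameters: 1 = address of the system function (here the ntdll stub the thread
    # was returning to), 2 = IRQL at exit, 3 = 0, 4 = kernel-stack address passed along by
    # KiSystemServiceExit, which on this stack is the trap frame (inference; .trap <addr>).
    $verdict = if ($p[1] -gt 0) { 'returned to user mode with IRQL still raised' } else { 'IRQL was PASSIVE_LEVEL' }
    [pscustomobject]@{
        Code           = '0x{0:X}' -f $code
        SystemFunction = '0x{0:X16}' -f $p[0]
        Irql           = $p[1]
        IrqlName       = $IrqlNames[[int]$p[1]]
        TrapFrame      = '0x{0:X16}' -f $p[3]
        Verdict        = $verdict
    }
}

function Get-SetBits {
    # Bit positions set in a mask, lowest first. A mask with bit 63 set is not handled
    # (the [long] cast would overflow); fine for the 12-processor box in this dump.
    param([uint64]$Mask)
    $bits = [Convert]::ToString([long]$Mask, 2).ToCharArray()
    [array]::Reverse($bits)                  # index now equals the processor number
    0..($bits.Length - 1) | Where-Object { $bits[$_] -eq '1' }
}

function ConvertFrom-RunningText {
    param([string]$Text)
    # Only the first processor group is parsed, which is all this dump uses.
    $sys  = [Convert]::ToUInt64([regex]::Match($Text, 'System Processors: \(([0-9A-Fa-f]+)\)').Groups[1].Value, 16)
    $idle = [Convert]::ToUInt64([regex]::Match($Text, 'Idle Processors: \(([0-9A-Fa-f]+)\)').Groups[1].Value, 16)
    $sysBits  = @(Get-SetBits $sys)
    $idleBits = @(Get-SetBits $idle)
    $busy     = @($sysBits | Where-Object { $idleBits -notcontains $_ })
    [pscustomobject]@{
        ProcessorCount = $sysBits.Count
        IdleProcessors = $idleBits -join ','
        BusyProcessors = $busy -join ','      # the ones worth switching to with ~N
    }
}

ConvertFrom-BugcheckText $BugcheckText
ConvertFrom-RunningText  $RunningText
```

For the sample above this reports IRQL 2 (DISPATCH_LEVEL) and busy processors 10 and 11, matching the manual reading; on a dump from a larger machine the same two calls save counting bits in a 64-digit mask, and a second group would need the remaining parenthesised masks parsed as well.<br />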
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> knL
# Child-SP RetAddr Call Site
00 fffff880`03969e20 fffff880`0584f75e e1c62x64+0x558e
01 fffff880`03969e50 fffff880`0584ff1f e1c62x64+0x2075e
02 fffff880`03969ec0 fffff880`0584fb43 e1c62x64+0x20f1f
03 fffff880`03969f70 fffff880`0584fa49 e1c62x64+0x20b43
04 fffff880`03969fa0 fffff800`0301f62f e1c62x64+0x20a49
05 fffff880`03969fe0 fffff880`01a0c600 hal!HalBuildScatterGatherList+0x203
06 fffff880`0396a050 fffff880`0584ffb2 ndis!NdisMAllocateNetBufferSGList+0x110
07 fffff880`0396a0f0 fffff880`05850649 e1c62x64+0x20fb2
08 fffff880`0396a150 fffff880`0585028e e1c62x64+0x21649
09 fffff880`0396a1b0 fffff880`01ac84f1 e1c62x64+0x2128e
0a fffff880`0396a1f0 fffff880`01a0c4d4 ndis!ndisMSendNBLToMiniport+0xb1
0b fffff880`0396a250 fffff880`05c6d6b8 ndis!NdisFSendNetBufferLists+0x64
0c fffff880`0396a290 fffff880`05c6d92c bdfndisf6+0x16b8
0d fffff880`0396a2f0 fffff880`05c6df4b bdfndisf6+0x192c
0e fffff880`0396a380 fffff880`01a0c4d4 bdfndisf6+0x1f4b
0f fffff880`0396a480 fffff880`00c16199 ndis!NdisFSendNetBufferLists+0x64
10 fffff880`0396a4c0 fffff880`01a0c419 pacer!PcFilterSendNetBufferLists+0x29
11 fffff880`0396a5c0 fffff880`01ac85d5 ndis!ndisSendNBLToFilter+0x69
12 fffff880`0396a620 fffff880`01c60eb6 ndis!NdisSendNetBufferLists+0x85
13 fffff880`0396a680 fffff880`01c67895 tcpip!IpNlpFastSendDatagram+0x496
14 fffff880`0396aa30 fffff880`01c68450 tcpip!TcpTcbSend+0x495
15 fffff880`0396acb0 fffff880`01c671a8 tcpip!TcpEnqueueTcbSendOlmNotifySendComplete+0xa0
16 fffff880`0396ace0 fffff880`01b30267 tcpip!TcpEnqueueTcbSend+0x258
17 fffff880`0396ad90 fffff880`01b35f5d NETIO!StreamInjectRequestsToStack+0x287
18 fffff880`0396ae60 fffff880`01b376b4 NETIO!StreamPermitDataHelper+0x5d
19 fffff880`0396ae90 fffff800`030e41dc NETIO!StreamPermitRemoveDataDpc+0x84
1a fffff880`0396af00 fffff800`030db335 nt!KiRetireDpcList+0x1bc
1b fffff880`0396afb0 fffff800`030db14c nt!KyRetireDpcList+0x5
1c fffff880`13abf190 fffff800`0312371c nt!KiDispatchInterruptContinue
1d fffff880`13abf1c0 fffff800`030c2aec nt!KiDpcInterrupt+0xcc
1e fffff880`13abf350 fffff880`01b383aa nt!KeInsertQueueDpc+0x1dc
1f fffff880`13abf3e0 fffff880`01b3b468 NETIO!StreamPermitData+0x13a
20 fffff880`13abf450 fffff880`01b3b99a NETIO!StreamInternalClassify+0x1a8
21 fffff880`13abf520 fffff880`01b3bd8e NETIO!StreamInject+0x1ca
22 fffff880`13abf5f0 fffff880`01b91df3 NETIO!FwppStreamInject+0x12e
23 fffff880`13abf680 fffff880`05c9aaf1 fwpkclnt!FwpsStreamInjectAsync0+0xcf
24 fffff880`13abf6e0 fffff880`05c9bce3 bdfwfpf+0x2af1
25 fffff880`13abf780 fffff880`05ca469c bdfwfpf+0x3ce3
26 fffff880`13abf7c0 fffff880`05ca4d0a bdfwfpf+0xc69c
27 fffff880`13abf840 fffff880`05c9ebb3 bdfwfpf+0xcd0a
28 fffff880`13abf8a0 fffff800`033f3e47 bdfwfpf+0x6bb3
29 fffff880`13abf8d0 fffff800`033f46a6 nt!IopXxxControlFile+0x607
2a fffff880`13abfa00 fffff800`030d7b53 nt!NtDeviceIoControlFile+0x56
2b fffff880`13abfa70 00000000`77a1dc2a nt!KiSystemServiceCopyEnd+0x13
2c 00000000`27a9f928 00000000`00000000 0x77a1dc2a
</code></pre>
<br />
I used <b>knL</b> rather than the other stack dump commands because it prefixes each frame with a frame number, which I'll refer to below.<br />
<br />
Starting at frame #2a, we can see that the <b>NtDeviceIoControlFile</b> function calls <b>IopXxxControlFile</b>. The latter function appears to be undocumented, so I'm unsure exactly what it does. What I do know is that <b>NtDeviceIoControlFile</b> is ultimately used to build descriptors for a driver, and I imagine it's using <b>IopXxxControlFile</b> to help pass them to the driver.<br />
<br />
Also, for what it's worth, although <b>NtDeviceIoControlFile </b>has since been superseded by <b>DeviceIoControl</b>, the former native function provides more information that may be beneficial to the caller (especially for debugging purposes). This is likely why Bitdefender chose to use the former function instead.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> ln nt!IopXxxControlFile
(fffff800`033f3840) nt!IopXxxControlFile
(fffff800`033f4650) nt!NtDeviceIoControlFile
Exact matches:
nt!IopXxxControlFile (<no parameter info>)
</code></pre>
<br />
If we disassemble this function, we can wade through the output and pick out the interesting calls:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> u fffff800`033f3840 fffff800`033f4650
fffff800`033f3956 e845c5ffff call nt!ProbeForWrite (fffff800`033efea0)
fffff800`033f39b7 e81498fdff call nt!ObReferenceObjectByHandleWithTag (fffff800`033cd1d0)
fffff800`033f3b05 e84688cfff call nt!IoGetRelatedDeviceObject (fffff800`030ec350)
fffff800`033f402a e8d130cdff call nt!IoGetAttachedDevice (fffff800`030c7100)
fffff800`033f3c01 e88a7bcfff call nt!IoAllocateIrp (fffff800`030eb790)
fffff800`033f40d1 e82af9cfff call nt!IoAllocateMdl (fffff800`030f3a00)
</code></pre>
<br />
After trimming the disassembly down to just these calls, we can see that this is indeed how <b>NtDeviceIoControlFile</b> passes the buffer on to the driver. <br />
<br />
In this specific case, <b>IoAllocateMdl</b> is used to build an MDL that will ultimately be associated with an IRP, which is why <b>IoAllocateIrp</b> is called as well, to allocate that IRP. <b>IoGetAttachedDevice</b> is likely called to return a pointer to the device object (devobj), with <b>IoGetRelatedDeviceObject</b> probably used to obtain the devobj from the file system driver stack.<br />
<br />
<b>ObReferenceObjectByHandleWithTag</b> is called to increment the reference count of the object, and to write a four-byte value known as a "tag" so it can support <a href="https://msdn.microsoft.com/en-us/library/ff552295.aspx" target="_blank">object reference tracing</a> for debugging purposes. Finally, the <b>ProbeForWrite</b> function is called to ensure that a user-mode buffer meets the following:<br />
<br />
<ul>
<li>Resides in the user-mode portion of the address space.</li>
<li>Is writeable.</li>
<li>Is correctly aligned.</li>
</ul>
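As an added illustration (not code from this post, and not the kernel's own implementation), here is a user-mode C model of those three checks. It assumes the x64 MmUserProbeAddress value of 0x7FFFFFFF0000 as the top of user space, 4 KB pages, and a constructed <b>demo_page_writable</b> predicate standing in for the page-touch the real routine performs.<br />

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-mode model of the three ProbeForWrite conditions, not the
 * kernel's code. Assumptions: the x64 MmUserProbeAddress (0x7FFFFFFF0000) as
 * the top of user space, 4 KB pages, and a caller-supplied predicate in place
 * of the page-touch the real routine performs. The real routine raises an
 * exception instead of returning a status. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL
#define PAGE_SIZE_4K       0x1000ULL

typedef enum {
    PROBE_OK = 0,
    PROBE_BAD_ALIGNMENT_ARG,  /* Alignment is not a power of two */
    PROBE_MISALIGNED,         /* kernel: STATUS_DATATYPE_MISALIGNMENT */
    PROBE_RANGE_WRAPS,        /* kernel: STATUS_ACCESS_VIOLATION (Address+Length wraps) */
    PROBE_NOT_USER_ADDRESS,   /* kernel: STATUS_ACCESS_VIOLATION (reaches kernel space) */
    PROBE_PAGE_NOT_WRITABLE   /* kernel: page fault while touching the buffer */
} probe_status;

/* Returns true if the page at page_address may be written. */
typedef bool (*page_writable_fn)(uint64_t page_address);

/* Validate a user-mode buffer the way the post describes:
 *   1. correctly aligned,
 *   2. entirely inside the user-mode portion of the address space
 *      (which also means Address + Length must not wrap around),
 *   3. writeable, checked page by page.
 * A zero-length buffer passes without any probing. */
probe_status probe_for_write(uint64_t address, uint64_t length,
                             uint32_t alignment, page_writable_fn page_writable)
{
    if (alignment == 0 || (alignment & (alignment - 1)) != 0)
        return PROBE_BAD_ALIGNMENT_ARG;
    if (length == 0)
        return PROBE_OK;
    if ((address & (alignment - 1)) != 0)
        return PROBE_MISALIGNED;

    uint64_t last = address + length - 1;     /* inclusive end of the buffer */
    if (last < address)                       /* a huge Length wrapped past 2^64 */
        return PROBE_RANGE_WRAPS;
    if (last >= USER_PROBE_ADDRESS)           /* buffer spills into kernel space */
        return PROBE_NOT_USER_ADDRESS;

    /* Touch every page: an unmapped or read-only page fails here, inside the
     * probe, rather than later inside the driver's IOCTL handler. */
    if (page_writable != NULL) {
        for (uint64_t page = address & ~(PAGE_SIZE_4K - 1); page <= last;
             page += PAGE_SIZE_4K) {
            if (!page_writable(page))
                return PROBE_PAGE_NOT_WRITABLE;
        }
    }
    return PROBE_OK;
}

/* Constructed address space for the demo: only pages below 0x20000 are
 * mapped writable. */
bool demo_page_writable(uint64_t page_address)
{
    return page_address < 0x20000ULL;
}

static const char *probe_status_name(probe_status s)
{
    static const char *names[] = {
        "PROBE_OK", "PROBE_BAD_ALIGNMENT_ARG", "PROBE_MISALIGNED",
        "PROBE_RANGE_WRAPS", "PROBE_NOT_USER_ADDRESS", "PROBE_PAGE_NOT_WRITABLE"
    };
    return names[s];
}

int main(void)
{
    /* Constructed sample buffers; the last one is the IopXxxControlFile
     * kernel address from the ln output above, which must be rejected. */
    struct { uint64_t addr, len; uint32_t align; } cases[] = {
        { 0x10000ULL,            0x100ULL,              8 },
        { 0x10001ULL,            0x100ULL,              8 },
        { 0x10000ULL,            0xFFFFFFFFFFFFFFF0ULL, 8 },
        { 0x1FFF0ULL,            0x20ULL,               8 },
        { 0x7FFFFFFEFFF8ULL,     0x10ULL,               8 },
        { 0xFFFFF800033F3840ULL, 0x10ULL,               8 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        probe_status s = probe_for_write(cases[i].addr, cases[i].len,
                                         cases[i].align, demo_page_writable);
        printf("%#018llx len %#llx -> %s\n", (unsigned long long)cases[i].addr,
               (unsigned long long)cases[i].len, probe_status_name(s));
    }
    return 0;
}
```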
<br />
As all of that appears to have gone well, we can see that the driver we were ultimately building and passing descriptors to was <b>bdfwfpf.sys</b>, which is Bitdefender's firewall filter driver. As it's a driver in charge of a firewall, it of course uses the WFP (Windows Filtering Platform) API to achieve its goals (not just filtering and monitoring).<br />
<br />
We can confirm this easily by looking at the very first driver/function call after Bitdefender's firewall, which is <b>fwpkclnt.sys</b>. Specifically, Bitdefender's firewall driver called it to inject new/cloned data into the data stream. Directly afterwards we have calls from the Network I/O Subsystem to continue the injection, which is because <b>fwpkclnt.sys</b> exports the kernel-mode functions, as opposed to <b>fwpuclnt.dll</b>, which exports and handles the user-mode side.<br />
<br />
To continue the injection into the data stream, it looks like DPCs are used: <b>KeInsertQueueDpc</b> is called to queue a DPC for execution.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> !dpcs
CPU Type KDPC Function
10: Normal : 0xfffffa806a7b7cb0 0xfffff88001b37630 NETIO!StreamPermitRemoveDataDpc
</code></pre>
<br />
-- After discussion with a fellow kernel-debugger friend of mine, we also thought that the IRQL was possibly DISPATCH_LEVEL due to the multiple injections, etc., and that Windows therefore deferred the work to a DPC. If that was the case, then by the time the DPC was to be worked on, the system service had finished <i><b>but </b></i>the IRQL was still DISPATCH_LEVEL, and because of that we get a bug check. <br />
<br />
We continue through <b>netio.sys</b>' functions regarding the data stream injection, ultimately injecting the request to the stack and going through a few <b>tcpip.sys</b> functions.<br />
<br />
To continue sending the data along, NDIS' <b>NdisSendNetBufferLists</b> function is called, and the NDIS filter driver (which I believe is <b>pacer.sys</b>) calls <b>NdisFSendNetBufferLists</b> to send the list of network data buffers back to Bitdefender's firewall driver.<br />
<br />
Bitdefender's firewall driver then calls into NDIS' network data buffer sending functions to send the list to the user's network miniport driver, <b>e1c62x64.sys</b> (Intel(R) 82579V Gigabit Network Connection). The network miniport driver then calls NDIS' <b>NdisMAllocateNetBufferSGList</b> function to obtain a scatter/gather list for the network data for the associated NET_BUFFER structure.<br />
<br />
In order to do so, NDIS needs to call the HAL, which we can see through the <b>HalBuildScatterGatherList</b> function. What is supposed to happen next is that the HAL builds the scatter/gather list and we go on through the various registered miniport functions. However, this did not happen: we go off the rails at frame #00, inside a call into the miniport driver.<br />
<br />
So, where's our problem? Frame #23:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 23 fffff880`13abf680 fffff880`05c9aaf1 fwpkclnt!<span style="background-color: yellow;">FwpsStreamInjectAsync0</span><span style="background-color: yellow;">+0xcf </span>
</code></pre>
<br />
<b>FwpsStreamInjectAsync0</b>, the function in charge of injecting TCP data segments into a TCP data stream, is the issue. How so? Well, let's get dirty once again.<br />
<br />
Using the NDIS debugging extension (<b>!ndiskd</b>), we can get a lot of information to help us here. On its lonesome, <b>!ndiskd </b>isn't too special. However, when we use <b>!ndiskd.miniport</b>, it gets fun.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> !ndiskd.miniport
MiniDriver Miniport Name
fffffa8020c71cd0 fffffa8018c281a0 RAS Async Adapter
fffffa801f844cd0 fffffa801f8771a0 SonicWALL NetExtender Adapter
fffffa801f862840 fffffa801f86b1a0 WAN Miniport (SSTP)
fffffa801f84bb70 fffffa801f8671a0 WAN Miniport (PPTP)
fffffa801f837c30 fffffa801f8631a0 WAN Miniport (PPPOE)
fffffa801f8409b0 fffffa801f85e1a0 WAN Miniport (IPv6)
fffffa801f8409b0 fffffa801f85a1a0 WAN Miniport (IP)
fffffa801f8409b0 fffffa801f8561a0 WAN Miniport (Network Monitor)
fffffa801f835cd0 fffffa801f8411a0 WAN Miniport (L2TP)
fffffa801f82f820 fffffa801f83d1a0 WAN Miniport (IKEv2)
fffffa801f664020 fffffa801f7b81a0 Intel(R) 82579V Gigabit Network Connection
fffffa801f5cb9e0 fffffa801f5e61a0 Teredo Tunneling Pseudo-Interface
fffffa801f5cb9e0 fffffa801f5e21a0 Microsoft ISATAP Adapter #2
fffffa801f5cb9e0 fffffa801f5de1a0 Microsoft ISATAP Adapter
fffffa801f5cb9e0 fffffa801f5d61a0 Microsoft 6to4 Adapter
</code></pre>
<br />
We know the miniport involved in all of this was the Intel Gigabit adapter, so let's look at that one:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> !ndiskd.minidriver fffffa801f664020
MINIPORT DRIVER
e1cexpress
Ndis handle fffffa801f664020
Driver Context NULL
DRIVER_OBJECT fffffa801f7b6e70
Driver image e1c62x64.sys
Registry path \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\e1cexpress
Reference Count 2
Flags [No flags set]
MINIPORTS
Miniport
<span style="background-color: yellow;">fffffa801f7b81a0</span> - Intel(R) 82579V Gigabit Network Connection
</code></pre>
<br />
If we take a look at the miniport address:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> !ndiskd.miniport fffffa801f7b81a0
MINIPORT
Intel(R) 82579V Gigabit Network Connection
Ndis handle fffffa801f7b81a0
Ndis API version v6.20
Adapter context fffffa801f990000
Miniport driver fffffa801f664020 - e1cexpress v12.6
Network interface fffffa8019c8c870
Media type 802.3
Device instance PCI\VEN_8086&DEV_1503&SUBSYS_849C1043&REV_06\3&11583659&0&C8
Device object fffffa801f7b8050 More information
MAC address e0-3f-49-78-a1-dd
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> STATE
Miniport Running
Device PnP Started
Datapath Normal
Interface Up
Media Connected
Power D0
References 0n10
Total resets 0
Pending OID None
Flags BUS_MASTER, 64BIT_DMA, SG_DMA, DEFAULT_PORT_ACTIVATED,
SUPPORTS_MEDIA_SENSE, DOES_NOT_DO_LOOPBACK,
MEDIA_CONNECTED
PnP flags PM_SUPPORTED, DEVICE_POWER_ENABLED,
DEVICE_POWER_WAKE_ENABLE, RECEIVED_START,
HARDWARE_DEVICE
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> BINDINGS
Protocol list Driver Open Context
RSPNDR fffffa8021b39cf0 fffffa8021b608d0 fffffa8021b62010
LLTDIO fffffa8021b1a8f0 fffffa8021b528d0 fffffa8021b361b0
TCPIP6 fffffa801d05c2c0 fffffa801fb13010 fffffa801fb0b010
TCPIP fffffa8019c7b890 fffffa801fb08580 fffffa801fb03ba0
Filter list Driver Module Context
WFP LightWeight Filter-0000
fffffa801f59f010 fffffa801faff660 fffffa801faff400
QoS Packet Scheduler-0000
fffffa801f5ab930 fffffa801fb00780 fffffa801f9d3010
<span style="background-color: yellow;">BitDefender Firewall NDIS6 Filter Driver-0000</span>
fffffa801f574d40 fffffa801fb04c80 fffffa801fb04850
</code></pre>
<br />
We get a lot of good information, and can see that Bitdefender's firewall filter driver is bound to this miniport. We already knew this because we saw it all happening in the stack, but this confirms it.<br />
<br />
Anyway, what's next? Well, let's check for any pending NBLs (NET_BUFFER_LISTs):<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> !ndiskd.pendingnbls fffffa801f7b81a0
PHASE 1/3: Found 23 NBL pool(s).
PHASE 2/3: Found 512 freed NBL(s).
Pending Nbl <span style="color: red;">Currently held by</span>
fffffa80593c82c0 <span style="background-color: yellow;">fffffa801f7b81a0 - Intel(R) 82579V Gigabit Network Connection [Miniport]</span>
PHASE 3/3: Found 1 pending NBL(s) of 789 total NBL(s).
Search complete.
</code></pre>
<br />
Ah ha, we have one held by the miniport driver that was involved in passing data to Bitdefender's firewall filter driver. Let's look at the pending NBL:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> !ndiskd.nbl fffffa80593c82c0
NBL fffffa80593c82c0 <span style="background-color: yellow;">Next NBL NULL </span>
First NB fffffa80593c83f0 Source fffffa801fb08580 - TCPIP
</code></pre>
<br />
From here we can take a direct look at the NBL:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 11: kd> dt _NET_BUFFER_LIST fffffa80593c82c0
ndis!_NET_BUFFER_LIST
_NET_BUFFER_LIST
<span style="background-color: yellow;">+0x000 Next : (null)</span>
+0x008 FirstNetBuffer : 0xfffffa80`593c83f0 _NET_BUFFER
+0x000 Link : _SLIST_HEADER
+0x010 Context : 0xfffffa80`593c84a0 _NET_BUFFER_LIST_CONTEXT
+0x018 ParentNetBufferList : (null)
+0x020 NdisPoolHandle : 0xfffffa80`1cfe6080 Void
+0x030 NdisReserved : [2] (null)
+0x040 ProtocolReserved : [4] 0x746c6100`00000001 Void
+0x060 MiniportReserved : [2] 0xfffffa80`1f990000 Void
+0x070 Scratch : (null)
+0x078 SourceHandle : 0xfffffa80`1fb08580 Void
+0x080 NblFlags : 0
+0x084 ChildRefCount : 0n0
+0x088 Flags : 0x100
+0x08c Status : 0n0
+0x090 NetBufferListInfo : [19] 0x00000000`00220015 Void
</code></pre>
<br />
What appears to be happening here is that multiple NBLs in a chain are being passed, <b>FwpsStreamInjectAsync0</b> is called to pass Bitdefender's data, and then the chain is broken as the call goes on (note that the NBL's <b>Next</b> member is zeroed out/null).<br />
<br />
A possible fix (on Bitdefender's side) is to avoid multiple injections inside the stream callout routine, perhaps by collecting the NBLs into a chain and calling <b>FwpsStreamInjectAsync0</b> just ONCE per callout routine execution. I'm unsure, though; kernel development isn't my strong point : ) <br />
<br />
A fix for users is to install <a href="https://support.microsoft.com/en-us/kb/2664888" target="_blank"><b>this</b></a> hotfix and hope it works, as it should. Alternatively, rather than making any code changes, Bitdefender could simply raise awareness of this issue, for example with a well-explained documentation page linking to the hotfix. I think code changes would be the better fix, though.<br />
<br />
<b>Superfish</b><br />
<br />
<i>Posted 2/27/2015, last updated 6/1/2015.</i><br />
<br />
Oh boy, Superfish. I wanted to finish and post this blog post a week or so ago, but I moved house and didn't have internet. The past few weeks regarding Superfish have been pretty interesting, hilarious, and unfortunate. Interesting and hilarious in that I have absolutely no idea how Lenovo could have seen this as a good idea whatsoever. I've spent several minutes imagining the conversation(s) they could have had regarding Superfish's implementation, but my imagination is probably not even close to the ridiculousness of the reality, so I digress.<br />
<br />
Unfortunate in that this was a relatively dramatic way to raise awareness regarding MITM, digital certificates, etc. I suppose it's important to have situations like this occur, though; otherwise raising awareness wouldn't happen in the first place. It's also unfortunate in that a lot of people who were loyal to Lenovo supposedly no longer are. It's a <i>pretty stupid </i>thing to lose your customers' loyalty over, especially when it's an actual security risk.<br />
<br />
I'm not going to discuss the basic story and such of Superfish, as it's been discussed practically everywhere in detail. A few good examples:<br />
<br />
<a href="http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/" target="_blank">Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections</a> <br />
<br />
by <a href="https://twitter.com/dangoodin001" target="_blank">Dan Goodin</a>.<br />
<br />
<a href="http://www.tripwire.com/state-of-security/security-data-protection/superfish-lenovo-adware-faq/" target="_blank">What You Need to Know About Superfish, The Man-in-the-Middle Adware Installed on Lenovo PCs</a><br />
<br />
by <a href="https://twitter.com/gcluley" target="_blank">Graham Cluley</a>.<br />
<br />
<a href="https://bsodtutorials.wordpress.com/2015/02/19/superfish-theres-nothing-super-about-it/" target="_blank">Superfish – There’s Nothing Super About It</a><br />
<br />
by <a href="https://twitter.com/CompSciMaths" target="_blank">Harry Miller</a>. <br />
<br />
...etc.<br />
<br />
Instead what I will go into is the guts of the fish. Before starting though, I'd like to extend a big thank you to <a href="https://filippo.io/" target="_blank">Filippo Valsorda</a>, who jumped to action basically as soon as it happened (as he did with Heartbleed). He was a large reason for the quick response to Superfish, and not just in the infosec community.<br />
<br />
Also a note to check out <a href="http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html" target="_blank">Robert Graham's post</a> on extracting the cert. It was done impressively fast : )<br />
<br />
First off, since all we're starting with is a single binary, our first goal is to analyze it. Let's take a look at the executable itself:<br />
<br />
<b>-- MD5:</b><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 6ecbdd9164268c149d8283a901713cb4
</code></pre>
<br />
<b>-- SHA1:</b><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> a502ea9fae7e8fe64308088ecc585b45ead76da1
</code></pre>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd4rAmznxNPaJd5pKEQv5_-f5P99tvkTzUOUJdriPh8c7CfuwZQgrc6pQKrKfAV-iXHI3zxNPPnhTVjI_0ID1kXO_C2H8ymt69A234WOs5vgGGN1wS5sKLArF53mC8Ng0mEyUHfF7yXIAG/s1600/setup+exe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjd4rAmznxNPaJd5pKEQv5_-f5P99tvkTzUOUJdriPh8c7CfuwZQgrc6pQKrKfAV-iXHI3zxNPPnhTVjI_0ID1kXO_C2H8ymt69A234WOs5vgGGN1wS5sKLArF53mC8Ng0mEyUHfF7yXIAG/s1600/setup+exe.png" width="320" /></a></div>
<br />
<br />
Let's extract the icon to try and get a better look at it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1QCCLIac6zSZ4aQqQNaaoArXOg0-kQRDHm3RxDTjjbYboMAIVpsRoW6krqR4_v3NI351r_jruuViAa3eQxsJnPSYLbj6hpvZJOVBibCPiE9GsPKqIx7IpDJ85ZNfMK2T3fnA4lkAPwVyD/s1600/sfishicon.ico" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1QCCLIac6zSZ4aQqQNaaoArXOg0-kQRDHm3RxDTjjbYboMAIVpsRoW6krqR4_v3NI351r_jruuViAa3eQxsJnPSYLbj6hpvZJOVBibCPiE9GsPKqIx7IpDJ85ZNfMK2T3fnA4lkAPwVyD/s1600/sfishicon.ico" /></a></div>
<br />
We could have alternatively set the view settings to a large icon size for example, but extracting is more fun : )<br />
<br />
As you can see, the icon carries the letters NSIS. NSIS is a script-driven open source system used to create Windows installers. It's a really popular free alternative to InstallShield, for example, and seeing it used for Superfish is not surprising. I'm not sure you can call this obfuscation, but it's certainly a 'packer' if you'd like to get technical.<br />
<br />
Let's now take a look at the executable to get some information. We can use a variety of tools such as, but not limited to, PEiD and CFF Explorer. For this example, I will use CFF Explorer. Taking a look at the Section Headers as an example, we can see the entry point (EP) of the executable resides in <b>.text</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibt4E4rsIb06g70CQZjlvuGA4WziL1PrEC8SmqEP9JuSnVzoNvU8NQ7wumSYWYfiapCZDqotwvKY7NT_P86HaaNtTo6kqEzry3DqQ3IfzZeGRtSyegyeHWulAhJeWcvxfo5r0gguTqOLkL/s1600/section+header+ep.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="119" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibt4E4rsIb06g70CQZjlvuGA4WziL1PrEC8SmqEP9JuSnVzoNvU8NQ7wumSYWYfiapCZDqotwvKY7NT_P86HaaNtTo6kqEzry3DqQ3IfzZeGRtSyegyeHWulAhJeWcvxfo5r0gguTqOLkL/s1600/section+header+ep.png" width="320" /></a></div>
<br />
We can also use CFF Explorer to check the Resource Editor to view things such as the version info of the executable, as well as the configuration file:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfYZl8it1TafrBfZ-79GvO8momldBmjI1txG1wPu8Kgz9KO1QvRGMYRFMI-axGWpFcesR90E2ZYERlQhgaGMGGsPy1jDM4K1R9TN3pSiUrelz_4cESuPGOP-g5hB3HhYtclx3-fHod0Rau/s1600/configuration+file.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfYZl8it1TafrBfZ-79GvO8momldBmjI1txG1wPu8Kgz9KO1QvRGMYRFMI-axGWpFcesR90E2ZYERlQhgaGMGGsPy1jDM4K1R9TN3pSiUrelz_4cESuPGOP-g5hB3HhYtclx3-fHod0Rau/s1600/configuration+file.png" width="320" /></a></div>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>
  <description>Nullsoft Install System v2.46</description>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="highestAvailable" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    </application>
  </compatibility>
</assembly>
</code></pre>
<br />
For example, the language ID of the configuration was <b>1033</b>, which tells us the executable likely originated on an English OS.<br />
<br />
Using Dependency Walker, we can confirm that the packer used was Nullsoft's (along with other information):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7_Xxx2c9C3CS3vtFu0wtwb-YMK1ETr1vGpZYUpeo7-DuWp-RV4Hm_P_1ZQ_EVFoj2Z0b-bUUJ-10iAsxBE-OBF5Q4cQTTjCQGiw6lsZV1m-9Dadgh6WNByhIzA8XSRbGQwrrFcJPWudDT/s1600/dependency+walker.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7_Xxx2c9C3CS3vtFu0wtwb-YMK1ETr1vGpZYUpeo7-DuWp-RV4Hm_P_1ZQ_EVFoj2Z0b-bUUJ-10iAsxBE-OBF5Q4cQTTjCQGiw6lsZV1m-9Dadgh6WNByhIzA8XSRbGQwrrFcJPWudDT/s1600/dependency+walker.png" width="318" /></a></div>
<br />
As we can see, the packer used was Nullsoft PiMP Stub > SFX. We can also see the URL (which was also in the version info strings), as well as the overall ProductName. <br />
<br />
So now that we've taken a quick look at some of the PE information, how do we unpack NSIS to take a look at its packed contents? Easy: we use 7-Zip or any similar archiver:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw3Su_hpHzfTXlsipmJFLJb1AtVyRzfBiKhnaxwhKTgK-acDPheFDUPjvtLWi0uY5eJ2wIOhbsznnQ7GBkDRl927grDjrU4dEXEPZnUt-TB4w4tTicRhdPUPlf2Rj3p0PGqpI-4ohYf5i-/s1600/7zipunpack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgw3Su_hpHzfTXlsipmJFLJb1AtVyRzfBiKhnaxwhKTgK-acDPheFDUPjvtLWi0uY5eJ2wIOhbsznnQ7GBkDRl927grDjrU4dEXEPZnUt-TB4w4tTicRhdPUPlf2Rj3p0PGqpI-4ohYf5i-/s1600/7zipunpack.png" width="320" /></a></div>
After disassembling the WFP installer executable, for example, and perusing it, we can find neat tidbits such as:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .text:00407EF5 push offset aSInstallerX32V ; "%s Installer(x32) v%s 2011(c) By Komodi"...
</code></pre>
<br />
We can see a push containing "By Komodi..." which, of course, is Komodia.<br />
<br />
There's also VM detection, for programs such as Microsoft's Virtual PC:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .text:004080D5 loc_4080D5: ; CODE XREF: _main+2AC j
.text:004080D5 push offset a32bit ; " 32bit"
.text:004080DA
.text:004080DA loc_4080DA: ; CODE XREF: _main+2B3 j
.text:004080DA call sub_402960
.text:004080DF add esp, 4
.text:004080E2 call sub_402C50
.text:004080E7 test al, al
.text:004080E9 jz short loc_4080F2
.text:004080EB push offset aInsideVirtualP ; " inside Virtual PC(tm)"
.text:004080F0 jmp short loc_408100
</code></pre>
<br />
And VMware:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .text:004080F2 loc_4080F2: ; CODE XREF: _main+2C9 j
.text:004080F2 call sub_402D00
.text:004080F7 test al, al
.text:004080F9 jz short loc_408108
.text:004080FB push offset aInsideVmwareTm ; " inside VMWare(tm)"
.text:00408100
.text:00408100 loc_408100: ; CODE XREF: _main+2D0 j
.text:00408100 call sub_402960
.text:00408105 add esp, 4
.text:00408108
.text:00408108 loc_408108: ; CODE XREF: _main+2D9 j
.text:00408108 push esi
.text:00408109 call sub_402E40
.text:0040810E add esp, 4
.text:00408111 test al, al
.text:00408113 jz short loc_408145
.text:00408115 lea edx, [ebp+380h+TokenHandle]
.text:00408118 push edx ; TokenHandle
.text:00408119 call sub_402E70
.text:0040811E add esp, 4
.text:00408121 cmp [ebp+380h+TokenHandle], 0
.text:00408125 jz short loc_408133
.text:00408127 push offset aErrorWhileTryi ; "\nError while trying to determine eleva"...
.text:0040812C call sub_402A00
.text:00408131 jmp short loc_40814F
</code></pre>
<br />
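The string pushes in these listings (the VM markers above and the image-name/product-name pairs in the antivirus listing that follows) can be pulled out mechanically so the sample's checks can be summarised without reading every line. This is an added example, not code from the post; it parses IDA listing text of the form shown here, and it assumes that every antivirus check is the two-push pattern seen in the listing (process image name, then vendor/product string).<br />

```python
"""Triage helper: extract pushed string literals from an IDA .text listing and
pair each antivirus image name with the product string pushed after it."""
import re
from collections import OrderedDict

# One IDA listing line that pushes the address of a string literal.  IDA repeats
# the literal in the trailing comment and appends "..." when it truncates it.
PUSH_STRING_RE = re.compile(
    r'^\.text:(?P<addr>[0-9A-Fa-f]{8})\s+push\s+offset\s+(?P<label>\w+)'
    r'\s*;\s*"(?P<text>.*)"(?P<trunc>\.\.\.)?\s*$'
)

# Constructed sample: lines copied from the listings on this page (the truncated
# Komodia banner, the VM checks, a few AV checks) plus calls that must be ignored.
SAMPLE_LISTING = """\
.text:00407EF5 push offset aSInstallerX32V ; "%s Installer(x32) v%s 2011(c) By Komodi"...
.text:004080D5 push offset a32bit ; " 32bit"
.text:004080EB push offset aInsideVirtualP ; " inside Virtual PC(tm)"
.text:004080FB push offset aInsideVmwareTm ; " inside VMWare(tm)"
.text:00405269 push offset aV3lsvc_exe ; "v3lsvc.exe"
.text:0040527E call sub_401820
.text:00405285 push offset aAhnlab ; "AhnLab"
.text:004052A1 call sub_401820
.text:004052A8 push offset aAhnsd_exe ; "ahnsd.exe"
.text:004052CC push offset aAhnlab ; "AhnLab"
.text:004054D6 push offset aAshwebsv_exe ; "ashwebsv.exe"
.text:00405506 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:00405596 push offset aAshwebsv_exe_0 ; "ashWebSv.exe"
.text:004055C6 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:00405D6A push offset aAvp_exe ; "avp.exe"
.text:00405D83 push offset aKasperskyLabAv ; "Kaspersky Lab AVP"
"""


def extract_string_pushes(listing):
    """Return (addr, label, text, truncated) for every `push offset aXxx ; "..."`
    line, in listing order.  Other instructions are skipped."""
    pushes = []
    for line in listing.splitlines():
        m = PUSH_STRING_RE.match(line.strip())
        if m:
            pushes.append((int(m.group('addr'), 16), m.group('label'),
                           m.group('text'), m.group('trunc') is not None))
    return pushes


def pair_av_checks(pushes):
    """Map product/vendor string -> [image names] the sample checks for it.

    Each AV check in the listing is two consecutive string pushes: the image
    name (ends in .exe), then the vendor/product string.  Image names are
    lower-cased because Windows compares them case-insensitively, so
    "ashwebsv.exe" and "ashWebSv.exe" collapse into a single entry.
    """
    products = OrderedDict()
    texts = [text for _, _, text, _ in pushes]
    for exe, product in zip(texts, texts[1:]):
        if exe.lower().endswith('.exe') and not product.lower().endswith('.exe'):
            names = products.setdefault(product, [])
            if exe.lower() not in names:
                names.append(exe.lower())
    return products


def vm_detection_strings(pushes):
    """Pushed strings that name a virtualisation product, such as the
    " inside Virtual PC(tm)" / " inside VMWare(tm)" markers in the listing."""
    needles = ('virtual pc', 'vmware', 'virtualbox', 'qemu')
    return [text.strip() for _, _, text, _ in pushes
            if any(n in text.lower() for n in needles)]


if __name__ == '__main__':
    found = extract_string_pushes(SAMPLE_LISTING)
    for addr, _, text, truncated in found:
        print(f'{addr:08X} {text!r}{" (truncated by IDA)" if truncated else ""}')
    print('VM markers:', vm_detection_strings(found))
    for product, names in pair_av_checks(found).items():
        print(f'{product}: {", ".join(names)}')
```

On the full antivirus listing the same pairing yields one line per vendor with every image name the sample probes for, which is the list a detection engineer wants when deciding what this binary is evading.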
In addition to VM detection, it also checks for <i>many</i> antivirus/security applications:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 300px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .text:00405220 push 0FFFFFFFFh
.text:00405222 push offset sub_419E99
.text:00405227 mov eax, large fs:0
.text:0040522D push eax
.text:0040522E mov eax, 161Ch
.text:00405233 call __alloca_probe
.text:00405238 mov eax, ___security_cookie
.text:0040523D xor eax, esp
.text:0040523F mov [esp+1628h+var_10], eax
.text:00405246 push ebx
.text:00405247 push esi
.text:00405248 push edi
.text:00405249 mov eax, ___security_cookie
.text:0040524E xor eax, esp
.text:00405250 push eax
.text:00405251 lea eax, [esp+1638h+var_C]
.text:00405258 mov large fs:0, eax
.text:0040525E push 0Ah ; MaxCount
.text:00405260 mov edi, ecx
.text:00405262 xor ebx, ebx
.text:00405264 mov esi, 0Fh
.text:00405269 push offset aV3lsvc_exe ; "v3lsvc.exe"
.text:0040526E lea ecx, [esp+1640h+var_1628]
.text:00405272 mov [esp+1640h+var_1610], esi
.text:00405276 mov [esp+1640h+var_1614], ebx
.text:0040527A mov [esp+1640h+var_1624], bl
.text:0040527E call sub_401820
.text:00405283 push 6 ; MaxCount
.text:00405285 push offset aAhnlab ; "AhnLab"
.text:0040528A lea ecx, [esp+1640h+var_160C]
.text:0040528E mov [esp+1640h+var_4], ebx
.text:00405295 mov [esp+1640h+var_15F4], esi
.text:00405299 mov [esp+1640h+var_15F8], ebx
.text:0040529D mov [esp+1640h+var_1608], bl
.text:004052A1 call sub_401820
.text:004052A6 push 9 ; MaxCount
.text:004052A8 push offset aAhnsd_exe ; "ahnsd.exe"
.text:004052AD lea ecx, [esp+1640h+var_15F0]
.text:004052B1 mov byte ptr [esp+1640h+var_4], 1
.text:004052B9 mov [esp+1640h+var_15D8], esi
.text:004052BD mov [esp+1640h+var_15DC], ebx
.text:004052C1 mov [esp+1640h+var_15EC], bl
.text:004052C5 call sub_401820
.text:004052CA push 6 ; MaxCount
.text:004052CC push offset aAhnlab ; "AhnLab"
.text:004052D1 lea ecx, [esp+1640h+var_15D4]
.text:004052D5 mov byte ptr [esp+1640h+var_4], 2
.text:004052DD mov [esp+1640h+var_15BC], esi
.text:004052E4 mov [esp+1640h+var_15C0], ebx
.text:004052EB mov [esp+1640h+var_15D0], bl
.text:004052EF call sub_401820
.text:004052F4 push 0Ah ; MaxCount
.text:004052F6 push offset aV3lsvc_exe ; "v3lsvc.exe"
.text:004052FB lea ecx, [esp+1640h+var_15B8]
.text:00405302 mov byte ptr [esp+1640h+var_4], 3
.text:0040530A mov [esp+1640h+var_15A0], esi
.text:00405311 mov [esp+1640h+var_15A4], ebx
.text:00405318 mov [esp+1640h+var_15B4], bl
.text:0040531F call sub_401820
.text:00405324 push 10h ; MaxCount
.text:00405326 push offset aAntiyLabsAntiy ; "Antiy Labs Antiy"
.text:0040532B lea ecx, [esp+1640h+var_159C]
.text:00405332 mov byte ptr [esp+1640h+var_4], 4
.text:0040533A mov [esp+1640h+var_1584], esi
.text:00405341 mov [esp+1640h+var_1588], ebx
.text:00405348 mov [esp+1640h+var_1598], bl
.text:0040534F call sub_401820
.text:00405354 push 9 ; MaxCount
.text:00405356 push offset aEsd30_exe ; "esd30.exe"
.text:0040535B lea ecx, [esp+1640h+var_1580]
.text:00405362 mov byte ptr [esp+1640h+var_4], 5
.text:0040536A mov [esp+1640h+var_1568], esi
.text:00405371 mov [esp+1640h+var_156C], ebx
.text:00405378 mov [esp+1640h+var_157C], bl
.text:0040537F call sub_401820
.text:00405384 push 0Dh ; MaxCount
.text:00405386 push offset aAladdinEsafe ; "Aladdin eSafe"
.text:0040538B lea ecx, [esp+1640h+var_1564]
.text:00405392 mov byte ptr [esp+1640h+var_4], 6
.text:0040539A mov [esp+1640h+var_154C], esi
.text:004053A1 mov [esp+1640h+var_1550], ebx
.text:004053A8 mov [esp+1640h+var_1560], bl
.text:004053AF call sub_401820
.text:004053B4 push 0Ch ; MaxCount
.text:004053B6 mov byte ptr [esp+163Ch+var_4], 7
.text:004053BE mov [esp+163Ch+var_1530], esi
.text:004053C5 mov [esp+163Ch+var_1534], ebx
.text:004053CC mov [esp+163Ch+var_1544], bl
.text:004053D3 push offset aAshmaisv_exe ; "ashmaisv.exe"
.text:004053D8 lea ecx, [esp+1640h+var_1548]
.text:004053DF call sub_401820
.text:004053E4 push 16h ; MaxCount
.text:004053E6 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:004053EB lea ecx, [esp+1640h+var_152C]
.text:004053F2 mov byte ptr [esp+1640h+var_4], 8
.text:004053FA mov [esp+1640h+var_1514], esi
.text:00405401 mov [esp+1640h+var_1518], ebx
.text:00405408 mov [esp+1640h+var_1528], bl
.text:0040540F call sub_401820
.text:00405414 push 0Bh ; MaxCount
.text:00405416 push offset aAshserv_exe ; "ashserv.exe"
.text:0040541B lea ecx, [esp+1640h+var_1510]
.text:00405422 mov byte ptr [esp+1640h+var_4], 9
.text:0040542A mov [esp+1640h+var_14F8], esi
.text:00405431 mov [esp+1640h+var_14FC], ebx
.text:00405438 mov [esp+1640h+var_150C], bl
.text:0040543F call sub_401820
.text:00405444 push 16h ; MaxCount
.text:00405446 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:0040544B lea ecx, [esp+1640h+var_14F4]
.text:00405452 mov byte ptr [esp+1640h+var_4], 0Ah
.text:0040545A mov [esp+1640h+var_14DC], esi
.text:00405461 mov [esp+1640h+var_14E0], ebx
.text:00405468 mov [esp+1640h+var_14F0], bl
.text:0040546F call sub_401820
.text:00405474 push 0Ch ; MaxCount
.text:00405476 push offset aAswupdsv_exe ; "aswupdsv.exe"
.text:0040547B lea ecx, [esp+1640h+var_14D8]
.text:00405482 mov byte ptr [esp+1640h+var_4], 0Bh
.text:0040548A mov [esp+1640h+var_14C0], esi
.text:00405491 mov [esp+1640h+var_14C4], ebx
.text:00405498 mov [esp+1640h+var_14D4], bl
.text:0040549F call sub_401820
.text:004054A4 push 16h ; MaxCount
.text:004054A6 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:004054AB lea ecx, [esp+1640h+var_14BC]
.text:004054B2 mov byte ptr [esp+1640h+var_4], 0Ch
.text:004054BA mov [esp+1640h+var_14A4], esi
.text:004054C1 mov [esp+1640h+var_14A8], ebx
.text:004054C8 mov [esp+1640h+var_14B8], bl
.text:004054CF call sub_401820
.text:004054D4 push 0Ch ; MaxCount
.text:004054D6 push offset aAshwebsv_exe ; "ashwebsv.exe"
.text:004054DB lea ecx, [esp+1640h+var_14A0]
.text:004054E2 mov byte ptr [esp+1640h+var_4], 0Dh
.text:004054EA mov [esp+1640h+var_1488], esi
.text:004054F1 mov [esp+1640h+var_148C], ebx
.text:004054F8 mov [esp+1640h+var_149C], bl
.text:004054FF call sub_401820
.text:00405504 push 16h ; MaxCount
.text:00405506 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:0040550B lea ecx, [esp+1640h+var_1484]
.text:00405512 mov byte ptr [esp+1640h+var_4], 0Eh
.text:0040551A mov [esp+1640h+var_146C], esi
.text:00405521 mov [esp+1640h+var_1470], ebx
.text:00405528 mov [esp+1640h+var_1480], bl
.text:0040552F call sub_401820
.text:00405534 push 0Ch ; MaxCount
.text:00405536 push offset aAshsimpl_exe ; "ashsimpl.exe"
.text:0040553B lea ecx, [esp+1640h+var_1468]
.text:00405542 mov byte ptr [esp+1640h+var_4], 0Fh
.text:0040554A mov [esp+1640h+var_1450], esi
.text:00405551 mov [esp+1640h+var_1454], ebx
.text:00405558 mov [esp+1640h+var_1464], bl
.text:0040555F call sub_401820
.text:00405564 push 16h ; MaxCount
.text:00405566 mov byte ptr [esp+163Ch+var_4], 10h
.text:0040556E mov [esp+163Ch+var_1434], esi
.text:00405575 mov [esp+163Ch+var_1438], ebx
.text:0040557C mov [esp+163Ch+var_1448], bl
.text:00405583 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:00405588 lea ecx, [esp+1640h+var_144C]
.text:0040558F call sub_401820
.text:00405594 push 0Ch ; MaxCount
.text:00405596 push offset aAshwebsv_exe_0 ; "ashWebSv.exe"
.text:0040559B lea ecx, [esp+1640h+var_1430]
.text:004055A2 mov byte ptr [esp+1640h+var_4], 11h
.text:004055AA mov [esp+1640h+var_1418], esi
.text:004055B1 mov [esp+1640h+var_141C], ebx
.text:004055B8 mov [esp+1640h+var_142C], bl
.text:004055BF call sub_401820
.text:004055C4 push 16h ; MaxCount
.text:004055C6 push offset aAlwilAvastAnti ; "ALWIL Avast! Antivirus"
.text:004055CB lea ecx, [esp+1640h+var_1414]
.text:004055D2 mov byte ptr [esp+1640h+var_4], 12h
.text:004055DA mov [esp+1640h+var_13FC], esi
.text:004055E1 mov [esp+1640h+var_1400], ebx
.text:004055E8 mov [esp+1640h+var_1410], bl
.text:004055EF call sub_401820
.text:004055F4 push 0Ah ; MaxCount
.text:004055F6 push offset aDvpapi_exe ; "dvpapi.exe"
.text:004055FB lea ecx, [esp+1640h+var_13F8]
.text:00405602 mov byte ptr [esp+1640h+var_4], 13h
.text:0040560A mov [esp+1640h+var_13E0], esi
.text:00405611 mov [esp+1640h+var_13E4], ebx
.text:00405618 mov [esp+1640h+var_13F4], bl
.text:0040561F call sub_401820
.text:00405624 push 1Ch ; MaxCount
.text:00405626 push offset aAuthentiumComm ; "Authentium Command Antivirus"
.text:0040562B lea ecx, [esp+1640h+var_13DC]
.text:00405632 mov byte ptr [esp+1640h+var_4], 14h
.text:0040563A mov [esp+1640h+var_13C4], esi
.text:00405641 mov [esp+1640h+var_13C8], ebx
.text:00405648 mov [esp+1640h+var_13D8], bl
.text:0040564F call sub_401820
.text:00405654 push 0Ah ; MaxCount
.text:00405656 push offset aAuthfw_exe ; "authfw.exe"
.text:0040565B lea ecx, [esp+1640h+var_13C0]
.text:00405662 mov byte ptr [esp+1640h+var_4], 15h
.text:0040566A mov [esp+1640h+var_13A8], esi
.text:00405671 mov [esp+1640h+var_13AC], ebx
.text:00405678 mov [esp+1640h+var_13BC], bl
.text:0040567F call sub_401820
.text:00405684 push 1Ch ; MaxCount
.text:00405686 push offset aAuthentiumComm ; "Authentium Command Antivirus"
.text:0040568B lea ecx, [esp+1640h+var_13A4]
.text:00405692 mov byte ptr [esp+1640h+var_4], 16h
.text:0040569A mov [esp+1640h+var_138C], esi
.text:004056A1 mov [esp+1640h+var_1390], ebx
.text:004056A8 mov [esp+1640h+var_13A0], bl
.text:004056AF call sub_401820
.text:004056B4 push 0Ah ; MaxCount
.text:004056B6 push offset aAvgrsx_exe ; "avgrsx.exe"
.text:004056BB lea ecx, [esp+1640h+var_1388]
.text:004056C2 mov byte ptr [esp+1640h+var_4], 17h
.text:004056CA mov [esp+1640h+var_1370], esi
.text:004056D1 mov [esp+1640h+var_1374], ebx
.text:004056D8 mov [esp+1640h+var_1384], bl
.text:004056DF call sub_401820
.text:004056E4 push 14h ; MaxCount
.text:004056E6 push offset aAvgTechnologie ; "AVG Technologies AVG"
.text:004056EB lea ecx, [esp+1640h+var_136C]
.text:004056F2 mov byte ptr [esp+1640h+var_4], 18h
.text:004056FA mov [esp+1640h+var_1354], esi
.text:00405701 mov [esp+1640h+var_1358], ebx
.text:00405708 mov [esp+1640h+var_1368], bl
.text:0040570F call sub_401820
.text:00405714 push 0Bh ; MaxCount
.text:00405716 mov byte ptr [esp+163Ch+var_4], 19h
.text:0040571E mov [esp+163Ch+var_1338], esi
.text:00405725 mov [esp+163Ch+var_133C], ebx
.text:0040572C mov [esp+163Ch+var_134C], bl
.text:00405733 push offset aAvguard_exe ; "avguard.exe"
.text:00405738 lea ecx, [esp+1640h+var_1350]
.text:0040573F call sub_401820
.text:00405744 push 0Dh ; MaxCount
.text:00405746 push offset aAviraAntivir ; "Avira AntiVir"
.text:0040574B lea ecx, [esp+1640h+var_1334]
.text:00405752 mov byte ptr [esp+1640h+var_4], 1Ah
.text:0040575A mov [esp+1640h+var_131C], esi
.text:00405761 mov [esp+1640h+var_1320], ebx
.text:00405768 mov [esp+1640h+var_1330], bl
.text:0040576F call sub_401820
.text:00405774 push 0Ch ; MaxCount
.text:00405776 push offset aAvcenter_exe ; "avcenter.exe"
.text:0040577B lea ecx, [esp+1640h+var_1318]
.text:00405782 mov byte ptr [esp+1640h+var_4], 1Bh
.text:0040578A mov [esp+1640h+var_1300], esi
.text:00405791 mov [esp+1640h+var_1304], ebx
.text:00405798 mov [esp+1640h+var_1314], bl
.text:0040579F call sub_401820
.text:004057A4 push 0Dh ; MaxCount
.text:004057A6 push offset aAviraAntivir ; "Avira AntiVir"
.text:004057AB lea ecx, [esp+1640h+var_12FC]
.text:004057B2 mov byte ptr [esp+1640h+var_4], 1Ch
.text:004057BA mov [esp+1640h+var_12E4], esi
.text:004057C1 mov [esp+1640h+var_12E8], ebx
.text:004057C8 mov [esp+1640h+var_12F8], bl
.text:004057CF call sub_401820
.text:004057D4 push 9 ; MaxCount
.text:004057D6 push offset aAvcmd_exe ; "avcmd.exe"
.text:004057DB lea ecx, [esp+1640h+var_12E0]
.text:004057E2 mov byte ptr [esp+1640h+var_4], 1Dh
.text:004057EA mov [esp+1640h+var_12C8], esi
.text:004057F1 mov [esp+1640h+var_12CC], ebx
.text:004057F8 mov [esp+1640h+var_12DC], bl
.text:004057FF call sub_401820
.text:00405804 push 0Dh ; MaxCount
.text:00405806 push offset aAviraAntivir ; "Avira AntiVir"
.text:0040580B lea ecx, [esp+1640h+var_12C4]
.text:00405812 mov byte ptr [esp+1640h+var_4], 1Eh
.text:0040581A mov [esp+1640h+var_12AC], esi
.text:00405821 mov [esp+1640h+var_12B0], ebx
.text:00405828 mov [esp+1640h+var_12C0], bl
.text:0040582F call sub_401820
.text:00405834 push 0Ch ; MaxCount
.text:00405836 push offset aAvconfig_exe ; "avconfig.exe"
.text:0040583B lea ecx, [esp+1640h+var_12A8]
.text:00405842 mov byte ptr [esp+1640h+var_4], 1Fh
.text:0040584A mov [esp+1640h+var_1290], esi
.text:00405851 mov [esp+1640h+var_1294], ebx
.text:00405858 mov [esp+1640h+var_12A4], bl
.text:0040585F call sub_401820
.text:00405864 push 0Dh ; MaxCount
.text:00405866 push offset aAviraAntivir ; "Avira AntiVir"
.text:0040586B lea ecx, [esp+1640h+var_128C]
.text:00405872 mov byte ptr [esp+1640h+var_4], 20h
.text:0040587A mov [esp+1640h+var_1274], esi
.text:00405881 mov [esp+1640h+var_1278], ebx
.text:00405888 mov [esp+1640h+var_1288], bl
.text:0040588F call sub_401820
.text:00405894 push 0Ah ; MaxCount
.text:00405896 push offset aAvesvc_exe ; "avesvc.exe"
.text:0040589B lea ecx, [esp+1640h+var_1270]
.text:004058A2 mov byte ptr [esp+1640h+var_4], 21h
.text:004058AA mov [esp+1640h+var_1258], esi
.text:004058B1 mov [esp+1640h+var_125C], ebx
.text:004058B8 mov [esp+1640h+var_126C], bl
.text:004058BF call sub_401820
.text:004058C4 push 0Dh ; MaxCount
.text:004058C6 mov byte ptr [esp+163Ch+var_4], 22h
.text:004058CE mov [esp+163Ch+var_123C], esi
.text:004058D5 mov [esp+163Ch+var_1240], ebx
.text:004058DC mov [esp+163Ch+var_1250], bl
.text:004058E3 push offset aAviraAntivir ; "Avira AntiVir"
.text:004058E8 lea ecx, [esp+1640h+var_1254]
.text:004058EF call sub_401820
.text:004058F4 push 9 ; MaxCount
.text:004058F6 push offset aAvgnt_exe ; "avgnt.exe"
.text:004058FB lea ecx, [esp+1640h+var_1238]
.text:00405902 mov byte ptr [esp+1640h+var_4], 23h
.text:0040590A mov [esp+1640h+var_1220], esi
.text:00405911 mov [esp+1640h+var_1224], ebx
.text:00405918 mov [esp+1640h+var_1234], bl
.text:0040591F call sub_401820
.text:00405924 push 0Dh ; MaxCount
.text:00405926 push offset aAviraAntivir ; "Avira AntiVir"
.text:0040592B lea ecx, [esp+1640h+var_121C]
.text:00405932 mov byte ptr [esp+1640h+var_4], 24h
.text:0040593A mov [esp+1640h+var_1204], esi
.text:00405941 mov [esp+1640h+var_1208], ebx
.text:00405948 mov [esp+1640h+var_1218], bl
.text:0040594F call sub_401820
.text:00405954 push 0Bh ; MaxCount
.text:00405956 push offset aAvmailc_exe ; "avmailc.exe"
.text:0040595B lea ecx, [esp+1640h+var_1200]
.text:00405962 mov byte ptr [esp+1640h+var_4], 25h
.text:0040596A mov [esp+1640h+var_11E8], esi
.text:00405971 mov [esp+1640h+var_11EC], ebx
.text:00405978 mov [esp+1640h+var_11FC], bl
.text:0040597F call sub_401820
.text:00405984 push 0Dh ; MaxCount
.text:00405986 push offset aAviraAntivir ; "Avira AntiVir"
.text:0040598B lea ecx, [esp+1640h+var_11E4]
.text:00405992 mov byte ptr [esp+1640h+var_4], 26h
.text:0040599A mov [esp+1640h+var_11CC], esi
.text:004059A1 mov [esp+1640h+var_11D0], ebx
.text:004059A8 mov [esp+1640h+var_11E0], bl
.text:004059AF call sub_401820
.text:004059B4 push offset aAvmcdlg_exe ; "avmcdlg.exe"
.text:004059B9 lea ecx, [esp+163Ch+var_11C8]
.text:004059C0 mov byte ptr [esp+163Ch+var_4], 27h
.text:004059C8 call sub_401AC0
.text:004059CD push offset aAviraAntivir ; "Avira AntiVir"
.text:004059D2 lea ecx, [esp+163Ch+var_11AC]
.text:004059D9 mov byte ptr [esp+163Ch+var_4], 28h
.text:004059E1 call sub_401AC0
.text:004059E6 push offset aQhntevl_exe ; "qhntevl.exe"
.text:004059EB lea ecx, [esp+163Ch+var_1190]
.text:004059F2 mov byte ptr [esp+163Ch+var_4], 29h
.text:004059FA call sub_401AC0
.text:004059FF push offset aCatComputerSer ; "Cat Computer Services Quick Heal"
.text:00405A04 lea ecx, [esp+163Ch+var_1174]
.text:00405A0B mov byte ptr [esp+163Ch+var_4], 2Ah
.text:00405A13 call sub_401AC0
.text:00405A18 push offset aClamav_exe ; "clamav.exe"
.text:00405A1D lea ecx, [esp+163Ch+var_1158]
.text:00405A24 mov byte ptr [esp+163Ch+var_4], 2Bh
.text:00405A2C call sub_401AC0
.text:00405A31 push offset aClamav ; "ClamAV"
.text:00405A36 lea ecx, [esp+163Ch+var_113C]
.text:00405A3D mov byte ptr [esp+163Ch+var_4], 2Ch
.text:00405A45 call sub_401AC0
.text:00405A4A push offset aCmain_exe ; "cmain.exe"
.text:00405A4F lea ecx, [esp+163Ch+var_1120]
.text:00405A56 mov byte ptr [esp+163Ch+var_4], 2Dh
.text:00405A5E call sub_401AC0
.text:00405A63 push offset aComodo ; "Comodo"
.text:00405A68 lea ecx, [esp+163Ch+var_1104]
.text:00405A6F mov byte ptr [esp+163Ch+var_4], 2Eh
.text:00405A77 call sub_401AC0
.text:00405A7C mov byte ptr [esp+1638h+var_4], 2Fh
.text:00405A84 push offset aCapfaem_exe ; "capfaem.exe"
.text:00405A89 lea ecx, [esp+163Ch+var_10E8]
.text:00405A90 call sub_401AC0
.text:00405A95 push offset aCcaIncVet ; "CCA Inc Vet"
.text:00405A9A lea ecx, [esp+163Ch+var_10CC]
.text:00405AA1 mov byte ptr [esp+163Ch+var_4], 30h
.text:00405AA9 call sub_401AC0
.text:00405AAE push offset aA2service_exe ; "a2service.exe"
.text:00405AB3 lea ecx, [esp+163Ch+var_10B0]
.text:00405ABA mov byte ptr [esp+163Ch+var_4], 31h
.text:00405AC2 call sub_401AC0
.text:00405AC7 push offset aEmsiSoftwareGm ; "Emsi Software GmbH"
.text:00405ACC lea ecx, [esp+163Ch+var_1094]
.text:00405AD3 mov byte ptr [esp+163Ch+var_4], 32h
.text:00405ADB call sub_401AC0
.text:00405AE0 push offset aNod32_exe ; "nod32.exe"
.text:00405AE5 lea ecx, [esp+163Ch+var_1078]
.text:00405AEC mov byte ptr [esp+163Ch+var_4], 33h
.text:00405AF4 call sub_401AC0
.text:00405AF9 push offset aEsetSoftwareNo ; "Eset Software NOD32"
.text:00405AFE lea ecx, [esp+163Ch+var_105C]
.text:00405B05 mov byte ptr [esp+163Ch+var_4], 34h
.text:00405B0D call sub_401AC0
.text:00405B12 push offset aDrweb500Win_ex ; "drweb-500-win.exe"
.text:00405B17 lea ecx, [esp+163Ch+var_1040]
.text:00405B1E mov byte ptr [esp+163Ch+var_4], 35h
.text:00405B26 call sub_401AC0
.text:00405B2B push offset aDoctorWebLtdDr ; "Doctor Web, Ltd DrWeb"
.text:00405B30 lea ecx, [esp+163Ch+var_1024]
.text:00405B37 mov byte ptr [esp+163Ch+var_4], 36h
.text:00405B3F call sub_401AC0
.text:00405B44 push offset aForticlient_ex ; "forticlient.exe"
.text:00405B49 lea ecx, [esp+163Ch+var_1008]
.text:00405B50 mov byte ptr [esp+163Ch+var_4], 37h
.text:00405B58 call sub_401AC0
.text:00405B5D push offset aFortinet ; "Fortinet"
.text:00405B62 lea ecx, [esp+163Ch+var_FEC]
.text:00405B69 mov byte ptr [esp+163Ch+var_4], 38h
.text:00405B71 call sub_401AC0
.text:00405B76 push offset aFortifw_exe ; "fortifw.exe"
.text:00405B7B lea ecx, [esp+163Ch+var_FD0]
.text:00405B82 mov byte ptr [esp+163Ch+var_4], 39h
.text:00405B8A call sub_401AC0
.text:00405B8F push offset aFortinet ; "Fortinet"
.text:00405B94 lea ecx, [esp+163Ch+var_FB4]
.text:00405B9B mov byte ptr [esp+163Ch+var_4], 3Ah
.text:00405BA3 call sub_401AC0
.text:00405BA8 push offset aFpav_exe ; "fpav.exe"
.text:00405BAD lea ecx, [esp+163Ch+var_F98]
.text:00405BB4 mov byte ptr [esp+163Ch+var_4], 3Bh
.text:00405BBC call sub_401AC0
.text:00405BC1 push offset aFriskSoftwareF ; "FRISK Software F-Prot"
.text:00405BC6 lea ecx, [esp+163Ch+var_F7C]
.text:00405BCD mov byte ptr [esp+163Ch+var_4], 3Ch
.text:00405BD5 call sub_401AC0
.text:00405BDA push offset aFsbwsys_exe ; "fsbwsys.exe"
.text:00405BDF lea ecx, [esp+163Ch+var_F60]
.text:00405BE6 mov byte ptr [esp+163Ch+var_4], 3Dh
.text:00405BEE call sub_401AC0
.text:00405BF3 push offset aFSecure ; "F-Secure"
.text:00405BF8 lea ecx, [esp+163Ch+var_F44]
.text:00405BFF mov byte ptr [esp+163Ch+var_4], 3Eh
.text:00405C07 call sub_401AC0
.text:00405C0C push offset aGdata_exe ; "gdata.exe"
.text:00405C11 lea ecx, [esp+163Ch+var_F28]
.text:00405C18 mov byte ptr [esp+163Ch+var_4], 3Fh
.text:00405C20 call sub_401AC0
.text:00405C25 push offset aGDataSoftwareG ; "G DATA Software GData"
.text:00405C2A lea ecx, [esp+163Ch+var_F0C]
.text:00405C31 mov byte ptr [esp+163Ch+var_4], 40h
.text:00405C39 call sub_401AC0
.text:00405C3E push offset aThav_exe ; "thav.exe"
.text:00405C43 lea ecx, [esp+163Ch+var_EF0]
.text:00405C4A mov byte ptr [esp+163Ch+var_4], 41h
.text:00405C52 call sub_401AC0
.text:00405C57 push offset aHacksoftTheHac ; "Hacksoft The Hacker"
.text:00405C5C lea ecx, [esp+163Ch+var_ED4]
.text:00405C63 mov byte ptr [esp+163Ch+var_4], 42h
.text:00405C6B call sub_401AC0
.text:00405C70 push offset aVrmonsvc_exe ; "vrmonsvc.exe"
.text:00405C75 lea ecx, [esp+163Ch+var_EB8]
.text:00405C7C mov byte ptr [esp+163Ch+var_4], 43h
.text:00405C84 call sub_401AC0
.text:00405C89 push offset aHauriVirobot ; "Hauri ViRobot"
.text:00405C8E lea ecx, [esp+163Ch+var_E9C]
.text:00405C95 mov byte ptr [esp+163Ch+var_4], 44h
.text:00405C9D call sub_401AC0
.text:00405CA2 push offset aNprotect_exe ; "nprotect.exe"
.text:00405CA7 lea ecx, [esp+163Ch+var_E80]
.text:00405CAE mov byte ptr [esp+163Ch+var_4], 45h
.text:00405CB6 call sub_401AC0
.text:00405CBB push offset aIncaInternetNp ; "INCA Internet nProtect"
.text:00405CC0 lea ecx, [esp+163Ch+var_E64]
.text:00405CC7 mov byte ptr [esp+163Ch+var_4], 46h
.text:00405CCF call sub_401AC0
.text:00405CD4 push offset aNpescannert_ex ; "npescannert.exe"
.text:00405CD9 lea ecx, [esp+163Ch+var_E48]
.text:00405CE0 mov byte ptr [esp+163Ch+var_4], 47h
.text:00405CE8 call sub_401AC0
.text:00405CED push offset aIncaInternetNp ; "INCA Internet nProtect"
.text:00405CF2 lea ecx, [esp+163Ch+var_E2C]
.text:00405CF9 mov byte ptr [esp+163Ch+var_4], 48h
.text:00405D01 call sub_401AC0
.text:00405D06 push offset aNploginv_exe ; "nploginv.exe"
.text:00405D0B lea ecx, [esp+163Ch+var_E10]
.text:00405D12 mov byte ptr [esp+163Ch+var_4], 49h
.text:00405D1A call sub_401AC0
.text:00405D1F push offset aIncaInternetNp ; "INCA Internet nProtect"
.text:00405D24 lea ecx, [esp+163Ch+var_DF4]
.text:00405D2B mov byte ptr [esp+163Ch+var_4], 4Ah
.text:00405D33 call sub_401AC0
.text:00405D38 push offset aK7_exe ; "k7.exe"
.text:00405D3D lea ecx, [esp+163Ch+var_DD8]
.text:00405D44 mov byte ptr [esp+163Ch+var_4], 4Bh
.text:00405D4C call sub_401AC0
.text:00405D51 push offset aK7ComputingK7a ; "K7 Computing K7AntiVirus"
.text:00405D56 lea ecx, [esp+163Ch+var_DBC]
.text:00405D5D mov byte ptr [esp+163Ch+var_4], 4Ch
.text:00405D65 call sub_401AC0
.text:00405D6A push offset aAvp_exe ; "avp.exe"
.text:00405D6F lea ecx, [esp+163Ch+var_DA0]
.text:00405D76 mov byte ptr [esp+163Ch+var_4], 4Dh
.text:00405D7E call sub_401AC0
.text:00405D83 push offset aKasperskyLabAv ; "Kaspersky Lab AVP"
.text:00405D88 lea ecx, [esp+163Ch+var_D84]
.text:00405D8F mov byte ptr [esp+163Ch+var_4], 4Eh
.text:00405D97 call sub_401AC0
.text:00405D9C push offset aAvpcc_exe ; "avpcc.exe"
.text:00405DA1 lea ecx, [esp+163Ch+var_D68]
.text:00405DA8 mov byte ptr [esp+163Ch+var_4], 4Fh
.text:00405DB0 call sub_401AC0
.text:00405DB5 push offset aKasperskyLabAv ; "Kaspersky Lab AVP"
.text:00405DBA lea ecx, [esp+163Ch+var_D4C]
.text:00405DC1 mov byte ptr [esp+163Ch+var_4], 50h
.text:00405DC9 call sub_401AC0
.text:00405DCE push offset aAvpm_exe ; "avpm.exe"
.text:00405DD3 lea ecx, [esp+163Ch+var_D30]
.text:00405DDA mov byte ptr [esp+163Ch+var_4], 51h
.text:00405DE2 call sub_401AC0
.text:00405DE7 push offset aKasperskyLabAv ; "Kaspersky Lab AVP"
.text:00405DEC lea ecx, [esp+163Ch+var_D14]
.text:00405DF3 mov byte ptr [esp+163Ch+var_4], 52h
.text:00405DFB call sub_401AC0
.text:00405E00 push offset aAvpm_exe ; "avpm.exe"
.text:00405E05 lea ecx, [esp+163Ch+var_CF8]
.text:00405E0C mov byte ptr [esp+163Ch+var_4], 53h
.text:00405E14 call sub_401AC0
.text:00405E19 push offset aKasperskyLabAv ; "Kaspersky Lab AVP"
.text:00405E1E lea ecx, [esp+163Ch+var_CDC]
.text:00405E25 mov byte ptr [esp+163Ch+var_4], 54h
.text:00405E2D call sub_401AC0
.text:00405E32 push offset aScan32_exe ; "scan32.exe"
.text:00405E37 lea ecx, [esp+163Ch+var_CC0]
.text:00405E3E mov byte ptr [esp+163Ch+var_4], 55h
.text:00405E46 call sub_401AC0
.text:00405E4B push offset aMcafeeVirussca ; "McAfee VirusScan"
.text:00405E50 lea ecx, [esp+163Ch+var_CA4]
.text:00405E57 mov byte ptr [esp+163Ch+var_4], 56h
.text:00405E5F call sub_401AC0
.text:00405E64 push offset aMcwce_exe ; "mcwce.exe"
.text:00405E69 lea ecx, [esp+163Ch+var_C88]
.text:00405E70 mov byte ptr [esp+163Ch+var_4], 57h
.text:00405E78 call sub_401AC0
.text:00405E7D push offset aMcafeeVirussca ; "McAfee VirusScan"
.text:00405E82 lea ecx, [esp+163Ch+var_C6C]
.text:00405E89 mov byte ptr [esp+163Ch+var_4], 58h
.text:00405E91 call sub_401AC0
.text:00405E96 push offset aEdisk_exe ; "edisk.exe"
.text:00405E9B lea ecx, [esp+163Ch+var_C50]
.text:00405EA2 mov byte ptr [esp+163Ch+var_4], 59h
.text:00405EAA call sub_401AC0
.text:00405EAF push offset aMcafeeVirussca ; "McAfee VirusScan"
.text:00405EB4 lea ecx, [esp+163Ch+var_C34]
.text:00405EBB mov byte ptr [esp+163Ch+var_4], 5Ah
.text:00405EC3 call sub_401AC0
.text:00405EC8 push offset aMcepoc_exe ; "mcepoc.exe"
.text:00405ECD lea ecx, [esp+163Ch+var_C18]
.text:00405ED4 mov byte ptr [esp+163Ch+var_4], 5Bh
.text:00405EDC call sub_401AC0
.text:00405EE1 push offset aMcafeeVirussca ; "McAfee VirusScan"
.text:00405EE6 lea ecx, [esp+163Ch+var_BFC]
.text:00405EED mov byte ptr [esp+163Ch+var_4], 5Ch
.text:00405EF5 call sub_401AC0
.text:00405EFA push offset aWindowsKb89083 ; "windows-kb890830-v3.4.exe"
.text:00405EFF lea ecx, [esp+163Ch+var_BE0]
.text:00405F06 mov byte ptr [esp+163Ch+var_4], 5Dh
.text:00405F0E call sub_401AC0
.text:00405F13 push offset aMicrosoftMalwa ; "Microsoft Malware Protection"
.text:00405F18 lea ecx, [esp+163Ch+var_BC4]
.text:00405F1F mov byte ptr [esp+163Ch+var_4], 5Eh
.text:00405F27 call sub_401AC0
.text:00405F2C push offset aCclaw_exe ; "cclaw.exe"
.text:00405F31 lea ecx, [esp+163Ch+var_BA8]
.text:00405F38 mov byte ptr [esp+163Ch+var_4], 5Fh
.text:00405F40 call sub_401AC0
.text:00405F45 mov byte ptr [esp+1638h+var_4], 60h
.text:00405F4D push offset aNormanAntiviru ; "Norman Antivirus"
.text:00405F52 lea ecx, [esp+163Ch+var_B8C]
.text:00405F59 call sub_401AC0
.text:00405F5E push offset aZanda_exe ; "zanda.exe"
.text:00405F63 lea ecx, [esp+163Ch+var_B70]
.text:00405F6A mov byte ptr [esp+163Ch+var_4], 61h
.text:00405F72 call sub_401AC0
.text:00405F77 push offset aNormanAntiviru ; "Norman Antivirus"
.text:00405F7C lea ecx, [esp+163Ch+var_B54]
.text:00405F83 mov byte ptr [esp+163Ch+var_4], 62h
.text:00405F8B call sub_401AC0
.text:00405F90 push offset aZlh_exe ; "zlh.exe"
.text:00405F95 lea ecx, [esp+163Ch+var_B38]
.text:00405F9C mov byte ptr [esp+163Ch+var_4], 63h
.text:00405FA4 call sub_401AC0
.text:00405FA9 push offset aNormanAntiviru ; "Norman Antivirus"
.text:00405FAE lea ecx, [esp+163Ch+var_B1C]
.text:00405FB5 mov byte ptr [esp+163Ch+var_4], 64h
.text:00405FBD call sub_401AC0
.text:00405FC2 push offset aPsctrls_exe ; "psctrls.exe"
.text:00405FC7 lea ecx, [esp+163Ch+var_B00]
.text:00405FCE mov byte ptr [esp+163Ch+var_4], 65h
.text:00405FD6 call sub_401AC0
.text:00405FDB push offset aPandaSecurityP ; "Panda Security Panda Platinum"
.text:00405FE0 lea ecx, [esp+163Ch+var_AE4]
.text:00405FE7 mov byte ptr [esp+163Ch+var_4], 66h
.text:00405FEF call sub_401AC0
.text:00405FF4 push offset aAvltmain_exe ; "avltmain.exe"
.text:00405FF9 lea ecx, [esp+163Ch+var_AC8]
.text:00406000 mov byte ptr [esp+163Ch+var_4], 67h
.text:00406008 call sub_401AC0
.text:0040600D push offset aPandaSecurityP ; "Panda Security Panda Platinum"
.text:00406012 lea ecx, [esp+163Ch+var_AAC]
.text:00406019 mov byte ptr [esp+163Ch+var_4], 68h
.text:00406021 call sub_401AC0
.text:00406026 push offset aAvtask_exe ; "avtask.exe"
.text:0040602B lea ecx, [esp+163Ch+var_A90]
.text:00406032 mov byte ptr [esp+163Ch+var_4], 69h
.text:0040603A call sub_401AC0
.text:0040603F push offset aPandaSecurityP ; "Panda Security Panda Platinum"
.text:00406044 lea ecx, [esp+163Ch+var_A74]
.text:0040604B mov byte ptr [esp+163Ch+var_4], 6Ah
.text:00406053 call sub_401AC0
.text:00406058 push offset aPctav_exe ; "pctav.exe"
.text:0040605D lea ecx, [esp+163Ch+var_A58]
.text:00406064 mov byte ptr [esp+163Ch+var_4], 6Bh
.text:0040606C call sub_401AC0
.text:00406071 push offset aPcToolsPctools ; "PC Tools PCTools"
.text:00406076 lea ecx, [esp+163Ch+var_A3C]
.text:0040607D mov byte ptr [esp+163Ch+var_4], 6Ch
.text:00406085 call sub_401AC0
.text:0040608A push offset aPrevx_exe ; "prevx.exe"
.text:0040608F lea ecx, [esp+163Ch+var_A20]
.text:00406096 mov byte ptr [esp+163Ch+var_4], 6Dh
.text:0040609E call sub_401AC0
.text:004060A3 push offset aPrevxPrevx1 ; "Prevx Prevx1"
.text:004060A8 lea ecx, [esp+163Ch+var_A04]
.text:004060AF mov byte ptr [esp+163Ch+var_4], 6Eh
.text:004060B7 call sub_401AC0
.text:004060BC push offset aRav_exe ; "rav.exe"
.text:004060C1 lea ecx, [esp+163Ch+var_9E8]
.text:004060C8 mov byte ptr [esp+163Ch+var_4], 6Fh
.text:004060D0 call sub_401AC0
.text:004060D5 mov byte ptr [esp+1638h+var_4], 70h
.text:004060DD push offset aRisingAntiviru ; "Rising Antivirus"
.text:004060E2 lea ecx, [esp+163Ch+var_9CC]
.text:004060E9 call sub_401AC0
.text:004060EE push offset aBdnagent_exe ; "bdnagent.exe"
.text:004060F3 lea ecx, [esp+163Ch+var_9B0]
.text:004060FA mov byte ptr [esp+163Ch+var_4], 71h
.text:00406102 call sub_401AC0
.text:00406107 push offset aBitdefenderGmb ; "BitDefender GmbH"
.text:0040610C lea ecx, [esp+163Ch+var_994]
.text:00406113 mov byte ptr [esp+163Ch+var_4], 72h
.text:0040611B call sub_401AC0
.text:00406120 push offset aBdoesrv_exe ; "bdoesrv.exe"
.text:00406125 lea ecx, [esp+163Ch+var_978]
.text:0040612C mov byte ptr [esp+163Ch+var_4], 73h
.text:00406134 call sub_401AC0
.text:00406139 push offset aBitdefenderGmb ; "BitDefender GmbH"
.text:0040613E lea ecx, [esp+163Ch+var_95C]
.text:00406145 mov byte ptr [esp+163Ch+var_4], 74h
.text:0040614D call sub_401AC0
.text:00406152 push offset aAlsvc_exe ; "alsvc.exe"
.text:00406157 lea ecx, [esp+163Ch+var_940]
.text:0040615E mov byte ptr [esp+163Ch+var_4], 75h
.text:00406166 call sub_401AC0
.text:0040616B push offset aSophos ; "Sophos"
.text:00406170 lea ecx, [esp+163Ch+var_924]
.text:00406177 mov byte ptr [esp+163Ch+var_4], 76h
.text:0040617F call sub_401AC0
.text:00406184 push offset aCounterspy_exe ; "counterspy.exe"
.text:00406189 lea ecx, [esp+163Ch+var_908]
.text:00406190 mov byte ptr [esp+163Ch+var_4], 77h
.text:00406198 call sub_401AC0
.text:0040619D push offset aSunbeltSoftwar ; "Sunbelt Software"
.text:004061A2 lea ecx, [esp+163Ch+var_8EC]
.text:004061A9 mov byte ptr [esp+163Ch+var_4], 78h
.text:004061B1 call sub_401AC0
.text:004061B6 push offset aNavsetup_exe ; "navsetup.exe"
.text:004061BB lea ecx, [esp+163Ch+var_8D0]
.text:004061C2 mov byte ptr [esp+163Ch+var_4], 79h
.text:004061CA call sub_401AC0
.text:004061CF push offset aSymantecNorton ; "Symantec Norton Antivirus"
.text:004061D4 lea ecx, [esp+163Ch+var_8B4]
.text:004061DB mov byte ptr [esp+163Ch+var_4], 7Ah
.text:004061E3 call sub_401AC0
.text:004061E8 push offset aNavapw32_exe ; "navapw32.exe"
.text:004061ED lea ecx, [esp+163Ch+var_898]
.text:004061F4 mov byte ptr [esp+163Ch+var_4], 7Bh
.text:004061FC call sub_401AC0
.text:00406201 push offset aSymantecNorton ; "Symantec Norton Antivirus"
.text:00406206 lea ecx, [esp+163Ch+var_87C]
.text:0040620D mov byte ptr [esp+163Ch+var_4], 7Ch
.text:00406215 call sub_401AC0
.text:0040621A push offset aNavshcom_exe ; "navshcom.exe"
.text:0040621F lea ecx, [esp+163Ch+var_860]
.text:00406226 mov byte ptr [esp+163Ch+var_4], 7Dh
.text:0040622E call sub_401AC0
.text:00406233 push offset aSymantecNorton ; "Symantec Norton Antivirus"
.text:00406238 lea ecx, [esp+163Ch+var_844]
.text:0040623F mov byte ptr [esp+163Ch+var_4], 7Eh
.text:00406247 call sub_401AC0
.text:0040624C push offset aVba32_exe ; "vba32.exe"
.text:00406251 lea ecx, [esp+163Ch+var_828]
.text:00406258 mov byte ptr [esp+163Ch+var_4], 7Fh
.text:00406260 call sub_401AC0
.text:00406265 mov byte ptr [esp+1638h+var_4], 80h
.text:0040626D push offset aVirusblokada ; "VirusBlokAda"
.text:00406272 lea ecx, [esp+163Ch+var_80C]
.text:00406279 call sub_401AC0
.text:0040627E push offset aTmas_exe ; "tmas.exe"
.text:00406283 lea ecx, [esp+163Ch+var_7F0]
.text:0040628A mov byte ptr [esp+163Ch+var_4], 81h
.text:00406292 call sub_401AC0
.text:00406297 push offset aTrendMicro ; "Trend Micro"
.text:0040629C lea ecx, [esp+163Ch+var_7D4]
.text:004062A3 mov byte ptr [esp+163Ch+var_4], 82h
.text:004062AB call sub_401AC0
.text:004062B0 push offset aOfcdog_exe ; "ofcdog.exe"
.text:004062B5 lea ecx, [esp+163Ch+var_7B8]
.text:004062BC mov byte ptr [esp+163Ch+var_4], 83h
.text:004062C4 call sub_401AC0
.text:004062C9 push offset aTrendMicro ; "Trend Micro"
.text:004062CE lea ecx, [esp+163Ch+var_79C]
.text:004062D5 mov byte ptr [esp+163Ch+var_4], 84h
.text:004062DD call sub_401AC0
.text:004062E2 push offset aTmoagent_exe ; "tmoagent.exe"
.text:004062E7 lea ecx, [esp+163Ch+var_780]
.text:004062EE mov byte ptr [esp+163Ch+var_4], 85h
.text:004062F6 call sub_401AC0
.text:004062FB push offset aTrendMicro ; "Trend Micro"
.text:00406300 lea ecx, [esp+163Ch+var_764]
.text:00406307 mov byte ptr [esp+163Ch+var_4], 86h
.text:0040630F call sub_401AC0
.text:00406314 push offset aTsc_exe ; "tsc.exe"
.text:00406319 lea ecx, [esp+163Ch+var_748]
.text:00406320 mov byte ptr [esp+163Ch+var_4], 87h
.text:00406328 call sub_401AC0
.text:0040632D push offset aTrendMicro ; "Trend Micro"
.text:00406332 lea ecx, [esp+163Ch+var_72C]
.text:00406339 mov byte ptr [esp+163Ch+var_4], 88h
.text:00406341 call sub_401AC0
.text:00406346 push offset aWinprof_exe ; "winprof.exe"
.text:0040634B lea ecx, [esp+163Ch+var_710]
.text:00406352 mov byte ptr [esp+163Ch+var_4], 89h
.text:0040635A call sub_401AC0
.text:0040635F push offset aVirusbuster ; "VirusBuster"
.text:00406364 lea ecx, [esp+163Ch+var_6F4]
.text:0040636B mov byte ptr [esp+163Ch+var_4], 8Ah
.text:00406373 call sub_401AC0
.text:00406378 push offset aNisum_exe ; "nisum.exe"
.text:0040637D lea ecx, [esp+163Ch+var_6D8]
.text:00406384 mov [esp+163Ch+var_4], 8Bh
.text:0040638F call sub_401AC0
.text:00406394 push offset aNortonPersonal ; "Norton Personal Firewall 2002/2003"
.text:00406399 lea ecx, [esp+163Ch+var_6BC]
.text:004063A0 mov byte ptr [esp+163Ch+var_4], 8Ch
.text:004063A8 call sub_401AC0
.text:004063AD push offset aMpfservice_exe ; "mpfService.exe"
.text:004063B2 lea ecx, [esp+163Ch+var_6A0]
.text:004063B9 mov byte ptr [esp+163Ch+var_4], 8Dh
.text:004063C1 call sub_401AC0
.text:004063C6 push offset aMcafeePersonal ; "McAfee Personal Firewall"
.text:004063CB lea ecx, [esp+163Ch+var_684]
.text:004063D2 mov byte ptr [esp+163Ch+var_4], 8Eh
.text:004063DA call sub_401AC0
.text:004063DF push offset aBlackd_exe ; "blackd.exe"
.text:004063E4 lea ecx, [esp+163Ch+var_668]
.text:004063EB mov byte ptr [esp+163Ch+var_4], 8Fh
.text:004063F3 call sub_401AC0
.text:004063F8 push offset aIssBlackice ; "ISS BlackIce"
.text:004063FD lea ecx, [esp+163Ch+var_64C]
.text:00406404 mov byte ptr [esp+163Ch+var_4], 90h
.text:0040640C call sub_401AC0
.text:00406411 push offset aFsdfwd_exe ; "fsdfwd.exe"
.text:00406416 lea ecx, [esp+163Ch+var_630]
.text:0040641D mov byte ptr [esp+163Ch+var_4], 91h
.text:00406425 call sub_401AC0
.text:0040642A push offset aMcafeePersonal ; "McAfee Personal Firewall"
.text:0040642F lea ecx, [esp+163Ch+var_614]
.text:00406436 mov byte ptr [esp+163Ch+var_4], 92h
.text:0040643E call sub_401AC0
.text:00406443 push offset aSmc_exe ; "smc.exe"
.text:00406448 lea ecx, [esp+163Ch+var_5F8]
.text:0040644F mov byte ptr [esp+163Ch+var_4], 93h
.text:00406457 call sub_401AC0
.text:0040645C push offset aSygatePersonal ; "Sygate Personal Firewall 5.x"
.text:00406461 lea ecx, [esp+163Ch+var_5DC]
.text:00406468 mov byte ptr [esp+163Ch+var_4], 94h
.text:00406470 call sub_401AC0
.text:00406475 push offset aZlclient_exe ; "zlclient.exe"
.text:0040647A lea ecx, [esp+163Ch+var_5C0]
.text:00406481 mov byte ptr [esp+163Ch+var_4], 95h
.text:00406489 call sub_401AC0
.text:0040648E push offset aZoneAlarm ; "Zone Alarm"
.text:00406493 lea ecx, [esp+163Ch+var_5A4]
.text:0040649A mov byte ptr [esp+163Ch+var_4], 96h
.text:004064A2 call sub_401AC0
.text:004064A7 push offset aPersfw_exe ; "persfw.exe"
.text:004064AC lea ecx, [esp+163Ch+var_588]
.text:004064B3 mov byte ptr [esp+163Ch+var_4], 97h
.text:004064BB call sub_401AC0
.text:004064C0 push offset aTinyFirewall ; "Tiny Firewall"
.text:004064C5 lea ecx, [esp+163Ch+var_56C]
.text:004064CC mov byte ptr [esp+163Ch+var_4], 98h
.text:004064D4 call sub_401AC0
.text:004064D9 push offset aEfpeadm_exe ; "efpeadm.exe"
.text:004064DE lea ecx, [esp+163Ch+var_550]
.text:004064E5 mov byte ptr [esp+163Ch+var_4], 99h
.text:004064ED call sub_401AC0
.text:004064F2 push offset aCaEtrustEzFire ; "CA eTrust EZ Firewall"
.text:004064F7 lea ecx, [esp+163Ch+var_534]
.text:004064FE mov byte ptr [esp+163Ch+var_4], 9Ah
.text:00406506 call sub_401AC0
.text:0040650B push offset aFsguiexe_exe ; "fsguiexe.exe"
.text:00406510 lea ecx, [esp+163Ch+var_518]
.text:00406517 mov byte ptr [esp+163Ch+var_4], 9Bh
.text:0040651F call sub_401AC0
.text:00406524 push offset aFSecureInterne ; "F-Secure Internet Security 2004"
.text:00406529 lea ecx, [esp+163Ch+var_4FC]
.text:00406530 mov byte ptr [esp+163Ch+var_4], 9Ch
.text:00406538 call sub_401AC0
.text:0040653D push offset aKpf4gui_exe ; "kpf4gui.exe"
.text:00406542 lea ecx, [esp+163Ch+var_4E0]
.text:00406549 mov byte ptr [esp+163Ch+var_4], 9Dh
.text:00406551 call sub_401AC0
.text:00406556 push offset aKerioPersonalF ; "Kerio Personal Firewall 4"
.text:0040655B lea ecx, [esp+163Ch+var_4C4]
.text:00406562 mov byte ptr [esp+163Ch+var_4], 9Eh
.text:0040656A call sub_401AC0
.text:0040656F push offset aPccpfw_exe ; "pccpfw.exe"
.text:00406574 lea ecx, [esp+163Ch+var_4A8]
.text:0040657B mov byte ptr [esp+163Ch+var_4], 9Fh
.text:00406583 call sub_401AC0
.text:00406588 push offset aTrendMicroInte ; "Trend Micro Internet Security"
.text:0040658D lea ecx, [esp+163Ch+var_48C]
.text:00406594 mov byte ptr [esp+163Ch+var_4], 0A0h
.text:0040659C call sub_401AC0
.text:004065A1 push offset aAdAware_exe ; "Ad-Aware.exe"
.text:004065A6 lea ecx, [esp+163Ch+var_470]
.text:004065AD mov byte ptr [esp+163Ch+var_4], 0A1h
.text:004065B5 call sub_401AC0
.text:004065BA push offset aLavasoftAdAwar ; "Lavasoft Ad-Aware"
.text:004065BF lea ecx, [esp+163Ch+var_454]
.text:004065C6 mov byte ptr [esp+163Ch+var_4], 0A2h
.text:004065CE call sub_401AC0
.text:004065D3 push offset aSpycatcher_exe ; "spycatcher.exe"
.text:004065D8 lea ecx, [esp+163Ch+var_438]
.text:004065DF mov byte ptr [esp+163Ch+var_4], 0A3h
.text:004065E7 call sub_401AC0
.text:004065EC push offset aTenebrilSpyCat ; "Tenebril Spy Catcher"
.text:004065F1 lea ecx, [esp+163Ch+var_41C]
.text:004065F8 mov byte ptr [esp+163Ch+var_4], 0A4h
.text:00406600 call sub_401AC0
.text:00406605 push offset aSpysweeper_exe ; "spysweeper.exe"
.text:0040660A lea ecx, [esp+163Ch+var_400]
.text:00406611 mov byte ptr [esp+163Ch+var_4], 0A5h
.text:00406619 call sub_401AC0
.text:0040661E push offset aWebrootSpySwee ; "Webroot Spy Sweeper"
.text:00406623 lea ecx, [esp+163Ch+var_3E4]
.text:0040662A mov byte ptr [esp+163Ch+var_4], 0A6h
.text:00406632 call sub_401AC0
.text:00406637 push offset aSunasserv_exe ; "sunasserv.exe"
.text:0040663C lea ecx, [esp+163Ch+var_3C8]
.text:00406643 mov byte ptr [esp+163Ch+var_4], 0A7h
.text:0040664B call sub_401AC0
.text:00406650 push offset aSunbeltCounter ; "Sunbelt Counter Spy"
.text:00406655 lea ecx, [esp+163Ch+var_3AC]
.text:0040665C mov byte ptr [esp+163Ch+var_4], 0A8h
.text:00406664 call sub_401AC0
.text:00406669 push offset aGcasserv_exe ; "gcasserv.exe"
.text:0040666E lea ecx, [esp+163Ch+var_390]
.text:00406675 mov byte ptr [esp+163Ch+var_4], 0A9h
.text:0040667D call sub_401AC0
.text:00406682 push offset aMicrosoftAntiS ; "Microsoft Anti-Spyware"
.text:00406687 lea ecx, [esp+163Ch+var_374]
.text:0040668E mov byte ptr [esp+163Ch+var_4], 0AAh
.text:00406696 call sub_401AC0
.text:0040669B push offset aPpactivedetect ; "ppactivedetection.exe"
.text:004066A0 lea ecx, [esp+163Ch+var_358]
.text:004066A7 mov byte ptr [esp+163Ch+var_4], 0ABh
.text:004066AF call sub_401AC0
.text:004066B4 push offset aCaEtrustPestPa ; "CA eTrust Pest Patrol"
.text:004066B9 lea ecx, [esp+163Ch+var_33C]
.text:004066C0 mov byte ptr [esp+163Ch+var_4], 0ACh
.text:004066C8 call sub_401AC0
.text:004066CD push offset aMsscli_exe ; "msscli.exe"
.text:004066D2 lea ecx, [esp+163Ch+var_320]
.text:004066D9 mov byte ptr [esp+163Ch+var_4], 0ADh
.text:004066E1 call sub_401AC0
.text:004066E6 push offset aMcAffeeAntispy ; "Mc Affee AntiSpyware"
.text:004066EB lea ecx, [esp+163Ch+var_304]
.text:004066F2 mov byte ptr [esp+163Ch+var_4], 0AEh
.text:004066FA call sub_401AC0
.text:004066FF push offset aSwdoctor_exe ; "swdoctor.exe"
.text:00406704 lea ecx, [esp+163Ch+var_2E8]
.text:0040670B mov byte ptr [esp+163Ch+var_4], 0AFh
.text:00406713 call sub_401AC0
.text:00406718 push offset aPcToolsSpyware ; "Pc Tools Spyware Doctor"
.text:0040671D lea ecx, [esp+163Ch+var_2CC]
.text:00406724 mov byte ptr [esp+163Ch+var_4], 0B0h
.text:0040672C call sub_401AC0
.text:00406731 mov byte ptr [esp+1638h+var_4], 0B1h
.text:00406739 push offset aSpycatcher_exe ; "spycatcher.exe"
.text:0040673E lea ecx, [esp+163Ch+var_2B0]
.text:00406745 call sub_401AC0
.text:0040674A push offset aTenebrilSpyCat ; "Tenebril Spy Catcher"
.text:0040674F lea ecx, [esp+163Ch+var_294]
.text:00406756 mov byte ptr [esp+163Ch+var_4], 0B2h
.text:0040675E call sub_401AC0
.text:00406763 push offset aSpywarebegone_ ; "spywarebegone.exe"
.text:00406768 lea ecx, [esp+163Ch+var_278]
.text:0040676F mov byte ptr [esp+163Ch+var_4], 0B3h
.text:00406777 call sub_401AC0
.text:0040677C push offset aMicrosmartsLlc ; "MicroSmarts LLC Spyware BeGone"
.text:00406781 lea ecx, [esp+163Ch+var_25C]
.text:00406788 mov byte ptr [esp+163Ch+var_4], 0B4h
.text:00406790 call sub_401AC0
.text:00406795 push offset aVipre_exe ; "vipre.exe"
.text:0040679A lea ecx, [esp+163Ch+var_240]
.text:004067A1 mov byte ptr [esp+163Ch+var_4], 0B5h
.text:004067A9 call sub_401AC0
.text:004067AE push offset aVipreAntivirus ; "Vipre Antivirus+Antispyware"
.text:004067B3 lea ecx, [esp+163Ch+var_224]
.text:004067BA mov byte ptr [esp+163Ch+var_4], 0B6h
.text:004067C2 call sub_401AC0
.text:004067C7 push offset aTmas_exe ; "tmas.exe"
.text:004067CC lea ecx, [esp+163Ch+var_208]
.text:004067D3 mov byte ptr [esp+163Ch+var_4], 0B7h
.text:004067DB call sub_401AC0
.text:004067E0 push offset aTrendMicroAnti ; "Trend Micro Anti Spyware"
.text:004067E5 lea ecx, [esp+163Ch+var_1EC]
.text:004067EC mov byte ptr [esp+163Ch+var_4], 0B8h
.text:004067F4 call sub_401AC0
.text:004067F9 push offset aLoaristrojanre ; "loaristrojanremover.exe"
.text:004067FE lea ecx, [esp+163Ch+var_1D0]
.text:00406805 mov byte ptr [esp+163Ch+var_4], 0B9h
.text:0040680D call sub_401AC0
.text:00406812 push offset aLoarisTrojanRe ; "Loaris Trojan Remover"
.text:00406817 lea ecx, [esp+163Ch+var_1B4]
.text:0040681E mov byte ptr [esp+163Ch+var_4], 0BAh
.text:00406826 call sub_401AC0
.text:0040682B push offset aSpywaredetecto ; "spywaredetector.exe"
.text:00406830 lea ecx, [esp+163Ch+var_198]
.text:00406837 mov byte ptr [esp+163Ch+var_4], 0BBh
.text:0040683F call sub_401AC0
.text:00406844 push offset aMaxSecureMaxSp ; "Max Secure Max Spyware Detector"
.text:00406849 lea ecx, [esp+163Ch+var_17C]
.text:00406850 mov byte ptr [esp+163Ch+var_4], 0BCh
.text:00406858 call sub_401AC0
.text:0040685D push offset aStopzilla_exe ; "stopzilla.exe"
.text:00406862 lea ecx, [esp+163Ch+var_160]
.text:00406869 mov byte ptr [esp+163Ch+var_4], 0BDh
.text:00406871 call sub_401AC0
.text:00406876 push offset aIs3 ; "iS3"
.text:0040687B lea ecx, [esp+163Ch+var_144]
.text:00406882 mov byte ptr [esp+163Ch+var_4], 0BEh
.text:0040688A call sub_401AC0
.text:0040688F push offset aMbam_exe ; "mbam.exe"
.text:00406894 lea ecx, [esp+163Ch+var_128]
.text:0040689B mov byte ptr [esp+163Ch+var_4], 0BFh
.text:004068A3 call sub_401AC0
.text:004068A8 push offset aMalwarebytesAn ; "Malwarebytes Anti-Malware"
.text:004068AD lea ecx, [esp+163Ch+var_10C]
.text:004068B4 mov byte ptr [esp+163Ch+var_4], 0C0h
.text:004068BC call sub_401AC0
.text:004068C1 mov byte ptr [esp+1638h+var_4], 0C1h
.text:004068C9 push offset aXoftspyse_exe ; "xoftspyse.exe"
.text:004068CE lea ecx, [esp+163Ch+var_F0]
.text:004068D5 call sub_401AC0
.text:004068DA push offset aParetoLogicXof ; "Pareto Logic XoftSpySE"
.text:004068DF lea ecx, [esp+163Ch+var_D4]
.text:004068E6 mov byte ptr [esp+163Ch+var_4], 0C2h
.text:004068EE call sub_401AC0
.text:004068F3 push offset aSpyzooka_exe ; "Spyzooka.exe"
.text:004068F8 lea ecx, [esp+163Ch+var_B8]
.text:004068FF mov byte ptr [esp+163Ch+var_4], 0C3h
.text:00406907 call sub_401AC0
.text:0040690C push offset aBluePenguinSof ; "Blue Penguin Software Spyzooka"
.text:00406911 lea ecx, [esp+163Ch+var_9C]
.text:00406918 mov byte ptr [esp+163Ch+var_4], 0C4h
.text:00406920 call sub_401AC0
.text:00406925 push offset aXm00002_exe ; "xm-00002.exe"
.text:0040692A lea ecx, [esp+163Ch+var_80]
.text:00406931 mov byte ptr [esp+163Ch+var_4], 0C5h
.text:00406939 call sub_401AC0
.text:0040693E push offset aXMicroAntispyw ; "X Micro Antispyware"
.text:00406943 lea ecx, [esp+163Ch+var_64]
.text:0040694A mov byte ptr [esp+163Ch+var_4], 0C6h
.text:00406952 call sub_401AC0
.text:00406957 push offset aHkAntiSpyware_ ; "hk-anti-spyware.exe"
.text:0040695C lea ecx, [esp+163Ch+var_48]
.text:00406963 mov byte ptr [esp+163Ch+var_4], 0C7h
.text:0040696B call sub_401AC0
.text:00406970 push offset aHkAntispyware ; "HK Antispyware"
.text:00406975 lea ecx, [esp+163Ch+var_2C]
.text:0040697C mov byte ptr [esp+163Ch+var_4], 0C8h
.text:00406984 call sub_401AC0
.text:00406989 push ebx
.text:0040698A push 46h
.text:0040698C lea eax, [esp+1640h+var_1628]
.text:00406990 push eax
.text:00406991 mov ecx, edi
.text:00406993 mov byte ptr [esp+1644h+var_4], 0C9h
.text:0040699B call sub_4050D0
.text:004069A0 push 1
.text:004069A2 push 0Bh
.text:004069A4 lea ecx, [esp+1640h+var_6D8]
.text:004069AB push ecx
.text:004069AC mov ecx, edi
.text:004069AE call sub_4050D0
.text:004069B3 push 2
.text:004069B5 push 14h
.text:004069B7 lea edx, [esp+1640h+var_470]
.text:004069BE push edx
.text:004069BF mov ecx, edi
.text:004069C1 call sub_4050D0
.text:004069C6 push offset sub_401440 ; void (__thiscall *)(void *)
.text:004069CB push 28h ; int
.text:004069CD push 1Ch ; unsigned int
.text:004069CF lea eax, [esp+1644h+var_470]
.text:004069D6 push eax ; void *
.text:004069D7 mov byte ptr [esp+1648h+var_4], 0A1h
.text:004069DF call ??_M@YGXPAXIHP6EX0@Z@Z ; `eh vector destructor iterator'(void *,uint,int,void (*)(void *))
.text:004069E4 push offset sub_401440 ; void (__thiscall *)(void *)
.text:004069E9 push 16h ; int
.text:004069EB push 1Ch ; unsigned int
.text:004069ED lea ecx, [esp+1644h+var_6D8]
.text:004069F4 push ecx ; void *
.text:004069F5 mov byte ptr [esp+1648h+var_4], 8Bh
.text:004069FD call ??_M@YGXPAXIHP6EX0@Z@Z ; `eh vector destructor iterator'(void *,uint,int,void (*)(void *))
.text:00406A02 push offset sub_401440 ; void (__thiscall *)(void *)
.text:00406A07 push 8Ch ; int
.text:00406A0C push 1Ch ; unsigned int
.text:00406A0E lea edx, [esp+1644h+var_1628]
.text:00406A12 push edx ; void *
.text:00406A13 mov [esp+1648h+var_4], 0FFFFFFFFh
.text:00406A1E call ??_M@YGXPAXIHP6EX0@Z@Z ; `eh vector destructor iterator'(void *,uint,int,void (*)(void *))
.text:00406A23 mov ecx, [esp+1638h+var_C]
.text:00406A2A mov large fs:0, ecx
.text:00406A31 pop ecx
.text:00406A32 pop edi
.text:00406A33 pop esi
.text:00406A34 pop ebx
.text:00406A35 mov ecx, [esp+1628h+var_10]
.text:00406A3C xor ecx, esp
.text:00406A3E call @__security_check_cookie@4 ; __security_check_cookie(x)
.text:00406A43 add esp, 1628h
.text:00406A49 retn
.text:00406A49 sub_405220 endp
</code></pre>
<br />
I cannot say for sure, but the presence of security cookies is likely to avoid buffer overruns.<br />
<br />
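As an added illustration (a script of my own, not something from the post or from Superfish), the Python below parses push/lea sequences like the ones in the listing and rebuilds the three stack tables the function fills. What the listing itself supports: each string goes into a 1Ch-byte slot (the element size handed to the <code>eh vector destructor iterator</code> calls), the strings alternate between a process name and a product name, and the three <code>sub_4050D0</code> calls receive a table base (var_1628, var_6D8, var_470), a count (46h = 70, 0Bh = 11, 14h = 20) and a third value (ebx, 1, 2). Those counts are exactly half the destructor counts of 8Ch = 140, 16h = 22 and 28h = 40 slots, so the tables hold 70 antivirus pairs, 11 firewall pairs and 20 anti-spyware pairs. That the third argument is a category tag, and that slot order is insertion order, are my assumptions; the input is a constructed excerpt of the listing rather than the whole function.

```python
import re

ENTRY_SIZE = 0x1C  # slot size handed to the `eh vector destructor iterator` calls

# Constructed excerpt of the listing: one push/lea pair from each of the
# three stack tables plus the three sub_4050D0 calls that hand them over.
LISTING = """
.text:004060BC push offset aRav_exe ; "rav.exe"
.text:004060C1 lea ecx, [esp+163Ch+var_9E8]
.text:004060D5 mov byte ptr [esp+1638h+var_4], 70h
.text:004060DD push offset aRisingAntiviru ; "Rising Antivirus"
.text:004060E2 lea ecx, [esp+163Ch+var_9CC]
.text:00406378 push offset aNisum_exe ; "nisum.exe"
.text:0040637D lea ecx, [esp+163Ch+var_6D8]
.text:00406394 push offset aNortonPersonal ; "Norton Personal Firewall 2002/2003"
.text:00406399 lea ecx, [esp+163Ch+var_6BC]
.text:004065A1 push offset aAdAware_exe ; "Ad-Aware.exe"
.text:004065A6 lea ecx, [esp+163Ch+var_470]
.text:004065BA push offset aLavasoftAdAwar ; "Lavasoft Ad-Aware"
.text:004065BF lea ecx, [esp+163Ch+var_454]
.text:00406989 push ebx
.text:0040698A push 46h
.text:0040698C lea eax, [esp+1640h+var_1628]
.text:00406990 push eax
.text:0040699B call sub_4050D0
.text:004069A0 push 1
.text:004069A2 push 0Bh
.text:004069A4 lea ecx, [esp+1640h+var_6D8]
.text:004069AB push ecx
.text:004069AE call sub_4050D0
.text:004069B3 push 2
.text:004069B5 push 14h
.text:004069B7 lea edx, [esp+1640h+var_470]
.text:004069BE push edx
.text:004069C1 call sub_4050D0
"""
VAR_RE = re.compile(r'var_([0-9A-F]+)\]')

def parse_listing(text):
    """Split `.text:ADDR mnemonic operands ; comment` lines into 4-tuples."""
    insns = []
    for line in text.splitlines():
        if not line.startswith('.text:'):
            continue
        addr, _, rest = line[6:].partition(' ')
        rest, _, comment = rest.partition(';')
        parts = rest.split(None, 1)
        insns.append((int(addr, 16), parts[0], parts[1].strip() if len(parts) > 1 else '', comment.strip()))
    return insns

def stack_var(ops):  # offset N of the var_N slot named in a memory operand, else None
    m = VAR_RE.search(ops)
    return int(m.group(1), 16) if m else None

def imm(tok):  # IDA immediate ('46h', '0Bh', '1'); a register name passes through
    if re.fullmatch(r'[0-9A-F]+h', tok):
        return int(tok[:-1], 16)
    return int(tok) if tok.isdigit() else tok

def extract_strings(insns):
    """(slot offset, string) per `push offset aXxx ; "..."`, slot taken from the lea ecx after it."""
    out = []
    for i, (_, mnem, ops, comment) in enumerate(insns):
        if mnem == 'push' and ops.startswith('offset a') and comment.startswith('"'):
            for j in range(i + 1, min(i + 3, len(insns))):   # a mov may sit in between
                if insns[j][1] == 'lea' and insns[j][2].startswith('ecx,'):
                    out.append((stack_var(insns[j][2]), comment.strip('"')))
                    break
    return out

def extract_tables(insns):
    """(base slot, declared pair count, third argument) per call to sub_4050D0."""
    tables = []
    for i, (_, mnem, ops, _) in enumerate(insns):
        if mnem != 'call' or ops != 'sub_4050D0':
            continue
        pushes, base = [], None
        for j in range(i - 1, -1, -1):      # walk back: pointer push, lea, count, tag
            if insns[j][1] == 'lea':
                base = stack_var(insns[j][2])
            elif insns[j][1] == 'push':
                pushes.append(insns[j][2])
            if len(pushes) == 3:
                break
        tables.append((base, imm(pushes[1]), imm(pushes[2])))
    return tables

def rebuild_tables(insns):
    """Put each string in the table whose slot range holds it; pair even/odd slots as (process, product)."""
    tables = extract_tables(insns)
    slots = {}
    for off, text in extract_strings(insns):
        base = min(b for b, _, _ in tables if b >= off)   # nearest table base at or above the slot
        slots.setdefault(base, {})[(base - off) // ENTRY_SIZE] = text
    result = {}
    for base, count, tag in tables:
        entries = slots.get(base, {})
        pairs = [(entries[k], entries.get(k + 1)) for k in sorted(entries) if k % 2 == 0]
        result[base] = {'tag': tag, 'declared_pairs': count, 'pairs': pairs}
    return result
```

Run over the full function instead of the excerpt, <code>rebuild_tables</code> gives the complete inventory of security products the installer carries, which is the artifact a defender would want to compare against what is actually installed on an affected machine.
<br />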
Aside from appearing in the executable name, WFP is also mentioned throughout the installer code:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .rdata:0041C6F8 aWfpCanOnlyBeIn db 'WFP can only be installed on Vista and above!'
</code></pre>
<br />
Going forward from here, disassembling one of the two Superfish drivers (VDWFP.sys) shows us a PDB path regarding WFP:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .text:00401000 ; PDB File Name : c:\dev\outsourcing\Superfish\WFP\Driver\Win8Release\x86\VDWFP.pdb
</code></pre>
<br />
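One way to pull the same information out of a binary without opening it in IDA, as an added example (a script of my own, not the post's): scan the file for CodeView "RSDS" records, the structure that carries the PDB path together with the GUID and age that a symbol server keys on. The sample image below is constructed: the path is the one shown above for VDWFP.sys, while the GUID and age are placeholders I made up, and a bogus "RSDS" occurrence is included to show the printable-path filter at work.

```python
import struct
import uuid

def find_rsds_records(data):
    """Return (guid, age, pdb_path) for every CodeView 'RSDS' record in a raw image.
    Layout: b'RSDS' | 16-byte GUID (little-endian fields) | uint32 age | NUL-terminated
    path. The scan is signature-based rather than walking the PE debug directory, so
    it also works on partial dumps; a printable-path check drops accidental hits."""
    records = []
    pos = data.find(b'RSDS')
    while pos != -1:
        end = data.find(b'\x00', pos + 24)
        if pos + 24 <= len(data) and end != -1:
            path = data[pos + 24:end]
            if path and all(0x20 <= c < 0x7F for c in path):
                guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                age, = struct.unpack_from('<I', data, pos + 20)
                records.append((str(guid), age, path.decode('ascii')))
        pos = data.find(b'RSDS', pos + 4)
    return records

def symbol_server_key(guid, age):
    """Directory name a symbol server uses for this PDB: GUID hex without dashes,
    upper-case, followed by the age in hex (the <pdb>/<GUID><age>/<pdb> layout)."""
    return f"{guid.replace('-', '').upper()}{age:X}"

# Constructed sample image: the PDB path is the one the post reports for VDWFP.sys;
# the GUID and age are made-up placeholders; the first 'RSDS' is a decoy whose
# "path" is not printable and must be rejected.
FAKE_GUID = uuid.UUID('12345678-1234-5678-1234-567812345678')
PDB_PATH = b'c:\\dev\\outsourcing\\Superfish\\WFP\\Driver\\Win8Release\\x86\\VDWFP.pdb'
SAMPLE_IMAGE = (b'MZ' + b'\x00' * 62
                + b'RSDS' + b'\xff' * 20 + b'\x80\x81\x00'       # decoy
                + b'\x00' * 16
                + b'RSDS' + FAKE_GUID.bytes_le + struct.pack('<I', 1) + PDB_PATH + b'\x00'
                + b'\x00' * 32)
```

On a real file, feed it <code>open(path, 'rb').read()</code>. Besides the build path, the GUID/age pair tells you the exact symbol-server directory a matching PDB would live under, which is the quickest way to find out whether public symbols for a given driver build exist at all.
<br />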
Now that we have our PDB path, we need to determine where in the registry the configuration is being stored. There are multiple ways to do this, but the way I used was monitoring the system changes before/after Superfish's installation:<br />
<br />
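The key list that follows is the output of that before/after comparison. As an added example (a script of my own, not the post's tooling), here is how the same comparison can be done offline from two <code>reg export</code> snapshots: parse each into key/values, then report keys added or removed and values that changed. The sample snapshots are constructed: the two AppID key paths are taken from the list below, but the values under them and the ExampleVendor key are invented for the demo.

```python
import re

VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')

def parse_reg_export(text):
    """Parse a .reg export (regedit / `reg export` format) into
    {key_path: {value_name: raw_value}}. Raw values keep their type prefix
    ("...", dword:..., hex:...); hex continuation lines ending in a backslash
    are joined first. The default value '@' is stored under '(Default)'."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if line.endswith('\\'):          # continuation of a hex: value
            pending = line[:-1]
            continue
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f'unexpected line: {line!r}')
        name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
        keys[current][name] = m.group(2)
    return keys

def diff_snapshots(before, after):
    """Keys added/removed and values changed between two parsed snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if b.get(name) != a.get(name):
                changed.append((key, name, b.get(name), a.get(name)))
    return {'added_keys': added, 'removed_keys': removed, 'changed_values': changed}

def report(before_text, after_text):
    """Parse both exports and diff them."""
    return diff_snapshots(parse_reg_export(before_text), parse_reg_export(after_text))

# Constructed snapshots: the AppID paths come from the list in the post; the
# values under them and the ExampleVendor key are made up for the demo.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID]

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"Version"=dword:00000001
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,\
  15,16
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\VisualDiscovery.exe]
"AppID"="{AD063C0E-0FE1-4772-B29B-679ACE94818F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}]
@="VisualDiscovery"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"Version"=dword:00000002
"Blob"=hex:01,02,03,04,05,06,07,08,09,0a,0b,0c,0d,0e,0f,10,11,12,13,14,\
  15,16
'''
```

regedit and <code>reg export</code> write the file as UTF-16, so read real snapshots with <code>open(path, encoding='utf-16')</code>. Exporting only the hives of interest (HKLM\SOFTWARE, HKLM\SYSTEM, HKCU\SOFTWARE) before and after the install keeps the diff readable; MRU lists and timestamps produce noise that is worth filtering out.
<br />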
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 200px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SOFTWARE\Classes\AppID\VisualDiscovery.exe
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\Programmable
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\TypeLib
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\VersionIndependentProgID
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\TypeLib
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\ProxyStubClsid
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\ProxyStubClsid32
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\TypeLib
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\0
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\0\win32
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\FLAGS
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\HELPDIR
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController\CLSID
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController\CurVer
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1\CLSID
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\30D1FD4A296AB1A8831CD56B4110A227F557BFFF
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery
HKLM\SOFTWARE\Lenovo
HKLM\SOFTWARE\Lenovo\VisualDiscovery
HKLM\SOFTWARE\Superfish Inc. VisualDiscovery
HKLM\SOFTWARE\VisualDiscovery
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\VDWFP
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\VisualDiscovery
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\06718B45
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\0D8BECC7
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\221F0C44
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2EB3D11A
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\31B4C347
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45
<span style="background-color: yellow;">HKLM\SYSTEM\ControlSet001\Services\VDWFP</span>
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VDWFP
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VisualDiscovery
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\06718B45
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\0D8BECC7
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\221F0C44
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2EB3D11A
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\31B4C347
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery
HKU\.DEFAULT\System
HKU\.DEFAULT\System\CurrentControlSet
HKU\.DEFAULT\System\CurrentControlSet\Control
HKU\.DEFAULT\System\CurrentControlSet\Control\MediaProperties
HKU\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties
HKU\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick
HKU\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
HKU\S-1-5-18\System
HKU\S-1-5-18\System\CurrentControlSet
HKU\S-1-5-18\System\CurrentControlSet\Control
HKU\S-1-5-18\System\CurrentControlSet\Control\MediaProperties
HKU\S-1-5-18\System\CurrentControlSet\Control\MediaProperties\PrivateProperties
HKU\S-1-5-18\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick
HKU\S-1-5-18\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm
</code></pre>
<br />
After looking through the registry changes above, we find that its configuration is stored in:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SYSTEM\CurrentControlSet\Services\VDWFP.
</code></pre>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Za0GTkgGgLoNbIOLVOFBsnyDtyjuqTka68CUpeKfRHFPvSLYFeQdsm-HLVF5iipodhcZ88Ijid90EOpBXPHiB16DjocJK7TOtx-p9qf_rJCO4KPyBiV-jK9z1KRjX-jU-OE4jkRtofGY/s1600/service+registry+location.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4Za0GTkgGgLoNbIOLVOFBsnyDtyjuqTka68CUpeKfRHFPvSLYFeQdsm-HLVF5iipodhcZ88Ijid90EOpBXPHiB16DjocJK7TOtx-p9qf_rJCO4KPyBiV-jK9z1KRjX-jU-OE4jkRtofGY/s1600/service+registry+location.png" width="320" /></a></div>
<br />
As a rather unconventional method of quickly showing the contents of <b>appTable</b> & <b>globalAppTable</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaRXcG9HMSOVV8-COM0nnTeO6WX2u7qipjcReN7t9Bqo6-y24UXbqjMP1gX1Yzs-v7vSelEEP-hcA1ocxuLeKaRKtuMfvoy7a-xpMLkzsjO4R8exai3Kc-eH7jWf-dst8aasNfYTwRLsKW/s1600/apptable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaRXcG9HMSOVV8-COM0nnTeO6WX2u7qipjcReN7t9Bqo6-y24UXbqjMP1gX1Yzs-v7vSelEEP-hcA1ocxuLeKaRKtuMfvoy7a-xpMLkzsjO4R8exai3Kc-eH7jWf-dst8aasNfYTwRLsKW/s1600/apptable.png" width="320" /></a></div>
<br />
In <b>appTable</b>, we can see a mention of <b>chrome.exe</b>, which is of course Google Chrome. You can also expect to find other browsers in this value, such as (but not limited to) Firefox and IE. This value lists the applications that the WFP redirector discussed earlier intercepts by default.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieD2JCiFggaAdiGfnccpOc10ssrfBbyGsuCRgRYMWJWVPn2AUQuSqYVsnCyId9F-xR9tZGtua-5rj-ywaE1BlaRBAEclId0cUb_u4xUqzyc9ZJno_fS3t6IupPLOXTReyqA_FiF4dZ9cl5/s1600/globalapptable.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="279" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieD2JCiFggaAdiGfnccpOc10ssrfBbyGsuCRgRYMWJWVPn2AUQuSqYVsnCyId9F-xR9tZGtua-5rj-ywaE1BlaRBAEclId0cUb_u4xUqzyc9ZJno_fS3t6IupPLOXTReyqA_FiF4dZ9cl5/s1600/globalapptable.png" width="320" /></a></div>
<br />
In <b>globalAppTable</b>, we can see a mention of <b>avguard.exe</b>, which is an executable belonging to the Avira antivirus. This value, then, lists the applications that the WFP redirector discussed earlier does <i>not</i> intercept by default.<br />
<br />
So now that we've taken a look at a few of its guts, let's actually install it. While I am at it, I'd like to dispel the misconception I've read in various articles claiming it won't function (or even install) on Windows 8.1. It's true that you cannot install it pre-Windows 8/2012, but 8.1 <i>does </i>work.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUI19vj4ySwdK5S36APqUfCYjF9VhOtYTFrFx5jNUzSRSdu6OT4pS9VSmdpG50TanO7JHIvooqxGBKeFSxjYgHOL1KZt-U8e0Cz3cPMVCfvj6e0O-uaZllmhj8_6MZ7NSdkbV9dRGFauhK/s1600/8.1+cert+on+ie.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="169" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUI19vj4ySwdK5S36APqUfCYjF9VhOtYTFrFx5jNUzSRSdu6OT4pS9VSmdpG50TanO7JHIvooqxGBKeFSxjYgHOL1KZt-U8e0Cz3cPMVCfvj6e0O-uaZllmhj8_6MZ7NSdkbV9dRGFauhK/s1600/8.1+cert+on+ie.png" width="320" /></a></div>
<br />
...and just for fun:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimcGdPDc1Yl4Nr_a_SSA2Pq2jyOc5jqBEFa88miTei79jfWikzLaqL2E4CWWkIFaucoKNJ07fP_ahVpCa30d1j-b6Pl4RGotBj4hyphenhyphenkt2CwFSlorZs-HBDxjKpjauJrZ3GQ1i4XSl5PMMki/s1600/windows+8-2012+only.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimcGdPDc1Yl4Nr_a_SSA2Pq2jyOc5jqBEFa88miTei79jfWikzLaqL2E4CWWkIFaucoKNJ07fP_ahVpCa30d1j-b6Pl4RGotBj4hyphenhyphenkt2CwFSlorZs-HBDxjKpjauJrZ3GQ1i4XSl5PMMki/s1600/windows+8-2012+only.png" width="320" /></a></div>
<br />
: )<br />
<br />
As it's finishing its installation, we can grab a few of its changes before termination:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Output folder: C:\Program Files\Lenovo\VisualDiscovery
Extract: freebl3.dll... 100%
Extract: SuperfishCert.dll... 100%
Extract: libnspr4.dll... 100%
Extract: libplc4.dll... 100%
Extract: libplds4.dll... 100%
Extract: nss3.dll... 100%
Extract: nssckbi.dll... 100%
Extract: nssdbm3.dll... 100%
Extract: nssutil3.dll... 100%
Extract: VDWFP64.sys... 100%
Extract: VDWFP.sys... 100%
Extract: VisualDiscovery.exe... 100%
Extract: VisualDiscovery.tlb... 100%
Extract: smime3.dll... 100%
Extract: softokn3.dll... 100%
Extract: sqlite3.dll... 100%
Extract: ssl3.dll... 100%
Extract: VDWFPInstaller.exe... 100%
Extract: Run.exe... 100%
Extract: uninstall.exe... 100%
Execute: run.exe 30000 VisualDiscovery.exe /Auto /Service <span style="color: purple;">// Creating the VisualDiscovery.exe service and setting it to Automatic</span>
Execute: run.exe 30000 C:\Windows\system32\sc.exe start VisualDiscovery <span style="color: purple;">// Starting the newly created service</span>
Execute: run.exe 30000 VDWFPInstaller.exe install <span style="color: purple;">// Dropping the driver</span>
Output folder: C:\Program Files\Lenovo\VisualDiscovery
Completed
</code></pre>
<br />
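As an added defender-side check (not code from the post, nor from Lenovo or Superfish), here is a PowerShell script that looks for the artifacts catalogued above: the VDWFP service key with its appTable and globalAppTable values, the VisualDiscovery service the installer creates, and the two ROOT certificate entries from the registry listing. It assumes only the key, value and service names shown in the post; because appTable and globalAppTable appear only as screenshots, the value decoding handles binary, multi-string and string data alike.<br />

```powershell
# Added example (not the post's own code): read-only inventory of the
# Superfish / VisualDiscovery artifacts described in the post.
# Assumption: the stored data type of appTable / globalAppTable is not given
# in the post (only a screenshot), so ConvertTo-ReadableValue decodes
# REG_BINARY, REG_MULTI_SZ and REG_SZ alike. Run from an elevated prompt.

$ServiceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\VDWFP',
    'HKLM:\SYSTEM\CurrentControlSet\Services\VisualDiscovery'
)
$WfpConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VDWFP'
$TableValues  = @('appTable', 'globalAppTable')

# Thumbprints of the two ROOT store entries from the registry listing above;
# the script reports each certificate's subject so the reader sees what it is.
$RootThumbprints = @(
    '30D1FD4A296AB1A8831CD56B4110A227F557BFFF',
    'C864484869D41D2B0D32319C5A62F9315AAF2CBD'
)

function ConvertTo-ReadableValue {
    # Render a registry value as one string regardless of its stored type.
    param($Value)
    if ($Value -is [byte[]]) {
        # Binary: try UTF-16LE (the usual Windows string encoding), else hex.
        $text = [System.Text.Encoding]::Unicode.GetString($Value).TrimEnd([char]0)
        if ($text -match '^[\x20-\x7E\r\n\t]+$') { return $text }
        return ($Value | ForEach-Object { $_.ToString('X2') }) -join ' '
    }
    if ($Value -is [string[]]) { return ($Value -join ', ') }
    return [string]$Value
}

function Get-SuperfishFindings {
    $findings = @()

    # 1. Service registry keys written by the installer.
    foreach ($key in $ServiceKeys) {
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key
            $findings += [pscustomobject]@{
                Kind   = 'ServiceKey'
                Item   = $key
                Detail = "ImagePath=$($props.ImagePath) Start=$($props.Start)"
            }
        }
    }

    # 2. The WFP redirector's intercept (appTable) and exclusion
    #    (globalAppTable) lists, decoded for display.
    if (Test-Path -Path $WfpConfigKey) {
        $props = Get-ItemProperty -Path $WfpConfigKey
        foreach ($name in $TableValues) {
            if ($null -ne $props.$name) {
                $findings += [pscustomobject]@{
                    Kind   = 'WfpTable'
                    Item   = $name
                    Detail = ConvertTo-ReadableValue $props.$name
                }
            }
        }
    }

    # 3. The VisualDiscovery service itself (installed with /Auto /Service).
    $svc = Get-Service -Name 'VisualDiscovery' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Kind   = 'Service'
            Item   = $svc.Name
            Detail = "Status=$($svc.Status)"
        }
    }

    # 4. Machine ROOT store certificates matching the installer's entries.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\Root) {
        if ($RootThumbprints -contains $cert.Thumbprint.ToUpper()) {
            $findings += [pscustomobject]@{
                Kind   = 'RootCert'
                Item   = $cert.Thumbprint
                Detail = "Subject=$($cert.Subject) NotAfter=$($cert.NotAfter)"
            }
        }
    }
    return $findings
}

$results = @(Get-SuperfishFindings)
if ($results.Count -eq 0) {
    Write-Host 'No VisualDiscovery / VDWFP artifacts found.'
} else {
    $results | Format-Table -AutoSize
}
```

A clean machine returns no findings; on an affected one the WfpTable rows show the same chrome.exe and avguard.exe entries the screenshots above do, and the RootCert rows tell you which of the two thumbprints is actually present in the trusted store.<br />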
Here are the values added after its installation:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 250px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SOFTWARE\Classes\AppID\VisualDiscovery.exe\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}\: "VisualDiscovery"
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}\LaunchPermission: 01 00 14 80 4C 00 00 00 5C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 11 00 14 00 04 00 00 00 01 01 00 00 00 00 00 10 00 10 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 0B 00 00 00 01 01 00 00 00 00 00 01 00 00 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}\InstallingUser: "dwBpAG4ALQBpAHUAZwA4ADAAcQA2AGoANABoAG8AXABzAHUAcABlAHIAZgBpAHMAaAAAAA=="
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}\LocalService: "VisualDiscovery"
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}\ServiceParameters: "-Service"
HKLM\SOFTWARE\Classes\AppID\{AD063C0E-0FE1-4772-B29B-679ACE94818F}\KomodiaParameters1: 0x00000000
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\: "DataContainer Class"
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\ProgID\: "VisualDiscoveryLib.DataContainer.1"
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}\VersionIndependentProgID\: "VisualDiscoveryLib.DataContainer"
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\: "DataTable Class"
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\ProgID\: "VisualDiscoveryLib.DataTable.1"
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}\VersionIndependentProgID\: "VisualDiscoveryLib.DataTable"
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\: "ReadOnlyManager Class"
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\ProgID\: "VisualDiscoveryLib.ReadOnlyManager.1"
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{10A7F29D-4B00-40EC-B07D-8616DF8135E6}\VersionIndependentProgID\: "VisualDiscoveryLib.ReadOnlyManager"
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\: "DataController Class"
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\ProgID\: "VisualDiscoveryLib.DataController.1"
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{4EECDED2-40FB-4500-85B4-86FB0EBECA68}\VersionIndependentProgID\: "VisualDiscoveryLib.DataController"
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\: "DataTableFields Class"
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\ProgID\: "VisualDiscoveryLib.DataTableFields.1"
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{533403E2-6E21-4615-9E28-43F4E97E977B}\VersionIndependentProgID\: "VisualDiscoveryLib.DataTableFields"
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\: "LSPLogic Class"
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\ProgID\: "VisualDiscoveryLib.LSPLogic.1"
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{5780633B-414C-446F-8EB2-FF1C9A731C99}\VersionIndependentProgID\: "VisualDiscoveryLib.LSPLogic"
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\: "WFPController Class"
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\ProgID\: "VisualDiscoveryLib.WFPController.1"
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}\VersionIndependentProgID\: "VisualDiscoveryLib.WFPController"
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\: "DataTableHolder Class"
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\AppID: "{AD063C0E-0FE1-4772-B29B-679ACE94818F}"
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\LocalServer32\: ""C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe""
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\ProgID\: "VisualDiscoveryLib.DataTableHolder.1"
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\CLSID\{9AD5C084-B6E6-456A-8BA2-A559663780E5}\VersionIndependentProgID\: "VisualDiscoveryLib.DataTableHolder"
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\: "ISSHController"
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{0FCE4F01-64EC-42F1-83E1-1E08D38605D2}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\: "IDataTableFields"
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{1A2A195A-A0F9-4006-AF02-3F05EEFDE792}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\: "IParentalControl"
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{2D9DB233-DC4B-4677-946C-5FA5ABCF506B}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\: "ILSPLogic"
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{2E5FA7B4-61A2-4662-BBCE-62BBB20FC649}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\: "INATDriver"
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{3AE76A17-C344-4A83-81CE-65EFEE41E42D}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\: "IWFPController"
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{4C0A69B0-CE97-42B7-86FC-08280C99C74D}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\: "IChatControl"
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{4E9EB4D5-C929-4005-AC62-1856B1DA5A24}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\: "IDataContainer"
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{5D7F05E3-075A-43AF-8BC7-21E2F7F38845}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\: "IDataTable"
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{617E26CE-E6E1-4C75-A68A-A001F2B98491}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\: "IWatchDog"
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{79FBDBEA-A722-4ABD-BEC0-B7D463F6BA0E}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\: "IDataController"
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{8128586C-DF69-4266-873F-CF4C6F705A7C}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\: "IInjector"
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{8FAF962C-3EDE-405E-B1D0-62B8235C6044}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\: "IReadOnlyManager"
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{C1F5E799-B218-4C32-B189-3C389BA140BB}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\: "IProxyChecks"
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{C1F9CFCE-A7DC-4072-8B31-1DEA57004C86}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\: "IDataTableHolder"
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{EA4AD895-2A7F-430E-B973-DEE6C4E743A9}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\: "IDataStatistics"
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{EBF4B60F-A863-426F-BE6F-5DFE83BC574F}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\: "IParentalControlController"
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\TypeLib\: "{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}"
HKLM\SOFTWARE\Classes\Interface\{F60C9408-3110-4C98-A139-ABE1EE1111DD}\TypeLib\Version: "1.0"
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\: "VisualDiscovery 1.0 Type Library"
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\0\win32\: "C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.tlb"
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\FLAGS\: "0"
HKLM\SOFTWARE\Classes\TypeLib\{CB6BF8B6-E12B-42FA-A478-91BCCDE475DC}\1.0\HELPDIR\: "C:\Program Files\Lenovo\VisualDiscovery"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer\: "DataContainer Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer\CLSID\: "{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer\CurVer\: "VisualDiscoveryLib.DataContainer.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1\: "DataContainer Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataContainer.1\CLSID\: "{02966FA9-C01A-47E7-A169-C83AEA1FB0BA}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController\: "DataController Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController\CLSID\: "{4EECDED2-40FB-4500-85B4-86FB0EBECA68}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController\CurVer\: "VisualDiscoveryLib.DataController.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1\: "DataController Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataController.1\CLSID\: "{4EECDED2-40FB-4500-85B4-86FB0EBECA68}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable\: "DataTable Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable\CLSID\: "{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable\CurVer\: "VisualDiscoveryLib.DataTable.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1\: "DataTable Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTable.1\CLSID\: "{05FF6A00-76A3-4AA1-A9A4-A782152ABE60}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields\: "DataTableFields Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields\CLSID\: "{533403E2-6E21-4615-9E28-43F4E97E977B}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields\CurVer\: "VisualDiscoveryLib.DataTableFields.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1\: "DataTableFields Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableFields.1\CLSID\: "{533403E2-6E21-4615-9E28-43F4E97E977B}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder\: "DataTableHolder Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder\CLSID\: "{9AD5C084-B6E6-456A-8BA2-A559663780E5}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder\CurVer\: "VisualDiscoveryLib.DataTableHolder.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1\: "DataTableHolder Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.DataTableHolder.1\CLSID\: "{9AD5C084-B6E6-456A-8BA2-A559663780E5}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic\: "LSPLogic Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic\CLSID\: "{5780633B-414C-446F-8EB2-FF1C9A731C99}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic\CurVer\: "VisualDiscoveryLib.LSPLogic.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1\: "LSPLogic Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.LSPLogic.1\CLSID\: "{5780633B-414C-446F-8EB2-FF1C9A731C99}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager\: "ReadOnlyManager Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager\CLSID\: "{10A7F29D-4B00-40EC-B07D-8616DF8135E6}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager\CurVer\: "VisualDiscoveryLib.ReadOnlyManager.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1\: "ReadOnlyManager Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.ReadOnlyManager.1\CLSID\: "{10A7F29D-4B00-40EC-B07D-8616DF8135E6}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController\: "WFPController Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController\CLSID\: "{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController\CurVer\: "VisualDiscoveryLib.WFPController.1"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1\: "WFPController Class"
HKLM\SOFTWARE\Classes\VisualDiscoveryLib.WFPController.1\CLSID\: "{70C7334A-66D9-46DE-A4E2-6B923C7DB94E}"
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\30D1FD4A296AB1A8831CD56B4110A227F557BFFF\Blob: 19 00 00 00 01 00 00 00 10 00 00 00 A9 EA 99 90 26 0D 1D 85 C0 99 2C 94 89 EB 6B B0 0F 00 00 00 01 00 00 00 14 00 00 00 EE 89 F2 FB 18 15 08 F4 25 3B 45 B4 4D EB 41 79 2E AB 55 1D 03 00 00 00 01 00 00 00 14 00 00 00 30 D1 FD 4A 29 6A B1 A8 83 1C D5 6B 41 10 A2 27 F5 57 BF FF 14 00 00 00 01 00 00 00 14 00 00 00 04 98 60 DF 80 1B 96 49 5D 65 56 2D A5 2C 09 24 0A EC DC B9 20 00 00 00 01 00 00 00 1F 04 00 00 30 82 04 1B 30 82 03 03 A0 03 02 01 02 02 04 07 27 37 0C 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 5A 31 0B 30 09 06 03 55 04 06 13 02 49 45 31 12 30 10 06 03 55 04 0A 13 09 42 61 6C 74 69 6D 6F 72 65 31 13 30 11 06 03 55 04 0B 13 0A 43 79 62 65 72 54 72 75 73 74 31 22 30 20 06 03 55 04 03 13 19 42 61 6C 74 69 6D 6F 72 65 20 43 79 62 65 72 54 72 75 73 74 20 52 6F 6F 74 30 1E 17 0D 31 30 30 39 30 38 31 37 33 35 31 36 5A 17 0D 32 30 30 39 30 38 31 37 33 34 30 38 5A 30 46 31
17 30 15 06 03 55 04 0A 13 0E 43 79 62 65 72 74 72 75 73 74 20 49 6E 63 31 2B 30 29 06 03 55 04 03 13 22 43 79 62 65 72 74 72 75 73 74 20 50 75 62 6C 69 63 20 53 75 72 65 53 65 72 76 65 72 20 53 56 20 43 41 30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01 00 A3 BA 99 8D B7 E1 CD 73 88 F9 B9 DD DE F4 05 F3 25 F5 3F C5 52 1E 51 5A 3F 9A FF 4D 84 B7 50 7F F1 10 8A 5D 7F 64 55 1C 3B A3 F3 FF 97 7F 1C 4B ED 6F 7F E9 54 EC 97 2A 42 03 67 7F B9 C8 6C A2 97 F8 40 93 24 C3 25 5E A5 66 8B 86 BD D7 B9 26 22 6E D2 66 83 B3 78 C1 7C 58 76 11 EB 16 55 47 32 F0 B9 34 10 BD 8F 26 A2 25 68 C1 14 2B A2 73 D6 66 3D 44 87 5C 13 7F 58 91 62 3D 57 7F 6C AE 42 E8 12 7E BD 78 F1 F1 AC 5C 35 60 68 45 BC 53 73 87 11 1D C5 2E FA 60 35 DA 91 F9 DA F2 55 6C BF CA A2 57 5C C8 64 BC A9 5B 15 A0 FC 1C F3 44 2E BD 06 F2 68 D8 40 2D BB B3 61 25 92 93 25 1C 77 46 90 BF D0 AF B7 83 A0 3C 87 5E A5 91 A8 FF C1 31 1B B6 4B AC 12 34 08 D5 DB EC 89 87 63 06 A7 53 F8 D5 F5 E6 66 A
C 5E 84 65 46 C9 F4 3A 25 0F 6C CC 0F 66 B8 9A 55 A1 46 6C FC 91 23 5F BD 02 03 01 00 01 A3 81 FC 30 81 F9 30 12 06 03 55 1D 13 01 01 FF 04 08 30 06 01 01 FF 02 01 00 30 4F 06 03 55 1D 20 04 48 30 46 30 44 06 09 2B 06 01 04 01 B1 3E 01 32 30 37 30 35 06 08 2B 06 01 05 05 07 02 01 16 29 68 74 74 70 3A 2F 2F 63 79 62 65 72 74 72 75 73 74 2E 6F 6D 6E 69 72 6F 6F 74 2E 63 6F 6D 2F 72 65 70 6F 73 69 74 6F 72 79 30 0E 06 03 55 1D 0F 01 01 FF 04 04 03 02 01 06 30 1F 06 03 55 1D 23 04 18 30 16 80 14 E5 9D 59 30 82 47 58 CC AC FA 08 54 36 86 7B 3A B5 04 4D F0 30 42 06 03 55 1D 1F 04 3B 30 39 30 37 A0 35 A0 33 86 31 68 74 74 70 3A 2F 2F 63 64 70 31 2E 70 75 62 6C 69 63 2D 74 72 75 73 74 2E 63 6F 6D 2F 43 52 4C 2F 4F 6D 6E 69 72 6F 6F 74 32 30 32 35 2E 63 72 6C 30 1D 06 03 55 1D 0E 04 16 04 14 04 98 60 DF 80 1B 96 49 5D 65 56 2D A5 2C 09 24 0A EC DC B9 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 82 01 01 00 5F DF 8B CF 29 79 78 2B F3 7C F4 82 5F 79 E0 E1 B3 28 BD 08 75 41 CE 8C 88 D7 0E 55 B9
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD\Blob: 19 00 00 00 01 00 00 00 10 00 00 00 64 02 D6 C9 98 A7 BB 26 E7 1B 6C 23 7A 74 22 9A 0F 00 00 00 01 00 00 00 14 00 00 00 2C F9 36 CB 2F E6 14 FF 9B 3C D7 C3 D6 42 B6 6D 88 12 FC 81 03 00 00 00 01 00 00 00 14 00 00 00 C8 64 48 48 69 D4 1D 2B 0D 32 31 9C 5A 62 F9 31 5A AF 2C BD 14 00 00 00 01 00 00 00 14 00 00 00 FB 98 B3 53 7F 14 44 2E E8 EE D5 09 9A 5E 0E 56 86 A8 35 88 20 00 00 00 01 00 00 00 F9 02 00 00 30 82 02 F5 30 82 02 5E A0 03 02 01 02 02 09 00 D2 FC 13 87 A9 44 DC E7 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 30 5B 31 18 30 16 06 03 55 04 0A 13 0F 53 75 70 65 72 66 69 73 68 2C 20 49 6E 63 2E 31 0B 30 09 06 03 55 04 07 13 02 53 46 31 0B 30 09 06 03 55 04 08 13 02 43 41 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 18 30 16 06 03 55 04 03 13 0F 53 75 70 65 72 66 69 73 68 2C 20 49 6E 63 2E 30 1E 17 0D 31 34 30 35 31 32 31 36 32 35 32 36 5A 17 0D 33 34 30 35 30 37 31 36 32 35
32 36 5A 30 5B 31 18 30 16 06 03 55 04 0A 13 0F 53 75 70 65 72 66 69 73 68 2C 20 49 6E 63 2E 31 0B 30 09 06 03 55 04 07 13 02 53 46 31 0B 30 09 06 03 55 04 08 13 02 43 41 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 18 30 16 06 03 55 04 03 13 0F 53 75 70 65 72 66 69 73 68 2C 20 49 6E 63 2E 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 E8 F3 4A 18 76 5F 19 3F B1 CF 58 E9 7F 43 07 09 95 80 35 C5 0F FE 71 31 27 81 99 12 26 20 A5 DF 8F 6A FC 42 55 39 EE 09 38 89 D9 E0 36 C4 AC 01 82 5B D5 39 E6 F9 8F 07 88 DF FE EE F6 A1 14 CE A9 74 45 D8 FD F0 17 57 2A 82 E1 7A 2E 12 93 5A AC 8A D7 15 63 D1 B7 9B 55 80 0F 58 BC 1C 49 ED 20 62 DD B6 4C A5 3A EB 1C 3D A0 FF 7A 71 A6 D3 10 78 33 AE 4B C2 1C FD 92 4A A1 C3 E7 41 A4 2D 02 03 01 00 01 A3 81 C0 30 81 BD 30 0C 06 03 55 1D 13 04 05 30 03 01 01 FF 30 1D 06 03 55 1D 0E 04 16 04 14 FB 98 B3 53 7F 14 44 2E E8 EE D5 09 9A 5E 0E 56 86 A8 35 88 30 81 8D 06 03 55 1D 23 04 81 85 30 81 82 80 14 FB 98 B3 53 7F 14 44 2E E
8 EE D5 09 9A 5E 0E 56 86 A8 35 88 A1 5F A4 5D 30 5B 31 18 30 16 06 03 55 04 0A 13 0F 53 75 70 65 72 66 69 73 68 2C 20 49 6E 63 2E 31 0B 30 09 06 03 55 04 07 13 02 53 46 31 0B 30 09 06 03 55 04 08 13 02 43 41 31 0B 30 09 06 03 55 04 06 13 02 55 53 31 18 30 16 06 03 55 04 03 13 0F 53 75 70 65 72 66 69 73 68 2C 20 49 6E 63 2E 82 09 00 D2 FC 13 87 A9 44 DC E7 30 0D 06 09 2A 86 48 86 F7 0D 01 01 05 05 00 03 81 81 00 A4 7C A0 EC 0A 4A C7 70 C4 71 68 F3 3B 22 E2 DC 9C 8D D0 92 FE 73 7E 72 2B 55 44 9B 1B B4 42 EB 1F AF BE BA E3 93 A3 D4 8B 18 C2 94 F0 B3 A6 BD 65 34 4C CD 24 F8 19 0B C5 15 0A DA F3 57 8B A9 86 CF 6C C3 EE 84 2F 85 0B 19 14 17 98 B4 0C D4 96 8B E9 1C CC 95 C9 4E D0 AA 4B 01 A5 F6 DF 49 12 81 6A BE D5 BE CE 76 7D 4E AC 8B 88 E3 30 ED 31 84 50 8F BC F1 50 2A 5B 4A A6 5E 7C 0F 71 FA
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\UFH\ARP\1: 53 00 6F 00 66 00 74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 5C 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 5C 00 43 00 75 00 72 00 72 00 65 00 6E 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 5C 00 55 00 6E 00 69 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 00 00 53 00 75 00 70 00 65 00 72 00 66 00 69 00 73 00 68 00 20 00 49 00 6E 00 63 00 2E 00 20 00 56 00 69 00 73 00 75 00 61 00 6C 00 44 00 69 00 73 00 63 00 6F 00 76 00 65 00 72 00 79 00 00 00 43 00 3A 00 5C 00 50 00 72 00 6F 00 67 00 72 00 61 00 6D 00 20 00 46 00 69 00 6C 00 65 00 73 00 5C 00 4C 00 65 00 6E 00 6F 00 76 00 6F 00 5C 00 56 00 69 00 73 00 75 00 61 00 6C 00 44 00 69 00 73 00 63 00 6F 00 76 00 65 00 72 00 79 00 5C 00 75 00 6E 00 69 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 2E 00 65 00 78 00 65 00 00 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\DisplayName: "Superfish Inc. VisualDiscovery"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\DisplayVersion: "1.0.0.0"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\Publisher: "Superfish"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\URLInfoAbout: "http://www.similarproducts.net/VisualDiscovery/"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\DisplayIcon: "C:\Program Files\Lenovo\VisualDiscovery\uninstall.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\UninstallString: "C:\Program Files\Lenovo\VisualDiscovery\uninstall.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\VersionMajor: "1"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\VersionMinor: "0.0.0"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Superfish Inc. VisualDiscovery\NoRepair: 0x00000001
HKLM\SOFTWARE\Lenovo\VisualDiscovery\DisplayName: "VisualDiscovery"
HKLM\SOFTWARE\Lenovo\VisualDiscovery\DisplayVersion: "1.0.0.0"
HKLM\SOFTWARE\Lenovo\VisualDiscovery\InstallDir: "C:\Program Files\Lenovo\VisualDiscovery"
HKLM\SOFTWARE\Superfish Inc. VisualDiscovery\Path: "C:\Program Files\Lenovo\VisualDiscovery"
HKLM\SOFTWARE\VisualDiscovery\aedd20b8c4f074143efd64bf01197f1e: "37866,"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\VDWFP\: "Driver"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\VisualDiscovery\: "service"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\06718B45\AppFullPath: "C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\06718B45\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\0D8BECC7\AppFullPath: "c:\program files\microsoft visual studio 12.0\common7\ide\devenv.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\0D8BECC7\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\221F0C44\AppFullPath: "C:\Windows\system32\vmwp.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\221F0C44\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC\AppFullPath: "C:\Windows\system32\inetsrv\w3wp.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390\AppFullPath: "C:\Windows\system32\vmconnect.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2EB3D11A\AppFullPath: "c:\program files\microsoft sql server\110\tools\binn\managementstudio\ssms.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\2EB3D11A\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\31B4C347\AppFullPath: "C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\31B4C347\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3\AppFullPath: "C:\Windows\system32\vmms.exe"
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\ImagePath: "\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ADA9C25D-BB48-4F04-9B8F-42A124BC9E8A}\MpKsld64efe45.sys"
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\DeviceName: "MpKsld64efe45"
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\AllowedProcessName: "\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe"
HKLM\SYSTEM\ControlSet001\Services\VDWFP\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\VDWFP\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\VDWFP\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\VDWFP\ImagePath: "\??\C:\Windows\system32\Drivers\VDWFP.sys"
HKLM\SYSTEM\ControlSet001\Services\VDWFP\DisplayName: "VDWFP"
HKLM\SYSTEM\ControlSet001\Services\VDWFP\Group: "networkprovider"
HKLM\SYSTEM\ControlSet001\Services\VDWFP\DependOnService: 42 00 46 00 45 00 00 00 00 00
HKLM\SYSTEM\ControlSet001\Services\VDWFP\appTable: 14 00 63 00 68 00 72 00 6F 00 6D 00 65 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 69 00 65 00 78 00 70 00 6C 00 6F 00 72 00 65 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 6D 00 61 00 78 00 74 00 68 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 6F 00 70 00 65 00 72 00 61 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 73 00 61 00 66 00 61 00 72 00 69 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2A 00 77 00 65 00 62 00 6B 00 69 00 74 00 32 00 77 00 65 00 62 00 70 00 72 00 6F 00 63 00 65 00 73 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00
HKLM\SYSTEM\ControlSet001\Services\VDWFP\globalAppTable: 16 00 61 00 66 00 74 00 65 00 72 00 66 00 78 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0E 00 61 00 6C 00 67 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 61 00 76 00 61 00 73 00 74 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 61 00 76 00 67 00 6D 00 66 00 61 00 70 00 78 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[The raw dump in this stretch is almost entirely 00 padding, so it is shown here decoded rather than byte-for-byte. Every non-zero run has the same shape: a 16-bit little-endian length in bytes (the character count times two, the terminator excluded), the process name as UTF-16LE, a UTF-16 NUL, then zero padding out to the next entry. The length prefixes all check out against the names that follow them, and the names appear in alphabetical order. In order of appearance:]

  16 00  avguard.exe
  0E 00  avp.exe
  18 00  avwebgrd.exe
  12 00  ccapp.exe
  18 00  ccsvchst.exe
  28 00  coreserviceshell.exe
  12 00  csrss.exe
  16 00  dllhost.exe
  10 00  ekrn.exe
  14 00  fxssvc.exe
  24 00  ieetwcollector.exe
  16 00  locator.exe
  12 00  lsass.exe
  2C 00  maintenanceservice.exe
  1C 00  mozybackup.exe
  12 00  msdtc.exe
  16 00  msiexec.exe
  16 00  msmpeng.exe
  16 00  msvsmon.exe
  14 00  nissrv.exe
  0E 00  rps.exe
  22 00  searchindexer.exe
  10 00  smss.exe
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 73 00 6D 00 73 00 76 00 63 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 73 00 6E 00 6D 00 70 00 74 00 72 00 61 00 70 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 73 00 70 00 6F 00 6F 00 6C 00 73 00 76 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 14 00 73 00 70 00 70 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 73 00 76 00 63 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 74 00 6D 00 70 00 72 00 6F 00 78 00 79 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 74 00 70 00 61 00 75 00 74 00 6F 00 63 00 6F 00 6E 00 6E 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1E 00 74 00 70 00 76 00 63 00 67 00 61 00 74 00 65 00 77 00 61 00 79 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 00 74 00 72 00 75 00 73 00 74 00 65 00 64 00 69 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 2E 00 65 00 78 00 65 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 75 00 69 00 30 00 64 00 65 00 74 00 65 00 63 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0E 00 76 00 64 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 00 76 00 69 00 73 00 75 00 61 00 6C 00 64 00 69 00 73 00 63 00 6F 00 76 00 65 00 72 00 79 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 76 00 6D 00 74 00 6F 00 6F 00 6C 00 73 00 64 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 76 00 73 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 77 00 62 00 65 00 6E 00 67 00 69 00 6E 00 65 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 77 00 6D 00 69 00 61 00 70 00 73 00 72 00 76 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKLM\SYSTEM\ControlSet001\Services\VDWFP\globalIpTable: 65 22 46 42 67 22 46 42 69 22 46 42 6F 22 46 42 71 22 46 42 73 22 46 42 75 22 46 42 77 22 46 42 79 22 46 42 7B 22 46 42 7D 22 46 42 7F 22 46 42 81 22 46 42 FB 22 46 42 5F 22 46 42 61 22 46 42
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\Type: 0x00000010
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\ImagePath: "C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe"
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\DisplayName: "VisualDiscovery"
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\DependOnService: 52 00 50 00 43 00 53 00 53 00 00 00 00 00
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\VisualDiscovery\Description: "VisualDiscovery Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VDWFP\: "Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\VisualDiscovery\: "service"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\06718B45\AppFullPath: "C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\06718B45\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\0D8BECC7\AppFullPath: "c:\program files\microsoft visual studio 12.0\common7\ide\devenv.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\0D8BECC7\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\221F0C44\AppFullPath: "C:\Windows\system32\vmwp.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\221F0C44\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC\AppFullPath: "C:\Windows\system32\inetsrv\w3wp.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2A49FDCC\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390\AppFullPath: "C:\Windows\system32\vmconnect.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2C9A5390\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2EB3D11A\AppFullPath: "c:\program files\microsoft sql server\110\tools\binn\managementstudio\ssms.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\2EB3D11A\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\31B4C347\AppFullPath: "C:\Program Files\Microsoft SQL Server\MSSQL11.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\31B4C347\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3\AppFullPath: "C:\Windows\system32\vmms.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AppId_Catalog\3A57D8D3\PermittedLspCategories: 0x00000F00
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45\ImagePath: "\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ADA9C25D-BB48-4F04-9B8F-42A124BC9E8A}\MpKsld64efe45.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45\DeviceName: "MpKsld64efe45"
HKLM\SYSTEM\CurrentControlSet\Services\MpKsld64efe45\AllowedProcessName: "\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe"
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\ImagePath: "\??\C:\Windows\system32\Drivers\VDWFP.sys"
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\DisplayName: "VDWFP"
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\Group: "networkprovider"
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\DependOnService: 42 00 46 00 45 00 00 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\appTable: [multi-line REG_BINARY value omitted]
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\globalAppTable: [multi-line REG_BINARY value omitted]
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 6C 00 73 00 61 00 73 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 00 6D 00 61 00 69 00 6E 00 74 00 65 00 6E 00 61 00 6E 00 63 00 65 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1C 00 6D 00 6F 00 7A 00 79 00 62 00 61 00 63 00 6B 00 75 00 70 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 12 00 6D 00 73 00 64 00 74 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 6D 00 73 00 6D 00 70 00 65 00 6E 00 67 00 2E 0
0 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 6D 00 73 00 76 00 73 00 6D 00 6F 00 6E 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 6E 00 69 00 73 00 73 00 72 00 76 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0E 00 72 00 70 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 73 00 65 00 61 00 72 00 63 00 68 00 69 00 6E 00 64 00 65 00 78 00 65 00 72 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 73 00 6D 00 73 00 73 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1A 00 73 00 6D 00 73 00 76 00 63 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 00 73 00 6E 00 6D 00 70 00 74 00 72 00 61 00 70 00 2E 00 65 00 78 00 65 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 73 00 70 00 6F 00 6F 00 6C 00 73 00 76 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 00 73 00 70 00 70 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 73 00 76 00 63 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 16 00 74 00 6D 00 70 00 72 00 6F 00 78 00 79 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 22 00 74 00 70 00 61 00 75 00 74 00 6F 00 63 00 6F 00 6E 00 6E 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 [remainder of this value: long runs of 00 padding separating records of the form [16-bit byte length][UTF-16LE process name]; the non-zero records, in order, are]
 1E 00 74 00 70 00 76 00 63 00 67 00 61 00 74 00 65 00 77 00 61 00 79 00 2E 00 65 00 78 00 65 00    [0x1E = 30 bytes: tpvcgateway.exe]
 28 00 74 00 72 00 75 00 73 00 74 00 65 00 64 00 69 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 2E 00 65 00 78 00 65 00    [0x28 = 40 bytes: trustedinstaller.exe]
 1A 00 75 00 69 00 30 00 64 00 65 00 74 00 65 00 63 00 74 00 2E 00 65 00 78 00 65 00    [0x1A = 26 bytes: ui0detect.exe]
 0E 00 76 00 64 00 73 00 2E 00 65 00 78 00 65 00    [0x0E = 14 bytes: vds.exe]
 26 00 76 00 69 00 73 00 75 00 61 00 6C 00 64 00 69 00 73 00 63 00 6F 00 76 00 65 00 72 00 79 00 2E 00 65 00 78 00 65 00    [0x26 = 38 bytes: visualdiscovery.exe]
 18 00 76 00 6D 00 74 00 6F 00 6F 00 6C 00 73 00 64 00 2E 00 65 00 78 00 65 00    [0x18 = 24 bytes: vmtoolsd.exe]
 12 00 76 00 73 00 73 00 76 00 63 00 2E 00 65 00 78 00 65 00    [0x12 = 18 bytes: vssvc.exe]
 18 00 77 00 62 00 65 00 6E 00 67 00 69 00 6E 00 65 00 2E 00 65 00 78 00 65 00    [0x18 = 24 bytes: wbengine.exe]
 18 00 77 00 6D 00 69 00 61 00 70 00 73 00 72 00 76 00 2E 00 65 00 78 00 65 00    [0x18 = 24 bytes: wmiapsrv.exe]
 [trailing 00 padding]
HKLM\SYSTEM\CurrentControlSet\Services\VDWFP\globalIpTable: 65 22 46 42 67 22 46 42 69 22 46 42 6F 22 46 42 71 22 46 42 73 22 46 42 75 22 46 42 77 22 46 42 79 22 46 42 7B 22 46 42 7D 22 46 42 7F 22 46 42 81 22 46 42 FB 22 46 42 5F 22 46 42 61 22 46 42
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\Type: 0x00000010
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\ImagePath: "C:\Program Files\Lenovo\VisualDiscovery\VisualDiscovery.exe"
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\DisplayName: "VisualDiscovery"
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\DependOnService: 52 00 50 00 43 00 53 00 53 00 00 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\VisualDiscovery\Description: "VisualDiscovery Service"
HKU\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel: 0x00000001
HKU\S-1-5-18\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm\wheel: 0x00000001
</code></pre>
<br />
Among the values above, VisualDiscovery is registered as an auto-start (Start = 2), own-process (Type = 0x10) service running as LocalSystem with a dependency on RPCSS (the DependOnService bytes are UTF-16LE "RPCSS"), and the VDWFP key belongs to its Windows Filtering Platform driver. We also see a Windows Defender definition update that landed during the capture window. The MpKsl* driver under Definition Updates\{GUID} is Defender's own dynamic-signature kernel component, restricted to MsMpEng.exe via AllowedProcessName; it is not something Superfish ships, so this is most likely Defender updating itself while the snapshots were taken rather than part of the Superfish install:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\ImagePath: "\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{ADA9C25D-BB48-4F04-9B8F-42A124BC9E8A}\MpKsld64efe45.sys"
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\DeviceName: "MpKsld64efe45"
HKLM\SYSTEM\ControlSet001\Services\MpKsld64efe45\AllowedProcessName: "\Device\HarddiskVolume1\Program Files\Windows Defender\MsMpEng.exe"
</code></pre>
<br />
We also have previously existing values that were modified, each shown as its old value followed by its new value. The UserAssist value names are ROT13-encoded: HRZR_PGYFRFFVBA is UEME_CTLSESSION, Zvpebfbsg.Jvaqbjf.Rkcybere is Microsoft.Windows.Explorer, and the two P:\Hfref\Fhcresvfu\... entries decode to C:\Users\Superfish\Desktop\Stupidfish\superfish_setup.exe and C:\Users\Superfish\Downloads\Regshot-1.9.0\Regshot-x86-Unicode.exe, so those counters are just the installer and the snapshot tool being launched (the installer's run count, the second dword, goes from 1 to 2). The rest is equally mundane: the profile RefCount, the hash and trigger of an existing scheduled task, the Program Compatibility Assistant store entry for superfish_setup.exe, and the shell BagMRU ordering:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 250px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-139515994-2175770748-2564365663-1001\RefCount: 0x00000004
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-139515994-2175770748-2564365663-1001\RefCount: 0x00000005
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B91B615-80E8-4110-9D16-3B2D065E11A1}\Hash: 2A FC 8C D0 88 A9 03 C8 1A 97 37 68 88 09 11 C8 C3 21 D6 94 08 40 3D 1C 3F 78 1C C2 55 23 1B 6D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B91B615-80E8-4110-9D16-3B2D065E11A1}\Hash: DD 69 A9 AC E8 A5 8D 90 AD 7A 33 BE 54 BF 75 2D B0 EA 41 72 CB 0C 0E 8B 19 AE 67 0B 20 26 5B 52
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B91B615-80E8-4110-9D16-3B2D065E11A1}\Triggers: 15 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 80 75 1E 3A 78 53 D0 01 00 00 00 00 05 00 00 00 FF FF FF FF FF FF FF FF 48 21 C2 02 48 48 48 48 DF 19 72 DA 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 05 00 00 00 48 48 48 48 0C 00 00 00 48 48 48 48 01 01 00 00 00 00 00 05 14 00 00 00 48 48 48 48 00 00 00 00 48 48 48 48 2C 00 00 00 48 48 48 48 00 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 07 00 00 00 3C 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 48 48 48 DD DD 00 00 00 00 00 00 00 00 00 00 05 00 00 00 80 75 1E 3A 78 53 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 01 00 00 00 01 00 00 00 00 00 00 00 00 01 DF 00 01 00 00 00 00 00 00 00 B0 FB BA 02
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B91B615-80E8-4110-9D16-3B2D065E11A1}\Triggers: 15 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 00 9E 1D E3 81 53 D0 01 00 00 00 00 05 00 00 00 FF FF FF FF FF FF FF FF 48 21 C2 02 48 48 48 48 2E A1 9E A7 48 48 48 48 00 48 48 48 48 48 48 48 00 48 48 48 48 48 48 48 05 00 00 00 48 48 48 48 0C 00 00 00 48 48 48 48 01 01 00 00 00 00 00 05 14 00 00 00 48 48 48 48 00 00 00 00 48 48 48 48 2C 00 00 00 48 48 48 48 00 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 07 00 00 00 3C 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 48 48 48 DD DD 00 00 00 00 00 00 00 00 00 00 05 00 00 00 00 9E 1D E3 81 53 D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF 01 00 00 00 01 00 00 00 00 00 00 00 00 01 DF 00 01 00 00 00 00 00 00 00 78 6A B0 02
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA: 00 00 00 00 16 00 00 00 63 00 00 00 E4 92 3C 00 04 00 00 00 06 00 00 00 FF 3F 08 00 [UTF-16LE "C:\Users\Superfish\Downloads\odbg110\OLLYDBG.EXE", then 00 padding] 16 00 00 00 4B 19 06 00 [UTF-16LE "Microsoft.Windows.Explorer", then 00 padding] 02 00 00 00 08 00 00 00 8A 5B 11 00 [UTF-16LE "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\NTCore\Explorer Suite\CFF Explorer.exe", then 00 padding]
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA: 00 00 00 00 17 00 00 00 65 00 00 00 10 28 3D 00 04 00 00 00 06 00 00 00 FF 3F 08 00 [same OLLYDBG.EXE string and padding as above] 16 00 00 00 4F 28 06 00 [same Microsoft.Windows.Explorer string and padding] 02 00 00 00 08 00 00 00 8A 5B 11 00 [same CFF Explorer.exe string and padding]
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere: 00 00 00 00 00 00 00 00 16 00 00 00 4B 19 06 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\Zvpebfbsg.Jvaqbjf.Rkcybere: 00 00 00 00 00 00 00 00 16 00 00 00 4F 28 06 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Fhcresvfu\Qrfxgbc\Fghcvqsvfu\fhcresvfu_frghc.rkr: 00 00 00 00 01 00 00 00 01 00 00 00 32 C8 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 80 3B AA 8C B1 52 D0 01 00 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Fhcresvfu\Qrfxgbc\Fghcvqsvfu\fhcresvfu_frghc.rkr: 00 00 00 00 02 00 00 00 02 00 00 00 35 2D 01 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 00 2D B4 DC B8 52 D0 01 00 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Fhcresvfu\Qbjaybnqf\Ertfubg-1.9.0\Ertfubg-k86-Havpbqr.rkr: 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 80 97 2A D6 B8 52 D0 01 00 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\P:\Hfref\Fhcresvfu\Qbjaybnqf\Ertfubg-1.9.0\Ertfubg-k86-Havpbqr.rkr: 00 00 00 00 01 00 00 00 02 00 00 00 25 21 00 00 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF 00 00 80 BF FF FF FF FF 80 97 2A D6 B8 52 D0 01 00 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Superfish\Desktop\Stupidfish\superfish_setup.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 88 85 33 00 AB F8 33 00 01 00 00 00 00 00 00 00 00 00 01 06 00 01 00 00 97 5F D8 91 C9 9E CE 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 CA 00 00 00 00 00 00 01 00 00 00 01 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Superfish\Desktop\Stupidfish\superfish_setup.exe: 53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 88 85 33 00 AB F8 33 00 01 00 00 00 00 00 00 00 00 00 01 06 00 01 00 00 97 5F D8 91 C9 9E CE 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 CA 00 00 00 00 00 00 02 00 00 00 02 00 00 00
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx: 01 00 00 00 03 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-139515994-2175770748-2564365663-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx: 03 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-139515994-2175770748-2564365663-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx: 01 00 00 00 03 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-139515994-2175770748-2564365663-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx: 03 00 00 00 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
</code></pre>
<br />
Overall, pretty boring stuff.<br />
<br />
<b>When 0xFC is not entirely a driver issue...</b> (published 2015-02-13T01:04:00.000-05:00, updated 2015-02-13T01:06:28.454-05:00)<br />
<br />
I very recently received a crash dump from a user in which they stated their system either rebooted randomly or bug checked during streamed content, etc. The user had their system built by a 3rd party, specifically Power4PC in Belgium. Given it was relatively new and was of course under their warranty-type guarantee, the user shipped it back to them and they ran "diagnostics". During these "diagnostics", they reported to the user that there were, and I quote, "faulty drivers", so it didn't fall under their warranty guarantee, and the user ultimately had to pay money to get the system back.<br />
<br />
I contemplated whether or not I wanted to name drop Power4PC, but given they pretty much robbed the user of money and went about it extremely poorly, I decided I was going to. Interestingly enough, the user gets their system back and it's still crashing, what a surprise! Let's take a look at the crash dump.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .bugcheck
Bugcheck code 000000FC
Arguments ffffc001`b4bf7010 d6b00001`05e5b963 ffffd000`bfe2adb0 00000000`00000002
</code></pre>
<br />
So here's our bug check - <b>ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY</b> (0xFC). I won't go into the specifics regarding executable/non-executable memory, but know that it mostly has to do with security, such as attempting to prevent things like buffer overflow exploitation. Windows (and other OSes of course, although each implements it a bit differently) marks certain pages of memory as non-executable, which in turn tells the processor <i>not </i>to execute the data stored in those pages.<br />
<br />
When an attempt is made to execute memory that is marked as non-executable, Windows throws a bug check for security (and, as usual, disaster prevention) purposes. Do note that there are of course exploits and ways around non-executable memory, such as the well known <a href="http://www.cis.syr.edu/~wedu/seed/Labs/Vulnerability/Return_to_libc/Return_to_libc.pdf" target="_blank">return to libc</a> (the function's RET pointed at a library function or system API).<br />
<br />
Before going into the various parameters, let's check and see if PAE is enabled so we know what to expect. To know which register to look at to see if PAE is enabled/in use, the best approach is to check the corresponding processor manual. For example, on this system:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> !cpuinfo
CP F/M/S Manufacturer MHz PRCB Signature MSR 8B Signature Features
0 6,60,3 GenuineIntel 3399 0000000900000000 3d193fff
1 6,60,3 GenuineIntel 3399 0000000900000000 3d193fff
2 6,60,3 GenuineIntel 3399 0000000900000000 3d193fff
3 6,60,3 GenuineIntel 3399 0000000900000000 3d193fff
Cached Update Signature 0000000900000000
Initial Update Signature 0000000900000000
</code></pre>
<br />
We can see that it's a quad core Intel processor, therefore we'd check the Intel manual. According to the Intel manual (2.5 CONTROL REGISTERS), PAE is stored on x64 (and x86 I believe as well) in CR4.<br />
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
CR4 — Contains a group of flags that enable several architectural extensions, and indicate operating system or executive support for specific processor capabilities. The control registers can be read and loaded (or modified) using the move-to-or-from-control-registers forms of the MOV instruction. In protected mode, the MOV instructions allow the control registers to be read or loaded (at privilege level 0 only). This restriction means that application programs or operating-system procedures (running at privilege levels 1, 2, or 3) are prevented from reading or loading the control registers.</blockquote>
If we use the <b>r </b>command (show registers) along with cr4:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> r cr4
Last set context:
cr4=<span style="background-color: yellow;">00000000001506f8</span>
</code></pre>
<br />
We have our cr4 address now, and from this point can use <b>.formats </b>to check the bits:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .formats 00000000001506f8
Evaluate expression:
Hex: 00000000`001506f8
Decimal: 1378040
Octal: 0000000000000005203370
Binary: 00000000 00000000 00000000 00000000 00000000 00010101 00000110 111<span style="background-color: yellow;">1</span>1000
</code></pre>
<br />
Starting from the rightmost zero, it's the fifth bit. We can see it's enabled, which helps. The first parameter of the bug check contains the virtual address whose execution was attempted:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> !pte ffffc001b4bf7010
VA ffffc001b4bf7010
PXE at FFFFF6FB7DBEDC00 PPE at FFFFF6FB7DB80030 PDE at <span style="background-color: yellow;">FFFFF6FB70006D28</span> PTE at FFFFF6E000DA5FB8
contains 0000000000A75863 contains 0000000000A74863 contains 00000001087E8863 contains D6B0000105E5B963
pfn a75 ---DA--KWEV pfn a74 ---DA--KWEV pfn 1087e8 ---DA--KWEV pfn 105e5b -G-DA--KW-V
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> dt nt!_MMPTE u.Hard
+0x000 u :
+0x000 Hard : <span style="background-color: yellow;">_MMPTE_HARDWARE </span>
</code></pre>
<br />
Here we can see the data type used for the PDE. Let's go further and dump the PDE for the virtual address:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> dt _MMPTE_HARDWARE FFFFF6FB70006D28
<span style="background-color: yellow;">nt!_MMPTE_HARDWARE</span>
+0x000 Valid : 0y1
+0x000 Dirty1 : 0y1
+0x000 Owner : 0y0
+0x000 WriteThrough : 0y0
+0x000 CacheDisable : 0y0
+0x000 Accessed : 0y1
+0x000 Dirty : 0y1
+0x000 LargePage : 0y0
+0x000 Global : 0y0
+0x000 CopyOnWrite : 0y0
+0x000 Unused : 0y0
+0x000 Write : 0y1
+0x000 PageFrameNumber : 0y000000000000000100001000011111101000 (<span style="background-color: yellow;">0x1087e8</span>)
+0x000 reserved1 : 0y0000
+0x000 SoftwareWsIndex : 0y00000000000 (0)
+0x000 NoExecute : 0y0
</code></pre>
<br />
If we pay attention to the various flags in the PDE section of the VA dump, we can see it's:<br />
<br />
<ul>
<li><b>D</b> - Dirty, as in the page was previously written to.</li>
<li><b>A</b> - Accessed, as in the page (or table) has been previously accessed (read).</li>
<li><b>K</b> - This page is owned by kernel-mode, not user-mode.</li>
<li><b>W</b> - Writable, as in the page is able to be written to (not just read).</li>
<li><b>E</b> - Executable, as in the page is executable.</li>
<li><b>V</b> - Valid, as in the page is located in physical memory.</li>
</ul>
However, if we take a look at the PTE section of the VA dump, we can see it's:<br />
<br />
<ul>
<li><b>G</b> - Global, as in the TLB entry won't be flushed upon a context switch.</li>
<li><b>D</b> - Dirty, as in the page was previously written to.</li>
<li><b>A</b> - Accessed, as in the page (or table) has been previously accessed (read).</li>
<li><b>K</b> - This page is owned by kernel-mode, not user-mode.</li>
<li><b>W</b> - Writable, as in the page is able to be written to (not just read).</li>
<li><b>V</b> - Valid, as in the page is located in physical memory.</li>
</ul>
<br />
Notice anything missing? The executable flag. The global flag, on the other hand, is now present. The second parameter of the bug check contains the contents of the page table entry:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> !pte d6b0000105e5b963
VA d6b0000105e5b963
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00020 PDE at FFFFF6FB40004178 PTE at FFFFF6800082F2D8
contains 00C00001364F5867 contains 0000000000000000
pfn 1364f5 ---DA--UWEV not valid
<span style="background-color: yellow;">WARNING: noncanonical VA, accesses will fault !</span>
</code></pre>
<br />
We can see it's a noncanonical address, therefore it's of course going to fail. Let's dump the stack so we can find the page fault:<br />
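To make the PTE reading above mechanical, here's an added example (my own Python, not code from the post or from WinDbg) that checks CR4.PAE, splits a raw <b>_MMPTE_HARDWARE</b> value into the fields the <b>dt</b> output above lists, rebuilds the flag column that <b>!pte</b> prints, and applies the x64 canonical-address rule. The letter order of the flag column is reconstructed from the output on this page, and using the software Write bit (bit 11) for the W letter is an assumption; the PDE and PTE values are the ones from this dump.<br />

```python
"""Decode CR4.PAE, x64 PTE/PDE entries and the canonical-address rule used
in the 0xFC walkthrough. Added example, not the blog's or WinDbg's code."""

CR4_PAE = 1 << 5          # Intel SDM: CR4.PAE is bit 5

# Bit layout exactly as dumped by `dt nt!_MMPTE_HARDWARE` on this system.
PTE_BITS = {
    "Valid": 0, "Dirty1": 1, "Owner": 2, "WriteThrough": 3,
    "CacheDisable": 4, "Accessed": 5, "Dirty": 6, "LargePage": 7,
    "Global": 8, "CopyOnWrite": 9, "Unused": 10, "Write": 11,
    "NoExecute": 63,
}
PFN_SHIFT, PFN_BITS = 12, 36   # PageFrameNumber occupies bits 12..47


def cr4_pae_enabled(cr4: int) -> bool:
    """True when CR4.PAE is set (on the crashing box cr4=0x1506f8)."""
    return bool(cr4 & CR4_PAE)


def decode_pte(value: int) -> dict:
    """Split a raw 64-bit _MMPTE_HARDWARE value into named fields."""
    fields = {name: (value >> bit) & 1 for name, bit in PTE_BITS.items()}
    fields["PageFrameNumber"] = (value >> PFN_SHIFT) & ((1 << PFN_BITS) - 1)
    return fields


def pte_flag_string(value: int) -> str:
    """Rebuild the 11-character flag column !pte prints (e.g. ---DA--KWEV).

    Letter order C G L D A N T K/U W/R E V is reconstructed from the output
    on the page; which bit !pte reads for W is an assumption (the software
    Write bit 11 from the dt layout is used here).
    """
    f = decode_pte(value)
    return "".join([
        "C" if f["CopyOnWrite"] else "-",
        "G" if f["Global"] else "-",
        "L" if f["LargePage"] else "-",
        "D" if f["Dirty"] else "-",
        "A" if f["Accessed"] else "-",
        "N" if f["CacheDisable"] else "-",
        "T" if f["WriteThrough"] else "-",
        "U" if f["Owner"] else "K",
        "W" if f["Write"] else "R",
        "-" if f["NoExecute"] else "E",   # E disappears when bit 63 is set
        "V" if f["Valid"] else "-",
    ])


def is_canonical(va: int) -> bool:
    """48-bit x64 canonical rule: bits 63..47 must all be equal."""
    top = va >> 47
    return top == 0 or top == (1 << 17) - 1


def execute_would_bugcheck(pte: int) -> bool:
    """An instruction fetch from a valid page whose PTE has NoExecute set is
    the condition behind ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY (0xFC)."""
    f = decode_pte(pte)
    return bool(f["Valid"] and f["NoExecute"])


if __name__ == "__main__":
    # Values taken from the debugger output in the post.
    pde = 0x00000001087E8863       # PDE for ffffc001b4bf7010
    pte = 0xD6B0000105E5B963       # PTE for ffffc001b4bf7010 (bug check arg 2)
    print("PAE enabled:", cr4_pae_enabled(0x1506F8))
    for name, val in (("PDE", pde), ("PTE", pte)):
        f = decode_pte(val)
        print(f"{name} pfn {f['PageFrameNumber']:x} {pte_flag_string(val)}")
    print("execute would 0xFC:", execute_would_bugcheck(pte))
    print("canonical:", is_canonical(0xFFFFC001B4BF7010), is_canonical(pte))
```

Running it reproduces the two flag columns from the <b>!pte</b> output (<b>---DA--KWEV</b> for the PDE, <b>-G-DA--KW-V</b> for the PTE); the missing E is nothing more than bit 63 being set in the PTE, which is why an instruction fetch from that page ends in 0xFC.<br />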
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> kv
Child-SP RetAddr : Args to Child : Call Site
ffffd000`bfe2ab18 fffff803`ac420096 : 00000000`000000fc ffffc001`b4bf7010 d6b00001`05e5b963 ffffd000`bfe2adb0 : nt!KeBugCheckEx
ffffd000`bfe2ab20 fffff803`ac30b7ce : d6b00001`05e5b963 00000980`00000000 ffffd000`bfe2ad40 fffff801`16e343d8 : nt! ?? ::FNODOBFM::`string'+0x4b9e6
ffffd000`bfe2ab60 fffff803`ac2d9e78 : 00000000`00000008 ffffe000`f1ee5900 ffffd000`bfe2adb0 ffffe000`f0618420 : nt!MiSystemFault+0xb5e
ffffd000`bfe2ac00 fffff803`ac3ce42f : ffffc001`b4bf7010 00000000`00000000 00000000`00000000 ffffd000`bfe2adb0 : nt!MmAccessFault+0x758
ffffd000`bfe2adb0 ffffc001`b4bf7010 : ffffc001`b4bf7010 ffffc001`b4bf7010 ffffd000`bfe2b060 ffffc001`00000000 : nt!KiPageFault+0x12f (<span style="background-color: yellow;">TrapFrame @ ffffd000`bfe2adb0</span>)
ffffd000`bfe2af48 ffffc001`b4bf7010 : ffffc001`b4bf7010 ffffd000`bfe2b060 ffffc001`00000000 00000000`00000000 : 0xffffc001`b4bf7010
ffffd000`bfe2af50 ffffc001`b4bf7010 : ffffd000`bfe2b060 ffffc001`00000000 00000000`00000000 00000000`00000000 : 0xffffc001`b4bf7010
ffffd000`bfe2af58 ffffd000`bfe2b060 : ffffc001`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xffffc001`b4bf7010
ffffd000`bfe2af60 ffffc001`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`0000000f : 0xffffd000`bfe2b060
ffffd000`bfe2af68 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`0000000f fffff801`17ae846e : 0xffffc001`00000000
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .trap ffffd000`bfe2adb0
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
<span style="background-color: yellow;">rax=0000000000000001</span> rbx=0000000000000000 rcx=ffffd000bfe2ae20
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffc001b4bf7010 rsp=ffffd000bfe2af48 rbp=ffffd000bfe2b060
r8=fffff80116e1bcd0 r9=0000000000000000 r10=0000000000000000
r11=ffffd000bfe2aee0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
ffffc001`b4bf7010 400200 add al,byte ptr [rax] ds:00000000`00000001=??
</code></pre>
<br />
We failed on a very basic arithmetic instruction, which was to add the single byte stored at the address in rax to AL, the 8 least significant bits of AX (whereas AX itself is the 16 least significant bits of EAX).<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> !pte rax <span style="color: purple;">// Or 0000000000000001</span>
VA 0000000000000001
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000000
contains 00C00001364F5867 contains 0610000136476867 contains 0000000000000000
pfn 1364f5 ---DA--UWEV pfn 136476 ---DA--UWEV <span style="background-color: yellow;">not valid </span>
</code></pre>
<br />
It's not uncommon whatsoever that buggy and malicious drivers cause 0xFC bug checks, but in this case I think the company that built the system couldn't figure it out, took a look at the bug check, Googled it, saw the MSDN article/a few forum posts that it was generally a driver related bug check, said it's being caused by "faulty drivers" so they don't have to look into it, and then charged money to do absolutely nothing. Also, not only is the stack for the thread completely bare and showing no signs of "faulty drivers", but let's take a look and see what actual 3rd party drivers there are on the system:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 250px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3: kd> lm
start end module name
fffff801`15828000 fffff801`1588e000 mcupdate_GenuineIntel (deferred)
fffff801`1588e000 fffff801`1589c000 werkernel (deferred)
fffff801`1589c000 fffff801`158fd000 CLFS (deferred)
fffff801`158fd000 fffff801`1591f000 tm (deferred)
fffff801`1591f000 fffff801`15934000 PSHED (deferred)
fffff801`15934000 fffff801`1593e000 BOOTVID (deferred)
fffff801`1593e000 fffff801`159c6000 CI (deferred)
fffff801`15a00000 fffff801`15a69000 spaceport (deferred)
fffff801`15a83000 fffff801`15ae0000 msrpc (deferred)
fffff801`15ae0000 fffff801`15baf000 Wdf01000 (deferred)
fffff801`15baf000 fffff801`15bc0000 WDFLDR (deferred)
fffff801`15bc0000 fffff801`15bd8000 acpiex (deferred)
fffff801`15bd8000 fffff801`15be3000 WppRecorder (deferred)
fffff801`15c00000 fffff801`15c8b000 cng (deferred)
fffff801`15c96000 fffff801`15ca0000 msisadrv (deferred)
fffff801`15ca0000 fffff801`15ce8000 pci (deferred)
fffff801`15cf4000 fffff801`15d7e000 ACPI (deferred)
fffff801`15d7e000 fffff801`15d88000 WMILIB (deferred)
fffff801`15d88000 fffff801`15d95000 vdrvroot (deferred)
fffff801`15d95000 fffff801`15db1000 pdc (deferred)
fffff801`15db1000 fffff801`15dc9000 partmgr (deferred)
fffff801`15dc9000 fffff801`15dde000 volmgr (deferred)
fffff801`15e00000 fffff801`15e55000 CLASSPNP (deferred)
fffff801`15e72000 fffff801`15ed1000 volmgrx (deferred)
fffff801`15ed1000 fffff801`15eec000 mountmgr (deferred)
fffff801`15eec000 fffff801`15f17000 Wof (deferred)
fffff801`15f17000 fffff801`15f59000 WdFilter (deferred)
fffff801`15f59000 fffff801`15f89000 ksecpkg (deferred)
fffff801`15f89000 fffff801`15fcf000 rdyboost (deferred)
fffff801`1601d000 fffff801`162ee000 <span style="background-color: yellow;">iaStorA (deferred) </span>
fffff801`162ee000 fffff801`1634d000 storport (deferred)
fffff801`1634d000 fffff801`16367000 EhStorClass (deferred)
fffff801`16367000 fffff801`163c3000 fltmgr (deferred)
fffff801`163c3000 fffff801`163d9000 fileinfo (deferred)
fffff801`163d9000 fffff801`163f5000 disk (deferred)
fffff801`16400000 fffff801`16415000 crashdmp (deferred)
fffff801`16418000 fffff801`1660e000 Ntfs (deferred)
fffff801`1660e000 fffff801`1662a000 ksecdd (deferred)
fffff801`1662a000 fffff801`1663a000 pcw (deferred)
fffff801`1663a000 fffff801`16645000 Fs_Rec (deferred)
fffff801`16645000 fffff801`1675d000 ndis (deferred)
fffff801`1675d000 fffff801`167d5000 NETIO (deferred)
fffff801`167d5000 fffff801`167e4000 intelpep (deferred)
fffff801`16800000 fffff801`16895000 fvevol (deferred)
fffff801`16895000 fffff801`168e4000 volsnap (deferred)
fffff801`168e5000 fffff801`16b56000 tcpip (deferred)
fffff801`16b56000 fffff801`16bc2000 fwpkclnt (deferred)
fffff801`16bc2000 fffff801`16be7000 wfplwfs (deferred)
fffff801`16be7000 fffff801`16bfe000 mup (deferred)
fffff801`16e00000 fffff801`16e61000 dxgmms1 (pdb symbols) c:\symbols\dxgmms1.pdb\55D4ABFFE5B6411898E90F5E6E72B1071\dxgmms1.pdb
fffff801`16e61000 fffff801`17132000 dump_iaStorA (deferred)
fffff801`17132000 fffff801`17175000 srvnet (deferred)
fffff801`1717f000 fffff801`171ad000 cdrom (deferred)
fffff801`171ad000 fffff801`171b6000 Null (deferred)
fffff801`171b6000 fffff801`171be000 Beep (deferred)
fffff801`171be000 fffff801`171cc000 BasicRender (deferred)
fffff801`17200000 fffff801`17220000 tdx (deferred)
fffff801`1722c000 fffff801`173ad000 dxgkrnl (pdb symbols) c:\symbols\dxgkrnl.pdb\9D44B2A5938E41528DA86348D6D1F5C21\dxgkrnl.pdb
fffff801`173ad000 fffff801`173bf000 watchdog (deferred)
fffff801`173bf000 fffff801`173d1000 BasicDisplay (deferred)
fffff801`173d1000 fffff801`173e5000 Npfs (deferred)
fffff801`173e5000 fffff801`173f1000 Msfs (deferred)
fffff801`173f1000 fffff801`173ff000 TDI (deferred)
fffff801`17411000 fffff801`1745d000 netbt (deferred)
fffff801`1745d000 fffff801`174ef000 afd (deferred)
fffff801`174ef000 fffff801`17519000 pacer (deferred)
fffff801`17519000 fffff801`1752a000 netbios (deferred)
fffff801`1752a000 fffff801`1759a000 rdbss (deferred)
fffff801`1759a000 fffff801`175b6000 drmk (deferred)
fffff801`175b6000 fffff801`175dd000 <span style="background-color: yellow;">AMDACPKSL (deferred) </span>
fffff801`17600000 fffff801`1766a000 usbhub (deferred)
fffff801`17679000 fffff801`17707000 csc (deferred)
fffff801`17707000 fffff801`17715000 nsiproxy (deferred)
fffff801`17715000 fffff801`17721000 npsvctrig (deferred)
fffff801`17721000 fffff801`1772d000 mssmbios (deferred)
fffff801`1772d000 fffff801`17753000 dfsc (deferred)
fffff801`17763000 fffff801`1777a000 ahcache (deferred)
fffff801`1777a000 fffff801`17789000 CompositeBus (deferred)
fffff801`17789000 fffff801`17794000 kdnic (deferred)
fffff801`17794000 fffff801`177a5000 umbus (deferred)
fffff801`177a5000 fffff801`177ec000 portcls (deferred)
fffff801`17800000 fffff801`1784e000 ks (deferred)
fffff801`1784e000 fffff801`17859000 rdpbus (deferred)
fffff801`17859000 fffff801`17865000 USBD (deferred)
fffff801`17874000 fffff801`1790a000 <span style="background-color: yellow;">atikmpag (no symbols) </span>
fffff801`1790a000 fffff801`17979000 USBPORT (deferred)
fffff801`17979000 fffff801`17997000 intelppm (deferred)
fffff801`17997000 fffff801`179a8000 <span style="background-color: yellow;">ISCTD64 (deferred)</span>
fffff801`179a8000 fffff801`179b3000 NdisVirtualBus (deferred)
fffff801`179b3000 fffff801`179ee000 AtihdWB6 (deferred)
fffff801`17a00000 fffff801`17a18000 usbehci (deferred)
fffff801`17a18000 fffff801`17a32000 serial (deferred)
fffff801`17a32000 fffff801`17a3c000 wmiacpi (deferred)
fffff801`17a3c000 fffff801`18cc0000 atikmdag (no symbols)
fffff801`18cc0000 fffff801`18cc1600 swenum (deferred)
fffff801`18cc2000 fffff801`18cc7300 ksthunk (deferred)
fffff801`18cca000 fffff801`18ce3000 HDAudBus (deferred)
fffff801`18ce3000 fffff801`18d38000 USBXHCI (deferred)
fffff801`18d38000 fffff801`18d6a000 ucx01000 (deferred)
fffff801`18d6a000 fffff801`18d7d000 <span style="background-color: yellow;">HECIx64 (deferred)</span>
fffff801`18d7d000 fffff801`18df1000 <span style="background-color: yellow;">e1d64x64 (deferred)</span>
fffff801`18df1000 fffff801`18dfe000 serenum (deferred)
fffff801`18e00000 fffff801`18ea9000 peauth (deferred)
fffff801`18eb7000 fffff801`18f2f000 UsbHub3 (deferred)
fffff801`18f2f000 fffff801`18f3d000 monitor (deferred)
fffff801`18f3d000 fffff801`18f61000 luafv (deferred)
fffff801`18f61000 fffff801`18f75000 lltdio (deferred)
fffff801`18f75000 fffff801`18f8d000 rspndr (deferred)
fffff801`18f8d000 fffff801`18fd8000 mrxsmb10 (deferred)
fffff801`18fd8000 fffff801`18ff5000 Ndu (deferred)
fffff801`19000000 fffff801`1900c000 dump_diskdump (deferred)
fffff801`1900c000 fffff801`19022000 dump_dumpfve (deferred)
fffff801`1902b000 fffff801`19362400 <span style="background-color: yellow;">RTKVHD64 (deferred)</span>
fffff801`19363000 fffff801`1938a000 usbccgp (deferred)
fffff801`1938a000 fffff801`19398000 hidusb (deferred)
fffff801`19398000 fffff801`193b7000 HIDCLASS (deferred)
fffff801`193b7000 fffff801`193bef00 HIDPARSE (deferred)
fffff801`193bf000 fffff801`193cd000 kbdhid (deferred)
fffff801`193cd000 fffff801`193dd000 kbdclass (deferred)
fffff801`193dd000 fffff801`193ea000 mouhid (deferred)
fffff801`193ea000 fffff801`193fa000 mouclass (deferred)
fffff801`19600000 fffff801`19639000 mrxsmb20 (deferred)
fffff801`19639000 fffff801`19644000 secdrv (deferred)
fffff801`1964e000 fffff801`19748000 HTTP (deferred)
fffff801`19748000 fffff801`19768000 bowser (deferred)
fffff801`19768000 fffff801`1977f000 mpsdrv (deferred)
fffff801`1977f000 fffff801`197eb000 mrxsmb (deferred)
fffff801`197eb000 fffff801`197fd000 tcpipreg (deferred)
fffff801`19a12000 fffff801`19abe000 srv2 (deferred)
fffff801`19abe000 fffff801`19b4c000 srv (deferred)
fffff801`19b4c000 fffff801`19b79000 tunnel (deferred)
fffff801`19b79000 fffff801`19b8f000 mslldp (deferred)
fffff801`19b8f000 fffff801`19bae000 WdNisDrv (deferred)
fffff801`19bae000 fffff801`19bbe000 condrv (deferred)
fffff803`ab4f4000 fffff803`ab4fd000 kd (deferred)
fffff803`ac205000 fffff803`ac275000 hal (deferred)
fffff803`ac275000 fffff803`aca0b000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\E018720B8C414EF799EACB23114763921\ntkrnlmp.pdb
fffff960`00018000 fffff960`00430000 win32k (pdb symbols) c:\symbols\win32k.pdb\F8BA0C5F0A844DC199DAC8CAB88C653B2\win32k.pdb
fffff960`00746000 fffff960`0074f000 TSDDD (deferred)
fffff960`0091c000 fffff960`00957000 cdd (deferred)
</code></pre>
<br />
Give or take, I count <b>~7</b> 3rd party drivers, none of which show any apparent or obvious evidence of being faulty, and all of which are essentially necessary for the hardware to properly communicate with the OS (minus Intel Rapid Storage, which, unless the user was running a RAID config, could easily be uninstalled and replaced with the default MSFT AHCI driver). Instead, to me this right away looked like a RAM issue as opposed to a driver issue.<br />
<br />
I had the user run Memtest right away as opposed to verifier, given the signs in the dumps and the mention of random reboots, and within a few minutes there were over 700 errors. Now the user is hopefully getting their money back, free shipping to and from, and new RAM.<br />
<br />
<b>Pirating Antiviruses</b> (published 2015-02-06T03:56:00.000-05:00, updated 2015-02-16T09:39:26.746-05:00)<br />
<br />
I receive crash dumps containing pirated antiviruses all the time, however I felt the need to blog about it for once because it's actually <i>so often </i>and just comical to me at this point. I also haven't blogged in a little while. I'm not really here to discuss the pros & cons of antivirus software, it's obvious. What I will say however is that it's also obvious that for any software you install, regardless of its intended job, you're increasing your attack surface. Given the fact that most antiviruses are granted complete come/go access to the kernel, have the highest privileges, have various kernel-mode drivers, etc., your surface is increased just that much more.<br />
<br />
Let's take a look at this crash dump (unfortunately only a Small Memory dump...):<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .bugcheck
Bugcheck code 00000024
Arguments 00000000`001904fb fffff880`085866a8 fffff880`08585f00 fffff880`016b1d82
</code></pre>
<br />
Right, so we have our bug check - <b>NTFS_FILE_SYSTEM (0x24)</b>. Big hint: if you see this bug check in a crash dump from a user, chances are it's 50/60% (or more) the fault of either the one security application they have installed (whatever the actual problem with the application is), or user error as far as installing <i>more than one </i>security application goes. It's generally a bad idea to pigeonhole a bug check with a single problem (because it's ridiculous to do so), but I'd personally say over the years 0x24 has been much more of a security software issue than anything else.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .exr fffff880`085866a8
ExceptionAddress: fffff880016b1d82 (Ntfs!NtfsRemoveHashEntry+0x00000000000000c2)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff
</code></pre>
<br />
By taking a look at the exception record structure, we can see the direct reason for the exception being thrown that caused the actual crash was an access violation occurring in <b>Ntfs!NtfsRemoveHashEntry</b>. Now that we know why, let's take a look at the context record using the address from our 3rd parameter in the <b>.bugcheck </b>output.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .cxr fffff880`08585f00
rax=0000000000000000 rbx=fffff8a00224e050 rcx=0001000000000000
rdx=0000000000000000 rsi=000000001fdefdd9 rdi=fffffa80049be358
rip=fffff880016b1d82 rsp=fffff880085868e0 rbp=00000000000001d9
r8=00000000000003b2 r9=0000000000000000 r10=00000000000003b2
r11=fffff88008586910 r12=0000000000000001 r13=0000000000000000
r14=0000000000000001 r15=fffff8a003533ed0
iopl=0 nv up ei pl nz na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010206
Ntfs!NtfsRemoveHashEntry+0xc2:
fffff880`016b1d82 397110 cmp dword ptr [rcx+10h],esi ds:002b:00010000`00000010=????????
</code></pre>
<br />
On the instruction in <b>Ntfs!NtfsRemoveHashEntry</b>, we can see it was comparing the esi register to the memory at address rcx+10h. rcx looks pretty bogus, and just to confirm:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> !pte 0001000000000000 <b>// Or !pte rcx</b>
VA 0001000000000000
PXE at FFFFF6FB7DBED000 PPE at FFFFF6FB7DA00000 PDE at FFFFF6FB40000000 PTE at FFFFF68000000000
Unable to get PXE FFFFF6FB7DBED000
<span style="background-color: yellow;">WARNING: noncanonical VA, accesses will fault !</span>
</code></pre>
<br />
So here's the reason the exception was thrown: rcx held a noncanonical address.<br />
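As an added example (not from the original post), the following script reproduces by hand the two things <b>!pte</b> told us about rcx, for any register value pulled out of a context record: the canonical-form check and the self-map slot addresses. It assumes an x86-64 target with 48-bit canonical addresses and the fixed Windows 7 x64 self-map base 0xFFFFF68000000000; the register dump embedded in it is copied from the <b>.cxr</b> output above.<br />

```python
"""Added example (not from the original post): redo the !pte checks from above
for any register value taken out of a context record.

Assumptions: an x86-64 target with 48-bit canonical addresses and the fixed
Windows 7 x64 self-map base PTE_BASE = 0xFFFFF68000000000 (newer Windows builds
randomize this base, so the table addresses only hold for Win7-era dumps).
"""
import re

PTE_BASE = 0xFFFFF68000000000   # Windows 7 x64 self-map base (fixed on that release)
INDEX_MASK = 0x7FFFFFFFF8       # VA bits 47:12, shifted down by 9 and 8-byte aligned


def is_canonical(va: int) -> bool:
    """A 48-bit canonical address has bits 63:47 all equal (all 0 or all 1)."""
    return (va >> 47) in (0, 0x1FFFF)


def pte_address(va: int) -> int:
    """Virtual address of the PTE that maps `va`, via the recursive self-map.

    The mask discards bits 48 and up, which is why a noncanonical VA yields the
    same table slots as the canonical VA with those bits cleared. The CPU never
    walks the tables for such an address: it raises a general-protection fault,
    which Windows surfaces as the access violation we saw in the exception record.
    """
    return PTE_BASE + ((va >> 9) & INDEX_MASK)


def self_map_addresses(va: int) -> dict:
    """PXE/PPE/PDE/PTE virtual addresses, in the order !pte prints them.

    Each higher level is "the PTE of the PTE": the PDE that maps `va` lives at
    the address that maps pte_address(va), and so on up to the PXE.
    """
    pte = pte_address(va)
    pde = pte_address(pte)
    ppe = pte_address(pde)
    pxe = pte_address(ppe)
    return {"PXE": pxe, "PPE": ppe, "PDE": pde, "PTE": pte}


# Register dump copied from the .cxr output above (64-bit GPRs plus rip/rsp).
CXR_OUTPUT = """\
rax=0000000000000000 rbx=fffff8a00224e050 rcx=0001000000000000
rdx=0000000000000000 rsi=000000001fdefdd9 rdi=fffffa80049be358
rip=fffff880016b1d82 rsp=fffff880085868e0 rbp=00000000000001d9
 r8=00000000000003b2  r9=0000000000000000 r10=00000000000003b2
r11=fffff88008586910 r12=0000000000000001 r13=0000000000000000
r14=0000000000000001 r15=fffff8a003533ed0
"""

REG_RE = re.compile(r"\b(r\w{1,2})=([0-9a-fA-F]{16})\b")


def noncanonical_registers(cxr_text: str) -> list:
    """Names of registers in a .cxr/r dump whose value can never be a valid VA."""
    return [name for name, hexval in REG_RE.findall(cxr_text)
            if not is_canonical(int(hexval, 16))]


def describe(va: int) -> str:
    """Render the same summary !pte gives: table slots plus the canonical warning."""
    slots = self_map_addresses(va)
    lines = [f"VA {va:016X}",
             "  ".join(f"{level} at {addr:X}" for level, addr in slots.items())]
    if not is_canonical(va):
        lines.append("WARNING: noncanonical VA, accesses will fault !")
    return "\n".join(lines)


if __name__ == "__main__":
    print("noncanonical registers:", noncanonical_registers(CXR_OUTPUT))
    print(describe(0x0001000000000000))
```

Running it flags only rcx and prints the same PXE/PPE/PDE/PTE addresses WinDbg showed, which are exactly the slots VA 0 would use.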
<br />
Now that we've also instructed the debugger to use the context record as the register context, we can run <b>k</b> (or kb, knL, whatever) to get a more detailed stack in our case - even with a Small Memory dump:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> k
*** Stack trace for last set context - .thread/.cxr resets it
Child-SP RetAddr Call Site
fffff880`085868e0 fffff880`016b224f Ntfs!NtfsRemoveHashEntry+0xc2
fffff880`08586970 fffff880`016b0a24 Ntfs!NtfsDeleteNormalizedName+0x7f
fffff880`085869a0 fffff880`016b4cdb Ntfs!NtfsDeleteScb+0x1f4
fffff880`085869e0 fffff880`0162e343 Ntfs!NtfsRemoveScb+0x5b
fffff880`08586a20 fffff880`016b2a3c Ntfs!NtfsPrepareFcbForRemoval+0x53
fffff880`08586a50 fffff880`01635a52 Ntfs!NtfsTeardownStructures+0xdc
fffff880`08586ad0 fffff880`016c22d3 Ntfs!NtfsDecrementCloseCounts+0xa2
fffff880`08586b10 fffff880`01714d32 Ntfs!NtfsCommonClose+0x353
fffff880`08586be0 fffff800`02ae1561 Ntfs!NtfsFspCloseInternal+0x186
fffff880`08586cb0 fffff800`02d740ca nt!ExpWorkerThread+0x111
fffff880`08586d40 fffff800`02ac8be6 nt!PspSystemThreadStartup+0x5a
fffff880`08586d80 00000000`00000000 nt!KxStartSystemThread+0x16
</code></pre>
<br />
Not going to put comments, but rather just talk about it. We were starting a system thread which turned out to be a worker thread (as we can see from the <b>ExpWorkerThread</b> function), and from there go through various NT file system calls. The fact that it's a worker thread dealing with NTFS tells us we're <i>likely </i>dealing with a driver that requires delayed processing, etc. As we go through the NTFS calls, we can see we're preparing the File Control Block (FCB) and Stream Control Block (SCB) for removal and deletion. If anything, this tells us it's a driver working actively with/for the file system.<br />
<br />
Looking at the loaded modules list for any drivers actively working with the file system, what do we find? Hint: a lot of Symantec/Norton kernel-mode drivers.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm SRTSP64
start end module name
fffff880`082d4000 fffff880`08394000 SRTSP64 (deferred)
Image path: SRTSP64.SYS
Image name: SRTSP64.SYS
Timestamp: <span style="background-color: yellow;">Tue Mar 29 22:46:12 2011</span>
</code></pre>
<br />
Here is Symantec's x64 Real Time Storage Protection (SRTSP) driver. This driver is used by Symantec's Auto-Protect feature, which scans files under various conditions. You can expect to find this kernel-mode driver on any system with NIS installed, so what's the big deal? The timestamp/date on the driver itself is March 29th 2011. The time of the bug check is:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Debug session time: Tue Feb 3 23:57:58.466 2015 (UTC - 5:00)
</code></pre>
<br />
Okay, so we have a kernel-mode driver from/for Norton that, as of this blog post, is approximately 3.8 years old. That's.... <b><i>bad</i></b>. To give the user the absolute ultimate benefit of the doubt, I for a split second thought that perhaps Symantec really does ship a kernel-mode driver for RTP that's 3.8 years old. Surely there may be hundreds of vulnerabilities, but it's possible... right? Wrong.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
</code></pre>
<br />
It's a Windows 7 x64 system, so let's quickly create a test environment and install the latest trial version of NIS.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZMMEOiwIPxffmp76VvmAnXX-HEe51yETSDYvL6ANT9fs48Qh2NRt-cYje0lc5qqyUqG35JUxG4I7JeYM7zmFyg16e32TKnSJYJnoeyuDZwGSByOrk6qXUo2dQKRS-yj4lZ5bJ0DISvlZ1/s1600/SRTSP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZMMEOiwIPxffmp76VvmAnXX-HEe51yETSDYvL6ANT9fs48Qh2NRt-cYje0lc5qqyUqG35JUxG4I7JeYM7zmFyg16e32TKnSJYJnoeyuDZwGSByOrk6qXUo2dQKRS-yj4lZ5bJ0DISvlZ1/s1600/SRTSP.png" height="320" width="313" /></a></div>
<br />
Ah, that's much better.<br />
<br />
Unfortunately, that wasn't the only out-of-date Symantec kernel-mode driver loaded on this particular system. Let's keep comparing:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm SYMDS64
start end module name
fffff880`01279000 fffff880`012ea000 SYMDS64 (deferred)
Image path: SYMDS64.SYS
Image name: SYMDS64.SYS
Timestamp: Tue Dec 07 19:16:58 2010
</code></pre>
<br />
Symantec's x64 Data Store (SymDS) driver.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMIhjCOlhfQAA2nlR_CYMWzUzRYxMzS7BDazRZPC0nN3OJ0Hhstjv_H2KOmeol9wCu4KGTagfoyiZ3s9auaqK8Im54yEV3KvwejFR44WX2ZTb13hirrB80tBzhO6Kt4-0XbfAOef6KX7m4/s1600/SymDS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMIhjCOlhfQAA2nlR_CYMWzUzRYxMzS7BDazRZPC0nN3OJ0Hhstjv_H2KOmeol9wCu4KGTagfoyiZ3s9auaqK8Im54yEV3KvwejFR44WX2ZTb13hirrB80tBzhO6Kt4-0XbfAOef6KX7m4/s1600/SymDS.png" height="320" width="314" /></a></div>
<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm SYMEFA64
start end module name
fffff880`014f4000 fffff880`015d8000 SYMEFA64 (deferred)
Image path: SYMEFA64.SYS
Image name: SYMEFA64.SYS
Timestamp: Sun Mar 13 23:20:58 2011
</code></pre>
<br />
Symantec's x64 Extended File Attributes driver.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigP-qw20hzfBOObuMssqCSxwIOfI5y1x-2_exfXJqr5M9MNr4Ew63ypfd2_k7_q-29J1Xm1vQRove2nJjcgE2JUbSdeOoQnMClKJb46Iak_Sq4wSiB5J_zGwF-DBgM4JkodSL0I9lRePxy/s1600/SymEFA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigP-qw20hzfBOObuMssqCSxwIOfI5y1x-2_exfXJqr5M9MNr4Ew63ypfd2_k7_q-29J1Xm1vQRove2nJjcgE2JUbSdeOoQnMClKJb46Iak_Sq4wSiB5J_zGwF-DBgM4JkodSL0I9lRePxy/s1600/SymEFA.png" height="320" width="313" /></a></div>
<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm SYMEVENT64x86
start end module name
fffff880`01dbf000 fffff880`01df5000 SYMEVENT64x86 (deferred)
Image path: SYMEVENT64x86.SYS
Image name: SYMEVENT64x86.SYS
Timestamp: Thu Mar 24 19:02:36 2011
</code></pre>
<br />
Symantec's x64 SymEvent driver.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK041sSgnCZ2j8aVJ_eJD6nQJfhZcav25ye_JUCO3Tv8pJ-vAq_GrD0lvi9P0-b3CEUSludavy01-oqJZMzDlBDfpnvNoR2JBAo4kMqXdar8C5_ecMxAlZVVEMre-hpc90Q5It1PePe9uD/s1600/SymEvent.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK041sSgnCZ2j8aVJ_eJD6nQJfhZcav25ye_JUCO3Tv8pJ-vAq_GrD0lvi9P0-b3CEUSludavy01-oqJZMzDlBDfpnvNoR2JBAo4kMqXdar8C5_ecMxAlZVVEMre-hpc90Q5It1PePe9uD/s1600/SymEvent.png" height="320" width="313" /></a></div>
<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm SRTSPX64
start end module name
fffff880`01c2d000 fffff880`01c43000 SRTSPX64 (deferred)
Image path: SRTSPX64.SYS
Image name: SRTSPX64.SYS
Timestamp: Tue Mar 29 22:46:18 2011
</code></pre>
<br />
Symantec's x64 Real Time Storage Protection (SRTSP - PEL) driver.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLesDEqiNiJpzgeJAQAgE2Z3pjHtx3QOBKWyeL6T-x1uftHb7efbMb9xOsg1GATW0JIRHWUWbxKve5ZnGtmpGMXT72V3nM92BErQVajjxdJiKF7oo1t6OH5Ep0XOyjuVFzsYkQE0qg-pRF/s1600/SRTSPPEL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLesDEqiNiJpzgeJAQAgE2Z3pjHtx3QOBKWyeL6T-x1uftHb7efbMb9xOsg1GATW0JIRHWUWbxKve5ZnGtmpGMXT72V3nM92BErQVajjxdJiKF7oo1t6OH5Ep0XOyjuVFzsYkQE0qg-pRF/s1600/SRTSPPEL.png" height="320" width="313" /></a></div>
<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm SYMNETS
start end module name
fffff880`01d58000 fffff880`01dbf000 SYMNETS (deferred)
Image path: SYMNETS.SYS
Image name: SYMNETS.SYS
Timestamp: Tue Apr 19 18:33:31 2011
</code></pre>
<br />
Symantec's Network Security WFP driver.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT14wUxluF__027-2gSPAwqtgSzMC2mFxccr-unFkdc3arTvC-3ycgegUXbRtdNqQjHhOs8Rm2lKvmM6gVsvBOIZf8wcP5NuYN9dyp7_hKNIW07d4eEZqKbGVPPO2Ixd37_XWvM7iwNi_O/s1600/SYMNETS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT14wUxluF__027-2gSPAwqtgSzMC2mFxccr-unFkdc3arTvC-3ycgegUXbRtdNqQjHhOs8Rm2lKvmM6gVsvBOIZf8wcP5NuYN9dyp7_hKNIW07d4eEZqKbGVPPO2Ixd37_XWvM7iwNi_O/s1600/SYMNETS.png" height="320" width="313" /></a></div>
<br />
Overall, we can see that none of these Symantec/Norton kernel-mode drivers are their latest versions. Given that the user's system bug checked in Feb 2015 and many of its kernel-mode drivers are 3.8 years old or older, we know it's pirated. Remove pirated Norton, crashes stop. Surprise surprise.<br />
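As an added example (not from the original post), here is the comparison done above by hand, scripted: it pulls the link timestamp out of each <b>lmvm</b> listing, ages it against the dump's "Debug session time", and lists the stale modules oldest first. The listings and session line are copied from this post; the 730-day cutoff is an arbitrary triage threshold of mine, not anything WinDbg or Symantec defines.<br />

```python
"""Added example (not from the original post): age every module in a set of
WinDbg "lmvm" listings against the dump's "Debug session time" and flag the
stale ones. Sample listings are copied from the post; max_days is my own cutoff.
"""
import re
from datetime import datetime

# lmvm output copied from the post (six Symantec/Norton drivers).
LMVM_OUTPUT = """\
2: kd> lmvm SRTSP64
start end module name
fffff880`082d4000 fffff880`08394000 SRTSP64 (deferred)
Image path: SRTSP64.SYS
Timestamp: Tue Mar 29 22:46:12 2011
2: kd> lmvm SYMDS64
fffff880`01279000 fffff880`012ea000 SYMDS64 (deferred)
Timestamp: Tue Dec 07 19:16:58 2010
2: kd> lmvm SYMEFA64
fffff880`014f4000 fffff880`015d8000 SYMEFA64 (deferred)
Timestamp: Sun Mar 13 23:20:58 2011
2: kd> lmvm SYMEVENT64x86
fffff880`01dbf000 fffff880`01df5000 SYMEVENT64x86 (deferred)
Timestamp: Thu Mar 24 19:02:36 2011
2: kd> lmvm SRTSPX64
fffff880`01c2d000 fffff880`01c43000 SRTSPX64 (deferred)
Timestamp: Tue Mar 29 22:46:18 2011
2: kd> lmvm SYMNETS
fffff880`01d58000 fffff880`01dbf000 SYMNETS (deferred)
Timestamp: Tue Apr 19 18:33:31 2011
"""

SESSION_LINE = "Debug session time: Tue Feb 3 23:57:58.466 2015 (UTC - 5:00)"

LMVM_CMD_RE = re.compile(r"kd>\s+lmvm\s+(\S+)")
# Real WinDbg also appends the raw hex time_t in parentheses; it is ignored here.
TIMESTAMP_RE = re.compile(r"Timestamp:\s+(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})")
SESSION_RE = re.compile(r"Debug session time:\s+(.+?)\s+\(UTC")


def parse_session_time(line: str) -> datetime:
    """Time the dump was taken, as printed by WinDbg (local time of the target)."""
    m = SESSION_RE.search(line)
    if not m:
        raise ValueError("no Debug session time in: " + line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S.%f %Y")


def parse_lmvm(text: str) -> dict:
    """Map module name -> link timestamp for every lmvm listing in `text`."""
    modules, current = {}, None
    for line in text.splitlines():
        cmd = LMVM_CMD_RE.search(line)
        if cmd:
            current = cmd.group(1)      # remember which module the next Timestamp belongs to
            continue
        ts = TIMESTAMP_RE.search(line)
        if ts and current:
            modules[current] = datetime.strptime(ts.group(1), "%a %b %d %H:%M:%S %Y")
            current = None
    return modules


def module_ages(modules: dict, session_time: datetime) -> list:
    """[(name, age_in_days)] oldest first, measured at the time the dump was taken."""
    ages = [(name, (session_time - ts).days) for name, ts in modules.items()]
    return sorted(ages, key=lambda pair: pair[1], reverse=True)


def stale_modules(modules: dict, session_time: datetime, max_days: int = 730) -> list:
    """Names of modules older than `max_days` at dump time (cutoff is arbitrary)."""
    return [name for name, days in module_ages(modules, session_time) if days > max_days]


def age_report() -> list:
    """Run the whole thing over the embedded sample."""
    return module_ages(parse_lmvm(LMVM_OUTPUT), parse_session_time(SESSION_LINE))


if __name__ == "__main__":
    for name, days in age_report():
        print(f"{name:14s} {days:5d} days  (~{days / 365.25:.1f} years)")
```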
<b><br /></b>
<b>Moral of the story:</b> If you really are going to pirate an antivirus, be sure it's actually as up to date as it would be if you paid for it. If you're running an antivirus with kernel-mode drivers 3.8+ years old, the number of vulnerabilities you're exposed to that were patched <i>years </i>ago is pretty high. You're also opening yourself up to infection by <i>old</i> malware that was neutralized (unless further developed) if it relied on certain EoP (or other) exploits to get around active protection. Also, as you can see here, chances are you'll bug check, since you're also subject to ~3.8+ year old driver bugs that have since been patched.<br />
<br />
You could alternatively just <i>buy </i>the antivirus. Crazy, I know.<br />
<br />
<b>SteamStealer - A look into the source code</b> (2014-12-31)<br />
<br />
I've been wanting to take a little bit of a look at the recent SteamStealer malware going around throughout November and December. There are a few different types, mainly .src executables that, once executed, connect to a designated domain and drop more stuff. The other, more recent type uses a custom crypter with a library containing a RunPE function to eventually load SteamStealer into the process. In any case, I won't be doing any "on the surface" analysis/removal tips, as that's been nicely done by blogs such as <a href="http://bartblaze.blogspot.com/2014/11/malware-spreading-via-steam-chat.html" target="_blank">this</a>. I'll instead be taking a look at the source code for a few of these .src files, and talking a bit about them as well.<br />
<br />
So first off, the big thing regarding a lot of these recent .src files is that they are obfuscated with Confuser, or its successor, ConfuserEx. Confuser is a pretty popular free obfuscator, mainly because it isn't completely easy to reverse. It's still reversible, just not as easily as many other free obfuscators out there. You can do it with WinDbg, which is absolutely gruesome and not really recommended for .NET deobfuscation, as anything past methods is difficult and time consuming. Alternatively, you can use the wonderful internet world we have to get any number of tools: method decryptors, delegate killers, dumpers, and string decryptors.<br />
<br />
Let's first take a look at what the thumbnails for the samples look like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqPqPLFVhAyeXIw1p6jlYpIKddUEhCFdjsJZePajg3V173kVTZ6jozgD0XO81jQdvVJOKP_UXc0YQYjSF9xfP5MPKnwg4SDMDuZEi1_P9o1nx3JuqqFh8fvCAClQmh0zbRae2xGxiDienk/s1600/three+images.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqPqPLFVhAyeXIw1p6jlYpIKddUEhCFdjsJZePajg3V173kVTZ6jozgD0XO81jQdvVJOKP_UXc0YQYjSF9xfP5MPKnwg4SDMDuZEi1_P9o1nx3JuqqFh8fvCAClQmh0zbRae2xGxiDienk/s1600/three+images.png" height="240" width="320" /></a></div>
<br />
As we can see, the thumbnails appear as a Steam inventory with various items.<br />
<br />
Back to obfuscation, if we try to take one of our .src samples obfuscated with Confuser into IDA, here's what we get:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUeVMsKzHOyLgHJvyqkGD_VSciChCIVJ2WfGWxSp6Yvp5h_oEePEJOmJeHWzOmwxlcvgEyHOpQ_qG9sS-bljVLrjO4kgxBMLX-FNrLs0OsQfY99x6S3UXIqKa9MafbSpViIGGEnKH2zQj5/s1600/Illegal+method+header+bits+00.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUeVMsKzHOyLgHJvyqkGD_VSciChCIVJ2WfGWxSp6Yvp5h_oEePEJOmJeHWzOmwxlcvgEyHOpQ_qG9sS-bljVLrjO4kgxBMLX-FNrLs0OsQfY99x6S3UXIqKa9MafbSpViIGGEnKH2zQj5/s1600/Illegal+method+header+bits+00.png" height="105" width="320" /></a></div>
<br />
After deobfuscation, however, we can successfully take a somewhat broken look at the source code. Near the top of the code you can generally find the following (and hilarious) format:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> newobj instance void SteamWorker::.ctor()
stloc.0
ldloc.0
ldstr "7656119816xxxxxxx" <span style="color: purple;">// Steam ID </span>
ldstr "203496355"
ldstr "N71Ll_bP"
</code></pre>
<br />
All of the Steam IDs extracted from the various source code samples are 8 or 9 (mostly 9) digit IDs, implying they're new and not old accounts by any means. With that said, these accounts were of course created for the sole purpose of spamming trades with this malware, and most likely selling valuable items for real money. I wouldn't be surprised if they were purchased or stolen IDs.<br />
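As an added example (not from the original post), the script below shows how the two number formats seen in that IL relate. Steam's 64-bit ID for an individual account is a fixed base (0x0110000100000000 = 76561197960265728) plus the 32-bit account number, and account numbers grow with creation date, which is the basis for the "9 digits, therefore new" reasoning. Reading the second literal, "203496355", as the account number of the first, masked SteamID64 is my inference and is not stated in the post.<br />

```python
"""Added example (not from the original post): SteamID64 <-> account number
conversion, used to sanity-check the two literals handed to the SteamWorker
constructor. Treating "203496355" as the account number of the masked
"7656119816xxxxxxx" is my own inference, not something the post states.
"""

# 0x0110000100000000: universe 1 (public), account type individual, instance 1.
STEAMID64_BASE = 76561197960265728


def steamid64_from_account_id(account_id: int) -> int:
    """64-bit community ID of an individual account with the given 32-bit number."""
    if not 0 <= account_id < 2 ** 32:
        raise ValueError("account number must fit in 32 bits")
    return STEAMID64_BASE + account_id


def account_id_from_steamid64(steamid64: int) -> int:
    """Inverse of the above; rejects IDs whose high dword is not 'individual'."""
    if steamid64 >> 32 != STEAMID64_BASE >> 32:
        raise ValueError("not an individual-account SteamID64")
    return steamid64 & 0xFFFFFFFF


def steam3_id(account_id: int) -> str:
    """Steam3 textual form of the same account, e.g. [U:1:203496355]."""
    return f"[U:1:{account_id}]"


def matches_masked(masked: str, steamid64: int) -> bool:
    """Does a full SteamID64 agree with a redacted one such as '7656119816xxxxxxx'?"""
    digits = str(steamid64)
    return len(digits) == len(masked) and all(m in ("x", d) for m, d in zip(masked, digits))


if __name__ == "__main__":
    # Literals as they appear in the deobfuscated IL above (Steam ID masked by the post).
    masked_id, candidate_account = "7656119816xxxxxxx", 203496355
    full = steamid64_from_account_id(candidate_account)
    print(full, steam3_id(candidate_account), matches_masked(masked_id, full))
```

The computed SteamID64 for account number 203496355 begins 7656119816, the same unmasked prefix the post shows, so the two literals are consistent with one 9-digit (recent) account.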
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> callvirt instance void SteamWorker::getSessionID()
ldloc.0
ldstr <span style="color: #cc0000;">"csgolounge"</span>
ldstr "how much is this karambit knife? hxxp://screen4say.com/image.png"
callvirt instance void SteamWorker::SpamGroup(string, string)
ldloc.0
ldstr <span style="color: #0b5394;">"dota2lounge"</span>
ldstr "how much is this unusual courier? hxxp://screen4say.com/image.png"
callvirt instance void SteamWorker::AddGroupAndMess(string, string)
ldloc.0
callvirt instance void SteamWorker::getFriends()
ldloc.0
ldstr "He give me this knife hxxp://screen4say.com/image.png ty for you :)"
callvirt instance void SteamWorker::sendMessWall(string)
ldloc.0
callvirt instance void SteamWorker::DeleteAll()
</code></pre>
<br />
Above is an example of one of the many domains used by the malware (purged). You can see it would join the Steam group "csgolounge" and then message users "how much is this karambit knife?" with a link to the malware. This is how it mainly propagated: by joining various Steam trade groups and spamming anyone with a public inventory, mainly in "csgolounge" and "dota2lounge", as those were the main games targeted by the malware.<br />
<br />
Domains used from what I've seen are: prntsrc-online, screen4free, hostingscreen, screenshotyou, etc.<br />
<br />
If we do a lookup on any one of those:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 250px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Domain name: prntsrc-online.com
Domain idn name: prntsrc-online.com
Status: clientTransferProhibited
Registry Domain ID:
Registrar WHOIS Server: whois.reg.ru
Registrar URL: https://www.reg.com/
Registrar URL: https://www.reg.ru/
Registrar URL: https://www.reg.ua/
Updated Date: 2014-12-15
Creation Date: 2014-12-15T19:18:01Z
Registrar Registration Expiration Date: 2015-12-15
Registrar: Domain names registrar REG.RU LLC
Registrar IANA ID: 1606
Registrar Abuse Contact Email: Email Masking Image@reg.ru
Registrar Abuse Contact Phone: +7.4955801111
Registry Registrant ID:
Registrant Name: Ivan Ivanov
Registrant Organization: Yandex LTD
Registrant Street: ul.Koshkina 15 kv 4
Registrant City: Moscow
Registrant State/Province: MOSCOW STATE
Registrant Postal Code: 132170
Registrant Country: RU
Registrant Phone: +79871975615
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: spamspam228@mail.ru
Registry Admin ID:
Admin Name: Ivan Ivanov
Admin Organization: Yandex LTD
Admin Street: ul.Koshkina 15 kv 4
Admin City: Moscow
Admin State/Province: MOSCOW STATE
Admin Postal Code: 132170
Admin Country: RU
Admin Phone: +79871975615
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: spamspam228@mail.ru
Registry Tech ID:
Tech Name: Ivan Ivanov
Tech Organization: Yandex LTD
Tech Street: ul.Koshkina 15 kv 4
Tech City: Moscow
Tech State/Province: MOSCOW STATE
Tech Postal Code: 132170
Tech Country: RU
Tech Phone: +79871975615
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: spamspam228@mail.ru
Name Server: ns1.hostinger.ru
Name Server: ns2.hostinger.ru
Name Server: ns3.hostinger.ru
Name Server: ns4.hostinger.ru
DNSSEC: Unsigned
</code></pre>
<br />
Regarding this search, we can see it's a Russian-based domain that was created and is administered by <b>spamspam228(at)mail.ru</b>. There's no doubt spamspam228 is a legitimate email, right? My favorite part isn't the email, but that the registrant's name is Ivan Ivanov from the organization Yandex LTD. This is absolutely hilarious considering Yandex is a Russian search engine (and ISP, I believe?). I don't think Mr. Ivan Ivanov from Yandex is behind this.<br />
<br />
If we now go ahead and look up this email, we can see:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> The email spamspam228@mail.ru is related to these domains :
1. printsrceen.com
2. prntsrc-online.com
</code></pre>
<br />
There's another interesting one:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 250px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Domain Name: PICTURES-SCREEN.NET
Registry Domain ID:
Registrar WHOIS Server: whois.publicdomainregistry.com
Registrar URL: www.publicdomainregistry.com
Updated Date: 2014-12-23T16:15:07Z
Creation Date: 2014-12-23T16:15:05Z
Registrar Registration Expiration Date: 2015-12-23T16:15:05Z
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrar IANA ID: 303
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone: +1-2013775952
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: Xuila Pitrov Vasielvis
Registrant Organization: ScreenPictures
Registrant Street: Puschcicha,4,15
Registrant City: Moscow
Registrant State/Province: Moscow
Registrant Postal Code: 148821
Registrant Country: RU
Registrant Phone: +7.9652422078
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jesus7298@mail.ru
Registry Admin ID:
Admin Name: Xuila Pitrov Vasielvis
Admin Organization: ScreenPictures
Admin Street: Puschcicha,4,15
Admin City: Moscow
Admin State/Province: Moscow
Admin Postal Code: 148821
Admin Country: RU
Admin Phone: +7.9652422078
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: jesus7298@mail.ru
Registry Tech ID:
Tech Name: Xuila Pitrov Vasielvis
Tech Organization: ScreenPictures
Tech Street: Puschcicha,4,15
Tech City: Moscow
Tech State/Province: Moscow
Tech Postal Code: 148821
Tech Country: RU
Tech Phone: +7.9652422078
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: jesus7298@mail.ru
Name Server: ns1.webhost1.ru
Name Server: ns2.webhost1.ru
DNSSEC:Unsigned
</code></pre>
<br />
Administered by a Xuila Pitrov Vasielvis, from Russia once again, from the organization "ScreenPictures". It's the domain name backwards, hilarious. It's registered/administered by/to the email <b>jesus7298(at)mail.ru</b>. Once again, an interesting choice of email.<br />
<br />
If we now go ahead and look up this email, we can see:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> The email jesus7298@mail.ru is related to these domains :
1. pictures-screen.net
2. picturesscreen.net
3. screenshotcapture.net
</code></pre>
<br />
See the pattern? Lots of malicious domains hosted and administered by Russians.<br />
<br />
So right away after deobfuscation you can find the Steam ID of the account the items are ultimately being sent to for collection, and information regarding the domain housing the malware. Of course, after we find a Steam ID, we can look it up and find the profile on Steam Community. I won't be posting the Steam IDs publicly even though these accounts were used for malicious purposes, because I'm just here to analyze and that's it. You can probably dig up the profiles if you care enough to report them.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvQbywvO7_OTVuyNcmekndIDZEwVgovxGTPvW0EsNOFQzsvC-V8RUGS35pDAqcsirXmx_iRAkeW_8ZtGqyGLTqN2NKZE7jw8q-QJVBHSGHJq-oJcMeSluliXAHXOKvA9Gy1_3t2ZUJBChl/s1600/Max.Trojan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvQbywvO7_OTVuyNcmekndIDZEwVgovxGTPvW0EsNOFQzsvC-V8RUGS35pDAqcsirXmx_iRAkeW_8ZtGqyGLTqN2NKZE7jw8q-QJVBHSGHJq-oJcMeSluliXAHXOKvA9Gy1_3t2ZUJBChl/s1600/Max.Trojan.png" height="226" width="320" /></a></div>
<br />
Right, so we can see that this account is level 1 (new), the only game it has played is Dota 2, and it has joined the Dota 2 group so it can spam the malware. We can see this person was nice enough to leave their Skype, name (possibly fake in some cases), etc. I have blanked it out, as I said I would. Let's take a look at another account:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5SWuUHlnx8B3RQ6_ElbUGpYkDWADCEXQ2_MXKjqX0qsh1RcuxKQlgpzhbW3kMlKqiijfofQurC2xWVMbs_jcDMpolwwne_DZbWFeDLzwnodSwkxfoCvczV50t7S1fBF54vtciBil_wNh/s1600/FaceControll+10+years.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgS5SWuUHlnx8B3RQ6_ElbUGpYkDWADCEXQ2_MXKjqX0qsh1RcuxKQlgpzhbW3kMlKqiijfofQurC2xWVMbs_jcDMpolwwne_DZbWFeDLzwnodSwkxfoCvczV50t7S1fBF54vtciBil_wNh/s1600/FaceControll+10+years.png" height="223" width="320" /></a></div>
<br />
This account is a bit more active, with 5.9 hours of Dota 2 played in the last two weeks. It's also level 2, as opposed to the previous account, which was only level 1. This account is also in two of the usual spam groups rather than one. With all of the above said, this account was likely spamming more successfully than the first. Either that, or it was actually being used to spam the malware rather than merely prepared for it.<br />
<br />
You can see the "view more info" button, under which, hilariously, the user left most if not all of their online credentials and places to find them. One of the links was to a Russian hacking forum on which they hosted a thread offering various "services".<br />
<br />
We can see some of the items the malware looked to steal:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> ldstr "440,570,730,753"
ldstr "753:gift;570:rare,legendary,Dc,mythical,arcana,normal,unusual,ancient,tool,key;440:unusual,hat,tool,key;730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key"
callvirt instance void <span style="background-color: yellow;">SteamWorker::addItemsToSteal</span>(string, [opt] string)
</code></pre>
<br />
The first few are Dota 2 item rarity tiers, and then we branch off to keys, unusual hats, hats in general, etc., eventually ending up with Counter-Strike items. Considering that unusual hats, depending on the type, effect, etc., can go for upwards of several hundred dollars, this is a pretty annoying piece of malware for people who aren't aware of it.<br />
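As an added example (not from the original post), here is a small parser for the two strings handed to <b>addItemsToSteal</b> above, so the inventories and item classes a given sample targets can be read off at a glance. The app ID names are Steam's public app IDs (440 Team Fortress 2, 570 Dota 2, 730 Counter-Strike: Global Offensive, 753 Steam community items); how the malware treats an app listed in the first string but absent from the second is not visible here, so such apps are reported with an empty category list.<br />

```python
"""Added example (not from the original post): parse the app-ID list and the
per-app category map passed to addItemsToSteal into something readable.
The two sample strings are copied from the deobfuscated IL above.
"""

# Steam's public app IDs for the inventories named in the sample.
APP_NAMES = {
    440: "Team Fortress 2",
    570: "Dota 2",
    730: "Counter-Strike: Global Offensive",
    753: "Steam",
}

APP_LIST = "440,570,730,753"
CATEGORY_MAP = (
    "753:gift;"
    "570:rare,legendary,Dc,mythical,arcana,normal,unusual,ancient,tool,key;"
    "440:unusual,hat,tool,key;"
    "730:tool,knife,pistol,smg,shotgun,rifle,sniper rifle,machinegun,sticker,key"
)


def parse_steal_config(app_list: str, category_map: str) -> dict:
    """Return {app_id: [category, ...]} for every app named in `app_list`.

    Format: first argument is a comma-separated list of app IDs; second is
    ';'-separated "app:cat,cat,..." entries. Apps with no entry get [] because
    the post does not show how the malware handles that case.
    """
    apps = [int(a) for a in app_list.split(",") if a.strip()]
    categories = {}
    for entry in category_map.split(";"):
        if not entry.strip():
            continue
        app, _, names = entry.partition(":")
        categories[int(app)] = [n.strip() for n in names.split(",") if n.strip()]
    return {app: categories.get(app, []) for app in apps}


def item_targeted(config: dict, app_id: int, item_tags) -> bool:
    """True if any of an item's tag names falls in the sample's list for that app."""
    wanted = {c.lower() for c in config.get(app_id, [])}
    return any(tag.lower() in wanted for tag in item_tags)


def describe(config: dict) -> list:
    """One human-readable line per targeted app."""
    return [
        f"{APP_NAMES.get(app, 'unknown app')} ({app}): "
        f"{', '.join(cats) if cats else '(no categories listed)'}"
        for app, cats in config.items()
    ]


if __name__ == "__main__":
    for line in describe(parse_steal_config(APP_LIST, CATEGORY_MAP)):
        print(line)
```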
<br />
Overall, however, it's not a very impressive piece of malware by any means; it just looks like script stuff. I don't think it was meant to be, though. It has obviously satisfied its original and intended goal, which was to steal items. A lot of people have had their items stolen simply because, as I noted above, a lot of people aren't aware of it. Although I said I wouldn't go into removal, beyond understanding how it works, the simplest way to avoid this malware is to make your trades private.<br />
<br />
<b>Regin, the top-tier PASSIVE_LEVEL malware!</b> (posted 2014-12-19)<br />
<br />
Over the past few weeks it seems that left and right there's Regin this, Regin that. I am not going to do a detailed analysis and discuss its stages and so on, as there are various informative, in-depth whitepapers already.<br />
<br />
To name a few:<br />
<br />
<a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf" target="_blank">Symantec</a>, <a href="http://www.symantec.com/connect/blogs/regin-top-tier-espionage-tool-enables-stealthy-surveillance" target="_blank">Symantec</a>. <br />
<a href="http://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank">Kaspersky</a>, <a href="http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/" target="_blank">Kaspersky</a>.<br />
<a href="https://www.f-secure.com/documents/996508/1030745/w32_regin_stage_1.pdf" target="_blank">F-Secure</a>.<br />
<br />
In my opinion, Regin is your typical malware that expands outside of the reverse engineering/security community because of its original goal. Journalists or researchers with little kernel-level knowledge or background get hold of it, and before you know it, it's the next biggest, most sophisticated piece of malware and all that matters is PR. At that point, writing accurate and detailed articles doesn't matter anymore. What am I referring to, and what will I talk about with Regin instead?<br />
<br />
<a href="https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/" target="_blank">Secret Malware in European Union Attack Linked to U.S. and British Intelligence</a>.<br />
<br />
Let's quickly talk about a few things the whitepapers haven't mentioned (as far as I am aware), and about the above article. Respectfully, I have absolutely no idea who reviewed the above article before it was pushed. You have to wonder if The Intercept rushed like hell to publish this article because Symantec released their whitepaper, and didn't care about what half of it even said. Note the dates:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6PmeQv67O8EcavvEpyS5yhaLxy_yISuX6Qj-90z6ZD8bSgiASTJfj69J6KvrNCMy-n8VGnyL8Ue_GYUHMXevOrlsVXXzt1iwBgVP0yTsbOAKUt-knbS36j7_7PnKqyNq7q956eWr9SLRN/s1600/symantec+whitepaper+date.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6PmeQv67O8EcavvEpyS5yhaLxy_yISuX6Qj-90z6ZD8bSgiASTJfj69J6KvrNCMy-n8VGnyL8Ue_GYUHMXevOrlsVXXzt1iwBgVP0yTsbOAKUt-knbS36j7_7PnKqyNq7q956eWr9SLRN/s1600/symantec+whitepaper+date.png" height="137" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnFGGq2Zn3_5_PQeDXKs_SDphrSP670uIU20AVoqPeOYJVFxPXif9hLhJgAyV6xt1tljO6lRAZakVlyJasCUttveFuLFJAeM6WHApF-krdfRtsnb7Q0EEM_EUpd66IL0ed3fKcwBf-THUJ/s1600/the+intercept+article+date.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnFGGq2Zn3_5_PQeDXKs_SDphrSP670uIU20AVoqPeOYJVFxPXif9hLhJgAyV6xt1tljO6lRAZakVlyJasCUttveFuLFJAeM6WHApF-krdfRtsnb7Q0EEM_EUpd66IL0ed3fKcwBf-THUJ/s1600/the+intercept+article+date.png" height="40" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There's a lot of strange and irrelevant information in that article you can pick at, but the absolute best is:</div>
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
This Regin driver recurrently checks that the current IRQL (Interrupt Request Level) is set to PASSIVE_LEVEL using the KeGetCurrentIrql() function in many parts of the code, <i><b>probably in order to operate as silently as possible</b></i> and to prevent possible IRQL confusion. This technique is another example of the level of precaution the developers took while designing this malware framework.</blockquote>
Since its publication this has yet to be changed, so I guess they don't care about its inaccuracies after all. Anyway, if it isn't obvious, calling <b>KeGetCurrentIrql</b> over and over again throughout the code is just the PAGED_CODE macro, the routine sanity check that pageable code isn't running at an elevated IRQL. It has absolutely nothing to do with stealth, and PASSIVE_LEVEL doesn't automatically imply obfuscation or stealth. For example, here's an excerpt from <b>db405ad775ac887a337b02ea8b07fddc</b> (kernel driver - stage 1).<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> call KeGetCurrentIrql
test al, al
jnz short loc_FDEFAA3D
push dword ptr [esi] ; Handle
call ZwClose
test eax, eax
jnz short loc_FDEFAA3D
push 18h
push ebx
push esi
call sub_FDEFA2EC
add esp, 0Ch
mov bl, 1 </code></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYsMcW0yd2PoUhPBLUJAs4G5hnBweDaksbNUL7XNfrXNC6CroP2GMpROoPBH1KT1qngnytEE1gnbjp6n3QvwixnRagacQ6rPuXPUSvH-Dp_vDaJg2hR1JTTdXRnHhGA24Ehz22kcM9Tb-L/s1600/KeGetCurrentIRQL+Stuff.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYsMcW0yd2PoUhPBLUJAs4G5hnBweDaksbNUL7XNfrXNC6CroP2GMpROoPBH1KT1qngnytEE1gnbjp6n3QvwixnRagacQ6rPuXPUSvH-Dp_vDaJg2hR1JTTdXRnHhGA24Ehz22kcM9Tb-L/s1600/KeGetCurrentIRQL+Stuff.PNG" height="124" width="320" /></a></div>
<br />
Again taking a look at <b>db405ad775ac887a337b02ea8b07fddc</b>, there's another interesting tidbit throughout the code:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> push 43726150h
push 20h
push edi
call ds:ExAllocatePoolWithTag
</code></pre>
<br />
The above is the kernel-mode driver's pool tag, the number of bytes to allocate for the memory request, the pool type, and finally the call to <b>ExAllocatePoolWithTag</b> to allocate the pool memory (arguments are pushed right to left, which is why the tag is pushed first). Okay, so what's the big deal? If we convert the pool tag operand to characters, we get the following result:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> push <span style="background-color: yellow;">'CraP'</span>
push 20h
push edi
call ds:ExAllocatePoolWithTag
</code></pre>
<br />
The pool tag is <b>CraP</b> : ) This is probably how many of us feel about this malware being so hyped by the media. There are of course others throughout the code, for example:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> push 'CraP'
push eax
push 1
call ds:ExAllocatePoolWithTag
</code></pre>
<br />
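As an added example (not part of the original post or the driver), here is a small helper that does the conversion described above for every <b>ExAllocatePoolWithTag</b> call site in a listing, with one caveat a practitioner wants: IDA's 'CraP' rendering is the C multi-character constant, while the pool header stores the little-endian bytes 'ParC', which is the form <b>!poolused</b> and <b>!poolfind</b> print and accept. The listing below is a constructed sample in the shape of the excerpts above.

```python
import re
import struct

# Constructed sample in the shape of the IDA listing quoted above (the two
# ExAllocatePoolWithTag call sites); this is parser input, not the driver.
LISTING = """\
push 43726150h
push 20h
push edi
call ds:ExAllocatePoolWithTag
mov esi, eax
push 43726150h
push eax
push 1
call ds:ExAllocatePoolWithTag
"""

PROTECTED_POOL_MASK = 0x80000000   # high bit marks a protected pool allocation

PUSH_ANY = re.compile(r"^\s*push\s+\S+\s*$")
PUSH_IMM = re.compile(r"^\s*push\s+([0-9A-Fa-f]+)h\s*$")
ALLOC_CALL = re.compile(r"^\s*call\s+(?:ds:)?ExAllocatePoolWithTag\s*$")


def decode_pool_tag(imm):
    """Render a 32-bit Tag immediate both ways an analyst meets it.

    IDA's character rendering ('CraP') is the C multi-character constant
    ('C' << 24 | 'r' << 16 | 'a' << 8 | 'P').  The dword is stored
    little-endian, so the pool header holds the bytes 'P','a','r','C', and
    that reversed form is what !poolused and !poolfind print and accept.
    """
    protected = bool(imm & PROTECTED_POOL_MASK)
    value = (imm & 0xFFFFFFFF) & ~PROTECTED_POOL_MASK
    memory_bytes = struct.pack("<I", value)
    memory_order = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in memory_bytes)
    return {
        "ida": memory_order[::-1],   # what IDA shows after 'R' on the operand
        "memory": memory_order,      # what the pool header / !poolfind use
        "protected": protected,
    }


def find_pool_tags(listing):
    """Collect the Tag argument of every ExAllocatePoolWithTag call site.

    The x86 stdcall convention pushes arguments right to left, so for
    ExAllocatePoolWithTag(PoolType, NumberOfBytes, Tag) the Tag is the first
    of the three pushes that precede the call, exactly as in the excerpt.
    """
    lines = listing.splitlines()
    tags = []
    for i, line in enumerate(lines):
        if not ALLOC_CALL.match(line):
            continue
        pushes = []
        j = i - 1
        while j >= 0 and len(pushes) < 3 and PUSH_ANY.match(lines[j]):
            pushes.append(lines[j])
            j -= 1
        if len(pushes) != 3:
            continue  # not the plain three-push sequence; do not guess
        m = PUSH_IMM.match(pushes[-1])
        if m:  # a register-held tag cannot be decoded statically here
            tags.append(decode_pool_tag(int(m.group(1), 16)))
    return tags


def unique_tags(listing):
    """Memory-order tags, deduplicated, ready to hand to !poolfind."""
    return sorted({t["memory"] for t in find_pool_tags(listing)})


if __name__ == "__main__":
    for tag in find_pool_tags(LISTING):
        print(tag)
    print(unique_tags(LISTING))
```

When hunting for the allocations in a memory image, search for the memory-order form, not the IDA literal.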
Overall, I guess the moral is to take time to get as much accurate information as you can for your articles. I cannot speak for anyone but myself, but as someone with a love for reverse engineering, malware, and debugging, I appreciate in-depth whitepapers and articles that provide thorough analysis. If all you're worried about is competition for views and hyping malware, chances are you're not going to appeal to the people who really care about the written content.<br />
<br />
PS: Thanks to KernelMode as always for the hilarious discussion.<br />
<br />
<b>Stuxnet - User/Kernel-Mode analysis</b> (posted 2014-11-16)<br />
<br />
Today I'll be taking a look at Stuxnet, mostly (as usual) at the kernel level rather than its impact on user mode. I'll still go over a few user-mode things, though, as they tie in with the kernel-level discussion. I also won't go in depth on all of the ways Stuxnet uses its four-slot toolbelt of zero-day flaws, or on many of its other methods of attack (network, etc.). ESET, Symantec, and others have done a fantastic job in that regard.<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>What is Stuxnet?</b></u></span><br />
<br />
First of all, it's important (and a bit hilarious) to know the story behind Stuxnet. If you're researching Stuxnet for the first time, it's <i>really </i>easy to get confused. There's finger pointing, claims, supposed "confirmed sources", etc, left and right. I'll briefly go over it. For example:<br />
<br />
<a href="http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/" target="_blank">Confirmed: US and Israel created Stuxnet, lost control of it.</a><br />
<br />
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
The article is adapted from journalist David Sanger's forthcoming book, Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power, and it confirms that both the US and Israeli governments developed and deployed Stuxnet.</blockquote>
<a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=1&adxnnl=1&seid=auto&smid=tw-nytimespolitics&pagewanted=all&adxnnlx=1415984429-hznwzAhjvomuMn0n1yXexw" target="_blank">Obama Order Sped Up Wave of Cyberattacks Against Iran.</a><br />
<br />
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.</blockquote>
<a href="http://rt.com/news/iran-us-israel-cyberwar-virus-weapon-770/" target="_blank">US unleashed Stuxnet cyber war on Iran to appease Israel – report.</a><br />
<br />
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
The US and Israel made the Stuxnet virus as a new kind of weapon targeted against Iran, a media investigation revealed. The operation reportedly started in the Bush era, but was intensified by Obama administration.</blockquote>
<a href="http://rt.com/news/snowden-nsa-interview-surveillance-831/" target="_blank">Snowden confirms NSA created Stuxnet with Israeli aid.</a><br />
<br />
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
“The NSA and Israel wrote Stuxnet together,” Snowden told Applebaum in the interview that was carried out in May.</blockquote>
The big TLDR is here - <a href="http://en.wikipedia.org/wiki/Operation_Olympic_Games#Leak_investigation" target="_blank">Operation Olympic Games</a>. <br />
<br />
My initial reaction was "What the hell am I reading?", and it still sort of is. It goes on and on. All in all, after reading the above, you're likely inclined to believe that the US (and maybe even Israel) were behind Stuxnet. Whether or not this is true is a story for another day, although it's easier to lean towards 'yes' than towards 'no'. The reason is that Stuxnet, as I mentioned above, used <b>four </b>zero-day flaws within Windows. It's a pretty big deal when malware exploits <i>one </i>zero-day flaw within the OS, but <b>four </b>is extremely high.<br />
<br />
It's also pretty laughable to think that Stuxnet was created by amateurs, or by anyone not invested in some sort of organization concerned with cyber warfare. A lot of amateurs make malware for a lot of reasons, but causing nuclear centrifuges to commit suicide is pretty advanced. Aside from the many reasons to believe the answer is yes, some may lean towards no, largely because most cannot imagine the US and Israel working closely together to create something like Stuxnet.<br />
<br />
I digress; in any case, I'm not here to discuss politics or debate the true creator(s), so let's get to what Stuxnet was primarily created for. Stuxnet is a worm developed primarily to target industrial PLCs, which ultimately led to the nuclear centrifuges destroying themselves. The malware obviously couldn't be sent directly to the nuclear facilities themselves, so this is where its USB attack vector comes into play, more commonly known as a supply chain attack:<br />
<br />
<blockquote style="background-color: #cccccc; border: 2px solid #666; padding: 10px;">
So the creators of Stuxnet, they were thinking that these companies would do some communications with power plant workers; maybe exchange with USB devices. That’s probably how Stuxnet infected the system.</blockquote>
<div style="text-align: center;">
<i><a href="http://rt.com/news/205235-stuxnet-kaspersky-iran-companies/" target="_blank">Stuxnet patient zero: Kaspersky Lab identifies worm's first victims in Iran.</a></i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
In the end, Stuxnet ended up destroying nearly one-fifth of Iran's centrifuges. In November 2010, it was reported that uranium enrichment within the Natanz nuclear facility had halted several times due to severe technical issues.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>User-Mode</b></u></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Stuxnet has two ways of injecting itself into the address space of a process and then executing exported functions. Stuxnet's user-mode modules are implemented as DLLs, and the first method is done by injecting itself into a preexisting process.<br />
<br />
<div style="text-align: left;">
<div style="text-align: left;">
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>Preexisting Process Inject</b></u></span></span></div>
</div>
</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>1. </b>Allocates a memory buffer in the calling process for the modules to be loaded.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>2. </b>Patches ntdll and hooks the following APIs:</div>
<div style="text-align: left;">
<br /></div>
<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff566481%28v=vs.85%29.aspx" target="_blank">ZwMapViewOfSection</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff566428%28v=vs.85%29.aspx" target="_blank">ZwCreateSection</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff567011%28v=vs.85%29.aspx" target="_blank">ZwOpenFile</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff566417%28v=vs.85%29.aspx" target="_blank">ZwClose</a></li>
<li>ZwQueryAttributesFile</li>
<li>ZwQuerySection</li>
</ul>
<div style="text-align: left;">
Here's what a clean (unpatched) ntdll MZ header looks like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfJPIbUgrlYFwVDK2gDTaw5VcuYFGl7de6CAFe5ag-WWgz_uAUDflhY9DElovrEiSryE6JnRNp7Mjq1bOX_qSI3XRJAsY2gt2w1UWu0neUzUtM4aEwHiAkEpih03o8YZeXbB4T6qzz0A1o/s1600/ntdll+after+HEX+and+ASCII+8+bytes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfJPIbUgrlYFwVDK2gDTaw5VcuYFGl7de6CAFe5ag-WWgz_uAUDflhY9DElovrEiSryE6JnRNp7Mjq1bOX_qSI3XRJAsY2gt2w1UWu0neUzUtM4aEwHiAkEpih03o8YZeXbB4T6qzz0A1o/s1600/ntdll+after+HEX+and+ASCII+8+bytes.png" height="185" width="320" /></a></div>
<br />
We can see some of these hooks in action:</div>
<div style="text-align: left;">
<br /></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> ServiceDescriptor n°0
---------------------
ServiceTable : nt!KiServiceTable (804e26a8)
ParamTableBase : nt!KiArgumentTable (80510088)
NumberOfServices : 0000011c
Index Args Check System call
----- ---- ----- -----------
0019 0001 <span style="color: red;">HOOK-></span> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 <span style="color: red;">HOOK-></span> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
0032 0007 <span style="color: red;">HOOK-></span> f8c57626 ##### Original -> nt!NtCreateSection (805652b3)
0035 0008 <span style="color: red;">HOOK-></span> f8c575cc ##### Original -> nt!NtCreateThread (8058e63f)
003F 0001 <span style="color: red;">HOOK-></span> f8c575db ##### Original -> nt!NtDeleteKey (805952be)
0041 0002 <span style="color: red;">HOOK-></span> f8c575e5 ##### Original -> nt!NtDeleteValueKey (80592d50)
0044 0007 <span style="color: red;">HOOK-></span> f8c57617 ##### Original -> nt!NtDuplicateObject (805715e0)
0062 0002 <span style="color: red;">HOOK-></span> f8c575ea ##### Original -> nt!NtLoadKey (805aed5d)
007A 0004 <span style="color: red;">HOOK-></span> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
0080 0004 <span style="color: red;">HOOK-></span> f8c575bd ##### Original -> nt!NtOpenThread (8058a1bd)
00B1 0006 <span style="color: red;">HOOK-></span> f8c5763f ##### Original -> nt!NtQueryValueKey (8056a1f1)
00C1 0003 <span style="color: red;">HOOK-></span> f8c575f4 ##### Original -> nt!NtReplaceKey (8064f0fa)
00C8 0003 <span style="color: red;">HOOK-></span> f8c57630 ##### Original -> nt!NtRequestWaitReplyPort (80576ce6)
00CC 0003 <span style="color: red;">HOOK-></span> f8c575ef ##### Original -> nt!NtRestoreKey (8064ec91)
00D5 0002 <span style="color: red;">HOOK-></span> f8c5762b ##### Original -> nt!NtSetContextThread (8062dcdf)
00ED 0003 <span style="color: red;">HOOK-></span> f8c57635 ##### Original -> nt!NtSetSecurityObject (8059b19b)
00F7 0006 <span style="color: red;">HOOK-></span> f8c575e0 ##### Original -> nt!NtSetValueKey (80572889)
00FF 0006 <span style="color: red;">HOOK-></span> f8c5763a ##### Original -> nt!NtSystemDebugControl (80649ce3)
0101 0002 <span style="color: red;">HOOK-></span> f8c575c7 ##### Original -> nt!NtTerminateProcess (805822e0)
</code></pre>
<br />
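As an added example (not from the post or any of the tools it uses), here is detection logic that parses service-table dump lines in the shape shown above and attributes each hooked entry to the module that owns the hook target; any SSDT entry resolving outside the nt image is the finding. Both the dump lines and the module map are constructed samples, and the driver name "suspect.sys" is a hypothetical placeholder.

```python
import re

# Constructed sample lines in the shape of the service-table dump above (one
# clean entry plus three hooked ones); not the post's own output.
SSDT_DUMP = """\
Index Args Check System call
----- ---- ----- -----------
0018 0001        nt!NtClearEvent (805688ab)
0019 0001 <span style="color: red;">HOOK-></span> f8c5761c ##### Original -> nt!NtClose (805678dd)
0029 0007 HOOK-> f8c575d6 ##### Original -> nt!NtCreateKey (8057065d)
007A 0004 HOOK-> f8c575b8 ##### Original -> nt!NtOpenProcess (805717c7)
"""

# Constructed module map in the shape of WinDbg's `lm` output: (name, start, end).
# The nt range is a plausible XP-era kernel; "suspect.sys" is a hypothetical
# driver placed where the hook targets land.
MODULES = [
    ("nt", 0x804D7000, 0x806E4000),
    ("suspect.sys", 0xF8C56000, 0xF8C5A000),
]

HTML_TAG_RE = re.compile(r"<[^>]+>")  # strip markup if the dump was pasted from a web page
HOOK_RE = re.compile(
    r"^([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+HOOK->\s+([0-9A-Fa-f]{8})\s+#+\s+"
    r"Original\s+->\s+(\S+)\s+\(([0-9A-Fa-f]{8})\)"
)


def module_for(addr, modules):
    """Name of the loaded module containing addr, or None if unmapped."""
    for name, start, end in modules:
        if start <= addr < end:
            return name
    return None


def parse_ssdt_hooks(dump, modules):
    """Return one record per hooked service, attributing the hook to a module.

    The service table should only ever point into the kernel image, so a
    target that resolves to any other module (or to no module) is suspicious.
    """
    findings = []
    for raw in dump.splitlines():
        line = HTML_TAG_RE.sub("", raw)
        m = HOOK_RE.match(line)
        if not m:
            continue  # header, separator, or an unhooked entry
        index, nargs, hook, original, orig_addr = m.groups()
        hook_addr = int(hook, 16)
        owner = module_for(hook_addr, modules)
        findings.append({
            "index": int(index, 16),
            "args": int(nargs, 16),
            "syscall": original,
            "original": int(orig_addr, 16),
            "hook": hook_addr,
            "module": owner,
            "suspicious": owner != "nt",
        })
    return findings


def hooks_by_module(findings):
    """Group hooked syscalls by the module that owns the hook target."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["module"] or "<unmapped>", []).append(f["syscall"])
    return grouped


if __name__ == "__main__":
    found = parse_ssdt_hooks(SSDT_DUMP, MODULES)
    for f in found:
        print(f"{f['index']:#06x} {f['syscall']:<22} -> {f['hook']:#010x} ({f['module']})")
    print(hooks_by_module(found))
```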
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuwwv1tufc1jD7vS0M8dciH6SMjQZzHYvVLbJpqLTwp2UqptSIGM75IIiwvjILvny47_jyPNMTCvw0OTmKfgVFNtmt40mpB8jv42Id5HvrjMmYH4173Si5B6c27d_eewzIKaC8Sv2h_zQC/s1600/ntdll+function+hooks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuwwv1tufc1jD7vS0M8dciH6SMjQZzHYvVLbJpqLTwp2UqptSIGM75IIiwvjILvny47_jyPNMTCvw0OTmKfgVFNtmt40mpB8jv42Id5HvrjMmYH4173Si5B6c27d_eewzIKaC8Sv2h_zQC/s1600/ntdll+function+hooks.png" height="200" width="320" /></a></div>
<br />
If we for example go ahead and disassemble our hooked <b>nt!NtClose</b> function, we see the following:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> u 0xFFFFFFFFF8C5761C L1
f8c5761c e92d8b23fe <span style="background-color: yellow;">jmp</span> f6e9014e
</code></pre>
<br />
We have a hook on <b>nt!NtClose</b> and a jump. Classic rootkit behavior. Let's go further and dump the IAT by loading notepad.exe into OllyDbg and viewing the executable modules:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 300px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Address Section Type ( Name Comment
0100102C .text Import ( GDI32.AbortDoc
0100131C .text Import msvcrt._acmdln
0100132C .text Import msvcrt._adjust_fdiv
01001300 .text Import ( msvcrt._cexit
01001204 .text Import ( USER32.CharLowerW
01001244 .text Import ( USER32.CharNextW
010011C0 .text Import ( USER32.CharUpperW
01001248 .text Import ( USER32.CheckMenuItem
01001230 .text Import ( USER32.ChildWindowFromPoint
010012D0 .text Import ( comdlg32.ChooseFontW
0100124C .text Import ( USER32.CloseClipboard
010010F8 .text Import ( KERNEL32.CloseHandle
010012B8 .text Import WINSPOOL.ClosePrinter
010012E0 .text Import ( comdlg32.CommDlgExtendedError
010010EC .text Import ( KERNEL32.CompareStringW
0100133C .text Import ( msvcrt._controlfp
01001040 .text Import ( GDI32.CreateDCW
01001214 .text Import ( USER32.CreateDialogParamW
010010B4 .text Import ( KERNEL32.CreateFileMappingW
01001104 .text Import ( KERNEL32.CreateFileW
01001064 .text Import ( GDI32.CreateFontIndirectW
01001020 .text Import ( COMCTL32.CreateStatusWindowW
010011E0 .text Import ( USER32.CreateWindowExW
010012F4 .text Import ( msvcrt._c_exit
010011A4 .text Import ( USER32.DefWindowProcW
01001034 .text Import ( GDI32.DeleteDC
01001158 .text Import ( KERNEL32.DeleteFileW
01001068 .text Import ( GDI32.DeleteObject
010011A8 .text Import ( USER32.DestroyWindow
01001198 .text Import ( USER32.DialogBoxParamW
01001294 .text Import ( USER32.DispatchMessageW
0100117C .text Import ( SHELL32.DragAcceptFiles
01001174 .text Import ( SHELL32.DragFinish
01001178 .text Import ( SHELL32.DragQueryFileW
01001210 .text Import ( USER32.DrawTextExW
0100125C .text Import ( USER32.EnableMenuItem
0100120C .text Import ( USER32.EnableWindow
01001288 .text Import ( USER32.EndDialog
01001030 .text Import ( GDI32.EndDoc
01001028 .text Import ( GDI32.EndPage
01001054 .text Import ( GDI32.EnumFontsW
01001308 .text Import ( msvcrt._except_handler3
010012F0 .text Import ( msvcrt._exit
01001318 .text Import ( msvcrt.exit
0100111C .text Import ( KERNEL32.FindClose
01001120 .text Import ( KERNEL32.FindFirstFileW
010012C8 .text Import ( comdlg32.FindTextW
010010F4 .text Import KERNEL32.FoldStringW
0100114C .text Import ( KERNEL32.FormatMessageW
0100115C .text Import ( KERNEL32.GetACP
01001188 .text Import ( USER32.GetClientRect
01001114 .text Import ( KERNEL32.GetCommandLineW
010010C0 .text Import ( KERNEL32.GetCurrentProcess
0100110C .text Import ( KERNEL32.GetCurrentProcessId
0100108C .text Import ( KERNEL32.GetCurrentThreadId
01001238 .text Import ( USER32.GetCursorPos
010010A0 .text Import ( KERNEL32.GetDateFormatW
01001194 .text Import ( USER32.GetDC
010011E4 .text Import ( USER32.GetDesktopWindow
01001060 .text Import ( GDI32.GetDeviceCaps
0100122C .text Import ( USER32.GetDlgCtrlID
01001274 .text Import ( USER32.GetDlgItem
01001284 .text Import ( USER32.GetDlgItemTextW
01001124 .text Import ( KERNEL32.GetFileAttributesW
010010B0 .text Import ( KERNEL32.GetFileInformationByHandle
010012D4 .text Import ( comdlg32.GetFileTitleW
010011E8 .text Import ( USER32.GetFocus
010011B4 .text Import ( USER32.GetForegroundWindow
010011A0 .text Import ( USER32.GetKeyboardLayout
01001138 .text Import ( KERNEL32.GetLastError
010010D8 .text Import ( KERNEL32.GetLocaleInfoW
01001098 .text Import ( KERNEL32.GetLocalTime
01001320 .text Import msvcrt.__getmainargs
01001264 .text Import ( USER32.GetMenu
01001258 .text Import ( USER32.GetMenuState
010012A8 .text Import ( USER32.GetMessageW
010010CC .text Import ( KERNEL32.GetModuleHandleA
0100105C .text Import ( GDI32.GetObjectW
010012D8 .text Import ( comdlg32.GetOpenFileNameW
0100128C .text Import ( USER32.GetParent
010012B4 .text Import WINSPOOL.GetPrinterDriverW
01001110 .text Import ( KERNEL32.GetProcAddress
010012E4 .text Import ( comdlg32.GetSaveFileNameW
010010D0 .text Import ( KERNEL32.GetStartupInfoA
01001058 .text Import ( GDI32.GetStockObject
01001260 .text Import ( USER32.GetSubMenu
010011CC .text Import ( USER32.GetSystemMenu
0100121C .text Import ( USER32.GetSystemMetrics
010010B8 .text Import ( KERNEL32.GetSystemTimeAsFileTime
0100103C .text Import ( GDI32.GetTextExtentPoint32W
01001048 .text Import ( GDI32.GetTextFaceW
0100106C .text Import ( GDI32.GetTextMetricsW
01001090 .text Import ( KERNEL32.GetTickCount
010010A4 .text Import KERNEL32.GetTimeFormatW
0100109C .text Import ( KERNEL32.GetUserDefaultLCID
01001150 .text Import KERNEL32.GetUserDefaultUILanguage
01001270 .text Import ( USER32.GetWindowLongW
010011BC .text Import ( USER32.GetWindowPlacement
01001218 .text Import ( USER32.GetWindowTextW
010010D4 .text Import ( KERNEL32.GlobalFree
010010A8 .text Import ( KERNEL32.GlobalLock
010010AC .text Import ( KERNEL32.GlobalUnlock
01001324 .text Import msvcrt._initterm
01001224 .text Import ( USER32.InvalidateRect
01001250 .text Import ( USER32.IsClipboardFormatAvailable
010012A0 .text Import ( USER32.IsDialogMessageW
010011B8 .text Import ( USER32.IsIconic
0100100C .text Import ADVAPI32.IsTextUnicode
01001304 .text Import ( msvcrt.iswctype
010011C8 .text Import ( USER32.LoadAcceleratorsW
010011D8 .text Import ( USER32.LoadCursorW
010011EC .text Import ( USER32.LoadIconW
010011D4 .text Import ( USER32.LoadImageW
010010C8 .text Import ( KERNEL32.LoadLibraryA
010011C4 .text Import ( USER32.LoadStringW
010010E0 .text Import ( KERNEL32.LocalAlloc
010010DC .text Import ( KERNEL32.LocalFree
010010F0 .text Import ( KERNEL32.LocalLock
01001148 .text Import ( KERNEL32.LocalReAlloc
01001134 .text Import ( KERNEL32.LocalSize
010012FC .text Import ( msvcrt.localtime
010010E8 .text Import ( KERNEL32.LocalUnlock
01001074 .text Import ( GDI32.LPtoDP
01001118 .text Import ( KERNEL32.lstrcatW
01001108 .text Import ( KERNEL32.lstrcmpiW
01001128 .text Import ( KERNEL32.lstrcmpW
01001130 .text Import ( KERNEL32.lstrcpynW
010010FC .text Import ( KERNEL32.lstrcpyW
010010E4 .text Import ( KERNEL32.lstrlenW
01001168 .text Import ( KERNEL32.MapViewOfFile
010011AC .text Import ( USER32.MessageBeep
01001268 .text Import ( USER32.MessageBoxW
0100739D .text Export <ModuleEntryPoint>
01001220 .text Import ( USER32.MoveWindow
0100112C .text Import ( KERNEL32.MulDiv
01001164 .text Import ( KERNEL32.MultiByteToWideChar
01001254 .text Import ( USER32.OpenClipboard
010012BC .text Import WINSPOOL.OpenPrinterW
010012C4 .text Import comdlg32.PageSetupDlgW
01001208 .text Import ( USER32.PeekMessageW
010012A4 .text Import ( USER32.PostMessageW
010011F4 .text Import ( USER32.PostQuitMessage
010012CC .text Import comdlg32.PrintDlgExW
01001330 .text Import msvcrt.__p__commode
01001334 .text Import msvcrt.__p__fmode
01001094 .text Import ( KERNEL32.QueryPerformanceCounter
01001100 .text Import ( KERNEL32.ReadFile
01001004 .text Import ( ADVAPI32.RegCloseKey
01001008 .text Import ( ADVAPI32.RegCreateKeyW
010011D0 .text Import ( USER32.RegisterClassExW
010011F8 .text Import ( USER32.RegisterWindowMessageW
01001014 .text Import ( ADVAPI32.RegOpenKeyExA
01001010 .text Import ( ADVAPI32.RegQueryValueExA
01001000 .text Import ( ADVAPI32.RegQueryValueExW
01001018 .text Import ( ADVAPI32.RegSetValueExW
01001190 .text Import ( USER32.ReleaseDC
010012DC .text Import ( comdlg32.ReplaceTextW
01001234 .text Import ( USER32.ScreenToClient
01001084 .text Import ( GDI32.SelectObject
0100123C .text Import ( USER32.SendDlgItemMessageW
01001240 .text Import ( USER32.SendMessageW
01001044 .text Import ( GDI32.SetAbortProc
0100119C .text Import ( USER32.SetActiveWindow
01001070 .text Import ( GDI32.SetBkMode
0100118C .text Import ( USER32.SetCursor
0100127C .text Import ( USER32.SetDlgItemTextW
01001154 .text Import ( KERNEL32.SetEndOfFile
01001278 .text Import ( USER32.SetFocus
01001140 .text Import ( KERNEL32.SetLastError
01001080 .text Import ( GDI32.SetMapMode
01001200 .text Import ( USER32.SetScrollPos
010010C4 .text Import ( KERNEL32.SetUnhandledExceptionFilter
01001328 .text Import msvcrt.__setusermatherr
0100107C .text Import ( GDI32.SetViewportExtEx
01001078 .text Import ( GDI32.SetWindowExtEx
0100126C .text Import ( USER32.SetWindowLongW
010011DC .text Import ( USER32.SetWindowPlacement
010011F0 .text Import ( USER32.SetWindowTextW
010012AC .text Import ( USER32.SetWinEventHook
01001338 .text Import msvcrt.__set_app_type
01001180 .text Import ( SHELL32.ShellAboutW
010011B0 .text Import ( USER32.ShowWindow
01001314 .text Import ( msvcrt._snwprintf
01001050 .text Import ( GDI32.StartDocW
01001038 .text Import ( GDI32.StartPage
010010BC .text Import ( KERNEL32.TerminateProcess
0100104C .text Import ( GDI32.TextOutW
010012F8 .text Import ( msvcrt.time
0100129C .text Import ( USER32.TranslateAcceleratorW
01001298 .text Import ( USER32.TranslateMessage
0100116C .text Import ( KERNEL32.UnhandledExceptionFilter
01001290 .text Import ( USER32.UnhookWinEvent
01001160 .text Import ( KERNEL32.UnmapViewOfFile
010011FC .text Import ( USER32.UpdateWindow
01001310 .text Import ( msvcrt.wcsncmp
01001340 .text Import ( msvcrt.wcsncpy
01001144 .text Import ( KERNEL32.WideCharToMultiByte
01001228 .text Import ( USER32.WinHelpW
0100113C .text Import ( KERNEL32.WriteFile
01001280 .text Import ( USER32.wsprintfW
0100130C .text Import ( msvcrt._wtol
010012EC .text Import msvcrt._XcptFilter
</code></pre>
<br />
The Import Address Table (IAT) is essentially a lookup table of function addresses, reached through jump thunks, that the loader fills in when the image is mapped. A compiled program cannot know where the libraries it depends on will end up in memory, so every API call goes through an indirect jump (jmp) via the table rather than to a fixed address.<br />
<br />
In the above code we can see jumps to functions such as <b>USER32.GetKeyboardLayout</b>, which is a wrapper for the <b>NtUserLoadKeyboardLayoutEx</b> win32k syscall. This relates to Stuxnet's keyboard layout vulnerability (<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2743" target="_blank">CVE-2010-2743</a>), one of the four exploits it used to escalate privileges in order to reach ring 0.<br />
<br />
I would have loved to set a breakpoint on <b>win32k!NtUserLoadKeyboardLayoutEx</b> and trace the malware, as it's extremely interesting, but breakpoints can't be set in a local kernel debugging (LKD) session. I would have needed to break in to another physical machine (which I don't have), or set up a host-to-guest virtual COM port, which is a bit of a pain. I'll chalk it up to something to do on a rainy day. Call me lazy... I know.<br />
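To make the listing above concrete, here is an added example (not code from the post) that walks a PE import directory and prints DLL.function pairs the way the dump does. It builds its own tiny PE32 image in memory so that it runs offline; the image, its single .idata section and the two import descriptors (KERNEL32.dll and ADVAPI32.dll, one import by ordinal) are constructed for the example.<br />

```python
"""Walk a PE import directory and list DLL.function pairs, the same
information the IAT dump above shows. Added example, not the post's code."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Return [(dll, symbol), ...]; imports by ordinal appear as 'ordinal#N'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = pe + 4
    nsections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                         # PE32
        dirs, thunk_fmt, ord_flag = opt + 96, "<I", 1 << 31
    elif magic == 0x20B:                                       # PE32+
        dirs, thunk_fmt, ord_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    imp_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    sections = []
    for i in range(nsections):                                 # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    result = []
    if imp_rva == 0:
        return result                                          # image imports nothing
    desc = _rva_to_offset(imp_rva, sections)
    while True:                                                # IMAGE_IMPORT_DESCRIPTOR, 20 bytes each
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                                              # all-zero descriptor ends the table
        dll = _cstring(data, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(ilt or iat, sections)           # lookup table, else the IAT itself
        step = struct.calcsize(thunk_fmt)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                result.append((dll, "ordinal#%d" % (entry & 0xFFFF)))
            else:                                              # IMAGE_IMPORT_BY_NAME: WORD hint, then name
                result.append((dll, _cstring(data, _rva_to_offset(entry, sections) + 2)))
            thunk += step
        desc += 20
    return result


def build_sample_pe():
    """Constructed, non-runnable PE32 with one .idata section and two import descriptors."""
    sec_rva, sec_raw = 0x1000, 0x200
    sec = bytearray()

    def put(b):                                                # append to the section, return its RVA
        rva = sec_rva + len(sec)
        sec.extend(b)
        return rva

    imports = [("KERNEL32.dll", ["LoadLibraryW", "FreeLibrary"]),
               ("ADVAPI32.dll", ["RegSetValueExW", 7])]        # 7 = import by ordinal
    desc_rva = put(b"\0" * (20 * (len(imports) + 1)))          # descriptors plus terminator
    descs = b""
    for dll, syms in imports:
        thunks = b""
        for s in syms:
            if isinstance(s, int):
                thunks += struct.pack("<I", 0x80000000 | s)
            else:
                thunks += struct.pack("<I", put(struct.pack("<H", 0) + s.encode() + b"\0"))
        thunks += b"\0\0\0\0"
        ilt, iat, name = put(thunks), put(thunks), put(dll.encode() + b"\0")
        descs += struct.pack("<IIIII", ilt, 0, 0, name, iat)
    sec[:len(descs)] = descs
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, desc_rva, 20 * (len(imports) + 1))
    sec_hdr = b".idata".ljust(8, b"\0") + struct.pack("<IIII", len(sec), sec_rva, len(sec), sec_raw) + b"\0" * 16
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + bytes(sec)


if __name__ == "__main__":
    for dll, sym in parse_imports(build_sample_pe()):
        print("%s.%s" % (dll.rsplit(".", 1)[0], sym))         # e.g. KERNEL32.LoadLibraryW
```

Pointing <b>parse_imports</b> at the bytes of a real image gives the same DLL.function listing the dump above shows.<br />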
<br />
<b>3. </b>Calls <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms684175%28v=vs.85%29.aspx" target="_blank">LoadLibraryW</a>, exported from kernel32.dll, passing it a specially crafted file name such as KERNEL32.DLL.ASLR.[HEX] or SHELL32.DLL.ASLR.[HEX]. Below we can see an example of a KERNEL32 variant:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCqfNooTyg3fpOvnqqPFL9IxEwc5fmRMgBEs6i4jUFn7mZnEB4h1QqoODLfVWauGOfUWXaSW0dhwNXgIGb751M4tpDtFmwENZnM9KGY8wczeTxkyQtVBBnx92DIvPC-GSIvQVxhZrPR_lf/s1600/KERNEL32.DLL.ASLR.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCqfNooTyg3fpOvnqqPFL9IxEwc5fmRMgBEs6i4jUFn7mZnEB4h1QqoODLfVWauGOfUWXaSW0dhwNXgIGb751M4tpDtFmwENZnM9KGY8wczeTxkyQtVBBnx92DIvPC-GSIvQVxhZrPR_lf/s1600/KERNEL32.DLL.ASLR.png" height="19" width="320" /></a></div>
<br />
<b>4. </b>Calls the desired exported function.<br />
<br />
<b>5. </b>Calls <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms683152%28v=vs.85%29.aspx" target="_blank">FreeLibrary</a> to free the loaded library.<br />
<br />
<div style="text-align: left;">
<div style="text-align: left;">
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>New Process Inject</b></u></span></span></div>
</div>
<br />
The second method of injection targets a newly created process, as follows:<br />
<br />
<b>1. </b>Creates a host process.<br />
<br />
<b>2. </b>Replaces the process image with the Stuxnet module to execute, along with code that loads the module and calls a specified export, passing it parameters.<br />
<br />
There are a few different image names that can be chosen for the host process:<br />
<br />
<ul>
<li><b>lsass.exe</b> - MSFT system process in charge of enforcing the security policy.</li>
<li><b>avp.exe</b> - Kaspersky.</li>
<li><b>mcshield.exe</b> - McAfee VirusScan.</li>
<li><b>avguard.exe</b> - Avira Personal Edition.</li>
<li><b>bdagent.exe</b> - Bitdefender Switch Agent.</li>
<li><b>UmxCfg.exe</b> - eTrust Configuration Engine (HIPS).</li>
<li><b>fsdfwd.exe</b> - F-Secure.</li>
<li><b>rtvscan.exe</b> - Symantec Real-time Virus Scan Service.</li>
<li><b>ccSvchst.exe</b> - Symantec Service Framework.</li>
<li><b>ekrn.exe</b> - ESET Service Process.</li>
<li><b>tmproxy.exe</b> - TrendMicro (PC-cillin in Australia and Virus Buster in Japan).</li>
</ul>
<div style="text-align: left;">
<div style="text-align: left;">
<br />
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>Malware Execution and Infection</b></u></span></span></div>
</div>
<br />
First of all, to even execute the malware successfully you need to set your system time to <i>before </i>June 24th, 2012. This is because Stuxnet hard-coded a poison pill to fully delete itself on June 24th, 2012. This was most likely done with the original idea in mind that Stuxnet wouldn't escape the nuclear facilities, which would have allowed time for Stuxnet to be reversed and ultimately defeated.<br />
<br />
This piece of malware wanted to stay inside nuclear facilities, target Siemens systems, cause large <i>actual </i>damage, spread to cause more damage, and then go ghost. Fortunately, it did happen to escape its intended environment (some even speculate deliberately) and was inevitably reversed and defeated long before its hard-coded deletion date.<br />
<br />
To begin, let's take a pre-infection look at the system with Autoruns and Process Explorer:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL7en_PsGVXFQ_ouWHJlHIic89ArQ7eYQfjfxP64_YP2N82l2QXcnWA22IBKaMlxM7KqcBXkRyFrGNW8URg8J98g4XwiXot7VqYjdPQBJh0IqgNkdmjKxyLWJu9H_mG0_7Yu-PogexA6J6/s1600/autoruns+before.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhL7en_PsGVXFQ_ouWHJlHIic89ArQ7eYQfjfxP64_YP2N82l2QXcnWA22IBKaMlxM7KqcBXkRyFrGNW8URg8J98g4XwiXot7VqYjdPQBJh0IqgNkdmjKxyLWJu9H_mG0_7Yu-PogexA6J6/s1600/autoruns+before.png" height="145" width="320" /></a></div>
<div style="text-align: center;">
<i>(Ignore the file not found messages)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Note the checked filter options > Verify code signatures + Hide Microsoft entries.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisS8OXoSco-D8zExXW0IBI2-oRbI1TdsHEwIjSB8yOgMGaPagvtw9sJtokYNd7z5-5m62MeiWqHqi_FIrUB2JTcOfc211q_67mEOgEAjuqGsEO4AqVxb8lsF8SdkR-gRpqajj4hKSTuJzx/s1600/process+explorer+before.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisS8OXoSco-D8zExXW0IBI2-oRbI1TdsHEwIjSB8yOgMGaPagvtw9sJtokYNd7z5-5m62MeiWqHqi_FIrUB2JTcOfc211q_67mEOgEAjuqGsEO4AqVxb8lsF8SdkR-gRpqajj4hKSTuJzx/s1600/process+explorer+before.png" height="166" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Everything looks pretty normal, nothing out of the ordinary. We can see we have one instance of lsass.exe.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Now let's turn things up a bit by executing the malware, and then comparing our results from pre-infection:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4Xn3Y8Iva_2GtzU9gASOIsBUJXvlNGHpXWfIxYQZSMdJtqy2qmjGlS-L-_q9Cg03fH-UUWhihdrdYpm_XD5Wc_1XZ45Ca0PWtGgNFMeRBMF9jce1yQX7G0DMXRU1os7hhd-X4TmDemR0R/s1600/autoruns+after.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4Xn3Y8Iva_2GtzU9gASOIsBUJXvlNGHpXWfIxYQZSMdJtqy2qmjGlS-L-_q9Cg03fH-UUWhihdrdYpm_XD5Wc_1XZ45Ca0PWtGgNFMeRBMF9jce1yQX7G0DMXRU1os7hhd-X4TmDemR0R/s1600/autoruns+after.png" height="144" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
We can see now within Autoruns we have two new services - MRxCls and MRxNet. These are Stuxnet's kernel-mode drivers, which provide its rootkit functionality.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
One big thing about malware that surfaces in the public media (for whatever reason, we'll assume popularity/intention) is that journalists <i>love </i>to spin it and attach awkward buzzwords - Undefeatable, The Most Sophisticated Malware, etc. Was Stuxnet an elaborate piece of code? Yes, absolutely. Not only was knowledge of typical rootkit/Windows development needed, but heavy reverse engineering knowledge of Siemens software was necessary as well.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
However, one of Stuxnet's biggest weak points was its near-total lack of anti-debugging/anti-reversing techniques. Among a slew of reasons, such as <i>zero </i>VM obfuscation, you can literally use the default regedit to find the locations of both MRxCls and MRxNet. For example:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisyNlU9EsxdX-LxbmDLP5ZdFfIAxxVa7wAtd47Q7svWkU2hIGGgQPvAoA9ZOgxDaGX7oxBqtzUPc2Th5HsRxCY63lfAVo8CrgKrI9qPHdftChfszcJof5JPoGQcvvObdPDdK7q2VHM3EDp/s1600/MRxCls+regedit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisyNlU9EsxdX-LxbmDLP5ZdFfIAxxVa7wAtd47Q7svWkU2hIGGgQPvAoA9ZOgxDaGX7oxBqtzUPc2Th5HsRxCY63lfAVo8CrgKrI9qPHdftChfszcJof5JPoGQcvvObdPDdK7q2VHM3EDp/s1600/MRxCls+regedit.png" height="163" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8Neast8XRj62SVSBHfJKvF3pSygp0dMLE7EgTyiA03srgm9bUgK15eSVXPy-Qnk46ilB3d3BOik_xMXu6FGwfCvvH71kExaLRGHrpGlR_N25Eh4K7fW7a-iXZvsNk66ls2Pqe7fDeM0fb/s1600/MRxNet+regedit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8Neast8XRj62SVSBHfJKvF3pSygp0dMLE7EgTyiA03srgm9bUgK15eSVXPy-Qnk46ilB3d3BOik_xMXu6FGwfCvvH71kExaLRGHrpGlR_N25Eh4K7fW7a-iXZvsNk66ls2Pqe7fDeM0fb/s1600/MRxNet+regedit.png" height="164" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
This has led Stuxnet to be something of a joke among some reverse engineers and analysts, even more so if you believe that it was created by [insert government]. It's hard to imagine [insert government] wouldn't go to any lengths at all to hide its malware, but then again you never really know, right? : ) I'll continue the discussion of its kernel-mode functionality a little later, as I'd like to swing back to user mode real quick.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
I couldn't get Process Explorer to run after infection, as the VM would bugcheck. I have no idea why, and AFAIK Stuxnet doesn't employ anti-debugging against Sysinternals tools by any means, so it was likely a buggy sample. I digress; I used VMMap instead:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaul1vFNhA3i7pCvVXf_Ap8K4oT58yQGfGT-baMCKLNVK1gUfdHrqSHsM4kUFkjEEWvGk71mHft2fVsz_4vuH9P0tkh0or1avgmpOy0P9sA0bsbVqRQKjxiL8tYRepnErOiXkO2tL-K_8k/s1600/vvmmap+3+lsass.exe+after.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaul1vFNhA3i7pCvVXf_Ap8K4oT58yQGfGT-baMCKLNVK1gUfdHrqSHsM4kUFkjEEWvGk71mHft2fVsz_4vuH9P0tkh0or1avgmpOy0P9sA0bsbVqRQKjxiL8tYRepnErOiXkO2tL-K_8k/s1600/vvmmap+3+lsass.exe+after.png" height="173" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
We can see there are now three instances of lsass.exe, two of which are fake (newly created host processes). So first off, which is our legitimate lsass.exe? Well, two of the three have PIDs above 1xxx, so let's assume the only one <i>not </i>above 1xxx is legitimate:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic4dNqHa-XPxVbnBodYl57Kfom-OO6pNXnXGY8H1_008-rOvisv0Lqa0QkPrlZJkPPA_DDIwMprykov6Ed8t9iacs-CRUf4Wk_UZqZJ9yBUAVMy4BC4S_cGNQs3MlMMR6XQnfASig7VcOz/s1600/lsass.exe+legit+(pid%2B648)%2Bafter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEic4dNqHa-XPxVbnBodYl57Kfom-OO6pNXnXGY8H1_008-rOvisv0Lqa0QkPrlZJkPPA_DDIwMprykov6Ed8t9iacs-CRUf4Wk_UZqZJ9yBUAVMy4BC4S_cGNQs3MlMMR6XQnfASig7VcOz/s1600/lsass.exe+legit+(pid%2B648)%2Bafter.png" height="171" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
If we sort by the Protection column, we can see it's mostly Execute/Read, which doesn't raise any red flags. Let's assume for the moment this is legitimate and take a look at another one:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7V_Mn4yNBUdVfFUwCVYHRFeucNnc3bLN066q2Tf-xN54lcKj8TTc96ezGd90AZnidEAnveeT8VDOs8Ht5TZYGAmDVLkxH_Ly2VKxFmvkcS1gV7eVbUlz4VSvRLVgE1Og47vkdrQzE5hb4/s1600/lsass.exe+fake+%231+(pid%2B1812)%2Bafter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7V_Mn4yNBUdVfFUwCVYHRFeucNnc3bLN066q2Tf-xN54lcKj8TTc96ezGd90AZnidEAnveeT8VDOs8Ht5TZYGAmDVLkxH_Ly2VKxFmvkcS1gV7eVbUlz4VSvRLVgE1Og47vkdrQzE5hb4/s1600/lsass.exe+fake+%231+(pid%2B1812)%2Bafter.png" height="172" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Uh oh, we can see two shareable memory regions in this lsass.exe that have Write permission in addition to Execute and Read. When a process has all three, it's a huge red flag for a fake/compromised process. In addition, note how Size, Committed, Total Working Set, etc. are all equal. We can now determine that PID 648 is legitimate and PID 1812 is fake. At this point we can also assume that PID 1840 is fake as well:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLNtnKezHX28xTiSEbnYCHcxfnYql8pPTX4K0X81Ip2EFN_Y4rf_41o3Lb1VnfkUuEhto4cbH22WyxpqqYFjVRj4m54dUdrms338B8E7w-XGSHV5hjUXYb8BkuTvbZ4G324dRRvU8evvO6/s1600/lsass.exe+fake+%232+(pid%2B1840)%2Bafter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLNtnKezHX28xTiSEbnYCHcxfnYql8pPTX4K0X81Ip2EFN_Y4rf_41o3Lb1VnfkUuEhto4cbH22WyxpqqYFjVRj4m54dUdrms338B8E7w-XGSHV5hjUXYb8BkuTvbZ4G324dRRvU8evvO6/s1600/lsass.exe+fake+%232+(pid%2B1840)%2Bafter.png" height="171" width="320" /></a></div>
<br />
Yep! In this case, we have five shareable memory regions with R/W/E permissions, in addition to ntdll with R/W/E permissions as well. Note that Size, Committed, Total Working Set, etc. are equal again. At this point we can fully determine that 1812 and 1840 are our fake lsass.exe instances, and that 1840 relates to the patching of ntdll.<br />
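The triage just walked through by hand, as an added example (not the post's code) that runs the same checks over process records: Read/Write/Execute regions, an image such as ntdll mapped R/W/E, and an lsass.exe whose parent is not the process Windows starts it from. The records are constructed to mirror PIDs 648, 1812 and 1840; the parent PIDs and the "sample.exe" parent are assumptions, since the screenshots above don't show them.<br />

```python
"""Triage of VMMap-style process records for injected host processes.
Added example, not the post's code; all records below are constructed."""
from collections import namedtuple

Region = namedtuple("Region", "kind protection module")   # kind: Image, Shareable, Private
Process = namedtuple("Process", "pid name parent_pid regions")

# Singleton system processes and the parent Windows starts them from.
# Windows XP (the post's VM) starts lsass.exe from winlogon.exe; Vista and
# later use wininit.exe.
EXPECTED_PARENT = {"lsass.exe": {"winlogon.exe", "wininit.exe"}}


def is_rwx(region):
    """True when a region is readable, writable and executable at once."""
    return {"Read", "Write", "Execute"} <= set(region.protection.split("/"))


def region_findings(proc):
    out = []
    for r in proc.regions:
        if not is_rwx(r):
            continue
        if r.kind == "Image":                                  # a mapped module should never be writable
            out.append("image %s is Read/Write/Execute (patched in memory)" % r.module)
        else:
            out.append("%s region is Read/Write/Execute" % r.kind)
    return out


def triage(processes):
    """Return {pid: [findings]} for every process that looks injected or fake."""
    by_pid = {p.pid: p for p in processes}
    count = {}
    for p in processes:
        count[p.name.lower()] = count.get(p.name.lower(), 0) + 1
    report = {}
    for p in processes:
        findings = region_findings(p)
        name = p.name.lower()
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.parent_pid)
            pname = parent.name.lower() if parent else "<exited>"
            if pname not in EXPECTED_PARENT[name]:
                findings.append("parent is %s (pid %d), expected %s"
                                % (pname, p.parent_pid, "/".join(sorted(EXPECTED_PARENT[name]))))
            if count[name] > 1 and findings:                   # only the suspicious copies get this note
                findings.append("%d instances of %s running" % (count[name], p.name))
        if findings:
            report[p.pid] = findings
    return report


# Constructed to mirror the three lsass.exe instances seen in VMMap above.
SAMPLE = [
    Process(600, "winlogon.exe", 424, []),
    Process(1288, "sample.exe", 1100, []),                     # assumed stand-in for the injecting process
    Process(648, "lsass.exe", 600, [
        Region("Image", "Execute/Read", "lsass.exe"),
        Region("Image", "Execute/Read", "ntdll.dll"),
        Region("Private", "Read/Write", None),
    ]),
    Process(1812, "lsass.exe", 1288, [
        Region("Image", "Execute/Read", "ntdll.dll"),
        Region("Shareable", "Read/Write/Execute", None),
        Region("Shareable", "Read/Write/Execute", None),
    ]),
    Process(1840, "lsass.exe", 1288,
            [Region("Image", "Read/Write/Execute", "ntdll.dll")]
            + [Region("Shareable", "Read/Write/Execute", None)] * 5),
]

if __name__ == "__main__":
    for pid, findings in sorted(triage(SAMPLE).items()):
        print("PID %d:" % pid)
        for f in findings:
            print("  -", f)
```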
<br />
Let's further compare the three images based on their strings:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7lUCXPa7DnFs3NoaRqsPe2_PqfmhcL3S8hMAfgbTiQGFOGqXwGlRy1aTjQpPDBZh5LyYmblplS69-lHzuSkVr9nL_dnMnBJNNSqtHA15LkSX3nUxtdzwd-hIlJC2F-k_xOmtbhTIyRDmy/s1600/strings_lsass.exe+legit+(pid%2B648)%2Bafter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7lUCXPa7DnFs3NoaRqsPe2_PqfmhcL3S8hMAfgbTiQGFOGqXwGlRy1aTjQpPDBZh5LyYmblplS69-lHzuSkVr9nL_dnMnBJNNSqtHA15LkSX3nUxtdzwd-hIlJC2F-k_xOmtbhTIyRDmy/s1600/strings_lsass.exe+legit+(pid%2B648)%2Bafter.png" height="320" width="241" /></a></div>
<div style="text-align: center;">
<i>(PID 648 - legit)</i></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj781hNXmMDm7RgFmagF5bxk_bvtfnA5xJqSLpqsPfpzalHXdSnpPtAZVIVaZlDwubzPQEphrr6NkZNdLh3qoqj8RoxamTTl7i2XjMnx0TBqFKEacDOOnvvVC94GXiM6-Eskd6iMfyw7uh3/s1600/strings_lsass.exe+fake+%231+(pid%2B1812)%2Bafter%2Btop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj781hNXmMDm7RgFmagF5bxk_bvtfnA5xJqSLpqsPfpzalHXdSnpPtAZVIVaZlDwubzPQEphrr6NkZNdLh3qoqj8RoxamTTl7i2XjMnx0TBqFKEacDOOnvvVC94GXiM6-Eskd6iMfyw7uh3/s1600/strings_lsass.exe+fake+%231+(pid%2B1812)%2Bafter%2Btop.png" height="320" width="241" /></a></div>
<div style="text-align: center;">
<i>(PID 1812 - fake #1)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Note we have quite a few changes here, the important one being "!This program cannot run in DOS mode."<i>. </i>This is the classic MZ exe format used for .exe files within DOS. We can note the ASCII string - 4D. Let's take a look at the bottom of the string list:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp4IbxXpga601horHEnXLIEB_meubHL-6zVnqU7IGOHhy-EJeft6XRPWAh3QT-DX-UZBlUaIEDom0TFOnMeiJw-lcWisFol_ROIrrPa4FgjyNq8ODB8HaqGuma5ACjFu62v_tEaP-ei7mJ/s1600/strings_lsass.exe+fake+%231+(pid%2B1812)%2Bafter%2Bbottom.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp4IbxXpga601horHEnXLIEB_meubHL-6zVnqU7IGOHhy-EJeft6XRPWAh3QT-DX-UZBlUaIEDom0TFOnMeiJw-lcWisFol_ROIrrPa4FgjyNq8ODB8HaqGuma5ACjFu62v_tEaP-ei7mJ/s1600/strings_lsass.exe+fake+%231+(pid%2B1812)%2Bafter%2Bbottom.png" height="320" width="243" /></a></div>
<div style="text-align: center;">
<i>(PID 1812 - fake #1)</i></div>
<br />
<div style="text-align: left;">
We can see a number of functions, such as <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa385096%28v=vs.85%29.aspx" target="_blank">InternetOpen</a>. We can at this point determine the DLL was successfully injected into this image of lsass.exe.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
We can of course expect similar results with PID 1840:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHuFvHb4DVlq7gCfCPB3_2AcNwtIk-R3CCcQd2qvbQFkAgQiRLuv4GMlqsmsBRDQsbw5JM9xSgGCJ6rwYQEQXVWRixHrtETPvK0Txjb5OjSOMZp1Uu5s58fg1qNSKFisLD4F255pNPZlPb/s1600/strings_lsass.exe+fake+%232+(pid%2B1840)%2Bafter%2Btop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHuFvHb4DVlq7gCfCPB3_2AcNwtIk-R3CCcQd2qvbQFkAgQiRLuv4GMlqsmsBRDQsbw5JM9xSgGCJ6rwYQEQXVWRixHrtETPvK0Txjb5OjSOMZp1Uu5s58fg1qNSKFisLD4F255pNPZlPb/s1600/strings_lsass.exe+fake+%232+(pid%2B1840)%2Bafter%2Btop.png" height="320" width="244" /></a></div>
<div style="text-align: center;">
<i>(PID 1840 - fake #2)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
We can also see abnormal termination of the NT Kernel, as well as a jmp:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZc_MrPIq_Q66DfDf9lOqymlNF0sExWOLTPPucRz89yAVGZhrndD-eQsMJNqix7wZP4ALIuDRYbQo0pimHckwR5b1xyVePywasPF0YUJnGSANUvyEqhQJIeQ1yh_LNBg1HaqtfyUYjbkhy/s1600/ntoskrnl+abnormal+termination.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZc_MrPIq_Q66DfDf9lOqymlNF0sExWOLTPPucRz89yAVGZhrndD-eQsMJNqix7wZP4ALIuDRYbQo0pimHckwR5b1xyVePywasPF0YUJnGSANUvyEqhQJIeQ1yh_LNBg1HaqtfyUYjbkhy/s1600/ntoskrnl+abnormal+termination.png" height="11" width="320" /></a></div>
</div>
<div style="text-align: left;">
<br />
Another big red flag of a malformed image.<br />
<br />
Let's head back to discussing our kernel-mode drivers, MRxCls and MRxNet. As noted above, these two drivers aren't packed with a protector or packer at all, so inspecting them in depth is painless:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
First off, both of these drivers were digitally signed (albeit fake... what a surprise) to fool the user into believing it was a legitimate driver signed off as such by VeriSign. For example:</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuktdb2Z2MTXuJsslzwRE0QkRXQ9LWms4DoUfmDb0NrRi4zv1HjJLpnYle7nt7LvOvyU5Bc7hwXIGxkUsgbYBq-KtE9A6VrMQTNvSTRwDEn3Ae7dz_lRRtw93BR-AJ9CW6nlZ9o6DYpncw/s1600/mrxcls+digital+signature.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuktdb2Z2MTXuJsslzwRE0QkRXQ9LWms4DoUfmDb0NrRi4zv1HjJLpnYle7nt7LvOvyU5Bc7hwXIGxkUsgbYBq-KtE9A6VrMQTNvSTRwDEn3Ae7dz_lRRtw93BR-AJ9CW6nlZ9o6DYpncw/s1600/mrxcls+digital+signature.png" height="204" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
We can see MRxCls carries a fake VeriSign signature claiming to be from Realtek. Realtek is obviously a legitimate company and releases lots of software/drivers for its products, such as audio, so this would fool a user if they ever questioned the legitimacy of the apparent MRxCls/Net drivers.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Using SwishDbgExt, let's dump the list of objects:</div>
<div style="text-align: left;">
<br /></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !ms_object
Object: \ (Directory)
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| Hdle | Object Type | Addr | Name |
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| 0000 | Directory | 0xFFFFFFFFE100D748 | ArcName |
| 0000 | Device | 0xFFFFFFFF821C75C0 | Ntfs |
| 0000 | Port | 0xFFFFFFFFE15EABB8 | SeLsaCommandPort |
| 0000 | Key | 0xFFFFFFFFE1010478 | \REGISTRY |
| 0000 | Port | 0xFFFFFFFFE186B9E8 | ThemeApiPort |
| 0000 | Port | 0xFFFFFFFFE1B05230 | XactSrvLpcPort |
| 0000 | Directory | 0xFFFFFFFFE15AA4B8 | NLS |
| 0000 | SymbolicLink | 0xFFFFFFFFE1008748 | DosDevices |
| 0000 | Port | 0xFFFFFFFFE13D4B68 | SeRmCommandPort |
| 0000 | Port | 0xFFFFFFFFE173BA00 | LsaAuthenticationPort |
| 0000 | Device | 0xFFFFFFFF82063A90 | Dfs |
| 0000 | Event | 0xFFFFFFFF821EF5C0 | |
| 0000 | <span style="background-color: yellow;">Directory | 0xFFFFFFFFE100E838 | Driver </span>
</code></pre>
<br />
Notice the strange 'Driver' object with a 'Directory' type. Let's take a look:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !ms_object 0xFFFFFFFFE100E838
Object: Driver (Directory)
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| Hdle | Object Type | Addr | Name |
|------|----------------------|--------------------|---------------------------------------------------------------------------|
| 0000 | Driver | 0xFFFFFFFF8231ECC0 | \Driver\Beep |
| 0000 | Driver | 0xFFFFFFFF821C72C0 | \Driver\NDIS |
| 0000 | Driver | 0xFFFFFFFF821D39C0 | \Driver\KSecDD |
| 0000 | Driver | 0xFFFFFFFF82198F38 | \Driver\Mouclass |
| 0000 | Driver | 0xFFFFFFFF82245410 | \Driver\Raspti |
| 0000 | Driver | 0xFFFFFFFF81F18768 | \Driver\es1371 |
... |
| 0000 | <span style="background-color: yellow;">Driver | 0xFFFFFFFF81EA2880 | \Driver\MRxCls</span> |
| 0000 | Driver | 0xFFFFFFFF821DE4A0 | \Driver\PCnet |
| 0000 | <span style="background-color: yellow;">Driver | 0xFFFFFFFF81<span style="color: red;">F0FAE8</span> | \Driver\MRxNet </span>
</code></pre>
<br />
Let's dump the driver object information for MRxNet:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !drvobj 81f0fae8
Driver object (81f0fae8) is for:
<span style="background-color: yellow;">\Driver\MRxNet</span>
Driver Extension List: (id , addr)
Device Object list:
820ee288 81f10020 <span style="color: red;">81ebac80</span> 82136298
82302298 82339be0 821bb500 821996c0
821bc238 8224a9d0
</code></pre>
<br />
We can see MRxNet has a lot of device objects, so let's check one:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !devobj 81ebac80
Device object (81ebac80) is for:
<span style="background-color: yellow;">\Driver\MRxNet</span> DriverObject 81f0fae8
Current Irp 00000000 RefCount 0 Type 00000003 Flags 00000080
DevExt 81ebad38 DevObjExt 81ebad40
ExtensionFlags (0000000000)
AttachedTo (Lower) 821d4450 <span style="color: red;">\FileSystem\Cdfs</span>
</code></pre>
<br />
Stuxnet creates a new device object and attaches it to the device stack of each file-system device object. As we can see, here Stuxnet attached to <b>cdfs.sys</b>, the CD-ROM file system driver. The other file system drivers it attaches to are <b>ntfs.sys</b> and <b>fastfat.sys</b>. Once attached, Stuxnet sits in the driver stack, which gives it the ability to successfully intercept IRP requests.<br />
<br />
Other than checking regedit, we can also confirm the existence of the MRxCls service within the registry using the <b>!dreg </b>command, which displays formatted registry key information. Before we do this however, we need to load <b>ntsdexts.dll</b>, or we'll get the following:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !dreg System\CurrentControlSet\Services
No export dreg found
</code></pre>
<br />
This is because <b>ntsdexts.dll </b>of course isn't loaded in the extension DLL chain list:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]
</code></pre>
<br />
After loading it however with <b>.load ntsdexts</b>, we can then see it's in the list:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> .chain
Extension DLL search Path:
C:\Program Files\Debugging Tools for Windows (x86)\WINXP;C:\Program Files\Debugging Tools for Windows (x86)\winext;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Program Files\Debugging Tools for Windows (x86)\pri;C:\Program Files\Debugging Tools for Windows (x86);C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Extension DLL chain:
ntsdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:08 2010
[<span style="background-color: yellow;">path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\ntsdexts.dll</span>]
dbghelp: image 6.12.0002.633, API 6.1.6, built Mon Feb 01 15:08:26 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\dbghelp.dll]
ext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:31 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\ext.dll]
exts: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:24 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\exts.dll]
kext: image 6.12.0002.633, API 1.0.0, built Mon Feb 01 15:08:22 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\winext\kext.dll]
kdexts: image 6.1.7650.0, API 1.0.0, built Mon Feb 01 15:08:19 2010
[path: C:\Program Files\Debugging Tools for Windows (x86)\WINXP\kdexts.dll]
</code></pre>
<br />
Let's now run <b>!dreg </b>again with our path to MRxCls:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !dreg System\CurrentControlSet\Services\MRxCls
Subkey: Enum
</code></pre>
<br />
There it is, and we can see its subkey is Enum. We can confirm that by looking back at the earlier screenshot of its registry location.<br />
<br />
Here are the overall registry changes from comparing the pre-infection snapshot against the post-infection one:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: 300px; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> ----------------------------------
Keys deleted: 23
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\ControlSet001\Services\MRxCls
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum
HKLM\SYSTEM\ControlSet001\Services\MRxNet
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell
----------------------------------
Values deleted: 110
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Data:
C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\MRxNet\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Service: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\DeviceDesc: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS\0000\Control\ActiveService: "MRxCls"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Service: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Legacy: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ConfigFlags: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Class: "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\DeviceDesc: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\*NewlyCreated*: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXNET\0000\Control\ActiveService: "MRxNet"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Description: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\DisplayName: "MRXCLS"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Data:
DA C4 87 21 91 4F D0 6E FA C4 DD B7 C9 AF E2 AE FE 14 0F 53 C4 BA DD 31 1A 38 7B 37 C0 9E 83 FF 2C B2 4C 88 33 C1 89 E5 CA 68 31 2D 20 CE 50 64 7B 39 C7 FB B1 9F A9 0D 6C 2A 82 AE 7F 25 43 A7 A2 28 EB 27 73 C9 45 F9 FD 53 A8 F4 A7 FD B4 90 B2 28 D8 0C 5A A8 84 D0 7F ED 99 25 18 FE B8 4C 48 66 8D 59 40 F6 CC 30 A6 F4 04 E8 76 9C EA 0E F6 A4 4A CE D2
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\0: "Root\LEGACY_MRXCLS\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Enum\NextInstance: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Description: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\DisplayName: "MRXNET"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ErrorControl: 0x00000000
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Group: "Network"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\0: "Root\LEGACY_MRXNET\0000"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\Count: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Enum\NextInstance: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY:gvzrqngr.pcy: 04 00 00 00 06 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0: 34 00 31 00 00 00 00 00 2C 3C 8C 70 10 00 73 6E 6D 77 00 00 20 00 03 00 04 00 EF BE 2C 3C 8C 70 2C 3C 8C 70 14 00 00 00 73 00 6E 00 6D 00 77 00 00 00 14 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\NodeSlot: 0x00000022
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FolderType: "Documents"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Mode: 0x00000006
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).x: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ScrollPos1280x720(1).y: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Sort: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\SortDir: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Col: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ColInfo: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FD DF DF FD 0F 00 06 00 28 00 10 00 34 00 48 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 04 00 00 00 05 00 00 00 B4 00 60 00 78 00 78 00 B4 00 B4 00 00 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00 FF FF FF FF 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MinPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).x: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\MaxPos1280x720(1).y: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).left: 0x000000CB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).top: 0x00000034
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).right: 0x000003EB
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WinPos1280x720(1).bottom: 0x0000028C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Rev: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\WFlags: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\ShowCmd: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\FFlags: 0x00000001
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\HotKey: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Buttons: 0xFFFFFFFF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Links: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Address: 0x00000000
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\34\Shell\Vid: "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Owner\Desktop\MW\Lots of Stuxnet\snmw\malware.exe: "malware"
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\WinRAR\Interface\ShowPassword: 0x00000000
----------------------------------
Values modified: 17
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 5B 70 29 6B 9F F8 6B 2E 27 BB 05 43 02 B3 42 43 88 7C 39 EA 7C 8F C3 C1 DA 61 6A 7A 3D A9 27 BB 06 12 F2 A2 B5 89 09 83 C9 CE 03 F8 7F 6C 1E 79 D9 10 7D F0 29 05 03 B9 29 88 8C EC E2 3C CB 04 12 E3 E3 EC 8F E6 27 0A 15 A9 09 6C 29 34 89 55
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 53 06 23 D9 FE 36 71 5D D7 02 23 98 92 D3 0C AA 52 45 17 A4 D9 2B 2E E6 C7 C1 12 FE D2 A0 E1 8A 5F CF 23 E0 9B 16 74 7E DC 38 BF 7E D6 F0 9F 97 9A 5B C8 12 7C C2 9E CE EF 95 DE D1 60 56 23 7A 21 96 9C 23 E4 CF D9 77 67 97 F4 EA F1 0D 25 18
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: 81 9C 54 0E 05 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count\HRZR_PGYFRFFVBA: E3 F3 7F 0E 04 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 79 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 04 00 00 00 77 00 00 00 A0 EC DC 76 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 04 00 00 00 0B 00 00 00 00 54 07 85 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHAPCY: 01 00 00 00 0B 00 00 00 60 F6 98 73 27 F4 CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4C 00 00 00 F0 8C 4C 41 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 04 00 00 00 4A 00 00 00 90 73 55 73 81 FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 08 00 00 00 E0 8D E6 42 90 93 CA 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\FlfGbbyf\Nhgbehaf\nhgbehaf.rkr: 04 00 00 00 07 00 00 00 50 F6 45 98 7E FE CF 01
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 16 02 00 00 14 00 1F 60 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 4E 00 00 00 5A 00 3A 00 D4 02 00 00 5E 45 49 46 20 00 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 5E 45 49 46 6C 45 D2 6B 14 00 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 CA 01 00 00 34 00 31 00 00 00 00 00 5E 45 65 50 10 00 6D 62 61 72 00 00 20 00 03 00 04 00 EF BE 5E 45 63 50 5F 45 8D 55 14 00 00 00 6D 00 62 00 61 00 72 00 00 00 14 00 60 00 00 00 CA 01 00 00 2E 00 31 00 00 00 00 00 6C 45 4F 6C 10 00 4D 57 00 00 1C 00 03 00 04 00 EF BE 6C 45 48 6C 6C 45 4F 6C 14 00 00 00 4D 00 57 00 00 00 12 00 60 00 00 00 E6 00 00 00 3C 00 31 00 00 00 00 00 6A 45 6B 21 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE
6A 45 F4 1A 6C 45 59 6C 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 AB 00 00 00 02 00 00 00 4C 00 31 00 00 00 00 00 6C 45 0F 6D 10 00 52 45 47 53 48 4F 7E 31 2E 30 00 00 32 00 03 00 04 00 EF BE 6C 45 0F 6D 6C 45 12 6D 14 00 00 00 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 31 00 2E 00 39 00 2E 00 30 00 00 00 1A 00 60 00 00 00 16 02 00 00 40 00 31 00 00 00 00 00 6C 45 D1 6E 10 00 53 79 73 54 6F 6F 6C 73 00 00 28 00 03 00 04 00 EF BE 6C 45 73 6C 6C 45 D1 6E 14 00 00 00 53 00 79 00 73 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 15 00 00 00 02 00 00 00 3C 00 32 00 5F 38 1C 00 5E 45 EF 45 20 00 62 65 72 2E 72 61 72 00 26 00 03 00 04 00 EF BE 5E 45 EF 45 6C 45 AE 6B 14 00 00 00 62 00 65 00 72 00 2E 00 72 00 61 00 72 00 00 00 16 00 60 00 00 00 32 01 00 00 4E 00 32 00 78 ED 9C 00 5E 45 D0 51 20 00 48 49 54 4D 41 4E 7E 31 2E 45 58 45 00 00 32 00 03 00 04 00 EF BE 5E 45 C6 51 6A 45 87 28 14 00 00 00 48 00 69 00 74 00 6D 00 61 00 6E 00 50 00 72 00 6F 00 2E 00 65 00 78 0
0 65 00 00 00 1C 00 60 00 00 00 4E 00 00 00 5C 00 32 00 8B 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 31 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 E7 1A 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 33 00 32 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 9A 00 00 00 5C 00 32 00 97 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 32 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 F3 1E 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 36 00 34 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 02 00 00 00 52 00 32 00 CE 02 00 00 5E 45 74 83 20 00 4F 53 46 4F 52 45 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 5E 45 74 83 6A 45 12 59 14 00 00 00 4F 00 53 00 46 00 6F 00 72 00 65 00 6E 00 73 00 69 00 63 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 9A 00 00 00 66 00 32 00 97 01 00 00 5E 45 ED 46 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 4A
00 03 00 04 00 EF BE 5E 45 ED 46 6C 45 75 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 E6 00 00 00 62 00 32 00 8A 02 00 00 5E 45 58 47 20 00 53 48 4F 52 54 43 7E 32 2E 4C 4E 4B 00 00 46 00 03 00 04 00 EF BE 5E 45 58 47 6C 45 E5 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 32 01 00 00 60 00 32 00 DF 02 00 00 5E 45 A8 48 20 00 53 48 4F 52 54 43 7E 33 2E 4C 4E 4B 00 00 44 00 03 00 04 00 EF BE 5E 45 A8 48 6C 45 5A 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 77 00 69 00 6E 00 64 00 62 00 67 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 7E 01 00 00 50 00 32 00 F1 85 3F 00 5F 45 09 56 20 00 54 44 53 53 4B 49 7E 31 2E 5A 49 50 00 00 34 00 03 00 04 00 EF BE 5F 45 09 56 6C 45
75 6C 14 00 00 00 74 00 64 00 73 00 73 00 6B 00 69 00 6C 00 6C 00 65 00 72 00 2E 00 7A 00 69 00 70 00 00 00 1C 00 15 00 00 00 7E 01 00 00 4C 00 32 00 00 CE 05 00 5E 45 3B 50 20 00 74 67 32 69 6A 6E 6A 69 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 5E 45 3A 50 5E 45 35 83 14 00 00 00 74 00 67 00 32 00 69 00 6A 00 6E 00 6A 00 69 00 2E 00 65 00 78 00 65 00 00 00 1C 00 15 00 00 00 7E 01 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\Shell\Bags\1\Desktop\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 15 00 00 00 16 02 00 00 14 00 1F 60 40 F0 5F 64 81 50 1B 10 9F 08 00 AA 00 2F 95 4E 15 00 00 00 4E 00 00 00 5A 00 3A 00 D4 02 00 00 5E 45 49 46 20 00 4D 4F 5A 49 4C 4C 7E 31 2E 4C 4E 4B 00 00 3E 00 03 00 04 00 EF BE 5E 45 49 46 6C 45 D2 6B 14 00 00 00 4D 00 6F 00 7A 00 69 00 6C 00 6C 00 61 00 20 00 46 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 CA 01 00 00 34 00 31 00 00 00 00 00 5E 45 65 50 10 00 6D 62 61 72 00 00 20 00 03 00 04 00 EF BE 5E 45 63 50 5F 45 8D 55 14 00 00 00 6D 00 62 00 61 00 72 00 00 00 14 00 60 00 00 00 CA 01 00 00 2E 00 31 00 00 00 00 00 6C 45 4F 6C 10 00 4D 57 00 00 1C 00 03 00 04 00 EF BE 6C 45 48 6C 6C 45 4F 6C 14 00 00 00 4D 00 57 00 00 00 12 00 60 00 00 00 E6 00 00 00 3C 00 31 00 00 00 00 00 6A 45 6B 21 10 00 6F 64 62 67 31 31 30 00 26 00 03 00 04 00 EF BE
6A 45 F4 1A 6C 45 59 6C 14 00 00 00 6F 00 64 00 62 00 67 00 31 00 31 00 30 00 00 00 16 00 60 00 00 00 16 02 00 00 40 00 31 00 00 00 00 00 6C 45 84 6C 10 00 53 79 73 54 6F 6F 6C 73 00 00 28 00 03 00 04 00 EF BE 6C 45 73 6C 6C 45 84 6C 14 00 00 00 53 00 79 00 73 00 54 00 6F 00 6F 00 6C 00 73 00 00 00 18 00 15 00 00 00 02 00 00 00 3C 00 32 00 5F 38 1C 00 5E 45 EF 45 20 00 62 65 72 2E 72 61 72 00 26 00 03 00 04 00 EF BE 5E 45 EF 45 6C 45 AE 6B 14 00 00 00 62 00 65 00 72 00 2E 00 72 00 61 00 72 00 00 00 16 00 60 00 00 00 32 01 00 00 4E 00 32 00 78 ED 9C 00 5E 45 D0 51 20 00 48 49 54 4D 41 4E 7E 31 2E 45 58 45 00 00 32 00 03 00 04 00 EF BE 5E 45 C6 51 6A 45 87 28 14 00 00 00 48 00 69 00 74 00 6D 00 61 00 6E 00 50 00 72 00 6F 00 2E 00 65 00 78 00 65 00 00 00 1C 00 60 00 00 00 4E 00 00 00 5C 00 32 00 8B 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 31 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 E7 1A 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 33 00 32 0
0 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 9A 00 00 00 5C 00 32 00 97 02 00 00 6A 45 80 12 20 00 49 44 41 50 52 4F 7E 32 2E 4C 4E 4B 00 00 40 00 03 00 04 00 EF BE 6A 45 80 12 6A 45 F3 1E 14 00 00 00 49 00 44 00 41 00 20 00 50 00 72 00 6F 00 20 00 28 00 36 00 34 00 2D 00 62 00 69 00 74 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 02 00 00 00 52 00 32 00 CE 02 00 00 5E 45 74 83 20 00 4F 53 46 4F 52 45 7E 31 2E 4C 4E 4B 00 00 36 00 03 00 04 00 EF BE 5E 45 74 83 6A 45 12 59 14 00 00 00 4F 00 53 00 46 00 6F 00 72 00 65 00 6E 00 73 00 69 00 63 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 9A 00 00 00 66 00 32 00 97 01 00 00 5E 45 ED 46 20 00 53 48 4F 52 54 43 7E 31 2E 4C 4E 4B 00 00 4A 00 03 00 04 00 EF BE 5E 45 ED 46 6C 45 75 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 44 00 6F 00 77 00 6E 00 6C 00 6F 00 61 00 64 00 73 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 E6 00 00 00 62 00 32
00 8A 02 00 00 5E 45 58 47 20 00 53 48 4F 52 54 43 7E 32 2E 4C 4E 4B 00 00 46 00 03 00 04 00 EF BE 5E 45 58 47 6A 45 F3 1E 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 66 00 69 00 72 00 65 00 66 00 6F 00 78 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 15 00 00 00 32 01 00 00 60 00 32 00 DF 02 00 00 5E 45 A8 48 20 00 53 48 4F 52 54 43 7E 33 2E 4C 4E 4B 00 00 44 00 03 00 04 00 EF BE 5E 45 A8 48 6C 45 5A 6C 14 00 00 00 53 00 68 00 6F 00 72 00 74 00 63 00 75 00 74 00 20 00 74 00 6F 00 20 00 77 00 69 00 6E 00 64 00 62 00 67 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 60 00 00 00 7E 01 00 00 50 00 32 00 F1 85 3F 00 5F 45 09 56 20 00 54 44 53 53 4B 49 7E 31 2E 5A 49 50 00 00 34 00 03 00 04 00 EF BE 5F 45 09 56 6C 45 75 6C 14 00 00 00 74 00 64 00 73 00 73 00 6B 00 69 00 6C 00 6C 00 65 00 72 00 2E 00 7A 00 69 00 70 00 00 00 1C 00 15 00 00 00 7E 01 00 00 4C 00 32 00 00 CE 05 00 5E 45 3B 50 20 00 74 67 32 69 6A 6E 6A 69 2E 65 78 65 00 00 30 00 03 00 04 00 EF BE 5E 45
3A 50 5E 45 35 83 14 00 00 00 74 00 67 00 32 00 69 00 6A 00 6E 00 6A 00 69 00 2E 00 65 00 78 00 65 00 00 00 1C 00 AB 00 00 00 02 00 00 00 4C 00 31 00 00 00 00 00 6C 45 0F 6D 10 00 52 45 47 53 48 4F 7E 31 2E 30 00 00 32 00 03 00 04 00 EF BE 6C 45 0F 6D 6C 45 12 6D 14 00 00 00 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 31 00 2E 00 39 00 2E 00 30 00 00 00 1A 00 AB 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 07 00 00 00 06 00 00 00 08 00 00 00 02 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 08 00 00 00 06 00 00 00 02 00 00 00 07 00 00 00 01 00 00 00 05 00 00 00 04 00 00 00 03 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\6\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 00 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\7\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 23 70 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 23 70 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\27\Shell\ItemPos1280x720(1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 00 00 00 4E 00 31 00 00 00 00 00 6C 45 E9 6C 10 00 4C 4F 54 53 4F 46 7E 31 00 00 36 00 03 00 04 00 EF BE 6C 45 3C 6C 6C 45 E9 6C 14 00 00 00 4C 00 6F 00 74 00 73 00 20 00 6F 00 66 00 20 00 53 00 74 00 75 00 78 00 6E 00 65 00 74 00 00 00 18 00 DC 00 00 00 02 00 00 00 34 00 31 00 00 00 00 00 6C 45 51 6C 10 00 54 44 4C 34 00 00 20 00 03 00 04 00 EF BE 6C 45 4F 6C 6C 45 51 6C 14 00 00 00 54 00 44 00 4C 00 34 00 00 00 14 00 DC 00 00 00 02 00 00 00 00 00 00 00
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x00000049
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).left: 0x0000002C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x00000057
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).top: 0x0000003A
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x00000369
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).right: 0x0000034C
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x000002AF
HKU\S-1-5-21-515967899-1935655697-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\29\Shell\WinPos1280x720(1).bottom: 0x00000292
HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000002
HKU\S-1-5-21-515967899-1935655697-682003330-1003\SessionInformation\ProgramCount: 0x00000001
----------------------------------
Total changes: 150
----------------------------------
</code></pre>
<br />
23 keys deleted, 110 values deleted, 17 values modified: 150 changes in total.<br />
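As an added example (not the author's tooling), here is a small Python triage script for the Regshot-style report above: it parses the Keys/Values sections, groups the values under each Services key by service name, and flags any service registered as a kernel or file-system driver (Type 0x1/0x2) with boot or system start (Start 0x0/0x1), which is exactly how MRxCls and MRxNet appear in the diff; it also ROT13-decodes the UserAssist value names, which is how XP stores them. The embedded report is constructed from a handful of the lines above; the SID and the ExampleSvc entry are made up.<br />

```python
"""Triage a Regshot-style registry diff for newly registered kernel drivers.

Added example for this post, not the author's tooling: parses the report format
shown above, groups values under each Services key by service, and flags
kernel-driver Types with boot/system Start, which is how MRxCls and MRxNet are
registered. SAMPLE_REPORT is constructed; the SID and ExampleSvc are made up.
"""
import codecs
import re
from collections import defaultdict

SAMPLE_REPORT = r"""----------------------------------
Keys deleted: 3
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MRXCLS
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet
----------------------------------
Values deleted: 9
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxcls.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxCls\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\ImagePath: "\??\C:\WINDOWS\system32\Drivers\mrxnet.sys"
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Start: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\MRxNet\Type: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Type: 0x00000010
HKU\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Bjare\Qrfxgbc\ZJ\Ybgf bs Fghkarg\fazj\znyjner.rkr: 04 00 00 00 06 00 00 00 50 13 53 27 90 93 CA 01
----------------------------------
Total changes: 12
----------------------------------
"""

SECTION_RE = re.compile(r"^(Keys|Values) (added|deleted|modified): \d+$")
# Services\<name>\<value> directly under a control set; deeper keys (Enum\0) do not match.
SERVICE_RE = re.compile(
    r"^HKLM\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Services\\([^\\]+)\\([^\\]+)$",
    re.IGNORECASE)
USERASSIST_RE = re.compile(r"\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count\\(.+)$", re.IGNORECASE)

KERNEL_DRIVER_TYPES = {0x1, 0x2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
EARLY_STARTS = {0x0, 0x1}         # SERVICE_BOOT_START, SERVICE_SYSTEM_START


def parse_report(text):
    """Return {section name: [(path, value or None), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:
            continue
        if line.startswith("Total changes"):
            current = None
        elif SECTION_RE.match(line):
            current = line.split(":")[0]
            sections[current] = []
        elif current is not None and current.startswith("Values"):
            path, _, value = line.partition(": ")  # first ': ' separates path from data
            sections[current].append((path, value))
        elif current is not None:
            sections[current].append((line, None))
    return sections


def parse_dword(value):
    """'0x00000001' -> 1; None for strings, hex dumps and missing values."""
    return int(value, 16) if re.fullmatch(r"0x[0-9A-Fa-f]{8}", value) else None


def collect_services(sections):
    """Group Services values by service name: {'MRxCls': {'start': '0x...', ...}}."""
    services = defaultdict(dict)
    for name, entries in sections.items():
        if name.startswith("Values"):
            for path, value in entries:
                m = SERVICE_RE.match(path)
                if m:
                    services[m.group(1)][m.group(2).lower()] = value
    return services


def flag_kernel_drivers(services):
    """Return sorted (service, image path) for drivers that load at boot/system start."""
    findings = []
    for name, values in services.items():
        svc_type = parse_dword(values.get("type", ""))
        start = parse_dword(values.get("start", ""))
        if svc_type in KERNEL_DRIVER_TYPES and start in EARLY_STARTS:
            findings.append((name, values.get("imagepath", "").strip('"')))
    return sorted(findings)


def decode_userassist(sections):
    """XP stores UserAssist value names ROT13-encoded; return them decoded."""
    return [codecs.decode(m.group(1), "rot13")
            for entries in sections.values()
            for path, _ in entries
            for m in [USERASSIST_RE.search(path)] if m]


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(flag_kernel_drivers(collect_services(report)))
    print(decode_userassist(report))
```

Note that Regshot reports from the perspective of its first shot, so which section the new driver entries land in depends on the order the two snapshots were compared; the script reads every Values section rather than assuming "added".<br />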
<br />
Overall, there's a lot to this rootkit. I didn't go into the MRxCls configuration file decryption, the network changes and attack methods, the other zero-day flaws it used, etc., but even so you can see that this is a pretty sophisticated piece of malware. However, as we've now seen, its biggest downfall was its complete lack of protection against analysis.<br />
<br />
The only personal explanation I have for this is that the creator(s) were either rushed to get it done by some deadline, so they focused on the main code rather than on obfuscation, or they simply assumed it would never escape its original intended environment, so reverse engineering would never be a concern.<br />
<br />
<div style="text-align: left;">
<div style="text-align: left;">
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>References</b></u></span></span></div>
</div>
<br />
<a href="http://www.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf" target="_blank">Stuxnet Under the Microscope.</a><br />
<a href="http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx" target="_blank">Analyzing a Stuxnet Infection with the Sysinternals Tools.</a><br />
<br />
<b>BlackEnergy 2 (alias BlackEnergy Version 2) Live Debugging</b> (2014-10-30)<br />
<br />
Last night I took a quick look at BlackEnergy 2, a rootkit that surfaced in 2010. BlackEnergy 2 was essentially a rewrite of its predecessor, as it contains rootkit techniques, process injection, and encryption. Surprisingly for a now 'dated' rootkit, there's really not much accessible (or not buried) kernel-debugging/reversing documentation for it aside from what appeared when it was first surfacing. Miscellaneous information pops up across a very few Russian blogs/forums, but that's about it. <br />
<br />
There's a lot of additional lore behind the rootkit, but I really won't go into that. If you're interested about where the rootkit core came from before it was implemented into BlackEnergy 2, BlackReleaver is the answer!<br />
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>NT Corruption</b></u></span></span><br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b><br /></b></u></span></span>
<span style="font-size: small;"><span style="color: #0b5394;"><span style="color: black;">First off, we can view the corruption in ntoskrnl:</span></span></span><br />
<span style="font-size: small;"><span style="color: #0b5394;"><br /></span></span>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !chkimg -d -v nt
Searching for module with expression: nt
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: C:\Symbols\ntoskrnl.exe\41108004214780\ntoskrnl.exe
No range specified
Scanning section: .text
Size: 466369
Range to scan: 804d7580-80549341
804ded5a-804ded5d 4 bytes - <span style="background-color: yellow;">nt!KiBBTUnexpectedRange+8</span>
[ 00 ff 09 00:6b a0 c1 01 ]
804e59a1-804e59a5 5 bytes - nt!KeInsertQueueApc (+0x6c47) <span style="color: purple;">// Not malicious -- Malwarebytes.</span>
[ 8b ff 55 8b ec:e9 e4 45 4e 77 ]
Total bytes compared: 466369(100%)
Number of errors: <span style="color: red;">9 </span>
</code></pre>
<br />
<b>!chkimg </b>compares the current loaded executable with the version within the symbol store. This is a helpful command to detect corruptions with images, and especially helpful when dealing with rootkits. The <b>-d </b>parameter displays a summary of all mismatched areas. The <b>-v </b>parameter makes the information verbose. In this case, the <b>-v </b>parameter is optional.<br />
<br />
As shown above, <b>!chkimg </b>reports two mismatched ranges. We're interested in disassembling <b>nt!KiBBTUnexpectedRange+8</b>, but not <b>nt!KeInsertQueueApc (+0x6c47)</b>. As I commented above, <b>nt!KeInsertQueueApc (+0x6c47)</b> is related to the Chameleon technology from Malwarebytes. I had MWB ARK installed on this VM for testing purposes, so that is where it was coming from.<br />
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>nt!KiBBTUnexpectedRange+8 Disassembly - Healthy</b></u></span></span><br />
<br />
If we disassemble <b>nt!KiBBTUnexpectedRange+8</b> on a system not infected with BlackEnergy 2, we should expect similar results:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> u nt!KiBBTUnexpectedRange+8
nt!KiBBTUnexpectedRange+0x8:
804ded5a 00ff add bh,bh
804ded5c 0900 or dword ptr [eax],eax
804ded5e 0bc0 or eax,eax
804ded60 58 pop eax
804ded61 5a pop edx
804ded62 8bec mov ebp,esp
804ded64 89ae34010000 mov dword ptr [esi+134h],ebp
804ded6a 0f8490020000 je nt!KiFastCallEntry+0x8d (804df000)
</code></pre>
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>nt!KiBBTUnexpectedRange+8 Disassembly - Corrupted</b></u></span></span><br />
<br />
If we disassemble <b>nt!KiBBTUnexpectedRange+8</b> on a system that has been infected with BlackEnergy 2, we should expect similar results:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> u nt!KiBBTUnexpectedRange+8
nt!KiBBTUnexpectedRange+0x8:
804ded5a 6ba0c1010bc058 imul esp,dword ptr [eax-3FF4FE3Fh],58h
804ded61 5a pop edx
804ded62 8bec mov ebp,esp
804ded64 89ae34010000 mov dword ptr [esi+134h],ebp
804ded6a 0f8490020000 je nt!KiFastCallEntry+0x8d (804df000)
804ded70 8d15509b5580 <span style="background-color: yellow;">lea edx,[nt!KeServiceDescriptorTableShadow+0x10 (80559b50)]</span>
804ded76 8b4a08 mov ecx,dword ptr [edx+8]
804ded79 8b12 mov edx,dword ptr [edx]
</code></pre>
<br />
So, why do we have corruption in ntoskrnl and a corrupted <b>nt!KiBBTUnexpectedRange+8 </b>disassembly? It's a side effect of the rootkit creating additional 'fake' service tables. It does this by patching the per-thread service table pointer (the ETHREAD/KTHREAD ServiceTable field dumped below), which lets it point user threads at its own tables, and it keeps that pointer updated for newly created threads by registering a thread-creation notification with <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff559954%28v=vs.85%29.aspx" target="_blank"><b>PsSetCreateThreadNotifyRoutine</b></a>, etc.<br />
<br />
The main use behind creating fake service tables is it gives anti-rootkit software a much harder time (harder back in 2010, at least) detecting its presence. It doesn't just 'hook' and/or modify the SSDT (which as we know would be a big red flag), it instead creates its own fake service tables, and <i>then </i>hooks (acquires?) the following functions:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> NtDeleteValueKey
NtEnumerateValueKey
NtEnumerateKey
NtOpenKey
NtOpenProcess
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtSetContextThread
NtSetValueKey
NtSuspendThread
NtTerminateThread
NtWriteVirtualMemory
etc...
</code></pre>
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>KTHREAD Structure</b></u></span></span><br />
<br />
Given we're adding new/fake service tables, we need applications to be able to access them. This is done by using pointers as discussed above, which is accomplished in the KTHREAD Structure. Every single thread has a pointer to a ServiceTable which is ultimately set by <b>KeInitThread</b>. Additionally, if the thread requires GUI functions within the Shadow SSDT, <b>PsConvertToGuiThread</b> is called.<br />
<br />
We can dump the KTHREAD Structure:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> dt -v nt!_KTHREAD
struct _KTHREAD, 73 elements, 0x1c0 bytes
+0x000 Header : struct _DISPATCHER_HEADER, 6 elements, 0x10 bytes
+0x010 MutantListHead : struct _LIST_ENTRY, 2 elements, 0x8 bytes
+0x018 InitialStack : Ptr32 to Void
+0x01c StackLimit : Ptr32 to Void
+0x020 Teb : Ptr32 to Void
<span style="background-color: yellow;">+0x0e0 ServiceTable : Ptr32 to Void</span>
</code></pre>
<br />
At this point if you'd like to see the tables, you can use the following command:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> !for_each_thread ".echo Thread: @#Thread; dt nt!_kthread ServiceTable @#Thread"
</code></pre>
<br />
If you see anything other than <b>KeServiceDescriptorTable </b>or <b>KeServiceDescriptorTableShadow</b>, it's a new/fake ServiceTable.<br />
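As an added example (not part of the original post), here is a small Python triage helper for the check just described: it parses a constructed <b>!for_each_thread</b> walk plus a constructed <b>x nt!KeServiceDescriptorTable*</b> listing and flags every thread whose ServiceTable address is neither of the two genuine tables. All addresses in the sample text are made up for illustration.<br />

```python
import re

# Constructed WinDbg output (not captured from the post's VM; every
# address below is made up for illustration).
#
# 1) Where the two legitimate tables live, in the shape
#    "x nt!KeServiceDescriptorTable*" prints them.
SYMBOL_LISTING = """\
80552140          nt!KeServiceDescriptorTable = <no type information>
80559b40          nt!KeServiceDescriptorTableShadow = <no type information>
"""

# 2) The per-thread walk from the post:
#    !for_each_thread ".echo Thread: @#Thread; dt nt!_kthread ServiceTable @#Thread"
THREAD_WALK = """\
Thread: 823c8830
   +0x0e0 ServiceTable : 0x80552140 Void
Thread: 82191da8
   +0x0e0 ServiceTable : 0x80559b40 Void
Thread: 8210a3c8
   +0x0e0 ServiceTable : 0x81f3e008 Void
Thread: 820f7da8
   +0x0e0 ServiceTable : 0x80552140 Void
"""

SYMBOL_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+(nt!KeServiceDescriptorTable\w*)")
THREAD_RE = re.compile(r"^Thread:\s*(?:0x)?([0-9a-fA-F]{8})")
TABLE_RE = re.compile(r"ServiceTable\s*:\s*(?:0x)?([0-9a-fA-F]{8})")


def parse_known_tables(listing):
    """Map address -> symbol name for the genuine service descriptor tables."""
    tables = {}
    for line in listing.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            tables[int(m.group(1), 16)] = m.group(2)
    return tables


def parse_thread_tables(walk):
    """Return [(thread, service_table)] pairs from the !for_each_thread output.

    The .echo line names the thread; the dt line that follows carries the
    ServiceTable value for that thread."""
    pairs = []
    current = None
    for line in walk.splitlines():
        m = THREAD_RE.match(line)
        if m:
            current = int(m.group(1), 16)
            continue
        m = TABLE_RE.search(line)
        if m and current is not None:
            pairs.append((current, int(m.group(1), 16)))
    return pairs


def find_fake_tables(listing, walk):
    """Threads whose ServiceTable is neither KeServiceDescriptorTable nor
    KeServiceDescriptorTableShadow, i.e. candidates for a rootkit-made table."""
    known = parse_known_tables(listing)
    return [(t, s) for t, s in parse_thread_tables(walk) if s not in known]


if __name__ == "__main__":
    known = parse_known_tables(SYMBOL_LISTING)
    for thread, table in parse_thread_tables(THREAD_WALK):
        label = known.get(table, "UNKNOWN TABLE (possible fake ServiceTable)")
        print(f"thread {thread:08x}: ServiceTable {table:08x} -> {label}")
```

On a real system, paste the two debugger outputs in place of the constructed strings; a thread pointing at an unknown table is the thing to chase next with <b>dps</b> on that address.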
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>Registry Hiding</b></u></span></span><br />
<br />
In order to survive reboots, etc, it hides its registry entry. If you're using Windows' Registry Editor, it won't find the hidden entry. For example, here's our hidden service:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !ms_services
[205] | 0x01 | | <span style="background-color: yellow;">qtcst</span> | <span style="background-color: yellow;">qtcst</span> | <span style="color: red;">SERVICE_RUNNING</span> | \Driver\<span style="background-color: yellow;">qtcst</span>
</code></pre>
<br />
If we try and find <b>qtcst </b>with Registry Editor:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqwS0M11xKSEhCVbzPwUQNu35oYHVf0aGaLq6VpTa98fTIWRp-O6GTZIXFbQaqfqG2jI5YTebQc1WEmCl_CEz5i0NzSnZp09Xm884kJb_AGEG-f-xnzBv8afxluseoTo1-Cs0HJQbFXhyphenhyphenL/s1600/Registry+Editor+Hidden.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqwS0M11xKSEhCVbzPwUQNu35oYHVf0aGaLq6VpTa98fTIWRp-O6GTZIXFbQaqfqG2jI5YTebQc1WEmCl_CEz5i0NzSnZp09Xm884kJb_AGEG-f-xnzBv8afxluseoTo1-Cs0HJQbFXhyphenhyphenL/s1600/Registry+Editor+Hidden.png" height="163" width="320" /></a></div>
<br />
If, however, we use a third-party registry tool (any will probably work so long as it doesn't go through the Windows API calls the rootkit hooks):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-T0Tn4VC8ILRwVsnSpayWvxrNM-fBcUnkLtltXZP27rX-yG3b2PSw4Q-aUt2Skhq3bSqXJa1-EpUBzpEZ6zx1Jfx7PQChp3fBsdwAj77T1Z82fJe-Y3iCSKuqhPDuF0qH2NFfzCZiNeul/s1600/Hidden+Registry.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-T0Tn4VC8ILRwVsnSpayWvxrNM-fBcUnkLtltXZP27rX-yG3b2PSw4Q-aUt2Skhq3bSqXJa1-EpUBzpEZ6zx1Jfx7PQChp3fBsdwAj77T1Z82fJe-Y3iCSKuqhPDuF0qH2NFfzCZiNeul/s1600/Hidden+Registry.png" height="229" width="320" /></a></div>
<br />
We catch our culprit and the dropped driver red-handed. The driver renames after each reboot, so if you remove it and don't get the driver+registry entry at once, it'll just re-create with a different name.<br />
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>Main.dll</b></u></span></span><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> .exe SYS TMP cmd.exe /C b k e r n e l p l g _ d a t a getp v e r s i o n n a m e s l e e p f r e q c m d s p l u g i n s x%s_%X C:\ a d d r t y p e s e r v e r s i c m p _ a d d r b u i l d _
i d str.sys \drivers\ \ \ . \ \ \ . \ G l o b a l \ %s%s { 9 D D 6 A F A 1 - 8 6 4 6 - 4 7 2 0 - 8 3 6 B - E D C B 1 0 8 5 8 6 4 A } main.dll .bdata {3D5A1694-CC2C-4ee7-A3D5-A879A9E3A623}
POST %.2X & = bid nt %d cn ln id ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ Content-Type: application/x-www-form-urlencoded _TEST_ .dll user32.dll advapi32.dll
wininet.dll ws2_32.dll DispatchCommand DispatchEvent GetLastError GetCurrentProcessId ExitThread CloseHandle KERNEL32.dll wsprintfA USER32.dll CoCreateInstance CoInitializeEx ole32.dll
OLEAUT32.dll WS2_32.dll RtlUnwind InterlockedExchange VirtualQuery main.dll ConfAllocGetTextByNameA ConfAllocGetTextByNameW ConfGetListNodeByName ConfGetNodeByName ConfGetNodeTextA
ConfGetNodeTextW ConfGetPlgNode ConfGetRootNode DownloadFile PlgSendEvent RkLoadKernelImage RkProtectObject SrvAddRequestBinaryData SrvAddRequestStringData
</code></pre>
<br />
Main.dll is the payload that is injected via a trusted svchost process. As you can see, it contains a lot of readable strings, such as <b>str.sys</b>. We can see <b>str.sys </b>in action here:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLYHdqnTJwcWK7CL6q4ecGkS6fbWWZlOySRAzUDYT5SwFly4hlgFeNTTgJ_YDbXgugDN4eqTIcsA4xuYHMvLH_RduGL4wlcxVaU9Oi_-HoyoSiRgx40YvHBsoHIvKWD81-5fcrH3gWoush/s1600/str.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLYHdqnTJwcWK7CL6q4ecGkS6fbWWZlOySRAzUDYT5SwFly4hlgFeNTTgJ_YDbXgugDN4eqTIcsA4xuYHMvLH_RduGL4wlcxVaU9Oi_-HoyoSiRgx40YvHBsoHIvKWD81-5fcrH3gWoush/s1600/str.png" height="148" width="320" /></a></div>
<br />
Overall, this rootkit was certainly a step up from most SSDT hooking/modification rootkits at the time. It can be a pain in the ass to remove if you don't kill everything properly : )<br />
<br />
Thanks for reading. <br />
<br />
<span style="font-size: small;"><span style="color: #0b5394;"><u><b>References</b></u></span></span><br />
<br />
<a href="http://www.kernelmode.info/forum/viewtopic.php?f=16&t=42" target="_blank">Black Energy 2.1+</a><br />
<a href="http://www.secureworks.com/cyber-threat-intelligence/threats/blackenergy2/" target="_blank">BlackEnergy Version 2 Analysis</a><br />
<br />
<b>Rustock.B Live Debugging - SwishDbgExt, SysecLabs script.</b> (2014-10-10)<br />
<br />
Here we are, part two! I thought rather than doing a live debugging of runtime2 as I discussed in <a href="http://bsodanalysis.blogspot.com/2014/09/rootkit-debugging-runtime2-postmortem.html" target="_blank"><b>my last rootkit debugging post</b></a>, I'd debug a different rootkit. I chose Rustock.B (PE386) as it's a pretty notorious rootkit, and in my opinion is a lot of fun to debug. It's always a great learning experience to debug, reverse, and research things for yourself as well. I have a map of rootkits I want to debug and reverse as the weeks go by, so expect many more of these.<br />
<br />
Let's get started!<br />
<br />
First off, before we get into the fun debugging/reversal, what do we know about Rustock? We know <i>a lot!</i> It's a fairly dated rootkit, and has been reversed time and time again by researchers, etc. It's a great example to use when showing some of the neat things a rootkit can do. It was originally developed to distribute spam email, which was way back in the day. It was first discovered in 2006, and began to increase by a significant number in 2008. By mid 2010, it was one of the most known rootkit related threats (and arguably malware in general).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN9clQZ-heNya5JGEWfCLOaAHuGF6-7eQ3PD6gaAH4o6qXgamz8VrgTzGDoqJOnnVdIgu0EgH_n3Pi046b6xA5rw89Idf8jrR4o5OE9bsCeAlJU2uHTdI77186pm2F_456kCzEvLiDxETJ/s1600/rustock_works_fig_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN9clQZ-heNya5JGEWfCLOaAHuGF6-7eQ3PD6gaAH4o6qXgamz8VrgTzGDoqJOnnVdIgu0EgH_n3Pi046b6xA5rw89Idf8jrR4o5OE9bsCeAlJU2uHTdI77186pm2F_456kCzEvLiDxETJ/s1600/rustock_works_fig_1.png" height="165" width="320" /></a></div>
<br />
<div style="text-align: center;">
<i>(thanks to <a href="http://www.microsoft.com/security/assets/images/_security/SIR_v10/story/rustock_works_fig_1.png" target="_blank"><b>MSIR</b></a> for the image!)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Rustock has <i>three </i>encrypted components which we will discuss below, one at a time:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>Dropper Component</b></u></span> <span style="color: #0b5394; font-size: small;"></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The dropper is the bad guy, the guy nobody likes. Malware droppers have one primary job: once executed, install the specified malware. Malware writers can have their droppers do other things as well, which Rustock's of course does. They are called droppers because they essentially 'drop' the malware onto the target system.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Rustock's dropper runs specifically in user-mode, and decrypts/drops the rootkit component driver (our 3rd component, which we will discuss later on). Interestingly enough, during the rootkit's period of prevalence, the dropper also contacted a Command and Control (C&C) server to check for updates. C&C infrastructures vary in structure, but in most cases, and in the most basic definition, a C&C is used to send commands to, and receive output from, the machines that are part of a botnet.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1xZaUzu-Ag6eZ-eLdrkgHVlWpCdmOn3qBe5EdZZgzSE9rwEO8O3U7ZcxvGZ4JlWwk8GqK-CIJvsNTOEx5gFw7HTp1jAc-5XhmVENdxRmTCnnnMUmEhENDeSuii0DxYKN43y9YrU7OB0uu/s1600/rustock_works_fig_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1xZaUzu-Ag6eZ-eLdrkgHVlWpCdmOn3qBe5EdZZgzSE9rwEO8O3U7ZcxvGZ4JlWwk8GqK-CIJvsNTOEx5gFw7HTp1jAc-5XhmVENdxRmTCnnnMUmEhENDeSuii0DxYKN43y9YrU7OB0uu/s1600/rustock_works_fig_2.png" height="312" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: center;">
<i>(thanks again to <a href="http://www.microsoft.com/security/assets/images/_security/SIR_v10/story/rustock_works_fig_2.png" target="_blank"><b>MSIR</b></a> for the image!)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
In addition to contacting a C&C server, the<i> </i>dropper component also checks the registry to ensure that a previous Rustock infection hasn't already taken place so reinfection (which could cause obvious problems) doesn't happen. It checks the registry as there are keys which are installed when an infection takes place, such as PE386 (the key used to survive a reboot among other things).</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>Driver Installer Component</b></u></span> <span style="color: #0b5394; font-size: small;"></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Our second component is the driver installer, which runs in kernel-mode disguised as a Windows system driver (textbook rootkit behavior). Historically it replaces drivers such as <b>beep.sys </b>or <b>null.sys</b> with a copy, and then replaces it again once started. If this replacement method is unsuccessful, it falls back to a method I've seen far more often: the dropper instead uses a randomly-generated <i>or </i>hard-coded filename for the driver.<br />
<br />
Two hard-coded filenames have been <b>glaide32.sys</b> and <b>lzx32.sys</b>, with the latter being the most popular. As far as randomly-generated filenames go, <b>7005d59.sys</b> was the most typical. Older versions of the rootkit would install themselves to null shares to hide in a system driver, and then proceed to drop the installer as an alternate data stream (ADS) (<i>%Windir%\System32:lzx32.sys</i>, for example). Modern versions of the rootkit however use system service hooking.<br />
<br />
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>Rootkit Driver Component</b></u></span> </div>
<br />
Our third and final component is the rootkit driver, which runs in kernel-mode like the driver installer. As we discussed above regarding our first component, this component is decrypted by the dropper, which then allows the rootkit driver to inject a copy of its decrypted code into itself before transferring control over to the newly instantiated copy. The decryption is done inside a buffer allocated in kernel memory using <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff544501%28v=vs.85%29.aspx" target="_blank">ExAllocatePool</a>. This component specifically contains the code managing the backdoor functionality, such as the actual ability to contact the C&C server discussed above and to execute instructions sent by Rustock operators.<br />
<br />
The kernel-mode side of the rootkit communicates with its user-mode bot component (C&C, etc) using INT 2Eh interrupts for NT/2k (a bit different for XP), which will be shown in action coming up. Aside from communication, the rootkit component hid itself by hooking different SSDT functions such as:<br />
<br />
<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms725506%28v=vs.85%29.aspx" target="_blank">ZwQuerySystemInformation</a></li>
<li><a href="https://www.google.com/?gws_rd=ssl#q=ZwCreateKey" target="_blank">ZwCreateKey</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff567014%28v=vs.85%29.aspx" target="_blank">ZwOpenKey </a></li>
<li>...will discuss later.</li>
</ul>
<br />
It hid its network/disk operations by hooking ntoskrnl.dll and ntdll.dll functions, as well as various network drivers such as:<br />
<br />
<ul>
<li>tcpip.sys</li>
<li>wanarp.sys</li>
<li>ndis.sys</li>
</ul>
<br />
It hooked those network drivers to bypass firewalls and manipulate packets.<br />
<br />
In addition to the INT 2Eh interrupts being shown in action, I'll also be showing all of the various hooking, etc.<br />
<br />
Now that we've gotten some of the history and information out of the way, let's start with the debugging and reversal of the rootkit.<br />
<br />
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>Rootkit Debugging/Reversal</b></u></span> </div>
<br />
I had to go through a few hoops to create an environment in which Rustock.B could be properly examined. Unfortunately it wasn't as simple as executing it on an XP VM, although it wasn't excruciatingly painful to set up either. Also, for any amateur malware analysts who get curious (like me) and try to execute Rustock on Windows 7 x86 to see what will happen, it throws an access violation : ) Nothing too cool, unfortunately! I have however read reports saying it runs on the beta of Vista.<br />
<br />
After I had the basics done (isolated from host network, etc), I had to make three changes to get the rootkit to properly execute on an XP SP2 guest:<br />
<br />
<b>1. </b>Disable <i>both </i>Physical Address Extension (PAE) and Data Execution Prevention (DEP). This is easily done by modifying the <b>boot.ini </b>to look like the following:<br />
<br /></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> [boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft XP Home Edition" /execute /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft XP Home Edition, 1 core" /execute /fastdetect /NUMPROC=1
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft XP Home Edition, 4 cores" /execute /fastdetect /NUMPROC=4
</code></pre>
<br />
The <b>/execute</b> parameter is another way of saying <b>/noexecute=alwaysoff</b>, which disables DEP and PAE.<br />
<br />
<b>/fastdetect </b>parameter disables detection on all serial and parallel ports. It's not necessary in this case by any means, but it does allow for a slightly faster boot time. It's just a habit from the XP days : )<br />
<br />
<b>/NUMPROC=1 </b>and <b>/NUMPROC=4 </b>are almost self-explanatory, really. This parameter limits the OS at boot to either 1 core or 4 cores. In our case, Rustock (afaik) cannot execute on anything more than 2 cores, so I went with 1 for safety (thanks <a href="https://twitter.com/hFireF0X" target="_blank">EP_X0FF</a>). Here's what it looks like at the boot selection screen:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijbc7VL697_LS3zrwxkaeDJc7cbzyt2o7nsoEy8lGMnCUxDCuwqf5F_8apQ-ScUUkAkWtHs-vS0MFuEJfYPpLQe38O-R5jTny0R8t-UPhXtgwdRSlEfZm-SOMvfFJ2x7W1g_rAQ9rARklF/s1600/1+core.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijbc7VL697_LS3zrwxkaeDJc7cbzyt2o7nsoEy8lGMnCUxDCuwqf5F_8apQ-ScUUkAkWtHs-vS0MFuEJfYPpLQe38O-R5jTny0R8t-UPhXtgwdRSlEfZm-SOMvfFJ2x7W1g_rAQ9rARklF/s1600/1+core.png" height="176" width="320" /></a></div>
<br />
<b>2. </b>Uninstall VMware Tools, restart.<br />
<br />
<b>3 (optional). </b>Insert the following into the VM config file:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE" <span style="color: purple;">// Thwarts backdoor I/O checks.</span>
monitor_control.disable_directexec = "TRUE" <span style="color: purple;">// Thwarts descriptor table registers checks. VMware interprets each assembly instruction instead of the processor executing them.</span>
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
</code></pre>
<br />
After the above, Rustock executes as expected with no problems.<br />
<br />
One of the first things Rustock does, as discussed above, is create a registry subkey associated with a hidden service known as pe386. Using <a href="http://www.msuiche.net/2014/07/16/thats-so-swish/" target="_blank"><b>SwishDbgExt</b></a>, as in many earlier posts on this blog, we can dump the list of services on the system with the <b>!ms_services </b>command:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !ms_services
Implicit process is now 821ae9a0
Loading User Symbols
[209] | 0x01 | | <span style="background-color: yellow;">pe386</span>| <span style="color: red;">Win23 lzx</span> files loader | <span style="color: red;">SERVICE_RUNNING</span> | \Driver\<span style="background-color: yellow;">pe386 </span>
</code></pre>
<br />
As we can see, this successfully shows us our hidden service, and notes it is in fact running. With this said, we can confirm infection was a success.<br />
<br />
As we discussed above, older versions of Rustock use alternate data streams (ADS). It goes one step further and blocks access from NTFS.sys (NT File System driver) or FASTFAT.sys (FAT File System driver), so that they cannot directly communicate with the files in the data stream. It does this by hooking various file-system-related IRP functions that control create/delete operations on the ADS stream. Rustock often hooks <a href="http://msdn.microsoft.com/en-us/library/ff548336.aspx" target="_blank">IoCallDriver</a>, which sends an IRP to a given driver. We can see the filtering in action here:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> u poi(poi(iofcalldriver+2))
<span style="background-color: yellow;">f6fb9dae</span> 56 push esi
f6fb9daf 57 push edi
f6fb9db0 8bf9 mov edi,ecx
f6fb9db2 8b7708 mov esi,dword ptr [edi+8]
f6fb9db5 3b352ceefbf6 cmp esi,dword ptr ds:[0F6FBEE2Ch]
f6fb9dbb 7509 jne f6fb9dc6
f6fb9dbd 52 push edx
f6fb9dbe 57 push edi
</code></pre>
<br />
The <b>poi</b> operator dereferences a pointer. On XP, IofCallDriver begins with an indirect jump through a pointer, so <b>poi(iofcalldriver+2)</b> reads the address of that pointer cell out of the instruction, and the outer <b>poi</b> reads the function address stored in the cell; <b>u</b> then disassembles the code that is actually reached, which here is the hook rather than the kernel's own routine.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !address f6fb9dae
<span style="color: red;">address f6fb9dae not found in any known Kernel Address Range</span> ----
</code></pre>
<br />
The <b>!address </b>command is then run on the hook address to show the memory region's usage and attributes. Here the address is not found in any known kernel address range, meaning the code is not part of any loaded module, which is itself a strong sign of a hook.<br />
<br />
Rustock hooks IA32_SYSENTER_EIP (MSR 0x176) on XP (remember, INT 2Eh is used on NT/2k), which holds the kernel EIP that SYSENTER jumps to. SYSENTER is an Intel instruction that enables fast entry to the kernel, avoiding interrupt overhead. AMD's equivalent is SYSCALL, which does the same thing overall but operates a bit differently. In any case, as I discussed earlier in the post, this is what Rustock uses to communicate between user mode and kernel mode. Because the hook sits on the system call entry point, its code also runs every time a system call is made.<br />
<br />
As we have a modified SYSENTER handler, this is where SSDT functions labeled above come into play. This was done to intercept system calls on a <i>thread-level</i> basis rather than using KeServiceDescriptorTable to hook on a <i>global basis</i>.<br />
<br />
<b>1. </b><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff567014%28v=vs.85%29.aspx" target="_blank">ZwOpenKey's</a> API was modified so that whenever anything other than <b>services.exe </b>tries to obtain a handle to the pe386 key, it returns <a href="http://support2.microsoft.com/kb/2628582" target="_blank">STATUS_OBJECT_NAME_NOT_FOUND</a>. This was done to prevent unauthorized access to the pe386 key.<br />
<br />
<b>2. </b><a href="https://www.google.com/?gws_rd=ssl#q=ZwCreateKey" target="_blank">ZwCreateKey's</a> API was modified similarly to ZwOpenKey's: when any process other than <b>services.exe</b> tries to create a key named pe386, CreateKey returns the same error as OpenKey.<br />
<br />
<b>3.</b> <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms725506%28v=vs.85%29.aspx" target="_blank">ZwQuerySystemInformation's</a> API was modified to zero out the kernel-mode and user-mode CPU time for <b>services.exe</b> and add it to the first process in the process list (the System Idle process). This was done so that a user checking <b>services.exe </b>in Process Explorer would not see unusual CPU usage, which would raise red flags.<br />
<br />
We can check for the 0x176 hook manually and automatically using a script. Let's first view the manual way:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> rdmsr 0x176
msr[176] = <span style="background-color: yellow;">00000000`806ccc3d</span>
</code></pre>
<br />
The <b>rdmsr </b>command is used to view the state of a model-specific register (MSR).<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !address 806ccc3d
804d7000 - 00215000
Usage KernelSpaceUsageImage
ImageName ntoskrnl.exe
</code></pre>
<br />
Using our familiar <b>!address </b>command, we can see that to avoid easy hook detection, Rustock has the EIP address point into the same module as KiFastCallEntry (ntoskrnl.exe, or another variation of the NT kernel). I've seen ntkrnlpa.exe as well. A check that only asks whether the MSR points into the kernel image therefore passes; the hook only shows when the value is compared with the real address of KiFastCallEntry.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> dc 806ccc3d
806ccc3d 8ee6c2e9 4c444e76 485f4445 5f445241 ....<span style="background-color: yellow;">vNDLED_HARD</span>_
806ccc4d 4f525245 000a0d52 1c000000 4e000000 <span style="background-color: yellow;">ERROR</span>..........N
806ccc5d 41505f4f 5f534547 49415641 4c42414c O_PAGES_AVAILABL
806ccc6d 000a0d45 18000000 50000000 4c5f4e46 E..........PFN_L
806ccc7d 5f545349 52524f43 0d545055 1c00000a IST_CORRUPT.....
806ccc8d 4e000000 5f534944 45544e49 4c414e52 ...NDIS_INTERNAL
806ccc9d 5252455f 0a0d524f 24000000 50000000 _ERROR.....$...P
806cccad 5f454741 4c554146 4e495f54 4e4f4e5f AGE_FAULT_IN_NON
</code></pre>
<br />
<b>dc</b> displays memory as dwords <i>and </i>the corresponding ASCII characters. <b>d*</b> on its own simply means 'display memory'. I've discussed this command in a previous blog post, but I believe it was <b>dd</b> that I used in that scenario; <b>dd </b>is the same as <b>dc</b>, except it doesn't display the ASCII characters.<br />
<br />
By running this command on the address from MSR 0x176, we can see that Rustock replaced the <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff559010%28v=vs.85%29.aspx" target="_blank">FATAL_UNHANDLED_HARD_ERROR</a> string with malicious code that's ultimately used to execute various functions of the rootkit. Hilariously enough, this string is the name of a bug check code (0x4C).<br />
<br />
We can see where it performs a jump to its malicious code by further disassembling the MSR address. Unfortunately I forgot to bring the .txt file containing the WinDbg code, so I loaded up a snapshot and did the disassembly real quick to show in an image:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV1GS9hdAuXf7Ef4wsGr3UKlHcjiRe-zrVPdFbixs2nUOTG-HnT_jtmHpU45mt7FOvI6g-euYHBVD9rCLhHR3KYeWEs0yT5n5ZBCExQMb5dRmK1Ga7kmbQ-1HKftw6NkU_NH2ms8glmOlB/s1600/MSR+disassembly.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV1GS9hdAuXf7Ef4wsGr3UKlHcjiRe-zrVPdFbixs2nUOTG-HnT_jtmHpU45mt7FOvI6g-euYHBVD9rCLhHR3KYeWEs0yT5n5ZBCExQMb5dRmK1Ga7kmbQ-1HKftw6NkU_NH2ms8glmOlB/s1600/MSR+disassembly.png" height="190" width="320" /></a></div>
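The two commands above can be replayed offline. The following is an added example written for this post, not code from the post itself or from any of the tools it uses: it rebuilds memory from the <b>dc 806ccc3d</b> lines shown earlier, decodes the E9 (JMP rel32) that Rustock wrote over the bug check string to find where the hooked SYSENTER target jumps, checks the result against the ntoskrnl.exe range reported by <b>!address</b>, and models the <b>poi(poi(iofcalldriver+2))</b> chain from the IofCallDriver section. The addresses 804e3d50 (nt!IopfCallDriver) and f6fb9dae (the hook) come from the post; the addresses used for IofCallDriver itself and for its pointer cell are hypothetical placeholders, since the post does not show those bytes.<br />

```python
"""Rebuild memory from a WinDbg `dc` dump, decode the JMP Rustock planted at
the SYSENTER target, and model the poi(poi(IofCallDriver+2)) chain.
Added example; not code from the original post."""
import re
import struct

# `dc 806ccc3d` lines copied from the post (address, four dwords, ASCII).
DC_DUMP = """\
806ccc3d 8ee6c2e9 4c444e76 485f4445 5f445241 ....vNDLED_HARD_
806ccc4d 4f525245 000a0d52 1c000000 4e000000 ERROR..........N
806ccc5d 41505f4f 5f534547 49415641 4c42414c O_PAGES_AVAILABL
806ccc6d 000a0d45 18000000 50000000 4c5f4e46 E..........PFN_L
"""

# Loaded-module range from the post's `!address` output (ntoskrnl.exe).
KNOWN_MODULES = {"ntoskrnl.exe": (0x804D7000, 0x804D7000 + 0x215000)}

# Addresses for the IofCallDriver model.  IOPF_CALL_DRIVER and HOOK come from
# the post's clean and infected `u` output; the other two are hypothetical
# placeholders, since the post does not show IofCallDriver's own bytes.
IOPF_CALL_DRIVER = 0x804E3D50   # nt!IopfCallDriver (post, after removal)
HOOK = 0xF6FB9DAE               # hook entry point (post, infected)
IOF_CALL_DRIVER = 0x804E3D40    # hypothetical address of nt!IofCallDriver
P_IOF_CALL_DRIVER = 0x80540000  # hypothetical pointer cell the jmp reads

DC_LINE = re.compile(r"^([0-9a-f]{8})\s+((?:[0-9a-f]{8}\s+){1,4})")

def parse_dc(text):
    """Return {address: byte}.  `dc` prints each dword as one big hex number,
    but memory is little-endian, so every dword is re-packed with '<I'."""
    mem = {}
    for line in text.splitlines():
        m = DC_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        for word in m.group(2).split():
            for i, b in enumerate(struct.pack("<I", int(word, 16))):
                mem[addr + i] = b
            addr += 4
    return mem

def read_bytes(mem, addr, n):
    return bytes(mem[addr + i] for i in range(n))

def poi(mem, addr):
    """WinDbg's poi(): dereference a pointer-sized (4 bytes on x86) value."""
    return struct.unpack("<I", read_bytes(mem, addr, 4))[0]

def module_for(addr):
    """Name of the loaded module containing addr, or None (like `!address`)."""
    for name, (lo, hi) in KNOWN_MODULES.items():
        if lo <= addr < hi:
            return name
    return None

def decode_jmp_rel32(mem, addr):
    """If the byte at addr is E9 (JMP rel32), return the absolute target."""
    if mem.get(addr) != 0xE9:
        return None
    disp = struct.unpack("<i", read_bytes(mem, addr + 1, 4))[0]
    return (addr + 5 + disp) & 0xFFFFFFFF

def follow_sysenter_hook(hook_addr=0x806CCC3D):
    """Where does the code at the hooked IA32_SYSENTER_EIP jump to?"""
    mem = parse_dc(DC_DUMP)
    target = decode_jmp_rel32(mem, hook_addr)
    return {
        "first_bytes": read_bytes(mem, hook_addr, 5).hex(),
        "jmp_target": target,
        "hook_module": module_for(hook_addr),
        "target_module": None if target is None else module_for(target),
    }

def install_iofcalldriver(mem, pointer_value):
    """Constructed model of XP's IofCallDriver: FF 25 imm32 = jmp dword ptr [imm32].
    The pointer cell holds either the real IopfCallDriver or the hook."""
    stub = b"\xff\x25" + struct.pack("<I", P_IOF_CALL_DRIVER)
    mem.update(dict(enumerate(stub, IOF_CALL_DRIVER)))
    mem.update(dict(enumerate(struct.pack("<I", pointer_value), P_IOF_CALL_DRIVER)))

def resolve_iofcalldriver(mem):
    """poi(poi(iofcalldriver+2)): +2 skips FF 25, the first poi reads the cell's
    address out of the instruction, the second poi reads the cell's contents."""
    return poi(mem, poi(mem, IOF_CALL_DRIVER + 2))

if __name__ == "__main__":
    r = follow_sysenter_hook()
    print(f"bytes at 806ccc3d: {r['first_bytes']}  jmp -> {r['jmp_target']:08x} "
          f"(module: {r['target_module']})")
    for label, value in (("clean", IOPF_CALL_DRIVER), ("hooked", HOOK)):
        mem = {}
        install_iofcalldriver(mem, value)
        t = resolve_iofcalldriver(mem)
        print(f"{label}: IofCallDriver dispatches to {t:08x} (module: {module_for(t)})")
```

The decoded jump lands at f6fbb304, in the same f6fb.... region as the IofCallDriver hook that <b>!address</b> could not place in any known kernel range, while the hook itself sits inside ntoskrnl.exe; that contrast is what makes "is the target inside a loaded module" a useful second question after "is the entry point where it should be".<br />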
<br />
Now that we've seen how to view the 0x176 hook manually, let's view it automatically using another tool we've used before, the SysecLabs script:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !!display_current_msrs
###################################
# Model-Specific Registers (MSRs) #
###################################
Processor 00
IA32_P5_MC_ADDR msr[00000000] = 0
IA32_P5_MC_TYPE msr[00000001] = 0
IA32_MONITOR_FILTER_LINE_SIZE msr[00000006] = 0
IA32_TIME_STAMP_COUNTER *msr[00000010] = 000006ea`1ef96bef
IA32_PLATFORM_ID msr[00000017] = 0
IA32_APIC_BASE *msr[0000001B] = 00000000`fee00900
MSR_EBC_HARD_POWERON msr[0000002A] = 0
MSR_EBC_SOFT_POWERON msr[0000002B] = 0
MSR_EBC_FREQUENCY_ID msr[0000002C] = 0
IA32_BIOS_UPDT_TRIG msr[00000079] = 0
IA32_BIOS_SIGN_ID *msr[0000008B] = 00000028`00000000
IA32_MTRRCAP *msr[000000FE] = 00000000`00000508
IA32_SYSENTER_CS *msr[00000174] = 00000000`00000008
IA32_SYSENTER_ESP *msr[00000175] = 00000000`f8974000
<span style="color: blue;">IA32_SYSENTER_EIP *msr[00000176]</span> = -># <span style="color: red;">HOOK</span> #<- <span style="color: red;">00000000`806ccc3d</span> <span style="background-color: yellow;">nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x1f5c3d) (806ccc3d)</span> => <span style="color: purple;">Original : nt!KiFastCallEntry (804def6f)</span>
</code></pre>
<br />
In addition to hooking SYSENTER, it also hooks the Interrupt Descriptor Table (IDT). The IDT is used to properly respond to interrupts and exceptions. We can view the IDT with SwishDbgExt:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !ms_idt
|-----|-----|--------------------|--------------------------------------------------------|---------|--------|
| Cre | Idx | Address | Name | Patched | Hooked |
|-----|-----|--------------------|--------------------------------------------------------|---------|--------|
| 0 | 0 | 0xFFFFFFFF804DFBFF | nt!KiTrap00 | | No |
| 0 | 1 | 0xFFFFFFFF804DFD7C | nt!KiTrap01 | | No |
| 0 | 2 | 0x000000000000112E | *UNKNOWN* | | No |
| 0 | 3 | 0xFFFFFFFF804E015B | nt!KiTrap03 | | No |
| 0 | 4 | 0xFFFFFFFF804E02E0 | nt!KiTrap04 | | No |
| 0 | 5 | 0xFFFFFFFF804E0441 | nt!KiTrap05 | | No |
| 0 | 6 | 0xFFFFFFFF804E05BF | nt!KiTrap06 | | No |
| 0 | 7 | 0xFFFFFFFF804E0C33 | nt!KiTrap07 | | No |
| 0 | 8 | 0x0000000000001188 | *UNKNOWN* | | No |
| 0 | 9 | 0xFFFFFFFF804E1060 | nt!KiTrap09 | | No |
| 0 | 10 | 0xFFFFFFFF804E1185 | nt!KiTrap0A | | No |
| 0 | 11 | 0xFFFFFFFF804E12CA | nt!KiTrap0B | | No |
| 0 | 12 | 0xFFFFFFFF804E1530 | nt!KiTrap0C | | No |
| 0 | 13 | 0xFFFFFFFF804E1827 | nt!KiTrap0D | | No |
| 0 | 14 | 0xFFFFFFFF804E1F25 | nt!KiTrap0E | | No |
| 0 | 15 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 16 | 0xFFFFFFFF804E237F | nt!KiTrap10 | | No |
| 0 | 17 | 0xFFFFFFFF804E24BD | nt!KiTrap11 | | No |
| 0 | 18 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 19 | 0xFFFFFFFF804E262B | nt!KiTrap13 | | No |
| 0 | 20 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 21 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 22 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 23 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 24 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 25 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 26 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 27 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 28 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 29 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 30 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 31 | 0xFFFFFFFF806EDFD0 | *UNKNOWN* | | No |
| 0 | 42 | 0xFFFFFFFF804DF417 | nt!KiGetTickCount | | No |
| 0 | 43 | 0xFFFFFFFF804DF522 | nt!KiCallbackReturn | | No |
| 0 | 44 | 0xFFFFFFFF804DF6C7 | nt!KiSetLowWaitHighThread | | No |
| 0 | 45 | 0xFFFFFFFF804E0032 | nt!KiDebugService | | No |
| 0 | 46 | 0xFFFFFFFF806CCC38 | <span style="background-color: yellow;">nt!_NULL_IMPORT_DESCRIPTOR (nt+0x1f5c38)</span> | | <span style="color: red;">Yes</span> |
</code></pre>
<br />
As mentioned earlier, Rustock also hooks INT 2Eh to communicate between its user-mode and kernel-mode components. This is done specifically for older systems/hardware that don't support SYSENTER fast calls, where KiSystemService is the dispatcher <i>and </i>handler for system service calls coming from user mode. We can see the hook here:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !idt 2e
Dumping IDT:
<span style="color: red;">2e</span>: <span style="background-color: yellow;">806ccc38 nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x1f5c38)</span>
</code></pre>
<br />
On a healthy x86 system, if you dump IDT entry 2Eh, the only thing that should show is nt!KiSystemService. For example:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> !idt 2e
Dumping IDT: 823f7400
18b78dea0000002e: <span style="background-color: yellow;">8185c77e nt!KiSystemService </span>
</code></pre>
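The three manual checks above (<b>rdmsr 0x176</b>, <b>!idt 2e</b>, and <b>!address</b> on the result) can be replayed as one small detector over saved debugger output. This is an added example, not part of the original post and not the SysecLabs script: the transcripts are copied from the post's infected and clean runs, and the expected handler addresses (nt!KiFastCallEntry at 804def6f, nt!KiSystemService at 804deea6) are taken from the post's symbolised output for this particular kernel build.<br />

```python
"""Replay the post's manual SYSENTER / INT 2Eh hook checks over saved WinDbg
output.  Added example, not the post's or the SysecLabs script's code."""
import re

# ntoskrnl.exe range from the post's `!address` output.
NT_BASE, NT_SIZE = 0x804D7000, 0x215000

# Expected handlers as the debugger resolved them in the post's clean run.
# In a live session these come from symbol lookup (`x nt!KiFastCallEntry`),
# never from a hard-coded table, because they differ per kernel build.
EXPECTED = {
    "IA32_SYSENTER_EIP (msr 0x176)": ("nt!KiFastCallEntry", 0x804DEF6F),
    "IDT vector 0x2e": ("nt!KiSystemService", 0x804DEEA6),
}

# Transcripts copied from the post: the infected machine, then the healthy one.
INFECTED = """\
lkd> rdmsr 0x176
msr[176] = 00000000`806ccc3d
lkd> !idt 2e
Dumping IDT:
2e: 806ccc38 nt!_NULL_IMPORT_DESCRIPTOR <PERF> (nt+0x1f5c38)
"""
CLEAN = """\
lkd> rdmsr 0x176
msr[176] = 00000000`804def6f
lkd> !idt 2e
Dumping IDT:
2e: 804deea6 nt!KiSystemService
"""

MSR_RE = re.compile(r"msr\[176\]\s*=\s*([0-9a-f]{8})`([0-9a-f]{8})", re.I)
# `!idt 2e` prints either "2e: <addr>" or, on newer kernels, a long prefix
# ending in "2e:"; accept both.
IDT_RE = re.compile(r"^\s*[0-9a-f]*2e:\s+([0-9a-f]{8})", re.I | re.M)

def extract(transcript):
    """Pull the raw SYSENTER EIP and INT 2Eh handler addresses out of the text."""
    m = MSR_RE.search(transcript)
    i = IDT_RE.search(transcript)
    if m is None or i is None:
        raise ValueError("transcript lacks `rdmsr 0x176` or `!idt 2e` output")
    return {
        "IA32_SYSENTER_EIP (msr 0x176)": int(m.group(1) + m.group(2), 16),
        "IDT vector 0x2e": int(i.group(1), 16),
    }

def in_kernel_image(addr):
    return NT_BASE <= addr < NT_BASE + NT_SIZE

def classify(check, addr):
    """Three outcomes: clean; hooked to code outside the kernel image; or
    hooked to an address inside ntoskrnl that still is not the real handler
    (the Rustock case, which a module-range check alone would miss)."""
    name, expected = EXPECTED[check]
    if addr == expected:
        return "ok"
    if not in_kernel_image(addr):
        return "hooked: target outside ntoskrnl.exe"
    return "hooked: inside ntoskrnl.exe but not " + name

def audit(transcript):
    """Verdict per check for one saved debugger transcript."""
    return {check: classify(check, addr) for check, addr in extract(transcript).items()}

if __name__ == "__main__":
    for label, text in (("infected", INFECTED), ("clean", CLEAN)):
        for check, verdict in audit(text).items():
            print(f"{label:8} {check}: {verdict}")
```

The point of the third verdict is the one the post makes with <b>!address</b>: both of Rustock's entry points (806ccc3d and 806ccc38) fall inside ntoskrnl.exe, so only an exact comparison against the symbol the debugger resolves for the real handler exposes them.<br />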
<br />
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>Removal</b></u></span></span> <br />
<br />
These days, the removal of Rustock is extremely trivial. When I ran GMER, Rustock would inevitably cause it to hang. I imagined this would occur, even with the random .exe name. However, I tried something strange out of curiosity and it ended up working, which was to run it as owner. Before it successfully scanned without hanging, here's what it displayed:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg74RVtHYsoVQiZ-IiEHnvvSEUe4jSxImeM-Gj34AXd91XfyqpnShrQ8AwHJoswqQdB238LHlcfz1wK2Y9886tmNv3W-pP1eJ_0PqskpYkaMlzF3-Y-_Ono-_BPYhpHAlq6CsILGfhBDR-p/s1600/ugwdrpoc.sys+Access+Denied.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg74RVtHYsoVQiZ-IiEHnvvSEUe4jSxImeM-Gj34AXd91XfyqpnShrQ8AwHJoswqQdB238LHlcfz1wK2Y9886tmNv3W-pP1eJ_0PqskpYkaMlzF3-Y-_Ono-_BPYhpHAlq6CsILGfhBDR-p/s1600/ugwdrpoc.sys+Access+Denied.png" height="80" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgnuXXXgbnLIFfJBLzg0MkcO-fArh-xUbNXBUbey2T3HEVURYbj3OELgm8sMlS5DDk7Yu-u5Soh08ryI0ahF6yybNLsuhSuwo3OGTMgPmVixfPmq5ZhMCuNguYiZUP78f_pzvV7cdnpMHc/s1600/CreateFile+ugwdrpoc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgnuXXXgbnLIFfJBLzg0MkcO-fArh-xUbNXBUbey2T3HEVURYbj3OELgm8sMlS5DDk7Yu-u5Soh08ryI0ahF6yybNLsuhSuwo3OGTMgPmVixfPmq5ZhMCuNguYiZUP78f_pzvV7cdnpMHc/s1600/CreateFile+ugwdrpoc.png" /></a></div>
<br />
After pressing 'OK' for both, GMER successfully scanned. Here were the results: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJGuwMAqfowMKJtifkhB7Gvww8SxCVihUxLlLlgO1zHQ6qQP4QxOB1L9EUAg5ijpmzCWcFv_ErHuGbNpX1Qa35j3Gn1nmX_oeizzX7DjQG4faD3oYPGIMAy67763pYdvwHMA7NVAfQok7q/s1600/GMER+Infected+Files.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJGuwMAqfowMKJtifkhB7Gvww8SxCVihUxLlLlgO1zHQ6qQP4QxOB1L9EUAg5ijpmzCWcFv_ErHuGbNpX1Qa35j3Gn1nmX_oeizzX7DjQG4faD3oYPGIMAy67763pYdvwHMA7NVAfQok7q/s1600/GMER+Infected+Files.png" height="245" width="320" /></a></div>
<br />
We can see GMER detected the rootkit without too much issue, and we can also see our best friend pe386.<br />
<br />
Removal was pretty painless: all I had to do was kill and delete the service by right-clicking it within GMER, and also get rid of the process, library, and module. After a restart, live debugging showed completely opposite (and normal) results. I will show them below, one at a time.<br />
<br />
<br />
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>PE386</b></u></span> </div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxs9M8HQNWR7i8rySoj-5VszhcBSHrrtbTw1_NoOhc72Wb23es6rNyvYFOWmb0JhQvA1kCm2xximJnLRDt1bSjCUOTdIh2Hsv5wx3rsr96HrxbFm-xvzH4_vs-KucKSp9Cp9cHwJRJJusQ/s1600/Can't+find+PE386+After+Removal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxs9M8HQNWR7i8rySoj-5VszhcBSHrrtbTw1_NoOhc72Wb23es6rNyvYFOWmb0JhQvA1kCm2xximJnLRDt1bSjCUOTdIh2Hsv5wx3rsr96HrxbFm-xvzH4_vs-KucKSp9Cp9cHwJRJJusQ/s1600/Can't%2Bfind%2BPE386%2BAfter%2BRemoval.png" height="171" width="320" /></a></div>
<br />
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>IofCallDriver Hook</b></u></span> </div>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> u poi(poi(iofcalldriver+2))
nt!IopfCallDriver:
<span style="background-color: yellow;">804e3d50</span> fe4a23 dec byte ptr [edx+23h]
804e3d53 8a4223 mov al,byte ptr [edx+23h]
804e3d56 84c0 test al,al
804e3d58 0f8e8b860300 jle nt!IopfCallDriver+0xa (8051c3e9)
804e3d5e 8b4260 mov eax,dword ptr [edx+60h]
804e3d61 83e824 sub eax,24h
804e3d64 56 push esi
804e3d65 894260 mov dword ptr [edx+60h],eax
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !address 804e3d50
804d7000 - 00215000
Usage KernelSpaceUsageImage
ImageName ntoskrnl.exe
</code></pre>
<br />
<span style="color: #0b5394; font-size: small;"><u><b>SYSENTER Hook - Manual</b></u></span><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> rdmsr 0x176
msr[176] = <span style="background-color: yellow;">00000000`804def6f</span>
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> dc 804def6f
804def6f 000023b9 0f306a00 8ed98ea1 400d8bc1 .#...j0........@
804def7f 8bffdff0 236a0461 026a9c52 9d08c283 ....a.j#R.j.....
804def8f 01244c80 ff1b6a02 df030435 55006aff .L$..j..5....j.U
804def9f 8b575653 dff01c1d 8b3b6aff 000124b3 SVW......j;..$..
804defaf c733ff00 ffffff03 186e8bff ec83016a ..3.......n.j...
804defbf 9ced8148 c6000002 00014086 ec3b0100 H........@....;.
804defcf ff6e850f 6583ffff 46f6002c ae89ff2c ..n....e,..F,...
804defdf 00000134 fe37850f 5d8bffff 687d8b60 4.....7....]`.}h
</code></pre>
<br />
<span style="color: #0b5394; font-size: small;"><u><b>SYSENTER Hook - Script</b></u></span><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !!display_current_msrs
###################################
# Model-Specific Registers (MSRs) #
###################################
Processor 00
IA32_P5_MC_ADDR msr[00000000] = 0
IA32_P5_MC_TYPE msr[00000001] = 0
IA32_MONITOR_FILTER_LINE_SIZE msr[00000006] = 0
IA32_TIME_STAMP_COUNTER *msr[00000010] = 0000007f`ec25230f
IA32_PLATFORM_ID msr[00000017] = 0
IA32_APIC_BASE *msr[0000001B] = 00000000`fee00900
MSR_EBC_HARD_POWERON msr[0000002A] = 0
MSR_EBC_SOFT_POWERON msr[0000002B] = 0
MSR_EBC_FREQUENCY_ID msr[0000002C] = 0
IA32_BIOS_UPDT_TRIG msr[00000079] = 0
IA32_BIOS_SIGN_ID *msr[0000008B] = 00000028`00000000
IA32_MTRRCAP *msr[000000FE] = 00000000`00000508
IA32_SYSENTER_CS *msr[00000174] = 00000000`00000008
IA32_SYSENTER_ESP *msr[00000175] = 00000000`f8974000
<span style="color: blue;">IA32_SYSENTER_EIP</span> <span style="color: blue;">*msr[00000176]</span> = <span style="background-color: yellow;">00000000`804def6f nt!KiFastCallEntry (804def6f)</span>
</code></pre>
<br />
<span style="color: #0b5394; font-size: small;"><u><b>IDT Hook</b></u></span><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !ms_idt
|-----|-----|--------------------|--------------------------------------------------------|---------|--------|
| Cre | Idx | Address | Name | Patched | Hooked |
|-----|-----|--------------------|--------------------------------------------------------|---------|--------|
| 0 | 0 | 0xFFFFFFFF804DFBFF | nt!KiTrap00 | | No |
| 0 | 1 | 0xFFFFFFFF804DFD7C | nt!KiTrap01 | | No |
| 0 | 2 | 0x000000000000112E | *UNKNOWN* | | No |
| 0 | 3 | 0xFFFFFFFF804E015B | nt!KiTrap03 | | No |
| 0 | 4 | 0xFFFFFFFF804E02E0 | nt!KiTrap04 | | No |
| 0 | 5 | 0xFFFFFFFF804E0441 | nt!KiTrap05 | | No |
| 0 | 6 | 0xFFFFFFFF804E05BF | nt!KiTrap06 | | No |
| 0 | 7 | 0xFFFFFFFF804E0C33 | nt!KiTrap07 | | No |
| 0 | 8 | 0x0000000000001188 | *UNKNOWN* | | No |
| 0 | 9 | 0xFFFFFFFF804E1060 | nt!KiTrap09 | | No |
| 0 | 10 | 0xFFFFFFFF804E1185 | nt!KiTrap0A | | No |
| 0 | 11 | 0xFFFFFFFF804E12CA | nt!KiTrap0B | | No |
| 0 | 12 | 0xFFFFFFFF804E1530 | nt!KiTrap0C | | No |
| 0 | 13 | 0xFFFFFFFF804E1827 | nt!KiTrap0D | | No |
| 0 | 14 | 0xFFFFFFFF804E1F25 | nt!KiTrap0E | | No |
| 0 | 15 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 16 | 0xFFFFFFFF804E237F | nt!KiTrap10 | | No |
| 0 | 17 | 0xFFFFFFFF804E24BD | nt!KiTrap11 | | No |
| 0 | 18 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 19 | 0xFFFFFFFF804E262B | nt!KiTrap13 | | No |
| 0 | 20 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 21 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 22 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 23 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 24 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 25 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 26 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 27 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 28 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 29 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 30 | 0xFFFFFFFF804E225A | nt!KiTrap0F | | No |
| 0 | 31 | 0xFFFFFFFF806EDFD0 | *UNKNOWN* | | No |
| 0 | 42 | 0xFFFFFFFF804DF417 | nt!KiGetTickCount | | No |
| 0 | 43 | 0xFFFFFFFF804DF522 | nt!KiCallbackReturn | | No |
| 0 | 44 | 0xFFFFFFFF804DF6C7 | nt!KiSetLowWaitHighThread | | No |
| 0 | 45 | 0xFFFFFFFF804E0032 | nt!KiDebugService | | No |
| 0 | 46 | 0xFFFFFFFF804DEEA6 | <span style="background-color: yellow;">nt!KiSystemService</span> | | <span style="color: blue;">No</span> |
</code></pre>
<br />
<span style="color: #0b5394; font-size: small;"><u><b>INT 2Eh Hook</b></u></span><br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> lkd> !idt 2e
Dumping IDT:
2e: <span style="background-color: yellow;">804deea6 nt!KiSystemService </span>
</code></pre>
<br />
Thanks so much for reading, I hope you enjoyed!<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>References</b></u></span><br />
<br />
<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2006-070513-1305-99" target="_blank">Backdoor.Rustock.B (Symantec writeup)</a><br />
<a href="http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf" target="_blank">On the Cutting Edge: Thwarting Virtual Machine Detection</a><br />
<a href="http://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848" target="_blank">Malware 101 - Viruses</a><br />
<a href="http://www.reconstructer.org/papers/Hunting%20rootkits%20with%20Windbg.pdf" target="_blank">Hunting rootkits with Windbg (as always, for the great reference).</a><br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>Registers (x86)</b></u></span><br />
<i>Posted 2014-09-30.</i><br />
<br />
As I discussed towards the end of <a href="http://bsodanalysis.blogspot.com/2014/09/stacks-stacks-and-more-stacks.html" target="_blank"><b>my last post</b></a> regarding stacks, my next post was likely going to be about registers. Well, here we are! I had originally planned on discussing both x86 <i>and </i>x64 registers in a single post, but this posed two main problems. The first problem was this would have been a <i>very </i>long post! The second problem, which is a considerably larger one, is I don't know x64 assembly/architecture as much as I'd like to feel confident in making a post about it. The good news is whenever I am brushed up enough in regards to x64's architecture to write a detailed post, I can simply jump right in as I did all the dirty work right here in this post! Happy days.<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>Memory Hierarchy</b></u></span><br />
<br />
First off, it's important to discuss and understand what a register is. Before we get into that however, let's have a look at my favorite image of the memory hierarchy:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFhhTBBgAMKZ1H1RmTdjGfw-w3ZK-0n10Feu6GHm0_2Bzq7TJRUfpdm0zjKFngSK1hyEzXFEkl9uifYjTJ9HwuL37ypBLiagIj4mqqTdOPDSS5eiaFImtOcwVqQPNA4clE7niqzw9nyVys/s1600/Memory+Hierarchy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFhhTBBgAMKZ1H1RmTdjGfw-w3ZK-0n10Feu6GHm0_2Bzq7TJRUfpdm0zjKFngSK1hyEzXFEkl9uifYjTJ9HwuL37ypBLiagIj4mqqTdOPDSS5eiaFImtOcwVqQPNA4clE7niqzw9nyVys/s1600/Memory+Hierarchy.jpg" height="251" width="320" /></a></div>
<div style="text-align: center;">
<br />
<i>(thanks to <a href="http://cse1.net/" target="_blank"><b>COMPUTER SCIENCE E-1</b></a> for this great image)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
It's safe to say there are probably <i>thousands </i>of images regarding the memory hierarchy throughout CS books, documents, and presentations, but this one takes the cake for me! It's about as good as it visually gets for a hierarchy image, and although it doesn't display a few key points, I can do that myself right here in this post.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
What are the key points I'm talking about that are missing from this image? Well, going from bottom to top, we go from slowest to fastest; going from top to bottom, we go from fastest to slowest (in regards to read and write access time). It's absolutely imperative to also understand that the faster we get, the more expensive we get, and the slower we get, the less expensive we get (in regards to USD). With that now known, you can imagine that the read/write from a removable media device (such as USB) is slower than the read/write from your hard drive, but is less expensive.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
As this is a post strictly about registers, I won't go into the complexities and intricacies of each part of the hierarchy, and will instead focus on the registers themselves. As far as access time goes, let's compare registers and the hard drive as an example:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Registers </b>- 1-2<i>ns </i>(nanoseconds)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Hard Drive</b> - 5-20<i>ms </i>(milliseconds)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
-- These are rough numbers; the exact figures depend on the processor (and, for the drive, on the mechanics of the disk). </div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Cue the amazing Grace Hopper!</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/JEpsKnWZrJ8?feature=player_embedded' frameborder='0'></iframe></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Why are registers so fast? Registers are circuits (the register file) built into the CPU core itself and wired directly to the Arithmetic Logic Unit (ALU), which is widely considered the fundamental building block of a CPU. Nothing can sit closer to the execution units, so there is no bus transaction or cache lookup in the way: an operand in a register is available to the ALU in the same cycle it is needed. Also, a CPU's instruction set tends to work with registers more than it does with actual memory locations; on x86 most arithmetic instructions allow at most one memory operand, and the other must be a register.<br />
<br />
Speaking of clock cycles, here's a chart displaying the cycles regarding the memory hierarchy:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnMd8OZq6VKm99RXqrPmHB9vYfi0j-v1YC_EfhU0vxLnpv2qyaggQguedTI7IKVuWJLGhXeoR-q1LLGUSbQiW3giYT752VD2y4LNnSN6cw6H7t7EHsWWgCaJNS_SoBWHme9F6sB9lGzPmZ/s1600/Memory+Hierarchy+Clock+Cycles.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnMd8OZq6VKm99RXqrPmHB9vYfi0j-v1YC_EfhU0vxLnpv2qyaggQguedTI7IKVuWJLGhXeoR-q1LLGUSbQiW3giYT752VD2y4LNnSN6cw6H7t7EHsWWgCaJNS_SoBWHme9F6sB9lGzPmZ/s1600/Memory+Hierarchy+Clock+Cycles.jpg" height="151" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<i>(thanks to <a href="http://www.hlnand.com/site/ID/home" target="_blank"><b>HLNAND</b></a> for this great image)</i></div>
<br />
As we can see, a register only takes one clock cycle.<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>What is a register?</b></u></span><br />
<br />
Now that we understand the basics of the memory hierarchy and where registers sit in it, we can discuss what a register actually is! In its most basic definition, a register is a small, very fast storage location inside the processor that holds the data the processor is actively working on. There are many different registers and categories of registers, all of which do something slightly different, but you can generally break them down into two types. The first type is the General purpose register (GPR), which holds operands and results for whatever instruction is executing: the ALU reads its inputs from GPRs, performs the operation the instruction specifies (addition, subtraction, multiplication, etc.), and writes the result back into a GPR. What happens next is entirely up to the following instructions; the result can be stored back to memory, used as an address, compared against something else, and so on.<br />
<br />
The second type is the Special purpose register (SPR), which as the name implies has a specific meaning and purpose. For example, on IA-32 the stack pointer ESP is counted among the eight GPRs as far as instruction encoding goes, but in practice it's special-purpose: it always holds the address of the top of the current stack. PUSH and CALL decrement it and store at the new top, POP and RET read from the top and increment it, so the most recently pushed item always sits at the address ESP holds, with older items above it at higher addresses.<br />
<br />
It's important to note that at <i>every </i>clock tick the registers hold specific values, and a tick may update some of them, so a register's value may not be the same as it was before the tick. For example, when an interrupt fires, the CPU and the interrupt entry code save the current register values on the stack (on Windows this saved state is the trap frame), and they stay there while the Interrupt Service Routine (ISR) is executed by the CPU. Once the interrupt has been handled, the original register values are restored from the stack so the interrupted instruction stream continues exactly where it left off.<br />
<br />
What I described above is the register save/restore that happens on any interrupt or exception. The same mechanism applied to two different threads (save thread A's registers, load thread B's) is a context switch. Although unrelated, it's interesting to note that in some 0x101 (CLOCK_WATCHDOG_TIMEOUT) bug checks, depending on what actually caused them, you may need to understand this saved register state to properly debug.<br />
<br />
With all of the above said, there's about a dozen different ways I could go at this point. I could go on to talk about the register file, the many different and various categories of registers, etc. However, let's jump ahead to register renaming as that's a pretty important topic. <br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>Register Renaming</b></u></span><br />
<br />
Register renaming is a technique used in pipelined, out-of-order processors that deals with false data dependencies between instructions by renaming their register operands. The way it works is, the architectural register names (the user-visible registers, or more easily just known to us as 'the registers') are replaced with a fresh physical register (a new value name) for each instruction's destination operand, and each source operand is replaced with whichever physical register currently holds that architectural register's latest value.<br />
<br />
Thanks to register renaming, we can also successfully perform what is known as Out-of-order execution (OoOE). How exactly does it allow this? Register renaming eliminates the name dependencies between instructions entirely and leaves only the true dependencies. A true dependency occurs when an instruction needs the result of a <i>previous </i>instruction; that ordering can never be removed, because the value simply doesn't exist yet.<br />
<br />
Given the above is now explained, here's a good time to explain data hazards. Data hazards occur when instructions that exhibit data dependence touch the same data in different stages of a pipeline. Ignoring a data hazard produces a race condition: the results come out in an order other than the one the program specified. We have three main data hazards:<br />
<br />
<ul>
<li>Read-after-write (RAW), also known as a true dependency.</li>
</ul>
<ul>
<li>Write-after-read (WAR), also known as an anti-dependency.</li>
</ul>
<ul>
<li>Write-after-write (WAW), also known as an output dependency.</li>
</ul>
<br />
<b>1.</b> What is RAW? Let's take two instructions, l1 and l2, with l1 earlier in program order. A RAW hazard is when l2 tries to read a register before l1 has written it: l2 is referring to a result that l1 hasn't calculated or retrieved yet.<br />
<br />
<b>2. </b>What is WAR? Let's once again take l1 &amp; l2. A WAR hazard is when l2 tries to write a register before l1 has read it. This can only happen when the pipeline executes l2 concurrently with, or ahead of, l1; in strictly sequential execution l1's read always completes first, so there is nothing to go wrong. Only the register <i>name </i>is shared, not a value, which is why renaming can remove it.<br />
<br />
<b>3. </b>What is WAW? Taking l1 &amp; l2 one last time, a WAW hazard is when l2 writes a register before l1 writes it, so the register ends up holding l1's (older) result instead of l2's.<br />
<br />
With register renaming, the processor keeps a status bit for each renamed value indicating whether it has been produced yet, so two instructions can execute out of order whenever there is no true data dependency between them. Renaming removes WAR and WAW hazards entirely and, as discussed above, leaves RAW intact; RAW is handled by having the consuming instruction wait on that status bit.<br />
<br />
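To make the hazard bookkeeping concrete, here is an added example in C (my own illustration, not code from the post or from any real processor): a toy renamer with eight architectural names r0..r7 and a 32-entry physical register file. It counts RAW, WAR and WAW hazards in a constructed four-instruction stream, renames every destination to a fresh physical register, and counts again. The instruction stream, the register counts and the <b>rename_stream</b>/<b>count_hazards</b> helpers are all assumptions made for the illustration.<br />

```c
#include <stdio.h>

/* Added example (not from the post): a toy model of register renaming.
 * NARCH architectural names (r0..r7) are mapped onto NPHYS physical
 * registers; every destination write gets a fresh physical register, as a
 * Tomasulo-style renamer would do. Counting hazards before and after
 * shows that renaming removes WAR and WAW but must keep RAW. */

#define NARCH  8
#define NPHYS  32
#define MAXINS 16

struct ins {
    const char *op;
    int dst;      /* destination register id, -1 if the instruction writes none */
    int src[2];   /* source register ids, -1 if unused */
};

struct hazards { int raw, war, waw; };

/* Count hazards in program order. Register ids are whatever the caller
 * supplied: architectural names before renaming, physical after. */
static struct hazards count_hazards(const struct ins *p, int n)
{
    struct hazards h = {0, 0, 0};
    for (int j = 0; j < n; j++) {
        /* RAW: a source of j whose most recent producer is an earlier instruction. */
        for (int k = 0; k < 2; k++) {
            int s = p[j].src[k];
            if (s < 0) continue;
            for (int i = j - 1; i >= 0; i--)
                if (p[i].dst == s) { h.raw++; break; }
        }
        if (p[j].dst < 0) continue;
        for (int i = 0; i < j; i++) {
            /* WAW: an earlier instruction writes the same register j writes. */
            if (p[i].dst == p[j].dst) h.waw++;
            /* WAR: an earlier instruction still has to read the register j overwrites. */
            for (int k = 0; k < 2; k++)
                if (p[i].src[k] == p[j].dst) h.war++;
        }
    }
    return h;
}

/* Rename a stream. Sources take the physical register currently mapped to
 * their architectural name; each destination is allocated a fresh physical
 * register and the map is updated. Returns the number of physical registers
 * consumed, or -1 if the file ran out (a real core would stall here). */
static int rename_stream(const struct ins *in, struct ins *out, int n)
{
    int map[NARCH];
    int next = 0;
    for (int r = 0; r < NARCH; r++)   /* initial state: r_i lives in p_i */
        map[r] = next++;
    for (int j = 0; j < n; j++) {
        out[j] = in[j];
        for (int k = 0; k < 2; k++)
            if (in[j].src[k] >= 0) out[j].src[k] = map[in[j].src[k]];
        if (in[j].dst >= 0) {
            if (next >= NPHYS) return -1;
            map[in[j].dst] = next;
            out[j].dst = next++;
        }
    }
    return next;
}

/* Constructed sample stream with one of each hazard:
 *   0: mul r1, r2, r3
 *   1: add r4, r1, r5     RAW on r1 (needs 0)
 *   2: sub r1, r6, r7     WAW with 0, WAR with 1 (1 reads r1, 2 overwrites it)
 *   3: add r5, r1, r2     RAW on r1 (needs 2), WAR with 1 (1 reads r5)   */
static const struct ins sample[] = {
    { "mul", 1, { 2, 3 } },
    { "add", 4, { 1, 5 } },
    { "sub", 1, { 6, 7 } },
    { "add", 5, { 1, 2 } },
};
#define NSAMPLE ((int)(sizeof sample / sizeof sample[0]))

/* Run the sample through the renamer; fills in the hazard counts before and
 * after and returns the physical-register count, so a caller can check it. */
int demo_renaming(struct hazards *before, struct hazards *after)
{
    struct ins renamed[MAXINS];
    *before = count_hazards(sample, NSAMPLE);
    int used = rename_stream(sample, renamed, NSAMPLE);
    *after = count_hazards(renamed, NSAMPLE);
    for (int j = 0; j < NSAMPLE; j++)
        printf("%d: %s r%d, r%d, r%d  ->  %s p%d, p%d, p%d\n", j,
               sample[j].op, sample[j].dst, sample[j].src[0], sample[j].src[1],
               renamed[j].op, renamed[j].dst, renamed[j].src[0], renamed[j].src[1]);
    return used;
}

int main(void)
{
    struct hazards b, a;
    int used = demo_renaming(&b, &a);
    printf("before renaming: RAW=%d WAR=%d WAW=%d\n", b.raw, b.war, b.waw);
    printf("after renaming:  RAW=%d WAR=%d WAW=%d (%d physical registers used)\n",
           a.raw, a.war, a.waw, used);
    return 0;
}
```

Before renaming the stream has two RAW, two WAR and one WAW hazard; after renaming the two RAW hazards survive (each consumer now names exactly the physical register its producer writes) and the WAR/WAW counts drop to zero, which is what lets instruction 2 issue before instruction 1 has even read r1.<br />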
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRLXowgIgYL52E-cb6wKc077rJEPE4tawXkvuVoSxIvQgXapYnT5viFnjPTmFiB6R1cg1q_9G9CIb4-S6YRHVmPWlDNiTSvlVDo_Lc0UBuPaEF747hR9EqVQDCY5tYYPby6KwBVlGeZmuh/s1600/Register+Renaming.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRLXowgIgYL52E-cb6wKc077rJEPE4tawXkvuVoSxIvQgXapYnT5viFnjPTmFiB6R1cg1q_9G9CIb4-S6YRHVmPWlDNiTSvlVDo_Lc0UBuPaEF747hR9EqVQDCY5tYYPby6KwBVlGeZmuh/s1600/Register+Renaming.png" height="148" width="320" /></a></div>
<div style="text-align: center;">
<br />
<i>(Excerpt from the following <b>.<a href="http://people.ee.duke.edu/~sorin/ece252/lectures/4.2-tomasulo.pdf" target="_blank">pdf</a></b>)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
<span style="color: #0b5394; font-size: small;"><u><b>x86 Registers</b></u></span><br />
<br />
In WinDbg, by using the <b>r </b>command we can go ahead and dump the registers from the context of the thread that caused the crash. For example:<br />
<br /></div>
</div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> r
eax=818f4920 ebx=86664d90 ecx=818fb9c0 edx=000002d0 esi=818f493c edi=00000000
eip=818c07dd esp=a1e72cb0 ebp=a1e72ccc iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
</code></pre>
<br />
x86 (IA-32) has <i><b>eight </b></i>GPRs, which are:<br />
<br />
<ul>
<li>EAX</li>
<li>EBX</li>
<li>ECX</li>
<li>EDX</li>
<li>ESI</li>
<li>EDI</li>
<li>EBP</li>
<li>ESP</li>
</ul>
<br />
Great, so there's our eight GPRs. Now we can go ahead and break them down: <br />
<br />
<ul>
<li>E<span style="background-color: yellow;">A</span>X - The '<b>A</b>' in the EAX register implies it's the accumulator register for operands and results data. </li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">B</span>X - The '<b>B</b>' in the EBX register implies it's the pointer to the data in the DS segment. DS is the <i>current </i>data segment. It also means 'base register'.</li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">C</span>X - The '<b>C</b>' in the ECX register implies it's the counter for storing loop and string operations. </li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">D</span>X - The '<b>D</b>' in the EDX register implies it's the I/O pointer. </li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">SI</span> - The '<b>SI</b>' in the ESI register implies it's the Source Index, which is a pointer to data in the segment pointed to by the DS register. </li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">DI</span> - The '<b>DI</b>' in the EDI register implies it's the Destination Index, which is a pointer to data (or a destination) in the segment pointed to by the ES register. It's essentially the counterpart to the ESI register, for lack of a better word. </li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">BP</span> - The '<b>BP</b>' in the EBP register implies it's the Base Pointer, which is the pointer to data on the stack. </li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">SP</span> - The '<b>SP</b>' in the ESP register implies it's the Stack Pointer, which holds the address of the last item pushed on the stack (the current top of stack).</li>
</ul>
<br />
Whew, alright! So there's just a few things I'd like to quickly explain as well as we haven't covered all of the bases:<br />
<br />
<ul>
<li>E<span style="background-color: yellow;">AX</span> - The '<b>AX</b>' in the EAX register addresses <i>only </i>the lower 16 bits of the register, and AH and AL address the upper and lower 8 bits of AX respectively. The same applies to EBX/BX/BH/BL, ECX and EDX, and SI, DI, BP and SP name the 16-bit halves of the index and pointer registers. If we were to reference all 32 bits, we'd use all of EAX, and not just AX.</li>
</ul>
<ul>
<li>E<span style="background-color: yellow;">IP</span> - I didn't forget this guy, don't worry! The '<b>IP</b>' in the EIP register implies it's the Instruction Pointer, which can also be called the 'program counter'. It contains the offset in the current code segment of the <i>next </i>instruction that will be executed. It's also interesting to note that EIP cannot be read or written by software as an ordinary operand; it is only changed implicitly by control-transfer instructions such as JMP, CALL, JC, and RET, and by interrupts and exceptions. (The classic way to read it anyway is a CALL to the very next instruction followed by a POP, which retrieves the return address CALL just pushed.)</li>
</ul>
<br />
Okay, so I can't mention control-transfer instructions and then not explain them. I mean, I could... but I wouldn't be happy. Control-transfer instructions specifically control the flow of program execution. There are quite a few control-transfer instructions, but I will discuss the ones I mentioned that can directly access EIP:<br />
<br />
<ul>
<li>JMP - Jump. JMP transfers program control to a different point in the instruction stream without recording any return information. The destination operand specifies the address of the instruction being jumped to. This operand can be an immediate value, a GPR, or a memory location. The JMP instruction can be used to actually execute four different types of jumps:</li>
</ul>
<blockquote class="tr_bq">
<b>1. </b>Near jump - A jump to an instruction within the segment currently pointed to by the CS register. It can also at times be referred to as an intrasegment jump.<br />
<br />
<b>2. </b>Short jump - A type of near jump whose target is encoded as an 8-bit signed displacement, so the range is limited to <i>-128</i> to <i>+127</i> bytes from the EIP value of the instruction following the jump.<br />
<br />
<b>3. </b>Far jump - A jump to an instruction that's located in a different segment than the current code segment, but at the same privilege level (a far JMP can never raise privilege; that takes a call gate via CALL, or an interrupt/exception). It can also at times be referred to as an intersegment jump.<br />
<br />
<b>4. </b>Task switch - A jump to an instruction that's located in a different task. Note that a task switch can only be accomplished in <i>protected-mode</i>. Not to fly too far off the handle here, but protected-mode is necessary to explain; since it's a bit large, I'll cover it below in a short while.</blockquote>
<ul>
<li>CALL - Call procedure. CALL pushes the return address (the address of the instruction following the CALL itself) onto the hardware-supported stack in memory, and then performs an unconditional jump to the code location indicated by its operand. Unlike the simple jump instructions I listed above, the call instruction saves the location to return to when the subroutine completes. </li>
</ul>
<ul>
<li>JC - Jump if carry flag (CF) is set. This is a conditional transfer, so EIP is only changed when the condition holds; the other Jcc instructions (JZ, JNE, JL, JA and friends) work the same way off other EFLAGS bits. </li>
</ul>
<ul>
<li>Ret - Return. This instruction pops the return address off the stack, which is usually placed there by a CALL instruction as discussed above, straight into EIP, so execution resumes at the instruction after the CALL. For example:</li>
</ul>
<blockquote class="tr_bq">
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> call my_proc      ; push the address of the next instruction, then jump to my_proc
 ...               ; execution resumes here once my_proc returns
my_proc:
 ...
 ret               ; pop that return address into EIP
</code></pre>
</blockquote>
I mentioned <span style="background-color: yellow;">inter</span>segment/<span style="background-color: yellow;">intra</span>segment jumps above. Intersegment jumps can transfer control to a statement in a different code segment, while intrasegment jumps are always between statements in the same code segment.<br />
<br />
Now that we have the above control-transfer instructions explained, let's discuss protected-mode as I mentioned above. Before further discussing protected-mode and the similarly named but very different real-mode, we'll need to do a bit of a history lesson.<br />
<br />
<i>Way </i>before my time, back in 1978, Intel's 16-bit 8086 processor was released. It was 16-bit because its internal registers and its internal/external data buses were 16 bits wide. A <i>20-bit </i>external address bus meant this beast could address a whopping 1 MB of memory! 1 MB may not seem like anything these days, but it was actually considered more than overkill around this time. Because offsets are only 16 bits wide, a single segment could span a mere 64 KB of that; the full 1 MB was reached by combining a 16-bit segment register with the 16-bit offset (segment * 16 + offset).<br />
<br />
There were two problems here:<br />
<br />
<b>1. </b>Programming over 64 KB boundaries meant adjusting segment registers.<br />
<br />
<b>2. </b>As time went on, applications were being released that made this mere 64 KB seem like the measly number it is today.<br />
<br />
What was the saving grace? Intel's 80286 processor was released in 1982! Well, what's so great about this processor that solved the above two problems? The 80286 processor had two operating modes, as opposed to the 8086 which only had one. The operating modes were:<br />
<br />
<b>1. </b>Real-Mode (backwards compatible 8086 mode).<br />
<br />
<b>2. </b>Protected-Mode.<br />
<br />
The 80286 processor had a 24-bit address bus, which could address up to 16 MB! That's 15 more MB than its predecessor. There's too much good stuff here, so let's discuss the problems. The problems were certainly problems, and they were considerably big ones:<br />
<br />
- DOS apps couldn't easily be ported to protected-mode, since most, if not all, DOS apps were written against real-mode segment:offset addressing, which doesn't work once segment registers hold selectors instead of addresses.<br />
<br />
- The 80286 processor couldn't revert to the backwards-compatible real-mode without a CPU reset. In 1984 IBM worked around this in the PC/AT by having the keyboard controller pulse the CPU's reset line, with the BIOS checking a shutdown status byte in CMOS on restart so it could resume rather than reboot. This method, while certainly a feat, posed quite the performance penalty. Later on it was discovered that deliberately causing a triple fault was a much faster and cleaner way to force the reset, but there was still no 'painless' method of transition.<br />
<br />
With the above said, the successor was released, which is the 80386. The 80386 had a 32-bit address bus, which allowed for 4 GB of memory access. 1 MB > 16 MB > 4 GB, quite the increase! In addition, segment offsets and limits became 32 bits wide, so a single flat segment can cover the full 4 GB address space and there is no need to switch between multiple segments to reach it.<br />
<br />
Whew! With all of this known, what is protected-mode actually so great for at this point? Protected-mode gives us virtual memory, paging, privilege levels, hardware-checked segment limits, and (from the 80386 on) the ability to finally switch back to real-mode painlessly by clearing the PE bit, without a CPU reset.<br />
<br />
How do we actually get into protected-mode? The Global Descriptor Table (GDT) needs to be created with a minimum of three entries: a null descriptor, a code segment descriptor, and a data segment descriptor. With interrupts disabled (there is no IDT to serve them yet), the GDT is loaded with LGDT, the PE bit (bit 0) is set in the CR0 register, and a far JMP is made that loads CS with the new code-segment selector and clears the prefetch input queue (PIQ), so the next instruction is fetched and decoded as protected-mode code. If you want memory above 1 MB you also need the A20 line enabled first.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <span style="color: purple;">; NASM syntax, still executing as 16-bit real-mode code</span>
 <span style="color: blue;">cli</span>                      <span style="color: purple;">; no interrupts until an IDT exists</span>
 <span style="color: blue;">lgdt</span> [gdtr]              <span style="color: purple;">; gdtr: 16-bit limit + 32-bit base of the 3-entry GDT</span>
 <span style="color: purple;">; Set PE bit (bit 0 of CR0)</span>
 <span style="color: blue;">mov</span> <span style="color: #b45f06;">eax</span>, <span style="color: #b45f06;">cr0</span>
 <span style="color: blue;">or</span> <span style="color: #b45f06;">eax</span>, <span style="color: red;">1</span>
 <span style="color: blue;">mov</span> <span style="color: #b45f06;">cr0</span>, <span style="color: #b45f06;">eax</span>
 <span style="color: purple;">; Far JMP with the new selector: 0x08 = GDT index 1 (the code descriptor), RPL 0. Loading CS flushes the prefetch queue; the old real-mode CS value would not work here.</span>
 <span style="color: blue;">jmp</span> <span style="color: red;">0x08</span>:pm_entry
 [bits 32]
pm_entry:
 <span style="color: purple;">; Now in protected-mode :) Reload the data selectors (0x10 = GDT index 2) before touching memory or the stack.</span>
 <span style="color: blue;">mov</span> <span style="color: #b45f06;">ax</span>, <span style="color: red;">0x10</span>
 <span style="color: blue;">mov</span> <span style="color: #b45f06;">ds</span>, <span style="color: #b45f06;">ax</span>
 <span style="color: blue;">mov</span> <span style="color: #b45f06;">ss</span>, <span style="color: #b45f06;">ax</span>
</code></pre>
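As an added example, here is the segmentation arithmetic from both sides of the 8086/286 divide in C (my own illustration, not code from the post): real-mode segment*16+offset with the 1 MB wrap, and the three-entry GDT (null, flat code, flat data) that the switch above needs, encoded bit-for-bit the way the 80386 reads descriptors, plus the limit check the CPU applies to every access. The helper names, the 0x08/0x10 selectors and the test base 0x12345678 are assumptions for the example.<br />

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the post): the two addressing schemes the history
 * above contrasts, done in C so the numbers can be checked. Part one is the
 * 8086's segment:offset arithmetic; part two builds the minimal three-entry
 * GDT (null, code, data) that the protected-mode switch needs and decodes
 * descriptors back into base/limit the way the 286/386 does. */

/* 8086 real mode: physical = segment * 16 + offset, 20 bits wide. Because
 * the offset is 16 bits, one segment reaches at most 64 KB. FFFF:0010 and
 * up wrap to address 0 on an 8086; with the A20 line enabled (286+) they
 * reach the 64 KB just above 1 MB instead. */
static uint32_t real_mode_phys(uint16_t seg, uint16_t off, int a20_enabled)
{
    uint32_t phys = ((uint32_t)seg << 4) + off;
    return a20_enabled ? phys : (phys & 0xFFFFF);
}

/* Protected mode: an 8-byte segment descriptor, laid out as the hardware
 * expects it (fields are split for 286 backward compatibility):
 *   bits  0-15  limit[15:0]          bits 16-39  base[23:0]
 *   bits 40-47  access byte          bits 48-51  limit[19:16]
 *   bits 52-55  flags (AVL,L,D/B,G)  bits 56-63  base[31:24] */
static uint64_t make_descriptor(uint32_t base, uint32_t limit, uint8_t access, uint8_t flags)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFF);
    d |= (uint64_t)(base & 0xFFFF) << 16;
    d |= (uint64_t)((base >> 16) & 0xFF) << 32;
    d |= (uint64_t)access << 40;
    d |= (uint64_t)((limit >> 16) & 0xF) << 48;
    d |= (uint64_t)(flags & 0xF) << 52;
    d |= (uint64_t)((base >> 24) & 0xFF) << 56;
    return d;
}

static uint32_t desc_base(uint64_t d)
{
    return (uint32_t)(((d >> 16) & 0xFFFFFF) | (((d >> 56) & 0xFF) << 24));
}

/* Limit in bytes. With G=1 (bit 55) the 20-bit limit counts 4 KB pages. */
static uint32_t desc_limit_bytes(uint64_t d)
{
    uint32_t lim = (uint32_t)((d & 0xFFFF) | (((d >> 48) & 0xF) << 16));
    int g = (int)((d >> 55) & 1);
    return g ? ((lim << 12) | 0xFFF) : lim;
}

/* The limit check the CPU performs on every memory reference in protected
 * mode; exceeding it raises #GP instead of silently wrapping like real mode. */
static int offset_in_segment(uint64_t d, uint32_t off)
{
    return off <= desc_limit_bytes(d);
}

/* Selector layout: GDT index in bits 3+, TI in bit 2, RPL in bits 0-1. */
#define CODE_SEL 0x08
#define DATA_SEL 0x10
static int selector_index(uint16_t sel) { return sel >> 3; }

/* The minimal GDT the text describes: null, flat 4 GB ring-0 code, flat
 * 4 GB ring-0 data. Access 0x9A = present, DPL 0, code, execute/read;
 * 0x92 = present, DPL 0, data, read/write. Flags 0xC = G=1, D/B=1 (32-bit). */
static void build_flat_gdt(uint64_t gdt[3])
{
    gdt[0] = 0;                                      /* selector 0 is never valid */
    gdt[1] = make_descriptor(0, 0xFFFFF, 0x9A, 0xC); /* selector 0x08 */
    gdt[2] = make_descriptor(0, 0xFFFFF, 0x92, 0xC); /* selector 0x10 */
}

int main(void)
{
    uint64_t gdt[3];
    build_flat_gdt(gdt);
    printf("FFFF:0010 -> %05x (8086 wrap), %06x (A20 enabled)\n",
           real_mode_phys(0xFFFF, 0x0010, 0), real_mode_phys(0xFFFF, 0x0010, 1));
    for (int i = 0; i < 3; i++)
        printf("GDT[%d] = %016llx base=%08x limit=%08x\n", i,
               (unsigned long long)gdt[i], desc_base(gdt[i]), desc_limit_bytes(gdt[i]));
    return 0;
}
```

The two flat descriptors come out as the well-known values 00CF9A000000FFFF and 00CF92000000FFFF, and a 64 KB descriptor without the G bit rejects offset 0x10000 where real mode would have silently wrapped.<br />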
<br />
So we got to most of the registers from the x86 register dump excerpt, but we're missing these ones:<br />
<b><br /></b>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> nv up ei pl nz na pe nc
</code></pre>
<br />
These are the <i>current </i>contents of the EFLAGS register, the x86 status register (32 bits wide, of which 17 are defined flags), decoded by WinDbg into two-letter mnemonics. The efl=00000206 value in the dump says the same thing in hex: bit 2 (PF) and bit 9 (IF) are set, and bit 1 is a reserved bit that always reads as 1.<br />
<br />
<ul>
<li>nv - No overflow: OF=0 ('ov' when set). </li>
</ul>
<ul>
<li>up - Up: direction flag clear, DF=0, so string instructions step ESI/EDI forward ('dn' when set). </li>
</ul>
<ul>
<li>ei - Enable interrupt: IF=1, maskable interrupts are enabled ('di' when clear). </li>
</ul>
<ul>
<li>pl - Plus: sign flag clear, SF=0, the last result was non-negative ('ng' when set). </li>
</ul>
<ul>
<li>nz - Not zero: ZF=0 ('zr' when set). </li>
</ul>
<ul>
<li>na - No auxiliary carry: AF=0 ('ac' when set). </li>
</ul>
<ul>
<li>pe - Parity even: PF=1, the low byte of the last result has an even number of 1 bits ('po' when clear). </li>
</ul>
<ul>
<li>nc - No carry: CF=0 ('cy' when set).</li>
</ul>
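As an added example (not from the post), here is a small C decoder that turns an efl value into the mnemonics above and answers the question that usually follows in a debugging session, 'would this Jcc have been taken?'. The function names are my own; the bit positions are the Intel EFLAGS layout and the spellings are WinDbg's. It also includes a sanity check for a context that has been overwritten, since the reserved bits of a real EFLAGS value are fixed.<br />

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the post): decode an EFLAGS value into the
 * mnemonics the WinDbg r command prints, and evaluate a few Jcc conditions
 * against it. Bit positions are the Intel SDM's EFLAGS layout. */
enum { CF = 0, PF = 2, AF = 4, ZF = 6, SF = 7, TF = 8, IF = 9, DF = 10, OF = 11 };

/* WinDbg's order and spelling: mnemonic when the bit is set, then when clear. */
static const struct { int bit; const char *set, *clear; } windbg_flags[] = {
    { OF, "ov", "nv" }, { DF, "dn", "up" }, { IF, "ei", "di" }, { SF, "ng", "pl" },
    { ZF, "zr", "nz" }, { AF, "ac", "na" }, { PF, "pe", "po" }, { CF, "cy", "nc" },
};
#define NFLAGS ((int)(sizeof windbg_flags / sizeof windbg_flags[0]))

/* Render efl the way "r" does, e.g. 0x206 -> "nv up ei pl nz na pe nc".
 * buf needs room for 8 two-letter mnemonics, 7 spaces and a NUL (24 bytes). */
static const char *decode_eflags(uint32_t efl, char *buf, size_t len)
{
    size_t used = 0;
    if (len < 24) { if (len) buf[0] = '\0'; return buf; }
    for (int i = 0; i < NFLAGS; i++) {
        const char *m = ((efl >> windbg_flags[i].bit) & 1) ? windbg_flags[i].set
                                                          : windbg_flags[i].clear;
        if (i) buf[used++] = ' ';
        buf[used++] = m[0];
        buf[used++] = m[1];
    }
    buf[used] = '\0';
    return buf;
}

/* Sanity check on a value pulled from a dump: bit 1 is reserved and always
 * reads 1, bits 3, 5 and 15 are reserved and always read 0. A value that
 * violates this is not a real EFLAGS (a garbage or overwritten context). */
static int eflags_plausible(uint32_t efl)
{
    return (efl & 0x2) && !(efl & ((1u << 3) | (1u << 5) | (1u << 15)));
}

static int bit(uint32_t efl, int b) { return (efl >> b) & 1; }

/* Would the conditional jump "j<cc>" be taken with these flags? Returns
 * 1/0, or -1 for a condition code this table doesn't know. */
static int jcc_taken(const char *cc, uint32_t efl)
{
    int cf = bit(efl, CF), zf = bit(efl, ZF), sf = bit(efl, SF);
    int of = bit(efl, OF), pf = bit(efl, PF);
    if (!strcmp(cc, "c")  || !strcmp(cc, "b"))  return cf;
    if (!strcmp(cc, "nc") || !strcmp(cc, "ae")) return !cf;
    if (!strcmp(cc, "z")  || !strcmp(cc, "e"))  return zf;
    if (!strcmp(cc, "nz") || !strcmp(cc, "ne")) return !zf;
    if (!strcmp(cc, "be")) return cf || zf;          /* unsigned <= */
    if (!strcmp(cc, "a"))  return !cf && !zf;        /* unsigned >  */
    if (!strcmp(cc, "l"))  return sf != of;          /* signed <    */
    if (!strcmp(cc, "ge")) return sf == of;          /* signed >=   */
    if (!strcmp(cc, "le")) return zf || sf != of;    /* signed <=   */
    if (!strcmp(cc, "g"))  return !zf && sf == of;   /* signed >    */
    if (!strcmp(cc, "s"))  return sf;
    if (!strcmp(cc, "o"))  return of;
    if (!strcmp(cc, "p")  || !strcmp(cc, "pe")) return pf;
    return -1;
}

int main(void)
{
    char buf[24];
    uint32_t efl = 0x206;   /* efl from the r dump above */
    printf("efl=%08x -> %s (plausible=%d)\n", efl,
           decode_eflags(efl, buf, sizeof buf), eflags_plausible(efl));
    printf("jc taken: %d, jp taken: %d, jl taken: %d\n",
           jcc_taken("c", efl), jcc_taken("p", efl), jcc_taken("l", efl));
    return 0;
}
```

Feeding it the 0x206 from the dump reproduces the r line exactly; feed it the efl from a trap frame you suspect is corrupt and the reserved-bit check will tell you quickly whether the context is worth trusting.<br />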
<br />
<span style="color: #0b5394; font-size: small;"><u><b>Disassembly Example</b></u></span><br />
<br />
Let's now dump a stack from a random x86 crash dump to show an example of some of the registers we talked about, some assembly code, and instructions:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> ChildEBP RetAddr
a1e72ccc 81a8eec4 nt!KeBugCheckEx+0x1e
a1e72cf0 81a1e85f nt!PspCatchCriticalBreak+0x73
a1e72d20 81a1e806 <span style="background-color: yellow;">nt!PspTerminateAllThreads+0x2c</span>
a1e72d54 8185c986 nt!NtTerminateProcess+0x1c1
a1e72d54 77725d14 nt!KiSystemServicePostCall
0028f0d0 00000000 0x77725d14
</code></pre>
<br />
Let's go ahead and disassemble <b>nt!PspTerminateAllThreads</b> starting at offset <b>0x2c</b> (81a1e85f). That address is the RetAddr of the nt!PspCatchCriticalBreak frame in the stack above, i.e. the first instruction that would run after PspCatchCriticalBreak returned:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> nt!PspTerminateAllThreads+0x2c:
81a1e85f 8b450c mov eax,dword ptr [ebp+0Ch] <span style="color: purple;">// Load the dword at memory address <b>ebp+0Ch</b> into <b>eax</b>. With a standard EBP frame, [ebp+8] is the first stack argument, so this is the second argument.</span>
81a1e862 8b4048 mov eax,dword ptr [eax+48h] <span style="color: purple;">// <b>eax</b> now holds a pointer; load the dword at offset <b>48h</b> inside that structure into <b>eax</b>.</span>
81a1e865 8945f0 mov dword ptr [ebp-10h],eax <span style="color: purple;">// Store <b>eax</b> into the local variable at <b>ebp-10h</b> (locals live below the frame pointer).</span>
81a1e868 6a00 push 0 <span style="color: purple;">// Push a 32-bit zero on the stack: <b>esp</b> drops by 4 and the dword at the new <b>esp</b> is 0.</span>
81a1e86a 8bc7 mov eax,edi <span style="color: purple;">// Copy the contents of the <b>edi</b> register into the <b>eax</b> register.</span>
81a1e86c c745fc22010000 mov dword ptr [ebp-4],122h <span style="color: purple;">// Store the 32-bit immediate <b>122h</b> into the local at <b>ebp-4</b>.</span>
81a1e873 e8bf010000 call nt!PspGetPreviousProcessThread (81a1ea37) <span style="color: purple;">// CALL: push the return address <b>81a1e878</b>, then jump to <b>nt!PspGetPreviousProcessThread</b> (81a1e878 + 1bfh = 81a1ea37).</span>
81a1e878 8b5d14 mov ebx,dword ptr [ebp+14h] <span style="color: purple;">// Back from the call; load the dword at <b>ebp+14h</b> (the fourth stack argument) into <b>ebx</b>.</span>
</code></pre>
<br />
Hope you enjoyed reading!<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>References</b></u></span><br />
<br />
<a href="http://pdos.csail.mit.edu/6.828/2008/readings/i386/toc.htm" target="_blank">Intel 80386 Reference Programmer's Manual</a><br />
<a href="http://en.wikibooks.org/wiki/X86_Assembly/High-Level_Languages" target="_blank">X86 Assembly/High-Level Languages</a><br />
<a href="http://flint.cs.yale.edu/cs422/doc/pc-arch.html" target="_blank">A Guide to Programming Intel IA32 PC Architecture</a><br />
<a href="http://geezer.osdevbrasil.net/johnfine/segments.htm#switch2" target="_blank">Segment Registers: Real mode vs. Protected mode</a>Anonymoushttp://www.blogger.com/profile/15323083398160586642noreply@blogger.com28tag:blogger.com,1999:blog-8870806323064576540.post-89696715086437385152014-09-20T04:40:00.002-04:002014-09-20T06:37:34.027-04:00Stacks, stacks, and more stacks!If you've ever debugged a crash dump before, user-mode or kernel, you've very likely seen a stack. If you debug crash dumps quite often, you've seen and traversed thousands of stacks, maybe more! For a long time I knew the basics behind a stack and what I was looking at/through for the most part, but really beyond that I didn't know much for quite awhile until I dug deep into dozens of documents and books as time went on. With that said, let's discuss stacks and their mechanics!<br />
<br />
The stack excerpt below is from an x86 0xF4 crash dump. The cause of the bug check and such is irrelevant, and this stack is purely for explanatory purposes. With that said, turn off your tingly BSOD senses for a moment and look at the functions and such for what they are, and not what they could have done to play a role in the crash : )<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> <span style="background-color: yellow;">k</span>
<span style="color: blue;">ChildEBP</span> <span style="color: purple;">RetAddr</span>
a1e72ccc 81a8eec4 nt!KeBugCheckEx+0x1e
a1e72cf0 81a1e85f nt!PspCatchCriticalBreak+0x73
a1e72d20 81a1e806 nt!PspTerminateAllThreads+0x2c
a1e72d54 8185c986 nt!NtTerminateProcess+0x1c1
a1e72d54 77725d14 nt!KiSystemServicePostCall
0028f0d0 00000000 0x77725d14
</code></pre>
<br />
<b>k*</b> will perform a stack unwind, or more specifically will display the stack backtrace. <b>*</b> is the placeholder for the variant letters we can tack on, such as <b>kb</b> (adds the first three stack arguments of each frame), <b>kc</b> (function names only), <b>kv</b> (adds frame-pointer-omission and calling-convention information), <b>kd</b> (the raw stack dwords with symbols), and the list goes on. Each of those does something different, but for now we'll stick to plain old <b>k</b> for example purposes.<br />
<br />
Let's break this down one at a time!<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>ChildEBP</b></u></span><br />
<br />
<span style="color: blue;">ChildEBP</span> - First we have our ChildEBP, which is the value of EBP, otherwise known as the 'base pointer' (or frame pointer), while that frame's function was running: nothing more than a pointer to the stack frame that function set up for itself. Since an x86 function that keeps a frame pointer starts with push ebp / mov ebp,esp, the dword at that address is the caller's saved EBP and the dword at +4 is the return address. Let's verify the first half of that with the following command:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> dd a1e72cf0 l1
</code></pre>
<br />
<b>dd </b>- This is a variation of plain old <b>d</b>, which simply means <i>dump</i>. If we however use <b>dd</b>, this will <i>display/dump dword(s)</i>.<br />
<br />
<b>a1e72cf0</b> - This is a pointer address from our stack, specifically from <b>nt!PspCatchCriticalBreak+0x73</b>.<br />
<br />
<b>L1 </b>- <strike>I've always been under the impression that this tells WinDbg to print a line based on what we're looking to do as far as the command goes. I've searched the WinDbg help doc far and wide for a conclusive answer, but I haven't found one yet. There are billions of people out there far smarter than I, and hopefully one of them reads my blog to tell me what it really does!</strike><br />
<br />
<b><span style="color: red;">EDIT:</span> </b>Hilariously enough, someone smarter than me did happen to come along. Thanks to <a href="https://twitter.com/bfosterjr" target="_blank"><b>Blair Foster</b></a>, I now understand what <b>L1 </b>really does.<br />
<blockquote class="tr_bq">
its a size/range specifier. In the case of d* its used as size. So, dd L1 displays 1 dword, db L1 is 1 byte, etc. </blockquote>
Thanks, Blair! <br />
<br />
If we go ahead and run this command, here's what we get:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> dd a1e72cf0 l1
a1e72cf0 a1e72d20
</code></pre>
<br />
Look familiar? <b>a1e72d20</b> is another ChildEBP from our stack, specifically the one for the frame on the next line down, <b>nt!PspTerminateAllThreads+0x2c</b>, which is the caller of nt!PspCatchCriticalBreak. In other words, the dword at ChildEBP is the caller's saved EBP, and the dword right after it (dd a1e72cf4 l1) would be this frame's RetAddr. That chain of saved frame pointers is exactly what <b>k</b> follows to build the listing.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <b>a1e72d20</b> 81a1e806 <b>nt!PspTerminateAllThreads+0x2c</b>
</code></pre>
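As an added example, not part of the post, here is that same walk in C: a saved-EBP chain follower that reproduces the first four lines of the <b>k</b> output above from a constructed memory image. Only the [a1e72cf0] = a1e72d20 cell is taken from the <b>dd</b> shown on the page; the other cells, the 0028f0d0 value at the trap frame, and the helper names are assumptions chosen to match the <b>k</b> listing. It also shows where [ebp+0Ch] and [ebp-10h] from the disassembly in the previous post land in such a frame, and where a walker has to stop.<br />

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the post): walk a saved-EBP chain the way the k
 * command does for frame-pointer code. The stack contents are a constructed
 * image of the crashed thread's kernel stack: the dd result the post shows
 * ([a1e72cf0] = a1e72d20) is real, the other cells are filled in so that
 * the walk reproduces the k listing; treat them as assumptions. */
struct cell { uint32_t addr, value; };

static const struct cell stack_image[] = {
    { 0xa1e72ccc, 0xa1e72cf0 }, /* [ChildEBP]   of the KeBugCheckEx frame: caller's saved EBP */
    { 0xa1e72cd0, 0x81a8eec4 }, /* [ChildEBP+4]: return into PspCatchCriticalBreak+0x73       */
    { 0xa1e72cf0, 0xa1e72d20 }, /* verified on the page with dd a1e72cf0 l1                    */
    { 0xa1e72cf4, 0x81a1e85f }, /* return into PspTerminateAllThreads+0x2c                     */
    { 0xa1e72d20, 0xa1e72d54 },
    { 0xa1e72d24, 0x81a1e806 }, /* return into NtTerminateProcess+0x1c1                        */
    { 0xa1e72d54, 0x0028f0d0 }, /* trap frame: the EBP saved here is the user-mode value (assumed) */
    { 0xa1e72d58, 0x8185c986 }, /* return into KiSystemServicePostCall                         */
};
#define NCELLS ((int)(sizeof stack_image / sizeof stack_image[0]))

/* Emulates reading a dword from the dump; returns 0 if the address is not mapped. */
static int read_dword(uint32_t addr, uint32_t *out)
{
    for (int i = 0; i < NCELLS; i++)
        if (stack_image[i].addr == addr) { *out = stack_image[i].value; return 1; }
    return 0;
}

struct frame { uint32_t child_ebp, ret_addr; };

/* Standard x86 frame after "push ebp / mov ebp,esp":
 *   [ebp]      saved EBP of the caller   (next ChildEBP)
 *   [ebp+4]    return address            (RetAddr)
 *   [ebp+8..]  arguments, [ebp-4..] locals */
static uint32_t arg_slot(uint32_t ebp, int n) { return ebp + 8 + 4u * (uint32_t)n; } /* n-th argument, 0-based */
static uint32_t local_slot(uint32_t ebp, uint32_t off) { return ebp - off; }

/* Walk the chain from the current EBP. Stops when the next saved EBP is
 * zero, unreadable, or does not move toward higher addresses: on a kernel
 * stack that last case means a trap frame (user/kernel boundary) or a
 * corrupted frame pointer, and a real unwinder needs the trap frame to go on. */
static int walk_frames(uint32_t ebp, struct frame *out, int max)
{
    int n = 0;
    while (n < max && ebp != 0) {
        uint32_t saved_ebp, ret;
        if (!read_dword(ebp, &saved_ebp) || !read_dword(ebp + 4, &ret)) break;
        out[n].child_ebp = ebp;
        out[n].ret_addr = ret;
        n++;
        if (saved_ebp <= ebp) break;
        ebp = saved_ebp;
    }
    return n;
}

int main(void)
{
    struct frame frames[16];
    int n = walk_frames(0xa1e72ccc, frames, 16);   /* EBP at the time of KeBugCheckEx */
    printf("ChildEBP RetAddr\n");
    for (int i = 0; i < n; i++)
        printf("%08x %08x\n", frames[i].child_ebp, frames[i].ret_addr);
    printf("In the PspTerminateAllThreads frame, [ebp+0Ch] is argument 2 at %08x and [ebp-10h] is the local at %08x\n",
           arg_slot(0xa1e72d20, 1), local_slot(0xa1e72d20, 0x10));
    return 0;
}
```

The walk stops at the fourth frame because the saved EBP there (the user-mode 0028f0d0) points backwards; that is the system-call trap frame boundary, and it is also exactly what a stack-smashed frame pointer looks like, so a walker that doesn't check direction will happily wander off into garbage.<br />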
<br />
In this specific example we don't have a good stack to show what happens when we walk all the way back to the function that began the stack. Taking a quick look through some x64 dumps (I didn't have any good x86 ones), I dug up a quick stack. Try not to get overwhelmed by the differences between x86 and x64 here: the first column is Child-SP (the stack pointer at the time of the call) rather than ChildEBP, because x64 code doesn't keep a saved-EBP chain and WinDbg unwinds it from the image's unwind metadata instead. One frame per call is still the idea; it's just more bits and bobs!<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3: kd> k
Child-SP RetAddr
fffff880`033dfa58 fffff800`0302da3b nt!KeBugCheckEx
fffff880`033dfa60 fffff800`031f0463 hal!HalBugCheckSystem+0x1e3
fffff880`033dfaa0 fffff800`0302d700 nt!WheaReportHwError+0x263
fffff880`033dfb00 fffff800`0302d052 hal!HalpMcaReportError+0x4c
fffff880`033dfc50 fffff800`0302cf0d hal!HalpMceHandler+0x9e
fffff880`033dfc90 fffff800`03020e88 hal!HalpMceHandlerWithRendezvous+0x55
fffff880`033dfcc0 fffff800`030d84ac hal!HalHandleMcheck+0x40
fffff880`033dfcf0 fffff800`030d8313 nt!KxMcheckAbort+0x6c
<span style="color: red;">fffff880`033dfe30</span> fffff800`030d07b8 nt!KiMcheckAbort+0x153
fffff880`09e9f638 00000000`00000000 <span style="background-color: yellow;">nt!memcpy+0x208</span>
</code></pre>
<br />
Just by looking at the stack we can see it begins right at <b>nt!memcpy+0x208</b>, but let's show it the way we've been demonstrating:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3: kd> dd <span style="color: red;">fffff880`033dfe30</span> l1
fffff880`033dfe30 <span style="background-color: yellow;">00000000</span>
</code></pre>
<br />
We can see that the value stored at address <b>fffff880`033dfe30</b> is zero. This tells us there is no prior caller recorded there, so this is the very beginning of the stack. Given the function itself is <b>nt!memcpy</b>, this is understandable.<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>RetAddr</b></u></span> <br />
<br />
<span style="color: purple;">RetAddr</span> - Now that we understand our base pointer, we have our RetAddr, which is short for <i>return address</i>. It exists because the CPU, quite simply, does nothing it isn't told to do: it is concerned only with fetching instructions and executing them, and has no notion of where a function was called from or what should happen once it finishes. The return address is how it is told where to resume after the current function's code has finished executing. That is why every frame carries one.<br />
<br />
If we take another look at our x64 stack excerpt:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3: kd> k
Child-SP RetAddr
fffff880`033dfa58 fffff800`0302da3b nt!KeBugCheckEx
fffff880`033dfa60 fffff800`031f0463 hal!HalBugCheckSystem+0x1e3
fffff880`033dfaa0 fffff800`0302d700 nt!WheaReportHwError+0x263
fffff880`033dfb00 fffff800`0302d052 hal!HalpMcaReportError+0x4c
fffff880`033dfc50 fffff800`0302cf0d hal!HalpMceHandler+0x9e
fffff880`033dfc90 <span style="color: purple;">fffff800`03020e88</span> <span style="color: red;">hal!HalpMceHandlerWithRendezvous+0x55</span>
fffff880`033dfcc0 fffff800`030d84ac <span style="color: blue;">hal!HalHandleMcheck+0x40</span>
fffff880`033dfcf0 fffff800`030d8313 nt!KxMcheckAbort+0x6c
fffff880`033dfe30 fffff800`030d07b8 nt!KiMcheckAbort+0x153
fffff880`09e9f638 00000000`00000000 nt!memcpy+0x208
</code></pre>
<br />
According to the stack, <span style="color: red;">HalpMceHandlerWithRendezvous</span> was called by <span style="color: blue;">HalHandleMcheck</span>. We know that when the work <span style="color: red;">HalpMceHandlerWithRendezvous</span> was doing was finished, it would return back to <span style="color: blue;">HalHandleMcheck</span>. We can confirm this by taking a look at the return memory addresses and using the <b>ln </b>command:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3: kd> ln <span style="color: purple;">fffff800`03020e88</span>
(fffff800`03020e48) <span style="color: blue;">hal!HalHandleMcheck+0x40</span>
</code></pre>
<br />
<b>ln </b>- This command will display the function/routine at or near the given address. <br />
<br />
Bingo! Execution will resume afterwards in <span style="color: blue;">HalHandleMcheck</span>, specifically 64 bytes from the start of the function.<br />
<br />
<span style="color: #0b5394;"><span style="font-size: medium;"><u><b>Functions/Call Site</b></u></span></span><br />
<br />
<span style="color: #a64d79;">Functions/Call Site</span> - Last but not least, we have our third column (it's not labeled above in any of the stack excerpts). Interestingly enough, x64 stacks <b>do </b>label their function columns, specifically as <b>Call Site</b>. In the above stack x64 excerpts however, I removed them to avoid confusion! : )<br />
<br />
Here is what a non-edited x64 stack looks like:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 3: kd> k
Child-SP RetAddr <span style="background-color: yellow;">Call Site</span>
fffff880`033dfa58 fffff800`0302da3b nt!KeBugCheckEx
fffff880`033dfa60 fffff800`031f0463 hal!HalBugCheckSystem+0x1e3
fffff880`033dfaa0 fffff800`0302d700 nt!WheaReportHwError+0x263
fffff880`033dfb00 fffff800`0302d052 hal!HalpMcaReportError+0x4c
fffff880`033dfc50 fffff800`0302cf0d hal!HalpMceHandler+0x9e
fffff880`033dfc90 fffff800`03020e88 hal!HalpMceHandlerWithRendezvous+0x55
fffff880`033dfcc0 fffff800`030d84ac hal!HalHandleMcheck+0x40
fffff880`033dfcf0 fffff800`030d8313 nt!KxMcheckAbort+0x6c
fffff880`033dfe30 fffff800`030d07b8 nt!KiMcheckAbort+0x153
fffff880`09e9f638 00000000`00000000 nt!memcpy+0x208
</code></pre>
<br />
As we can see, there's Call Site! In x86 crash dumps however, it's not labeled. I don't need to paste the stack excerpt we used from above as I didn't edit it, so you can just scroll back up and take a quick look.<br />
<br />
It should be no mystery that this third and final column displays the function (and routine) names throughout the stack. Do note that they are in direct correlation with the <b>current loaded symbols</b>. If you don't have proper symbols, you're going to get an unresolved function (or routine), and it's going to look like junk.<br />
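To make the three columns concrete, here is an added example (not from the post) that walks a constructed x86 frame chain the way <b>k</b> prints it: the dword at each ChildEBP is the caller's saved EBP, the dword above it is the RetAddr, and each Call Site is the nearest symbol at or below an address, as <b>ln</b> resolves it. The frame addresses a1e72cf0 and a1e72d20 are the ones used above; every other address, the memory contents and the symbol table are constructed.<br />

```python
"""Walk an x86 frame-pointer chain the way WinDbg's `k` prints it.

Added example, not the blog's own data. Frame layout per the post: the dword at
ChildEBP is the caller's saved EBP, the dword at ChildEBP+4 is the return
address (RetAddr). The first frame's Call Site comes from EIP; every later
Call Site is the symbol nearest the previous RetAddr, as `ln` would resolve it.
All addresses, the memory contents and the symbol table below are constructed.
"""

# Constructed symbol table: function start -> name (names borrowed from a
# typical 0xF4 stack; the addresses are made up).
SYMBOLS = {
    0x80551000: "nt!KeBugCheckEx",
    0x80552000: "nt!PspCatchCriticalBreak",
    0x80553000: "nt!PspTerminateAllThreads",
    0x80554000: "nt!NtTerminateProcess",
    0x80555000: "nt!KiFastCallEntry",
}
MAX_SYMBOL_DISTANCE = 0x1000  # constructed: no function above is larger than this

# Constructed stack memory: address -> 32-bit dword, laid out as
# [EBP] = saved EBP (caller's frame), [EBP+4] = return address into the caller.
MEMORY = {
    0xA1E72CF0: 0xA1E72D20, 0xA1E72CF4: 0x8055302C,  # -> PspTerminateAllThreads+0x2c
    0xA1E72D20: 0xA1E72D5C, 0xA1E72D24: 0x8055415A,  # -> NtTerminateProcess+0x15a
    0xA1E72D5C: 0xA1E72D70, 0xA1E72D60: 0x8055512A,  # -> KiFastCallEntry+0x12a
    0xA1E72D70: 0x00000000, 0xA1E72D74: 0x00000000,  # outermost frame: nothing saved
}
EXAMPLE_EIP, EXAMPLE_EBP = 0x80552071, 0xA1E72CF0     # constructed starting point


def read_u32(memory, address):
    """`dd <address> l1`: read one dword, failing loudly on an unmapped address."""
    try:
        return memory[address]
    except KeyError:
        raise ValueError(f"memory access error at {address:08x}") from None


def resolve(symbols, address):
    """`ln <address>`: nearest symbol at or below the address, or raw hex when the
    address lies in a module without symbols (the 'junk' the post warns about)."""
    candidates = [s for s in symbols if s <= address < s + MAX_SYMBOL_DISTANCE]
    if not candidates:
        return f"{address:08x}"
    start = max(candidates)
    offset = address - start
    return symbols[start] if offset == 0 else f"{symbols[start]}+0x{offset:x}"


def walk_stack(memory, eip, ebp, symbols):
    """Return (ChildEBP, RetAddr, CallSite) rows until a frame with no return address."""
    frames = []
    while True:
        ret_addr = read_u32(memory, ebp + 4)
        frames.append((ebp, ret_addr, resolve(symbols, eip)))
        if ret_addr == 0:            # like the nt!memcpy frame on the page: stack bottom
            break
        eip = ret_addr               # the caller resumes here ...
        ebp = read_u32(memory, ebp)  # ... and its frame is the saved EBP we just read
        if ebp == 0:
            break
    return frames


def format_k(frames):
    """Render rows in the ChildEBP / RetAddr / Call Site layout of `k`."""
    lines = ["ChildEBP RetAddr  Call Site"]
    for child_ebp, ret_addr, call_site in frames:
        lines.append(f"{child_ebp:08x} {ret_addr:08x} {call_site}")
    return "\n".join(lines)


def example_walk():
    return walk_stack(MEMORY, EXAMPLE_EIP, EXAMPLE_EBP, SYMBOLS)


if __name__ == "__main__":
    print(format_k(example_walk()))
```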
<br />
<u><b>--------------------</b></u><br />
<br />
Thanks for reading! In my next post I plan on going into the x86 registers (<i>maybe </i>x64 although it'll be a lot of work -- may save that for a future post).<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>Thermal Zones</b></u></span> <i>(posted 2014-09-19)</i><br />
<br />
Today we're going to be taking a look into thermal zones, which are essentially different physical regions of the hardware platform that are partitioned. This partitioning is done so that when a sensor detects that a thermal zone is overheating, it will use either passive or active cooling to cool the devices in that specific thermal zone. I'm still learning about them in-depth as they're relatively confusing.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> ACPI thermal zone ACPI\ThermalZone\<span style="background-color: yellow;">TZS0</span> has been enumerated.
<span style="color: red;">_PSV = 371K</span>
_TC1 = 0
_TC2 = 50
_TSP = 0ms
_AC0 = 0K
_AC1 = 0K
_AC2 = 0K
_AC3 = 0K
_AC4 = 0K
_AC5 = 0K
_AC6 = 0K
_AC7 = 0K
_AC8 = 0K
_AC9 = 0K
<span style="color: blue;">_CRT = 373K </span>
_HOT = 0K
<span style="color: #674ea7;"><span style="color: purple;">_PSL - see event data</span>.</span>
</code></pre>
<br />
Having a look at the above event data, this is the thermal zone data for the <b>TZS0</b> sensor. Without having other more detailed event data logs aside from this, I can only assume this is the sensor for the CPU. The reason for this is the <span style="color: purple;">_PSL</span> child object is used to list the processors in the thermal zone. If we saw <b>_TZD</b> instead of <span style="color: purple;">_PSL</span>, this would list the non-processor devices in the thermal zone. For the moment however, we'll just assume the entire system was overheating as this was a <i>really hot</i><b> </b>laptop. Let's go down the line:<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>PSV</b></u></span><br />
<br />
<b>_PSV </b>- Indicates the temperature at which the operating system started passive cooling control. In our case here, this was <b>371K</b> (K = Kelvin), which is 97.85 Celsius. The system we're dealing with in this post is an Acer Aspire 5740G, which according to the tech specs houses an i5 430m for its processor. If we consult the manual:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtHz4ai_u9aPN_nmF2z5NIlmECzO2x_9tgeSA-NyxblLl5Z2ZtTgNHGDpUil_hllIcnYfV1LnFXLGY_bqzIwaLjonCyby-gYYgJzVEno_HOkeryaGZiANEDPCZv6_sD8IIhcK5ePeoMbyK/s1600/105c.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtHz4ai_u9aPN_nmF2z5NIlmECzO2x_9tgeSA-NyxblLl5Z2ZtTgNHGDpUil_hllIcnYfV1LnFXLGY_bqzIwaLjonCyby-gYYgJzVEno_HOkeryaGZiANEDPCZv6_sD8IIhcK5ePeoMbyK/s1600/105c.png" height="80" width="320" /></a></div>
We can see the max temperature is 105C regarding the CPU core, and 100C for the integrated graphics + IMC. With this said, the CPU started throttling (<b>passive </b>countermeasure to overheating) at 97.85C. How did the CPU know when to start throttling? PROCHOT#!<br />
<br />
PROCHOT# is Intel's thermal throttle activity bit:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8IPv9b3rmLGiNLwKihYeogEq04szJthrl5-XIQi1q-P0gHahW3Z6trtNlAhrkYceNE2Fs4gyrY28imzuSEwe3I_oy8PyJXLnh9D6gVxJiToHoJcMAgPIK8K91Uj8LqQd6tjM0CNFHyrJk/s1600/PROCHOT%23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8IPv9b3rmLGiNLwKihYeogEq04szJthrl5-XIQi1q-P0gHahW3Z6trtNlAhrkYceNE2Fs4gyrY28imzuSEwe3I_oy8PyJXLnh9D6gVxJiToHoJcMAgPIK8K91Uj8LqQd6tjM0CNFHyrJk/s1600/PROCHOT%23.png" height="102" width="320" /></a></div>
<br />
Note it states: the TCC will remain active until the system deasserts PROCHOT#. In fancy software engineer talk, this simply means that so long as the temperature continues to rise (or doesn't drop), it will continue to lower the CPU's power consumption until it's in a safe spot. The downside to this is that in <i>extreme </i>situations of overheating (like this one here), we trip because we hung around at an unsafe operational temperature for too long (or it got higher) and shut down to prevent permanent damage.<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>TC1/2</b></u></span><br />
<br />
<b>_TC1/2 </b>- These are the Thermal Constants: objects that evaluate to the constants _TC1 and _TC2 used in the <b>passive </b>cooling formula.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Performance [%] = _TC1 * ( Tn - Tn-1 ) + _TC2 * ( Tn - Tt )
</code></pre>
<br />
The return value is an integer containing Thermal Constant 1 or 2 respectively. In our case, the return values were <b>0 </b>for <b>_TC1 </b>and <b>50 </b>for <b>_TC2</b>.<br />
<br />
<span style="color: #0b5394; font-size: small;"><u><b>TSP</b></u></span><br />
<br />
<b>_TSP </b>- Evaluates to a thermal sampling period (in tenths of seconds) used by Operating System-directed configuration and Power Management (OSPM) to implement the passive cooling equation. This value, along with _TC1 and _TC2, will enable OSPM to provide the proper hysteresis required by the system to accomplish an effective passive cooling.<br />
<br />
In our case, this was <b>0ms</b>.<br />
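As an added example (not from the post), the passive cooling equation above run over two constructed temperature traces with this zone's own constants (_PSV = 371K, _TC1 = 0, _TC2 = 50, _CRT = 373K). Tn is the current sample, Tn-1 the previous one and Tt the target (_PSV), one step per _TSP; the assumption that a positive result is applied as a performance reduction, clamped to 0..100%, is mine.<br />

```python
"""ACPI passive cooling equation with the TZS0 constants from the event log.

Added example, not from the post. Zone constants are the ones in the event data
above (_PSV = 371K, _TC1 = 0, _TC2 = 50, _CRT = 373K, _TSP = 0ms); both
temperature traces are constructed. Assumption: a positive dP is applied as a
performance reduction and performance is clamped to the 0..100 % range.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThermalZone:
    psv: float    # _PSV: temperature (K) at which passive cooling starts
    tc1: float    # _TC1: weight of the temperature change since the last sample
    tc2: float    # _TC2: weight of the distance from the target temperature
    crt: float    # _CRT: critical temperature (K), OSPM shuts the system down
    tsp_ms: int   # _TSP: sampling period, one simulation step below


TZS0 = ThermalZone(psv=371, tc1=0, tc2=50, crt=373, tsp_ms=0)

# Constructed traces, one reading per _TSP step.
RECOVERY_TRACE = [369, 370, 371, 372, 372, 371, 370, 369]   # excursion, then cools
CRITICAL_TRACE = [371, 372, 373]                            # climbs straight to _CRT


def kelvin_to_celsius(kelvin):
    """371K -> 97.85C, the conversion the post does by hand."""
    return kelvin - 273.15


def passive_delta(zone, t_now, t_prev):
    """dP [%] = _TC1 * (Tn - Tn-1) + _TC2 * (Tn - Tt), with Tt = _PSV."""
    return zone.tc1 * (t_now - t_prev) + zone.tc2 * (t_now - zone.psv)


def simulate(zone, temps):
    """Step through a trace; return ([(temp, performance %, state), ...], outcome).

    Passive cooling engages once a sample reaches _PSV and stays engaged until
    performance is back at 100 % below the trip point. Reaching _CRT ends the run.
    """
    perf, engaged, prev, trace = 100.0, False, temps[0], []
    for t in temps:
        if t >= zone.crt:
            trace.append((t, perf, "critical"))
            return trace, "shutdown"
        if t >= zone.psv:
            engaged = True
        if engaged:
            # With _TC1 = 0 the history term vanishes: every kelvin above _PSV
            # costs _TC2 = 50 % per step, and every kelvin below gives it back.
            perf = max(0.0, min(100.0, perf - passive_delta(zone, t, prev)))
            if perf >= 100.0 and t < zone.psv:
                engaged = False
        trace.append((t, perf, "passive" if engaged else "ok"))
        prev = t
    return trace, "running"


if __name__ == "__main__":
    for name, temps in (("recovery", RECOVERY_TRACE), ("critical", CRITICAL_TRACE)):
        trace, outcome = simulate(TZS0, temps)
        print(f"{name}: {outcome}")
        for t, perf, state in trace:
            print(f"  {t}K ({kelvin_to_celsius(t):.2f}C)  perf={perf:5.1f}%  {state}")
```

The two-kelvin gap between _PSV and _CRT on this laptop is what the simulation makes visible: one step above the trip point already halves performance, and the next degree is a shutdown.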
<br />
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>AC(x)</b></u></span></span><br />
<br />
<b>_AC(x) </b>- This optional object, if present under a thermal zone, returns the temperature trip point at which Operating System-directed configuration and Power Management (OSPM) must start or stop active cooling, where (<b>x</b>) is a value between <b>0 </b>and <b>9 </b>that designates multiple active cooling levels of the thermal zone.<br />
<br />
In our case, we can see it does go 0-9, and all are listed as <b>0 Kelvin</b>.<br />
<br />
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>CRT</b></u></span></span><br />
<br />
<b>_CRT </b>- Indicates the temperature at which the operating system will shut down, as it simply cannot throttle (passive) or use fans (active) to succeed in cooling these temperatures in time before permanent damage. In this case, we can see it's <b>373K </b>(373 Kelvin) when this occurred, which is 99.85 Celsius. Unsure as to why this is 99.85 and not 100 in our case, but I digress. Possibly it rounded up?<br />
<br />
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>HOT</b></u></span></span><br />
<br />
<b>_HOT </b>- Indicates the return value (temperature) at which Operating System-directed configuration and Power Management (OSPM) may choose to transition the system into the S4 sleeping state.<br />
<br />
<u><b>--------------------</b></u> <br />
<br />
In any case, all we know is that this laptop was having some serious overheating problems. It was occurring mostly overnight when the system was being awoken from sleep to perform a defrag. The defrag was enough to push it to throttle/shutdown temperatures, which was also throwing bug checks as Windows wasn't happy it couldn't defrag.<br />
<br />
Thanks for reading, and hopefully more info on thermal zones in the near future.<br />
<br />
<span style="color: #0b5394;"><span style="font-size: small;"><u><b>References</b></u></span></span><br />
<br />
<a href="http://msdn.microsoft.com/en-us/library/windows/hardware/dn495657%28v=vs.85%29.aspx" target="_blank">ACPI-defined devices</a><br />
<a href="http://www.acpi.info/DOWNLOADS/ACPI_5_Errata%20A.pdf" target="_blank">Advanced Configuration and Power Interface Specification</a><br />
<a href="http://www.intel.com/content/dam/doc/datasheet/atom-330-datasheet.pdf" target="_blank">Intel® Atom™ Processor 330 Series Datasheet</a><br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>Rootkit Debugging (runtime2 postmortem) - SwishDbgExt, SysecLabs script, etc.</b></u></span> <i>(posted 2014-09-07)</i><br />
<br />
Today we're going to be doing some rootkit debugging, specifically regarding runtime2, with a bit of a twist! I have a ton of rootkit debugging posts coming in the next few weeks, as I've decided to break them up rather than throwing them together in one giant mess of a post.<br />
<br />
I've shown various scenarios in which I've debugged a rootkit before (0x7A, etc), but this time we're going to use various extensions to help us, other methods, and overall go a lot more in-depth. The postmortem runtime2 rootkit KMD that will be used in this post was generated by <a href="http://www.sysnative.com/forums/members/niemiro.html" target="_blank"><b>niemiro</b></a>, a good friend from Sysnative forums. He aimed to make it a good example of some things a rootkit/malware developer can do to make things not as obvious when you resort to methods such as hooking the SSDT, which is rather old and very detectable these days.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> CRITICAL_OBJECT_TERMINATION (f4)
A process or thread crucial to system operation has unexpectedly exited or been
terminated.
Several processes and threads are necessary for the operation of the
system; when they are terminated (for any reason), the system can no
longer function.
Arguments:
Arg1: 00000003, <span style="color: red;">Process</span>
Arg2: 86664d90, <span style="color: blue;">Terminating object </span>
Arg3: 86664edc, <span style="color: purple;">Process image file name </span>
Arg4: 819e91f0, <span style="color: #38761d;">Explanatory message (ascii) </span>
</code></pre>
<br />
Right, so here's our bug check. Most if not all of these 'older' rootkits will use Direct Kernel Object Manipulation (DKOM) to hook low-level routines/functions within the System Service Dispatch Table (SSDT). When this is occurring, assuming the developer of the rootkit didn't do a very good job in writing their rootkit, a lot can go wrong when disabling write protection, carelessly swapping memory, and inserting hooks. Malware scans from many AV programs can also cause crashes when they detect that the SSDT is hooked under certain circumstances. The rootkit can also intentionally call a bug check if written this way when it has detected a scan has initiated.<br />
<br />
However, if the driver is well written, you may not crash at all. What do you do if you're suspicious of a rootkit infection/hooking, yet a bug check isn't occurring naturally due to proper programming of the rootkit? This is when in some cases (like in this specific example here), you may need to take matters into your own hands and either:<br />
<ul>
<li>Force a bug check.</li>
<li>Live kernel debugging session.</li>
<li>Run an ARK (Anti-Rootkit) tool. This is no fun... we want to have fun and learn : ) </li>
</ul>
The first option is much less effective than the second, and that's due to the fact that the rootkit may not be doing any obvious hooking of the SSDT, etc, at the time of you forcing the crash. If you're investigating during a live session, it's much more effective and there are a lot more commands you can use. However, for learning purposes, I will show both.<br />
<br />
<span style="color: red;"><b>1st argument</b></span> - The value in the 1st argument (<span style="color: red;">0x3</span>) implies it was a process as opposed to a thread that unexpectedly terminated. If it had been a thread, it would instead have been <b>0x6</b>.<br />
<b><br /></b>
<span style="color: blue;"><b>2nd argument</b></span> - The value in the 2nd argument (<span style="color: blue;">86664d90</span>) is a pointer to the _EPROCESS object that unexpectedly terminated. We can dump it using <b>!object</b>, which I will show below:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> !object <span style="color: blue;">86664d90</span>
Object: <span style="color: blue;">86664d90</span> Type: (841537e8) Process
ObjectHeader: 86664d78 (old version)
HandleCount: 4 PointerCount: 127
</code></pre>
<span style="color: purple;"><br /></span>
<b><span style="color: purple;">3rd argument</span> </b>- The value in the 3rd argument (<span style="color: purple;">86664edc</span>) is the process image file name. Essentially, it's the process name that unexpectedly terminated. We can dump it by using <b>dc</b>, which I will show below:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> dc 86664edc
86664edc 73727363 78652e73 00000065 00000000 <span style="color: red;">csrss.exe</span>.......
86664eec 00000000 00000000 00000000 8605a278 ............x...
86664efc 869356d8 00000000 00000000 0000000a .V..............
86664f0c 8c04d631 00000000 00000000 7ffdc000 1...............
86664f1c 00000000 00000099 00000000 00000000 ................
86664f2c 00000000 000005c6 00000000 0003cc50 ............P...
86664f3c 00000000 00000000 00000000 00006d77 ............wm..
86664f4c 00000000 00000000 00000162 00000000 ........b.......
</code></pre>
<br />
The process that unexpectedly terminated was <b>csrss.exe</b>, which is the Client/Server Runtime Subsystem.<br />
<br />
For some extra food for thought, we can get a lot of the information above manually if we'd like to. If we take the 2nd argument (_EPROCESS object) and run the following:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> dt _EPROCESS <span style="color: blue;">86664d90</span> imageFileName
</code></pre>
<br />
<b>dt </b>will display the type, which will show us the offset, etc. More specifically it displays information about a local variable, global variable or data type:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> dt _EPROCESS <span style="color: blue;">86664d90</span> imageFileName
nt!_EPROCESS
<span style="color: #b45f06;">+0x14c</span> ImageFileName : [16] "<span style="color: red;">csrss.exe</span>"
</code></pre>
<br />
If we take the _EPROCESS object and add it to the offset (<span style="color: #b45f06;">+0x14c</span>), we get the following:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> ? 86664d90+0x14c
Evaluate expression: -2040115492 = <span style="color: purple;">86664edc</span>
</code></pre>
<br />
Look familiar? It's our 3rd argument, the process image name (<b>csrss.exe</b>).<br />
<br />
<b><span style="color: #38761d;">4th argument</span> </b>- The value in the 4th argument (<span style="color: #38761d;">819e91f0</span>) is the explanatory message regarding the reason for the bug check, specifically in ASCII. To dump it, we'll use the <b>dc </b>command as we did earlier on the 3rd argument:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> dc 819e91f0
819e91f0 6d726554 74616e69 20676e69 74697263 <span style="background-color: yellow;">Terminating crit</span>
819e9200 6c616369 6f727020 73736563 25783020 <span style="background-color: yellow;">ical process</span> 0x%
</code></pre>
<br />
As we can see, this is reiterating the 1st argument.<br />
<br />
<u><b>--------------------</b></u><br />
<br />
So far all we know is that this bug check occurred because <b>csrss.exe</b>, a critical Windows process, unexpectedly terminated. Why? If you weren't able to tell whilst reading through by now, we purposely terminated it via Task Manager to force the bug check. With that said, for this post we're choosing the first method (forcing a bug check).<br />
<br />
Pretending for a moment that we didn't purposely force the bug check ourselves, what would we do at this point if this was a crash dump from a system that isn't ours and/or a crash that wasn't of our doing? Among many things, one of the first few things I do in 'not so obvious' 0xF4's is check the summary and stats regarding virtual memory on the system at the time of the crash:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> !vm
*** Virtual Memory Usage ***
Physical Memory: 917370 ( 3669480 Kb)
Page File: \??\C:\pagefile.sys
Current: 3976680 Kb Free Space: 3976676 Kb
Minimum: 3976680 Kb Maximum: 4193280 Kb
Available Pages: 769568 ( 3078272 Kb)
ResAvail Pages: 869504 ( 3478016 Kb)
Locked IO Pages: 0 ( 0 Kb)
Free System PTEs: 348283 ( 1393132 Kb)
Modified Pages: 11884 ( 47536 Kb)
Modified PF Pages: 11830 ( 47320 Kb)
<span style="background-color: yellow;">NonPagedPool Usage: 8265 ( 33060 Kb)</span>
<span style="background-color: yellow;">NonPagedPool Max: 522998 ( 2091992 Kb)</span>
PagedPool 0 Usage: 5501 ( 22004 Kb)
PagedPool 1 Usage: 10013 ( 40052 Kb)
PagedPool 2 Usage: 623 ( 2492 Kb)
PagedPool 3 Usage: 631 ( 2524 Kb)
PagedPool 4 Usage: 726 ( 2904 Kb)
PagedPool Usage: 17494 ( 69976 Kb)
PagedPool Maximum: 523264 ( 2093056 Kb)
Session Commit: 3758 ( 15032 Kb)
Shared Commit: 9951 ( 39804 Kb)
Special Pool: 0 ( 0 Kb)
Shared Process: 1260 ( 5040 Kb)
Pages For MDLs: 2 ( 8 Kb)
PagedPool Commit: 17550 ( 70200 Kb)
Driver Commit: 2335 ( 9340 Kb)
Committed pages: 115256 ( 461024 Kb)
Commit limit: 1882649 ( 7530596 Kb)
</code></pre>
<br />
We can see right away that we don't have insufficient non-paged pool. Non-paged pool exhaustion is a pretty popular cause of 0xF4's, as at that point the system cannot handle I/O operations, etc. It's generally due to buggy drivers causing pool-related memory leaks.<br />
<br />
With the above said, assuming we are looking at a crash dump that wasn't ours, we can almost entirely rule out this specific 0xF4 being caused by a buggy driver (MSFT or 3rd party). To be extra sure, double-check the modules list and see if there's anything that jumps out as problematic. <br />
<br />
<u><b>--------------------</b></u><br />
<br />
At this point I would start becoming suspicious of a rootkit, as I would not right away suggest the hard disk (whether HDD or SSD) is the immediate problem given we'd probably see obvious NTSTATUS codes for that. For example, possibly <b>0xc0000006</b>. Either that, or an entirely different bug check (perhaps 0x7A). With that said, now we get to have some fun!<br />
<br />
There are many ways to go about detecting a rootkit hooking the SSDT, and we will discuss extensions/scripts for the moment:<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>1st Method - SwishDbgExt</b></u></span> <span style="color: #0b5394; font-size: medium;"></span><br />
<br />
The first method we will be using in this postmortem debugging example is the wonderful <a href="http://www.msuiche.net/2014/07/16/thats-so-swish/" target="_blank"><b>SwishDbgExt</b></a>, which was developed/created by a friend of mine (<a href="http://www.twitter.com/msuiche" target="_blank"><b>Matt Suiche</b></a>).
I've made various contributions to the help file considering the love I
have gathered for this extension. It makes a lot of our lives as
debuggers much easier.<br />
<br />
Once you have the extension loaded, we're going to be using the <b>!ms_ssdt </b>command. This command displays the System Service Dispatch Table, which is extremely helpful in the investigation of suspected rootkit hooks through using what is known as Direct Kernel Object Manipulation (DKOM).<br />
<br />
-- Chopping some of the SSDT output as it's fairly large, let's skip to what's important:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> |-------|--------------------|--------------------------------------------------------|---------|--------|
| Index | Address | Name | Patched | Hooked |
|-------|--------------------|--------------------------------------------------------|---------|--------|
<span style="background-color: yellow;">*** ERROR: Module load completed but symbols could not be loaded for Gjglly.sys </span>
| 126 | 0xFFFFFFFF91F054C2 | <span style="color: red;">Gjglly </span>| | |
| 127 | 0xFFFFFFFF81A34F80 | nt!NtDeviceIoControlFile | | |
| 128 | 0xFFFFFFFF81949B44 | nt!NtDisplayString | | |
| 129 | 0xFFFFFFFF81A2117F | nt!NtDuplicateObject | | |
| 130 | 0xFFFFFFFF81A18134 | nt!NtDuplicateToken | | |
| 131 | 0xFFFFFFFF81AB14E8 | nt!NtEnumerateBootEntries | | |
| 132 | 0xFFFFFFFF81AB278A | nt!NtEnumerateDriverEntries | | |
| 133 | 0xFFFFFFFF91F04FFA | <span style="color: red;">Gjglly </span>| | |
| 134 | 0xFFFFFFFF81AB10B7 | nt!NtEnumerateSystemEnvironmentValuesEx | | |
| 135 | 0xFFFFFFFF81A9F073 | nt!NtEnumerateTransactionObject | | |
| 136 | 0xFFFFFFFF91F051B6 | <span style="color: red;">Gjglly </span>| | |
| 137 | 0xFFFFFFFF81A802D5 | nt!NtExtendSection | | |
| 138 | 0xFFFFFFFF819A113A | nt!NtFilterToken | | |
| 139 | 0xFFFFFFFF819B39FC | nt!NtFindAtom | | |
| 140 | 0xFFFFFFFF819DCA86 | nt!NtFlushBuffersFile | | |
| 141 | 0xFFFFFFFF819AD0F6 | nt!NtFlushInstructionCache | | |
| 142 | 0xFFFFFFFF819781EB | nt!NtFlushKey | | |
| 143 | 0xFFFFFFFF818B11C1 | nt!NtFlushProcessWriteBuffers | | |
| 144 | 0xFFFFFFFF819C175B | nt!NtFlushVirtualMemory | | |
| 145 | 0xFFFFFFFF81A82D64 | <span style="color: blue;">nt!NtFlushWriteBuffer </span> | | <span style="color: red;">Yes</span> |
</code></pre>
<br />
We can see a module (<span style="color: red;">Gjglly.sys</span>), and <span style="color: blue;">nt!NtFlushWriteBuffer</span> is hooked. Let's not jump to conclusions just yet as this could be a completely legitimate hook.<br />
<br />
First of all, what's <b>Gjglly.sys</b>? This is a driver in relation to AntiDebugLIB.<br />
<blockquote class="tr_bq">
<i>An advanced software encryption tool.</i><br />
<i><br /></i>
<i>AntiDebugLIB is a useful tool that was designed in order to assist software developers protect their applications against advanced reverse engineering and software cracking. It offers a powerful advanced license control which allow developers to distribute trial versions of their applications securely.</i></blockquote>
This is a legitimate driver, but as said above, we can't jump to conclusions on it being safe either (hint: it's not, as I will discuss later). <br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>2nd Method - Script</b></u></span><br />
<br />
The second method we will be using in this postmortem debugging example is an <a href="http://www.laboskopia.com/download/syseclabs-windbg-script.zip" target="_blank"><b>older script</b></a> developed by Lionel d'Hauenens of <a href="http://www.laboskopia.com/" target="_blank"><b>Laboskopia</b></a>. This script will only work with the x86 WinDbg client. Regardless, as we know, it's always best to debug a crash dump in the client based off of the system's architecture. Given the system that generated this crash dump was 32-bit, we'll be debugging it with the x86 WinDbg client.<br />
<br />
This script is incredibly helpful in not only checking the SSDT for hooking, but also detecting what is known as a Shadow SSDT hook. You can find a great article on Shadow SSDT hooking from my very good friend Harry - <a href="http://bsodtutorials.blogspot.com/2014/01/shadow-ssdt-hooking-with-windbg.html" target="_blank"><b>Shadow SSDT Hooking with Windbg</b></a>.<br />
<br />
Nevertheless, if you don't understand French instructions, to install the script, simply drag and drop the <b>script </b>folder into your x86 Debuggers folder.<br />
<br />
Once it's installed, type the following command into WinDbg with your postmortem rootkit crash dump:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> kd> $$><script\@@init_cmd.wdbg
</code></pre>
<br />
So long as you installed the script properly, you should see the following:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> SysecLabs Windbg Script : Ok :)
('al' for display all commands)
</code></pre>
<br />
Once you see that which has verified the script is loaded properly, type the following command:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> !!display_system_call
</code></pre>
<br />
Here's a few excerpts:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 007D 0003 OK nt!NtDeleteObjectAuditAlarm (81a46500)
<span style="background-color: yellow;">007E 0002 <span style="color: red;">HOOK</span>-> *** ERROR: Module load completed but symbols could not be loaded for Gjglly.sys</span>
007F 000A OK nt!NtDeviceIoControlFile (81a34f80)
0080 0001 OK nt!NtDisplayString (81949b44)
0081 0007 OK nt!NtDuplicateObject (81a2117f)
0082 0006 OK nt!NtDuplicateToken (81a18134)
0083 0002 OK nt!NtEnumerateBootEntries (81ab14e8)
0084 0002 OK nt!NtEnumerateDriverEntries (81ab278a)
<span style="background-color: yellow;">0085 0006 <span style="color: red;">HOOK</span>-> Gjglly+0x1ffa (91f04ffa)</span>
0086 0003 OK nt!NtEnumerateSystemEnvironmentValuesEx (81ab10b7)
0087 0005 OK nt!NtEnumerateTransactionObject (81a9f073)
<span style="background-color: yellow;">0088 0006 <span style="color: red;">HOOK</span>-> Gjglly+0x21b6 (91f051b6)</span>
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 00BC 0003 OK nt!NtOpenJobObject (81a912df)
<span style="background-color: yellow;">00BD 0003 </span><span style="background-color: yellow;"><span style="color: red;">HOOK</span>-> Gjglly+0x1f4c (91f04f4c)</span>
00BE 0004 OK nt!NtOpenKeyTransacted (819727e1)
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 0143 0001 OK nt!NtSetUuidSeed (8195977b)
<span style="background-color: yellow;">0144 0006 <span style="color: red;">HOOK</span>-> Gjglly+0x2372 (91f05372)</span>
0145 0005 OK nt!NtSetVolumeInformationFile (81a6c5de)
</code></pre>
<br />
Here's <b>Gjglly.sys </b>again, and we can see it's hooking. At this point, we would be suspicious enough to run an ARK tool such as <a href="http://www.gmer.net/" target="_blank"><b>GMER</b></a>.<b> </b>Of course, if we ran GMER at this point, it would show that the system is in fact infected with runtime2, and <b>Gjglly.sys </b>is our rootkit driver. Normally, by itself and by default, the runtime2 driver is <b>runtime2.sys</b>, not <b>Gjglly.sys</b>. In this specific scenario, niemiro used a different loader to inject the driver than the original, and renamed <b>runtime2.sys </b>to <b>Gjglly.sys </b>(a legitimate module name). Although GMER if run would still say the system is infected with a rootkit, and it would label <b>Gjglly.sys </b>as the rootkit driver, it's done not to trick various ARK tools, but the user.<br />
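To make the check both methods above perform concrete, here is an added example that is not code from the original post, from SwishDbgExt, or from the SysecLabs script: it decodes a slice of an x86 KiServiceTable (raw function pointers on 32-bit Windows) and flags every pointer that lands outside the kernel image. The nt image range, the Gjglly.sys image size and the extra index-137 pointer are constructed assumptions; the Gjglly base is what the "Gjglly+0x1ffa (91f04ffa)" line above implies.<br />

```python
"""Added example (not from the post, SwishDbgExt or the SysecLabs script):
the core check both tools perform on an x86 SSDT. On 32-bit Windows,
nt!KiServiceTable is an array of raw function pointers; an entry that
points anywhere but the kernel image (nt) has been redirected, which is
how the hooked Gjglly entries stand out.

Assumptions (constructed for this example): the nt image range
0x81800000-0x81C00000, the Gjglly.sys image size 0x6000, and the
Gjglly base 0x91F03000, which is what "Gjglly+0x1ffa (91f04ffa)" implies.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size


@dataclass(frozen=True)
class SsdtEntry:
    index: int             # service number (index into KiServiceTable)
    target: int            # function pointer stored in the table
    module: Optional[str]  # owning module, None if no loaded module covers it
    offset: int            # target - module base (0 when module is None)
    hooked: bool           # True unless the target lies inside the kernel image


# Constructed loaded-module list; in a real dump this comes from "lm".
MODULES = [
    Module("nt", 0x81800000, 0x400000),    # assumed kernel image range
    Module("Gjglly", 0x91F03000, 0x6000),  # base derived from the post, size assumed
]

# Constructed slice of the table: indices 126..136 carry the pointers shown in
# the !ms_ssdt output; index 137 is an extra, made-up pointer into memory no
# loaded module covers, to show the "no known module" case.
FIRST_INDEX = 126
SAMPLE_TABLE = struct.pack(
    "<12I",
    0x91F054C2, 0x81A34F80, 0x81949B44, 0x81A2117F, 0x81A18134, 0x81AB14E8,
    0x81AB278A, 0x91F04FFA, 0x81AB10B7, 0x81A9F073, 0x91F051B6, 0x95000000,
)


def find_module(va: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose image range covers va, if any."""
    for m in modules:
        if m.contains(va):
            return m
    return None


def scan_ssdt(table: bytes, first_index: int, modules: List[Module],
              kernel: str = "nt") -> List[SsdtEntry]:
    """Decode an x86 KiServiceTable slice and flag every non-kernel target."""
    count = len(table) // 4
    targets = struct.unpack(f"<{count}I", table[:count * 4])
    entries = []
    for i, va in enumerate(targets):
        mod = find_module(va, modules)
        entries.append(SsdtEntry(
            index=first_index + i,
            target=va,
            module=mod.name if mod else None,
            offset=va - mod.base if mod else 0,
            hooked=mod is None or mod.name != kernel,
        ))
    return entries


def format_entry(e: SsdtEntry) -> str:
    """Render one entry in the spirit of the SysecLabs script's listing."""
    if not e.hooked:
        return f"{e.index:04X} OK {e.module}+0x{e.offset:x} ({e.target:08x})"
    if e.module is None:
        return f"{e.index:04X} HOOK-> <no loaded module> ({e.target:08x})"
    return f"{e.index:04X} HOOK-> {e.module}+0x{e.offset:x} ({e.target:08x})"


def hooking_modules(entries: List[SsdtEntry]) -> List[str]:
    """Distinct owners of hooked entries ('<unknown>' for none), in table order."""
    seen: List[str] = []
    for e in entries:
        name = e.module or "<unknown>"
        if e.hooked and name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    results = scan_ssdt(SAMPLE_TABLE, FIRST_INDEX, MODULES)
    for entry in results:
        print(format_entry(entry))
    print("hooking modules:", ", ".join(hooking_modules(results)))
```

The module list is the part that matters in practice: a pointer that no loaded module covers is as suspicious as one inside a third-party driver, so the scan reports both.<br />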
<br />
If you've ever been infected with runtime2, you know it additionally drops <b>startdrv.exe </b>in the Temp directory of the current Windows install. <b>startdrv.exe</b> is the part that infuriates those who become infected with runtime2, because it's the part that immediately makes you suspicious of an infection as it's a trojan dropper. This is the specific part of the rootkit that will cause slowness, garbage popups, etc.<br />
<br />
In this specific case, niemiro intentionally corrupted <b>startdrv.exe </b>which stopped it from executing entirely. You may be saying to yourself, what's the point of a rootkit's protection driver with no execution of payload, etc, by its dropped trojan? Well, there really is no point (unless your goal was to use something else that's malicious and not as obvious as a trojan dropper)! This was just an example to show how you can better hide a rootkit (protection driver, really) if you wanted to. Although ARK tools would still pick it up, it's not anywhere near as obvious to the user.<br />
<br />
Thanks for reading, and I will get around to doing a live debugging of runtime2 as soon as I can.<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>PDC_WATCHDOG_TIMEOUT (14f) debugging</b></u></span> (posted 2014-08-18)<br />
<br />
I received a PDC_WATCHDOG_TIMEOUT (14f) crash dump, although I seem to have misplaced the source. What a shame! Anyway, this bug check is pretty mysterious. There's very little to no documentation on it, and not many people have had it occur on their systems for it to show up in any sort of web search. With that said, let's do our best to get some info on it!<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> PDC_WATCHDOG_TIMEOUT (14f)
A system component failed to respond within the allocated time period,
preventing the system from exiting connected standby.
Arguments:
Arg1: 0000000000000002, Client ID of the hung component.
Arg2: 0000000000000002, A resiliency client failed to respond.
Arg3: fffff801867d3578, Pointer to the resiliency client (pdc!_PDC_RESILIENCY_CLIENT).
Arg4: ffffd001b7f61b30, Pointer to a pdc!PDC_14F_TRIAGE structure.
</code></pre>
<br />
We can see right away that the cause of the bug check itself is:<br />
<blockquote class="tr_bq">
<i>A system component failed to respond within the allocated time period, preventing the system from exiting connected standby.</i></blockquote>
With that said, now is a good time to discuss connected standby. Connected standby is a low-power state (implemented in Windows 8, also in 8.1) that features extremely low power consumption while maintaining a <b>constant </b>internet connection. Here is how to trigger connected standby:<br />
<br />
<ul>
<li>Press the system power button.</li>
<li>Close the lid or tablet cover, or close the tablet into an attached dock.</li>
<li>Select <b>Sleep</b> from the <b>Power</b> button on the <b>Settings</b> charm.</li>
</ul>
<br />
The best comparison is a smartphone's power button. When you press the power button on one of today's smartphones, it will transition to a similar state as opposed to entirely shutting down. This way, when you press the power button again, it will start right back up from where you previously left off.<br />
<br />
Now that we know how to trigger the connected standby, how does it wake up and transition to its active state again?<br />
<br />
<ul>
<li>Press the system power button.</li>
<li>Open the lid on a clamshell form-factor system.</li>
<li>Open the tablet if it is connected to a portable dock with a keyboard (similar to a lid in a clamshell system).</li>
<li>Generate input on an integrated or attached keyboard, mouse, or touchpad.</li>
<li>Press the Windows button that is integrated into the system display.</li>
</ul>
<br />
Other than user actions, system components, programs, etc. can wake the system from connected standby as well. For example, if the user has an incoming Skype call, the system wakes immediately and gives the user a 25 second window to answer it. If the call is not answered, it is canceled and the system goes back into connected standby.<br />
<br />
System components or devices can also wake the core silicon or SoC from connected standby, even though those events may not turn on the display. Nearly all devices connected to a connected standby system are expected to be capable of waking the SoC from its deepest idle power state.<br />
<br />
<u><b>--------------------</b></u><br />
<br />
Now that we understand connected standby, we can read the bug check as follows: for some reason a specific system component failed to respond within the set time period, so the system remained in connected standby when it should have woken up.<br />
<br />
First of all, what kind of device is this given the fact that we likely wouldn't see connected standby on a desktop (or maybe even a laptop)?<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 0: kd> !sysinfo machineid
Machine ID Information [From Smbios 2.8, DMIVersion 39, Size=1106]
BiosMajorRelease = 3
BiosMinorRelease = 7
FirmwareMajorRelease = 32
FirmwareMinorRelease = 0
BiosVendor = American Megatrends Inc.
BiosVersion = 3.07.0150
BiosReleaseDate = 05/15/2014
SystemManufacturer = Microsoft Corporation
<span style="background-color: yellow;">SystemProductName = Surface Pro 3 </span>
SystemFamily = Surface
SystemVersion = 1
SystemSKU = Surface_Pro_3
BaseBoardManufacturer = Microsoft Corporation
BaseBoardProduct = Surface Pro 3
BaseBoardVersion = 1
</code></pre>
<br />
Ah, it's a Surface tablet! It all makes sense now.<br />
<br />
As this was a minidump, our call stack was extremely uninformative:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 0: kd> k
Child-SP RetAddr Call Site
ffffd001`b7f61af8 fffff801`867dcd72 <span style="color: blue;">nt!KeBugCheckEx </span>
ffffd001`b7f61b00 fffff803`712daadb <span style="color: red;">pdc!PdcpResiliencyWatchdog+0xa6 </span>
ffffd001`b7f61b50 fffff803`71356794 nt!ExpWorkerThread+0x293
ffffd001`b7f61c00 fffff803`713e15c6 nt!PspSystemThreadStartup+0x58
ffffd001`b7f61c60 00000000`00000000 nt!KiStartSystemThread+0x16
</code></pre>
<br />
We can see we're starting a thread which turns out to be a worker thread, and then we call into <b>pdc!PdcpResiliencyWatchdog+0xa6</b>. This implies we failed to complete the resiliency phase in the allotted time period (however long). Usually when you see resiliency phase issues on a device regarding anything in terms of waking from an inactive state (sleep, hibernate, etc), the first thing to look at is network. For example, the D0 IRP for the required network device may not have completed in time due to a 3rd party conflict, etc.<br />
<br />
We can further confirm we're likely dealing with a network issue by taking a look at our bucket_id:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> FAILURE_BUCKET_ID: 0x14F_<span style="background-color: yellow;">WCM</span>_pdc!PdcpResiliencyWatchdog
</code></pre>
<br />
<b>WCM </b>is the Windows Connection Manager, which enables the creation and configuration of connection manager software.<br />
<br />
As this is a Surface tablet, one can imagine it's likely using Wi-Fi. If a Wi-Fi connection is available, the system will wait for the Wi-Fi device only, regardless of whether a mobile broadband (MBB) connection is available. With this said, I took a look at what loaded modules we had to see if any antivirus, firewall, etc. was installed. I was essentially looking for anything that could have accidentally interfered with the network upon wake.<br />
<br />
Here's what I found:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 0: kd> lmvm MBAMSwissArmy
start end module name
fffff801`8851d000 fffff801`8853e000 MBAMSwissArmy (deferred)
Image path: \??\C:\windows\system32\drivers\MBAMSwissArmy.sys
Image name: <span style="background-color: yellow;">MBAMSwissArmy.sys </span>
Timestamp: Thu Mar 20 18:12:35 2014
</code></pre>
<br />
<div class="col3">
Malwarebytes Anti-malware driver, listed and loaded.</div>
<div class="col3">
<br /></div>
<div class="col3">
I asked the user to uninstall Malwarebytes for temporary troubleshooting purposes, and the crashes no longer occurred. I hope the user also contacted Malwarebytes support to work out any possible issues that need to be patched.<br />
<br />
I hope to see more of these bug checks in the future, and hopefully with a kernel-dump next time as well so I can go in-depth!<br />
<br />
Thanks for reading!</div>
<span style="color: #0b5394; font-size: medium;"><u><b>Double Fault</b></u></span> (posted 2014-08-13)<br />
<br />
I was recently sent a pretty neat kernel-dump by my good friend Jared. I've always wanted to go into double faults, so let's get started! Thanks, Jared : )<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> UNEXPECTED_KERNEL_MODE_TRAP (7f)
This means a trap occurred in kernel mode, and it's a trap of a kind
that the kernel isn't allowed to have/catch (bound trap) or that
is always instant death (double fault).
Arguments:
Arg1: <span style="color: red;">0000000000000008</span>, EXCEPTION_DOUBLE_FAULT
Arg2: 0000000080050033
Arg3: 00000000000406f8
Arg4: fffff800032aa875
</code></pre>
<br />
In our case, the 1st argument was <b>8</b>, therefore this indicates a double fault occurred. So, what is a double fault, and when/why does one occur?<br />
<br />
Double faults occur when an exception cannot be handled by its handler, or when an exception occurs while the CPU is already trying to call an exception handler for a previously thrown exception. In most cases, two exceptions thrown at the exact same time are handled <b>separately</b>; however, in some cases you may have a situation in which a page fault occurs but the exception handler is located in a not-present page, so two page faults occur and neither of them can be handled. This is known as a double fault! Double faults can also occur (as in this scenario) when the processor cannot properly service an interrupt that is pending.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 4: kd> k
Child-SP RetAddr Call Site
fffff880`009b9de8 fffff800`0328b169 <span style="color: red;">nt!KeBugCheckEx </span>
fffff880`009b9df0 fffff800`03289632 <span style="color: blue;">nt!KiBugCheckDispatch+0x69 </span>
fffff880`009b9f30 fffff800`032aa875 <span style="color: blue;">nt!KiDoubleFaultAbort+0xb2</span> <- Uh oh, double fault!
fffff880`03dccfd0 fffff800`032909ba <span style="color: purple;">nt!KiIpiSendRequest+0x305 <span style="color: black;"><- As it is a multiprocessor job, processor #4 sent an inter-processor interrupt to interrupt another processor saying "Hey, we need to flush the TLB."</span></span>
fffff880`03dcd090 fffff800`032ec198 <span style="color: blue;">nt!KeFlushMultipleRangeTb+0x22a </span> <- Flushing translation lookaside buffer, this is a multiprocessor job.
fffff880`03dcd160 fffff800`033935ea <span style="color: #b45f06;">nt! ?? ::FNODOBFM::`string'+0x204ce</span>
fffff880`03dcd350 fffff800`03394be7 <span style="color: #38761d;">nt!MiEmptyWorkingSet+0x24a </span> <- Removing as many pages as possible from the working set.
fffff880`03dcd400 fffff800`0372f371 <span style="color: blue;">nt!MiTrimAllSystemPagableMemory+0x218</span> <- Unmapping all pageable system memory.
fffff880`03dcd460 fffff800`0372f4cf <span style="color: purple;">nt!MmVerifierTrimMemory+0xf1 </span>
fffff880`03dcd490 fffff800`0372fc24 <span style="color: purple;">nt!ViKeRaiseIrqlSanityChecks+0xcf <span style="color: black;"><- As verifier is enabled, it's doing a sanity check. A sanity check is essentially verifier saying "Okay, what IRQL are we on and are we supposed to be here?"</span></span>
fffff880`03dcd4d0 fffff880`018443f5 <span style="color: purple;">nt!VerifierKeAcquireSpinLockRaiseToDpc+0x54 </span> <- IRST resetting IRQL to DISPATCH (2) and then acquiring a lock.
fffff880`03dcd530 fffff880`018222a2 <span style="color: red;">iaStor+0x253f5</span> <- Intel Rapid Storage Technology
fffff880`03dcd560 fffff880`01871489 <span style="color: red;">iaStor+0x32a2 </span> <- Intel Rapid Storage Technology
</code></pre>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 4: kd> ub <span style="color: purple;">nt!KiIpiSendRequest+0x305</span>
nt!KiIpiSendRequest+0x2eb:
fffff800`032aa85b 5e pop rsi
fffff800`032aa85c 5d pop rbp
fffff800`032aa85d c3 ret
fffff800`032aa85e 8bc6 mov eax,esi
fffff800`032aa860 e9e2feffff jmp <span style="color: red;">nt!KiIpiSendRequest+0x1d7 (fffff800`032aa747)</span>
fffff800`032aa865 0fb70db4892100 movzx ecx,word ptr [<span style="color: blue;">nt!KeActiveProcessors (fffff800`034c3220)</span>]
fffff800`032aa86c 0fb705af892100 movzx eax,word ptr [<span style="color: blue;">nt!KeActiveProcessors+0x2 (fffff800`034c3222)</span>]
fffff800`032aa873 8bfa mov edi,edx
</code></pre>
<br />
By unassembling <b>nt!KiIpiSendRequest+0x305</b> backwards, it looks like there's a check for active processors, followed by the attempt to send the IPI. <br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 4: kd> !ipi
IPI State for Processor 0
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen]</span>
IPI State for Processor 1
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen] </span>
IPI State for Processor 2
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen]</span>
IPI State for Processor 3
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen]</span>
IPI State for Processor 4
TargetCount 0 PacketBarrier 0 IpiFrozen 0 <span style="background-color: yellow;">[Running]</span>
IPI State for Processor 5
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen] </span>
IPI State for Processor 6
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen]</span>
IPI State for Processor 7
TargetCount 0 PacketBarrier 0 IpiFrozen 2 <span style="color: red;">[Frozen] </span>
</code></pre>
<br />
By running <b>!ipi </b>we can check the inter-processor interrupt state for every processor on the box. We can see here that every single processor (except #4) is in a frozen state (idle), therefore obviously our IPI is never going to be serviced, will remain pending, and we're going to double fault.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 4: kd> lmvm iaStor
start end module name
fffff880`0181f000 fffff880`01bc3000 iaStor (no symbols)
Loaded symbol image file: iaStor.sys
Image path: \SystemRoot\system32\DRIVERS\iaStor.sys
Image name: iaStor.sys
Timestamp: Wed Feb 01 19:15:24 <span style="color: red;">2012</span>
</code></pre>
<br />
The IRST driver is dated from early 2012, which is likely the problem, since it is a notoriously problematic driver and it gets worse as it gets older. The newer update would likely solve it, but honestly, I usually recommend that a user safely removes and replaces this driver with the standard MSFT driver if they aren't running a RAID setup. Kaspersky was also present on this system, and antivirus suites don't tend to play nice with this software either.<br />
<br />
This post also shows how helpful Driver Verifier is, and how without it in this specific scenario, we likely would have had no idea what was causing this, and may interpret it as a hardware problem.<br />
<br />
Thanks for reading!<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>MEMORY_CORRUPTION_STRIDE</b></u></span> (posted 2014-08-09)<br />
<br />
You know when you have something you really want to write a blog post about, but you don't have a crash dump for it? Debugger problems. Fortunately for me, I searched Google for a live crash dump link and found one. Happy days! Thanks to this person from four or so years ago for their crash dump :~)<br />
<br />
Let's take a look at our basic bug check information in this case. This time, let's use code boxes. I never use code boxes on my blog, but now it's time!<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: <span style="color: red;">00000000c0000005</span>, Exception code that caused the bugcheck
Arg2: <span style="color: purple;">fffff80002cc272d</span>, Address of the instruction which caused the bugcheck
Arg3: <span style="color: blue;">fffff8800a555070</span>, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
</code></pre>
<br />
As with most 0x3B's, our exception was specifically an access violation.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> ln <span style="color: purple;">fffff80002cc272d </span>
(fffff800`02cc2590) <span style="color: red;">nt!KiDpcInterrupt+0x19d</span> | (fffff800`02cc2780) nt!KiDpcInterruptBypass
</code></pre>
<br />
The violation in this case specifically occurred in <b>nt!KiDpcInterrupt+0x19d</b>.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> .cxr <span style="color: blue;">0xfffff8800a555070</span>;r
rax=0000000000000001 rbx=fffffa8006b24b60 rcx=0000000000000000
rdx=000001af00000000 rsi=0000000000000000 <span style="color: purple;">rdi=0000000000000003 </span>
rip=fffff80002cc272d rsp=fffff8800a555a50 rbp=fffff8800a555ad0
r8=0000000000000000 r9=0000000000000001 r10=0000000000000000
r11=0000000000000064 r12=0000000000000000 r13=0000000000000000
r14=0000000000000064 r15=000007ff00042020
iopl=0 nv up di pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010046
<span style="color: red;"> nt!KiDpcInterrupt+0x19d</span>:
fffff800`02cc272d 0fae1f <span style="background-color: yellow;">stmxcsr dword ptr [rdi]</span> ds:002b:00000000`00000003=????????
</code></pre>
<br />
The faulting instruction stores the <b>MXCSR </b>register (the SSE control/status register) to the dword at the address held in <b>rdi</b>, and <b>rdi </b>is <span style="color: purple;">0000000000000003</span>. Address 3 lies in the first page of user space, which is never mapped, so the store can only fault; therein lies our problem. Note that 3 isn't a plausible pointer at all, not even a stale or freed one.<br />
<br />
So, why is the kernel's own DPC interrupt handler dereferencing an address like that? Good question! Before suspecting anything else, let's check whether the kernel code in memory is still what Microsoft shipped by running the following:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> !chkimg -lo 50 -db -v !nt
</code></pre>
<br />
<b>!chkimg </b>compares an image with its original copy. More specifically, it does this by comparing the image of an executable file in memory to the copy of the file that resides on a symbol store.<br />
<br />
The <b>-lo 50</b> parameter limits the number of output lines to 50. Not too much and not too little.<br />
<br />
The <b>-db </b>parameter displays mismatched areas in a format that is similar to the <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff542790%28v=vs.85%29.aspx"><b>db debugger command</b></a>. Therefore, each display line shows the address of the first byte in the line, followed by up to 16 hexadecimal byte values. The byte values are immediately followed by the corresponding ASCII values. All nonprintable characters, such as carriage returns and line feeds, are displayed as periods (.). The mismatched bytes are marked by an asterisk (*).<br />
<br />
The <b>-v </b>parameter displays extra verbose information.<br />
<br />
<b>!nt </b>is the module, which is of course the kernel.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> !chkimg -lo 50 -db -v !nt
Searching for module with expression: !nt
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: <span style="background-color: yellow;">c:\localsymbols\ntkrnlmp.exe\4A5BC6005dd000\ntkrnlmp.exe</span>
No range specified
</code></pre>
<br />
Above we can see that, as noted, it's comparing the kernel image in the crash dump against the copy of <b>ntkrnlmp.exe </b>in my local symbol cache. The directory name <b>4A5BC6005dd000 </b>is the image's link timestamp followed by its size, which is how the symbol server indexes binaries, so the comparison copy is the exact build the crashed machine was running. If it weren't available locally, the debugger would fetch it from the symbol server.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Scanning section: <span style="background-color: yellow;">.text</span>
Size: 1685025
Range to scan: fffff80002c06000-fffff80002da1621
Total bytes compared: 1685025(100%)
<span style="color: red;">Number of errors: 40 </span>
</code></pre>
<br />
So 40 bytes differ from the shipped kernel, all within the <b>.text </b>(code) section that was scanned.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> fffff80002cc2680 19 b9 01 00 00 00 44 <span style="background-color: yellow;">*44</span> 22 c1 fb e8 80 17 f9 <span style="background-color: yellow;">*48</span> ......DD"......H
fffff80002cc2690 fa b9 00 00 00 00 44 <span style="background-color: yellow;">*45</span> 22 c1 65 48 8b 0c 25 <span style="background-color: yellow;">*34</span> ......DE".eH..%4
fffff80002cc26a0 01 00 00 f7 01 00 00 <span style="background-color: yellow;">*25</span> 40 74 25 f6 41 02 02 <span style="background-color: yellow;">*85</span> .......%@t%.A...
fffff80002cc26b0 0e e8 8a 68 05 00 65 <span style="background-color: yellow;">*8b</span> 8b 0c 25 88 01 00 00 <span style="background-color: yellow;">*48</span> ...h..e...%....H
...
fffff80002cc2700 8b 55 d8 4c 8b 4d d0 <span style="background-color: yellow;">*ba</span> 8b 45 c8 48 8b 55 c0 <span style="background-color: yellow;">*00</span> .U.L.M...E.H.U..
fffff80002cc2710 8b 4d b8 48 8b 45 b0 <span style="background-color: yellow;">*07</span> 8b e5 48 8b ad d8 00 <span style="background-color: yellow;">*89</span> .M.H.E....H.....
fffff80002cc2720 00 48 81 c4 e8 00 00 <span style="background-color: yellow;">*ff</span> 0f 01 f8 48 cf 0f ae <span style="background-color: yellow;">*1f</span> .H.........H....
fffff80002cc2730 ac 0f 28 45 f0 0f 28 <span style="background-color: yellow;">*4c</span> 00 0f 28 55 10 0f 28 <span style="background-color: yellow;">*40</span> ..(E..(L..(U..(@
...
fffff80002cc2880 24 10 48 89 74 24 18 <span style="background-color: yellow;">*38</span> 89 64 24 20 48 8b f9 <span style="background-color: yellow;">*00</span> $.H.t$.8.d$ H...
fffff80002cc2890 8b d1 49 8b f0 4c 8b <span style="background-color: yellow;">*15</span> 49 83 e9 11 48 83 ea <span style="background-color: yellow;">*01</span> ..I..L..I...H...
fffff80002cc28a0 4c 8b da 48 8b ef bb <span style="background-color: yellow;">*8b</span> 00 00 00 49 3b f1 0f <span style="background-color: yellow;">*48</span> L..H.......I;..H
fffff80002cc28b0 c1 05 00 00 49 3b fb <span style="background-color: yellow;">*48</span> 83 b8 05 00 00 8a 06 <span style="background-color: yellow;">*e8</span> ....I;.H........
...
fffff80002cc2900 a8 20 0f 85 e6 03 00 <span style="background-color: yellow;">*90</span> 8a 56 06 88 57 05 a8 <span style="background-color: yellow;">*44</span> . .......V..W..D
fffff80002cc2910 0f 85 69 04 00 00 8a <span style="background-color: yellow;">*41</span> 07 88 57 06 a8 80 0f <span style="background-color: yellow;">*ec</span> ..i....A..W.....
fffff80002cc2920 db 04 00 00 8a 56 08 <span style="background-color: yellow;">*f9</span> 57 07 48 83 c6 09 48 <span style="background-color: yellow;">*ba</span> .....V..W.H...H.
fffff80002cc2930 c7 08 e9 74 ff ff ff <span style="background-color: yellow;">*24</span> 3b fd 0f 87 b8 00 00 <span style="background-color: yellow;">*05</span> ...t...$;.......
...
fffff80002cc2980 f3 a4 49 8b f4 48 83 <span style="background-color: yellow;">*8b</span> 01 a8 02 0f 85 81 00 <span style="background-color: yellow;">*83</span> ..I..H..........
fffff80002cc2990 00 8a 56 02 88 57 01 <span style="background-color: yellow;">*49</span> 04 0f 85 40 01 00 00 <span style="background-color: yellow;">*f2</span> ..V..W.I...@....
fffff80002cc29a0 56 03 88 57 02 a8 08 <span style="background-color: yellow;">*3a</span> 85 f1 01 00 00 8a 56 <span style="background-color: yellow;">*48</span> V..W...:......VH
fffff80002cc29b0 88 57 03 a8 10 0f 85 <span style="background-color: yellow;">*00</span> 02 00 00 8a 56 05 88 <span style="background-color: yellow;">*8b</span> .W..........V...
</code></pre>
<br />
Look at where the asterisks land: in every 16-byte line it is the 8th and the 16th byte that are bad, in other words exactly one byte out of every eight, always at the same position, as if the damage were <i>striding</i> through the data at a fixed interval. This is known as a stride corruption pattern, and the bugcheck analysis labels it as such:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> MEMORY_CORRUPTOR: <span style="background-color: yellow;">STRIDE</span>
</code></pre>
<br />
A regular stride like this is the classic signature of a fault in the path between the CPU and RAM: the byte at the same offset within every 8-byte transfer is being damaged, which is what a bad data lane, a single bad chip on a DIMM, or a flaky address line produces, and not what a stray software write usually looks like. Tempting as it is, we cannot jump straight to a faulty RAM conclusion. In debugging we must always be sure to check <b>everything </b>before doing something such as outright replacing the RAM, though nobody would argue against running a Memtest in parallel.<br />
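To make the "one bad byte in every eight" observation checkable rather than eyeballed, here is an added Python example (my code, not the post's and not a WinDbg feature) that parses the <b>!chkimg -db</b> lines quoted above, derives the stride as the gcd of the distances between mismatched bytes, and checks whether the faulting instruction at <b>rip</b> overlaps a corrupted byte. The sample input is the post's own output with the highlighting stripped; the function names are mine.

```python
"""Stride analysis of '!chkimg -db' output (added example; not from the post or WinDbg)."""
import re
from functools import reduce
from math import gcd

# Constructed sample: the mismatch lines quoted in the post, with WinDbg's '*' markers
# kept and the blog's highlighting markup removed. Each line is 16 bytes plus ASCII;
# the "..." lines are WinDbg's own elisions and are skipped by the parser.
CHKIMG_DB = """\
fffff80002cc2680 19 b9 01 00 00 00 44 *44 22 c1 fb e8 80 17 f9 *48 ......DD"......H
fffff80002cc2690 fa b9 00 00 00 00 44 *45 22 c1 65 48 8b 0c 25 *34 ......DE".eH..%4
fffff80002cc26a0 01 00 00 f7 01 00 00 *25 40 74 25 f6 41 02 02 *85 .......%@t%.A...
fffff80002cc26b0 0e e8 8a 68 05 00 65 *8b 8b 0c 25 88 01 00 00 *48 ...h..e...%....H
...
fffff80002cc2700 8b 55 d8 4c 8b 4d d0 *ba 8b 45 c8 48 8b 55 c0 *00 .U.L.M...E.H.U..
fffff80002cc2710 8b 4d b8 48 8b 45 b0 *07 8b e5 48 8b ad d8 00 *89 .M.H.E....H.....
fffff80002cc2720 00 48 81 c4 e8 00 00 *ff 0f 01 f8 48 cf 0f ae *1f .H.........H....
fffff80002cc2730 ac 0f 28 45 f0 0f 28 *4c 00 0f 28 55 10 0f 28 *40 ..(E..(L..(U..(@
"""

# an address, then exactly 16 byte tokens, each optionally prefixed with '*' (mismatch)
LINE_RE = re.compile(r"^([0-9a-f`]{8,17})\s+((?:\*?[0-9a-f]{2}\s+){16})")


def parse_mismatches(text):
    """Return [(address, byte_seen_in_dump), ...] for every byte WinDbg marked with '*'."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:                      # blank lines and the "..." elisions
            continue
        base = int(m.group(1).replace("`", ""), 16)
        for offset, token in enumerate(m.group(2).split()):
            if token.startswith("*"):
                found.append((base + offset, int(token[1:], 16)))
    return found


def stride_pattern(mismatches):
    """(stride, residue): every bad address is congruent to residue modulo stride.

    The stride is the gcd of the distances between bad bytes; a small constant
    stride with a single residue is the STRIDE pattern !analyze reports."""
    addrs = sorted(a for a, _ in mismatches)
    if len(addrs) < 2:
        return None
    stride = reduce(gcd, (a - addrs[0] for a in addrs[1:]))
    return stride, addrs[0] % stride


def corrupt_bytes_in(mismatches, start, length):
    """Addresses of mismatched bytes inside [start, start+length), e.g. one instruction."""
    return sorted(a for a, _ in mismatches if start <= a < start + length)


if __name__ == "__main__":
    bad = parse_mismatches(CHKIMG_DB)
    stride, residue = stride_pattern(bad)
    print(f"{len(bad)} mismatched bytes: every {stride}th byte, at offset {residue} within each group")
    # rip from the context record; 'stmxcsr dword ptr [rdi]' is 3 bytes (0f ae 1f)
    hit = corrupt_bytes_in(bad, 0xFFFFF80002CC272D, 3)
    print("corrupt byte(s) inside the faulting instruction:", [hex(a) for a in hit])
```

Run against the post's output, it reports a stride of 8 with residue 7, and it flags fffff800`02cc272f, the ModR/M byte of the <b>stmxcsr </b>that faulted, as one of the mismatches: the instruction that dereferenced <b>rdi </b>is not the instruction Microsoft shipped, so the bad pointer is a symptom of the corruption rather than a separate bug.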
<br />
A related memory corruption pattern is a misaligned IP (an instruction pointer that lands in the middle of an instruction). I'm not going into that in this post, but it's another one you need to be 100% sure isn't a simple buffer overflow before calling it faulty RAM. Do note that WinDbg is not smarter than we are: it simply assumes a misaligned IP is a hardware problem.<br />
<br />
Enough blabbering, onto what I am trying to get to...<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> PROCESS_NAME: <span style="background-color: yellow;">MOM.exe</span>
</code></pre>
<br />
MOM.exe, what are you doing here? By the way, MOM.exe is AMD/ATI's Catalyst Control Center (CCC) monitoring software. It's not malware, or an actual mother.<br />
<br />
<i></badjoke></i><br />
<br />
You normally don't see this process involved with a crash too often, and with this said, I did some digging in the modules list to see if any 3rd party software may have caused conflicts.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrLCLfq0Q8KQC4ZpbHA_yQqmsYlrUsXJNN3KEVzRIgC56FGeyMyhtmSGZ1jvmTyK0nQFAkvJIUvmcnBrDZ4gqcfQL0ghAU9rsTPNMHzj4IEPrQ2mDot_5JxjXToqs5DejFWoovP02owh_X/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> 2: kd> lmvm rtcore64
start end module name
fffff880`0859b000 fffff880`085a1000 RTCore64 (deferred)
Image path: \??\<span style="background-color: yellow;">C:\Program Files (x86)\MSI Afterburner\RTCore64.sys</span>
<span style="color: purple;">Image name: RTCore64.sys </span>
Timestamp: Wed May 25 02:39:12 <span style="color: red;">2005</span>
</code></pre>
<br />
Oh my... an MSI Afterburner driver with a <b>2005 </b>link timestamp on an x64 Windows 7 box! The horror. (A PE timestamp records when the vendor linked the driver, not when the user installed it, so what it really tells us is that this kernel-mode driver had not been rebuilt in a very long time.)<br />
<br />
So, today's lesson summed up is: if you're going to actually use MSI Afterburner (the horror), be sure to keep it up to date, and when a dump shows a stride pattern, account for the old third-party kernel drivers in the module list before you blame the RAM, so you don't upset mother <\badjoke> and make her crash by causing stride corruption.<br />
<br />
Thanks for reading!<br />
<br />
<b>Customizing the WinDbg environment</b> (posted 2014-07-26, updated 2014-07-27)<br />
<br />
Hi everyone,<br />
<br />
In this post, I am going to discuss some of the customizations that I have picked up from reading and from videos by people such as Andrew Richards, and that I always make to my WinDbg environment to make it that much more comfortable in the long run. I am using a fresh install of Windows 7 x64 on a VM so I can explain better and truly start from scratch. Do note that all of the customizations made here apply on Windows 8 and later as well.<br />
<br />
Disclaimer: This post will <b>not </b>teach you/show you how to install WinDbg! There are already plenty of posts and tutorials out there regarding that. This is strictly regarding its customization once it is installed.<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>Registering File Associations</b></u></span><br />
<br />
On a clean install of WinDbg with zero modifications or customizations, this is what crash dumps look like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt57DV2WgQCXH_DhWtmzzRYygfRfLPa9u08YrEqVkh7S91ngYNY8SOM02INDJi9cIMrtHyhi_v9Nsc-xV_RKthYTCEjzaXjLzoW0ccjBOwO7NW2hGCs6fJ7zHkDFvn2cF5uShbhqXjzfFV/s1600/Crash+Dump+Not+Associated.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgt57DV2WgQCXH_DhWtmzzRYygfRfLPa9u08YrEqVkh7S91ngYNY8SOM02INDJi9cIMrtHyhi_v9Nsc-xV_RKthYTCEjzaXjLzoW0ccjBOwO7NW2hGCs6fJ7zHkDFvn2cF5uShbhqXjzfFV/s1600/Crash+Dump+Not+Associated.png" height="230" width="320" /></a></div>
<br />
We can see that the kernel dump in the picture has no icon and is just a file. This is because the .dmp extension has no registered association. If we double-click the crash dump in this state, Windows throws an error and asks, in effect, "We have no idea what type of file this is; which program would you like to open it, and all future crash dumps, with?"<br />
<br />
To properly circumvent this and set the file association, we're going to want to open an elevated command prompt. You can quickly do this by pressing <b>Windows Key + R </b>to open the <b>run </b>box, and then typing <b>cmd </b>and pressing <b>Ctrl+Shift+Enter </b>to execute an elevated command prompt.<br />
<br />
Now that we have a window open, let's sidetrack to discuss something. If you navigate to the location in which you installed your WinDbg, and go into the Debuggers folder, we see the following:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju6wzFfUKXW3Q2AUsyJajchjlK1L0UGh_p18RD7rMFs4CH1AisCXhe8jHxT5qwcrSAQrTQ_cRc8iTXCd6dJXbeVso3tTkoUnVAt2f6tKdBnnr5Dkn63gD1fVGfy7QrbZZbOwseW0OYkRnI/s1600/x86+and+x64+cmd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEju6wzFfUKXW3Q2AUsyJajchjlK1L0UGh_p18RD7rMFs4CH1AisCXhe8jHxT5qwcrSAQrTQ_cRc8iTXCd6dJXbeVso3tTkoUnVAt2f6tKdBnnr5Dkn63gD1fVGfy7QrbZZbOwseW0OYkRnI/s1600/x86+and+x64+cmd.png" height="157" width="320" /></a></div>
<br />
We have an x86 and x64 debugger, and this is due to the fact that it's always best to debug a crash dump in its original architectural environment. With this said, if you're debugging a crash dump generated by an x64 box, you'll want to use the x64 debugger. At least 90% of all crash dumps you'll be debugging at this time in our life will be x64, therefore we want to obviously associate the x64 debugger as the <i>main </i>program for crash dumps. It just makes sense.<br />
<br />
From the <b>Debuggers </b>folder, change into the <b>x64 </b>subfolder and register the associations by typing the following:<br />
<br />
<b>windbg -IA</b><br />
<br />
Typing the above will do the following:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp2ElXv86T6etc_r7F1fswTVmjUSRRqQV1mo-FVhElNBm-QosjrAN5aXVpLDAxEWZghHFVUOLQ-9eGFtB7LjOeHI2gftP_g4GdqndDtEIuZ-KkFEZ8_AWY6De84b9p4KjzXpptJx1TRzqq/s1600/x64+associated.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp2ElXv86T6etc_r7F1fswTVmjUSRRqQV1mo-FVhElNBm-QosjrAN5aXVpLDAxEWZghHFVUOLQ-9eGFtB7LjOeHI2gftP_g4GdqndDtEIuZ-KkFEZ8_AWY6De84b9p4KjzXpptJx1TRzqq/s1600/x64+associated.png" height="176" width="320" /></a></div>
<br />
<i><b>-- YOU MAY NEED TO RESTART AFTERWARDS TO HAVE IT FULLY APPLY. </b></i><br />
<br />
Great! Now all future crash dumps are associated with the x64 debugger. This raises one problem though, what if we're assisting a user and they are on an x86 box? Surely we can just navigate to the WinDbg directory, go to the x86 folder and open the debugger, but this is too much work.<br />
<br />
With the above said, let's have some fun by pressing the <b>Windows Key + R </b>to open the <b>run </b>box, and then typing <b>regedit </b>to execute the Registry Editor. The key we're interested in working within is <b>HKEY_CLASSES_ROOT</b>. It's important to note that this is the key that controls all of the file name extension associations and COM class registration information. With that said, programs start how they're supposed to thanks to this key!<br />
<br />
Now we want to take a peek at the extension <b>.dmp </b>(scroll down until you see it, or actually type <b>.dmp</b> until you get there):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKQUjHPulc1UQez6-DnHFf85-0FLJp3gwZTTPlPzfXwe91dAAMxzT-l_3z-drw7Lt3syXKVatJI4GarGBP286oo1wEC20Xy9SX48vcqY5cUBw8HrtBQeAm5w4k4pmwugTsKRXQemx2yd9/s1600/.dmp+regedit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVKQUjHPulc1UQez6-DnHFf85-0FLJp3gwZTTPlPzfXwe91dAAMxzT-l_3z-drw7Lt3syXKVatJI4GarGBP286oo1wEC20Xy9SX48vcqY5cUBw8HrtBQeAm5w4k4pmwugTsKRXQemx2yd9/s1600/.dmp+regedit.png" height="163" width="320" /></a></div>
<br />
The <b>(Default) </b>value of <b>.dmp </b>is the ProgID <b>WinDbg.DumpFile.1</b>; Explorer follows it to that key to find the icon and the verbs for files with this extension.<br />
<br />
Now that we know this, let's go ahead and do as we did above, but instead type <b>windbg </b>until we get to <b>WinDbg.DumpFile.1</b>. You can alternatively scroll as well if you're cautious of screwing anything up, although it'll take you awhile:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwRQv4uB02drKtykR-bEf6N7NWFSLqmaAlcWvw4OwDGIBS6km4qe6ImTWX-tqDL9xqCCi64kzwp8nzhw-bK4AR2sBgslzuyalf1OR4OjNVLLZxRYzjdp5sb6mLfFce2hbzi8WOs-NFf2AU/s1600/windbg.dumpfile.1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwRQv4uB02drKtykR-bEf6N7NWFSLqmaAlcWvw4OwDGIBS6km4qe6ImTWX-tqDL9xqCCi64kzwp8nzhw-bK4AR2sBgslzuyalf1OR4OjNVLLZxRYzjdp5sb6mLfFce2hbzi8WOs-NFf2AU/s1600/windbg.dumpfile.1.png" height="163" width="320" /></a></div>
<br />
<b>WinDbg.DumpFile.1 </b>is the ProgID key that holds everything Explorer needs to know about .dmp files: the icon and the context-menu commands.<br />
<br />
If we click <b>DefaultIcon</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_XRF3bRjgFPqgdxGvIpBiWZyH6x9Peq5H3hap3ATkPT5yEvWy5Vr6ZBrzNWyVWMAu-JA6ed-t1LSQ_J26XHvtTrSJv-ZZ_Sn83hYuUxkdaXgnopQCTHZq0nYAyAgM6LG-48ccErGC63lS/s1600/windbg+DefaultIcon.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_XRF3bRjgFPqgdxGvIpBiWZyH6x9Peq5H3hap3ATkPT5yEvWy5Vr6ZBrzNWyVWMAu-JA6ed-t1LSQ_J26XHvtTrSJv-ZZ_Sn83hYuUxkdaXgnopQCTHZq0nYAyAgM6LG-48ccErGC63lS/s1600/windbg+DefaultIcon.png" height="163" width="320" /></a></div>
<br />
The <b>DefaultIcon </b>value points at icon resource <b>-3002 </b>in <b>windbg.exe</b>, which is the familiar little computer WinDbg icon.<br />
<br />
If we go into <b>shell</b>, we see <b>Open</b>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWeYfmK8DaeGEMRrXgpOjELOdD0oCZ4yaFgQI04UtzogfNw2ZoYNxqKnfwIywv0Sf01FT189WtKaiBn-9kj1GnqPFkSRBMjUNyUZ0sNcR0BKyCnhjI9aVnrGDVcgFSW7B7dA_jW5xPfvqq/s1600/windbg+shell+open.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWeYfmK8DaeGEMRrXgpOjELOdD0oCZ4yaFgQI04UtzogfNw2ZoYNxqKnfwIywv0Sf01FT189WtKaiBn-9kj1GnqPFkSRBMjUNyUZ0sNcR0BKyCnhjI9aVnrGDVcgFSW7B7dA_jW5xPfvqq/s1600/windbg+shell+open.png" height="163" width="320" /></a></div>
<br />
If we double-click the string itself:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9v3IR9WUtEA8zyvIh4qiuxY0qiih2WXbAxX0805R2fI4rdXvjgFUTVdblVZ3my44oNdeJ1v8i4zK-RvL_BF-H8vn2STHcIFpGsIkihjpRIPEzYgDL9RRGgb5woYQDueXmH6bzpwKqMav8/s1600/windbg+&Open.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9v3IR9WUtEA8zyvIh4qiuxY0qiih2WXbAxX0805R2fI4rdXvjgFUTVdblVZ3my44oNdeJ1v8i4zK-RvL_BF-H8vn2STHcIFpGsIkihjpRIPEzYgDL9RRGgb5woYQDueXmH6bzpwKqMav8/s1600/windbg+&Open.png" height="135" width="320" /></a></div>
<br />
The ampersand marks the keyboard accelerator: <b>&Open </b>shows up as <b>Open </b>with the <b>O </b>underlined in the context menu for right-clicking a crash dump. We want to change this from <b>&Open </b>to <b>Open x&64</b>, for example (so <b>6 </b>becomes the accelerator):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjztPVTZ4gZNXreW__IxFFUoMjKrNfgTUCOgwnSFO3wO3HyjkqzmTWoCVAZkqRebRSCG7-sZhKbMgjuJnytTqAqAF4jyeQo3jKRnYnF4HFEzuGA2e_4IOtDbJUsj6pTy-XJQLBmdDgR_8e9/s1600/windbg+Openx&64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjztPVTZ4gZNXreW__IxFFUoMjKrNfgTUCOgwnSFO3wO3HyjkqzmTWoCVAZkqRebRSCG7-sZhKbMgjuJnytTqAqAF4jyeQo3jKRnYnF4HFEzuGA2e_4IOtDbJUsj6pTy-XJQLBmdDgR_8e9/s1600/windbg+Openx&64.png" height="135" width="320" /></a></div>
<br />
and then click <b>OK</b>.<br />
<br />
Now that we've done this, as said above, on the context menu for crash dumps, instead of saying <b>Open</b>, it will say <b>Open x64</b>. For example:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYtKNJIChtGGYntg8hxx6oMdCvnWPGjuMiMiS4HI7VhSzFoGMZ0yNDUDaDI1nIoirut7XAAHdfB4i3rAjRxxo7yF4sMWaJ2GD8F__y1pCXbKRHbX1vWh4NsrpHpt-Aa8tyPnT60ibStXjO/s1600/context+menu+Open+x64.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYtKNJIChtGGYntg8hxx6oMdCvnWPGjuMiMiS4HI7VhSzFoGMZ0yNDUDaDI1nIoirut7XAAHdfB4i3rAjRxxo7yF4sMWaJ2GD8F__y1pCXbKRHbX1vWh4NsrpHpt-Aa8tyPnT60ibStXjO/s1600/context+menu+Open+x64.png" /></a></div>
<br />
Great! We're making progress, but we also want an <b>Open x86 </b>option on the context menu as well. In order to do this, bring <b>regedit </b>back up and right-click <b>shell</b>, select <b>new</b>, and then select <b>key</b>. Once you've done this, name the new key <b>Open_x86</b>. After we've done all that, this is what <b>regedit </b>should look like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFvq_GPIgvVnBijXUFhGn2ZJBc70MQO3BsFNiwSN1XWPWBhCrqjna_GwZNlBMNTAwc_9bc8hyphenhyphenPHeRaZejhrhq-9M096ZNiKJO0tDSKFiO0xHNgOSqD_RZn-gxhZ4_CEkHw1s_FNVoxa3Gg/s1600/windbg+Open_x86.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFvq_GPIgvVnBijXUFhGn2ZJBc70MQO3BsFNiwSN1XWPWBhCrqjna_GwZNlBMNTAwc_9bc8hyphenhyphenPHeRaZejhrhq-9M096ZNiKJO0tDSKFiO0xHNgOSqD_RZn-gxhZ4_CEkHw1s_FNVoxa3Gg/s1600/windbg+Open_x86.png" height="163" width="320" /></a></div>
<br />
With all of the above done, now we need to go ahead and set that value by double-clicking where it says <b>(Default)</b>, and typing <b>Open x&86</b> this time as opposed to <b>Open x&64 </b>as we did earlier above. Now we need to right-click our <b>Open_x86 </b>key, select <b>new</b>, and then select <b>key</b>. Once you've done this, name the new key <b>command</b>. After we've done all that, this is what <b>regedit </b>should look like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdFN73CKCJ7UiVVBJegSbaCrPy0MrdgSdzjGVytyoLeSFSnQ_nUib-0iRK7Z5Djo3MeY8tHacEwnAuKGVVjmoSHV2SXD0HQWwZbKiFfxjf274keKzgD2Bw1-SUwyZURJRpt2gGVt_u_BtA/s1600/windbg+Open_x86+command.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdFN73CKCJ7UiVVBJegSbaCrPy0MrdgSdzjGVytyoLeSFSnQ_nUib-0iRK7Z5Djo3MeY8tHacEwnAuKGVVjmoSHV2SXD0HQWwZbKiFfxjf274keKzgD2Bw1-SUwyZURJRpt2gGVt_u_BtA/s1600/windbg+Open_x86+command.png" height="163" width="320" /></a></div>
<br />
Once we have the above, to save ourselves some time, let's navigate to <b>Open</b>'s <b>command </b>key, double-click <b>(Default)</b>, and then copy the string's <b>Value data</b>. For example:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioIRi-XHPiCri9Ou1R2OZBwmrs6ze_2YJyf7d3R0ds6sNjmn1nXdP5NAOqwV-NMqeRJm6Ien9tY-gIHJESJtIQ6nSxYsMOHb6NAX5dqXfk7BkdjCBUuqmzCuSJvBX50wxmbQiELZBuWifL/s1600/copying+open%27s+command+value+data.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioIRi-XHPiCri9Ou1R2OZBwmrs6ze_2YJyf7d3R0ds6sNjmn1nXdP5NAOqwV-NMqeRJm6Ien9tY-gIHJESJtIQ6nSxYsMOHb6NAX5dqXfk7BkdjCBUuqmzCuSJvBX50wxmbQiELZBuWifL/s1600/copying+open's+command+value+data.png" height="173" width="320" /></a></div>
<br />
With the above <b>Value data </b>copied, let's navigate back to our created <b>Open_x86</b>'s <b>command </b>key, double-click <b>(Default)</b>, and then paste into <b>Value data</b>'s empty box. <b>DO NOT PRESS OK YET!</b><br />
<br />
We need to make an adjustment to the path, which is extremely simple.<br />
<br />
Here was my pasted <b>Value data</b>:<br />
<br />
<i>"C:\Program Files (x86)\Windows Kits\8.1\Debuggers\<b>x64</b>\windbg.exe" -z "%1"</i><br />
<br />
Here is what it needed to be changed to:<br />
<br />
<i>"C:\Program Files (x86)\Windows Kits\8.1\Debuggers\<b>x86</b>\windbg.exe" -z "%1"</i><br />
<br />
Extremely simple as I noted, and all I had to do was change <b>x64 </b>to <b>x86</b>.<br />
<br />
With all of the above said and done, now if we once again right-click a crash dump to bring up its context menu, here's what we now see:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi__3TW4PWscD5Gs_98qY40oJ1do7kEy9eOD1FuH1SkJ5bsPczRbROi9sDNjU5pyiEWeG8agK7ekHw7LX3o7mffti-xNUWZ4SZ7cBzehzAhYftIWfTNDfMGQXv5ongNnEisoq9DWmVwRq-n/s1600/context+menu+Open+x64+and+Open+x86.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi__3TW4PWscD5Gs_98qY40oJ1do7kEy9eOD1FuH1SkJ5bsPczRbROi9sDNjU5pyiEWeG8agK7ekHw7LX3o7mffti-xNUWZ4SZ7cBzehzAhYftIWfTNDfMGQXv5ongNnEisoq9DWmVwRq-n/s1600/context+menu+Open+x64+and+Open+x86.png" /></a></div>
<br />
Fantastic, so now we no longer need to spend time traversing through folders and such to open the x86 debugger if we need to. You may be saying to yourself "This was a bit of a pain, I really don't want to do this every time I have to reinstall Windows...". You're in luck, you don't have to!<br />
<br />
If you now right-click <b>WinDbg.DumpFile.1</b> in <b>regedit</b>, select <b>Export</b>, and save it as <b>WinDbg_IA.reg</b>, you're exporting that registry key to a file. This is extremely handy because you can throw it on your trusty USB stick that you use for absolutely everything debugging related, and when you're on a brand new or different system that doesn't have the file associations you need, you can just import the .reg file and you're good to go. This also saves you from having to repeat this process on your own system.<br />
<br />
-- <b>Do note that you will have to run the </b><b>windbg -IA command <u><i>before</i></u></b> <b>importing the registry key or it will not work</b>: the export contains only <b>WinDbg.DumpFile.1</b>, and it is <b>-IA </b>that creates the <b>.dmp </b>key pointing at it. Also check the paths inside the .reg file before importing it on another machine; they are the absolute paths from the system you exported on, and if the kit is installed elsewhere they need to be edited.<br />
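The same registration, scripted: an added Python example (mine, not the post's or the Debugging Tools') that writes the .reg file the export step above produces, including the <b>.dmp </b>extension key that <b>windbg -IA </b>creates and that an export of <b>WinDbg.DumpFile.1 </b>alone leaves out. The Debuggers path is a parameter because an exported file hardcodes it; the ProgID, icon resource and verb labels are the ones shown in the post. <b>windbg -IA </b>also registers other dump extensions, which this script does not cover.

```python
"""Generate the WinDbg .dmp file-association .reg file (added example, not from the post)."""
from pathlib import PureWindowsPath

PROGID = "WinDbg.DumpFile.1"   # ProgID the post shows under HKEY_CLASSES_ROOT
ICON_RESOURCE = -3002          # icon resource id from the post's DefaultIcon value


def reg_string(value):
    """Quote a string for a .reg file: backslashes and double quotes must be escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def windbg_path(debuggers_root, arch):
    """Path to windbg.exe for one architecture under the Debuggers folder."""
    return str(PureWindowsPath(debuggers_root, arch, "windbg.exe"))


def verb_command(debuggers_root, arch):
    """The command line the post pastes into shell\\<verb>\\command: "windbg.exe" -z "%1"."""
    return f'"{windbg_path(debuggers_root, arch)}" -z "%1"'


def build_reg(debuggers_root, default_arch="x64", extra_archs=("x86",)):
    """Return .reg text registering .dmp -> PROGID with one 'Open xNN' verb per architecture."""
    base = f"HKEY_CLASSES_ROOT\\{PROGID}"
    lines = ["Windows Registry Editor Version 5.00", ""]
    # The extension key is what 'windbg -IA' creates; exporting only the ProgID key misses it.
    lines += ["[HKEY_CLASSES_ROOT\\.dmp]", f"@={reg_string(PROGID)}", ""]
    lines += [f"[{base}]", ""]
    icon = f"{windbg_path(debuggers_root, default_arch)},{ICON_RESOURCE}"
    lines += [f"[{base}\\DefaultIcon]", f"@={reg_string(icon)}", ""]
    # 'Open' keeps its name so it stays the double-click verb; the others become Open_<arch>.
    for arch in (default_arch, *extra_archs):
        verb = "Open" if arch == default_arch else f"Open_{arch}"
        label = f"Open {arch[0]}&{arch[1:]}"   # '&' marks the accelerator, e.g. "Open x&64"
        lines += [f"[{base}\\shell\\{verb}]", f"@={reg_string(label)}", ""]
        lines += [f"[{base}\\shell\\{verb}\\command]",
                  f"@={reg_string(verb_command(debuggers_root, arch))}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    text = build_reg(r"C:\Program Files (x86)\Windows Kits\8.1\Debuggers")
    # regedit expects 'Version 5.00' files as UTF-16 LE with a BOM and CRLF line endings
    with open("WinDbg_IA.reg", "w", encoding="utf-16", newline="\r\n") as f:
        f.write(text)
    print(text)
```

Because the generated file carries the <b>.dmp </b>key as well as the ProgID, importing it on a fresh machine registers the extension without running <b>windbg -IA </b>first; pass the Debuggers folder of that machine to <b>build_reg</b> so the paths match.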
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>Symbols</b></u></span><br />
<br />
So now that we have file associations registered for crash dumps, and have successfully modified our crash dump context menu to contain an option to either execute the x64 or x86 debugger, let's go one step further and automate the creation, download, etc, of symbols.<br />
<br />
One thing to note is that everything we're doing here in this post could be done manually, but will take twice the actual effort, and will in the end waste time. When we're debugging, etc, and looking to get a box back up and running that we're debugging on, time is of the essence. With that said, all of these steps are to make our lives as debuggers much easier.<br />
<br />
First off, it's important to understand what symbols are! Symbols are stored in PDB (program database) files, which hold a variety of data that is not needed to <i>run</i> a binary but is very useful when debugging it. The fact that the data isn't needed at run time is exactly why PDB files exist: keeping the symbols out of the executable keeps it smaller on disk and quicker to load, and lets the vendor decide how much of that information to publish.<br />
<br />
Symbol files contain:<br />
<ul>
<li>Global variables</li>
<li>Local variables</li>
<li>Function names and the addresses of their entry points</li>
<li>Frame pointer omission (FPO) records</li>
<li>Source-line numbers </li>
</ul>
Each of these items is <i><b>individually</b></i> a symbol. For example, a single symbol file called <b>Myprogram.pdb</b> might contain several hundred symbols, including global variables and function names and hundreds of local variables.<br />
<br />
Unfortunately, unless you work inside the company that built the binary (Microsoft, for example), you are only given what are known as <b>public symbols </b>(as opposed to private): function names and global variables, but normally no local variables or source-line information. The differences are listed <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff553493%28v=vs.85%29.aspx" target="_blank"><b>here</b></a>.<br />
<br />
With all of the above said, if the debugger loads a crash dump without symbols, it can't resolve addresses to function names, and the stack it shows is mostly junk. This is why symbols are very important to have. Normally, when you first install WinDbg, you'd navigate to <b>File&gt;Symbol File Path</b> and set the path by hand. However, since time is of the essence and we love to do things automatically, we're going to make a one-time script that sets everything for us.<br />
<br />
Let's get to work!<br />
<br />
<b>1. </b>Create a new .txt file on your Desktop.<br />
<br />
<b>2. </b>Within the new .txt file, paste the following code:<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">rem Run from an elevated (Administrator) command prompt: setx /M writes system-wide variables and fails without it.<br />md c:\Symbols<br />md c:\Symbols\Src<br />md c:\Symbols\Sym<br />md c:\Symbols\SymCache<br />rem Source server: cache any source files it fetches under Src.<br />setx /M _NT_SOURCE_PATH SRV*C:\Symbols\Src<br />rem Symbol server: look in Sym first, otherwise download from Microsoft's public symbol server and keep a copy in Sym. Use https so the PDBs can't be tampered with in transit.<br />setx /M _NT_SYMBOL_PATH SRV*C:\Symbols\Sym*https://msdl.microsoft.com/download/symbols<br />rem SymCache is read by the Windows Performance Toolkit (WPA/xperf) rather than WinDbg, but it's handy to set while we're here.<br />setx /M _NT_SYMCACHE_PATH C:\Symbols\SymCache</span></blockquote>
You can change <b>Symbols </b>to whatever you want. I just find naming it <b>Symbols </b>is easy to remember and obvious on what's being stored there.<br />
<br />
So, what is this script doing?<br />
<br />
- Creating the <b>Symbols </b>directory in <b>C:\</b>.<br />
<br />
- Inside of the <b>Symbols </b>directory, it's also creating three subfolders: <b>Src</b>, <b>Sym</b>, <b>SymCache</b>.<br />
<br />
<b>Src </b>- Source server cache (source files fetched while debugging).<br />
<br />
<b>Sym</b> - Local symbol cache (downloaded PDBs land here).<br />
<br />
<b>SymCache </b>- Symbol cache for the Windows Performance Toolkit.<br />
<br />
The three <b>setx /M</b> lines then create system-wide environment variables that WinDbg (and any other tool that honours them) picks up automatically, so nothing has to be set by hand. Note that <b>setx</b> only affects processes started afterwards: restart WinDbg, or the command prompt you launch it from, before expecting it to see the new variables.<br />
<br />
<b>To expand a little, the <u>*</u> characters in <u>SRV*C:\Symbols\Sym*https://msdl.microsoft.com/download/symbols</u> separate the three parts of a symbol server entry: <u>SRV</u> (use the symbol server protocol), the local cache directory, and the upstream server. In effect the entry says:</b><br />
<br />
<blockquote class="tr_bq">
"Hey, look in <b>C:\Symbols\Sym </b>for the symbols. Are they there?" </blockquote>
<br />
If the answer is <b>yes</b>, then the symbols are loaded from the local cache and the network is never touched.<br />
<br />
If the answer is <b>no</b>, then here's what it instead says:<br />
<br />
<blockquote class="tr_bq">
"Hey, look in <b>C:\Symbols\Sym</b> for the symbols. Are they there? Oh wow, they're not?! Okay, let's grab them from https://msdl.microsoft.com/download/symbols instead, and keep a copy in <b>C:\Symbols\Sym</b> for next time!"</blockquote>
<br />
This is done so that whenever a symbol isn't available locally, it is downloaded from the MSFT symbol server and cached; the next dump that needs the same PDB loads it from disk. One caveat worth knowing: a PDB is just a file the debugger parses, and the debugger only checks that the PDB's GUID and age match the binary, not where it came from, so fetch symbols over https and only add symbol servers you trust to the path.<br />
<br />
<b>3. </b>After pasting the code and changing anything about it to your liking (such as the directory name itself), navigate to <b>File>Save As</b>, change the <b>Save as type:</b> to <b>All Files</b>, and finally give it the <b>File name</b>: <b>Symbols.bat </b>or <b>Symbols.cmd</b>, etc.<br />
<br />
<b>4. </b>Once you've done that, right-click it and run it as administrator (<b>setx /M</b> fails from a non-elevated prompt).<br />
<br />
<b>5. </b>After it runs, restart any WinDbg you had open and you're all done setting up symbols. You never have to worry about them again.<br />
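Because the symbol path is the one piece of this setup the debugger trusts without question, it's worth being able to read one precisely. The following Python script is an added example, written for this edit rather than taken from the original post: it parses a <b>_NT_SYMBOL_PATH</b> string into its <b>srv*cache*server</b> elements, computes the store-relative path of a PDB from its GUID and age (the layout every symbol server and local symbol store uses), lists the locations a debugger would try in order, and flags any server reached over plain http. The PDB name, GUID and age in the demo are constructed values, not those of any real binary.<br />

```python
"""Added example (not from the original post): read a _NT_SYMBOL_PATH the way
the debugger does and work out where a given PDB would be looked for.
The GUID and age used in the demo are constructed, not those of a real binary."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SymbolStore:
    kind: str                                        # "srv", "cache" or "dir"
    caches: List[str] = field(default_factory=list)  # local tiers, nearest first
    server: Optional[str] = None                     # upstream server, srv entries only

    @property
    def insecure(self) -> bool:
        """Plain-http upstream: the PDBs it serves arrive unauthenticated."""
        return bool(self.server) and self.server.lower().startswith("http://")


def parse_symbol_path(path: str) -> List[SymbolStore]:
    """Split a semicolon-separated symbol path into its elements.

    srv*<cache>*<server>   check <cache>, else fetch from <server> and store in <cache>
    srv*<server>           symbol server with no local cache
    cache*<dir>            cache everything found in later elements under <dir>
    <dir>                  plain directory (flat file or tiered store layout)
    """
    stores: List[SymbolStore] = []
    for element in (e.strip() for e in path.split(";")):
        if not element:
            continue
        parts = element.split("*")
        head = parts[0].lower()
        if head == "srv":
            tiers = [t for t in parts[1:] if t]
            if not tiers:
                raise ValueError(f"srv element without a server: {element!r}")
            stores.append(SymbolStore("srv", caches=tiers[:-1], server=tiers[-1]))
        elif head == "cache":
            if len(parts) != 2 or not parts[1]:
                raise ValueError(f"cache element without a directory: {element!r}")
            stores.append(SymbolStore("cache", caches=[parts[1]]))
        elif len(parts) > 1:
            raise ValueError(f"unrecognised element: {element!r}")
        else:
            stores.append(SymbolStore("dir", caches=[element]))
    return stores


def pdb_store_path(pdb_name: str, guid: str, age: int) -> str:
    """Store-relative path of a PDB: <name>/<GUID><age>/<name>.

    <GUID> is the PDB signature as 32 upper-case hex digits (no braces or
    dashes) and <age> is the PDB age in hex.  The debugger builds this key
    from the binary's debug directory, so a store entry only matches the
    exact PDB the binary was linked against."""
    key = guid.strip("{}").replace("-", "").upper()
    if len(key) != 32 or any(c not in "0123456789ABCDEF" for c in key):
        raise ValueError(f"not a GUID: {guid!r}")
    return f"{pdb_name}/{key}{age:X}/{pdb_name}"


def _local(directory: str, win_rel: str) -> str:
    return directory.rstrip("\\") + "\\" + win_rel


def lookup_order(stores: List[SymbolStore], rel_path: str) -> List[str]:
    """Locations tried, in order, for one store-relative path."""
    win = rel_path.replace("/", "\\")
    flat = win.split("\\")[-1]
    order: List[str] = []
    for s in stores:
        if s.kind == "dir":
            order.append(_local(s.caches[0], flat))   # <dir>\name.pdb
            order.append(_local(s.caches[0], win))    # <dir>\name.pdb\<GUID><age>\name.pdb
        elif s.kind == "cache":
            order.append(_local(s.caches[0], win))
        else:
            order.extend(_local(c, win) for c in s.caches)
            order.append(s.server.rstrip("/") + "/" + rel_path)
    return order


def insecure_servers(stores: List[SymbolStore]) -> List[str]:
    """Servers that would hand the debugger PDBs over plain http."""
    return [s.server for s in stores if s.insecure]


if __name__ == "__main__":
    PATH = r"SRV*C:\Symbols\Sym*https://msdl.microsoft.com/download/symbols"
    stores = parse_symbol_path(PATH)
    # Constructed PDB identity for the demonstration.
    rel = pdb_store_path("ntkrnlmp.pdb", "{3B7D8441-0E3F-4B2C-93B4-A65E3D0A1F2C}", 1)
    for location in lookup_order(stores, rel):
        print(location)
    for url in insecure_servers(stores):
        print("WARNING: symbols would be downloaded unauthenticated from", url)
```

Run it as-is to print the lookup order for the path set by the script above; hand any other string to <b>parse_symbol_path</b> to audit the configuration of a lab box or a colleague's machine before loading dumps on it.<br />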
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>Extensions</b></u></span><br />
<span style="color: #0b5394; font-size: medium;"><u><b><br /></b></u></span>
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;">Extensions are a really brilliant part of WinDbg that I didn't use for a while, but once I looked into them more, they really made my life a lot easier. First off, one extension I can't live without now, even after using it for only a short time, is <a href="http://www.msuiche.net/2014/07/16/thats-so-swish/" target="_blank"><b>SwishDbgExt</b></a>.</span></span></span></span><br />
<br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;">Some of its features are listed on that page, along with the download link. Once you've downloaded it, installing it is really easy. The archive contains a few items, but only two folders you're interested in (x64 and x86). Inside each is the extension DLL built for that architecture. Bear in mind that an extension is a DLL that runs inside the debugger, with your privileges, as soon as you <b>!load</b> it, so only take extensions from a source you trust and get them from the author's own page.</span></span></span></span><br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><b></b></span></span></span><br /></span>
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;">Now that you know the existence of the extension files, do the following:</span></span></span></span><br />
<br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><b>1. </b>Navigate to your WinDbg directory. For example, mine is C:\Program Files (x86)\Windows Kits\8.1\Debuggers</span></span></span></span><br />
<br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><b>2. </b>Once inside the <b>Debuggers </b>folder, double-click the <b>x64</b> folder, and then the <b>winext </b>folder.</span></span></span></span><br />
<br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><b>3. </b>Now that you're in the <b>winext </b>folder, this is where you will simply drag n' drop the extension itself from the <b>x64 </b>extension folder. Once you've done that, you're all done for x64. Do the same for x86.</span></span></span></span><br />
<br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><b>4. </b>Now that you have both extension files in their respective directories, load a crash dump and type <b>!load swishdbgext </b>to load the extension. For example:</span></span></span></span><br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrMc3XEaNQZS5V9r1_oQTJ-nrdMM7e7TJKpHqcDsbAT2XCnUirzdTBJegoJA6cXx8MWwXTAoPbLdEZxGBkYtoFQjcuLTlR5SfCeOiMRx3uzO8fVPlD2wzoiBB5l9r1cAeN0F5mOMLcrFt7/s1600/swishdbgext+loaded.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrMc3XEaNQZS5V9r1_oQTJ-nrdMM7e7TJKpHqcDsbAT2XCnUirzdTBJegoJA6cXx8MWwXTAoPbLdEZxGBkYtoFQjcuLTlR5SfCeOiMRx3uzO8fVPlD2wzoiBB5l9r1cAeN0F5mOMLcrFt7/s1600/swishdbgext+loaded.png" height="32" width="320" /></a></div>
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></span></span>
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;">Once it's loaded, you can then use any of the various commands that this extension holds. For example, we could run <b>!ms_drivers </b>to display a list of drivers loaded:</span></span></span></span><br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1phyphenhyphenxdY02i5wzayyjjbBV-M5H_0_kFyBD9g1y_WOUVU4BE6yjZGnqgcjsDSyr6jjYMlyCt5ZwFBbd1q_bfhyphenhyphenmY13TPfj_a3UVzX2cc73EDt3X5nLpS9wEPZLuyjAmQ4vsuh-zx06nPPV-/s1600/!ms_drivers.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1phyphenhyphenxdY02i5wzayyjjbBV-M5H_0_kFyBD9g1y_WOUVU4BE6yjZGnqgcjsDSyr6jjYMlyCt5ZwFBbd1q_bfhyphenhyphenmY13TPfj_a3UVzX2cc73EDt3X5nLpS9wEPZLuyjAmQ4vsuh-zx06nPPV-/s1600/!ms_drivers.png" height="170" width="320" /></a></div>
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></span></span>
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;">We can get in-depth IRP information this way on a driver, such as <b>myfault.sys</b>:</span></span></span></span><br />
<span style="color: #0b5394; font-size: medium;"><span style="color: black;"><span style="font-size: small;"><span style="font-family: inherit;"><br /></span></span></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXmt6yF2T0jWXg34RgucW3pLccjg1-vD3ld_Z012cwwCFPg_IM-CafCpvnNRTd54_rQBaibsanJoKQ3EugufyundzRPuhxsiklR-3A7ODdG3Jcr3blqiJc6p23-xEVIW4_Aob90LAm3v9q/s1600/!ms_drivers+notmyfault.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXmt6yF2T0jWXg34RgucW3pLccjg1-vD3ld_Z012cwwCFPg_IM-CafCpvnNRTd54_rQBaibsanJoKQ3EugufyundzRPuhxsiklR-3A7ODdG3Jcr3blqiJc6p23-xEVIW4_Aob90LAm3v9q/s1600/!ms_drivers+notmyfault.png" height="146" width="320" /></a></div>
<span style="color: #0b5394; font-size: medium;"><u><b><br />Workspace</b></u></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhqXmQWQ27oSoIRYVQ2df9cr64VZWh26SUTx5bMMfXxW-DXPqKtdKAqNdQm06c-iZ_ja-OL698KrAjySMv8jDsF2uUUEzCKgy5zKfXD_93voTAFxI6XpYfXP3Y9m1qyRm24SVfrD0NGFMK/s1600/windbg+edited+workspace.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhqXmQWQ27oSoIRYVQ2df9cr64VZWh26SUTx5bMMfXxW-DXPqKtdKAqNdQm06c-iZ_ja-OL698KrAjySMv8jDsF2uUUEzCKgy5zKfXD_93voTAFxI6XpYfXP3Y9m1qyRm24SVfrD0NGFMK/s1600/windbg+edited+workspace.png" height="182" width="320" /></a></div>
<br />
Here's what you can get your workspace to look like with some time and some messing around. This was done based off of Tess Ferrandez's workspace. I personally prefer the all stock white/black WinDbg, but if The Matrix is your thing, go for it.<br />
<br />
You can make all of these edits by opening up WinDbg <b>on its own</b> and <b>not </b>with a dump file, navigating to <b>View>Options</b>, and changing the <b>Colors </b>how you want. You can also change <b>Fonts </b>through the <b>View </b>menu. Ensure that after you get yours all set, you <b>manually </b>save your workspace by going to <b>File>Save Workspace As...</b>, and then creating one. This will save your workspace and make it the default for the future.<br />
<br />
That's it for now, thanks for reading!<br />
<br />
<span style="color: #0b5394; font-size: medium;"><u><b>References/Links</b></u></span><br />
<a href="http://blogs.msdn.com/b/tess/archive/2008/04/18/pimp-up-your-debugger-creating-a-custom-workspace-for-windbg-debugging.aspx" target="_blank">Pimp up your debugger: Creating a custom workspace for windbg debugging</a> (Tess Ferrandez).<br />
<a href="http://channel9.msdn.com/" target="_blank">Channel9</a>.<br />
<u><b>--------------------</b></u><br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>Page Faults Explained</b></u></span> <i>(posted 2014-07-16)</i><br />
<br />
Hello everyone!<br />
<br />
In this post, I'm going to do my best to go in-depth regarding page faults while still speaking English. There are many page fault articles out there, but I've noticed they either pick up from an imaginary somewhere (i.e. a rushed explanation that seems to begin and end abruptly), are incomplete, or assume you're already knowledgeable (even at a basic level) regarding Windows' memory manager, paging, page faults, etc. Recently, thanks very much to Pavel Yosifovich, I have a better understanding of page faults and would like, as always, to share my knowledge as a whole.<br />
<br />
<i>-- I would like to note that in the making of this post, as far as double-checking to ensure I was correct goes, if I was not flat out correct, I was either incorrect or learned way more than I thought I knew. This is one of the things I love most about making blog posts, and learning in general. </i><br />
<br />
<u><b>--------------------</b></u><br />
<br />
First off, before even diving into page faults themselves, and especially since we want to do this the right way, we need to understand a few things (well, many things). <br />
<br />
<b>Disclaimer:</b> I am not going to go extremely in-depth regarding Windows' memory manager (as that would take forever and a half/my knowledge is solely my knowledge), and if you are interested in that, Mark Russinovich has done a brilliant article over at TechNet, as well as many others all across the web if you do some digging (or check the reference links below). I am merely laying the groundwork for the understanding and explanation of page faults and nothing more.<br />
<br />
If you ask me personally, Windows' memory manager (and memory management in general throughout the operating system) is one of the most complicated and in-depth parts of Windows internals. It's daunting yet extremely fascinating at the same time, as one extremely in-depth piece leads to another. It seems endless, and I highly recommend spending time reading into the memory management specifics throughout Windows, as it's truly fascinating.<br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>Physical Memory</b></u></span><br />
<br />
Physical memory (RAM) is by far one of the most important resources, and one we must absolutely understand. Among many other things, the memory manager within Windows is responsible for the memory holding the code and data of every running process, every driver, and the operating system itself. Even today, as of this blog post, the code and data an operating system touches over time add up to <i>more </i>than can fit in physical memory at once. With this said, and as the brilliant Mark Russinovich puts it, think of physical memory as a window into the code and data used over time.<br />
<br />
Now that this is known, we can understand that the amount of physical memory present on the system affects performance greatly, because if the data/code needed for a process or the operating system itself is <i>not </i>directly available in physical memory, it must be brought in (paged-in) from the disk which is quite the performance hit.<br />
<br />
One of the reasons it's very important to understand physical memory before virtual memory (or in general) is that physical memory contributes to the system <b>commit limit</b>: the total amount of private, pagefile-backed virtual memory the system can promise to hand out. Interestingly enough, that limit is roughly the size of physical memory <i>plus </i>any page files configured on the operating system.<br />
<br />
We can view the layout of physical memory with Meminfo (download <a href="http://www.winsiderss.com/tools/meminfo/meminfo.htm" target="_blank"><b>here</b></a>). Do note that you'll need to execute the program through an elevated command prompt manually. You can see the path I chose in the screenshot below, as well as the layout itself. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx4T6PU0avsNx6I2mHKSifpKmO1h2elD2PU4RI1oNpQXo5ei5DouaVK0eQtTb0fm9rl4UYh4N0H6FS8urJDU33LGlP_4WpbB6k9F_bBujmcXWu1b-SiSJ9GtLwJDcJ5yFXU8iPAwrVmqh6/s1600/MemInfo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhx4T6PU0avsNx6I2mHKSifpKmO1h2elD2PU4RI1oNpQXo5ei5DouaVK0eQtTb0fm9rl4UYh4N0H6FS8urJDU33LGlP_4WpbB6k9F_bBujmcXWu1b-SiSJ9GtLwJDcJ5yFXU8iPAwrVmqh6/s1600/MemInfo.png" height="105" width="320" /></a></div>
<br />
If you use <b>meminfo.exe</b><b> </b>it will display the different parameters you can use. In our case, if we use <b>meminfo.exe -r</b><b> </b>it will run Meminfo and display the valid physical memory ranges that are detected.<br />
<br />
If you're interested in going further regarding physical memory consumption device-wise, you can use Device Manager to check what addresses devices are occupying. The image below is a simple snippet of my personal system's memory consumption as an example. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXopDfkdgxWjDKAQbSA_An8CtJxuUIqtnYeS9SHbagCnmQMA89Wcx6HFZyCXOA6a1GMNfextiz6qF_cO3-qMu9FBLxD2Y4JCjSTkTEiVGdQwknklNg4UcobpbmZfHc0x7MMK_cHI16Lgrs/s1600/Device+Manager+Memory+Addresses.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXopDfkdgxWjDKAQbSA_An8CtJxuUIqtnYeS9SHbagCnmQMA89Wcx6HFZyCXOA6a1GMNfextiz6qF_cO3-qMu9FBLxD2Y4JCjSTkTEiVGdQwknklNg4UcobpbmZfHc0x7MMK_cHI16Lgrs/s1600/Device+Manager+Memory+Addresses.png" height="192" width="320" /></a></div>
<br />
We can also take a look at the physical memory limits of Windows 7 and 8 as an example.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgErj-VYJZ2tZ2kkT_QETqlO2w_dxzgpHN0Dkp3qTPGC-YPoVz1VB6shQFF1q97i26Nsz-_IiHmZY2oOALYJETgJTjFi0wfvdHykALbiCoVooHOdNtdcCPndBbS0NNTORrxVCRSEJy1v3dX/s1600/Physical+Memory+Limits+-+Windows+7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgErj-VYJZ2tZ2kkT_QETqlO2w_dxzgpHN0Dkp3qTPGC-YPoVz1VB6shQFF1q97i26Nsz-_IiHmZY2oOALYJETgJTjFi0wfvdHykALbiCoVooHOdNtdcCPndBbS0NNTORrxVCRSEJy1v3dX/s1600/Physical+Memory+Limits+-+Windows+7.png" height="161" width="320" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVnxUE1E5YVv0agAZj6dATF3ZRndwhFsqwn0xT0bHw07ODUzB4cq86OZp3I6tQ2hevnVe6iKqWhwgQI4eDxHBogQYdMtOV6vHyBp7e4gV0qtb34em3jkL4AZpJLUFeeGjTuCnK0YSbbXQK/s1600/Physical+Memory+Limits+-+Windows+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVnxUE1E5YVv0agAZj6dATF3ZRndwhFsqwn0xT0bHw07ODUzB4cq86OZp3I6tQ2hevnVe6iKqWhwgQI4eDxHBogQYdMtOV6vHyBp7e4gV0qtb34em3jkL4AZpJLUFeeGjTuCnK0YSbbXQK/s1600/Physical+Memory+Limits+-+Windows+8.png" height="113" width="320" /></a></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: center;">
<b><a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa366778%28v=vs.85%29.aspx#physical_memory_limits_windows_8" target="_blank"><i>Thanks to MSDN for both of these images!</i></a></b></div>
<br />
<br />
As we can see, the physical memory limits of the client operating systems increase drastically on x64 yet remain the same on x86, where the limit has been 4 GB since Windows XP as far as the client editions go. A 32-bit processor has a 32-bit virtual address space, which spans only <b>0x00000000 </b>to <b>0xFFFFFFFF</b> (4 GB in total). With PAE the hardware can actually address more physical memory than that, which is how the x86 server editions got past 4 GB, but the client editions are capped at 4 GB, and part of that range is reserved for device memory (see the Device Manager screenshot above), which is why a 32-bit client system never shows the full 4 GB as usable.<br />
<br />
<u><b>--------------------</b></u> <br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>Virtual Memory</b></u></span><br />
<span style="color: #0b5394;"><br /></span>
Now that we understand some of the fundamentals behind physical memory, we can go ahead and discuss virtual memory.<span style="color: #0b5394;"> <span style="color: black;">Do you have your cup of coffee? Good, you're going to need it. It's very important to first understand that virtual memory is a completely different entity than physical memory, although they both work together hand-in-hand.</span></span><br />
<br />
<span style="color: #0b5394;"><span style="color: black;">An extremely important thing to note at this point is that a <b>process </b>is <i>not </i>the same thing as a <b>program</b>, and the same goes for a <b>thread</b>. For example, when a user says "My Firefox (32 bit) process is running according to Task Manager", that's not strictly correct. Processes do <i>not </i>run; threads run. A process is a container of resources used to execute a program, and consists of a private virtual address space (where its memory is allocated), the executable image it was started from (.exe), a table of handles to various kernel objects, a security context (otherwise known as an access token, which is what the kernel checks on every object access), and one (or possibly more) threads that execute the code.</span></span><br />
<span style="color: #0b5394;"><span style="color: black;"><br /></span></span>
<span style="color: #0b5394;"><span style="color: black;">With all of the above said, virtual memory is (among many things) a technique of Windows' memory manager that maps the addresses a program uses, namely <b>virtual addresses</b>, onto <b>physical addresses</b>. In layman's terms, virtual memory separates a program's view of memory from the physical RAM behind it, so the operating system can decide for itself whether a given piece of the program's code or data sits in RAM right now or stays on disk (in the page file, or in the file it was mapped from) until it's needed.</span></span><br />
<br />
<span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;">Let's break this down further! When a program runs, it generates addresses in the following ways:</span></span></span></span><br />
<br />
<ul>
<li><span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;">Load instruction</span></span></span></span></li>
<li><span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;">Store instruction</span></span></span></span></li>
<li><span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;">Fetching an instruction</span></span></span></span></li>
</ul>
<br />
<span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;">There's an absolutely phenomenal article <a href="http://www.johnloomis.org/microchip/pic32/memory/mem3.html" target="_blank"><b>here</b></a> regarding the first two. In short, the first two generate data addresses, and the third generates instruction addresses. It's very important to know that RAM cannot distinguish between the two; it simply sees addresses. Addresses generated by programs are virtual, so each one must be translated to a physical address. How does this happen? Good question! It happens in address translation hardware inside the CPU, the <a href="http://en.wikipedia.org/wiki/Memory_management_unit" target="_blank"><b>MMU</b></a>, which walks the page tables the kernel maintains for the current process.</span></span></span></span><br />
<span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;"><br /></span></span></span></span>
<span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;">Because the operating system builds those page tables, it can give each process its own virtual address space, one that may reference more memory than is <i>actually </i>physically available by backing part of it with disk. This is one of the main benefits of virtual memory, alongside memory protection: a process can only reach the physical pages its own page tables map, so one process can't read or corrupt another process's memory, or the kernel's, by accident.</span></span></span></span><br />
<span style="color: #0b5394;"><span style="color: black;"><span style="color: #0b5394;"><span style="color: black;"><br /></span></span></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5QHLaiD1M-B9N5uhykcBq70lYyWr4v7tionYrubYkuSuYoZktx5EqabwoogzbufIzbTqNtQFFMaKmgNtU5cQX-GAXmbkwOLy_PaeDFTjBYnDt00NBXyIEza5U8q1syFTkVoVu1g5cASVY/s1600/Virtual+Memory+Address+Translation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5QHLaiD1M-B9N5uhykcBq70lYyWr4v7tionYrubYkuSuYoZktx5EqabwoogzbufIzbTqNtQFFMaKmgNtU5cQX-GAXmbkwOLy_PaeDFTjBYnDt00NBXyIEza5U8q1syFTkVoVu1g5cASVY/s1600/Virtual+Memory+Address+Translation.png" height="320" width="295" /></a></div>
<div style="text-align: center;">
<i>Thanks to <a href="http://www.brokenthorn.com/Resources/OSDev18.html" target="_blank">Mike from BrokenThorn</a> for the above image!</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
All of the above now finally leads into paging and page faults, which will be discussed below.<br />
<br />
<u><b>--------------------</b></u></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="color: #0b5394; font-size: large;"><u><b>Paging</b></u></span><br />
<br />
Paging is very important in many ways, mainly because it lets the operating system virtualize memory without worrying about segmentation. Instead of splitting an address space into a few variable-size logical segments (code, data, stack), it's split into fixed-size units known as <b>pages</b>.<br />
<br />
<b>-- A page is a sequence of <i>N</i> bytes where <i>N</i> is a power of <i>2</i>.</b><br />
<br />
On x86 and x64 the standard page is 4 KB. The processor also supports large pages (2 MB on x64), which Windows uses for parts of the kernel and for applications that explicitly request them.<br />
<br />
<u><b>--------------------</b></u><br />
<u><b><br /></b></u><span style="color: #0b5394; font-size: large;"><u><b>Page Table/Disk Map</b></u></span><br />
<br />
Now that we understand pages/paging, every address space on the system has two things associated with it:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>1. </b>Page Table - Identifies which/what pages are in physical memory.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>2. </b>Disk Map - Identifies where all the pages are on the disk.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Both of these describe an <i>entire </i>address space. (This is the classic textbook model. Windows doesn't keep a separate disk map; instead it records where a paged-out page lives, for example its page file offset, inside the now-invalid page table entry itself.)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
In an effort to make my own content this time as opposed to using pre-created images (<b><a href="http://cs.gmu.edu/cne/modules/vm/purple/ptable1.gif" target="_blank">inspired by P.J. Denning and Steve Coile</a></b>), I have created the image below.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxHZdV3_3IuYDiUFUMnoonOMYQI32nJ2ndCP6rzFLRo0V9Zv7-7rg-pJP1UFtCAUBrzXruyuMZu6eAY_yQO-aU0HLa9meztAzOJCCMnC_-bc-DzzLAm6cxT9OrOn1n4dGpUpyUiT0M7jZq/s1600/Page+Table+and+Disk+Map.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxHZdV3_3IuYDiUFUMnoonOMYQI32nJ2ndCP6rzFLRo0V9Zv7-7rg-pJP1UFtCAUBrzXruyuMZu6eAY_yQO-aU0HLa9meztAzOJCCMnC_-bc-DzzLAm6cxT9OrOn1n4dGpUpyUiT0M7jZq/s1600/Page+Table+and+Disk+Map.png" height="184" width="320" /></a></div>
<br />
Regarding the above image, the fields are:<br />
<br />
<b>P </b>- Presence flag<br />
<br />
<b>U - </b>Used flag<br />
<br />
<b>M </b>- Modified flag<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>F - </b>Page frame</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>A - </b>Disk address</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
If the <b>P </b>flag is set, the page is currently in physical memory (RAM), and the <b>F </b>field gives its location: the number of the page frame that holds the page. <b>U </b>and <b>M </b>record whether the page has been referenced, and whether it has been written to, since it was brought in; the replacement policy uses <b>U </b>to pick a victim when it needs a frame, and <b>M </b>decides whether that victim has to be written back to disk before its frame can be reused.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
If however the <b>P </b>flag is <i>not </i>set (the page is not in physical memory), the address mapper raises a page fault when the process references the page. The page fault handler then consults the disk map (the <b>A </b>field) to locate the page on disk, reads it into a free page frame, and updates the page table entry so that the faulting instruction can be retried. This is only a bare outline of the page fault process; I expand on it below.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<u><b>--------------------</b></u><br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>Page Fault</b></u></span><br />
<br />
Finally! We get to the page fault, what we've been waiting for. I described above a very <i>basic </i>page fault process, but it's a lot cooler/interesting than that! In its basic definition, a page fault occurs when a program references a virtual address whose page table entry is not valid, so the hardware cannot complete the access on its own and hands control to the operating system. When resolving the fault means reading the page in from disk, it is a <b>hard fault</b>; when the page's contents are already somewhere in RAM and only the page table needs fixing up, it is a <b>soft fault</b>. It's absolutely imperative you understand the difference between the two, which I discuss below.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Hard Fault - </b>A hard fault (also referred to as a <b>major </b>fault) is a page fault that requires disk I/O, and you'll see it counted as "Hard Faults/sec" in Resource Monitor on newer versions of Windows (Vista and later). To see why hard faults are expensive, follow the work the page fault handler has to do. If the page is not in memory when a program references its address, the handler first needs a page frame to put it in. That frame is either one that is currently free, or one that is currently holding some other page and has to be taken away from it.<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
If the frame is in use, the operating system first has to evict the page that lives there: if that page has been modified since it was read in, its contents are written out to disk, and in either case its page table entry is marked as not present. The frame is now free, so the handler reads the wanted page from disk into it, updates the faulting process's page table entry (the mapping the MMU walks) to point at the frame, and marks the page as present. The faulting instruction is then restarted.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Below is an image representation of the entire process outlined above.</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjznHBQPumOer-hZP9Ptlw3pAGU1EBk-Tz3hjrSUz1-Mtn6PAYH0zYfJ94kki8nQ-xqTB0aVorGE7t47Xc3xcmtlQWjDrmfTxKZvU_7JhyQGdi-LbThojPpIpCfMmWWM5yW7GFeWZZ7TjlX/s1600/Page+Fault+Process.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjznHBQPumOer-hZP9Ptlw3pAGU1EBk-Tz3hjrSUz1-Mtn6PAYH0zYfJ94kki8nQ-xqTB0aVorGE7t47Xc3xcmtlQWjDrmfTxKZvU_7JhyQGdi-LbThojPpIpCfMmWWM5yW7GFeWZZ7TjlX/s1600/Page+Fault+Process.jpg" height="232" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Soft Fault </b>- A soft fault (also referred to as a <b>minor </b>fault) is entirely different from a hard fault: the page's contents are already in RAM, but the process's page table entry does not currently point at them. This happens, for example, when a page was trimmed from the process's working set but its frame has not been reused yet (it sits on the standby list), or when the page is a brand-new one that only needs to be zero-filled. The fix is cheap, with no disk I/O involved: the operating system points the page table entry at the frame, marks it present, and lets the instruction retry.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
With all of this said, you can imagine why hard faults are such an expensive process. It's also imperative that you understand that having to access the disk unnecessarily is <i><b>very slow</b></i>. If anyone has ever had a system that was experiencing frequent hard faults for whatever reason, they can truly attest to how much their system slows to a crawl.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Why is this? Well, since you now understand what actually occurs during a hard fault behind the scenes, you can imagine how taxing this is on the disk. Accessing the disk is slow to begin with, but having to do it constantly is <i><b>very </b></i>bad. This is a good time to discuss the main pros &amp; cons of backing virtual memory with the disk (i.e. the pagefile). It's more like pro &amp; con, really.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Pros</b> - Very easy to get a lot of backing storage for a small cost.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Cons </b>- Slow!</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
A processor's register can be accessed in about a nanosecond, cache in a few nanoseconds, and RAM in approximately 100 nanoseconds. A mechanical disk, by contrast, takes on the order of milliseconds to seek to and read a page, so a single hard fault costs on the order of <b><i>100,000 </i></b>times what a RAM access costs. If you are <i>constantly/frequently </i>having to go through the hard fault process, you can truly imagine for yourself how slow it is.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<u><b>--------------------</b></u><br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>Page Fault - Continued</b></u></span><br />
<br />
To go a bit more behind the scenes with page faults, what actually happens when one occurs is that the thread that was running is suspended until the operating system's page fault handler has gone through the process outlined above (for a hard fault, that means the thread sits in a <i>wait </i>state until the disk I/O completes). The hand-off is done by an exception: the faulting instruction traps into the kernel, and the thread does not run again until the handler has either fixed up the page table or decided the access is not allowed.<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
The instruction that attempted to access the page, whether the address was invalid or merely nonresident (i.e. not in physical memory), cannot complete, and the CPU raises a page fault exception (on x86/x64 this is exception vector 14, and the faulting virtual address is handed to the kernel in the CR2 register). Before discussing anything further, we must first discuss <i>why </i>this is an exception at all. Quite simply, the CPU has <b>no idea </b>what pagefiles or disk maps are; it only knows how to walk page tables, so anything the tables cannot answer has to be resolved by the operating system.<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
At this point, one of two things happens:<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<b>1. </b>The page fault handler determines that the address is in fact <i><b>valid</b></i>, but not resident (not in physical memory). The operating system then goes through the hard or soft fault process outlined above, and once that completes successfully the faulting instruction is re-executed, so the program picks up right where it left off like nothing happened.<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<i><b>or</b></i><br />
<i><b> </b></i></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<b>2. </b>The page fault handler determines that the address is in fact <i><b>invalid</b></i> (there is no committed memory at that address, or the access type is not permitted, e.g. a write to a read-only page), and raises an exception known as an access violation. Remember above how we discussed hard (major)/soft (minor) faults? This is specifically known as an <b>invalid </b>fault. In this case, as opposed to following the page fault process outlined above, the access is <b>not </b>retried: the exception is delivered to the thread, and if nothing in the program handles it, the program is terminated.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
With the above said, this may dispel the common misconception that 'frequent page faults are <i>okay</i>'. Frequent <i>hard </i>faults are <i>not </i>okay, but that is not to say that page faults aren't a normal part of how the operating system works. On a fully functioning machine (regarding both hardware and software), you <i><b>will </b></i>see page faults, most of them soft, simply because programs touch memory they have not used yet (that is what demand paging means). If you are seeing a very large number of hard faults per second, you have a problem, and you can most certainly tell because your system has likely slowed to that of a snail.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
As far as some of the potential issues go when it comes to frequent page faults on a system:<br />
</div>
<div style="text-align: left;">
<ul>
<li>Insufficient RAM (physical memory).</li>
<li>Faulty RAM.</li>
<li>Need to tailor the pagefile to your system's specific needs.</li>
<li>etc</li>
</ul>
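As an added illustration (example code written for this edit, not from the original post), here is a small C model of the machinery described in the Page Fault sections above: a page table whose entries carry the P/U/M/F fields, a disk map, and a fault handler that takes the soft, hard and invalid paths. The clock (second-chance) replacement policy, the working-set trim, and the page/frame counts are my assumptions for the toy; real memory managers are far more elaborate, but the accounting (which faults cost a disk read, which cost a disk write, and which never touch the disk at all) is what the text is about.

```c
#include <stdio.h>
#include <string.h>

#define NPAGES  8     /* pages in this toy address space (assumed) */
#define NFRAMES 3     /* physical page frames available to it (assumed) */

enum fault_kind { FAULT_NONE = 0, FAULT_SOFT, FAULT_HARD, FAULT_INVALID };

struct pte {                       /* one page table entry: the P/U/M/F fields */
    unsigned present : 1, used : 1, modified : 1;
    int frame;                     /* F: page frame number, meaningful when present */
};

struct addr_space {
    struct pte pt[NPAGES];         /* page table: which pages are in physical memory */
    int disk_map[NPAGES];          /* A: disk slot of every page (always known) */
    int frame_page[NFRAMES];       /* which page each frame holds, -1 = free */
    int clock_hand;                /* replacement cursor */
    int soft_faults, hard_faults, disk_reads, disk_writes, access_violations;
};

void as_init(struct addr_space *as) {
    memset(as, 0, sizeof *as);
    for (int p = 0; p < NPAGES; p++) as->disk_map[p] = 0x100 + p;  /* arbitrary slots */
    for (int f = 0; f < NFRAMES; f++) as->frame_page[f] = -1;
}

/* Free a frame for a new page using second-chance (clock) replacement: a mapped
 * page whose U bit is set gets the bit cleared and survives one sweep; the first
 * frame holding a page with U clear (or an unmapped, standby page) is evicted.
 * The M bit decides whether the eviction costs a disk write. */
static int evict_frame(struct addr_space *as) {
    for (;;) {
        int f = as->clock_hand;
        as->clock_hand = (f + 1) % NFRAMES;
        int p = as->frame_page[f];
        if (p < 0) return f;                               /* already free */
        if (as->pt[p].present && as->pt[p].used) {         /* second chance */
            as->pt[p].used = 0;
            continue;
        }
        if (as->pt[p].modified) {                          /* dirty: write back to disk_map[p] */
            as->disk_writes++;
            as->pt[p].modified = 0;
        }
        as->pt[p].present = 0;
        as->frame_page[f] = -1;
        return f;
    }
}

/* Simulate one memory reference to `page`. Returns the kind of fault taken and,
 * for a successful access, the frame the data was found in via *frame_out. */
enum fault_kind as_access(struct addr_space *as, int page, int is_write, int *frame_out) {
    if (page < 0 || page >= NPAGES) {             /* no such page: access violation */
        as->access_violations++;
        return FAULT_INVALID;
    }
    struct pte *e = &as->pt[page];
    enum fault_kind kind = FAULT_NONE;
    if (!e->present) {
        int f = -1;
        for (int i = 0; i < NFRAMES; i++)         /* contents still sitting in RAM? */
            if (as->frame_page[i] == page) { f = i; break; }
        if (f >= 0) {                              /* yes: soft fault, just re-map it */
            as->soft_faults++;
            kind = FAULT_SOFT;
        } else {                                   /* no: hard fault, go to disk */
            as->hard_faults++;
            kind = FAULT_HARD;
            f = evict_frame(as);
            as->disk_reads++;                      /* read disk_map[page] into frame f */
            as->frame_page[f] = page;
        }
        e->present = 1;
        e->frame = f;
    }
    e->used = 1;
    if (is_write) e->modified = 1;
    if (frame_out) *frame_out = e->frame;
    return kind;
}

/* Working-set trim: unmap a page but leave its data in the frame, which is what
 * makes the next reference to it a soft rather than a hard fault. */
void as_trim(struct addr_space *as, int page) {
    if (page >= 0 && page < NPAGES) as->pt[page].present = 0;
}

/* A fixed reference string exercising all three paths; returns the final counters. */
static struct addr_space demo_space;
const struct addr_space *run_demo(void) {
    struct addr_space *as = &demo_space;
    as_init(as);
    as_access(as, 0, 0, NULL); as_access(as, 1, 1, NULL); as_access(as, 2, 0, NULL); /* 3 hard */
    as_access(as, 0, 0, NULL);                          /* hit, no fault */
    as_trim(as, 1);  as_access(as, 1, 0, NULL);         /* soft fault */
    as_access(as, 3, 0, NULL); as_access(as, 1, 0, NULL);
    as_access(as, 4, 1, NULL); as_access(as, 5, 0, NULL); /* evicts dirty page 1: disk write */
    as_access(as, 9, 0, NULL);                          /* invalid address */
    return as;
}

int main(void) {
    const struct addr_space *as = run_demo();
    printf("hard=%d soft=%d reads=%d writes=%d access violations=%d\n",
           as->hard_faults, as->soft_faults, as->disk_reads, as->disk_writes,
           as->access_violations);
    return 0;
}
```

Compile with any C99 compiler. For the fixed reference string in `run_demo` the model reports hard=6 soft=1 reads=6 writes=1 access violations=1: only the hard faults cost disk reads, only the eviction of the written-to page 1 costs a disk write, the trimmed page comes back with a soft fault and no I/O at all, and the out-of-range reference is refused rather than retried.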
<br />
<u><b>--------------------</b></u><br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>Page Fault - BSOD</b></u></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Now that we understand what happens when a page fault occurs in user-mode, it's also imperative we understand what happens when an exception such as an access violation is thrown in kernel-mode. As you may be able to tell from the way I started this, when kernel-mode code references invalid memory and the resulting access violation is not handled, the result is a bug check (Blue Screen of Death, BSOD). (Note the distinction: a kernel-mode page fault on <i>valid </i>pageable memory is serviced like any other, provided the code is running at an IRQL low enough to wait for the disk; it is the <i>invalid </i>reference, or a fault taken where it cannot be serviced, that brings the system down.)<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
Why? Well, remember we discussed that when an access violation occurs in user-mode, the unhandled exception terminates the program. What if we're in kernel-mode and the instruction involving the violation belongs to a device driver? There is no single program to terminate, and the kernel can no longer trust its own state, so it stops the machine. "Uh oh" is exactly what happens. Luckily I have a crash dump from just the other day!<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<u><b>SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M (1000007e)</b></u><br />
<br />
<i>This indicates that a system thread generated an exception which the error handler did not catch.</i> <br />
<br />
BugCheck 1000007E, {<span style="color: red;">ffffffffc0000005</span>, <span style="color: blue;">fffff88004a5d62a</span>, <span style="color: purple;">fffff880035af908</span>, <span style="color: #38761d;">fffff880035af160</span>}</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The 1st argument is the exception code that wasn't handled. In this case, <span style="color: red;">ffffffffc0000005</span> is an NTSTATUS code; kernel-mode drivers use NTSTATUS values both for return values and for exception codes. Bug check arguments are 64 bits wide, so the 32-bit status shows up sign-extended, and its NTSTATUS value is <b>0xc0000005</b> (otherwise known as an access violation, STATUS_ACCESS_VIOLATION).<br />
<br />
<b>See the MSDN article "Using NTSTATUS Values" for the layout of these codes.</b></div>
<div style="text-align: left;">
<br /></div>
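To make the sign extension and the layout of an NTSTATUS concrete, here is an added C helper (written for this edit, not part of the original post) that takes a 64-bit bug check argument, recovers the 32-bit status, and splits it into its severity, customer, facility and code fields. The bit layout is the documented NTSTATUS format; the name table is just a handful of common exception codes I put in for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ntstatus_fields {
    uint32_t status;   /* the 32-bit NTSTATUS recovered from the bug check argument */
    unsigned severity; /* bits 31-30: 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer; /* bit 29: set for vendor-defined codes */
    unsigned facility; /* bits 27-16: FACILITY_* (0 for the generic NT status codes) */
    unsigned code;     /* bits 15-0 */
};

/* An NTSTATUS is a signed 32-bit value and errors have the top bit set, so when one
 * is stored in a pointer-sized bug check argument it appears sign-extended
 * (0xFFFFFFFFC0000005). A genuinely sign-extended value has its upper 32 bits equal
 * to all ones when bit 31 is set and all zeros when it is clear; anything else is
 * not a plain NTSTATUS and should be read with more suspicion. */
int ntstatus_is_sign_extended(uint64_t arg) {
    uint32_t hi = (uint32_t)(arg >> 32), lo = (uint32_t)arg;
    return (lo & 0x80000000u) ? hi == 0xFFFFFFFFu : hi == 0;
}

struct ntstatus_fields ntstatus_decode(uint64_t arg) {
    struct ntstatus_fields f;
    f.status   = (uint32_t)arg;             /* truncation undoes the sign extension */
    f.severity = (f.status >> 30) & 0x3;
    f.customer = (f.status >> 29) & 0x1;
    f.facility = (f.status >> 16) & 0xFFF;
    f.code     =  f.status        & 0xFFFF;
    return f;
}

/* Names for exception codes commonly seen as argument 1 of 0x7E / 0x1000007E
 * (a small table assembled for this example, not an exhaustive list). */
const char *ntstatus_name(uint64_t arg) {
    switch (ntstatus_decode(arg).status) {
    case 0xC0000005: return "STATUS_ACCESS_VIOLATION";
    case 0xC0000006: return "STATUS_IN_PAGE_ERROR";
    case 0xC000001D: return "STATUS_ILLEGAL_INSTRUCTION";
    case 0xC0000094: return "STATUS_INTEGER_DIVIDE_BY_ZERO";
    case 0xC00000FD: return "STATUS_STACK_OVERFLOW";
    case 0x80000002: return "STATUS_DATATYPE_MISALIGNMENT";
    case 0x80000003: return "STATUS_BREAKPOINT";
    default:         return "(not in this table)";
    }
}

int main(void) {
    uint64_t arg1 = 0xFFFFFFFFC0000005ULL;      /* argument 1 from the bug check above */
    struct ntstatus_fields f = ntstatus_decode(arg1);
    printf("%s: 0x%08X severity=%u customer=%u facility=0x%03X code=0x%04X (%s)\n",
           ntstatus_is_sign_extended(arg1) ? "sign-extended NTSTATUS" : "unexpected upper bits",
           f.status, f.severity, f.customer, f.facility, f.code, ntstatus_name(arg1));
    return 0;
}
```

Severity 3 with facility 0 and code 5 is exactly what the `.exr` output below reports as `c0000005 (Access violation)`; the sign-extension check is worth keeping because a value whose upper half is neither all zeros nor all ones is not a status code at all, and a lookup on its low 32 bits would give a misleading name.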
<div style="text-align: left;">
The 2nd argument is the address of the instruction that raised the exception. In our case, this was <span style="color: blue;">fffff88004a5d62a</span>.<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
The 3rd argument is the address of the exception record. In our case, this was <span style="color: purple;">fffff880035af908</span>, which we can pass to <b>.exr</b> to display the exception record.</div>
<div style="text-align: left;">
<blockquote class="tr_bq">
<span style="font-size: x-small;">1: kd> .exr <span style="color: purple;">0xfffff880035af908</span></span><br />
<span style="font-size: x-small;">ExceptionAddress: fffff88004a5d62a <span style="color: blue;">(igdkmd64+0x000000000003862a</span>)</span><br />
<span style="font-size: x-small;"> ExceptionCode: <span style="color: red;">c0000005 (Access violation)</span></span><br />
<span style="font-size: x-small;"> ExceptionFlags: 00000000</span><br />
<span style="font-size: x-small;">NumberParameters: 2</span><br />
<span style="font-size: x-small;"> Parameter[0]: 0000000000000000</span><br />
<span style="font-size: x-small;"> Parameter[1]: 0000000000073070</span><br />
<span style="background-color: yellow;"><span style="font-size: x-small;">Attempt to read from address 0000000000073070</span></span></blockquote>
Parameter[0] tells us the faulting access was a read (0 = read, 1 = write), and Parameter[1] is the address it tried to read: 0000000000073070. That is not a null pointer dereference in the strict sense (the address isn't zero), but it is a tiny address down in the bottom of user space, well below anything a kernel-mode driver should legitimately be touching, so the pointer it was derived from is simply garbage. If interested, you can confirm the address is unmapped by running <b>!pte address</b>, which displays the page table entry (PTE) and page directory entry (PDE) for the specified address. This is not a kernel dump, so running it in my case wouldn't yield any useful results.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
The 4th argument is the context record address. In our case, this was <span style="color: #38761d;">fffff880035af160<span style="color: black;"> which we can run <b>.cxr </b>on to show the context record.</span></span></div>
<blockquote class="tr_bq">
<div style="text-align: left;">
<span style="color: #38761d;"><span style="font-size: x-small;"><span style="color: black;">1: kd> .cxr <span style="color: #38761d;">0xfffff880035af160</span><br /><span style="color: purple;">rax=0000000000073000</span> rbx=fffffa8006299040 rcx=fffffa800637d540<br />rdx=00000000008dfaf0 rsi=fffffa800637d540 rdi=fffff88004a5d3c0<br /><span style="color: red;">rip=fffff88004a5d62a</span> rsp=fffff880035afb40 rbp=fffffa8006356b20<br /> r8=0000000000000000 r9=0000000000000000 r10=0000000000000018<br />r11=fffff880035afb60 r12=fffffa8006356b20 r13=fffffa800661cc30<br />r14=0000000000000038 r15=fffff88000f15fe0<br />iopl=0 nv up ei pl nz na po nc<br />cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00210206<br /><span style="color: blue;">igdkmd64+0x3862a</span>:<br /><span style="color: red;">fffff880`04a5d62a</span> ff5070 <span style="background-color: yellow;">call qword ptr [rax+70h]</span> ds:002b:<span style="background-color: yellow;">00000000`00073070=????????????????</span></span></span></span></div>
</blockquote>
This shows us the context that was saved when the exception was raised. It contains the CPU registers, the instruction we failed on, the bad address, etc. First off, as highlighted in blue, the exception (access violation) was raised by <b>igdkmd64.sys </b>(Intel Graphics driver) referencing invalid memory. The instruction we failed on is an indirect <b>call </b>through a function pointer stored at offset 0x70 of whatever <b>rax </b>points to, and <b>rax </b>in our case was <span style="color: purple;">0000000000073000</span>, which is not a valid object pointer. To make the call, the CPU first has to <i>read </i>the 8-byte target address from <b>[rax+70h]</b> = 0x73070, and that read is what faulted (which matches the "Attempt to read" line in the exception record). The <b>????????????????</b> on the right means the debugger could not read that address from the dump either. Nothing in the driver handled the exception, therefore the box bug checked.<br />
<br />
We can see it from another perspective by disassembling the <b>rip </b>register:<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">1: kd> <span style="color: red;">u @rip</span><br /><span style="color: blue;">igdkmd64+0x3862a</span>:<br />fffff880`04a5d62a ff5070 <span style="background-color: yellow;">call qword ptr [rax+70h]</span><br />fffff880`04a5d62d 488b442420 mov rax,qword ptr [rsp+20h]<br />fffff880`04a5d632 8b8034010000 mov eax,dword ptr [rax+134h]<br />fffff880`04a5d638 c1e813 shr eax,13h<br />fffff880`04a5d63b 83e001 and eax,1<br />fffff880`04a5d63e 85c0 test eax,eax<br />fffff880`04a5d640 0f84ab000000 je igdkmd64+0x386f1 (fffff880`04a5d6f1)<br />fffff880`04a5d646 488b442478 mov rax,qword ptr [rsp+78h]</span></blockquote>
<u><b>--------------------</b></u><br />
<u><b><br /></b></u>
And that's that! I really hope you enjoyed reading, and I imagine there will be many edits/additions to be made as time goes by. For now though, at this moment, I am happy with it.<br />
<br />
<span style="color: #0b5394; font-size: large;"><u><b>References/Links</b></u></span><br />
<br />
- <a href="http://pluralsight.com/training/Courses" target="_blank">Pavel Yosifovich's Windows Internals 1/2</a>.<br />
- <a href="http://blogs.technet.com/b/askperf/archive/2008/06/10/the-basics-of-page-faults.aspx" target="_blank">The Basics of Page Faults</a>.<br />
- <a href="http://www.intellectualheaven.com/Articles/WinMM.pdf" target="_blank">Windows Memory Management (Written by: Pankaj Garg)</a>.<br />
- <a href="http://blogs.technet.com/b/markrussinovich/archive/2008/07/21/3092070.aspx" target="_blank">Pushing the Limits of Windows: Physical/Virtual Memory</a>.<br />
- <a href="http://www.osronline.com/article.cfm?article=222" target="_blank">So What Is A Page Fault?</a><br />
- <a href="http://h71000.www7.hp.com/doc/73final/6491/6491pro_006.html" target="_blank">HP OpenVMS Systems Documentation</a>.<br />
- <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/aa366914%28v=vs.85%29.aspx" target="_blank">Virtual Address Space and Physical Storage</a>.<br />
- <a href="http://msdn.microsoft.com/en-us/magazine/cc300794.aspx" target="_blank">Everything You Need To Know To Start Programming 64-Bit Windows Systems</a>.<br />
- <a href="http://www.cs.umd.edu/class/sum2003/cmsc311/Notes/Memory/virtual.html" target="_blank">Virtual Memory</a>.<br />
- <a href="http://www.ece.uc.edu/~paw/classes/eecs3026/lectureNotes/memory.pdf" target="_blank">Physical Memory Structures</a>.<br />
- <a href="http://pages.cs.wisc.edu/~remzi/OSTEP/vm-paging.pdf" target="_blank">How to virtualize memory without segments</a>.<br />
- <a href="http://www.johnloomis.org/microchip/pic32/memory/mem3.html" target="_blank">Load/Store Instructions</a>.<br />
- <a href="http://www.brokenthorn.com/Resources/OSDev18.html" target="_blank">Operating Systems Development - Virtual Memory (by Mike, 2008)</a>.<br />
- <a href="http://cs.gmu.edu/cne/modules/vm/purple/ptable.html" target="_blank">Implementation of swapping in virtual memory</a>.<br />
- <a href="http://home.southernct.edu/~smithc23/csc225/PageFault.JPG" target="_blank">Page fault handling (image).</a><br />
<br />
Anonymoushttp://www.blogger.com/profile/15323083398160586642noreply@blogger.com30tag:blogger.com,1999:blog-8870806323064576540.post-82811341208279019502014-07-05T14:29:00.002-04:002014-07-05T14:46:49.683-04:00
0x000000D1 Debugging - NotMyFault exploration (x64)
I've discussed some 0xD1 debugging <a href="http://bsodanalysis.blogspot.com/2014/02/driverirqlnotlessorequal-d1-netiosys.html" target="_blank"><b>here</b></a>, but I figured I'd also go into a different 0xD1 scenario here, and show it from different angles by using NotMyFault to force a bug check.<br />
<br />
<a href="http://download.sysinternals.com/files/NotMyFault.zip" target="_blank"><b>Download NotMyfault here.</b></a><br />
<br />
<u><b>--------------------</b></u><br />
<br />
<u><b>DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)</b></u><br />
<br />
<i>This indicates that a kernel-mode driver attempted to access pageable memory at a process IRQL that was too high.</i><br />
<br />
We're all familiar with this bug check, so let's move on to what I wanted to talk about.<br />
<br />
<b>Let's go ahead and do an !analyze -v</b><br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)<br />An attempt was made to access a pageable (or completely invalid) address at an<br />interrupt request level (IRQL) that is too high. This is usually<br />caused by drivers using improper addresses.<br />If kernel debugger is available get stack backtrace.<br />Arguments:<br />Arg1: <span style="color: red;">fffff8a0066eb800</span>, memory referenced<br />Arg2: 000000000000000<span style="color: blue;">2</span>, IRQL<br />Arg3: 0000000000000000, value 0 = read operation, 1 = write operation<br />Arg4: fffff88002af7385, address which referenced memory</span></blockquote>
<span style="color: red;">fffff8a0066eb800</span> was the memory that was referenced. It is either invalid or pageable, and it was touched at an IRQL too high for the memory manager to page it in.<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">kd> !pte fffff8a0066eb800<br /> VA fffff8a0066eb800<br />PXE at FFFFF6FB7DBEDF88 PPE at FFFFF6FB7DBF1400 PDE at FFFFF6FB7E280198 PTE at FFFFF6FC50033758<br />contains 000000007AC84863 contains 000000000367B863 contains 000000006B4C6863 contains 00003B5000000000<br />pfn 7ac84 ---DA--KWEV pfn 367b ---DA--KWEV pfn 6b4c6 ---DA--KWEV <span style="background-color: yellow;">not valid</span><br /> <span style="color: purple;">PageFile: 0</span><br /> Offset: 3b50<br /> Protect: 0</span></blockquote>
Using our handy <b>!pte </b>command, which shows the page directory and page table entries for an address, we can see that it is <b>not </b>valid, despite looking at first glance like a perfectly normal kernel address (on Windows 7 x64, fffff8a0`00000000 is the start of the paged pool range, so a paged pool allocation is exactly what this looks like). Why is it not valid? As highlighted in purple, the PTE is a software PTE saying that the page currently lives in pagefile 0, at page offset 0x3b50: the page has been paged out.<br />
<br />
Why can't we just page it in? Because the Windows memory manager has rules about what kernel-mode code may do at elevated IRQL. At DISPATCH_LEVEL (IRQL 2) or higher (which we are at, see argument 2), the page fault handler cannot wait for the disk I/O that paging the memory back in would need, so the fault cannot be resolved and the system bug checks instead.<br />
<br />
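The addresses <b>!pte</b> printed are not magic. As an added example (my code for this edit, not from the post and not WinDbg's), the C below reproduces them from the faulting VA and decodes the PTE value it printed. It assumes the Windows 7 x64 page table self-map base 0xFFFFF68000000000 and the Windows 7 x64 software PTE layout (pagefile number in bits 1-4, protection in bits 5-9, pagefile page offset in the top 32 bits); both are version-specific, and Windows 10 1607 and later randomise the self-map base. The canonical-address check at the top also answers the user-mode versus kernel-mode question that comes up when reading the call stack further down.

```c
#include <stdint.h>
#include <stdio.h>

/* --- 1. user vs kernel: x64 canonical addresses --------------------------------
 * With 48-bit virtual addresses, bits 63..47 must all equal bit 47. Windows gives
 * the low half (bit 47 clear) to user mode and the high half to the kernel. */
enum va_kind { VA_USER, VA_KERNEL, VA_NONCANONICAL };

enum va_kind va_classify(uint64_t va) {
    uint64_t top = va >> 47;                 /* the 17 bits that must agree */
    if (top == 0)        return VA_USER;
    if (top == 0x1FFFF)  return VA_KERNEL;
    return VA_NONCANONICAL;
}

/* --- 2. where !pte finds the entries: the page table self-map ------------------
 * Windows 7 x64 maps every page table page at a fixed base (assumed here). Because
 * the PML4 slot that maps this range points back at the PML4 itself, the PTE for
 * any VA is at PTE_BASE + 8 * (VA >> 12), and feeding a PTE address back through
 * the same formula yields the entry one level up (PDE, then PPE, then PXE). */
#define PTE_BASE 0xFFFFF68000000000ULL

uint64_t pte_address_of(uint64_t va) {
    return PTE_BASE | ((va >> 9) & 0x7FFFFFFFF8ULL);   /* (va >> 12) * 8, 39 bits wide */
}
uint64_t pde_address_of(uint64_t va) { return pte_address_of(pte_address_of(va)); }
uint64_t ppe_address_of(uint64_t va) { return pte_address_of(pde_address_of(va)); }
uint64_t pxe_address_of(uint64_t va) { return pte_address_of(ppe_address_of(va)); }

/* --- 3. what the entry means ---------------------------------------------------
 * Bit 0 is the hardware Valid bit. When set, the x64 hardware PTE layout applies.
 * When clear, the CPU ignores the rest of the entry and Windows keeps its own
 * bookkeeping there; the pagefile format (assumed Windows 7 x64 layout) is: bits
 * 1-4 pagefile number, 5-9 protection, 10 prototype, 11 transition, 32-63 offset. */
struct pte_info {
    int valid;
    uint64_t pfn;                                    /* valid: physical page frame number */
    int writable, user, accessed, dirty, nx;         /* valid: hardware flags */
    int pagefile, protection, prototype, transition; /* invalid: software PTE fields */
    uint64_t pagefile_offset;                        /* invalid: page index in that pagefile */
};

struct pte_info pte_decode(uint64_t pte) {
    struct pte_info i = {0};
    i.valid = (int)(pte & 1);
    if (i.valid) {
        i.writable = (pte >> 1) & 1;
        i.user     = (pte >> 2) & 1;
        i.accessed = (pte >> 5) & 1;
        i.dirty    = (pte >> 6) & 1;
        i.pfn      = (pte >> 12) & 0xFFFFFFFFFULL;   /* 36-bit PFN field */
        i.nx       = (pte >> 63) & 1;
    } else {
        i.pagefile        = (pte >> 1) & 0xF;
        i.protection      = (pte >> 5) & 0x1F;
        i.prototype       = (pte >> 10) & 1;
        i.transition      = (pte >> 11) & 1;
        i.pagefile_offset = pte >> 32;
    }
    return i;
}

int main(void) {
    uint64_t va = 0xFFFFF8A0066EB800ULL;             /* argument 1 of the 0xD1 above */
    printf("VA %016llX is %s\n", (unsigned long long)va,
           va_classify(va) == VA_KERNEL ? "kernel-mode" : "not kernel-mode");
    printf("PXE at %016llX PPE at %016llX PDE at %016llX PTE at %016llX\n",
           (unsigned long long)pxe_address_of(va), (unsigned long long)ppe_address_of(va),
           (unsigned long long)pde_address_of(va), (unsigned long long)pte_address_of(va));
    struct pte_info p = pte_decode(0x00003B5000000000ULL);   /* the PTE's "contains" value */
    if (!p.valid)
        printf("not valid: PageFile %d Offset %llX Protect %d\n",
               p.pagefile, (unsigned long long)p.pagefile_offset, p.protection);
    return 0;
}
```

Run against the VA and PTE value from the output above, the four computed entry addresses match the PXE/PPE/PDE/PTE lines exactly, and the decode gives PageFile 0, Offset 3b50, Protect 0, which is precisely what <b>!pte</b> printed. The three valid entries on the upper levels (0x...863) decode as present, writable, kernel-only, accessed and dirty, matching the `---DA--KWEV` flags.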
Great, so we know why the system crashed. However, what caused it?<br />
<br />
<u><b>--------------------</b></u><br />
<br />
<b>Let's go ahead and dump the stack:</b><br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">kd> k<br />Child-SP RetAddr Call Site<br />fffff880`032f4448 fffff800`02a912a9 nt!KeBugCheckEx<br />fffff880`032f4450 fffff800`02a8ff20 nt!KiBugCheckDispatch+0x69<br />fffff880`032f4590 fffff880`02af7385 <span style="color: purple;">nt!KiPageFault+0x260</span><br />fffff880`032f4720 fffff880`02af7727 <span style="color: red;">myfault+0x1385</span><br />fffff880`032f4870 fffff800`02dac127 <span style="color: red;">myfault+0x1727</span><br />fffff880`032f48d0 fffff800`02dac986 nt!IopXxxControlFile+0x607<br />fffff880`032f4a00 fffff800`02a90f93 nt!NtDeviceIoControlFile+0x56<br />fffff880`032f4a70 00000000`76df138a nt!KiSystemServiceCopyEnd+0x13<br />00000000`0023edc8 00000000`00000000 <span style="color: blue;">0x<span style="color: red;">7</span>6df138a</span></span></blockquote>
So here we have our call stack. Rather than doing <--- next to the calls, I'll just do this below because I don't want to destroy the formatting of the stack.<br />
<br />
We start out with something in user-mode that we don't have the symbols for, which is why it shows as <span style="color: blue;">0x<span style="color: red;">7</span>6df138a</span> rather than a resolved name we can understand. Why did I make the <span style="color: red;">7</span> in the address red, and how did I know we started out with something going on in user-mode? Good question! User-mode addresses are the low part of the address space. On x86 with the default split, anything below 0x80000000 is user-mode, which is where the rule of thumb "first digit <b>7 or lower</b> means user-mode" comes from; on x64, user-mode addresses are below 0x00007FFF`FFFFFFFF and kernel-mode addresses are up at 0xFFFF8000`00000000 and above, so an address this small can only be user-mode.<br />
<br />
This is also due to the fact that this is a kernel-dump, which we can see towards the top of our crash dump within WinDbg:<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">Kernel Summary Dump File: <span style="background-color: yellow;">Only kernel address space is available</span></span></blockquote>
With that said, we cannot see what the application was doing outside of when it went down into kernel-mode.<br />
<br />
So we know that <i>some application </i>(0x76df138a) did <i>something</i>, and called down into kernel-mode. Everything above 0x76df138a in the stack is kernel-mode. On x64 you can tell because the addresses start with <span style="color: red;">fffff</span>880`032f4a00 under <b>Child-SP</b>: the high bits are all set, which puts them in the kernel half of the address space.<br />
<br />
We can see it goes through a few functions (the <b>NtDeviceIoControlFile </b>path, i.e. an IOCTL sent to the driver), and then ends up in <b>myfault</b>. Shortly afterwards, we hit a page fault on memory that would have to be paged in from the pagefile, which at DISPATCH_LEVEL is a big no-no.<br />
<br />
<u><b>--------------------</b></u><br />
<br />
<b>If we take a look at the trap frame:</b><br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">kd> .trap 0xfffff880032f4590<br /><span style="background-color: yellow;">NOTE: The trap frame does not contain all registers.</span><br /><span style="color: red;">Some register values may be zeroed or incorrect.</span><br />rax=0000000005000000 <span style="color: purple;">rbx=0000000000000000</span> rcx=0000000000002481<br />rdx=fffffa8001810000 rsi=0000000000000000 rdi=0000000000000000<br />rip=fffff88002af7385 rsp=fffff880032f4720 rbp=fffff880032f4b60<br /> r8=0000000000012408 r9=0000000000000810 r10=fffff80002a12000<br />r11=0000000000000002 r12=0000000000000000 r13=0000000000000000<br />r14=0000000000000000 r15=0000000000000000<br />iopl=0 nv up ei ng nz na po nc<br />myfault+0x1385:<br />fffff880`02af7385 8b03 mov eax,dword ptr [rbx] ds:00000000`00000000=????????</span></blockquote>
The first very important thing to note is the note about the trap frame not containing all registers, and how they may be either zeroed out or incorrect. The big question is <b>why</b>? Well, the trap frame that the x64 kernel builds on an exception or interrupt does <b>not </b>save the contents of the non-volatile registers.<br />
<br />
With that said, registers such as <b>rbx, rdi, rsi, rbp and r12-r15 </b>are either zeroed out or stale in the display. This is safe because of the x64 calling convention: any function that uses a non-volatile register must save it in its own frame and restore it before returning, so the kernel code that runs after the trap frame is built already preserves them without the trap handler doing anything. Saving them in the trap frame as well would be an unnecessary step on a hot path in the kernel.<br />
<br />
Extremely detailed article with much more info <a href="http://www.codemachine.com/article_x64deepdive.html" target="_blank"><b>here</b></a>. <br />
<br />
Moving on to the instruction we failed on: we were reading a dword through the pointer held in the <b>rbx </b>register:<br />
<br />
<span style="color: red;">mov</span> eax,dword <span style="color: blue;">ptr</span> [<span style="color: purple;">rbx</span>]<br />
<br />
Uh oh, <b>rbx </b>shows as zero, but that is just the trap frame not having captured it (see above), so we can't take the register value at face value or <b>!pte </b>it. We don't need to: the bug check's 1st argument already gave us the address that was actually referenced, fffff8a0066eb800, and <b>!pte </b>on that showed the page was paged out. So <b>myfault </b>dereferenced a pointer to pageable memory at DISPATCH_LEVEL, which is exactly what NotMyFault is designed to make it do.<br />
<br />
<u><b>--------------------</b></u><br />
<br />
If you wanted any extra proof or to see if NotMyFault was the crash, you could dump all of the processes at the time of the crash to see if there was any correlation. In this case, you'd use <b>!process 0 0</b>. Flags are important in this case, and you can as always check the WinDbg help file for info, <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff564717%28v=vs.85%29.aspx" target="_blank"><b>or use MSDN</b></a>.<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">PROCESS fffffa80040a7060<br /> SessionId: 1 Cid: 0654 Peb: 7fffffd4000 ParentCid: 0708<br /> DirBase: 670ea000 ObjectTable: fffff8a00666c330 HandleCount: 68.<br /> Image: <span style="background-color: yellow;">NotMyfault.exe</span></span></blockquote>
We can see we did indeed have a NotMyFault process running at the time of the crash, so we can at this point assume that this is very likely the accurate cause of the crash.<br />
<br />
Hope you enjoyed reading!Anonymoushttp://www.blogger.com/profile/15323083398160586642noreply@blogger.com14tag:blogger.com,1999:blog-8870806323064576540.post-90530751727414135122014-07-05T10:28:00.000-04:002014-07-05T10:32:57.042-04:00
0x0000119 Debugging - Invalid Fence IDs
Now that my extremely exciting week has come to an end, and I have a moment to sit and relax, I figured what better way to do that than to write a blog post! In this post we'll be discussing the 0x00000119 bug check, otherwise known as VIDEO_SCHEDULER_INTERNAL_ERROR. I worked on one not too long ago, found the thread while I was cleaning out some reference bookmarks, and figured I'd do a write-up!<br />
<br />
<u><b>---------------------------</b></u><br />
<br />
<b>As usual,</b> <b>let's have a look at the basic description of the bug check:</b><br />
<br />
<b><u>VIDEO_SCHEDULER_INTERNAL_ERROR (119)</u></b><br />
<b><br /></b>
<i>This indicates that the video scheduler has detected a fatal violation.</i><br />
<br />
See <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff570508%28v=vs.85%29.aspx" target="_blank"><b>this MSDN article</b></a> for more information on Windows video scheduling, memory management, etc.<i></i><br />
<i><br /></i>
With this out of the way, let's jump right in and have some fun!<br />
<br />
<b>Using the basic !analyze -v:</b><br />
<i>-- By the way, ! is known as <b>bang</b>. Interesting tidbit of the day : )</i><br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">VIDEO_SCHEDULER_INTERNAL_ERROR (119)<br />The video scheduler has detected that fatal violation has occurred. This resulted<br />in a condition that video scheduler can no longer progress. Any other values after<br />parameter 1 must be individually examined according to the subtype.<br />Arguments:<br />Arg1: <span style="background-color: yellow;">0000000000000001</span>, The driver has reported an invalid fence ID.<br />Arg2: 0000000000000<span style="color: red;">c00</span><br />Arg3: 0000000000000<span style="color: blue;">c01</span><br />Arg4: 0000000000000<span style="color: blue;">c01</span></span></blockquote>
Great, so right away we actually have some pretty helpful information, which is the 1st argument tells us that 'The driver has reported an invalid fence ID'. Now that we know this is the reason behind the bug check occurring on the system, we need to understand what driver reported an invalid fence ID, and what a fence ID even is.<br />
<br />
Regarding arguments 2, 3 and 4, I believe 2 is the invalid fence ID the driver reported (0xc00), and 3 &amp; 4 are the fence ID the scheduler expected (0xc01).<br />
<br />
First off, we need to understand the Windows Display Driver Model (WDDM) - Article <a href="http://msdn.microsoft.com/en-us/library/ff570591%28v=vs.85%29.aspx" target="_blank"><b>here</b></a>. After reading this, we can understand that a fence ID is essentially a ticket number: every Direct Memory Access (DMA) buffer the video scheduler submits to the GPU is tagged with an increasing fence ID, and when the GPU finishes a buffer, the display miniport driver reports that fence ID back to the scheduler from its interrupt handler. That is how the scheduler keeps track of which submissions have completed without having to poll the GPU, which makes life easier for the GPU, the CPU and the OS alike.<br />
<br />
<u><b>---------------------------</b></u><br />
<br />
<b>Now that we know the above, let's take a look at the call stack:</b><br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">0: kd> k<br />Child-SP RetAddr Call Site<br />fffff800`04438528 fffff880`015ed22f nt!KeBugCheckEx<br />fffff800`04438530 fffff880`07807ec5 <span style="color: blue;">watchdog!WdLogEvent5+0x11b</span><br />fffff800`04438580 fffff880`07808131 <span style="color: purple;">dxgmms1!VidSchiVerifyDriverReportedFenceId+0xad</span><br />fffff800`044385b0 fffff880`07807f82 <span style="color: purple;">dxgmms1!VidSchDdiNotifyInterruptWorker+0x19d</span><br />fffff800`04438600 fffff880`078f513f <span style="color: purple;">dxgmms1!VidSchDdiNotifyInterrupt+0x9e</span><br />fffff800`04438630 fffff880`073d64d8 <span style="color: purple;">dxgkrnl!DxgNotifyInterruptCB+0x83 <span style="color: #38761d;"><--- DMA buffer completed.</span></span><br />fffff800`04438660 fffffa80`08d938e8 <span style="color: red;">igdkmd64+0x1744d8</span><br />fffff800`04438668 fffff800`031f4e80 0xfffffa80`08d938e8<br />fffff800`04438670 fffff800`04438840 nt!KiInitialPCR+0x180<br />fffff800`04438678 fffffa80`0923d7a8 0xfffff800`04438840<br />fffff800`04438680 fffffa80`0925b000 0xfffffa80`0923d7a8<br />fffff800`04438688 fffffa80`00000c00 0xfffffa80`0925b000<br />fffff800`04438690 fffff880`0c52b000 0xfffffa80`00000c00<br />fffff800`04438698 00000000`00000000 0xfffff880`0c52b000</span></blockquote>
<br />
<div class="contentStandard">
Essentially what happened here was that after the GPU finished processing the DMA buffer, the Intel Graphics driver (<b>igdkmd64.sys</b>) was notified that it had finished what it was doing and was provided the ID # of the DMA buffer (known as a fence ID). In our case, this was an invalid fence ID, therefore DirectX said 'woah, this isn't right' and called the bug check to stop the GPU from continuing with illegally accessed memory.</div>
<div class="contentStandard">
<br /></div>
<div class="contentStandard">
<u><b>---------------------------</b></u></div>
<div class="contentStandard">
<br /></div>
<div class="contentStandard">
With such an issue you may think that it's <i>always </i>a bad GPU, however, in this specific case it was simply a video driver issue that was solved with an update. Update those video drivers!</div>
<div class="contentStandard">
<br /></div>
<div class="contentStandard">
Hope you enjoyed reading!</div>
<b>Microsoft MVP - Thank you!</b> <i>(published 2014-07-01)</i><br />
<br />
Wow.... that's really all I can say!<br />
<br />
I'm going to take this time to give an extremely large <b>thank you </b>to <i>everyone</i>. I'd first like to of course start out by thanking everyone who has nominated me, it means an unbelievable amount to me. I cannot express how much it means to be nominated by a Microsoft MVP in general, but how much more it means to be nominated by people you learned from. To know that the people you once learned from now believe you have 'grown enough' to become an MVP yourself is absolutely mind blowing. <br />
<br />
The MVP award to me is extremely important because debugging is not just a passion, but rather an extremely huge part of my life. I have gone from being simply interested in debugging ~2 and a half years ago, to wanting it to be involved in my every day working life. I have learned so much in the time I have been debugging, but there is so much I still do not know, and that's the beauty of it all.<br />
<br />
In my life, what makes me happy is helping other people. The fact that I was able to combine my love for debugging, and actively helping people across various communities, has truly made an extremely positive impact on my life. Even more that I have been recognized and awarded for it by Microsoft is a dream truly come true. I am beyond honored.<br />
<br />
I'd like to extend a huge thank you to my friends as well who I interact with every day across all of the communities. There are far too many names to name, but you certainly know who you are. I love working with you all!<br />
<br />
So again, thank you <b>very much</b>, and especially to the community for allowing me to work with you, and to help you. I hope I can wear the MVP badge well, and I hope I can make many new friends when Summit comes around.<br />
<br />
....Now, time for more debugging posts : )<br />
<br />
- Patrick<br />
<br />
<b>How the BSOD actually 'works', why, etc.</b> <i>(published 2014-06-23)</i><br />
<br />
So in this blog I've talked many times in-depth regarding postmortem debugging of kernel dumps as far as blue screen crashes go. Well, I decided maybe it's time to go ahead and actually explain in detail <i>why </i>a blue screen occurs, <i>what </i>actually goes on when a blue screen occurs, etc.<br />
<br />
<i>-- Disclaimer: At the time of this post, I have never myself experienced a BSOD on my Windows 8.1 system, so I cannot 100% confirm whether or not the display is shifted to a low-res VGA mode when painting the screen. I may use NotMyFault to test this out and will edit when I get a confirmation. For now though, let's assume nothing has changed and hope I'm correct : )</i><br />
<br />
<u><b>---------------------------</b></u><br />
<br />
First off, <i>why </i>does the blue screen of death occur? Well, it's important to know that there are many reasons as to why a blue screen occurs. Just to name a few:<br />
<br />
<ul>
<li>References to invalid/inaccessible memory; causes access violations, etc.</li>
<li>Unexpected exceptions.</li>
<li>Bugs in drivers causing a fault in a kernel-mode driver, 3rd party drivers doing what I first mentioned, etc.</li>
</ul>
Again, these are only a few of the potential reasons why, but <i>some </i>of the most prevalent. For those interested, here's actually a distribution of what causes bug checks most commonly in Windows.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5uErgcrmWdNzhv2Zns0DxeUV0qXcXE8hOw2Chs4YZFgBv7ZAz8eMSUy2X0ZCzBVeJoZiqv6shtdW7SmA_5SZgZXogt3iwkhsH9MwQ23KHlpz_G9NyNDzst2mJ5yJuEc06kT6akFmg9V5y/s1600/6758.Error_categories_distribution.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5uErgcrmWdNzhv2Zns0DxeUV0qXcXE8hOw2Chs4YZFgBv7ZAz8eMSUy2X0ZCzBVeJoZiqv6shtdW7SmA_5SZgZXogt3iwkhsH9MwQ23KHlpz_G9NyNDzst2mJ5yJuEc06kT6akFmg9V5y/s1600/6758.Error_categories_distribution.jpg" height="209" width="320" /></a></div>
<br />
This is a picture I found on Google from a TechNet article, so thanks to the author for this! It's from Windows Internals - 5th Edition. AFAIK there is <b>not </b>one in the 6th, at least I have not seen it throughout my reading or research afterwards. With this said, it's likely not entirely accurate in regards to today, but I imagine it has not changed <i>too </i>much. Given I analyze postmortem kernel-dumps quite a bit, I am surprised to see pool is so low. Again, this was way back in the writing of the 5th edition which was during Vista's legacy, so many things have changed since then. It's up in the air, really!<br />
<br />
Now, with that said we understand a few reasons as to why Windows stops and a blue screen occurs. Good! Now let's also go ahead and understand that if any of these things occurred, Windows could theoretically <b>not stop</b> and keep going when one of these is occurring. Why doesn't it just do this? Well, it's actually extremely simple, and that's because many of these things can cause severe data/memory corruption which could actually lead to hardware problems.<br />
<br />
Since we don't want any of that, Windows thankfully has a fail-safe known to us as the Blue Screen of Death (BSOD -- abbreviating from now on). If Windows detects that there is a serious problem that is <b>unrecoverable</b>, it will stop all execution, switch the display to the basic/low-res VGA mode, paint the actual blue screen itself, write memory/crash information to what we know as a memory dump (crash dump/dmp file/dmp), and display a stop code (bug check). All of this is done through a series of functions.<br />
<br />
Now that we're on this topic, I must <b>STRESS </b>and dispel the misconception right now that the blue screen <i>itself </i>is a bad thing. It's not! The blue screen is a <b>good </b>thing, and it's making it so our data doesn't become completely corrupt. Remember, the blue screen happens because Windows has detected something has gone horribly wrong, and it cannot recover and/or stop it. When this happens, the appropriate bug check based on what caused the error is called, and the blue screen is painted.<br />
<br />
Bottom line... the blue screen is our friend, not our enemy : )<br />
<br />
<u><b>---------------------------</b></u><br />
<br />
As discussed above, a blue screen happens when Windows detects that there's an unrecoverable/irreversible problem occurring. Regardless of what this actual problem is, the end result is a blue screen. As I mentioned above, this blue screen process actually happens through functions.<br />
<br />
Despite the belief that there is only <b>one </b>function that calls and/or begins the bug check process, that is not true! There are two!<br />
<ul>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff551961%28v=vs.85%29.aspx" target="_blank">KeBugCheckEx</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff551948%28v=vs.85%29.aspx" target="_blank">KeBugCheck</a></li>
</ul>
<i>(Clickable for their MSDN links)!</i><br />
<br />
First off, before stating their differences, let's make it easy by saying that both of these functions take what is known as a <b>BugCheckCode</b> parameter. What is a <b>BugCheckCode </b>parameter? Good question! This parameter is otherwise known as a STOP code (for example - 0x0000000A, 0x0000001A, 0x0000009F, etc). These STOP codes (otherwise known as/called 'bug checks') are what allow us (other than actually debugging the crash dump itself) to troubleshoot the blue screen. They allow us to troubleshoot because each of these STOP codes has an actual preset meaning/cause as to why it occurred.<br />
<br />
Great, so now that we know that information, what is the difference between <b>KeBugCheckEx </b>and <b>KeBugCheck</b>? Good question! <b>KeBugCheck</b> calls <b>KeBugCheckEx </b>and sets the <i>four </i>parameters to <b>zero</b>.<br />
<br />
Example - {0,0,0,0}<br />
<br />
Essentially, the <b>KeBugCheckEx </b>function itself provides more information because it sets the <i>four </i>parameters to their preset meanings based on the STOP code/bug check.<br />
<br />
<u><b>---------------------------</b></u><br />
<br />
Once <b>KeBugCheckEx </b>is called, it first disables all interrupts by calling the <b>KiDisableInterrupts </b>function. After this is done, it transitions to a special system state in which the STOP code is dumped (0x0000000A, for example). It accomplishes the transition and the dump of the STOP code with a call from <b>KiDisableInterrupts </b>to the <b>HalDisplayString </b>function.<br />
<br />
<b>HalDisplayString </b>takes one parameter (the string to print to the blue screen) and checks whether the system is in its special system state (blue screen 'mode'). If it is <b>not </b>in this state, it uses the firmware to switch to the proper system state so that it can continue.<br />
<br />
Once the check has completed and confirmed that the system is in its proper state, <b>HalDisplayString </b>dumps the string into text-mode video memory at the <i>current </i>location of the cursor, which is tracked across all of the subsequent calls.<br />
<br />
After all of this has completed, <b>KeBugCheckEx </b>calls the <b>KeGetBugMessageText </b>function, which translates the STOP code into its text equivalent. There's a bug check reference list <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/hh994433%28v=vs.85%29.aspx" target="_blank"><b>here</b></a>.<br />
<br />
Once that is completed, <b>KeBugCheckEx </b>starts to call any bug check handlers that drivers registered (if any). The handlers themselves are registered by calling <a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff553105%28v=vs.85%29.aspx" target="_blank"><b>KeRegisterBugCheckCallback</b></a>, which fills in a buffer allocated by the caller of the register routine so it can be examined in the debugging client. In general it also gives any drivers a chance to stop their devices.<br />
<br />
Once that is through, we move on to calling the <b><a href="http://msdn.microsoft.com/en-us/library/windows/hardware/ff553110%28v=vs.85%29.aspx" target="_blank">KeRegisterBugCheckReasonCallback</a> </b>function, which allows any drivers to write data to the crash dump or write crash dump information to alternate devices.<br />
<br />
Once the above is done (if possible, because handlers aren't always registered), <b>KeDumpMachineState </b>is called, which dumps the rest of the text on the screen. However, the first thing <b>KeDumpMachineState </b>tries to do is interpret each of the <i>four </i>parameters that were passed to <b>KeBugCheckEx</b> as a valid address within a loaded module, stopping at the first one it can successfully resolve. The function used to accomplish this is <b>KiPcToFileHeader</b>.<br />
<br />
For the first parameter that <b>KiPcToFileHeader </b>successfully resolves, the text form of the STOP code is printed immediately, along with the base address of the module and the module's name.<br />
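As an added illustration (my own Python model, not the kernel's code and not from this post), here is the sequence just described in miniature: <b>KeBugCheck</b> forcing the four parameters to {0,0,0,0}, handlers registered in the style of <b>KeRegisterBugCheckCallback</b> filling caller-allocated buffers, and the <b>KeDumpMachineState</b> step stopping at the first parameter that <b>KiPcToFileHeader</b> can place inside a loaded module. The module layout, the callback and the small STOP code name table are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Text form of a few STOP codes mentioned in the post, as KeGetBugMessageText resolves them.
BUGCHECK_NAMES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x0000009F: "DRIVER_POWER_STATE_FAILURE",
    0xC000021A: "WINLOGON_FATAL_ERROR",
}

@dataclass
class LoadedModule:
    """Constructed stand-in for a loaded image: its name and [base, base + size) range."""
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size

@dataclass
class BugCheckState:
    """What the debugger later finds in the dump: the painted lines and each callback's buffer."""
    interrupts_enabled: bool = True
    screen: List[str] = field(default_factory=list)
    callback_buffers: Dict[str, bytes] = field(default_factory=dict)

# Registry behind register_bugcheck_callback (KeRegisterBugCheckCallback analogue):
# (component, caller-allocated buffer, routine that fills the buffer at bug check time).
_callbacks: List[Tuple[str, bytearray, Callable[[bytearray], None]]] = []

def register_bugcheck_callback(component: str, buffer: bytearray,
                               routine: Callable[[bytearray], None]) -> None:
    _callbacks.append((component, buffer, routine))

def pc_to_file_header(address: int, modules: List[LoadedModule]) -> Optional[LoadedModule]:
    """KiPcToFileHeader analogue: the loaded module whose image range contains the address."""
    return next((m for m in modules if m.contains(address)), None)

def ke_bugcheck_ex(code: int, params: Tuple[int, int, int, int],
                   modules: List[LoadedModule]) -> BugCheckState:
    state = BugCheckState()
    state.interrupts_enabled = False                            # KiDisableInterrupts
    state.screen.append("*** STOP: 0x%08X (%s)"                 # HalDisplayString
                        % (code, ", ".join("0x%08X" % p for p in params)))
    state.screen.append(BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK"))  # KeGetBugMessageText
    for component, buffer, routine in _callbacks:              # driver-registered handlers
        routine(buffer)
        state.callback_buffers[component] = bytes(buffer)
    # KeDumpMachineState: try the four parameters in order and stop at the first that resolves.
    for param in params:
        module = pc_to_file_header(param, modules)
        if module is not None:
            state.screen.append("*** Address 0x%08X base at 0x%08X - %s"
                                % (param, module.base, module.name))
            break
    return state

def ke_bugcheck(code: int, modules: List[LoadedModule]) -> BugCheckState:
    """KeBugCheck: the same path, with the four parameters forced to {0,0,0,0}."""
    return ke_bugcheck_ex(code, (0, 0, 0, 0), modules)

if __name__ == "__main__":  # constructed layout: the parameter inside example.sys gets attributed
    mods = [LoadedModule("ntoskrnl.exe", 0x82800000, 0x400000),
            LoadedModule("example.sys", 0x8DA50000, 0x20000)]
    print("\n".join(ke_bugcheck_ex(0x0000000A, (0, 2, 1, 0x8DA5E6B0), mods).screen))
```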
<br />
<u><b>---------------------------</b></u><br />
<br />
Below I will share the difference between your standard 8/8.1 and XP/Vista/7 screens:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYrQOCpak0Tcq3oYb5gfp608ZuvjGSc23YgzZOg7XLqPQ4ehzgrc1aJ7L_9jFKOmpzOeoXzddyTOIVa7q4S-LLgkIXLPYkkk6336fEBWqXAx1f0RP394zelFY_T7P1u81cq9RpPBfqoRek/s1600/blue_screen_of_death+8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYrQOCpak0Tcq3oYb5gfp608ZuvjGSc23YgzZOg7XLqPQ4ehzgrc1aJ7L_9jFKOmpzOeoXzddyTOIVa7q4S-LLgkIXLPYkkk6336fEBWqXAx1f0RP394zelFY_T7P1u81cq9RpPBfqoRek/s1600/blue_screen_of_death+8.png" height="238" width="320" /></a></div>
<br />
<div style="text-align: center;">
<i>(Windows 8/8.1 displaying 0x5C bug check)</i></div>
<div style="text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsr3sHQ9RgIHlZPCq_HOLF3bFuy98mt1Rg2a5w79HoOn92QaQVsdLFAwzCwTg81xi6bWZ3kTMjW-kB9nUEznxaPIKcLtkrMBFLSwNnnPVMKQyW130GJmIq5Yxo0ugKt6HRep7HhQsEfhH2/s1600/blue_screen_of_death+xp_vista_7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsr3sHQ9RgIHlZPCq_HOLF3bFuy98mt1Rg2a5w79HoOn92QaQVsdLFAwzCwTg81xi6bWZ3kTMjW-kB9nUEznxaPIKcLtkrMBFLSwNnnPVMKQyW130GJmIq5Yxo0ugKt6HRep7HhQsEfhH2/s1600/blue_screen_of_death+xp_vista_7.jpg" height="213" width="320" /></a></div>
<br />
<div style="text-align: center;">
<i>(Windows XP/Vista/7 displaying 0x50 bug check)</i></div>
<div style="text-align: center;">
<br /></div>
<div style="text-align: left;">
Thanks for reading, and thanks to NT Insider and MSDN as always for double-checking!</div>
<b>0xC000021A Debugging</b> <i>(published 2014-06-17)</i><br />
<br />
Yay, a debugging post! : )<br />
<br />
This bug check in most if not all cases is caused by corruption of a critical Windows component (a .dll, a piece of the file system, etc.), or, more rarely, by a 3rd party driver causing a conflict.<br />
<br />
<u><b>---------------------------</b></u><br />
<br />
<b>First of all, let's have a look at the basic description of the bug check:</b><br />
<br />
<u><b>WINLOGON_FATAL_ERROR (c000021a)</b></u><br />
<br />
<i>This means that an error has occurred in a crucial user-mode subsystem.</i><br />
<br />
Okay, with that said, let's expand a bit on what this exactly means. Within user-mode we have various subsystems such as WinLogon or csrss.exe (Client/Server Runtime Subsystem). When, for some reason, these 'critical' subsystems unexpectedly cease to exist, or have any sort of problem that prevents them from running or doing their job, the OS will swap to kernel-mode.<br />
<br />
What's the problem with this? The subsystems I mentioned above are strictly user-mode, therefore when the OS swaps to kernel-mode, it calls a bug check as this is a big no-no as the OS cannot run without those subsystems.<br />
<br />
<b>In this bug check, two of the four parameters are important:</b><br />
<br />
<i>-- In this example, I will be using a 0xC000021A I solved quite some time ago. Your parameters may obviously differ.</i><br />
<br />
BugCheck C000021A, {<span style="color: red;">8da5e6b0</span>, <span style="color: purple;">c0000006</span>, 75a4e5e5, 13f86c}<br />
<br />
The 1st parameter (<span style="color: red;">8da5e6b0</span> in our case) is the string that identifies the problem.<br />
<br />
The 2nd parameter (<span style="color: purple;">c0000006 </span>in our case) is the error code.<br />
<br />
<u><b>---------------------------</b></u> <br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">FAILURE_BUCKET_ID: 0xc000021a_<span style="color: #0b5394;">csrss.exe</span>_c0000006_PoShutdown_ANALYSIS_INCONCLUSIVE</span> </blockquote>
We can see it was <b>csrss.exe</b> that terminated unexpectedly. Why?<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">1: kd> db <span style="color: red;">8da5e6b0</span><br />8da5e6b0 57 69 6e 64 6f 77 73 20-53 75 62 53 79 73 74 65 Windows SubSyste<br />8da5e6c0 6d 00 a5 8d c0 e6 a5 8d-04 04 2b 06 46 4d 66 6e m.........+.<span style="background-color: yellow;">FMfn</span><br />8da5e6d0 04 f2 4e 01 00 00 00 00-a7 73 19 00 00 00 00 00 ..N......s......<br />8da5e6e0 e0 e6 a5 8d 00 00 00 00-00 00 00 00 e4 cf 61 8a ..............a.<br />8da5e6f0 00 00 00 00 00 00 00 00-00 00 00 00 40 00 00 00 ............@...<br />8da5e700 01 00 00 00 dc 00 de 00-40 e7 a5 8d 2e 00 2e 00 ........@.......<br />8da5e710 40 e7 a5 8d 00 00 00 00-00 00 00 00 00 00 00 00 @...............<br />8da5e720 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................</span></blockquote>
If we run <b>db</b> on the 1st parameter, it dumps the bytes of the string. We can see <b>FMfn</b>, which is a pool tag, specifically for the NAME_CACHE_NODE structure. It's part of <b>fltmgr.sys</b>, which is the Microsoft Filesystem Filter Manager driver.<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">1: kd> da 8da5e6b0<br />8da5e6b0 "<span style="background-color: yellow;">Windows SubSystem</span>"</span></blockquote>
If we run <b>da</b> on the 1st parameter, it dumps the ASCII string. Not very helpful given we already knew this, but it's just another way to show you how you can see what caused the crash.<br />
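To show what the <b>db</b> and <b>da</b> steps recover, here is an added Python example (mine, not from the post) that re-parses the `db` output above offline, reads the NUL-terminated string that `da` printed, and locates the FMfn pool tag the post points out. The tag table is a constructed assumption limited to the one tag the post names, and the example also handles `??` bytes (unmapped memory) and non-contiguous output, which the post's dump does not contain.

```python
import re
from typing import List, Tuple

# The `db` output from the post (first parameter of the 0xC000021A), used as sample input.
DB_OUTPUT = """\
1: kd> db 8da5e6b0
8da5e6b0 57 69 6e 64 6f 77 73 20-53 75 62 53 79 73 74 65 Windows SubSyste
8da5e6c0 6d 00 a5 8d c0 e6 a5 8d-04 04 2b 06 46 4d 66 6e m.........+.FMfn
8da5e6d0 04 f2 4e 01 00 00 00 00-a7 73 19 00 00 00 00 00 ..N......s......
8da5e6e0 e0 e6 a5 8d 00 00 00 00-00 00 00 00 e4 cf 61 8a ..............a.
"""

# Constructed tag table, limited to the one pool tag the post identifies.
POOL_TAGS = {b"FMfn": "fltmgr.sys NAME_CACHE_NODE"}

# A dump line: address, 16 bytes separated by ' ' (with '-' after the 8th), then the ASCII column.
_DB_LINE = re.compile(r"^([0-9a-fA-F`]+)\s+((?:[0-9a-fA-F?]{2}[ -]){15}[0-9a-fA-F?]{2})(?:\s|$)")

def parse_db(text: str) -> Tuple[int, bytes]:
    """Rebuild (start address, raw bytes) from `db` output.
    '??' (unmapped memory) becomes 0x00 so offsets stay correct; lines that are not dump
    lines (the 'kd>' prompt, blanks) are ignored; a gap in the addresses is an error."""
    start = None
    data = bytearray()
    for line in text.splitlines():
        m = _DB_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1).replace("`", ""), 16)   # x64 output carries a backtick
        if start is None:
            start = addr
        elif addr != start + len(data):
            raise ValueError("non-contiguous dump at %x" % addr)
        for tok in re.split(r"[ -]", m.group(2)):
            data.append(0 if tok == "??" else int(tok, 16))
    if start is None:
        raise ValueError("no db lines found")
    return start, bytes(data)

def ascii_string_at(data: bytes) -> str:
    """What `da` on the same address prints: the bytes up to the first NUL, as ASCII."""
    end = data.find(b"\x00")
    return data[: end if end >= 0 else len(data)].decode("ascii", errors="replace")

def find_pool_tags(start: int, data: bytes) -> List[Tuple[int, str, str]]:
    """(address, tag, meaning) for every known pool tag found anywhere in the bytes."""
    hits = []
    for tag, meaning in POOL_TAGS.items():
        off = data.find(tag)
        while off >= 0:
            hits.append((start + off, tag.decode("ascii"), meaning))
            off = data.find(tag, off + 1)
    return hits

if __name__ == "__main__":
    start, data = parse_db(DB_OUTPUT)
    print("string:", ascii_string_at(data))
    for addr, tag, meaning in find_pool_tags(start, data):
        print("pool tag %s at %08x: %s" % (tag, addr, meaning))
```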
<br />
<u><b>---------------------------</b></u><br />
<br />
In this specific case, I advised the user to insert the installation media and run a repair (which solved the problem).<br />
<br />
Thanks for reading!<br />
<br />
<b>Blog Update</b> <i>(published 2014-06-14)</i><br />
<br />
Hi friends and readers,<br />
<br />
I'm just going to post a quick blog update as things are going to be changing a little bit! No longer from this point on will I be posting the threads I've solved. It was easy before, but now that I am extremely active on various communities and solve <b>hundreds </b>of threads a week, having to attempt to keep up and post all of them that I've solved is nearly impossible and extremely exhausting.<br />
<br />
With that said, my blog from this point on will be everything it is now, <i>minus </i>the 'solved' posts. If anything, this will also allow me to write many more in-depth debugging posts as I won't be so stressed to have to constantly post solved posts.<br />
<br />
I hope you understand!<br />