Sunday, September 7, 2014

Rootkit Debugging (runtime2 postmortem) - SwishDbgExt, SysecLabs script, etc.

Today we're going to be doing some rootkit debugging, specifically regarding runtime2, with a bit of a twist! I have a ton of rootkit debugging posts coming in the next few weeks, as I've decided to break them up rather than throwing them together in one giant mess of a post.

I've shown various scenarios in which I've debugged a rootkit before (0x7A, etc), but this time we're going to use various extensions to help us, other methods, and overall go a lot more in-depth. The postmortem runtime2 rootkit KMD that will be used in this post was generated by niemiro, a good friend from Sysnative forums. He aimed to make it a good example of some things a rootkit/malware developer can do to make things not as obvious when you resort to methods such as hooking the SSDT, which is rather old and very detectable these days.

 CRITICAL_OBJECT_TERMINATION (f4)  
 A process or thread crucial to system operation has unexpectedly exited or been  
 terminated.  
 Several processes and threads are necessary for the operation of the  
 system; when they are terminated (for any reason), the system can no  
 longer function.  
 Arguments:  
 Arg1: 00000003, Process  
 Arg2: 86664d90, Terminating object  
 Arg3: 86664edc, Process image file name  
 Arg4: 819e91f0, Explanatory message (ascii)  

Right, so here's our bug check. Most if not all of these 'older' rootkits will use Direct Kernel Object Manipulation (DKOM) to hook low-level routines/functions within the System Service Dispatch Table (SSDT). When this is occurring, assuming the developer of the rootkit didn't do a very good job in writing their rootkit, a lot can go wrong when disabling write protection, carelessly swapping memory, and inserting hooks. Malware scans from many AV programs can also cause crashes when they detect that the SSDT is hooked under certain circumstances. The rootkit can also intentionally call a bug check if written this way when it has detected a scan has initiated.

However, if the driver is well written, you may not crash at all. What do you do if you're suspicious of a rootkit infection/hooking, yet a bug check isn't occurring naturally due to proper programming of the rootkit? This is when in some cases (like in this specific example here), you may need to take matters into your own hands and either:
  • Force a bug check.
  • Live kernel debugging session.
  • Run an ARK (Anti-Rootkit) tool. This is no fun... we want to have fun and learn : )
The first option is much less effective than the second, and that's due to the fact that the rootkit may not be doing any obvious hooking of the SSDT, etc, at the time of you forcing the crash. If you're investigating during a live session, it's much more effective and there are a lot more commands you can use. However, for learning purposes, I will show both.

1st argument - The value in the 2nd argument (0x3) implies it was a process as opposed to a thread that unexpectedly terminated. If it was a thread however, it would have instead been 0x6.

2nd argument - The value in the 2nd argument (86664d90) is a pointer to the _EPROCESS object that unexpectedly terminated. We can dump it using !object, which I will show below:

 kd> !object 86664d90  
 Object: 86664d90 Type: (841537e8) Process  
   ObjectHeader: 86664d78 (old version)  
   HandleCount: 4 PointerCount: 127  

3rd argument - The value in the 3rd argument (86664edc) is the process image file name. Essentially, it's the process name that unexpectedly terminated. We can dump it by using dc, which I will show below:

 kd> dc 86664edc  
 86664edc 73727363 78652e73 00000065 00000000 csrss.exe.......  
 86664eec 00000000 00000000 00000000 8605a278 ............x...  
 86664efc 869356d8 00000000 00000000 0000000a .V..............  
 86664f0c 8c04d631 00000000 00000000 7ffdc000 1...............  
 86664f1c 00000000 00000099 00000000 00000000 ................  
 86664f2c 00000000 000005c6 00000000 0003cc50 ............P...  
 86664f3c 00000000 00000000 00000000 00006d77 ............wm..  
 86664f4c 00000000 00000000 00000162 00000000 ........b.......  

The process that unexpectedly terminated was csrss.exe, which is the Client/Server Runtime Subsystem.

For some extra food for thought, we can get a lot of the information above manually if we'd like to. If we take the 2nd argument (_EPROCESS object) and run the following:

 dt _EPROCESS 86664d90 imageFileName  

dt will display the type, which will show us the offset, etc. More specifically it displays information about a local variable, global variable or data type:

 kd> dt _EPROCESS 86664d90 imageFileName  
 nt!_EPROCESS  
   +0x14c ImageFileName : [16] "csrss.exe"  

If we take the _EPROCESS object and add it to the offset (+0x14c), we get the following:

 kd> ? 86664d90+0x14c  
 Evaluate expression: -2040115492 = 86664edc  

Look familiar? It's our 3rd argument, the process image name (csrss.exe).

4th argument - The value in the 3rd argument (819e91f0) is the explanatory message regarding the reason for the bug check, specifically in ASCII. To dump this, we'll need to use the dc command as we used earlier on the 3rd argument:

 kd> dc 819e91f0  
 819e91f0 6d726554 74616e69 20676e69 74697263 Terminating crit  
 819e9200 6c616369 6f727020 73736563 25783020 ical process 0x%   

As we can see, this is reiterating the 1st argument.

--------------------

So far all we know is that this bug check occurred because csrss.exe, a critical Windows process, unexpectedly terminated. Why? If you weren't able to tell whilst reading through by now, we purposely terminated it via Task Manager to force the bug check.With that said, for this post we're choosing the first method (forcing a bug check).

Pretending we ourselves didn't purposely force the bug check for a moment, what would we at this point do if this was a crash dump we were looking at from a system that isn't ours, and/or from our doing? Among many things, one of the first few things I do in 'not so obvious' 0xF4's is I check the summary and stats regarding virtual memory on the system at the time of the crash:

 kd> !vm  
 *** Virtual Memory Usage ***  
      Physical Memory:   917370 (  3669480 Kb)  
      Page File: \??\C:\pagefile.sys  
       Current:  3976680 Kb Free Space:  3976676 Kb  
       Minimum:  3976680 Kb Maximum:   4193280 Kb  
      Available Pages:   769568 (  3078272 Kb)  
      ResAvail Pages:    869504 (  3478016 Kb)  
      Locked IO Pages:      0 (     0 Kb)  
      Free System PTEs:   348283 (  1393132 Kb)  
      Modified Pages:    11884 (   47536 Kb)  
      Modified PF Pages:   11830 (   47320 Kb)  
      NonPagedPool Usage:   8265 (   33060 Kb)  
      NonPagedPool Max:   522998 (  2091992 Kb)  
      PagedPool 0 Usage:   5501 (   22004 Kb)  
      PagedPool 1 Usage:   10013 (   40052 Kb)  
      PagedPool 2 Usage:    623 (   2492 Kb)  
      PagedPool 3 Usage:    631 (   2524 Kb)  
      PagedPool 4 Usage:    726 (   2904 Kb)  
      PagedPool Usage:    17494 (   69976 Kb)  
      PagedPool Maximum:  523264 (  2093056 Kb)  
      Session Commit:     3758 (   15032 Kb)  
      Shared Commit:     9951 (   39804 Kb)  
      Special Pool:       0 (     0 Kb)  
      Shared Process:     1260 (   5040 Kb)  
      Pages For MDLs:      2 (     8 Kb)  
      PagedPool Commit:   17550 (   70200 Kb)  
      Driver Commit:     2335 (   9340 Kb)  
      Committed pages:   115256 (  461024 Kb)  
      Commit limit:    1882649 (  7530596 Kb)  

We can see right away that we don't have insufficient non-paged pool, which is a pretty popular cause of most 0xF4's as it at that point cannot handle I/O operations, etc. It's generally due to buggy drivers causing pool related memory leaks, etc.

With the above said, assuming we are looking at a crash dump that wasn't ours, we can almost entirely rule out this specific 0xF4 being caused by a buggy driver (MSFT or 3rd party). To be extra sure, double-check the modules list and see if there's anything that jumps out as problematic.

--------------------

At this point I would start becoming suspicious of a rootkit, as I would not right away suggest the hard disk (whether HDD or SSD) is the immediate problem given we'd probably see obvious NT_STATUS codes for that. For example, possibly 0xc0000006. Either that, or an entirely different bug check (perhaps 0x7A). With that said, now we get to have some fun!

There are many ways to go about detecting a rootkit hooking the SSDT, and we will discuss extensions/scripts for the moment:

1st Method - SwishDbgExt

The first method we will be using in this postmortem debugging example is the wonderful SwishDbgExt, which was developed/created by a friend of mine (Matt Suiche). I've made various contributions to the help file considering the love I have gathered for this extension. It makes a lot of our lives as debuggers much easier.

Once you have the extension loaded, we're going to be using the !ms_ssdt command. This command displays the System Service Dispatch Table, which is extremely helpful in the investigation of suspected rootkit hooks through using what is known as Direct Kernel Object Manipulation (DKOM).

-- Chopping some of the SSDT output as it's fairly large, let's skip to what's important:

   |-------|--------------------|--------------------------------------------------------|---------|--------|  
   | Index | Address      | Name                          | Patched | Hooked |  
   |-------|--------------------|--------------------------------------------------------|---------|--------|  
  *** ERROR: Module load completed but symbols could not be loaded for Gjglly.sys  
   |  126 | 0xFFFFFFFF91F054C2 | Gjglly                         |     |    |  
   |  127 | 0xFFFFFFFF81A34F80 | nt!NtDeviceIoControlFile                |     |    |  
   |  128 | 0xFFFFFFFF81949B44 | nt!NtDisplayString                   |     |    |  
   |  129 | 0xFFFFFFFF81A2117F | nt!NtDuplicateObject                  |     |    |  
   |  130 | 0xFFFFFFFF81A18134 | nt!NtDuplicateToken                  |     |    |  
   |  131 | 0xFFFFFFFF81AB14E8 | nt!NtEnumerateBootEntries               |     |    |  
   |  132 | 0xFFFFFFFF81AB278A | nt!NtEnumerateDriverEntries              |     |    |  
   |  133 | 0xFFFFFFFF91F04FFA | Gjglly                         |     |    |  
   |  134 | 0xFFFFFFFF81AB10B7 | nt!NtEnumerateSystemEnvironmentValuesEx        |     |    |  
   |  135 | 0xFFFFFFFF81A9F073 | nt!NtEnumerateTransactionObject            |     |    |  
   |  136 | 0xFFFFFFFF91F051B6 | Gjglly                         |     |    |  
   |  137 | 0xFFFFFFFF81A802D5 | nt!NtExtendSection                   |     |    |  
   |  138 | 0xFFFFFFFF819A113A | nt!NtFilterToken                    |     |    |  
   |  139 | 0xFFFFFFFF819B39FC | nt!NtFindAtom                     |     |    |  
   |  140 | 0xFFFFFFFF819DCA86 | nt!NtFlushBuffersFile                 |     |    |  
   |  141 | 0xFFFFFFFF819AD0F6 | nt!NtFlushInstructionCache               |     |    |  
   |  142 | 0xFFFFFFFF819781EB | nt!NtFlushKey                     |     |    |  
   |  143 | 0xFFFFFFFF818B11C1 | nt!NtFlushProcessWriteBuffers             |     |    |  
   |  144 | 0xFFFFFFFF819C175B | nt!NtFlushVirtualMemory                |     |    |  
   |  145 | 0xFFFFFFFF81A82D64 | nt!NtFlushWriteBuffer                 |     | Yes  |  

We can see a module (Gjglly.sys), and nt!NtFlushWriteBuffer is hooked. Let's not jump to conclusions just yet as this could be a completely legitimate hook.

First of all, what's Gjglly.sys? This is a driver in relation to AntiDebugLIB.
An advanced software encryption tool.

AntiDebugLIB is a useful tool that was designed in order to assist software developers protect their applications against advanced reverse engineering and software cracking. It offers a powerful advanced license control which allow developers to distribute trial versions of their applications securely.
This is a legitimate driver, but we can also at the same time not jump to conclusions on it being safe as said above (hint: it's not - I will discuss later).

2nd Method - Script

The second method we will be using in this postmortem debugging example is an older script developed by Lionel d'Hauenens of Laboskopia. This script will only work with the x86 WinDbg client. Regardless, as we know, it's always best to debug a crash dump in the client based off of the system's architecture. Given the system that generated this crash dump was 32-bit, we'll be debugging it with the x86 WinDbg client.

This script is incredibly helpful in not only checking the SSDT for hooking, but also detecting what is known as a Shadow SSDT hook. You can find a great article on Shadow SSDT hooking from my very good friend Harry - Shadow SSDT Hooking with Windbg.

Nevertheless, if you don't understand French instructions, to install the script, simply drag and drop the script folder into your x86 Debuggers folder.

Once it's installed, type the following command into WinDbg with your postmortem rootkit crash dump:

 kd> $$><script\@@init_cmd.wdbg  

So long as you installed the script properly, you should see the following:

 SysecLabs Windbg Script : Ok :)  
 ('al' for display all commands)  

Once you see that which has verified the script is loaded properly, type the following command:

 !!display_system_call  

Here's a few excerpts:

 007D  0003  OK  nt!NtDeleteObjectAuditAlarm (81a46500)  
 007E  0002 HOOK-> *** ERROR: Module load completed but symbols could not be loaded for Gjglly.sys  
 007F  000A  OK  nt!NtDeviceIoControlFile (81a34f80)  
 0080  0001  OK  nt!NtDisplayString (81949b44)  
 0081  0007  OK  nt!NtDuplicateObject (81a2117f)  
 0082  0006  OK  nt!NtDuplicateToken (81a18134)  
 0083  0002  OK  nt!NtEnumerateBootEntries (81ab14e8)  
 0084  0002  OK  nt!NtEnumerateDriverEntries (81ab278a)  
 0085  0006 HOOK-> Gjglly+0x1ffa (91f04ffa)  
 0086  0003  OK  nt!NtEnumerateSystemEnvironmentValuesEx (81ab10b7)  
 0087  0005  OK  nt!NtEnumerateTransactionObject (81a9f073)  
 0088  0006 HOOK-> Gjglly+0x21b6 (91f051b6)  

 00BC  0003  OK  nt!NtOpenJobObject (81a912df)  
 00BD  0003 HOOK-> Gjglly+0x1f4c (91f04f4c)  
 00BE  0004  OK  nt!NtOpenKeyTransacted (819727e1)  

 0143  0001  OK  nt!NtSetUuidSeed (8195977b)  
 0144  0006 HOOK-> Gjglly+0x2372 (91f05372)  
 0145  0005  OK  nt!NtSetVolumeInformationFile (81a6c5de)  

Here's Gjglly.sys again, and we can see it's hooking. At this point, we would be suspicious enough to run an ARK tool such as GMER. Of course, if we ran GMER at this point, it would show that the system is in fact infected with runtime2, and Gjglly.sys is our rootkit driver. Normally, by itself and by default, the runtime2 driver is runtime2.sys, not Gjglly.sys. In this specific scenario, niemiro used a different loader to inject the driver than the original, and renamed runtime2.sys to Gjglly.sys (a legitimate module name). Although GMER if run would still say the system is infected with a rootkit, and it would label Gjglly.sys as the rootkit driver, it's done not to trick various ARK tools, but the user.

If you've ever been infected with runtime2, you know it additionally drops startdrv.exe in the Temp directory of the current Windows install. startdrv.exe is the part that infuriates those who become infected with runtime2, because it's the part that immediately makes you suspicious of an infection as it's a trojan dropper. This is the specific part of the rootkit that will cause slowness, garbage popups, etc.

In this specific case, niemiro intentionally corrupted startdrv.exe which stopped it from executing entirely. You may be saying to yourself, what's the point of a rootkit's protection driver with no execution of payload, etc, by its dropped trojan? Well, there really is no point (unless your goal was to use something else that's malicious and not as obvious as a trojan dropper)! This was just an example to show how you can better hide a rootkit (protection driver, really) if you wanted to. Although ARK tools would still pick it up, it's not anywhere near as obvious to the user.

Thanks for reading, and I will get around to doing a live debugging of runtime2 as soon as I can.

--------------------

References

Hunting rootkits with Windbg.
Some notes about System Service Dispatch Table hook.

148 comments:

  1. Replies
    1. Great read guys! Thank you for sharing! Anyway anyone from Singapore here? Interested in property investment? I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below!

      new condo launch
      property launch singapore
      condo launch 2020

      new condo launch
      property launch singapore
      condo launch 2020

      new condo launch
      property launch singapore
      condo launch 2020

      Delete
  2. Hey, this is amazing content. thank you for sharing.
    ReverseEngineering

    ReplyDelete
  3. thanks for sharing this debbuging of rootkit in detail it is really very much helpful
    have a visit to our website for best solutions and information regarding Norton removal tool we recommend you to come there and have a look at our product and try our service

    ReplyDelete



  4. To install office setup you have to select the downloaded file otherwise insert the office setup CD disc. If you use the CD disc then you have to enter the Office Product Key for authorizing it. After selecting the downloaded file you have to run or setup this file on your computer.

    office.com/setup

    ReplyDelete
  5. The 123.hp.com/setup team of technical experts is an excellent group of people who believe in great repairs. They have been working in the same domain from almost a decade and that is why they deliver the most amazing services & The 123.hp.com/setup team of technical experts is an excellent group of people who believe in great repairs. They have been working in the same domain from almost a decade and that is why they deliver the most amazing services.

    ReplyDelete
  6. These days users, both individuals as well as business owners are highly concerned about computer security. If one safeguards their computer with antivirus, then they can protect their devices from viruses and other malware. For making the device secure, one needs to download Norton security software. To set up the Norton antivirus, the users need to go through its procedure of downloading, installing and activating on www.norton.com/setup.

    ReplyDelete
  7. office.com/setup - Easy guide to install office setup at www.office.com/setup Online. Get Started with MS Office Setup at office.com/setup.

    ReplyDelete
  8. www.trendmicro.com/downloadme For Trend Micro Download , you must create a Trend Micro account from trend micro that can help you in smooth Trend Micro installation.

    ReplyDelete
    Replies
    1. Nice read! Always a pleasure reading! Thank you for sharing!
      Anyway, anyone heard of the project Whistler Grand in D05 in Singapore? I heard it is a pretty good project with huge potential upside . Anyone else interested? Check this out! 🇸🇬

      Whistler Grand

      Delete
  9. Nice read! Always a pleasure reading! Thank you for sharing!
    Anyway, anyone heard of the project Whistler Grand in D05 in Singapore? I heard it is a pretty good project with huge potential upside . Anyone else interested? Check this out! 🇸🇬

    Whistler Grand

    ReplyDelete
  10. Nice read! Always a pleasure reading! Thank you for sharing!
    Anyway, anyone heard of the project Whistler Grand in D05 in Singapore? I heard it is a pretty good project with huge potential upside . Anyone else interested? Check this out! 🇸🇬

    Whistler Grand

    ReplyDelete
  11. Nice read! Always a pleasure reading! Thank you for sharing!
    Anyway, anyone heard of the project Whistler Grand in D05 in Singapore? I heard it is a pretty good project with huge potential upside . Anyone else interested? Check this out! 🇸🇬

    Whistler Grand

    ReplyDelete
  12. Norton.com/setup - Let's get Started with Norton Security as we are here to get you the easiest way to Setup Norton Security. Feel free to contact us if you need any help.

    ReplyDelete


  13. There is an uncommon acceleration in the quantity of infections, malwares and different burdens to the PC programming. To control this expansion, a few viable antivirus applications are being created every day, one of such application is the norton antivirus. Not with standing being the most dependable, this software helps the client to securing the product in an assortment of platfor including workstations, work areas and tablets also.For protect your system you can take help from norton.com/setup where you will find best way to protect your system from viruses.
    www.norton.com/setup
    norton setup

    ReplyDelete
  14. how to get free robux is the one main question which arises in the minds of every game lover to get the free robux online. With the use of our website they can easily get the free robux currency to use in your gaming id.

    ReplyDelete
  15. Availability of smooth part and parcel of HP printer is obvious so that there should not come turbulence of negative aftermath of this computer peripheral. Nobody can give the sure review of this thing that the performance of HP printer cannot fluctuate anymore. If you find something bad in Hp printer, then it is obvious though to reach 123.hp.com/setup and pick most valuable product. No need to be worry while facing many technical error and interruption in it.
    hp setup

    123.hp.com/setup 6978

    ReplyDelete

  16. vbucks is a kind of currency used in fortnite. you can unlock your favorite character. you can download vbucks generator to create unlimited vbucks.

    ReplyDelete
  17. Make sure to only purchase the right product that matches your security obligations. As Norton offers you a trial version of every product online without implying any charges, you can easily get to know their performances before paying for the subscription plan.
    norton.com/setup

    norton.com/setup

    ReplyDelete
  18. looking for how to get free robux ? you can real full information related to robux on our website.

    ReplyDelete
  19. This comment has been removed by the author.

    ReplyDelete
  20. Nice post with very good content with lot information. Keep Doing it.
    As we all are using digital medium to make our work easy. So Don't you think we need a secure system with antivirus updated.
    Please Visit-
    mcafee.com/activate
    norton.com/setup
    norton.com/setup

    ReplyDelete
  21. Process of debugging is really very great. There is no doubt that boosting the growth of any online business to buy SEO services from a reliable and experienced agency is required.

    ReplyDelete
  22. Management Assignment Help connects needy scholars to trustworthy online assignment writing service providers. Pay a reasonable amount to hire an online tutor and clear your doubts related to management assignments.
    Also visit here: Risk Management Assignment Help
    MBA Assignment Help

    ReplyDelete
  23. We are a well-known SEO services company, which is providing 100% guarantee of ranking, traffic, sales and revenue. We offer the best SEO services that are giving quick and long-term search results.

    ReplyDelete
  24. Are you feeling tired while writing risk management assignments? Do you want to finish your academic papers without involving them? Then you must consider Risk Management Assignment Help to accomplish your papers on time.
    Also visit here: MBA Assignment Help
    Strategic Assignment Help
    Compensation Management Assignment help

    ReplyDelete
  25. HP printers are best to print and scan documents. You can use both wired and wireless connection to print and scan documents. Sometimes HP printer won’t scan due to some technical issues.

    ReplyDelete
  26. Thank you so much for the post you do. I like your post and all you share with us is up to date and quite informative, i would like to bookmark the page so i can come here again to read you, as you have done a wonderful job
    norton.com/setup
    mcafee.com/activate

    ReplyDelete
  27. Study of reverse enine is really great and your blog is so much informative about this. I have found this blog with the help of SEO services company.

    ReplyDelete
  28. Students can’t finish their homework when they have to adjust with time and other things being studying in Malaysian universities. They have to deal with opposite conditions when they don’t how to manage their work. If they have less knowledge of academic writing services, they can’t complete their assignments when they can’t write by themselves. Thus, use Assignment Help services in Malaysia and accomplish your work before the due dates.
    Also visit here: Assignment Help Online
    Online Assignment Help
    Strategic Management Assignment Help
    Risk Management Assignment Help

    ReplyDelete
  29. Thank you for sharing this kind of information through this blog. Really' it's so good. Click here or follow the Bubble shooter games website to play this world-famous bubbleshooter, clear all the coloured bubble to score more.

    ReplyDelete

  30. Norton is one of the best antivirus tools for any of your devices. This isn't only a standard instrument that expels little infections and reports bugs. Be that as it may, this is one entire full security arrangement for your Device.
    norton.com/setup

    ReplyDelete
  31. Delta clients profit by a reestablished set-up of Delta encounters that speak to interests in the client experience through separated help contributions. The ventures are uncovered through another line of marked items called Delta One, First Class, Delta Comfort+, and Main Cabin, all of which give more noteworthy decisions and premium alternatives that accompany Delta's mark of giving the best expectations of value and administration. Separated courtesies and administrations are offered with every item, setting another standard for solace and accommodation.

    Delta Change Flight

    Delta Change Flight Fee

    ReplyDelete
  32. Great read guys! Thank you for sharing! Anyway anyone from Singapore here? Interested in property investment? I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below!

    Daintree Residence Location
    DainTree Residence Singapore
    daintree residence balance unit

    whistler grand condo
    whistler grand singapore
    whistler grand site plan

    jadescape location
    jadescape singapore
    jadescape condo

    ReplyDelete
  33. Great read guys! Thank you for sharing! Anyway anyone from Singapore here? Interested in property investment? I saw a few property launches that has got huge potential. Anyway keen to know more? Click on the link below!

    Daintree Residence Location
    DainTree Residence Singapore
    daintree residence balance unit

    whistler grand condo
    whistler grand singapore
    whistler grand site plan

    jadescape location
    jadescape singapore
    jadescape condo

    ReplyDelete
  34. if you need so many Free vbucks to unlock your favorite character or outfits then download vbucks generator tool by which you can create so many vbucks and use them in fornite free v-bucks generator

    ReplyDelete
  35. http://bsodanalysis.blogspot.com/2014/09/rootkit-debugging-runtime2-postmortem.html
    http://hackslashmaster.blogspot.com/2020/06/on-cravenpeters-dream-auction.html
    http://illustrationart.blogspot.com/2020/06/the-energy-of-1960s-part-2.html
    http://davydov.blogspot.com/2011/10/blog-post_3515.html
    http://archives.aefjn.org/index.php/blog-reader/items/blog-on-africa.html?page=101
    http://bxblackrazor.blogspot.com/2020/06/a-hard-look-at-thieves.html

    ReplyDelete
  36. if you are intresting to play online game you can play free robux generation game https://freerobuxgenerators.co/

    ReplyDelete
  37. This implies the client needs a made sure about the web perusing framework. This is conceivable in the event that you are utilizing the antivirus programming McAfee.com.
    mcafee.com/activate | www.mcafee.com/activate | mcafee download | mcafee activate

    ReplyDelete
  38. Office setup has consistently been over the product business that has cleared its way through to the Hardware business as well. Microsoft is currently ready to make gadgets that can really incorporate the product
    office.com/setup | www.office.com/setup | office setup

    ReplyDelete
  39. This comment has been removed by the author.

    ReplyDelete
  40. Thanks for the really useful article. It helps to improve and fix many issues.
    I need to advise you on a new pack of online games. These are cool andno deposit slots. Here you can find more than 30 different slots on any topic. Most of them are no deposit. There are starting bonuses at registration.

    ReplyDelete
  41. Thanks for sharing this great article. Hi, I am John Smith, I am working as a technical manager at email support. I have 3 years of experience in this field. If you have any problems related to the Sasktel email login issue, then please contact for instant help related to email problems.

    ReplyDelete
  42. Wow! Such an amazing and helpful post.....keeps it up guys..., thanks for sharing. I really love it.
    reset belkin router

    ReplyDelete
  43. debugging is the process which is used when error occur in your code.
    mcafee.com/activate

    ReplyDelete
  44. i read it and it is about debugging and reverse engineering. i learned about Rootkit Debugging (runtime2 postmortem) - SwishDbgExt, SysecLabs script, etc. office.com/setup
    thanks alot for the info.

    ReplyDelete
  45. Debugging is important for each program to check for errors at compile time and run time as well.
    mcafee.com/activate

    ReplyDelete
  46. This comment has been removed by the author.

    ReplyDelete
  47. when we write a code for the software. its a usual thing error will occur. and we start debug. visit
    office.com/setup

    ReplyDelete
  48. This comment has been removed by the author.

    ReplyDelete
  49. Prime has a whopping 12,828 movies while Netflix, which has more subscribers than Amazon Prime, has 3,781 movies. And that number only represents the movies Amazon Prime offers to its subscribers for free, according to data from streaming-service search engine RealGood

    www.primevideo.com/mytv
    netflix.com/activate
    netflix.com/activate
    www.netflix.com/redeem
    www.netflix.com/giftcard
    www.netflix.com/tv8
    www.netflix.com/code
    www.netflix.com/tvhelpm

    ReplyDelete
  50. Interface your gadget to the Internet and go to the App Store.
    Search and "Download" the Amazon prime video application.
    When the document is downloaded and introduced, open the application.
    You will see an alternative – "Register on Amazon site", click on this.
    A 6 digit code will show up on the screen.
    Note down this code cautiously. This is amazon.com/mytv enter code.
    Presently open the Amazon site – Amazon.com/mytv.com and sign in with account subtleties.
    Presently enter the Amazon enactment code and snap on "Proceed".
    You will get the compliment message on your TV screen after the effective enactment.
    Start Enjoying the amazon prime videos on your device.
    If you are facing some issue in that process then you can visit :
    primevideo.com/mytv
    www.amazon.com/mytv registration
    www.primevideo.com/mytv
    www.amazon.com/mytv enter code

    ReplyDelete
  51. This is informative and helpful blog He aimed to make it a good example of some things about rootkit/malware. Diver is a set of tools for debugging and reverse engineering, which allows you to trace Java programs and visualise a program's runtime.office.com/setup

    ReplyDelete
  52. Get the steps to fix AOL mail sign in issues such as authentication issues, can not sign in , Unblock AOL account and so on. For more queries reach us & get best help.

    ReplyDelete
  53. www.office.com/setup:- visit Microsoft office setup site office.com/setup. Sign in Microsoft office setup Account. Enter office setup Product.

    www.office.com/setup | enter office setup product key | office setup

    ReplyDelete
  54. It's almost difficult to concede that you haven't known about Vashikaran and black magic yet. It doesn't require a presentation.
    At that point too we should investigate what it is, the thing that it's able to do, how would it is able to help you and how it could profit you.
    Before we get into this short conversation we invest wholeheartedly to acquaint you with the possibly name recited with regards to Black Magic Specialist in Delhi Guru Maneshwar Ji.
    Almost certainly it is perhaps the most confided in names in the space. Then again, there isn't anything. That he can't accomplish for you.

    ReplyDelete
  55. To be able to watch Prime Video on a Smart TV, the TV must have the application pre-installed in your device. Otherwise, you must have a similar

    platform to the App Store or Play Store on Google, so download the application from the website. Devices Compatible with Prime Video. Exclusive

    content and Amazon Original series Enjoy exclusive movies and TV shows on your device.
    primevideo.com/mytv

    ReplyDelete
  56. Hmm a strange problem, maybe there are some errors when debugging in Runtime2 Workspace. I recommend that you search YouTube for videos with solutions to typical problems with such a connection, in which experienced programmers show and tell you how to fix similar errors. I found about ten videos on this topic there and noticed that they were posted on accounts with about 10 thousand subscribers! I am sure the owners of these accounts often used the services of https://soclikes.com/buy-youtube-subscribers in order to acquire subscribers for YouTube .

    ReplyDelete
  57. I have read the content and the blog is very informtaive and helpfull.




    office.com/setup

    ReplyDelete
  58. very helpful information, its the first time I came across website and i found it very helpful and informative. office.com/setup

    ReplyDelete
  59. Set up Microsoft 365 through Microsoft365.com/setup
    | Microsoft365.com/setup
    | Microsoft365.com/setup
    | Microsoft365.com/setup
    | Microsoft365.com/setup
    and use Microsoft apps such as Word, PowerPoint, and Excel, online storage, cloud-connected features, and more. If you have a Microsoft account associated with Outlook, OneDrive, Xbox Live, or Skype, you can proceed with Microsoft 365 login.

    ReplyDelete
  60. Read the content and the blog is pretty informtive and helpful as well.


    office.com/setup

    ReplyDelete
  61. I would make a video about it and post it on tiktok because I know how to get tiktok likes for any video and want to be popular blogger. I read about likes on this site https://whatsnew2day.com/are-you-a-beginner-tiktoker/

    ReplyDelete
  62. Useful reading your blog. Thanks for sharing this marvelous post. I m very pleased to read this article. ActivePresenter crack
    EaseUS Data Recovery Wizard 14 Crack
    Nordvpn Crack
    EaseUS Data Recovery Wizard 14 Crack

    ReplyDelete
  63. Norton is already on the list of best antivirus security that helps you manage your digital life anywhere norton.com/setup , norton.con/setup ,
    123.hp.com/laserjet .


    ReplyDelete
  64. Go for multiple actions including lasejet installation, registration, and wireless connect, cartridge installation or more, 123.hp.com/laserjet , camps.intuit.com , camps.intuit.com .

    ReplyDelete
  65. Microsoft365.com/setup allows you to download and activate the Microsoft Office setup. Microsoft 365 plans for personal and home provides robust Office desktop apps including Word, PowerPoint, Excel, Outlook, and OneNote. Microsoft 365 subscribers can always install the latest version of MS Office and get frequent software updates. Microsoft365.com/setup | Skype Login

    ReplyDelete
  66. We liked your article very much. From this article we have come to know what we may not have known from any other article. We will be very grateful to you.

    If you have a ij.start.cannon printer and driver cannot be installed into your pc then we can solve your problem. So you can here download and install the driver easily.

    ReplyDelete
  67. Jerry kirsten is a software developer. He has expertise in making people aware of the new software technologies. He writes for http://ij.start.canon , https://ij.start.canon

    ReplyDelete
  68. Nice post...You have share very good information in your blog post...
    Hello.. we have a very good printer at a reasonable rate on our site, you can enjoy ultimate comfort with this printer with high-quality performance. Canon is the best brand among all brand printers. Canon printers are designed for small, home office printers for fast, high-quality document printing. If you need any information or if anyone want to buy this printer, get it easily through my ij.start.cannon site.
    https://ijstartcannonx.com/

    ReplyDelete
  69. Webroot is a computer security software program for Microsoft Windows users that combine software as a service cloud protection with traditional Antivirus and anti-spyware desktop technologies.
    webroot install with key code | webroot install with key code |
    office.com/setup |
    camps.intuit.com



    ReplyDelete

  70. Canon printers, especially all-in-one Inkjet printers, are ideal for home and office use to gain maximum output with high-quality printing documents straightforwardly.
    canon.com/ijsetup | ij.start canon | ij.start.canon | cox webmail login | norton.com/setup

    ReplyDelete
  71. Microsoft is an official portal to activate and start your Microsoft 365 product including office apps, cloud services and other collaboration services. You’ll need to Sign In and enter Microsoft product key

    ReplyDelete
  72. Great Article. Looking great work dear, I really appreciated to you on this quality work. I would like say thanks for this post.

    Our printer sells the most and you can print easily using Canon. If you want to know more about Canon, you can find out by visiting our site. You Can Also Visit Our Website - ij start canon

    ReplyDelete
  73. Are you looking to fix the Brother Printer offline on how to turn online on your Windows 10 computer? the steps to fix the offline issue on your printer approach the steps:
    visit our site for further steps: Brother printer offline

    ReplyDelete
  74. McAfee antivirus on any device. Once you visit the retail store like Walmart and Best buy, they issue you a retail card that holds McAfee. mcafe.com/activate , www.hp.com/123 webroot.com/geeksquad webroot.com/secureinstall , macfee.com/activate
    mcafee.com/activate

    ReplyDelete
  75. Go to norton.com/setup and download Norton setup. With over 64+ Million Users, Norton is already on the list of best antivirus security that helps you manage your digital life anywhere.Defend against the unknown threats and proceed for Trend micro download with www.trendmicro.com.activate having Advanced Machine Learning Technology.Download option for hp printer is available at 123.hp.com/leserjet site.

    ReplyDelete
  76. Are you facing problem in getting married to the person you love? Your parents are not accepting the match? Or, the financial and lifestyle differences have become an obstacle? Or, your partner is doubtful or in dilemma? Lose no hope. Seek out solutions in love marriage problem solutions astrology. The best astrologer for your love marriage solution can bring you closer to your dreams without any hiccups.

    ReplyDelete
  77. Hmm a strange problem, maybe there are some errors when debugging in Runtime2 Workspace. I recommend that you search YouTube for videos with solutions to typical problems with such a connection, in which experienced programmers show and tell you how to fix similar errors. Some of this videos have many dislikes, i think this is because some people used the services of the https://viplikes.net/buy-youtube-dislikes to increase their number.

    ReplyDelete
  78. Samsung Printers are succesful to establish a wireless connection with your goal network. To solution on – a way to connect Samsung printer wireless setup– please make certain which you have become sufficient speed in your Wifi network.

    ReplyDelete
  79. Nice blog, McAfee is the world’s greatest and largest device to cloud cyber security company, You can Activate McAfee with the help of activation key by simply following the mcafee.com/activate.

    ReplyDelete
  80. Sign in to your COX Webmail account to send or receive new Address Book messages, handle spam messages, access advanced email devices. In addition, you can receive up to 10 email accounts through COX Webmail. Cox High-Speed Internet provides its users with COX Communications. Cox webmail Login | Skype Login | canon.com/ijsetup | cannon/ijsetup

    ReplyDelete
  81. The Webroot program is highly rated software to protect your devices & data available for download at webroot.com/safe.
    123.hp.com/setup |
    ij.start.canon| ij.start.cannon/ts3322 |

    ReplyDelete
  82. The Webroot program is highly rated software to protect your devices & data available for download at |
    ij.start.canon| ij.start.cannon/ts3322 | microsoft365.com/setup| Microsoft365.com/setup

    ReplyDelete
  83. Cox Email Login is an online login portal that the company provides to its customers enabling them to operate 10 email accounts each capable of 2 GB storage.
    cox webmail login |
    camps.intuit.com | camps.intuit.com

    ReplyDelete
  84. ISC888 เปิดให้บริการ เกมพนันออนไลน์ มากมายหลากหลายรูปแบบรวบรวมเกมเดิมพันออนไลน์จากค่ายเกมจากทั่วโลกมากกว่า 200 เกม ด้วยการให้บริการแบบครบวงจร เปิดบริการตลอด 24 ชั่วโมง เปิดบริการมาอย่างยาวนาน.


    คลิ๊กที่นี่

    ReplyDelete
  85. Enter Trend micro activation code on www.trendmicro/activate | www.trendmciro.com/activate to download and activate Trend Micro. To activate Trend micro, make sure you already have an activation code that you’ll probably enter on the trendmicro.com/activate site.

    ReplyDelete
  86. Enter Trend micro activation code on www.trendmicro.com/activateto download and activate Trend Micro. To activate Trend micro, make sure you already have an activation code that you’ll probably enter on the trend micro activation site.

    ReplyDelete
  87. ION Casino is a trusted online casino site and certainly the best in Asia since 2010. ION Club Casino is also often known as ION CLUB.

    ION Casino
    Daftar ION Casino
    Login ION Casino
    Deposit ION Casino
    Withdraw ION Casino
    ION Casino Mobile

    ReplyDelete
  88. Do you need assignment help services to clear your assignments? If yes, then you are at the right place. The team of professionals who work for Assignmenthelp.com have extensive experience in providing students with quality assistance on their assignments. They offer various types of Assignment Help that range from academic writing to editing and proofreading. So what are you waiting for? Join today! Write my Assignment

    ReplyDelete
  89. It is perfect time to make some plans for the longer term and it’s time to be happy. 사설토토추천

    ReplyDelete
  90. Hi, I am David Jones, I am working as a technical expert at email support. I have 5 years of experience in this field. If you have any problems related to Office 365 support number, activation, installing etc. then please contact our Office 365 help team for instant solution.

    ReplyDelete
  91. Great Stuff! Thank you for Sharing the information, *I'm Sofia Williams, a Corporate Sales Specialist at (Expert Market Research), We are specialized in Market Research Report, Size, Share, Price, Trends, Growth, Analysis, Key Players, Outlook and Forecast. Want to read information about Procurement Intelligence
    visit here!

    Also Check: Global Electric Bike Market | Global Bioenergy Market | Global Air Purifier Market

    ReplyDelete
  92. https://sarvdata.com/vps/Under what circumstances does a site need to be upgraded? In case the volume of information on your site has increased and your site receives a lot of traffic every day

    ReplyDelete
  93. QuickBooks Customer Service is available 24/7, so if you have any issues with your software, just give them a call. This software is recommended for small businesses and individuals alike. You can contact QuickBooks Customer Service at +18668224745 or visit their website to learn more about the company.

    ReplyDelete
  94. QuickBooks is an accounting software that is used by over 1 million businesses in 50 countries worldwide. It provides a variety of options to help you obtain your finances the way you want it.Dialing Quickbooks Phone Number +18777621118 will get you answers to any questions you may have about the accounting software.

    ReplyDelete
  95. If you are looking for the protection of the data on the desktop you can use the mcafee.com/activate. It provides the lots of good plan or free trial.

    ReplyDelete
  96. I found this blog is amazing as well as useful to learn something new from it. here author had described the whole thing and created the good informative blog for us. so thank you for the amazing blog again. here YOU can find the canon printer help for your canon printer. we provide you the best online help for your printer to setup. so just try the new information. canon imageclass mf232w

    ReplyDelete
  97. what a appreciating blog by the author, which is providing us many good content and good things to learn. i always want to gain knowledge like this for my problems. thank you for the author. canon ts3322 is the best printer in today's era . if you need any help regarding this printer for any information just visit the tab.

    ReplyDelete
  98. https://www.irannaz.com/%D9%85%D8%AA%D8%AE%D8%B5%D8%B5-%D9%82%D9%84%D8%A8-%D8%B9%D8%B1%D9%88%D9%82-%DA%A9%DB%8C%D8%B3%D8%AA-%DA%86%D9%87-%D9%85%DB%8C%DA%A9%D9%86%D8%AF.html Before you go to a doctor, what is the science and knowledge of the doctor because any specialist and doctor have a special duty. The cardiologist has been told that many years in universities have learned information on the heart and blood vessels of the body, and now in the office and hospitals to treat patients.

    ReplyDelete
  99. https://baamardom.ir/186411/%D8%A8%D9%87%D8%AA%D8%B1%DB%8C%D9%86-%D8%B2%D9%85%D8%A7%D9%86-%D9%85%D8%B1%D8%A7%D8%AC%D8%B9%D9%87-%D8%A8%D9%87-%DB%8C%DA%A9-%D8%AF%DA%A9%D8%AA%D8%B1-%D8%B1%D9%88%D8%A7%D9%86%D9%BE%D8%B2%D8%B4%DA%A9/Physical examination, mental examination, CT scan and blood test are other things that a psychiatrist may need. Now that we are more familiar with this profession, it is better to dig a little deeper. Many people do not know exactly what to go to a psychiatrist for. In fact, it is better to say that they do not know when to see a psychiatrist. To this end, it will be important for them to study such material.

    ReplyDelete
  100. IMO regulation on sulfur content in the marine fuel and increase in gas exploration and production activities are the key driving factors in the growth of the LNG bunkering market globally. However, demand-supply gap in LNG bunkering is the key factor restraining the growth of the global market.

    Also read: acetic anhydride market | Tobacco Market | Takeitcool | Aerospace Fasteners Market

    ReplyDelete
  101. When we look back, we find that no one has ever been able to stand up to any technology. Science is advancing and صرافی نیل the world is changing day by day on the path of improvement and progress.

    ReplyDelete
  102. Hi, I am David Jones, I am working as a technical expert at email support. I have 3 years of experience in this field. If you have any problems related to Outlook search not working, then please contact us for help related to email problems.
    https://www.emailsupport.us/blog/fix-outlook-search-not-working-problem/

    ReplyDelete
  103. The literal meaning of the board game is a board or board game. But today, these games have gone beyond the board and the screen and have given a more comprehensive meaning to this word (game board). Some people call the board game a board game or an intellectual game that none of these words can be the complete and correct meaning of these games. Understanding the meaning of this word can only be done by entering the world of these games. So let's take a deeper look at the game board and its meaning.
    https://alvand-ads.ir/reportage/68-%D8%A8%D8%B1%D8%AF%DA%AF%DB%8C%D9%85

    ReplyDelete
  104. Once you choose the build, amount, material and design, you will get a quote from us. https://customboxesbulk.com/This will help you see how your budget stands with the price point of your order.

    ReplyDelete

  105. Whether you want printed custom packaging boxes boxes or embossed ones, you can get in touch with our design team to discuss all of this.

    ReplyDelete

  106. Leaving a good first impression is a necessity in today’s time. By not leaving a good impression custom packaging boxes, you give your competitor’s a chance to swoop in and take your client away.

    ReplyDelete
  107. Amazing website, Love it. Great work done. Nice website. Love it. This is really nice.
    ij.start.cannon
    hbomax/tvsignin
    disneyplus.com/begin
    showtimeanytime.com activate

    ReplyDelete
  108. App Cleaner & uninstaller for Mac can also eliminate applications and their service files on the operating system. It is the most reliable and powerful software. Through this tool, you can uninstall unwanted apps with one click. It offers you to search the complete list of unwanted programs and removed them. App Cleaner & Uninstaller Crack allows you to scan the whole system and preview installed apps.

    ReplyDelete
  109. https://icingdesignsonline.blogspot.com/2013/01/diy-glittered-honeycomb-balls.html?showComment=1644927092458#c3173986311182168392

    ReplyDelete
  110. Similarly, different add ons are available to add embellishments and glossy printed paper box surfaces to the box. We provide hundreds of custom options for your pizza boxes. We have the knack for delivering your custom top-notch perfection at an elite level.

    ReplyDelete
  111. Canon IJ Network Tool is a toolkit software with the options to keep a check on most of your Canon printer network settings and adjust them according to your requirements

    ReplyDelete
  112. Youtube.com/activate
    Youtube Tv is a Premium video web-based stage that offers internet real-time of different TV shows, Movies, and web series on more than 80+ stations.

    ReplyDelete
  113. Immensely thought out! This was the most detailed article I have read. 토토사이트

    ReplyDelete
  114. What an awesome post, I just read it from start to end your blog post. Really an informative blog. 바카라사이트닷컴

    ReplyDelete
  115. Many readers would be interested on this site. I am looking forward for your daily posts. 파워볼사이트닷컴

    ReplyDelete
  116. ij.start.canon is the solution for easy Canon printer drivers download. Https //ij.start.cannon allows you to install and set up a Canon inkjet printer and ensure that you receive outstanding printing results ,To complete your Canon ij printer setup with several connectivity options like WiFi, USB, Bluetooth, and others, see and follow ij.start.cannon

    ReplyDelete
  117. Oyes website is a web development company in Delhi which provides custom websites. As a web development firm we provide several IT services such as website development, website designing, E-commerce Solutions, website promotion, logo design, SEO services in Delhi.

    ReplyDelete
  118. University Homework Help is a reputable online platform that provides expert help with mechanical engineering homework. Their team of experts includes experienced civil engineers who are well-versed in the subject and have a proven track record of helping students excel in their studies.

    To get help with mechanical engineering homework from University Homework Help, you simply need to submit your assignment on their website and provide all the necessary details. The experts will review the assignment and provide you with a quote for their services.

    Once you agree to the quote, the experts will work with you to develop a plan of action and guide you through the process of solving mechanical engineering assignment. They will explain the concepts and techniques involved in the assignment and answer any questions you may have.

    ReplyDelete
  119. slot asia เป็นต้นแบบเกม เว็บไซต์สล็อต สล็อตออนไลน์ ยอดนิยมแล้วก็เป็นที่พึงพอใจอย่างยิ่งสำหรับผู้เล่นเกมสล็อตออนไลน์ในช่วงเวลานี้ด้วยแบบเกม PG เป็นเกมที่เล่นได้ง่ายๆ

    ReplyDelete
  120. slot joker สำหรับหนทางการเข้าเล่น เกมสล็อต พีจี โจ๊กเกอร์สมาชิกหลายๆท่านที่พึ่งพิงเริ่มสมัคร PG SLOT ใช้งานหนแรกบางทีอาจจะยังไม่เคยทราบหนทางการเข้าเล่นของเว็บไซต์พวกเรา joker 

    ReplyDelete
  121. สูตร บา คา ร่า 2023 คือสูตรที่ถูกออกแบบมาเพื่อให้ผู้เล่นสามารถเล่นเกม PG SLOTได้อย่างมีประสิทธิภาพและมีโอกาสชนะมากขึ้น การวางแผนการเล่นในปี 2023

    ReplyDelete