[Vol-users] DPC procedure localization

BRTAN Jaroslav Jaroslav.BRTAN at firstdata.sk
Mon Jun 3 08:15:15 CDT 2013


Hi all,

I'd like to ask you for your help with analysis. The timers module shows that there is a strange DPC at 0x8647e4e0.


Timers module output:

Offset(V)  DueTime                  Period(ms) Signaled   Routine    Module
---------- ------------------------ ---------- ---------- ---------- ------
0x873097d0 0x0000002f:0x2db9d0c3             0 -          0xa7386d8e arp1394.sys
0x85b9a2c8 0x8000002d:0x6d7d7c8e             0 -          0x80538a98 ntoskrnl.exe
0x8a332b20 0x0000002f:0x2ea5d991             0 -          0xb9ddef1a NDIS.sys
0x863ead10 0x00010014:0x863ead28    -205...072 Yes        0x8647e4e0 UNKNOWN
0x85e451e8 0x00010014:0x85e45200    -205...072 Yes        0x8647e4e0 UNKNOWN

I am not able to identify where this procedure belongs. I've been searching through the Volatility documentation project for a hint, but with no luck so far.

Volshell shows me this:

>>> dis(0x8647e4e0, length=32)
0x8647e4e0 e0e4                             LOOPNZ 0x8647e4c6
0x8647e4e2 47                               INC EDI
0x8647e4e3 86e0                             XCHG AL, AH
0x8647e4e5 e447                             IN AL, 0x47
0x8647e4e7 86e8                             XCHG AL, CH
0x8647e4e9 e447                             IN AL, 0x47
0x8647e4eb 86e8                             XCHG AL, CH
0x8647e4ed e447                             IN AL, 0x47
0x8647e4ef 8600                             XCHG [EAX], AL
0x8647e4f1 803b99                           CMP BYTE [EBX], 0x99
0x8647e4f4 00403b                           ADD [EAX+0x3b], AL
0x8647e4f7 99                               CDQ
0x8647e4f8 00b0fd7f0000                     ADD [EAX+0x7ffd], DH
0x8647e4fe 0000                             ADD [EAX], AL
...
...
0x8647e4c6 0000                             ADD [EAX], AL
0x8647e4c8 d00a                             ROR BYTE [EDX], 0x1
0x8647e4ca 93                               XCHG EBX, EAX
0x8647e4cb 8a00                             MOV AL, [EAX]
0x8647e4cd 0000                             ADD [EAX], AL
0x8647e4cf 20c8                             AND AL, CL
0x8647e4d1 db12                             FIST DWORD [EDX]
0x8647e4d3 8726                             XCHG [ESI], ESP
0x8647e4d5 ad                               LODSD
0x8647e4d6 74e1                             JZ 0x8647e4b9
0x8647e4d8 06                               PUSH ES
0x8647e4d9 007000                           ADD [EAX+0x0], DH
0x8647e4dc 0000                             ADD [EAX], AL
0x8647e4de 0000                             ADD [EAX], AL
0x8647e4e0 e0e4                             LOOPNZ 0x8647e4c6
0x8647e4e2 47                               INC EDI
0x8647e4e3 86e0                             XCHG AL, AH
0x8647e4e5 e447                             IN AL, 0x47
0x8647e4e7 86e8                             XCHG AL, CH
0x8647e4e9 e447                             IN AL, 0x47
0x8647e4eb 86e8                             XCHG AL, CH
0x8647e4ed e447                             IN AL, 0x47
0x8647e4ef 8600                             XCHG [EAX], AL
0x8647e4f1 803b99                           CMP BYTE [EBX], 0x99
0x8647e4f4 00403b                           ADD [EAX+0x3b], AL
0x8647e4f7 99                               CDQ
0x8647e4f8 00b0fd7f0000                     ADD [EAX+0x7ffd], DH
0x8647e4fe 0000                             ADD [EAX], AL
0x8647e500 60                               PUSHA
0x8647e501 793b                             JNS 0x8647e53e


>>> dis(0x8647e53e)
0x8647e53e 3e869ec7130008                   XCHG [ESI+0x80013c7], BL
0x8647e545 1000                             ADC [EAX], AL
0x8647e547 0410                             ADD AL, 0x10
0x8647e549 b268                             MOV DL, 0x68
0x8647e54b 8a10                             MOV DL, [EAX]
0x8647e54d b268                             MOV DL, 0x68
0x8647e54f 8ad8                             MOV BL, AL


So I looked around and found that at offset 0x80013000 there is an executable file:

>>> db(0x80013000, length=512)
0x80013000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x80013010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x80013020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x80013030  00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00   ................
0x80013040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68   ........!..L.!Th
0x80013050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f   is.program.canno
0x80013060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20   t.be.run.in.DOS.
0x80013070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00   mode....$.......
0x80013080  5d ed 0b 95 19 8c 65 c6 19 8c 65 c6 19 8c 65 c6   ].....e...e...e.
0x80013090  19 8c 64 c6 30 8c 65 c6 da 83 38 c6 1e 8c 65 c6   ..d.0.e...8...e.
0x800130a0  da 83 6a c6 1b 8c 65 c6 da 83 3b c6 18 8c 65 c6   ..j...e...;...e.
0x800130b0  da 83 3a c6 1c 8c 65 c6 da 83 3f c6 18 8c 65 c6   ..:...e...?...e.
0x800130c0  52 69 63 68 19 8c 65 c6 00 00 00 00 00 00 00 00   Rich..e.........
0x800130d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x800130e0  50 45 00 00 4c 01 07 00 b4 52 02 48 00 00 00 00   PE..L....R.H....
0x800130f0  00 00 00 00 e0 00 0e 01 0b 01 07 0a 00 1d 00 00   ................
0x80013100  00 08 00 00 00 00 00 00 d3 1c 00 00 00 03 00 00   ................
0x80013110  00 0e 00 00 00 30 01 80 80 00 00 00 80 00 00 00   .....0..........
0x80013120  05 00 01 00 05 00 01 00 01 00 0a 00 00 00 00 00   ................
0x80013130  00 28 00 00 00 03 00 00 e6 f1 00 00 01 00 00 24   .(.............$
0x80013140  00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00   ................
0x80013150  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00   ................
0x80013160  1c 1d 00 00 50 00 00 00 00 22 00 00 f8 03 00 00   ....P...."......
0x80013170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x80013180  00 26 00 00 1c 01 00 00 b0 0e 00 00 1c 00 00 00   .&..............
0x80013190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x800131a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x800131b0  00 00 00 00 00 00 00 00 00 0e 00 00 ac 00 00 00   ................
0x800131c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x800131d0  00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00   .........text...
0x800131e0  84 0a 00 00 00 03 00 00 00 0b 00 00 00 03 00 00   ................
0x800131f0  00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68   ...............h

This one, however, seems to be the battc.sys driver (how can I dump it using the offset 0x80013000?):

0x80015180  7a 65 44 65 76 69 63 65 00 00 42 41 54 54 43 2e   zeDevice..BATTC.
0x80015190  53 59 53 00 46 ec 25 ff 00 3d 00 00 74 03 e9 03   SYS.F.%..=..t...


I also tried to look around the offset 0x8647e4e0 for some strings:

0x864716a0  00 00 00 00 00 00 00 00 00 00 00 00 43 3a 5c 50   ............C:\P
0x864716b0  72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 57 61 76   rogram.Files\Wav
0x864716c0  65 20 53 79 73 74 65 6d 73 20 43 6f 72 70 5c 53   e.Systems.Corp\S
0x864716d0  65 72 76 69 63 65 73 20 4d 61 6e 61 67 65 72 5c   ervices.Manager\
0x864716e0  44 6f 63 4d 67 72 5c 62 69 6e 5c 64 6f 63 6d 67   DocMgr\bin\docmg
0x864716f0  72 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00   r.exe...........

google: DocMgr from Wave Systems Corp.


0x86471890  00 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 73   ....C:\WINDOWS\s
0x864718a0  74 73 79 73 74 72 61 2e 65 78 65 00 00 00 00 00   tsystra.exe.....

google: Sigmatel Audio system tray application

0x86474ce0  00 00 00 00 00 00 00 00 00 f0 c1 9c 53 62 54 72   ............SbTr
0x86474cf0  61 79 4d 61 6e 61 67 65 72 2e 65 00 00 00 00 00   ayManager.e.....

google: known as the Safe Boot Tray Manager software

0x8647db30  0d 00 04 0a 56 69 47 63 65 00 78 00 70 00 6c 00   ....ViGce.x.p.l.
0x8647db40  6f 00 72 00 65 00 72 00 2e 00 65 00 78 00 65 00   o.r.e.r...e.x.e.

Could it be that the unknown timer was registered by battc.sys?

If anybody can push me in the right direction, I'll be more than thankful.

Thank you

Jaro
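One way to test the battc.sys hypothesis from the data already in the post, as an added example (this is not Volatility's code, nor the poster's): parse the PE header transcribed from the db(0x80013000) dump, derive the driver's in-memory range from ImageBase and SizeOfImage, and check whether the DPC routine 0x8647e4e0 lies inside it. The same resolver is what the timers plugin's Module column does when it prints UNKNOWN. A second check flags the oddity that, in both UNKNOWN rows, the low dword of DueTime equals the timer's own offset plus 0x18 (the _KTIMER TimerListEntry field on x86), a pointer into the object itself rather than a timestamp. The constant 0x18 and the module list are assumptions stated in the code.

```python
"""Sanity checks for an UNKNOWN DPC routine in Volatility timers output.

Added example, not Volatility code. The header bytes are transcribed
from the db(0x80013000, length=512) dump in the post; bytes that the dump
shows as zero, or that fall outside the copied range, are zero-filled.
"""
import struct

# IMAGE_NT_HEADERS as dumped at 0x800130e0 .. 0x8001313f (image offset 0xe0).
_NT_HEADERS_AT_0XE0 = bytes.fromhex(
    "50450000 4c010700 b4520248 00000000"  # PE\0\0, Machine, NumberOfSections, TimeDateStamp, SymTab
    "00000000 e0000e01 0b01070a 001d0000"  # NumSymbols, SizeOfOptHdr|Characteristics, Magic|linker, SizeOfCode
    "00080000 00000000 d31c0000 00030000"  # SizeOfInitData, SizeOfUninitData, EntryPoint, BaseOfCode
    "000e0000 00300180 80000000 80000000"  # BaseOfData, ImageBase, SectionAlignment, FileAlignment
    "05000100 05000100 01000a00 00000000"  # OS/Image/Subsystem versions, Win32VersionValue
    "00280000 00030000 e6f10000 01000024"  # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem|DllChars
)

# x86 _KTIMER: DueTime at 0x10, TimerListEntry at 0x18 (assumed XP layout).
KTIMER_TIMERLISTENTRY_OFFSET = 0x18


def constructed_battc_header() -> bytes:
    """Rebuild the first 0x140 bytes of the image as seen in the dump."""
    buf = bytearray(0x140)
    buf[0:2] = b"MZ"                                # 4d 5a at 0x80013000
    struct.pack_into("<I", buf, 0x3C, 0xE0)         # e_lfanew = e0 00 00 00 at 0x8001303c
    buf[0xE0:0x140] = _NT_HEADERS_AT_0XE0
    return bytes(buf)


def parse_pe_header(buf: bytes) -> dict:
    """Extract the fields needed to locate and dump a PE32 image in memory."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, timestamp = struct.unpack_from("<HHI", buf, e_lfanew + 4)
    opt = e_lfanew + 24                             # optional header follows the 20-byte file header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_point = struct.unpack_from("<I", buf, opt + 16)[0]
    image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt + 56)
    return {
        "machine": machine,
        "number_of_sections": nsections,
        "timestamp": timestamp,
        "entry_point": entry_point,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "size_of_headers": size_of_headers,
    }


def module_range(info: dict) -> tuple:
    """Half-open virtual address range [ImageBase, ImageBase + SizeOfImage)."""
    return info["image_base"], info["image_base"] + info["size_of_image"]


def resolve_routine(addr: int, modules: list) -> str:
    """Name of the (name, base, size) module containing addr, else UNKNOWN.

    This mirrors how the timers plugin labels the Module column.
    """
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return "UNKNOWN"


def duetime_looks_like_self_pointer(timer_offset: int, duetime_low: int) -> bool:
    """True when DueTime's low dword is the address of the timer's own list entry.

    A real DueTime is a 100ns timestamp, not a pointer back into the object,
    so this pattern suggests a stale or misparsed _KTIMER rather than a live one.
    """
    return duetime_low == timer_offset + KTIMER_TIMERLISTENTRY_OFFSET


if __name__ == "__main__":
    info = parse_pe_header(constructed_battc_header())
    base, end = module_range(info)
    modules = [("battc.sys", base, info["size_of_image"])]   # assumed name, from the BATTC.SYS string
    print("battc.sys spans 0x%08x-0x%08x, dump 0x%x bytes from base" % (base, end, info["size_of_image"]))
    print("0x8647e4e0 resolves to:", resolve_routine(0x8647E4E0, modules))
    for off, due_low in ((0x863EAD10, 0x863EAD28), (0x85E451E8, 0x85E45200)):
        print("timer 0x%08x DueTime self-pointer: %s" % (off, duetime_looks_like_self_pointer(off, due_low)))
```

Running this shows that the routine address is far outside the driver's 0x2800-byte image, so the UNKNOWN label is consistent with the header rather than a missing symbol, and that both UNKNOWN rows carry the self-pointer pattern in DueTime. For the dump question, Volatility 2's moddump plugin accepts the base address directly (`-b`/`--base 0x80013000` with `-D` for the output directory); SizeOfImage tells you how much memory that dump should cover.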
