[Vol-users] DPC procedure localization

Matthieu Suiche msuiche at gmail.com
Mon Jun 3 08:53:55 CDT 2013


Look at the RSDS section to read the pdb name.

http://www.msuiche.net/2008/07/28/check-your-system-virginity-in-less-than-60-seconds/
Matthieu Suiche


On Mon, Jun 3, 2013 at 6:15 AM, BRTAN Jaroslav
<Jaroslav.BRTAN at firstdata.sk> wrote:
> Hi all,
>
> I’d like to ask you for your help with analysis. The timers module shows
> that there is a strange DPC at 0x8647e4e0.
>
> Timers module output:
>
> Offset(V)  DueTime                  Period(ms) Signaled   Routine    Module
> ---------- ------------------------ ---------- ---------- ---------- ------
> 0x873097d0 0x0000002f:0x2db9d0c3             0 -          0xa7386d8e arp1394.sys
> 0x85b9a2c8 0x8000002d:0x6d7d7c8e             0 -          0x80538a98 ntoskrnl.exe
> 0x8a332b20 0x0000002f:0x2ea5d991             0 -          0xb9ddef1a NDIS.sys
> 0x863ead10 0x00010014:0x863ead28    -205...072 Yes        0x8647e4e0 UNKNOWN
> 0x85e451e8 0x00010014:0x85e45200    -205...072 Yes        0x8647e4e0 UNKNOWN
>
> I am not able to identify where this procedure belongs. I’ve been
> searching through the Volatility documentation project for a hint, but with no
> luck so far.
>
> Volshell shows me this:
>
>>>> dis(0x8647e4e0, length=32)
> 0x8647e4e0 e0e4                             LOOPNZ 0x8647e4c6
> 0x8647e4e2 47                               INC EDI
> 0x8647e4e3 86e0                             XCHG AL, AH
> 0x8647e4e5 e447                             IN AL, 0x47
> 0x8647e4e7 86e8                             XCHG AL, CH
> 0x8647e4e9 e447                             IN AL, 0x47
> 0x8647e4eb 86e8                             XCHG AL, CH
> 0x8647e4ed e447                             IN AL, 0x47
> 0x8647e4ef 8600                             XCHG [EAX], AL
> 0x8647e4f1 803b99                           CMP BYTE [EBX], 0x99
> 0x8647e4f4 00403b                           ADD [EAX+0x3b], AL
> 0x8647e4f7 99                               CDQ
> 0x8647e4f8 00b0fd7f0000                     ADD [EAX+0x7ffd], DH
> 0x8647e4fe 0000                             ADD [EAX], AL
> ...
> ...
> 0x8647e4c6 0000                             ADD [EAX], AL
> 0x8647e4c8 d00a                             ROR BYTE [EDX], 0x1
> 0x8647e4ca 93                               XCHG EBX, EAX
> 0x8647e4cb 8a00                             MOV AL, [EAX]
> 0x8647e4cd 0000                             ADD [EAX], AL
> 0x8647e4cf 20c8                             AND AL, CL
> 0x8647e4d1 db12                             FIST DWORD [EDX]
> 0x8647e4d3 8726                             XCHG [ESI], ESP
> 0x8647e4d5 ad                               LODSD
> 0x8647e4d6 74e1                             JZ 0x8647e4b9
> 0x8647e4d8 06                               PUSH ES
> 0x8647e4d9 007000                           ADD [EAX+0x0], DH
> 0x8647e4dc 0000                             ADD [EAX], AL
> 0x8647e4de 0000                             ADD [EAX], AL
> 0x8647e4e0 e0e4                             LOOPNZ 0x8647e4c6
> 0x8647e4e2 47                               INC EDI
> 0x8647e4e3 86e0                             XCHG AL, AH
> 0x8647e4e5 e447                             IN AL, 0x47
> 0x8647e4e7 86e8                             XCHG AL, CH
> 0x8647e4e9 e447                             IN AL, 0x47
> 0x8647e4eb 86e8                             XCHG AL, CH
> 0x8647e4ed e447                             IN AL, 0x47
> 0x8647e4ef 8600                             XCHG [EAX], AL
> 0x8647e4f1 803b99                           CMP BYTE [EBX], 0x99
> 0x8647e4f4 00403b                           ADD [EAX+0x3b], AL
> 0x8647e4f7 99                               CDQ
> 0x8647e4f8 00b0fd7f0000                     ADD [EAX+0x7ffd], DH
> 0x8647e4fe 0000                             ADD [EAX], AL
> 0x8647e500 60                               PUSHA
> 0x8647e501 793b                             JNS 0x8647e53e
>
>>>> dis(0x8647e53e)
> 0x8647e53e 3e869ec7130008                   XCHG [ESI+0x80013c7], BL
> 0x8647e545 1000                             ADC [EAX], AL
> 0x8647e547 0410                             ADD AL, 0x10
> 0x8647e549 b268                             MOV DL, 0x68
> 0x8647e54b 8a10                             MOV DL, [EAX]
> 0x8647e54d b268                             MOV DL, 0x68
> 0x8647e54f 8ad8                             MOV BL, AL
>
> So I looked around and found that at offset 0x80013000 there is an executable file
>
>>>> db(0x80013000, length=512)
> 0x80013000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
> 0x80013010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
> 0x80013020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x80013030  00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00  ................
> 0x80013040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
> 0x80013050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is.program.canno
> 0x80013060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t.be.run.in.DOS.
> 0x80013070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......
> 0x80013080  5d ed 0b 95 19 8c 65 c6 19 8c 65 c6 19 8c 65 c6  ].....e...e...e.
> 0x80013090  19 8c 64 c6 30 8c 65 c6 da 83 38 c6 1e 8c 65 c6  ..d.0.e...8...e.
> 0x800130a0  da 83 6a c6 1b 8c 65 c6 da 83 3b c6 18 8c 65 c6  ..j...e...;...e.
> 0x800130b0  da 83 3a c6 1c 8c 65 c6 da 83 3f c6 18 8c 65 c6  ..:...e...?...e.
> 0x800130c0  52 69 63 68 19 8c 65 c6 00 00 00 00 00 00 00 00  Rich..e.........
> 0x800130d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x800130e0  50 45 00 00 4c 01 07 00 b4 52 02 48 00 00 00 00  PE..L....R.H....
> 0x800130f0  00 00 00 00 e0 00 0e 01 0b 01 07 0a 00 1d 00 00  ................
> 0x80013100  00 08 00 00 00 00 00 00 d3 1c 00 00 00 03 00 00  ................
> 0x80013110  00 0e 00 00 00 30 01 80 80 00 00 00 80 00 00 00  .....0..........
> 0x80013120  05 00 01 00 05 00 01 00 01 00 0a 00 00 00 00 00  ................
> 0x80013130  00 28 00 00 00 03 00 00 e6 f1 00 00 01 00 00 24  .(.............$
> 0x80013140  00 00 04 00 00 10 00 00 00 00 10 00 00 10 00 00  ................
> 0x80013150  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x80013160  1c 1d 00 00 50 00 00 00 00 22 00 00 f8 03 00 00  ....P...."......
> 0x80013170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x80013180  00 26 00 00 1c 01 00 00 b0 0e 00 00 1c 00 00 00  .&..............
> 0x80013190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x800131a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x800131b0  00 00 00 00 00 00 00 00 00 0e 00 00 ac 00 00 00  ................
> 0x800131c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 0x800131d0  00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00  .........text...
> 0x800131e0  84 0a 00 00 00 03 00 00 00 0b 00 00 00 03 00 00  ................
> 0x800131f0  00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68  ...............h
>
> but this one seems to be the battc.sys driver (how can I dump this using the
> offset 0x80013000?)
>
> 0x80015180  7a 65 44 65 76 69 63 65 00 00 42 41 54 54 43 2e  zeDevice..BATTC.
> 0x80015190  53 59 53 00 46 ec 25 ff 00 3d 00 00 74 03 e9 03  SYS.F.%..=..t...
>
> I also tried to look around the offset 0x8647e4e0 for some strings
>
> 0x864716a0  00 00 00 00 00 00 00 00 00 00 00 00 43 3a 5c 50  ............C:\P
> 0x864716b0  72 6f 67 72 61 6d 20 46 69 6c 65 73 5c 57 61 76  rogram.Files\Wav
> 0x864716c0  65 20 53 79 73 74 65 6d 73 20 43 6f 72 70 5c 53  e.Systems.Corp\S
> 0x864716d0  65 72 76 69 63 65 73 20 4d 61 6e 61 67 65 72 5c  ervices.Manager\
> 0x864716e0  44 6f 63 4d 67 72 5c 62 69 6e 5c 64 6f 63 6d 67  DocMgr\bin\docmg
> 0x864716f0  72 2e 65 78 65 00 00 00 00 00 00 00 00 00 00 00  r.exe...........
>
> google: DocMgr from Wave Systems Corp.
>
> 0x86471890  00 00 00 00 43 3a 5c 57 49 4e 44 4f 57 53 5c 73  ....C:\WINDOWS\s
> 0x864718a0  74 73 79 73 74 72 61 2e 65 78 65 00 00 00 00 00  tsystra.exe.....
>
> google: Sigmatel Audio system tray application
>
> 0x86474ce0  00 00 00 00 00 00 00 00 00 f0 c1 9c 53 62 54 72  ............SbTr
> 0x86474cf0  61 79 4d 61 6e 61 67 65 72 2e 65 00 00 00 00 00  ayManager.e.....
>
> google: known as the Safe Boot Tray Manager software
>
> 0x8647db30  0d 00 04 0a 56 69 47 63 65 00 78 00 70 00 6c 00  ....ViGce.x.p.l.
> 0x8647db40  6f 00 72 00 65 00 72 00 2e 00 65 00 78 00 65 00  o.r.e.r...e.x.e.
>
> Could it be that the unknown timer was registered by the battc.sys?
>
> If anybody can push me in the right direction, I’ll be more than thankful.
>
> Thank you
>
> Jaro
>
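The two checks behind the reply above, as an added example (this is not code from the thread and not Volatility's own): parse a PE image that is already mapped at its load base, walk the optional header's debug data directory to the CodeView RSDS record and read the PDB path out of it, and test whether a routine address lies inside a module's [ImageBase, ImageBase + SizeOfImage) range, which is the kind of range test that fills the Module column with a driver name or UNKNOWN. In the db() dump quoted above the optional header's ImageBase field reads 00 30 01 80 (0x80013000), SizeOfImage reads 00 28 00 00 (0x2800), and the debug directory entry at 0x80013188 reads b0 0e 00 00 1c 00 00 00 (RVA 0xeb0, size 0x1c, one IMAGE_DEBUG_DIRECTORY), so the BATTC.SYS string at 0x80015180 falls inside that image while 0x8647e4e0 does not. The image bytes in the block are constructed in build_test_image() and are not battc.sys; against a real memory image the buffer would be read from the image at the base address (for example with volshell's db()/read helpers) and handed to parse_image().

```python
"""Added example (not from the thread and not Volatility's own code): read the
RSDS CodeView record of a PE that is mapped in memory at its load base, and
check which module range, if any, contains a given routine address."""
import struct

IMAGE_DIRECTORY_ENTRY_DEBUG = 6   # index into the optional header's data directories
IMAGE_DEBUG_TYPE_CODEVIEW = 2     # IMAGE_DEBUG_DIRECTORY.Type for CodeView (RSDS)
DEBUG_DIRECTORY_SIZE = 28         # sizeof(IMAGE_DEBUG_DIRECTORY)


def parse_image(buf):
    """Parse a section-aligned (in-memory) PE32 image held in buf, where buf[0]
    is the byte at ImageBase; return ImageBase, SizeOfImage and the RSDS PDB path."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20           # optional header follows the 20-byte file header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    info = {
        "image_base": struct.unpack_from("<I", buf, opt + 28)[0],
        "size_of_image": struct.unpack_from("<I", buf, opt + 56)[0],
        "pdb": None,
    }
    num_dirs = struct.unpack_from("<I", buf, opt + 92)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_DEBUG:
        return info                   # image carries no debug directory
    dbg_rva, dbg_size = struct.unpack_from(
        "<II", buf, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG)
    for off in range(dbg_rva, dbg_rva + dbg_size, DEBUG_DIRECTORY_SIZE):
        # Characteristics, TimeDateStamp, MajorVersion, MinorVersion, Type,
        # SizeOfData, AddressOfRawData (RVA), PointerToRawData (file offset)
        fields = struct.unpack_from("<IIHHIIII", buf, off)
        dtype, cv = fields[4], fields[6]
        # In a mapped image the RVA indexes the buffer directly; for an on-disk
        # file you would use PointerToRawData (fields[7]) instead.
        if dtype != IMAGE_DEBUG_TYPE_CODEVIEW or buf[cv:cv + 4] != b"RSDS":
            continue
        info["guid"] = buf[cv + 4:cv + 20].hex()
        info["age"] = struct.unpack_from("<I", buf, cv + 20)[0]
        end = buf.index(b"\0", cv + 24)
        info["pdb"] = buf[cv + 24:end].decode("ascii", "replace")
    return info


def owning_module(addr, modules):
    """modules is a list of (name, base, size); return the name of the module
    whose [base, base + size) range contains addr, or None (the UNKNOWN case)."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def build_test_image():
    """Constructed minimal PE32 image (not a real driver) with one RSDS record,
    laid out the way the loader maps it, so RVAs are buffer offsets."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x010E)  # file header
    opt = 0x84 + 20
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<I", img, opt + 28, 0x80013000)          # ImageBase (constructed)
    struct.pack_into("<I", img, opt + 56, len(img))            # SizeOfImage
    struct.pack_into("<I", img, opt + 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, 0x200, 28)
    cv = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"c:\\example\\driver.pdb\0"
    struct.pack_into("<IIHHIIII", img, 0x200, 0, 0, 0, 0,
                     IMAGE_DEBUG_TYPE_CODEVIEW, len(cv), 0x220, 0x220)
    img[0x220:0x220 + len(cv)] = cv
    return bytes(img)


if __name__ == "__main__":
    info = parse_image(build_test_image())
    print(info)
    mods = [("driver.sys (constructed)", info["image_base"], info["size_of_image"])]
    for addr in (0x80013180, 0x8647e4e0):
        print(hex(addr), owning_module(addr, mods) or "UNKNOWN")
```

A routine address that no module range owns is the point of the question: a DPC or timer routine that resolves to UNKNOWN sits in memory that is not a loaded driver image, so the PDB name of a nearby image (here, the one at 0x80013000) tells you what that image is but not what owns 0x8647e4e0.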

