
static analysis of memory dumps to find capabilities

Open williballenthin opened this issue 1 year ago • 10 comments

It would be useful to run capa against memory snapshots, such as those derived from sandbox executions, to identify capabilities of unpacked software.

There might be some subtlety and/or challenges around restricting the feature extraction to the "interesting" regions of memory, like the target image and dynamically allocated regions, skipping libraries. Also, there are potentially many memory image formats to handle. And, we'd need to find/implement solid code analysis in these memory images which might take some work. Do we re-add SMDA as a backend?

This is potentially related to #1649 in that TTD may provide memory snapshots from specific points within a trace to this feature extractor backend.

williballenthin, Jul 19 '23 09:07

minidump resources

focused on minidumps in this comment because it's a common format with lots of tool support, so probably a good place to start. there are other memory image formats, too.

SMDA doesn't have a minidump loader. the memory dump loader looks like it loads a flat memory dump at a given start address?

https://github.com/danielplohmann/smda/tree/master/smda/utility

vivisect has a vtype definition for minidump here: https://github.com/vivisect/vivisect/blob/379287a643496f12a734f2b2c9e36a0c6507853c/vstruct/defs/minidump.py#L559

though tbh, i'd sort of like to reduce our dependencies on vivisect if possible.

Fox-IT dissect doesn't have any memory image formats: https://docs.dissect.tools/en/latest/index.html

but we could use cstruct to build one, perhaps derived from the structures in viv or similar. (note that a bunch of the parsers in dissect are AGPL (!) but fortunately not cstruct or util).

kaitai structure definitions for minidump: http://formats.kaitai.io/windows_minidump/

libyal research: https://github.com/libyal/libmdmp/blob/main/documentation/Minidump%20(MDMP)%20format.asciidoc

rust-minidump format parser: https://github.com/rust-minidump/rust-minidump/blob/87a29fba5e19cfae5ebf73a57ba31504a3872545/minidump-common/src/format.rs#L1

miasm parser: https://github.com/cea-sec/miasm/blob/2b8366aaa88679609ae56e738ebf9e2f47aa53fc/miasm/loader/minidump.py#L68

7fe6809b3e9c8202777acbbfeec792417633b987ab70dd9e86989c5cc2f2fbf0 (VT) looks like a nice 192KB MDMP containing a metasploit payload that we can use for reference.

https://www.virustotal.com/gui/file/6e3f6e02f455112317305331d63c698d1a1d3714e00e8a72f23323400cd9ab69/content "full" minidump for "C:\Users\00103701\Downloads\a.exe"

williballenthin, Jul 19 '23 10:07

minidump feature extractor

To extract features from a minidump file, we'll first have to identify functions, basic blocks, instructions (and if possible, files via loaded modules). We'll have to pick an analysis engine, like vivisect, lancelot, etc. to load the minidump and find code. Then we can use it to enumerate those items and extract features; this part is pretty well understood and could be re-used from existing extractors.

The harder part is building the loader and code analyzer. From the minidump we can expect (usually? sometimes?) a list of memory regions, their permissions, a list of threads and their program counters, and maybe some metadata about loaded modules. From this, we can reconstruct an address space and do some code discovery using known entrypoints, like thread program counters, return addresses, module entrypoints and exports, etc. This sort of code analysis is non-negligible; ideally we can rely on existing systems. Like, perhaps we can map the regions into a viv/lancelot workspace and then mark a few locations as known code and rely on their control flow reconstruction to work well enough.

I suppose IDA has support for minidumps already, so we could use this to prove out the idea of extracting features from minidumps. Then, as we implement a headless feature extractor with viv/lancelot/etc., we can compare the results with what IDA gives.

My guess is that this will be reasonable to get a PoC going and challenging to nail down all the edge cases. But, maybe it's good enough for capa?

williballenthin, Jul 19 '23 11:07
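As an added illustration of the loader sketched in the comment above (example code, not capa's and not from the issue), the following parses the three MDMP streams the layout dump further down shows (ThreadListStream 3, ModuleListStream 4, MemoryListStream 5), rebuilds an address space from the captured ranges, and collects the "known code" seeds named above: thread program counters (read from the CONTEXT record, whose size identifies the architecture) and PE entry points of modules whose header page was captured. The minidump it parses is constructed inline, so the thread id, module name and addresses are made up; the struct layouts and the x86/x64 CONTEXT offsets are the documented Windows ones.

```python
import struct
from dataclasses import dataclass

MDMP_SIGNATURE = 0x504D444D                    # b"MDMP" read as a little-endian u32
THREAD_LIST, MODULE_LIST, MEMORY_LIST = 3, 4, 5   # the stream types handled here
PC_BY_CONTEXT_SIZE = {716: ("<I", 184), 1232: ("<Q", 248)}   # x86 CONTEXT.Eip, x64 CONTEXT.Rip


@dataclass
class Minidump:
    threads: list   # [(thread_id, pc or None)]
    modules: list   # [(base, size_of_image, name)]
    regions: list   # [(start_va, bytes)] memory captured in the dump

    def read(self, va, n):
        """Return n bytes at virtual address va, or None if the dump did not capture them."""
        for start, data in self.regions:
            if start <= va and va + n <= start + len(data):
                return data[va - start:va - start + n]
        return None

    def code_seeds(self):
        """Known-code addresses to hand to an analysis engine: thread PCs and PE entry points."""
        seeds = {pc for _, pc in self.threads if pc is not None}
        for base, _, _ in self.modules:
            dos = self.read(base, 0x40)
            if dos is None or dos[:2] != b"MZ":     # image header not captured (or not a PE)
                continue
            pe = base + struct.unpack_from("<I", dos, 0x3C)[0]          # e_lfanew
            hdr = self.read(pe, 0x2C)
            if hdr is not None and hdr[:4] == b"PE\0\0":
                seeds.add(base + struct.unpack_from("<I", hdr, 0x28)[0])  # AddressOfEntryPoint
        return sorted(seeds)


def parse_minidump(buf):
    sig, nstreams, dir_rva = struct.unpack_from("<I4xII", buf, 0)      # MINIDUMP_HEADER
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump")
    streams = {}
    for i in range(nstreams):                       # MINIDUMP_DIRECTORY[]: type, size, rva
        stype, _, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        if stype:                                   # type 0 is an unused directory slot
            streams[stype] = rva

    def mdmp_string(rva):                           # MINIDUMP_STRING: u32 byte length + UTF-16LE
        n = struct.unpack_from("<I", buf, rva)[0]
        return buf[rva + 4:rva + 4 + n].decode("utf-16-le")

    regions = []
    if MEMORY_LIST in streams:
        rva = streams[MEMORY_LIST]
        for i in range(struct.unpack_from("<I", buf, rva)[0]):       # MINIDUMP_MEMORY_DESCRIPTOR[]
            start, size, data_rva = struct.unpack_from("<QII", buf, rva + 4 + 16 * i)
            regions.append((start, buf[data_rva:data_rva + size]))

    threads = []
    if THREAD_LIST in streams:
        rva = streams[THREAD_LIST]
        for i in range(struct.unpack_from("<I", buf, rva)[0]):       # MINIDUMP_THREAD[] (48 bytes each)
            tid, *_, ctx_size, ctx_rva = struct.unpack_from("<IIIIQQIIII", buf, rva + 4 + 48 * i)
            pc_fmt = PC_BY_CONTEXT_SIZE.get(ctx_size)
            pc = struct.unpack_from(pc_fmt[0], buf, ctx_rva + pc_fmt[1])[0] if pc_fmt else None
            threads.append((tid, pc))

    modules = []
    if MODULE_LIST in streams:
        rva = streams[MODULE_LIST]
        for i in range(struct.unpack_from("<I", buf, rva)[0]):       # MINIDUMP_MODULE[] (108 bytes each)
            base, size, _, _, name_rva = struct.unpack_from("<QIIII", buf, rva + 4 + 108 * i)
            modules.append((base, size, mdmp_string(name_rva)))
    return Minidump(threads, modules, regions)


def build_sample_dump():
    """Constructed x86 minidump (not a real capture): one thread whose Eip is the entry point
    of a.exe at 0x400000; only the PE header page and the code page are captured."""
    base, entry = 0x400000, 0x401000
    image = bytearray(0x40 + 4 + 20 + 224)            # DOS header + PE32 headers, zero-filled
    image[:2], image[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", image, 0x3C, 0x40)         # e_lfanew
    struct.pack_into("<I", image, 0x40 + 0x28, entry - base)   # AddressOfEntryPoint (RVA)
    code = b"\x55\x8b\xec\xc3"                        # push ebp; mov ebp, esp; ret
    ctx = bytearray(716)                              # x86 CONTEXT
    struct.pack_into("<I", ctx, 184, entry)           # CONTEXT.Eip
    name = "a.exe".encode("utf-16-le")
    body = bytearray(32 + 3 * 12)                     # header + 3 directory entries, filled in below
    def place(blob):
        body.extend(blob)
        return len(body) - len(blob)
    img_rva, code_rva, ctx_rva = place(image), place(code), place(ctx)
    name_rva = place(struct.pack("<I", len(name)) + name + b"\0\0")
    mem = struct.pack("<IQIIQII", 2, base, len(image), img_rva, entry, len(code), code_rva)
    thr = struct.pack("<IIIIIQQIIII", 1, 0x1234, 0, 0x20, 0, 0x251000, 0x19F000, 0, 0, len(ctx), ctx_rva)
    mod = struct.pack("<IQIIII", 1, base, 0x16000, 0, 0, name_rva) + bytes(84)   # VersionInfo etc. zeroed
    for i, (stype, blob) in enumerate([(THREAD_LIST, thr), (MODULE_LIST, mod), (MEMORY_LIST, mem)]):
        struct.pack_into("<III", body, 32 + 12 * i, stype, len(blob), place(blob))
    struct.pack_into("<IIIIIIQ", body, 0, MDMP_SIGNATURE, 0xA793, 3, 32, 0, 0, 0)
    return bytes(body)
```

Regions the dump did not capture come back as None from `read`, which is the case the loader has to tolerate: a module listed in the module stream whose pages are absent contributes no entry point, and only the thread PC remains as a seed.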

script for showing the layout of a minidump file, using vivisect vstruct (but pending bug: https://github.com/vivisect/vivisect/pull/625 and https://github.com/vivisect/vivisect/pull/626)

https://github.com/mandiant/capa/blob/willi/mdmp/scripts/show-mdmp.py

❯ python scripts/show-mdmp.py tests/data/7fe6809b3e9c8202777acbbfeec792417633b987ab70dd9e86989c5cc2f2fbf0.mdmp_
INFO:vstruct.defs.minidump:Unknown stream type of 21
INFO:vstruct.defs.minidump:Unknown stream type of 22
00000000 (176) MiniDumpHeader: MiniDumpHeader
00000000 (04)   Signature: 0x504d444d (1347241037)
00000004 (04)   Version: 0xa061a793 (2690754451)
00000008 (04)   NumberOfStreams: 0x0000000c (12)
0000000c (04)   StreamDirectoryRVA: 0x00000020 (32)
00000010 (04)   Checksum: 0x00000000 (0)
00000014 (04)   Resv_TimeDateStamp: 0x63c93d30 (1674132784)
00000018 (08)   Flags: 0x00000121 (289)
00000020 (144)   Directory: VArray
00000020 (12)     0: MiniDumpDirectory
00000020 (04)       StreamType: 0x00000003 (3)
00000024 (08)       Location: MiniDumpLocationDescriptor
00000024 (04)         DataSize: 0x00000094 (148)
00000028 (04)         RVA: 0x000006e4 (1764)
0000002c (12)     1: MiniDumpDirectory
0000002c (04)       StreamType: 0x00000004 (4)
00000030 (08)       Location: MiniDumpLocationDescriptor
00000030 (04)         DataSize: 0x00000514 (1300)
00000034 (04)         RVA: 0x00000784 (1924)
00000038 (12)     2: MiniDumpDirectory
00000038 (04)       StreamType: 0x00000005 (5)
0000003c (08)       Location: MiniDumpLocationDescriptor
0000003c (04)         DataSize: 0x00000244 (580)
00000040 (04)         RVA: 0x00001f18 (7960)
00000044 (12)     3: MiniDumpDirectory
00000044 (04)       StreamType: 0x00000006 (6)
00000048 (08)       Location: MiniDumpLocationDescriptor
00000048 (04)         DataSize: 0x000000a8 (168)
0000004c (04)         RVA: 0x0000063c (1596)
00000050 (12)     4: MiniDumpDirectory
00000050 (04)       StreamType: 0x00000007 (7)
00000054 (08)       Location: MiniDumpLocationDescriptor
00000054 (04)         DataSize: 0x00000038 (56)
00000058 (04)         RVA: 0x000000b0 (176)
0000005c (12)     5: MiniDumpDirectory
0000005c (04)       StreamType: 0x0000000f (15)
00000060 (08)       Location: MiniDumpLocationDescriptor
00000060 (04)         DataSize: 0x00000554 (1364)
00000064 (04)         RVA: 0x000000e8 (232)
00000068 (12)     6: MiniDumpDirectory
00000068 (04)       StreamType: 0x00000015 (21)
0000006c (08)       Location: MiniDumpLocationDescriptor
0000006c (04)         DataSize: 0x000001ec (492)
00000070 (04)         RVA: 0x00000c98 (3224)
00000074 (12)     7: MiniDumpDirectory
00000074 (04)       StreamType: 0x00000016 (22)
00000078 (08)       Location: MiniDumpLocationDescriptor
00000078 (04)         DataSize: 0x00000098 (152)
0000007c (04)         RVA: 0x00000e84 (3716)
00000080 (12)     8: MiniDumpDirectory
00000080 (04)       StreamType: 0x00000000 (0)
00000084 (08)       Location: MiniDumpLocationDescriptor
00000084 (04)         DataSize: 0x00000000 (0)
00000088 (04)         RVA: 0x00000000 (0)
0000008c (12)     9: MiniDumpDirectory
0000008c (04)       StreamType: 0x00000000 (0)
00000090 (08)       Location: MiniDumpLocationDescriptor
00000090 (04)         DataSize: 0x00000000 (0)
00000094 (04)         RVA: 0x00000000 (0)
00000098 (12)     10: MiniDumpDirectory
00000098 (04)       StreamType: 0x00000000 (0)
0000009c (08)       Location: MiniDumpLocationDescriptor
0000009c (04)         DataSize: 0x00000000 (0)
000000a0 (04)         RVA: 0x00000000 (0)
000000a4 (12)     11: MiniDumpDirectory
000000a4 (04)       StreamType: 0x00000000 (0)
000000a8 (08)       Location: MiniDumpLocationDescriptor
000000a8 (04)         DataSize: 0x00000000 (0)
000000ac (04)         RVA: 0x00000000 (0)
00000000 (148) MiniDumpThreadListStream: MiniDumpThreadListStream
00000000 (04)   NumberOfThreads: 0x00000003 (3)
00000004 (144)   Threads: VArray
00000004 (48)     0: MiniDumpThread
00000004 (04)       ThreadId: 0x00003e74 (15988)
00000008 (04)       SuspendCount: 0x00000000 (0)
0000000c (04)       PriorityClass: 0x00000020 (32)
00000010 (04)       Priority: 0x00000000 (0)
00000014 (08)       Teb: 0x00251000 (2428928)
0000001c (16)       Stack: MiniDumpMemoryDescriptor
0000001c (08)         StartOfMemoryPage: 0x0019f8bc (1702076)
00000024 (08)         Memory: MiniDumpLocationDescriptor
00000024 (04)           DataSize: 0x00000744 (1860)
00000028 (04)           RVA: 0x0002f4f0 (193776)
0000002c (08)       ThreadContext: MiniDumpLocationDescriptor
0000002c (04)         DataSize: 0x000002cc (716)
00000030 (04)         RVA: 0x000014fe (5374)
00000034 (48)     1: MiniDumpThread
00000034 (04)       ThreadId: 0x000032f8 (13048)
00000038 (04)       SuspendCount: 0x00000001 (1)
0000003c (04)       PriorityClass: 0x00000020 (32)
00000040 (04)       Priority: 0x00000000 (0)
00000044 (08)       Teb: 0x00254000 (2441216)
0000004c (16)       Stack: MiniDumpMemoryDescriptor
0000004c (08)         StartOfMemoryPage: 0x0069fdb0 (6946224)
00000054 (08)         Memory: MiniDumpLocationDescriptor
00000054 (04)           DataSize: 0x00000250 (592)
00000058 (04)           RVA: 0x0002ec98 (191640)
0000005c (08)       ThreadContext: MiniDumpLocationDescriptor
0000005c (04)         DataSize: 0x000002cc (716)
00000060 (04)         RVA: 0x000017ca (6090)
00000064 (48)     2: MiniDumpThread
00000064 (04)       ThreadId: 0x0000398c (14732)
00000068 (04)       SuspendCount: 0x00000001 (1)
0000006c (04)       PriorityClass: 0x00000020 (32)
00000070 (04)       Priority: 0x00000000 (0)
00000074 (08)       Teb: 0x00257000 (2453504)
0000007c (16)       Stack: MiniDumpMemoryDescriptor
0000007c (08)         StartOfMemoryPage: 0x0092fdb0 (9633200)
00000084 (08)         Memory: MiniDumpLocationDescriptor
00000084 (04)           DataSize: 0x00000250 (592)
00000088 (04)           RVA: 0x00009a58 (39512)
0000008c (08)       ThreadContext: MiniDumpLocationDescriptor
0000008c (04)         DataSize: 0x000002cc (716)
00000090 (04)         RVA: 0x00001a96 (6806)
00000000 (1300) MiniDumpModuleListStream: MiniDumpModuleListStream
00000000 (04)   NumberOfModules: 0x0000000c (12)
00000004 (1296)   Modules: VArray
00000004 (108)     0: MiniDumpModule
00000004 (08)       BaseOfImage: 0x00400000 (4194304)
0000000c (04)       SizeOfImage: 0x00016000 (90112)
00000010 (04)       CheckSum: 0x00000000 (0)
00000014 (04)       TimeDateStamp: 0x4aa6154d (1252398413)
00000018 (04)       ModuleNameRva: 0x00000f22 (3874)
0000001c (52)       VersionInfo: VS_FixedFileInfo
0000001c (04)         Signature: 0xfeef04bd (4277077181)
00000020 (04)         StrucVersion: 0x00010000 (65536)
00000024 (04)         FileVersionMS: 0x00020002 (131074)
00000028 (04)         FileVersionLS: 0x000e0000 (917504)
0000002c (04)         ProductVersionMS: 0x00020002 (131074)
00000030 (04)         ProductVersionLS: 0x000e0000 (917504)
00000034 (04)         FileFlagsMask: 0x0000003f (63)
00000038 (04)         FileFlags: 0x00000000 (0)
0000003c (04)         FileOS: 0x00000004 (4)
00000040 (04)         FileType: 0x00000001 (1)
00000044 (04)         FileSubType: 0x00000000 (0)
00000048 (04)         FileDateMS: 0x00000000 (0)
0000004c (04)         FileDateLS: 0x00000000 (0)
00000050 (08)       CvRecord: MiniDumpLocationDescriptor
00000050 (04)         DataSize: 0x0000004a (74)
00000054 (04)         RVA: 0x00001d62 (7522)
00000058 (08)       MiscRecord: MiniDumpLocationDescriptor
00000058 (04)         DataSize: 0x00000000 (0)
0000005c (04)         RVA: 0x00000000 (0)
00000060 (08)       Reserved1: 0x00000000 (0)
00000068 (08)       Reserved2: 0x00000000 (0)
00000070 (108)     1: MiniDumpModule
00000070 (08)       BaseOfImage: 0x771e0000 (1998454784)
00000078 (04)       SizeOfImage: 0x001a4000 (1720320)
0000007c (04)       CheckSum: 0x001ac639 (1754681)
00000080 (04)       TimeDateStamp: 0xea5711f3 (3931574771)
00000084 (04)       ModuleNameRva: 0x00000f44 (3908)
00000088 (52)       VersionInfo: VS_FixedFileInfo
00000088 (04)         Signature: 0xfeef04bd (4277077181)
0000008c (04)         StrucVersion: 0x00010000 (65536)
00000090 (04)         FileVersionMS: 0x000a0000 (655360)
00000094 (04)         FileVersionLS: 0x4a61093c (1247873340)
00000098 (04)         ProductVersionMS: 0x000a0000 (655360)
0000009c (04)         ProductVersionLS: 0x4a61093c (1247873340)
000000a0 (04)         FileFlagsMask: 0x0000003f (63)
000000a4 (04)         FileFlags: 0x00000000 (0)
000000a8 (04)         FileOS: 0x00040004 (262148)
000000ac (04)         FileType: 0x00000002 (2)
000000b0 (04)         FileSubType: 0x00000000 (0)
000000b4 (04)         FileDateMS: 0x00000000 (0)
000000b8 (04)         FileDateLS: 0x00000000 (0)
000000bc (08)       CvRecord: MiniDumpLocationDescriptor
000000bc (04)         DataSize: 0x00000023 (35)
000000c0 (04)         RVA: 0x00001dac (7596)
000000c4 (08)       MiscRecord: MiniDumpLocationDescriptor
000000c4 (04)         DataSize: 0x00000000 (0)
000000c8 (04)         RVA: 0x00000000 (0)
000000cc (08)       Reserved1: 0x00004140 (16704)
000000d4 (08)       Reserved2: 0x00000000 (0)
000000dc (108)     2: MiniDumpModule
000000dc (08)       BaseOfImage: 0x75790000 (1970864128)
000000e4 (04)       SizeOfImage: 0x000f0000 (983040)
000000e8 (04)       CheckSum: 0x000a14e7 (660711)
000000ec (04)       TimeDateStamp: 0x4781ffee (1199701998)
000000f0 (04)       ModuleNameRva: 0x00000f84 (3972)
000000f4 (52)       VersionInfo: VS_FixedFileInfo
000000f4 (04)         Signature: 0xfeef04bd (4277077181)
000000f8 (04)         StrucVersion: 0x00010000 (65536)
000000fc (04)         FileVersionMS: 0x000a0000 (655360)
00000100 (04)         FileVersionLS: 0x4a61093c (1247873340)
00000104 (04)         ProductVersionMS: 0x000a0000 (655360)
00000108 (04)         ProductVersionLS: 0x4a61093c (1247873340)
0000010c (04)         FileFlagsMask: 0x0000003f (63)
00000110 (04)         FileFlags: 0x00000000 (0)
00000114 (04)         FileOS: 0x00040004 (262148)
00000118 (04)         FileType: 0x00000002 (2)
0000011c (04)         FileSubType: 0x00000000 (0)
00000120 (04)         FileDateMS: 0x00000000 (0)
00000124 (04)         FileDateLS: 0x00000000 (0)
00000128 (08)       CvRecord: MiniDumpLocationDescriptor
00000128 (04)         DataSize: 0x00000026 (38)
0000012c (04)         RVA: 0x00001dcf (7631)
00000130 (08)       MiscRecord: MiniDumpLocationDescriptor
00000130 (04)         DataSize: 0x00000000 (0)
00000134 (04)         RVA: 0x00000000 (0)
00000138 (08)       Reserved1: 0x00004140 (16704)
00000140 (08)       Reserved2: 0x00000000 (0)
00000148 (108)     3: MiniDumpModule
00000148 (08)       BaseOfImage: 0x76860000 (1988493312)
00000150 (04)       SizeOfImage: 0x0021c000 (2211840)
00000154 (04)       CheckSum: 0x0021e4ff (2221311)
00000158 (04)       TimeDateStamp: 0xca518c9d (3394342045)
0000015c (04)       ModuleNameRva: 0x00000fca (4042)
00000160 (52)       VersionInfo: VS_FixedFileInfo
00000160 (04)         Signature: 0xfeef04bd (4277077181)
00000164 (04)         StrucVersion: 0x00010000 (65536)
00000168 (04)         FileVersionMS: 0x000a0000 (655360)
0000016c (04)         FileVersionLS: 0x4a6109b6 (1247873462)
00000170 (04)         ProductVersionMS: 0x000a0000 (655360)
00000174 (04)         ProductVersionLS: 0x4a6109b6 (1247873462)
00000178 (04)         FileFlagsMask: 0x0000003f (63)
0000017c (04)         FileFlags: 0x00000000 (0)
00000180 (04)         FileOS: 0x00040004 (262148)
00000184 (04)         FileType: 0x00000002 (2)
00000188 (04)         FileSubType: 0x00000000 (0)
0000018c (04)         FileDateMS: 0x00000000 (0)
00000190 (04)         FileDateLS: 0x00000000 (0)
00000194 (08)       CvRecord: MiniDumpLocationDescriptor
00000194 (04)         DataSize: 0x00000028 (40)
00000198 (04)         RVA: 0x00001df5 (7669)
0000019c (08)       MiscRecord: MiniDumpLocationDescriptor
0000019c (04)         DataSize: 0x00000000 (0)
000001a0 (04)         RVA: 0x00000000 (0)
000001a4 (08)       Reserved1: 0x00004140 (16704)
000001ac (08)       Reserved2: 0x00000000 (0)
000001b4 (108)     4: MiniDumpModule
000001b4 (08)       BaseOfImage: 0x6a950000 (1788149760)
000001bc (04)       SizeOfImage: 0x000a0000 (655360)
000001c0 (04)       CheckSum: 0x0009f710 (653072)
000001c4 (04)       TimeDateStamp: 0xeb7b2a71 (3950717553)
000001c8 (04)       ModuleNameRva: 0x00001014 (4116)
000001cc (52)       VersionInfo: VS_FixedFileInfo
000001cc (04)         Signature: 0xfeef04bd (4277077181)
000001d0 (04)         StrucVersion: 0x00010000 (65536)
000001d4 (04)         FileVersionMS: 0x000a0000 (655360)
000001d8 (04)         FileVersionLS: 0x4a61081b (1247873051)
000001dc (04)         ProductVersionMS: 0x000a0000 (655360)
000001e0 (04)         ProductVersionLS: 0x4a61081b (1247873051)
000001e4 (04)         FileFlagsMask: 0x0000003f (63)
000001e8 (04)         FileFlags: 0x00000000 (0)
000001ec (04)         FileOS: 0x00040004 (262148)
000001f0 (04)         FileType: 0x00000002 (2)
000001f4 (04)         FileSubType: 0x00000000 (0)
000001f8 (04)         FileDateMS: 0x00000000 (0)
000001fc (04)         FileDateLS: 0x00000000 (0)
00000200 (08)       CvRecord: MiniDumpLocationDescriptor
00000200 (04)         DataSize: 0x00000024 (36)
00000204 (04)         RVA: 0x00001e1d (7709)
00000208 (08)       MiscRecord: MiniDumpLocationDescriptor
00000208 (04)         DataSize: 0x00000000 (0)
0000020c (04)         RVA: 0x00000000 (0)
00000210 (08)       Reserved1: 0x00004140 (16704)
00000218 (08)       Reserved2: 0x00000000 (0)
00000220 (108)     5: MiniDumpModule
00000220 (08)       BaseOfImage: 0x75430000 (1967325184)
00000228 (04)       SizeOfImage: 0x000bf000 (782336)
0000022c (04)       CheckSum: 0x000c7c0a (818186)
00000230 (04)       TimeDateStamp: 0x7f567a50 (2136373840)
00000234 (04)       ModuleNameRva: 0x00001058 (4184)
00000238 (52)       VersionInfo: VS_FixedFileInfo
00000238 (04)         Signature: 0xfeef04bd (4277077181)
0000023c (04)         StrucVersion: 0x00010000 (65536)
00000240 (04)         FileVersionMS: 0x00070000 (458752)
00000244 (04)         FileVersionLS: 0x4a610222 (1247871522)
00000248 (04)         ProductVersionMS: 0x000a0000 (655360)
0000024c (04)         ProductVersionLS: 0x4a610222 (1247871522)
00000250 (04)         FileFlagsMask: 0x0000003f (63)
00000254 (04)         FileFlags: 0x00000000 (0)
00000258 (04)         FileOS: 0x00040004 (262148)
0000025c (04)         FileType: 0x00000001 (1)
00000260 (04)         FileSubType: 0x00000000 (0)
00000264 (04)         FileDateMS: 0x00000000 (0)
00000268 (04)         FileDateLS: 0x00000000 (0)
0000026c (08)       CvRecord: MiniDumpLocationDescriptor
0000026c (04)         DataSize: 0x00000023 (35)
00000270 (04)         RVA: 0x00001e41 (7745)
00000274 (08)       MiscRecord: MiniDumpLocationDescriptor
00000274 (04)         DataSize: 0x00000000 (0)
00000278 (04)         RVA: 0x00000000 (0)
0000027c (08)       Reserved1: 0x00004140 (16704)
00000284 (08)       Reserved2: 0x00000000 (0)
0000028c (108)     6: MiniDumpModule
0000028c (08)       BaseOfImage: 0x750a0000 (1963589632)
00000294 (04)       SizeOfImage: 0x0007b000 (503808)
00000298 (04)       CheckSum: 0x00079356 (496470)
0000029c (04)       TimeDateStamp: 0xdca539bb (3701815739)
000002a0 (04)       ModuleNameRva: 0x0000109a (4250)
000002a4 (52)       VersionInfo: VS_FixedFileInfo
000002a4 (04)         Signature: 0xfeef04bd (4277077181)
000002a8 (04)         StrucVersion: 0x00010000 (65536)
000002ac (04)         FileVersionMS: 0x000a0000 (655360)
000002b0 (04)         FileVersionLS: 0x4a610852 (1247873106)
000002b4 (04)         ProductVersionMS: 0x000a0000 (655360)
000002b8 (04)         ProductVersionLS: 0x4a610852 (1247873106)
000002bc (04)         FileFlagsMask: 0x0000003f (63)
000002c0 (04)         FileFlags: 0x00000000 (0)
000002c4 (04)         FileOS: 0x00040004 (262148)
000002c8 (04)         FileType: 0x00000002 (2)
000002cc (04)         FileSubType: 0x00000000 (0)
000002d0 (04)         FileDateMS: 0x00000000 (0)
000002d4 (04)         FileDateLS: 0x00000000 (0)
000002d8 (08)       CvRecord: MiniDumpLocationDescriptor
000002d8 (04)         DataSize: 0x00000025 (37)
000002dc (04)         RVA: 0x00001e64 (7780)
000002e0 (08)       MiscRecord: MiniDumpLocationDescriptor
000002e0 (04)         DataSize: 0x00000000 (0)
000002e4 (04)         RVA: 0x00000000 (0)
000002e8 (08)       Reserved1: 0x00004140 (16704)
000002f0 (08)       Reserved2: 0x00000000 (0)
000002f8 (108)     7: MiniDumpModule
000002f8 (08)       BaseOfImage: 0x75970000 (1972830208)
00000300 (04)       SizeOfImage: 0x00076000 (483328)
00000304 (04)       CheckSum: 0x0007bf51 (507729)
00000308 (04)       TimeDateStamp: 0x4ce6f448 (1290204232)
0000030c (04)       ModuleNameRva: 0x000010e0 (4320)
00000310 (52)       VersionInfo: VS_FixedFileInfo
00000310 (04)         Signature: 0xfeef04bd (4277077181)
00000314 (04)         StrucVersion: 0x00010000 (65536)
00000318 (04)         FileVersionMS: 0x000a0000 (655360)
0000031c (04)         FileVersionLS: 0x4a610749 (1247872841)
00000320 (04)         ProductVersionMS: 0x000a0000 (655360)
00000324 (04)         ProductVersionLS: 0x4a610749 (1247872841)
00000328 (04)         FileFlagsMask: 0x0000003f (63)
0000032c (04)         FileFlags: 0x00000000 (0)
00000330 (04)         FileOS: 0x00040004 (262148)
00000334 (04)         FileType: 0x00000001 (1)
00000338 (04)         FileSubType: 0x00000000 (0)
0000033c (04)         FileDateMS: 0x00000000 (0)
00000340 (04)         FileDateLS: 0x00000000 (0)
00000344 (08)       CvRecord: MiniDumpLocationDescriptor
00000344 (04)         DataSize: 0x00000024 (36)
00000348 (04)         RVA: 0x00001e89 (7817)
0000034c (08)       MiscRecord: MiniDumpLocationDescriptor
0000034c (04)         DataSize: 0x00000000 (0)
00000350 (04)         RVA: 0x00000000 (0)
00000354 (08)       Reserved1: 0x00004140 (16704)
0000035c (08)       Reserved2: 0x00000000 (0)
00000364 (108)     8: MiniDumpModule
00000364 (08)       BaseOfImage: 0x76c50000 (1992622080)
0000036c (04)       SizeOfImage: 0x000be000 (778240)
00000370 (04)       CheckSum: 0x000cd944 (842052)
00000374 (04)       TimeDateStamp: 0x9d768d96 (2641792406)
00000378 (04)       ModuleNameRva: 0x00001124 (4388)
0000037c (52)       VersionInfo: VS_FixedFileInfo
0000037c (04)         Signature: 0xfeef04bd (4277077181)
00000380 (04)         StrucVersion: 0x00010000 (65536)
00000384 (04)         FileVersionMS: 0x000a0000 (655360)
00000388 (04)         FileVersionLS: 0x4a6109b6 (1247873462)
0000038c (04)         ProductVersionMS: 0x000a0000 (655360)
00000390 (04)         ProductVersionLS: 0x4a6109b6 (1247873462)
00000394 (04)         FileFlagsMask: 0x0000003f (63)
00000398 (04)         FileFlags: 0x00000000 (0)
0000039c (04)         FileOS: 0x00040004 (262148)
000003a0 (04)         FileType: 0x00000002 (2)
000003a4 (04)         FileSubType: 0x00000000 (0)
000003a8 (04)         FileDateMS: 0x00000000 (0)
000003ac (04)         FileDateLS: 0x00000000 (0)
000003b0 (08)       CvRecord: MiniDumpLocationDescriptor
000003b0 (04)         DataSize: 0x00000024 (36)
000003b4 (04)         RVA: 0x00001ead (7853)
000003b8 (08)       MiscRecord: MiniDumpLocationDescriptor
000003b8 (04)         DataSize: 0x00000000 (0)
000003bc (04)         RVA: 0x00000000 (0)
000003c0 (08)       Reserved1: 0x00004140 (16704)
000003c8 (08)       Reserved2: 0x00000000 (0)
000003d0 (108)     9: MiniDumpModule
000003d0 (08)       BaseOfImage: 0x75360000 (1966473216)
000003d8 (04)       SizeOfImage: 0x00063000 (405504)
000003dc (04)       CheckSum: 0x00064f32 (413490)
000003e0 (04)       TimeDateStamp: 0xf9ac0921 (4188801313)
000003e4 (04)       ModuleNameRva: 0x00001166 (4454)
000003e8 (52)       VersionInfo: VS_FixedFileInfo
000003e8 (04)         Signature: 0xfeef04bd (4277077181)
000003ec (04)         StrucVersion: 0x00010000 (65536)
000003f0 (04)         FileVersionMS: 0x000a0000 (655360)
000003f4 (04)         FileVersionLS: 0x4a610222 (1247871522)
000003f8 (04)         ProductVersionMS: 0x000a0000 (655360)
000003fc (04)         ProductVersionLS: 0x4a610222 (1247871522)
00000400 (04)         FileFlagsMask: 0x0000003f (63)
00000404 (04)         FileFlags: 0x00000000 (0)
00000408 (04)         FileOS: 0x00040004 (262148)
0000040c (04)         FileType: 0x00000002 (2)
00000410 (04)         FileSubType: 0x00000000 (0)
00000414 (04)         FileDateMS: 0x00000000 (0)
00000418 (04)         FileDateLS: 0x00000000 (0)
0000041c (08)       CvRecord: MiniDumpLocationDescriptor
0000041c (04)         DataSize: 0x00000023 (35)
00000420 (04)         RVA: 0x00001ed1 (7889)
00000424 (08)       MiscRecord: MiniDumpLocationDescriptor
00000424 (04)         DataSize: 0x00000000 (0)
00000428 (04)         RVA: 0x00000000 (0)
0000042c (08)       Reserved1: 0x00004140 (16704)
00000434 (08)       Reserved2: 0x00000000 (0)
0000043c (108)     10: MiniDumpModule
0000043c (08)       BaseOfImage: 0x71df0000 (1910439936)
00000444 (04)       SizeOfImage: 0x00008000 (32768)
00000448 (04)       CheckSum: 0x0000f700 (63232)
0000044c (04)       TimeDateStamp: 0x4e127638 (1309832760)
00000450 (04)       ModuleNameRva: 0x000011a8 (4520)
00000454 (52)       VersionInfo: VS_FixedFileInfo
00000454 (04)         Signature: 0xfeef04bd (4277077181)
00000458 (04)         StrucVersion: 0x00010000 (65536)
0000045c (04)         FileVersionMS: 0x000a0000 (655360)
00000460 (04)         FileVersionLS: 0x4a610001 (1247870977)
00000464 (04)         ProductVersionMS: 0x000a0000 (655360)
00000468 (04)         ProductVersionLS: 0x4a610001 (1247870977)
0000046c (04)         FileFlagsMask: 0x0000003f (63)
00000470 (04)         FileFlags: 0x00000000 (0)
00000474 (04)         FileOS: 0x00040004 (262148)
00000478 (04)         FileType: 0x00000002 (2)
0000047c (04)         FileSubType: 0x00000000 (0)
00000480 (04)         FileDateMS: 0x00000000 (0)
00000484 (04)         FileDateLS: 0x00000000 (0)
00000488 (08)       CvRecord: MiniDumpLocationDescriptor
00000488 (04)         DataSize: 0x00000024 (36)
0000048c (04)         RVA: 0x00001ef4 (7924)
00000490 (08)       MiscRecord: MiniDumpLocationDescriptor
00000490 (04)         DataSize: 0x00000000 (0)
00000494 (04)         RVA: 0x00000000 (0)
00000498 (08)       Reserved1: 0x00004140 (16704)
000004a0 (08)       Reserved2: 0x00000000 (0)
000004a8 (108)     11: MiniDumpModule
000004a8 (08)       BaseOfImage: 0x771d0000 (1998389248)
000004b0 (04)       SizeOfImage: 0x0000a000 (40960)
000004b4 (04)       CheckSum: 0x0000d69c (54940)
000004b8 (04)       TimeDateStamp: 0x378bc3cd (931906509)
000004bc (04)       ModuleNameRva: 0x000011ec (4588)
000004c0 (52)       VersionInfo: VS_FixedFileInfo
000004c0 (04)         Signature: 0xfeef04bd (4277077181)
000004c4 (04)         StrucVersion: 0x00010000 (65536)
000004c8 (04)         FileVersionMS: 0x000a0000 (655360)
000004cc (04)         FileVersionLS: 0x4a610296 (1247871638)
000004d0 (04)         ProductVersionMS: 0x000a0000 (655360)
000004d4 (04)         ProductVersionLS: 0x4a610296 (1247871638)
000004d8 (04)         FileFlagsMask: 0x0000003f (63)
000004dc (04)         FileFlags: 0x00000000 (0)
000004e0 (04)         FileOS: 0x00040004 (262148)
000004e4 (04)         FileType: 0x00000002 (2)
000004e8 (04)         FileSubType: 0x00000000 (0)
000004ec (04)         FileDateMS: 0x00000000 (0)
000004f0 (04)         FileDateLS: 0x00000000 (0)
000004f4 (08)       CvRecord: MiniDumpLocationDescriptor
000004f4 (04)         DataSize: 0x00000000 (0)
000004f8 (04)         RVA: 0x00000000 (0)
000004fc (08)       MiscRecord: MiniDumpLocationDescriptor
000004fc (04)         DataSize: 0x00000000 (0)
00000500 (04)         RVA: 0x00000000 (0)
00000504 (08)       Reserved1: 0x00000000 (0)
0000050c (08)       Reserved2: 0x00000000 (0)
00000000 (580) MiniDumpMemoryListStream: MiniDumpMemoryListStream
00000000 (04)   NumberOfMemoryRanges: 0x00000024 (36)
00000004 (576)   MemoryRanges: VArray
00000004 (16)     0: MiniDumpMemoryDescriptor
00000004 (08)       StartOfMemoryPage: 0x00731ff0 (7544816)
0000000c (08)       Memory: MiniDumpLocationDescriptor
0000000c (04)         DataSize: 0x000002c0 (704)
00000010 (04)         RVA: 0x0000215c (8540)
00000014 (16)     1: MiniDumpMemoryDescriptor
00000014 (08)       StartOfMemoryPage: 0x007324b8 (7546040)
0000001c (08)       Memory: MiniDumpLocationDescriptor
0000001c (04)         DataSize: 0x0000007e (126)
00000020 (04)         RVA: 0x0000241c (9244)
00000024 (16)     2: MiniDumpMemoryDescriptor
00000024 (08)       StartOfMemoryPage: 0x00733cc0 (7552192)
0000002c (08)       Memory: MiniDumpLocationDescriptor
0000002c (04)         DataSize: 0x00000006 (6)
00000030 (04)         RVA: 0x0000249a (9370)
00000034 (16)     3: MiniDumpMemoryDescriptor
00000034 (08)       StartOfMemoryPage: 0x007376d8 (7567064)
0000003c (08)       Memory: MiniDumpLocationDescriptor
0000003c (04)         DataSize: 0x00002000 (8192)
00000040 (04)         RVA: 0x000024a0 (9376)
00000044 (16)     4: MiniDumpMemoryDescriptor
00000044 (08)       StartOfMemoryPage: 0x00743818 (7616536)
0000004c (08)       Memory: MiniDumpLocationDescriptor
0000004c (04)         DataSize: 0x00000008 (8)
00000050 (04)         RVA: 0x000044a0 (17568)
00000054 (16)     5: MiniDumpMemoryDescriptor
00000054 (08)       StartOfMemoryPage: 0x00743cf8 (7617784)
0000005c (08)       Memory: MiniDumpLocationDescriptor
0000005c (04)         DataSize: 0x00000004 (4)
00000060 (04)         RVA: 0x000044a8 (17576)
00000064 (16)     6: MiniDumpMemoryDescriptor
00000064 (08)       StartOfMemoryPage: 0x00744e40 (7622208)
0000006c (08)       Memory: MiniDumpLocationDescriptor
0000006c (04)         DataSize: 0x00003fc8 (16328)
00000070 (04)         RVA: 0x000044ac (17580)
00000074 (16)     7: MiniDumpMemoryDescriptor
00000074 (08)       StartOfMemoryPage: 0x71df4000 (1910456320)
0000007c (08)       Memory: MiniDumpLocationDescriptor
0000007c (04)         DataSize: 0x0000034c (844)
00000080 (04)         RVA: 0x00008474 (33908)
00000084 (16)     8: MiniDumpMemoryDescriptor
00000084 (08)       StartOfMemoryPage: 0x7725302c (1998925868)
0000008c (08)       Memory: MiniDumpLocationDescriptor
0000008c (04)         DataSize: 0x00000100 (256)
00000090 (04)         RVA: 0x000087c0 (34752)
00000094 (16)     9: MiniDumpMemoryDescriptor
00000094 (08)       StartOfMemoryPage: 0x772547ac (1998931884)
0000009c (08)       Memory: MiniDumpLocationDescriptor
0000009c (04)         DataSize: 0x00000100 (256)
000000a0 (04)         RVA: 0x000088c0 (35008)
000000a4 (16)     10: MiniDumpMemoryDescriptor
000000a4 (08)       StartOfMemoryPage: 0x76cfd000 (1993330688)
000000ac (08)       Memory: MiniDumpLocationDescriptor
000000ac (04)         DataSize: 0x00000f54 (3924)
000000b0 (04)         RVA: 0x000089c0 (35264)
000000b4 (16)     11: MiniDumpMemoryDescriptor
000000b4 (08)       StartOfMemoryPage: 0x76d01000 (1993347072)
000000bc (08)       Memory: MiniDumpLocationDescriptor
000000bc (04)         DataSize: 0x00000144 (324)
000000c0 (04)         RVA: 0x00009914 (39188)
000000c4 (16)     12: MiniDumpMemoryDescriptor
000000c4 (08)       StartOfMemoryPage: 0x0092fdb0 (9633200)
000000cc (08)       Memory: MiniDumpLocationDescriptor
000000cc (04)         DataSize: 0x00000250 (592)
000000d0 (04)         RVA: 0x00009a58 (39512)
000000d4 (16)     13: MiniDumpMemoryDescriptor
000000d4 (08)       StartOfMemoryPage: 0x0040d000 (4247552)
000000dc (08)       Memory: MiniDumpLocationDescriptor
000000dc (04)         DataSize: 0x0000705c (28764)
000000e0 (04)         RVA: 0x00009ca8 (40104)
000000e4 (16)     14: MiniDumpMemoryDescriptor
000000e4 (08)       StartOfMemoryPage: 0x0024e000 (2416640)
000000ec (08)       Memory: MiniDumpLocationDescriptor
000000ec (04)         DataSize: 0x000004a8 (1192)
000000f0 (04)         RVA: 0x00010d04 (68868)
000000f4 (16)     15: MiniDumpMemoryDescriptor
000000f4 (08)       StartOfMemoryPage: 0x00251000 (2428928)
000000fc (08)       Memory: MiniDumpLocationDescriptor
000000fc (04)         DataSize: 0x00001000 (4096)
00000100 (04)         RVA: 0x000111ac (70060)
00000104 (16)     16: MiniDumpMemoryDescriptor
00000104 (08)       StartOfMemoryPage: 0x00254000 (2441216)
0000010c (08)       Memory: MiniDumpLocationDescriptor
0000010c (04)         DataSize: 0x00001000 (4096)
00000110 (04)         RVA: 0x000121ac (74156)
00000114 (16)     17: MiniDumpMemoryDescriptor
00000114 (08)       StartOfMemoryPage: 0x00257000 (2453504)
0000011c (08)       Memory: MiniDumpLocationDescriptor
0000011c (04)         DataSize: 0x00001000 (4096)
00000120 (04)         RVA: 0x000131ac (78252)
00000124 (16)     18: MiniDumpMemoryDescriptor
00000124 (08)       StartOfMemoryPage: 0x6a9ce000 (1788665856)
0000012c (08)       Memory: MiniDumpLocationDescriptor
0000012c (04)         DataSize: 0x00001ffc (8188)
00000130 (04)         RVA: 0x000141ac (82348)
00000134 (16)     19: MiniDumpMemoryDescriptor
00000134 (08)       StartOfMemoryPage: 0x759d8000 (1973256192)
0000013c (08)       Memory: MiniDumpLocationDescriptor
0000013c (04)         DataSize: 0x00002e28 (11816)
00000140 (04)         RVA: 0x000161a8 (90536)
00000144 (16)     20: MiniDumpMemoryDescriptor
00000144 (08)       StartOfMemoryPage: 0x759de000 (1973280768)
0000014c (08)       Memory: MiniDumpLocationDescriptor
0000014c (04)         DataSize: 0x00000090 (144)
00000150 (04)         RVA: 0x00018fd0 (102352)
00000154 (16)     21: MiniDumpMemoryDescriptor
00000154 (08)       StartOfMemoryPage: 0x77303000 (1999646720)
0000015c (08)       Memory: MiniDumpLocationDescriptor
0000015c (04)         DataSize: 0x00005a84 (23172)
00000160 (04)         RVA: 0x00019060 (102496)
00000164 (16)     22: MiniDumpMemoryDescriptor
00000164 (08)       StartOfMemoryPage: 0x77309000 (1999671296)
0000016c (08)       Memory: MiniDumpLocationDescriptor
0000016c (04)         DataSize: 0x00002378 (9080)
00000170 (04)         RVA: 0x0001eae4 (125668)
00000174 (16)     23: MiniDumpMemoryDescriptor
00000174 (08)       StartOfMemoryPage: 0x7510a000 (1964023808)
0000017c (08)       Memory: MiniDumpLocationDescriptor
0000017c (04)         DataSize: 0x000038dc (14556)
00000180 (04)         RVA: 0x00020e5c (134748)
00000184 (16)     24: MiniDumpMemoryDescriptor
00000184 (08)       StartOfMemoryPage: 0x75840000 (1971585024)
0000018c (08)       Memory: MiniDumpLocationDescriptor
0000018c (04)         DataSize: 0x00000d08 (3336)
00000190 (04)         RVA: 0x00024738 (149304)
00000194 (16)     25: MiniDumpMemoryDescriptor
00000194 (08)       StartOfMemoryPage: 0x75114000 (1964064768)
0000019c (08)       Memory: MiniDumpLocationDescriptor
0000019c (04)         DataSize: 0x0000023c (572)
000001a0 (04)         RVA: 0x00025440 (152640)
000001a4 (16)     26: MiniDumpMemoryDescriptor
000001a4 (08)       StartOfMemoryPage: 0x76a3f000 (1990455296)
000001ac (08)       Memory: MiniDumpLocationDescriptor
000001ac (04)         DataSize: 0x000034f8 (13560)
000001b0 (04)         RVA: 0x0002567c (153212)
000001b4 (16)     27: MiniDumpMemoryDescriptor
000001b4 (08)       StartOfMemoryPage: 0x75850000 (1971650560)
000001bc (08)       Memory: MiniDumpLocationDescriptor
000001bc (04)         DataSize: 0x00000034 (52)
000001c0 (04)         RVA: 0x00028b74 (166772)
000001c4 (16)     28: MiniDumpMemoryDescriptor
000001c4 (08)       StartOfMemoryPage: 0x76a49000 (1990496256)
000001cc (08)       Memory: MiniDumpLocationDescriptor
000001cc (04)         DataSize: 0x00000364 (868)
000001d0 (04)         RVA: 0x00028ba8 (166824)
000001d4 (16)     29: MiniDumpMemoryDescriptor
000001d4 (08)       StartOfMemoryPage: 0x754e2000 (1968054272)
000001dc (08)       Memory: MiniDumpLocationDescriptor
000001dc (04)         DataSize: 0x00005d8c (23948)
000001e0 (04)         RVA: 0x00028f0c (167692)
000001e4 (16)     30: MiniDumpMemoryDescriptor
000001e4 (08)       StartOfMemoryPage: 0x0069fdb0 (6946224)
000001ec (08)       Memory: MiniDumpLocationDescriptor
000001ec (04)         DataSize: 0x00000250 (592)
000001f0 (04)         RVA: 0x0002ec98 (191640)
000001f4 (16)     31: MiniDumpMemoryDescriptor
000001f4 (08)       StartOfMemoryPage: 0x771d5000 (1998409728)
000001fc (08)       Memory: MiniDumpLocationDescriptor
000001fc (04)         DataSize: 0x00000608 (1544)
00000200 (04)         RVA: 0x0002eee8 (192232)
00000204 (16)     32: MiniDumpMemoryDescriptor
00000204 (08)       StartOfMemoryPage: 0x0019f8bc (1702076)
0000020c (08)       Memory: MiniDumpLocationDescriptor
0000020c (04)         DataSize: 0x00000744 (1860)
00000210 (04)         RVA: 0x0002f4f0 (193776)
00000214 (16)     33: MiniDumpMemoryDescriptor
00000214 (08)       StartOfMemoryPage: 0x0054039b (5505947)
0000021c (08)       Memory: MiniDumpLocationDescriptor
0000021c (04)         DataSize: 0x00000100 (256)
00000220 (04)         RVA: 0x0002fc34 (195636)
00000224 (16)     34: MiniDumpMemoryDescriptor
00000224 (08)       StartOfMemoryPage: 0x753a8000 (1966768128)
0000022c (08)       Memory: MiniDumpLocationDescriptor
0000022c (04)         DataSize: 0x00000648 (1608)
00000230 (04)         RVA: 0x0002fd34 (195892)
00000234 (16)     35: MiniDumpMemoryDescriptor
00000234 (08)       StartOfMemoryPage: 0x753ab000 (1966780416)
0000023c (08)       Memory: MiniDumpLocationDescriptor
0000023c (04)         DataSize: 0x00000048 (72)
00000240 (04)         RVA: 0x0003037c (197500)
00000000 (168) MiniDumpExceptionStream: MiniDumpExceptionStream
00000000 (04)   ThreadId: 0x00003e74 (15988)
00000004 (04)   _MiniDumpExceptionStream__aligntment: 0x00000000 (0)
00000008 (152)   ExceptionRecored: MiniDumpException
00000008 (04)     ExceptionCode: 0xc0000409 (3221226505)
0000000c (04)     ExceptionFlags: 0x00000008 (8)
00000010 (08)     ExceptionRecord: 0x0019fac4 (1702596)
00000018 (08)     ExceptionAddress: 0x0054041b (5506075)
00000020 (04)     NumberParameters: 0x00000001 (1)
00000024 (04)     _MiniDumpException__unusedAlignment: 0x00000000 (0)
00000028 (120)     ExecptionInformation: VArray
00000028 (08)       0: 0x00000015 (21)
00000030 (08)       1: 0x00000000 (0)
00000038 (08)       2: 0x00000000 (0)
00000040 (08)       3: 0x00000000 (0)
00000048 (08)       4: 0x00000000 (0)
00000050 (08)       5: 0x00000000 (0)
00000058 (08)       6: 0x00000000 (0)
00000060 (08)       7: 0x00000000 (0)
00000068 (08)       8: 0x00000000 (0)
00000070 (08)       9: 0x00000000 (0)
00000078 (08)       10: 0x00000000 (0)
00000080 (08)       11: 0x00000000 (0)
00000088 (08)       12: 0x00000000 (0)
00000090 (08)       13: 0x00000000 (0)
00000098 (08)       14: 0x00000000 (0)
000000a0 (08)   ThreadContext: MiniDumpLocationDescriptor
000000a0 (04)     DataSize: 0x000002cc (716)
000000a4 (04)     RVA: 0x00001232 (4658)
00000000 (56) MiniDumpSystemInfoStream: MiniDumpSystemInfoStream
00000000 (02)   ProcessorArchitecture: 0x00000000 (0)
00000002 (02)   ProcessorLevel: 0x00000006 (6)
00000004 (02)   ProcessorRevision: 0x00009e09 (40457)
00000006 (02)   Reserved: 0x00000104 (260)
00000008 (04)   MajorVersion: 0x0000000a (10)
0000000c (04)   MinorVersion: 0x00000000 (0)
00000010 (04)   BuildNumber: 0x00004a65 (19045)
00000014 (04)   PlatformId: 0x00000002 (2)
00000018 (04)   CSDVersionRSA: 0x00000f1c (3868)
0000001c (04)   Reserved1: 0x00000100 (256)
00000020 (04)   CpuInfo1: 0x756e6547 (1970169159)
00000024 (04)   CpuInfo2: 0x49656e69 (1231384169)
00000028 (04)   CpuInfo3: 0x6c65746e (1818588270)
0000002c (04)   CpuInfo4: 0x000906e9 (591593)
00000030 (04)   CpuInfo5: 0xbfebfbff (3219913727)
00000034 (04)   CpuInfo6: 0x00000000 (0)
00000000 (24) MiniDumpMiscInfoStream: MiniDumpMiscInfoStream
00000000 (04)   SizeOfInfo: 0x00000554 (1364)
00000004 (04)   Flags1: 0x000003f7 (1015)
00000008 (04)   ProcessId: 0x000026e0 (9952)
0000000c (04)   ProcessCreateTime: 0x63c93d2f (1674132783)
00000010 (04)   ProcessUserTime: 0x00000000 (0)
00000014 (04)   ProcessKernelTime: 0x00000000 (0)
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream

arch: intel

memory map: [no memory map]

modules: [0x00000000400000-0x00000000416000] F:\payload.exe [0x0000000040d000-0x0000000041405c] [0x000000771e0000-0x00000077384000] C:\Windows\System32\ntdll.dll [0x0000007725302c-0x0000007725312c] [0x000000772547ac-0x000000772548ac] [0x00000077303000-0x00000077308a84] [0x00000077309000-0x0000007730b378] [0x00000075790000-0x00000075880000] C:\Windows\System32\kernel32.dll [0x00000075840000-0x00000075840d08] [0x00000075850000-0x00000075850034] [0x00000076860000-0x00000076a7c000] C:\Windows\System32\KERNELBASE.dll [0x00000076a3f000-0x00000076a424f8] [0x00000076a49000-0x00000076a49364] [0x0000006a950000-0x0000006a9f0000] C:\Windows\System32\apphelp.dll [0x0000006a9ce000-0x0000006a9cfffc] [0x00000075430000-0x000000754ef000] C:\Windows\System32\msvcrt.dll [0x000000754e2000-0x000000754e7d8c] [0x000000750a0000-0x0000007511b000] C:\Windows\System32\advapi32.dll [0x0000007510a000-0x0000007510d8dc] [0x00000075114000-0x0000007511423c] [0x00000075970000-0x000000759e6000] C:\Windows\System32\sechost.dll [0x000000759d8000-0x000000759dae28] [0x000000759de000-0x000000759de090] [0x00000076c50000-0x00000076d0e000] C:\Windows\System32\rpcrt4.dll [0x00000076cfd000-0x00000076cfdf54] [0x00000076d01000-0x00000076d01144] [0x00000075360000-0x000000753c3000] C:\Windows\System32\ws2_32.dll [0x000000753a8000-0x000000753a8648] [0x000000753ab000-0x000000753ab048] [0x00000071df0000-0x00000071df8000] C:\Windows\System32\wsock32.dll [0x00000071df4000-0x00000071df434c] [0x000000771d0000-0x000000771da000] C:\Windows\System32\wow64cpu.dll [0x000000771d5000-0x000000771d5608]

thread: 15988 eax: 0x00000000000000 ebx: 0x00000000000000 ecx: 0x00000000000000 edx: 0x00000073c05ff5 esi: 0x00000000000000 edi: 0x00000000000002 ebp: 0x0000000019f900 -> stack for thread 15988 esp: 0x0000000019f8c0 -> stack for thread 15988 eip: 0x000000772530ac -> C:\Windows\System32\ntdll.dll

teb: [0x251000-???] [0x00000000251000-0x00000000252000]

stack: [0x0000000019f8bc-0x000000001a0000] [0x0000000019f8bc-0x000000001a0000]

thread: 13048 eax: 0x00000000000000 ebx: 0x00000000747690 -> range [0x00000000744e40-0x00000000748e08] ecx: 0x00000000000000 edx: 0x00000000000000 esi: 0x00000000747690 -> range [0x00000000744e40-0x00000000748e08] edi: 0x00000000742778 ebp: 0x0000000069ff70 -> stack for thread 13048 esp: 0x0000000069fdb4 -> stack for thread 13048 eip: 0x0000007725482c -> C:\Windows\System32\ntdll.dll

teb: [0x254000-???] [0x00000000254000-0x00000000255000]

stack: [0x0000000069fdb0-0x000000006a0000] [0x0000000069fdb0-0x000000006a0000]

thread: 14732 eax: 0x000000772159c0 -> C:\Windows\System32\ntdll.dll ebx: 0x00000000000000 ecx: 0x00000000000000 edx: 0x00000000000000 esi: 0x0000000024e000 -> range [0x0000000024e000-0x0000000024e4a8] edi: 0x00000000742778 ebp: 0x0000000092ff70 -> stack for thread 14732 esp: 0x0000000092fdb4 -> stack for thread 14732 eip: 0x0000007725482c -> C:\Windows\System32\ntdll.dll

teb: [0x257000-???] [0x00000000257000-0x00000000258000]

stack: [0x0000000092fdb0-0x00000000930000] [0x0000000092fdb0-0x00000000930000]

memory ranges: [0x0000000019f8bc-0x000000001a0000] stack for thread 15988 [0x0000000024e000-0x0000000024e4a8] [0x00000000251000-0x00000000252000] TEB for thread 15988 [0x00000000254000-0x00000000255000] TEB for thread 13048 [0x00000000257000-0x00000000258000] TEB for thread 14732 [0x0000000040d000-0x0000000041405c] F:\payload.exe [0x0000000054039b-0x0000000054049b] [0x0000000069fdb0-0x000000006a0000] stack for thread 13048 [0x00000000731ff0-0x000000007322b0] [0x000000007324b8-0x00000000732536] [0x00000000733cc0-0x00000000733cc6] [0x000000007376d8-0x000000007396d8] [0x00000000743818-0x00000000743820] [0x00000000743cf8-0x00000000743cfc] [0x00000000744e40-0x00000000748e08] [0x0000000092fdb0-0x00000000930000] stack for thread 14732 [0x0000006a9ce000-0x0000006a9cfffc] C:\Windows\System32\apphelp.dll [0x00000071df4000-0x00000071df434c] C:\Windows\System32\wsock32.dll [0x0000007510a000-0x0000007510d8dc] C:\Windows\System32\advapi32.dll [0x00000075114000-0x0000007511423c] C:\Windows\System32\advapi32.dll [0x000000753a8000-0x000000753a8648] C:\Windows\System32\ws2_32.dll [0x000000753ab000-0x000000753ab048] C:\Windows\System32\ws2_32.dll [0x000000754e2000-0x000000754e7d8c] C:\Windows\System32\msvcrt.dll [0x00000075840000-0x00000075840d08] C:\Windows\System32\kernel32.dll [0x00000075850000-0x00000075850034] C:\Windows\System32\kernel32.dll [0x000000759d8000-0x000000759dae28] C:\Windows\System32\sechost.dll [0x000000759de000-0x000000759de090] C:\Windows\System32\sechost.dll [0x00000076a3f000-0x00000076a424f8] C:\Windows\System32\KERNELBASE.dll [0x00000076a49000-0x00000076a49364] C:\Windows\System32\KERNELBASE.dll [0x00000076cfd000-0x00000076cfdf54] C:\Windows\System32\rpcrt4.dll [0x00000076d01000-0x00000076d01144] C:\Windows\System32\rpcrt4.dll [0x000000771d5000-0x000000771d5608] C:\Windows\System32\wow64cpu.dll [0x0000007725302c-0x0000007725312c] C:\Windows\System32\ntdll.dll [0x000000772547ac-0x000000772548ac] C:\Windows\System32\ntdll.dll [0x00000077303000-0x00000077308a84] C:\Windows\System32\ntdll.dll [0x00000077309000-0x0000007730b378] C:\Windows\System32\ntdll.dll

williballenthin avatar Jul 19 '23 14:07 williballenthin
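The dump above lists the MiniDumpMemoryDescriptor entries and then labels each captured range with the module (or stack/TEB) that owns it, which is exactly the bookkeeping a minidump feature extractor needs before it can skip library code and keep the target image and anonymous regions. As an added example (not capa's, vivisect's or ttd2mdmp's code), here is a dependency-free Python parser for the minidump header, stream directory, module list and memory list, plus the range classification. The sample dump it runs on is constructed in memory; its module bases and a few range addresses mirror entries from the dump above, but the range contents are made-up bytes. It assumes, as in that dump, that the first entry of the module list is the target executable.

```python
"""Minimal MINIDUMP (MDMP) reader and memory-range classifier.

Added example, not capa's or vivisect's code. Struct layouts follow the public
MINIDUMP_HEADER / MINIDUMP_DIRECTORY / MINIDUMP_MODULE / MINIDUMP_MEMORY_DESCRIPTOR
definitions; the dump below is a constructed sample.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MDMP_SIGNATURE = 0x504D444D          # 'MDMP', little-endian
MODULE_LIST_STREAM = 4
MEMORY_LIST_STREAM = 5

HEADER_FMT = "<IIIIIIQ"              # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY_FMT = "<III"               # StreamType, Location.DataSize, Location.Rva
MEMORY_DESCRIPTOR_FMT = "<QII"       # StartOfMemoryRange, Memory.DataSize, Memory.Rva
MODULE_FMT = "<QIIII52sIIIIQQ"       # BaseOfImage, SizeOfImage, CheckSum, TimeDateStamp, ModuleNameRva,
                                     # VersionInfo, CvRecord, MiscRecord, Reserved0, Reserved1 (108 bytes)


@dataclass
class Module:
    base: int
    size: int
    name: str

    @property
    def end(self) -> int:
        return self.base + self.size


@dataclass
class MemoryRange:
    start: int
    size: int
    rva: int          # file offset of the captured bytes inside the dump

    @property
    def end(self) -> int:
        return self.start + self.size


def _read_string(buf: bytes, rva: int) -> str:
    # MINIDUMP_STRING: u32 byte length, then UTF-16LE characters (terminator not counted)
    (length,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4: rva + 4 + length].decode("utf-16-le")


def parse_directory(buf: bytes) -> Dict[int, Tuple[int, int]]:
    """Return {StreamType: (DataSize, Rva)} from the header's stream directory."""
    sig, _ver, nstreams, dir_rva, _cs, _ts, _flags = struct.unpack_from(HEADER_FMT, buf, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    streams = {}
    for i in range(nstreams):
        stype, size, rva = struct.unpack_from(DIRECTORY_FMT, buf, dir_rva + i * 12)
        streams[stype] = (size, rva)
    return streams


def parse_modules(buf: bytes, streams: Dict[int, Tuple[int, int]]) -> List[Module]:
    if MODULE_LIST_STREAM not in streams:
        return []
    _size, rva = streams[MODULE_LIST_STREAM]
    (count,) = struct.unpack_from("<I", buf, rva)
    modules = []
    for i in range(count):
        base, size, _cs, _ts, name_rva = struct.unpack_from(MODULE_FMT, buf, rva + 4 + i * 108)[:5]
        modules.append(Module(base, size, _read_string(buf, name_rva)))
    return modules


def parse_memory_ranges(buf: bytes, streams: Dict[int, Tuple[int, int]]) -> List[MemoryRange]:
    if MEMORY_LIST_STREAM not in streams:
        return []
    _size, rva = streams[MEMORY_LIST_STREAM]
    (count,) = struct.unpack_from("<I", buf, rva)
    return [MemoryRange(*struct.unpack_from(MEMORY_DESCRIPTOR_FMT, buf, rva + 4 + i * 16))
            for i in range(count)]


def read_range(buf: bytes, r: MemoryRange) -> bytes:
    """The captured bytes of one range: this is what a feature extractor would disassemble."""
    return buf[r.rva: r.rva + r.size]


def owner_of(r: MemoryRange, modules: List[Module]) -> Optional[Module]:
    """Module whose image span fully contains the range, or None for anonymous memory."""
    for m in modules:
        if m.base <= r.start and r.end <= m.end:
            return m
    return None


def interesting_ranges(buf: bytes) -> List[Tuple[int, int, str]]:
    """(start, end, label) for ranges worth analysing: the target image (assumed to be the
    first module) and anonymous memory such as heaps, stacks and unpacked code; ranges
    inside other modules (system libraries) are skipped."""
    streams = parse_directory(buf)
    modules = parse_modules(buf, streams)
    target = modules[0] if modules else None
    out = []
    for r in parse_memory_ranges(buf, streams):
        owner = owner_of(r, modules)
        if owner is None:
            out.append((r.start, r.end, "anonymous"))
        elif owner is target:
            out.append((r.start, r.end, owner.name))
    return out


def build_sample_dump() -> bytes:
    """Constructed sample: two modules and four ranges; contents are made-up bytes."""
    modules = [(0x400000, 0x16000, "F:\\payload.exe"),
               (0x771e0000, 0x1a4000, "C:\\Windows\\System32\\ntdll.dll")]
    ranges = [(0x40d000, b"\x55\x8b\xec" * 4),       # inside payload.exe
              (0x7725302c, b"\x90" * 16),            # inside ntdll.dll
              (0x19f8bc, b"\x00" * 8),               # stack: no owning module
              (0x54039b, b"\xe8\x00\x00\x00\x00")]   # heap: no owning module
    dir_rva = 32
    modlist_rva = dir_rva + 2 * 12
    memlist_rva = modlist_rva + 4 + len(modules) * 108
    cursor = memlist_rva + 4 + len(ranges) * 16
    strings, name_rvas = b"", []
    for _, _, name in modules:
        enc = name.encode("utf-16-le")
        name_rvas.append(cursor + len(strings))
        strings += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    cursor += len(strings)
    data, data_rvas = b"", []
    for _, blob in ranges:
        data_rvas.append(cursor + len(data))
        data += blob
    header = struct.pack(HEADER_FMT, MDMP_SIGNATURE, 0xA793, 2, dir_rva, 0, 0, 0)
    directory = struct.pack(DIRECTORY_FMT, MODULE_LIST_STREAM, 4 + len(modules) * 108, modlist_rva)
    directory += struct.pack(DIRECTORY_FMT, MEMORY_LIST_STREAM, 4 + len(ranges) * 16, memlist_rva)
    modlist = struct.pack("<I", len(modules))
    for (base, size, _), name_rva in zip(modules, name_rvas):
        modlist += struct.pack(MODULE_FMT, base, size, 0, 0, name_rva, b"\x00" * 52, 0, 0, 0, 0, 0, 0)
    memlist = struct.pack("<I", len(ranges))
    for (start, blob), data_rva in zip(ranges, data_rvas):
        memlist += struct.pack(MEMORY_DESCRIPTOR_FMT, start, len(blob), data_rva)
    return header + directory + modlist + memlist + strings + data


if __name__ == "__main__":
    for start, end, label in interesting_ranges(build_sample_dump()):
        print(f"[0x{start:08x}-0x{end:08x}] {label}")
```

Only the 32-bit MemoryListStream is handled here; full dumps written with MiniDumpWithFullMemory store ranges in Memory64ListStream instead, whose descriptors carry no per-range RVA (the data follows contiguously from a single base RVA), so a loader for capa would need a second code path for that stream type.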

I finally finished the development of ttd2mdmp! Thanks to this new utility, we can extract minidump files from a TTD trace by specifying a cursor position or a function to hook in the trace! I made a list of all the information I collected within the dump; you can check it in the README. Some important features are still missing, like Python bindings for better integration with capa, and x86 support. I'll now focus on mdmp analysis within capa!

EDIT: After reading your message about the minidump feature extractor again, I also noticed ttd2mdmp might miss the permissions of memory regions. I'll try to add this feature!

atxr avatar Jul 31 '23 07:07 atxr

You mentioned earlier that we should reduce vivisect dependencies. Should I use another parser than the vivisect one, or continue with it?


I suppose IDA has support for minidumps already, so we could use this to prove out the idea of extracting features from minidumps

Also, you mentioned IDA as a Minidump feature extractor, but I can't find it. Do you have a link/clue to find it?

atxr avatar Aug 18 '23 11:08 atxr

if viv is the right tool for the job, no problem in using it. if there's another solution that has a modern and healthy code base, all things being equal, consider picking the other one.

for IDA, i meant that IDA can analyze minidumps and find functions, code, strings, etc. I don't think it can produce minidumps.

williballenthin avatar Aug 18 '23 11:08 williballenthin

and, given that we have a feature extractor that relies on IDA for the heavy lifting, I meant to suggest that using the capa-explorer IDA plugin is a quick way to prove the idea.

williballenthin avatar Aug 18 '23 11:08 williballenthin

Alright, got it, thanks for these clear answers! I'm still trying to figure out how it works by playing a bit with minidumps/vivisect/capa!

atxr avatar Aug 18 '23 12:08 atxr

Hi @williballenthin, I see this issue is still open. Has any work been done on it?

EDIT: Also, I have read through #1649! If this is still a work in progress, can you write a bit more about why you would like to reduce capa's dependence on vivisect? This may be helpful for understanding the pros and cons of different minidump loaders.

aaronatp avatar Nov 09 '23 05:11 aaronatp