[panda-users] reversing windows apps

Michael Sieffert seefdogg at gmail.com
Tue Mar 10 11:52:10 EDT 2015 

Stuck reversing windows apps...

I'm using the stringsearch plugin to locate the areas of a windows program
using particular user data. I see output like the following:

./app-rr-nondet.log:  558756 of 2620754 (21.32%) bytes, 66066382 of
825324992 (8.00%) instructions processed.
./app-rr-nondet.log:  595760 of 2620754 (22.73%) bytes, 74621410 of
825324992 (9.04%) instructions processed.
./app-rr-nondet.log:  609988 of 2620754 (23.28%) bytes, 85417417 of
825324992 (10.35%) instructions processed.
READ Match of str 2 at: instr_count=88385491 :  0000000075900940
000000007593468d 000000005f956380
READ Match of str 2 at: instr_count=88386006 :  0000000075900940
00000000759346c4 000000005f956380
READ Match of str 2 at: instr_count=88453986 :  0000000075900940
000000007593468d 000000005f956380

Unfortunately, the addresses (such as pc and caller addres) in these
matches do not seem to jive with the symbol information I've pulled from
the guest using sysinternals listdlls for the process I'm looking at (found
below, pretty verbose). I would expect some of the addresses to correspond
to the app's module's address space, but do not see any. I suppose it's
possible this is the case, just unlikely.

Am I correct to interpret all of PANDA's output to be virtual addresses?
Any ideas?

app.exe pid: 1352
Command line: "C:\app.exe"

Base        Size      Path
0x2fe70000  0xf2a000  C:\app.exe
0x77090000  0x13c000  C:\Windows\SYSTEM32\ntdll.dll
0x76ad0000  0xd4000   C:\Windows\system32\kernel32.dll
0x752b0000  0x4a000   C:\Windows\system32\KERNELBASE.dll
0x746d0000  0x9000    C:\Windows\system32\VERSION.dll
0x77200000  0xac000   C:\Windows\system32\msvcrt.dll
0x6f0e0000  0xa3000
C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
0x759c0000  0xa0000   C:\Windows\system32\ADVAPI32.dll
0x758c0000  0x19000   C:\Windows\SYSTEM32\sechost.dll
0x76e80000  0xa1000   C:\Windows\system32\RPCRT4.dll
0x76a80000  0x4e000   C:\Windows\system32\GDI32.dll
0x758f0000  0xc9000   C:\Windows\system32\USER32.dll
0x772b0000  0xa000    C:\Windows\system32\LPK.dll
0x754f0000  0x9d000   C:\Windows\system32\USP10.dll
0x771d0000  0x1f000   C:\Windows\system32\IMM32.dll
0x76c00000  0xcc000   C:\Windows\system32\MSCTF.dll
0x70b80000  0x240000  C:\Windows\system32\msi.dll
0x76da0000  0x57000   C:\Windows\system32\SHLWAPI.dll
0x76f30000  0x15c000  C:\Windows\system32\ole32.dll
0x6f040000  0x8e000
C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCP90.dll
0x6dc60000  0x11e0000  C:\Program Files\Common Files\Microsoft
Shared\office14\mso.dll
0x750e0000  0x4c000   C:\Windows\system32\apphelp.dll
0x74230000  0x40000   C:\Windows\system32\uxtheme.dll
0x6d0f0000  0x40f000  C:\Program Files\Common Files\Microsoft
Shared\office14\Cultures\office.odf
0x74270000  0x19e000
 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32.dll
0x75a60000  0x83000   C:\Windows\system32\CLBCatQ.DLL
0x76d10000  0x8f000   C:\Windows\system32\OLEAUT32.dll
0x6cc60000  0x311000  c:\progra~1\micros~1\office14\olmapi32.dll
0x75130000  0xc000    C:\Windows\system32\CRYPTBASE.dll
0x73e00000  0x13000   C:\Windows\system32\dwmapi.dll
0x69de0000  0x646000  C:\Program Files\Microsoft
Office\Office14\1033\OUTLLIBR.DLL
0x658b0000  0x452a000  C:\Program Files\Common Files\Microsoft
Shared\office14\MSORES.DLL
0x6dc20000  0x17000   C:\Windows\system32\DavClnt.DLL
0x706f0000  0x8000    C:\Windows\system32\DAVHLPR.dll
0x6d670000  0x263000  C:\Program Files\Common Files\Microsoft
Shared\office14\1033\MSOINTL.DLL
0x6c9a0000  0x4a000   C:\Windows\system32\mscoree.dll
0x6f640000  0x20000   C:\Program Files\Common Files\Microsoft
Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL
0x6da30000  0x14f000  C:\Program Files\Common Files\Microsoft
Shared\office14\riched20.dll
0x6cb40000  0x113000  c:\progra~1\micros~1\office14\1033\mapir.dll
0x71d70000  0x21000   C:\Windows\system32\ntmarta.dll
0x76bb0000  0x45000   C:\Windows\system32\WLDAP32.dll
0x64630000  0x127a000  C:\Program Files\Microsoft Office\Office14\wwlib.dll
0x6aec0000  0x1ab000  C:\Program Files\Microsoft Office\Office14\gfx.dll
0x73cb0000  0xd000    C:\Windows\system32\WTSAPI32.dll
0x6da20000  0x5000    C:\Windows\system32\MSIMG32.dll
0x63290000  0x1392000  C:\Program Files\Microsoft Office\Office14\oart.dll
0x75140000  0x5f000   C:\Windows\system32\SXS.DLL
0x74ce0000  0x16000   C:\Windows\system32\CRYPTSP.dll
0x74a80000  0x3b000   C:\Windows\system32\rsaenh.dll
0x751a0000  0xe000    C:\Windows\system32\RpcRtRemote.dll
0x6d9f0000  0x23000   c:\progra~1\micros~1\office14\contab32.dll
0x6d9b0000  0x3a000   c:\progra~1\micros~1\office14\omsxp32.dll
0x768e0000  0x136000  C:\Windows\system32\urlmon.dll
0x755c0000  0xf5000   C:\Windows\system32\WININET.dll
0x756c0000  0x1fb000  C:\Windows\system32\iertutil.dll
0x75390000  0x11d000  C:\Windows\system32\CRYPT32.dll
0x75250000  0xc000    C:\Windows\system32\MSASN1.dll
0x6cab0000  0x84000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32.dll
0x6ad40000  0x17f000  c:\progra~1\micros~1\office14\EMSMDB32.DLL
0x75c90000  0xc4a000  C:\Windows\system32\SHELL32.dll
0x6d9a0000  0x7000    C:\Windows\system32\WSOCK32.dll
0x76cd0000  0x35000   C:\Windows\system32\WS2_32.dll
0x771f0000  0x6000    C:\Windows\system32\NSI.dll
0x738a0000  0x10000   C:\Windows\system32\NLAapi.dll
0x734a0000  0x1c000   C:\Windows\system32\IPHLPAPI.DLL
0x73490000  0x7000    C:\Windows\system32\WINNSI.DLL
0x733b0000  0xd000    C:\Windows\system32\dhcpcsvc6.DLL
0x71fa0000  0x12000   C:\Windows\system32\dhcpcsvc.DLL
0x73a70000  0x6000    C:\Windows\system32\rasadhlp.dll
0x6f4d0000  0x3000    C:\Windows\system32\SFC.DLL
0x6f3c0000  0xd000    C:\Windows\system32\sfc_os.DLL
0x63150000  0x133000  c:\progra~1\micros~1\office14\MSPST32.DLL
0x6f250000  0xc000    C:\Windows\system32\mssprxy.dll
0x70760000  0x58000   C:\Program Files\Common Files\microsoft
shared\ink\tiptsf.dll
0x6ee50000  0x12000   C:\Program Files\Microsoft
Office\Office14\ADDINS\ColleagueImport.dll
0x73bb0000  0x11000   C:\Windows\system32\NETAPI32.dll
0x74a70000  0x9000    C:\Windows\system32\netutils.dll
0x74900000  0x19000   C:\Windows\system32\srvcli.dll
0x73ba0000  0xf000    C:\Windows\system32\wkscli.dll
0x62d10000  0x1a3000  C:\Program Files\Microsoft
Office\Office14\SOCIALCONNECTOR.DLL
0x740a0000  0x190000
 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
0x74d90000  0x8000    C:\Windows\system32\Secur32.dll
0x750c0000  0x1b000   C:\Windows\system32\SSPICLI.DLL
0x62960000  0x3a1000
 C:\Windows\WinSxS\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4bf5400abf9d60b7\mfc90u.dll
0x6d990000  0xd000
 C:\Windows\WinSxS\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4973eb1d754a9dc9\MFC90ENU.DLL
0x62860000  0x100000  C:\Program Files\Microsoft
Office\Office14\ADDINS\UmOutlookAddin.dll
0x6c8d0000  0x16000   C:\Windows\system32\MAPI32.dll
0x728b0000  0x3c000   C:\Windows\system32\OLEACC.dll
0x6d980000  0x10000   C:\Program Files\Microsoft
Office\Office14\1033\UmOutlookStrings.dll
0x713d0000  0x16f000  C:\Windows\system32\explorerframe.dll
0x73fb0000  0x2f000   C:\Windows\system32\DUser.dll
0x73fe0000  0xb2000   C:\Windows\system32\DUI70.dll
0x70e10000  0x4e000   C:\Windows\system32\actxprxy.dll
0x6d940000  0x33000   C:\Program Files\Microsoft
Office\Office14\SHAREPOINTPROVIDER.DLL
0x71270000  0x158000  C:\Windows\System32\msxml6.dll
0x73cd0000  0xfb000   C:\Windows\system32\WindowsCodecs.dll
0x6f820000  0xa80000  C:\Windows\System32\ieframe.dll
0x754e0000  0x5000    C:\Windows\system32\PSAPI.DLL
0x751b0000  0xb000    C:\Windows\system32\profapi.dll
0x74b60000  0x44000   C:\Windows\system32\dnsapi.DLL
0x758e0000  0x3000    C:\Windows\system32\Normaliz.dll
0x6ee90000  0x52000   C:\Windows\system32\RASAPI32.dll
0x6ee70000  0x15000   C:\Windows\system32\rasman.dll
0x73a60000  0xd000    C:\Windows\system32\rtutils.dll
0x6d040000  0x6000    C:\Windows\system32\sensapi.dll
0x6cfc0000  0xc000    c:\progra~1\micros~1\office14\outlrpc.dll
0x6c940000  0x55000   c:\progra~1\micros~1\office14\exsec32.dll
0x737a0000  0x10000   C:\Windows\system32\napinsp.dll
0x6b690000  0x66000   c:\progra~1\micros~1\office14\rtfhtml.dll
0x6c9f0000  0x12000   C:\Windows\system32\pnrpnsp.dll
0x74ca0000  0x3c000   C:\Windows\System32\mswsock.dll
0x6c910000  0x2e000   C:\Windows\system32\mlang.dll
0x6c900000  0x8000    C:\Windows\System32\winrnr.dll
0x74760000  0x5000    C:\Windows\System32\wshtcpip.dll
0x74c90000  0x6000    C:\Windows\System32\wship6.dll
0x73360000  0x38000   C:\Windows\System32\fwpuclnt.dll
0x622e0000  0xc9000   C:\Program Files\Microsoft
Office\Office14\1033\wwintl.dll
0x62220000  0xbc000   C:\Program Files\Common Files\Microsoft
Shared\OFFICE14\MSPTLS.DLL
0x73e20000  0xf5000   C:\Windows\system32\propsys.dll
0x75af0000  0x19d000  C:\Windows\system32\SETUPAPI.dll
0x75260000  0x27000   C:\Windows\system32\CFGMGR32.dll
0x75290000  0x12000   C:\Windows\system32\DEVOBJ.dll
0x6b550000  0x9e000   C:\Program Files\Common Files\Microsoft
Shared\OFFICE14\USP10.DLL
0x74970000  0x8000    C:\Windows\system32\credssp.dll
0x74b30000  0x22000   C:\Windows\system32\LOGONCLI.DLL
0x73620000  0x9000    C:\Windows\system32\DSROLE.DLL
0x71820000  0x58000   C:\Windows\system32\WINHTTP.dll
0x717d0000  0x4f000   C:\Windows\system32\webio.dll
0x61c60000  0x5b7000  C:\Windows\System32\mshtml.dll
0x707c0000  0x2a000   C:\Windows\System32\msls31.dll
0x72520000  0x17c000  C:\Windows\system32\tquery.dll
0x6d8e0000  0x5c000   C:\Windows\System32\StructuredQuery.dll
0x737b0000  0xb000    C:\Windows\system32\msimtf.dll
0x61ba0000  0xb2000   C:\Windows\System32\jscript.dll
0x63090000  0xb3000   C:\Program Files\Microsoft Office\Office14\OMSMAIN.DLL
0x738e0000  0x32000   C:\Windows\system32\WINMM.dll
0x6cff0000  0x10000   C:\Windows\system32\msident.dll
0x6cfe0000  0xd000    C:\Windows\system32\PSTOREC.DLL
0x73640000  0x14000   C:\Windows\system32\ATL.DLL
0x73b30000  0x51000   C:\Windows\system32\Winspool.DRV
0x6acd0000  0x63000   C:\Program Files\Microsoft
Office\Office14\1033\omsintl.dll
0x63050000  0x38000   C:\Windows\system32\msoeacct.dll
0x6ca20000  0x1c000   C:\Windows\system32\MSOERT2.dll
0x62f90000  0xb9000   C:\Windows\system32\INETCOMM.dll
0x62f70000  0x16000   C:\Windows\system32\inetres.dll
0x6ca10000  0xb000    C:\Windows\system32\acctres.dll
0x62720000  0x133000  C:\Windows\System32\msxml3.dll
0x624d0000  0xd4000   C:\Program Files\Common Files\System\Ole
DB\oledb32.dll
0x62f50000  0x1f000   C:\Windows\system32\MSDART.DLL
0x74e00000  0x17000   C:\Windows\system32\bcrypt.dll
0x62f30000  0x14000   C:\Program Files\Common Files\System\Ole
DB\OLEDB32R.DLL
0x61a60000  0x136000  C:\Windows\system32\comsvcs.dll
0x749c0000  0x3d000   C:\Windows\system32\bcryptprimitives.dll
0x62ed0000  0x52000   c:\progra~1\micros~1\office14\outlph.dll
0x6dbe0000  0x2b000   C:\Program Files\Internet Explorer\ieproxy.dll
0x618c0000  0x194000  C:\Program Files\Common Files\Microsoft
Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL
0x624a0000  0x23000   C:\Windows\system32\WinSCard.dll
0x72470000  0x5a000   C:\Windows\System32\netprofm.dll
0x6f240000  0x8000    C:\Windows\System32\npmproxy.dll
0x754b0000  0x2d000   C:\Windows\system32\WINTRUST.dll

Seef
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/mailman/private/panda-users/attachments/20150310/5ed196dc/attachment-0001.htm

More information about the panda-users mailing list