[panda-users] reversing windows apps
Brendan Dolan-Gavitt
brendandg at gatech.edu
Tue Mar 10 12:18:18 EDT 2015
Hi,
The third value printed there is the CR3 of the process (essentially,
the physical address of the start of the page table for that process),
not a virtual address of code. The addresses you found seem to be in
user32.dll. You may want to examine the full callstack (which will be
written out to string_matches.txt at the end) in order to figure out
where in application code the calls that resulted in a match
originated.
-Brendan
On Tue, Mar 10, 2015 at 11:52 AM, Michael Sieffert <seefdogg at gmail.com> wrote:
> Stuck reversing Windows apps...
>
> I'm using the stringsearch plugin to locate the areas of a Windows program
> using particular user data. I see output like the following:
>
> ./app-rr-nondet.log: 558756 of 2620754 (21.32%) bytes, 66066382 of 825324992 (8.00%) instructions processed.
> ./app-rr-nondet.log: 595760 of 2620754 (22.73%) bytes, 74621410 of 825324992 (9.04%) instructions processed.
> ./app-rr-nondet.log: 609988 of 2620754 (23.28%) bytes, 85417417 of 825324992 (10.35%) instructions processed.
> READ Match of str 2 at: instr_count=88385491 : 0000000075900940 000000007593468d 000000005f956380
> READ Match of str 2 at: instr_count=88386006 : 0000000075900940 00000000759346c4 000000005f956380
> READ Match of str 2 at: instr_count=88453986 : 0000000075900940 000000007593468d 000000005f956380
>
> Unfortunately, the addresses (such as pc and caller address) in these matches
> do not seem to jive with the symbol information I've pulled from the guest
> using sysinternals listdlls for the process I'm looking at (found below,
> pretty verbose). I would expect some of the addresses to correspond to the
> app's module's address space, but do not see any. I suppose it's possible
> this is the case, just unlikely.
>
> Am I correct to interpret all of PANDA's output to be virtual addresses? Any
> ideas?
>
> app.exe pid: 1352
> Command line: "C:\app.exe"
>
> Base Size Path
> 0x2fe70000 0xf2a000 C:\app.exe
> 0x77090000 0x13c000 C:\Windows\SYSTEM32\ntdll.dll
> 0x76ad0000 0xd4000 C:\Windows\system32\kernel32.dll
> 0x752b0000 0x4a000 C:\Windows\system32\KERNELBASE.dll
> 0x746d0000 0x9000 C:\Windows\system32\VERSION.dll
> 0x77200000 0xac000 C:\Windows\system32\msvcrt.dll
> 0x6f0e0000 0xa3000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
> 0x759c0000 0xa0000 C:\Windows\system32\ADVAPI32.dll
> 0x758c0000 0x19000 C:\Windows\SYSTEM32\sechost.dll
> 0x76e80000 0xa1000 C:\Windows\system32\RPCRT4.dll
> 0x76a80000 0x4e000 C:\Windows\system32\GDI32.dll
> 0x758f0000 0xc9000 C:\Windows\system32\USER32.dll
> 0x772b0000 0xa000 C:\Windows\system32\LPK.dll
> 0x754f0000 0x9d000 C:\Windows\system32\USP10.dll
> 0x771d0000 0x1f000 C:\Windows\system32\IMM32.dll
> 0x76c00000 0xcc000 C:\Windows\system32\MSCTF.dll
> 0x70b80000 0x240000 C:\Windows\system32\msi.dll
> 0x76da0000 0x57000 C:\Windows\system32\SHLWAPI.dll
> 0x76f30000 0x15c000 C:\Windows\system32\ole32.dll
> 0x6f040000 0x8e000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCP90.dll
> 0x6dc60000 0x11e0000 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll
> 0x750e0000 0x4c000 C:\Windows\system32\apphelp.dll
> 0x74230000 0x40000 C:\Windows\system32\uxtheme.dll
> 0x6d0f0000 0x40f000 C:\Program Files\Common Files\Microsoft Shared\office14\Cultures\office.odf
> 0x74270000 0x19e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32.dll
> 0x75a60000 0x83000 C:\Windows\system32\CLBCatQ.DLL
> 0x76d10000 0x8f000 C:\Windows\system32\OLEAUT32.dll
> 0x6cc60000 0x311000 c:\progra~1\micros~1\office14\olmapi32.dll
> 0x75130000 0xc000 C:\Windows\system32\CRYPTBASE.dll
> 0x73e00000 0x13000 C:\Windows\system32\dwmapi.dll
> 0x69de0000 0x646000 C:\Program Files\Microsoft Office\Office14\1033\OUTLLIBR.DLL
> 0x658b0000 0x452a000 C:\Program Files\Common Files\Microsoft Shared\office14\MSORES.DLL
> 0x6dc20000 0x17000 C:\Windows\system32\DavClnt.DLL
> 0x706f0000 0x8000 C:\Windows\system32\DAVHLPR.dll
> 0x6d670000 0x263000 C:\Program Files\Common Files\Microsoft Shared\office14\1033\MSOINTL.DLL
> 0x6c9a0000 0x4a000 C:\Windows\system32\mscoree.dll
> 0x6f640000 0x20000 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL
> 0x6da30000 0x14f000 C:\Program Files\Common Files\Microsoft Shared\office14\riched20.dll
> 0x6cb40000 0x113000 c:\progra~1\micros~1\office14\1033\mapir.dll
> 0x71d70000 0x21000 C:\Windows\system32\ntmarta.dll
> 0x76bb0000 0x45000 C:\Windows\system32\WLDAP32.dll
> 0x64630000 0x127a000 C:\Program Files\Microsoft Office\Office14\wwlib.dll
> 0x6aec0000 0x1ab000 C:\Program Files\Microsoft Office\Office14\gfx.dll
> 0x73cb0000 0xd000 C:\Windows\system32\WTSAPI32.dll
> 0x6da20000 0x5000 C:\Windows\system32\MSIMG32.dll
> 0x63290000 0x1392000 C:\Program Files\Microsoft Office\Office14\oart.dll
> 0x75140000 0x5f000 C:\Windows\system32\SXS.DLL
> 0x74ce0000 0x16000 C:\Windows\system32\CRYPTSP.dll
> 0x74a80000 0x3b000 C:\Windows\system32\rsaenh.dll
> 0x751a0000 0xe000 C:\Windows\system32\RpcRtRemote.dll
> 0x6d9f0000 0x23000 c:\progra~1\micros~1\office14\contab32.dll
> 0x6d9b0000 0x3a000 c:\progra~1\micros~1\office14\omsxp32.dll
> 0x768e0000 0x136000 C:\Windows\system32\urlmon.dll
> 0x755c0000 0xf5000 C:\Windows\system32\WININET.dll
> 0x756c0000 0x1fb000 C:\Windows\system32\iertutil.dll
> 0x75390000 0x11d000 C:\Windows\system32\CRYPT32.dll
> 0x75250000 0xc000 C:\Windows\system32\MSASN1.dll
> 0x6cab0000 0x84000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\Comctl32.dll
> 0x6ad40000 0x17f000 c:\progra~1\micros~1\office14\EMSMDB32.DLL
> 0x75c90000 0xc4a000 C:\Windows\system32\SHELL32.dll
> 0x6d9a0000 0x7000 C:\Windows\system32\WSOCK32.dll
> 0x76cd0000 0x35000 C:\Windows\system32\WS2_32.dll
> 0x771f0000 0x6000 C:\Windows\system32\NSI.dll
> 0x738a0000 0x10000 C:\Windows\system32\NLAapi.dll
> 0x734a0000 0x1c000 C:\Windows\system32\IPHLPAPI.DLL
> 0x73490000 0x7000 C:\Windows\system32\WINNSI.DLL
> 0x733b0000 0xd000 C:\Windows\system32\dhcpcsvc6.DLL
> 0x71fa0000 0x12000 C:\Windows\system32\dhcpcsvc.DLL
> 0x73a70000 0x6000 C:\Windows\system32\rasadhlp.dll
> 0x6f4d0000 0x3000 C:\Windows\system32\SFC.DLL
> 0x6f3c0000 0xd000 C:\Windows\system32\sfc_os.DLL
> 0x63150000 0x133000 c:\progra~1\micros~1\office14\MSPST32.DLL
> 0x6f250000 0xc000 C:\Windows\system32\mssprxy.dll
> 0x70760000 0x58000 C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
> 0x6ee50000 0x12000 C:\Program Files\Microsoft Office\Office14\ADDINS\ColleagueImport.dll
> 0x73bb0000 0x11000 C:\Windows\system32\NETAPI32.dll
> 0x74a70000 0x9000 C:\Windows\system32\netutils.dll
> 0x74900000 0x19000 C:\Windows\system32\srvcli.dll
> 0x73ba0000 0xf000 C:\Windows\system32\wkscli.dll
> 0x62d10000 0x1a3000 C:\Program Files\Microsoft Office\Office14\SOCIALCONNECTOR.DLL
> 0x740a0000 0x190000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
> 0x74d90000 0x8000 C:\Windows\system32\Secur32.dll
> 0x750c0000 0x1b000 C:\Windows\system32\SSPICLI.DLL
> 0x62960000 0x3a1000 C:\Windows\WinSxS\x86_microsoft.vc90.mfc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4bf5400abf9d60b7\mfc90u.dll
> 0x6d990000 0xd000 C:\Windows\WinSxS\x86_microsoft.vc90.mfcloc_1fc8b3b9a1e18e3b_9.0.30729.4148_none_4973eb1d754a9dc9\MFC90ENU.DLL
> 0x62860000 0x100000 C:\Program Files\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll
> 0x6c8d0000 0x16000 C:\Windows\system32\MAPI32.dll
> 0x728b0000 0x3c000 C:\Windows\system32\OLEACC.dll
> 0x6d980000 0x10000 C:\Program Files\Microsoft Office\Office14\1033\UmOutlookStrings.dll
> 0x713d0000 0x16f000 C:\Windows\system32\explorerframe.dll
> 0x73fb0000 0x2f000 C:\Windows\system32\DUser.dll
> 0x73fe0000 0xb2000 C:\Windows\system32\DUI70.dll
> 0x70e10000 0x4e000 C:\Windows\system32\actxprxy.dll
> 0x6d940000 0x33000 C:\Program Files\Microsoft Office\Office14\SHAREPOINTPROVIDER.DLL
> 0x71270000 0x158000 C:\Windows\System32\msxml6.dll
> 0x73cd0000 0xfb000 C:\Windows\system32\WindowsCodecs.dll
> 0x6f820000 0xa80000 C:\Windows\System32\ieframe.dll
> 0x754e0000 0x5000 C:\Windows\system32\PSAPI.DLL
> 0x751b0000 0xb000 C:\Windows\system32\profapi.dll
> 0x74b60000 0x44000 C:\Windows\system32\dnsapi.DLL
> 0x758e0000 0x3000 C:\Windows\system32\Normaliz.dll
> 0x6ee90000 0x52000 C:\Windows\system32\RASAPI32.dll
> 0x6ee70000 0x15000 C:\Windows\system32\rasman.dll
> 0x73a60000 0xd000 C:\Windows\system32\rtutils.dll
> 0x6d040000 0x6000 C:\Windows\system32\sensapi.dll
> 0x6cfc0000 0xc000 c:\progra~1\micros~1\office14\outlrpc.dll
> 0x6c940000 0x55000 c:\progra~1\micros~1\office14\exsec32.dll
> 0x737a0000 0x10000 C:\Windows\system32\napinsp.dll
> 0x6b690000 0x66000 c:\progra~1\micros~1\office14\rtfhtml.dll
> 0x6c9f0000 0x12000 C:\Windows\system32\pnrpnsp.dll
> 0x74ca0000 0x3c000 C:\Windows\System32\mswsock.dll
> 0x6c910000 0x2e000 C:\Windows\system32\mlang.dll
> 0x6c900000 0x8000 C:\Windows\System32\winrnr.dll
> 0x74760000 0x5000 C:\Windows\System32\wshtcpip.dll
> 0x74c90000 0x6000 C:\Windows\System32\wship6.dll
> 0x73360000 0x38000 C:\Windows\System32\fwpuclnt.dll
> 0x622e0000 0xc9000 C:\Program Files\Microsoft Office\Office14\1033\wwintl.dll
> 0x62220000 0xbc000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
> 0x73e20000 0xf5000 C:\Windows\system32\propsys.dll
> 0x75af0000 0x19d000 C:\Windows\system32\SETUPAPI.dll
> 0x75260000 0x27000 C:\Windows\system32\CFGMGR32.dll
> 0x75290000 0x12000 C:\Windows\system32\DEVOBJ.dll
> 0x6b550000 0x9e000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
> 0x74970000 0x8000 C:\Windows\system32\credssp.dll
> 0x74b30000 0x22000 C:\Windows\system32\LOGONCLI.DLL
> 0x73620000 0x9000 C:\Windows\system32\DSROLE.DLL
> 0x71820000 0x58000 C:\Windows\system32\WINHTTP.dll
> 0x717d0000 0x4f000 C:\Windows\system32\webio.dll
> 0x61c60000 0x5b7000 C:\Windows\System32\mshtml.dll
> 0x707c0000 0x2a000 C:\Windows\System32\msls31.dll
> 0x72520000 0x17c000 C:\Windows\system32\tquery.dll
> 0x6d8e0000 0x5c000 C:\Windows\System32\StructuredQuery.dll
> 0x737b0000 0xb000 C:\Windows\system32\msimtf.dll
> 0x61ba0000 0xb2000 C:\Windows\System32\jscript.dll
> 0x63090000 0xb3000 C:\Program Files\Microsoft Office\Office14\OMSMAIN.DLL
> 0x738e0000 0x32000 C:\Windows\system32\WINMM.dll
> 0x6cff0000 0x10000 C:\Windows\system32\msident.dll
> 0x6cfe0000 0xd000 C:\Windows\system32\PSTOREC.DLL
> 0x73640000 0x14000 C:\Windows\system32\ATL.DLL
> 0x73b30000 0x51000 C:\Windows\system32\Winspool.DRV
> 0x6acd0000 0x63000 C:\Program Files\Microsoft Office\Office14\1033\omsintl.dll
> 0x63050000 0x38000 C:\Windows\system32\msoeacct.dll
> 0x6ca20000 0x1c000 C:\Windows\system32\MSOERT2.dll
> 0x62f90000 0xb9000 C:\Windows\system32\INETCOMM.dll
> 0x62f70000 0x16000 C:\Windows\system32\inetres.dll
> 0x6ca10000 0xb000 C:\Windows\system32\acctres.dll
> 0x62720000 0x133000 C:\Windows\System32\msxml3.dll
> 0x624d0000 0xd4000 C:\Program Files\Common Files\System\Ole DB\oledb32.dll
> 0x62f50000 0x1f000 C:\Windows\system32\MSDART.DLL
> 0x74e00000 0x17000 C:\Windows\system32\bcrypt.dll
> 0x62f30000 0x14000 C:\Program Files\Common Files\System\Ole DB\OLEDB32R.DLL
> 0x61a60000 0x136000 C:\Windows\system32\comsvcs.dll
> 0x749c0000 0x3d000 C:\Windows\system32\bcryptprimitives.dll
> 0x62ed0000 0x52000 c:\progra~1\micros~1\office14\outlph.dll
> 0x6dbe0000 0x2b000 C:\Program Files\Internet Explorer\ieproxy.dll
> 0x618c0000 0x194000 C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPCEXT.DLL
> 0x624a0000 0x23000 C:\Windows\system32\WinSCard.dll
> 0x72470000 0x5a000 C:\Windows\System32\netprofm.dll
> 0x6f240000 0x8000 C:\Windows\System32\npmproxy.dll
> 0x754b0000 0x2d000 C:\Windows\system32\WINTRUST.dll
>
> Seef
>
> _______________________________________________
> panda-users mailing list
> panda-users at mit.edu
> http://mailman.mit.edu/mailman/listinfo/panda-users
>
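As an added example (not code from the thread, PANDA or the poster), a small script that performs the lookup Brendan describes: it parses the stringsearch match lines and the listdlls "Base Size Path" table quoted above, resolves the pc and caller values to module+offset (both land in USER32.dll), and shows that the third value, the CR3, falls in no loaded module. The sample input is a constructed excerpt of the post's data, and the match-line format is assumed to be exactly as quoted.

```python
import re

# Constructed sample: two stringsearch records from the thread, rejoined
# onto one line each (the three hex values are pc, caller, CR3).
MATCHES = """\
READ Match of str 2 at: instr_count=88385491 : 0000000075900940 000000007593468d 000000005f956380
READ Match of str 2 at: instr_count=88386006 : 0000000075900940 00000000759346c4 000000005f956380
"""

# Constructed excerpt of the listdlls "Base Size Path" table from the post.
LISTDLLS = r"""Base Size Path
0x2fe70000 0xf2a000 C:\app.exe
0x758f0000 0xc9000 C:\Windows\system32\USER32.dll
0x759c0000 0xa0000 C:\Windows\system32\ADVAPI32.dll
"""

MATCH_RE = re.compile(r"Match of str (\d+) at: instr_count=(\d+) : "
                      r"([0-9a-fA-F]+) ([0-9a-fA-F]+) ([0-9a-fA-F]+)")
MODULE_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+)$")

def parse_modules(text):
    """Return (base, size, path) tuples; the header line does not match."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return mods

def resolve(addr, mods):
    """Map a virtual address to 'module+offset', or None if no module covers it."""
    for base, size, path in mods:
        if base <= addr < base + size:
            name = path.rsplit("\\", 1)[-1]  # file name only
            return f"{name}+0x{addr - base:x}"
    return None

def resolve_matches(match_text, module_text):
    """Symbolise pc and caller; CR3 is a page-table address, so it resolves to None."""
    mods = parse_modules(module_text)
    rows = []
    for line in match_text.splitlines():
        m = MATCH_RE.search(line)
        if not m:
            continue
        str_id, icount, pc, caller, cr3 = m.groups()
        rows.append({"str": int(str_id), "instr_count": int(icount),
                     "pc": resolve(int(pc, 16), mods), "caller": resolve(int(caller, 16), mods),
                     "cr3": int(cr3, 16), "cr3_module": resolve(int(cr3, 16), mods)})
    return rows
```

Feed it the full listdlls table and the rejoined match lines from a real run, and the same resolution applies to each frame of the call stack that stringsearch writes to string_matches.txt.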