Una manera de detectar intrusos.
Posteado en: http://hackhound.org/forums/topic/7209-vb6src-memory-regions/ (http://hackhound.org/forums/topic/7209-vb6src-memory-regions/)
Módulo:
Option Explicit
' C original (ntdll, undocumented):
'typedef enum _MEMORY_INFORMATION_CLASS {
' MemoryBasicInformation,
' MemoryWorkingSetList,
' MemorySectionName
'} MEMORY_INFORMATION_CLASS;
' Information classes accepted by ZwQueryVirtualMemory (declared further down).
' The form code on this page uses MemoryBasicInformation (fills a
' MEMORY_BASIC_INFORMATION) and MemorySectionName (fills a UNICODE_STRING header
' followed by the kernel path of the section backing the region).
Public Enum MEMORY_INFORMATION_CLASS
MemoryBasicInformation = 0 ' VB auto-increments the members that follow, matching the C enum
MemoryWorkingSetList
MemorySectionName
End Enum
'typedef struct _MEMORY_BASIC_INFORMATION {
' PVOID BaseAddress;
' PVOID AllocationBase;
' DWORD AllocationProtect;
' SIZE_T RegionSize;
' DWORD State;
' DWORD Protect;
' DWORD Type;
'} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;
' 32-bit layout only: seven Longs, 28 bytes (&H1C) in total, which is the length
' the form passes to VirtualQuery and ZwQueryVirtualMemory.  Pointers and SIZE_T
' are carried as signed Longs, so values at or above &H80000000 read as negative.
Public Type MEMORY_BASIC_INFORMATION
BaseAddress As Long ' start of the region described
AllocationBase As Long ' start of the allocation this region belongs to
AllocationProtect As Long ' PAGE_* protection given when the allocation was made
RegionSize As Long ' size in bytes of the region starting at BaseAddress
State As Long ' MEM_COMMIT, MEM_RESERVE or MEM_FREE
Protect As Long ' PAGE_* protection the pages have now (may include PAGE_GUARD)
Type As Long ' MEM_PRIVATE or MEM_MAPPED (or MEM_IMAGE, which this module does not define)
End Type
'typedef struct _FUNCTION_INFORMATION {
' char name[64];
' ULONG_PTR VirtualAddress;
'} FUNCTION_INFORMATION, *PFUNCTION_INFORMATION;
' Mirror of the C sample's per-function record.  Not used by the code on this page.
' NOTE(review): a VB fixed-length String is stored as UTF-16 in memory (128 bytes
' for 64 characters), not as the 64 ANSI bytes of char name[64]; VB only converts
' it to ANSI when the whole UDT is passed to a Declare'd procedure.  Confirm the
' layout before overlaying this type on memory written by C code.
Public Type FUNCTION_INFORMATION
name As String * 64
VirtualAddress As Long ' ULONG_PTR on 32-bit
End Type
'typedef struct _MODULE_INFORMATION
'{
' PVOID BaseAddress;
' PVOID AllocationBase;
' DWORD AllocationProtect;
' SIZE_T RegionSize;
' DWORD State;
' DWORD Protect;
' DWORD Type;
' WCHAR szPathName[MAX_PATH];
' PVOID EntryAddress;
' PFUNCTION_INFORMATION Functions;
' DWORD FunctionCount;
' DWORD SizeOfImage;
'}MODULE_INFORMATION, *PMODULE_INFORMATION;
' Mirror of the C sample's per-module record: a MEMORY_BASIC_INFORMATION prefix
' (first 28 bytes, so the form can RtlMoveMemory an mbi straight into it) followed
' by the module details.  Total size 564 bytes (&H234).  On this page it is only
' zero-filled and given the mbi prefix; the remaining fields are never written.
Public Type MODULE_INFORMATION
BaseAddress As Long
AllocationBase As Long
AllocationProtect As Long
RegionSize As Long
State As Long
Protect As Long
Type As Long
szPathName(1 To 520) As Byte ' WCHAR[MAX_PATH]: 260 UTF-16 units = 520 bytes
EntryAddress As Long
Functions As Long ' a pointer (PFUNCTION_INFORMATION in C): holds a VarPtr value, not an inline array
FunctionCount As Long
SizeOfImage As Long
End Type
'struct UNICODE_STRING {
' USHORT Length;
' USHORT MaximumLength;
' PWSTR Buffer;
'};
' Native counted string, 8 bytes on 32-bit.  Length and MaximumLength are BYTE
' counts (not character counts) and exclude any terminator; the form code treats
' the name returned by MemorySectionName as Length bytes of UTF-16.  VB's Integer
' is signed, so a count of 32768 or more reads as negative.
Public Type UNICODE_STRING
Length As Integer ' USHORT: bytes in use
MaximumLength As Integer ' USHORT: bytes available in Buffer
Buffer As Long 'PWSTR Buffer; pointer to the UTF-16 characters
End Type
'typedef UNICODE_STRING *PUNICODE_STRING;
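' Page protection flags (PAGE_*), as reported in MEMORY_BASIC_INFORMATION.Protect
' and .AllocationProtect.  The first eight are mutually exclusive base protections;
' PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE are modifiers OR-ed onto them.
Public Const PAGE_NOACCESS = &H1
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_WRITECOPY = &H8
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_EXECUTE_READWRITE = &H40
Public Const PAGE_EXECUTE_WRITECOPY = &H80
Public Const PAGE_GUARD = &H100 ' first touch raises STATUS_GUARD_PAGE_VIOLATION; never read such pages
Public Const PAGE_NOCACHE = &H200
Public Const PAGE_WRITECOMBINE = &H400
' Region state (MEMORY_BASIC_INFORMATION.State) and VirtualAlloc / VirtualFree flags.
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_DECOMMIT = &H4000
Public Const MEM_RELEASE = &H8000
Public Const MEM_FREE = &H10000
' Region type (MEMORY_BASIC_INFORMATION.Type).
' Fix: the original listing read "20000" (decimal, i.e. &H4E20), so a comparison
' against mbi.Type could never match; the Win32 value is &H20000.
Public Const MEM_PRIVATE = &H20000
Public Const MEM_MAPPED = &H40000
Public Const MEM_IMAGE = &H1000000 ' added: region maps an executable image (EXE/DLL); absent from the original listing
Public Const MEM_RESET = &H80000
Public Const MEM_TOP_DOWN = &H100000
Public Const MEM_WRITE_WATCH = &H200000
Public Const MEM_PHYSICAL = &H400000
Public Const MEM_ROTATE = &H800000
Public Const MEM_LARGE_PAGES = &H20000000
Public Const MEM_4MB_PAGES = &H80000000 ' sign bit set: -2147483648 as a VB Long; only the bit pattern matters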
'typedef LONG (WINAPI *ZWQUERYVIRTUALMEMORY)(
' HANDLE ProcessHandle,
' PVOID BaseAddress,
' MEMORY_INFORMATION_CLASS MemoryInformationClass,
' PVOID MemoryInformation,
' ULONG MemoryInformationLength,
' PULONG ReturnLength
');
' Undocumented ntdll export.  Returns an NTSTATUS: as a signed Long it is >= 0 on
' success and negative on failure, which is how the form tests it.  MemoryInformation
' is passed as a raw address (VarPtr of the output buffer) and ReturnLength is
' declared ByVal so callers can pass 0& for NULL.
Public Declare Function ZwQueryVirtualMemory Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal MemoryInformationClass As MEMORY_INFORMATION_CLASS, ByVal MemoryInformation As Long, ByVal MemoryInformationLength As Long, ByVal ReturnLength As Long) As Long
' Pseudo-handle for the calling process; it does not have to be closed.
Public Declare Function GetCurrentProcess Lib "kernel32" () As Long
' NOTE: lpAddress is "ByRef ... As Any".  To query an address held in a Long
' variable X, call VirtualQuery(ByVal X, mbi, Len(mbi)).  Passing X without ByVal
' hands the API the address OF the variable and queries the page holding it.
' Returns the number of bytes written to lpBuffer, 0 on failure.
Public Declare Function VirtualQuery Lib "kernel32" (ByRef lpAddress As Any, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Public Declare Sub ZeroMemory Lib "kernel32.dll" Alias "RtlZeroMemory" (Destination As Any, ByVal Length As Long) ' fills Length bytes with 0
Public Declare Sub RtlMoveMemory Lib "kernel32.dll" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long) ' memmove semantics
' OpenProcess / CloseHandle are not used by the code on this page, which only
' queries the current process.
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' Despite the parameter name, the last argument receives the number of bytes READ.
' Returns non-zero on success.
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long ' not used by the code on this page
' Access rights for OpenProcess.  Not used by the code on this page (it queries the
' current process through the GetCurrentProcess pseudo-handle).
Public Const PROCESS_ALL_ACCESS = &H1F0FFF 'Specifies all possible access flags for the process object.
Public Const PROCESS_CREATE_THREAD = &H2 'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
Public Const PROCESS_DUP_HANDLE = &H40 'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
Public Const PROCESS_QUERY_INFORMATION = &H400 'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
Public Const PROCESS_SET_INFORMATION = &H200 'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
Public Const PROCESS_TERMINATE = &H1 'Enables using the process handle in the TerminateProcess function to terminate the process.
Public Const PROCESS_VM_OPERATION = &H8 'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
Public Const PROCESS_VM_READ = &H10 'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
Public Const PROCESS_VM_WRITE = &H20 'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
Public Const SYNCHRONIZE = &H100000 'Enables using the process handle in any of the wait functions to wait for the process to terminate.
' Private alias of the same RtlMoveMemory declared Public above; used by the two
' string helpers below.  Form code cannot see it and uses RtlMoveMemory instead.
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
'The WideCharToMultiByte function maps a wide-character string to a new character string.
'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.
' Only CP_ACP with dwFlags = 0 is used on this page (StringToByteArray below); the
' other code pages and flags are kept for completeness.
'CodePage
Private Const CP_ACP = 0 'ANSI
Private Const CP_MACCP = 2 'Mac
Private Const CP_OEMCP = 1 'OEM
Private Const CP_UTF7 = 65000
Private Const CP_UTF8 = 65001
'dwFlags
Private Const WC_NO_BEST_FIT_CHARS = &H400
Private Const WC_COMPOSITECHECK = &H200
Private Const WC_DISCARDNS = &H10
Private Const WC_SEPCHARS = &H20 'Default
Private Const WC_DEFAULTCHAR = &H40
' All pointers are passed as raw addresses (StrPtr / VarPtr).  With cbMultiByte = 0
' the call only returns the number of bytes the conversion needs; with
' cchWideChar = -1 the input is taken as NUL-terminated and the NUL is counted too.
' Returns 0 on failure (e.g. output buffer too small).
Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long
Public Function ByteArrayToString(Bytes() As Byte) As String
' Turns a Byte array into a VB String.  Two layouts are recognised:
'   * UTF-16 (what the "W" APIs and UNICODE_STRING produce): assumed when the
'     second byte is 0, i.e. the first 16-bit unit equals the first byte.  The
'     bytes are copied straight into the String's own buffer; an odd trailing
'     byte is dropped as a terminator.
'   * otherwise ANSI: converted with StrConv(..., vbUnicode).
' Arrays with fewer than two elements are always treated as ANSI.  An
' uninitialised array is tolerated (On Error Resume Next) and yields "".
' The detection is a heuristic: an ANSI string whose second character is NUL
' would be taken for UTF-16.
Dim wFirst As Long ' first two bytes read as a 16-bit unit
Dim cb As Long ' number of bytes in the array
On Error Resume Next
cb = UBound(Bytes)
If cb < 1 Then
ByteArrayToString = StrConv(Bytes, vbUnicode)
Exit Function
End If
cb = cb + 1
CopyMemory wFirst, Bytes(0), 2
If wFirst <> Bytes(0) Then
' high byte of the first unit is non-zero: ANSI
ByteArrayToString = StrConv(Bytes, vbUnicode)
Else
' UTF-16: keep whole units only, then copy into a pre-sized String
If cb Mod 2 = 1 Then cb = cb - 1
ByteArrayToString = String$(cb \ 2, 0)
CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), cb
End If
End Function
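Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
' Converts a VB String to a Byte array.
'   bReturnAsUnicode = True : the UTF-16 code units exactly as VB stores them
'                             (2 bytes per character).
'   bReturnAsUnicode = False: the ANSI (CP_ACP) encoding.  The required size is
'                             obtained from WideCharToMultiByte first, so strings
'                             that need more than one byte per character in a
'                             multi-byte code page are no longer truncated.
'   bAddNullTerminator       : append a terminator of the encoding's width
'                             (two zero bytes for UTF-16, one for ANSI).
' Fixes relative to the original listing:
'   * an empty string returns a zero-length array (UBound = -1) instead of raising
'     "Subscript out of range" from ReDim buf(-1);
'   * the ANSI path passed cchWideChar = -1 (counting the implicit NUL) with a
'     buffer of Len(strInput) bytes, so the conversion failed for lack of room;
'   * the UTF-16 terminator was a single zero byte, which is not a valid WCHAR NUL.
Dim bytBuffer() As Byte
Dim lLenB As Long ' payload bytes, excluding any terminator
Dim lExtra As Long ' terminator bytes to append
If bReturnAsUnicode Then
lLenB = LenB(strInput)
If bAddNullTerminator Then lExtra = 2
If lLenB + lExtra = 0 Then
bytBuffer = "" ' assigning an empty String yields a zero-length Byte array
Else
ReDim bytBuffer(lLenB + lExtra - 1) ' ReDim zero-fills, so the terminator is already in place
If lLenB > 0 Then CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
End If
Else
If bAddNullTerminator Then lExtra = 1
' Measure first: cbMultiByte = 0 makes the call return the byte count needed.
' Len(strInput) (not -1) keeps the implicit terminator out of that count.
If Len(strInput) > 0 Then
lLenB = WideCharToMultiByte(CP_ACP, 0&, StrPtr(strInput), Len(strInput), 0&, 0&, 0&, 0&)
End If
If lLenB + lExtra = 0 Then
bytBuffer = ""
Else
ReDim bytBuffer(lLenB + lExtra - 1)
If lLenB > 0 Then
Call WideCharToMultiByte(CP_ACP, 0&, StrPtr(strInput), Len(strInput), VarPtr(bytBuffer(0)), lLenB, 0&, 0&)
End If
End If
End If
StringToByteArray = bytBuffer
End Function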
Form:
Agregar un RichTextBox llamado txtSections (donde se vuelca el texto), un Label llamado Label1 (muestra la dirección por la que va el bucle) y un CommandButton llamado Command1 (la acción).
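Private Sub Command1_Click()
' Walks the 32-bit user address space of *this* process with VirtualQuery and
' lists every committed, readable region.  For each one it asks ntdll
' (ZwQueryVirtualMemory / MemorySectionName) which file-backed section, if any,
' the region maps and appends that kernel path (\Device\...).  A path that is not
' one of the program's own modules or OCXs marks code something else put into
' the process - the "external region" the thread below the listing refers to.
'
' Fixes relative to the original listing:
'  * VirtualQuery's lpAddress is declared "ByRef ... As Any", so it must be called
'    with "ByVal Addr"; without ByVal it received the address of the local
'    variable and the walk only advanced because the later Zw query happened to
'    overwrite mbi.  That redundant MemoryBasicInformation query is gone.
'  * UNICODE_STRING.Length is a byte count; the original copied Length * 2 bytes
'    from offset 8 of the 524-byte buffer and could read well past its end.  The
'    copy is now bounded by the buffer and builds the String directly.
'  * The loop stops before BaseAddress + RegionSize can overflow a Long.
'  * Readability is judged on mbi.Protect (current protection) instead of
'    AllocationProtect, and guard pages are skipped.
Dim mbi As MEMORY_BASIC_INFORMATION
' Output buffer for MemorySectionName: an 8-byte UNICODE_STRING header followed
' by the name characters it points to (&H20C = 524 bytes, as in the original).
Dim szBuffer(523) As Byte
Dim usSectionName As UNICODE_STRING
Dim sName As String
Dim hProcess As Long
Dim hRet As Long
Dim Addr As Long
Dim READABLE As Long
Dim cbBuffer As Long
Dim cbName As Long
hProcess = GetCurrentProcess() ' pseudo-handle, never needs CloseHandle
cbBuffer = UBound(szBuffer) + 1
READABLE = PAGE_EXECUTE_READ Or PAGE_EXECUTE_READWRITE Or PAGE_EXECUTE_WRITECOPY _
Or PAGE_READONLY Or PAGE_READWRITE Or PAGE_WRITECOPY
txtSections.Text = ""
txtSections.Visible = False ' avoid repainting the control on every append
Addr = 0
' ByVal is essential here (see header comment).  VirtualQuery returns 0 once Addr
' is beyond the addressable user space, which also ends the loop.
Do While VirtualQuery(ByVal Addr, mbi, Len(mbi)) <> 0
DoEvents
Label1.Caption = "0x" & Hex(Addr)
If (mbi.State And MEM_COMMIT) <> 0 Then
If (mbi.Protect And READABLE) <> 0 And (mbi.Protect And PAGE_GUARD) = 0 Then
txtSections.Text = txtSections.Text & "Add: " & Hex(Addr) & " - Size: " & Hex(mbi.RegionSize) & vbNewLine
' Ask for the backing section's name.  Regions not backed by a section
' (private memory) are expected to come back with a failure NTSTATUS
' (negative as a signed Long) and are listed without a path.
Call ZeroMemory(szBuffer(0), cbBuffer)
hRet = ZwQueryVirtualMemory(hProcess, Addr, MemorySectionName, VarPtr(szBuffer(0)), cbBuffer, 0&)
If hRet >= 0 Then
' Header first: Length / MaximumLength are byte counts.  On 32-bit the
' header is 8 bytes and the characters follow it immediately, which is
' what the original's hard-coded "offset 8" relied on.
Call RtlMoveMemory(usSectionName, szBuffer(0), Len(usSectionName))
cbName = usSectionName.Length
' Never copy more than the buffer holds after the header.
If cbName > cbBuffer - Len(usSectionName) Then cbName = cbBuffer - Len(usSectionName)
If cbName > 0 Then
' Copy the UTF-16 units straight into a String of the right size.
sName = String$(cbName \ 2, 0)
Call RtlMoveMemory(ByVal StrPtr(sName), szBuffer(Len(usSectionName)), cbName)
txtSections.Text = txtSections.Text & sName & " (" & usSectionName.Length & "/" & usSectionName.MaximumLength & ")" & vbNewLine & vbNewLine
End If
End If
End If
End If
txtSections.SelStart = Len(txtSections.Text)
' Stop at the top of the 32-bit user range; the second test keeps
' BaseAddress + RegionSize from overflowing a signed Long or looping forever.
If Addr >= &H7FFF0000 Then Exit Do
If mbi.RegionSize <= 0 Or mbi.RegionSize > &H7FFF0000 - mbi.BaseAddress Then Exit Do
Addr = mbi.BaseAddress + mbi.RegionSize
Loop
txtSections.Visible = True
MsgBox "Done"
End Sub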
Resultado:
Add: 0 - Size: 1000
Add: 10000 - Size: 1000
Add: 20000 - Size: 1000
Add: 21000 - Size: 1000
Add: 30000 - Size: 1000
Add: 129000 - Size: 1000
Add: 12A000 - Size: 1000
Add: 130000 - Size: 1000
Add: 134000 - Size: 1000
Add: 140000 - Size: 1000
Add: 141000 - Size: 1000
Add: 150000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\locale.nls
Add: 1B7000 - Size: 1000
Add: 1C0000 - Size: 1000
Add: 1C1000 - Size: 1000
Add: 1D0000 - Size: 1000
Add: 1DA000 - Size: 1000
Add: 1E0000 - Size: 1000
Add: 1E7000 - Size: 1000
Add: 1F0000 - Size: 1000
Add: 1F2000 - Size: 1000
Add: 200000 - Size: 1000
Add: 201000 - Size: 1000
Add: 210000 - Size: 1000
Add: 211000 - Size: 1000
Add: 220000 - Size: 1000
Add: 222000 - Size: 1000
Add: 230000 - Size: 1000
Add: 232000 - Size: 1000
Add: 240000 - Size: 1000
Add: 241000 - Size: 1000
Add: 250000 - Size: 1000
Add: 252000 - Size: 1000
Add: 260000 - Size: 1000
Add: 2F3000 - Size: 1000
Add: 360000 - Size: 1000
Add: 361000 - Size: 1000
Add: 370000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
Add: 37D000 - Size: 1000
Add: 380000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 3D0000 - Size: 1000
Add: 3D1000 - Size: 1000
Add: 3E0000 - Size: 1000
Add: 400000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
Add: 401000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
Add: 42D000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
Add: 430000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe
Add: 431000 - Size: 1000
Add: 440000 - Size: 1000
Add: 441000 - Size: 1000
Add: 4C0000 - Size: 1000
Add: 4E0000 - Size: 1000
Add: 4E3000 - Size: 1000
Add: 4F0000 - Size: 1000
Add: 4FF000 - Size: 1000
Add: 5B0000 - Size: 1000
Add: 5B3000 - Size: 1000
Add: 5B8000 - Size: 1000
Add: 5C0000 - Size: 1000
Add: 6C1000 - Size: 1000
Add: 6D0000 - Size: 1000
Add: 87A000 - Size: 1000
Add: 12D0000 - Size: 1000
Add: 12E0000 - Size: 1000
Add: 16D0000 - Size: 1000
\Device\HarddiskVolume2\Windows\Globalization\Sorting\SortDefault.nls
Add: 199F000 - Size: 1000
Add: 19A0000 - Size: 1000
Add: 1A7F000 - Size: 1000
Add: 1A80000 - Size: 1000
Add: 1A82000 - Size: 1000
Add: 1B80000 - Size: 1000
Add: 1B90000 - Size: 1000
Add: 1BAE000 - Size: 1000
Add: 1BD0000 - Size: 1000
Add: 1CF0000 - Size: 1000
Add: 1CF2000 - Size: 1000
Add: 1D00000 - Size: 1000
Add: 1D90000 - Size: 1000
Add: 1DD0000 - Size: 1000
Add: 1F00000 - Size: 1000
Add: 1F03000 - Size: 1000
Add: 1F10000 - Size: 1000
Add: 1FA0000 - Size: 1000
Add: 1FC7000 - Size: 1000
Add: 1FE0000 - Size: 1000
Add: 2356000 - Size: 1000
Add: 2360000 - Size: 1000
Add: 2370000 - Size: 1000
Add: 2760000 - Size: 1000
Add: 2B61000 - Size: 1000
Add: 2B70000 - Size: 1000
\Device\HarddiskVolume2\Windows\Fonts\StaticCache.dat
Add: 34A0000 - Size: 1000
Add: 35D0000 - Size: 1000
Add: 35D1000 - Size: 1000
Add: 35E0000 - Size: 1000
Add: 10000000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
Add: 10001000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
Add: 10002000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
Add: 10003000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
Add: 10004000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
Add: 10005000 - Size: 1000
Add: 20000000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 20001000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 2001E000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 2001F000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 20030000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 20032000 - Size: 1000
Add: 212F0000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
Add: 212F1000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
Add: 21313000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
Add: 21316000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
Add: 21321000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX
Add: 21323000 - Size: 1000
Add: 5C290000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll
Add: 5C291000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll
Add: 5C2A5000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll
Add: 5C2A6000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll
Add: 5C2A7000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll
Add: 5C2AC000 - Size: 1000
Add: 65D90000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll
Add: 65D91000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll
Add: 65DF7000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll
Add: 65DF8000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll
Add: 65E06000 - Size: 1000
Add: 713E0000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
Add: 713E1000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
Add: 71456000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
Add: 71458000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
Add: 71459000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll
Add: 71464000 - Size: 1000
Add: 72940000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
Add: 72941000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
Add: 72A4A000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
Add: 72A51000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
Add: 72A52000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll
Add: 72A93000 - Size: 1000
Add: 742C0000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll
Add: 742C1000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll
Add: 742C3000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll
Add: 742C4000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll
Add: 742C6000 - Size: 1000
Add: 74640000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll
Add: 74641000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll
Add: 7464C000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll
Add: 7464E000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll
Add: 74653000 - Size: 1000
Add: 74C20000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
Add: 74C21000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
Add: 74D6C000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
Add: 74D6E000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
Add: 74D6F000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
Add: 74DBE000 - Size: 1000
Add: 74DC0000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll
Add: 74DC1000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll
Add: 74DFA000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll
Add: 74DFB000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll
Add: 74DFC000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll
Add: 74E00000 - Size: 1000
Add: 75C70000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll
Add: 75C71000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll
Add: 75C79000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll
Add: 75C7A000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll
Add: 75C7C000 - Size: 1000
Add: 75C80000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\sxs.dll
Add: 75C81000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\sxs.dll
y blablabla
Hola,
Esto... disculpa mi ignorancia, pero no me ha quedado muy claro para qué sirve esto... :¬¬
Para detectar regiones externas.
Edit: como por ejemplo
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll
Es decir, un programa externo inyectó esa DLL en el proceso.