[VB6][SRC] Memory Regions

Iniciado por Miseryk, 13 Febrero 2015, 13:48 PM

0 Miembros y 1 Visitante están viendo este tema.

Imprimir
Ir Abajo Páginas1
Acciones del Usuario

Miseryk

13 Febrero 2015, 13:48 PM Ultima modificación: 13 Febrero 2015, 21:10 PM por Miseryk
Una manera de detectar intrusos.

Posteado en: http://hackhound.org/forums/topic/7209-vb6src-memory-regions/

Modulo:
Código (vb) [Seleccionar]

Option Explicit

'typedef enum _MEMORY_INFORMATION_CLASS {
'    MemoryBasicInformation,
'    MemoryWorkingSetList,
'    MemorySectionName
'} MEMORY_INFORMATION_CLASS;

Public Enum MEMORY_INFORMATION_CLASS
   MemoryBasicInformation = 0
   MemoryWorkingSetList
   MemorySectionName
End Enum

'typedef struct _MEMORY_BASIC_INFORMATION {
'    PVOID BaseAddress;
'    PVOID AllocationBase;
'    DWORD AllocationProtect;
'    SIZE_T RegionSize;
'    DWORD State;
'    DWORD Protect;
'    DWORD Type;
'} MEMORY_BASIC_INFORMATION, *PMEMORY_BASIC_INFORMATION;

Public Type MEMORY_BASIC_INFORMATION
   BaseAddress As Long
   AllocationBase As Long
   AllocationProtect As Long
   RegionSize As Long
   State As Long
   Protect As Long
   Type As Long
End Type

'typedef struct _FUNCTION_INFORMATION {
'    char name[64];
'    ULONG_PTR VirtualAddress;
'} FUNCTION_INFORMATION, *PFUNCTION_INFORMATION;

Public Type FUNCTION_INFORMATION
   name As String * 64
   VirtualAddress As Long
End Type

'typedef struct _MODULE_INFORMATION
'{
'    PVOID BaseAddress;
'    PVOID AllocationBase;
'    DWORD AllocationProtect;
'    SIZE_T RegionSize;
'    DWORD State;
'    DWORD Protect;
'    DWORD Type;
'    WCHAR szPathName[MAX_PATH];
'    PVOID EntryAddress;
'    PFUNCTION_INFORMATION Functions;
'    DWORD FunctionCount;
'    DWORD SizeOfImage;
'}MODULE_INFORMATION, *PMODULE_INFORMATION;

Public Type MODULE_INFORMATION
   BaseAddress As Long
   AllocationBase As Long
   AllocationProtect As Long
   RegionSize As Long
   State As Long
   Protect As Long
   Type As Long
   szPathName(1 To 520) As Byte
   EntryAddress As Long
   Functions As Long 'VarPtr(MODULE_INFORMATION), es un puntero, PFUNCTION_INFORMATION Functions;
   FunctionCount As Long
   SizeOfImage As Long
End Type

'struct UNICODE_STRING {
'    USHORT  Length;
'    USHORT  MaximumLength;
'    PWSTR    Buffer;
'};

Public Type UNICODE_STRING
   Length As Integer
   MaximumLength As Integer
   Buffer As Long 'PWSTR    Buffer;
End Type

'typedef UNICODE_STRING *PUNICODE_STRING;

Public Const PAGE_NOACCESS = &H1
Public Const PAGE_READONLY = &H2
Public Const PAGE_READWRITE = &H4
Public Const PAGE_WRITECOPY = &H8
Public Const PAGE_EXECUTE = &H10
Public Const PAGE_EXECUTE_READ = &H20
Public Const PAGE_EXECUTE_READWRITE = &H40
Public Const PAGE_EXECUTE_WRITECOPY = &H80
Public Const PAGE_GUARD = &H100
Public Const PAGE_NOCACHE = &H200
Public Const PAGE_WRITECOMBINE = &H400
Public Const MEM_COMMIT = &H1000
Public Const MEM_RESERVE = &H2000
Public Const MEM_DECOMMIT = &H4000
Public Const MEM_RELEASE = &H8000
Public Const MEM_FREE = &H10000
Public Const MEM_PRIVATE = 20000
Public Const MEM_MAPPED = &H40000
Public Const MEM_RESET = &H80000
Public Const MEM_TOP_DOWN = &H100000
Public Const MEM_WRITE_WATCH = &H200000
Public Const MEM_PHYSICAL = &H400000
Public Const MEM_ROTATE = &H800000
Public Const MEM_LARGE_PAGES = &H20000000
Public Const MEM_4MB_PAGES = &H80000000

'typedef LONG (WINAPI *ZWQUERYVIRTUALMEMORY)(
'    HANDLE ProcessHandle,
'    PVOID BaseAddress,
'    MEMORY_INFORMATION_CLASS MemoryInformationClass,
'    PVOID MemoryInformation,
'    ULONG MemoryInformationLength,
'    PULONG ReturnLength
');

Public Declare Function ZwQueryVirtualMemory Lib "NTDLL.DLL" (ByVal ProcessHandle As Long, ByVal BaseAddress As Long, ByVal MemoryInformationClass As MEMORY_INFORMATION_CLASS, ByVal MemoryInformation As Long, ByVal MemoryInformationLength As Long, ByVal ReturnLength As Long) As Long

Public Declare Function GetCurrentProcess Lib "kernel32" () As Long

Public Declare Function VirtualQuery Lib "kernel32" (ByRef lpAddress As Any, ByRef lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long

Public Declare Sub ZeroMemory Lib "kernel32.dll" Alias "RtlZeroMemory" (Destination As Any, ByVal Length As Long)

Public Declare Sub RtlMoveMemory Lib "kernel32.dll" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)



Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Public Declare Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As Long

Public Const PROCESS_ALL_ACCESS = &H1F0FFF  'Specifies all possible access flags for the process object.
Public Const PROCESS_CREATE_THREAD = &H2   'Enables using the process handle in the CreateRemoteThread function to create a thread in the process.
Public Const PROCESS_DUP_HANDLE = &H40  'Enables using the process handle as either the source or target process in the DuplicateHandle function to duplicate a handle.
Public Const PROCESS_QUERY_INFORMATION = &H400 'Enables using the process handle in the GetExitCodeProcess and GetPriorityClass functions to read information from the process object.
Public Const PROCESS_SET_INFORMATION = &H200  'Enables using the process handle in the SetPriorityClass function to set the priority class of the process.
Public Const PROCESS_TERMINATE = &H1 'Enables using the process handle in the TerminateProcess function to terminate the process.
Public Const PROCESS_VM_OPERATION = &H8 'Enables using the process handle in the VirtualProtectEx and WriteProcessMemory functions to modify the virtual memory of the process.
Public Const PROCESS_VM_READ = &H10     'Enables using the process handle in the ReadProcessMemory function to read from the virtual memory of the process.
Public Const PROCESS_VM_WRITE = &H20 'Enables using the process handle in the WriteProcessMemory function to write to the virtual memory of the process.
Public Const SYNCHRONIZE = &H100000   'Enables using the process handle in any of the wait functions to wait for the process to terminate.

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)

'The WideCharToMultiByte function maps a wide-character string to a new character string.
'The function is faster when both lpDefaultChar and lpUsedDefaultChar are NULL.

'CodePage
Private Const CP_ACP = 0 'ANSI
Private Const CP_MACCP = 2 'Mac
Private Const CP_OEMCP = 1 'OEM
Private Const CP_UTF7 = 65000
Private Const CP_UTF8 = 65001

'dwFlags
Private Const WC_NO_BEST_FIT_CHARS = &H400
Private Const WC_COMPOSITECHECK = &H200
Private Const WC_DISCARDNS = &H10
Private Const WC_SEPCHARS = &H20 'Default
Private Const WC_DEFAULTCHAR = &H40

Private Declare Function WideCharToMultiByte Lib "kernel32" (ByVal CodePage As Long, ByVal dwFlags As Long, ByVal lpWideCharStr As Long, ByVal cchWideChar As Long, ByVal lpMultiByteStr As Long, ByVal cbMultiByte As Long, ByVal lpDefaultChar As Long, ByVal lpUsedDefaultChar As Long) As Long

Public Function ByteArrayToString(Bytes() As Byte) As String
Dim iUnicode As Long, i As Long, j As Long

On Error Resume Next
i = UBound(Bytes)

If (i < 1) Then
   'ANSI, just convert to unicode and return
   ByteArrayToString = StrConv(Bytes, vbUnicode)
   Exit Function
End If
i = i + 1

'Examine the first two bytes
CopyMemory iUnicode, Bytes(0), 2

If iUnicode = Bytes(0) Then 'Unicode
   'Account for terminating null
   If (i Mod 2) Then i = i - 1
   'Set up a buffer to recieve the string
   ByteArrayToString = String$(i / 2, 0)
   'Copy to string
   CopyMemory ByVal StrPtr(ByteArrayToString), Bytes(0), i
Else 'ANSI
   ByteArrayToString = StrConv(Bytes, vbUnicode)
End If
End Function

Public Function StringToByteArray(strInput As String, Optional bReturnAsUnicode As Boolean = True, Optional bAddNullTerminator As Boolean = False) As Byte()
Dim lRet As Long
Dim bytBuffer() As Byte
Dim lLenB As Long

If bReturnAsUnicode Then
   'Number of bytes
   lLenB = LenB(strInput)
   'Resize buffer, do we want terminating null?
   If bAddNullTerminator Then
       ReDim bytBuffer(lLenB)
   Else
       ReDim bytBuffer(lLenB - 1)
   End If
   'Copy characters from string to byte array
   CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB
Else
   'METHOD ONE
'        'Get rid of embedded nulls
'        strRet = StrConv(strInput, vbFromUnicode)
'        lLenB = LenB(strRet)
'        If bAddNullTerminator Then
'            ReDim bytBuffer(lLenB)
'        Else
'            ReDim bytBuffer(lLenB - 1)
'        End If
'        CopyMemory bytBuffer(0), ByVal StrPtr(strInput), lLenB

   'METHOD TWO
   'Num of characters
   lLenB = Len(strInput)
   If bAddNullTerminator Then
       ReDim bytBuffer(lLenB)
   Else
       ReDim bytBuffer(lLenB - 1)
   End If
   lRet = WideCharToMultiByte(CP_ACP, 0&, ByVal StrPtr(strInput), -1, ByVal VarPtr(bytBuffer(0)), lLenB, 0&, 0&)
End If

StringToByteArray = bytBuffer
End Function


Form:
Agregar RitchTextBox (llenar el texto), un Label (para el address del for) y un CommandButton (acción)
Código (vb) [Seleccionar]

Private Sub Command1_Click()
'MEMORY_BASIC_INFORMATION mbi;
Dim mbi As MEMORY_BASIC_INFORMATION

'MODULE_INFORMATION mi;
Dim mi As MODULE_INFORMATION

'BYTE szBuffer[MAX_PATH * 2 + 4] = { 0 };
Dim szBuffer(523) As Byte

Dim i As Integer

'PUNICODE_STRING usSectionName;
Dim usSectionName As UNICODE_STRING

Dim hProcess As Long

hProcess = GetCurrentProcess()

Dim Addr As Long

Dim READABLE As Long

READABLE = (PAGE_EXECUTE_READ + PAGE_EXECUTE_READWRITE + PAGE_EXECUTE_WRITECOPY + PAGE_READONLY + PAGE_READWRITE + PAGE_WRITECOPY)

txtSections.Text = ""

Addr = 0

Dim hRet As Long
Dim asd As String

Dim zBytes() As Byte

txtSections.Visible = False

ReDim zBytes(0) As Byte

While VirtualQuery(Addr, mbi, 28)
   DoEvents
   Label1.Caption = "0x" & Hex(Addr)
   If (mbi.State And MEM_COMMIT) Then
       If (mbi.AllocationProtect And READABLE) Then
           hRet = ZwQueryVirtualMemory(hProcess, Addr, MemoryBasicInformation, VarPtr(mbi), &H1C, 0&)

           txtSections.Text = txtSections.Text & "Add: " & Hex(Addr) & " - Size: " & Hex(mbi.RegionSize) & vbNewLine
           
           For i = LBound(szBuffer) To UBound(szBuffer)
               szBuffer(i) = 0
           Next i
           
           For i = LBound(zBytes) To UBound(zBytes)
               zBytes(i) = 0
           Next i
           
           If (hRet >= 0) Then
               If (mbi.Type <> MEM_FREE) Then
               
                   hRet = ZwQueryVirtualMemory(hProcess, Addr, MemorySectionName, VarPtr(szBuffer(0)), &H20C, 0&)
                   
                   If (hRet >= 0) Then
                       Call ZeroMemory(mi, &H234)
                       Call RtlMoveMemory(mi, mbi, &H1C)
                       
                       Call ReadProcessMemory(hProcess, VarPtr(szBuffer(0)), usSectionName.Length, &H2, 0&)
                       Call ReadProcessMemory(hProcess, VarPtr(szBuffer(2)), usSectionName.MaximumLength, &H2, 0&)
                       
                       ReDim zBytes(usSectionName.Length * 2)
                       
                       'How do I know is offset 8? It's simple.... "Aliens"
                       Call ReadProcessMemory(hProcess, VarPtr(szBuffer(8)), zBytes(0), usSectionName.Length * 2, 0&)
                       
                       txtSections.Text = txtSections.Text & ByteArrayToString(zBytes) & " (" & usSectionName.Length & "/" & usSectionName.MaximumLength & ")" & vbNewLine & vbNewLine
                   End If
               End If
           End If
       End If
   End If
   
   txtSections.SelStart = Len(txtSections)
   
   If Addr >= &H7FFF0000 Then
       GoTo salir
   End If
   Addr = (mbi.BaseAddress) + mbi.RegionSize
Wend

salir:

txtSections.Visible = True

MsgBox "Done"
End Sub


Resultado:
Código (ini) [Seleccionar]

Add: 0 - Size: 1000
Add: 10000 - Size: 1000
Add: 20000 - Size: 1000
Add: 21000 - Size: 1000
Add: 30000 - Size: 1000
Add: 129000 - Size: 1000
Add: 12A000 - Size: 1000
Add: 130000 - Size: 1000
Add: 134000 - Size: 1000
Add: 140000 - Size: 1000
Add: 141000 - Size: 1000
Add: 150000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\locale.nls

Add: 1B7000 - Size: 1000
Add: 1C0000 - Size: 1000
Add: 1C1000 - Size: 1000
Add: 1D0000 - Size: 1000
Add: 1DA000 - Size: 1000
Add: 1E0000 - Size: 1000
Add: 1E7000 - Size: 1000
Add: 1F0000 - Size: 1000
Add: 1F2000 - Size: 1000
Add: 200000 - Size: 1000
Add: 201000 - Size: 1000
Add: 210000 - Size: 1000
Add: 211000 - Size: 1000
Add: 220000 - Size: 1000
Add: 222000 - Size: 1000
Add: 230000 - Size: 1000
Add: 232000 - Size: 1000
Add: 240000 - Size: 1000
Add: 241000 - Size: 1000
Add: 250000 - Size: 1000
Add: 252000 - Size: 1000
Add: 260000 - Size: 1000
Add: 2F3000 - Size: 1000
Add: 360000 - Size: 1000
Add: 361000 - Size: 1000
Add: 370000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX

Add: 37D000 - Size: 1000
Add: 380000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX
Add: 3D0000 - Size: 1000
Add: 3D1000 - Size: 1000
Add: 3E0000 - Size: 1000
Add: 400000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe

Add: 401000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe

Add: 42D000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe

Add: 430000 - Size: 1000
\Device\HarddiskVolume2\Misery-PC\[New Programming 2014]\[AO]\OffiHack\test\Project1.exe

Add: 431000 - Size: 1000
Add: 440000 - Size: 1000
Add: 441000 - Size: 1000
Add: 4C0000 - Size: 1000
Add: 4E0000 - Size: 1000
Add: 4E3000 - Size: 1000
Add: 4F0000 - Size: 1000
Add: 4FF000 - Size: 1000
Add: 5B0000 - Size: 1000
Add: 5B3000 - Size: 1000
Add: 5B8000 - Size: 1000
Add: 5C0000 - Size: 1000
Add: 6C1000 - Size: 1000
Add: 6D0000 - Size: 1000
Add: 87A000 - Size: 1000
Add: 12D0000 - Size: 1000
Add: 12E0000 - Size: 1000
Add: 16D0000 - Size: 1000
\Device\HarddiskVolume2\Windows\Globalization\Sorting\SortDefault.nls

Add: 199F000 - Size: 1000
Add: 19A0000 - Size: 1000
Add: 1A7F000 - Size: 1000
Add: 1A80000 - Size: 1000
Add: 1A82000 - Size: 1000
Add: 1B80000 - Size: 1000
Add: 1B90000 - Size: 1000
Add: 1BAE000 - Size: 1000
Add: 1BD0000 - Size: 1000
Add: 1CF0000 - Size: 1000
Add: 1CF2000 - Size: 1000
Add: 1D00000 - Size: 1000
Add: 1D90000 - Size: 1000
Add: 1DD0000 - Size: 1000
Add: 1F00000 - Size: 1000
Add: 1F03000 - Size: 1000
Add: 1F10000 - Size: 1000
Add: 1FA0000 - Size: 1000
Add: 1FC7000 - Size: 1000
Add: 1FE0000 - Size: 1000
Add: 2356000 - Size: 1000
Add: 2360000 - Size: 1000
Add: 2370000 - Size: 1000
Add: 2760000 - Size: 1000
Add: 2B61000 - Size: 1000
Add: 2B70000 - Size: 1000
\Device\HarddiskVolume2\Windows\Fonts\StaticCache.dat

Add: 34A0000 - Size: 1000
Add: 35D0000 - Size: 1000
Add: 35D1000 - Size: 1000
Add: 35E0000 - Size: 1000
Add: 10000000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Add: 10001000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Add: 10002000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Add: 10003000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Add: 10004000 - Size: 1000
\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Add: 10005000 - Size: 1000
Add: 20000000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX

Add: 20001000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX

Add: 2001E000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX

Add: 2001F000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX

Add: 20030000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\RICHTX32.OCX

Add: 20032000 - Size: 1000
Add: 212F0000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX

Add: 212F1000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX

Add: 21313000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX

Add: 21316000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX

Add: 21321000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\TABCTL32.OCX

Add: 21323000 - Size: 1000
Add: 5C290000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll

Add: 5C291000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll

Add: 5C2A5000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll

Add: 5C2A6000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll

Add: 5C2A7000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\oledlg.dll

Add: 5C2AC000 - Size: 1000
Add: 65D90000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll

Add: 65D91000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll

Add: 65DF7000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll

Add: 65DF8000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched20.dll

Add: 65E06000 - Size: 1000
Add: 713E0000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll

Add: 713E1000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll

Add: 71456000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll

Add: 71458000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll

Add: 71459000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5\comctl32.dll

Add: 71464000 - Size: 1000
Add: 72940000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll

Add: 72941000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll

Add: 72A4A000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll

Add: 72A51000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll

Add: 72A52000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\msvbvm60.dll

Add: 72A93000 - Size: 1000
Add: 742C0000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll

Add: 742C1000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll

Add: 742C3000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll

Add: 742C4000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\riched32.dll

Add: 742C6000 - Size: 1000
Add: 74640000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll

Add: 74641000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll

Add: 7464C000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll

Add: 7464E000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\dwmapi.dll

Add: 74653000 - Size: 1000
Add: 74C20000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Add: 74C21000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Add: 74D6C000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Add: 74D6E000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Add: 74D6F000 - Size: 1000
\Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll

Add: 74DBE000 - Size: 1000
Add: 74DC0000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll

Add: 74DC1000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll

Add: 74DFA000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll

Add: 74DFB000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll

Add: 74DFC000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\uxtheme.dll

Add: 74E00000 - Size: 1000
Add: 75C70000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll

Add: 75C71000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll

Add: 75C79000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll

Add: 75C7A000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\cryptbase.dll

Add: 75C7C000 - Size: 1000
Add: 75C80000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\sxs.dll

Add: 75C81000 - Size: 1000
\Device\HarddiskVolume2\Windows\System32\sxs.dll

y blablabla
Can you see it?
The worst is over
The monsters in my head are scared of love
Fallen people listen up! It's never too late to change our luck
So, don't let them steal your light
Don't let them break your stride
There is light on the other side
And you'll see all the raindrops falling behind
Make it out tonight
it's a revolution

CL!!!

okik

#1
13 Febrero 2015, 18:44 PM
Hola,
Esto...disculpa mi ignorancia, pero, no me ha quedado muy claro para que sirve esto.... :¬¬

Miseryk

#2
13 Febrero 2015, 20:37 PM
Para detectar regiones externas.

Edit: como por ejemplo

\Device\HarddiskVolume2\Program Files\Unlocker\UnlockerHook.dll

Que es un programa externo que inyectó esa DLL.
Can you see it?
The worst is over
The monsters in my head are scared of love
Fallen people listen up! It's never too late to change our luck
So, don't let them steal your light
Don't let them break your stride
There is light on the other side
And you'll see all the raindrops falling behind
Make it out tonight
it's a revolution

CL!!!
Imprimir
Ir Arriba Páginas1
Acciones del Usuario