Manalyze report for f4c6a01409025e59e32d4d17aef0c74785f21c717e564258b2119c6a7522dda7

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
Compilation Date	2021-Nov-02 19:16:09
Detected languages	English - United States
TLS Callbacks	1 callback(s) detected.
Debug artifacts	C:\Users\frida\Buildbot\frida-windows\build\build\frida-windows\Win32-Release\bin\frida-gadget.pdb

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ v6.0 DLL` `Microsoft Visual C++ 6.0 - 8.0`
Suspicious	PEiD Signature:	`Crunch 4`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Contains another PE executable: This program cannot be run in DOS mode.` `Contains domain names: crbug.com example.com feross.org freedesktop.org http://www.freedesktop.org http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd https://crbug.com https://feross.org openssl.org www.freedesktop.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses constants related to SHA512` `Uses constants related to AES` `Uses constants related to Blowfish` `Uses known Diffie-Helman primes` `Microsoft's Cryptography API`
Malicious	The PE contains functions mostly used by malware.	`[!] The program may be hiding some of its imports: LoadLibraryExW GetProcAddress LoadLibraryW LoadLibraryA` `Functions which can be used for anti-debugging purposes: CreateToolhelp32Snapshot` `Can access the registry: RegQueryValueExW RegOpenKeyExW RegEnumKeyExW RegCloseKey RegCreateKeyExW RegDeleteValueW RegEnumValueW RegNotifyChangeKeyValue RegSetValueExW` `Possibly launches other programs: CreateProcessW` `Uses Windows's Native API: ntohs ntohl` `Uses Microsoft's cryptographic API: CryptAcquireContextW CryptReleaseContext CryptDestroyKey CryptSetHashParam CryptGetHashParam CryptImportKey CryptCreateHash CryptHashData CryptDestroyHash CryptGenRandom` `Can create temporary files: CreateFileW CreateFileA GetTempPathA GetTempPathW` `Memory manipulation functions often used by packers: VirtualAlloc VirtualProtect` Leverages the raw socket API to access the Internet: WSASetEvent WSAStartup WSAWaitForMultipleEvents WSASendTo WSASend WSARecvFrom WSARecv WSAIoctl WSAEventSelect WSAEnumNetworkEvents getaddrinfo WSACloseEvent socket shutdown setsockopt send recv listen WSACleanup connect closesocket accept getservbyname getservbyport gethostbyname gethostbyaddr ntohs inet_ntoa inet_addr htons htonl WSAStringToAddressW WSASetLastError WSAAddressToStringW WSAGetLastError getsockopt getsockname getpeername bind ioctlsocket ntohl freeaddrinfo getnameinfo WSACreateEvent `Functions related to the privilege level: OpenProcessToken` `Enumerates local disk drives: GetDriveTypeW GetVolumeInformationW` `Manipulates other processes: EnumProcessModules OpenProcess`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`ab30c3454804e5b866cdd66e08562a24`
SHA1	`3c3a92f58abab5167755f2848cbe348b87726d0e`
SHA256	`f4c6a01409025e59e32d4d17aef0c74785f21c717e564258b2119c6a7522dda7`
SHA3	`ebee3e37c47c338ef1e7024d845873059c3ccd542fc889f768577de727a243d8`
SSDeep	`196608:M0+sPKvKIPkbVBHmZPcGjH7d6wvHbMx3q8kKxM9WLvhaVZ0b1KjJJgw:M0+WAzGVcPTjH3bMfxxvvhaVZ0hKjj`
Imports Hash	`68d63b12e5f51f3c9537bca80ec6c14d`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0x130`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2021-Nov-02 19:16:09
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_DLL` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`14.0`
SizeOfCode	`0xb7a000`
SizeOfInitializedData	`0x56e200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x00B02F0B (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0xb7b000`
ImageBase	`0x10000000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x10eb000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_GUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`bf644fdcf3832dd5e80ae8a00b67da85`
SHA1	`94646899ecf01a2ca487408e14e1cc60029a06af`
SHA256	`fa541c0cf84b4d43ea6d17bd3272072d3018281d5be51d9630369aa026f2b99c`
SHA3	`f9c1762cd7356d2efb08e9e78513c0e6ddbf5c465261a0a34bae1379a94cba51`
VirtualSize	`0xb79eb3`
VirtualAddress	`0x1000`
SizeOfRawData	`0xb7a000`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.71193`

.rdata

MD5	`2bb8fb66789d51a46ee0ce018bae54ba`
SHA1	`be7cf73c37925785ece430916f7cf9a551650f4b`
SHA256	`8f28dd17aed0c9c6dd1a39784dc6a3b1b58c6fbbdb6c247dd2438b668791d1b5`
SHA3	`b681bc6ce07a5faa0799e5e51315d53e42327afcc5239fa9fb47554c69598b46`
VirtualSize	`0x4cfcb8`
VirtualAddress	`0xb7b000`
SizeOfRawData	`0x4cfe00`
PointerToRawData	`0xb7a400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.70684`

.data

MD5	`0ed8eec3810585ef947987468f24101c`
SHA1	`8749204ffb653110ed3dfe1696cc92ec8d9c8c27`
SHA256	`a55506df243c07846479cd5f50d4c44a6a5d4f3486eb7db3a923bd28157e095d`
SHA3	`6a09fd7926c1b0ba5b440cc83c3569825063572439aa6778df5c40350821ea23`
VirtualSize	`0x43324`
VirtualAddress	`0x104b000`
SizeOfRawData	`0x16e00`
PointerToRawData	`0x104a200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.51222`

.rsrc

MD5	`82fea56a21afb952770c21fabf40c28b`
SHA1	`0e47b6c1388af775b3cc88c9a29838c4f3267c3a`
SHA256	`946c527f46cf1e48a05a6748e41268969732f94d4fa3cc8f1becad8bafc564a5`
SHA3	`16cb26bffc4addd0c9433c31fc9b1468ec590f11154365450fe1705460184ff5`
VirtualSize	`0x1e0`
VirtualAddress	`0x108f000`
SizeOfRawData	`0x200`
PointerToRawData	`0x1061000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`4.73383`

.reloc

MD5	`64dda3f29330bd8a61a55f5bbb2d2160`
SHA1	`59ca1ffd0b346ae75c6d6f6e36802489424660a5`
SHA256	`a58e542eb72c4a2bcee10152ebe5ff9ac2b1be5fff182d58ab1dbbca6069cb7f`
SHA3	`b704b6f15ee2888f04730ae3ebc2426e60fd3096e26a4f03c78448883364cb8b`
VirtualSize	`0x5ade8`
VirtualAddress	`0x1090000`
SizeOfRawData	`0x5ae00`
PointerToRawData	`0x1061200`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`6.68726`

Imports

DNSAPI.dll	`DnsQuery_A` `DnsFree`
IPHLPAPI.DLL	`GetBestInterfaceEx` `GetAdaptersAddresses`
ole32.dll	`CoTaskMemFree`
PSAPI.DLL	`EnumProcessModules` `GetModuleInformation` `GetModuleBaseNameA`
SHLWAPI.dll	`StrRetToStrW`
WINMM.dll	`timeGetTime`
WS2_32.dll	`WSASetEvent` `WSAStartup` `WSAWaitForMultipleEvents` `WSASendTo` `WSASend` `WSARecvFrom` `WSARecv` `WSAIoctl` `WSAEventSelect` `WSAEnumNetworkEvents` `getaddrinfo` `WSACloseEvent` `socket` `shutdown` `setsockopt` `send` `recv` `listen` `WSACleanup` `connect` `closesocket` `accept` `getservbyname` `getservbyport` `gethostbyname` `gethostbyaddr` `ntohs` `inet_ntoa` `inet_addr` `htons` `htonl` `WSAStringToAddressW` `WSASetLastError` `WSAAddressToStringW` `WSAGetLastError` `getsockopt` `getsockname` `getpeername` `bind` `ioctlsocket` `ntohl` `freeaddrinfo` `getnameinfo` `WSACreateEvent`
KERNEL32.dll	`LoadLibraryExW` `InterlockedFlushSList` `RtlUnwind` `GetStringTypeW` `LCMapStringW` `CompareStringW` `DecodePointer` `EncodePointer` `AcquireSRWLockExclusive` `ReleaseSRWLockExclusive` `GetStartupInfoW` `InitializeSListHead` `IsProcessorFeaturePresent` `UnhandledExceptionFilter` `FreeLibraryAndExitThread` `ExitProcess` `CreatePipe` `SystemTimeToTzSpecificLocalTime` `FileTimeToSystemTime` `SetEnvironmentVariableA` `VirtualAlloc` `VirtualFree` `VirtualQuery` `GetSystemInfo` `GetTickCount` `SleepEx` `RtlCaptureContext` `GetProcAddress` `HeapAlloc` `HeapFree` `GetProcessHeap` `GetProcessHeaps` `HeapLock` `HeapUnlock` `HeapWalk` `GetCurrentProcess` `GetCurrentProcessId` `GetCurrentThreadId` `OpenThread` `GetLastError` `GetThreadContext` `SetThreadContext` `SuspendThread` `ResumeThread` `IsDebuggerPresent` `WaitForSingleObject` `CloseHandle` `LoadLibraryW` `GetModuleFileNameW` `GetModuleHandleW` `CreateToolhelp32Snapshot` `Thread32First` `Thread32Next` `OutputDebugStringW` `FlushInstructionCache` `VirtualProtect` `TlsAlloc` `TlsSetValue` `TlsFree` `MultiByteToWideChar` `WideCharToMultiByte` `GetComputerNameW` `OpenProcess` `TerminateProcess` `FreeLibrary` `GetModuleHandleExW` `GetCurrentThread` `InterlockedExchange` `InterlockedCompareExchange` `Sleep` `LoadLibraryA` `GetSystemDirectoryA` `ReadFile` `CreateEventW` `WriteFile` `GetProcessId` `ExpandEnvironmentStringsW` `LocalFree` `MapViewOfFile` `UnmapViewOfFile` `CreateFileMappingA` `CreateProcessW` `GetFileAttributesW` `AllocConsole` `GetVersion` `GetDriveTypeW` `GetDiskFreeSpaceExW` `GetVolumeInformationW` `GetVolumePathNameW` `GetOverlappedResult` `CancelIo` `SetFileTime` `CreateFileW` `CreateThread` `InitializeCriticalSection` `EnterCriticalSection` `LeaveCriticalSection` `DeleteCriticalSection` `SetEvent` `WaitForMultipleObjects` `GetLogicalDrives` `GetSystemDirectoryW` `GetShortPathNameW` `GetLongPathNameW` `GetFileAttributesExW` `ReadDirectoryChangesW` `GetStdHandle` `InterlockedIncrement` `InterlockedDecrement` `SetStdHandle` `GetProcessAffinityMask` `GetNativeSystemInfo` `RaiseException` `SetThreadPriority` `GetThreadPriority` `GetExitCodeThread` `TryEnterCriticalSection` `DuplicateHandle` `TlsGetValue` `GetCurrentDirectoryW` `GetExitCodeProcess` `GetSystemTimeAsFileTime` `QueryPerformanceCounter` `QueryPerformanceFrequency` `GetFileType` `GetConsoleMode` `SetConsoleMode` `GetEnvironmentVariableW` `DebugBreak` `GetWindowsDirectoryW` `GetEnvironmentStringsW` `FreeEnvironmentStringsW` `SetEnvironmentVariableW` `IsValidCodePage` `GetACP` `GetCPInfo` `IsDBCSLeadByteEx` `FormatMessageW` `GetCommandLineW` `GetLocaleInfoW` `GetThreadLocale` `AttachConsole` `GetTimeZoneInformation` `CreateFileMappingW` `GetFileInformationByHandle` `DeviceIoControl` `MoveFileExW` `WaitForSingleObjectEx` `WaitForMultipleObjectsEx` `ResetEvent` `GetConsoleOutputCP` `PeekNamedPipe` `PeekConsoleInputW` `ReadConsoleInputW` `GetTimeFormatW` `GetDateFormatW` `FlushFileBuffers` `FormatMessageA` `GetSystemTime` `SystemTimeToFileTime` `GetFileSize` `LockFileEx` `UnlockFile` `HeapDestroy` `HeapCompact` `HeapReAlloc` `DeleteFileW` `DeleteFileA` `GetVersionExA` `CreateFileA` `FlushViewOfFile` `GetFileAttributesA` `GetDiskFreeSpaceA` `GetTempPathA` `HeapSize` `HeapValidate` `GetVersionExW` `CreateMutexW` `GetTempPathW` `UnlockFileEx` `SetEndOfFile` `GetFullPathNameA` `SetFilePointer` `LockFile` `OutputDebugStringA` `GetDiskFreeSpaceW` `GetFullPathNameW` `HeapCreate` `AreFileApisANSI` `GetModuleFileNameA` `SetUnhandledExceptionFilter` `VerSetConditionMask` `GetTempFileNameA` `GetThreadTimes` `IsWow64Process` `VerifyVersionInfoW` `ReleaseSemaphore` `CreateSemaphoreA` `CreateEventA` `InitOnceExecuteOnce` `SetLastError` `InitializeCriticalSectionAndSpinCount` `FindClose` `FindFirstFileW` `FindNextFileW` `ReadConsoleA` `ReadConsoleW` `CreateDirectoryW` `RemoveDirectoryW` `SetFileAttributesW` `FindFirstFileExW` `SetFilePointerEx` `GetConsoleCP` `IsValidLocale` `GetUserDefaultLCID` `EnumSystemLocalesW` `GetOEMCP` `FindFirstFileExA` `FindNextFileA` `GetCommandLineA` `WriteConsoleW` `InitializeConditionVariable` `WakeAllConditionVariable` `SetConsoleCtrlHandler` `GetNumberOfConsoleInputEvents` `InterlockedExchangeAdd` `PeekConsoleInputA` `ExitThread` `SleepConditionVariableCS`
USER32.dll	`GetUserObjectInformationW` `GetProcessWindowStation` `PeekMessageW` `MessageBoxW` `MsgWaitForMultipleObjectsEx`
ADVAPI32.dll	`GetFileSecurityW` `ReportEventW` `GetSecurityDescriptorGroup` `GetSecurityDescriptorOwner` `ConvertSidToStringSidA` `GetCurrentHwProfileA` `IsValidSid` `GetTokenInformation` `OpenProcessToken` `RegQueryValueExW` `RegOpenKeyExW` `RegEnumKeyExW` `RegCloseKey` `LookupAccountSidW` `RegCreateKeyExW` `RegDeleteValueW` `RegEnumValueW` `RegNotifyChangeKeyValue` `RegSetValueExW` `GetUserNameW` `CryptAcquireContextW` `CryptReleaseContext` `CryptDestroyKey` `CryptSetHashParam` `CryptGetHashParam` `CryptImportKey` `RegisterEventSourceW` `CryptCreateHash` `CryptHashData` `CryptDestroyHash` `CryptGenRandom` `DeregisterEventSource`
SHELL32.dll	`SHGetSpecialFolderLocation` `SHGetPathFromIDListW` `SHBindToParent` `SHGetDesktopFolder` `SHFileOperationW`
bcrypt.dll	`BCryptGenRandom`

Delayed Imports

frida_gadget_wait_for_permission_to_resume

Ordinal	`1`
Address	`0x57f03`

2

Type	`RT_MANIFEST`
Language	English - United States
Codepage	UNKNOWN
Size	`0x17d`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.91161`
MD5	`1e4a89b11eae0fcf8bb5fdd5ec3b6f61`
SHA1	`4260284ce14278c397aaf6f389c1609b0ab0ce51`
SHA256	`4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df`
SHA3	`4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353`

Version Info

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2021-Nov-02 19:16:09
Version	`0.0`
SizeofData	`123`
AddressOfRawData	`0x10463b4`
PointerToRawData	`0x10457b4`
Referenced File	C:\Users\frida\Buildbot\frida-windows\build\build\frida-windows\Win32-Release\bin\frida-gadget.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics	`0`
TimeDateStamp	2021-Nov-02 19:16:09
Version	`0.0`
SizeofData	`20`
AddressOfRawData	`0x1046430`
PointerToRawData	`0x1045830`

IMAGE_DEBUG_TYPE_POGO

Characteristics	`0`
TimeDateStamp	2021-Nov-02 19:16:09
Version	`0.0`
SizeofData	`916`
AddressOfRawData	`0x1046444`
PointerToRawData	`0x1045844`

TLS Callbacks

StartAddressOfRawData	`0x110467e8`
EndAddressOfRawData	`0x110467e9`
AddressOfIndex	`0x1108cfd8`
AddressOfCallbacks	`0x10b7b5a8`
SizeOfZeroFill	`0`
Characteristics	`IMAGE_SCN_ALIGN_1BYTES`
Callbacks	`0x10159A9D`

Load Configuration

Size	`0xbc`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x1105db44`
SEHandlerTable	`0x110461a4`
SEHandlerCount	`132`

RICH Header

XOR Key	`0xf8feed4b`
Unmarked objects	`0`
241 (40116)	`44`
243 (40116)	`214`
242 (40116)	`63`
199 (41118)	`17`
C++ objects (VS 2015/2017/2019 runtime 29118)	`76`
C objects (VS 2015/2017/2019 runtime 29118)	`19`
ASM objects (VS 2015/2017/2019 runtime 29118)	`29`
C objects (VS2008 SP1 build 30729)	`2`
Imports (VS2008 SP1 build 30729)	`25`
Total imports	`356`
Unmarked objects (#2)	`21`
ASM objects (VS2019 Update 8 (16.8.2) compiler 29334)	`2`
C++ objects (VS2019 Update 8 (16.8.2) compiler 29334)	`611`
C objects (VS2019 Update 8 (16.8.2) compiler 29334)	`1166`
Exports (VS2019 Update 8 (16.8.2) compiler 29334)	`1`
Resource objects (VS2019 Update 8 (16.8.2) compiler 29334)	`1`
Linker (VS2019 Update 8 (16.8.2) compiler 29334)	`1`

Errors

Leave a comment

No comments yet.