b33d8741d4b6d23f9f1de7435379fc84

Summary

Architecture IMAGE_FILE_MACHINE_I386
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date 2016-Jan-04 20:12:16
Detected languages English - United States, Process Default Language, Swedish - Sweden
Debug artifacts C:\Users\Henrik\Documents\c++\debugging-ane\Debug ANE\Release\windebug.pdb
CompanyName Henrik Andersson
FileDescription Windebug ANE Core dll
FileVersion 0.23.0.3
InternalName WinDebug.dll
LegalCopyright Copyright Henrik "Henke37" Andersson (C) 2015
OriginalFilename WinDebug.dll
ProductName Windows debugging ANE
ProductVersion 0.23.0.3

Plugin Output

Info Matching compiler(s): Microsoft Visual C++ v6.0 DLL
Malicious The PE contains functions mostly used by malware.
[!] The program may be hiding some of its imports:
  • GetProcAddress
  • LoadLibraryW
  • LoadLibraryExA
Functions which can be used for anti-debugging purposes:
  • CreateToolhelp32Snapshot
  • CheckRemoteDebuggerPresent
  • FindWindowW
Code injection capabilities:
  • OpenProcess
  • CreateRemoteThread
  • VirtualAllocEx
  • WriteProcessMemory
  • VirtualAlloc
Code injection capabilities (process hollowing):
  • SetThreadContext
  • WriteProcessMemory
  • ResumeThread
Code injection capabilities (PowerLoader):
  • FindWindowW
  • GetWindowLongW
Can access the registry:
  • RegEnumValueW
  • RegOpenKeyExW
  • RegEnumKeyExW
  • RegSetValueExW
  • RegCloseKey
  • RegDeleteValueW
  • RegQueryInfoKeyW
  • RegDeleteKeyW
  • RegGetValueW
Memory manipulation functions often used by packers:
  • VirtualProtectEx
  • VirtualAllocEx
  • VirtualAlloc
Leverages the raw socket API to access the Internet:
  • #14
  • #15
Functions related to the privilege level:
  • OpenProcessToken
  • AdjustTokenPrivileges
Interacts with services:
  • OpenSCManagerW
  • EnumServicesStatusExW
Enumerates drivers present on the system:
  • GetDeviceDriverFileNameW
  • EnumDeviceDrivers
Manipulates other processes:
  • ReadProcessMemory
  • OpenProcess
  • Process32FirstW
  • Process32NextW
  • WriteProcessMemory
Deletes entries from the event log:
  • EvtClearLog
Changes object ACLs:
  • SetKernelObjectSecurity
Can take screenshots:
  • FindWindowW
  • GetDC
  • PrintWindow
  • CreateCompatibleDC

Hashes

MD5 b33d8741d4b6d23f9f1de7435379fc84
SHA1 a8098b0c637653efd458d114b7a6b18705fb6f7b
SHA256 cc2c10f663fdd6389f9c0c3dfc2b9185d0f590dc91a655aa5ea2d41f6c8957f0
SHA3 023cd47c9fa00c59a7790273c8c5821fdc1344c0dc445e91099c7a9bfe374d42
SSDeep 1536:YwsxRFKNSlT1EEbcZPLvWPU+ljWdHvMfz4MQ8EycJNAwKn9SGi:qfFUG2EYZjvWPwHvAEkEycJNAwK9Li
Imports Hash 454fd91198b0216f6c8a3e65d59b41ba

DOS Header

e_magic MZ
e_cblp 0x90
e_cp 0x3
e_crlc 0
e_cparhdr 0x4
e_minalloc 0
e_maxalloc 0xffff
e_ss 0
e_sp 0xb8
e_csum 0
e_ip 0
e_cs 0
e_ovno 0
e_oemid 0
e_oeminfo 0
e_lfanew 0x110

PE Header

Signature PE
Machine IMAGE_FILE_MACHINE_I386
NumberofSections 5
TimeDateStamp 2016-Jan-04 20:12:16
PointerToSymbolTable 0
NumberOfSymbols 0
SizeOfOptionalHeader 0xe0
Characteristics IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE

Image Optional Header

Magic PE32
LinkerVersion 11.0
SizeOfCode 0xce00
SizeOfInitializedData 0x7200
SizeOfUninitializedData 0
AddressOfEntryPoint 0x0000D1F3 (Section: .text)
BaseOfCode 0x1000
BaseOfData 0xe000
ImageBase 0x37de0000
SectionAlignment 0x1000
FileAlignment 0x200
OperatingSystemVersion 6.0
ImageVersion 0.0
SubsystemVersion 6.0
Win32VersionValue 0
SizeOfImage 0x17000
SizeOfHeaders 0x400
Checksum 0
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
DllCharacteristics IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, IMAGE_DLLCHARACTERISTICS_NX_COMPAT
SizeofStackReserve 0x100000
SizeofStackCommit 0x1000
SizeofHeapReserve 0x100000
SizeofHeapCommit 0x1000
LoaderFlags 0
NumberOfRvaAndSizes 16

.text

MD5 f0c0464931b93b12d69f294e66ad4881
SHA1 25f3ece288f11250322ed6c306ef64b96ffc26c3
SHA256 5c91af625b93124c63efa0f6136c4fe03c0c10aace0a438eeaf1701bf071d6bc
SHA3 7409b2577c15bc7f2249c1fffa05865cca2ed0d295ae6f0af7b3f0737babc18a
VirtualSize 0xcc71
VirtualAddress 0x1000
SizeOfRawData 0xce00
PointerToRawData 0x400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy 6.24528

.rdata

MD5 3e80b01fa118d5870e516fad173dfedc
SHA1 78937ab2199b6033f1fd1405e5eab1f6b2ef4477
SHA256 90c736ca54b18cf2be554afd5183531b3cf384d65df8974c9b5c69f1bf1307e8
SHA3 a4b9ed59518f7f26943a10d0690bba6ab52bbe9430b4ab4e8dd1ac5552b1013a
VirtualSize 0x4393
VirtualAddress 0xe000
SizeOfRawData 0x4400
PointerToRawData 0xd200
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 5.8841

.data

MD5 4462786a4b8f08086c38bb619bfed3e3
SHA1 386af522b4b7282bf8d2b940d42c4ac6cbde89b8
SHA256 c8434b402868d2988099c3bf2f20c4853d9cadb3e7830843145f711fee5ae558
SHA3 2881c888b3f904f6168b2b8622356c7c4b8725d6d385dd30707d8ebed53ec368
VirtualSize 0x4f8
VirtualAddress 0x13000
SizeOfRawData 0x200
PointerToRawData 0x11600
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy 4.10233

.rsrc

MD5 718e107a1886ff9ba5a80ee3b7e23a43
SHA1 aa07d92199fd629de5d6b561b89710c945b8af42
SHA256 3a2ac6a2ca1ff1ff49ad538364e40d385ba11d5b26265b72cf058c42e3af79dc
SHA3 674c83ddea08e76e22a79a0201c7972b4693555ec8ae16663f57097b9e11adab
VirtualSize 0xb28
VirtualAddress 0x14000
SizeOfRawData 0xc00
PointerToRawData 0x11800
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy 3.56364

.reloc

MD5 42c89e15ad23dd2d48c170ae375a9651
SHA1 debdbae0bc1e0647a947cf48a309b19dd341fe9d
SHA256 c43daa26faf24768b83a9e7a026b3b1a8a5ebc29547b6f25797c48a1836ac96b
SHA3 2c5be6465c1286b5f9019f15d04ba39e7add4707788323cece028c02a2029fbd
VirtualSize 0x1bee
VirtualAddress 0x15000
SizeOfRawData 0x1c00
PointerToRawData 0x12400
PointerToRelocations 0
PointerToLineNumbers 0
NumberOfLineNumbers 0
NumberOfRelocations 0
Characteristics IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Entropy 5.33247

Imports

Adobe AIR.dll FREGetObjectAsBool
FREGetObjectAsDouble
FREGetObjectAsInt32
FREGetArrayLength
FREGetArrayElementAt
FREAcquireBitmapData
FREInvalidateBitmapDataRect
FREReleaseBitmapData
FRESetContextNativeData
FRESetObjectProperty
FREGetObjectAsUTF8
FREGetObjectType
FRENewObjectFromInt32
FREReleaseByteArray
FREAcquireByteArray
FREGetObjectProperty
FRENewObject
FREDispatchStatusEventAsync
FREGetContextActionScriptData
FRENewObjectFromUint32
FRENewObjectFromBool
FRECallObjectMethod
FRENewObjectFromUTF8
FREGetContextNativeData
FREGetObjectAsUint32
PSAPI.DLL GetPerformanceInfo
GetProcessMemoryInfo
EnumPageFilesW
GetDeviceDriverFileNameW
EnumDeviceDrivers
QueryWorkingSet
InitializeProcessForWsWatch
GetMappedFileNameW
GetWsChangesEx
dbghelp.dll SymEnumTypesW
MiniDumpWriteDump
SymCleanup
SymGetModuleBase64
StackWalk64
SymRefreshModuleList
SymSetOptions
SymFromIndexW
SymGetTypeInfo
SymGetOptions
SymEnumTypesByNameW
SymInitializeW
SymFromNameW
SymFunctionTableAccess64
SymSetSearchPathW
SymGetLineFromAddrW64
SymGetSearchPathW
SymFromAddrW
wevtapi.dll EvtClearLog
EvtRender
EvtNextChannelPath
EvtNext
EvtClose
EvtQuery
EvtOpenChannelEnum
WS2_32.dll #14
#15
IPHLPAPI.DLL GetTcpTable2
KERNEL32.dll DecodePointer
EncodePointer
IsDebuggerPresent
DebugSetProcessKillOnExit
CloseHandle
GetThreadContext
SetThreadContext
ReadProcessMemory
OpenThread
GetProcessId
Module32FirstW
CreateToolhelp32Snapshot
Module32NextW
DebugActiveProcess
QueryPerformanceCounter
OpenProcess
ContinueDebugEvent
WaitForDebugEvent
GetCurrentProcess
GetLastError
CreateRemoteThread
FileTimeToSystemTime
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
FormatMessageW
LocalFree
Heap32ListNext
Heap32Next
Heap32First
Heap32ListFirst
Process32FirstW
Process32NextW
Thread32First
Thread32Next
GetThreadSelectorEntry
VirtualQueryEx
VirtualFreeEx
VirtualProtectEx
VirtualAllocEx
WriteProcessMemory
CreateFileW
GetProcAddress
OutputDebugStringW
UnregisterWait
SetProcessAffinityMask
SetPriorityClass
GetProcessDEPPolicy
GetProcessPriorityBoost
QueryFullProcessImageNameW
SetProcessPriorityBoost
GetProcessTimes
GetPriorityClass
GetProcessHandleCount
GetExitCodeProcess
TerminateProcess
FlushInstructionCache
RegisterWaitForSingleObject
DebugBreakProcess
GetProcessAffinityMask
CheckRemoteDebuggerPresent
FreeLibrary
LoadLibraryW
GetProcessVersion
GetCurrentProcessId
VirtualFree
VirtualAlloc
SetLastError
GetSystemDEPPolicy
IsProcessorFeaturePresent
GetLargePageMinimum
GetSystemInfo
GetVersion
GetProcessIdOfThread
TerminateThread
GetThreadPriorityBoost
SetThreadPriority
SetThreadPriorityBoost
GetExitCodeThread
SetThreadIdealProcessor
GetThreadPriority
GetThreadId
GetCurrentThreadId
GetThreadTimes
SuspendThread
ResumeThread
WaitForSingleObject
RaiseException
InterlockedExchange
LoadLibraryExA
GetSystemTimeAsFileTime
DisableThreadLibraryCalls
DebugActiveProcessStop
USER32.dll IsHungAppWindow
GetWindowInfo
WindowFromPoint
FindWindowW
GetClassLongW
EnumWindows
GetWindowTextLengthW
GetDC
GetGUIThreadInfo
GetWindowLongW
ReleaseDC
PrintWindow
GetGuiResources
GetWindowTextW
IsWindowUnicode
EnumChildWindows
IsWindowVisible
GetWindowThreadProcessId
EnumThreadWindows
GetWindowRect
GetWindowDC
GetClientRect
GetClassInfoW
GDI32.dll CreateBitmap
CreateCompatibleDC
DeleteObject
SelectObject
GetDIBits
ADVAPI32.dll OpenProcessToken
RegEnumValueW
RegOpenKeyExW
RegEnumKeyExW
RegSetValueExW
RegCloseKey
GetKernelObjectSecurity
GetAclInformation
CopySid
InitializeSecurityDescriptor
ConvertStringSidToSidW
SetSecurityDescriptorDacl
GetAce
LookupAccountSidW
SetKernelObjectSecurity
InitializeAcl
FreeSid
AddAce
GetLengthSid
ConvertSidToStringSidW
GetSecurityDescriptorDacl
CloseServiceHandle
OpenSCManagerW
EnumServicesStatusExW
RegDeleteValueW
LookupPrivilegeValueW
AdjustTokenPrivileges
RegQueryInfoKeyW
RegDeleteKeyW
RegGetValueW
ole32.dll CoUninitialize
StringFromGUID2
CoCreateInstance
CoInitialize
MSVCR110.dll ??3@YAXPAX@Z
free
realloc
??1type_info@@UAE@XZ
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__CppXcptFilter
_amsg_exit
_malloc_crt
_initterm
??_U@YAPAXI@Z
?terminate@@YAXXZ
_lock
_unlock
_calloc_crt
__dllonexit
_onexit
__clean_type_info_names_internal
_except_handler4_common
memcpy
__CxxFrameHandler3
_CxxThrowException
??_V@YAXPAX@Z
??2@YAPAXI@Z
malloc
_initterm_e
memset
??1exception@std@@UAE@XZ
MSVCP110.dll ?_Xlength_error@std@@YAXPBD@Z
?_Xout_of_range@std@@YAXPBD@Z
?_Xbad_alloc@std@@YAXXZ
mscoree.dll (delay-loaded) CLRCreateInstance
GetVersionFromProcess
CreateDebuggingInterfaceFromVersion

Delayed Imports

Attributes 0x1
Name mscoree.dll
ModuleHandle 0x13180
DelayImportAddressTable 0x13170
DelayImportNameTable 0x10994
BoundDelayImportTable 0x109f8
UnloadDelayImportTable 0
TimeStamp 1970-Jan-01 00:00:00

WinDebugANEContextFinalizer

Ordinal 1
Address 0x6e60

WinDebugANEContextInitializer

Ordinal 2
Address 0x6e90

WinDebugANEFinalizer

Ordinal 3
Address 0x5e90

WinDebugANEInitializer

Ordinal 4
Address 0x6e40

1

Type RT_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.11094
MD5 e910f8c943d414e1ccfff9ec93fb8a1b
SHA1 a09c7b80a751e4f88af0005c4163472c0944be04
SHA256 dad0bd1972c3dc38f81c4b0969cce9bcdb72d1359f0ce9ac99587d4f3a6e1d3b
SHA3 b631d4932a318cba71f63461374c1b7b1118186c8aa74cd2979815c54c72d05c

2

Type RT_ICON
Language Process Default Language
Codepage UNKNOWN
Size 0x128
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.9874
MD5 7566ce55681134d6d28aec7056060505
SHA1 da64bd202c559e87d74ced07d639de9fa09429bb
SHA256 c6de35944a778c8729f577f7f585ab1a502e7af93e54330211194f69dec531ff
SHA3 a1aa1781d48a7be2b30712fd8c41fce16c36c6ed14e95f1ad8725ab95452db1c

104

Type RT_GROUP_ICON
Language Process Default Language
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 2.02322
Detected Filetype Icon file
MD5 7a9605cb416b1a091d889b9d9f37ec66
SHA1 866c01641d672b6cd69901c1e055f174f47b35bb
SHA256 6bcce1250099cc08d574211b3debabb0244cd2641f6d960538e7ddc97d319164
SHA3 af43e622bf6c842d1ada2985f8e68920ff7b22d8a0b1a12871968c23b5065651

106

Type RT_GROUP_ICON
Language UNKNOWN
Codepage UNKNOWN
Size 0x14
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 1.84274
Detected Filetype Icon file
MD5 f64c60b749269fcf6659c450dda98486
SHA1 42945c3496bc4e1943a1a05926a9b5ee31d3e450
SHA256 ae172a9a2fd008910b537c92a95b38bfba0e5bbdaaca719bf686e6415a7a2ba1
SHA3 443830acdeb37f2b7f844756492b2b11f9fb93e9171617d8c799cebfd05cb37f

1 (#2)

Type RT_VERSION
Language Swedish - Sweden
Codepage UNKNOWN
Size 0x598
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 3.46447
MD5 aeb99831b4a69ccff15d88b6c1ae4916
SHA1 174ac0f7b6aefe0f71e0c26d66a83756aa4352e6
SHA256 428a2ee3dc9c29d4de0f41ccdb9f46106df0e4e3014ae8047f09b768807625e8
SHA3 6cbc0da603c27ece3b0f4455c33f7cf83198bbd964ffe03bb6f6cf1d3665baf3

2 (#2)

Type RT_MANIFEST
Language English - United States
Codepage UNKNOWN
Size 0x17d
TimeDateStamp 1980-Jan-01 00:00:00
Entropy 4.91161
MD5 1e4a89b11eae0fcf8bb5fdd5ec3b6f61
SHA1 4260284ce14278c397aaf6f389c1609b0ab0ce51
SHA256 4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df
SHA3 4bb9e8b5a714cae82782f3831cc2d45f4bf4a50a755fe584d2d1893129d68353

Version Info

Signature 0xfeef04bd
StructVersion 0x10000
FileVersion 0.23.0.3
ProductVersion 0.23.0.3
FileFlags (EMPTY)
FileOs VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32
FileType VFT_DLL
Language UNKNOWN
CompanyName Henrik Andersson
FileDescription Windebug ANE Core dll
FileVersion (#2) 0.23.0.3
InternalName WinDebug.dll
LegalCopyright Copyright Henrik "Henke37" Andersson (C) 2015
OriginalFilename WinDebug.dll
ProductName Windows debugging ANE
ProductVersion (#2) 0.23.0.3
Resource LangID Swedish - Sweden

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics 0
TimeDateStamp 2016-Jan-04 20:12:16
Version 0.0
SizeofData 99
AddressOfRawData 0x100e8
PointerToRawData 0xf2e8
Referenced File C:\Users\Henrik\Documents\c++\debugging-ane\Debug ANE\Release\windebug.pdb

IMAGE_DEBUG_TYPE_VC_FEATURE

Characteristics 0
TimeDateStamp 2016-Jan-04 20:12:16
Version 0.0
SizeofData 16
AddressOfRawData 0x1014c
PointerToRawData 0xf34c

TLS Callbacks

Load Configuration

Size 0x48
TimeDateStamp 1970-Jan-01 00:00:00
Version 0.0
GlobalFlagsClear (EMPTY)
GlobalFlagsSet (EMPTY)
CriticalSectionDefaultTimeout 0
DeCommitFreeBlockThreshold 0
DeCommitTotalFreeThreshold 0
LockPrefixTable 0
MaximumAllocationSize 0
VirtualMemoryThreshold 0
ProcessAffinityMask 0
ProcessHeapFlags (EMPTY)
CSDVersion 0
Reserved1 0
EditList 0
SecurityCookie 0x37df3018
SEHandlerTable 0x37df0370
SEHandlerCount 16

RICH Header

XOR Key 0x7acd1148
Unmarked objects 0
Imports (50929) 4
ASM objects (50929) 2
C objects (50929) 12
188 (30716) 1
C++ objects (50929) 7
C objects (50323) 1
185 (30716) 20
Imports (VS2008 SP1 build 30729) 3
Total imports 256
210 (VS2012 UPD4 build 61030) 64
Exports (VS2012 UPD4 build 61030) 1
Resource objects (VS2012 UPD4 build 61030) 1
151 1
Linker (VS2012 UPD4 build 61030) 1

Errors
