Manalyzer :: cbf5f3b0e3f16066926a1acf72b64cc5b9ab76c952bbab23f7b2d58c36a8e965

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
Compilation Date	2002-Apr-09 05:35:13
Debug artifacts	\src\wdm\DevMng\objfre\i386\DevMng.pdb objfre\i386\DevMng.sys

Plugin Output

Suspicious	The PE is possibly packed.	`Unusual section name found: init` `Unusual section name found: page` `Section INIT is both writable and executable.`
Suspicious	The file contains overlay data.	`655 bytes of data starting at offset 0x12e0.`
Suspicious	No VirusTotal score.	`This file has never been scanned on VirusTotal.`

Hashes

MD5	`5d488b247d739d0e2047b09ca97cb108`
SHA1	`ff4a6509f29ed8a2e628c2f05c018a1d6a5b55e4`
SHA256	`cbf5f3b0e3f16066926a1acf72b64cc5b9ab76c952bbab23f7b2d58c36a8e965`
SHA3	`60fc6cf9a7fc82ea0abfbe8ecc099343c28649eea26a1d78732aa2649d1cb9ab`
SSDeep	`96:cOKFttJnYpLfEqj7KufK8yuUbsPX1wX1FZuprCQofH8DWqA:cV2fxj7KufK8yuLFwFvcrSH8M`
Imports Hash	`6347a01619e630be88daec967faa92e3`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xc0`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`6`
TimeDateStamp	2002-Apr-09 05:35:13
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE` `IMAGE_FILE_LINE_NUMS_STRIPPED` `IMAGE_FILE_LOCAL_SYMS_STRIPPED`

Image Optional Header

Magic	`PE32`
LinkerVersion	`5.0`
SizeOfCode	`0xe40`
SizeOfInitializedData	`0x1e0`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000034A (Section: init)`
BaseOfCode	`0x2c0`
BaseOfData	`0xde0`
ImageBase	`0x10000`
SectionAlignment	`0x20`
FileAlignment	`0x20`
OperatingSystemVersion	`5.0`
ImageVersion	`5.0`
SubsystemVersion	`5.0`
Win32VersionValue	`0`
SizeOfImage	`0x12e0`
SizeOfHeaders	`0x2c0`
Checksum	`0x10fba`
Subsystem	`IMAGE_SUBSYSTEM_NATIVE`
SizeofStackReserve	`0x40000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

init

MD5	`927c5846109842d693f57b4005978230`
SHA1	`33a3e7e7cf4e53315ad30d97e3dfebbd0827eb73`
SHA256	`db313b54235660edb7b48ee1469a159aff3e66f1389b3c909e6b6e3ca9e5d4e8`
SHA3	`9b6f20b499d83e33a5e2edc1d62d48075a74b23c886ca5068e8c8c36c36fe535`
VirtualSize	`0x216`
VirtualAddress	`0x2c0`
SizeOfRawData	`0x220`
PointerToRawData	`0x2c0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`5.64696`

page

MD5	`a554998011eb23ada7e6e217db349609`
SHA1	`dbd4d4f401c3804c7f8011ed8dd67447f436c3cf`
SHA256	`20f1851165c9b305e495dc445c1f640286c2bdc37522ba5bed8899fee799712b`
SHA3	`4fe1ed3e21a6194d5b86d5c67560d682cc0c2e99c727885e5756671e240a0469`
VirtualSize	`0x1fb`
VirtualAddress	`0x4e0`
SizeOfRawData	`0x200`
PointerToRawData	`0x4e0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.07587`

.text

MD5	`293491a2fba78f1e8d2813c3da9d6434`
SHA1	`61da17d075e81eedeaeb3028d8f717808c0902e3`
SHA256	`cbad851618c66f6aadd0b158fbce545836b1c9400ac4329739037b85478f9202`
SHA3	`0be2dadb4833b6cf8c697274a43b9e8cfff3d378bde7c8b8dfcb0bd815373b06`
VirtualSize	`0x6f5`
VirtualAddress	`0x6e0`
SizeOfRawData	`0x700`
PointerToRawData	`0x6e0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`6.31177`

.rdata

MD5	`716b3652ec5840d6a960130d92eb870d`
SHA1	`e6bda61907e2f2b9cb6ea5b403ac6f5250c7cf5a`
SHA256	`71c78759f55fde430668e9422205e50a66e67937f9551f8264876e052b29a4e1`
SHA3	`13234c498c893a2384b76017f13c07cdf492bca31e4770147bb78b70f1e24596`
VirtualSize	`0xd4`
VirtualAddress	`0xde0`
SizeOfRawData	`0xe0`
PointerToRawData	`0xde0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_NOT_PAGED` `IMAGE_SCN_MEM_READ`
Entropy	`2.67928`

INIT

MD5	`699909860e9f4ab540aac227373e9245`
SHA1	`09b8c46a6ee8481fdaa95c7fbbc268b9f2961dc9`
SHA256	`6ecfd420340a0e5f7cf1c9349b69ebd17fb707572afafa98ae58dc3bb1794b37`
SHA3	`9bd873b6c1b41e80ec702d00af1f854a65134c8b70f2ac0621ee0408627cf3a8`
VirtualSize	`0x31a`
VirtualAddress	`0xec0`
SizeOfRawData	`0x320`
PointerToRawData	`0xec0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.99596`

.reloc

MD5	`19aea5bf0b3d781e3710ae155d7d7cc8`
SHA1	`0c1fc3aaeb34e68a9207f0063a54d2eab57757e1`
SHA256	`c0460345349e1dd9e73c122ee8092a7fb50d868ed5fe9f4cf8bcfe1a4a58f0dd`
SHA3	`dc8cda0b3c85c0471f4750f3dbafab49b6cee1be83982794de5a9be1949aa37b`
VirtualSize	`0xe2`
VirtualAddress	`0x11e0`
SizeOfRawData	`0x100`
PointerToRawData	`0x11e0`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`4.09733`

Imports

ntoskrnl.exe	`ExRegisterCallback` `RtlInitUnicodeString` `KeInitializeSpinLock` `IoCreateDevice` `RtlAnsiStringToUnicodeString` `RtlInitAnsiString` `IofCompleteRequest` `IoDeleteSymbolicLink` `ExUnregisterCallback` `ExFreePool` `IoCreateSymbolicLink` `ExCreateCallback` `KeRemoveEntryDeviceQueue` `KeRemoveDeviceQueue` `KeInsertDeviceQueue` `ObfDereferenceObject` `RtlFreeUnicodeString` `IoGetDeviceObjectPointer` `sprintf` `KeInitializeDeviceQueue` `strncmp` `ExAllocatePoolWithTag` `IoReleaseCancelSpinLock` `IoDeleteDevice` `IoAcquireCancelSpinLock`
HAL.dll	`KfAcquireSpinLock` `KfReleaseSpinLock`

Delayed Imports

Version Info

IMAGE_DEBUG_TYPE_MISC

Characteristics	`0`
TimeDateStamp	2002-Apr-09 05:35:13
Version	`0.0`
SizeofData	`272`
AddressOfRawData	`0`
PointerToRawData	`0x12e0`
Referenced File	objfre\i386\DevMng.sys

IMAGE_DEBUG_TYPE_FPO

Characteristics	`0`
TimeDateStamp	2002-Apr-09 05:35:13
Version	`0.0`
SizeofData	`320`
AddressOfRawData	`0`
PointerToRawData	`0x13f0`

IMAGE_DEBUG_TYPE_CODEVIEW

Characteristics	`0`
TimeDateStamp	2002-Apr-09 05:35:13
Version	`0.0`
SizeofData	`63`
AddressOfRawData	`0`
PointerToRawData	`0x1530`
Referenced File	\src\wdm\DevMng\objfre\i386\DevMng.pdb

TLS Callbacks

Load Configuration

RICH Header

XOR Key	`0x8d3ba141`
Unmarked objects	`0`
Total imports	`27`
19 (9049)	`5`
C objects (VS98 build 8168)	`6`

Errors

Leave a comment

No comments yet.