Disassembly of False Positives for Microsoft Word under SCRAP

Transcription

1 Disassembly of False Positives for Microsoft Word under SCRAP We evaluated Word application of Microsoft Office 2010 Suite using a 54 KiB document [1] under the SCRAP configuration S 7,4 for one billion instructions. Following is the disassembly of functions where false positives occur, grouped into different Dynamic-link Libraries (DLLs). Exact lines are marked with an arrow. Our anaylsis is limited for Office libraries because their debugging symbols are not publicly avaliable. The first six false positives in kernel32.dll, ntdll.dll, andgdi32.dll are about the way DLL Imports are handled, either with a jump stub or an indirect call, both using the Import Address Table (IAT) [2]. Note that this is very similar to the Procedure Linkage Table (PLT) and Global Offset Table (GOT) structures found in Linux systems. The next two libraries with false positives (comdlg32.dll, msctf.dll) are almost identical, again loading an address from the IAT to a register and calling it a dozen times every 2-3 instructions. Note that, the symbol name starts with imp prefix, which means that it resides in the IAT [3]. MSO.DLL has one case that uses IAT and four cases that use a variant of call/jump table (two cases are using calls, two remaining cases are using jumps). No symbols are publicly available, so we were unable to identify more details. WWLIB.DLL also behaves similar to comdlg32.dll and msctf.dll. Specifically, it loads an address, possibly from IAT, and then repeatedly calls it. Again, no symbols are available. The last library (combase.dll) appears to be using a function pointer inside a loop (probably for a data structure of a generic type) In summary, the majority of the false positives (possibly only with the exception of the last one) can be simply discarded if the address was from the IAT. Going forward, the handling of the dynamic linking can be altered to either not generate such gadget-like sequences (note that the ones from comdlg32.dll and msctf.dll look very much like real attack codes) or possibly patch the instructions themselves and not use indirect jumps/calls for imported functions. 1

2 Module: kernel32.dll Module Address: Description: Most of the Win32 base APIs, such as memory management, input/output operations, process and thread creation, and synchronization functions. Many of these are implemented within KERNEL32.DLL by calling corresponding functions in the native API, exposed by NTDLL.DLL ->753683E8 jmp dword ptr [ imp DuplicateHandle@28 (753C0494h)] EE int EF int F0 int F1 int F2 int F3 int 3 _TlsAllocStub@0: ->7535D1F5 jmp dword ptr [ imp TlsAlloc@0 (753C08BCh)] 7535D1FB int D1FC int D1FD int D1FE int D1FF int 3 Module: ntdll.dll Module Address: 777E Description: Windows Native API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented in NTDLL.DLL and at the upper edge of ntoskrnl.exe (and its variants); the majority of exported symbols within these libraries are prefixed Nt, e.g., NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL. The large majority of Windows applications do not call NTDLL.DLL directly. _NtOpenProcessToken@12: 7781C6E0 mov eax,10eh ->7781C6E5 call dword ptr fs:[0c0h] 7781C6EC ret 0Ch 7781C6EF nop _NtReleaseMutant@8: 7781B7F0 mov eax,7001fh ->7781B7F5 call dword ptr fs:[0c0h] 7781B7FC ret B7FF nop _ZwSetEvent@8: 7781B6D0 mov eax,7000dh ->7781B6D5 call dword ptr fs:[0c0h] 7781B6DC ret B6DF nop 2

3 Module: gdi32.dll Module Address: 76B C78000 Description: Graphics Device Interface (GDI) functions that perform primitive drawing functions for output to video displays and printers. Applications call GDI functions directly to perform low-level drawing, text output, font management, and similar functions. 76BAC48D mov eax,71072h ->76BAC492 call dword ptr fs:[0c0h] 76BAC499 ret 8 76BAC49C nop Module: comdlg32.dll Module Address: Description: Common Dialog Boxes FInitFile: FD mov edi,edi FF push esi push 13h call dword ptr [ imp GetSystemMetrics@4 (755F31F0h)] mov esi,dword ptr [ imp RegisterWindowMessageA@4 (755F3220h)] E mov dword ptr [_bmouse (755EF264h)],eax mov eax,0a0ah push offset szmsgwowlfchange (755EF764h) D mov word ptr [_wwinver (755EF20Ch)],ax call esi push offset szmsgwowdirchange (755EF77Ch) A mov dword ptr [_msgwowlfchange (755EF2C8h)],eax F call esi push offset szmsgwowchoosefont_getlogfont (755EF804h) mov dword ptr [_msgwowdirchange (755EF2A0h)],eax B call esi D push offset szmsglbchangea (755EF83Ch) mov dword ptr [_msgwowchoosefont_getlogfont (755EF2C4h)],eax call esi push offset szmsgshareviolationa (755EF7D4h) E mov dword ptr [_msglbchangea (755EF24Ch)],eax call esi push offset szmsgfileoka (755EF7ACh) A mov dword ptr [_msgshareviolationa (755EF260h)],eax F call esi push offset szmsgcoloroka (755EF79Ch) mov dword ptr [_msgfileoka (755EF26Ch)],eax B call esi D push offset szmsgsetrgba (755EF7C0h) mov dword ptr [_msgcoloroka (755EF274h)],eax call esi mov esi, dword ptr [ imp RegisterWindowMessageW@4 (755F32BCh)] F push offset szmsglbchangew (755EF8F8h) 3

4 mov dword ptr [_msgsetrgba (755EF278h)],eax call esi B push offset szmsgshareviolationw (755EF8C8h) mov dword ptr [_msglbchangew (755EF268h)],eax call esi push offset szmsgfileokw (755EF878h) C mov dword ptr [_msgshareviolationw (755EF250h)],eax A1 call esi A3 push offset szmsgcolorokw (755EF858h) A8 mov dword ptr [_msgfileokw (755EF270h)],eax AD call esi AF push offset szmsgsetrgbw (755EF8A0h) B4 mov dword ptr [_msgcolorokw (755EF298h)],eax ->755918B9 call esi BB mov dword ptr [_msgsetrgbw (755EF254h)],eax C0 pop esi C1 ret C2 nop C3 nop C4 nop C5 nop C6 nop Module: msctf.dll Module Address: 76D DF7000 Description: Microsoft Text Service Module RegisterMSIMEMessage: 76D19767 mov edi,edi 76D19769 push ebx 76D1976A push edi 76D1976B mov ebx,offset g_cs (76DA91BCh) 76D19770 xor edi,edi 76D19772 push ebx 76D19773 inc edi 76D19774 call dword ptr [ imp EnterCriticalSection@4 (76DAB0F8h)] 76D1977A cmp dword ptr [CUIFSystemInfo::m_fInitialized+4 (76DA9160h)],0 76D19781 jne RegisterMSIMEMessage+0FBh (76D19862h) 76D19787 push esi 76D19788 mov esi,dword ptr [ imp RegisterWindowMessageW@4 (76DAB3D8h)] 76D1978E push offset string L"MSIMEService" (76D19874h) 76D19793 call esi 76D19795 push offset string L"MSIMEUIReady" (76D19890h) 76D1979A mov dword ptr [WM_MSIME_SERVICE (76DA90C0h)],eax 76D1979F call esi 76D197A1 push offset string L"MSIMEReconvertReques"... (76D198ACh) 76D197A6 mov dword ptr [WM_MSIME_UIREADY (76DA90B8h)],eax 76D197AB call esi 76D197AD push offset string L"MSIMEReconvert" (76D198D8h) 76D197B2 mov dword ptr [WM_MSIME_RECONVERTREQUEST (76DA90BCh)],eax 76D197B7 call esi 76D197B9 push offset string L"MSIMEDocumentFeed" (76D198F8h) 76D197BE mov dword ptr [WM_MSIME_RECONVERT (76DA90B0h)],eax 4

5 ->76D197C3 call esi 76D197C5 push offset string L"MSIMEQueryPosition" (76D1991Ch) 76D197CA mov dword ptr [WM_MSIME_DOCUMENTFEED (76DA90B4h)],eax ->76D197CF call esi 76D197D1 push offset string L"MSIMEModeBias" (76D19944h) 76D197D6 mov dword ptr [WM_MSIME_QUERYPOSITION (76DA90A8h)],eax ->76D197DB call esi 76D197DD push offset string L"MSIMEShowImePad" (76D19960h) 76D197E2 mov dword ptr [WM_MSIME_MODEBIAS (76DA909Ch)],eax ->76D197E7 call esi 76D197E9 push offset string L"MSIMEMouseOperation" (76D19980h) 76D197EE mov dword ptr [WM_MSIME_SHOWIMEPAD (76DA90ACh)],eax ->76D197F3 call esi 76D197F5 push offset string L"MSIMEKeyMap" (76D199A8h) 76D197FA mov dword ptr [WM_MSIME_MOUSE (76DA90A0h)],eax ->76D197FF call esi 76D19801 cmp dword ptr [WM_MSIME_SERVICE (76DA90C0h)],0 76D19808 mov dword ptr [WM_MSIME_KEYMAP (76DA90A4h)],eax 76D1980D pop esi 76D1980E je RegisterMSIMEMessage+107h (76D1986Eh) 76D19810 cmp dword ptr [WM_MSIME_UIREADY (76DA90B8h)],0 76D19817 je RegisterMSIMEMessage+107h (76D1986Eh) 76D19819 cmp dword ptr [WM_MSIME_RECONVERTREQUEST (76DA90BCh)],0 76D19820 je RegisterMSIMEMessage+107h (76D1986Eh) 76D19822 cmp dword ptr [WM_MSIME_RECONVERT (76DA90B0h)],0 76D19829 je RegisterMSIMEMessage+107h (76D1986Eh) 76D1982B cmp dword ptr [WM_MSIME_DOCUMENTFEED (76DA90B4h)],0 76D19832 je RegisterMSIMEMessage+107h (76D1986Eh) 76D19834 cmp dword ptr [WM_MSIME_QUERYPOSITION (76DA90A8h)],0 76D1983B je RegisterMSIMEMessage+107h (76D1986Eh) 76D1983D cmp dword ptr [WM_MSIME_MODEBIAS (76DA909Ch)],0 76D19844 je RegisterMSIMEMessage+107h (76D1986Eh) 76D19846 cmp dword ptr [WM_MSIME_SHOWIMEPAD (76DA90ACh)],0 76D1984D je RegisterMSIMEMessage+107h (76D1986Eh) 76D1984F cmp dword ptr [WM_MSIME_MOUSE (76DA90A0h)],0 76D19856 je RegisterMSIMEMessage+107h (76D1986Eh) 76D19858 test eax,eax 76D1985A je RegisterMSIMEMessage+107h (76D1986Eh) 76D1985C mov dword ptr [CUIFSystemInfo::m_fInitialized+4 (76DA9160h)],edi 76D19862 push ebx 76D19863 call dword ptr [ imp LeaveCriticalSection@4 (76DAB0E8h)] 76D19869 mov eax,edi 76D1986B pop edi 76D1986C pop ebx 76D1986D ret 76D1986E xor edi,edi 76D19870 jmp RegisterMSIMEMessage+0FBh (76D19862h) 76D19872 nop 76D19873 nop Module: MSO.DLL (Symbols not available) Module Address: 60EB FFD000 Description: (Common Files\Microsoft Shared\OFFICE14\MSO.DLL) 5

6 612C569B push ebp 612C569C mov ebp,esp 612C569E mov eax,dword ptr [ebp+0ch] 612C56A1 push esi 612C56A2 cmp eax,1 612C56A5 jne 612C56F5 612C56A7 call dword ptr ds:[60eb1a34h] 612C56AD push 2 612C56AF xor esi,esi 612C56B1 push esi 612C56B2 push esi 612C56B3 mov esi,dword ptr ds:[60eb1a10h] (_GetCurrentProcess@0@kernel32.dll) 612C56B9 push 61E7F978h 612C56BE mov dword ptr ds:[61e7f974h],eax 612C56C3 call esi 612C56C5 push eax 612C56C6 call dword ptr ds:[60eb1a0ch] 612C56CC push eax 612C56CD call esi 612C56CF push eax 612C56D0 call dword ptr ds:[60eb194ch] (_DuplicateHandle@28@kernel32.dll) ->612C56D6 call dword ptr ds:[60eb19cch] (_TlsAllocStub@0@kernel32.dll) 612C56DC mov dword ptr ds:[61e3968ch],eax 612C56E1 call 612C57E6 612C56E6 mov ecx,61e7f428h 612C56EB call 612C B83B8 push ebp 612B83B9 mov ebp,esp 612B83BB cmp dword ptr [ebp+0ch],0 612B83BF jne 612B83C5 612B83C1 mov al,1 612B83C3 jmp 612B83E7 612B83C5 push esi 612B83C6 mov esi,dword ptr [ebp+8] 612B83C9 jmp 612B83E0 612B83CB mov eax,dword ptr [esi] 612B83CD mov ecx,esi ->612B83CF call dword ptr [eax+0ch] 612B83D2 cmp eax,dword ptr [ebp+0ch] 612B83D5 je 612B83EB 612B83D7 mov eax,dword ptr [esi] 612B83D9 mov ecx,esi ->612B83DB call dword ptr [eax+2ch] 612B83DE mov esi,eax 612B83E0 test esi,esi 612B83E2 jne 612B83CB 612B83E4 xor al,al 612B83E6 pop esi 612B83E7 pop ebp 612B83E8 ret E06A push ebp 6

7 6132E06B mov ebp,esp 6132E06D push ecx 6132E06E push ecx 6132E06F push ebx 6132E070 push esi 6132E071 mov ebx,40c0000ah 6132E076 push edi 6132E077 mov esi,ecx 6132E079 cmp dword ptr [ebp+8],ebx 6132E07C jne 6132E E082 call C5 6132E087 test al,al 6132E089 jne 6132E E08F and dword ptr [ebp+8],0 6132E093 lea eax,[ebp+8] 6132E096 push eax 6132E097 push E099 call 61299A7D 6132E09E cmp dword ptr [esi+50h],0 6132E0A2 je 6132E0B0 6132E0A4 lea eax,[ebp+8] 6132E0A7 push eax 6132E0A8 push ebx 6132E0A9 mov ecx,esi 6132E0AB call 61343AA6 6132E0B0 mov eax,dword ptr [ebp+8] 6132E0B3 cmp byte ptr [eax+8],0 6132E0B7 je 6132E0CB 6132E0B9 test byte ptr [esi+5dh],1 6132E0BD je 6132E0CB 6132E0BF lea eax,[ebp+8] 6132E0C2 push eax 6132E0C3 push ebx 6132E0C4 mov ecx,esi 6132E0C6 call 61646DAB 6132E0CB mov eax,dword ptr [ebp+8] 6132E0CE cmp byte ptr [eax+8],0 6132E0D2 je 6132E E0D4 lea edi,[esi+38h] 6132E0D7 mov eax,dword ptr [edi] 6132E0D9 push ebx 6132E0DA mov ecx,edi 6132E0DC call dword ptr [eax+10h] 6132E0DF test al,al 6132E0E1 je 6132E E0E3 mov eax,dword ptr [edi] 6132E0E5 lea ecx,[ebp+8] 6132E0E8 push ecx 6132E0E9 push ebx 6132E0EA mov ecx,edi 6132E0EC call dword ptr [eax+14h] 6132E0EF test al,al 6132E0F1 jne 6132E E0F3 mov ecx,dword ptr [ebp+8] 7

8 6132E0F6 test ecx,ecx 6132E0F8 je 6132E0FF 6132E0FA call E0FF xor al,al 6132E101 jmp 6132E24E 6132E106 mov eax,dword ptr [ebp+8] 6132E109 cmp byte ptr [eax+8],0 6132E10D je 6132E1B4 6132E113 lea edi,[esi+40h] 6132E116 mov eax,dword ptr [edi] 6132E118 mov ecx,edi 6132E11A call dword ptr [eax+4ch] 6132E11D mov dword ptr [ebp-4],eax 6132E120 cmp eax,1 6132E123 jne 6132E12E 6132E125 mov dword ptr [ebp-4],3014h 6132E12C jmp 6132E E12E push eax 6132E12F call FD 6132E134 test al,al 6132E136 jne 6132E20D 6132E13C cmp dword ptr [ebp-4],41f0h 6132E143 je 6132E20D 6132E149 mov al,byte ptr [esi+5ch] 6132E14C shr al,6 6132E14F test al,1 6132E151 je 6132E E153 push dword ptr [ebp+0ch] 6132E156 push E158 call 61299A7D 6132E15D mov ecx,dword ptr [ebp+8] 6132E160 mov bl,al 6132E162 test ecx,ecx 6132E164 je 6132E16B 6132E166 call E16B mov al,bl 6132E16D jmp 6132E24E 6132E172 mov eax,dword ptr [edi] 6132E174 mov ecx,edi 6132E176 call dword ptr [eax+44h] 6132E179 test eax,eax 6132E17B je 6132E1B4 6132E17D mov eax,dword ptr [edi] 6132E17F mov ecx,edi 6132E181 call dword ptr [eax+44h] 6132E184 mov edx,dword ptr [eax] 6132E186 mov ecx,eax 6132E188 call dword ptr [edx+10h] 6132E18B mov ecx,dword ptr [esi+44h] 6132E18E mov ebx,eax 6132E190 mov eax,dword ptr [ecx] 6132E192 mov edi,dword ptr [ebx] 6132E194 call dword ptr [eax+60h] 6132E197 push eax 8

9 6132E198 push dword ptr [ebp-4] 6132E19B mov ecx,ebx ->6132E19D call dword ptr [edi+1ch] 6132E1A0 test al,al 6132E1A2 jne 6132E1AF 6132E1A4 lea eax,[ebp+8] 6132E1A7 push eax 6132E1A8 push E1AA call 61299A7D 6132E1AF mov ebx,40c0000ah 6132E1B4 mov eax,dword ptr [ebp+8] 6132E1B7 cmp byte ptr [eax+8],0 6132E1BB je 6132E20D 6132E1BD mov eax,dword ptr [esi] 6132E1BF lea ecx,[ebp-4] 6132E1C2 push ecx 6132E1C3 xor edi,edi 6132E1C5 mov ecx,esi 6132E1C7 mov dword ptr [ebp-4],edi 6132E1CA call dword ptr [eax+50h] 6132E1CD test al,al 6132E1CF je 6132E1FD 6132E1D1 mov ecx,dword ptr [ebp-4] 6132E1D4 lea edx,[ebp-8] 6132E1D7 push edx 6132E1D8 mov dword ptr [ebp-8],edi 6132E1DB mov eax,dword ptr [ecx] 6132E1DD push ebx 6132E1DE call dword ptr [eax+14h] 6132E1E1 test al,al 6132E1E3 je 6132E1F1 6132E1E5 lea eax,[ebp-8] 6132E1E8 push eax 6132E1E9 lea ecx,[ebp+8] 6132E1EC call 612F1C E1F1 mov ecx,dword ptr [ebp-8] 6132E1F4 cmp ecx,edi 6132E1F6 je 6132E1FD 6132E1F8 call E1FD mov eax,dword ptr [ebp-4] 6132E200 mov dword ptr [ebp-4],edi 6132E203 cmp eax,edi 6132E205 je 6132E20D 6132E207 mov ecx,dword ptr [eax] 6132E209 push eax 6132E20A call dword ptr [ecx+8] 6132E20D mov ecx,dword ptr [ebp+0ch] 6132E210 lea eax,[ebp+8] 6132E213 push eax 6132E214 call 612F1C E219 mov ecx,dword ptr [ebp+8] 6132E21C test ecx,ecx 6132E21E je 6132E E220 call

10 6132E225 mov al,1 6132E227 jmp 6132E24E 6132E229 cmp dword ptr [ebp+8],3dh 6132E22D jne 6132E E22F test byte ptr [esi+64h],1 6132E233 jne 6132E E235 push dword ptr [ebp+0ch] 6132E238 push E23A call 612EC0C4 6132E23F jmp 6132E24E 6132E241 push dword ptr [ebp+0ch] 6132E244 mov ecx,esi 6132E246 push dword ptr [ebp+8] 6132E249 call 6132E E24E pop edi 6132E24F pop esi 6132E250 pop ebx 6132E251 leave 6132E252 ret AB45 mov ecx,dword ptr [ecx+14h] 6133AB48 mov eax,dword ptr [ecx] 6133AB4A jmp dword ptr [eax+24h] 6133AB4D mov ecx,dword ptr [ecx+14h] 6133AB50 mov eax,dword ptr [ecx] ->6133AB52 jmp dword ptr [eax+18h] 6133AB55 push ebp 6133AB56 mov ebp,esp 6133AB58 mov eax,dword ptr [ebp+8] 6133AB5B and dword ptr [eax+3ch],0 6133AB5F push eax 6133AB60 call 6130E8F4 6133AB65 pop ebp 6133AB66 ret A08F push ebp 6129A090 mov ebp,esp 6129A092 mov eax,dword ptr [ebp+8] 6129A095 test eax,eax 6129A097 je 6129A0CE 6129A099 cmp eax,29h 6129A09C jle 6129A0E4 6129A09E cmp eax,2bh 6129A0A1 jle 6129A0CE 6129A0A3 cmp eax, h 6129A0A8 je 6129A0BB 6129A0AA cmp eax,40c0000ah 6129A0AF jne 6129A0E4 6129A0B1 push dword ptr [ebp+0ch] 6129A0B4 mov eax,dword ptr [ecx] 6129A0B6 call dword ptr [eax+48h] 6129A0B9 jmp 6129A0C3 6129A0BB push dword ptr [ebp+0ch] 6129A0BE mov eax,dword ptr [ecx] 10

11 6129A0C0 call dword ptr [eax+44h] 6129A0C3 movzx eax,al 6129A0C6 push eax 6129A0C7 call 61299A7D 6129A0CC jmp 6129A0EA 6129A0CE cmp dword ptr [ecx+8],0 6129A0D2 je 6129A0E8 6129A0D4 push dword ptr [ebp+0ch] 6129A0D7 mov ecx,dword ptr [ecx+8] 6129A0DA mov edx,dword ptr [ecx] 6129A0DC push eax 6129A0DD call dword ptr [edx+14h] 6129A0E0 test al,al 6129A0E2 jne 6129A0E8 6129A0E4 xor al,al 6129A0E6 jmp 6129A0EA 6129A0E8 mov al,1 6129A0EA pop ebp 6129A0EB ret A0EE mov al,byte ptr [ecx+54h] 6129A0F1 and al,1 6129A0F3 ret 6129A0F4 push A0F6 add ecx,0ffffffcch 6129A0F9 call 6133E8BD 6129A0FE ret 6129A0FF mov eax,dword ptr [ecx] 6129A101 call dword ptr [eax+0ch] 6129A104 mov al,1 6129A106 ret 6129A107 xor eax,eax 6129A109 cmp dword ptr [ecx+8],eax 6129A10C je 6129A A10E mov ecx,dword ptr [ecx+8] 6129A111 mov eax,dword ptr [ecx] ->6129A113 jmp dword ptr [eax+4ch] 6129A116 ret Module: WWLIB.DLL Module Address: 63E AA000 Description: (Microsoft Office\Office14\WWLIB.DLL) 63E446A7 push ebp 63E446A8 mov ebp,esp 63E446AA push ebx 63E446AB mov ebx,dword ptr [ebp+8] 63E446AE push esi 63E446AF mov esi,dword ptr ds:[63e310c0h] 63E446B5 push edi 63E446B6 mov edi,dword ptr [ebp+0ch] 63E446B9 push dword ptr [edi+0f8h] 63E446BF push ebx 63E446C0 call esi 11

12 63E446C2 push dword ptr [edi+0fch] 63E446C8 mov dword ptr [edi+0f8h],eax 63E446CE push ebx 63E446CF call esi 63E446D1 push dword ptr [edi+11ch] 63E446D7 mov dword ptr [edi+0fch],eax 63E446DD push ebx 63E446DE call esi 63E446E0 push dword ptr [edi+120h] 63E446E6 mov dword ptr [edi+11ch],eax 63E446EC push ebx 63E446ED call esi 63E446EF push dword ptr [edi+100h] 63E446F5 mov dword ptr [edi+120h],eax 63E446FB push ebx ->63E446FC call esi 63E446FE push dword ptr [edi+108h] 63E44704 mov dword ptr [edi+100h],eax 63E4470A push ebx ->63E4470B call esi 63E4470D push dword ptr [edi+104h] 63E44713 mov dword ptr [edi+108h],eax 63E44719 push ebx ->63E4471A call esi 63E4471C push dword ptr [edi+110h] 63E44722 mov dword ptr [edi+104h],eax 63E44728 push ebx ->63E44729 call esi 63E4472B push dword ptr [edi+114h] 63E44731 mov dword ptr [edi+110h],eax 63E44737 push ebx ->63E44738 call esi 63E4473A push dword ptr [edi+10ch] 63E44740 mov dword ptr [edi+114h],eax 63E44746 push ebx ->63E44747 call esi 63E44749 push dword ptr [edi+130h] 63E4474F mov dword ptr [edi+10ch],eax 63E44755 xor eax,eax 63E44757 cmp dword ptr [edi+108h],0ffffffh 63E44761 push ebx 63E44762 sete al 63E44765 xor eax,dword ptr [edi] 63E44767 and eax,1 63E4476A xor dword ptr [edi],eax 63E4476C call esi 63E4476E push dword ptr [edi+134h] 63E44774 mov dword ptr [edi+130h],eax 63E4477A push ebx 63E4477B call esi 63E4477D push dword ptr [edi+124h] 63E44783 mov dword ptr [edi+134h],eax 63E44789 push ebx 63E4478A call esi 12

13 63E4478C push dword ptr [edi+128h] 63E44792 mov dword ptr [edi+124h],eax 63E44798 push ebx 63E44799 call esi 63E4479B push dword ptr [edi+12ch] 63E447A1 mov dword ptr [edi+128h],eax 63E447A7 push ebx ->63E447A8 call esi 63E447AA mov dword ptr [edi+12ch],eax 63E447B0 add edi,144h 63E447B6 push dword ptr [edi] 63E447B8 push ebx ->63E447B9 call esi 63E447BB mov dword ptr [edi],eax 63E447BD pop edi 63E447BE pop esi 63E447BF pop ebx 63E447C0 pop ebp 63E447C1 ret 8 Module: combase.dll Module Address: DE000 Description: Microsoft COM for Windows vector destructor iterator : 775B771A mov edi,edi 775B771C push ebp 775B771D mov ebp,esp 775B771F push ebx 775B7720 push esi 775B7721 mov ebx,edx 775B7723 push edi 775B7724 mov edi,dword ptr [ebp+8] 775B7727 mov esi,ebx 775B7729 imul esi,edi 775B772C add esi,ecx 775B772E dec edi 775B772F js vector destructor iterator +20h (775B773Ah) 775B7731 sub esi,ebx 775B7733 mov ecx,esi ->775B7735 call dword ptr [ebp+0ch] 775B7738 jmp vector destructor iterator +1Dh (775B772Eh) 775B773A pop edi 775B773B pop esi 775B773C pop ebx 775B773D pop ebp 775B773E ret 8 13

14 References [1] The Constitution of the United States, retrieved October 2013 from constitution.org/cons/constitution.doc. [2] M. Pietrek, Inside Windows An in-depth look into the Win32 Portable Executable file format, part 2, MSDN magazine, pp , [3] Info: Using declspec(dllimport) & declspec(dllexport) in code, retrieved October 2013 from 14