Disassembly of False Positives for Microsoft Word under SCRAP




We evaluated the Word application of the Microsoft Office 2010 suite using a 54 KiB document [1] under the SCRAP configuration S_{7,4} for one billion instructions. Below is the disassembly of the functions in which false positives occur, grouped by Dynamic-Link Library (DLL). The exact instructions are marked with an arrow (->). Our analysis of the Office libraries is limited because their debugging symbols are not publicly available.

The first six false positives, in kernel32.dll, ntdll.dll and gdi32.dll, stem from the way DLL imports are handled: either through a jump stub or through an indirect call, both of which go through the Import Address Table (IAT) [2]. This is very similar to the Procedure Linkage Table (PLT) and Global Offset Table (GOT) structures found on Linux systems.

The next two libraries with false positives (comdlg32.dll and msctf.dll) are almost identical: again an address is loaded from the IAT into a register and then called a dozen times, once every 2-3 instructions. Note that the symbol name starts with the __imp_ prefix, which means that it resides in the IAT [3].

MSO.DLL has one case that uses the IAT and four cases that use a variant of a call/jump table (two cases use calls, the remaining two use jumps). No symbols are publicly available, so we were unable to identify further details. WWLIB.DLL behaves similarly to comdlg32.dll and msctf.dll: it loads an address, possibly from the IAT, and then calls it repeatedly. Again, no symbols are available. The last library (combase.dll) appears to be invoking a function pointer inside a loop (probably for a data structure of a generic type).

In summary, the majority of the false positives (possibly with the only exception of the last one) can simply be discarded if the target address was loaded from the IAT. Going forward, the handling of dynamic linking can be altered either so that it does not generate such gadget-like sequences (note that the ones from comdlg32.dll and msctf.dll look very much like real attack code) or so that the instructions themselves are patched and indirect jumps/calls are not used for imported functions.
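As an added example (not part of this appendix and not SCRAP's own code), the following Python script applies the discard rule from the summary above to instruction traces: it tracks which register values were loaded from the IAT and stops counting an indirect branch as gadget-like when its target pointer came from there. The trace lines are taken from the comdlg32.dll and MSO.DLL listings below (with the __imp_ import-symbol prefix written out); the comdlg32 IAT address range and the gadget-length threshold are assumptions, since the page gives neither.

```python
import re

# Operand shapes that occur in the listings (Visual Studio disassembly syntax).
INDIRECT = re.compile(r"^(?:call|jmp)\s+(?:dword ptr\s+(?P<seg>[a-z]s:)?\[(?P<mem>[^\]]+)\]"
                      r"|(?P<reg>e[a-z]{2}))$")
LOAD = re.compile(r"^mov\s+(?P<reg>e[a-z]{2}),dword ptr\s+(?P<seg>[a-z]s:)?\[(?P<mem>[^\]]+)\]$")
WRITES = re.compile(r"^(?:mov|pop|xor|lea|add|sub|and|or|movzx|imul)\s+(?P<reg>e[a-z]{2})\b")

def mem_address(seg, mem):
    """Absolute address of a memory operand, or None when it is register- or TEB-relative."""
    if seg and seg != "ds:":                       # fs:[0c0h] is not an IAT slot
        return None
    m = re.search(r"\(([0-9A-Fa-f]+)h\)", mem)     # "[_sym (755F3220h)]"
    if m is None:
        m = re.fullmatch(r"([0-9A-Fa-f]+)h", mem)  # "ds:[60eb1a34h]"
    return int(m.group(1), 16) if m else None

def scan(trace, iat_range=None, max_gadget_len=6):
    """Longest chain of consecutive gadget-like runs (at most max_gadget_len instructions,
    each ended by an indirect branch). With iat_range set, an indirect branch whose pointer
    was loaded from the IAT is not counted at all: the discard rule proposed in the summary."""
    lo, hi = iat_range if iat_range else (0, 0)
    reg_src = {}               # register -> address its current value was loaded from
    run = chain = longest = 0
    for line in trace.strip().splitlines():
        text = re.sub(r",\s+", ",", line.lstrip("-> ").split(None, 1)[1].strip())
        run += 1
        br = INDIRECT.match(text)
        if br:
            if br.group("reg"):                                  # call esi / jmp eax
                src = reg_src.get(br.group("reg"))
            else:
                src = mem_address(br.group("seg"), br.group("mem"))
            if src is not None and lo <= src < hi:
                continue                                         # IAT-sourced: discard
            chain = chain + 1 if run <= max_gadget_len else 0
            longest = max(longest, chain)
            run = 0
            continue
        ld = LOAD.match(text)
        if ld:
            reg_src[ld.group("reg")] = mem_address(ld.group("seg"), ld.group("mem"))
        elif WRITES.match(text):
            reg_src.pop(WRITES.match(text).group("reg"), None)  # overwritten: provenance lost
    return longest

# Lines from the comdlg32.dll FInitFile listing. The IAT range is an assumption chosen to
# contain 755F3220h; the page only gives the module range 75590000-75617000.
COMDLG32_IAT = (0x755F3000, 0x755F3400)
COMDLG32_TRACE = """
75591808 mov esi,dword ptr [__imp__RegisterWindowMessageA@4 (755F3220h)]
7559180E mov dword ptr [_bmouse (755EF264h)],eax
75591813 mov eax,0a0ah
75591818 push offset szmsgwowlfchange (755EF764h)
7559181D mov word ptr [_wwinver (755EF20Ch)],ax
75591823 call esi
75591825 push offset szmsgwowdirchange (755EF77Ch)
7559182A mov dword ptr [_msgwowlfchange (755EF2C8h)],eax
7559182F call esi
75591831 push offset szmsgwowchoosefont_getlogfont (755EF804h)
75591836 mov dword ptr [_msgwowdirchange (755EF2A0h)],eax
7559183B call esi
"""

# One iteration of the MSO.DLL loop at 612B83CB: both calls go through a vtable slot,
# not the IAT, so the filter leaves them counted (as the summary expects for such cases).
MSO_TRACE = """
612B83CB mov eax,dword ptr [esi]
612B83CD mov ecx,esi
612B83CF call dword ptr [eax+0ch]
612B83D2 cmp eax,dword ptr [ebp+0ch]
612B83D5 je 612B83EB
612B83D7 mov eax,dword ptr [esi]
612B83D9 mov ecx,esi
612B83DB call dword ptr [eax+2ch]
612B83DE mov esi,eax
612B83E0 test esi,esi
612B83E2 jne 612B83CB
"""
```

scan(COMDLG32_TRACE) reports a chain of three gadget-like runs, scan(COMDLG32_TRACE, COMDLG32_IAT) reports none, and the MSO loop keeps its chain of two either way.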

Module: kernel32.dll
Module Address: 75340000-75480000
Description: Most of the Win32 base APIs, such as memory management, input/output operations, process and thread creation, and synchronization functions. Many of these are implemented within KERNEL32.DLL by calling corresponding functions in the native API, exposed by NTDLL.DLL.

_DuplicateHandle@28:
->753683E8  jmp dword ptr [__imp__DuplicateHandle@28 (753C0494h)]
  753683EE  int 3
  753683EF  int 3
  753683F0  int 3
  753683F1  int 3
  753683F2  int 3
  753683F3  int 3

_TlsAllocStub@0:
->7535D1F5  jmp dword ptr [__imp__TlsAlloc@0 (753C08BCh)]
  7535D1FB  int 3
  7535D1FC  int 3
  7535D1FD  int 3
  7535D1FE  int 3
  7535D1FF  int 3

Module: ntdll.dll
Module Address: 777E0000-77948000
Description: Windows Native API. The Native API is the interface used by user-mode components of the operating system that must run without support from Win32 or other API subsystems. Most of this API is implemented in NTDLL.DLL and at the upper edge of ntoskrnl.exe (and its variants); the majority of exported symbols within these libraries are prefixed Nt, e.g., NtDisplayString. Native APIs are also used to implement many of the "kernel APIs" or "base APIs" exported by KERNEL32.DLL. The large majority of Windows applications do not call NTDLL.DLL directly.

_NtOpenProcessToken@12:
  7781C6E0  mov eax,10eh
->7781C6E5  call dword ptr fs:[0c0h]
  7781C6EC  ret 0Ch
  7781C6EF  nop

_NtReleaseMutant@8:
  7781B7F0  mov eax,7001fh
->7781B7F5  call dword ptr fs:[0c0h]
  7781B7FC  ret 8
  7781B7FF  nop

_ZwSetEvent@8:
  7781B6D0  mov eax,7000dh
->7781B6D5  call dword ptr fs:[0c0h]
  7781B6DC  ret 8
  7781B6DF  nop

Module: gdi32.dll
Module Address: 76B70000-76C78000
Description: Graphics Device Interface (GDI) functions that perform primitive drawing functions for output to video displays and printers. Applications call GDI functions directly to perform low-level drawing, text output, font management, and similar functions.

_NtGdiGetNearestColor@8:
  76BAC48D  mov eax,71072h
->76BAC492  call dword ptr fs:[0c0h]
  76BAC499  ret 8
  76BAC49C  nop

Module: comdlg32.dll
Module Address: 75590000-75617000
Description: Common Dialog Boxes

FInitFile:
  755917FD  mov edi,edi
  755917FF  push esi
  75591800  push 13h
  75591802  call dword ptr [__imp__GetSystemMetrics@4 (755F31F0h)]
  75591808  mov esi,dword ptr [__imp__RegisterWindowMessageA@4 (755F3220h)]
  7559180E  mov dword ptr [_bmouse (755EF264h)],eax
  75591813  mov eax,0a0ah
  75591818  push offset szmsgwowlfchange (755EF764h)
  7559181D  mov word ptr [_wwinver (755EF20Ch)],ax
  75591823  call esi
  75591825  push offset szmsgwowdirchange (755EF77Ch)
  7559182A  mov dword ptr [_msgwowlfchange (755EF2C8h)],eax
  7559182F  call esi
  75591831  push offset szmsgwowchoosefont_getlogfont (755EF804h)
  75591836  mov dword ptr [_msgwowdirchange (755EF2A0h)],eax
  7559183B  call esi
  7559183D  push offset szmsglbchangea (755EF83Ch)
  75591842  mov dword ptr [_msgwowchoosefont_getlogfont (755EF2C4h)],eax
  75591847  call esi
  75591849  push offset szmsgshareviolationa (755EF7D4h)
  7559184E  mov dword ptr [_msglbchangea (755EF24Ch)],eax
  75591853  call esi
  75591855  push offset szmsgfileoka (755EF7ACh)
  7559185A  mov dword ptr [_msgshareviolationa (755EF260h)],eax
  7559185F  call esi
  75591861  push offset szmsgcoloroka (755EF79Ch)
  75591866  mov dword ptr [_msgfileoka (755EF26Ch)],eax
  7559186B  call esi
  7559186D  push offset szmsgsetrgba (755EF7C0h)
  75591872  mov dword ptr [_msgcoloroka (755EF274h)],eax
  75591877  call esi
  75591879  mov esi,dword ptr [__imp__RegisterWindowMessageW@4 (755F32BCh)]
  7559187F  push offset szmsglbchangew (755EF8F8h)
  75591884  mov dword ptr [_msgsetrgba (755EF278h)],eax
  75591889  call esi
  7559188B  push offset szmsgshareviolationw (755EF8C8h)
  75591890  mov dword ptr [_msglbchangew (755EF268h)],eax
  75591895  call esi
  75591897  push offset szmsgfileokw (755EF878h)
  7559189C  mov dword ptr [_msgshareviolationw (755EF250h)],eax
  755918A1  call esi
  755918A3  push offset szmsgcolorokw (755EF858h)
  755918A8  mov dword ptr [_msgfileokw (755EF270h)],eax
  755918AD  call esi
  755918AF  push offset szmsgsetrgbw (755EF8A0h)
  755918B4  mov dword ptr [_msgcolorokw (755EF298h)],eax
->755918B9  call esi
  755918BB  mov dword ptr [_msgsetrgbw (755EF254h)],eax
  755918C0  pop esi
  755918C1  ret
  755918C2  nop
  755918C3  nop
  755918C4  nop
  755918C5  nop
  755918C6  nop

Module: msctf.dll
Module Address: 76D00000-76DF7000
Description: Microsoft Text Service Module

RegisterMSIMEMessage:
  76D19767  mov edi,edi
  76D19769  push ebx
  76D1976A  push edi
  76D1976B  mov ebx,offset g_cs (76DA91BCh)
  76D19770  xor edi,edi
  76D19772  push ebx
  76D19773  inc edi
  76D19774  call dword ptr [__imp__EnterCriticalSection@4 (76DAB0F8h)]
  76D1977A  cmp dword ptr [CUIFSystemInfo::m_fInitialized+4 (76DA9160h)],0
  76D19781  jne RegisterMSIMEMessage+0FBh (76D19862h)
  76D19787  push esi
  76D19788  mov esi,dword ptr [__imp__RegisterWindowMessageW@4 (76DAB3D8h)]
  76D1978E  push offset string L"MSIMEService" (76D19874h)
  76D19793  call esi
  76D19795  push offset string L"MSIMEUIReady" (76D19890h)
  76D1979A  mov dword ptr [WM_MSIME_SERVICE (76DA90C0h)],eax
  76D1979F  call esi
  76D197A1  push offset string L"MSIMEReconvertReques"... (76D198ACh)
  76D197A6  mov dword ptr [WM_MSIME_UIREADY (76DA90B8h)],eax
  76D197AB  call esi
  76D197AD  push offset string L"MSIMEReconvert" (76D198D8h)
  76D197B2  mov dword ptr [WM_MSIME_RECONVERTREQUEST (76DA90BCh)],eax
  76D197B7  call esi
  76D197B9  push offset string L"MSIMEDocumentFeed" (76D198F8h)
  76D197BE  mov dword ptr [WM_MSIME_RECONVERT (76DA90B0h)],eax

->76D197C3  call esi
  76D197C5  push offset string L"MSIMEQueryPosition" (76D1991Ch)
  76D197CA  mov dword ptr [WM_MSIME_DOCUMENTFEED (76DA90B4h)],eax
->76D197CF  call esi
  76D197D1  push offset string L"MSIMEModeBias" (76D19944h)
  76D197D6  mov dword ptr [WM_MSIME_QUERYPOSITION (76DA90A8h)],eax
->76D197DB  call esi
  76D197DD  push offset string L"MSIMEShowImePad" (76D19960h)
  76D197E2  mov dword ptr [WM_MSIME_MODEBIAS (76DA909Ch)],eax
->76D197E7  call esi
  76D197E9  push offset string L"MSIMEMouseOperation" (76D19980h)
  76D197EE  mov dword ptr [WM_MSIME_SHOWIMEPAD (76DA90ACh)],eax
->76D197F3  call esi
  76D197F5  push offset string L"MSIMEKeyMap" (76D199A8h)
  76D197FA  mov dword ptr [WM_MSIME_MOUSE (76DA90A0h)],eax
->76D197FF  call esi
  76D19801  cmp dword ptr [WM_MSIME_SERVICE (76DA90C0h)],0
  76D19808  mov dword ptr [WM_MSIME_KEYMAP (76DA90A4h)],eax
  76D1980D  pop esi
  76D1980E  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D19810  cmp dword ptr [WM_MSIME_UIREADY (76DA90B8h)],0
  76D19817  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D19819  cmp dword ptr [WM_MSIME_RECONVERTREQUEST (76DA90BCh)],0
  76D19820  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D19822  cmp dword ptr [WM_MSIME_RECONVERT (76DA90B0h)],0
  76D19829  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D1982B  cmp dword ptr [WM_MSIME_DOCUMENTFEED (76DA90B4h)],0
  76D19832  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D19834  cmp dword ptr [WM_MSIME_QUERYPOSITION (76DA90A8h)],0
  76D1983B  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D1983D  cmp dword ptr [WM_MSIME_MODEBIAS (76DA909Ch)],0
  76D19844  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D19846  cmp dword ptr [WM_MSIME_SHOWIMEPAD (76DA90ACh)],0
  76D1984D  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D1984F  cmp dword ptr [WM_MSIME_MOUSE (76DA90A0h)],0
  76D19856  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D19858  test eax,eax
  76D1985A  je RegisterMSIMEMessage+107h (76D1986Eh)
  76D1985C  mov dword ptr [CUIFSystemInfo::m_fInitialized+4 (76DA9160h)],edi
  76D19862  push ebx
  76D19863  call dword ptr [__imp__LeaveCriticalSection@4 (76DAB0E8h)]
  76D19869  mov eax,edi
  76D1986B  pop edi
  76D1986C  pop ebx
  76D1986D  ret
  76D1986E  xor edi,edi
  76D19870  jmp RegisterMSIMEMessage+0FBh (76D19862h)
  76D19872  nop
  76D19873  nop

Module: MSO.DLL (symbols not available)
Module Address: 60EB0000-61FFD000
Description: (Common Files\Microsoft Shared\OFFICE14\MSO.DLL)

  612C569B  push ebp
  612C569C  mov ebp,esp
  612C569E  mov eax,dword ptr [ebp+0ch]
  612C56A1  push esi
  612C56A2  cmp eax,1
  612C56A5  jne 612C56F5
  612C56A7  call dword ptr ds:[60eb1a34h] (_GetCurrentThreadId@0@kernel32.dll)
  612C56AD  push 2
  612C56AF  xor esi,esi
  612C56B1  push esi
  612C56B2  push esi
  612C56B3  mov esi,dword ptr ds:[60eb1a10h] (_GetCurrentProcess@0@kernel32.dll)
  612C56B9  push 61E7F978h
  612C56BE  mov dword ptr ds:[61e7f974h],eax
  612C56C3  call esi
  612C56C5  push eax
  612C56C6  call dword ptr ds:[60eb1a0ch]
  612C56CC  push eax
  612C56CD  call esi
  612C56CF  push eax
  612C56D0  call dword ptr ds:[60eb194ch] (_DuplicateHandle@28@kernel32.dll)
->612C56D6  call dword ptr ds:[60eb19cch] (_TlsAllocStub@0@kernel32.dll)
  612C56DC  mov dword ptr ds:[61e3968ch],eax
  612C56E1  call 612C57E6
  612C56E6  mov ecx,61e7f428h
  612C56EB  call 612C5823

  612B83B8  push ebp
  612B83B9  mov ebp,esp
  612B83BB  cmp dword ptr [ebp+0ch],0
  612B83BF  jne 612B83C5
  612B83C1  mov al,1
  612B83C3  jmp 612B83E7
  612B83C5  push esi
  612B83C6  mov esi,dword ptr [ebp+8]
  612B83C9  jmp 612B83E0
  612B83CB  mov eax,dword ptr [esi]
  612B83CD  mov ecx,esi
->612B83CF  call dword ptr [eax+0ch]
  612B83D2  cmp eax,dword ptr [ebp+0ch]
  612B83D5  je 612B83EB
  612B83D7  mov eax,dword ptr [esi]
  612B83D9  mov ecx,esi
->612B83DB  call dword ptr [eax+2ch]
  612B83DE  mov esi,eax
  612B83E0  test esi,esi
  612B83E2  jne 612B83CB
  612B83E4  xor al,al
  612B83E6  pop esi
  612B83E7  pop ebp
  612B83E8  ret 8

  6132E06A  push ebp
  6132E06B  mov ebp,esp
  6132E06D  push ecx
  6132E06E  push ecx
  6132E06F  push ebx
  6132E070  push esi
  6132E071  mov ebx,40c0000ah
  6132E076  push edi
  6132E077  mov esi,ecx
  6132E079  cmp dword ptr [ebp+8],ebx
  6132E07C  jne 6132E229
  6132E082  call 613333C5
  6132E087  test al,al
  6132E089  jne 6132E241
  6132E08F  and dword ptr [ebp+8],0
  6132E093  lea eax,[ebp+8]
  6132E096  push eax
  6132E097  push 1
  6132E099  call 61299A7D
  6132E09E  cmp dword ptr [esi+50h],0
  6132E0A2  je 6132E0B0
  6132E0A4  lea eax,[ebp+8]
  6132E0A7  push eax
  6132E0A8  push ebx
  6132E0A9  mov ecx,esi
  6132E0AB  call 61343AA6
  6132E0B0  mov eax,dword ptr [ebp+8]
  6132E0B3  cmp byte ptr [eax+8],0
  6132E0B7  je 6132E0CB
  6132E0B9  test byte ptr [esi+5dh],1
  6132E0BD  je 6132E0CB
  6132E0BF  lea eax,[ebp+8]
  6132E0C2  push eax
  6132E0C3  push ebx
  6132E0C4  mov ecx,esi
  6132E0C6  call 61646DAB
  6132E0CB  mov eax,dword ptr [ebp+8]
  6132E0CE  cmp byte ptr [eax+8],0
  6132E0D2  je 6132E106
  6132E0D4  lea edi,[esi+38h]
  6132E0D7  mov eax,dword ptr [edi]
  6132E0D9  push ebx
  6132E0DA  mov ecx,edi
  6132E0DC  call dword ptr [eax+10h]
  6132E0DF  test al,al
  6132E0E1  je 6132E106
  6132E0E3  mov eax,dword ptr [edi]
  6132E0E5  lea ecx,[ebp+8]
  6132E0E8  push ecx
  6132E0E9  push ebx
  6132E0EA  mov ecx,edi
  6132E0EC  call dword ptr [eax+14h]
  6132E0EF  test al,al
  6132E0F1  jne 6132E106
  6132E0F3  mov ecx,dword ptr [ebp+8]
  6132E0F6  test ecx,ecx
  6132E0F8  je 6132E0FF
  6132E0FA  call 61299906
  6132E0FF  xor al,al
  6132E101  jmp 6132E24E
  6132E106  mov eax,dword ptr [ebp+8]
  6132E109  cmp byte ptr [eax+8],0
  6132E10D  je 6132E1B4
  6132E113  lea edi,[esi+40h]
  6132E116  mov eax,dword ptr [edi]
  6132E118  mov ecx,edi
  6132E11A  call dword ptr [eax+4ch]
  6132E11D  mov dword ptr [ebp-4],eax
  6132E120  cmp eax,1
  6132E123  jne 6132E12E
  6132E125  mov dword ptr [ebp-4],3014h
  6132E12C  jmp 6132E149
  6132E12E  push eax
  6132E12F  call 613333FD
  6132E134  test al,al
  6132E136  jne 6132E20D
  6132E13C  cmp dword ptr [ebp-4],41f0h
  6132E143  je 6132E20D
  6132E149  mov al,byte ptr [esi+5ch]
  6132E14C  shr al,6
  6132E14F  test al,1
  6132E151  je 6132E172
  6132E153  push dword ptr [ebp+0ch]
  6132E156  push 0
  6132E158  call 61299A7D
  6132E15D  mov ecx,dword ptr [ebp+8]
  6132E160  mov bl,al
  6132E162  test ecx,ecx
  6132E164  je 6132E16B
  6132E166  call 61299906
  6132E16B  mov al,bl
  6132E16D  jmp 6132E24E
  6132E172  mov eax,dword ptr [edi]
  6132E174  mov ecx,edi
  6132E176  call dword ptr [eax+44h]
  6132E179  test eax,eax
  6132E17B  je 6132E1B4
  6132E17D  mov eax,dword ptr [edi]
  6132E17F  mov ecx,edi
  6132E181  call dword ptr [eax+44h]
  6132E184  mov edx,dword ptr [eax]
  6132E186  mov ecx,eax
  6132E188  call dword ptr [edx+10h]
  6132E18B  mov ecx,dword ptr [esi+44h]
  6132E18E  mov ebx,eax
  6132E190  mov eax,dword ptr [ecx]
  6132E192  mov edi,dword ptr [ebx]
  6132E194  call dword ptr [eax+60h]
  6132E197  push eax
  6132E198  push dword ptr [ebp-4]
  6132E19B  mov ecx,ebx
->6132E19D  call dword ptr [edi+1ch]
  6132E1A0  test al,al
  6132E1A2  jne 6132E1AF
  6132E1A4  lea eax,[ebp+8]
  6132E1A7  push eax
  6132E1A8  push 0
  6132E1AA  call 61299A7D
  6132E1AF  mov ebx,40c0000ah
  6132E1B4  mov eax,dword ptr [ebp+8]
  6132E1B7  cmp byte ptr [eax+8],0
  6132E1BB  je 6132E20D
  6132E1BD  mov eax,dword ptr [esi]
  6132E1BF  lea ecx,[ebp-4]
  6132E1C2  push ecx
  6132E1C3  xor edi,edi
  6132E1C5  mov ecx,esi
  6132E1C7  mov dword ptr [ebp-4],edi
  6132E1CA  call dword ptr [eax+50h]
  6132E1CD  test al,al
  6132E1CF  je 6132E1FD
  6132E1D1  mov ecx,dword ptr [ebp-4]
  6132E1D4  lea edx,[ebp-8]
  6132E1D7  push edx
  6132E1D8  mov dword ptr [ebp-8],edi
  6132E1DB  mov eax,dword ptr [ecx]
  6132E1DD  push ebx
  6132E1DE  call dword ptr [eax+14h]
  6132E1E1  test al,al
  6132E1E3  je 6132E1F1
  6132E1E5  lea eax,[ebp-8]
  6132E1E8  push eax
  6132E1E9  lea ecx,[ebp+8]
  6132E1EC  call 612F1C47
  6132E1F1  mov ecx,dword ptr [ebp-8]
  6132E1F4  cmp ecx,edi
  6132E1F6  je 6132E1FD
  6132E1F8  call 61299906
  6132E1FD  mov eax,dword ptr [ebp-4]
  6132E200  mov dword ptr [ebp-4],edi
  6132E203  cmp eax,edi
  6132E205  je 6132E20D
  6132E207  mov ecx,dword ptr [eax]
  6132E209  push eax
  6132E20A  call dword ptr [ecx+8]
  6132E20D  mov ecx,dword ptr [ebp+0ch]
  6132E210  lea eax,[ebp+8]
  6132E213  push eax
  6132E214  call 612F1C47
  6132E219  mov ecx,dword ptr [ebp+8]
  6132E21C  test ecx,ecx
  6132E21E  je 6132E225
  6132E220  call 61299906
  6132E225  mov al,1
  6132E227  jmp 6132E24E
  6132E229  cmp dword ptr [ebp+8],3dh
  6132E22D  jne 6132E241
  6132E22F  test byte ptr [esi+64h],1
  6132E233  jne 6132E241
  6132E235  push dword ptr [ebp+0ch]
  6132E238  push 0
  6132E23A  call 612EC0C4
  6132E23F  jmp 6132E24E
  6132E241  push dword ptr [ebp+0ch]
  6132E244  mov ecx,esi
  6132E246  push dword ptr [ebp+8]
  6132E249  call 6132E255
  6132E24E  pop edi
  6132E24F  pop esi
  6132E250  pop ebx
  6132E251  leave
  6132E252  ret 8

  6133AB45  mov ecx,dword ptr [ecx+14h]
  6133AB48  mov eax,dword ptr [ecx]
  6133AB4A  jmp dword ptr [eax+24h]
  6133AB4D  mov ecx,dword ptr [ecx+14h]
  6133AB50  mov eax,dword ptr [ecx]
->6133AB52  jmp dword ptr [eax+18h]
  6133AB55  push ebp
  6133AB56  mov ebp,esp
  6133AB58  mov eax,dword ptr [ebp+8]
  6133AB5B  and dword ptr [eax+3ch],0
  6133AB5F  push eax
  6133AB60  call 6130E8F4
  6133AB65  pop ebp
  6133AB66  ret 4

  6129A08F  push ebp
  6129A090  mov ebp,esp
  6129A092  mov eax,dword ptr [ebp+8]
  6129A095  test eax,eax
  6129A097  je 6129A0CE
  6129A099  cmp eax,29h
  6129A09C  jle 6129A0E4
  6129A09E  cmp eax,2bh
  6129A0A1  jle 6129A0CE
  6129A0A3  cmp eax,40000004h
  6129A0A8  je 6129A0BB
  6129A0AA  cmp eax,40c0000ah
  6129A0AF  jne 6129A0E4
  6129A0B1  push dword ptr [ebp+0ch]
  6129A0B4  mov eax,dword ptr [ecx]
  6129A0B6  call dword ptr [eax+48h]
  6129A0B9  jmp 6129A0C3
  6129A0BB  push dword ptr [ebp+0ch]
  6129A0BE  mov eax,dword ptr [ecx]
  6129A0C0  call dword ptr [eax+44h]
  6129A0C3  movzx eax,al
  6129A0C6  push eax
  6129A0C7  call 61299A7D
  6129A0CC  jmp 6129A0EA
  6129A0CE  cmp dword ptr [ecx+8],0
  6129A0D2  je 6129A0E8
  6129A0D4  push dword ptr [ebp+0ch]
  6129A0D7  mov ecx,dword ptr [ecx+8]
  6129A0DA  mov edx,dword ptr [ecx]
  6129A0DC  push eax
  6129A0DD  call dword ptr [edx+14h]
  6129A0E0  test al,al
  6129A0E2  jne 6129A0E8
  6129A0E4  xor al,al
  6129A0E6  jmp 6129A0EA
  6129A0E8  mov al,1
  6129A0EA  pop ebp
  6129A0EB  ret 8
  6129A0EE  mov al,byte ptr [ecx+54h]
  6129A0F1  and al,1
  6129A0F3  ret
  6129A0F4  push 1
  6129A0F6  add ecx,0ffffffcch
  6129A0F9  call 6133E8BD
  6129A0FE  ret
  6129A0FF  mov eax,dword ptr [ecx]
  6129A101  call dword ptr [eax+0ch]
  6129A104  mov al,1
  6129A106  ret
  6129A107  xor eax,eax
  6129A109  cmp dword ptr [ecx+8],eax
  6129A10C  je 6129A116
  6129A10E  mov ecx,dword ptr [ecx+8]
  6129A111  mov eax,dword ptr [ecx]
->6129A113  jmp dword ptr [eax+4ch]
  6129A116  ret

Module: WWLIB.DLL
Module Address: 63E30000-650AA000
Description: (Microsoft Office\Office14\WWLIB.DLL)

  63E446A7  push ebp
  63E446A8  mov ebp,esp
  63E446AA  push ebx
  63E446AB  mov ebx,dword ptr [ebp+8]
  63E446AE  push esi
  63E446AF  mov esi,dword ptr ds:[63e310c0h]
  63E446B5  push edi
  63E446B6  mov edi,dword ptr [ebp+0ch]
  63E446B9  push dword ptr [edi+0f8h]
  63E446BF  push ebx
  63E446C0  call esi
  63E446C2  push dword ptr [edi+0fch]
  63E446C8  mov dword ptr [edi+0f8h],eax
  63E446CE  push ebx
  63E446CF  call esi
  63E446D1  push dword ptr [edi+11ch]
  63E446D7  mov dword ptr [edi+0fch],eax
  63E446DD  push ebx
  63E446DE  call esi
  63E446E0  push dword ptr [edi+120h]
  63E446E6  mov dword ptr [edi+11ch],eax
  63E446EC  push ebx
  63E446ED  call esi
  63E446EF  push dword ptr [edi+100h]
  63E446F5  mov dword ptr [edi+120h],eax
  63E446FB  push ebx
->63E446FC  call esi
  63E446FE  push dword ptr [edi+108h]
  63E44704  mov dword ptr [edi+100h],eax
  63E4470A  push ebx
->63E4470B  call esi
  63E4470D  push dword ptr [edi+104h]
  63E44713  mov dword ptr [edi+108h],eax
  63E44719  push ebx
->63E4471A  call esi
  63E4471C  push dword ptr [edi+110h]
  63E44722  mov dword ptr [edi+104h],eax
  63E44728  push ebx
->63E44729  call esi
  63E4472B  push dword ptr [edi+114h]
  63E44731  mov dword ptr [edi+110h],eax
  63E44737  push ebx
->63E44738  call esi
  63E4473A  push dword ptr [edi+10ch]
  63E44740  mov dword ptr [edi+114h],eax
  63E44746  push ebx
->63E44747  call esi
  63E44749  push dword ptr [edi+130h]
  63E4474F  mov dword ptr [edi+10ch],eax
  63E44755  xor eax,eax
  63E44757  cmp dword ptr [edi+108h],0ffffffh
  63E44761  push ebx
  63E44762  sete al
  63E44765  xor eax,dword ptr [edi]
  63E44767  and eax,1
  63E4476A  xor dword ptr [edi],eax
  63E4476C  call esi
  63E4476E  push dword ptr [edi+134h]
  63E44774  mov dword ptr [edi+130h],eax
  63E4477A  push ebx
  63E4477B  call esi
  63E4477D  push dword ptr [edi+124h]
  63E44783  mov dword ptr [edi+134h],eax
  63E44789  push ebx
  63E4478A  call esi
  63E4478C  push dword ptr [edi+128h]
  63E44792  mov dword ptr [edi+124h],eax
  63E44798  push ebx
  63E44799  call esi
  63E4479B  push dword ptr [edi+12ch]
  63E447A1  mov dword ptr [edi+128h],eax
  63E447A7  push ebx
->63E447A8  call esi
  63E447AA  mov dword ptr [edi+12ch],eax
  63E447B0  add edi,144h
  63E447B6  push dword ptr [edi]
  63E447B8  push ebx
->63E447B9  call esi
  63E447BB  mov dword ptr [edi],eax
  63E447BD  pop edi
  63E447BE  pop esi
  63E447BF  pop ebx
  63E447C0  pop ebp
  63E447C1  ret 8

Module: combase.dll
Module Address: 77590000-776DE000
Description: Microsoft COM for Windows

vector destructor iterator:
  775B771A  mov edi,edi
  775B771C  push ebp
  775B771D  mov ebp,esp
  775B771F  push ebx
  775B7720  push esi
  775B7721  mov ebx,edx
  775B7723  push edi
  775B7724  mov edi,dword ptr [ebp+8]
  775B7727  mov esi,ebx
  775B7729  imul esi,edi
  775B772C  add esi,ecx
  775B772E  dec edi
  775B772F  js vector destructor iterator+20h (775B773Ah)
  775B7731  sub esi,ebx
  775B7733  mov ecx,esi
->775B7735  call dword ptr [ebp+0ch]
  775B7738  jmp vector destructor iterator+1Dh (775B772Eh)
  775B773A  pop edi
  775B773B  pop esi
  775B773C  pop ebx
  775B773D  pop ebp
  775B773E  ret 8

References

[1] The Constitution of the United States, retrieved October 2013 from http://www.constitution.org/cons/constitution.doc.
[2] M. Pietrek, "Inside Windows: An In-Depth Look into the Win32 Portable Executable File Format, Part 2", MSDN Magazine, pp. 87-100, 2002.
[3] Info: Using __declspec(dllimport) & __declspec(dllexport) in Code, retrieved October 2013 from http://support.microsoft.com/kb/132044.