Analysis:20130911-malware

From Digibase Knowledge Base

Analysis by Kradorex Xeron (talk) 22:57, 29 September 2013 (EDT)

File Overview

[+] mgifragd.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
 >  [MIME] application/x-dosexec
 >  [MD5 ] 9b5da0df71b3ac50a836672793c29f1d

[+] rksmkjjl.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
 >  [MIME] application/x-dosexec
 >  [MD5 ] 3debe84b92cc387bcbfc3034793a8dc6

[+] sggmfdxd.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
 >  [MIME] application/x-dosexec
 >  [MD5 ] 6faecc658746004333fa946c53d3424e

[+] sgipopnq.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386
 >  [MIME] application/x-dosexec
 >  [MD5 ] 4cf7869df6f7a65d3b33e82795f5eebf

[+] tgdtrhmg.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386
 >  [MIME] application/x-dosexec
 >  [MD5 ] 1a411d28f17298c43f2072596a44ef01

[+] wkjdctce.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
 >  [MIME] application/x-dosexec
 >  [MD5 ] 6d383a9e45c651ade3df88522c0ff409

[+] xpneklio.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386
 >  [MIME] application/x-dosexec
 >  [MD5 ] 9607d960108e3c8217a71eb7ee81f0c5

[+] xvoidaio.exe
 >  [TYPE] MS-DOS executable PE  for MS Windows (GUI) Intel 80386
 >  [MIME] application/x-dosexec
 >  [MD5 ] 595257b15af9ef944aa6aee850088fd0
 

File Disassembly

mgifragd.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)

Private Headers


mgifragd.exe:     file format pei-i386

Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words

Time/Date               Wed Sep 11 03:00:09 2013
Magic                   010b    (PE32)
MajorLinkerVersion      7
MinorLinkerVersion      0
SizeOfCode              00012000
SizeOfInitializedData   00082000
SizeOfUninitializedData 00000000
AddressOfEntryPoint     00009795
BaseOfCode              00001000
BaseOfData              00013000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00001000
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00106000
SizeOfHeaders           00001000
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0001474c 000000a0 Import Directory [parts of .idata]
Entry 2 00102000 000031d2 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00013000 00000138 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x41474c

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 0001474c       00014800 00000000 00000000 000149d2 00013014

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        1496a     811  SuspendThread
        1497a     656  ReadFile
        14986     792  SetThreadPriority
        1499a     393  GetProcAddress
        149ac     853  VirtualAlloc
        1495e     886  WriteFile
        14df6      44  CloseHandle
        1492c     446  GetTickCount
        14dda     689  RtlUnwind
        14dce     507  HeapSize
        14dbe     545  LCMapStringW
        14950     120  DeleteFileA
        149bc     869  WaitForSingleObject
        1493c     359  GetModuleHandleA
        14dae     544  LCMapStringA
        14d9c     643  RaiseException
        14d8a     418  GetStringTypeW
        14d78     415  GetStringTypeA
        14d5e     428  GetSystemTimeAsFileTime
        14d48     304  GetCurrentProcessId
        14de6     780  SetStdHandle
        14924     809  Sleep
        14d32     306  GetCurrentThreadId
        14d18     638  QueryPerformanceCounter
        14d06     753  SetFilePointer
        14ad0     412  GetStartupInfoA
        14ae2     253  GetCommandLineA
        14af4     456  GetVersionExA
        14b04     501  HeapFree
        14b10     171  ExitProcess
        14b1e     817  TerminateProcess
        14b32     303  GetCurrentProcess
        14b46     414  GetStdHandle
        14b56     357  GetModuleFileNameA
        14b6c     834  UnhandledExceptionFilter
        14b88     227  FreeEnvironmentStringsA
        14ba2     319  GetEnvironmentStrings
        14bba     228  FreeEnvironmentStringsW
        14bd4     873  WideCharToMultiByte
        14bea     346  GetLastError
        14bfa     321  GetEnvironmentStringsW
        14c14     762  SetHandleCount
        14c26     336  GetFileType
        14c34     499  HeapDestroy
        14c42     497  HeapCreate
        14c50     856  VirtualFree
        14c5e     495  HeapAlloc
        14c6a     505  HeapReAlloc
        14c78     593  MultiByteToWideChar
        14c8e     859  VirtualProtect
        14ca0     424  GetSystemInfo
        14cb0     861  VirtualQuery
        14cc0     558  LoadLibraryA
        14cd0     235  GetACP
        14cda     380  GetOEMCP
        14ce6     241  GetCPInfo
        14cf2     219  FlushFileBuffers
        14e04     349  GetLocaleInfoA

 00014760       000148ec 00000000 00000000 00014a18 00013100

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        149e0     268  GetDC
        149e8     270  GetDesktopWindow
        14a0a     445  LoadImageA
        149fc     439  LoadCursorA

 00014774       000147f4 00000000 00000000 00014a40 00013008

        DLL Name: GDI32.dll
        vma:  Hint/Ord Member-Name Bound-To
        14a24      71  CreatePen
        14a30     524  SelectObject

 00014788       0001490c 00000000 00000000 00014a4a 00013120

        DLL Name: WS2_32.dll
        vma:  Hint/Ord Member-Name Bound-To
        80000003            3  <none>
        80000012           18  <none>

 0001479c       00014900 00000000 00000000 00014a78 00013114

        DLL Name: WINMM.dll
        vma:  Hint/Ord Member-Name Bound-To
        14a66      62  mciSendCommandA
        14a56      26  auxSetVolume

 000147b0       000147ec 00000000 00000000 00014a96 00013000

        DLL Name: AVIFIL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        14a82       3  AVIClearClipboard

 000147c4       00014918 00000000 00000000 00014ac2 0001312c

        DLL Name: WinSCard.dll
        vma:  Hint/Ord Member-Name Bound-To
        14ab4       6  SCardCancel
        14aa4       7  SCardConnectA

 000147d8       00000000 00000000 00000000 00000000 00000000

 

Embedded Resources


mgifragd.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00011eea  00401000  00401000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        00001e16  00413000  00413000  00013000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00002000  00415000  00415000  00015000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .xcode        0007a000  00418000  00418000  00017000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rsrc         000031d2  00502000  00502000  00091000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
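The header dump above (COFF characteristics, linker 7.0, entry point 0x9795, the oversized non-standard .xcode section) is the kind of data a first triage pass is built on. The script below is an added example, not code from the original analysis or from the Digibase wiki: it parses the same fields objdump -p and -h print using only the standard library, then runs the header-level checks a practitioner applies before spending time in a disassembler (entry point location, section names a stock MSVC link would not produce, writable+executable sections, reserved section-flag bits such as the 0x10 bit BFD complains about for the other samples on this page, zero checksum). The sample it parses is a constructed PE32 header that reproduces the section layout, entry point and timestamp printed for mgifragd.exe; it contains no section bodies and its bytes are not the real sample's, so the MD5 and SHA-256 it reports will not match the hashes in the File Overview. The timestamp is set to 2013-09-11 07:00:09 UTC on the assumption that objdump rendered it in the analyst's local time (the page is signed EDT).

```python
"""Header-level PE triage in pure Python. Added example, not part of the original analysis."""
import hashlib
import struct
from datetime import datetime, timezone

FILE_CHARACTERISTICS = {  # IMAGE_FILE_* bits, named as objdump prints them
    0x0001: "relocations stripped", 0x0002: "executable",
    0x0004: "line numbers stripped", 0x0008: "symbols stripped", 0x0100: "32 bit words",
}
# Section names a stock MSVC 6/7 link of a C/C++ program produces.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".tls", ".bss", ".pdata", ".CRT", ".textbss"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
# IMAGE_SECTION_HEADER.Characteristics bits the PE/COFF spec lists as reserved;
# 0x10 is the one BFD reports as "Section flag STYP_COPY (0x10) ignored".
SCN_RESERVED = 0x00000001 | 0x00000002 | 0x00000004 | 0x00000010 | 0x00000400


def parse_pe(data: bytes) -> dict:
    """Parse DOS stub pointer, COFF header, PE32 optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    (lnk_major, lnk_minor, size_code, _, _, entry, _, _, image_base,
     sect_align, file_align) = struct.unpack_from("<BBIIIIIIIII", data, opt + 2)
    size_image, size_headers, checksum, subsystem, dll_chars = struct.unpack_from("<IIIHH", data, opt + 56)
    sections = []
    for i in range(nsect):  # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "machine": machine, "timestamp": datetime.fromtimestamp(tstamp, timezone.utc),
            "characteristics": [n for b, n in sorted(FILE_CHARACTERISTICS.items()) if chars & b],
            "linker": (lnk_major, lnk_minor), "entry_point": entry, "image_base": image_base,
            "size_of_code": size_code, "section_align": sect_align, "file_align": file_align,
            "size_of_image": size_image, "checksum": checksum, "subsystem": subsystem,
            "dll_characteristics": dll_chars, "sections": sections}


def triage(data: bytes) -> dict:
    """Parsed header plus a list of human-readable findings for the analyst."""
    pe = parse_pe(data)
    findings = []
    ep = pe["entry_point"]
    home = next((s for s in pe["sections"]
                 if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if home is None:
        findings.append("entry point %#x lies outside every section" % ep)
    elif not home["flags"] & SCN_EXECUTE:
        findings.append("entry point %#x is in non-executable section %s" % (ep, home["name"]))
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            share = 100 * s["vsize"] // pe["size_of_image"]
            findings.append("non-standard section %s holds %d%% of the image" % (s["name"], share))
        if s["flags"] & SCN_RESERVED:
            findings.append("section %s sets reserved flag bits %#x (BFD warns, some tools refuse the file)"
                            % (s["name"], s["flags"] & SCN_RESERVED))
        if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXECUTE:
            findings.append("section %s is writable and executable" % s["name"])
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append("section %s has no raw data but %#x bytes virtual" % (s["name"], s["vsize"]))
    if pe["checksum"] == 0:
        findings.append("CheckSum is 0 (linker did not compute one; informational only)")
    pe["findings"] = findings
    return pe


def build_sample(data_flags: int = 0xC0000040) -> bytes:
    """Constructed PE32 header mirroring the layout objdump printed for mgifragd.exe.
    Headers only, no section bodies; NOT the real sample's bytes. data_flags lets a
    caller set reserved bits on .data to exercise that check."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, flags
        (b".text", 0x11eea, 0x001000, 0x12000, 0x01000, 0x60000020),
        (b".rdata", 0x01e16, 0x013000, 0x02000, 0x13000, 0x40000040),
        (b".data", 0x02000, 0x015000, 0x02000, 0x15000, data_flags),
        (b".xcode", 0x7a000, 0x018000, 0x7a000, 0x17000, 0xC0000040),
        (b".rsrc", 0x031d2, 0x102000, 0x04000, 0x91000, 0x40000040),
    ]
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")  # e_lfanew = 0x80
    ts = int(datetime(2013, 9, 11, 7, 0, 9, tzinfo=timezone.utc).timestamp())  # assumed UTC
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), ts, 0, 0, 0xE0, 0x010F)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 7, 0, 0x12000, 0x82000, 0, 0x9795,
                      0x1000, 0x13000, 0x400000, 0x1000, 0x1000)
    opt += struct.pack("<HHHHHHIIIIHH", 4, 0, 0, 0, 4, 0, 0, 0x106000, 0x1000, 0, 2, 0)
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in sections)
    return (dos + b"PE\0\0" + coff + opt + table).ljust(0x1000, b"\0")
```

Run as `triage(open(path, "rb").read())` on a real file; on the constructed header it reports the .xcode section as roughly 46% of the image and the zero checksum. The ordinal-only WS2_32 imports in the table above (ordinals 3 and 18) resolve to closesocket and select, since ws2_32.dll's export ordinals are fixed across Windows versions; an import parser is deliberately left out of this example to keep it to header-level checks.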
 

rksmkjjl.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)

Private Headers


rksmkjjl.exe:     file format pei-i386

Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words

Time/Date               Wed Jun 16 00:28:57 2010
Magic                   010b    (PE32)
MajorLinkerVersion      6
MinorLinkerVersion      0
SizeOfCode              00032a00
SizeOfInitializedData   00006a00
SizeOfUninitializedData 00000000
AddressOfEntryPoint     000068d0
BaseOfCode              00001000
BaseOfData              00034000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00000200
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             0003c000
SizeOfHeaders           00000400
CheckSum                00041a40
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00034cd0 0000008c Import Directory [parts of .idata]
Entry 2 0003b000 00000530 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00034000 0000041c Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .rdata at 0x434cd0

The Import Tables (interpreted .rdata section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00034cd0       0003515c 00000000 00000000 000351b8 00034400

        DLL Name: WINMM.dll
        vma:  Hint/Ord Member-Name Bound-To
        35184     132  mmioAdvance
        351a6     190  waveOutGetPitch
        35178     124  mixerOpen
        35192     162  timeGetSystemTime

 00034ce4       00034ff8 00000000 00000000 0003576c 0003429c

        DLL Name: USER32.dll
        vma:  Hint/Ord Member-Name Bound-To
        354a4     366  GetWindowLongA
        353fe     311  GetMenuState
        353ee     307  GetMenuItemID
        356d0     658  ShowWindow
        35688     640  SetWindowLongA
        355ce     515  PostQuitMessage
        35224      74  CopyRect
        3563e     579  SetActiveWindow
        35514     417  IsDialogMessageA
        35558     439  LoadBitmapA
        3567c     618  SetPropA
        35498     362  GetWindow
        352be     198  EndDialog
        35666     609  SetMenuItemBitmaps
        355ae     511  PeekMessageA
        3538e     289  GetKeyState
        3570a     686  UnhookWindowsHookEx
        35444     345  GetSubMenu
        351e2      27  CallWindowProcA
        35650     599  SetForegroundWindow
        353da     306  GetMenuItemCount
        3534e     272  GetDlgCtrlID
        354b6     371  GetWindowPlacement
        35534     430  IsWindowEnabled
        35460     347  GetSysColorBrush
        353bc     302  GetMenuCheckMarkDimensions
        35488     355  GetTopWindow
        35618     566  SendDlgItemMessageA
        35528     429  IsWindow
        352d6     225  ExitWindowsEx
        354cc     372  GetWindowRect
        35734     699  UpdateWindow
        35290     182  DrawIcon
        352ca     200  EndPaint
        355e0     523  PtInRect
        3569a     643  SetWindowPos
        35506     381  GrayStringA
        3540e     314  GetMessageA
        354ee     376  GetWindowTextLengthA
        355a0     478  MessageBoxA
        351d0      26  CallNextHookEx
        354dc     375  GetWindowTextA
        35580     458  LoadStringA
        3541c     316  GetMessagePos
        351f4      52  CharUpperA
        352e6     235  GetActiveWindow
        35754     720  WinHelpA
        35720     691  UnregisterClassA
        355ec     534  RegisterClassA
        356aa     646  SetWindowTextA
        3529c     194  EnableMenuItem
        356de     665  SystemParametersInfoA
        355fe     554  ReleaseDC
        35272     151  DestroyMenu
        3536c     278  GetFocus
        353b2     300  GetMenu
        35378     279  GetForegroundWindow
        35760     726  wsprintfA
        35230      82  CreateDialogIndirectParamA
        3539c     296  GetLastActivePopup
        35202      57  CheckMenuItem
        352f8     243  GetCapture
        355be     513  PostMessageA
        356f6     682  TranslateMessage
        35566     441  LoadCursorA
        3558e     473  MapWindowPoints
        351c2      13  BeginPaint
        35306     246  GetClassInfoA
        3562e     571  SendMessageA
        352ae     196  EnableWindow
        35212      64  ClientToScreen
        35438     330  GetPropA
        35336     267  GetCursorPos
        35316     252  GetClassNameA
        356bc     650  SetWindowsHookExA
        35474     349  GetSystemMetrics
        35452     346  GetSysColor
        35326     255  GetClientRect
        3535e     273  GetDlgItem
        35280     153  DestroyWindow
        35574     445  LoadIconA
        3542c     325  GetParent
        35546     433  IsWindowVisible
        3560a     556  RemovePropA
        35346     268  GetDC
        35260     142  DefWindowProcA
        35744     707  ValidateRect
        3524e      96  CreateWindowExA

 00034cf8       00034d9c 00000000 00000000 0003587a 00034040

        DLL Name: GDI32.dll
        vma:  Hint/Ord Member-Name Bound-To
        3581a     519  SaveDC
        357d8     352  GetClipBox
        35802     512  RestoreDC
        3586e     590  TextOutA
        3583a     555  SetMapMode
        357ba     143  DeleteObject
        357ca     221  ExtTextOutA
        357e6     363  GetDeviceCaps
        357f6     419  GetRelAbs
        357ae     140  DeleteDC
        3585c     578  SetWindowExtEx
        35824     520  ScaleViewportExtEx
        3580e     513  RoundRect
        35788      51  CreateDIBitmap
        3579a      53  CreateEllipticRgn
        35848     574  SetViewportExtEx
        35778      39  CreateBitmap

 00034d0c       00034de4 00000000 00000000 000361be 00034088

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        35a86     317  GetCurrentThread
        3603c     810  SetStdHandle
        3591c     140  DuplicateHandle
        35c2a     464  GetThreadLocale
        35bf0     434  GetStringTypeA
        35884      25  Beep
        360d2     854  TlsGetValue
        35fc8     774  SetEnvironmentVariableA
        35cea     500  GlobalFlags
        361a6     953  lstrcpynA
        359b4     218  FindResourceA
        35dfa     550  IsBadCodePtr
        35a5a     312  GetCurrentDirectoryA
        35d98     537  InitializeCriticalSection
        35ac0     334  GetEnvironmentStringsA
        359f0     237  FreeEnvironmentStringsA
        35eea     600  LocalUnlock
        35f04     603  LockResource
        35a48     264  GetCommandLineA
        35e4e     570  LCMapStringA
        361b2     956  lstrlenA
        36182     944  lstrcmpA
        35c8c     489  GetWindowsDirectoryA
        35b0e     342  GetFileAttributesA
        358ac      52  CompareStringA
        35b9c     395  GetOEMCP
        35e5e     571  LCMapStringW
        3596e     188  FileTimeToSystemTime
        35b4e     353  GetFullPathNameA
        35e2a     559  IsDebuggerPresent
        3602c     795  SetLastError
        3607a     839  Sleep
        360ee     856  Toolhelp32ReadProcessMemory
        35a32     245  GetACP
        35b88     375  GetModuleHandleA
        35986     197  FindClose
        359c4     229  FlushFileBuffers
        35cf8     501  GlobalFree
        35d56     520  HeapCreate
        35c3c     472  GetTimeZoneInformation
        35be0     433  GetStdHandle
        35e6e     583  LeaveCriticalSection
        35d4a     518  HeapAlloc
        35dca     542  InterlockedDecrement
        35d7e     528  HeapReAlloc
        3618e     947  lstrcmpiA
        35eb4     592  LocalFileTimeToFileTime
        360e0     855  TlsSetValue
        35c56     478  GetVersion
        35eda     597  LocalReAlloc
        35d2c     505  GlobalLock
        3604c     812  SetSystemTime
        35af4     336  GetEnvironmentVariableA
        35b72     373  GetModuleFileNameA
        358d0      77  CreateFileA
        36082     844  SystemTimeToFileTime
        3592e     143  EnterCriticalSection
        35f34     667  RaiseException
        360c8     853  TlsFree
        35f6e     739  SetConsoleCursorInfo
        35d3a     512  GlobalUnlock
        35946     175  ExitProcess
        35a72     314  GetCurrentProcess
        358be      53  CompareStringW
        36154     903  WideCharToMultiByte
        35fe2     776  SetErrorMode
        3589e      46  CloseHandle
        35e3e     567  IsValidLocale
        35e86     584  LoadLibraryA
        3609a     845  SystemTimeToTzSpecificLocalTime
        35b24     347  GetFileSize
        3588c      44  ClearCommError
        35954     187  FileTimeToLocalFileTime
        35f62     714  RtlUnwind
        35c64     479  GetVersionExA
        3605c     827  SetUnhandledExceptionFilter
        35a3c     252  GetCPInfo
        35d72     524  HeapFree
        35c14     441  GetSystemDirectoryA
        35ab0     331  GetDriveTypeA
        35d8c     530  HeapSize
        35992     201  FindFirstFileA
        35f14     618  MulDiv
        35d64     522  HeapDestroy
        35b40     350  GetFileType
        35f46     681  ReadFile
        35e96     589  LoadResource
        35de2     546  InterlockedIncrement
        35904     136  DosDateTimeToFileTime
        36176     941  lstrcatA
        35db4     539  InitializeSListHead
        359a4     211  FindNextFileA
        35fb8     771  SetEndOfFile
        35e1a     556  IsBadWritePtr
        36008     782  SetFilePointer
        35d06     502  GlobalGetAtomNameA
        35ba8     408  GetProcAddress
        3616a     916  WriteFile
        35ea6     590  LocalAlloc
        35f52     693  ReleaseActCtx
        36136     883  VirtualAlloc
        35ada     335  GetEnvironmentStringsW
        35f86     760  SetConsoleTextAttribute
        35a9a     318  GetCurrentThreadId
        35ece     594  LocalFree
        35c02     437  GetStringTypeW
        35e0a     553  IsBadReadPtr
        35fa0     765  SetCurrentDirectoryA
        35bce     431  GetStartupInfoA
        35d1c     504  GlobalHandle
        35cd8     497  GlobalFindAtomA
        35ca4     492  GlobalAddAtomA
        358de     122  DeleteCriticalSection
        35b62     361  GetLastError
        35bba     419  GetProcessVersion
        358f6     124  DeleteFileA
        35a0a     238  FreeEnvironmentStringsW
        3601a     791  SetHandleCount
        3619a     950  lstrcpyA
        35f1e     619  MultiByteToWideChar
        35a24     239  FreeLibrary
        36146     886  VirtualFree
        360bc     852  TlsAlloc
        35b32     349  GetFileTime
        3610c     864  UnhandledExceptionFilter
        359d8     230  FlushInstructionCache
        35ef8     601  LockFile
        36128     865  UnlockFile
        35cc4     496  GlobalDeleteAtom
        35c74     481  GetVolumeInformationA
        35ff2     780  SetFileAttributesA
        35cb6     494  GlobalAlloc

 00034d20       00035170 00000000 00000000 000361dc 00034414

        DLL Name: comdlg32.dll
        vma:  Hint/Ord Member-Name Bound-To
        361cc       7  GetFileTitleA

 00034d34       00034d5c 00000000 00000000 00036330 00034000

        DLL Name: ADVAPI32.dll
        vma:  Hint/Ord Member-Name Bound-To
        362a8     457  RegCloseKey
        362b6     461  RegCreateKeyExA
        36202      26  AddUsersToEncryptedFile
        36246     350  LsaEnumeratePrivileges
        3631c     597  SystemFunction016
        36260     360  LsaICLookupNamesWithCreds
        36296     431  OpenThreadToken
        362c8     466  RegDeleteValueA
        362ea     505  RegSetValueExA
        362da     482  RegOpenKeyExA
        3627c     404  MSChapSrvChangePassword
        361ea      20  AddAccessDeniedAceEx
        36230     320  LockServiceDatabase
        362fc     558  SetSecurityDescriptorControl
        3621c     229  GetAclInformation

 00034d48       00000000 00000000 00000000 00000000 00000000

 

Embedded Resources


rksmkjjl.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         000329fb  00401000  00401000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rdata        0000237b  00434000  00434000  00032e00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00004000  00437000  00437000  00035200  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rsrc         00000530  0043b000  0043b000  00039200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 

sggmfdxd.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)

Private Headers

BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sggmfdxd.exe: File format not recognized
 

Embedded Resources

BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sggmfdxd.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sggmfdxd.exe: File format not recognized
 

sgipopnq.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386)

Private Headers

BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sgipopnq.exe: File format not recognized
 

Embedded Resources

BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: sgipopnq.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: sgipopnq.exe: File format not recognized
 

tgdtrhmg.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386)

Private Headers

BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: tgdtrhmg.exe: File format not recognized
 

Embedded Resources

BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: tgdtrhmg.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: tgdtrhmg.exe: File format not recognized
 

wkjdctce.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit)

Private Headers


wkjdctce.exe:     file format pei-i386

Characteristics 0x10f
        relocations stripped
        executable
        line numbers stripped
        symbols stripped
        32 bit words

Time/Date               Tue Sep 10 16:24:00 2013
Magic                   010b    (PE32)
MajorLinkerVersion      7
MinorLinkerVersion      10
SizeOfCode              00006000
SizeOfInitializedData   0000a000
SizeOfUninitializedData 00000000
AddressOfEntryPoint     00003164
BaseOfCode              00001000
BaseOfData              00007000
ImageBase               00400000
SectionAlignment        00001000
FileAlignment           00001000
MajorOSystemVersion     4
MinorOSystemVersion     0
MajorImageVersion       0
MinorImageVersion       0
MajorSubsystemVersion   4
MinorSubsystemVersion   0
Win32Version            00000000
SizeOfImage             00011000
SizeOfHeaders           00001000
CheckSum                00000000
Subsystem               00000002        (Windows GUI)
DllCharacteristics      00000000
SizeOfStackReserve      00100000
SizeOfStackCommit       00001000
SizeOfHeapReserve       00100000
SizeOfHeapCommit        00001000
LoaderFlags             00000000
NumberOfRvaAndSizes     00000010

The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 00006788 0000003c Import Directory [parts of .idata]
Entry 2 0000f000 00001810 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 00001000 00000130 Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 CLR Runtime Header
Entry f 00000000 00000000 Reserved

There is an import table in .text at 0x406788

The Import Tables (interpreted .text section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk
 00006788       000068ec 00000000 00000000 000068f4 00001128

        DLL Name: msi.dll
        vma:  Hint/Ord Member-Name Bound-To
        80000047           71  <none>

 0000679c       000067c4 00000000 00000000 00006c04 00001000

        DLL Name: KERNEL32.dll
        vma:  Hint/Ord Member-Name Bound-To
        6bb2      332  GetPriorityClass
        6e12      365  GetStringTypeA
        68fc       52  CreateEventA
        690c      394  GetTickCount
        691c      364  GetStdHandle
        692c      318  GetModuleHandleA
        6940      813  lstrcmpA
        694c      403  GetVersionExA
        695c      666  SetFilePointerEx
        6970      115  EnterCriticalSection
        6988      825  lstrlenA
        6994       94  DeleteCriticalSection
        69ac      518  MultiByteToWideChar
        69c2      200  FreeLibraryAndExitThread
        69de      319  GetModuleHandleW
        69f2      461  InterlockedExchange
        6a08      446  HeapFree
        6a14       56  CreateFileA
        6a22      459  InterlockedCompareExchange
        6a40      144  ExitProcess
        6a4e      684  SetStdHandle
        6a5e      577  ReadFile
        6a6a      199  FreeLibrary
        6a78      493  LocalFree
        6a84      458  InitializeCriticalSectionAndSpinCount
        6aac      474  IsDebuggerPresent
        6ac0      316  GetModuleFileNameA
        6ad6      773  WideCharToMultiByte
        6aec      483  LoadLibraryA
        6afc      287  GetEnvironmentStringsW
        6b16      404  GetVersionExW
        6b26      770  WaitForSingleObjectEx
        6b3e      672  SetLastError
        6b4e      786  WriteFile
        6b5a      769  WaitForSingleObject
        6b70      482  LeaveCriticalSection
        6b88      270  GetCurrentProcessId
        6b9e       78  CreateSemaphoreA
        6e24      368  GetStringTypeW
        6bc6      222  GetCommandLineA
        6bd8      285  GetEnvironmentStrings
        6bf0      271  GetCurrentThread
        6c12      362  GetStartupInfoA
        6c24      402  GetVersion
        6c32      719  TerminateProcess
        6c46      269  GetCurrentProcess
        6c5a      735  UnhandledExceptionFilter
        6c76      197  FreeEnvironmentStringsA
        6c90      198  FreeEnvironmentStringsW
        6caa      668  SetHandleCount
        6cbc      300  GetFileType
        6cca      272  GetCurrentThreadId
        6ce0      727  TlsSetValue
        6cee      724  TlsAlloc
        6cfa      725  TlsFree
        6d04      726  TlsGetValue
        6d12      305  GetLastError
        6d22      444  HeapDestroy
        6d30      442  HeapCreate
        6d3e      757  VirtualFree
        6d4c      603  RtlUnwind
        6d58      457  InitializeCriticalSection
        6d74      152  FatalAppExitA
        6d84      211  GetCPInfo
        6d90      205  GetACP
        6d9a      330  GetOEMCP
        6da6      440  HeapAlloc
        6db2      754  VirtualAlloc
        6dc2      449  HeapReAlloc
        6dd0      471  IsBadWritePtr
        6de0      343  GetProcAddress
        6df2      480  LCMapStringA
        6e02      481  LCMapStringW

 000067b0       00000000 00000000 00000000 00000000 00000000

 

Embedded Resources


wkjdctce.exe:     file format pei-i386

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00005e36  00401000  00401000  00001000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .data         00006000  00407000  00407000  00007000  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  2 .rsrc         00001810  0040f000  0040f000  0000d000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 

xpneklio.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386)

Private Headers

BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xpneklio.exe: File format not recognized
 

Embedded Resources

BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xpneklio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xpneklio.exe: File format not recognized
 

xvoidaio.exe

(MS-DOS executable PE for MS Windows (GUI) Intel 80386)

Private Headers

BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xvoidaio.exe: File format not recognized
 

Embedded Resources

BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
BFD: xvoidaio.exe (.data): Section flag STYP_COPY (0x10) ignored
objdump: xvoidaio.exe: File format not recognized