static analysis of memory dumps to find capabilities #1654

Open
williballenthin opened this issue Jul 19, 2023 · 10 comments
Labels
enhancement New feature or request

Comments

@williballenthin
Collaborator

It would be useful to run capa against memory snapshots, such as those derived from sandbox executions, to identify capabilities of unpacked software.

There might be some subtlety and/or challenges around restricting the feature extraction to the "interesting" regions of memory, like the target image and dynamically allocated regions, skipping libraries. Also, there are potentially many memory image formats to handle. And, we'd need to find/implement solid code analysis in these memory images which might take some work. Do we re-add SMDA as a backend?

This is potentially related to #1649 in that TTD may provide memory snapshots from specific points within a trace to this feature extractor backend.

@williballenthin
Collaborator Author

williballenthin commented Jul 19, 2023

minidump resources

focused on minidumps in this comment because it's a common format with lots of tool support, so probably a good place to start. there are other memory image formats, too.

SMDA doesn't have a minidump loader. the memory dump loader looks like it loads a flat memory dump at a given start address?

https://github.com/danielplohmann/smda/tree/master/smda/utility

vivisect has a vtype definition for minidump here: https://github.com/vivisect/vivisect/blob/379287a643496f12a734f2b2c9e36a0c6507853c/vstruct/defs/minidump.py#L559

though tbh, i'd sort of like to reduce our dependencies on vivisect if possible.

Fox-IT dissect doesn't have any memory image formats:
https://docs.dissect.tools/en/latest/index.html

but we could use cstruct to build one, perhaps derived from the structures in viv or similar. (note that a bunch of the parsers in dissect are AGPL (!) but fortunately not cstruct or util).

kaitai structure definitions for minidump:
http://formats.kaitai.io/windows_minidump/

libyal research: https://github.com/libyal/libmdmp/blob/main/documentation/Minidump%20(MDMP)%20format.asciidoc

rust-minidump format parser: https://github.com/rust-minidump/rust-minidump/blob/87a29fba5e19cfae5ebf73a57ba31504a3872545/minidump-common/src/format.rs#L1

miasm parser: https://github.com/cea-sec/miasm/blob/2b8366aaa88679609ae56e738ebf9e2f47aa53fc/miasm/loader/minidump.py#L68

7fe6809b3e9c8202777acbbfeec792417633b987ab70dd9e86989c5cc2f2fbf0 (VT) looks like a nice 192KB MDMP containing a metasploit payload that we can use for reference.

https://www.virustotal.com/gui/file/6e3f6e02f455112317305331d63c698d1a1d3714e00e8a72f23323400cd9ab69/content "full" minidump for "C:\Users\00103701\Downloads\a.exe"

@williballenthin
Collaborator Author

minidump feature extractor

To extract features from a minidump file, we'll first have to identify functions, basic blocks, instructions (and if possible, files via loaded modules). We'll have to pick an analysis engine, like vivisect, lancelot, etc. to load the minidump and find code. Then we can use it to enumerate those items and extract features; this part is pretty well understood and could be re-used from existing extractors.

The harder part is building the loader and code analyzer. From the minidump we can expect (usually? sometimes?) a list of memory regions, their permissions, a list of threads and their program counters, and maybe some metadata about loaded modules. From this, we can reconstruct an address space and do some code discovery using known entrypoints, like thread program counters, return addresses, module entrypoints and exports, etc. This sort of code analysis is non-negligible; ideally we can rely on existing systems. Like, perhaps we can map the regions into a viv/lancelot workspace and then mark a few locations as known code and rely on their control flow reconstruction to work well enough.

I suppose IDA has support for minidumps already, so we could use this to prove out the idea of extracting features from minidumps. Then, as we implement a headless feature extractor with viv/lancelot/etc., we can compare the results with what IDA gives.

My guess is that this will be reasonable to get a PoC going and challenging to nail down all the edge cases. But, maybe it's good enough for capa?
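As an added example (not code from capa, vivisect, or the issue author), the following Python sketch covers the loader step described in this comment and the "interesting regions" question from the opening post: it parses a minidump's header, stream directory, ModuleListStream and MemoryListStream (the same structures the vstruct listing in a later comment prints, with field layouts taken from the public minidump format), reconstructs a flat address space over the captured ranges, and keeps only the ranges that belong to the target image or to no module at all, skipping library memory. The sample dump is constructed in `build_sample_minidump()` and is not a real file; the helper names (`parse_minidump`, `AddressSpace`, `owner_module`, `interesting_regions`) are this example's own; and treating the first module in the list as the target image is an assumption that happens to match the listing (module 0 is the 0x400000 image), not a guarantee of the format.

```python
import bisect
import struct
from dataclasses import dataclass

# Layout constants from the public minidump format; sizes match the vstruct listing.
MINIDUMP_SIGNATURE = 0x504D444D  # "MDMP"
MODULE_LIST_STREAM, MEMORY_LIST_STREAM = 4, 5
HEADER_FMT = "<IIIIIIQ"  # Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
MODULE_SIZE = 108        # sizeof(MINIDUMP_MODULE); only the first 24 bytes are decoded here


@dataclass
class Module:
    base: int
    size: int
    name: str


@dataclass
class MemoryRange:
    start: int   # virtual address of the first captured byte
    data: bytes  # bytes copied out of the dump file


def read_minidump_string(buf: bytes, rva: int) -> str:
    """MINIDUMP_STRING: u32 byte length, then UTF-16LE characters (terminator not counted)."""
    (nbytes,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4:rva + 4 + nbytes].decode("utf-16-le")


def parse_minidump(buf: bytes):
    """Return (modules, memory ranges) from the ModuleListStream and MemoryListStream."""
    sig, _ver, nstreams, dir_rva, _cksum, _ts, _flags = struct.unpack_from(HEADER_FMT, buf, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    streams = {}
    for i in range(nstreams):
        stype, dsize, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        if stype != 0:  # type 0 = UnusedStream (the padding entries in the listing)
            streams[stype] = (dsize, rva)
    modules, ranges = [], []
    if MODULE_LIST_STREAM in streams:
        rva = streams[MODULE_LIST_STREAM][1]
        (count,) = struct.unpack_from("<I", buf, rva)
        for i in range(count):
            base, size, _cksum, _ts, name_rva = struct.unpack_from("<QIIII", buf, rva + 4 + MODULE_SIZE * i)
            modules.append(Module(base, size, read_minidump_string(buf, name_rva)))
    if MEMORY_LIST_STREAM in streams:
        rva = streams[MEMORY_LIST_STREAM][1]
        (count,) = struct.unpack_from("<I", buf, rva)
        for i in range(count):  # MINIDUMP_MEMORY_DESCRIPTOR: StartOfMemoryRange u64, DataSize u32, Rva u32
            start, dsize, data_rva = struct.unpack_from("<QII", buf, rva + 4 + 16 * i)
            ranges.append(MemoryRange(start, buf[data_rva:data_rva + dsize]))
    return modules, ranges


class AddressSpace:
    """Flat view over the captured ranges; read() fails on any byte the dump did not capture."""

    def __init__(self, ranges):
        self.ranges = sorted(ranges, key=lambda r: r.start)
        self.starts = [r.start for r in self.ranges]

    def read(self, va: int, n: int) -> bytes:
        i = bisect.bisect_right(self.starts, va) - 1
        if i < 0 or va + n > self.ranges[i].start + len(self.ranges[i].data):
            raise KeyError(f"0x{va:x}+{n} not captured in this dump")
        off = va - self.ranges[i].start
        return self.ranges[i].data[off:off + n]


def owner_module(modules, va):
    """Module whose image range contains va, or None for dynamically allocated memory."""
    return next((m for m in modules if m.base <= va < m.base + m.size), None)


def interesting_regions(modules, ranges):
    """Ranges worth feature extraction: the target image plus memory owned by no module.
    Assumption: the first listed module is the target image, as in the vstruct listing."""
    target = modules[0] if modules else None
    return [r for r in ranges if owner_module(modules, r.start) in (None, target)]


def build_sample_minidump() -> bytes:
    """Constructed sample (not a real dump): 2 modules, 3 captured ranges."""
    mods = [(0x400000, 0x16000, "C:\\sample\\a.exe"), (0x771E0000, 0x1A4000, "C:\\Windows\\System32\\ntdll.dll")]
    regs = [(0x40D000, b"\x55\x8b\xec" + b"\x90" * 13), (0x731FF0, b"\xe8" + b"\x00" * 15), (0x771E1000, b"\xcc" * 16)]
    out = bytearray(32)  # header, filled in last
    dir_rva = len(out)
    out += bytes(12 * 2)  # directory: two entries
    name_rvas = []
    for _, _, name in mods:
        name_rvas.append(len(out))
        enc = name.encode("utf-16-le")
        out += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    mod_rva = len(out)
    out += struct.pack("<I", len(mods))
    for (base, size, _), name_rva in zip(mods, name_rvas):
        out += struct.pack("<QIIII", base, size, 0, 0, name_rva) + bytes(MODULE_SIZE - 24)
    data_rvas = []
    for _, data in regs:
        data_rvas.append(len(out))
        out += data
    mem_rva = len(out)
    out += struct.pack("<I", len(regs))
    for (start, data), data_rva in zip(regs, data_rvas):
        out += struct.pack("<QII", start, len(data), data_rva)
    struct.pack_into("<III", out, dir_rva, MODULE_LIST_STREAM, 4 + MODULE_SIZE * len(mods), mod_rva)
    struct.pack_into("<III", out, dir_rva + 12, MEMORY_LIST_STREAM, 4 + 16 * len(regs), mem_rva)
    struct.pack_into(HEADER_FMT, out, 0, MINIDUMP_SIGNATURE, 0xA793, 2, dir_rva, 0, 0, 0)
    return bytes(out)


if __name__ == "__main__":
    modules, ranges = parse_minidump(build_sample_minidump())
    aspace = AddressSpace(ranges)
    for r in interesting_regions(modules, ranges):
        owner = owner_module(modules, r.start)
        print(f"0x{r.start:08x} {len(r.data):5d} bytes  {owner.name if owner else '<dynamic>'}  {aspace.read(r.start, 3).hex()}")
```

Two points the sketch makes concrete: a minidump is sparse, so the address space must refuse reads that fall outside a captured range rather than return zeros (otherwise a disassembler walks happily into bytes that were never in the process), and module ownership is decided from the ModuleListStream base/size pairs, which is what lets a backend skip ntdll and friends while keeping heap or VirtualAlloc'd regions where unpacked code usually lives.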

@williballenthin
Collaborator Author

williballenthin commented Jul 19, 2023

script for showing the layout of a minidump file, using vivisect vstruct
(but pending bugs: vivisect/vivisect#625 and vivisect/vivisect#626)

https://github.com/mandiant/capa/blob/willi/mdmp/scripts/show-mdmp.py

❯ python scripts/show-mdmp.py tests/data/7fe6809b3e9c8202777acbbfeec792417633b987ab70dd9e86989c5cc2f2fbf0.mdmp_
INFO:vstruct.defs.minidump:Unknown stream type of 21
INFO:vstruct.defs.minidump:Unknown stream type of 22
00000000 (176) MiniDumpHeader: MiniDumpHeader
00000000 (04)   Signature: 0x504d444d (1347241037)
00000004 (04)   Version: 0xa061a793 (2690754451)
00000008 (04)   NumberOfStreams: 0x0000000c (12)
0000000c (04)   StreamDirectoryRVA: 0x00000020 (32)
00000010 (04)   Checksum: 0x00000000 (0)
00000014 (04)   Resv_TimeDateStamp: 0x63c93d30 (1674132784)
00000018 (08)   Flags: 0x00000121 (289)
00000020 (144)   Directory: VArray
00000020 (12)     0: MiniDumpDirectory
00000020 (04)       StreamType: 0x00000003 (3)
00000024 (08)       Location: MiniDumpLocationDescriptor
00000024 (04)         DataSize: 0x00000094 (148)
00000028 (04)         RVA: 0x000006e4 (1764)
0000002c (12)     1: MiniDumpDirectory
0000002c (04)       StreamType: 0x00000004 (4)
00000030 (08)       Location: MiniDumpLocationDescriptor
00000030 (04)         DataSize: 0x00000514 (1300)
00000034 (04)         RVA: 0x00000784 (1924)
00000038 (12)     2: MiniDumpDirectory
00000038 (04)       StreamType: 0x00000005 (5)
0000003c (08)       Location: MiniDumpLocationDescriptor
0000003c (04)         DataSize: 0x00000244 (580)
00000040 (04)         RVA: 0x00001f18 (7960)
00000044 (12)     3: MiniDumpDirectory
00000044 (04)       StreamType: 0x00000006 (6)
00000048 (08)       Location: MiniDumpLocationDescriptor
00000048 (04)         DataSize: 0x000000a8 (168)
0000004c (04)         RVA: 0x0000063c (1596)
00000050 (12)     4: MiniDumpDirectory
00000050 (04)       StreamType: 0x00000007 (7)
00000054 (08)       Location: MiniDumpLocationDescriptor
00000054 (04)         DataSize: 0x00000038 (56)
00000058 (04)         RVA: 0x000000b0 (176)
0000005c (12)     5: MiniDumpDirectory
0000005c (04)       StreamType: 0x0000000f (15)
00000060 (08)       Location: MiniDumpLocationDescriptor
00000060 (04)         DataSize: 0x00000554 (1364)
00000064 (04)         RVA: 0x000000e8 (232)
00000068 (12)     6: MiniDumpDirectory
00000068 (04)       StreamType: 0x00000015 (21)
0000006c (08)       Location: MiniDumpLocationDescriptor
0000006c (04)         DataSize: 0x000001ec (492)
00000070 (04)         RVA: 0x00000c98 (3224)
00000074 (12)     7: MiniDumpDirectory
00000074 (04)       StreamType: 0x00000016 (22)
00000078 (08)       Location: MiniDumpLocationDescriptor
00000078 (04)         DataSize: 0x00000098 (152)
0000007c (04)         RVA: 0x00000e84 (3716)
00000080 (12)     8: MiniDumpDirectory
00000080 (04)       StreamType: 0x00000000 (0)
00000084 (08)       Location: MiniDumpLocationDescriptor
00000084 (04)         DataSize: 0x00000000 (0)
00000088 (04)         RVA: 0x00000000 (0)
0000008c (12)     9: MiniDumpDirectory
0000008c (04)       StreamType: 0x00000000 (0)
00000090 (08)       Location: MiniDumpLocationDescriptor
00000090 (04)         DataSize: 0x00000000 (0)
00000094 (04)         RVA: 0x00000000 (0)
00000098 (12)     10: MiniDumpDirectory
00000098 (04)       StreamType: 0x00000000 (0)
0000009c (08)       Location: MiniDumpLocationDescriptor
0000009c (04)         DataSize: 0x00000000 (0)
000000a0 (04)         RVA: 0x00000000 (0)
000000a4 (12)     11: MiniDumpDirectory
000000a4 (04)       StreamType: 0x00000000 (0)
000000a8 (08)       Location: MiniDumpLocationDescriptor
000000a8 (04)         DataSize: 0x00000000 (0)
000000ac (04)         RVA: 0x00000000 (0)
00000000 (148) MiniDumpThreadListStream: MiniDumpThreadListStream
00000000 (04)   NumberOfThreads: 0x00000003 (3)
00000004 (144)   Threads: VArray
00000004 (48)     0: MiniDumpThread
00000004 (04)       ThreadId: 0x00003e74 (15988)
00000008 (04)       SuspendCount: 0x00000000 (0)
0000000c (04)       PriorityClass: 0x00000020 (32)
00000010 (04)       Priority: 0x00000000 (0)
00000014 (08)       Teb: 0x00251000 (2428928)
0000001c (16)       Stack: MiniDumpMemoryDescriptor
0000001c (08)         StartOfMemoryPage: 0x0019f8bc (1702076)
00000024 (08)         Memory: MiniDumpLocationDescriptor
00000024 (04)           DataSize: 0x00000744 (1860)
00000028 (04)           RVA: 0x0002f4f0 (193776)
0000002c (08)       ThreadContext: MiniDumpLocationDescriptor
0000002c (04)         DataSize: 0x000002cc (716)
00000030 (04)         RVA: 0x000014fe (5374)
00000034 (48)     1: MiniDumpThread
00000034 (04)       ThreadId: 0x000032f8 (13048)
00000038 (04)       SuspendCount: 0x00000001 (1)
0000003c (04)       PriorityClass: 0x00000020 (32)
00000040 (04)       Priority: 0x00000000 (0)
00000044 (08)       Teb: 0x00254000 (2441216)
0000004c (16)       Stack: MiniDumpMemoryDescriptor
0000004c (08)         StartOfMemoryPage: 0x0069fdb0 (6946224)
00000054 (08)         Memory: MiniDumpLocationDescriptor
00000054 (04)           DataSize: 0x00000250 (592)
00000058 (04)           RVA: 0x0002ec98 (191640)
0000005c (08)       ThreadContext: MiniDumpLocationDescriptor
0000005c (04)         DataSize: 0x000002cc (716)
00000060 (04)         RVA: 0x000017ca (6090)
00000064 (48)     2: MiniDumpThread
00000064 (04)       ThreadId: 0x0000398c (14732)
00000068 (04)       SuspendCount: 0x00000001 (1)
0000006c (04)       PriorityClass: 0x00000020 (32)
00000070 (04)       Priority: 0x00000000 (0)
00000074 (08)       Teb: 0x00257000 (2453504)
0000007c (16)       Stack: MiniDumpMemoryDescriptor
0000007c (08)         StartOfMemoryPage: 0x0092fdb0 (9633200)
00000084 (08)         Memory: MiniDumpLocationDescriptor
00000084 (04)           DataSize: 0x00000250 (592)
00000088 (04)           RVA: 0x00009a58 (39512)
0000008c (08)       ThreadContext: MiniDumpLocationDescriptor
0000008c (04)         DataSize: 0x000002cc (716)
00000090 (04)         RVA: 0x00001a96 (6806)
00000000 (1300) MiniDumpModuleListStream: MiniDumpModuleListStream
00000000 (04)   NumberOfModules: 0x0000000c (12)
00000004 (1296)   Modules: VArray
00000004 (108)     0: MiniDumpModule
00000004 (08)       BaseOfImage: 0x00400000 (4194304)
0000000c (04)       SizeOfImage: 0x00016000 (90112)
00000010 (04)       CheckSum: 0x00000000 (0)
00000014 (04)       TimeDateStamp: 0x4aa6154d (1252398413)
00000018 (04)       ModuleNameRva: 0x00000f22 (3874)
0000001c (52)       VersionInfo: VS_FixedFileInfo
0000001c (04)         Signature: 0xfeef04bd (4277077181)
00000020 (04)         StrucVersion: 0x00010000 (65536)
00000024 (04)         FileVersionMS: 0x00020002 (131074)
00000028 (04)         FileVersionLS: 0x000e0000 (917504)
0000002c (04)         ProductVersionMS: 0x00020002 (131074)
00000030 (04)         ProductVersionLS: 0x000e0000 (917504)
00000034 (04)         FileFlagsMask: 0x0000003f (63)
00000038 (04)         FileFlags: 0x00000000 (0)
0000003c (04)         FileOS: 0x00000004 (4)
00000040 (04)         FileType: 0x00000001 (1)
00000044 (04)         FileSubType: 0x00000000 (0)
00000048 (04)         FileDateMS: 0x00000000 (0)
0000004c (04)         FileDateLS: 0x00000000 (0)
00000050 (08)       CvRecord: MiniDumpLocationDescriptor
00000050 (04)         DataSize: 0x0000004a (74)
00000054 (04)         RVA: 0x00001d62 (7522)
00000058 (08)       MiscRecord: MiniDumpLocationDescriptor
00000058 (04)         DataSize: 0x00000000 (0)
0000005c (04)         RVA: 0x00000000 (0)
00000060 (08)       Reserved1: 0x00000000 (0)
00000068 (08)       Reserved2: 0x00000000 (0)
00000070 (108)     1: MiniDumpModule
00000070 (08)       BaseOfImage: 0x771e0000 (1998454784)
00000078 (04)       SizeOfImage: 0x001a4000 (1720320)
0000007c (04)       CheckSum: 0x001ac639 (1754681)
00000080 (04)       TimeDateStamp: 0xea5711f3 (3931574771)
00000084 (04)       ModuleNameRva: 0x00000f44 (3908)
00000088 (52)       VersionInfo: VS_FixedFileInfo
00000088 (04)         Signature: 0xfeef04bd (4277077181)
0000008c (04)         StrucVersion: 0x00010000 (65536)
00000090 (04)         FileVersionMS: 0x000a0000 (655360)
00000094 (04)         FileVersionLS: 0x4a61093c (1247873340)
00000098 (04)         ProductVersionMS: 0x000a0000 (655360)
0000009c (04)         ProductVersionLS: 0x4a61093c (1247873340)
000000a0 (04)         FileFlagsMask: 0x0000003f (63)
000000a4 (04)         FileFlags: 0x00000000 (0)
000000a8 (04)         FileOS: 0x00040004 (262148)
000000ac (04)         FileType: 0x00000002 (2)
000000b0 (04)         FileSubType: 0x00000000 (0)
000000b4 (04)         FileDateMS: 0x00000000 (0)
000000b8 (04)         FileDateLS: 0x00000000 (0)
000000bc (08)       CvRecord: MiniDumpLocationDescriptor
000000bc (04)         DataSize: 0x00000023 (35)
000000c0 (04)         RVA: 0x00001dac (7596)
000000c4 (08)       MiscRecord: MiniDumpLocationDescriptor
000000c4 (04)         DataSize: 0x00000000 (0)
000000c8 (04)         RVA: 0x00000000 (0)
000000cc (08)       Reserved1: 0x00004140 (16704)
000000d4 (08)       Reserved2: 0x00000000 (0)
000000dc (108)     2: MiniDumpModule
000000dc (08)       BaseOfImage: 0x75790000 (1970864128)
000000e4 (04)       SizeOfImage: 0x000f0000 (983040)
000000e8 (04)       CheckSum: 0x000a14e7 (660711)
000000ec (04)       TimeDateStamp: 0x4781ffee (1199701998)
000000f0 (04)       ModuleNameRva: 0x00000f84 (3972)
000000f4 (52)       VersionInfo: VS_FixedFileInfo
000000f4 (04)         Signature: 0xfeef04bd (4277077181)
000000f8 (04)         StrucVersion: 0x00010000 (65536)
000000fc (04)         FileVersionMS: 0x000a0000 (655360)
00000100 (04)         FileVersionLS: 0x4a61093c (1247873340)
00000104 (04)         ProductVersionMS: 0x000a0000 (655360)
00000108 (04)         ProductVersionLS: 0x4a61093c (1247873340)
0000010c (04)         FileFlagsMask: 0x0000003f (63)
00000110 (04)         FileFlags: 0x00000000 (0)
00000114 (04)         FileOS: 0x00040004 (262148)
00000118 (04)         FileType: 0x00000002 (2)
0000011c (04)         FileSubType: 0x00000000 (0)
00000120 (04)         FileDateMS: 0x00000000 (0)
00000124 (04)         FileDateLS: 0x00000000 (0)
00000128 (08)       CvRecord: MiniDumpLocationDescriptor
00000128 (04)         DataSize: 0x00000026 (38)
0000012c (04)         RVA: 0x00001dcf (7631)
00000130 (08)       MiscRecord: MiniDumpLocationDescriptor
00000130 (04)         DataSize: 0x00000000 (0)
00000134 (04)         RVA: 0x00000000 (0)
00000138 (08)       Reserved1: 0x00004140 (16704)
00000140 (08)       Reserved2: 0x00000000 (0)
00000148 (108)     3: MiniDumpModule
00000148 (08)       BaseOfImage: 0x76860000 (1988493312)
00000150 (04)       SizeOfImage: 0x0021c000 (2211840)
00000154 (04)       CheckSum: 0x0021e4ff (2221311)
00000158 (04)       TimeDateStamp: 0xca518c9d (3394342045)
0000015c (04)       ModuleNameRva: 0x00000fca (4042)
00000160 (52)       VersionInfo: VS_FixedFileInfo
00000160 (04)         Signature: 0xfeef04bd (4277077181)
00000164 (04)         StrucVersion: 0x00010000 (65536)
00000168 (04)         FileVersionMS: 0x000a0000 (655360)
0000016c (04)         FileVersionLS: 0x4a6109b6 (1247873462)
00000170 (04)         ProductVersionMS: 0x000a0000 (655360)
00000174 (04)         ProductVersionLS: 0x4a6109b6 (1247873462)
00000178 (04)         FileFlagsMask: 0x0000003f (63)
0000017c (04)         FileFlags: 0x00000000 (0)
00000180 (04)         FileOS: 0x00040004 (262148)
00000184 (04)         FileType: 0x00000002 (2)
00000188 (04)         FileSubType: 0x00000000 (0)
0000018c (04)         FileDateMS: 0x00000000 (0)
00000190 (04)         FileDateLS: 0x00000000 (0)
00000194 (08)       CvRecord: MiniDumpLocationDescriptor
00000194 (04)         DataSize: 0x00000028 (40)
00000198 (04)         RVA: 0x00001df5 (7669)
0000019c (08)       MiscRecord: MiniDumpLocationDescriptor
0000019c (04)         DataSize: 0x00000000 (0)
000001a0 (04)         RVA: 0x00000000 (0)
000001a4 (08)       Reserved1: 0x00004140 (16704)
000001ac (08)       Reserved2: 0x00000000 (0)
000001b4 (108)     4: MiniDumpModule
000001b4 (08)       BaseOfImage: 0x6a950000 (1788149760)
000001bc (04)       SizeOfImage: 0x000a0000 (655360)
000001c0 (04)       CheckSum: 0x0009f710 (653072)
000001c4 (04)       TimeDateStamp: 0xeb7b2a71 (3950717553)
000001c8 (04)       ModuleNameRva: 0x00001014 (4116)
000001cc (52)       VersionInfo: VS_FixedFileInfo
000001cc (04)         Signature: 0xfeef04bd (4277077181)
000001d0 (04)         StrucVersion: 0x00010000 (65536)
000001d4 (04)         FileVersionMS: 0x000a0000 (655360)
000001d8 (04)         FileVersionLS: 0x4a61081b (1247873051)
000001dc (04)         ProductVersionMS: 0x000a0000 (655360)
000001e0 (04)         ProductVersionLS: 0x4a61081b (1247873051)
000001e4 (04)         FileFlagsMask: 0x0000003f (63)
000001e8 (04)         FileFlags: 0x00000000 (0)
000001ec (04)         FileOS: 0x00040004 (262148)
000001f0 (04)         FileType: 0x00000002 (2)
000001f4 (04)         FileSubType: 0x00000000 (0)
000001f8 (04)         FileDateMS: 0x00000000 (0)
000001fc (04)         FileDateLS: 0x00000000 (0)
00000200 (08)       CvRecord: MiniDumpLocationDescriptor
00000200 (04)         DataSize: 0x00000024 (36)
00000204 (04)         RVA: 0x00001e1d (7709)
00000208 (08)       MiscRecord: MiniDumpLocationDescriptor
00000208 (04)         DataSize: 0x00000000 (0)
0000020c (04)         RVA: 0x00000000 (0)
00000210 (08)       Reserved1: 0x00004140 (16704)
00000218 (08)       Reserved2: 0x00000000 (0)
00000220 (108)     5: MiniDumpModule
00000220 (08)       BaseOfImage: 0x75430000 (1967325184)
00000228 (04)       SizeOfImage: 0x000bf000 (782336)
0000022c (04)       CheckSum: 0x000c7c0a (818186)
00000230 (04)       TimeDateStamp: 0x7f567a50 (2136373840)
00000234 (04)       ModuleNameRva: 0x00001058 (4184)
00000238 (52)       VersionInfo: VS_FixedFileInfo
00000238 (04)         Signature: 0xfeef04bd (4277077181)
0000023c (04)         StrucVersion: 0x00010000 (65536)
00000240 (04)         FileVersionMS: 0x00070000 (458752)
00000244 (04)         FileVersionLS: 0x4a610222 (1247871522)
00000248 (04)         ProductVersionMS: 0x000a0000 (655360)
0000024c (04)         ProductVersionLS: 0x4a610222 (1247871522)
00000250 (04)         FileFlagsMask: 0x0000003f (63)
00000254 (04)         FileFlags: 0x00000000 (0)
00000258 (04)         FileOS: 0x00040004 (262148)
0000025c (04)         FileType: 0x00000001 (1)
00000260 (04)         FileSubType: 0x00000000 (0)
00000264 (04)         FileDateMS: 0x00000000 (0)
00000268 (04)         FileDateLS: 0x00000000 (0)
0000026c (08)       CvRecord: MiniDumpLocationDescriptor
0000026c (04)         DataSize: 0x00000023 (35)
00000270 (04)         RVA: 0x00001e41 (7745)
00000274 (08)       MiscRecord: MiniDumpLocationDescriptor
00000274 (04)         DataSize: 0x00000000 (0)
00000278 (04)         RVA: 0x00000000 (0)
0000027c (08)       Reserved1: 0x00004140 (16704)
00000284 (08)       Reserved2: 0x00000000 (0)
0000028c (108)     6: MiniDumpModule
0000028c (08)       BaseOfImage: 0x750a0000 (1963589632)
00000294 (04)       SizeOfImage: 0x0007b000 (503808)
00000298 (04)       CheckSum: 0x00079356 (496470)
0000029c (04)       TimeDateStamp: 0xdca539bb (3701815739)
000002a0 (04)       ModuleNameRva: 0x0000109a (4250)
000002a4 (52)       VersionInfo: VS_FixedFileInfo
000002a4 (04)         Signature: 0xfeef04bd (4277077181)
000002a8 (04)         StrucVersion: 0x00010000 (65536)
000002ac (04)         FileVersionMS: 0x000a0000 (655360)
000002b0 (04)         FileVersionLS: 0x4a610852 (1247873106)
000002b4 (04)         ProductVersionMS: 0x000a0000 (655360)
000002b8 (04)         ProductVersionLS: 0x4a610852 (1247873106)
000002bc (04)         FileFlagsMask: 0x0000003f (63)
000002c0 (04)         FileFlags: 0x00000000 (0)
000002c4 (04)         FileOS: 0x00040004 (262148)
000002c8 (04)         FileType: 0x00000002 (2)
000002cc (04)         FileSubType: 0x00000000 (0)
000002d0 (04)         FileDateMS: 0x00000000 (0)
000002d4 (04)         FileDateLS: 0x00000000 (0)
000002d8 (08)       CvRecord: MiniDumpLocationDescriptor
000002d8 (04)         DataSize: 0x00000025 (37)
000002dc (04)         RVA: 0x00001e64 (7780)
000002e0 (08)       MiscRecord: MiniDumpLocationDescriptor
000002e0 (04)         DataSize: 0x00000000 (0)
000002e4 (04)         RVA: 0x00000000 (0)
000002e8 (08)       Reserved1: 0x00004140 (16704)
000002f0 (08)       Reserved2: 0x00000000 (0)
000002f8 (108)     7: MiniDumpModule
000002f8 (08)       BaseOfImage: 0x75970000 (1972830208)
00000300 (04)       SizeOfImage: 0x00076000 (483328)
00000304 (04)       CheckSum: 0x0007bf51 (507729)
00000308 (04)       TimeDateStamp: 0x4ce6f448 (1290204232)
0000030c (04)       ModuleNameRva: 0x000010e0 (4320)
00000310 (52)       VersionInfo: VS_FixedFileInfo
00000310 (04)         Signature: 0xfeef04bd (4277077181)
00000314 (04)         StrucVersion: 0x00010000 (65536)
00000318 (04)         FileVersionMS: 0x000a0000 (655360)
0000031c (04)         FileVersionLS: 0x4a610749 (1247872841)
00000320 (04)         ProductVersionMS: 0x000a0000 (655360)
00000324 (04)         ProductVersionLS: 0x4a610749 (1247872841)
00000328 (04)         FileFlagsMask: 0x0000003f (63)
0000032c (04)         FileFlags: 0x00000000 (0)
00000330 (04)         FileOS: 0x00040004 (262148)
00000334 (04)         FileType: 0x00000001 (1)
00000338 (04)         FileSubType: 0x00000000 (0)
0000033c (04)         FileDateMS: 0x00000000 (0)
00000340 (04)         FileDateLS: 0x00000000 (0)
00000344 (08)       CvRecord: MiniDumpLocationDescriptor
00000344 (04)         DataSize: 0x00000024 (36)
00000348 (04)         RVA: 0x00001e89 (7817)
0000034c (08)       MiscRecord: MiniDumpLocationDescriptor
0000034c (04)         DataSize: 0x00000000 (0)
00000350 (04)         RVA: 0x00000000 (0)
00000354 (08)       Reserved1: 0x00004140 (16704)
0000035c (08)       Reserved2: 0x00000000 (0)
00000364 (108)     8: MiniDumpModule
00000364 (08)       BaseOfImage: 0x76c50000 (1992622080)
0000036c (04)       SizeOfImage: 0x000be000 (778240)
00000370 (04)       CheckSum: 0x000cd944 (842052)
00000374 (04)       TimeDateStamp: 0x9d768d96 (2641792406)
00000378 (04)       ModuleNameRva: 0x00001124 (4388)
0000037c (52)       VersionInfo: VS_FixedFileInfo
0000037c (04)         Signature: 0xfeef04bd (4277077181)
00000380 (04)         StrucVersion: 0x00010000 (65536)
00000384 (04)         FileVersionMS: 0x000a0000 (655360)
00000388 (04)         FileVersionLS: 0x4a6109b6 (1247873462)
0000038c (04)         ProductVersionMS: 0x000a0000 (655360)
00000390 (04)         ProductVersionLS: 0x4a6109b6 (1247873462)
00000394 (04)         FileFlagsMask: 0x0000003f (63)
00000398 (04)         FileFlags: 0x00000000 (0)
0000039c (04)         FileOS: 0x00040004 (262148)
000003a0 (04)         FileType: 0x00000002 (2)
000003a4 (04)         FileSubType: 0x00000000 (0)
000003a8 (04)         FileDateMS: 0x00000000 (0)
000003ac (04)         FileDateLS: 0x00000000 (0)
000003b0 (08)       CvRecord: MiniDumpLocationDescriptor
000003b0 (04)         DataSize: 0x00000024 (36)
000003b4 (04)         RVA: 0x00001ead (7853)
000003b8 (08)       MiscRecord: MiniDumpLocationDescriptor
000003b8 (04)         DataSize: 0x00000000 (0)
000003bc (04)         RVA: 0x00000000 (0)
000003c0 (08)       Reserved1: 0x00004140 (16704)
000003c8 (08)       Reserved2: 0x00000000 (0)
000003d0 (108)     9: MiniDumpModule
000003d0 (08)       BaseOfImage: 0x75360000 (1966473216)
000003d8 (04)       SizeOfImage: 0x00063000 (405504)
000003dc (04)       CheckSum: 0x00064f32 (413490)
000003e0 (04)       TimeDateStamp: 0xf9ac0921 (4188801313)
000003e4 (04)       ModuleNameRva: 0x00001166 (4454)
000003e8 (52)       VersionInfo: VS_FixedFileInfo
000003e8 (04)         Signature: 0xfeef04bd (4277077181)
000003ec (04)         StrucVersion: 0x00010000 (65536)
000003f0 (04)         FileVersionMS: 0x000a0000 (655360)
000003f4 (04)         FileVersionLS: 0x4a610222 (1247871522)
000003f8 (04)         ProductVersionMS: 0x000a0000 (655360)
000003fc (04)         ProductVersionLS: 0x4a610222 (1247871522)
00000400 (04)         FileFlagsMask: 0x0000003f (63)
00000404 (04)         FileFlags: 0x00000000 (0)
00000408 (04)         FileOS: 0x00040004 (262148)
0000040c (04)         FileType: 0x00000002 (2)
00000410 (04)         FileSubType: 0x00000000 (0)
00000414 (04)         FileDateMS: 0x00000000 (0)
00000418 (04)         FileDateLS: 0x00000000 (0)
0000041c (08)       CvRecord: MiniDumpLocationDescriptor
0000041c (04)         DataSize: 0x00000023 (35)
00000420 (04)         RVA: 0x00001ed1 (7889)
00000424 (08)       MiscRecord: MiniDumpLocationDescriptor
00000424 (04)         DataSize: 0x00000000 (0)
00000428 (04)         RVA: 0x00000000 (0)
0000042c (08)       Reserved1: 0x00004140 (16704)
00000434 (08)       Reserved2: 0x00000000 (0)
0000043c (108)     10: MiniDumpModule
0000043c (08)       BaseOfImage: 0x71df0000 (1910439936)
00000444 (04)       SizeOfImage: 0x00008000 (32768)
00000448 (04)       CheckSum: 0x0000f700 (63232)
0000044c (04)       TimeDateStamp: 0x4e127638 (1309832760)
00000450 (04)       ModuleNameRva: 0x000011a8 (4520)
00000454 (52)       VersionInfo: VS_FixedFileInfo
00000454 (04)         Signature: 0xfeef04bd (4277077181)
00000458 (04)         StrucVersion: 0x00010000 (65536)
0000045c (04)         FileVersionMS: 0x000a0000 (655360)
00000460 (04)         FileVersionLS: 0x4a610001 (1247870977)
00000464 (04)         ProductVersionMS: 0x000a0000 (655360)
00000468 (04)         ProductVersionLS: 0x4a610001 (1247870977)
0000046c (04)         FileFlagsMask: 0x0000003f (63)
00000470 (04)         FileFlags: 0x00000000 (0)
00000474 (04)         FileOS: 0x00040004 (262148)
00000478 (04)         FileType: 0x00000002 (2)
0000047c (04)         FileSubType: 0x00000000 (0)
00000480 (04)         FileDateMS: 0x00000000 (0)
00000484 (04)         FileDateLS: 0x00000000 (0)
00000488 (08)       CvRecord: MiniDumpLocationDescriptor
00000488 (04)         DataSize: 0x00000024 (36)
0000048c (04)         RVA: 0x00001ef4 (7924)
00000490 (08)       MiscRecord: MiniDumpLocationDescriptor
00000490 (04)         DataSize: 0x00000000 (0)
00000494 (04)         RVA: 0x00000000 (0)
00000498 (08)       Reserved1: 0x00004140 (16704)
000004a0 (08)       Reserved2: 0x00000000 (0)
000004a8 (108)     11: MiniDumpModule
000004a8 (08)       BaseOfImage: 0x771d0000 (1998389248)
000004b0 (04)       SizeOfImage: 0x0000a000 (40960)
000004b4 (04)       CheckSum: 0x0000d69c (54940)
000004b8 (04)       TimeDateStamp: 0x378bc3cd (931906509)
000004bc (04)       ModuleNameRva: 0x000011ec (4588)
000004c0 (52)       VersionInfo: VS_FixedFileInfo
000004c0 (04)         Signature: 0xfeef04bd (4277077181)
000004c4 (04)         StrucVersion: 0x00010000 (65536)
000004c8 (04)         FileVersionMS: 0x000a0000 (655360)
000004cc (04)         FileVersionLS: 0x4a610296 (1247871638)
000004d0 (04)         ProductVersionMS: 0x000a0000 (655360)
000004d4 (04)         ProductVersionLS: 0x4a610296 (1247871638)
000004d8 (04)         FileFlagsMask: 0x0000003f (63)
000004dc (04)         FileFlags: 0x00000000 (0)
000004e0 (04)         FileOS: 0x00040004 (262148)
000004e4 (04)         FileType: 0x00000002 (2)
000004e8 (04)         FileSubType: 0x00000000 (0)
000004ec (04)         FileDateMS: 0x00000000 (0)
000004f0 (04)         FileDateLS: 0x00000000 (0)
000004f4 (08)       CvRecord: MiniDumpLocationDescriptor
000004f4 (04)         DataSize: 0x00000000 (0)
000004f8 (04)         RVA: 0x00000000 (0)
000004fc (08)       MiscRecord: MiniDumpLocationDescriptor
000004fc (04)         DataSize: 0x00000000 (0)
00000500 (04)         RVA: 0x00000000 (0)
00000504 (08)       Reserved1: 0x00000000 (0)
0000050c (08)       Reserved2: 0x00000000 (0)
00000000 (580) MiniDumpMemoryListStream: MiniDumpMemoryListStream
00000000 (04)   NumberOfMemoryRanges: 0x00000024 (36)
00000004 (576)   MemoryRanges: VArray
00000004 (16)     0: MiniDumpMemoryDescriptor
00000004 (08)       StartOfMemoryPage: 0x00731ff0 (7544816)
0000000c (08)       Memory: MiniDumpLocationDescriptor
0000000c (04)         DataSize: 0x000002c0 (704)
00000010 (04)         RVA: 0x0000215c (8540)
00000014 (16)     1: MiniDumpMemoryDescriptor
00000014 (08)       StartOfMemoryPage: 0x007324b8 (7546040)
0000001c (08)       Memory: MiniDumpLocationDescriptor
0000001c (04)         DataSize: 0x0000007e (126)
00000020 (04)         RVA: 0x0000241c (9244)
00000024 (16)     2: MiniDumpMemoryDescriptor
00000024 (08)       StartOfMemoryPage: 0x00733cc0 (7552192)
0000002c (08)       Memory: MiniDumpLocationDescriptor
0000002c (04)         DataSize: 0x00000006 (6)
00000030 (04)         RVA: 0x0000249a (9370)
00000034 (16)     3: MiniDumpMemoryDescriptor
00000034 (08)       StartOfMemoryPage: 0x007376d8 (7567064)
0000003c (08)       Memory: MiniDumpLocationDescriptor
0000003c (04)         DataSize: 0x00002000 (8192)
00000040 (04)         RVA: 0x000024a0 (9376)
00000044 (16)     4: MiniDumpMemoryDescriptor
00000044 (08)       StartOfMemoryPage: 0x00743818 (7616536)
0000004c (08)       Memory: MiniDumpLocationDescriptor
0000004c (04)         DataSize: 0x00000008 (8)
00000050 (04)         RVA: 0x000044a0 (17568)
00000054 (16)     5: MiniDumpMemoryDescriptor
00000054 (08)       StartOfMemoryPage: 0x00743cf8 (7617784)
0000005c (08)       Memory: MiniDumpLocationDescriptor
0000005c (04)         DataSize: 0x00000004 (4)
00000060 (04)         RVA: 0x000044a8 (17576)
00000064 (16)     6: MiniDumpMemoryDescriptor
00000064 (08)       StartOfMemoryPage: 0x00744e40 (7622208)
0000006c (08)       Memory: MiniDumpLocationDescriptor
0000006c (04)         DataSize: 0x00003fc8 (16328)
00000070 (04)         RVA: 0x000044ac (17580)
00000074 (16)     7: MiniDumpMemoryDescriptor
00000074 (08)       StartOfMemoryPage: 0x71df4000 (1910456320)
0000007c (08)       Memory: MiniDumpLocationDescriptor
0000007c (04)         DataSize: 0x0000034c (844)
00000080 (04)         RVA: 0x00008474 (33908)
00000084 (16)     8: MiniDumpMemoryDescriptor
00000084 (08)       StartOfMemoryPage: 0x7725302c (1998925868)
0000008c (08)       Memory: MiniDumpLocationDescriptor
0000008c (04)         DataSize: 0x00000100 (256)
00000090 (04)         RVA: 0x000087c0 (34752)
00000094 (16)     9: MiniDumpMemoryDescriptor
00000094 (08)       StartOfMemoryPage: 0x772547ac (1998931884)
0000009c (08)       Memory: MiniDumpLocationDescriptor
0000009c (04)         DataSize: 0x00000100 (256)
000000a0 (04)         RVA: 0x000088c0 (35008)
000000a4 (16)     10: MiniDumpMemoryDescriptor
000000a4 (08)       StartOfMemoryPage: 0x76cfd000 (1993330688)
000000ac (08)       Memory: MiniDumpLocationDescriptor
000000ac (04)         DataSize: 0x00000f54 (3924)
000000b0 (04)         RVA: 0x000089c0 (35264)
000000b4 (16)     11: MiniDumpMemoryDescriptor
000000b4 (08)       StartOfMemoryPage: 0x76d01000 (1993347072)
000000bc (08)       Memory: MiniDumpLocationDescriptor
000000bc (04)         DataSize: 0x00000144 (324)
000000c0 (04)         RVA: 0x00009914 (39188)
000000c4 (16)     12: MiniDumpMemoryDescriptor
000000c4 (08)       StartOfMemoryPage: 0x0092fdb0 (9633200)
000000cc (08)       Memory: MiniDumpLocationDescriptor
000000cc (04)         DataSize: 0x00000250 (592)
000000d0 (04)         RVA: 0x00009a58 (39512)
000000d4 (16)     13: MiniDumpMemoryDescriptor
000000d4 (08)       StartOfMemoryPage: 0x0040d000 (4247552)
000000dc (08)       Memory: MiniDumpLocationDescriptor
000000dc (04)         DataSize: 0x0000705c (28764)
000000e0 (04)         RVA: 0x00009ca8 (40104)
000000e4 (16)     14: MiniDumpMemoryDescriptor
000000e4 (08)       StartOfMemoryPage: 0x0024e000 (2416640)
000000ec (08)       Memory: MiniDumpLocationDescriptor
000000ec (04)         DataSize: 0x000004a8 (1192)
000000f0 (04)         RVA: 0x00010d04 (68868)
000000f4 (16)     15: MiniDumpMemoryDescriptor
000000f4 (08)       StartOfMemoryPage: 0x00251000 (2428928)
000000fc (08)       Memory: MiniDumpLocationDescriptor
000000fc (04)         DataSize: 0x00001000 (4096)
00000100 (04)         RVA: 0x000111ac (70060)
00000104 (16)     16: MiniDumpMemoryDescriptor
00000104 (08)       StartOfMemoryPage: 0x00254000 (2441216)
0000010c (08)       Memory: MiniDumpLocationDescriptor
0000010c (04)         DataSize: 0x00001000 (4096)
00000110 (04)         RVA: 0x000121ac (74156)
00000114 (16)     17: MiniDumpMemoryDescriptor
00000114 (08)       StartOfMemoryPage: 0x00257000 (2453504)
0000011c (08)       Memory: MiniDumpLocationDescriptor
0000011c (04)         DataSize: 0x00001000 (4096)
00000120 (04)         RVA: 0x000131ac (78252)
00000124 (16)     18: MiniDumpMemoryDescriptor
00000124 (08)       StartOfMemoryPage: 0x6a9ce000 (1788665856)
0000012c (08)       Memory: MiniDumpLocationDescriptor
0000012c (04)         DataSize: 0x00001ffc (8188)
00000130 (04)         RVA: 0x000141ac (82348)
00000134 (16)     19: MiniDumpMemoryDescriptor
00000134 (08)       StartOfMemoryPage: 0x759d8000 (1973256192)
0000013c (08)       Memory: MiniDumpLocationDescriptor
0000013c (04)         DataSize: 0x00002e28 (11816)
00000140 (04)         RVA: 0x000161a8 (90536)
00000144 (16)     20: MiniDumpMemoryDescriptor
00000144 (08)       StartOfMemoryPage: 0x759de000 (1973280768)
0000014c (08)       Memory: MiniDumpLocationDescriptor
0000014c (04)         DataSize: 0x00000090 (144)
00000150 (04)         RVA: 0x00018fd0 (102352)
00000154 (16)     21: MiniDumpMemoryDescriptor
00000154 (08)       StartOfMemoryPage: 0x77303000 (1999646720)
0000015c (08)       Memory: MiniDumpLocationDescriptor
0000015c (04)         DataSize: 0x00005a84 (23172)
00000160 (04)         RVA: 0x00019060 (102496)
00000164 (16)     22: MiniDumpMemoryDescriptor
00000164 (08)       StartOfMemoryPage: 0x77309000 (1999671296)
0000016c (08)       Memory: MiniDumpLocationDescriptor
0000016c (04)         DataSize: 0x00002378 (9080)
00000170 (04)         RVA: 0x0001eae4 (125668)
00000174 (16)     23: MiniDumpMemoryDescriptor
00000174 (08)       StartOfMemoryPage: 0x7510a000 (1964023808)
0000017c (08)       Memory: MiniDumpLocationDescriptor
0000017c (04)         DataSize: 0x000038dc (14556)
00000180 (04)         RVA: 0x00020e5c (134748)
00000184 (16)     24: MiniDumpMemoryDescriptor
00000184 (08)       StartOfMemoryPage: 0x75840000 (1971585024)
0000018c (08)       Memory: MiniDumpLocationDescriptor
0000018c (04)         DataSize: 0x00000d08 (3336)
00000190 (04)         RVA: 0x00024738 (149304)
00000194 (16)     25: MiniDumpMemoryDescriptor
00000194 (08)       StartOfMemoryPage: 0x75114000 (1964064768)
0000019c (08)       Memory: MiniDumpLocationDescriptor
0000019c (04)         DataSize: 0x0000023c (572)
000001a0 (04)         RVA: 0x00025440 (152640)
000001a4 (16)     26: MiniDumpMemoryDescriptor
000001a4 (08)       StartOfMemoryPage: 0x76a3f000 (1990455296)
000001ac (08)       Memory: MiniDumpLocationDescriptor
000001ac (04)         DataSize: 0x000034f8 (13560)
000001b0 (04)         RVA: 0x0002567c (153212)
000001b4 (16)     27: MiniDumpMemoryDescriptor
000001b4 (08)       StartOfMemoryPage: 0x75850000 (1971650560)
000001bc (08)       Memory: MiniDumpLocationDescriptor
000001bc (04)         DataSize: 0x00000034 (52)
000001c0 (04)         RVA: 0x00028b74 (166772)
000001c4 (16)     28: MiniDumpMemoryDescriptor
000001c4 (08)       StartOfMemoryPage: 0x76a49000 (1990496256)
000001cc (08)       Memory: MiniDumpLocationDescriptor
000001cc (04)         DataSize: 0x00000364 (868)
000001d0 (04)         RVA: 0x00028ba8 (166824)
000001d4 (16)     29: MiniDumpMemoryDescriptor
000001d4 (08)       StartOfMemoryPage: 0x754e2000 (1968054272)
000001dc (08)       Memory: MiniDumpLocationDescriptor
000001dc (04)         DataSize: 0x00005d8c (23948)
000001e0 (04)         RVA: 0x00028f0c (167692)
000001e4 (16)     30: MiniDumpMemoryDescriptor
000001e4 (08)       StartOfMemoryPage: 0x0069fdb0 (6946224)
000001ec (08)       Memory: MiniDumpLocationDescriptor
000001ec (04)         DataSize: 0x00000250 (592)
000001f0 (04)         RVA: 0x0002ec98 (191640)
000001f4 (16)     31: MiniDumpMemoryDescriptor
000001f4 (08)       StartOfMemoryPage: 0x771d5000 (1998409728)
000001fc (08)       Memory: MiniDumpLocationDescriptor
000001fc (04)         DataSize: 0x00000608 (1544)
00000200 (04)         RVA: 0x0002eee8 (192232)
00000204 (16)     32: MiniDumpMemoryDescriptor
00000204 (08)       StartOfMemoryPage: 0x0019f8bc (1702076)
0000020c (08)       Memory: MiniDumpLocationDescriptor
0000020c (04)         DataSize: 0x00000744 (1860)
00000210 (04)         RVA: 0x0002f4f0 (193776)
00000214 (16)     33: MiniDumpMemoryDescriptor
00000214 (08)       StartOfMemoryPage: 0x0054039b (5505947)
0000021c (08)       Memory: MiniDumpLocationDescriptor
0000021c (04)         DataSize: 0x00000100 (256)
00000220 (04)         RVA: 0x0002fc34 (195636)
00000224 (16)     34: MiniDumpMemoryDescriptor
00000224 (08)       StartOfMemoryPage: 0x753a8000 (1966768128)
0000022c (08)       Memory: MiniDumpLocationDescriptor
0000022c (04)         DataSize: 0x00000648 (1608)
00000230 (04)         RVA: 0x0002fd34 (195892)
00000234 (16)     35: MiniDumpMemoryDescriptor
00000234 (08)       StartOfMemoryPage: 0x753ab000 (1966780416)
0000023c (08)       Memory: MiniDumpLocationDescriptor
0000023c (04)         DataSize: 0x00000048 (72)
00000240 (04)         RVA: 0x0003037c (197500)
00000000 (168) MiniDumpExceptionStream: MiniDumpExceptionStream
00000000 (04)   ThreadId: 0x00003e74 (15988)
00000004 (04)   _MiniDumpExceptionStream__aligntment: 0x00000000 (0)
00000008 (152)   ExceptionRecored: MiniDumpException
00000008 (04)     ExceptionCode: 0xc0000409 (3221226505)
0000000c (04)     ExceptionFlags: 0x00000008 (8)
00000010 (08)     ExceptionRecord: 0x0019fac4 (1702596)
00000018 (08)     ExceptionAddress: 0x0054041b (5506075)
00000020 (04)     NumberParameters: 0x00000001 (1)
00000024 (04)     _MiniDumpException__unusedAlignment: 0x00000000 (0)
00000028 (120)     ExecptionInformation: VArray
00000028 (08)       0: 0x00000015 (21)
00000030 (08)       1: 0x00000000 (0)
00000038 (08)       2: 0x00000000 (0)
00000040 (08)       3: 0x00000000 (0)
00000048 (08)       4: 0x00000000 (0)
00000050 (08)       5: 0x00000000 (0)
00000058 (08)       6: 0x00000000 (0)
00000060 (08)       7: 0x00000000 (0)
00000068 (08)       8: 0x00000000 (0)
00000070 (08)       9: 0x00000000 (0)
00000078 (08)       10: 0x00000000 (0)
00000080 (08)       11: 0x00000000 (0)
00000088 (08)       12: 0x00000000 (0)
00000090 (08)       13: 0x00000000 (0)
00000098 (08)       14: 0x00000000 (0)
000000a0 (08)   ThreadContext: MiniDumpLocationDescriptor
000000a0 (04)     DataSize: 0x000002cc (716)
000000a4 (04)     RVA: 0x00001232 (4658)
00000000 (56) MiniDumpSystemInfoStream: MiniDumpSystemInfoStream
00000000 (02)   ProcessorArchitecture: 0x00000000 (0)
00000002 (02)   ProcessorLevel: 0x00000006 (6)
00000004 (02)   ProcessorRevision: 0x00009e09 (40457)
00000006 (02)   Reserved: 0x00000104 (260)
00000008 (04)   MajorVersion: 0x0000000a (10)
0000000c (04)   MinorVersion: 0x00000000 (0)
00000010 (04)   BuildNumber: 0x00004a65 (19045)
00000014 (04)   PlatformId: 0x00000002 (2)
00000018 (04)   CSDVersionRSA: 0x00000f1c (3868)
0000001c (04)   Reserved1: 0x00000100 (256)
00000020 (04)   CpuInfo1: 0x756e6547 (1970169159)
00000024 (04)   CpuInfo2: 0x49656e69 (1231384169)
00000028 (04)   CpuInfo3: 0x6c65746e (1818588270)
0000002c (04)   CpuInfo4: 0x000906e9 (591593)
00000030 (04)   CpuInfo5: 0xbfebfbff (3219913727)
00000034 (04)   CpuInfo6: 0x00000000 (0)
00000000 (24) MiniDumpMiscInfoStream: MiniDumpMiscInfoStream
00000000 (04)   SizeOfInfo: 0x00000554 (1364)
00000004 (04)   Flags1: 0x000003f7 (1015)
00000008 (04)   ProcessId: 0x000026e0 (9952)
0000000c (04)   ProcessCreateTime: 0x63c93d2f (1674132783)
00000010 (04)   ProcessUserTime: 0x00000000 (0)
00000014 (04)   ProcessKernelTime: 0x00000000 (0)
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream
00000000 (00) MiniDumpUnusedStream: MiniDumpUnusedStream

arch: intel

memory map:
[no memory map]

modules:
[0x00000000400000-0x00000000416000] F:\payload.exe
[0x0000000040d000-0x0000000041405c]
[0x000000771e0000-0x00000077384000] C:\Windows\System32\ntdll.dll
[0x0000007725302c-0x0000007725312c]
[0x000000772547ac-0x000000772548ac]
[0x00000077303000-0x00000077308a84]
[0x00000077309000-0x0000007730b378]
[0x00000075790000-0x00000075880000] C:\Windows\System32\kernel32.dll
[0x00000075840000-0x00000075840d08]
[0x00000075850000-0x00000075850034]
[0x00000076860000-0x00000076a7c000] C:\Windows\System32\KERNELBASE.dll
[0x00000076a3f000-0x00000076a424f8]
[0x00000076a49000-0x00000076a49364]
[0x0000006a950000-0x0000006a9f0000] C:\Windows\System32\apphelp.dll
[0x0000006a9ce000-0x0000006a9cfffc]
[0x00000075430000-0x000000754ef000] C:\Windows\System32\msvcrt.dll
[0x000000754e2000-0x000000754e7d8c]
[0x000000750a0000-0x0000007511b000] C:\Windows\System32\advapi32.dll
[0x0000007510a000-0x0000007510d8dc]
[0x00000075114000-0x0000007511423c]
[0x00000075970000-0x000000759e6000] C:\Windows\System32\sechost.dll
[0x000000759d8000-0x000000759dae28]
[0x000000759de000-0x000000759de090]
[0x00000076c50000-0x00000076d0e000] C:\Windows\System32\rpcrt4.dll
[0x00000076cfd000-0x00000076cfdf54]
[0x00000076d01000-0x00000076d01144]
[0x00000075360000-0x000000753c3000] C:\Windows\System32\ws2_32.dll
[0x000000753a8000-0x000000753a8648]
[0x000000753ab000-0x000000753ab048]
[0x00000071df0000-0x00000071df8000] C:\Windows\System32\wsock32.dll
[0x00000071df4000-0x00000071df434c]
[0x000000771d0000-0x000000771da000] C:\Windows\System32\wow64cpu.dll
[0x000000771d5000-0x000000771d5608]

thread: 15988
eax: 0x00000000000000
ebx: 0x00000000000000
ecx: 0x00000000000000
edx: 0x00000073c05ff5
esi: 0x00000000000000
edi: 0x00000000000002
ebp: 0x0000000019f900 -> stack for thread 15988
esp: 0x0000000019f8c0 -> stack for thread 15988
eip: 0x000000772530ac -> C:\Windows\System32\ntdll.dll

teb: [0x251000-???]
[0x00000000251000-0x00000000252000]

stack: [0x0000000019f8bc-0x000000001a0000]
[0x0000000019f8bc-0x000000001a0000]

thread: 13048
eax: 0x00000000000000
ebx: 0x00000000747690 -> range [0x00000000744e40-0x00000000748e08]
ecx: 0x00000000000000
edx: 0x00000000000000
esi: 0x00000000747690 -> range [0x00000000744e40-0x00000000748e08]
edi: 0x00000000742778
ebp: 0x0000000069ff70 -> stack for thread 13048
esp: 0x0000000069fdb4 -> stack for thread 13048
eip: 0x0000007725482c -> C:\Windows\System32\ntdll.dll

teb: [0x254000-???]
[0x00000000254000-0x00000000255000]

stack: [0x0000000069fdb0-0x000000006a0000]
[0x0000000069fdb0-0x000000006a0000]

thread: 14732
eax: 0x000000772159c0 -> C:\Windows\System32\ntdll.dll
ebx: 0x00000000000000
ecx: 0x00000000000000
edx: 0x00000000000000
esi: 0x0000000024e000 -> range [0x0000000024e000-0x0000000024e4a8]
edi: 0x00000000742778
ebp: 0x0000000092ff70 -> stack for thread 14732
esp: 0x0000000092fdb4 -> stack for thread 14732
eip: 0x0000007725482c -> C:\Windows\System32\ntdll.dll

teb: [0x257000-???]
[0x00000000257000-0x00000000258000]

stack: [0x0000000092fdb0-0x00000000930000]
[0x0000000092fdb0-0x00000000930000]

memory ranges:
[0x0000000019f8bc-0x000000001a0000] stack for thread 15988
[0x0000000024e000-0x0000000024e4a8]
[0x00000000251000-0x00000000252000] TEB for thread 15988
[0x00000000254000-0x00000000255000] TEB for thread 13048
[0x00000000257000-0x00000000258000] TEB for thread 14732
[0x0000000040d000-0x0000000041405c] F:\payload.exe
[0x0000000054039b-0x0000000054049b]
[0x0000000069fdb0-0x000000006a0000] stack for thread 13048
[0x00000000731ff0-0x000000007322b0]
[0x000000007324b8-0x00000000732536]
[0x00000000733cc0-0x00000000733cc6]
[0x000000007376d8-0x000000007396d8]
[0x00000000743818-0x00000000743820]
[0x00000000743cf8-0x00000000743cfc]
[0x00000000744e40-0x00000000748e08]
[0x0000000092fdb0-0x00000000930000] stack for thread 14732
[0x0000006a9ce000-0x0000006a9cfffc] C:\Windows\System32\apphelp.dll
[0x00000071df4000-0x00000071df434c] C:\Windows\System32\wsock32.dll
[0x0000007510a000-0x0000007510d8dc] C:\Windows\System32\advapi32.dll
[0x00000075114000-0x0000007511423c] C:\Windows\System32\advapi32.dll
[0x000000753a8000-0x000000753a8648] C:\Windows\System32\ws2_32.dll
[0x000000753ab000-0x000000753ab048] C:\Windows\System32\ws2_32.dll
[0x000000754e2000-0x000000754e7d8c] C:\Windows\System32\msvcrt.dll
[0x00000075840000-0x00000075840d08] C:\Windows\System32\kernel32.dll
[0x00000075850000-0x00000075850034] C:\Windows\System32\kernel32.dll
[0x000000759d8000-0x000000759dae28] C:\Windows\System32\sechost.dll
[0x000000759de000-0x000000759de090] C:\Windows\System32\sechost.dll
[0x00000076a3f000-0x00000076a424f8] C:\Windows\System32\KERNELBASE.dll
[0x00000076a49000-0x00000076a49364] C:\Windows\System32\KERNELBASE.dll
[0x00000076cfd000-0x00000076cfdf54] C:\Windows\System32\rpcrt4.dll
[0x00000076d01000-0x00000076d01144] C:\Windows\System32\rpcrt4.dll
[0x000000771d5000-0x000000771d5608] C:\Windows\System32\wow64cpu.dll
[0x0000007725302c-0x0000007725312c] C:\Windows\System32\ntdll.dll
[0x000000772547ac-0x000000772548ac] C:\Windows\System32\ntdll.dll
[0x00000077303000-0x00000077308a84] C:\Windows\System32\ntdll.dll
[0x00000077309000-0x0000007730b378] C:\Windows\System32\ntdll.dll

@atxr

atxr commented Jul 31, 2023

I finally finished the development of ttd2mdmp.
Thanks to this new utility, we can extract minidump files from a TTD trace by specifying a cursor position or a function to hook in the trace!
I made a list of all the information I collected within the dump; you can check it in the README. Some important features are still missing, like Python bindings for better integration with capa, and x86 support.
I'll now focus on mdmp analysis within capa!

EDIT
After reading your message about the minidump feature extractor again, I also noticed ttd2mdmp might miss the permissions of memory regions. I'll try to add this feature!

@atxr

atxr commented Aug 18, 2023

You mentioned earlier that we should reduce vivisect dependencies.
Should I use a parser other than the vivisect one, or continue with it?

> I suppose IDA has support for minidumps already, so we could use this to prove out the idea of extracting features from minidumps

Also, you mentioned IDA as a minidump feature extractor, but I can't find it. Do you have a link or a clue to help me find it?

@williballenthin
Collaborator Author

if viv is the right tool for the job, no problem in using it. if there's another solution that has a modern and healthy code base, all things being equal, consider picking the other one.

for IDA, i meant that IDA can analyze minidumps and find functions, code, strings, etc. I don't think it can produce minidumps.

@williballenthin
Collaborator Author

and, given that we have a feature extractor that relies on IDA for the heavy lifting, I meant to suggest that using the capa-explorer IDA plugin is a quick way to prove the idea.

@atxr

atxr commented Aug 18, 2023

Alright, got it, thanks for these clear answers!
I'm still trying to figure out how it works by playing a bit with minidumps/vivisect/capa!

@aaronatp
Contributor

aaronatp commented Nov 9, 2023

Hi @williballenthin I see this issue is still open. Has any work been done on it?

EDIT: Also, I have read through #1649! If this is still a work in progress, can you write a bit more about why you would like to reduce capa's dependence on vivisect? This may be helpful for understanding the pros and cons of different minidump loaders.

@atxr

atxr commented Sep 25, 2024

Hi @williballenthin!
I recently restarted work on this subject; I hope it's still relevant for the capa project!

So far

  • I worked on the minidump format to understand it a bit more, and built a tool to extract a TTD trace context at a given point into a minidump file
  • I analyzed what useful data the minidump file could provide us:
    • Memory info (base address, size, protection...)
    • Memory dump of each section
    • Thread info
    • Loaded modules
  • Read the blog post about the new CAPE feature in capa (great job BTW!)

Feature extraction

For feature extraction, some work has to be done on what is code and what isn't in the memory dump.
Here are some clues that could help:

  • Exported functions of modules
  • Allocation of EXECUTABLE pages

The more complicated part is determining what code we want to analyze.
As you said previously, given a minidump file, we can try to rebuild the current stack trace and mark these memory regions as areas of interest.

What I need to know

  • Is this issue still relevant?

  • List of things that we need to integrate memory dump analysis in capa:

    • Feature extractor (can it be handled by another tool? You talked about vivisect, lancelot...)
    • Loader/Code Analysis, but I must confess I don't see exactly what it is about
  • It's a bit unclear to me what role capa is playing, and what viv (and the other backends) are doing in the analysis. I often try to read the source but most of the time end up lost 😭. For now, as far as I understood:

    • The backend is responsible for extracting features = functions/basic blocks/instructions
    • capa loads these features and tries to match them to capabilities defined in capa rules

    Hence, if it's correct, it would mean I only need to provide a feature extractor from minidump files to add this feature.
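The "what is code, and which code do we care about" question raised in this post, and the "restrict extraction to the interesting regions, skipping libraries" point from the opening issue text, come down to joining three minidump streams: the module list (which addresses belong to which image), the memory-info list (which pages are committed and executable) and the memory list (which bytes were actually captured). The following is an added example written for this thread, not capa, vivisect or ttd2mdmp code. It parses those three streams with the public MINIDUMP_* layouts, then keeps committed executable regions that lie inside the first listed module (the main image) or inside no module at all (dynamically allocated code), and drops pages inside other modules such as system DLLs. The sample dump it builds, including the module names, addresses and code bytes, is constructed for the example.

```python
"""Select code-bearing regions from a minidump before handing them to a code analyser.
Added example for this thread; not capa, vivisect or ttd2mdmp code. The struct
layouts are the public MINIDUMP_* definitions; the sample dump is constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MDMP_SIGNATURE = 0x504D444D                    # 'MDMP'
MODULE_LIST_STREAM, MEMORY_LIST_STREAM, MEMORY_INFO_LIST_STREAM = 4, 5, 16
MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # any PAGE_EXECUTE* protection


@dataclass
class Region:
    start: int
    size: int
    protect: int
    module: Optional[str]    # owning module path, None for dynamic allocations
    data: Optional[bytes]    # captured bytes, None if the dump omitted the contents


def _streams(buf: bytes):
    sig, _ver, nstreams, dir_rva = struct.unpack_from("<IIII", buf, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump")
    for i in range(nstreams):                  # MINIDUMP_DIRECTORY entries are 12 bytes
        stype, size, rva = struct.unpack_from("<III", buf, dir_rva + 12 * i)
        yield stype, buf[rva:rva + size]


def _mdstring(buf: bytes, rva: int) -> str:    # MINIDUMP_STRING: u32 byte length + UTF-16LE
    (n,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4:rva + 4 + n].decode("utf-16-le")


def parse_modules(buf: bytes, stream: bytes) -> List[Tuple[int, int, str]]:
    (count,) = struct.unpack_from("<I", stream, 0)
    mods = []
    for i in range(count):                     # MINIDUMP_MODULE is 108 bytes; first 24 matter here
        base, size, _cs, _ts, name_rva = struct.unpack_from("<QIIII", stream, 4 + 108 * i)
        mods.append((base, size, _mdstring(buf, name_rva)))
    return mods


def parse_memory_info(stream: bytes) -> List[Tuple[int, int, int, int, int]]:
    hdr, entry, count = struct.unpack_from("<IIQ", stream, 0)
    infos = []
    for i in range(count):                     # MINIDUMP_MEMORY_INFO mirrors MEMORY_BASIC_INFORMATION
        base, _ab, _ap, _a1, rsize, state, protect, mtype, _a2 = struct.unpack_from(
            "<QQIIQIIII", stream, hdr + entry * i)
        infos.append((base, rsize, state, protect, mtype))
    return infos


def parse_memory_list(buf: bytes, stream: bytes) -> Dict[int, bytes]:
    (count,) = struct.unpack_from("<I", stream, 0)
    ranges = {}
    for i in range(count):                     # MINIDUMP_MEMORY_DESCRIPTOR: u64 start, u32 size, u32 rva
        start, size, rva = struct.unpack_from("<QII", stream, 4 + 16 * i)
        ranges[start] = buf[rva:rva + size]
    return ranges


def interesting_regions(buf: bytes) -> List[Region]:
    """Committed executable regions inside the main image (first module) or inside
    no module at all; pages belonging to other modules (system DLLs) are skipped."""
    mods, infos, ranges = [], [], {}
    for stype, stream in _streams(buf):
        if stype == MODULE_LIST_STREAM:
            mods = parse_modules(buf, stream)
        elif stype == MEMORY_INFO_LIST_STREAM:
            infos = parse_memory_info(stream)
        elif stype == MEMORY_LIST_STREAM:
            ranges = parse_memory_list(buf, stream)
    main_image = mods[0][2] if mods else None
    out = []
    for base, rsize, state, protect, _mtype in infos:
        if state != MEM_COMMIT or not (protect & PAGE_EXECUTE_ANY):
            continue
        owner = next((n for b, s, n in mods if b <= base < b + s), None)
        if owner is not None and owner != main_image:
            continue
        out.append(Region(base, rsize, protect, owner, ranges.get(base)))
    return out


def build_sample_minidump() -> bytes:
    """Constructed dump: a main image, ntdll, one RWX private page and one stack page."""
    dir_rva, nstreams, body = 32, 3, bytearray()

    def append(b: bytes) -> int:               # returns the RVA the blob landed at
        rva = dir_rva + 12 * nstreams + len(body)
        body.extend(b)
        return rva

    def mdstr(s: str) -> bytes:
        e = s.encode("utf-16-le")
        return struct.pack("<I", len(e)) + e

    def module(base: int, size: int, name_rva: int) -> bytes:
        return struct.pack("<QIIII", base, size, 0, 0, name_rva) + bytes(108 - 24)

    n1, n2 = append(mdstr("F:\\payload.exe")), append(mdstr("C:\\Windows\\System32\\ntdll.dll"))
    modules = struct.pack("<I", 2) + module(0x400000, 0x16000, n1) + module(0x771E0000, 0x1A4000, n2)
    mod_rva = append(modules)
    code = b"\x55\x8b\xec" + b"\x90" * 13      # constructed bytes standing in for unpacked code
    code_rva = append(code)
    memlist = struct.pack("<I", 1) + struct.pack("<QII", 0x744000, len(code), code_rva)
    mem_rva = append(memlist)
    entries = [(0x19F000, 0x04, MEM_PRIVATE), (0x401000, 0x20, MEM_IMAGE),
               (0x744000, 0x40, MEM_PRIVATE), (0x771E1000, 0x20, MEM_IMAGE)]
    info = struct.pack("<IIQ", 16, 48, len(entries))
    for base, prot, mtype in entries:
        info += struct.pack("<QQIIQIIII", base, base, prot, 0, 0x1000, MEM_COMMIT, prot, mtype, 0)
    info_rva = append(info)
    header = struct.pack("<IIIIIIQ", MDMP_SIGNATURE, 0xA793, nstreams, dir_rva, 0, 0, 0)
    directory = (struct.pack("<III", MODULE_LIST_STREAM, len(modules), mod_rva)
                 + struct.pack("<III", MEMORY_LIST_STREAM, len(memlist), mem_rva)
                 + struct.pack("<III", MEMORY_INFO_LIST_STREAM, len(info), info_rva))
    return bytes(header + directory + body)


if __name__ == "__main__":
    for r in interesting_regions(build_sample_minidump()):
        print(f"{r.start:#010x}+{r.size:#x} prot={r.protect:#x} module={r.module} captured={r.data is not None}")
```

Two caveats for a real extractor. Full-memory dumps (the `MiniDumpWithFullMemory` flag) carry their contents in a Memory64ListStream (stream type 9) instead, whose descriptors are u64 start and u64 size with all data laid out contiguously from a base RVA, so that stream needs its own reader. And a region that is executable but whose bytes were not captured (`data is None` above, as for the main image in the sample) can only be analysed if the on-disk image is available, which is exactly the case where a sandbox-derived dump of an unpacked payload is most valuable.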
