GetAdmin_Implant.dll.dumpbin
206 lines (187 loc) · 6.56 KB
Dump of file D:\4150\equationGroupWindows\equation_drug\GetAdmin_Implant.dll
PE signature found
File Type: DLL
FILE HEADER VALUES
14C machine (x86)
4 number of sections
45CB5CFD time date stamp Thu Feb 8 19:25:17 2007
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
210E characteristics
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic # (PE32)
7.10 linker version
4800 size of code
1E00 size of initialized data
0 size of uninitialized data
4DDD entry point (68004DDD)
1000 base of code
6000 base of data
68000000 image base (68000000 to 68009FFF)
1000 section alignment
200 file alignment
4.00 operating system version
1.00 image version
4.00 subsystem version
0 Win32 version
A000 size of image
400 size of headers
0 checksum
2 subsystem (Windows GUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
7440 [ 3B] RVA [size] of Export Directory
6FA8 [ 50] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
9000 [ 3BC] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
6000 [ E4] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
4655 virtual size
1000 virtual address (68001000 to 68005654)
4800 size of raw data
400 file pointer to raw data (00000400 to 00004BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
.rdata name
147B virtual size
6000 virtual address (68006000 to 6800747A)
1600 size of raw data
4C00 file pointer to raw data (00004C00 to 000061FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
Section contains the following imports:
MSVCRT.dll
68006080 Import Address Table
68007078 Import Name Table
0 time date stamp
0 Index of first forwarder reference
299 memset
49 __CxxFrameHandler
1C1 _stricmp
9D _adjust_fdiv
10F _initterm
2C0 strncmp
2C5 strstr
2E3 wcscpy
2E6 wcslen
2E7 wcsncat
2B8 strcmp
2BE strlen
25E free
291 malloc
297 memcpy
13C _local_unwind2
2A7 realloc
1EA _wcsicmp
KERNEL32.dll
68006000 Import Address Table
68006FF8 Import Name Table
0 time date stamp
0 Index of first forwarder reference
249 LoadLibraryExA
2A9 ReadFile
15B GetFileSize
4E CreateFileMappingA
25E MapViewOfFile
252 LocalFree
24B LoadLibraryW
24E LocalAlloc
151 GetEnvironmentVariableW
50 CreateFileW
3B6 lstrcpyA
373 VirtualAlloc
2B6 ReleaseMutex
376 VirtualFree
279 OpenMutexW
169 GetLastError
31B SetLastError
383 WaitForSingleObject
2E CloseHandle
177 GetModuleHandleA
5A CreateMutexA
84 DisableThreadLibraryCalls
347 Sleep
13B GetCurrentProcessId
1DF GetVersionExA
1DE GetVersion
198 GetProcAddress
EF FreeLibrary
248 LoadLibraryA
229 IsBadReadPtr
30E SetFilePointer
USER32.dll
680060CC Import Address Table
680070C4 Import Name Table
0 time date stamp
0 Index of first forwarder reference
99 DestroyWindow
61 CreateWindowExW
26A SetPropA
2B3 UnregisterClassA
2B4 UnregisterClassW
SECTION HEADER #3
.data name
144 virtual size
8000 virtual address (68008000 to 68008143)
200 size of raw data
6200 file pointer to raw data (00006200 to 000063FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C0000040 flags
Initialized Data
Read Write
SECTION HEADER #4
.reloc name
48E virtual size
9000 virtual address (68009000 to 6800948D)
600 size of raw data
6400 file pointer to raw data (00006400 to 000069FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
Read Only
Summary
1000 .data
2000 .rdata
1000 .reloc
5000 .text