add dump test 1

This commit is contained in:
nganhkhoa 2020-06-05 19:37:13 +07:00
parent c8ce82e8a7
commit 8c642f6ba0
11 changed files with 65669 additions and 0 deletions


@ -0,0 +1,118 @@
address,process,fullpath
0xffff948957c6c080,svchost.exe,
0xffff948957caa080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895ad15080,powershell.exe,
0xffff94895ad1a080,CodeHelper.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe
0xffff94895b394080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff94895ba28080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
0xffff94895ba2b080,sppsvc.exe,\Windows\System32\sppsvc.exe
0xffff94895ba433c0,audiodg.exe,\Windows\System32\audiodg.exe
0xffff94895bb21380,powershell.exe,\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
0xffff94895bb25080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
0xffff94895bb28080,conhost.exe,\Windows\System32\conhost.exe
0xffff94895bb8a080,conhost.exe,\Windows\System32\conhost.exe
0xffff94895cbc9080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff94895ce98400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895cea7080,MemCompression,
0xffff94895ceb5380,svchost.exe,\Windows\System32\svchost.exe
0xffff94895cec9080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895cf2e3c0,svchost.exe,\Windows\System32\svchost.exe
0xffff94895cf5c400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895cf90400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895cf98400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e017440,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e02b380,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e072400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e077400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e0ce400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e0d8400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e1670c0,sqlwriter.exe,\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
0xffff94895e169380,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e16a080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e16b080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e16c080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e16d080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e170080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e171080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e172080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e174080,spoolsv.exe,\Windows\System32\spoolsv.exe
0xffff94895e1780c0,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e38b080,WindowsInterna,\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
0xffff94895e390080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e391080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e392080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e394080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e395080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e396080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895e3990c0,wlms.exe,\Windows\System32\wlms\wlms.exe
0xffff94895e54e4c0,NisSrv.exe,\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe
0xffff94895e929480,smartscreen.ex,\Windows\System32\smartscreen.exe
0xffff94895e92a080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff94895e9412c0,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
0xffff94895e9512c0,MsMpEng.exe,\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe
0xffff94895e970080,SearchUI.exe,\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
0xffff94895eaaf440,sihost.exe,\Windows\System32\sihost.exe
0xffff94895eaee480,svchost.exe,\Windows\System32\svchost.exe
0xffff94895eaf54c0,svchost.exe,\Windows\System32\svchost.exe
0xffff94895eaf84c0,svchost.exe,\Windows\System32\svchost.exe
0xffff94895eb4f080,svchost.exe,
0xffff94895eb57380,svchost.exe,\Windows\System32\svchost.exe
0xffff94895eb5b4c0,taskhostw.exe,\Windows\System32\taskhostw.exe
0xffff94895ebbd3c0,svchost.exe,\Windows\System32\svchost.exe
0xffff94895ebc2440,ctfmon.exe,\Windows\System32\ctfmon.exe
0xffff94895ec48400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895ec5e080,userinit.exe,
0xffff94895ec62080,explorer.exe,\Windows\explorer.exe
0xffff94895ec70080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895ec77080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895ec934c0,svchost.exe,\Windows\System32\svchost.exe
0xffff94895eccc4c0,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff94895ece5080,dllhost.exe,\Windows\System32\dllhost.exe
0xffff94895edca080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895edda080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895edf6080,StartMenuExper,\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
0xffff94895ef1b480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895efb9080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895f089480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895f118480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895f119080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895f122380,SearchIndexer.,\Windows\System32\SearchIndexer.exe
0xffff94895f19e080,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
0xffff94895f2020c0,MicrosoftEdge.,\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
0xffff94895f2074c0,ApplicationFra,\Windows\System32\ApplicationFrameHost.exe
0xffff94895f267440,cmd.exe,\Windows\System32\cmd.exe
0xffff94895f2c8080,SgrmBroker.exe,\Windows\System32\SgrmBroker.exe
0xffff94895f2db080,SkypeBackgroun,\Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
0xffff94895f2dd080,SkypeApp.exe,\Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe
0xffff94895f3be480,browser_broker,\Windows\System32\browser_broker.exe
0xffff94895f3c5080,YourPhone.exe,\Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe
0xffff94895f3ce400,svchost.exe,\Windows\System32\svchost.exe
0xffff94895f419080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895f449080,WinStore.App.e,\Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
0xffff94895f44b480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895f4b1080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895f4e5080,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895f4e9240,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
0xffff94895f571480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895f5880c0,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff94895f58e080,VBoxTray.exe,\Windows\System32\VBoxTray.exe
0xffff94895f5c7080,svchost.exe,\Windows\System32\svchost.exe
0xffff94895f603080,MicrosoftEdgeS,\Windows\System32\MicrosoftEdgeSH.exe
0xffff94895f7c7080,OneDrive.exe,\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
0xffff94895f7c8080,SecurityHealth,\Windows\System32\SecurityHealthSystray.exe
0xffff94895f7ca380,SecurityHealth,\Windows\System32\SecurityHealthService.exe
0xffff94895fce60c0,backgroundTask,\Windows\System32\backgroundTaskHost.exe
0xffff94895fdd2080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff94895ffce080,MicrosoftEdgeC,
0xffff94895ffe2080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff94895ffef080,backgroundTask,\Windows\System32\backgroundTaskHost.exe
0xffff94895fff2480,conhost.exe,\Windows\System32\conhost.exe
0xffff9489600c50c0,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
0xffff9489600cf340,eprocess_scan.,\Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe
0xffff9489602ec080,dllhost.exe,\Windows\System32\dllhost.exe
0xffff9489602f0080,conhost.exe,
0xffff9489602f5080,svchost.exe,\Windows\System32\svchost.exe
0xffff9489603ca080,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
0xffff948960acc080,svchost.exe,\Windows\System32\svchost.exe
0xffff948960ad3080,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
0xffff9489610de080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
1 address process fullpath
2 0xffff948957c6c080 svchost.exe
3 0xffff948957caa080 svchost.exe \Windows\System32\svchost.exe
4 0xffff94895ad15080 powershell.exe
5 0xffff94895ad1a080 CodeHelper.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe
6 0xffff94895b394080 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
7 0xffff94895ba28080 MicrosoftEdgeC \Windows\System32\MicrosoftEdgeCP.exe
8 0xffff94895ba2b080 sppsvc.exe \Windows\System32\sppsvc.exe
9 0xffff94895ba433c0 audiodg.exe \Windows\System32\audiodg.exe
10 0xffff94895bb21380 powershell.exe \Windows\System32\WindowsPowerShell\v1.0\powershell.exe
11 0xffff94895bb25080 MicrosoftEdgeC \Windows\System32\MicrosoftEdgeCP.exe
12 0xffff94895bb28080 conhost.exe \Windows\System32\conhost.exe
13 0xffff94895bb8a080 conhost.exe \Windows\System32\conhost.exe
14 0xffff94895cbc9080 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
15 0xffff94895ce98400 svchost.exe \Windows\System32\svchost.exe
16 0xffff94895cea7080 MemCompression
17 0xffff94895ceb5380 svchost.exe \Windows\System32\svchost.exe
18 0xffff94895cec9080 svchost.exe \Windows\System32\svchost.exe
19 0xffff94895cf2e3c0 svchost.exe \Windows\System32\svchost.exe
20 0xffff94895cf5c400 svchost.exe \Windows\System32\svchost.exe
21 0xffff94895cf90400 svchost.exe \Windows\System32\svchost.exe
22 0xffff94895cf98400 svchost.exe \Windows\System32\svchost.exe
23 0xffff94895e017440 svchost.exe \Windows\System32\svchost.exe
24 0xffff94895e02b380 svchost.exe \Windows\System32\svchost.exe
25 0xffff94895e072400 svchost.exe \Windows\System32\svchost.exe
26 0xffff94895e077400 svchost.exe \Windows\System32\svchost.exe
27 0xffff94895e0ce400 svchost.exe \Windows\System32\svchost.exe
28 0xffff94895e0d8400 svchost.exe \Windows\System32\svchost.exe
29 0xffff94895e1670c0 sqlwriter.exe \Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
30 0xffff94895e169380 svchost.exe \Windows\System32\svchost.exe
31 0xffff94895e16a080 svchost.exe \Windows\System32\svchost.exe
32 0xffff94895e16b080 svchost.exe \Windows\System32\svchost.exe
33 0xffff94895e16c080 svchost.exe \Windows\System32\svchost.exe
34 0xffff94895e16d080 svchost.exe \Windows\System32\svchost.exe
35 0xffff94895e170080 svchost.exe \Windows\System32\svchost.exe
36 0xffff94895e171080 svchost.exe \Windows\System32\svchost.exe
37 0xffff94895e172080 svchost.exe \Windows\System32\svchost.exe
38 0xffff94895e174080 spoolsv.exe \Windows\System32\spoolsv.exe
39 0xffff94895e1780c0 svchost.exe \Windows\System32\svchost.exe
40 0xffff94895e38b080 WindowsInterna \Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
41 0xffff94895e390080 svchost.exe \Windows\System32\svchost.exe
42 0xffff94895e391080 svchost.exe \Windows\System32\svchost.exe
43 0xffff94895e392080 svchost.exe \Windows\System32\svchost.exe
44 0xffff94895e394080 svchost.exe \Windows\System32\svchost.exe
45 0xffff94895e395080 svchost.exe \Windows\System32\svchost.exe
46 0xffff94895e396080 svchost.exe \Windows\System32\svchost.exe
47 0xffff94895e3990c0 wlms.exe \Windows\System32\wlms\wlms.exe
48 0xffff94895e54e4c0 NisSrv.exe \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe
49 0xffff94895e929480 smartscreen.ex \Windows\System32\smartscreen.exe
50 0xffff94895e92a080 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
51 0xffff94895e9412c0 Windows.WARP.J \Windows\System32\Windows.WARP.JITService.exe
52 0xffff94895e9512c0 MsMpEng.exe \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe
53 0xffff94895e970080 SearchUI.exe \Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
54 0xffff94895eaaf440 sihost.exe \Windows\System32\sihost.exe
55 0xffff94895eaee480 svchost.exe \Windows\System32\svchost.exe
56 0xffff94895eaf54c0 svchost.exe \Windows\System32\svchost.exe
57 0xffff94895eaf84c0 svchost.exe \Windows\System32\svchost.exe
58 0xffff94895eb4f080 svchost.exe
59 0xffff94895eb57380 svchost.exe \Windows\System32\svchost.exe
60 0xffff94895eb5b4c0 taskhostw.exe \Windows\System32\taskhostw.exe
61 0xffff94895ebbd3c0 svchost.exe \Windows\System32\svchost.exe
62 0xffff94895ebc2440 ctfmon.exe \Windows\System32\ctfmon.exe
63 0xffff94895ec48400 svchost.exe \Windows\System32\svchost.exe
64 0xffff94895ec5e080 userinit.exe
65 0xffff94895ec62080 explorer.exe \Windows\explorer.exe
66 0xffff94895ec70080 svchost.exe \Windows\System32\svchost.exe
67 0xffff94895ec77080 svchost.exe \Windows\System32\svchost.exe
68 0xffff94895ec934c0 svchost.exe \Windows\System32\svchost.exe
69 0xffff94895eccc4c0 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
70 0xffff94895ece5080 dllhost.exe \Windows\System32\dllhost.exe
71 0xffff94895edca080 svchost.exe \Windows\System32\svchost.exe
72 0xffff94895edda080 svchost.exe \Windows\System32\svchost.exe
73 0xffff94895edf6080 StartMenuExper \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
74 0xffff94895ef1b480 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
75 0xffff94895efb9080 svchost.exe \Windows\System32\svchost.exe
76 0xffff94895f089480 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
77 0xffff94895f118480 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
78 0xffff94895f119080 svchost.exe \Windows\System32\svchost.exe
79 0xffff94895f122380 SearchIndexer. \Windows\System32\SearchIndexer.exe
80 0xffff94895f19e080 Windows.WARP.J \Windows\System32\Windows.WARP.JITService.exe
81 0xffff94895f2020c0 MicrosoftEdge. \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
82 0xffff94895f2074c0 ApplicationFra \Windows\System32\ApplicationFrameHost.exe
83 0xffff94895f267440 cmd.exe \Windows\System32\cmd.exe
84 0xffff94895f2c8080 SgrmBroker.exe \Windows\System32\SgrmBroker.exe
85 0xffff94895f2db080 SkypeBackgroun \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
86 0xffff94895f2dd080 SkypeApp.exe \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe
87 0xffff94895f3be480 browser_broker \Windows\System32\browser_broker.exe
88 0xffff94895f3c5080 YourPhone.exe \Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe
89 0xffff94895f3ce400 svchost.exe \Windows\System32\svchost.exe
90 0xffff94895f419080 svchost.exe \Windows\System32\svchost.exe
91 0xffff94895f449080 WinStore.App.e \Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
92 0xffff94895f44b480 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
93 0xffff94895f4b1080 svchost.exe \Windows\System32\svchost.exe
94 0xffff94895f4e5080 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
95 0xffff94895f4e9240 MicrosoftEdgeC \Windows\System32\MicrosoftEdgeCP.exe
96 0xffff94895f571480 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
97 0xffff94895f5880c0 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
98 0xffff94895f58e080 VBoxTray.exe \Windows\System32\VBoxTray.exe
99 0xffff94895f5c7080 svchost.exe \Windows\System32\svchost.exe
100 0xffff94895f603080 MicrosoftEdgeS \Windows\System32\MicrosoftEdgeSH.exe
101 0xffff94895f7c7080 OneDrive.exe \Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
102 0xffff94895f7c8080 SecurityHealth \Windows\System32\SecurityHealthSystray.exe
103 0xffff94895f7ca380 SecurityHealth \Windows\System32\SecurityHealthService.exe
104 0xffff94895fce60c0 backgroundTask \Windows\System32\backgroundTaskHost.exe
105 0xffff94895fdd2080 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
106 0xffff94895ffce080 MicrosoftEdgeC
107 0xffff94895ffe2080 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
108 0xffff94895ffef080 backgroundTask \Windows\System32\backgroundTaskHost.exe
109 0xffff94895fff2480 conhost.exe \Windows\System32\conhost.exe
110 0xffff9489600c50c0 Code.exe \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
111 0xffff9489600cf340 eprocess_scan. \Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe
112 0xffff9489602ec080 dllhost.exe \Windows\System32\dllhost.exe
113 0xffff9489602f0080 conhost.exe
114 0xffff9489602f5080 svchost.exe \Windows\System32\svchost.exe
115 0xffff9489603ca080 Windows.WARP.J \Windows\System32\Windows.WARP.JITService.exe
116 0xffff948960acc080 svchost.exe \Windows\System32\svchost.exe
117 0xffff948960ad3080 RuntimeBroker. \Windows\System32\RuntimeBroker.exe
118 0xffff9489610de080 MicrosoftEdgeC \Windows\System32\MicrosoftEdgeCP.exe


@ -0,0 +1,121 @@
PDB for Amd64, guid: e7477a03-a707-8050-cb79-36455ce346b5, age: 1
NtLoadDriver() -> 0x0
pool: 0xffff948957c6c000 | eprocess: 0xffff948957c6c080 | | svchost.exe
pool: 0xffff948957caa000 | eprocess: 0xffff948957caa080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895ad15000 | eprocess: 0xffff94895ad15080 | | powershell.exe
pool: 0xffff94895ad1a000 | eprocess: 0xffff94895ad1a080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe | CodeHelper.exe
pool: 0xffff94895b394000 | eprocess: 0xffff94895b394080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff94895ba28000 | eprocess: 0xffff94895ba28080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
pool: 0xffff94895ba2b000 | eprocess: 0xffff94895ba2b080 | \Windows\System32\sppsvc.exe | sppsvc.exe
pool: 0xffff94895ba43360 | eprocess: 0xffff94895ba433c0 | \Windows\System32\audiodg.exe | audiodg.exe
pool: 0xffff94895bb21310 | eprocess: 0xffff94895bb21380 | \Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe
pool: 0xffff94895bb25000 | eprocess: 0xffff94895bb25080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
pool: 0xffff94895bb28000 | eprocess: 0xffff94895bb28080 | \Windows\System32\conhost.exe | conhost.exe
pool: 0xffff94895bb8a000 | eprocess: 0xffff94895bb8a080 | \Windows\System32\conhost.exe | conhost.exe
pool: 0xffff94895cbc9000 | eprocess: 0xffff94895cbc9080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff94895ce98390 | eprocess: 0xffff94895ce98400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895cea7040 | eprocess: 0xffff94895cea7080 | | MemCompression
pool: 0xffff94895ceb5310 | eprocess: 0xffff94895ceb5380 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895cec9000 | eprocess: 0xffff94895cec9080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895cf2e350 | eprocess: 0xffff94895cf2e3c0 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895cf5c390 | eprocess: 0xffff94895cf5c400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895cf90390 | eprocess: 0xffff94895cf90400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895cf98390 | eprocess: 0xffff94895cf98400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e0173c0 | eprocess: 0xffff94895e017440 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e02b310 | eprocess: 0xffff94895e02b380 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e072390 | eprocess: 0xffff94895e072400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e077390 | eprocess: 0xffff94895e077400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e0ce390 | eprocess: 0xffff94895e0ce400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e0d8390 | eprocess: 0xffff94895e0d8400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e167040 | eprocess: 0xffff94895e1670c0 | \Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe | sqlwriter.exe
pool: 0xffff94895e169310 | eprocess: 0xffff94895e169380 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e16a000 | eprocess: 0xffff94895e16a080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e16b000 | eprocess: 0xffff94895e16b080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e16c000 | eprocess: 0xffff94895e16c080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e16d000 | eprocess: 0xffff94895e16d080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e170000 | eprocess: 0xffff94895e170080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e171000 | eprocess: 0xffff94895e171080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e172000 | eprocess: 0xffff94895e172080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e174000 | eprocess: 0xffff94895e174080 | \Windows\System32\spoolsv.exe | spoolsv.exe
pool: 0xffff94895e178040 | eprocess: 0xffff94895e1780c0 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e38b000 | eprocess: 0xffff94895e38b080 | \Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe | WindowsInterna
pool: 0xffff94895e390000 | eprocess: 0xffff94895e390080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e391000 | eprocess: 0xffff94895e391080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e392000 | eprocess: 0xffff94895e392080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e394000 | eprocess: 0xffff94895e394080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e395000 | eprocess: 0xffff94895e395080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e396000 | eprocess: 0xffff94895e396080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895e399040 | eprocess: 0xffff94895e3990c0 | \Windows\System32\wlms\wlms.exe | wlms.exe
pool: 0xffff94895e54e450 | eprocess: 0xffff94895e54e4c0 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe | NisSrv.exe
pool: 0xffff94895e929410 | eprocess: 0xffff94895e929480 | \Windows\System32\smartscreen.exe | smartscreen.ex
pool: 0xffff94895e92a000 | eprocess: 0xffff94895e92a080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff94895e941250 | eprocess: 0xffff94895e9412c0 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
pool: 0xffff94895e951230 | eprocess: 0xffff94895e9512c0 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe | MsMpEng.exe
pool: 0xffff94895e970000 | eprocess: 0xffff94895e970080 | \Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | SearchUI.exe
pool: 0xffff94895eaaf3b0 | eprocess: 0xffff94895eaaf440 | \Windows\System32\sihost.exe | sihost.exe
pool: 0xffff94895eaee420 | eprocess: 0xffff94895eaee480 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895eaf5430 | eprocess: 0xffff94895eaf54c0 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895eaf8430 | eprocess: 0xffff94895eaf84c0 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895eb4f000 | eprocess: 0xffff94895eb4f080 | | svchost.exe
pool: 0xffff94895eb57310 | eprocess: 0xffff94895eb57380 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895eb5b430 | eprocess: 0xffff94895eb5b4c0 | \Windows\System32\taskhostw.exe | taskhostw.exe
pool: 0xffff94895ebbd340 | eprocess: 0xffff94895ebbd3c0 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895ebc23b0 | eprocess: 0xffff94895ebc2440 | \Windows\System32\ctfmon.exe | ctfmon.exe
pool: 0xffff94895ec48380 | eprocess: 0xffff94895ec48400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895ec5e000 | eprocess: 0xffff94895ec5e080 | | userinit.exe
pool: 0xffff94895ec62000 | eprocess: 0xffff94895ec62080 | \Windows\explorer.exe | explorer.exe
pool: 0xffff94895ec70000 | eprocess: 0xffff94895ec70080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895ec77000 | eprocess: 0xffff94895ec77080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895ec93430 | eprocess: 0xffff94895ec934c0 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895eccc450 | eprocess: 0xffff94895eccc4c0 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff94895ece5000 | eprocess: 0xffff94895ece5080 | \Windows\System32\dllhost.exe | dllhost.exe
pool: 0xffff94895edca000 | eprocess: 0xffff94895edca080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895edda000 | eprocess: 0xffff94895edda080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895edf6000 | eprocess: 0xffff94895edf6080 | \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | StartMenuExper
pool: 0xffff94895ef1b420 | eprocess: 0xffff94895ef1b480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895efb9000 | eprocess: 0xffff94895efb9080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895f089420 | eprocess: 0xffff94895f089480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895f118420 | eprocess: 0xffff94895f118480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895f119000 | eprocess: 0xffff94895f119080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895f122310 | eprocess: 0xffff94895f122380 | \Windows\System32\SearchIndexer.exe | SearchIndexer.
pool: 0xffff94895f19e000 | eprocess: 0xffff94895f19e080 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
pool: 0xffff94895f202040 | eprocess: 0xffff94895f2020c0 | \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | MicrosoftEdge.
pool: 0xffff94895f207440 | eprocess: 0xffff94895f2074c0 | \Windows\System32\ApplicationFrameHost.exe | ApplicationFra
pool: 0xffff94895f2673c0 | eprocess: 0xffff94895f267440 | \Windows\System32\cmd.exe | cmd.exe
pool: 0xffff94895f2c8000 | eprocess: 0xffff94895f2c8080 | \Windows\System32\SgrmBroker.exe | SgrmBroker.exe
pool: 0xffff94895f2db000 | eprocess: 0xffff94895f2db080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | SkypeBackgroun
pool: 0xffff94895f2dd000 | eprocess: 0xffff94895f2dd080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe | SkypeApp.exe
pool: 0xffff94895f3be420 | eprocess: 0xffff94895f3be480 | \Windows\System32\browser_broker.exe | browser_broker
pool: 0xffff94895f3c5000 | eprocess: 0xffff94895f3c5080 | \Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe | YourPhone.exe
pool: 0xffff94895f3ce390 | eprocess: 0xffff94895f3ce400 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895f419000 | eprocess: 0xffff94895f419080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895f449000 | eprocess: 0xffff94895f449080 | \Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | WinStore.App.e
pool: 0xffff94895f44b420 | eprocess: 0xffff94895f44b480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895f4b1000 | eprocess: 0xffff94895f4b1080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895f4e5000 | eprocess: 0xffff94895f4e5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895f4e91d0 | eprocess: 0xffff94895f4e9240 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
pool: 0xffff94895f571420 | eprocess: 0xffff94895f571480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895f588040 | eprocess: 0xffff94895f5880c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff94895f58e000 | eprocess: 0xffff94895f58e080 | \Windows\System32\VBoxTray.exe | VBoxTray.exe
pool: 0xffff94895f5c7000 | eprocess: 0xffff94895f5c7080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff94895f603000 | eprocess: 0xffff94895f603080 | \Windows\System32\MicrosoftEdgeSH.exe | MicrosoftEdgeS
pool: 0xffff94895f7c7000 | eprocess: 0xffff94895f7c7080 | \Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe | OneDrive.exe
pool: 0xffff94895f7c8000 | eprocess: 0xffff94895f7c8080 | \Windows\System32\SecurityHealthSystray.exe | SecurityHealth
pool: 0xffff94895f7ca320 | eprocess: 0xffff94895f7ca380 | \Windows\System32\SecurityHealthService.exe | SecurityHealth
pool: 0xffff94895fce6040 | eprocess: 0xffff94895fce60c0 | \Windows\System32\backgroundTaskHost.exe | backgroundTask
pool: 0xffff94895fdd2000 | eprocess: 0xffff94895fdd2080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff94895ffce000 | eprocess: 0xffff94895ffce080 | | MicrosoftEdgeC
pool: 0xffff94895ffe2000 | eprocess: 0xffff94895ffe2080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff94895ffef000 | eprocess: 0xffff94895ffef080 | \Windows\System32\backgroundTaskHost.exe | backgroundTask
pool: 0xffff94895fff2400 | eprocess: 0xffff94895fff2480 | \Windows\System32\conhost.exe | conhost.exe
pool: 0xffff9489600c5040 | eprocess: 0xffff9489600c50c0 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
pool: 0xffff9489600cf2b0 | eprocess: 0xffff9489600cf340 | \Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe | eprocess_scan.
pool: 0xffff9489602ec000 | eprocess: 0xffff9489602ec080 | \Windows\System32\dllhost.exe | dllhost.exe
pool: 0xffff9489602f0000 | eprocess: 0xffff9489602f0080 | | conhost.exe
pool: 0xffff9489602f5000 | eprocess: 0xffff9489602f5080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff9489603ca000 | eprocess: 0xffff9489603ca080 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
pool: 0xffff948960acc000 | eprocess: 0xffff948960acc080 | \Windows\System32\svchost.exe | svchost.exe
pool: 0xffff948960ad3000 | eprocess: 0xffff948960ad3080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
pool: 0xffff9489610de000 | eprocess: 0xffff9489610de080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
NtUnloadDriver() -> 0x0


@ -0,0 +1,29 @@
import re
import csv
vp = re.compile(r'^(0x[0-9a-f]+)\s+(.{15})\s+\d+\s+\d+.*$')
vol = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('eprocess_volscan.txt', 'r').read().split('\n'))))
with open('eprocess_volscan.csv', 'w', newline='') as f:
writer = csv.writer(f)
writer.writerow(['address', 'process'])
for v in vol:
a, b = list(v)
a = hex(int(a, 16) + 0xffff000000000000)
b = b.rstrip(' ')
writer.writerow([a, b])
# lp = re.compile(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$', re.MULTILINE)
lpus = re.finditer(r'pool: 0x[0-9a-f]+ \| eprocess: (0x[0-9a-f]+) \| ([^|]*) \| (.*)$',
open('eprocess_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)
with open('eprocess_lpusscan.csv', 'w', newline='', encoding='utf-8') as f:
writer = csv.writer(f)
writer.writerow(['address', 'process', 'fullpath'])
for v in lpus:
a, b, c = list(v.groups())
writer.writerow([a, c, b])
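Review bot: The volatility output on the `vol = map(...)` line is opened with no `encoding=` and the handle is never closed, while the lpus log two statements later is read with `encoding='utf-8'` inside a `with`; read both the same way, e.g. `with open('eprocess_volscan.txt', 'r', encoding='utf-8') as src:` / `    vol = [m.group(1, 2) for m in map(vp.match, src.read().split('\n')) if m is not None]`, which also makes the `a, b = list(v)` unpacking a plain `a, b = v`. The `+ 0xffff000000000000` on the `a = hex(...)` line is an unexplained magic constant; presumably the volatility scan prints only the low 48 bits of the kernel address and this restores the canonical prefix so rows match the lpus CSV by address, which deserves a comment such as `# restore the canonical kernel-address prefix so the address column matches the lpus scan` and, if that assumption holds, a check that `int(a, 16) < 1 << 48` before adding. Both CSVs carry names truncated to the 15-byte field (`(.{15})` here, `MicrosoftEdgeC` in the lpus log), so any later comparison between them should key on address rather than process name; the commented-out `lp` pattern can be deleted. The indentation of the two `with` bodies is not visible on the rendered page, so the block structure above is inferred.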


@ -0,0 +1,75 @@
address,process
0xffff948957c67080,VBoxService.ex
0xffff948957c6c080,svchost.exe
0xffff948957caa080,svchost.exe
0xffff948957ce3080,svchost.exe
0xffff948957d1b080,svchost.exe
0xffff948957ddf040,Registry
0xffff94895ac79400,smss.exe
0xffff94895ad15080,powershell.exe
0xffff94895b0452c0,csrss.exe
0xffff94895ba28080,MicrosoftEdgeC
0xffff94895bb25080,MicrosoftEdgeC
0xffff94895bdb0080,winlogon.exe
0xffff94895bdf51c0,services.exe
0xffff94895ca5f280,fontdrvhost.ex
0xffff94895ca6a280,fontdrvhost.ex
0xffff94895ca70380,svchost.exe
0xffff94895caf6400,svchost.exe
0xffff94895cb3a380,svchost.exe
0xffff94895cbd8400,svchost.exe
0xffff94895cc15440,svchost.exe
0xffff94895cc223c0,svchost.exe
0xffff94895cc5b380,svchost.exe
0xffff94895ccae400,svchost.exe
0xffff94895cdac400,svchost.exe
0xffff94895cdae400,svchost.exe
0xffff94895ce19400,svchost.exe
0xffff94895ce1b080,svchost.exe
0xffff94895ce98400,svchost.exe
0xffff94895cea7080,MemCompression
0xffff94895ceb5380,svchost.exe
0xffff94895cf2e3c0,svchost.exe
0xffff94895cf90400,svchost.exe
0xffff94895cf98400,svchost.exe
0xffff94895e017440,svchost.exe
0xffff94895e02b380,svchost.exe
0xffff94895e077400,svchost.exe
0xffff94895e0ce400,svchost.exe
0xffff94895e0d8400,svchost.exe
0xffff94895e169380,svchost.exe
0xffff94895e171080,svchost.exe
0xffff94895e391080,SearchProtocol
0xffff94895e54e4c0,NisSrv.exe
0xffff94895e929480,smartscreen.ex
0xffff94895e9412c0,Windows.WARP.J
0xffff94895e9512c0,MsMpEng.exe
0xffff94895e970080,SearchUI.exe
0xffff94895eaaf440,sihost.exe
0xffff94895eaee480,svchost.exe
0xffff94895eaf54c0,svchost.exe
0xffff94895eaf84c0,svchost.exe
0xffff94895eb5b4c0,taskhostw.exe
0xffff94895ebbd3c0,svchost.exe
0xffff94895ebc2440,ctfmon.exe
0xffff94895ec5e080,userinit.exe
0xffff94895eccc4c0,Code.exe
0xffff94895ece5080,dllhost.exe
0xffff94895edf6080,StartMenuExper
0xffff94895ef1b480,RuntimeBroker.
0xffff94895f2074c0,ApplicationFra
0xffff94895f2dd080,SkypeApp.exe
0xffff94895f3be480,browser_broker
0xffff94895f3c5080,YourPhone.exe
0xffff94895f3ce400,svchost.exe
0xffff94895f449080,WinStore.App.e
0xffff94895f44b480,RuntimeBroker.
0xffff94895f4e9240,MicrosoftEdgeC
0xffff94895f571480,RuntimeBroker.
0xffff94895f7ca380,SecurityHealth
0xffff94895ffce080,MicrosoftEdgeC
0xffff94895fff2480,conhost.exe
0xffff9489600c50c0,Code.exe
0xffff9489602ec080,dllhost.exe
0xffff9489603ca080,Windows.WARP.J
0xffff948960acc080,svchost.exe
1 address process
2 0xffff948957c67080 VBoxService.ex
3 0xffff948957c6c080 svchost.exe
4 0xffff948957caa080 svchost.exe
5 0xffff948957ce3080 svchost.exe
6 0xffff948957d1b080 svchost.exe
7 0xffff948957ddf040 Registry
8 0xffff94895ac79400 smss.exe
9 0xffff94895ad15080 powershell.exe
10 0xffff94895b0452c0 csrss.exe
11 0xffff94895ba28080 MicrosoftEdgeC
12 0xffff94895bb25080 MicrosoftEdgeC
13 0xffff94895bdb0080 winlogon.exe
14 0xffff94895bdf51c0 services.exe
15 0xffff94895ca5f280 fontdrvhost.ex
16 0xffff94895ca6a280 fontdrvhost.ex
17 0xffff94895ca70380 svchost.exe
18 0xffff94895caf6400 svchost.exe
19 0xffff94895cb3a380 svchost.exe
20 0xffff94895cbd8400 svchost.exe
21 0xffff94895cc15440 svchost.exe
22 0xffff94895cc223c0 svchost.exe
23 0xffff94895cc5b380 svchost.exe
24 0xffff94895ccae400 svchost.exe
25 0xffff94895cdac400 svchost.exe
26 0xffff94895cdae400 svchost.exe
27 0xffff94895ce19400 svchost.exe
28 0xffff94895ce1b080 svchost.exe
29 0xffff94895ce98400 svchost.exe
30 0xffff94895cea7080 MemCompression
31 0xffff94895ceb5380 svchost.exe
32 0xffff94895cf2e3c0 svchost.exe
33 0xffff94895cf90400 svchost.exe
34 0xffff94895cf98400 svchost.exe
35 0xffff94895e017440 svchost.exe
36 0xffff94895e02b380 svchost.exe
37 0xffff94895e077400 svchost.exe
38 0xffff94895e0ce400 svchost.exe
39 0xffff94895e0d8400 svchost.exe
40 0xffff94895e169380 svchost.exe
41 0xffff94895e171080 svchost.exe
42 0xffff94895e391080 SearchProtocol
43 0xffff94895e54e4c0 NisSrv.exe
44 0xffff94895e929480 smartscreen.ex
45 0xffff94895e9412c0 Windows.WARP.J
46 0xffff94895e9512c0 MsMpEng.exe
47 0xffff94895e970080 SearchUI.exe
48 0xffff94895eaaf440 sihost.exe
49 0xffff94895eaee480 svchost.exe
50 0xffff94895eaf54c0 svchost.exe
51 0xffff94895eaf84c0 svchost.exe
52 0xffff94895eb5b4c0 taskhostw.exe
53 0xffff94895ebbd3c0 svchost.exe
54 0xffff94895ebc2440 ctfmon.exe
55 0xffff94895ec5e080 userinit.exe
56 0xffff94895eccc4c0 Code.exe
57 0xffff94895ece5080 dllhost.exe
58 0xffff94895edf6080 StartMenuExper
59 0xffff94895ef1b480 RuntimeBroker.
60 0xffff94895f2074c0 ApplicationFra
61 0xffff94895f2dd080 SkypeApp.exe
62 0xffff94895f3be480 browser_broker
63 0xffff94895f3c5080 YourPhone.exe
64 0xffff94895f3ce400 svchost.exe
65 0xffff94895f449080 WinStore.App.e
66 0xffff94895f44b480 RuntimeBroker.
67 0xffff94895f4e9240 MicrosoftEdgeC
68 0xffff94895f571480 RuntimeBroker.
69 0xffff94895f7ca380 SecurityHealth
70 0xffff94895ffce080 MicrosoftEdgeC
71 0xffff94895fff2480 conhost.exe
72 0xffff9489600c50c0 Code.exe
73 0xffff9489602ec080 dllhost.exe
74 0xffff9489603ca080 Windows.WARP.J
75 0xffff948960acc080 svchost.exe


@ -0,0 +1,77 @@
Volatility Foundation Volatility Framework 2.6.1
Offset(P) Name PID PPID PDB Time created Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000948957c67080 VBoxService.ex 1604 596 0x00000000205e9002 2020-06-04 20:20:35 UTC+0000
0x0000948957c6c080 svchost.exe 6904 596 0x0000000009506002 2020-06-04 06:25:45 UTC+0000 2020-06-04 06:27:55 UTC+0000
0x0000948957caa080 svchost.exe 6448 596 0x000000006a7bc002 2020-06-04 06:21:12 UTC+0000
0x0000948957ce3080 svchost.exe 1508 596 0x000000001ff45002 2020-06-04 20:20:35 UTC+0000
0x0000948957d1b080 svchost.exe 1444 596 0x000000001e3b9002 2020-06-04 20:20:35 UTC+0000
0x0000948957ddf040 Registry 68 4 0x0000000000341002 2020-06-04 20:20:13 UTC+0000
0x000094895ac79400 smss.exe 324 4 0x0000000101742002 2020-06-04 20:20:19 UTC+0000
0x000094895ad15080 powershell.exe 408 1060 0x00000000b5241002 2020-06-04 07:19:20 UTC+0000 2020-06-04 07:20:22 UTC+0000
0x000094895b0452c0 csrss.exe 416 408 0x0000000002e84002 2020-06-04 20:20:33 UTC+0000
0x000094895ba28080 MicrosoftEdgeC 1436 772 0x000000011866b002 2020-06-04 07:16:47 UTC+0000
0x000094895bb25080 MicrosoftEdgeC 2776 772 0x00000000d2641002 2020-06-04 07:16:57 UTC+0000
0x000094895bdb0080 winlogon.exe 544 480 0x0000000001add002 2020-06-04 20:20:33 UTC+0000
0x000094895bdf51c0 services.exe 596 488 0x0000000016c16002 2020-06-04 20:20:33 UTC+0000
0x000094895ca5f280 fontdrvhost.ex 680 544 0x0000000019366002 2020-06-04 20:20:33 UTC+0000
0x000094895ca6a280 fontdrvhost.ex 688 488 0x0000000015d1b002 2020-06-04 20:20:33 UTC+0000
0x000094895ca70380 svchost.exe 708 596 0x0000000017338002 2020-06-04 20:20:33 UTC+0000
0x000094895caf6400 svchost.exe 824 596 0x0000000019ad0002 2020-06-04 20:20:34 UTC+0000
0x000094895cb3a380 svchost.exe 876 596 0x000000001a2b4002 2020-06-04 20:20:34 UTC+0000
0x000094895cbd8400 svchost.exe 384 596 0x000000001950d002 2020-06-04 20:20:34 UTC+0000
0x000094895cc15440 svchost.exe 420 596 0x000000001c315002 2020-06-04 20:20:34 UTC+0000
0x000094895cc223c0 svchost.exe 592 596 0x000000001c549002 2020-06-04 20:20:34 UTC+0000
0x000094895cc5b380 svchost.exe 1064 596 0x000000001d1a4002 2020-06-04 20:20:34 UTC+0000
0x000094895ccae400 svchost.exe 1148 596 0x000000001ddbf002 2020-06-04 20:20:34 UTC+0000
0x000094895cdac400 svchost.exe 1372 596 0x000000001ca24002 2020-06-04 20:20:35 UTC+0000
0x000094895cdae400 svchost.exe 1452 596 0x00000000206dd002 2020-06-04 20:20:35 UTC+0000
0x000094895ce19400 svchost.exe 1632 596 0x0000000023c4f002 2020-06-04 20:20:35 UTC+0000
0x000094895ce1b080 svchost.exe 1640 596 0x0000000022b39002 2020-06-04 20:20:35 UTC+0000
0x000094895ce98400 svchost.exe 1772 596 0x0000000020e71002 2020-06-04 06:20:37 UTC+0000
0x000094895cea7080 MemCompression 1812 4 0x00000000236f8002 2020-06-04 06:20:37 UTC+0000
0x000094895ceb5380 svchost.exe 1868 596 0x0000000025c34002 2020-06-04 06:20:37 UTC+0000
0x000094895cf2e3c0 svchost.exe 1936 596 0x0000000024179002 2020-06-04 06:20:37 UTC+0000
0x000094895cf90400 svchost.exe 1660 596 0x0000000022790002 2020-06-04 06:20:37 UTC+0000
0x000094895cf98400 svchost.exe 1352 596 0x0000000025171002 2020-06-04 06:20:37 UTC+0000
0x000094895e017440 svchost.exe 2088 596 0x0000000021120002 2020-06-04 06:20:38 UTC+0000
0x000094895e02b380 svchost.exe 2128 596 0x0000000027d28002 2020-06-04 06:20:38 UTC+0000
0x000094895e077400 svchost.exe 2160 596 0x0000000025ec9002 2020-06-04 06:20:38 UTC+0000
0x000094895e0ce400 svchost.exe 2208 596 0x00000000260c0002 2020-06-04 06:20:38 UTC+0000
0x000094895e0d8400 svchost.exe 2232 596 0x000000002652a002 2020-06-04 06:20:38 UTC+0000
0x000094895e169380 svchost.exe 2928 596 0x000000002e054002 2020-06-04 06:20:39 UTC+0000
0x000094895e171080 svchost.exe 2684 596 0x000000002ad7c002 2020-06-04 06:20:39 UTC+0000
0x000094895e391080 SearchProtocol 1648 5160 0x000000009b248002 2020-06-04 07:26:11 UTC+0000
0x000094895e54e4c0 NisSrv.exe 2016 596 0x00000000b4eff002 2020-06-04 06:28:41 UTC+0000
0x000094895e929480 smartscreen.ex 3256 772 0x00000000c11d6002 2020-06-04 07:16:27 UTC+0000
0x000094895e9412c0 Windows.WARP.J 5712 5580 0x00000000c0f76002 2020-06-04 07:16:26 UTC+0000
0x000094895e9512c0 MsMpEng.exe 4676 596 0x0000000044f09002 2020-06-04 06:28:33 UTC+0000
0x000094895e970080 SearchUI.exe 4692 772 0x0000000057496002 2020-06-04 06:21:01 UTC+0000
0x000094895eaaf440 sihost.exe 432 1292 0x0000000043c29002 2020-06-04 06:20:50 UTC+0000
0x000094895eaee480 svchost.exe 1588 596 0x0000000043ecd002 2020-06-04 06:20:50 UTC+0000
0x000094895eaf54c0 svchost.exe 3152 596 0x0000000045d46002 2020-06-04 06:20:50 UTC+0000
0x000094895eaf84c0 svchost.exe 3672 596 0x00000000465a3002 2020-06-04 06:20:50 UTC+0000
0x000094895eb5b4c0 taskhostw.exe 4124 1064 0x0000000046bc4002 2020-06-04 06:20:50 UTC+0000
0x000094895ebbd3c0 svchost.exe 4232 596 0x000000004306e002 2020-06-04 06:20:50 UTC+0000
0x000094895ebc2440 ctfmon.exe 4300 4232 0x0000000041c8c002 2020-06-04 06:20:50 UTC+0000
0x000094895ec5e080 userinit.exe 4400 544 0x0000000046ed7002 2020-06-04 06:20:51 UTC+0000 2020-06-04 06:21:20 UTC+0000
0x000094895eccc4c0 Code.exe 6968 3736 0x00000000bb0c4002 2020-06-04 07:19:16 UTC+0000
0x000094895ece5080 dllhost.exe 4648 772 0x00000000502b5002 2020-06-04 06:20:53 UTC+0000
0x000094895edf6080 StartMenuExper 4972 772 0x0000000053638002 2020-06-04 06:21:00 UTC+0000
0x000094895ef1b480 RuntimeBroker. 5092 772 0x0000000056e70002 2020-06-04 06:21:00 UTC+0000
0x000094895f2074c0 ApplicationFra 5336 772 0x000000005c223002 2020-06-04 06:21:04 UTC+0000
0x000094895f2dd080 SkypeApp.exe 5412 772 0x000000005fea5002 2020-06-04 06:21:05 UTC+0000
0x000094895f3be480 browser_broker 5544 772 0x0000000060a28002 2020-06-04 06:21:05 UTC+0000
0x000094895f3c5080 YourPhone.exe 5588 772 0x000000006315e002 2020-06-04 06:21:05 UTC+0000
0x000094895f3ce400 svchost.exe 5580 596 0x0000000063376002 2020-06-04 06:21:05 UTC+0000
0x000094895f449080 WinStore.App.e 5952 772 0x00000001142d1002 2020-06-04 06:22:36 UTC+0000
0x000094895f44b480 RuntimeBroker. 5860 772 0x0000000061748002 2020-06-04 06:21:06 UTC+0000
0x000094895f4e9240 MicrosoftEdgeC 6048 772 0x0000000063ba6002 2020-06-04 06:21:07 UTC+0000
0x000094895f571480 RuntimeBroker. 6908 772 0x000000006dcb1002 2020-06-04 06:21:16 UTC+0000
0x000094895f7ca380 SecurityHealth 2248 596 0x000000006f4ba002 2020-06-04 06:21:21 UTC+0000
0x000094895ffce080 MicrosoftEdgeC 3288 772 0x00000000bd993002 2020-06-04 07:16:41 UTC+0000 2020-06-04 07:19:52 UTC+0000
0x000094895fff2480 conhost.exe 5696 1892 0x0000000058bc3002 2020-06-04 07:19:49 UTC+0000
0x00009489600c50c0 Code.exe 1060 3736 0x000000003859d002 2020-06-04 07:19:17 UTC+0000
0x00009489602ec080 dllhost.exe 4156 772 0x000000009589c002 2020-06-04 07:16:29 UTC+0000
0x00009489603ca080 Windows.WARP.J 7068 5580 0x00000000bb4da002 2020-06-04 07:16:48 UTC+0000
0x0000948960acc080 svchost.exe 3204 596 0x00000000c4173002 2020-06-04 07:19:47 UTC+0000




@ -0,0 +1,29 @@
import re
import csv
vp = re.compile(r'(0x[0-9a-f]+)\s+\d+\s+[01]\s+[RWDrwd-]+\s+(.*)')
vol = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('file_volscan.txt', 'r').read().split('\n'))))
with open('file_volscan.csv', 'w', newline='') as f:
writer = csv.writer(f)
writer.writerow(['address', 'file'])
for v in vol:
a, b = list(v)
a = hex(int(a, 16) + 0xffff000000000000)
writer.writerow([a, b])
# lp = re.compile(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$', re.MULTILINE)
lpus = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('file_volscan.txt', 'r').read().split('\n'))))
lpus = re.finditer(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$',
open('file_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)
with open('file_lpusscan.csv', 'w', newline='', encoding='utf-8') as f:
writer = csv.writer(f)
writer.writerow(['address', 'file'])
for v in lpus:
a, b = list(v.groups())
writer.writerow([a, b])
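Review bot: The pattern on the `vp = re.compile(...)` line only accepts filescan rows whose `#Hnd` column is `0` or `1` (`\s+[01]\s+`), so any file object with a larger handle count is silently dropped from `file_volscan.csv` and then surfaces in stat.py as a spurious "lpus scan misses volatility"/"volatility scan misses lpus" discrepancy; `\d+\s+\d+\s+[RWDrwd-]+` accepts the whole column. The first `lpus = map(lambda x: ...)` assignment is a copy-paste leftover that re-reads `file_volscan.txt` and is immediately overwritten by the `re.finditer(...)` assignment, and the commented-out `# lp = re.compile(...)` above it duplicates the live pattern; both should be deleted. As in eprocess_to_csv.py, the input files are opened without `with` and `file_volscan.txt` is read with the platform default encoding, which can mangle non-ASCII paths on Windows; `open('file_volscan.txt', 'r', encoding='utf-8')` keeps both sides consistent. The hunk header says 29 lines but 21 are visible, so part of this hunk (presumably blank lines) is not shown.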



50
logs/dump_test/1/stat.py Normal file

@ -0,0 +1,50 @@
import pandas as pd
elpus = pd.read_csv('eprocess_lpusscan.csv')
flpus = pd.read_csv('file_lpusscan.csv', encoding='utf-8')
evol = pd.read_csv('eprocess_volscan.csv')
fvol = pd.read_csv('file_volscan.csv')
print('''
A simple statistics for LPUS and Volatility
Environment: Windows 10 2019 (build number 18362) on VirtualBox
RAM: 4GB
> The VM is downloaded through Microsoft
LPUS scan _EPROCESS and _FILE_OBJECT.
The scan time: approximate 5 minutes.
After that, use VirtualBox command to generate the memory image
> "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" debugvm "<name>" dumpvmcore --filename "/path/to/<name>.elf"
Volatility version is at 5f685e5
> The latest release of Volatility doesn't have support for Windows build no. 18362
Then compare the log from LPUS and the two volatility command with profile Win10x64_18362:
- psscan to scan _EPROCESS, approximate 30 minutes
- filescan to scan _EPROCESS, approximate 2-3 hours
(The log file is then converted to csv files, see 'eprocess_to_csv.py' and 'file_to_csv.py')
''')
print('==================================================')
print('_EPROCESS')
print('lpus scan: ', elpus['address'].shape, 'results')
print('volatility scan: ', evol['address'].shape, 'results')
print('volatility scan misses lpus: ', elpus['address'][~elpus['address'].isin(evol['address'])].shape, 'results')
print('lpus scan misses volatility: ', evol['address'][~evol['address'].isin(elpus['address'])].shape, 'results')
print('==================================================')
print('_FILE_OBJECT')
print('lpus scan: ', flpus['address'].shape, 'results')
print('volatility scan: ', fvol['address'].shape, 'results')
print('volatility scan misses lpus: ', flpus['address'][~flpus['address'].isin(fvol['address'])].shape, 'results')
print('lpus scan misses volatility: ', fvol['address'][~fvol['address'].isin(flpus['address'])].shape, 'results')
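Review bot: The comparisons `elpus['address'].isin(evol['address'])` and the three like it are plain string equality, so any formatting difference between how lpus logs an address and how `hex()` renders the Volatility one (case, zero padding) would count every row as a miss; normalizing each column once, e.g. `evol['address'] = evol['address'].map(lambda s: int(s, 16))` and likewise for the other three frames, makes the join robust, and `drop_duplicates()` would keep a repeated address in either log from inflating the counts. The printed line `- filescan to scan _EPROCESS, approximate 2-3 hours` should read `_FILE_OBJECT`, and `.shape` prints a tuple such as `(75,)` where `len(...)` would be clearer. The `VBoxManage.exe` path inside the triple-quoted string contains `\P`, `\O` and `\V`, invalid escape sequences that newer Python versions warn about; making it a raw string (`print(r'''`) fixes that without changing the output. The hunk header announces 50 lines but 33 are visible, so I cannot confirm from here that the file ends at the last `print`.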