Page 4 of 11 FirstFirst 1234567891011 LastLast
Results 46 to 60 of 154

Thread: NTFS MFT Internals

  1. #46
    I gave you a bit of a bum steer with respect to USB - Serial adapters. The USB connecter has only a transmit and a receive available in it's 4 connector tabs, the other two being +5 volts and ground. So, you have to watch what kind of USB - serial connector you buy. A basic one could give you basic functionality without full handshaking and windbg require the latter.

    This converter uses a chip in the adapter to do that.

    http://www.ftdichip.com/Support/Documents/DataSheets/Cables/DS_Chipi-X.pdf


    bp 1003431 "j (poi(ebp+0x0c)==0�11f) ''; 'gc' "
    Just learning to read this language. From what I know, the bp @ 1003431 is subjected to a j operator which is the windbg if/else statement. So the statement seems to be saying: break if the value in (ebp+c) = 0x11f is true. I think your " after the j operator should have a space, should it not, as in ' ', meaning true/false in windbg jargon.

    I am not too clear on the poi operator yet. I know it is used to dereference a pointer. In this case, in MASM, (ebp+0x0c) is normally an address normally found with square brackets as in [ebp+c]) but in C++ it is a value. This is what I mean about Microsoft, they go out of their way to be vague. The @@ operator also dereferences pointers so what is the difference between poi and @@? It also appears as if you have to find where the message value is in reference to the EBP base, whereas in softice you simple supply the message number and the window handle.

    All in all, in some cases, windbg goes to a lot of trouble to obfuscate a simple issue. As you know, in softice, you give a simple BMSG hwnd msg# and you are done. You can add a conditional statement if you want but you don't have to.

    BTW...anyone reading this who is new to softice should realize, at least in my setup, that softice does not accept the message name anymore, it has to be the message number. At one time you could write BMSG hwnd WM_COMMAND, but now you have to write BMSG hwnd 111.

  2. #47
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    oops yep you said it

    windbg notepad

    Code:
    0:000> bu user32!TranslateMessage ".if ((poi(poi(esp+4)+4))==0x201) { .printf \"weeee waxford clicked me ooohh\\n\" };gc"
    0:000> g
    ModLoad: 5cb70000 5cb96000   C:\WINDOWS\system32\ShimEng.dll
    ModLoad: 6f880000 6fa4a000   C:\WINDOWS\AppPatch\AcGenral.DLL
    ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
    ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
    ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
    ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
    ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
    ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
    ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\UxTheme.dll
    ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
    ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh

  3. #48
    Quote Originally Posted by blabberer View Post
    oops yep you said it

    windbg notepad

    Code:
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    weeee waxford clicked me ooohh
    Sounds like Waxford is a bit of a pervert.

  4. #49
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    poi(R#) == <size> ptr <seg>:[R#] // dword ptr ds:[eax] or [eax]
    poi(poi(R#)) = " " //[[eax]] etc

    @ is used to tell we are referring a register and not a symbol and cuts down symbol searching time

    so always make it a habit to use

    ? poi(@eax+0x4) so that results emerge faster

    "think typo and hitting enter and waiting for eternity till ~1000 symbol files are downloaded /parsed and /negated"

    Code:
    0:001> ? poi(@esx)
    Bad register error at '@esx)'
    0:001> ? poi(esx)
    Couldn't resolve error at 'esx)'  <---------- symbols searched and no esx symbol neither any esx registers were found

  5. #50
    bu user32!TranslateMessage ".if ((poi(poi(esp+4)+4))==0x201) { .printf \"weeee waxford clicked me ooohh\\n\" };gc"

    Would you be kind enough, kind sir, to break this statement down for me?

    One poi I can deal with but a poi poi sounds like some kind of Hawaiian meal.

    First, you loaded notepad directly with a windbg notepad.

    It seems the inner poi dereference esp+c to a value, then I get lost. What does the outer poi do?

    You seem to be setting a general break on TranslateMessage with WM_LBUTTONDOWN (WMSG 0x201), and if it's true you print that Waxford is a pervert. So '.if' is equivalent to the j operator, is that right? I have not touched on dot operators yet but it seems you can replace the ' ' with { }. Does that mean ' ' applies only to true/false and the { } applies to general statements?

  6. #51
    Quote Originally Posted by blabberer View Post
    poi(R#) == <size> ptr <seg>:[R#] // dword ptr ds:[eax] or [eax]
    So, poi (eax) is equivalent to [eax], meaning the value at the address pointed to by EAX???

    I have never encountered [[eax]]. Is that like finding the value at the EAX address and if it's a ptr, finding the value at that address...like a nested pointer?

    For example, in softice, I sometimes see a ptr in EAX and dump it, to find another ptr, which I dump as well. If I find a value at the second pointer address, that would be the same value as a double poi???

    I am used to @ referencing a pointer and I understood @@ to mean the value at the address pointed to. I get your point about symbols lookup time, which is invaluable, but I need to read more.

  7. #52
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Quote Originally Posted by WaxfordSqueers View Post
    I think your " after the j operator should have a space, should it not, as in ' ', meaning true/false in windbg jargon.
    That is actually 2 separate single quotation marks (''), albeit without a space between them, not a double quotation mark ("), it probably just looks that way in the browser. Works as a copy/paste breakpoint in any case.

    All in all, in some cases, windbg goes to a lot of trouble to obfuscate a simple issue. As you know, in softice, you give a simple BMSG hwnd msg# and you are done. You can add a conditional statement if you want but you don't have to.
    That is very true, it's better in Softice because you don't have to find the WndProc, Softice finds it for you via the BMSG command.

    BTW...anyone reading this who is new to softice should realize, at least in my setup, that softice does not accept the message name anymore, it has to be the message number. At one time you could write BMSG hwnd WM_COMMAND, but now you have to write BMSG hwnd 111.
    Works for me:

    Code:
    01)  BMSG 11010C WM_MENUSELECT
    
    Break due to BP 01: BMSG 11010C WM_MENUSELECT (ET=3.18 seconds)
    hWnd=0011010C wParam=80900000 lParam=00080215 msg=011F WM_MENUSELECT

  8. #53
    Quote Originally Posted by Kayaker View Post
    Works for me:

    Code:
    01)  BMSG 11010C WM_MENUSELECT
    
    Break due to BP 01: BMSG 11010C WM_MENUSELECT (ET=3.18 seconds)
    hWnd=0011010C wParam=80900000 lParam=00080215 msg=011F WM_MENUSELECT
    Weird. It stopped working on my version. I have to look up the message number and enter it in hex. Oddly, once I have entered it in hex, and do a BL, it shows the message name.

    Maybe it's just messing with me. Softice is a very intelligent app.

  9. #54
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    break this statement down

    sure

    Code:
    
    C:\Program Files\Microsoft SDKs\Windows\v7.1\Include>grep -ir -A 2 TranslateMess
    age.* w*
    WinUser.h:TranslateMessage(
    WinUser.h-    __in CONST MSG *lpMsg);
    WinUser.h-
    
    C:\Program Files\Microsoft SDKs\Windows\v7.1\Include>grep -ir -A 4 "typedef.*tag
    MSG.*{" w*u*
    WinUser.h:typedef struct tagMSG {
    WinUser.h-    HWND        hwnd;
    WinUser.h-    UINT        message;
    WinUser.h-    WPARAM      wParam;
    WinUser.h-    LPARAM      lParam;
    
    C:\Program Files\Microsoft SDKs\Windows\v7.1\Include>
    
    
    TranslateMessage takes one parameter ie a pointer to MSG structure 
    so when you have broken on TranslateMessage 
    esp+4 will point ot MSG structure  ie [esp+4]  == addrof (lpMsg) would be something like 0x12345678
    
    MSG structure is defined with 4 memebrs the 2nd member is message 
    
    so if you had 12345678 then 1234567c will point ot Message
    
    [[esp+4]+4] == [[12345678] +4]  == SOME_XXXXX  // 0x201 WM_MOUSECLICK
    
    so that would break into 
    
    hey windby would you please break on TranslateMessage and validate if 
    
    what is pointed by poi (poi(esp+4) +) == what i give you ??
    when you have validated that what i gave you is indeed what you have @ poi(poi(esp+4)) 
    
    will you print this message and simply continue i dont want you to stop and say goodbye 
    please print and getlost
    
    when i feel like i would provide a .else clause and a .elseif clause too 
    
    so you can evaluate multiple conditions and report back to me
    
    try this for fun and move the mouse around notepad click menu etc :)
    
    bu user32!TranslateMessage ".if ((poi(poi(esp+4)+4))==0x201) { .printf \"waxford clicked me\\n\"; gc } .elsif ((poi(poi(esp+4)+4)) == 0x111) {.printf \"waxford double clicked my menu\\n\";gc } .else {gc};"

  10. #55
    Quote Originally Posted by blabberer View Post
    TranslateMessage takes one parameter ie a pointer to MSG structure
    so when you have broken on TranslateMessage
    esp+4 will point ot MSG structure ie [esp+4] == addrof (lpMsg) would be something like 0x12345678
    Appreciate all the info, I am prepping for my trip and may not get a chance to focus on what you are saying.

    Glad I am not the only one who is dyslexic. I keep reversing words when I am typing, but you do ot (to) while i tend to do wrok (work). And you may have noticed my i (I), which I can't seem to control no matter how much I focus. Don't know if it's true dyslexia or something peculiar to typing on a keyboard.

    I have encountered TranslateMessage a lot while tracing code, usually in the loop where Win processes messages. One thing I have never been able to figure out is how to break out of the message loop at times. Sometimes the code leads through the TranslateMessage area and back into the app, and other times it gets into an endless look with PeekMessage, etc.

    Another area where that happens is in WaitForSingleObject and its brethern, especially in the kernel. I need to get deeper into signalling, mutexes and so on and I have one app that uses it extensively. I don't encounter these problems enough to get focused on them. I have no gotten a feel for what it is up to however since it seems to spawn another thread of itself along the way.

  11. #56
    Too lazy to read that crap. Learn math part. I for example long time did not used the km debugger. Beginning study the architecture. At the kernel of not learning on the narvahi canvas"

  12. #57
    Took off on a trip for a while but I have been attacking the same problem about tracking a file read process to the NTFS or MFT level.

    It appears that Notepad makes judicious use of shell32.dll to do it's path work. I would think that would be simple in itself, but it's horribly convoluted the way paths get checked and double checked. As if that's not bad enough, they have an SHItemID list which seems to parallel the MFT attributes, creating a sort of Btree listing that can be broken down into smaller directory/file lists. They have procedures in shell32 and shlwapi to deal with the lists.

    Tell the truth, did anyone know shlwapi means shell lightweight API, and works hand in hand with shell32. Has anyone heard of shell32 before.

    It gets tricky during tracing when working with file system drivers because, as I recall, the filter drivers get stacked. So, I ended up tracing through a driver from Silicon Image for my CD/DVD writer, then there's one from sr.sys for system restore, then fltmgr.sys itself, while en route to Nt_ReadFile.

    I am still encountering the same old problem....the file cache. Notepad is getting loaded in there somehow rather than being read directly from the MFT tables. Even the MFT attributes are in the file cache. It's either that or I have bypassed a piece of code where that is done. Blabberer will be happy to know I have been using Windbg to look at the file cache, and further breaking it down using !ca, !fileobj and db dumps to look at the file remnants to see what is there.

    I have deleted the paging file in XP but have not tried tracing since I did. I can't imagine where else they'd hide copies of the file cache.

    Next thing is to find an app that will choke the file cache, or purge it. I saw mention of a cache app from sysinternals but have yet to track it down. The Net connection on my desktop is wonky.

    There is a possibility that I have gone too far into the shell path/file processing and simply ran past the point where they check the MFT, before checking the cache. Shell32 sure can be tedious to trace through with all the stuff they do to paths. It's unbelievable how many times they check paths and file attributes before finally doing something.

    Anyway, I have traced through most of the pertinent parts and I am making some progress, so I have indicated that in this note to let anyone interested know i am still working in the thread.

  13. #58
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Quote Originally Posted by WaxfordSqueers View Post
    The ref to Ntfs!NtfsReadMftRecord is interesting. I'll have to sift through ntoskrnl symbols and see if there are other NFT references. Maybe even the HAL symbols.

    What I am trying to do is approach the $MFT file from its entry point and trace through it's front end so I can see where it goes, especially from the $ROOT file.

    Each of the first set of files are metafiles and begin with the header 'FILE'. The very first entry in an MFT file is FILE, like MZ is the first entry in an exe file. From there onward, there are attributes at various offsets, and each attribute begins with a number. It's like a PE header and I want to learn to read it.

    Trouble is, as I understand it, once the disk has been accessed, NTFS reads the files and moves info to another location. Also, a file like Notepad, if used regularly, will have a prefetch record and the MFT will likely be bypassed. So I need to catch the NTFS system in the act of initializing the MFT. I want to see what it's initial entry point is into the table, and why.
    Hey Wax,

    I was muddling through this a bit again, trying to figure out where you're at tracing the connection from CreateFile -> MFT, or W(hatever)TF you're doing. This may be of no use, but I was playing with yet another NTFS utility, nfi.exe (Windows NT File System (NTFS) File Sector Information Utility), part of this package:

    http://support.microsoft.com/kb/253066/en-us

    Here's a search for notepad.exe

    Code:
    c:\>nfi c:\windows\system32\notepad.exe
    NTFS File Sector Information Utility.
    Copyright (C) Microsoft Corporation 1999. All rights reserved.
    
    \Windows\winsxs\wow64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_
    none_d5642974be118415\notepad.exe
        $STANDARD_INFORMATION (resident)
        $FILE_NAME (resident)
        $FILE_NAME (resident)
        $DATA (nonresident)
            logical sectors 47708456-47708807 (0x2d7f928-0x2d7fa87)
    
    c:\>nfi c: 47708456
    NTFS File Sector Information Utility.
    Copyright (C) Microsoft Corporation 1999. All rights reserved.
    
    
    ***Logical sector 47708456 (0x2d7f928) on drive C is in file number 15622.
    \Windows\winsxs\wow64_microsoft-windows-notepad_31bf3856ad364e35_6.1.7600.16385_
    none_d5642974be118415\notepad.exe
        $STANDARD_INFORMATION (resident)
        $FILE_NAME (resident)
        $FILE_NAME (resident)
        $DATA (nonresident)
            logical sectors 47708456-47708807 (0x2d7f928-0x2d7fa87)
    What it gives is the MFT # for a given file, i.e. (file number 15622)
    Using NTFSWalker confirmed that's the actual sequential MFT record for notepad.

    I just thought that if you ever get to a point, maybe in NtfsReadMftRecord, you could use the known MFT record number as a breakpoint qualifier for the target file you're chasing. Just a random thought.

    Oh, and if you deleted the prefetch for a file, would it go through the initialization steps of accessing the MFT that you're hoping to catch?

  14. #59
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    well i was going to post the exact same sentiments but refrained from posting it as i thought you might on to a bigger fish
    that i couldn't visualize reading your post

    if you wish to catch some thing about mft etc you need to sit on the other side of the fence
    shell is a muddle and fishes don't thrive there except for an occasional tortoise

    ShellExecute finally crosses the um -> km boundary via ntdll!NtCreateProcessEx and that can be verified in few steps like below
    you don't have to trace its piddle muddle

    lets break on ShellExecuteA and swim along till the net shall we ?


    Code:
    0:000> $ no point using a bulldohhzzer to flatten a mole hill 
    0:000> bp SHELL32!ShellExecuteA
    0:000> g
    
    Breakpoint 0 hit
    SHELL32!ShellExecuteA:
    7ca41150 8bff            mov     edi,edi
    0:000> uf /c @eip  lets see what this shelliwanda calls
    
    
    SHELL32!ShellExecuteA (7ca41150)
      SHELL32!ShellExecuteA+0x4e (7ca4119e):
        call to SHLWAPI!SHGetAppCompatFlags (77f668b4)
      SHELL32!ShellExecuteA+0x64 (7ca411b4):
        call to SHELL32!ShellExecuteExA (7ca40e25) so it calls another wanda lets follow her
    
    0:000> g SHELL32!ShellExecuteExA
    
    
    SHELL32!ShellExecuteExA:
    7ca40e25 8bff            mov     edi,edi
    0:000> uf /c @eip  so wanda the small called wanda the big and gues what she calls wanda the giant
    cut minor minions of the trade we reach here
        call to SHELL32!ShellExecuteExW (7ca02f03)
    
    0:000> g SHELL32!ShellExecuteExW  so we are on a trail lets play along 
    
    SHELL32!ShellExecuteExW:
    7ca02f03 8bff            mov     edi,edi
    0:000> uf /c @eip
    skipping minions we reach another safehouse do we get our tinker tailor soldier or spy here ??
        call to SHELL32!ShellExecuteNormal (7ca02f9e)
    
    0:000> g SHELL32!ShellExecuteNormal
    
    SHELL32!ShellExecuteNormal:
    7ca02f9e 8bff            mov     edi,edi
    0:000> uf /c @eip  woot smoke screen after smoke screen but we are now embedded into their system lets play hooker
    
    0:000> g SHELL32!CShellExecute::ExecuteNormal
    
    7ca02ff1 8bff            mov     edi,edi
    0:000> uf /c @eip  well it is a alley full of thugs waiting with piddle to mudde you 
    but we are wearing  the mythril vest piddles dont do nothing mama
    SHELL32!CShellExecute::ExecuteNormal (7ca02ff1)
      SHELL32!CShellExecute::ExecuteNormal+0x11 (7ca03002):
        call to SHELL32!SetAppStartingCursor (7ca030ea)
      SHELL32!CShellExecute::ExecuteNormal+0x19 (7ca0300a):
        call to SHELL32!CShellExecute::_Init (7ca03442)
      SHELL32!CShellExecute::ExecuteNormal+0x23 (7ca03014):
        call to SHELL32!CShellExecute::_SetWorkingDir (7ca032a6)
      SHELL32!CShellExecute::ExecuteNormal+0x36 (7ca03027):
        call to SHELL32!CShellExecute::_SetFile (7ca03201)
      SHELL32!CShellExecute::ExecuteNormal+0x41 (7ca03032):
        call to SHELL32!CShellExecute::_PerfPidl (7ca03195)
      SHELL32!CShellExecute::ExecuteNormal+0x54 (7ca03045):
        call to SHELL32!CShellExecute::_TryValidateUNC (7ca03155)
      SHELL32!CShellExecute::ExecuteNormal+0x60 (7ca03051):
        call to SHELL32!CShellExecute::_TryHooks (7ca04259)
      SHELL32!CShellExecute::ExecuteNormal+0x6f (7ca03060):
        call to SHELL32!CShellExecute::_TryExecPidl (7ca041b0)
      SHELL32!CShellExecute::ExecuteNormal+0x7b (7ca0306c):
        call to SHELL32!CShellExecute::_VerifyExecTrust (7ca04075)
      SHELL32!CShellExecute::ExecuteNormal+0x8a (7ca0307b):
        call to SHELL32!CShellExecute::_InitAssociations (7ca04539)
      SHELL32!CShellExecute::ExecuteNormal+0xac (7ca03097):
        call to SHELL32!CShellExecute::_TryInvokeApplication (7ca03559) its still trying to shake us off 
    hasn't trusted us yet fully where is the don
      SHELL32!CShellExecute::ExecuteNormal+0xba (7ca030a5):
        call to SHELL32!UEMIsLoaded (7ca03a3c)
      SHELL32!CShellExecute::ExecuteNormal+0xd4 (7ca030bf):
        call to SHELL32!GetUEMAssoc (7ca04cb1)
      SHELL32!CShellExecute::ExecuteNormal+0xe5 (7ca030d0):
        call to SHELL32!UEMFireEvent (7ca04ce5)
      SHELL32!CShellExecute::ExecuteNormal+0xef (7ca030da):
        call to SHELL32!SetAppStartingCursor (7ca030ea)
    0:000> g SHELL32!CShellExecute::_TryInvokeApplication  boom  the fireworks begin 
    we are where piddles wont be muddling us  
    ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
    ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
    ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
    ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
    ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
    ModLoad: 78130000 78263000   C:\WINDOWS\system32\urlmon.dll
    ModLoad: 3dfd0000 3e1b8000   C:\WINDOWS\system32\iertutil.dll
    eax=00000001 ebx=00001500 ecx=0016cc30 edx=00160608 esi=0016cc30 edi=0013eb5c
    eip=7ca03559 esp=0013eb04 ebp=0013eb14 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    SHELL32!CShellExecute::_TryInvokeApplication:
    7ca03559 8bff            mov     edi,edi
    0:000> uf /c @eip
    SHELL32!CShellExecute::_TryInvokeApplication (7ca03559)
      SHELL32!CShellExecute::_TryInvokeApplication+0x11 (7ca0356a):
        call to SHELL32!CShellExecute::_SetCmdTemplate (7ca04687)
      SHELL32!CShellExecute::_TryInvokeApplication+0x1d (7ca03576):
        call to SHELL32!CShellExecute::_SetFileAndUrl (7ca0451b)
      SHELL32!CShellExecute::_TryInvokeApplication+0x24 (7ca0357d):
        call to SHELL32!CShellExecute::_TryExecDDE (7ca045d9)
      SHELL32!CShellExecute::_TryInvokeApplication+0x44 (7ca03598):
        call to SHELL32!CShellExecute::_DoExecCommand (7ca035b2)
      SHELL32!CShellExecute::_TryInvokeApplication+0x38 (7ca0f832):
        call to SHELL32!CShellExecute::_SetCmdTemplate (7ca04687)
      SHELL32!CShellExecute::_TryInvokeApplication+0x52 (7ca4dd36):
        call to SHELL32!CShellExecute::_RetryAsync (7cac8e64)
    0:000> g SHELL32!CShellExecute::_DoExecCommand
    eax=00000002 ebx=00001500 ecx=0016cc30 edx=00000000 esi=0016cc30 edi=0013eb5c
    eip=7ca035b2 esp=0013eaf8 ebp=0013eb00 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    SHELL32!CShellExecute::_DoExecCommand:
    7ca035b2 8bff            mov     edi,edi
    0:000> uf /c @eip
    SHELL32!CShellExecute::_DoExecCommand (7ca035b2)
      SHELL32!CShellExecute::_DoExecCommand+0x9 (7ca035bb):
        call to USER32!NtUserGetForegroundWindow (7e429823)
      SHELL32!CShellExecute::_DoExecCommand+0x14 (7ca035c6):
        call to SHELL32!CShellExecute::_SetCommand (7ca038b3)
      SHELL32!CShellExecute::_DoExecCommand+0x27 (7ca035d9):
        call to SHELL32!CShellExecute::_ExecMayCreateProcess (7ca03feb)  we are with second in command 
    don is watching us from a two way mirror
      SHELL32!CShellExecute::_DoExecCommand+0x3b (7ca035ed):
        call to SHELL32!CShellExecute::_BuildEnvironmentForNewProcess (7ca03df5)
      SHELL32!CShellExecute::_DoExecCommand+0xaf (7ca03661):
        call to SHELL32!_SHCreateProcess (7ca036cb) we passed polygraph did we ?
      SHELL32!CShellExecute::_DoExecCommand+0xe2 (7ca03693):
        call to SHELL32!CShellExecute::_FixActivationStealingApps (7ca039fa)
      SHELL32!CShellExecute::_DoExecCommand+0x108 (7ca036a7):
        call to SHELL32!CShellExecute::_ReportHinst (7ca03a12)
      SHELL32!CShellExecute::_DoExecCommand+0xcf (7ca4dcf1):
        call to USER32!WaitForInputIdle (7e44faf5)
      SHELL32!CShellExecute::_DoExecCommand+0x100 (7ca4dd0b):
        call to SHELL32!CShellExecute::_DDEExecute (7cac8c97)
      SHELL32!CShellExecute::_DoExecCommand+0x120 (7ca4dd17):
        call to SHELL32!CShellExecute::_NotifyShortcutInvoke (7cac7f2d)
      SHELL32!CShellExecute::_DoExecCommand+0x127 (7ca4dd21):
        call to ntdll!RtlGetLastWin32Error (7c90fe21)
      SHELL32!CShellExecute::_DoExecCommand+0x130 (7ca4dd2a):
        call to SHELL32!CShellExecute::_ReportWin32 (7ca04055)
    0:000> g SHELL32!CShellExecute::_ExecMayCreateProcess
    eax=0013eaf0 ebx=00001500 ecx=0016cc30 edx=7c90e514 esi=0016cc30 edi=0013eb5c
    eip=7ca03feb esp=0013eae4 ebp=0013eaf4 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    SHELL32!CShellExecute::_ExecMayCreateProcess:
    7ca03feb 8bff            mov     edi,edi
    0:000> uf /c @eip
    SHELL32!CShellExecute::_ExecMayCreateProcess (7ca03feb)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0xd (7ca03ff8):
        call to SHELL32!SHRestricted (7c9ec059)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x40 (7ca0400a):
        call to SHELL32!SHRestricted (7c9ec059)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x64 (7ca04022):
        call to SHELL32!CShellExecute::_TryValidateUNC (7ca03155)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x79 (7ca04031):
        call to SHELL32!CShellExecute::_TryWowShellExec (7ca03c20)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x2c (7ca04041):
        call to SHELL32!CShellExecute::_ReportWin32 (7ca04055)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x1d (7ca4dcab):
        call to SHELL32!RestrictedApp (7cab53f1)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x50 (7ca4dcc7):
        call to SHELL32!DisallowedApp (7cab5440)
      SHELL32!CShellExecute::_ExecMayCreateProcess+0x6d (7ca4dcd6):
        call to ntdll!RtlGetLastWin32Error (7c90fe21)
    0:000> g SHELL32!_SHCreateProcess     some more voodoo in black staircases 
    eax=0017052c ebx=00000000 ecx=0016dc7c edx=0016dc7c esi=0016cc30 edi=001717cc
    eip=7ca036cb esp=0013eaa4 ebp=0013eaf4 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
    SHELL32!_SHCreateProcess:
    7ca036cb 8bff            mov     edi,edi
    0:000> uf /c @eip
    SHELL32!_SHCreateProcess (7ca036cb)
      SHELL32!_SHCreateProcess+0xa8 (7ca03773):
        call to SHELL32!CheckForInstallApplication (7ca03f13)
      SHELL32!_SHCreateProcess+0xf7 (7ca037a5):
        call to SHLWAPI!PathFindFileNameW (77f67087)
      SHELL32!_SHCreateProcess+0xfe (7ca037ac):
        call to SHLWAPI!PathMatchSpecW (77f72866)
      SHELL32!_SHCreateProcess+0x381 (7ca037f6):
        call to KERNEL32!CreateProcessW (7c802336)  jason bourne is into the swiss bank with half memory and an id number
    
    0:000> g KERNEL32!CreateProcessW
    eax=00000000 ebx=00171780 ecx=00000000 edx=0013ddea esi=04000410 edi=00000000
    eip=7c802336 esp=0013e020 ebp=0013eaa0 iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    KERNEL32!CreateProcessW:
    7c802336 8bff            mov     edi,edi
    0:000> uf /c @eip
    KERNEL32!CreateProcessW (7c802336)
      KERNEL32!CreateProcessW+0x27 (7c80235d):
        call to KERNEL32!CreateProcessInternalW (7c8197b0)
    0:000> g KERNEL32!CreateProcessInternalW  the gremlins are authenticating and the news has 
    reached the core that j is alive and kicking 
    eax=00000000 ebx=00171780 ecx=00000000 edx=0013ddea esi=04000410 edi=00000000
    eip=7c8197b0 esp=0013dfe8 ebp=0013e01c iopl=0         nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
    KERNEL32!CreateProcessInternalW:
    7c8197b0 68080a0000      push    0A08h
    0:000> uf /c @eip
    KERNEL32!CreateProcessInternalW (7c8197b0)
      KERNEL32!CreateProcessInternalW+0x34d (7c818dd0):
        call to ntdll!ZwAllocateVirtualMemory (7c90cf6e)
      KERNEL32!CreateProcessInternalW+0x37f (7c818dfb):
        call to ntdll!RtlAnsiStringToUnicodeString (7c90eb3b)
      KERNEL32!CreateProcessInternalW+0x752 (7c818f0f):
        call to ntdll!RtlDosPathNameToNtPathName_U (7c9142f5)
      KERNEL32!CreateProcessInternalW+0x788 (7c818f3d):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x78b (7c818f40):
        call to ntdll!RtlDetermineDosPathNameType_U (7c913b8a)
      KERNEL32!CreateProcessInternalW+0x890 (7c818fde):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x91d (7c819015):
        call to ntdll!ZwCreateSection (7c90d17e)
      KERNEL32!CreateProcessInternalW+0x935 (7c81902d):
        call to KERNEL32!BasepIsProcessAllowed (7c819581)
      KERNEL32!CreateProcessInternalW+0xa64 (7c8190ab):
        call to KERNEL32!BasepCheckBadapp (7c8193b3)
      KERNEL32!CreateProcessInternalW+0xae4 (7c8190f3):
        call to KERNEL32!BasepCheckWinSaferRestrictions (7c8195b7)
      KERNEL32!CreateProcessInternalW+0xb80 (7c81913c):
        call to ntdll!NtQuerySection (7c90d8ce)
      KERNEL32!CreateProcessInternalW+0xfdb (7c819188):
        call to KERNEL32!LdrQueryImageFileExecutionOptions (7c81a331)
      KERNEL32!CreateProcessInternalW+0x108b (7c8191d4):
        call to KERNEL32!BasepIsImageVersionOk (7c81a2a3)
      KERNEL32!CreateProcessInternalW+0x11d9 (7c8191f3):
        call to KERNEL32!LoadLibraryA (7c801d7b)
      KERNEL32!CreateProcessInternalW+0x11f0 (7c81920a):
        call to KERNEL32!GetProcAddress (7c80ae40)
      KERNEL32!CreateProcessInternalW+0x1205 (7c81921f):
        call to ntdll!ZwQuerySystemInformation (7c90d92e)
      KERNEL32!CreateProcessInternalW+0x121d (7c819237):
        call to KERNEL32!FreeLibrary (7c80ac7e)
      KERNEL32!CreateProcessInternalW+0x1230 (7c81924a):
        call to KERNEL32!BaseFormatObjectAttributes (7c809398)
      KERNEL32!CreateProcessInternalW+0x1321 (7c8192dc):
        call to ntdll!ZwCreateProcessEx (7c90d15e)       >------------------ we are into the locker retrieving a gun 
    and transferring trillions into unnamed cayman island accounts to gremlins on the other side of dark force
      KERNEL32!CreateProcessInternalW+0xa (7c8197ba):
        call to KERNEL32!_SEH_prolog (7c8024d6)
      KERNEL32!CreateProcessInternalW+0x2ca (7c819a45):
        call to ntdll!ZwQueryInformationJobObject (7c90d7de)
      KERNEL32!CreateProcessInternalW+0x1634 (7c819c60):
        call to KERNEL32!BasepSxsCreateProcessCsrMessage (7c81a99f)
      KERNEL32!CreateProcessInternalW+0x1658 (7c819c84):
        call to ntdll!NtQueryInformationProcess (7c90d7fe)
      KERNEL32!CreateProcessInternalW+0x169d (7c819cc9):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0x16c7 (7c819cf3):
        call to KERNEL32!GetFullPathNameW (7c80b8f2)
      KERNEL32!CreateProcessInternalW+0x16d7 (7c819d07):
        call to KERNEL32!GetFileAttributesW (7c80b7ec)
      KERNEL32!CreateProcessInternalW+0x1849 (7c819dbb):
        call to KERNEL32!BasePushProcessParameters (7c81a3fb)
      KERNEL32!CreateProcessInternalW+0x185d (7c819dcf):
        call to ntdll!RtlFreeAnsiString (7c910466)
      KERNEL32!CreateProcessInternalW+0x19d0 (7c819e13):
        call to KERNEL32!BaseCreateStack (7c8102bc)
      KERNEL32!CreateProcessInternalW+0x19fd (7c819e40):
        call to KERNEL32!BaseInitializeContext (7c810443)
      KERNEL32!CreateProcessInternalW+0x1a10 (7c819e53):
        call to KERNEL32!BaseFormatObjectAttributes (7c809398)
      KERNEL32!CreateProcessInternalW+0x1a91 (7c819ea1):
        call to ntdll!NtCreateThread (7c90d1ae)
      KERNEL32!CreateProcessInternalW+0x1c3c (7c819f8d):
        call to ntdll!CsrClientCallServer (7c912d91)
      KERNEL32!CreateProcessInternalW+0x1d30 (7c819fd6):
        call to ntdll!NtResumeThread (7c90db3e)
      KERNEL32!CreateProcessInternalW+0x1e15 (7c81a040):
        call to KERNEL32!CreateProcessInternalW+0x1ea5 (7c81a06d)
      KERNEL32!CreateProcessInternalW+0x1e3e (7c81a05b):
        call to KERNEL32!__security_check_cookie (7c8097aa)
      KERNEL32!CreateProcessInternalW+0x1e43 (7c81a060):
        call to KERNEL32!_SEH_epilog (7c802511)
      KERNEL32!CreateProcessInternalW+0x14ca (7c81a34b):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0x7c1 (7c81d73b):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0x7e2 (7c81d75c):
        call to ntdll!RtlGetFullPathName_U (7c9143a9)
      KERNEL32!CreateProcessInternalW+0x7f5 (7c81d76f):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x1d0f (7c81d77c):
        call to KERNEL32!_local_unwind2 (7c80df7f)
      KERNEL32!CreateProcessInternalW+0x8ba (7c81d7cb):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x8c7 (7c81d7dc):
        call to ntdll!RtlIsDosDeviceName_U (7c9130a8)
      KERNEL32!CreateProcessInternalW+0x1d04 (7c81d7f0):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0x1b56 (7c81fdb2):
        call to KERNEL32!GetModuleHandleA (7c80b741)
      KERNEL32!CreateProcessInternalW+0x1b5c (7c81fdb8):
        call to ntdll!RtlImageNtHeader (7c910339)
      KERNEL32!CreateProcessInternalW+0x18c1 (7c81fe48):
        call to ntdll!ZwReadVirtualMemory (7c90d9fe)
      KERNEL32!CreateProcessInternalW+0x19a4 (7c81fee3):
        call to KERNEL32!StuffStdHandle (7c82dfb0)
      KERNEL32!CreateProcessInternalW+0x13bd (7c81ff12):
        call to ntdll!ZwSetInformationProcess (7c90dc9e)
      KERNEL32!CreateProcessInternalW+0xd0a (7c8289b3):
        call to KERNEL32!BaseIsDosApplication (7c828b87)
      KERNEL32!CreateProcessInternalW+0xd54 (7c8289fd):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0xd65 (7c828a0e):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0xdb5 (7c828a5f):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0xdc3 (7c828a6d):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0xdfa (7c828aa4):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0xe17 (7c828ac1):
        call to ntdll!wcscpy (7c912f60)
      KERNEL32!CreateProcessInternalW+0xe4a (7c828aee):
        unresolvable call: call    edi
      KERNEL32!CreateProcessInternalW+0xe70 (7c828b12):
        call to ntdll!RtlInitUnicodeString (7c901295)
      KERNEL32!CreateProcessInternalW+0x9cf (7c828b63):
        call to KERNEL32!BaseIsDosApplication (7c828b87)
      KERNEL32!CreateProcessInternalW+0x488 (7c829d4d):
        call to ntdll!RtlFreeHeap (7c90ff2d)
      KERNEL32!CreateProcessInternalW+0x4a2 (7c829d64):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0x1c50 (7c82ba20):
        call to ntdll!CsrFreeCaptureBuffer (7c91eb1f)
      KERNEL32!CreateProcessInternalW+0x1c11 (7c82ba71):
        call to ntdll!CsrCaptureMessageMultiUnicodeStringsInPlace (7c92064d)
      KERNEL32!CreateProcessInternalW+0x45b (7c82bf36):
        call to ntdll!RtlFreeHeap (7c90ff2d)
      KERNEL32!CreateProcessInternalW+0x1371 (7c82c978):
        call to ntdll!ZwSetInformationProcess (7c90dc9e)
      KERNEL32!CreateProcessInternalW+0xe64 (7c82dac8):
        unresolvable call: call    edi
      KERNEL32!CreateProcessInternalW+0xe35 (7c82dad7):
        call to ntdll!wcscat (7c918132)
      KERNEL32!CreateProcessInternalW+0x195f (7c82df4e):
        call to KERNEL32!StuffStdHandle (7c82dfb0)
      KERNEL32!CreateProcessInternalW+0x191a (7c82dfa1):
        call to KERNEL32!StuffStdHandle (7c82dfb0)
      KERNEL32!CreateProcessInternalW+0x65b (7c82e128):
        call to ntdll!RtlDetermineDosPathNameType_U (7c913b8a)
      KERNEL32!CreateProcessInternalW+0x69d (7c82e142):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0x6b7 (7c82e153):
        call to KERNEL32!GetLastError (7c830771)
      KERNEL32!CreateProcessInternalW+0x1277 (7c82e566):
        call to KERNEL32!BaseFormatObjectAttributes (7c809398)
      KERNEL32!CreateProcessInternalW+0x5c7 (7c82f2b7):
        call to KERNEL32!SearchPathW (7c80e77c)
      KERNEL32!CreateProcessInternalW+0x5e6 (7c82f2d6):
        call to KERNEL32!GetFileAttributesW (7c80b7ec)
      KERNEL32!CreateProcessInternalW+0x635 (7c82f32d):
        call to KERNEL32!BasepIsSetupInvokedByWinLogon (7c82f3ac)
      KERNEL32!CreateProcessInternalW+0x4f0 (7c82f367):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0x764 (7c83589c):
        call to KERNEL32!SetLastError (7c80935e)
      KERNEL32!CreateProcessInternalW+0x206 (7c8427e0):
        call to KERNEL32!SetLastError (7c80935e)
      KERNEL32!CreateProcessInternalW+0x264 (7c84281b):
        call to KERNEL32!BasepIsRealtimeAllowed (7c861fcc)
      KERNEL32!CreateProcessInternalW+0x358 (7c842857):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0x3a0 (7c842876):
        call to ntdll!ZwFreeVirtualMemory (7c90d38e)
      KERNEL32!CreateProcessInternalW+0x682 (7c8428c5):
        call to KERNEL32!CreateFileW (7c810800)
      KERNEL32!CreateProcessInternalW+0x693 (7c8428da):
        call to KERNEL32!CloseHandle (7c809be7)
      KERNEL32!CreateProcessInternalW+0x6b0 (7c8428ea):
        call to KERNEL32!SetLastError (7c80935e)
      KERNEL32!CreateProcessInternalW+0x947 (7c842958):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0x952 (7c842963):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0x997 (7c8429a6):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0x9fd (7c8429d0):
        call to ntdll!RtlFreeHeap (7c90ff2d)
      KERNEL32!CreateProcessInternalW+0xa2a (7c8429fa):
        call to ntdll!RtlFreeHeap (7c90ff2d)
      KERNEL32!CreateProcessInternalW+0xa7f (7c842a17):
        call to KERNEL32!SetLastError (7c80935e)
      KERNEL32!CreateProcessInternalW+0xa87 (7c842a1f):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0xa9e (7c842a36):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0xaf9 (7c842a4c):
        call to KERNEL32!SetLastError (7c80935e)
      KERNEL32!CreateProcessInternalW+0xb0e (7c842a5d):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0xb56 (7c842a7d):
        call to KERNEL32!SetLastError (7c80935e)
      KERNEL32!CreateProcessInternalW+0xbbf (7c842ab5):
        call to KERNEL32!BaseCreateVDMEnvironment (7c8691fe)
      KERNEL32!CreateProcessInternalW+0xc13 (7c842b09):
        call to KERNEL32!BaseCheckVDM (7c869649)
      KERNEL32!CreateProcessInternalW+0xc29 (7c842b1f):
        call to KERNEL32!GetLastError (7c830771)
      KERNEL32!CreateProcessInternalW+0xcae (7c842ba4):
        call to KERNEL32!BaseGetVdmConfigInfo (7c8698e1)
      KERNEL32!CreateProcessInternalW+0xe99 (7c842bf5):
        call to KERNEL32!BaseCreateVDMEnvironment (7c8691fe)
      KERNEL32!CreateProcessInternalW+0xedb (7c842c37):
        call to KERNEL32!BaseCheckVDM (7c869649)
      KERNEL32!CreateProcessInternalW+0xf30 (7c842c8c):
        call to KERNEL32!BaseGetVdmConfigInfo (7c8698e1)
      KERNEL32!CreateProcessInternalW+0xf7c (7c842cd8):
        call to ntdll!RtlDestroyEnvironment (7c923962)
      KERNEL32!CreateProcessInternalW+0x1019 (7c842d12):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0x1046 (7c842d3f):
        call to KERNEL32!BuildSubSysCommandLine (7c861e3e)
      KERNEL32!CreateProcessInternalW+0x10b7 (7c842d5f):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x10d1 (7c842d79):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x10e1 (7c842d89):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x1116 (7c842dbe):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0x1144 (7c842dec):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x1152 (7c842dfa):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x1161 (7c842e09):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x117b (7c842e23):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0x11a6 (7c842e4e):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x11c7 (7c842e6f):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x129d (7c842e87):
        call to KERNEL32!DbgUiConnectToDbg (7c8809c2)
      KERNEL32!CreateProcessInternalW+0x12b0 (7c842e9a):
        call to KERNEL32!DbgUiGetThreadDebugObject (7c8809e3)
      KERNEL32!CreateProcessInternalW+0x1332 (7c842ebb):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0x1355 (7c842ec7):
        call to KERNEL32!BasepIsRealtimeAllowed (7c861fcc)
      KERNEL32!CreateProcessInternalW+0x138b (7c842edd):
        call to KERNEL32!BasepReleasePrivilege (7c830546)
      KERNEL32!CreateProcessInternalW+0x13eb (7c842f0f):
        call to KERNEL32!BaseUpdateVDMEntry (7c868b8a)
      KERNEL32!CreateProcessInternalW+0x1432 (7c842f4e):
        call to ntdll!ZwAllocateVirtualMemory (7c90cf6e)
      KERNEL32!CreateProcessInternalW+0x171d (7c842fe2):
        call to ntdll!wcslen (7c90fe4a)
      KERNEL32!CreateProcessInternalW+0x1730 (7c842ff5):
        call to ntdll!RtlAllocateHeap (7c9100c4)
      KERNEL32!CreateProcessInternalW+0x1746 (7c84300b):
        call to ntdll!wcscpy (7c912f60)
      KERNEL32!CreateProcessInternalW+0x177b (7c843040):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x1788 (7c84304d):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x17a6 (7c84306f):
        unresolvable call: call    esi
      KERNEL32!CreateProcessInternalW+0x1a57 (7c8430c1):
        call to KERNEL32!BaseFormatObjectAttributes (7c809398)
      KERNEL32!CreateProcessInternalW+0x1b03 (7c8430e5):
        call to KERNEL32!DbgPrint (7c8809ac)
      KERNEL32!CreateProcessInternalW+0x1c6a (7c843155):
        call to KERNEL32!BaseSetLastNTError (7c809419)
      KERNEL32!CreateProcessInternalW+0x1c7b (7c843166):
        call to ntdll!NtTerminateProcess (7c90de6e)
      KERNEL32!CreateProcessInternalW+0x1ca8 (7c84318f):
        call to KERNEL32!BasepReplaceProcessThreadTokens (7c861c3b)
      KERNEL32!CreateProcessInternalW+0x1cc0 (7c8431ab):
        call to ntdll!NtTerminateProcess (7c90de6e)
      KERNEL32!CreateProcessInternalW+0x1cdd (7c8431c3):
        call to ntdll!ZwAssignProcessToJobObject (7c90cf8e)
      KERNEL32!CreateProcessInternalW+0x1cf8 (7c8431e2):
        call to ntdll!NtTerminateProcess (7c90de6e)
      KERNEL32!CreateProcessInternalW+0x1d9b (7c843235):
        call to ntdll!ZwClose (7c90cfee)
      KERNEL32!CreateProcessInternalW+0x1e2e (7c843293):
        call to ntdll!RtlDestroyEnvironment (7c923962)
      KERNEL32!CreateProcessInternalW+0x1e77 (7c8432ca):
        call to ntdll!NtRaiseHardError (7c90d9be)
    0:000> g ntdll!ZwCreateProcessEx
    ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\Apphelp.dll
    eax=0013d978 ebx=00000000 ecx=7c9175d4 edx=7c97e178 esi=ffffffff edi=00000001
    eip=7c90d15e esp=0013d598 ebp=0013dfe4 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
    ntdll!ZwCreateProcessEx:
    7c90d15e b830000000      mov     eax,30h
    0:000> uf /c @eip
    ntdll!ZwCreateProcessEx (7c90d15e)  
      ntdll!NtCreateProcessEx+0xa (7c90d168):
        unresolvable call: call    dword ptr [edx]  wow the doctor got his millons to 
    booze we skipped the net and into another realm attacking y1053 cosmic blubb
    
    so sift the cosmic blubb for secrets of universe no point looking at all the thughs with piddles trying to muddle you out
    Last edited by blabberer; August 31st, 2013 at 01:36.

  15. #60
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,079
    Blog Entries
    5
    Interesting journey, though I think you may have been watching too many movies lately there amigo.

    Wx might be wanting to watch the whole story, from start to finish, but you could also jump to the ending rather than piddling in the middle.

    Break on NtfsReadFileRecord or NtfsReadMftRecord and see what it tells you.

    /* non-Windbg */
    Disassemble ntfs.sys in IDA, with PDB. Rebase to 0
    Get offset of NtfsReadFileRecord
    In Softice get base address with 'driver ntfs', add offset and set breakpoint
    Do stuff

    Code:
    00026B5C _NtfsReadFileRecord@28
    00026B5C
    00026B5C arg_0           = dword ptr  8
    00026B5C arg_4           = dword ptr  0Ch
    00026B5C arg_8           = dword ptr  10h
    00026B5C arg_C           = dword ptr  14h
    00026B5C arg_10          = dword ptr  18h
    00026B5C arg_14          = dword ptr  1Ch
    00026B5C arg_18          = dword ptr  20h
    00026B5C
    00026B5C                 mov     edi, edi
    00026B5E                 push    ebp
    00026B5F                 mov     ebp, esp
    00026B61                 push    ecx
    00026B62                 push    ecx
    00026B63                 push    ebx
    00026B64                 mov     ebx, [ebp+arg_10]
    00026B67                 push    esi
    00026B68                 mov     esi, [ebp+arg_C]
    00026B6B                 push    edi
    00026B6C                 mov     edi, [ebp+arg_8]
    00026B6F                 push    ebx
    00026B70                 push    esi
    00026B71                 push    dword ptr [edi]
    00026B73                 push    [ebp+arg_0]
    00026B76                 call    _NtfsFindCachedFileRecord@16
    00026B7B                 test    al, al
    00026B7D                 jnz     loc_274C7
    00026B83                 push    [ebp+arg_18]
    00026B86                 push    ebx
    00026B87                 push    esi
    00026B88                 push    1
    00026B8A                 push    edi
    00026B8B                 push    [ebp+arg_4]
    00026B8E                 push    [ebp+arg_0]
    00026B91                 call    _NtfsReadMftRecord@28

    http://read.pudn.com/downloads171/sourcecode/windows/vxd/794585/ntfs/mftsup.c__.htm

    Code:
    VOID
    NtfsReadFileRecord (
        IN PIRP_CONTEXT IrpContext,
        IN PVCB Vcb,
        IN PFILE_REFERENCE FileReference,
        OUT PBCB *Bcb,
        OUT PFILE_RECORD_SEGMENT_HEADER *BaseFileRecord,
        OUT PATTRIBUTE_RECORD_HEADER *FirstAttribute,
        OUT PLONGLONG MftFileOffset OPTIONAL
        )
    
    /*++
    
    Routine Description:
    
        This routine reads the specified file record from the Mft, checking that the
        sequence number in the caller's file reference is still the one in the file
        record.
    
    Arguments:
    
        Vcb - Vcb for volume on which Mft is to be read
    
        Fcb - If specified allows us to identify the file which owns the
            invalid file record.
    
        FileReference - File reference, including sequence number, of the file record
            to be read.
    
        Bcb - Returns the Bcb for the file record.  This Bcb is mapped, not pinned.
    
        BaseFileRecord - Returns a pointer to the requested file record.
    
        FirstAttribute - Returns a pointer to the first attribute in the file record.
    
        MftFileOffset - If specified, returns the file offset of the file record.
    
    Return Value:
    
        None
    
    --*/

Similar Threads

  1. NTFS reversing
    By WaxfordSqueers in forum The Newbie Forum
    Replies: 21
    Last Post: April 28th, 2013, 00:56
  2. Qt Internals & Reversing
    By Daniel Pistelli in forum Blogs Forum
    Replies: 11
    Last Post: December 5th, 2008, 04:12
  3. problem with NTFS file encryption
    By Hero in forum The Newbie Forum
    Replies: 10
    Last Post: October 22nd, 2004, 03:49
  4. New project: RSA-65 analysis on GetDataBack for NTFS
    By Lbolt99 in forum RCE Cryptographics
    Replies: 6
    Last Post: August 1st, 2002, 14:48
  5. Write to NTFS
    By tentakkel in forum Malware Analysis and Unpacking Forum
    Replies: 7
    Last Post: October 8th, 2001, 17:18

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •