



This IT談話館 offers an advanced DKOM-based memory forensics service!



Windows 10 Active Memory Dump and DLL Analysis


This article analyzes the Active Memory Dump introduced with Windows 10 and presents an introductory example of analyzing applications (processes) and libraries (DLLs). For the Active Memory Dump itself, please refer to the separate article on this site, "Windows 10 Active Memory Dump and Kernel Memory Dump".

The analysis code used in this work implements the following features. To give an idea of the information it displays, let us look at the analysis result for the session manager process, smss.exe.
Started..
+0xFFFFDB8B67365640	smss.exe
	  0:BaseAddress:0x00007ff70d970000	\SystemRoot\System32\smss.exe
	  1:BaseAddress:0x00007ffb92c00000	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\ntdll.dll
Ended..
The session manager process smss.exe has loaded only a single DLL, ntdll.dll. The result shows that the linker version used to build ntdll.dll is 12.10. LReason indicates the load reason and is defined as follows.
1: kd> dt ntkrnlmp!_LDR_DLL_LOAD_REASON
   LoadReasonStaticDependency = 0n0
   LoadReasonStaticForwarderDependency = 0n1
   LoadReasonDynamicForwarderDependency = 0n2
   LoadReasonDelayloadDependency = 0n3
   LoadReasonDynamicLoad = 0n4
   LoadReasonAsImageLoad = 0n5
   LoadReasonAsDataLoad = 0n6
   LoadReasonUnknown = 0n-1
According to this information, "LReason->0x0" means a static link. If a DLL were found to be loaded for an unusual reason, the next step would be to analyze its PE format, using the "BaseAddress:0x00007ffb92c00000" from the listing as the starting point.
Directory Information	Base->0x00007ffb92c00000
	00	VA->0x142850	Size->0x11a97
	01	VA->0x000000	Size->0x00000
	02	VA->0x170000	Size->0x69398
	03	VA->0x15d000	Size->0x0da94
	04	VA->0x1d1000	Size->0x06450
	05	VA->0x1da000	Size->0x004b4
	06	VA->0x119420	Size->0x00054
	07	VA->0x000000	Size->0x00000
	08	VA->0x000000	Size->0x00000
	09	VA->0x000000	Size->0x00000
	10	VA->0x110b20	Size->0x000f4
	11	VA->0x000000	Size->0x00000
	12	VA->0x000000	Size->0x00000
	13	VA->0x000000	Size->0x00000
	14	VA->0x000000	Size->0x00000
	15	VA->0x000000	Size->0x00000
Section Information
	01: VA->0x0000000000001000	Name->.text
	02: VA->0x000000000010f000	Name->RT
	03: VA->0x0000000000110000	Name->.rdata
	04: VA->0x0000000000155000	Name->.data
	05: VA->0x000000000015d000	Name->.pdata
	06: VA->0x000000000016b000	Name->.mrdata
	07: VA->0x000000000016f000	Name->.00cfg
	08: VA->0x0000000000170000	Name->.rsrc
	09: VA->0x00000000001da000	Name->.reloc
This article omits the further steps of PE format analysis. The session manager smss.exe discussed here is one of the most security-critical processes, and its role has become even more important (see reference).
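The header walk that the text leaves out, as an added example written for this edit (it is not the author's analysis code): it parses the linker version, the 16 data directories and the section table from a PE32/PE32+ image, renders them in the layout of the listing above, and decodes LReason against the _LDR_DLL_LOAD_REASON values shown by the dt command. The PE image is a constructed header that reuses the ntdll.dll values from the listing (it is a fixture, not a real ntdll), and parse_listing_line is a hypothetical helper for the "ImageBase(...) Linker(...) LReason->..." lines printed by the author's tool.

```python
import re
import struct

# _LDR_DLL_LOAD_REASON values exactly as the "dt ntkrnlmp!_LDR_DLL_LOAD_REASON" output above lists them.
LOAD_REASONS = {
    0: "LoadReasonStaticDependency",
    1: "LoadReasonStaticForwarderDependency",
    2: "LoadReasonDynamicForwarderDependency",
    3: "LoadReasonDelayloadDependency",
    4: "LoadReasonDynamicLoad",
    5: "LoadReasonAsImageLoad",
    6: "LoadReasonAsDataLoad",
    -1: "LoadReasonUnknown",
}

def load_reason_name(value: int) -> str:
    """Map an LReason value to its enum name (the enum is signed; -1 may arrive as 0xFFFFFFFF)."""
    if value == 0xFFFFFFFF:
        value = -1
    return LOAD_REASONS.get(value, f"LoadReason<{value:#x}>")

# Hypothetical helper: parse one "N:\tImageBase(...)\tLinker(...)\tLReason->...\tName->..." line
# of the listings above into (index, image_base, linker, reason_name, path).
LISTING_RE = re.compile(
    r"^\s*(\d+):\s+ImageBase\((0x[0-9A-Fa-f]+)\)\s+Linker\(([\d.]+)\)\s+LReason->(0x[0-9A-Fa-f]+)\s+Name->(.+)$")

def parse_listing_line(line: str):
    m = LISTING_RE.match(line)
    if not m:
        return None
    idx, base, linker, reason, path = m.groups()
    return int(idx), int(base, 16), linker, load_reason_name(int(reason, 16)), path.strip()

def parse_pe(image: bytes):
    """Return (linker "MM.mm", [(directory VA, size)], [(section VA, name)]) from a PE32/PE32+ header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", image, file_hdr + 16)[0]
    opt = file_hdr + 20                           # IMAGE_OPTIONAL_HEADER
    magic, major, minor = struct.unpack_from("<HBB", image, opt)   # Magic, Major/MinorLinkerVersion
    if magic == 0x20B:                            # PE32+: NumberOfRvaAndSizes at +108, directories at +112
        num_rva, dir_off = struct.unpack_from("<I", image, opt + 108)[0], opt + 112
    elif magic == 0x10B:                          # PE32: at +92 / +96
        num_rva, dir_off = struct.unpack_from("<I", image, opt + 92)[0], opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    directories = [struct.unpack_from("<II", image, dir_off + i * 8) for i in range(min(num_rva, 16))]
    sections = []
    sec_off = opt + size_opt                      # section table follows the optional header
    for i in range(num_sections):
        hdr = image[sec_off + i * 40: sec_off + (i + 1) * 40]      # IMAGE_SECTION_HEADER is 40 bytes
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((struct.unpack_from("<I", hdr, 12)[0], name))  # VirtualAddress at +12
    return f"{major:02d}.{minor:02d}", directories, sections

def report(base: int, image: bytes):
    """Render the parsed header in the same layout as the listing above."""
    linker, dirs, secs = parse_pe(image)
    lines = [f"Directory Information\tBase->{base:#018x}\tLinker({linker})"]
    lines += [f"\t{i:02d}\tVA->{va:#08x}\tSize->{sz:#07x}" for i, (va, sz) in enumerate(dirs)]
    lines.append("Section Information")
    lines += [f"\t{i:02d}: VA->{va:#018x}\tName->{name}" for i, (va, name) in enumerate(secs, 1)]
    return lines

def build_sample_image() -> bytes:
    """Constructed PE32+ header (no code bytes) reusing the ntdll.dll directory and section values
    from the listing above; a test fixture, not a real ntdll."""
    dirs = ([(0x142850, 0x11a97), (0, 0), (0x170000, 0x69398), (0x15d000, 0x0da94),
             (0x1d1000, 0x06450), (0x1da000, 0x004b4), (0x119420, 0x00054)]
            + [(0, 0)] * 3 + [(0x110b20, 0x000f4)] + [(0, 0)] * 5)
    secs = [(0x1000, b".text"), (0x10f000, b"RT"), (0x110000, b".rdata"), (0x155000, b".data"),
            (0x15d000, b".pdata"), (0x16b000, b".mrdata"), (0x16f000, b".00cfg"),
            (0x170000, b".rsrc"), (0x1da000, b".reloc")]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    opt_size = 112 + 16 * 8                                           # standard PE32+ optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(secs), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<HBB", 0x20B, 12, 10) + b"\0" * 104 + struct.pack("<I", 16)  # linker 12.10
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sec_table = b"".join(name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0, va, 0, 0, 0, 0, 0, 0, 0)
                         for va, name in secs)
    return dos + b"PE\0\0" + file_hdr + opt + sec_table

if __name__ == "__main__":
    print("\n".join(report(0x00007FFB92C00000, build_sample_image())))
    print(parse_listing_line(" 10:\tImageBase(0x00007FFCACED0000)\tLinker(12.10)\tLReason->0x3"
                             "\tName->C:\\WINDOWS\\system32\\profapi.dll"))
```

On a live dump the same parse_pe can be fed the bytes read from a module's ImageBase; a delay-load (0x3) or dynamic-load (0x4) module whose header values disagree with the on-disk file is the case the text says warrants the PE walk.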

Next, let us look at the analysis result for the winlogon.exe process.
Started..
+0xFFFFE000220005C0	winlogon.exe
  0:	ImageBase(0x00007FF7E4110000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\System32\WinLogon.exe
  1:	ImageBase(0x00007FFCB0440000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\ntdll.dll
  2:	ImageBase(0x00007FFCB02E0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\KERNEL32.DLL
  3:	ImageBase(0x00007FFCAD290000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\KERNELBASE.dll
  4:	ImageBase(0x00007FFCAF7F0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\msvcrt.dll
  5:	ImageBase(0x00007FFCAE1A0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\sechost.dll
  6:	ImageBase(0x00007FFCAF890000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\RPCRT4.dll
  7:	ImageBase(0x00007FFCACE80000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\powrprof.dll
  8:	ImageBase(0x00007FFCB0390000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\advapi32.dll
  9:	ImageBase(0x00007FFCAC990000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\System32\bcrypt.dll
 10:	ImageBase(0x00007FFCACED0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\system32\profapi.dll
 11:	ImageBase(0x00007FFCABFC0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\winsta.dll
 12:	ImageBase(0x00007FFCAFB90000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\system32\user32.dll
 13:	ImageBase(0x00007FFCAFA00000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\GDI32.dll
 14:	ImageBase(0x00007FFCAF9C0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\IMM32.DLL
 15:	ImageBase(0x00007FFCADDE0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSCTF.dll
 17:	ImageBase(0x00007FFCACEF0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\shcore.dll
 18:	ImageBase(0x00007FFCAFE40000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\combase.dll
 19:	ImageBase(0x00007FFCAB720000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\UxTheme.dll
 20:	ImageBase(0x00007FFCAC870000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\System32\CRYPTBASE.DLL
 21:	ImageBase(0x00007FFCACCA0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\System32\bcryptPrimitives.dll
 23:	ImageBase(0x00007FFCACAA0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\SspiCli.dll
 24:	ImageBase(0x00007FFCAB610000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\apphelp.dll
 26:	ImageBase(0x00007FFCAC1C0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\ntmarta.dll
 27:	ImageBase(0x00007FFCAC0C0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\MPR.dll
 28:	ImageBase(0x00007FFCAAEF0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\wtsapi32.dll
 29:	ImageBase(0x00007FFCAC520000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\USERENV.dll
 31:	ImageBase(0x00007FFCABAC0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\firewallapi.dll
 33:	ImageBase(0x00007FFCA7E70000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\wkscli.dll
 34:	ImageBase(0x00007FFCAC0B0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\netutils.dll
 35:	ImageBase(0x00007FFCABEE0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\System32\AUTHZ.dll
Ended..
Compared with the earlier result for the session manager smss.exe, the number of loaded libraries has increased substantially. The linker versions are uniformly the latest version. A glance at the library list, for example at "Name->C:\WINDOWS\System32\AUTHZ.dll", lets us understand the characteristics and role of this winlogon.exe process.

Looking at the LReason information, we can see that the libraries are loaded in various ways. "LReason->0x3" is defined as "LoadReasonDelayloadDependency = 0n3", so it indicates that the library is not loaded until it is needed. The fact that it is "LReason->0x3" rather than "LReason->0x4" carries an important meaning. Next, let us look at the analysis result for one of the several running chrome.exe instances.
Started..
+0xFFFFE000238545C0	chrome.exe
  0:	ImageBase(0x00007FF71E980000)	Linker(12.00)	LReason->0x4	Name->C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
  1:	ImageBase(0x00007FFCB0440000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\ntdll.dll
  2:	ImageBase(0x00007FFCB02E0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\KERNEL32.DLL
  3:	ImageBase(0x00007FFCAD290000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\KERNELBASE.dll
  4:	ImageBase(0x00007FFCB0390000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\ADVAPI32.dll
  5:	ImageBase(0x00007FFCAF7F0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\msvcrt.dll
  6:	ImageBase(0x00007FFCAE1A0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\sechost.dll
  7:	ImageBase(0x00007FFCAF890000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\RPCRT4.dll
  8:	ImageBase(0x00007FFCAFB90000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\USER32.dll
  9:	ImageBase(0x00007FFCAFA00000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\GDI32.dll
 10:	ImageBase(0x00007FFCA4590000)	Linker(12.00)	LReason->0x0	Name->C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.101\chrome_elf.dll
 11:	ImageBase(0x00007FFCA2850000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\VERSION.dll
 12:	ImageBase(0x00007FFCAB1B0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\WINMM.dll
 13:	ImageBase(0x00007FFCAC520000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\USERENV.dll
 14:	ImageBase(0x00007FFCACED0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\profapi.dll
 15:	ImageBase(0x00007FFCAAEF0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\WTSAPI32.dll
 16:	ImageBase(0x00007FFCAB0A0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\WINMMBASE.dll
 17:	ImageBase(0x00007FFCAD470000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\cfgmgr32.dll
 18:	ImageBase(0x00007FFCAB7C0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\DEVOBJ.dll
 19:	ImageBase(0x00007FFCAF9C0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\IMM32.DLL
 20:	ImageBase(0x00007FFCADDE0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSCTF.dll
 21:	ImageBase(0x00007FFCAE2B0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\SHELL32.dll
 22:	ImageBase(0x00007FFCAD4C0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\windows.storage.dll
 23:	ImageBase(0x00007FFCAFE40000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\combase.dll
 24:	ImageBase(0x00007FFCADF40000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\shlwapi.dll
 25:	ImageBase(0x00007FFCACE70000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\kernel.appcore.dll
 26:	ImageBase(0x00007FFCACEF0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\shcore.dll
 27:	ImageBase(0x00007FFCACE80000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\powrprof.dll
 28:	ImageBase(0x00007FFC87B40000)	Linker(12.00)	LReason->0x4	Name->C:\Program Files (x86)\Google\Chrome\Application\45.0.2454.101\chrome.dll
 29:	ImageBase(0x00007FFCAE010000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\USP10.dll
 30:	ImageBase(0x00007FFCAFE30000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\PSAPI.DLL
 31:	ImageBase(0x00007FFCAFCE0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\ole32.dll
 32:	ImageBase(0x00007FFCADAF0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\OLEAUT32.dll
 33:	ImageBase(0x00007FFCAD180000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\WINTRUST.dll
 34:	ImageBase(0x00007FFCACE50000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSASN1.dll
 35:	ImageBase(0x00007FFCACFB0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\CRYPT32.dll
 36:	ImageBase(0x00007FFCA3070000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\NETAPI32.dll
 37:	ImageBase(0x00007FFCAC6F0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\HID.DLL
 38:	ImageBase(0x00007FFCA5DA0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\OLEACC.dll
 39:	ImageBase(0x00007FFCA9880000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\Secur32.dll
 40:	ImageBase(0x00007FFCA4EC0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10240.16384_none_f41f7b285750ef43\COMCTL32.dll
 41:	ImageBase(0x00007FFCA4250000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\credui.dll
 42:	ImageBase(0x00007FFCA4220000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\NTDSAPI.dll
 43:	ImageBase(0x00007FFCB00C0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\WS2_32.dll
 44:	ImageBase(0x00007FFCAF7E0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\NSI.dll
 45:	ImageBase(0x00007FFCA9980000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\pdh.dll
 46:	ImageBase(0x00007FFCA7E70000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\wkscli.dll
 47:	ImageBase(0x00007FFCAC0E0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\srvcli.dll
 48:	ImageBase(0x00007FFCAC0B0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\netutils.dll
 49:	ImageBase(0x00007FFCAC990000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\bcrypt.dll
 50:	ImageBase(0x00007FFCAC870000)	Linker(12.10)	LReason->0x1	Name->C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
 51:	ImageBase(0x00007FFCACCA0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\bcryptPrimitives.dll
 52:	ImageBase(0x00007FFCA9570000)	Linker(12.10)	LReason->0x1	Name->C:\WINDOWS\SYSTEM32\SAMCLI.DLL
 53:	ImageBase(0x00007FFCACAA0000)	Linker(12.10)	LReason->0x1	Name->C:\WINDOWS\SYSTEM32\SSPICLI.DLL
 54:	ImageBase(0x00007FFCAC1C0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\ntmarta.dll
 55:	ImageBase(0x00007FFCAB720000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\uxtheme.dll
 56:	ImageBase(0x00007FFCA6010000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\SYSTEM32\dwrite.dll
 57:	ImageBase(0x00007FFCAACE0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\system32\dwmapi.dll
 58:	ImageBase(0x00007FFCAA060000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\NLAapi.dll
 59:	ImageBase(0x00007FFCA99D0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\IPHLPAPI.DLL
 60:	ImageBase(0x00007FFCA9870000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\WINNSI.DLL
 61:	ImageBase(0x00007FFCA79A0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\audioses.dll
 62:	ImageBase(0x00007FFCA8950000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\wintypes.dll
 63:	ImageBase(0x00007FFCA83D0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\MMDevAPI.DLL
 64:	ImageBase(0x00007FFCAAD30000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\PROPSYS.dll
 65:	ImageBase(0x00007FFCA7BE0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\dhcpcsvc6.DLL
 66:	ImageBase(0x00007FFCAE200000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\system32\clbcatq.dll
 67:	ImageBase(0x00007FFCA7BB0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\dhcpcsvc.DLL
 68:	ImageBase(0x00007FFCADC10000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\SETUPAPI.dll
 69:	ImageBase(0x00007FFCABD70000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\gpapi.dll
 70:	ImageBase(0x00007FFCA7820000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\wlanapi.dll
 71:	ImageBase(0x00007FFC90200000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\System32\Wpc.dll
 72:	ImageBase(0x00007FFCA90F0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\System32\msvcp_win.dll
 73:	ImageBase(0x00007FFCA8FF0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\ucrtbase.dll
 74:	ImageBase(0x00007FFCAC2A0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\system32\DPAPI.dll
 75:	ImageBase(0x00007FFCAC690000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\mswsock.dll
 76:	ImageBase(0x00007FFCA9890000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\SYSTEM32\WINHTTP.dll
 77:	ImageBase(0x00007FFCAC430000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\DNSAPI.dll
 78:	ImageBase(0x00007FFCA7F30000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\System32\fwpuclnt.dll
 79:	ImageBase(0x00007FFCA37D0000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\rasadhlp.dll
 80:	ImageBase(0x00007FFCABFC0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\WINSTA.dll
 81:	ImageBase(0x00007FFCA7270000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\directmanipulation.dll
 82:	ImageBase(0x00007FFCAC720000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\cryptsp.dll
 83:	ImageBase(0x00007FFCAC340000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\rsaenh.dll
 84:	ImageBase(0x00007FFC9D160000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\dataexchange.dll
 85:	ImageBase(0x00007FFCA5140000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\d2d1.dll
 86:	ImageBase(0x00007FFCAAA30000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\d3d11.dll
 87:	ImageBase(0x00007FFCAB0D0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\dcomp.dll
 88:	ImageBase(0x00007FFCAA990000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\dxgi.dll
 89:	ImageBase(0x00007FFCAB810000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\system32\twinapi.appcore.dll
 90:	ImageBase(0x00007FFC99160000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\explorerframe.dll
 91:	ImageBase(0x00007FFCA71F0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\SYSTEM32\bthprops.cpl
 92:	ImageBase(0x00007FFCA73A0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\BluetoothApis.dll
 93:	ImageBase(0x00007FFCA4C80000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\IMEJP\imjptip.dll
 94:	ImageBase(0x00007FFCA4A60000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\IMEJP\imjpapi.dll
 95:	ImageBase(0x00007FFCA5D60000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\shared\imjkapi.dll
 96:	ImageBase(0x00007FFCA5C90000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\IMEJP\imjppred.dll
 97:	ImageBase(0x00007FFCA40C0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\policymanager.dll
 98:	ImageBase(0x00007FFCA4020000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\msvcp110_win.dll
 99:	ImageBase(0x00007FFCA81B0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\XmlLite.dll
100:	ImageBase(0x00007FFCA5710000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\shared\imetip.dll
101:	ImageBase(0x00007FFCA4620000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\DUI70.dll
102:	ImageBase(0x00007FFCA68D0000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\shared\imecfm.dll
103:	ImageBase(0x00007FFCA74A0000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\wer.dll
104:	ImageBase(0x00007FFCA7B10000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\IME\SHARED\imesearchdll.dll
105:	ImageBase(0x00007FFC97FC0000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\cryptnet.dll
106:	ImageBase(0x00007FFCAE060000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\system32\WLDAP32.dll
107:	ImageBase(0x00007FFC96380000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\SYSTEM32\mscms.dll
108:	ImageBase(0x00007FFCA4390000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\LINKINFO.dll
109:	ImageBase(0x00007FFC98FD0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\Windows.Storage.Search.dll
110:	ImageBase(0x00007FFCA56E0000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\edputil.dll
111:	ImageBase(0x00007FFCA5870000)	Linker(12.10)	LReason->0x0	Name->C:\WINDOWS\SYSTEM32\iertutil.dll
112:	ImageBase(0x00007FFCAB610000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\apphelp.dll
113:	ImageBase(0x00007FFC98F40000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\SearchFolder.dll
114:	ImageBase(0x00007FFC93980000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\System32\StructuredQuery.dll
118:	ImageBase(0x00007FFC999E0000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\mssprxy.dll
119:	ImageBase(0x00007FFCAAF10000)	Linker(12.10)	LReason->0x3	Name->C:\WINDOWS\SYSTEM32\SAMLIB.dll
120:	ImageBase(0x00007FFCA8000000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\system32\avrt.dll
121:	ImageBase(0x00007FFC98330000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\devenum.dll
122:	ImageBase(0x00007FFCAB260000)	Linker(12.10)	LReason->0x4	Name->C:\WINDOWS\SYSTEM32\msdmo.dll
123:	ImageBase(0x00007FFCA7570000)	Linker(12.10)	LReason->0x4	Name->C:\Windows\System32\BitsProxy.dll
The two processes above, smss.exe and winlogon.exe, are Microsoft's own applications, so to speak, whereas chrome.exe is a Google application. That difference appears to show in the linker versions used. The loaded library information conveys the complexity of the browser. Finally, here is an analysis result from a kernel memory dump captured on a Windows XP system.
kd> vertarget
Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.130704-0421
Machine Name:
Kernel base = 0x804d9000 PsLoadedModuleList = 0x805561c0
Debug session time: Sun Jul 20 17:07:14.593 2014 (UTC + 9:00)
System Uptime: 0 days 0:07:35.140

Started..
+0x8A5C3BE8	explorer.exe
  0:	ImageBase(0x01000000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\Explorer.EXE
  1:	ImageBase(0x7C940000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ntdll.dll
  2:	ImageBase(0x7C800000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\kernel32.dll
  3:	ImageBase(0x77D80000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ADVAPI32.dll
  4:	ImageBase(0x77E30000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\RPCRT4.dll
  5:	ImageBase(0x77FA0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\Secur32.dll
  6:	ImageBase(0x75ED0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\BROWSEUI.dll
  7:	ImageBase(0x77ED0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\GDI32.dll
  8:	ImageBase(0x77CF0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\USER32.dll
  9:	ImageBase(0x77BC0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\msvcrt.dll
 10:	ImageBase(0x76970000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ole32.dll
 11:	ImageBase(0x77F20000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\SHLWAPI.dll
 12:	ImageBase(0x770D0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\OLEAUT32.dll
 13:	ImageBase(0x7E740000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\SHDOCVW.dll
 14:	ImageBase(0x765C0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\CRYPT32.dll
 15:	ImageBase(0x77C40000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSASN1.dll
 16:	ImageBase(0x75410000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\CRYPTUI.dll
 17:	ImageBase(0x59250000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\NETAPI32.dll
 18:	ImageBase(0x77BB0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\VERSION.dll
 19:	ImageBase(0x40290000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\WININET.dll
 20:	ImageBase(0x00400000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\Normaliz.dll
 21:	ImageBase(0x442A0000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\urlmon.dll
 22:	ImageBase(0x40930000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\iertutil.dll
 23:	ImageBase(0x76BE0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WINTRUST.dll
 24:	ImageBase(0x76C40000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\IMAGEHLP.dll
 25:	ImageBase(0x76F10000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WLDAP32.dll
 26:	ImageBase(0x7D5B0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\SHELL32.dll
 27:	ImageBase(0x58730000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\UxTheme.dll
 28:	ImageBase(0x5A620000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ShimEng.dll
 29:	ImageBase(0x567F0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\AppPatch\AcGenral.DLL
 30:	ImageBase(0x76AF0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WINMM.dll
 31:	ImageBase(0x77B90000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSACM32.dll
 32:	ImageBase(0x7E8C0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\USERENV.dll
 33:	ImageBase(0x762E0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\IMM32.DLL
 34:	ImageBase(0x60740000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\LPK.DLL
 35:	ImageBase(0x73F80000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\USP10.dll
 36:	ImageBase(0x77160000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
 37:	ImageBase(0x5AB60000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\comctl32.dll
 38:	ImageBase(0x73620000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\msctfime.ime
 39:	ImageBase(0x4EDC0000)	Linker(06.00)	LReason->0x0	Name->C:\WINDOWS\system32\imjp81.ime
 40:	ImageBase(0x648F0000)	Linker(06.00)	LReason->0x0	Name->C:\WINDOWS\system32\imjp81k.dll
 41:	ImageBase(0x76D90000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\appHelp.dll
 42:	ImageBase(0x76F80000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\CLBCATQ.DLL
 43:	ImageBase(0x77000000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\COMRes.dll
 44:	ImageBase(0x76570000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\cscui.dll
 45:	ImageBase(0x76550000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\CSCDLL.dll
 46:	ImageBase(0x59020000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\themeui.dll
 47:	ImageBase(0x762D0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSIMG32.dll
 48:	ImageBase(0x00010000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\xpsp2res.dll
 49:	ImageBase(0x3B100000)	Linker(06.00)	LReason->0x0	Name->C:\WINDOWS\IME\IMJP8_1\Dicts\IMJPCD.DIC
 50:	ImageBase(0x71C90000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\actxprxy.dll
 51:	ImageBase(0x5D960000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\msutb.dll
 52:	ImageBase(0x74660000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSCTF.dll
 53:	ImageBase(0x76930000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\LINKINFO.dll
 54:	ImageBase(0x76940000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ntshrui.dll
 55:	ImageBase(0x76AD0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ATL.DLL
 56:	ImageBase(0x76040000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\SETUPAPI.dll
 57:	ImageBase(0x40B20000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\ieframe.dll
 58:	ImageBase(0x7E1E0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\NETSHELL.dll
 59:	ImageBase(0x76BB0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\credui.dll
 60:	ImageBase(0x42E00000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\dot3api.dll
 61:	ImageBase(0x76E30000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\rtutils.dll
 62:	ImageBase(0x7D1D0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\dot3dlg.dll
 63:	ImageBase(0x4D550000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\OneX.DLL
 64:	ImageBase(0x76F00000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WTSAPI32.dll
 65:	ImageBase(0x762B0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WINSTA.dll
 66:	ImageBase(0x4A830000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\eappcfg.dll
 67:	ImageBase(0x75FD0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSVCP60.dll
 68:	ImageBase(0x46110000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\eappprxy.dll
 69:	ImageBase(0x76D10000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\iphlpapi.dll
 70:	ImageBase(0x719E0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WS2_32.dll
 71:	ImageBase(0x719D0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WS2HELP.dll
 72:	ImageBase(0x7C9E0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\msi.dll
 73:	ImageBase(0x68000000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\rsaenh.dll
 74:	ImageBase(0x00400000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\webcheck.dll
 75:	ImageBase(0x74CD0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MLANG.dll
 76:	ImageBase(0x75AA0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\stobject.dll
 77:	ImageBase(0x74A30000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\BatMeter.dll
 78:	ImageBase(0x74A10000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\POWRPROF.dll
 79:	ImageBase(0x72C70000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\wdmaud.drv
 80:	ImageBase(0x72C60000)	Linker(07.00)	LReason->0x0	Name->C:\WINDOWS\system32\msacm32.drv
 81:	ImageBase(0x77B80000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\midimap.dll
 82:	ImageBase(0x72F80000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WZCSAPI.DLL
 83:	ImageBase(0x5BA30000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\wzcdlg.dll
 84:	ImageBase(0x4A5A0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\WINHTTP.dll
 85:	ImageBase(0x71A50000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MPR.dll
 86:	ImageBase(0x75EB0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\drprov.dll
 87:	ImageBase(0x71B60000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\ntlanman.dll
 88:	ImageBase(0x71C20000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\NETUI0.dll
 89:	ImageBase(0x71BE0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\NETUI1.dll
 90:	ImageBase(0x71BD0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\NETRAP.dll
 91:	ImageBase(0x71B40000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\SAMLIB.dll
 92:	ImageBase(0x75EC0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\System32\davclnt.dll
 93:	ImageBase(0x71600000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\browselc.dll
 94:	ImageBase(0x6C330000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\DUSER.dll
 95:	ImageBase(0x71800000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\shdoclc.dll
 96:	ImageBase(0x758B0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSGINA.dll
 97:	ImageBase(0x73520000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\ODBC32.dll
 98:	ImageBase(0x76300000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\comdlg32.dll
 99:	ImageBase(0x1F840000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\odbcint.dll
100:	ImageBase(0x73AF0000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\sti.dll
101:	ImageBase(0x74A20000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\CFGMGR32.dll
102:	ImageBase(0x22000000)	Linker(11.00)	LReason->0x0	Name->C:\Program Files\ESET\ESET Smart Security\shellExt.dll
103:	ImageBase(0x5E340000)	Linker(07.10)	LReason->0x0	Name->C:\WINDOWS\system32\MSISIP.DLL
104:	ImageBase(0x7DFC0000)	Linker(08.00)	LReason->0x0	Name->C:\WINDOWS\system32\wshext.dll
Ended..
From this analysis result we can read the following circumstances. A summary of the functionality of a loaded library can be investigated with a command such as the following.
kd> x shellExt!*
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for shellExt.dll - 
22001e30          shellExt!DllCanUnloadNow ()
22001e60          shellExt!DllGetClassObject ()
22003a90          shellExt!ESS_ShellExtension_install ()
22003b10          shellExt!ESS_ShellExtension_uninstall ()






If you are planning to introduce practical analysis-code development skills, we would be pleased if you would discuss it within your team and consider attending the on-site seminar offered by this IT談話館.


Copyright © 豊田孝 2004-2017