Check your system virginity in less than 60 seconds.


Today I wrote a tool called sym32guid, which retrieves every Program Database (*.PDB file) GUID (Globally Unique Identifier) stored in a physical memory dump. Why? The first goal was to use symbols as additional information about unexported functions like the über-famous msv1_0!MsvpPasswordValidate, but it looks like it can also be used to detect viruses and trojans…

The target machine is a 32-bit Windows Vista SP1 that I installed last week inside a virtual machine; I extracted the physical memory dump from the Windows hibernation file with the SandMan framework.

Sym32GUID - Symbols 32bits GUID dumper.
 Matthieu Suiche (c) 2008 - http://www.msuiche.net

Searching for PDB signature....

  Guid: {5b360e5e-6cb4-4fed-aace-dc446ac26a6b} PDB: bootmgr.pdb
  Guid: {01b4cd8a-8437-4a8c-b6bf-20da89086b5c} PDB: dxapi.pdb
  Guid: {c1772914-3219-4cc8-a5d6-b9e083420760} PDB: luafv.pdb
  Guid: {ff6c84fc-d2e5-4d92-8d1b-cd38165357ea} PDB: diskdump.pdb
  Guid: {abe17e2b-a5fc-4268-9a35-2fa52d3ba68e} PDB: msacm32.pdb
  Guid: {f4e61857-4910-4231-8000-c5ce88b4d6e6} PDB: ksuser.pdb
  Guid: {3376eb68-740d-46ed-9f9c-095791216b12} PDB: qagent.pdb
  Guid: {ef783696-2ace-4995-9135-86e950a0dcde} PDB: mgmtapi.pdb
  Guid: {3ceab1e1-dc75-4adf-ad90-ddf2983ada17} PDB: main.pdb
  Guid: {c87b26a9-4f69-4f2c-b840-274f2f92085d} PDB: MFPS.pdb
  Guid: {52bcd81d-e4c1-4b42-91c9-ddebc15b213b} PDB: intl.pdb
  Guid: {d44d8060-ea0b-4211-8894-40831430abe7} PDB: oobefldr.pdb
  Guid: {8d6249e0-dba8-466a-b545-ca680b3541ee} PDB: glu32.pdb
  Guid: {09463a53-f731-4e8f-a4dd-528945738ac7} PDB: wuapi.pdb
  Guid: {13c87af1-e9a5-4c12-8acc-fae8a92a77ce} PDB: dxva2.pdb
  Guid: {baa51a0e-f312-473b-ac4c-ba694e867cb5} PDB: icm32.pdb
  Guid: {9f6ca43b-973a-4823-ba82-0c51a37513d3} PDB: msdmo.pdb
  Guid: {9d95f9c7-ae33-4799-aeab-f5ad264c40a8} PDB: aclui.pdb
  Guid: {ec36dd80-0c84-40ee-b65f-f673059562dc} PDB: FXSMON.pdb
  Guid: {abfc57f5-72d7-4675-a81a-488c2a30d970} PDB: cscapi.pdb
  Guid: {af02eb9b-cd67-4ab0-a33d-c299abce16cd} PDB: cscui.pdb
  Guid: {fc2b56b8-2613-4912-95a3-f60ae1061ecc} PDB: ddraw.pdb
  Guid: {c0e31437-4eb3-4d6d-8f52-6ae5f3476dc6} PDB: TCPMON.pdb
  Guid: {6a735a67-dd84-4d78-b665-73d98f265806} PDB: w:\Starteam\1999_ThinPrint\SE\Dev\Quellcodes\MSdev\TPVMMon\Release English\TPVMMon.pdb
  Guid: {0825361b-f2ef-4b18-9fd5-e2ada3dc7264} PDB: eappprxy.pdb
  Guid: {03d7dbf2-52f4-48a4-84a9-e17fb7734ee6} PDB: ntkrpamp.pdb
(...)
  Guid: {f6dc669d-d565-4fff-8767-fc756dc8141c} PDB: kbdus.pdb
  Guid: {90140190-0102-7375-6572-33322e706462} PDB: !#HSTR:Trojan:Win32/Busky.EI
  Guid: {9942c1ad-f742-4a3c-8682-8a7925e3f0d0} PDB: appwiz.pdb
  Guid: {ee6f2dea-68d5-45a9-9bf5-30f52acf7e31} PDB: HNetCfg.pdb
(...)
  Guid: {a6364233-9105-49f3-a054-e0bd5869f65f} PDB: win32k.pdb
  Guid: {65bc1194-c0d0-420d-be9d-26b894a4dddd} PDB: dxg.pdb
  Guid: {c75665db-de52-4724-8b6c-0d9389c4d326} PDB: TSddd.pdb
  Guid: {4baaedc2-8c46-4577-adf9-5aca59f7f6c9} PDB: clfs.pdb
  Guid: {271175d5-763c-48a7-9600-8af3b4096251} PDB: ci.pdb
  Guid: {032c7493-d12b-4132-b060-690307a1cf02} PDB: kdcom.pdb
  Guid: {bc65b112-97d7-4f25-bb01-7884612e1efb} PDB: pshed.pdb
  Guid: {02125e70-512a-456f-bb0e-955ad9d31525} PDB: bootvid.pdb
  Guid: {17d8e566-7c50-42ad-b862-830e99e1d3a5} PDB: mcupdate_GenuineIntel.pdb
[TOTAL:] Sym32GUID retrieved 697 GUID signatures.

And we see the presence of !#HSTR:Trojan:Win32/Busky.EI. Awesome, no? :) This might mean that old-school ASM virus programmers are dead now. Moreover, it also shows that Visual Studio can do an anti-virus job with its debug directory.

 Sym32GUID - Symbols 32bits GUID dumper.
 Matthieu Suiche (c) 2008 - http://www.msuiche.net

   Usage: Sym32Guid.exe [option] dumpfile
Commands:
   -u      Print the remote url to download the symbol from Microsoft server.

Sample:
   Sym32Guid.exe memory.dump     Search guid.
   Sym32Guid.exe -u memory.dump  Search guid and print msdl url.