Static | ZeroBOX

PE Compile Time

2021-05-15 21:44:55

PDB Path

G:\源码\hello\Release\netfilterdrv.pdb

PE Imphash

b5403fb8687d7afd40fd8cf3b4dfe29b

Sections

Name     Virtual Address   Virtual Size   Size of Raw Data   Entropy
.text    0x00001000        0x00005de8     0x00005e00         6.33706862811
.rdata   0x00007000        0x000005f4     0x00000600         4.53936050908
.data    0x00008000        0x00009428     0x00002800         0.689083630572
INIT     0x00012000        0x00000b48     0x00000c00         5.48718881188
.reloc   0x00013000        0x00000694     0x00000800         6.04338394911

Imports

Library fwpkclnt.sys:
0x407044 FwpmFilterAdd0
0x407048 FwpmCalloutAdd0
0x407050 FwpmSubLayerAdd0
0x407060 FwpmEngineClose0
0x407064 FwpmEngineOpen0
Library ntoskrnl.exe:
0x407078 IofCallDriver
0x40707c IoCreateFile
0x407080 IoFreeIrp
0x407098 ZwReadFile
0x40709c ZwWriteFile
0x4070a0 ZwClose
0x4070a4 IoFileObjectType
0x4070b8 sprintf
0x4070c8 MmIsAddressValid
0x4070cc strlen
0x4070d0 strncmp
0x4070d4 strncpy
0x4070d8 wcscat
0x4070dc wcslen
0x4070e0 wcsncmp
0x4070e4 RtlInitAnsiString
0x4070e8 strcat
0x4070ec strcmp
0x4070f0 strncat
0x407100 wcscpy
0x407114 KeResetEvent
0x407118 KeInitializeTimerEx
0x40711c KeSetTimerEx
0x407124 ZwCreateKey
0x407128 ZwOpenKey
0x40712c ZwFlushKey
0x407130 ZwQueryValueKey
0x407134 ZwSetValueKey
0x40713c RtlLengthSid
0x407144 RtlCreateAcl
0x40715c ZwSetSecurityObject
0x407164 _allmul
0x407168 PsProcessType
0x40716c SeExports
0x407170 strchr
0x407174 strncpy_s
0x407178 MmProbeAndLockPages
0x40717c MmUnlockPages
0x407180 IoAllocateMdl
0x407184 IoFreeMdl
0x407188 IoReuseIrp
0x40718c IoAllocateIrp
0x407190 RtlUnwind
0x407198 KeSetEvent
0x40719c KeInitializeEvent
0x4071a0 KeGetCurrentThread
0x4071a8 KeBugCheckEx
0x4071ac ExFreePoolWithTag
0x4071b8 strcpy
0x4071bc memset
0x4071c0 memcpy
0x4071c4 strstr
Library NETIO.SYS:
0x407008 WskDeregister
0x407014 WskRegister
Library HAL.dll:
0x407000 KeGetCurrentIrql
Library WDFLDR.SYS:
0x40701c WdfVersionBind
0x407020 WdfVersionBindClass
0x407028 WdfVersionUnbind

Strings

!This program cannot be run in DOS mode.
1213a8a5441e9bf3fe1216110cded656
%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x
%sc=%s
%08X%08X
http://
\hello\Release\netfilterdrv.pdb
.text$mn
.text$s
.idata$5
.00cfg
.gfids
.rdata
.rdata$sxdata
.rdata$zzzdbg
.xdata$x
.kmdfclassbind$a
.kmdfclassbind$c
.kmdfclassbind$d
.kmdftypeinit$a
.kmdftypeinit$c
.idata$2
.idata$3
.idata$4
.idata$6
FwpsCalloutRegister1
FwpsCalloutUnregisterById0
FwpmEngineOpen0
FwpmEngineClose0
FwpmTransactionBegin0
FwpmTransactionCommit0
FwpmTransactionAbort0
FwpmSubLayerAdd0
FwpmSubLayerDeleteByKey0
FwpmCalloutAdd0
FwpmFilterAdd0
FwpmFilterDeleteById0
FwpsAcquireClassifyHandle0
FwpsReleaseClassifyHandle0
FwpsCompleteClassify0
FwpsAcquireWritableLayerDataPointer0
FwpsApplyModifiedLayerData0
fwpkclnt.sys
memcpy
memset
strcpy
RtlInitUnicodeString
ExFreePoolWithTag
IoDeleteSymbolicLink
KeGetCurrentThread
KeInitializeEvent
KeSetEvent
KeWaitForSingleObject
ExAllocatePoolWithTag
IoAllocateIrp
IofCallDriver
IoCreateFile
IoFreeIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
ObfDereferenceObject
ZwQueryInformationFile
ZwSetInformationFile
ZwReadFile
ZwWriteFile
ZwClose
IoFileObjectType
KeEnterCriticalRegion
KeLeaveCriticalRegion
PsTerminateSystemThread
KeSetBasePriorityThread
sprintf
CmUnRegisterCallback
CmRegisterCallbackEx
CmCallbackGetKeyObjectID
MmIsAddressValid
strlen
strncmp
strncpy
wcscat
wcslen
wcsncmp
RtlInitAnsiString
strcat
strcmp
strncat
strstr
ExAcquireSpinLockExclusive
ExReleaseSpinLockExclusive
wcscpy
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
RtlCreateSecurityDescriptor
RtlSetDaclSecurityDescriptor
KeResetEvent
KeInitializeTimerEx
KeSetTimerEx
PsCreateSystemThread
ZwCreateKey
ZwOpenKey
ZwFlushKey
ZwQueryValueKey
ZwSetValueKey
NtQueryInformationToken
RtlLengthSid
RtlConvertSidToUnicodeString
RtlCreateAcl
RtlAddAccessAllowedAce
RtlSetOwnerSecurityDescriptor
PsLookupProcessByProcessId
ObOpenObjectByPointer
ZwOpenProcessTokenEx
ZwSetSecurityObject
PsGetProcessImageFileName
_allmul
PsProcessType
SeExports
strchr
strncpy_s
MmProbeAndLockPages
MmUnlockPages
IoAllocateMdl
IoFreeMdl
IoReuseIrp
ntoskrnl.exe
RtlUnwind
WskRegister
WskCaptureProviderNPI
WskReleaseProviderNPI
WskDeregister
NETIO.SYS
KeBugCheckEx
KeGetCurrentIrql
HAL.dll
RtlCopyUnicodeString
WdfVersionUnbind
WdfVersionBind
WdfVersionBindClass
WdfVersionUnbindClass
WDFLDR.SYS
@ImagePath
320000
[]{Blob
D:P(A;;GA;;;SY)(A;;GA;;;BA)
@KmdfLibrary
Globalsign
Legal_Policy_Statement
Antivirus Signature
Bkav Clean
Elastic Clean
DrWeb Clean
ClamAV Clean
CMC Clean
CAT-QuickHeal Clean
ALYac Clean
Malwarebytes Clean
VIPRE Clean
AegisLab Trojan.Win32.Generic.4!c
Sangfor Trojan.Win32.Retliften.A
CrowdStrike Clean
BitDefender Rootkit.Agent.AJIH
K7GW Clean
K7AntiVirus Clean
BitDefenderTheta Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Win32/Agent.ADFG
Zoner Clean
TrendMicro-HouseCall Clean
Paloalto Clean
Cynet Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
SUPERAntiSpyware Clean
MicroWorld-eScan Rootkit.Agent.AJIH
Tencent Clean
Ad-Aware Clean
Sophos Clean
Comodo Clean
F-Secure Clean
Baidu Clean
Zillya Clean
TrendMicro Clean
FireEye Clean
Emsisoft Rootkit.Agent.AJIH (B)
Ikarus Clean
GData Win32.Rootkit.Netfilter.O
Jiangmin Clean
MaxSecure Clean
Avira Clean
Antiy-AVL Clean
Kingsoft Clean
Gridinsoft Clean
Arcabit Rootkit.Agent.AJIH
ViRobot Clean
ZoneAlarm Clean
Microsoft Trojan:Win32/Retliften.A
TACHYON Clean
AhnLab-V3 Clean
Acronis Clean
McAfee Artemis!CB34374F1B5F
MAX malware (ai score=85)
VBA32 Clean
Cylance Clean
Panda Clean
APEX Clean
Rising Rootkit.Hijacker!1.D587 (CLASSIC)
Yandex Clean
SentinelOne Clean
eGambit Clean
Fortinet Clean
Webroot W32.Trojan.Gen
Cybereason Clean
Avast Clean
Qihoo-360 Clean
No IRMA results available.