import Structs
#[
SourceImage: C:\Windows\system32\wbem\wmiprvse.exe
CallTrace:
C:\Windows\SYSTEM32\ntdll.dll + 9d204
C:\Windows\System32\KERNELBASE.dll + 2c13e
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + c669
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + c71b
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + 2fde
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + 2b9e
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + 2659
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + 11b6
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CorperfmonExt.dll + c144
C:\Windows\System32\KERNEL32.DLL + 17034
C:\Windows\SYSTEM32\ntdll.dll + 52651
NB Don't include first frame as this will automatically be recorded by the syscall in NtOpenProcess
]#
# Frame table for the wmiprvse.exe trace in the block comment above: the
# ten entries are CallTrace frames 2-11, in trace order; frame 1
# (ntdll.dll + 9d204) is deliberately omitted, see the NB in that comment.
# NOTE(review): the SourceImage/CallTrace layout of the comment looks like a
# Sysmon ProcessAccess (Event ID 10) record — confirm against the source
# the trace was copied from.
# Only dllName, offset and requiresLoadLibrary carry information here:
# totalStackSize, returnAddress, countOfCodes and pushRbpIndex are all 0,
# setsFramePointer and pushRbp all false. Presumably these are filled in by
# the code that consumes the seq, which would also explain why this is an
# exported `var` rather than `let` — TODO confirm; HelperStackFrame is
# declared in Structs and its field contract is not visible in this file.
# requiresLoadLibrary is true for the first CorperfmonExt.dll entry only.
var wmiCallStack*:seq[HelperStackFrame] = @[
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\kernelbase.dll", offset: 0x2c13e, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0xc669, totalStackSize: 0, requiresLoadLibrary: true, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0xc71b, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0x2fde, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0x2b9e, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0x2659, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0x11b6, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\CorperfmonExt.dll", offset: 0xc144, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\kernel32.dll", offset: 0x17034, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\ntdll.dll", offset: 0x52651, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0)
]
#[
SourceImage: C:\Windows\system32\svchost.exe
CallTrace:
C:\Windows\SYSTEM32\ntdll.dll + 9d204
C:\Windows\System32\KERNELBASE.dll + 32ea6
C:\Windows\System32\lsm.dll + e959
C:\Windows\System32\RPCRT4.dll + 79633
C:\Windows\System32\RPCRT4.dll + 13711
C:\Windows\System32\RPCRT4.dll + dd77b
C:\Windows\System32\RPCRT4.dll + 5d2ac
C:\Windows\System32\RPCRT4.dll + 5a408
C:\Windows\System32\RPCRT4.dll + 3a266
C:\Windows\System32\RPCRT4.dll + 39bb8
C:\Windows\System32\RPCRT4.dll + 48a0f
C:\Windows\System32\RPCRT4.dll + 47e18
C:\Windows\System32\RPCRT4.dll + 47401
C:\Windows\System32\RPCRT4.dll + 46e6e
C:\Windows\System32\RPCRT4.dll + 4b542
C:\Windows\SYSTEM32\ntdll.dll + 20330
C:\Windows\SYSTEM32\ntdll.dll + 52f26
C:\Windows\System32\KERNEL32.DLL + 17034
C:\Windows\SYSTEM32\ntdll.dll + 52651
]#
# Frame table for the first svchost.exe trace in the block comment above
# (the lsm.dll / RPCRT4.dll one): the eighteen entries are CallTrace frames
# 2-19 in trace order; frame 1 (ntdll.dll + 9d204) is omitted, as in the
# other tables in this file.
# Only dllName, offset and requiresLoadLibrary vary between entries; every
# other field is 0 / false here — presumably populated later by the code
# that consumes the seq (TODO confirm; HelperStackFrame lives in Structs).
# requiresLoadLibrary is true for three entries: lsm.dll + e959,
# RPCRT4.dll + 79633 and RPCRT4.dll + 47401.
# The trailing comma after the last element is accepted by Nim's seq
# literal syntax and has no effect.
var rpcCallStack*:seq[HelperStackFrame] = @[
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\kernelbase.dll", offset: 0x32ea6, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\lsm.dll", offset: 0xe959, totalStackSize: 0, requiresLoadLibrary: true, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x79633, totalStackSize: 0, requiresLoadLibrary: true, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x13711, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0xdd77b, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x5d2ac, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x5a408, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x3a266, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x39bb8, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x48a0f, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x47e18, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x47401, totalStackSize: 0, requiresLoadLibrary: true, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x46e6e, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\RPCRT4.dll", offset: 0x4b542, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\ntdll.dll", offset: 0x20330, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\ntdll.dll", offset: 0x52f26, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\kernel32.dll", offset: 0x17034, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\ntdll.dll", offset: 0x52651, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
]
#[
SourceImage: C:\Windows\system32\svchost.exe
CallTrace:
C:\Windows\SYSTEM32\ntdll.dll + 9d204
C:\Windows\System32\KERNELBASE.dll + 2c13e
C:\Windows\system32\sysmain.dll + 80e5f
C:\Windows\system32\sysmain.dll + 60ce6
C:\Windows\system32\sysmain.dll + 2a7d3
C:\Windows\system32\sysmain.dll + 2a331
C:\Windows\system32\sysmain.dll + 66cf1
C:\Windows\system32\sysmain.dll + 7b59e
C:\windows\system32\sysmain.dll + 67ecf
C:\Windows\system32\svchost.exe + 4300
C:\Windows\System32\sechost.dll + df78
C:\Windows\System32\KERNEL32.DLL + 17034
C:\Windows\SYSTEM32\ntdll.dll + 52651
]#
# Frame table for the second svchost.exe trace in the block comment above
# (the sysmain.dll one): the twelve entries are CallTrace frames 2-13 in
# trace order; frame 1 (ntdll.dll + 9d204) is omitted, as in the other
# tables in this file.
# Only dllName, offset and requiresLoadLibrary vary between entries; every
# other field is 0 / false here — presumably populated later by the code
# that consumes the seq (TODO confirm; HelperStackFrame lives in Structs).
# requiresLoadLibrary is true for two entries: sysmain.dll + 80e5f and
# svchost.exe + 4300. Note that the svchost.exe entry is the only one whose
# dllName is an .exe rather than a .dll.
var svchostCallStack*:seq[HelperStackFrame] = @[
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\kernelbase.dll", offset: 0x2c13e, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x80e5f, totalStackSize: 0, requiresLoadLibrary: true, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x60ce6, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x2a7d3, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x2a331, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x66cf1, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x7b59e, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\system32\\sysmain.dll", offset: 0x67ecf, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\svchost.exe", offset: 0x4300, totalStackSize: 0, requiresLoadLibrary: true, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\sechost.dll", offset: 0xdf78, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\kernel32.dll", offset: 0x17034, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0),
HelperStackFrame(dllName: "C:\\Windows\\SYSTEM32\\ntdll.dll", offset: 0x52651, totalStackSize: 0, requiresLoadLibrary: false, setsFramePointer: false, returnAddress: 0,pushRbp: false,countOfCodes: 0,pushRbpIndex: 0)
]
# x86 call stacks