IACRB, Information Assurance Certification Review Board
About IACRB CEPT CASS CSSA CREA CPT Contact Us
 
An industry standard organization.
Formed by information security professionals.
A not-for-profit legal entity with a sole mission to certify individuals.
Requires all exam candidates to pass a hands-on practical examination
Click here to Read More
IA Certifications

Exam Fees
Flat fee of $499 per exam
On-site proctored exams are $399 per voucher
Contact Us to Regsiter!!
#
#
d

#
Certified Reverse Engineering Analyst (CREA) Practical #971
#

 


Table of Contents

1)      Executive Summary
2)      Identification
3)      Behavioral and code analysis findings
4)      Mitigation
Appendix A- Full Anti-virus Scan results
Appendix B – NP_GetEntryPoints code from recent version of NPMywebS.dll

List of Figures

Figure 1: validating current windows user and “Application Data” path
Figure 2: Code to iterate through all user profiles and infect them
Figure 3: Checking windows registry and updating it if necessary
Figure 4: Browser home directory detection and call to InstallPluginChrome
Figure 5: Malware programmer wrong assumption about installed-chrome.txt file
Figure 6: Call to DllRegisterServer from plug-in event handler
Figure 7: Plug-in function pointer setups by NP_GetEntryPoints
Figure 8: NPMyWebS.dll dynamically loads malware and calls its NP_GetEntryPoints function

List of Tables

Table 1: Identification results
Table 2:  Anti-virus detection for the sample
Table 3: Files copied by the malware to victim browser directory
Table 4: Analysis findings

 

Executive Summary

The purpose of this analysis is to learn what the code does and develop a report which contains the details requested in the “Practical Exam Guide” by IACRB.
The analyst found that the malicious code results in installation of a “Browser Helper Object” (BHO) on the affected system in the form of a “Search Toolbar”. The file targets Mozilla Firefox and Netscape browsers. The code also provides an “Update” capability for the installed toolbar. The search toolbar would allow the user to query search engines such as Google and Yahoo but in the meantime it tracks user search/browsing habits. As a result, it could be classified as a spyware or adware. Internet foot-printing shows that the code is affiliated with the MyWebSearchweb sitewhich is known for its adware and spyware activities.  The analyst also analyzed new versions of the code not provided by IACRB but downloaded from MyWebSearch. This data reveals similar functionality in the newer versions of the code.  

You can download the malware binary that was used for this analyst report here.
The password for the malware archvie is infected

Identification

The following table lists the characteristic information about received sample file.
Table 1: Identification results


File name

malware.exe

File Size

49245 bytes

MD5 hash

314e0468433fccd2a52b0b4e192d109b

SHA1 hash

d5d6af77b185612d0c4292ab08929d352fb86b51

SHA256 hash

75b50fbc93248e29efe6ffd506b72bd34f72ecaf2c4138df4acdb0c9b254310e

PEiD

N/A (no known compression/obfuscation found)

PE Structure information

[Base Data]
entrypointaddress.: 0x2b72
timedatestamp: 0x463fc0b3 (Tue May 08 00:13:39 2007)
machinetype: 0x14c (I386)
[sections]
name viradd virsiz rawdsiz
.text 0x1000 0x5b8e 0x6000
.rdata 0x7000 0x12b7 0x2000
.data 0x9000 0x248 0x1000
.rsrc 0xa000 0x520 0x1000
.reloc 0xb000 0x4f6 0x1000
[directory Information]
TLSTable:  N/A (No Thread local storage is used)
Debug: FOUND, Type=2 (CodeView)  PDB File=L:\dev\mws2,2,60,11\Variations\FunWebProductsBar\Release.Plugin\m3Plugin.pdb
[6 exports]
DllRegisterServer, DllUnregisterServer, NP_GetEntryPoints, NP_Initialize, NP_Shutdown, UTB
[7 imports]
KERNEL32.dll,USER32.dll,SHELL32.dll, ADVAPI32.dll,ole32.dll,OLEAUT32.dll,VERSION.dll

Version Information

publisher: MyWebSearch.com
copyright: Copyright (c) 2000, 2001, 2002, 2003, 2004, 2005, 2006
product: My Web Search Plug-in
description: My Web Search Plugin for 32-bit Windows
original name: m3Plugin.DLL
internal name: MyWebSearch Plugin
file version: 1, 0, 1, 3
comments: N/A
signers:  N/A
signing date.:  N/A
verified: Unsigned

Based on IDA pro FLIRT signatures the file is compiled using MS Visual C++ on Tue May 08 00:13:39 2007. It’s a component of a software package named “FunWebProductsBar” from MyWebSearch.com. Courtesy of virustotal.com and/or other sources, the analyst has found the following updated antivirus scan results identifying malicious sample as adware/spyware:
Table 2:  Anti-virus detection for the sample


Anti-virus

Detected As

Sunbelt 3.2.1858.2

MyWebSearch Toolbar

NOD32 4796

Win32/Toolbar.MyWebSearch

McAfee 5868

potentially unwanted program MWS

Kaspersky 7.0.0.125

not-a-virus:AdTool.Win32.MyWebSearch

See appendix A for a full copy of anti-virus scan results and signature updates timestamps.

Behavioral and code analysis findings

The analyst tested this malicious code in a Windows virtual machine to analyze its behavior and functionality. The operating system displays an “Invalid win32 application” error while running the original file (malware.exe). This indicates that the file can’t be run directly and probably needs some kind of “loader”.  The entry point is set to DllMain function which is called when a DLL file is loaded by windows.  However, disassembling this function code shows no interesting behavior. The existence of DllRegisterServer and DllUnregisterServer functions in the export list reveals that the file could be a Windows COM+ DLL file which are normally loaded and registered using regsvr32.exe or rundll32.exe tools.  The following commands were used to test this idea on the file that is now renamed to malware.dll:

  • Regsvr32 malware.dll
  • Rundll32 malware.dll,DllRegisterServer

Invoking the DllRegisterServer function using either of the above commands resulted in creation of the following windows registry entry:
Key name: HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch\bar
Value(s):
PluginPath=c:\files\   
[“c:\files\” is the folder name that contains malware.dll]
No file system or network activities were noticed at this time and it appears that the function did not run completely. The analyst attempted to reverse engineer the detail functionality of DllRegisterServer function in order to discover its detail functionality and find out the reasons of the above incomplete execution.
A combination of static (IDA pro) and runtime analysis (OllyDbg debugger) was used in the reverse engineering process. The following steps were taken to load debug the target DLL inside Ollydbg:

  •  Open regsvr32.exe with “c:\files\malware.dll” command line argument
  • Click open and wait until Ollydbg breaks on the entry point
  • Go to Options->Debugging options->Events and set “Break on new module(DLL)”
  • Press F9 until Ollydbg breaks on  “c:\files\malware.dll”
  • Go to the malware.dll disassembly, right click and choose “Search for all name(label) in current module” and set a breakpoint on DllRegisterServer
  • Uncheck the “Break on new module(DLL)” and press F9 until it breaks on DllRegisterServer
  • From this point on, you will be able to step into the code line by line

The DllRegisterServer function begins with a call to a custom function sub_1000517 (named FindBrowserProfileAndUpdateChrome by the analyst). This function performs the following main tasks:

1) Find the path for special folder “Application Data” by calling SHGetSpecialFolderLocation API call


.text:10005174 sub_1000517 proc near
……….
.text:10005185                 lea     eax, [ebp+appDataPath]
.text:1000518B                 push    ebx             ; int
.text:1000518C                 push    eax             ; int
.text:1000518D                 push    1Ah             ; CSIDL_APPDATA=0x1A={user}\Application Data
.text:1000518F                 mov     [ebp+firefoxProfilesINIFile], offset aMozillaFirefox ; "\\Mozilla\\Firefox\\profiles.ini"
.text:10005196                 mov     [ebp+netscapeProfilesINIFile], offset aNetscapeNsaePr ; "\\Netscape\\NSAE\\profiles.ini"
.text:1000519D                 mov     [ebp+firefoxToolbarChromeName], offset firefoxToolbarChromeName ; "m3ffxtbr"
.text:100051A4                 mov     [ebp+netscapeToolbarChromeName], offset netscapeToolbarChromeName ; "m3ntstbr"
.text:100051AB                 call    FindAppDataPath
…………

.text:10005455 ; int __cdecl FindAppDataPath(int nFolder, int, int)
………..
.text:10005488                 lea     eax, [ebp+pidl]
.text:1000548B                 push    eax             ; ppidl
.text:1000548C                 push    [ebp+nFolder]   ; nFolder=0x1A
.text:1000548F                 push    edi             ; hwndOwner
.text:10005490                 call    ds:SHGetSpecialFolderLocation
.text:10005496                 test    eax, eax
.text:10005498                 jl      short loc_100054DC
……….

2) Find current logged-on windows username (via GetEnvironmentVariableA API call), if the “Application Data” folder is matched to the current logged-on user then attempt to update Mozilla Firefox or Netscape Navigator Chrome registry file (chrome.rdf or installed-chrome.txt) and copy the files listed in the following table to the browser’s installation directory (C:\Program Files\Mozilla Firefox\ on analyst’s system). This could be the reason for the pervious incomplete execution of the code, since these files were not included in the provided sample by IACRB, and the code assumes that the files exist in its current directory.

Table 3: Files copied by the malware to victim browser directory


Filename

Destination

Description

NPMyWebS.dll

[BrowserInstallationDir]\plugins

Browser plug-in

m3ffxtbr.jar/m3ntstbr.jar

[BrowserInstallationDir]\chrome

Chrome JAR package for Firefox or Netscape

m3ffxtbr.manifest/m3ntstbr.manifest

[BrowserInstallationDir]\chrome

Chrome manifest file for Firefox or Netscape


Figure 1: validating current windows user and “Application Data” path

If the “Application Data” folder was not valid, the code will attempt to iterate through all subfolders inside “Document and Settings” directory (FindFirstFileA and FindNextFileA calls), find all writable FireFox and Netscape profiles (custom IsWritableFile function), find the chrome registry files and update them to reflect the installation of “MywebSearch” plug-in. This process has been shown in the following reversed code snip:


Figure 2: Code to iterate through all user profiles and infect them

The completed reversed code of this function with comments, updated function and local variable names is attached to this report.
After completion of FindBrowserProfileAndUpdateChrome function, the code checks windows registry to read “PluginPath” value inside “HKLM\Software\MyWebSearch\bar” key. If the key or value was not found or the read value of “PluginPath” was not equal to current DLL folder name, it attempt to create/update the key and set “PluginPath” value to the current DLL directory name.


Figure 3: Checking windows registry and updating it if necessary

The execution then continues to final stage of plug-in installation which is copying the plug-in DLL, JAR package and manifest files to victim’s browser’s home directory.  The code finds Firefox and Netscape installation directories on the victim’s system and calls a custom function named as InstallPluginChrome by the analyst, which is actually responsible to copy the mentioned files and updating installed-chrome.txt file. The following figure shows portion of DllRegisterServer function related to this process.


Figure 4: Browser home directory detection and call to InstallPluginChrome

The analyst also found an issue in the InstallPluginChrome function, which can prevent the code from proper plug-in installation on victim systems with Mozilla Firefox version 1.5 or higher.  This problem is highlighted in the following code listing of InstallPluginChrome function. The code attempts to open “installed-chrome.txt” file using CreateFileA API call and sets the dwCreationDisposition parameter to OPEN_EXISTING which means that the API call will only succeed if “installed-chrome.txt” file was already present on the victim system. However, this file has been removed from version 1.5 and higher Firefox releases and no longer exists by default (it still can be used to install a new plug-in but it should be created first for this purpose).


Figure 5: Malware programmer wrong assumption about installed-chrome.txt file

A complete reversed and documented code listing of InstallPluginChrome is available in the attached IDA pro database file.
Checking the cross references to the DllRegisterServer function indicates a single call to it from sub_10003998. Since this function is normally called by a loader tool such as rundll32 rather than other functions in the same COM+ module, it can help the analyst to find the original infection/installation vector of the adware.


Figure 6: Call to DllRegisterServer from plug-in event handler

Code analysis shows that sub_10003998 will be called indirectly by the browser after the plug-in has been loaded. The exported NP_GetEntryPoints function is responsible to set function pointers that results in sub_10003998 being called. The following figure shows code listing of this function. The _NPNetscapeFuncs structure (Added to IDA pro structures by the analyst) is passed by browser to this function and the function sets functions pointers inside this structure to the proper functions in its code.


Figure 7: Plug-in function pointer setups by NP_GetEntryPoints

Based on Mozilla developer’s documentation, NP_GetEntryPoints function will be called by the browser immediately after NP_Initilize, but since it was found that the current code copies another DLL file (NPMyWebS.dll) to browser’s plug-ins directory, the browser actually calls NP_GetEntryPoints of NPMyWebS.dll and not the above one. The analyst downloaded a recent version of MyWebSearch toolbar (Firefox version) from the company’s web site, installed it on a VM and reversed the NP_GetEntryPoints function inside NPMyWebS.dll file. It was found that the actual plug-in DLL (NPMyWebS.dll) first checks the windows registry for MyWebSearch key and value. If they are not found then it dynamically loads m3plugin.dll (the current code under analysis) and calls its NP_GetEntryPoints function. This process has been shown in the following code listing.


Figure 8: NPMyWebS.dll dynamically loads malware and calls its NP_GetEntryPoints function

The complete code listing of the above process is included in Appendix B.
Based on the above finding, it’s now clear that the code under analysis (malware.dll or m3plugin.dll) is a form of watchdog code that is loaded by the main search toolbar plug-in(NPMyWebS.dll) to detect any tamper or removal of the toolbar and re-install it again.
Another interesting exported function in malware.dll is UTB. The function simply pushes the address of a custom function named restoreToolbarFunc and calls FindBrowserProfileAndUpdateChrome which was analyzed before. Analysis of the restoreToolbarFunc indicates that it reads the “localstore.rdf file inside victim user’s application data directory. This file stores customized data on plug-ins such as visibility, size and sort orders. The function finds the entry for MyWebSearch toolbar inside this file and checks if the “collapsed” property is set to “true” which means the toolbar won’t be displayed. If so, this property is set back to “false”. This is another measure by the adware to prevent users from simply unloading the toolbar from “View->toolbar” menu option in Mozilla Firefox. The adware probably would add the following windows registry entry to HKLM\Software\Microsoft\Windows\CurrentVersion\Run which will restore the toolbar on every system startup:
Rundll32.exe malware.dll, UTB
The attached IDA pro file has areversed code listing of restoreToolbarFunc.
The following table summarizes all the above behavioral and code analysis findings with regards to CREA practical instructions document:

Table 4: Analysis findings


General function of the malware

The malware sample was found to be a “watchdog” program for “MyWebSearch” Adware. It provides the following main functionalities:

  • Once loaded by the browser toolbar plug-in (NPMyWebS.dll), it will re-copy the adware search toolbar files from the current directory and update the related windows registry key. This behavior is intended to counter anti-spyware or manual removal/tamper
  •   Through another exported function, the malware code can check if the victim user has chosen not to view the search toolbar in the browser. In this case, the code attempts to overwrite this setting and make the toolbar visible again.  

File System activity

Files created:
c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
c:\program files\Mozilla Firefox\chrome\m3ffxtbr.jar (m3ntstbr.jar)
c:\program files\Mozilla Firefox\chrome\ m3ffxtbr.manifest (m3ntstbr.manifest)
Files Accessed/Modified:
c:\program files\Mozilla Firefox\chrome\installed-chrome.txt
c:\program files\Mozilla Firefox\chrome\overlayinfo\browser\content\overlays.rdf
c:\Documents and Settings\[username]\Application Data\Mozilla\Firefox\Profiles\[profile_name]\chrome\chrome.rdf
C:\Documents and Settings\[username]\Application Data\Mozilla\Firefox\Profiles\[profile_name]\localstore.rdf

Windows Registry activity

Modified or created entries:
Key name: HKLM\Software\MyWebSearch\bar
Value: PluginPath=[folder path of the malware]

Network activity

No network activity was noticed

Original infection vector

The code is a component of “MyWebSearch” browser toolbar that is normally downloaded and installed by the victim who thinks it’s a harmless program. After installation, the program would add the following windows registry key to check and fix the toolbar visibility status :
Key name:HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Value: somename=rundll32.exe malware.dll, UTB

Information about development of the malware

The Adware has been developed by MyWebSearch.com. Another adware software named “FunWebProducts” could be installed subsequently on the victim system that has already search toolbar installed. The malware code is compiled using MS Visual C++ on Tue May 08 00:13:39 2007

 Mitigation

The analyst recommends following steps to remove the “MyWebSearch” toolbar from an infected system:

  • Close the Firefox or Netscape browser and remove NPMyWebS.dll file from [browser home dir]\plugins directory
  • Remove m3ffxtbr.jar(m3ntstbr.jar for Netscape) and m3ffxtbr.manifest(m3ntstbr.manifest for Netscape) from chrome [browser home dir]\chrome folder
  • Edit and remove the following lines from installed-chrome.txt:

content,install,url,jar:resource:/chrome/m3ffxtbr.jar!/ or content,install,url,jar:resource:/chrome/m3ntstbr.jar!/

  • Edit and remove any entries for “MyWebSearch” found inside localstore.rdf
  • Remove  the following line from overlays.rdf

chrome://m3ffxtbr/content/menu.xul


Appendix A- Full Anti-virus Scan results

 

Antivirus

Version

Last Update

Result

a-squared

4.5.0.50

2010.01.22

Riskware.AdTool.Win32.MyWebSearch!IK

AhnLab-V3

5.0.0.2

2010.01.22

-

AntiVir

7.9.1.146

2010.01.22

-

Antiy-AVL

2.0.3.7

2010.01.22

AdTool/Win32.MyWebSearch.gen

Authentium

5.2.0.5

2010.01.22

W32/HackTool.UP

Avast

4.8.1351.0

2010.01.22

-

AVG

9.0.0.730

2010.01.22

-

BitDefender

7.2

2010.01.22

-

CAT-QuickHeal

10.00

2010.01.22

-

ClamAV

0.94.1

2010.01.22

Adware.Search-53

Comodo

3669

2010.01.22

ApplicUnwnt.Win32.Toolbar.MyWebSearch

DrWeb

5.0.1.12222

2010.01.22

Adware.Msearch

eSafe

7.0.17.0

2010.01.21

AdTool.Win32.MyWebSe

eTrust-Vet

None

2010.01.22

-

F-Prot

4.5.1.85

2010.01.21

W32/HackTool.UP

F-Secure

9.0.15370.0

2010.01.22

-

Fortinet

4.0.14.0

2010.01.22

Misc/Mywebsearch

GData

19

2010.01.22

-

Ikarus

T3.1.1.80.0

2010.01.22

not-a-virus:AdTool.Win32.MyWebSearch

Jiangmin

13.0.900

2010.01.22

-

K7AntiVirus

7.10.951

2010.01.20

not-a-virus:AdTool.Win32.MyWebSearch

Kaspersky

7.0.0.125

2010.01.22

not-a-virus:WebToolbar.Win32.MyWebSearch.as

McAfee

5868

2010.01.21

potentially unwanted program MWS

McAfee+Artemis

5868

2010.01.21

potentially unwanted program MWS

McAfee-GW-Edition

6.8.5

2010.01.22

-

Microsoft

1.5405

2010.01.22

-

NOD32

4796

2010.01.22

Win32/Toolbar.MyWebSearch

Norman

6.04.03

2010.01.21

-

nProtect

2009.1.8.0

2010.01.22

Trojan-Clicker/W32.MyWebSearch.49245

Panda

10.0.2.2

2010.01.22

-

PCTools

7.0.3.5

2010.01.22

-

Prevx

3.0

2010.01.22

Medium Risk Malware

Rising

22.31.04.04

2010.01.22

Adware.MyWebSearch.f

Sophos

4.50.0

2010.01.22

-

Sunbelt

3.2.1858.2

2010.01.22

MyWebSearch Toolbar

Symantec

20091.2.0.41

2010.01.22

-

TheHacker

6.5.0.9.158

2010.01.22

-

TrendMicro

9.120.0.1004

2010.01.22

-

VBA32

3.12.12.1

2010.01.21

-

ViRobot

2010.1.22.2151

2010.01.22

Not_a_virus:AdTool.MyWebSearch.49245

VirusBuster

5.0.21.0

2010.01.21

-


 

Appendix B – NP_GetEntryPoints code from recent version of NPMywebS.dll

.text:10001175
.text:10001175                 public NP_GetEntryPoints
.text:10001175 NP_GetEntryPoints proc near
.text:10001175
.text:10001175 LibFileName     = byte ptr -104h
.text:10001175 pNPFuncs        = dword ptr  8
.text:10001175
.text:10001175                 push    ebp
.text:10001176                 mov     ebp, esp
.text:10001178                 sub     esp, 104h
.text:1000117E                 push    esi
.text:1000117F                 lea     eax, [ebp+LibFileName]
.text:10001185                 push    104h            ; buffer size
.text:1000118A                 push    eax             ; lpData
.text:1000118B                 push    offset ValueName ; "PluginPath"
.text:10001190                 push    offset cbData   ; "Software\\MyWebSearch\\bar"
.text:10001195                 push    HKEY_LOCAL_MACHINE ; hKey
.text:1000119A                 call    sub_100010CE    ; check if mywebsearch registry key and value exist
.text:1000119F                 add     esp, 14h
.text:100011A2                 test    eax, eax        ; if(EAX==0), the plug-in is not removed  or tampered, so return
.text:100011A4                 jz      loc_1000124E    ; else load m3plugin.dll to fix
.text:100011AA                 mov     esi, ds:lstrcatA
.text:100011B0                 lea     eax, [ebp+LibFileName]
.text:100011B6                 push    offset String2  ; "m3Plugin"
.text:100011BB                 push    eax
.text:100011BC                 call    esi ; lstrcatA
.text:100011BE                 lea     eax, [ebp+LibFileName]
.text:100011C4                 push    offset a_dll    ; ".DLL"
.text:100011C9                 push    eax
.text:100011CA                 call    esi ; lstrcatA  ; appends .dll
.text:100011CC                 push    8               ; dwFlags
.text:100011CE                 lea     eax, [ebp+LibFileName]
.text:100011D4                 push    0               ; hFile
.text:100011D6                 push    eax             ; lpLibFileName=m3plugin.dll
.text:100011D7                 call    ds:LoadLibraryExA ; loads DLL
.text:100011DD                 test    eax, eax        ; (if eax==null) return;
.text:100011DF                 mov     hModule, eax    ; save HANDLE
.text:100011E4                 jz      short loc_10001244
.text:100011E6                 mov     esi, ds:GetProcAddress
.text:100011EC                 push    offset ProcName ; "NP_GetEntryPoints"
.text:100011F1                 push    eax             ; hModule
.text:100011F2                 call    esi ; GetProcAddress ; return pointer to NP_GetEntryPoints in m3plugin.dll
.text:100011F4                 push    offset aNp_initialize ; "NP_Initialize"
.text:100011F9                 mov     ptr_NPGetentryPoints, eax ; save ptr_to NP_GetEntryPoints
.text:100011FE                 push    hModule         ; hModule
.text:10001204                 call    esi ; GetProcAddress
.text:10001206                 push    offset aNp_shutdown ; "NP_Shutdown"
.text:1000120B                 mov     ptr_NPInitialize, eax ; save ptr_to NP_Initialize
.text:10001210                 push    hModule         ; hModule
.text:10001216                 call    esi ; GetProcAddress
.text:10001218                 cmp     hModule, 0
.text:1000121F                 mov     ptr_NPShutdown, eax
.text:10001224                 jz      short loc_10001244
.text:10001226                 mov     ecx, ptr_NPGetentryPoints
.text:1000122C                 test    ecx, ecx     ;check if ptr was not null
.text:1000122E                 jz      short loc_10001244
.text:10001230                 cmp     ptr_NPInitialize, 0
.text:10001237                 jz      short loc_10001244
.text:10001239                 test    eax, eax
.text:1000123B                 jz      short loc_10001244
.text:1000123D                 push    [ebp+pNPFuncs]
.text:10001240                 call    ecx ; calls NPGetentryPoints from m3plugin.dll
.text:10001242                 jmp     short loc_10001251
.text:10001244 ; ---------------------------------------------------------------------------
.text:10001244
.text:10001244 loc_10001244:                         
.text:10001244                 mov     ecx, offset hModule
.text:10001249                 call    sub_10001256     ;unload m3plugin.dll
.text:1000124E
.text:1000124E loc_1000124E:                 
.text:1000124E                 push    4
.text:10001250                 pop     eax
.text:10001251
.text:10001251 loc_10001251:                         
.text:10001251                 pop     esi
.text:10001252                 leave
.text:10001253                 retn    4
.text:10001253 NP_GetEntryPoints endp

 

http://www.mywebsearch.com

https://developer.mozilla.org/en/chrome

http://kb.mozillazine.org/Localstore.rdf


 
#
#
Home | About IACRB | CEPT | CASS | CSSA | CREA | CPT | Contact Us | Sitemap Copyright © 2003-2009 Information Assurance Certification Review Board. All Rights Reserved.