fwmemmap.sys - Firmware Memory Map Provider

info
MZ
PE
resources
imports
foremost
version info
signature
hexdump
disasm
log
discuss
donate

filename	fwmemmap.sys
size	7168 (0x1c00)
md5	64d1e19261c90c09e1b1f35d245c44e9

type	PE32 executable (native) Intel 80386, for MS Windows
mimetype	application/x-dosexec

clamav	OK
virustotal	→ scan with virustotal.com

histogram

MZ Header

signature	MZ
bytes_in_last_block	0x90
blocks_in_file	3
num_relocs	0
header_paragraphs	4
min_extra_paragraphs	0
max_extra_paragraphs	0xffff
ss	0
sp	0xb8
checksum	0
ip	0
cs	0
reloc_table_offset	0x40
overlay_number	0
reserved0	0
oem_id	0
oem_info	0
reserved2	0
reserved3	0
reserved4	0
reserved5	0
reserved6	0
lfanew	0xd8

Rich Header

lib id	version	times used
1	0	16
123	50727	5
109	50727	1
110	50727	2
124	50727	1
120	50727	1

DOS stub

00000000: 0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000010: 69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000020: 74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000030: 6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|

PE Header

Signature	PE
Machine	0x14c
NumberOfSections	7
TimeDateStamp	0x49f8b1dd
PointerToSymbolTable	0
NumberOfSymbols	0
SizeOfOptionalHeader	0xe0
Characteristics	0x102
Magic	0x10b
LinkerVersion	8.0
SizeOfCode	0xa00
SizeOfInitializedData	0xa00
SizeOfUninitializedData	0
AddressOfEntryPoint	0x50c7
BaseOfCode	0x1000
BaseOfData	0x2000
ImageBase	0x10000
SectionAlignment	0x1000
FileAlignment	0x200
OperatingSystemVersion	6.0
ImageVersion	6.0
SubsystemVersion	6.0
Reserved1	0
SizeOfImage	0x8000
SizeOfHeaders	0x400
CheckSum	0x6b46
Subsystem	1
DllCharacteristics	0x400
SizeOfStackReserve	0x40000
SizeOfStackCommit	0x1000
SizeOfHeapReserve	0x100000
SizeOfHeapCommit	0x1000
LoaderFlags	0
NumberOfRvaAndSizes	0x10

Sections

name	va	vsize	raw size	flags
.text	0x1000	0xb0	0x200	R-X CODE
.rdata	0x2000	0xbf	0x200	R-- IDATA
.data	0x3000	0xc	0x200	RW- IDATA
PAGE	0x4000	0x3e4	0x400	R-X CODE
INIT	0x5000	0x316	0x400	RWX CODE DISCARDABLE
.rsrc	0x6000	0x3d8	0x400	R-- IDATA DISCARDABLE
.reloc	0x7000	0xaa	0x200	R-- IDATA DISCARDABLE

Data Directory

type	va	size
EXPORT	0	0
IMPORT	0x5148	0x3c
RESOURCE	0x6000	0x3d8
EXCEPTION	0	0
SECURITY	0x1800	0x400
BASERELOC	0x7000	0x68
DEBUG	0x2050	0x1c
ARCHITECTURE	0	0
GLOBALPTR	0	0
TLS	0	0
LOAD_CONFIG	0	0
Bound_IAT	0	0
IAT	0x2000	0x48
Delay_IAT	0	0
CLR_Header	0	0

show previews

type	name	size	cp
VERSION	#1	884	0

module_name	hint	function_name
ntoskrnl.exe	459	IoCreateSymbolicLink
ntoskrnl.exe	449	IoCreateDevice
ntoskrnl.exe	469	IoDeleteDevice
ntoskrnl.exe	471	IoDeleteSymbolicLink
ntoskrnl.exe	807	KeTickCount
ntoskrnl.exe	642	IofCompleteRequest
ntoskrnl.exe	1902	memcpy
ntoskrnl.exe	1904	memset
ntoskrnl.exe	125	ExFreePoolWithTag
ntoskrnl.exe	1350	RtlInitUnicodeString
ntoskrnl.exe	103	ExAllocatePoolWithTag
HAL.dll	105	x86BiosCall
HAL.dll	107	x86BiosReadMemory
HAL.dll	104	x86BiosAllocateBuffer
HAL.dll	108	x86BiosWriteMemory
HAL.dll	106	x86BiosFreeBuffer

StringTable 040904B0

CompanyName	Geoff Chappell
FileDescription	Firmware Memory Map Provider
FileVersion	1.0.0.0 built by: WinDDK
InternalName	fwmemmap.sys
LegalCopyright	Copyright (C) 2009. Geoff Chappell. All rights reserved.
OriginalFilename	fwmemmap.sys
ProductName	Firmware Memory Map Tool
ProductVersion	1.0.0.0

VS_FIXEDFILEINFO

FileVersion	1.0.0.0
ProductVersion	1.0.0.0
StrucVersion	0x10000
FileFlagsMask	0x3f
FileFlags	0
FileOS	0x40004
FileType	3
FileSubtype	7

OpenSSL (terse)
ASN.1 (verbose)

Signers (1)

issuer: /CN=My Own Testing Authority

serial: 30D43F0573AF32AC45202E65B68619D3

Certificates (1)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            30:d4:3f:05:73:af:32:ac:45:20:2e:65:b6:86:19:d3
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=My Own Testing Authority
        Validity
            Not Before: Feb 12 06:45:23 2009 GMT
            Not After : Dec 31 23:59:59 2039 GMT
        Subject: CN=My Own Testing Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)
                Modulus:
                    00:c7:80:34:94:50:d1:3a:39:62:ac:17:69:fb:ab:
                    76:5d:43:74:a5:13:16:e2:54:d9:59:87:c0:f1:bf:
                    ed:8d:7a:62:c0:0d:b6:68:07:4a:4c:67:63:fb:1a:
                    e6:59:a4:49:ae:85:7b:5e:61:19:7f:eb:3a:a0:56:
                    32:f9:18:f8:6f:ca:5e:c8:fb:03:da:52:54:65:f2:
                    4f:bb:61:4b:fd:32:cc:09:0c:52:93:be:20:9b:71:
                    d6:97:39:44:e2:16:75:bc:18:93:33:bf:63:5e:f6:
                    78:cd:70:fb:6e:e0:79:6c:8e:75:1d:aa:99:8a:77:
                    79:49:e9:95:4e:5b:a6:4c:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            2.5.29.1: 
                0K...\.W.#.{%/.......%0#1!0...U....My Own Testing Authority..0.?.s.2.E .e....
    Signature Algorithm: md5WithRSAEncryption
         95:55:fc:af:74:03:cf:f6:32:fc:e3:e3:e1:98:5b:38:ba:fa:
         f0:61:75:da:7e:c0:9b:1e:3e:76:ac:cf:e1:30:90:d9:f5:a1:
         9a:78:6d:48:8c:33:ca:a0:a5:41:bd:54:d6:60:e7:4b:36:ed:
         7f:a6:6d:f6:b7:70:39:99:8c:3c:bb:82:f7:5f:18:52:7c:60:
         b7:ca:4f:64:44:cf:ba:38:24:8d:57:35:77:75:bd:6b:c6:8c:
         35:81:72:85:d3:04:9c:72:8f:54:8b:ea:48:c7:c1:9a:2f:b9:
         1a:1b:80:04:3c:14:b7:f4:f7:02:bf:f7:3e:91:e9:82:83:4d:
         da:b8

pkcs7-signedData

SHA1: nil

1.3.6.1.4.1.311.2.1.4

1.3.6.1.4.1.311.2.1.15

00 3c 00 3c 00 3c 00 4f  00 62 00 73 00 6f 00 6c  |.<.<.<.O.b.s.o.l|
00 65 00 74 00 65 00 3e  00 3e 00 3e              |.e.t.e.>.>.>    |

SHA1

b1 36 a0 39 da ff cf 20 a6 a7 83 4c cc 6a c6 1d |.6.9... ...L.j..| a2 6d ce 14 |.m.. |

2
- 30:D4:3F:05:73:AF:32:AC:45:20:2E:65:B6:86:19:D3
- RSA-MD5: nil
- CN: My Own Testing Authority
- 2009-02-12 06:45:23 UTC: 2039-12-31 23:59:59 UTC
- CN: My Own Testing Authority
- #5
  - rsaEncryption: nil
  - C7:80:34:94:50:D1:3A:39:62:AC:17:69:FB:AB:76:5D:
    43:74:A5:13:16:E2:54:D9:59:87:C0:F1:BF:ED:8D:7A:
    62:C0:0D:B6:68:07:4A:4C:67:63:FB:1A:E6:59:A4:49:
    AE:85:7B:5E:61:19:7F:EB:3A:A0:56:32:F9:18:F8:6F:
    CA:5E:C8:FB:03:DA:52:54:65:F2:4F:BB:61:4B:FD:32:
    CC:09:0C:52:93:BE:20:9B:71:D6:97:39:44:E2:16:75:
    BC:18:93:33:BF:63:5E:F6:78:CD:70:FB:6E:E0:79:6C:
    8E:75:1D:AA:99:8A:77:79:49:E9:95:4E:5B:A6:4C:B9: 0x010001
- 2.5.29.1
  - aa 5c b9 57 a5 23 a7 7b 25 2f ad 1b ba 18 1c f2 |.\.W.#.{%/......|
    - CN: My Own Testing Authority
    - 30 d4 3f 05 73 af 32 ac 45 20 2e 65 b6 86 19 d3 |0.?.s.2.E .e....|

RSA-MD5:

95 55 fc af 74 03 cf f6  32 fc e3 e3 e1 98 5b 38  |.U..t...2.....[8|
ba fa f0 61 75 da 7e c0  9b 1e 3e 76 ac cf e1 30  |...au.~...>v...0|
90 d9 f5 a1 9a 78 6d 48  8c 33 ca a0 a5 41 bd 54  |.....xmH.3...A.T|
d6 60 e7 4b 36 ed 7f a6  6d f6 b7 70 39 99 8c 3c  |.`.K6...m..p9..<|
bb 82 f7 5f 18 52 7c 60  b7 ca 4f 64 44 cf ba 38  |..._.R|`..OdD..8|
24 8d 57 35 77 75 bd 6b  c6 8c 35 81 72 85 d3 04  |$.W5wu.k..5.r...|
9c 72 8f 54 8b ea 48 c7  c1 9a 2f b9 1a 1b 80 04  |.r.T..H.../.....|
3c 14 b7 f4 f7 02 bf f7  3e 91 e9 82 83 4d da b8  |<.......>....M..|

#0
- CN: My Own Testing Authority
- 30:D4:3F:05:73:AF:32:AC:45:20:2E:65:B6:86:19:D3
SHA1: nil

1.3.6.1.4.1.311.2.1.12
- nil
contentType: 1.3.6.1.4.1.311.2.1.4

messageDigest:

33 7e dc 06 fe f5 e5 e2  ab 55 ee a9 ee 38 51 a1  |3~.......U...8Q.|
b0 10 1b 35                                       |...5            |

rsaEncryption:

a8 f9 36 c8 42 a4 c2 86  32 7e 75 18 c4 b4 8c 9d  |..6.B...2~u.....|
84 e1 10 2e 90 15 4e 2e  1a 9d 04 aa c3 56 06 5c  |......N......V.\|
c2 d1 04 f7 50 df 6d c0  f2 ae c2 77 f1 f1 e5 18  |....P.m....w....|
25 29 e7 eb a2 d3 ab 37  d5 e8 0e 61 4c 48 ae ff  |%).....7...aLH..|
55 4f cd d8 b7 68 66 1b  ee 17 8e b2 af 0a 03 d0  |UO...hf.........|
9c 03 ce eb ac 5d b4 0f  68 5c f1 4d b8 05 76 a9  |.....]..h\.M..v.|
e5 d3 52 1c 2d b2 00 2b  29 c7 df 85 b7 3f 14 f6  |..R.-..+)....?..|
d3 3e 0e 88 19 3d be d5  bf ad 68 26 97 72 d5 13  |.>...=....h&.r..|