Hi fellows,
BintScan could not open the file because of ".rpj - invalid argument". FileAlyzer could not open it because of an error in the syntax of the filename, folder name or volume name.
Opened it up after renaming it, and these are the contents:
/////////////////
00004D !This program cannot be run in DOS mode.
0012A2 RtlFreeAnsiString
0012C0 RtlUnicodeStringToAnsiString
0012E0 ObQueryNameString
0012FE ZwDuplicateObject
001312 ZwOpenProcess
001322 KeDetachProcess
001334 ObfDereferenceObject
00134C ObReferenceObjectByHandle
001368 KeAttachProcess
00137A PsLookupProcessByProcessId
001398 MmIsAddressValid
0013AC ObOpenObjectByPointer
0013C4 ZwQueryInformationProcess
0013E0 NtBuildNumber
0013F0 ZwOpenProcessToken
001406 IofCompleteRequest
00141C SeReleaseSubjectContext
001436 SePrivilegeCheck
00144A ExGetPreviousMode
00145E SeCaptureSubjectContext
001478 IoDeleteDevice
00148A IoDeleteSymbolicLink
0014A2 RtlInitUnicodeString
0014BA IoCreateSymbolicLink
0014D2 IoCreateDevice
0014E4 ExAllocatePoolWithTag
0014FA ntoskrnl.exe
001516 KfLowerIrql
001524 KfRaiseIrql
0018C8 L3P3`3h3l3t3x3
001949 :!:?:H:k:t:
001973 ?!?3?A?U?{?
002162 _DriverEntry@8
002171 _ProcExpGetComponentFileName@8
002190 _ProcExpGetObjectName@12
0021A9 _ProcExpOpen@8
0021B8 _ProcExpReadKstack@12
0021CE _ProcExpGetMutantOwner@12
0021E8 _ProcExpQueryDep@12
0021FC _ProcExpGetKcontext@12
002213 _ProcExpClose@4
002223 _ProcExpDeviceControl@36
00223C _ProcExpDispatch@8
00224F _ProcExpUnload@4
002260 __imp__RtlFreeAnsiString@4
00227B __imp__strncpy
00228A __imp__RtlUnicodeStringToAnsiString@12
0022B1 __imp__ObQueryNameString@16
0022CD __except_list
0022DB __except_handler3
0022ED __imp__ZwClose@4
0022FE __imp__ZwDuplicateObject@28
00231A __imp__ZwOpenProcess@16
002332 __imp__KeDetachProcess@0
00234B __imp_@ObfDereferenceObject@4
002369 __imp__ObReferenceObjectByHandle@24
00238D __imp__KeAttachProcess@4
0023A6 __imp__PsLookupProcessByProcessId@8
0023CA __imp_@KfLowerIrql@4
0023DF __imp__MmIsAddressValid@4
0023F9 __imp_@KfRaiseIrql@4
00240E __imp__ObOpenObjectByPointer@28
00242E __imp__ZwQueryInformationProcess@20
002452 _NtBuildNumber
002461 __imp__ZwOpenProcessToken@12
00247E __imp_@IofCompleteRequest@8
00249A __imp__SeReleaseSubjectContext@4
0024BB __imp__SePrivilegeCheck@12
0024D6 __imp__ExGetPreviousMode@0
0024F1 __imp__SeCaptureSubjectContext@4
002512 __imp__IoDeleteDevice@4
00252A __imp__IoDeleteSymbolicLink@4
002548 __imp__RtlInitUnicodeString@8
002566 __imp__IoCreateSymbolicLink@8
002584 __imp__IoCreateDevice@28
00259D __imp__ExAllocatePoolWithTag@12
0025BD _RtlFreeAnsiString@4
0025D2 __IMPORT_DESCRIPTOR_ntoskrnl
0025EF _RtlUnicodeStringToAnsiString@12
002610 _ObQueryNameString@16
002626 _RtlUnwind@16
002634 __global_unwind2
002645 __local_unwind2
002655 __abnormal_termination
00266C __seh_longjmp_unwind@4
002683 _ZwClose@4
00268E _ZwDuplicateObject@28
0026A4 _ZwOpenProcess@16
0026B6 _KeDetachProcess@0
0026C9 @ObfDereferenceObject@4
0026E1 _ObReferenceObjectByHandle@24
0026FF _KeAttachProcess@4
002712 _PsLookupProcessByProcessId@8
002730 _MmIsAddressValid@4
002744 _ObOpenObjectByPointer@28
00275E _ZwQueryInformationProcess@20
00277C __imp__NtBuildNumber
002791 _ZwOpenProcessToken@12
0027A8 @IofCompleteRequest@8
0027BE _SeReleaseSubjectContext@4
0027D9 _SePrivilegeCheck@12
0027EE _ExGetPreviousMode@0
002803 _SeCaptureSubjectContext@4
00281E _IoDeleteDevice@4
002830 _IoDeleteSymbolicLink@4
002848 _RtlInitUnicodeString@8
002860 _IoCreateSymbolicLink@8
002878 _IoCreateDevice@28
00288B _ExAllocatePoolWithTag@12
0028A5 __NULL_IMPORT_DESCRIPTOR
0028BF ntoskrnl_NULL_THUNK_DATA
0028D8 __imp__RtlUnwind@16
0028EC @KfLowerIrql@4
0028FB __IMPORT_DESCRIPTOR_HAL
002913 @KfRaiseIrql@4
002923 HAL_NULL_THUNK_DATA
002937 _lh_continue
002944 _lh_dismiss
002950 _lh_return
002965 _lh_unwinding
002973 _gu_return
00297E __unwind_handler
00298F _uh_return
00299A _lu_continue
0029B1 terd:\winddk\1381\lib\i386\free\procexp100.sys
002C5D VeriSign, Inc.1705
002C75 .Class 3 Public Primary Certification Authority0
002CA8 040716000000Z
002CB7 140715235959Z0
002CDF VeriSign, Inc.1
002CF8 VeriSign Trust Network1;09
002D18 2Terms of use at https://www.verisign.com/rpa (c)041.0,
002D55 %VeriSign Class 3 Code Signing 2004 CA0
002EE7 https://www.verisign.com/rpa01
002F15 http://crl.verisign.com/pca3.crl0
002F92 Class3CA2048-1-430
002FEC VeriSign, Inc.1705
003004 .Class 3 Public Primary Certification Authority
00311A Washington1
003141 Microsoft Corporation1)0'
003160 Microsoft Code Verification Root0
003185 060523170129Z
003194 160523171129Z0_1
0031BB VeriSign, Inc.1705
0031D3 .Class 3 Public Primary Certification Authority0
003386 Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
003628 VeriSign, Inc.1
003641 VeriSign Trust Network1;09
003661 2Terms of use at https://www.verisign.com/rpa (c)041.0,
00369E %VeriSign Class 3 Code Signing 2004 CA0
0036C8 060202000000Z
0036D7 070404235959Z0
003720 Sysinternals1>0<
003736 5Digital ID Class 3 - Microsoft Software Validation v21
003777 Headquarters1
00378E Sysinternals0
003871 /http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
0038CB https://www.verisign.com/rpa0
00391A http://ocsp.verisign.com0?
00393F 3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
0039B8 47009c3de442d876ef3ae87cca155f6d0
003B2E VeriSign, Inc.1
003B47 VeriSign Trust Network1;09
003B67 2Terms of use at https://www.verisign.com/rpa (c)041.0,
003BA4 %VeriSign Class 3 Code Signing 2004 CA
//////////////////////////////
Anyone to comment?
polonus
PS. egel = porcupine (Dutch)