Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file rundll32.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               3 number of sections
        45D69C8E time date stamp Sat Feb 17 15:11:26 2007
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            7.10 linker version
            1A00 size of code
            6C00 size of initialized data
               0 size of uninitialized data
            1F98 entry point (01001F98)
            1000 base of code
            3000 base of data
         1000000 image base (01000000 to 0100AFFF)
            1000 section alignment
             200 file alignment
            5.02 operating system version
            5.02 image version
            4.00 subsystem version
               0 Win32 version
            B000 size of image
             400 size of headers
            9007 checksum
               2 subsystem (Windows GUI)
            8000 DLL characteristics
                   Terminal Server Aware
           40000 size of stack reserve
            C000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            222C [      78] RVA [size] of Import Directory
            4000 [    6730] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
            1140 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
            11D8 [      40] RVA [size] of Load Configuration Directory
             248 [      7C] RVA [size] of Bound Import Directory
            1000 [     124] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
    1888 virtual size
    1000 virtual address (01001000 to 01002887)
    1A00 size of raw data
     400 file pointer to raw data (00000400 to 00001DFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

  Debug Directories

        Time Type       Size      RVA  Pointer
    -------- ------ -------- -------- --------
    45D69C8E cv           25 00001220      620    Format: RSDS, {4D4FD4CB-2F45-4993-9A61-954A8E04A24C}, 1, rundll32.pdb

  Section contains the following imports:

    msvcrt.dll
                10010DC Import Address Table
                1002380 Import Name Table
               FFFFFFFF time date stamp
               FFFFFFFF Index of first forwarder reference

               77BE0067    DD _controlfp
               77BC632C    9E __set_app_type
               77BAF6C5    8A __p__fmode
               77BAF68E    85 __p__commode
               77BF467C    BD _adjust_fdiv
               77BDE695    A0 __setusermatherr
               77BCAE06   142 _initterm
               77BAF32F    AA __wgetmainargs
               77BF37E8   230 _wcmdln
               77BCAF41   29C exit
               77BCAF77    CF _cexit
               77BC3CFC    4F _XcptFilter
               77BCAF5C    FD _exit
               77BCAF8B    CC _c_exit
               77BC6C74    F4 _except_handler3
               77BAD34E   27E _wtoi
               77BD0F3E   22B _vsnwprintf

    KERNEL32.dll
                1001008 Import Address Table
                10022AC Import Name Table
               FFFFFFFF time date stamp
               FFFFFFFF Index of first forwarder reference

               77E62FC7   146 GetCurrentThreadId
               77E619D1   1DF GetTickCount
               77E69577   2A3 QueryPerformanceCounter
               77E6C2DC   315 SetErrorMode
               77E5F357    75 DeactivateActCtx
               77E63C78   143 GetCurrentProcessId
               77E64415   161 GetFileAttributesW
               77E69A21   2DC SearchPathW
               77E5E29C    49 CreateActCtxW
               77E5F326     0 ActivateActCtx
               77E5C6FA   255 LoadLibraryW
               77E523D8   2C1 ReleaseActCtx
               77E6239C   258 LocalAlloc
               77E4203E   1B8 GetStartupInfoW
               77E82060   34B SetUnhandledExceptionFilter
               77E7690D   36F UnhandledExceptionFilter
               77E42004   35F TerminateProcess
               77E63E6F    34 CloseHandle
               77E6568B   31C SetFilePointer
               77E4184B   2B5 ReadFile
               77E64841    56 CreateFileW
               77E61C7B   391 WaitForSingleObject
               77E42474    69 CreateProcessW
               77E9ECF3   398 Wow64EnableWow64FsRedirection
               77E5BDA9   3CB lstrcpynW
               77E5C256   1C2 GetSystemDirectoryW
               77E6128F   187 GetNativeSystemInfo
               77E70660   243 IsWow64Process
               77E62F9D   142 GetCurrentProcess
               77E6B756   111 GetCommandLineW
               77E6B1A1    F8 FreeLibrary
               77E62419   25C LocalFree
               77E5BE30   3CD lstrlenA
               77E63143   395 WideCharToMultiByte
               7C829E08   171 GetLastError
               77E622C9   3CE lstrlenW
               77E63D7A   1A0 GetProcAddress
               77E4F821    F4 FormatMessageW
               77E41FBA   1CA GetSystemTimeAsFileTime

    GDI32.dll
                1001000 Import Address Table
                10022A4 Import Name Table
               FFFFFFFF time date stamp
               FFFFFFFF Index of first forwarder reference

               77C059A3   1A6 GetStockObject

    USER32.dll
                10010A8 Import Address Table
                100234C Import Name Table
               FFFFFFFF time date stamp
               FFFFFFFF Index of first forwarder reference

               77393BBC    2C CharNextW
               7738A6B0   248 SetClassLongW
               7738BCE1   1BF LoadIconW
               7739C6B7    8F DefWindowProcW
               77392470    61 CreateWindowExW
               7739017A   219 RegisterClassW
               773969EE   1BD LoadCursorW
               7738B9C6    99 DestroyWindow
               7739EE1C   1E6 MessageBoxW
               773947A5   1CC LoadStringW

    imagehlp.dll
                10010D4 Import Address Table
                1002378 Import Name Table
               FFFFFFFF time date stamp
               FFFFFFFF Index of first forwarder reference

               76C14601    10 ImageDirectoryEntryToData

  Header contains the following bound import information:
    Bound to msvcrt.dll [45D70B06] Sat Feb 17 23:02:46 2007
    Bound to KERNEL32.dll [45D70AD8] Sat Feb 17 23:02:00 2007
        Contained forwarders bound to NTDLL.DLL [45D70AD8] Sat Feb 17 23:02:00 2007
    Bound to GDI32.dll [45D70A3E] Sat Feb 17 22:59:26 2007
    Bound to USER32.dll [45D70AC7] Sat Feb 17 23:01:43 2007
    Bound to imagehlp.dll [45D70A5D] Sat Feb 17 22:59:57 2007

SECTION HEADER #2
   .data name
     374 virtual size
    3000 virtual address (01003000 to 01003373)
     200 size of raw data
    1E00 file pointer to raw data (00001E00 to 00001FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #3
   .rsrc name
    6730 virtual size
    4000 virtual address (01004000 to 0100A72F)
    6800 size of raw data
    2000 file pointer to raw data (00002000 to 000087FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Summary

        1000 .data
        7000 .rsrc
        2000 .text