Author: l | 2025-04-25
... Bytes JMP 002B0600
.text C:\WINDOWS\system32\winlogon.exe[780] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\winlogon.exe[780] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\winlogon.exe[780] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\winlogon.exe[780] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\winlogon.exe[780] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\services.exe[824] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\services.exe[824] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[824] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\services.exe[824] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!SetServiceObjectSecurity 77E36D59 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!ChangeServiceConfigA 77E36E41 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!ChangeServiceConfigW 77E36FD9 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!ChangeServiceConfig2A 77E370D9 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!ChangeServiceConfig2W 77E37161 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!CreateServiceA 77E371E9 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!CreateServiceW 77E37381 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\services.exe[824] ADVAPI32.dll!DeleteService 77E37489 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\services.exe[824] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\services.exe[824] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\services.exe[824] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
.text C:\WINDOWS\system32\services.exe[824] USER32.dll!SetWinEventHook 7E4317F7 5 Bytes JMP 002C01F8
.text C:\WINDOWS\system32\services.exe[824] USER32.dll!UnhookWinEvent 7E4318AC 5 Bytes JMP 002C03FC
.text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[836] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 000903FC
.text C:\WINDOWS\system32\lsass.exe[836] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!SetServiceObjectSecurity 77E36D59 5 Bytes JMP 002B1014
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!ChangeServiceConfigA 77E36E41 5 Bytes JMP 002B0804
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!ChangeServiceConfigW 77E36FD9 5 Bytes JMP 002B0A08
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!ChangeServiceConfig2A 77E370D9 5 Bytes JMP 002B0C0C
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!ChangeServiceConfig2W 77E37161 5 Bytes JMP 002B0E10
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!CreateServiceA 77E371E9 5 Bytes JMP 002B01F8
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!CreateServiceW 77E37381 5 Bytes JMP 002B03FC
.text C:\WINDOWS\system32\lsass.exe[836] ADVAPI32.dll!DeleteService 77E37489 5 Bytes JMP 002B0600
.text C:\WINDOWS\system32\lsass.exe[836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
.text C:\WINDOWS\system32\lsass.exe[836] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 002C0A08
.text C:\WINDOWS\system32\lsass.exe[836] USER32.dll!SetWindowsHookExA 7E431211 5 Bytes JMP 002C0600
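The hook listing above is the raw output of a user-mode hook scanner: every entry is a patch to a system DLL export inside winlogon.exe, services.exe and lsass.exe, either a 5-byte JMP to a low address (00090000, 002B0000, 002C0000 regions) or a single overwritten byte. The following is an added example, not part of the log or of any scanner's source, that parses entries in this format, reports the patched exports per process, and shows which processes share the same trampoline pages. The sample log is a constructed subset of the entries above; the SYSTEM_DLL_FLOOR threshold is an assumption about the 32-bit address layout, not something the log states.

```python
"""Parse GMER-style user-mode hook entries and summarize the inline hooks.

Added example for the log above; it is not part of the log or of any tool's
source. It assumes the entry format seen there:
  .text <image>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>
  .text <image>[<pid>] <module>!<export>[ + <off>] <addr> 1 Byte [<xx>]
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the log, same format.
SAMPLE_LOG = """\
.text C:\\WINDOWS\\system32\\services.exe[824] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 000901F8
.text C:\\WINDOWS\\system32\\services.exe[824] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62]
.text C:\\WINDOWS\\system32\\services.exe[824] ADVAPI32.dll!CreateServiceW 77E37381 5 Bytes JMP 002B03FC
.text C:\\WINDOWS\\system32\\services.exe[824] ADVAPI32.dll!DeleteService 77E37489 5 Bytes JMP 002B0600
.text C:\\WINDOWS\\system32\\lsass.exe[836] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 002C0804
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>\S+)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)(?:\s*\+\s*(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<len>\d+)\s+Bytes?\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})|\[(?P<patch>[0-9A-Fa-f]{2})\])$"
)

# Assumption: on 32-bit Windows XP the system DLLs in this log load near
# 0x7C800000-0x7E4xxxxx. A 5-byte JMP whose target lies far below that region
# points into code that was injected into the process, not into another DLL.
SYSTEM_DLL_FLOOR = 0x70000000


def parse_hooks(text):
    """Return one dict per hook entry; lines that do not match are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hooks.append({
            "image": d["image"],
            "pid": int(d["pid"]),
            "module": d["module"],
            "export": d["export"],
            "offset": int(d["off"], 16) if d["off"] else 0,
            "addr": int(d["addr"], 16),
            "len": int(d["len"]),
            "kind": "jmp" if d["target"] else "patch",
            "target": int(d["target"], 16) if d["target"] else None,
            "patch_byte": int(d["patch"], 16) if d["patch"] else None,
        })
    return hooks


def classify(hooks):
    """Group findings per process. Every entry is a modification of a system
    DLL's code, so each is reported; JMPs into low memory are marked."""
    findings = defaultdict(list)
    for h in hooks:
        proc = f"{h['image']}[{h['pid']}]"
        name = f"{h['module']}!{h['export']}"
        if h["kind"] == "jmp":
            where = "injected region" if h["target"] < SYSTEM_DLL_FLOOR else "other module"
            findings[proc].append(f"{name} {h['addr']:08X} JMP {h['target']:08X} ({where})")
        else:
            findings[proc].append(f"{name}+{h['offset']:X} {h['addr']:08X} byte -> {h['patch_byte']:02X}")
    return dict(findings)


def shared_trampolines(hooks):
    """Map each 64 KiB page that JMP hooks land in to the PIDs using it.
    The same page reused by several exports in one process is one injected
    stub block; the same page across processes is per-process injection."""
    pages = defaultdict(set)
    for h in hooks:
        if h["kind"] == "jmp":
            pages[h["target"] & ~0xFFFF].add(h["pid"])
    return {f"{page:08X}": sorted(pids) for page, pids in pages.items()}


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_LOG)
    for proc, items in classify(parsed).items():
        print(proc)
        for item in items:
            print("   ", item)
    print(shared_trampolines(parsed))
```

Fed the full listing above instead of the sample, the same code shows the identical set of service-control, loader and window-hook exports patched in all three processes, with the 002B0000 and 002C0000 pages reused in each.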
... occurs. The original (overwritten) data is then stored in certain sectors on disk, for later counterfeiting of the file's content. The infector also changes the entry point of the infected file to the address of the 824-byte code.

II.4.2 Rootkit's survive-reboot strategy

Previous TDL/TDSS variants survived reboot by creating startup services for themselves and keeping their malicious code in ordinary files. So what is new in TDL3? The author(s) decided to go lower and deeper. The rootkit no longer uses the file system to store its files; it reads and writes disk sectors directly. The main rootkit code is stored in the last sectors of the disk, at a sector number calculated by the formula

total_number_of_disk_sectors - (number_of_rootkit_sectors + number_of_overwritten_data_sectors)

On the next reboot, when the 824 bytes in the infected driver execute, the loader waits for file system setup to finish (by registering a file system notification routine), then loads and runs the rootkit stored in the last sectors of the disk. Figure 5 demonstrates how TDL3 performs the installation: the real rootkit code and the overwritten atapi.sys data are placed in a buffer at 0x817e1000. The total size of the data to be written is 0x5e00 bytes. Next, it writes this buffer to contiguous sectors starting at sector 0x3fffc0. Notice that 4 bytes of the written buffer are the rootkit's signature, 'TDL3' (without quotes). The 824-byte loader also checks for this signature when it reads these sectors back.

Figure 4. The 824-byte loader checks for the TDL3 signature

II.4.3 Rootkit's direct read/write feature

Another interesting feature of the infector/dropper is its approach of issuing read/write/query requests directly to the hard disk through the infected miniport driver's dispatch routine.

Figure 5. TDL3 uses SCSI requests to write the rootkit code to the hard disk

For example, as seen in Figure 5,
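The placement formula and the signature check described in II.4.2 are the two facts a responder can act on: the payload is not in any file, but it sits at a predictable distance from the end of the disk and starts with a fixed 4-byte marker. The following is an added example, not code from the original analysis or from the rootkit, that models the write the dropper performs into a constructed disk image, the loader's read-back-and-check, and a forensic scan of the disk tail for the marker. Assumptions not stated in the text: 512-byte sectors, the signature at the start of the written buffer, the overwritten atapi.sys data following the rootkit body, and a constructed in-memory image in place of a physical drive (on a live system the same scan would read the raw disk device).

```python
"""Locate and verify a payload hidden in the last sectors of a disk, TDL3 style.

Added example; not code from the original analysis or from the rootkit. It
models only what the text states: the rootkit body and the overwritten
atapi.sys data are written to contiguous sectors starting at
    total_sectors - (rootkit_sectors + overwritten_data_sectors)
with the 4-byte ASCII signature 'TDL3' in the written buffer, which the
824-byte loader checks when it reads the sectors back. Assumptions: 512-byte
sectors, the signature at the start of the buffer, the overwritten data
placed after the body, and a constructed image instead of a real drive.
"""

SECTOR = 512
SIGNATURE = b"TDL3"


def sectors_for(nbytes):
    """Whole sectors needed for nbytes; the sample's 0x5e00-byte buffer needs 47."""
    return (nbytes + SECTOR - 1) // SECTOR


def hidden_start_sector(total_sectors, rootkit_sectors, overwritten_sectors):
    """The placement formula from the text, in sectors."""
    return total_sectors - (rootkit_sectors + overwritten_sectors)


def build_infected_image(total_sectors, rootkit_body, overwritten_data):
    """Constructed image: zero-filled disk with the payload in the tail sectors.

    Returns (image, start_sector). Mirrors the write the dropper performs so
    the scanner below has something realistic to find.
    """
    rk = SIGNATURE + rootkit_body
    rk_sectors = sectors_for(len(rk))
    start = hidden_start_sector(total_sectors, rk_sectors,
                                sectors_for(len(overwritten_data)))
    if start < 0:
        raise ValueError("payload does not fit on the disk")
    image = bytearray(total_sectors * SECTOR)
    off = start * SECTOR
    image[off:off + len(rk)] = rk
    # assumption: the overwritten driver data follows the body, sector-aligned
    ow_off = off + rk_sectors * SECTOR
    image[ow_off:ow_off + len(overwritten_data)] = overwritten_data
    return bytes(image), start


def loader_read_back(image, start_sector, rootkit_sectors):
    """What the 824-byte loader does at boot: read the sectors, check the
    signature, and return the rootkit body, or None if the marker is absent
    (e.g. the tail of the disk was wiped)."""
    off = start_sector * SECTOR
    buf = image[off:off + rootkit_sectors * SECTOR]
    if buf[:len(SIGNATURE)] != SIGNATURE:
        return None
    return buf[len(SIGNATURE):]


def find_hidden_payload(image, tail_sectors=256):
    """Forensic scan: test each sector boundary in the last tail_sectors of the
    disk for the signature. Returns (sector, bytes from there to end of disk)
    or None for a clean disk. Like the loader, the scanner only has the marker
    to go on; no size field is stored on disk, so it returns the whole tail."""
    total = len(image) // SECTOR
    for sec in range(max(0, total - tail_sectors), total):
        off = sec * SECTOR
        if image[off:off + len(SIGNATURE)] == SIGNATURE:
            return sec, image[off:]
    return None


if __name__ == "__main__":
    # Constructed sizes: 3000-byte body and 1024 bytes of overwritten driver
    # data on a 4096-sector (2 MiB) image.
    img, start = build_infected_image(0x1000, b"\x90" * 3000, b"A" * 1024)
    hit = find_hidden_payload(img)
    print(f"written at sector {start:#x}, scanner found sector {hit[0]:#x}")
```

Because the loader trusts nothing but the marker, a scan over the raw device (not through the file system, which the rootkit filters) only needs the marker too; the formula just tells you how far from the end to look.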