如何在内核转储中获取 Section 对象的内容
How to get the content of a Section object in a kernel dump
来自 3thParty 供应商的部分对象被命名为 rpsPdf10.mutex,其预期用途是通过向其写入布尔标志来模拟信号量。
使用 LiveKd 并在 SO 的大量帮助下,我发出了以下命令,试图获取此 Section 对象的详细信息。
0: kd>!process 0 0 3thParty.exe
...
PROCESS fffffa800ea80060
SessionId: 0 Cid: 0a00 Peb: fffdf000 ParentCid: 014c
DirBase: 99349000 ObjectTable: fffff8a004448bf0 HandleCount: 338.
Image: 3thParty.exe
...
0: kd> !handle 0 7 fffffa800ea80060
...
08 fffff8a012e26710 Section rpsPdf10.mutex
...
0: kd> !object fffff8a012e26710
Object: fffff8a012e26710 Type: (fffffa800cd7cea0) Section
ObjectHeader: fffff8a012e266e0 (new version)
HandleCount: 38 PointerCount: 39
Directory Object: fffff8a00a980080 Name: rpsPdf10.mutex
0: kd> dt -r1 nt!_SECTION_OBJECT 0xfffff8a012e26710
+0x000 StartingVa : 0x00000022`00000100 Void
+0x008 EndingVa : 0x00000000`0008dfb0 Void
+0x010 Parent : 0xfffffa80`c0000001 Void
+0x018 LeftChild : (null)
+0x020 RightChild : 0xfffffa80`00000034 Void
+0x028 Segment : 0xfffff8a0`102d7820 _SEGMENT_OBJECT
+0x000 BaseAddress : 0xfffffa80`0fbed900 Void
+0x008 TotalNumberOfPtes : 1
+0x010 SizeOfSegment : _LARGE_INTEGER 0x1
+0x018 NonExtendedPtes : 0x1000
+0x01c ImageCommitment : 0
+0x020 ControlArea : (null)
+0x028 Subsection : (null)
+0x030 MmSectionFlags : 0xfffffa80`10987b10 _MMSECTION_FLAGS
+0x038 MmSubSectionFlags : 0x00000000`03400000 _MMSUBSECTION_FLAGS
我觉得这一切都是正确的,但我怎样才能找到该部分的内容?
注意事项 机器是 32 位,os 是 win7,windbg 版本是内部预览 16278 命令是 arch agnostic 和指针算法(如果有的话)拱依赖
并且遍历是在实时二进制文件上进行的,而不是在转储中,因为该页面很有可能已在转储中分页并且演示可能不确定我可能会在稍后添加到这个答案
获取内容表单部分有点复杂
(有几种类型的Section like
1) ALPC 部分(com 对象)
2) 文件备份部分
3) PageFileBacked 部分等
下面的演练是针对页面文件支持的部分(most 普通类型)
假设您编译并执行了下面的代码
该 exe 将在全局命名空间
中创建一个 SectionObject
并且内容将由 PagingFile 支持,并将等待
按键
#include <windows.h>
#include <stdio.h>
#define bsize 256
int main(){
char szMsg[]={"Message from blabb to lieven from Stack Overflow."};
int ret = NULL;
HANDLE hMap = CreateFileMapping((HANDLE)-1,NULL,4,0,bsize,"Global\MyMap");
if(hMap){
PCHAR buff = (PCHAR) MapViewOfFile(hMap,0xf001f,0,0,bsize);
if(buff){
CopyMemory(buff, szMsg, sizeof(szMsg));
ret = getchar();
UnmapViewOfFile(buff);
}
CloseHandle(hMap);
}
return ret;
}
假设进程正在等待按键启动 livekd 或设置实时内核调试连接,如果它是 运行 在远程机器/vm
C:>livekd -k "c:\Program Files\Windows Kits\Debuggers\x86\cdb.exe"
LiveKd v5.62 - Execute kd/windbg on a live system
Launching c:\Program Files\Windows Kits\Debuggers\x86\cdb.exe:
Microsoft (R) Windows Debugger Version 10.0.16278.1000 X86
获取 _EPROCESS 并设置上下文
kd> !process 0 0 secobj.exe
PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4
DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9.
Image: secobj.exe
kd> .process /p /r 8605ab28
Implicit process is now 8605ab28
kd> ? @$proc
Evaluate expression: -2046448856 = 8605ab28
kd> ?? (char *)@$proc->ImageFileName
char * 0x8605ac94
"secobj.exe"
在我们的进程通知中查找类型为 Section 的句柄
部分在全局命名空间中命名 windbg 为我们解密
kd> !handle 0 3 @$proc Section
Searching for handles of type Section
PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4
DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9.
Image: secobj.exe
Handle table at c288ba00 with 9 entries in use
0024: Object: c238e9c8 GrantedAccess: 000f0007 Entry: c37b7048
Object: c238e9c8 Type: (84ec6040) Section
ObjectHeader: c238e9b0 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 98a0f170 Name: MyMap
转储 SectionObject
kd> dt nt!_SECTION_OBJECT c238e9c8
+0x000 StartingVa : 0xc227e2c8 Void
+0x004 EndingVa : 0x00d3db6c Void
+0x008 Parent : 0xb0d3db20 Void
+0x00c LeftChild : (null)
+0x010 RightChild : 0x00000003 Void
+0x014 Segment : 0xc36aba20 _SEGMENT_OBJECT
kd> $$ 注意 Last Segment 成员不是 SEGMENT_OBJECT 而是
nt!_segment 或实际上指向此部分的 ControlArea 的指针
kd> dt nt!_SEGMENT 0xc36aba20
+0x000 ControlArea : 0x85182d08 _CONTROL_AREA
+0x004 TotalNumberOfPtes : 1
+0x008 SegmentFlags : _SEGMENT_FLAGS
+0x00c NumberOfCommittedPages : 1
+0x010 SizeOfSegment : 0x1000
+0x018 ExtendInfo : (null)
+0x018 BasedAddress : (null)
+0x01c SegmentLock : _EX_PUSH_LOCK
+0x020 u1 : <unnamed-tag>
+0x024 u2 : <unnamed-tag>
+0x028 PrototypePte : 0xc36aba50 _MMPTE
+0x030 ThePtes : [1] _MMPTE
kd>$$可以把union u2展开,把union的FirstMappedVa dump出来看看本节内容
kd> dt nt!_SEGMENT u2.FirstMappedVa 0xc36aba20
+0x024 u2 :
+0x000 FirstMappedVa : 0x000e0000 Void
倾倒内容
kd> da 0xe0000
000e0000 "Message from blabb to lieven fro"
000e0020 "m Stack Overflow."
kd>
或者执行 !ca 获取指向第一页的 FirstMappedVa
如果内容大于一页边界,则获取它们是
有点乏味,因为它们可能已被调出并需要执行
操作,因此处理页面错误以使它们进入视图
kd> !ca poi(0xc36aba20)
ControlArea @ 85182d08
Segment c36aba20 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 0 Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 00000000 ModWriteCount 0 System Views 0
WritableRefs 0
Flags (2000) Commit
Pagefile-backed section
Segment @ c36aba20
ControlArea 85182d08 ExtendInfo 00000000
Total Ptes 1
Segment Size 1000 Committed 1
CreatingProcess 8605ab28 FirstMappedVa e0000 <-------------
ProtoPtes c36aba50
Flags (80000) ProtectionMask
Subsection 1 @ 85182d58
ControlArea 85182d08 Starting Sector 0 Number Of Sectors 0
Base Pte c36aba50 Ptes In Subsect 1 Unused Ptes 0
Flags 8 Sector Offset 0 Protection 4
kd>
添加另一个答案以显示另一个页面文件支持的部分内容
您可能需要转到创建进程并查看其虚拟地址而不是当前进程的位置
你可能知道 shell 在共享部分 global counters 中保留了一些
0104: Object: c2255450 GrantedAccess: 00000006 Entry: c5d9b208
Object: c2255450 Type: (84ec6040) Section
ObjectHeader: c2255438 (new version)
HandleCount: 6 PointerCount: 7
Directory Object: 9d662520 Name: windows_shell_global_counters
检索它们的代码
#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <shlwapi.h>
#pragma comment(lib,"shlwapi.lib")
//add all items in the ... place holder in arrays below
PCHAR enuname[] = { "GLOBALCOUNTER_SEARCHMANAGER",...};
int foo [] = { GLOBALCOUNTER_SEARCHMANAGER,...};
void main (void) {
long cval = NULL;
for(int i =0; i < _countof(foo) ;i++) {
cval = SHGlobalCounterGetValue((SHGLOBALCOUNTER)foo[i]);
printf ("%65s = %0x\n" ,enuname[i], cval);
}
}
编译并执行这个你可能会得到这样的结果(记住计数器是易变的所以你可能需要足够快来比较)
C:\secobj\shglob>shglob.exe | head -n 13
GLOBALCOUNTER_SEARCHMANAGER = 0
GLOBALCOUNTER_SEARCHOPTIONS = 0
GLOBALCOUNTER_FOLDERSETTINGSCHANGE = 0
GLOBALCOUNTER_RATINGS = 0
GLOBALCOUNTER_APPROVEDSITES = 0
GLOBALCOUNTER_RESTRICTIONS = 5
GLOBALCOUNTER_SHELLSETTINGSCHANGED = 2
GLOBALCOUNTER_SYSTEMPIDLCHANGE = 0
GLOBALCOUNTER_OVERLAYMANAGER = 0
GLOBALCOUNTER_QUERYASSOCIATIONS = 0
GLOBALCOUNTER_IESESSIONS = 0
GLOBALCOUNTER_IEONLY_SESSIONS = 0
GLOBALCOUNTER_APPLICATION_DESTINATIONS = 83
查看当前进程
kd> ? @$proc
Evaluate expression: -2033240552 = 86cf3618
kd> ?? (char *)@$proc->ImageFileName
char * 0x86cf3784
"cdb.exe"
kd> !handle 0 3 @$proc Section
0164: Object: c2255450 GrantedAccess: 00000006 Entry: c3df32c8
Object: c2255450 Type: (84ec6040) Section
ObjectHeader: c2255438 (new version)
HandleCount: 11 PointerCount: 12
Directory Object: 9d662520 Name: windows_shell_global_counters
kd> dc @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u2.FirstMappedVa)
00290000 ???????? ???????? ???????? ???????? ????????????????
00290010 ???????? ???????? ???????? ???????? ????????????????
00290020 ???????? ???????? ???????? ???????? ????????????????
00290030 ???????? ???????? ???????? ???????? ????????????????
00290040 ???????? ???????? ???????? ???????? ????????????????
00290050 ???????? ???????? ???????? ???????? ????????????????
00290060 ???????? ???????? ???????? ???????? ????????????????
00290070 ???????? ???????? ???????? ???????? ????????????????
可能是这个当前进程获得了 OpenFileMapping 的句柄但还没有映射它或者页面被调出(livekd 不能使用 pagein)我们似乎无法查看此部分内容
让我们看看是谁创建了这个共享部分
kd> ? @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u1.CreatingProcess)
Evaluate expression: -2050635184 = 85c5ca50
kd> !process 85c5ca50 0
PROCESS 85c5ca50 SessionId: 1 Cid: 0af4 Peb: 7ffd9000 ParentCid: 0704
DirBase: 7e271420 ObjectTable: c5d873c8 HandleCount: 888.
Image: explorer.exe
看起来合乎逻辑explorer.exe似乎创建了这个共享部分
让我们通过从创建进程虚拟地址转储 0n13 双字来检查
kd> .process /p /r 85c5ca50
kd> dc @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u2.FirstMappedVa) l0n13
00290000 00000000 00000000 00000000 00000000 ................
00290010 00000000 00000005 00000002 00000000 ................
00290020 00000000 00000000 00000000 00000000 ................
00290030 00000083 ....
来自 3thParty 供应商的部分对象被命名为 rpsPdf10.mutex,其预期用途是通过向其写入布尔标志来模拟信号量。
使用 LiveKd 并在 SO 的大量帮助下,我发出了以下命令,试图获取此 Section 对象的详细信息。
0: kd>!process 0 0 3thParty.exe
...
PROCESS fffffa800ea80060
SessionId: 0 Cid: 0a00 Peb: fffdf000 ParentCid: 014c
DirBase: 99349000 ObjectTable: fffff8a004448bf0 HandleCount: 338.
Image: 3thParty.exe
...
0: kd> !handle 0 7 fffffa800ea80060
...
08 fffff8a012e26710 Section rpsPdf10.mutex
...
0: kd> !object fffff8a012e26710
Object: fffff8a012e26710 Type: (fffffa800cd7cea0) Section
ObjectHeader: fffff8a012e266e0 (new version)
HandleCount: 38 PointerCount: 39
Directory Object: fffff8a00a980080 Name: rpsPdf10.mutex
0: kd> dt -r1 nt!_SECTION_OBJECT 0xfffff8a012e26710
+0x000 StartingVa : 0x00000022`00000100 Void
+0x008 EndingVa : 0x00000000`0008dfb0 Void
+0x010 Parent : 0xfffffa80`c0000001 Void
+0x018 LeftChild : (null)
+0x020 RightChild : 0xfffffa80`00000034 Void
+0x028 Segment : 0xfffff8a0`102d7820 _SEGMENT_OBJECT
+0x000 BaseAddress : 0xfffffa80`0fbed900 Void
+0x008 TotalNumberOfPtes : 1
+0x010 SizeOfSegment : _LARGE_INTEGER 0x1
+0x018 NonExtendedPtes : 0x1000
+0x01c ImageCommitment : 0
+0x020 ControlArea : (null)
+0x028 Subsection : (null)
+0x030 MmSectionFlags : 0xfffffa80`10987b10 _MMSECTION_FLAGS
+0x038 MmSubSectionFlags : 0x00000000`03400000 _MMSUBSECTION_FLAGS
我觉得这一切都是正确的,但我怎样才能找到该部分的内容?
注意事项
并且遍历是在实时二进制文件上进行的,而不是在转储中,因为该页面很有可能已在转储中分页并且演示可能不确定我可能会在稍后添加到这个答案
获取内容表单部分有点复杂
(有几种类型的Section like
1) ALPC 部分(com 对象)
2) 文件备份部分
3) PageFileBacked 部分等
下面的演练是针对页面文件支持的部分(most 普通类型)
假设您编译并执行了下面的代码
该 exe 将在全局命名空间
中创建一个 SectionObject
并且内容将由 PagingFile 支持,并将等待
按键
#include <windows.h>
#include <stdio.h>
#define bsize 256
int main(){
char szMsg[]={"Message from blabb to lieven from Stack Overflow."};
int ret = NULL;
HANDLE hMap = CreateFileMapping((HANDLE)-1,NULL,4,0,bsize,"Global\MyMap");
if(hMap){
PCHAR buff = (PCHAR) MapViewOfFile(hMap,0xf001f,0,0,bsize);
if(buff){
CopyMemory(buff, szMsg, sizeof(szMsg));
ret = getchar();
UnmapViewOfFile(buff);
}
CloseHandle(hMap);
}
return ret;
}
假设进程正在等待按键启动 livekd 或设置实时内核调试连接,如果它是 运行 在远程机器/vm
C:>livekd -k "c:\Program Files\Windows Kits\Debuggers\x86\cdb.exe"
LiveKd v5.62 - Execute kd/windbg on a live system
Launching c:\Program Files\Windows Kits\Debuggers\x86\cdb.exe:
Microsoft (R) Windows Debugger Version 10.0.16278.1000 X86
获取 _EPROCESS 并设置上下文
kd> !process 0 0 secobj.exe
PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4
DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9.
Image: secobj.exe
kd> .process /p /r 8605ab28
Implicit process is now 8605ab28
kd> ? @$proc
Evaluate expression: -2046448856 = 8605ab28
kd> ?? (char *)@$proc->ImageFileName
char * 0x8605ac94
"secobj.exe"
在我们的进程通知中查找类型为 Section 的句柄 部分在全局命名空间中命名 windbg 为我们解密
kd> !handle 0 3 @$proc Section
Searching for handles of type Section
PROCESS 8605ab28 SessionId: 1 Cid: 0fbc Peb: 7ffd9000 ParentCid: 0af4
DirBase: 7e2712e0 ObjectTable: c288ba00 HandleCount: 9.
Image: secobj.exe
Handle table at c288ba00 with 9 entries in use
0024: Object: c238e9c8 GrantedAccess: 000f0007 Entry: c37b7048
Object: c238e9c8 Type: (84ec6040) Section
ObjectHeader: c238e9b0 (new version)
HandleCount: 1 PointerCount: 2
Directory Object: 98a0f170 Name: MyMap
转储 SectionObject
kd> dt nt!_SECTION_OBJECT c238e9c8
+0x000 StartingVa : 0xc227e2c8 Void
+0x004 EndingVa : 0x00d3db6c Void
+0x008 Parent : 0xb0d3db20 Void
+0x00c LeftChild : (null)
+0x010 RightChild : 0x00000003 Void
+0x014 Segment : 0xc36aba20 _SEGMENT_OBJECT
kd> $$ 注意 Last Segment 成员不是 SEGMENT_OBJECT 而是
nt!_segment 或实际上指向此部分的 ControlArea 的指针
kd> dt nt!_SEGMENT 0xc36aba20
+0x000 ControlArea : 0x85182d08 _CONTROL_AREA
+0x004 TotalNumberOfPtes : 1
+0x008 SegmentFlags : _SEGMENT_FLAGS
+0x00c NumberOfCommittedPages : 1
+0x010 SizeOfSegment : 0x1000
+0x018 ExtendInfo : (null)
+0x018 BasedAddress : (null)
+0x01c SegmentLock : _EX_PUSH_LOCK
+0x020 u1 : <unnamed-tag>
+0x024 u2 : <unnamed-tag>
+0x028 PrototypePte : 0xc36aba50 _MMPTE
+0x030 ThePtes : [1] _MMPTE
kd>$$可以把union u2展开,把union的FirstMappedVa dump出来看看本节内容
kd> dt nt!_SEGMENT u2.FirstMappedVa 0xc36aba20
+0x024 u2 :
+0x000 FirstMappedVa : 0x000e0000 Void
倾倒内容
kd> da 0xe0000
000e0000 "Message from blabb to lieven fro"
000e0020 "m Stack Overflow."
kd>
或者执行 !ca 获取指向第一页的 FirstMappedVa
如果内容大于一页边界,则获取它们是
有点乏味,因为它们可能已被调出并需要执行
操作,因此处理页面错误以使它们进入视图
kd> !ca poi(0xc36aba20)
ControlArea @ 85182d08
Segment c36aba20 Flink 00000000 Blink 00000000
Section Ref 1 Pfn Ref 0 Mapped Views 1
User Ref 2 WaitForDel 0 Flush Count 0
File Object 00000000 ModWriteCount 0 System Views 0
WritableRefs 0
Flags (2000) Commit
Pagefile-backed section
Segment @ c36aba20
ControlArea 85182d08 ExtendInfo 00000000
Total Ptes 1
Segment Size 1000 Committed 1
CreatingProcess 8605ab28 FirstMappedVa e0000 <-------------
ProtoPtes c36aba50
Flags (80000) ProtectionMask
Subsection 1 @ 85182d58
ControlArea 85182d08 Starting Sector 0 Number Of Sectors 0
Base Pte c36aba50 Ptes In Subsect 1 Unused Ptes 0
Flags 8 Sector Offset 0 Protection 4
kd>
添加另一个答案以显示另一个页面文件支持的部分内容 您可能需要转到创建进程并查看其虚拟地址而不是当前进程的位置
你可能知道 shell 在共享部分 global counters 中保留了一些
0104: Object: c2255450 GrantedAccess: 00000006 Entry: c5d9b208
Object: c2255450 Type: (84ec6040) Section
ObjectHeader: c2255438 (new version)
HandleCount: 6 PointerCount: 7
Directory Object: 9d662520 Name: windows_shell_global_counters
检索它们的代码
#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <shlwapi.h>
#pragma comment(lib,"shlwapi.lib")
//add all items in the ... place holder in arrays below
PCHAR enuname[] = { "GLOBALCOUNTER_SEARCHMANAGER",...};
int foo [] = { GLOBALCOUNTER_SEARCHMANAGER,...};
void main (void) {
long cval = NULL;
for(int i =0; i < _countof(foo) ;i++) {
cval = SHGlobalCounterGetValue((SHGLOBALCOUNTER)foo[i]);
printf ("%65s = %0x\n" ,enuname[i], cval);
}
}
编译并执行这个你可能会得到这样的结果(记住计数器是易变的所以你可能需要足够快来比较)
C:\secobj\shglob>shglob.exe | head -n 13
GLOBALCOUNTER_SEARCHMANAGER = 0
GLOBALCOUNTER_SEARCHOPTIONS = 0
GLOBALCOUNTER_FOLDERSETTINGSCHANGE = 0
GLOBALCOUNTER_RATINGS = 0
GLOBALCOUNTER_APPROVEDSITES = 0
GLOBALCOUNTER_RESTRICTIONS = 5
GLOBALCOUNTER_SHELLSETTINGSCHANGED = 2
GLOBALCOUNTER_SYSTEMPIDLCHANGE = 0
GLOBALCOUNTER_OVERLAYMANAGER = 0
GLOBALCOUNTER_QUERYASSOCIATIONS = 0
GLOBALCOUNTER_IESESSIONS = 0
GLOBALCOUNTER_IEONLY_SESSIONS = 0
GLOBALCOUNTER_APPLICATION_DESTINATIONS = 83
查看当前进程
kd> ? @$proc
Evaluate expression: -2033240552 = 86cf3618
kd> ?? (char *)@$proc->ImageFileName
char * 0x86cf3784
"cdb.exe"
kd> !handle 0 3 @$proc Section
0164: Object: c2255450 GrantedAccess: 00000006 Entry: c3df32c8
Object: c2255450 Type: (84ec6040) Section
ObjectHeader: c2255438 (new version)
HandleCount: 11 PointerCount: 12
Directory Object: 9d662520 Name: windows_shell_global_counters
kd> dc @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u2.FirstMappedVa)
00290000 ???????? ???????? ???????? ???????? ????????????????
00290010 ???????? ???????? ???????? ???????? ????????????????
00290020 ???????? ???????? ???????? ???????? ????????????????
00290030 ???????? ???????? ???????? ???????? ????????????????
00290040 ???????? ???????? ???????? ???????? ????????????????
00290050 ???????? ???????? ???????? ???????? ????????????????
00290060 ???????? ???????? ???????? ???????? ????????????????
00290070 ???????? ???????? ???????? ???????? ????????????????
可能是这个当前进程获得了 OpenFileMapping 的句柄但还没有映射它或者页面被调出(livekd 不能使用 pagein)我们似乎无法查看此部分内容
让我们看看是谁创建了这个共享部分
kd> ? @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u1.CreatingProcess)
Evaluate expression: -2050635184 = 85c5ca50
kd> !process 85c5ca50 0
PROCESS 85c5ca50 SessionId: 1 Cid: 0af4 Peb: 7ffd9000 ParentCid: 0704
DirBase: 7e271420 ObjectTable: c5d873c8 HandleCount: 888.
Image: explorer.exe
看起来合乎逻辑explorer.exe似乎创建了这个共享部分
让我们通过从创建进程虚拟地址转储 0n13 双字来检查
kd> .process /p /r 85c5ca50
kd> dc @@c++(((nt!_segment *)((nt!_section_object *) 0xc2255450)->Segment)->u2.FirstMappedVa) l0n13
00290000 00000000 00000000 00000000 00000000 ................
00290010 00000000 00000005 00000002 00000000 ................
00290020 00000000 00000000 00000000 00000000 ................
00290030 00000083 ....