The publicly available articles of this "IT談話館" (IT Discussion Hall) are written for senior Windows engineers with ten or more years of hands-on experience. The Hall has highly advanced techniques, and a track record, in analyzing the depths of the Windows kernel and in detecting and analyzing "anomalous behavior" inside a system, the causes of crashes first among them.
Windows 10 Active Memory Dump and DLL Analysis (Advanced)
The publicly available articles of this "IT談話館" are written on the basis of analysis results from Active Memory Dumps and kernel memory dumps. The Hall's chief writer, Takashi Toyoda (豊田孝), is a leading authority on DKOM (Direct Kernel Object Manipulation)-based analysis techniques and is at the forefront of Windows kernel-space analysis worldwide.
Security problems can no longer be ignored today. The burden is growing not only on Microsoft's side but also on the side of the users of its products. Troublesome as that is, it cannot be avoided for the time being. Looking at the "Windows 10 software sensor" from a security standpoint, within the range this "IT談話館" has confirmed, the following layers of protection mechanisms have been devised and implemented in addition to the "kernel-layer protection logic". All of the links below point to articles of this Hall.
- Silo/Server Silo
- Job
- Session
- Protected Process
- Mandatory Integrity Control (MIC)
- Windows API (+CPU)
- CPU
Following on from "Windows 10 Active Memory Dump and DLL Analysis (Basics)", this article analyzes the Active Memory Dump introduced with Windows 10 and examines the relationship between applications (processes) and libraries (DLLs) that belongs to the "Windows API (+CPU)" layer above. The Hall's own analysis code used in this work implements the following functions and can be applied without modification to Windows 10 Active Memory Dumps and kernel memory dumps collected in the latest OS environments. Note that acquiring the knowledge needed to develop such analysis code requires an investment of time and budget.
- Collect the PE format information of the DLL under analysis
- Display the DLL's image base address
- Display the DLL's full path
- Display the reason the DLL was loaded
- Display the DLL's Flags value
- Display the parent-child relationships between DLLs
The Active Memory Dump analyzed in this article is the following.
0: kd> vertarget
Windows 10 Kernel Version 18362 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 18362.1.amd64fre.19h1_release.190318-1202
Machine Name:
Kernel base = 0xfffff804`59a00000 PsLoadedModuleList = 0xfffff804`59e480b0
Debug session time: Sun Nov 3 09:56:47.110 2019 (UTC + 9:00)
System Uptime: 0 days 1:42:54.949
Google Chrome was running when this dump was taken, so here we analyze information about the Chrome-related processes. Chrome launches multiple sandbox-based instances, and some of those instances had already finished their role and exited. Instances that have already exited cannot be analyzed, so we first get an overview of this part of the system and prepare before starting the analysis proper.
Started..
-0xFFFFC489270130C0 ProL->00 Peb->0x00000046b3b11000 VmDelete->1 SelfDelete->0 chrome.exe
+0xFFFFC48924B9A080 ProL->00 Peb->0x0000007194d17000 VmDelete->0 SelfDelete->0 chrome.exe
+0xFFFFC489267EE080 ProL->00 Peb->0x00000063d361e000 VmDelete->0 SelfDelete->0 chrome.exe
+0xFFFFC48924BF5080 ProL->00 Peb->0x00000002c0ce7000 VmDelete->0 SelfDelete->0 chrome.exe
+0xFFFFC48925830080 ProL->00 Peb->0x00000083aa7a7000 VmDelete->0 SelfDelete->0 chrome.exe
+0xFFFFC48925CCE080 ProL->00 Peb->0x000000ba99a14000 VmDelete->0 SelfDelete->0 chrome.exe
-0xFFFFC489250EC080 ProL->00 Peb->0x0000007de87b9000 VmDelete->1 SelfDelete->0 chrome.exe
-0xFFFFC48925437080 ProL->00 Peb->0x000000eff40ae000 VmDelete->1 SelfDelete->0 chrome.exe
-0xFFFFC489264E1080 ProL->00 Peb->0x000000536f069000 VmDelete->1 SelfDelete->1 chrome.exe
-0xFFFFC48920B72080 ProL->00 Peb->0x00000061df82c000 VmDelete->1 SelfDelete->1 chrome.exe
+0xFFFFC48926DEB080 ProL->00 Peb->0x0000003ff7c47000 VmDelete->0 SelfDelete->0 chrome.exe
Ended..
In this output, two entries are shown in red. The VM (virtual memory) that had been allocated to the second red-marked Chrome process, "0xFFFFC489250EC080", has already been deleted, so that process is excluded from this analysis. The VM of the first red-marked process, "0xFFFFC48924B9A080", has not been deleted. Since the information we want is therefore still in memory, this article analyzes the set of DLLs on which that process depends.
Running the Hall's own analysis code returns the following result.
+0xFFFFC48924B9A080 chrome.exe Peb->0x0000007194d17000
+000 Base:0x00007ff6e2c40000 Parent->0x0000000000000000 LdR->04 Flags->0x000022cc chrome.exe
+001 Base:0x00007ff880740000 Parent->0x0000000000000000 LdR->00 Flags->0x0000a2c4 ntdll.dll
+002 Base:0x00007ff87fbe0000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc KERNEL32.DLL
+003 Base:0x00007ff87dfa0000 Parent->0x00007ff87fbe0000 LdR->00 Flags->0x0008a2cc KERNELBASE.dll
+004 Base:0x00007ff870dc0000 Parent->0x00007ff6e2c40000 LdR->00 Flags->0x100822ec chrome_elf.dll
+005 Base:0x00007ff876fb0000 Parent->0x00007ff6e2c40000 LdR->00 Flags->0x0008a2ec VERSION.dll
+006 Base:0x00007ff8803f0000 Parent->0x00007ff876fb0000 LdR->00 Flags->0x0008a2ec msvcrt.dll
+007 Base:0x00007ff87fac0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc ADVAPI32.dll
+008 Base:0x00007ff8805e0000 Parent->0x00007ff87fac0000 LdR->00 Flags->0x000ca2cc sechost.dll
+009 Base:0x00007ff87fdf0000 Parent->0x00007ff8805e0000 LdR->00 Flags->0x0008a2cc RPCRT4.dll
+010 Base:0x00007ff87d050000 Parent->0x00007ff87fac0000 LdR->02 Flags->0x0008a2cc CRYPTBASE.DLL
+011 Base:0x00007ff87e770000 Parent->0x00007ff87d050000 LdR->00 Flags->0x000ca2cc bcryptPrimitives.dll
+012 Base:0x00007ff871520000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc WINMM.dll
+013 Base:0x00007ff8714e0000 Parent->0x00007ff871520000 LdR->00 Flags->0x000ca2cc WINMMBASE.dll
+014 Base:0x00007ff87d7a0000 Parent->0x00007ff8714e0000 LdR->00 Flags->0x000ca2cc cfgmgr32.dll
+015 Base:0x00007ff87e470000 Parent->0x00007ff87d7a0000 LdR->00 Flags->0x0008a2cc ucrtbase.dll
+016 Base:0x00007ff87edb0000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc user32.dll
+017 Base:0x00007ff87d7f0000 Parent->0x00007ff87edb0000 LdR->00 Flags->0x0008a2cc win32u.dll
+018 Base:0x00007ff880500000 Parent->0x00007ff87edb0000 LdR->00 Flags->0x000ca2cc GDI32.dll
+019 Base:0x00007ff87e570000 Parent->0x00007ff880500000 LdR->00 Flags->0x000ca2cc gdi32full.dll
+020 Base:0x00007ff87e250000 Parent->0x00007ff87e570000 LdR->00 Flags->0x000ca2cc msvcp_win.dll
+021 Base:0x00007ff8803c0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc IMM32.DLL
+022 Base:0x00007ff87f3d0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc SHELL32.dll
+023 Base:0x00007ff8802b0000 Parent->0x00007ff87f3d0000 LdR->00 Flags->0x0008a2cc shcore.dll
+024 Base:0x00007ff87ff70000 Parent->0x00007ff8802b0000 LdR->00 Flags->0x0008a2cc combase.dll
+025 Base:0x00007ff87d820000 Parent->0x00007ff87f3d0000 LdR->00 Flags->0x0008a2cc windows.storage.dll
+026 Base:0x00007ff87d640000 Parent->0x00007ff87d820000 LdR->00 Flags->0x000ca2cc profapi.dll
+027 Base:0x00007ff87d680000 Parent->0x00007ff87d820000 LdR->00 Flags->0x000ca2cc powrprof.dll
+028 Base:0x00007ff87d610000 Parent->0x00007ff87d680000 LdR->00 Flags->0x0008a2cc UMPDC.dll
+029 Base:0x00007ff87fb70000 Parent->0x00007ff87d820000 LdR->00 Flags->0x0008a2cc shlwapi.dll
+030 Base:0x00007ff87d620000 Parent->0x00007ff87d820000 LdR->00 Flags->0x0008a2cc kernel.appcore.dll
+031 Base:0x00007ff87d780000 Parent->0x00007ff87f3d0000 LdR->00 Flags->0x000ca2cc cryptsp.dll
+032 Base:0x00007ff854a50000 Parent->0x0000000000000000 LdR->04 Flags->0x000822cc chrome.dll
+033 Base:0x00007ff87b970000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc uxtheme.dll
+034 Base:0x00007ff87d500000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc USERENV.dll
+035 Base:0x00007ff87c240000 Parent->0x00007ff87dfa0000 LdR->03 Flags->0x0008a2cc gpapi.dll
+036 Base:0x00007ff8782c0000 Parent->0x00007ff8802b0000 LdR->03 Flags->0x000ca2cc wkscli.dll
+037 Base:0x00007ff87e440000 Parent->0x00007ff8782c0000 LdR->00 Flags->0x000ca2cc bcrypt.dll
+038 Base:0x00007ff87cbd0000 Parent->0x00007ff8802b0000 LdR->03 Flags->0x000ca2cc netutils.dll
+039 Base:0x00007ff87fca0000 Parent->0x00007ff8803c0000 LdR->03 Flags->0x0008a2cc MSCTF.dll
+040 Base:0x00007ff87e7f0000 Parent->0x00007ff87fca0000 LdR->00 Flags->0x0008a2cc OLEAUT32.dll
+041 Base:0x00007ff87ec50000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc ole32.dll
+042 Base:0x00007ff875760000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc Secur32.dll
+043 Base:0x00007ff87d530000 Parent->0x00007ff875760000 LdR->02 Flags->0x000ca2cc SSPICLI.DLL
+044 Base:0x00007ff86b710000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc DWrite.dll
+045 Base:0x00007ff87eb10000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc WS2_32.dll
+046 Base:0x00007ff8692f0000 Parent->0x0000000000000000 LdR->04 Flags->0x1008a2cc COMCTL32.dll
+047 Base:0x00007ff880530000 Parent->0x00007ff87ff70000 LdR->03 Flags->0x000ca2cc clbcatq.dll
+048 Base:0x00007ff87ba40000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc twinapi.appcore.dll
+049 Base:0x00007ff87bf50000 Parent->0x00007ff87ba40000 LdR->00 Flags->0x0008a2cc RMCLIENT.dll
+050 Base:0x00007ff868000000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc twinapi.dll
+051 Base:0x00007ff879330000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc NLAapi.dll
+052 Base:0x00007ff87cb90000 Parent->0x00007ff879330000 LdR->00 Flags->0x000ca2cc IPHLPAPI.DLL
+053 Base:0x00007ff87fde0000 Parent->0x00007ff87cb90000 LdR->03 Flags->0x000ca2cc NSI.dll
+054 Base:0x00007ff878c00000 Parent->0x00007ff87cb90000 LdR->03 Flags->0x000ca2cc dhcpcsvc6.DLL
+055 Base:0x00007ff878be0000 Parent->0x00007ff87cb90000 LdR->03 Flags->0x000ca2cc dhcpcsvc.DLL
+056 Base:0x00007ff87cbe0000 Parent->0x00007ff87cb90000 LdR->03 Flags->0x000ca2cc DNSAPI.dll
+057 Base:0x00007ff86e0d0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imjptip.dll
+058 Base:0x00007ff8768e0000 Parent->0x00007ff86e0d0000 LdR->00 Flags->0x0008a2cc iertutil.dll
+059 Base:0x00007ff8734b0000 Parent->0x00007ff86e0d0000 LdR->00 Flags->0x000ca2cc OLEACC.dll
+060 Base:0x00007ff879a20000 Parent->0x00007ff86e0d0000 LdR->00 Flags->0x000ca2cc PROPSYS.dll
+061 Base:0x00007ff87c650000 Parent->0x00007ff87fac0000 LdR->03 Flags->0x000ca2cc ntmarta.dll
+062 Base:0x00007ff86dce0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imjpapi.dll
+063 Base:0x00007ff87e2f0000 Parent->0x00007ff86dce0000 LdR->00 Flags->0x0008a2cc CRYPT32.dll
+064 Base:0x00007ff87d660000 Parent->0x00007ff87e2f0000 LdR->00 Flags->0x000ca2cc MSASN1.dll
+065 Base:0x00007ff875b30000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imjkapi.dll
+066 Base:0x00007ff878d80000 Parent->0x00007ff86dce0000 LdR->03 Flags->0x0008a2cc policymanager.dll
+067 Base:0x00007ff878cf0000 Parent->0x00007ff878d80000 LdR->00 Flags->0x0008a2cc msvcp110_win.dll
+068 Base:0x00007ff872af0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imjppred.dll
+069 Base:0x00007ff87a090000 Parent->0x00007ff872af0000 LdR->00 Flags->0x000ca2cc Cabinet.dll
+070 Base:0x00007ff86dba0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imetip.dll
+071 Base:0x00007ff86d9e0000 Parent->0x00007ff86dba0000 LdR->00 Flags->0x0008a2cc DUI70.dll
+072 Base:0x00007ff86d020000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imecfm.dll
+073 Base:0x00007ff87be70000 Parent->0x00007ff86d020000 LdR->00 Flags->0x000ca2cc wer.dll
+074 Base:0x00007ff879b10000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc mscms.dll
+075 Base:0x00007ff8799f0000 Parent->0x00007ff879b10000 LdR->00 Flags->0x0008a2cc ColorAdapterClient.dll
+076 Base:0x00007ff86fa30000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc Windows.UI.dll
+077 Base:0x00007ff872850000 Parent->0x00007ff86fa30000 LdR->00 Flags->0x0008a2cc TextInputFramework.dll
+078 Base:0x00007ff86f910000 Parent->0x00007ff86fa30000 LdR->00 Flags->0x0008a2cc InputHost.dll
+079 Base:0x00007ff873620000 Parent->0x00007ff872850000 LdR->00 Flags->0x0008a2cc CoreUIComponents.dll
+080 Base:0x00007ff87b440000 Parent->0x00007ff872850000 LdR->00 Flags->0x0008a2cc CoreMessaging.dll
+081 Base:0x00007ff8776f0000 Parent->0x00007ff86f910000 LdR->00 Flags->0x0008a2cc wintypes.dll
+082 Base:0x00007ff879de0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc WTSAPI32.dll
+083 Base:0x00007ff87c6c0000 Parent->0x00007ff879de0000 LdR->03 Flags->0x000ca2cc WINSTA.dll
+084 Base:0x00007ff877d10000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc MMDevApi.dll
+085 Base:0x00007ff87d410000 Parent->0x00007ff877d10000 LdR->00 Flags->0x000ca2cc DEVOBJ.dll
+086 Base:0x00007ff876da0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc WINHTTP.dll
+087 Base:0x00007ff87c500000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc FirewallAPI.dll
+088 Base:0x00007ff87c210000 Parent->0x00007ff87c500000 LdR->03 Flags->0x0008a2cc fwbase.dll
+089 Base:0x00007ff87ca30000 Parent->0x00007ff87e2f0000 LdR->03 Flags->0x000ca2cc DPAPI.dll
+090 Base:0x00007ff876750000 Parent->0x00007ff87f3d0000 LdR->03 Flags->0x000ca2cc LINKINFO.dll
+091 Base:0x00007ff872160000 Parent->0x00007ff87c500000 LdR->03 Flags->0x0008a2cc FWPolicyIOMgr.dll
+092 Base:0x00007ff86e4d0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc MsSpellCheckingFacility.dll
+093 Base:0x00007ff873b60000 Parent->0x00007ff86e4d0000 LdR->00 Flags->0x0008a2cc Bcp47Langs.dll
+094 Base:0x00007ff86fb90000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc OneCoreUAPCommonProxyStub.dll
+095 Base:0x00007ff86f040000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc dataexchange.dll
+096 Base:0x00007ff87ad80000 Parent->0x00007ff86f040000 LdR->00 Flags->0x000ca2cc d3d11.dll
+097 Base:0x00007ff87aba0000 Parent->0x00007ff86f040000 LdR->00 Flags->0x0008a2cc dcomp.dll
+098 Base:0x00007ff87c320000 Parent->0x00007ff87ad80000 LdR->00 Flags->0x000ca2cc dxgi.dll
+099 Base:0x00007ff87c290000 Parent->0x00007ff880500000 LdR->01 Flags->0x000ca2cc dxcore.dll
+100 Base:0x00007ff84d940000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc Windows.Media.dll
+101 Base:0x00007ff862f00000 Parent->0x00007ff84d940000 LdR->00 Flags->0x0008a2cc RTWorkQ.DLL
+102 Base:0x00007ff875550000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc atlthunk.dll
+103 Base:0x00007ff860f50000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc directmanipulation.dll
+104 Base:0x00007ff87bd90000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc dwmapi.dll
+105 Base:0x00007ff86c3b0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc explorerframe.dll
+106 Base:0x00007ff875a80000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc imesearchdll.dll
+107 Base:0x00007ff867050000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc wpnapps.dll
+108 Base:0x00007ff877e20000 Parent->0x00007ff867050000 LdR->00 Flags->0x0008a2cc XmlLite.dll
+109 Base:0x00007ff877a60000 Parent->0x00007ff867050000 LdR->03 Flags->0x0008a2cc usermgrcli.dll
+110 Base:0x00007ff87ce80000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc mswsock.dll
+111 Base:0x00007ff871e80000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc wbemprox.dll
+112 Base:0x00007ff875460000 Parent->0x00007ff871e80000 LdR->00 Flags->0x000ca2cc wbemcomn.dll
+113 Base:0x00007ff8782e0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc wlanapi.dll
+114 Base:0x00007ff871a90000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc wbemsvc.dll
+115 Base:0x00007ff871b50000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc fastprox.dll
+116 Base:0x00007ff870d20000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc amsi.dll
+117 Base:0x00007ff870c20000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc MpOav.dll
+118 Base:0x00007ff871970000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc wmiutils.dll
+119 Base:0x00007ff8767a0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc WmiPerfInst.dll
+120 Base:0x00007ff879820000 Parent->0x00007ff8767a0000 LdR->00 Flags->0x000ca2cc pdh.dll
+121 Base:0x00007ff866070000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc Windows.Devices.Bluetooth.dll
+122 Base:0x00007ff86ee90000 Parent->0x00007ff866070000 LdR->00 Flags->0x0008a2cc Windows.Networking.HostName.dll
+123 Base:0x00007ff85a780000 Parent->0x00007ff866070000 LdR->00 Flags->0x0008a2cc Windows.Networking.dll
+124 Base:0x00007ff864de0000 Parent->0x00007ff866070000 LdR->00 Flags->0x0008a2cc BiWinrt.dll
+125 Base:0x00007ff86a780000 Parent->0x00007ff85a780000 LdR->00 Flags->0x0008a2cc Windows.Networking.Connectivity.dll
+126 Base:0x00007ff8654f0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc Windows.Devices.Enumeration.dll
+127 Base:0x00007ff87a1d0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc Windows.Devices.Radios.dll
+128 Base:0x00007ff878680000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc NETAPI32.dll
+129 Base:0x00007ff876fc0000 Parent->0x00007ff878680000 LdR->02 Flags->0x000ca2cc SAMCLI.DLL
+130 Base:0x00007ff876d30000 Parent->0x00007ff876fc0000 LdR->03 Flags->0x000ca2cc SAMLIB.dll
+131 Base:0x00007ff875800000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc webauthn.dll
+132 Base:0x00007ff86f080000 Parent->0x0000000000000000 LdR->04 Flags->0x000822cc psmachine_64.dll
Ended..
A considerable amount of information is returned. In practical analysis, depending on the purpose, you verify the facts on the basis of the DLLs' PE format information, the parent-child relationships between DLLs, the reasons the DLLs were loaded, or subtly differing Flags values, and analyze the data from various angles. This work is creative and very engaging. The following output focuses on the Flags value and excludes the standard values.
+0xFFFFC48924B9A080 chrome.exe Peb->0x0000007194d17000
+000 Base:0x00007ff6e2c40000 Parent->0x0000000000000000 LdR->04 Flags->0x000022cc chrome.exe
+001 Base:0x00007ff880740000 Parent->0x0000000000000000 LdR->00 Flags->0x0000a2c4 ntdll.dll
+004 Base:0x00007ff870dc0000 Parent->0x00007ff6e2c40000 LdR->00 Flags->0x100822ec chrome_elf.dll
+005 Base:0x00007ff876fb0000 Parent->0x00007ff6e2c40000 LdR->00 Flags->0x0008a2ec VERSION.dll
+006 Base:0x00007ff8803f0000 Parent->0x00007ff876fb0000 LdR->00 Flags->0x0008a2ec msvcrt.dll
+032 Base:0x00007ff854a50000 Parent->0x0000000000000000 LdR->04 Flags->0x000822cc chrome.dll
+046 Base:0x00007ff8692f0000 Parent->0x0000000000000000 LdR->04 Flags->0x1008a2cc COMCTL32.dll
+132 Base:0x00007ff86f080000 Parent->0x0000000000000000 LdR->04 Flags->0x000822cc psmachine_64.dll
Ended..
Two DLLs are shown in red. Looking at the eighth hex digit of these DLLs' Flags values, they were loaded through a dynamic switch based on information in a configuration file. Searching the internet turns up a fair number of problem reports concerning "chrome_elf.dll". Its Flags value is "0x100822ec", and the "e" in the second digit from the right indicates a static import: if this DLL is missing, has been tampered with, or has some other problem, Chrome will fail to start or will behave abnormally. "COMCTL32.dll" was switch-loaded in the same way, but the "a" in the fourth digit from the right of its Flags value "0x1008a2cc" shows that this DLL is guarded as follows.
4160 DLL characteristics
    High entropy VA supported
    Dynamic base
    NX compatible
    Guard
For "COMCTL32.dll" the concern about tampering is reduced, but care is still needed about mistakes in the configuration file. "chrome_elf.dll", on the other hand, does not have this Guard set, so in addition to configuration mistakes, concern about tampering by a third party remains.
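The following Python script is an added example, not the Hall's analysis code (which is not public), and it covers the three steps above in one place: the "exclude the standard values" filter applied to the full listing, the reading of individual Flags digits for chrome_elf.dll and COMCTL32.dll, and the decoding of the 4160 DLL-characteristics word. It re-parses a constructed sample of 13 lines copied from the chrome.exe listing, names each bit of the Flags value using the bit names published in the ntdll symbols for _LDR_DATA_TABLE_ENTRY.Flags (Windows 8 and later), derives the standard values as those shared by a large share of the modules, reports which named bits an outlier has set or cleared relative to the baseline, and walks the Parent chain of a DLL back to the root image. The listing format, the regular expression, the 20% threshold and the helper names are assumptions of this example; the decoding works for any listing in the same format, not only the chrome.exe case shown.

```python
"""Decode and triage the per-module Flags values of an in-process DLL listing.
Added example, not the article's own analysis code; the sample lines below are a constructed sample copied from it."""
import re
from collections import Counter

# Bit names of ntdll!_LDR_DATA_TABLE_ENTRY.Flags (Windows 8 and later) as given by the
# public ntdll symbols; reserved bit ranges are left unnamed.
LDR_FLAG_BITS = {
    1 << 0: "PackagedBinary", 1 << 1: "MarkedForRemoval", 1 << 2: "ImageDll",
    1 << 3: "LoadNotificationsSent", 1 << 4: "TelemetryEntryProcessed", 1 << 5: "ProcessStaticImport",
    1 << 6: "InLegacyLists", 1 << 7: "InIndexes", 1 << 8: "ShimDll", 1 << 9: "InExceptionTable",
    1 << 12: "LoadInProgress", 1 << 13: "LoadConfigProcessed", 1 << 14: "EntryProcessed",
    1 << 15: "ProtectDelayLoad", 1 << 18: "DontCallForThreads", 1 << 19: "ProcessAttachCalled",
    1 << 20: "ProcessAttachFailed", 1 << 21: "CorDeferredValidate", 1 << 22: "CorImage",
    1 << 23: "DontRelocate", 1 << 24: "CorILOnly", 1 << 25: "ChpeImage",
    1 << 28: "Redirected", 1 << 31: "CompatDatabaseProcessed",
}
# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (dumpbin-style wording).
DLL_CHARACTERISTICS = {
    0x0020: "High entropy VA supported", 0x0040: "Dynamic base", 0x0080: "Force integrity",
    0x0100: "NX compatible", 0x0200: "No isolation", 0x0400: "No SEH", 0x0800: "No bind",
    0x1000: "AppContainer", 0x2000: "WDM driver", 0x4000: "Guard", 0x8000: "Terminal Server aware",
}
# Constructed sample: 13 module lines copied from the article's chrome.exe listing, plus its header.
SAMPLE = """
+0xFFFFC48924B9A080 chrome.exe Peb->0x0000007194d17000
+000 Base:0x00007ff6e2c40000 Parent->0x0000000000000000 LdR->04 Flags->0x000022cc chrome.exe
+001 Base:0x00007ff880740000 Parent->0x0000000000000000 LdR->00 Flags->0x0000a2c4 ntdll.dll
+002 Base:0x00007ff87fbe0000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc KERNEL32.DLL
+003 Base:0x00007ff87dfa0000 Parent->0x00007ff87fbe0000 LdR->00 Flags->0x0008a2cc KERNELBASE.dll
+004 Base:0x00007ff870dc0000 Parent->0x00007ff6e2c40000 LdR->00 Flags->0x100822ec chrome_elf.dll
+005 Base:0x00007ff876fb0000 Parent->0x00007ff6e2c40000 LdR->00 Flags->0x0008a2ec VERSION.dll
+006 Base:0x00007ff8803f0000 Parent->0x00007ff876fb0000 LdR->00 Flags->0x0008a2ec msvcrt.dll
+007 Base:0x00007ff87fac0000 Parent->0x0000000000000000 LdR->04 Flags->0x0008a2cc ADVAPI32.dll
+008 Base:0x00007ff8805e0000 Parent->0x00007ff87fac0000 LdR->00 Flags->0x000ca2cc sechost.dll
+009 Base:0x00007ff87fdf0000 Parent->0x00007ff8805e0000 LdR->00 Flags->0x0008a2cc RPCRT4.dll
+016 Base:0x00007ff87edb0000 Parent->0x0000000000000000 LdR->04 Flags->0x000ca2cc user32.dll
+032 Base:0x00007ff854a50000 Parent->0x0000000000000000 LdR->04 Flags->0x000822cc chrome.dll
+046 Base:0x00007ff8692f0000 Parent->0x0000000000000000 LdR->04 Flags->0x1008a2cc COMCTL32.dll
"""
LINE_RE = re.compile(
    r"^\+(?P<idx>\d{3}) Base:(?P<base>0x[0-9a-fA-F]+) Parent->(?P<parent>0x[0-9a-fA-F]+) "
    r"LdR->(?P<ldr>\d+) Flags->(?P<flags>0x[0-9a-fA-F]+) (?P<name>\S+)$")

def parse_listing(text):
    """Module lines -> dicts with integer fields; header and footer lines do not match and are skipped."""
    entries = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in text.splitlines())):
        d = m.groupdict()
        d["idx"], d["ldr"] = int(d["idx"]), int(d["ldr"])
        for key in ("base", "parent", "flags"):
            d[key] = int(d[key], 16)
        entries.append(d)
    return entries

def decode_bits(value, table):
    """Names of the set bits in ascending bit order; bits the table does not name are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unnamed = value & ~sum(table)  # keys are distinct powers of two, so their sum is their OR
    return names + (["unnamed:0x%x" % unnamed] if unnamed else [])

def common_flag_values(entries, min_share=0.2):
    """Flags values carried by at least min_share of the modules: the 'standard' values."""
    counts = Counter(e["flags"] for e in entries)
    return {v for v, n in counts.items() if n / len(entries) >= min_share}

def unusual_entries(entries, standard=None):
    """Modules whose Flags value is not standard: the same filter as the article's second listing."""
    standard = common_flag_values(entries) if standard is None else standard
    return [e for e in entries if e["flags"] not in standard]

def find_entry(entries, name):
    """Look a module up by file name, case-insensitively, as Windows file names are."""
    return next((e for e in entries if e["name"].lower() == name.lower()), None)

def flag_delta(entries, name, reference):
    """Named bits a module has set or cleared relative to a reference (baseline) Flags value."""
    diff = find_entry(entries, name)["flags"] ^ reference
    return {"set": decode_bits(diff & ~reference, LDR_FLAG_BITS),
            "cleared": decode_bits(diff & reference, LDR_FLAG_BITS)}

def load_chain(entries, name):
    """Follow Parent pointers from a module up to the root image; stops at a parent that is not listed."""
    by_base = {e["base"]: e for e in entries}
    chain, e = [], find_entry(entries, name)
    while e is not None and len(chain) < len(entries):  # length guard against a corrupted cycle
        chain.append(e["name"])
        e = by_base.get(e["parent"])
    return chain

if __name__ == "__main__":
    mods = parse_listing(SAMPLE)
    std = common_flag_values(mods)
    base = min(std, key=lambda v: bin(v).count("1"))  # baseline: the standard value with fewest bits set
    for e in unusual_entries(mods, std):
        print("%-16s 0x%08x %s" % (e["name"], e["flags"], flag_delta(mods, e["name"], base)))
    print(" <- ".join(load_chain(mods, "msvcrt.dll")), decode_bits(0x4160, DLL_CHARACTERISTICS))
```

On the sample, the standard values come out as 0x0008a2cc and 0x000ca2cc, and the outliers are exactly the seven modules that also survive the article's filter. Against the 0x0008a2cc baseline, chrome_elf.dll has Redirected and ProcessStaticImport set and ProtectDelayLoad cleared, which is the bit-level form of the "switch-loaded, static import, no guard" reading above, while COMCTL32.dll differs only by Redirected. The unnamed-bit fallback in decode_bits is there so that a value carrying a reserved bit is reported rather than silently passed over.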