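① Which parameter of the e5cc_8 sets the address?
I. Overview
"Black Pineapple" (BlackTech, T-APT-03) is an APT group that has long been active in Asia. Its earliest activity dates back to 2011, and it was disclosed by a foreign security company in May 2017.
Recently, the Tencent Yujian Threat Intelligence Center captured a new attack by this APT group. The attack is a spear-phishing campaign that uses Office documents as bait and delivers its payload through the latest 0day vulnerability. The payload is a RAT code-named PLEAD. Its main body is directly executable binary code (shellcode), compact and well crafted, which makes it very easy to evade antivirus detection.
From 2011 to the present, the Tencent Yujian Threat Intelligence Center has tracked this group over a span of six years and has captured several hundred samples and C&C domains in total.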
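II. Payload Delivery
1. Payload delivery in this attack
This attack uses spear phishing. The decoy file is a Traditional Chinese document carrying the latest Office 0day:
The malicious document embeds one PE payload and two OLE objects; the purpose of the OLE objects is to launch the PE payload. OLE 1 contains the exploit for the 0day CVE-2018-0802, and OLE 2 contains the exploit for CVE-2017-11882. Both vulnerabilities are in Eqnedt32.exe, the Microsoft Office Equation Editor.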
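(1) Vulnerability analysis
In the patch released in November, Microsoft fixed CVE-2017-11882 by binary-patching length checks into the function containing the stack overflow and into its caller. It also enabled ASLR for Eqnedt32.exe, which makes exploitation harder. The CVE-2017-11882 stack overflow occurs while Eqnedt32.exe processes the font name in an equation. CVE-2018-0802, a high-risk vulnerability reported by Tencent PC Manager, is likewise a stack overflow and also occurs while Eqnedt32.exe processes the font name in an equation.
1) Key data structures
The vulnerability is in Eqnedt32.exe (Equation Editor), the equation editor component of Office. Equation Editor and MathType are both equation editing software developed by Design Science, and both store equation data in MTEF (MathType's Equation Format). The equation data generated by Equation Editor is stored in an OLE object inside the Office document. The object class is Equation.3, and the object data area holds the equation's private data, the OLE Equation Objects. OLE Equation Objects consist of two parts: a 28-byte EQNOLEFILEHDR structure at the head, followed by the MTEF data:
The MTEF data in turn consists of two parts: the MTEF Header, and the MTEF Byte Stream that describes the equation content:
The MTEF Byte Stream consists of a series of records. Each record begins with a tag byte; the low 4 bits of the tag byte give the record type and the high 4 bits give the record attributes.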
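2) Overflow analysis
The stack overflow occurs while a Font Record is parsed from the MTEF Byte Stream. The figure below shows the binary data of the Font Record in the captured sample:
The Font Record structure is as follows:
Comparing against the binary data in the figure above, the tag type is 8, tface is 0x0, style is 0x1, and the rest is the font name.
The vulnerability is in the function sub_421E39, which mainly initializes a LOGFONT structure. The structure is defined as follows:
Here the font name lfFaceName is a character array of length 0x20.
The code of sub_421E39 is as follows:
At the very start of sub_421E39, strcpy is called to copy the font name passed in. As can be seen, there is no length check at all in this step, so if the font name passed in is longer than 0x20, an overflow occurs here.
sub_421E39 is called from sub_421774. This is part of the code of sub_421774:
From this it can be seen that the LOGFONT structure initialized by sub_421E39 is stored on the stack. If a sufficiently long font name is constructed, the strcpy in sub_421E39 overflows and overwrites the return address of sub_421774.
The code also shows that the vulnerable function of CVE-2017-11882 is likewise called from sub_421774.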
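The length check that the strcpy in sub_421E39 lacks, as an added example (not code from the original report and not Microsoft's patch): a Font Record parser that rejects any font name that would not fit the 0x20-byte lfFaceName. The struct, enum and function names are hypothetical; the record layout (tag byte, tface, style, NUL-terminated name) follows the description above, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MTEF_TAG_FONT 8     /* Font Record type, low 4 bits of the tag byte */
#define FACE_NAME_MAX 0x20  /* size of LOGFONT.lfFaceName */

/* Hypothetical names for this example. */
enum font_status { FONT_OK, FONT_NOT_FONT, FONT_TRUNCATED, FONT_NAME_TOO_LONG };

struct font_record {
    uint8_t tface;
    uint8_t style;
    char    name[FACE_NAME_MAX];  /* NUL-terminated when FONT_OK is returned */
};

/* Parse one Font Record whose tag byte is rec[0]; len is the number of
 * bytes left in the MTEF Byte Stream. Nothing is copied until the name is
 * known to end inside the input and to fit the destination buffer. */
enum font_status parse_font_record(const uint8_t *rec, size_t len,
                                   struct font_record *out)
{
    if (len < 1)
        return FONT_TRUNCATED;
    if ((rec[0] & 0x0F) != MTEF_TAG_FONT)   /* high 4 bits are attributes */
        return FONT_NOT_FONT;
    if (len < 3)
        return FONT_TRUNCATED;

    const uint8_t *name = rec + 3;
    const uint8_t *nul = memchr(name, 0, len - 3);
    if (nul == NULL)
        return FONT_TRUNCATED;              /* no terminator inside the stream */

    size_t name_len = (size_t)(nul - name);
    if (name_len >= FACE_NAME_MAX)
        return FONT_NAME_TOO_LONG;          /* an unchecked strcpy overflows here */

    out->tface = rec[1];
    out->style = rec[2];
    memcpy(out->name, name, name_len + 1);  /* copy includes the NUL */
    return FONT_OK;
}

/* Constructed sample: tag 8, tface 0, style 1, name "Arial". */
static const uint8_t SAMPLE_OK[] = { 0x08, 0x00, 0x01, 'A', 'r', 'i', 'a', 'l', 0x00 };

int main(void)
{
    struct font_record f;
    return parse_font_record(SAMPLE_OK, sizeof SAMPLE_OK, &f) == FONT_OK ? 0 : 1;
}
```

A scanner can apply the same FONT_NAME_TOO_LONG condition to Font Records found in an Equation.3 object to flag documents worth a closer look.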
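(2) Exploit analysis
1) Before the vulnerability is triggered
Inspecting the debugger state just before sub_421E39 is called shows that the first argument on the stack is the font name, which is also a carefully constructed piece of shellcode.
2) Triggering the stack overflow
A return address on the stack, 0x1d14e2, can be seen to have been changed to 0x1d0025.
Because the Eqnedt32.exe patched in November has ASLR enabled, the base address at which the module is loaded cannot be known. Relative addresses, however, do not change, so the stack overflow can be used to change the on-stack address 0x1d14e2 into an address at a relative offset of 0x14BD from it, that is, to change the low 16 bits of 0x1d14e2 to 0x0025.
3) Shellcode
The ret jumps to the shellcode:
The shellcode jumps to WinExec to execute the malicious PE:
%tmp%\DAT9689.tmp is a malicious PE executable that was embedded in the document and has already been dropped.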
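2. Analysis of historical payload delivery
The group most often uses spear phishing, attacking with decoy files whose content closely follows trending topics.
The attackers are good at disguise, including document-style icons, reversed characters, double extensions, and vulnerability exploits. The disguise methods break down as follows:
(1) Disguising the file with a document icon and packing it into the same archive as normal documents to trick the user into clicking it
(2) Using a special Unicode character (RTLO) to reverse the file name
(3) Using a double file extension (highly deceptive when extensions are not displayed)
(4) Packaging an exploit into a malicious document file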
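Disguises (2) and (3) can be checked mechanically on attachment or archive member names. This is an added example, not part of the original report; the extension lists and function names are assumptions, names are taken to be UTF-8, and the sample names are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed extension lists for this example; tune them to the environment. */
static const char *const EXEC_EXT[] = { "exe", "scr", "com", "pif", "bat", "cmd" };
static const char *const DOC_EXT[]  = { "doc", "docx", "xls", "xlsx", "ppt", "pdf", "rtf", "txt" };

/* Case-insensitive match of the n-byte extension at ext against a list. */
static bool ext_in(const char *ext, size_t n, const char *const *list, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strlen(list[i]) != n)
            continue;
        size_t j = 0;
        while (j < n && tolower((unsigned char)ext[j]) == list[i][j])
            j++;
        if (j == n)
            return true;
    }
    return false;
}

/* True if the name contains U+202E RIGHT-TO-LEFT OVERRIDE (UTF-8: E2 80 AE). */
bool has_rtlo(const char *name)
{
    return strstr(name, "\xE2\x80\xAE") != NULL;
}

/* True for names such as "report.doc.exe": an executable final extension
 * directly preceded by a document extension. */
bool has_double_extension(const char *name)
{
    const char *last = strrchr(name, '.');
    if (last == NULL || last == name)
        return false;
    if (!ext_in(last + 1, strlen(last + 1), EXEC_EXT, sizeof EXEC_EXT / sizeof *EXEC_EXT))
        return false;
    const char *prev = last;
    while (prev > name && prev[-1] != '.')
        prev--;                              /* start of the inner extension */
    if (prev == name)
        return false;                        /* only one dot in the name */
    return ext_in(prev, (size_t)(last - prev), DOC_EXT, sizeof DOC_EXT / sizeof *DOC_EXT);
}

int main(void)
{
    /* Constructed name: the RTLO makes it display as "invoiceexe.doc". */
    const char *rtlo = "invoice\xE2\x80\xAE" "cod.exe";
    return (has_rtlo(rtlo) && has_double_extension("report.doc.exe")) ? 0 : 1;
}
```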
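III. Payload Analysis
This attack uses a backdoor code-named PLEAD. The core functionality of the trojan exists as shellcode. The outer shell usually allocates a block of memory, decrypts the encrypted shellcode into it, and then jumps directly to that memory block to execute it. To evade security software, the shell code varies endlessly, but so far only three substantially different versions of the core shellcode have been found:
Version  Size  First seen  Characteristics
Version 1  6544  2012  The shellcode injects into IE to run the main functionality
Version 2  5912  2014  Runs the main function directly; the IE injection code was removed
Version 3  3512  2015  Prompt strings and similar information were removed to reduce size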
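Shell behavior analysis:
Creates a mutex to prevent repeated execution. The mutex name is the current time formatted into a string of the following form:
1….%02d%02d%02d_%02d%02d…2,
for example 1….20180109_0945…2
The shellcode is stored in a local array, which makes it extremely hard to detect:
The decryption algorithm is as follows:
Collects the user name, computer name, local IP address and system version, encrypts them and sends them to the C2 over HTTP:
Command dispatch: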
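Command code  Function
C  Get the browser proxy settings and the list of installed software
L  Get the list of local disks and their types
E  Execute a command or file and return the result through a pipe (CMDShell)
P  Re-download a file from a specified URL to a specified location
G  Upload a specified file
D  Delete a specified file
A  Sleep for a specified time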
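IV. Summary
With the arrival of the "Internet Plus" era, governments and enterprises are moving more of their business to the cloud, every industry is building its own big data center, and the value of data is increasingly prominent. Against this trend, monitoring data from the Tencent Yujian Threat Intelligence Center shows that the APT attacks faced by governments and enterprises are becoming more and more frequent and common. Tencent Enterprise Security offers a range of solutions for APT defense; products such as Tencent Yujie and Tencent Yudian can detect and defend against this APT attack.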
Appendix: IOCs
Hash:
C2:
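② How do I bring up the function list in UltraEdit-32 and show it on the left side for easier viewing?
View-->views/lists--->Function list
Your window position must have been hidden. Method 1:
Look around; when the mouse is near the hidden position, the cursor changes to the drag cursor, and you can drag the window back to a normal position.
Method 2: find the configuration file and edit the position coordinates directly.
The configuration file is at c:\windows\UEDIT32.INI
This is the content of my configuration file. Copy it over and recreate the file, and remember to back up your previous file.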
[Settings]
Language File=C:\Program Files\UltraEdit\wordfile.txt
Spell Directory=C:\PROGRA~1\ULTRAE~1\
MousePos=0
Days to expire=-1
WindowPos=2,3,0,0,-1,-1,333,352,1029,779
Status Bar=5
Tool Bar=5
LineNumOff=0
Large Icons=0
Show Codes=0
Minimize on File Close=0
Minimize to SysTray=0
AlwaysOnTop=0
Save Filter=1
Column Marker 1 On=0
Column Marker 2 On=0
Replace All From Top=1
Ruler On=0
Fix Left Pane=0
Vertical Line Numbers=0
Hex Columns=16
MacroWarning=1
UseSpaces1=0
UseSpaces2=0
UseSpaces3=0
UseSpaces4=0
UseSpaces5=0
UseSpaces6=0
UseSpaces7=0
UseSpaces8=0
UseSpaces9=0
UseSpaces10=0
UseSpaces11=0
Force OEM=0
Version=V7.20
NoAutoSaveNewFiles=0
NoAutoSaveFTPFiles=1
NoDragDrop=0
IgnoreFileChange=0
AutoFileChange=0
Backup=0
BackupTime=0
Multiple Instances=0
Auto Indent=1
Last File=C:\WINDOWS\UEDIT32.INI
Auto Detect Unix=1
Auto Convert Unix=1
Default Read Only=0
Save File Format as Input=1
Use Windows Default Dir=0
Filter=1
FindInFiles-Use Windows=1
File Open Uses Active File=1
Save Bookmarks=1
Num Recent Files=4
Custom Colors=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
ShowCmd=3
FileListonFileMenu=0
Trim Spaces on Exit=0
Correct Syntax=1
Syntax Highlighting=1
Wrap Type1=0
Wrap Column1=80
InputConvert1=0
File Extensions1=Default
Auto Complete File1=
Wrap Type2=0
Wrap Column2=80
InputConvert2=0
File Extensions2=
Auto Complete File2=
Wrap Type3=0
Wrap Column3=80
InputConvert3=0
File Extensions3=
Auto Complete File3=
Wrap Type4=0
Wrap Column4=80
InputConvert4=0
File Extensions4=
Auto Complete File4=
Wrap Type5=0
Wrap Column5=80
InputConvert5=0
File Extensions5=
Auto Complete File5=
Wrap Type6=0
Wrap Column6=80
InputConvert6=0
File Extensions6=
Auto Complete File6=
Wrap Type7=0
Wrap Column7=80
InputConvert7=0
File Extensions7=
Auto Complete File7=
Wrap Type8=0
Wrap Column8=80
InputConvert8=0
File Extensions8=
Auto Complete File8=
Wrap Type9=0
Wrap Column9=80
InputConvert9=0
File Extensions9=
Auto Complete File9=
Wrap Type10=0
Wrap Column10=80
InputConvert10=0
File Extensions10=
Auto Complete File10=
Wrap Type11=0
Wrap Column11=80
InputConvert11=0
File Extensions11=
Auto Complete File11=
Macro Directory=
Default Save Directory=
Default Backup Directory=
No Temp=0
SlimDialog=0
Absolute Home=0
TitleNameOnly=0
Left Delims=" ,{}<>"'"
Right Delims=" ,{}<>"'"
[TagList]
TagListFilename=C:\Program Files\UltraEdit\taglist.txt
[Open Files]
Open File0=
Remember Files=0
[File Types]
0=*.*
1=*.TXT
2=*.DOC
3=*.BAT
4=*.INI
5=*.C;*.CPP
6=*.H;*.HPP
7=*.HTML;*.HTM;*.JAVA;*.JAV
8=
9=
[File Desc]
0=All Files, (*.*)
1=Text Files, (*.TXT)
2=Doc Files, (*.DOC)
3=Batch Files, (*.BAT)
4=INI Files, (*.INI)
5='C' Files, (*.C, *.CPP)
6=Header Files, (*.H, *.HPP)
7=HTML/Java Files, (*.HTML, *.JAVA, *.HTM, *.JAV)
8=
9=
[ToolBarState1-v61-Summary]
Bars=13
ScreenCX=1024
ScreenCY=768
[MDI Tabs]
HDocked Size=2163448
VDocked Size=2163195
Float Size=2818877
Dock Horz=1
[Output Window]
HDocked Size=656120
VDocked Size=8389126
Float Size=8389126
Dock Horz=1
[File View]
HDocked Size=43974853
VDocked Size=42795149
Float Size=43974853
Open Files - Names Only=0
Current Select=Open Files\
[Macro List Dock]
HDocked Size=13828251
VDocked Size=13828251
Float Size=13828251
Dock Horz=0
[Tag List Dock]
HDocked Size=13828251
VDocked Size=42795163
Float Size=13828251
Dock Horz=0
[Function List]
HDocked Size=12583055
VDocked Size=42795300
Float Size=12583055
Dock Horz=0
[Find/Replace in Files]
MatchCase=0
MatchWord=0
RegularExpression=0
SearchSubs=1
UseOutputWindow=1
FilesToSearch=0
[PageSetup]
DisableHeaderSeparator=0
DisableFooterSeparator=0
PrintLineNumbers=0
PrintWrap=1
Print2Pages=0
PrintSyntax=0
Header=
Footer=
[Font]
Height=-13
Weight=400
PitchAndFamily=49
FaceName=Courier New
CharSetDef=0
CharSet=0
[Paragraph Formatting]
HangingIndent=0
HangingIndentColumn=4
LeftMargin=4
Right Margin=80
Align=0
MarginType=0
[Project]
LastProject=
[Print Settings]
Orientation=1
Paper=1
[Func List]
Window Pos=0,1,0,0,-1,-1,186,207,668,460
[FixedFont]
Height=-13
Weight=400
PitchAndFamily=49
FaceName=Courier New
CharSetDef=0
CharSet=0
[Language 1 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 2 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 3 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 4 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 5 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 6 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 7 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 8 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 9 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[Language 10 Colors]
Colors=0,8421376,8421376,8421504,255,16711680,255,33023,32768,4210816,16711680,16711680,16711680,
Colors Back=16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,16777215,
Colors Auto Back=1,1,1,1,1,1,1,1,1,1,1,1,1,
Font Style=0,0,0,0,0,0,0,0,0,0,0,0,0,
[FavoriteFiles]
0=D:\work\old_machine\others\record\2006\April\060413\mem.txt
[Find in File History]
0=D:\work\customer\Amoi\CI_Ref_from_Gary\DvB_FTA\DvB_FTA\
FileName_0=*.*
1=D:\work\ref\Reference_Design\SupraTVI78_Ref\middleware\
FileName_1=
2=D:\work\old_machine\July\
FileName_2=
3=C:\work\p4force\Ref\Reference_Design\SupraTV_I68_NewRef\EWOSDSOURCE\
FileName_3=
4=C:\work\p4force\Ref\Tools_Utils\idev_Src_I78\
FileName_4=
5=C:\work\p4force\Ref\Tools_Utils\
FileName_5=
6=E:\SOFT\NEWSOFT\ZA\FG\
FileName_6=
7=
FileName_7=
8=
FileName_8=
9=
FileName_9=
[Tools]
Tool Cmd0=""
Tool Dir0=""
Tool Menu0=""
Capture0=1
Capture Mode0=0
WinProg0=0
SaveAllFiles0=0
Tool Cmd1=""
Tool Dir1=""
Tool Menu1=""
Capture1=1
Capture Mode1=0
WinProg1=0
SaveAllFiles1=0
Tool Cmd2=""
Tool Dir2=""
Tool Menu2=""
Capture2=1
Capture Mode2=0
WinProg2=0
SaveAllFiles2=0
Tool Cmd3=""
Tool Dir3=""
Tool Menu3=""
Capture3=1
Capture Mode3=0
WinProg3=0
SaveAllFiles3=0
Tool Cmd4=""
Tool Dir4=""
Tool Menu4=""
Capture4=1
Capture Mode4=0
WinProg4=0
SaveAllFiles4=0
Tool Cmd5=""
Tool Dir5=""
Tool Menu5=""
Capture5=1
Capture Mode5=0
WinProg5=0
SaveAllFiles5=0
Tool Cmd6=""
Tool Dir6=""
Tool Menu6=""
Capture6=1
Capture Mode6=0
WinProg6=0
SaveAllFiles6=0
Tool Cmd7=""
Tool Dir7=""
Tool Menu7=""
Capture7=1
Capture Mode7=0
WinProg7=0
SaveAllFiles7=0
Tool Cmd8=""
Tool Dir8=""
Tool Menu8=""
Capture8=1
Capture Mode8=0
WinProg8=0
SaveAllFiles8=0
Tool Cmd9=""
Tool Dir9=""
Tool Menu9=""
Capture9=1
Capture Mode9=0
WinProg9=0
SaveAllFiles9=0
[FTP Account -]
Account Address=
User Name=anonymous
User Account=
Save Password=1
Password=33
Initial Dir=
Use Proxy=0
Proxy Server=
Proxy Port=21
Cache Password=0
Path Leading Char=/
Path Separator Char=/
Server Type=0
Transfer Mode=0
Passive Mode=0
Current Dir=
[FTP Account - xoceco]
Account Address=ftp://ftp.xoceco.com.cn/
User Name=
User Account=rdtemp
Save Password=1
Password=0b0b050e0b4f0501
Initial Dir=
Use Proxy=0
Proxy Server=
Proxy Port=21
Cache Password=0
Path Leading Char=/
Path Separator Char=/
Server Type=0
Transfer Mode=1
Passive Mode=0
Current Dir=
[FTP Accounts]
0=xoceco
1=
Last Account=xoceco
Close On Exit=1
Col Width 0=140
Col Width 1=120
Col Width 2=75
[ASCII Table]
Window Pos=0,1,0,0,-1,-1,0,38,437,333
[ToolBarState1-v61-Bar0]
BarID=59392
XPos=-2
YPos=-2
Docking=1
MRUDockID=59419
MRUDockLeftPos=-2
MRUDockTopPos=-2
MRUDockRightPos=807
MRUDockBottomPos=29
MRUFloatStyle=8192
MRUFloatXPos=67
MRUFloatYPos=63
[ToolBarState1-v61-Bar1]
BarID=59393
[ToolBarState1-v61-Bar2]
BarID=59419
Bars=5
Bar#0=0
Bar#1=65679
Bar#2=0
Bar#3=59392
Bar#4=0
[ToolBarState1-v61-Bar3]
BarID=59422
Bars=3
Bar#0=0
Bar#1=152
Bar#2=0
[ToolBarState1-v61-Bar4]
BarID=59420
Bars=3
Bar#0=0
Bar#1=205
Bar#2=0
[ToolBarState1-v61-Bar5]
BarID=59421
Bars=7
Bar#0=0
Bar#1=427
Bar#2=0
Bar#3=32973
Bar#4=0
Bar#5=32975
Bar#6=0
[ToolBarState1-v61-Bar6]
BarID=143
Visible=0
XPos=-2
YPos=-2
Docking=1
MRUDockID=59419
MRUDockLeftPos=-2
MRUDockTopPos=27
MRUDockRightPos=1022
MRUDockBottomPos=60
MRUFloatStyle=8196
MRUFloatXPos=-416
MRUFloatYPos=193
[ToolBarState1-v61-Bar7]
BarID=152
Visible=0
XPos=-2
YPos=6
Docking=1
MRUDockID=59422
MRUDockLeftPos=-2
MRUDockTopPos=6
MRUDockRightPos=1022
MRUDockBottomPos=16
MRUFloatStyle=4
MRUFloatXPos=-2147483648
MRUFloatYPos=0
[ToolBarState1-v61-Bar8]
BarID=205
XPos=-2
YPos=-2
Docking=1
MRUDockID=59420
MRUDockLeftPos=-2
MRUDockTopPos=-2
MRUDockRightPos=139
MRUDockBottomPos=651
MRUFloatStyle=4
MRUFloatXPos=-2147483648
MRUFloatYPos=0
[ToolBarState1-v61-Bar9]
BarID=427
Visible=0
XPos=6
YPos=-2
Docking=1
MRUDockID=59421
MRUDockLeftPos=6
MRUDockTopPos=-2
MRUDockRightPos=298
MRUDockBottomPos=651
MRUFloatStyle=4
MRUFloatXPos=-2147483648
MRUFloatYPos=0
[ToolBarState1-v61-Bar10]
BarID=32973
Visible=0
XPos=266
YPos=-2
Docking=1
MRUDockID=59421
MRUDockLeftPos=266
MRUDockTopPos=-2
MRUDockRightPos=421
MRUDockBottomPos=651
MRUFloatStyle=4
MRUFloatXPos=-2147483648
MRUFloatYPos=150
[ToolBarState1-v61-Bar11]
BarID=32975
Visible=0
XPos=-2
YPos=-2
Docking=1
MRUDockID=0
MRUDockLeftPos=0
MRUDockTopPos=0
MRUDockRightPos=20
MRUDockBottomPos=57650
MRUFloatStyle=4
MRUFloatXPos=-2147483648
MRUFloatYPos=-1
[ToolBarState1-v61-Bar12]
BarID=59423
Horz=1
Floating=1
XPos=-412
YPos=213
Bars=3
Bar#0=0
Bar#1=143
Bar#2=0
[Find/Replace]
FindString="views"
ReplaceString="Idev_avix"
MatchCase=0
Direction=1
RegularExpression=0
MatchWord=0
ReplaceMode=0
ListLines=1
SearchSubDir=1
AllowRewind=1
UnixRE=0
Select Word=1
Find Selected=1
Close After Replace=0
SearchHexAscii=0
[Find History]
0="views"
1="0"
2="DRV_WRITEIO"
3="CI_DATA_REG"
4="DRV_Ioctl"
5="DRV_Ioctl"
6="CI_SIZE_MS_REG"
7="DRV_TSIGNAL"
8="CI_COM_STAT_REG"
9="CI_SIZE_LS_REG"
[Replace History]
0="Idev_avix"
1=" "
2="."
[Recent File List]
File1=C:\WINDOWS\UEDIT32.INI
File2=C:\Program Files\UltraEdit\SSCE4332.DLL
File3=C:\Program Files\UltraEdit\ue32ctmn.dll
File4=C:\Program Files\UltraEdit\uedit32.REG