Sunday, June 10, 2012

Malware Analysis Tutorial 29: Stealthy Library Loading II (Using Self-Modifying APC)



Learning Goals:
  1. Practice WinDbg for Intercepting Driver Loading
  2. Trace and Modify Control Flow Using IMM
  3. Understand the techniques employed at Max++ for hiding library loading
  4. Understand image loading notifier, asynchronous procedure call, kernel and normal routines.
Applicable to:
  1. Operating Systems
  2. Assembly Language
  3. Operating System Security
1. Introduction

This tutorial analyzes the malicious driver B48DADF8.sys. We assume that you have retrieved the driver from the hidden drive, following the instructions of Tutorial 28.

2. Lab Configuration

We need two windows images: one for taking notes and one for actually running the malware. Also a kernel mode WinDbg instance is needed on the host.

To set up the Notes images, you can follow the instructions of Tutorial 20. The basic idea is to start two instances of IMM, using one to debug the other. Then at 0x004E6095 to set a breakpoint and skip the instruction when there will be an illegal memory write. Once B48DADF8.sys is loaded, in the second IMM (as shown in Figure 1), if we check the executable modules (View -> Executable Modules), we can find out the entry of the driver is +1259. Jumping to that address, we can see the driver entry (which makes a bunch of calls on hooking image loading and creation of driver device).

Figure 1. Identify B48DADF8.sys Entry

The set up of the windows image for debugging and WinDbg should follow the instructions of Tutorial 28. We need to stop at the entry of the driver. This could be achieved by first finding out the starting address of the module in WinDbg, and then plus offset 1259.

kd> g
nt!DebugService2+0x10:
80506d3e cc              int     3
kd> g
nt!DebugService2+0x10:
80506d3e cc              int     3
kd> lm
start    end        module name
804d7000 806ed680   nt         (pdb symbols)          c:\windows\symbols\ntoskrnl.pdb\47A5AC97343A4A7ABF14EFD9E99337722\ntoskrnl.pdb
faf0c000 faf11000   B48DADF8   (deferred)            
faf54000 faf5c000   _          (deferred)          

First, we learned that the B48DADF8 module starts at faf0c000. Given that the offset of the entry is 1259, we can set a breakpoint at faf0d259, as shown below.  


kd> bp faf0d259
*** ERROR: Module load completed but symbols could not be loaded for B48DADF8.sys
kd> g
Wed May 30 09:55:24.281 2012 (UTC - 4:00): Breakpoint 0 hit
B48DADF8+0x1259:
faf0d259 55              push    ebp
kd> u
B48DADF8+0x1259:
faf0d259 55              push    ebp
faf0d25a 8bec            mov     ebp,esp
faf0d25c 56              push    esi
faf0d25d 8b7508          mov     esi,dword ptr [ebp+8]
faf0d260 893518f0f0fa    mov     dword ptr [B48DADF8+0x3018 (faf0f018)],esi
faf0d266 33c0            xor     eax,eax
faf0d268 6882d0f0fa      push    offset B48DADF8+0x1082 (faf0d082)
faf0d26d c746384cd1f0fa  mov     dword ptr [esi+38h],offset B48DADF8+0x114c (faf0d14c)

You can verify that the code starts at faf0d259 (shown in the WinDbg dump above) matches the instructions in the IMM window in Figure 1. From now on, we can start the analysis. The basic approach is to execute the driver in the WinDbg instance and annotate the code in the WinNotes image.



3.Hook Up Driver with New Device and Set Image Load Notifier

We now observe the first section of the code at the beginning of the driver loading. Figure 3 shows the annotated code.

Figure 3. First Part of B48DADF8.sys


The first interesting part is that the driver takes itself (DRIVER_OBJECT) and saves to a global variable. It first reads from EBP+8, i.e., the first parameter to a driver (PDRIVER_OBJECT), as shown in the first highlighted part. We will see that the malware later will need this value.

We can verify that the value ffb81268 is really a driver object as shown below. It is clear that the driver object is not fully set up yet, e.g., the DeviceObject is null.

kd> dd esp
f7c88920  faf4d121 ffb81268 00000000 02002000
...
kd> dd _DRIVER_OBJECT ffb81268
Couldn't resolve error at '_DRIVER_OBJECT ffb81268'
kd> dt _DRIVER_OBJECT ffb81268
nt!_DRIVER_OBJECT
   +0x000 Type             : 0n4
   +0x002 Size             : 0n168
   +0x004 DeviceObject     : (null)
   +0x008 Flags            : 4
   +0x00c DriverStart      : (null)
   +0x010 DriverSize       : 0
   +0x014 DriverSection    : 0xffb8c8f0 Void
   +0x018 DriverExtension  : 0xffb81310 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\driver\4157114776"
   ...

Next B48DADF8.sys tries to call function psSetLoadImageNotifyRoutine at to +1082. This is clearly an operation that tries to hide the loading of modules.  We are not getting into the details yet, but we can set a breakpoint on it. We can see that the breakpoint will be hit multiple times and DebugService + 2bde is not hit any more.

Then, B48DADF8.sys tries to create an IO device and hooks itself up as the driver for that device. According to MSDN,  IoCreateDevice() has 6 parameters: PDRIVER_OBJECT, DriverExtension, DeviceName, DeviceType, DeviceCharacteristics, Exclusive, PDEVICE_OBJECT.

From the WinDbg dump below, we can soon infer that the name of the new device is \??\EBB02C33..\#...0CFE and the device type is FILE_DEVICE_UNKNOWN. This is confirmed by the following WinDbg dump:


kd> dd esp
f7c888fc  ffb81268 00000000 faed6114 00000022
...
kd> dt _UNICODE_STRING faed6114
nt!_UNICODE_STRING
 "\??\EBB02C33#910D#415d#BB61#FBD3CC1D0CFE"
   +0x000 Length           : 0x50
   +0x002 MaximumLength    : 0x52
   +0x004 Buffer           : 0xfaed60c0  "\??\EBB02C33#910D#415d#BB61#FBD3CC1D0CFE"

4.Hide Driver Module
We now discuss the efforts of B48DADF8.sys to hide itself. This part contains no more than 20 instructions, as shown in Figure 4.
Figure 4. Hide Driver Module B48DADF8.sys

At the beginning of the code, ESI points to the _DRIVER_OBJECT of B48DADF8, and then the code retrieves the word at offset 0x14 of the _DRIVER_OBJECT, and now EDX points to DriverSection (whose data type is _LDR_DATA_TABLE_ENTRY). Using WinDbg, we can easily verify its contents as below. You can see that it's full DLL name is "\??\... C2CAD...B48DADF8.sys".

kd> dt _LDR_DATA_TABLE_ENTRY ffbd61b0 -r1
nt!_LDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x8055b1c0 - 0xffbacea8 ]
      +0x000 Flink            : 0x8055b1c0 _LIST_ENTRY [ 0x8131db20 - 0xffbd61b0 ]
      +0x004 Blink            : 0xffbacea8 _LIST_ENTRY [ 0xffbd61b0 - 0x811974c8 ]
   +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
      +0x000 Flink            : (null)
      +0x004 Blink            : (null)
   +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x630069 - 0x0 ]
      +0x000 Flink            : 0x00630069 _LIST_ENTRY
      +0x004 Blink            : (null)
   +0x018 DllBase          : 0xfaedc000 Void
   +0x01c EntryPoint       : 0xfaedd259 Void
   +0x020 SizeOfImage      : 0x5000
   +0x024 FullDllName      : _UNICODE_STRING "\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\B48DADF8.sys"
      +0x000 Length           : 0x6a
      +0x002 MaximumLength    : 0x6a
      +0x004 Buffer           : 0xe1a678c8  "\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\B48DADF8.sys"
   +0x02c BaseDllName      : _UNICODE_STRING "B48DADF8.sys"
      +0x000 Length           : 0x18
      +0x002 MaximumLength    : 0x18
      +0x004 Buffer           : 0xffbd61fc  "B48DADF8.sys"
   +0x034 Flags            : 0x1104000
   +0x038 LoadCount        : 1
   +0x03a TlsIndex         : 0x49
   +0x03c HashLinks        : _LIST_ENTRY [ 0xffffffff - 0x4f51 ]
      +0x000 Flink            : 0xffffffff _LIST_ENTRY
      +0x004 Blink            : 0x00004f51 _LIST_ENTRY
   +0x03c SectionPointer   : 0xffffffff Void
   +0x040 CheckSum         : 0x4f51
   +0x044 TimeDateStamp    : 0xfffffffe
   +0x044 LoadedImports    : 0xfffffffe Void
   +0x048 EntryPointActivationContext : (null)
   +0x04c PatchInformation : 0x00340042 Void


The next couple of instructions (from 0x100012CE to 0x100012D2 in figure 4) clears the FullDLLName. After 0x100012D2, if you display the same DriverSection again, you would notice that the FullDllName is gone, as shown below. However, the BaseDllName is still there, I guess the malware author forgot to clear it as well.

kd> dt _LDR_DATA_TABLE_ENTRY ffbd61b0
nt!_LDR_DATA_TABLE_ENTRY
   ...
   +0x024 FullDllName      : _UNICODE_STRING ""
   +0x02c BaseDllName      : _UNICODE_STRING "B48DADF8.sys"
   ...

Next, B48DADF8.sys tries to remove itself from the module list. As shown in Figure 4, at 100012D6, EAX and ECX now have the FLINK and BLINK of the first module of the InLoadOrderModule list. The next four instructions constitute a typical REMOVE_NODE operation on a doubly linked list, which removes B48DADF8 module from the list.

Challenge 2. Explain the logic of code from 100012D6 to 100012E3 in Figure 4.

4.Hook Up on PCI Device
The next step (function 0x100011D0) is to hook up on the PCI Device by copying from the original PCI driver. This is shown in Figure 5.
Figure 5. Copy from PCI Driver
As shown in Figure 5, the first step of function 0x100011D0 is to retrieve the PCI Driver object by name "driver\PCI". Then it copies several attributes of the PCI driver to the current driver, such as driver_start, driver_init, driver size, and driver name. However, the driver major functions 0xfaed514c (an array that contains the IRP handler entry addresses) is not changed. Here all entries are redirected to 0xfaed514, as shown below (which dumps the contents of the B4DADF8.sys driver object, before and after the call of 0x100011D0.

kd> dt _DRIVER_OBJECT ffb80b90
nt!_DRIVER_OBJECT
   +0x000 Type             : 0n0
   +0x002 Size             : 0n168
   +0x004 DeviceObject     : 0xffbb4af8 _DEVICE_OBJECT
   +0x008 Flags            : 4
   +0x00c DriverStart      : (null)
   +0x010 DriverSize       : 0
   +0x014 DriverSection    : 0xffb8c8f0 Void
   +0x018 DriverExtension  : 0xffb80c38 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\driver\4157114776"
   +0x024 HardwareDatabase : (null)
   +0x028 FastIoDispatch   : (null)
   +0x02c DriverInit       : 0xfaf572c5     long  +0
   +0x030 DriverStartIo    : (null)
   +0x034 DriverUnload     : (null)
   +0x038 MajorFunction    : [28] 0xfaed514c     long  +0
kd> p
...
kd> dt _DRIVER_OBJECT ffb80b90
nt!_DRIVER_OBJECT
   +0x000 Type             : 0n0
   +0x002 Size             : 0n168
   +0x004 DeviceObject     : 0xffbb4af8 _DEVICE_OBJECT
   +0x008 Flags            : 4
   +0x00c DriverStart      : 0xfaafc000 Void
   +0x010 DriverSize       : 0x10a80
   +0x014 DriverSection    : 0x8131d8a0 Void
   +0x018 DriverExtension  : 0xffb80c38 _DRIVER_EXTENSION
   +0x01c DriverName       : _UNICODE_STRING "\Driver\PCI"
   +0x024 HardwareDatabase : (null)
   +0x028 FastIoDispatch   : (null)
   +0x02c DriverInit       : 0xfab0a004     long  +fffffffffab0a004
   +0x030 DriverStartIo    : (null)
   +0x034 DriverUnload     : (null)
   +0x038 MajorFunction    : [28] 0xfaed514c     long  +0

Challenge 3. Note that at this moment, the PCI device has not been completely hooked up to the new driver. Find a way to find out where the new driver is eventually set as the handling driver for the PCI device.

5.Image Loading
We now go back to study the image loading call at +1082, which is discussed earlier in section 3. Max++ sets +1082 as the call back function whenever NtImageLoad is called. This first, of course, disrupts WinDbg in monitoring image loading. But the code itself is doing a lot of malicious stuff. Let's set a breakpoint at +1082 and watch its behavior. The set up is shown as below:

kd> lm
start    end        module name
804d7000 806ed680   nt         (pdb symbols)          c:\windows\symbols\ntoskrnl.pdb\47A5AC97343A4A7ABF14EFD9E99337722\ntoskrnl.pdb
faee4000 faee9000   B48DADF8   (deferred)            
faf64000 faf6c000   _          (deferred)            

Unloaded modules:
...
kd> bp faee4000 + 1082
*** ERROR: Module load completed but symbols could not be loaded for B48DADF8.sys
kd> g
Mon Jun  4 08:34:46.187 2012 (UTC - 4:00): Breakpoint 0 hit
B48DADF8+0x1082:
faee5082 55              push    ebp

Figure 6 displays the major function of +1082 (also written as 0x10001082).
Figure 6. Function Body of 0x10001082

As shown in Figure 6, the majority part of +1082 is to set up and queue an APC object (Asynchronous Procedure Call). APC is frequently used in I/O operation, it stands for an object that will be executed a while later.

See the highlighted parts in Figure 6, the control flow is very clear: Max++ first tries to call ExAllocatePool to reserve 30 bytes of kernel memory for the APC object, then it calls KeInitializeAPC and KeInsertQueue to queue the APC call. We need to look at the details of KeInitializeAPC. According to ReactOS documentation, the prototype of KeInitializeAPC is shown below:

VOID NAPI KeInitializeAPC(
        IN PKAPC pApc,
        IN PKTHREAD thread, 
        IN KAPC_ENVIRONMENT env,
        IN PKKERNEL_ROUTINE kernelRoutine,
        IN PKROUNDOWN_ROUTINE rundownRoutine,
        IN PKNORMAL_ROUTINE normalRoutine,
        IN KPROCESSOR_MODE mode,
        IN VOID context
)




The dump from WinDbg can be found in the following:
kd> dd esp
f7c88bb4  ffbb2e48 81176320 00000000 faee530c
f7c88bc4  faee52f0 71a50000 00000001 00000000

Here, the kernelRoutine is faee530c (+130c), rundownRoutine is faee52f0 (+12f0), and normalRoutine is 71a50000 (your job: find out which module does it belong to), mode is 1. By MSDN documentation, if mode is 1 and normalRoutine is not 0, this is a user mode APC, which will call the normalRoutine later. However, to be safe, we want to set up breakpoints on all of the routines +130c, +12f0, 71a50000.
Pay special attention, at this moment, the normal routine is 71a50000!

Interestingly, it's the kernel routine 130c which is hit first. The following is the call stack:
kd> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
f7c88d4c 804de855 00000001 00000000 f7c88d64 B48DADF8+0x130c
f7c88d4c 7c90e4f4 00000001 00000000 f7c88d64 nt!KiServiceExit+0x58 (FPO: [0,0] TrapFrame @ f7c88d64)
0012c8f8 7c91624a 0017c0e0 0012c984 0012ceac 0x7c90e4f4
0012cbb8 7c9164b3 00000000 0017c0e0 0012ceac 0x7c91624a
0012ce60 7c801bbd 0017c0e0 0012ceac 0012ce8c 0x7c9164b3
0012cec8 7c801d72 7ffdfc00 00000000 00000000 0x7c801bbd
0012cedc 7c801da8 0012d15c 00000000 00000000 0x7c801d72
0012cef8 71ab78f1 0012d15c 00155218 0017f410 0x7c801da8
0012d27c 71ab496d 0017f694 0017f420 00000000 0x71ab78f1
0012d29c 71ab49cc 0017f410 c000010e 00000000 0x71ab496d
0012d2b8 71ab40a3 00000002 00000001 00000006 0x71ab49cc
0012d310 003c2315 00000002 00000001 00000006 0x71ab40a3
0012d604 003c24ef 0012d634 7c906786 7c903400 0x3c2315
0012d648 003c2507 00401166 003c0000 fffffffe 0x3c24ef
0012ffd0 8054b6b8 0012ffc8 81176320 ffffffff 0x3c2507
00413a40 ec81ec8b 0000030c d98b5653 f4b58d57 nt!ExFreePoolWithTag+0x676 (FPO: [Non-Fpo])
00413a4c f4b58d57 8bfffffd f45589c3 0000c0e8 0xec81ec8b
00413a50 8bfffffd f45589c3 0000c0e8 10c38300 0xf4b58d57
00413a54 f45589c3 0000c0e8 10c38300 0cf85d89 0x8bfffffd
00413a58 00000000 10c38300 0cf85d89 f3b58dff 0xf45589c3

Challenge 4. Analyze who triggers +130c. (hint: 0x71 range is the mwsock.dll, 0x7c range is ntdll.dll).

Now let's study what the function +130c (0x1000130c in IMM) is doing. Figure 7 shows its function body.

Figure 7. Function Body of +1307
The first part of +130c is pretty interesting. It's a collection of exchange functions, which essentially rotates 6 words on top of the stack. In the following, we show you the contents of the stack before the rotation.

kd> dd esp
f7c88d00  804e60f1 ffb9b638 f7c88d48 f7c88d3c
f7c88d10  f7c88d40 f7c88d44 f7c88d64 0012c834
...

The stack contents after the rotation is shown below. You can find that 0x804e60f1 is shifted to the right (now the 6'th word in the stack).
kd> dd esp
f7c88d00  ffb9b638 f7c88d48 f7c88d3c f7c88d40
f7c88d10  f7c88d44 804e60f1 f7c88d64 0012c834





Why does Max++ have to do this? The reason is that the function copyMaliciousCodeToNewVM (the call located at 10001327 in Figure 7) actually consumes 5 additional words in stack. In the following, we display the stack contents after the call of copyMaliciousCodeToNewVM is completed.
kd> dd esp
f7c88d14  804e60f1 f7c88d64 0012c834 f7c88d64
f7c88d24  ffffffff 804e2490 804f2001 7c90e4f4

 You can notice that 804e60f1 is now at the top of the stack. At this moment, the control flow (at 0x10001332) is going to jump to ntoskrnl.ObfDereferenceObject, which when finishes, will jump to 0x804e60f1 (which is originally the return address of +130c). By manipulating the stack this way, Max++ can successfully confuse the control flow analysis performed by static analysis tools.

Now let's observe the logic of copyMaliciousCodeToNewVM , which is located at +100f. Figure 8 shows its function body

Figure 8. Function Body of +100f

The logic of copyMalicoiusCodeToNewVM (+100f) is very simple, it first lowers the IRQ level and then it allocates a small piece from the memory and copies the contents of +1338 to the target address (0x00380000).Recall the "Stealthy 0x00380000 memory segment" in Tutorial 27,it's now your job to figure out what is copied into the region 0x00380000.

Challenge 5. Figure out what is copied by the copyMaliciousCodeToNewVM.

Then the JMP ntoskrnl.obfDerefrenceObject de-references the new driver object and returns to the system call that triggers the kernel function +130c.

Figure 9 shows the contents of the copyMalicoiusCodeToNewVM (+100f). If you look it its logic, it basically matches the description above. However, there is one thing we'd like you to pay special attention:

Challenge 6. See figure 9, where is the new VM address (allocated by ZwAllocatevirtualMemory, i.e., 0x00380000) stored at?
Figure 9. Function Body of copyMalicousCodeToNewVM (0x1000100f)


If you look at the two highlighed instructions in Figure 9, you might notice that the 3rd parameter of 0x1000100F (copyMaliciousCodeToNewVM) is used to store 0x00380000. But why?

Challenge 7. Figure out what is the motivation for storing 0x00380000 in the 3rd parameter of 0x1000100F.

To solve the above challenge, we need to go back to Figure 8, and we notice that it's f7c88d3cwhich is passed to the call of 0x1000100F (copyMaliciousCodeToNewVM).
Looking at the ReactOS information about kernel routine (search for PKKERNEL_ROUTINE on ReactOS), you will find that kernel routine (130c) accepts 5 parameters: APC, pNormal_Routine, Normal_Context, System_Arg, System_Arg2). So the f7c88d3c is actually the NORMAL_CONTEXT parameter of the KERNEL_ROUTINE.! Similarly, you would find that f7c88d48 (the second parameter) is the NORMAL_ROUTINE.

Now, look the highlighted part in Figure 9 (two yellow underlines and three thicker ones), you will find that copyMalicoiusCodeToNewVM writes value 0x00380000 into both the place holders for NORMAL_CONTEXT and NORMAL_ROUTINE!

Lab Configuration for Analyzing  Code 0x00380000: 
Clearly, the next step we would like to pursue is to debug the code located at 0x00380000 (originally copied from 0x10001338). Interestingly, if you set a hardware BP in WinDbg, the debugger never stops on 0x00380000. We suspect that somehow hardware BP is cleared at some point. Only the software BP works in this scenario ("bp 0x00380000"), and in some scenarios you might find that your IMM actually gets the INT3 (software BP) interrupt and you have to now debug it in IMM. Figure 10 shows you the screen of IMM when the software BP is intercepted. You can see that the "instruction" at 0x00380000 is "INT3".

Figure 10. Interesting Debugging Behavior of WinDbg/IMM
Open Challenge: Figure out why the software BP set by WinDbg is intercepted by Immunity Debugger. (conjecture: the debug port of the operating system is reset by Max++).

Figure 11. Code at 0x00380000

Figure 11 displays the logic of code at 0x00380000 (originally copied from 0x10001338). It mainly consists of three steps: (1) it searches for module "kernel32.dll", (2) it searches for funciton LoadLibraryW in the PE header, (3) it invokes function +1404 (we named it LoadMax++00x86).

The main part of function LoadMax++00x86 (located at +1404) is shown in Figure 12.

Figure 12. Load Max++.00.x86

The major bulk of the funciton + 1404 is the call of LoadLibraryW("\.\C2CAD...max++.00.x86").

Challenge 8. Prove the above statement is true (especially, why is its parameter "\.\C2CAD...max++.00.x86"?).

Summary:
Up to now, combined with Tutorial 27, we have shown you the complete picture of the stealthy remote DLL loading technique. Max++ loads max++.x86.dll via three steps: (1) load B48DADF8.sys; (2) load max++.00.x86; and (3) load max++.x86.dll. During each step, a variety of techniques are employed to hide the trace, e.g., by modifying the kernel data structures of libraries. There are also techniques that we have not completely understand, see the open challenge in this tutorial.

100 comments:

  1. If you need your ex-girlfriend or ex-boyfriend to come crawling back to you on their knees (even if they're dating somebody else now) you have to watch this video
    right away...

    (VIDEO) Text Your Ex Back?

    ReplyDelete
    Replies
    1. Dr. Fu'S Security Blog: Malware Analysis Tutorial 29: Stealthy Library Loading Ii (Using Self-Modifying Apc) >>>>> Download Now

      >>>>> Download Full

      Dr. Fu'S Security Blog: Malware Analysis Tutorial 29: Stealthy Library Loading Ii (Using Self-Modifying Apc) >>>>> Download LINK

      >>>>> Download Now

      Dr. Fu'S Security Blog: Malware Analysis Tutorial 29: Stealthy Library Loading Ii (Using Self-Modifying Apc) >>>>> Download Full

      >>>>> Download LINK mN

      Delete
  2. FIND OUT How You WILL Master Your Habits And Reprogram Your Subconscious Brain To Get Any Result You Want In Your Personal Development and Fulfillment!

    Introducing... Procrastinating Your Procrastination!

    ReplyDelete
  3. It is very interesting topics and also content. Because first time we will post one education related post.it is exiting movement.so too many people’s had feeler this.

    Shop Drawings Preparation
    Shop Drawings Preparation in USA

    ReplyDelete
  4. Thanks for sharing, very informative blog.
    ReverseEngineering

    ReplyDelete
  5. Our research papers for sale online is reputable and known for offering high quality papers. We normally offer top paper writing services services in all disciplines of study.

    ReplyDelete
  6. Nice Post. To get study abroad in any course. For students who is looking for study medicine in abroad, we will help with end to end services with zero cost.
    Skolarrssolutions
    Mbbs in Russia
    Mbbs in UK
    Mbbs in Malaysia

    ReplyDelete
  7. Completing quality Already Written Essays can be an uphill task, in a time when instructors give a range of assignments. Anyone seeking Nursing Papers for Sale will want to hire a qualified writer to handle their Non Plagiarized Essays.

    ReplyDelete
  8. This comment has been removed by the author.

    ReplyDelete
  9. Congratulation to you. I am happy after reading your post that you have posted in this blog. Thanks for this wonderful post and hoping to post more of this.
    Army Men Toy Strike War For PC

    ReplyDelete
  10. Here, I have the chance to investigate my insight as far as doing numerous specialized functions as much as an I can. I am fundamentally utilized in HP printer division where I am offering loads of administrations, for example, 123.hp.com/setup ready for uncovering numerous outcomes. We are helping you in the event that you have the zero plan to get recuperate of spring up message in this administration area. Interface us by means of dialing toll free number. We are exceptionally on edge going to determine specialized issue.

    ReplyDelete
  11. (except that I got some error logs on memcache). best pressure cooker

    ReplyDelete
  12. And He Sent Me This. I Don’t Think He’s Taking sad shayari

    ReplyDelete
  13. This is a powerful application designed as an entertainment program in all entertainment centers. Play, stream, and control multimedia files.
    This is a new milestone in turning your computer into an entertainment center.
    JRiver Media Center lets you manage all your media files, including photos, audio, video, and TV in one smart app.
    In addition to Media Player and Media Manager, you can transfer data from CD / DVD / Blu-ray Disc, copy (rip), media files, manage, burn discs, etc.
    Download This Multimedia crack free From Given below Link:
    https://softserialskey.com/jriver-media-center-crack/

    ReplyDelete
  14. Great Article
    Cyber Security Projects


    Networking Security Projects

    JavaScript Training in Chennai

    JavaScript Training in Chennai

    The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

    ReplyDelete
  15. If you are facing any issues with your smartphones, you can use the flash file to repair different issues. It contains the operating system of your device in its original form and it is unique for every phone. micromax a106 flash file s/w ver v10

    ReplyDelete
  16. This is such a wonderful post. I have learned new things here. your writing style is great. keep up the good work. looking forward to more amazing reads.
    GoAssignmentHelp also has many services like academic writing service case study help, assignments help australia, check my grammar and all other academic writing which is not easily available at one place. We do have discount facilities case study help on the first orders. So, what are you waiting for

    ReplyDelete
  17. I¦ve learn a few excellent stuff here. Certainly worth bookmarking for revisiting. I wonder how so much attempt you place to create this type of fantastic informative web site. 야한동영상

    ReplyDelete
  18. Awesome dispatch! I am indeed getting apt to over this info, is truly neighborly my buddy. Likewise fantastic blog here among many of the costly info you acquire. Reserve up the beneficial process you are doing here. 야동

    ReplyDelete
  19. Intimately, the article is in reality the best on this precious topic. I agree with your conclusions and also can thirstily look forward to your coming updates. 한국야동닷컴

    ReplyDelete
  20. Good web site! I truly love how it is simple on my eyes and the data are well written. I am wondering how I might be notified when a new post has been made. 중국야동넷

    ReplyDelete
  21. This was an incredible post. Really loved studying your site post. Your data was very informative and helpful. I think you’ll proceed posting and updating frequently. Looking forward to your subsequent one. 일본야동닷컴

    ReplyDelete
  22. They can disrobe before you. If you need to recruit them for joy by blending with prominent Call Girls in Chanakyapuri, you can appreciate the night with a solitary call or WhatsApp message. On the off chance that you are frugal yet need to appreciate pleasurable closeness proceed to visit the spot while our agency furnish you with respectable and proficient Call Girls in Chanakyapuri to excite your remain. Our escort agency, Chanakyapuri Call Girls have connections to Call Girls in Chanakyapuri with the most blazing, sizzling and enchanting highlights. At long last, we know about some deceitful demonstrations submitted by most Call Girls in Chanakyapuri. You are really supposed to go for Call Girls in Chanakyapuri if you really want to have the best escort. You will surely be astonished to explore their natural beauty and looks. The Call Girls in Chanakyapuri always thinks of their clients.

    ReplyDelete
  23. We have actual scenarios that cause your purpose to double or treble. An escort maidservant is your partner for every action you want to do with them, similar to the Escorts Service in Chanakyapuri do. For your convenience, Eager for any of this young lady’s room, then you will be meeting with an independent, and clever young Escorts Service in Chanakyapuri committed to suit you an incredible social and suggestive experienceThe availability of Top Escorts Service in Chanakyapuri and other forms of Escorts, such as those associated with VIPs, makes it a popular choice amongst those who cannot afford their companion. Escorts Service in Chanakyapuri For Booking of Escorts Service in Chanakyapuri Delhi. Each and every detail that I have narrated here about my bodily assets is fully authentic and reliable We attempt the best Prostitutes in Chanakyapuri to be capable it give you the best assistance from our Escorts Service in Chanakyapuri. We have each sort of the young lady that can give you harmony and body love when you will invest enough energy with that young lady. But at the end of the day, human behavior is unpredictable and often goes against the tenets of probity and established norms. In this article, we will be delving a bit deep into the world of Escorts Service in Chanakyapuri

    ReplyDelete
  24. Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates 온라인카지노사이트

    ReplyDelete
  25. Great blog here! Additionally your website quite a bit up very fast! What web host are you the use of? Can I am getting your affiliate hyperlink on your host? 온라인카지노사이트

    ReplyDelete
  26. Whoah this weblog is great i like studying your articles. Keep up the good work! You already know, a lot of people are searching around for this information, you could aid them great! 온카지노사이트인포

    ReplyDelete
  27. Hard to ignore such an amazing article like this. You really amazed me with your writing talent. Thank you for sharing again. 토토사이트핫

    ReplyDelete
  28. https://crackknow.com/wondershare-uniconverter-crack-download-2020/
    Wondershare UniConverter Crack is a powerful and easy-to-use video converter with built-in media tools. Wondershare UniConverter can download audio and video files from the Internet and convert them to other formats, using voice to record actions on the screen, save and transfer data. You can download media, AVS Video Converter from Crack to iOS and Android devices.

    ReplyDelete
  29. https://crackpropc.com/easeus-partition-master-crack/
    Easeus Partition Master License Key disk partitioning tool that’s a genuinely recognizable to-do partition of a disc drive. For the reason that the capacity is held by it, let you can alter the storage. Next, for millions of people, it’s satisfying on an everyday basis. It has come to be quite beneficial now. The officials also have left it covers.

    ReplyDelete
  30. https://muzamilpc.com/window-7-crack/
    Window 7 Ultimate 2021 Crack Edition 64 Bit includes every new improvement from Home Premium and Professional, simultaneously with plenty of additions that only resemble in this edition of the OS. The critical difference is how you buy them. Windows 7 Ultimate Crack 64 Bit is possible for anyone to purchase, whereas Windows 7 Program only available for business customers who have signed up to qualifying from the Microsoft licensing scheme.

    ReplyDelete
  31. https://oceancrack.com/stellar-phoenix-windows-data-recovery-key-crack/
    Cracked Here is a useful place where you can easily find Activators, Patch, Full version software Free Download, License key, serial key, keygen, Activation Key and Torrents. Get all of these by easily just on a single click.

    ReplyDelete
  32. I am happy after reading your post that you have posted in this blog. Thanks for this wonderful post and hoping to post more of this.

    Pixologic ZBrush Crack

    ReplyDelete
  33. I read your article very carefully. I think you should also write an article about it ac motor supplier. This will be beneficial for others I guess thank you.

    ReplyDelete
  34. Great post! You provide the lab work related to programing. I like your post. Further, Residential painters in Boise ID present the best quality work.

    ReplyDelete
  35. First time visit on this blog, This is Realy Greatful Article. I Read Whole Content. Know more about check online result of
    Satta King

    ReplyDelete
  36. To begin with, let us take a gander at what the item is. The oil is a compound taken from the Cannabis plant. The oil is produced by extraction at that point weakened utilizing a transporter oil, normally hemp or coconut oil
    일본경마

    magosucowep

    ReplyDelete
  37. Good Web-site, Preserve the great job. thnx. this piece of writing is pleasant and very informative. 토토

    ReplyDelete
  38. Well I truly enjoyed reading it. This subject offered by you is very helpful and accurate.
    카지노사이트

    ReplyDelete
  39. it’s awesome and I found this one informative
    토토

    ReplyDelete
  40. This is the right blog for anyone who wants to find out about this topic. You realize so much its almost hard to argue with you (not that I actually would want…HaHa). You definitely put a new spin on a topic thats been written about for years. Great stuff, just great!

    카지노사이트

    ReplyDelete
  41. I totally agree with how approachable the new online course of this naming brand is. A As new to this, they made the lessons very easy to understand and entertaining
    경마사이트

    magosucowep

    ReplyDelete
  42. "Are you looking for Leolist Kootenays? We have the best alternative of Leolist Kootenays here on https://kootenays.xgirl.ca/
    Visit kootenays.xgirl.ca/ today and find the best results related to Leolist Kootenays."

    ReplyDelete
  43. Such an amazing and helpful post this is. I really really love it. It’s so good and so awesome. I am just amazed. I hope that you continue to do your work like this in the future also. 블랙잭사이트

    ReplyDelete
  44. Easily, the article is actually the best topic on this registry related issue. I fit in with your conclusions and will eagerly look forward to your next updates. 파칭코

    ReplyDelete
  45. Keep up the good work , I read few blog posts on this internet site and I believe that your site is really interesting and contains lots of fantastic info . 메이저사이트

    ReplyDelete
  46. Thanks for sharing this vast knowledge to us in this single article. I really appreciate your work. You are going well. Keep it up and keep sharing.
    온라인경마
    경마사이트

    ReplyDelete
  47. I needed several examples to write an article on this subject, and your article was of great help to me 카지노사이트

    ReplyDelete
  48. Well I definitely liked reading it. This information offered by you is very constructive for proper planning 사설토토

    ReplyDelete
  49. Awesome Details in this Article, Very Useful.
    Know more About of Satta King

    ReplyDelete
  50. It seems like I've never seen an article of a kind like . It literally means the best thorn. It seems to be a fantastic article. It is the best among articles related to 바카라사이트. seems very easy, but it's a difficult kind of article, and it's perfect.

    ReplyDelete
  51. O-group Africa Trading Limited is a subsidiary of the O-group, which operates in Africa and working as gold bar manufacturers,
    diamond jewellery manufacturers and wholesale diamond suppliers.

    ReplyDelete
  52. 먹튀검증업체January 4, 2022 at 11:53 PM

    I like the helpful info you provide in your articles. I’ll bookmark your blog and check again here frequently. I’m quite sure I’ll learn plenty of new stuff right here! Good luck for the next. 먹튀검증업체

    ReplyDelete
  53. I think a lot of articles related to are disappearing someday. That's why it's very hard to find, but I'm very fortunate to read your writing. When you come to my site, I have collected articles related to 크레이지슬롯.

    ReplyDelete

  54. Nice information. I’ve bookmarked your site, and I’m adding your RSS feeds to my Google account to get updates instantly. DiskGenius Professional Serial Key

    ReplyDelete
  55. As I am looking at your writing, 파워볼사이트 I regret being unable to do outdoor activities due to Corona 19, and I miss my old daily life. If you also miss the daily life of those days, would you please visit my site once? My site is a site where I post about photos and daily life when I was free.

    ReplyDelete
  56. That's a really impressive new idea! 안전한놀이터 It touched me a lot. I would love to hear your opinion on my site. Please come to the site I run once and leave a comment. Thank you.

    ReplyDelete
  57. https://gameeffect.xyz Lots of people have adored the overall game of baseball for a long time. There are actually fans around the world, from devoted little-leaguers to die-difficult spectators. This article has ideas to confirm how pleasant baseball really is.

    ReplyDelete
  58. https://gamezoom.xyz Obtaining a workout spouse can considerably boost your muscles-creating final results. Your lover can be quite a valuable source of inspiration for adhering to your training session treatment, and forcing you to definitely optimize your efforts as you workout. Possessing a dependable lover to work through with will also help keep you safe simply because you will use a spotter.

    ReplyDelete
  59. From one day, I noticed that many people post a lot of articles related to 온라인슬롯 . Among them, I think your article is the best among them!!I

    ReplyDelete
  60. Youre so right. Im there with you. Your weblog is definitely worth a read if anyone comes throughout it. Im lucky I did because now Ive received a whole new view of this. 먹튀검증사이트

    ReplyDelete
  61. Excellent read, I just passed this onto a friend who was doing a little research on that. And he actually bought me lunch as I found it for him smile Therefore let me rephrase that: Thank you for lunch. 메이저사이트

    ReplyDelete
  62. This is an excellent post I seen thanks to share it. It is really what I wanted to see hope in future you will continue for sharing such a excellent post 야한동영상

    Please visit once. I leave my blog address below
    야설
    야한동영상

    ReplyDelete
  63. Everyone has something in their mind, so am I. Let’s share out thoughts and hang out sometimes. Reach me at my site. 일본야동

    Please visit once. I leave my blog address below
    한국야동
    일본야동

    ReplyDelete
  64. Beautiful. However those who suffered losses and may not feel quite so charitable are no less deserving of our good wishes at this time 한국야동닷컴

    Please visit once. I leave my blog address below
    국산야동
    한국야동닷컴

    ReplyDelete
  65. Awesome dispatch! I am indeed getting apt to over this info, is truly neighborly my buddy. Likewise fantastic blog here among many of the costly info you acquire. Reserve up the beneficial process you are doing here. 국산야동

    Please visit once. I leave my blog address below
    야설
    국산야동

    ReplyDelete
  66. Nice knowledge gaining article. This post is really the best on this valuable topic. 중국야동넷

    Please visit once. I leave my blog address below
    야설
    중국야동넷

    ReplyDelete
  67. This is the perfect post.메이저토토사이트 It helped me a lot. If you have time, I hope you come to my site and share your opinions. Have a nice day.

    ReplyDelete
  68. What a nice post! I'm so happy to read this. 토토사이트추천 What you wrote was very helpful to me. Thank you. Actually, I run a site similar to you. If you have time, could you visit my site? Please leave your comments after reading what I wrote. If you do so, I will actively reflect your opinion. I think it will be a great help to run my site. Have a good day.

    ReplyDelete
  69. You Can Also Get Cracked Software For Windows & Mac Free Download
    https://tijacrack.com/easeus-partition-master-crack/

    ReplyDelete
  70. It seems like I've never seen an article of a kind like . It literally means the best thorn. It seems to be a fantastic article. It is the best among articles related to 메이저안전놀이터. seems very easy, but it's a difficult kind of article, and it's perfect.

    ReplyDelete
  71. First of all, thank you for letting me see this information. I think this article can give me a lot of inspiration. I would appreciate 바카라사이트 if you could post more good contents in the future.

    ReplyDelete
  72. Your article was very impressive to me. It was unexpected information, here is also interesting information for travel bloggers According to Croatia Airlines ticket cancellation policy you can cancel your travel plans within 24 hours of purchasing and get an entire refund. You can submit cancellation requests through the airline's website, or call our customer care number.

    ReplyDelete
  73. Respectable admin thanks for helping people by your posts as i was searching for these posts from a long time and am a blogger working on my site
    clave avast driver updater

    ReplyDelete
  74. I like your all post. You have done really good work. Thank you for the information you provide, it helped me a lot.I hope to have many more entries or so from you.
    Very interesting blog.
    aspc4u.com
    Windows 7 Ultimate Crack

    ReplyDelete
  75. Hello, I am one of the most impressed people in your article. 토토사이트순위 I'm very curious about how you write such a good article. Are you an expert on this subject? I think so. Thank you again for allowing me to read these posts, and have a nice day today. Thank you.

    ReplyDelete
  76. I've been looking for photos and articles on this topic over the past few days due to a school assignment, 파워볼사이트 and I'm really happy to find a post with the material I was looking for! I bookmark and will come often! Thanks :D

    ReplyDelete
  77. Business Quote is dedicated to helping UK businesses access expertise, decrease their bills, obtain better service, connect with the newest technology, and grow stronger enterprises. The content on this website is geared at businesses in the UK. This website is free to use, but we may get a charge from the supplier or middleman we link you to. business mobile contracts

    ReplyDelete
  78. When I initially commented I clicked the -Notify me when new comments are added- checkbox and now each time a remark is added I get four emails with the identical comment. Is there any approach you can remove me from that service? Thanks! 토토

    ReplyDelete
  79. You have remarked very interesting details ! Also visit my site: 경마사이트

    ReplyDelete
  80. But wanna comment on few general things, The website pattern is perfect, the content material is really fantastic 토토

    ReplyDelete
  81. Dr. Fu'S Security Blog: Malware Analysis Tutorial 29: Stealthy Library Loading Ii (Using Self-Modifying Apc) >>>>> Download Now

    >>>>> Download Full

    Dr. Fu'S Security Blog: Malware Analysis Tutorial 29: Stealthy Library Loading Ii (Using Self-Modifying Apc) >>>>> Download LINK

    >>>>> Download Now

    Dr. Fu'S Security Blog: Malware Analysis Tutorial 29: Stealthy Library Loading Ii (Using Self-Modifying Apc) >>>>> Download Full

    >>>>> Download LINK GI

    ReplyDelete
  82. I was impressed by your writing. Your writing is impressive. I want to write like you.스포츠토토사이트 I hope you can read my post and let me know what to modify. My writing is in I would like you to visit my blog.

    ReplyDelete
  83. I’m very pleased to discover this site. I want to to thank you for ones time for this particularly wonderful read!! I definitely savored every part of it and i also have you saved as a favorite to see new information on your blog. 먹튀사이트

    ReplyDelete

  84. I guess I am the only one who came here to share my very own experience. Guess what!? I am using my laptop for almost thepast 6 years, but I had no idea of solving some basic issues. I do not know how to Download Cracked Pro Softwares But thankfully, I recently visited is a website named Crack Softwares Free Download
    Kite Compositor Crack
    Windows 7 Activator Crack
    Navicat Premium Crack
    OAutoTune Artist Crack
    DriveDx Crack
    <a

    ReplyDelete
  85. Papers get to operate through Bible helpers and also plagiarism checkers to be certain that the author did not find idle at any stage in the process. Language inconsistencies won't be a thing with your newspapers as the specialists of our school paper writing support are passionate about writing and are always excited to strike you with something fresh. By: 안전놀이터


    ReplyDelete