Hi all,
I want to dump a kernel module such as XXXX.sys to a PE file on runtime.
Could you tell me if there is any command in WinDbg or other tool?
Thanks.
Marvin
Breaking the copy protection stuff is a criminal offence in the US (though not so in most other countries).
Beware of this.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
So some other guy’s driver is loaded in memory, which has deleted its file from disk after load. And you want to dump it to a disk file. Why Marvin Why, ( to open it in IDA ?? )
Anyways the file is expanded in memory so it will not be an exact replica of the original PE file.
This sys uses a shell to protect itself. It’s very difficult to analyze it with
IDA or other anti-assemble tools. It will unwrap at run time. This is why I
want to dump it from memory.
Marvin
On Fri, Nov 25, 2011 at 9:07 PM, wrote:
> So some other guy’s driver is loaded in memory, which has deleted its file
> from disk after load. And you want to dump it to a disk file. Why Marvin
> Why, ( to open it in IDA ?? )
>
> Anyways the file is expanded in memory so it will not be exact replica of
> original PE file.
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
If the driver is embedded as a resource, you can use a resource extractor
like VS. If not, have you considered using an undelete utility ?
//Daniel
If you have the main executable, you can try to use DriverMonitor by
EP_XOFF; it automatically catches drivers before they load and saves them to a
different folder.
If you cannot get the dropper binary, you can also use RKUnhooker or Kernel
Detective etc. anti-rootkit tools to dump driver images from memory to
disk.
Emre TINAZTEPE
> Anyways the file is expanded in memory so it will not be exact replica of
> original PE file.
It’s also possible for the image to contain discardable sections, in which
case some portions may not exist in memory after they’ve been executed.
-scott
–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
Hi Emr,
Could you introduce some useful anti-rootkit tools for that?
Marvin
I have sent you the files you need RKUnhooker + Driver Monitor
use /Break
and break on entrypoint of driver and dump using .writemem
if the malware is self modifying or self encrypting or using virtual
machines etc to defend itself
single stepping and dumping at appropriate moment you can get a dump
that is quite readable in ida
Will request initial breakpoint at next boot.
kd> .reboot
Shutdown occurred at (Sun Nov 27 10:12:59.609 2011 (UTC + 5:30))…unloading all symbol tables.
Waiting to reconnect…
Connected to Windows XP 2600 x86 compatible target at (Sun Nov 27 10:13:08.109 2011 (UTC + 5:30)), ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: SRV*F:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows XP Kernel Version 2600 UP Free x86 compatible
Built by: 2600.xpsp.080413-2111
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055b1c0
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* *
* You are seeing this message because you pressed either *
* CTRL+C (if you run kd.exe) or, *
* CTRL+BREAK (if you run WinDBG), *
* on your debugger machine’s keyboard. *
* *
* THIS IS NOT A BUG OR A SYSTEM CRASH *
* *
* If you did not intend to break into the debugger, press the “g” key, then *
* press the “Enter” key now. This message might immediately reappear. If it *
* does, press “g” and “Enter” again. *
* *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
804e3592 cc int 3
kd> kb
ChildEBP RetAddr Args to Child
80550d5c 806b9f57 00000001 805599c0 00000000 nt!RtlpBreakWithStatusInstruction
80550ee8 806af12c 00000000 80087000 8003fc00 nt!ExpInitializeExecutive+0x350
80550f3c 806aedeb 80559c20 805599c0 80551200 nt!KiInitializeKernel+0x35e
00000000 00000000 00000000 00000000 00000000 nt!KiSystemStartup+0x2bf
kd> bp 806a9ef9
kd> ln 806a9ef9
(806a9ccf) nt!IopInitializeBuiltinDriver+0x25d | (806a9f3b) nt!PipAddDevicesToBootDriver
kd> u 806a9ef9 l1
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
kd> g
Breakpoint 0 hit
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
kd> dt nt!_DRIVER_OBJECT poi(esp)
+0x000 Type : 0n4
+0x002 Size : 0n168
+0x004 DeviceObject : (null)
+0x008 Flags : 2
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : (null)
+0x018 DriverExtension : 0x8123fd28 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\FileSystem\RAW"
+0x024 HardwareDatabase : 0x8068fa90 _UNICODE_STRING "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM"
+0x028 FastIoDispatch : (null)
+0x02c DriverInit : 0x806a61f7 long nt!RawInitialize+0
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : (null)
+0x038 MajorFunction : [28] 0x804fa87e long nt!IopInvalidDeviceRequest+0
kd> bp 806a9ef9 "dt nt!_DRIVER_OBJECT -y DriverName.Buffer poi(esp)"
breakpoint 0 redefined
kd> g
+0x01c DriverName : "\Driver\ACPI"
+0x004 Buffer : 0xe13ae898 "\Driver\ACPI"
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
kd>
+0x01c DriverName : "\Driver\ACPI"
+0x004 Buffer : 0xe13ae898 "\Driver\ACPI"
kd>
+0x01c DriverName : "\Driver\ACPI"
+0x004 Buffer : 0xe13ae898 "\Driver\ACPI"
kd> g
+0x01c DriverName : "\Driver\PCI"
+0x004 Buffer : 0xe13f5100 "\Driver\PCI"
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
kd> g
+0x01c DriverName : "\Driver\isapnp"
+0x004 Buffer : 0xe13f5b48 "\Driver\isapnp"
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
kd> g
+0x01c DriverName : "\Driver\IntelIde"
+0x004 Buffer : 0xe13a3120 "\Driver\IntelIde"
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
kd> g
+0x01c DriverName : "\Driver\MountMgr"
+0x004 Buffer : 0xe1402c28 "\Driver\MountMgr"
nt!IopInitializeBuiltinDriver+0x25d:
806a9ef9 ff532c call dword ptr [ebx+2Ch]
somewhere below this you can observe your driver's entrypoint being called
this is for xp you can find similar sequences in all os flavours
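
Added example, not part of any post in this thread: earlier replies point out that the loaded image is expanded in memory and may have lost discardable sections. This Python script converts a memory-layout dump (such as one written with .writemem) back to file layout using the PE section table and reports sections it cannot vouch for. The function names and the sample image are constructed for illustration.

```python
import struct

IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
SECTION_FMT = "<8sIIII12xI"   # name, vsize, vaddr, raw_size, raw_off, flags

def parse_sections(image: bytes):
    """Return (SizeOfHeaders, [(name, vaddr, raw_off, raw_size, flags), ...])."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header at start of dump")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    opt = e_lfanew + 24
    hdr_size = struct.unpack_from("<I", image, opt + 60)[0]   # SizeOfHeaders
    sections = []
    for i in range(nsec):
        name, _vsize, vaddr, raw_size, raw_off, flags = struct.unpack_from(
            SECTION_FMT, image, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, vaddr, raw_off, raw_size, flags))
    return hdr_size, sections

def unmap_image(image: bytes):
    """Rebuild file layout from a memory-layout dump; return (file_bytes, notes)."""
    hdr_size, sections = parse_sections(image)
    out = bytearray(max([hdr_size] + [off + size for _, _, off, size, _ in sections]))
    headers = image[:hdr_size]
    out[:len(headers)] = headers
    notes = []
    for name, vaddr, raw_off, raw_size, flags in sections:
        data = image[vaddr:vaddr + raw_size]       # section as mapped at its RVA
        out[raw_off:raw_off + len(data)] = data    # placed at its file offset
        if flags & IMAGE_SCN_MEM_DISCARDABLE:
            notes.append(f"{name}: discardable, contents may already be freed")
        if len(data) < raw_size:
            notes.append(f"{name}: dump truncated, {raw_size - len(data)} bytes missing")
    return bytes(out), notes

def build_sample_mapped_image():
    """Constructed sample: a tiny PE32 image laid out as it would be in memory."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                           # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 2, 0xE0, 0x0102)   # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                          # PE32 magic
    struct.pack_into("<I", img, 0x98 + 60, 0x400)                     # SizeOfHeaders
    sec = 0x98 + 0xE0
    struct.pack_into(SECTION_FMT, img, sec, b".text", 0x180, 0x1000, 0x200, 0x400, 0x68000020)
    struct.pack_into(SECTION_FMT, img, sec + 40, b"INIT", 0x100, 0x2000, 0x200, 0x600, 0xE2000020)
    img[0x1000:0x1004] = b"\x8b\xff\x55\x8b"     # a few code bytes; INIT left zeroed
    return bytes(img)

if __name__ == "__main__":
    rebuilt, notes = unmap_image(build_sample_mapped_image())
    print(f"rebuilt {len(rebuilt):#x} bytes")
    for line in notes:
        print("note:", line)
```

The rebuilt file still carries whatever the loader and the driver changed in memory (applied relocations, resolved imports, self-modified code), so it is a file-layout view of the running image rather than the original file.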
Cool! This is what I want. Thank you very much!