Loaded C:\WINNT\system32\KERNEL32.dll differs from file image

Posted By: Bryan Murphy  Published in computer forensics, it, security, windows Tags:

4

Feb

I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when using Sysinternals/Microsoft’s listdlls.exe.

*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0×102000  5.02.3790.4062  C:\WINNT\system32\KERNEL32.dll

Now I can think of lots of malicious reasons why this would be.  In fact I recently wrote on one of these reasons.   But I cant think of any legitimate reasons.

I’m not one to jump to conclusions without having evaluated all possibilities but my research is turning up almost nothing.

Can anyone think of a legitimate reason why windows would load kernel32.dll and then something alter it as its going into memory?

Thanks guys.

2 Responsed To This Post
Subsribes to this topic Comment RSS or TrackBack URL
mygif_alt
Mike N. Says, in 2-4-2009 at 21:39:18 from 68.84.191.248    

Perhaps it’s due to a patch that hasn’t been applied by rebooting?

mygif
irq13 Says, in 2-12-2009 at 08:18:35 from 35.8.114.126    

Rebooted after “patch Tuesday” and its still doing it. Hmmm.

Leave A Reply

 Username (*required)

 Email Address (*private)

 Website (*optional)

Inform me when someone post new message here

Please Note: Comments Moderation maybe active so there is no need to resubmit your comment

Categories

Monthly Archives

Feeds

Blogroll

Meta