Loaded C:\WINNT\system32\KERNEL32.dll differs from file image
Posted by Bryan Murphy | Posted in computer forensics, security, Technology, windows | Posted on 04-02-2009
I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when using Sysinternals/Microsoft’s listdlls.exe.
*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp: Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000 0x102000 5.02.3790.4062 C:\WINNT\system32\KERNEL32.dll
Now I can think of lots of malicious reasons why this would be. In fact I recently wrote on one of these reasons. But I can't think of any legitimate reasons.
I’m not one to jump to conclusions without having evaluated all possibilities but my research is turning up almost nothing.
Can anyone think of a legitimate reason why Windows would load kernel32.dll and then something alters it as it's going into memory?
Thanks guys.
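For readers who want to see what the listdlls warning above is actually comparing, here is an added example (not code from the post, and not Sysinternals' own implementation). It assumes, as the one-second difference in the output suggests, that the check is a comparison of the PE header TimeDateStamp of the file on disk against the same field in the image mapped into the process. The script builds two minimal PE images with constructed timestamps, reads the TimeDateStamp back out of each header, and reproduces the warning format when they differ. Image bytes, timestamps and the path are constructed test data, not taken from a real KERNEL32.dll.

```python
import struct
from datetime import datetime, timezone


def build_min_pe(timestamp: int) -> bytes:
    """Construct a minimal PE image: DOS header, PE signature and a COFF file header
    carrying the given TimeDateStamp. Constructed test data only."""
    e_lfanew = 0x40                                   # offset of the "PE\0\0" signature
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew lives at offset 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (values are illustrative)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # TimeDateStamp is the third COFF field: 4 bytes of signature + Machine + NumberOfSections
    return struct.unpack_from("<I", image, e_lfanew + 8)[0]


def fmt(ts: int) -> str:
    """Format like listdlls does, e.g. 'Wed Apr 18 12:25:36 2007' (UTC here; the tool prints local time)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def compare_images(path: str, file_image: bytes, loaded_image: bytes):
    """Compare the on-disk header with the in-memory header; return a listdlls-style
    warning string when they differ, None when they match."""
    file_ts = pe_timestamp(file_image)
    loaded_ts = pe_timestamp(loaded_image)
    if file_ts == loaded_ts:
        return None
    return (
        f"*** Loaded {path} differs from file image:\n"
        f"*** File timestamp: {fmt(file_ts)}\n"
        f"*** Loaded image timestamp: {fmt(loaded_ts)}"
    )


# Constructed sample values mirroring the one-second gap seen in the post.
FILE_TS = int(datetime(2007, 4, 18, 12, 25, 36, tzinfo=timezone.utc).timestamp())
LOADED_TS = FILE_TS + 1
SAMPLE_PATH = r"C:\WINNT\system32\KERNEL32.dll"


def demo():
    """Run the comparison on the constructed images and return the warning (or None)."""
    return compare_images(SAMPLE_PATH, build_min_pe(FILE_TS), build_min_pe(LOADED_TS))


if __name__ == "__main__":
    print(demo())
```

On a live system the two inputs would be the bytes of the file read from disk and the bytes of the module's header read from the process's address space; only the header-parsing and comparison logic is shown here. A mismatch in this field says the mapped header was not produced from the file that is currently on disk, which is why the tool flags it, but it does not by itself say what wrote the in-memory copy.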

Perhaps it’s due to a patch that hasn’t been applied by rebooting?
Posted on: 4/Feb/2009@9:39 pm
Rebooted after “patch Tuesday” and it's still doing it. Hmmm.
Posted on: 12/Feb/2009@8:18 am