Posted by Bryan Murphy | Posted in computer forensics, security, Technology, windows | Posted on 04-02-2009
*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp: Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000 0x102000 5.02.3790.4062 C:\WINNT\system32\KERNEL32.dll
Now I can think of lots of malicious reasons why this would be. In fact, I recently wrote on one of these reasons. But I can't think of any legitimate reasons.
I'm not one to jump to conclusions without having evaluated all possibilities, but my research is turning up almost nothing.
Can anyone think of a legitimate reason why Windows would load kernel32.dll and then something alter it as it's going into memory?
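The "File timestamp" and "Loaded image timestamp" lines in the output above come from the PE header's TimeDateStamp field (in IMAGE_FILE_HEADER, reached through e_lfanew in the DOS header): the debugger reads that field from the on-disk file and from the copy mapped in memory and reports when they disagree. The script below is an added example, not code from the post or from any Microsoft tool. It builds two constructed minimal PE headers (not real kernel32.dll bytes), parses the stamp out of each, and prints a report in the same shape as the debugger's. The epoch value 0x46260E40 is an assumption chosen so that it formats, in UTC, to the file timestamp shown in the post; the debugger itself prints local time, so the real on-disk field value is not known from the page. Only the stamp is compared here; the size and version columns from the last output line are left out.

```python
"""
Added example (not from the original post): parse the PE TimeDateStamp that a
debugger compares between the on-disk file and the loaded image, and flag a
mismatch in the same shape as the "differs from file image" message.

Both 'images' are constructed minimal PE headers, not real kernel32.dll bytes;
only the fields the check needs are populated.
"""
import struct
from datetime import datetime, timezone


def build_pe_header(time_date_stamp: int) -> bytes:
    """Construct a minimal PE prefix: DOS header -> e_lfanew -> 'PE\\0\\0' -> IMAGE_FILE_HEADER."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew lives at offset 0x3C
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 4, time_date_stamp, 0, 0, 0xE0, 0x010E)
    return bytes(dos) + b"PE\0\0" + coff


def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp from a PE image (file bytes or a memory dump)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2)
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 4 + 4)
    return stamp


def fmt(ts: int) -> str:
    """Render an epoch stamp in the debugger's 'Wed Apr 18 12:25:36 2007' style (UTC here)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def compare_images(path: str, file_image: bytes, loaded_image: bytes) -> list[str]:
    """Return report lines when the stamps differ, or an empty list when they match."""
    on_disk, in_memory = pe_timestamp(file_image), pe_timestamp(loaded_image)
    if on_disk == in_memory:
        return []
    return [
        f"*** Loaded {path} differs from file image:",
        f"*** File timestamp: {fmt(on_disk)}",
        f"*** Loaded image timestamp: {fmt(in_memory)}",
    ]


if __name__ == "__main__":
    # Constructed sample reproducing the one-second skew seen in the post.
    # 0x46260E40 is an assumed value (2007-04-18 12:25:36 UTC), not the real field.
    file_bytes = build_pe_header(0x46260E40)
    loaded_bytes = build_pe_header(0x46260E41)
    for line in compare_images(r"C:\WINNT\system32\KERNEL32.dll", file_bytes, loaded_bytes):
        print(line)
```

Run it as-is to see the three-line report; feed `pe_timestamp` the first few hundred bytes of a real module file and of a memory dump of the same module to apply the same check to genuine input.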