downgrade.org » windows forensics dll memory manipution http://downgrade.org The rantings and insight of an ethical hacker, coder and IT samurai. Mon, 05 Sep 2011 20:17:17 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Loaded C:\WINNT\system32\KERNEL32.dll differs from file image http://downgrade.org/2009/02/04/loaded-cwinntsystem32kernel32dll-differs-from-file-image http://downgrade.org/2009/02/04/loaded-cwinntsystem32kernel32dll-differs-from-file-image#comments Wed, 04 Feb 2009 18:24:27 +0000 Bryan Murphy http://downgrade.org/?p=346 I have recently been updating my Windows Forensics First Responder script and have noticed a number of servers reporting the following when using Sysinternals/Microsoft’s listdlls.exe.

*** Loaded C:\WINNT\system32\KERNEL32.dll differs from file image:
*** File timestamp:         Wed Apr 18 12:25:36 2007
*** Loaded image timestamp: Wed Apr 18 12:25:37 2007
*** 0x77e40000  0×102000  5.02.3790.4062  C:\WINNT\system32\KERNEL32.dll

Now I can think of lots of malicious reasons why this would be.  In fact I recently wrote on one of these reasons.   But I cant think of any legitimate reasons.

I’m not one to jump to conclusions without having evaluated all possibilities but my research is turning up almost nothing.

Can anyone think of a legitimate reason why windows would load kernel32.dll and then something alter it as its going into memory?

Thanks guys.

]]> http://downgrade.org/2009/02/04/loaded-cwinntsystem32kernel32dll-differs-from-file-image/feed 2