You could pull the GUID from the loaded nt module&#39;s PE file and download PDBs to check (see pdbparse). Or just skip the download and keep a list of known GUIDs for modules that use one structure over the other. More generically, you could check the _ETHREAD pool size to determine if there&#39;s an extra member. <div>
<br></div><div>MHL</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Dec 12, 2012 at 1:36 PM, Cutter 409 <span dir="ltr">&lt;<a href="mailto:cutter409@gmail.com" target="_blank">cutter409@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I&#39;ve noticed that on an unpatched Windows 7 x64 SP1 machine, the _KTHREAD structure ends as follows:<br><br>+350 ThreadCounters  : Ptr64 _KTHREAD_COUNTERS<br>
+358 XSaveState       : Ptr64 _XSAVE_STATE<br><br>On a version of the machine that is up to date on patches, I see _KTHREAD ending like this:<br>
<br>+350 ThreadCounters  : Ptr64 _KTHREAD_COUNTERS<br>+358 StateSaveArea   : Ptr64 _XSAVE_FORMAT<br>+360 XSaveState       : Ptr64 _XSAVE_STATE<br><br>The result is that fields in the _ETHREAD structure are shifted by 8 bytes. on the patched machine.<br>

<br>I can&#39;t be certain that it was a Microsoft Update (I&#39;m only assuming), but does anyone know which patch causes the update?<br><br>At the very least, is there a good method for detecting if a memory image uses one version of KTHREAD or the other?<br>

<br>Any information would be helpful.<br><br>Thanks!<br>
<br>_______________________________________________<br>
Vol-dev mailing list<br>
<a href="mailto:Vol-dev@volatilityfoundation.org">Vol-dev@volatilityfoundation.org</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev" target="_blank">http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev</a><br>
<br></blockquote></div><br></div>