You could pull the GUID from the loaded nt module's PE file and download
PDBs to check (see pdbparse). Or just skip the download and keep a list of
known GUIDs for modules that use one structure over the other. More
generically, you could check the _ETHREAD pool size to determine if there's
an extra member.
MHL
On Wed, Dec 12, 2012 at 1:36 PM, Cutter 409 <cutter409(a)gmail.com> wrote:
I've noticed that on an unpatched Windows 7 x64 SP1 machine, the _KTHREAD
structure ends as follows:
+350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+358 XSaveState : Ptr64 _XSAVE_STATE
On a version of the machine that is up to date on patches, I see _KTHREAD
ending like this:
+350 ThreadCounters : Ptr64 _KTHREAD_COUNTERS
+358 StateSaveArea : Ptr64 _XSAVE_FORMAT
+360 XSaveState : Ptr64 _XSAVE_STATE
The result is that fields in the _ETHREAD structure are shifted by 8 bytes
on the patched machine.
I can't be certain that it was a Microsoft Update (I'm only assuming), but
does anyone know which patch causes the update?
At the very least, is there a good method for detecting if a memory image
uses one version of KTHREAD or the other?
Any information would be helpful.
Thanks!
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
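An added example of the first approach MHL describes, written for this page and not taken from the thread, Volatility or pdbparse: parse the "RSDS" CodeView record from the nt module's debug directory into the symbol-server GUID+age key and map it to a known _KTHREAD layout. The GUIDs in KNOWN_BUILDS and the sample record are constructed placeholders; the field offsets are the ones quoted in the thread.

```python
import struct
import uuid

# _KTHREAD tails quoted in the thread (Windows 7 x64 SP1): the patched build
# inserts StateSaveArea at +0x358 and pushes XSaveState (and _ETHREAD) down 8 bytes.
KTHREAD_LAYOUTS = {
    "unpatched": {"ThreadCounters": 0x350, "XSaveState": 0x358},
    "patched": {"ThreadCounters": 0x350, "StateSaveArea": 0x358, "XSaveState": 0x360},
}

# Constructed placeholder table: in practice, fill it with the symbol-server ids of
# ntoskrnl builds whose layout was confirmed in a debugger (the values here are fake).
KNOWN_BUILDS = {
    "12345678123456789ABCDEF0123456782": "unpatched",
    "FEDCBA9876543210FEDCBA98765432101": "patched",
}

def parse_rsds(blob):
    """Parse a CV_INFO_PDB70 ("RSDS") record: 4-byte signature, 16-byte GUID
    (Microsoft mixed-endian), 4-byte age, NUL-terminated PDB name.
    Returns (symbol_server_id, pdb_name)."""
    if len(blob) < 24 or blob[:4] != b"RSDS":
        raise ValueError("not an RSDS debug record")
    guid = uuid.UUID(bytes_le=blob[4:20])
    (age,) = struct.unpack_from("<I", blob, 20)
    name = blob[24:].split(b"\x00", 1)[0].decode("ascii")
    # Symbol servers key a PDB as GUID hex followed by age hex, uppercase, no dashes.
    return "%s%X" % (guid.hex.upper(), age), name

def kthread_layout(blob):
    """Map an nt RSDS record to a _KTHREAD layout, or None if the build is unknown."""
    pdb_id, _ = parse_rsds(blob)
    build = KNOWN_BUILDS.get(pdb_id)
    return KTHREAD_LAYOUTS[build] if build else None

def ethread_shift(blob):
    """Bytes to add to unpatched _ETHREAD field offsets for this build (0, 8 or None)."""
    layout = kthread_layout(blob)
    if layout is None:
        return None
    return layout["XSaveState"] - KTHREAD_LAYOUTS["unpatched"]["XSaveState"]

def build_rsds(guid_str, age, name):
    """Assemble an RSDS record; used here only to construct sample input."""
    return b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age) + name.encode() + b"\x00"

# Constructed sample record (not from a real kernel) matching the "unpatched" placeholder id.
SAMPLE_RSDS = build_rsds("12345678-1234-5678-9abc-def012345678", 2, "ntkrnlmp.pdb")
```

On a real image the blob comes from the IMAGE_DEBUG_DIRECTORY entry of type CODEVIEW in the loaded nt module; the table lookup then replaces the PDB download.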