A forum for reverse engineering, OS internals and malware analysis 

All off-topic discussion goes here.
 #11380  by vlzj
 Wed Feb 01, 2012 11:20 am
Hello,

I've bsods my computer. Bsods came from ntoskrnl.exe file. There is a
little information ntoskrnl.exe in wiki: h++p://en.wikipedia.org/wiki/Windows_NT_kernel

I've seen an interesting situation and want to clarify if you have this situation or not.

Download the XueTr:

h++p://xuetr.com/download/XueTr.zip

h++p://imageshack.us/photo/my-images/811/54282407.png

At Kernel Module section, right click the ntoskrnl.exe file and click
dump memory section,when dumping of ntoskrnl.exe done.

h++p://technet.microsoft.com/en-us/sysinternals/bb897439

Download the strings program.

and lets execute this command at dmp file.

strings ntoskrnl.exe.dmp > ntoskrnl.exe.dmp.txt

At the end of ntoskrnl.exe.dmp.txt file we'll see some strings that
we entered search at google and web addresses that we entered the browser.

Is it normal to see these strings in ntoskrnl.exe dump?

or is it a malware that infects the ntoskrnl.exe?

Thanks in advance.
 #11394  by vlzj
 Wed Feb 01, 2012 8:47 pm
Output of "netstat -b -p TCP -v" gives the attachment screenshot.
Have you ever encountered this situation?
Attachments
2.PNG
2.PNG (12.75 KiB) Viewed 575 times
 #11408  by EP_X0FF
 Thu Feb 02, 2012 3:01 pm
Screenshot is interesting. Are you sure you don't have any ntoskrnl.exe -->process<-- running? Usually network connection of this type shown as [System]
 #11427  by vlzj
 Sat Feb 04, 2012 12:00 pm
@EP_X0FF At comodo there is not running ntoskrnl.exe process.

I am thinking in this issue for 2 months. I've written a program which indicates where
the programs came from and their dependicies. It is not finished yet.

At attachment #1: ntos.png There is screenshot of the program where the ntoskrnl.exe came
from.

ntoskrnl.exe i386 compressed is: ntoskrnl.exe compressed exists in i386 folder.
expanded is: ntoskrnl.exe file is expanded.
exists in sp2 and sp3 is: ntoskrnl.exe file came with sp2 and sp3. It is good to indicate
that sometime Microsoft updates the ntoskrnl.exe file with some of security situations with
windows update.

But we need to debug ntoskrnl.exe file running state and dependency dlls at where and why
end of the ntoskrnl.exe file has these strings?

Fresh install of win xp sp3 has this strings as well.(without network connection so probably,
we can't say this is a malware which infects ntoskrnl.exe)

We can't accuse someone at this state.
Because maybe it is malware or we don't know running state of ntoskrnl.exe even we don't know
the source code.(Only we can debug ntosrnl.exe file and trying to understand internals)
Attachments
ntos.png
ntos.png (1.62 KiB) Viewed 504 times