Author: dlux
Subject: Strange <unknown> in KernelThreadCreate Stack
Posted: 06 January 2013 at 10:36am
Someone tell me if this is correct or not:
I ran Procmon and in the first few entries there is a System (kernel) ThreadCreate event.
In this event, under the Stack tab, I see some User (U) objects that are simply listed as memory addresses, not as file object names.
Frame Module Location Address Path
0 ntoskrnl.exe FsRtlTeardownPerStreamContexts + 0x10f1 0xfffff80002f3b91d C:\Windows\system32\ntoskrnl.exe
1 ntoskrnl.exe RtlAreAllAccessesGranted + 0x3ba 0xfffff80002f6dfa2 C:\Windows\system32\ntoskrnl.exe
2 ntoskrnl.exe PsCreateSystemThread + 0x125 0xfffff80002f1cf39 C:\Windows\system32\ntoskrnl.exe
3 ntoskrnl.exe NtNotifyChangeDirectoryFile + 0x18f9 0xfffff80002ee76c5 C:\Windows\system32\ntoskrnl.exe
4 ntoskrnl.exe ObInsertObject + 0x740 0xfffff80002ee5650 C:\Windows\system32\ntoskrnl.exe
5 ntoskrnl.exe NtTraceControl + 0x35c 0xfffff80002f2571c C:\Windows\system32\ntoskrnl.exe
6 ntoskrnl.exe KeSynchronizeExecution + 0x3a43 0xfffff80002c80ed3 C:\Windows\system32\ntoskrnl.exe
7 ntdll.dll NtTraceControl + 0xa 0x76e22b5a C:\Windows\System32\ntdll.dll
8 advapi32.dll StartTraceW + 0x5e0 0x7fefd83eb80 C:\Windows\System32\advapi32.dll
9 advapi32.dll StartTraceW + 0x414 0x7fefd83e9b4 C:\Windows\System32\advapi32.dll
10 <unknown> 0x13f88af61 0x13f88af61
11 <unknown> 0x13f8878a2 0x13f8878a2
12 <unknown> 0x13f8b7457 0x13f8b7457
13 user32.dll TranslateMessageEx + 0x2a1 0x76bc9bd1 C:\Windows\System32\user32.dll
14 user32.dll SetWindowTextW + 0x277 0x76bc72cb C:\Windows\System32\user32.dll
15 user32.dll IsDialogMessageW + 0x169 0x76bc6829 C:\Windows\System32\user32.dll
16 ntdll.dll KiUserCallbackDispatcher + 0x1f 0x76e21225 C:\Windows\System32\ntdll.dll
17 ntoskrnl.exe KeUserModeCallback + 0xe6 0xfffff80002f6db66 C:\Windows\system32\ntoskrnl.exe
18 win32k.sys memset + 0xa63e 0xfffff9600016f45e C:\Windows\System32\win32k.sys
19 win32k.sys memset + 0x73cb 0xfffff9600016c1eb C:\Windows\System32\win32k.sys
20 win32k.sys memset + 0x6c73 0xfffff9600016ba93 C:\Windows\System32\win32k.sys
21 win32k.sys EngFntCacheLookUp + 0x1771c 0xfffff960001241d8 C:\Windows\System32\win32k.sys
22 win32k.sys EngSetLastError + 0x7f 0xfffff96000143c6f C:\Windows\System32\win32k.sys
23 win32k.sys EngSetLastError + 0xd4a2 0xfffff96000151092 C:\Windows\System32\win32k.sys
24 ntoskrnl.exe KeSynchronizeExecution + 0x3a43 0xfffff80002c80ed3 C:\Windows\system32\ntoskrnl.exe
25 user32.dll IsDialogMessageW + 0x19a 0x76bc685a C:\Windows\System32\user32.dll
26 user32.dll GetWindowLongPtrA + 0x78 0x76bc3838 C:\Windows\System32\user32.dll
27 user32.dll SendMessageW + 0x5d 0x76bc6bad C:\Windows\System32\user32.dll
28 <unknown> 0x13f8b98a4 0x13f8b98a4
29 <unknown> 0x13f8d8f67 0x13f8d8f67
30 kernel32.dll BaseThreadInitThunk + 0xd 0x76cc652d C:\Windows\System32\kernel32.dll
31 ntdll.dll RtlUserThreadStart + 0x21 0x76dfc521 C:\Windows\System32\ntdll.dll
This system is infected with the infamous GPU hypervisor malware as seen in the malware forum here. I need to know if others see these <unknown> Stack entries, seen ONLY in System ThreadCreate events.
This will tell me a lot.