nxa
May 14th, 2009, 22:32
Hi,
I dumped the PE headers of some kernel modules in Windows XP SP3, and was surprised to see that some PE headers are broken, while some are not. Please see below.
Does anybody know why?
Thanks a lot,
NXA
For example, here is the dump of the header of win32k.sys (starting at 0xbf800000). We don't see the PE signature "4d5a" at the start.
0xbf800000 00 90 e4 b7 48 13 07 08 00 00 00 00 00 00 00 00
0xbf800010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xbf800020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Meanwhile, ntoskrnl has no such problem: we can see the "4d5a" signature at the start as expected.
0x804d7000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
0x804d7010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
0x804d7020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
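As an added example (not part of the post), the script below reconstructs the two dumps quoted above into byte buffers and checks what the DOS/PE headers look like: whether the "MZ" (4d 5a) signature is at offset 0, and, only when the dump reaches offset 0x3c, whether e_lfanew points at a "PE\0\0" signature inside the captured bytes. Running it over a set of module dumps is a quick way to triage which loaded images have their headers intact in memory and which do not; the dump text is the constructed sample input.

```python
import struct

# Sample input: the two 48-byte dumps quoted in the post, constructed here verbatim.
WIN32K_DUMP = """
0xbf800000 00 90 e4 b7 48 13 07 08 00 00 00 00 00 00 00 00
0xbf800010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0xbf800020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
NTOSKRNL_DUMP = """
0x804d7000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
0x804d7010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
0x804d7020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

def parse_dump(text):
    """Parse '0xADDR b0 b1 ...' lines into (base_address, bytes), requiring the
    lines to be contiguous so offsets into the buffer equal image offsets."""
    base, buf = None, bytearray()
    for line in text.strip().splitlines():
        parts = line.split()
        addr = int(parts[0], 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f"non-contiguous dump line at {addr:#x}")
        buf.extend(int(b, 16) for b in parts[1:])
    return base, bytes(buf)

def check_pe_header(image):
    """Report the DOS 'MZ' signature, e_lfanew (if offset 0x3c is captured),
    and whether e_lfanew lands on 'PE\\0\\0' within the captured bytes (None = unknown)."""
    result = {"mz": False, "e_lfanew": None, "pe": None}
    if len(image) < 2:
        return result
    result["mz"] = image[:2] == b"MZ"          # 4d 5a
    if not result["mz"]:
        return result                          # no DOS header, nothing else to trust
    if len(image) >= 0x40:                     # e_lfanew is the DWORD at 0x3c
        e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
        result["e_lfanew"] = e_lfanew
        if e_lfanew + 4 <= len(image):
            result["pe"] = image[e_lfanew:e_lfanew + 4] == b"PE\0\0"
    return result

def report(name, text):
    base, image = parse_dump(text)
    r = check_pe_header(image)
    print(f"{name} @ {base:#x}: MZ={r['mz']} e_lfanew={r['e_lfanew']} PE={r['pe']}")
    return r

if __name__ == "__main__":
    report("win32k.sys", WIN32K_DUMP)    # MZ=False: header bytes are not a DOS header
    report("ntoskrnl.exe", NTOSKRNL_DUMP)  # MZ=True, e_lfanew unknown (dump stops at 0x30)
```

Both dumps stop at 0x30 bytes, so the script can only confirm the MZ signature; capture at least 0x40 bytes plus the region e_lfanew points to if you want the PE signature checked as well.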