Livekd Could Not Resolve Symbols For Ntoskrnl.exe

| 08-04-2021
[RAND-1-100] Comments



Analysis Date2013-11-23 18:43:31
MD5d031e1ada8f76c447fab00c0e12ad35c
SHA1f0038c59cb07862bd2228677d0b192f99c61091e
Not

Static Details:

NotLivekd could not resolve symbols for ntoskrnl.exe 5
File typePE32 executable for MS Windows (console) Intel 80386 32-bit
Section.text md5: e4862f10194a5d9b860d9b43192d4ca5 sha1: 7767a574291d7774019522f3111bb934014cf782 size: 138240
Section.rdata md5: 329836d3ec5311d3a0bad4f72635ddd7 sha1: 1bac5968c8cf1a9c31db6c7c0df36c008f82ce26 size: 33280
Section.data md5: 10f3565f5bf969e9e32d9ae57f45485e sha1: 4a31776b21374bdd708ed30709519a9bec1892fa size: 6656
Section.rsrc md5: 4f7b1dee92a1b71dca7e11e795c8d20a sha1: 25739d96ff02a0fc02f2319524e0e81e0ee5fa5c size: 423424
Timestamp2012-10-14 19:55:20
Pdb pathc:srclivekdExeReleaselivekd.pdb
VersionLegalCopyright: Copyright © 2000-2012 Mark Russinovich and Ken Johnson
InternalName: livekd
FileVersion: 5.3
CompanyName: Sysinternals - www.sysinternals.com
ProductName: Sysinternals LiveKd
ProductVersion: 5.3
FileDescription: livekd
OriginalFilename: livekd.exe
PEhash68c336935bf05f5c1193f2cd561e833c26b64ecc
AVavgWin32/Sality
AVaviraW32/Sality.AT
AVmcafeeW32/Sality.gen.z
AVmsseVirus:Win32/Sality.AT

Runtime Details:

Screenshot

Process
↳ C:malware.exe

Livekd could not resolve symbols for ntoskrnl.exe 11
RegistryHKEY_CURRENT_USERSoftwareAasppapmmxkvsA1_0 ➝
2768543866
RegistryHKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionpoliciessystemEnableLUA ➝
NULL
RegistryHKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterSvcAntiVirusOverride ➝
1
RegistryHKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionExplorerAdvancedHidden ➝
2
RegistryHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileEnableFirewall ➝
NULL
RegistryHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsListC:malware.exe ➝
C:malware.exe:*:Enabled:ipsec
RegistryHKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity CenterAntiVirusOverride ➝
1
RegistryHKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsGlobalUserOffline ➝
NULL
RegistryHKEY_CURRENT_USERSoftwareAasppapmmxkvs-9936270071768776769 ➝
178
Creates FileC:TEMPFILESmonitor.exe
Creates FileC:Documents and SettingsAdministratorLocal SettingsTemphxevpi.exe
Creates FileC:WINDOWSSYSTEM.INI
Creates FilePIPESfcApi
Creates FileC:Program FilesAdobeAcrobat 7.0ReaderAcroRd32.exe
Creates FileC:TEMPFILESAcroRd32.exe
Creates FilePIPElsarpc
Creates FileC:TEMPmonitor.exe
Creates FileDeviceAfdEndpoint
Creates FileC:TEMPFILEShxevpi.exe
Deletes FileC:Documents and SettingsAdministratorLocal SettingsTemphxevpi.exe
Creates MutexuxJLpe1m
Creates Mutexservices.exeM_616_
Creates Mutexreader_sl.exeM_976_
Creates Mutexalg.exeM_1844_
Creates Mutexsvchost.exeM_848_
Creates Mutexsvchost.exeM_800_
Creates Mutexlsass.exeM_628_
Creates Mutexsvchost.exeM_1172_
Creates Mutexmalware.exeM_1508_
Creates Mutexspoolsv.exeM_1292_
Creates Mutexsvchost.exeM_1016_
Creates Mutexmonitor.exeM_1184_
Creates Mutexcsrss.exeM_548_
Creates Mutexuserinit.exeM_256_
Creates Mutexsmss.exeM_500_
Creates Mutexwinlogon.exeM_572_
Creates Mutexexplorer.exeM_340_
Creates Mutexsvchost.exeM_1108_
Creates Mutexsvchost.exeM_1204_

The ntoskrnl.exe (GDR branch) from Windows6.1-KB2882822-x64 update does not have public symbols. Where I can report this? Symchk /v /if ntoskrnl.exe /s SRV.E: SymbolsStore.

Process
↳ C:WINDOWSExplorer.EXE

For
Creates Mutexexplorer.exeM_340_
Creates MutexuxJLpe1m

Process
↳ C:Program FilesAdobeAcrobat 7.0Readerreader_sl.exe

  1. If your symbol path is wrong, fix it. If you are using the kernel debugger make sure your local%WINDIR% is not on your symbol path. Then reload symbols using the.reload (Reload Module) command: 0:000.reload ModuleName If your symbol path is correct, you should activate noisy mode so you can see which symbol files dbghelp is loading.
  2. Oct 24, 2005 Re: LiveKD reports 'Could not resolve symbols for ntoskrnl.exe' by Uday K Verma » Fri, 28 Oct 2005 03:54:21 GMT Well, seems like my symbols for ntoskrnl.exe somehow got corrupted or went invalid.
Creates MutexuxJLpe1m
Creates Mutexreader_sl.exeM_976_

Network Details:


Raw Pcap

Livekd Could Not Resolve Symbols For Ntoskrnl.exe 2


Livekd Could Not Resolve Symbols For Ntoskrnl.exe X

Strings