kntlist kernel object auditing utility, 1, 0, 0, 1700
knTlist kernel object auditing utility, 1, 0, 0, 1700
Copyright (C) 2004-2005 GMG Systems, Inc.
Command Line: kntlist.exe -v -a -o kntlist-dfrws2005-physical-memory1 --kernel ntoskrnl.exe dfrws2005-physical-memory1.dmp --log --cryptsum sha1 --localwrt
beta 1 Interim release.
Licensed to Eoghan Casey.
Microsoft Windows
Microsoft Windows 5.1 (Build 2600.Personal Service Pack 2)
28/08/2005 18:50:50 (UTC)
28/08/2005 14:50:50 (local time)
Current User: Computer\Eoghan Casey
BETA EVALUATION VERSION! NOT FOR COMMERCIAL USE.
Physical memory modules installed on the system: 0xf800000
Physical memory visible to the operating system: 0xf75c000
Highest physical page plus 4096 bytes: 0xf7d0000
MmPagingFile is not at expected offset from MmNumberOfPagingFiles:
MmPagingFile expected at 0x80480C6C
MmPagingFile found at 0x80480C40
Processing loaded system module list.
124 system modules found.
Processing unloaded system module table.
8 unloaded system modules found.
Processing service descriptor table.
Processing shadow service descriptor table.
Processing active process list.
The kernel stack could not be determined for one or more threads.
There are 33 processes in the active process list.
Processing cid table.
Processing handle table list head.
Handle table 0xE13C1000 in object table 0xFCC99228 is paged: 0:1074000
Handle table 0xE1BD8000 in object table 0xFF1F62E8 is paged: 0:1b8b000
Processing object directory.
Warning: Directory recursion detected in object directory at base entry: 0xE1E25128
Looking for cloaked system modules.
Processing IDT Table 0x80036400
WARNING: Unable to find module for IDT entry 0x31: 0xfcdbc6a4
WARNING: Unable to find module for IDT entry 0x34: 0xfcd32264
WARNING: Unable to find module for IDT entry 0x39: 0xfcd53144
WARNING: Unable to find module for IDT entry 0x3b: 0xfcd32884
WARNING: Unable to find module for IDT entry 0x3c: 0xfcd33dc4
WARNING: Unable to find module for IDT entry 0x3e: 0xfcd4d164
Processing GDT (callgates only) Table 0x80036000
Processing unloaded system module list.
Reference to cloaked process 0xFF1B5CC0 was found in object 0xFF1B9BA0
Reference to cloaked process 0xFF129460 was found in object 0xFF1B3020
AbsoluteSecurityDescriptor: 0xE1D3B378(1)
AbsoluteSecurityDescriptor: 0xE1D3B378(1)
Reference to cloaked process 0xFF1CCB60 was found in object 0xFF22D020
AbsoluteSecurityDescriptor: 0xE1D3B378(1)
3 active processes were found that were not included in the active process list.
The kernel stack could not be determined for one or more threads.
Eprocess 0xFF1B5CC0: May be cloaked!!!
Eprocess 0xFF129460: May be cloaked!!!
Eprocess 0xFF1CCB60: May be cloaked!!!
28/08/2005 18:51:02 (UTC)
28/08/2005 14:51:02 (local time)