December 2005 Archives

Timestamps in Thread and Process Objects

By Andreas Schuster on December 13, 2005 2:50 PM

The Windows kernel creates a distinct object for every process and every thread in its memory. It is possible to extract these blocks of data from memory images. At this even the remnants of terminated processes and threads can be found. Among their status information there are several timestamps.

Continue reading Timestamps in Thread and Process Objects.

_ETHREAD version 5.0.2195.7045

By Andreas Schuster on December 12, 2005 3:36 PM

This article provides a listing of the _ETHREAD structure of Microsoft Windows 2000. All data has been produced with the help of the free Microsoft kernel debugger and ntoskrnl.exe version 5.0.2195.7045. Knowledge about this structure could be helpful when analysing a memory dump.

Continue reading _ETHREAD version 5.0.2195.7045.
« November 2005 | Main Index | Archives | February 2006 »

Search

Deutsch

Deutschsprachige Ausgabe

Recent Entries

Tag Cloud

Categories

Archives

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.
Powered by Movable Type 5.12