Saturday, 3 December 2011

wincheck rc8.1

Download mirror
Changelog:
  • New -st option to check System Threads. Prints the ETHREAD, ETHREAD.StartAddress, Y if the thread is a worker thread, KTHREAD.InitialStack and KTHREAD.StackLimit. Example output from my XP 32-bit machine looks like:
    Thread 867C5020 Start 80683528 N stack F79FC000 limit F79F9000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C5BD8 Start 80533CD0 Y stack F7A08000 limit F7A05000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C5960 Start 80533CD0 Y stack F7A0C000 limit F7A09000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C56E8 Start 80533CD0 Y stack F7A10000 limit F7A0D000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C5470 Start 80533CD0 Y stack F7A14000 limit F7A11000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C4020 Start 80533CD0 Y stack F7A18000 limit F7A15000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C4DA8 Start 80533CD0 Y stack F7A1C000 limit F7A19000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C4B30 Start 80533CD0 Y stack F7A20000 limit F7A1D000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C48B8 Start 80533CD0 Y stack F7A24000 limit F7A21000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C4640 Start 80533CD0 Y stack F7A28000 limit F7A25000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C43C8 Start 80533CD0 Y stack F7A2C000 limit F7A29000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C3020 Start 80533CD0 Y stack F7A30000 limit F7A2D000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C3DA8 Start 80533CD0 Y stack F7A34000 limit F7A31000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C3B30 Start 80533CD0 Y stack F7A38000 limit F7A35000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867C38B8 Start 806091A8 N stack F7A3C000 limit F7A39000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867BF020 Start 80508898 N stack F7A40000 limit F7A3D000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867BFDA8 Start 8064226E N stack F7A44000 limit F7A41000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867BFB30 Start 8053B3E8 N stack F7A48000 limit F7A45000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867BF8B8 Start 8053B6DE N stack F7A4C000 limit F7A49000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867EAA20 Start 804EC6E8 N stack F7A50000 limit F7A4D000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867EA7A8 Start 804EC6E8 N stack F7A54000 limit F7A51000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867A5BC8 Start 8050AC2A N stack F7A58000 limit F7A55000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 867A5530 Start F74BDB10 N stack F7A5C000 limit F7A59000 ACPI.sys
    Thread 867325C0 Start F739C91E N stack F7A64000 limit F7A61000 dmio.sys
    Thread 86740DA8 Start F72DBB40 N stack F7A68000 limit F7A65000 PGPwded.sys
    Thread 8672E9E0 Start F72DBB40 N stack F7A6C000 limit F7A69000 PGPwded.sys
    Thread 86717A40 Start F720DB85 N stack F7A70000 limit F7A6D000 NDIS.sys
    Thread 865BB458 Start F77D1F90 N stack F7A90000 limit F7A8D000 \SystemRoot\system32\DRIVERS\redbook.sys
    Thread 86482DA8 Start F5F8381A N stack F7AA4000 limit F7AA1000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    Thread 86482B30 Start F5F8381A N stack F7AA8000 limit F7AA5000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    Thread 864828B8 Start F5F8381A N stack F7AAC000 limit F7AA9000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    Thread 86482640 Start F5F6CCFA N stack F7AB0000 limit F7AAD000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    Thread 863DE7D8 Start F781C92D N stack F7AC8000 limit F7AC5000 \SystemRoot\system32\DRIVERS\raspptp.sys
    Thread 863E9020 Start F781D103 N stack F7AC4000 limit F7AC1000 \SystemRoot\system32\DRIVERS\raspptp.sys
    Thread 86143598 Start F64B9E96 N stack F7166000 limit F7163000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    Thread 86395020 Start F64B9E96 N stack F716E000 limit F716B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    Thread 86371B18 Start F64B9E96 N stack F7172000 limit F716F000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    Thread 85CC16F0 Start F60156D0 N stack F1D37000 limit F1D34000 \SystemRoot\system32\DRIVERS\parport.sys
    Thread 862B1AC0 Start F1D2C038 N stack F1D2B000 limit F1D28000 \SystemRoot\system32\DRIVERS\rasacd.sys
    Thread 85C636F0 Start F72DBB40 N stack F1D23000 limit F1D20000 PGPwded.sys
    Thread 86310B70 Start EEF75A99 N stack F1D1F000 limit F1D1C000 \SystemRoot\system32\DRIVERS\rdbss.sys
    Thread 85C366F0 Start EEF75A99 N stack F1D13000 limit F1D10000 \SystemRoot\system32\DRIVERS\rdbss.sys
    Thread 85C356F0 Start EEF5D8AF N stack F177D000 limit F177A000 \SystemRoot\system32\DRIVERS\rdbss.sys
    Thread 86616A78 Start 805EE5B8 N stack F7AC0000 limit F7ABD000 \WINDOWS\system32\ntkrnlpa.exe
    Thread 862A4308 Start EEF679C1 N stack EE2D0000 limit EE2CD000 \SystemRoot\system32\DRIVERS\rdbss.sys
    Thread 863B7DA8 Start F733D2A6 N stack F5EEA000 limit F5EE7000 PGPfsfd.sys
    Thread 862D8DA8 Start EB1AC7D8 N stack EF223000 limit EF220000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    Thread 86600598 Start EB1AC7D8 N stack F0A1B000 limit F0A18000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    Thread 86312580 Start EB1AC7D8 N stack EB320000 limit EB31D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    Thread 862F7B38 Start EB18E82C N stack EB300000 limit EB2FD000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    Thread 8636F220 Start EB18BD18 N stack F5EFA000 limit F5EF7000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    Thread 865FDDA8 Start F5195A48 N stack F5F06000 limit F5F03000 \??\C:\WINDOWS\system32\drivers\hcmon.sys
    Thread 85E03798 Start EB260B32 N stack EB16F000 limit EB16C000 \SystemRoot\system32\DRIVERS\srv.sys
    Thread 85E51798 Start EB260B32 N stack EB177000 limit EB174000 \SystemRoot\system32\DRIVERS\srv.sys
    Thread 861EC718 Start EBA847B6 N stack EBB1B000 limit EBB18000 \SystemRoot\System32\Drivers\HTTP.sys
    Thread 861BA8E8 Start EBA847B6 N stack EBAE7000 limit EBAE4000 \SystemRoot\System32\Drivers\HTTP.sys
    Thread 861BA670 Start EBA847B6 N stack EBCB7000 limit EBCB4000 \SystemRoot\System32\Drivers\HTTP.sys
    Thread 862409E0 Start EBA847B6 N stack EBCBB000 limit EBCB8000 \SystemRoot\System32\Drivers\HTTP.sys
    Thread 861F9A98 Start EBA81DDA N stack EBCA7000 limit EBCA4000 \SystemRoot\System32\Drivers\HTTP.sys

    This new option is supported on both 32-bit and 64-bit platforms. It does not work on Windows 2000, only because of the strange global process-locking policy on that ancient Windows.
  • The Unknown Executable Memory check (-uem option) now excludes the ranges used by PEB.ApiSetMap and PEB.ReadOnlySharedMemoryBase (Windows 7 and 8)
  • Fixed some misprints in the output
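As an added example (not part of wincheck or of this post), a small Python script that parses the -st output format shown above and reports the threads a defender would look at first: a start address that resolves to no module (the module name printed at the end of each line is missing), a worker thread whose start routine differs from the other workers, or a kernel stack whose size (KTHREAD.InitialStack minus KTHREAD.StackLimit) differs from the common one. The sample input copies four lines from the listing above plus one constructed line with made-up addresses and no module name.

```python
import re
from collections import Counter

# Constructed sample: four lines copied from the -st listing above plus one constructed
# line (the 8A00... addresses are made up) that has no module name after the stack limit.
SAMPLE = r"""
Thread 867C5020 Start 80683528 N stack F79FC000 limit F79F9000 \WINDOWS\system32\ntkrnlpa.exe
Thread 867C5BD8 Start 80533CD0 Y stack F7A08000 limit F7A05000 \WINDOWS\system32\ntkrnlpa.exe
Thread 867C5960 Start 80533CD0 Y stack F7A0C000 limit F7A09000 \WINDOWS\system32\ntkrnlpa.exe
Thread 867A5530 Start F74BDB10 N stack F7A5C000 limit F7A59000 ACPI.sys
Thread 8A000020 Start 8A100000 N stack F7B00000 limit F7AFD000
"""

# One output line: fixed-width hex fields, Y/N worker flag, optional module name at the end.
LINE_RE = re.compile(
    r"^Thread (?P<ethread>[0-9A-F]{8}) Start (?P<start>[0-9A-F]{8}) (?P<worker>[YN]) "
    r"stack (?P<stack>[0-9A-F]{8}) limit (?P<limit>[0-9A-F]{8})(?: (?P<module>\S+))?$"
)

def parse_line(line):
    """Parse one -st line into a dict (hex fields as ints); None if it is not a thread line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = m.groupdict()
    for key in ("ethread", "start", "stack", "limit"):
        t[key] = int(t[key], 16)
    t["worker"] = t["worker"] == "Y"
    return t

def parse_output(text):
    return [t for t in map(parse_line, text.splitlines()) if t]

def analyze(threads):
    """Return (ETHREAD, reason) pairs for threads that stand out from the rest of the list."""
    findings = []
    # Kernel stacks are uniform per platform; take the most common InitialStack - StackLimit.
    common_size = Counter(t["stack"] - t["limit"] for t in threads).most_common(1)[0][0]
    # All worker threads share one start routine (80533CD0 in the listing above).
    worker_starts = Counter(t["start"] for t in threads if t["worker"])
    common_worker_start = worker_starts.most_common(1)[0][0] if worker_starts else None
    for t in threads:
        if t["module"] is None:
            findings.append((t["ethread"], "start address resolves to no loaded module"))
        if t["stack"] - t["limit"] != common_size:
            findings.append((t["ethread"], "kernel stack size differs from the others"))
        if t["worker"] and t["start"] != common_worker_start:
            findings.append((t["ethread"], "worker thread with an unexpected start routine"))
    return findings
```

Feed the saved output of `wincheck -st` to `parse_output` and print whatever `analyze` returns; on the listing above only the constructed module-less line is reported.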
