Strange <unknown> in KernelThreadCreate Stack

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

   Someone tell me if this is correct or not:
I run procmon and in the first few entries there is a System (kernel) ThreadCreate event.
In this event under the Stack tab I see some User (U) objects that are simply listed as mem addresses, not as File object names. 
0    ntoskrnl.exe    FsRtlTeardownPerStreamContexts + 0x10f1    0xfffff80002f3b91d    C:\Windows\system32\ntoskrnl.exe
1    ntoskrnl.exe    RtlAreAllAccessesGranted + 0x3ba    0xfffff80002f6dfa2    C:\Windows\system32\ntoskrnl.exe
2    ntoskrnl.exe    PsCreateSystemThread + 0x125    0xfffff80002f1cf39    C:\Windows\system32\ntoskrnl.exe
3    ntoskrnl.exe    NtNotifyChangeDirectoryFile + 0x18f9    0xfffff80002ee76c5    C:\Windows\system32\ntoskrnl.exe
4    ntoskrnl.exe    ObInsertObject + 0x740    0xfffff80002ee5650    C:\Windows\system32\ntoskrnl.exe
5    ntoskrnl.exe    NtTraceControl + 0x35c    0xfffff80002f2571c    C:\Windows\system32\ntoskrnl.exe
6    ntoskrnl.exe    KeSynchronizeExecution + 0x3a43    0xfffff80002c80ed3    C:\Windows\system32\ntoskrnl.exe
7    ntdll.dll    NtTraceControl + 0xa    0x76e22b5a    C:\Windows\System32\ntdll.dll
8    advapi32.dll    StartTraceW + 0x5e0    0x7fefd83eb80    C:\Windows\System32\advapi32.dll
9    advapi32.dll    StartTraceW + 0x414    0x7fefd83e9b4    C:\Windows\System32\advapi32.dll
10    <unknown>    0x13f88af61    0x13f88af61    
11    <unknown>    0x13f8878a2    0x13f8878a2    
12    <unknown>    0x13f8b7457    0x13f8b7457    
13    user32.dll    TranslateMessageEx + 0x2a1    0x76bc9bd1    C:\Windows\System32\user32.dll
14    user32.dll    SetWindowTextW + 0x277    0x76bc72cb    C:\Windows\System32\user32.dll
15    user32.dll    IsDialogMessageW + 0x169    0x76bc6829    C:\Windows\System32\user32.dll
16    ntdll.dll    KiUserCallbackDispatcher + 0x1f    0x76e21225    C:\Windows\System32\ntdll.dll
17    ntoskrnl.exe    KeUserModeCallback + 0xe6    0xfffff80002f6db66    C:\Windows\system32\ntoskrnl.exe
18    win32k.sys    memset + 0xa63e    0xfffff9600016f45e    C:\Windows\System32\win32k.sys
19    win32k.sys    memset + 0x73cb    0xfffff9600016c1eb    C:\Windows\System32\win32k.sys
20    win32k.sys    memset + 0x6c73    0xfffff9600016ba93    C:\Windows\System32\win32k.sys
21    win32k.sys    EngFntCacheLookUp + 0x1771c    0xfffff960001241d8    C:\Windows\System32\win32k.sys
22    win32k.sys    EngSetLastError + 0x7f    0xfffff96000143c6f    C:\Windows\System32\win32k.sys
23    win32k.sys    EngSetLastError + 0xd4a2    0xfffff96000151092    C:\Windows\System32\win32k.sys
24    ntoskrnl.exe    KeSynchronizeExecution + 0x3a43    0xfffff80002c80ed3    C:\Windows\system32\ntoskrnl.exe
25    user32.dll    IsDialogMessageW + 0x19a    0x76bc685a    C:\Windows\System32\user32.dll
26    user32.dll    GetWindowLongPtrA + 0x78    0x76bc3838    C:\Windows\System32\user32.dll
27    user32.dll    SendMessageW + 0x5d    0x76bc6bad    C:\Windows\System32\user32.dll
28    <unknown>    0x13f8b98a4    0x13f8b98a4    
29    <unknown>    0x13f8d8f67    0x13f8d8f67    
30    kernel32.dll    BaseThreadInitThunk + 0xd    0x76cc652d    C:\Windows\System32\kernel32.dll
31    ntdll.dll    RtlUserThreadStart + 0x21    0x76dfc521    C:\Windows\System32\ntdll.dll

This system is infected with the infamous GPU hypervisor malware as seen in the malware forum here. I need to know if others see these <unknown> Stack entries, seen ONLY in System ThreadCreate events.
This will tell me a lot.

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
dlux Members Profile Send Private Message Find Members Posts Add to Buddy List Groupie Joined: 24 July 2012 Status: Offline Points: 55	Post Options Post Reply Quote dlux Report Post Thanks(0) Quote Reply Topic: Strange <unknown> in KernelThreadCreate Stack Posted: 06 January 2013 at 10:36am
	Someone tell me if this is correct or not: I run procmon and in the first few entries there is a System (kernel) ThreadCreate event. In this event under the Stack tab I see some User (U) objects that are simply listed as mem addresses, not as File object names. 0 ntoskrnl.exe FsRtlTeardownPerStreamContexts + 0x10f1 0xfffff80002f3b91d C:\Windows\system32\ntoskrnl.exe 1 ntoskrnl.exe RtlAreAllAccessesGranted + 0x3ba 0xfffff80002f6dfa2 C:\Windows\system32\ntoskrnl.exe 2 ntoskrnl.exe PsCreateSystemThread + 0x125 0xfffff80002f1cf39 C:\Windows\system32\ntoskrnl.exe 3 ntoskrnl.exe NtNotifyChangeDirectoryFile + 0x18f9 0xfffff80002ee76c5 C:\Windows\system32\ntoskrnl.exe 4 ntoskrnl.exe ObInsertObject + 0x740 0xfffff80002ee5650 C:\Windows\system32\ntoskrnl.exe 5 ntoskrnl.exe NtTraceControl + 0x35c 0xfffff80002f2571c C:\Windows\system32\ntoskrnl.exe 6 ntoskrnl.exe KeSynchronizeExecution + 0x3a43 0xfffff80002c80ed3 C:\Windows\system32\ntoskrnl.exe 7 ntdll.dll NtTraceControl + 0xa 0x76e22b5a C:\Windows\System32\ntdll.dll 8 advapi32.dll StartTraceW + 0x5e0 0x7fefd83eb80 C:\Windows\System32\advapi32.dll 9 advapi32.dll StartTraceW + 0x414 0x7fefd83e9b4 C:\Windows\System32\advapi32.dll 10 <unknown> 0x13f88af61 0x13f88af61 11 <unknown> 0x13f8878a2 0x13f8878a2 12 <unknown> 0x13f8b7457 0x13f8b7457 13 user32.dll TranslateMessageEx + 0x2a1 0x76bc9bd1 C:\Windows\System32\user32.dll 14 user32.dll SetWindowTextW + 0x277 0x76bc72cb C:\Windows\System32\user32.dll 15 user32.dll IsDialogMessageW + 0x169 0x76bc6829 C:\Windows\System32\user32.dll 16 ntdll.dll KiUserCallbackDispatcher + 0x1f 0x76e21225 C:\Windows\System32\ntdll.dll 17 ntoskrnl.exe KeUserModeCallback + 0xe6 0xfffff80002f6db66 C:\Windows\system32\ntoskrnl.exe 18 win32k.sys memset + 0xa63e 0xfffff9600016f45e C:\Windows\System32\win32k.sys 19 win32k.sys memset + 0x73cb 0xfffff9600016c1eb C:\Windows\System32\win32k.sys 20 win32k.sys memset + 0x6c73 0xfffff9600016ba93 C:\Windows\System32\win32k.sys 21 win32k.sys EngFntCacheLookUp + 0x1771c 0xfffff960001241d8 C:\Windows\System32\win32k.sys 22 win32k.sys EngSetLastError + 0x7f 0xfffff96000143c6f C:\Windows\System32\win32k.sys 23 win32k.sys EngSetLastError + 0xd4a2 0xfffff96000151092 C:\Windows\System32\win32k.sys 24 ntoskrnl.exe KeSynchronizeExecution + 0x3a43 0xfffff80002c80ed3 C:\Windows\system32\ntoskrnl.exe 25 user32.dll IsDialogMessageW + 0x19a 0x76bc685a C:\Windows\System32\user32.dll 26 user32.dll GetWindowLongPtrA + 0x78 0x76bc3838 C:\Windows\System32\user32.dll 27 user32.dll SendMessageW + 0x5d 0x76bc6bad C:\Windows\System32\user32.dll 28 <unknown> 0x13f8b98a4 0x13f8b98a4 29 <unknown> 0x13f8d8f67 0x13f8d8f67 30 kernel32.dll BaseThreadInitThunk + 0xd 0x76cc652d C:\Windows\System32\kernel32.dll 31 ntdll.dll RtlUserThreadStart + 0x21 0x76dfc521 C:\Windows\System32\ntdll.dll This system is infected with the infamous GPU hypervisor malware as seen in the malware forum here. I need to know if others see these <unknown> Stack entries, seen ONLY in System ThreadCreate events. This will tell me a lot.