Ok, so Windows XP SP3 is out.
With this new version:
whosthere-alt.exe still works without requiring any modifications.
whosthere.exe does not work because this is the more ‘gentle’ and ‘stealth’ 🙂 version of the tool and requires precise memory addresses.
But that’s why I released the passthehash.idc IDA script; so you can easily get these addresses yourself.
And that’s also the reason why the new version of whosthere.exe has a new -a switch that allows you to use specify these addresses without having to recompile the tool.
This new version is going to be released soon, but if you want it right now, email me (please, try to email me if you REALLY need it :)).
I haven’t tested iam/iam-alt but the same thing observed with whosthere/whosthere-alt should apply to these tools.
In case you were wondering, the new addresses you need for Windows XP SP3 English are:
whosthere -a 75753BA0:7573FDEC:757D0C98:757D0CA0:757CFC60:757CFE54