识别GDR和LDR SOS.dll和mscordacwks.dll
[英]Identify GDR and LDR SOS.dll and mscordacwks.dll
问题描述
For the first time I have noticed that one of the mscordacwks DLLs in my collection is different (SVN told me). 
我第一次注意到我的收藏夹中的一个mscordacwks DLL是不同的(SVN告诉我)。 As I did some research I figured out that there are LDR versions and GDR versions of those DLLs. 经过研究,我发现这些DLL有LDR版本和GDR版本。
For the files in question I noticed that one of them is not digitally signed, but the other one is (by Microsoft luckily). 对于有问题的文件,我注意到其中一个不是经过数字签名的,而另一个是(通过Microsoft幸运的)。
So now I have the following questions: 所以现在我有以下问题:
- If I have an LDR and a GDR version, how do I figure out which one is which? 如果我有LDR和GDR版本,如何确定哪个是哪个?
- Are both, GDR and LDR version of the DLL, signed by Microsoft? DLL的GDR和LDR版本都由Microsoft签名吗?
- Since one of them isn't signed, could someone inject malicious code into mscordacwks.dll which then gets executed on my machine with debugging privileges when I use it in WinDbg? 由于其中之一未签名,有人可以将恶意代码注入mscordacwks.dll,然后在WinDbg中使用它时以调试特权在我的计算机上执行该代码吗?
I'll try to find out where I got the unsigned DLL from. 我将尝试找出从何处获得未签名的DLL。 It is quite likely that I downloaded it from some some more or less dubious website when I needed that particular version. 当我需要特定版本时,很可能是从一些或多或少可疑的网站下载了该版本。
FYI: the VirusTotal analysis did not reveal any viruses. 仅供参考: VirusTotal分析未发现任何病毒。
1 个解决方案
解决方案1
-1 已采纳 2014-10-22 20:56:35
Thanks to the help in the comments I can summarize: 感谢评论中的帮助,我可以总结一下:
Digital signatures 数字签名
According to Hans Passant, all Microsoft DLLs should be signed, so we have to be careful with unsigned ones. 根据Hans Passant的说法,所有Microsoft DLL应该都已签名,因此我们必须谨慎对待未签名的DLL。
Unfortunately this statement is not 100% true which I verified for the Mscordacwks.dll 2.0.50727.312 and SOS.dll 2.0.50727.312. 不幸的是,我对Mscordacwks.dll 2.0.50727.312和SOS.dll 2.0.50727.312进行了验证,但该陈述并非100%正确。 Microsoft has shipped that version with Windows Vista. Microsoft已随Windows Vista发行该版本。 I tried that by installing Windows Vista from scratch. 我尝试从头开始安装Windows Vista。
This is the output of sigcheck -h on the DLL which come with Windows Vista: 这是Windows Vista附带的DLL上sigcheck -h的输出:
Verified: Unsigned
Link date: 09:05 19.10.2006
Publisher: Microsoft Corporation
Description: Microsoft .NET External Data Access Support
Product: Microsoft« .NET Framework
Prod version: 2.0.50727.312
File version: 2.0.50727.312 (rtmLHS.050727-3100)
MachineType: 32-bit
MD5: 9252D83D169E84A442BB154A79AC2189
SHA1: 63464F337295D689384BAA514F260C54D06291C6
PESHA1: 99D57B38C554FFD4BEC6E6C2FAD7F77B980CB47B
PE256: EF387EF84028497D5F7D231ED3A6F5FB05C02D96BD3B0E470C6BEBFAD6942AC8
SHA256: 5ADB79D39FC8401CB9542B571EEEC82CAFCADAE2F26997C789E14EC8E9635C08
And also see the detailed information from VirusTotal which has the same hash codes. 还可以从VirusTotal查看具有相同哈希码的详细信息。 Please note the fact that the website is a bit misleading by listing "Authenticode signature block". 请注意,由于列出了“ Authenticode签名块”,该网站存在误导性。 In fact that is just the version information of the file. 实际上,这只是文件的版本信息。 The most important line labelled "Signature verification: Signed file, verified signature" is missing for this DLL. 此DLL缺少标记为“签名验证:签名的文件,已验证的签名”的最重要的行。
This is how it should look like if the file was really signed: 如果文件已真正签名,这应该是这样:
The output of sigcheck and Windows Explorer also show that that the file is not signed : sigcheck和Windows资源管理器的输出还显示该文件未签名 :
Verified: Unsigned
Link date: 09:05 19.10.2006
Publisher: Microsoft Corporation
Description: Microsoft .NET External Data Access Support
Product: Microsoft« .NET Framework
Prod version: 2.0.50727.312
File version: 2.0.50727.312 (rtmLHS.050727-3100)
MachineType: 32-bit
Screenshot of Windows Explorer where the file does not have a digital signatures tab: Windows资源管理器的屏幕快照,其中该文件没有数字签名选项卡:
At the end of the VirusTotal report, you find a statement by NIST (National Institute of Standards and Technology) which says that the file is delivered with Windows Vista Ultimate and that it seems to be safe. 在VirusTotal报告的末尾,您可以找到NIST(美国国家标准技术研究院)的声明,该声明说该文件与Windows Vista Ultimate一起提供,并且看起来很安全。 This is the website I am being led to after I uploaded an unsigned version. 上传未签名的版本后,这是我要转到的网站。
Distinguishing GDR and LDR versions 区分GDR和LDR版本
The SysInternals sigcheck tool displays more information on the version number than Windows Explorer. 与Windows资源管理器相比, SysInternals sigcheck工具在版本号上显示更多信息。 If it includes "GDR", it is a GDR version. 如果包含“ GDR”,则为GDR版本。 If it does not contain GDR, it is an LDR version. 如果不包含GDR,则为LDR版本。
To get a string for comparison in C#, you can use the following code: 要在C#中获取要比较的字符串,可以使用以下代码:
var versionInfo = FileVersionInfo.GetVersionInfo(fullFileName);
var fileVersion = versionInfo.FileVersion;
Affected versions 受影响的版本
I checked all my DLLs for signatures and found more unsigned DLLs than expected. 我检查了所有DLL的签名,发现未签名的DLL超出了预期。 However, most files have already been scanned on VirusTotal before. 但是,大多数文件之前已经在VirusTotal上进行了扫描。 However, none of these versions has a NIST entry . 但是, 这些版本都没有NIST条目 。
- x86 SOS 1.1.4322.2032 VirusTotal x86 SOS 1.1.4322.2032病毒总数
- x86 SOS 2.0.50767.312 VirusTotal 86 SOS 2.0.50767.312 VirusTotal
- x86 Mscordacwks 2.0.50767.312 VirusTotal 86 Mscordacwks 2.0.50767.312 VirusTotal
- x86 Mscordacwks 2.0.50767.3603 VirusTotal 86 Mscordacwks 2.0.50767.3603 VirusTotal
- x86 Mscordacwks 2.0.50727.3623 VirusTotal x86 Mscordacwks 2.0.50727.3623 病毒总计
- x64 SOS 2.0.50767.3074 VirusTotal 64 SOS 2.0.50767.3074 VirusTotal
- x64 Mscordacwks 4.0.30319.1008 VirusTotal x64 Mscordacwks 4.0.30319.1008病毒总数
Malicious code injection 恶意代码注入
As stated by Jeroen Mostert, the DLLMain entry point will be executed, therefore there is the possibility of malicious code injection. 如Jeroen Mostert所述,DLLMain入口点将被执行,因此存在恶意代码注入的可能性。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.