
AppCertDlls: Process creation slowdown on Win32 caused by virus

I've been enjoying a hefty process creation penalty on my Windows XP Home SP3 for about two months. The problem is most manifest and annoying with tasks that do create lots of processes, such as shell scripts (incidentally, bash scripts on Cygwin), Makefiles, or unpacking an IzPack package such as the SpringSource Tool Suite installer (lots of separate unpack200.exe JAR extractor processes). I'm sure it's process creation from observing bash script diagnostic output, or watching processes appear in task manager. There is no noticeable delay once a process is up and running.

I've reported that problem on the Cygwin mailing list as I initially and erroneously thought only Cygwin was affected, suspecting a bug in the Cygwin DLL, or whatnot.

Slowdown after update on Win32 (XP Home) - (link to my post to the Cygwin list)

I'm wondering whether something has installed some crap into a process creation hook which I presume might exist on Windows. (As with the security manager in Java.) A virus, or security software? I haven't consciously installed either. I also suspected a Microsoft update glitch, but I think they would have fixed that by now.

As far as I know, processes on Win32 are created by CreateProcess.

How can I find out why process creation takes so long and what exactly is going on here? Is there something like strace for Linux, or possibly even something better?

Many thanks to Luke for pointing me in the right direction. Procmon is a fantastic tool. Literally, a new world inside the system opened up for me. And the culprit was quickly found by setting a filter to include parent process ID = WINPID of a Cygwin bash.exe and then just monitoring a single ls command. It was malware hooked into a registry key named AppCertDlls, of which I was of course totally unaware before.

Once I moved the malware clipmote.dll out of system32, process creation speed was immediately back to normal.

I guess I contracted this virus by installing poisoned freeware.

I spent some time investigating this issue and found it both scary and interesting, so here's what I've found, and of course I'll be thankful for all additional information or any comments you might have.

The malware DLL was loaded in every single user process, even Explorer, taskmgr, and procmon itself. Only processes under SYSTEM (as listed in procexp.exe) appear to have remained uninfected.

The issue here is that HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls is checked (at least on my system, but possibly on many systems, and probably even by default) to load DLLs which may have a say over whether or not some binary is allowed to run, by returning a value from a function that is called on them:

NTSTATUS STDCALL CreateProcessNotify (LPCWSTR lpApplicationName, ULONG Reason); 

In fact, I had an entry under that key called sethdown, but the name could be anything.

RegEnumValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls

Index:  0
Name:   sethdown
Type:   REG_SZ
Length: 66
Data:   C:\WINDOWS\system32\clipmote.dll

From reports found on the net I conclude that the AppCertDlls hook is a regular part of the Windows operating system, and not some rogue extension. If that is so, it's a virus entry point, as it allows malware to be dynamically configured into a process.

Looks like it is actually - and ironically - meant to be a security feature, not dissimilar to the security manager in the JVM (see my original question). A Microsoft utility called appsec.exe is reported to use this key. The function that is then called on the "security" DLL that is loaded is CreateProcessNotify, as quoted above. From what I've understood, it is assumed to just say yes or no - but it can do whatever it wants.

In my case and the single instance of running ls.exe that I analysed, it created five threads. They load or try to load other DLLs and interact with the registry. And who knows what else.

If anyone knows more about this dangerous mechanism, I'm all ears.

Here's what I found on AppCertDlls:

early mention in 01/2007 (Re 5: Блокировка запуска приложений, "Blocking application launch")

AppCertDlls reported on Sysinternals forum (Autoruns), 10/2007

About AppCertDlls - virus mentioned 01/2008

But Microsoft itself widely uses this feature, exactly, it was in fact conceived as the "one-time" thing. Only for use it as - way to limit the applications that can be run under the terminal server 2000. -- Andrew Worobow

more details on the AppCertDlls key and CreateProcessNotify, 01/2008

06/2010 infection report providing some details

The malware tried to steal bank account information (and money, obviously), but it could possibly be configured to do other things, too. There were additional registry entries under HKEY_CURRENT_USER\Software\AppDataLow\{some GUID here}. It must have done some screen scraping while I was doing online banking; it knew the used TANs. I remember once I had the impression my bank was hacked when shortly before or (probably) after login I saw a screen asking for about twenty TANs at once. WTF, I thought, the browser got the wrong URL, and I closed the window. I should have been more concerned. I wouldn't have thought the whole issue to be so dangerous. Fortunately, no damage. Just lucky, I guess.

Here's a list of the significant-looking strings I found inside the virus:

  • client.dll
  • EAPSFILT.dll
  • KERNEL32.dll

I think the first two might be other virus libraries it tries to load.

  • _aullshr
  • CompareStringA
  • CreateEventA
  • CreateFileA
  • CreateFileMappingA
  • CreateProcessNotify
  • CtfImmIsCiceroStartedInThread
  • CtfImmTIMActivate
  • DllCleanupServer
  • DllStartupServer
  • ExitProcess
  • GetThreadContext
  • ImmDisableIme
  • ImmDisableIME
  • ImmGetConversionListA
  • ImmGetVirtualKey
  • ImmRegisterWordA
  • ImmSetCandidateWindow
  • InterlockedExchangeAdd
  • iswlower
  • lstrcmpA
  • MapViewOfFile
  • memset
  • OpenThread
  • ReadFile
  • RealDriveType
  • RegenerateUserEnvironment
  • RestartDialog
  • SetFilePointer
  • Sleep
  • strchr
  • TerminateThread
  • UnmapViewOfFile
  • vDbgPrintExWithPrefix
  • VirtualQueryEx
  • WaitForMultipleObjects

The Cicero function looked rogue to me, but it is part of C:\WINDOWS\system32\imm32.dll, the "Windows IMM32 API Client Library" - whatever that is.

I ran sfc.exe, Microsoft's "System File Checker". Will do more checking on my program files. And get a virus scanner. Recommendations welcome.
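The post above finds the hook by reading one registry key and checking which DLL it points at. The following PowerShell script is an added example (not from the original post, and not a Microsoft tool) that automates that audit on a current Windows system: it enumerates every value under the AppCertDlls key the post names, and for each DLL path reports whether the file exists on disk, its Authenticode signature status and its SHA-256 hash. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash); the key path is the one given in the post, and the function name Get-AppCertDllEntries is this example's own.

```powershell
# Added example: audit the AppCertDlls process-creation hook described in the post.
# Assumptions: elevated PowerShell 4.0+ on Windows; key path as quoted in the post.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntries {
    # On a clean workstation this key normally does not exist at all; its mere
    # presence is worth a look, and any unsigned or missing DLL is a red flag.
    if (-not (Test-Path -LiteralPath $AppCertKey)) {
        Write-Output "No AppCertDlls key present: no process-creation DLLs are registered."
        return
    }

    $key = Get-Item -LiteralPath $AppCertKey
    foreach ($name in $key.GetValueNames()) {
        $dllPath = [string]$key.GetValue($name)
        $onDisk  = Test-Path -LiteralPath $dllPath -PathType Leaf

        $sigStatus = 'N/A (file missing)'
        $sha256    = 'N/A (file missing)'
        if ($onDisk) {
            # Signature status is 'Valid' for a properly signed binary; malware dropped
            # into system32, like the clipmote.dll in the post, is typically 'NotSigned'.
            $sigStatus = (Get-AuthenticodeSignature -FilePath $dllPath).Status
            $sha256    = (Get-FileHash -LiteralPath $dllPath -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            ValueName = $name        # e.g. 'sethdown' in the post; arbitrary name
            DllPath   = $dllPath     # DLL that every new user process will load
            OnDisk    = $onDisk
            Signature = $sigStatus
            SHA256    = $sha256
        }
    }
}

# Usage: print the audit table; pipe to Export-Csv for a baseline you can diff later.
Get-AppCertDllEntries | Format-Table -AutoSize
```

Run it once on a known-clean build to record a baseline, then compare later runs against it; a new value name, a changed hash, or a DLL whose signature is not Valid is the condition the post describes and deserves the same Procmon investigation the author performed before anything is removed.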
