AppCertDlls:病毒导致 Win32 上的进程创建速度减慢 [英] AppCertDlls: Process creation slowdown on Win32 caused by virus
问题描述
大约两个月以来,我一直在享受 Windows XP Home SP3 上严重的进程创建惩罚.这个问题在创建大量进程的任务中最为明显和恼人,例如 shell 脚本(顺便说一句,Cygwin 上的 bash 脚本)、Makefiles 或解压 IzPack 包,例如 SpringSource Tool Suite 安装程序(许多单独的 unpack200.exe JAR 提取器进程).我确定这是通过观察 bash 脚本诊断输出或观察任务管理器中出现的进程创建的进程.一旦进程启动并运行,就没有明显的延迟.
我已经在 Cygwin 邮件列表上报告了这个问题,因为我最初错误地认为只有 Cygwin 受到影响,怀疑 Cygwin DLL 中存在错误,或者诸如此类.
Win32 (XP Home) 更新后速度变慢 - (链接到我的帖子到 Cygwin 列表)
我想知道是否有什么东西在进程创建钩子中安装了一些垃圾,我认为 Windows 上可能存在这个钩子.(与 Java 中的安全管理器.)病毒还是安全软件?我也没有自觉安装.我还怀疑是 Microsoft 更新故障,但我认为他们现在应该已经修复了.
据我所知,Win32 上的进程是由 CreateProcess 创建的.
我怎样才能找出为什么流程创建需要这么长时间以及这里到底发生了什么?是否有类似 strace 的 Linux 工具,或者甚至更好的工具?
非常感谢 Luke 为我指明了正确的方向.Procmon 是一个很棒的工具.从字面上看,系统内部的一个新世界为我打开了.通过设置过滤器以包含 Cygwin bash.exe 的 parent process ID = WINPID,然后只监视单个 ls 命令,很快就找到了罪魁祸首.这是一个挂在名为 AppCertDlls 的注册表项中的恶意软件,我之前当然完全不知道.
一旦我将恶意软件 clipmote.dll 移出 system32,进程创建速度立即恢复正常.
我猜我是通过安装有毒的免费软件感染了这种病毒.
我花了一些时间调查这个问题,发现它既可怕又有趣,所以这是我的发现,当然我会感谢所有其他信息或您可能提出的任何意见.
恶意软件 DLL 被加载到每个用户进程中,甚至是 Explorer、taskmgr 和 procmon 本身.只有 SYSTEM 下的进程(如 procexp.exe 中所列)似乎未受感染.
这里的问题是 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls 被检查(至少在我的系统上,但可能在许多系统上,甚至可能在默认情况下)加载DLL 可以通过从对它们调用的函数返回值来决定是否允许运行某些二进制文件:
NTSTATUS STDCALL CreateProcessNotify (LPCWSTR lpApplicationName, ULONG Reason);事实上,我在该键下有一个名为 sethdown 的条目,但名称可以是任何.
RegEnumValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls指数:0名称:塞思唐类型:REG_SZ长度:66数据:C:\WINDOWS\system32\clipmote.dll从网上发现的报告中我得出结论,AppCertDlls 钩子是 Windows 操作系统的常规部分,而不是一些流氓扩展.如果是这样,它就是一个病毒入口点,因为它允许将恶意软件动态配置到进程中.
看起来它实际上 - 并且具有讽刺意味 - 意味着成为一项安全功能,与 JVM 中的安全管理器没有什么不同(请参阅我的原始问题).一个名为 appsec.exe 的 Microsoft 实用程序被报告使用此密钥.然后在加载的安全"DLL 上调用的函数是 CreateProcessNotify,如上所述.根据我的理解,假设只是说是或否 - 但它可以为所欲为.
在我的例子和我分析的运行 ls.exe 的单个实例中,它创建了五个线程.它们加载或尝试加载其他 DLL 并与注册表交互.谁知道还有什么.
如果有人更了解这种危险的机制,我会全力以赴.
这是我在 AppCertDlls 上找到的:
早在 01/2007 (Re5: Блокировка запуска прилоa
Sysinternals 论坛 (Autoruns) 上报告的 AppCertDlls,10/2007
关于 AppCertDlls - 提及 01/2008 病毒><块引用>
但微软本身广泛使用这个功能,确切地说,它实际上是被认为是一次性"的事情.仅用于将其用作限制可以运行的应用程序终端服务器 2000. -- Andrew Worobow
有关 AppCertDlls 密钥和 CreateProcessNotify 的更多详细信息,01/2008
恶意软件试图窃取银行账户信息(显然还有钱),但它也可能被配置为做其他事情.HKEY_CURRENT_USER\Software\AppDataLow\{some GUID here} 下还有其他注册表项.当我在做网上银行时,它一定做了一些屏幕抓取;它知道使用了 TAN.我记得我曾经有过我的银行被黑客入侵的印象,当时我在登录前不久或(可能)登录后看到一个屏幕,一次要求大约 20 个 TAN.WTF,我想,浏览器获取了错误的 URL,我关闭了窗口.我应该更关心.我不会认为整个问题如此危险.幸运的是,没有损坏.只是运气好,我猜.
这是我在病毒中发现的重要字符串列表:
client.dllEAPSFILT.dllKERNEL32.dll
我认为前两个可能是它尝试加载的其他病毒库.
_aullshrCompareStringACreateEventACreateFileACreateFileMappingACreateProcessNotifyCtfImmIsCiceroStartedInThreadCtfImmTIMActivateDllCleanupServerDllStartupServerExitProcessGetThreadContextImmDisableImeImmDisableIMEImmGetConversionListAImmGetVirtualKeyImmRegisterWordAImmSetCandidateWindowInterlockedExchangeAddiswlowerlstrcmpAMapViewOfFilememsetOpenThread读取文件RealDriveTypeRegenerateUserEnvironmentRestartDialogSetFilePointer睡眠strchrTerminateThreadUnmapViewOfFilevDbgPrintExWithPrefixVirtualQueryExWaitForMultipleObjects
Cicero 函数对我来说看起来很糟糕,但它是Windows IMM32 API 客户端库"C:\WINDOWS\system32\imm32.dll 的一部分 -不管那是什么.
我运行了 sfc.exe,Microsoft 的系统文件检查器".将对我的程序文件进行更多检查.并获得病毒扫描程序.欢迎提出建议.
I've been enjoying a hefty process creation penalty on my Windows XP Home SP3 for about two months. The problem is most manifest and annoying with tasks that do create lots of processes, such as shell scripts (incidentally, bash scripts on Cygwin), Makefiles, or unpacking an IzPack package such as the SpringSource Tool Suite installer (lots of separate unpack200.exe JAR extractor processes). I'm sure it's process creation from observing bash script diagnostic output, or watching processes appear in task manager. There is no noticeable delay once a process is up and running.
I've reported that problem on the Cygwin mailing list as I initially and erroneously thought only Cygwin was affected, suspecting a bug in the Cygwin DLL, or whatnot.
Slowdown after update on Win32 (XP Home) - (link to my post to the Cygwin list)
I'm wondering whether something has installed some crap into a process creation hook which I presume might exist on Windows. (As with the security manager in Java.) A virus, or security software? I haven't consciously installed either. I also suspected a Microsoft update glitch, but I think they would have fixed that by now.
As far as I know, processes on Win32 are created by CreateProcess.
How can I find out why process creation takes so long and what exactly is going on here? Is there something like strace for Linux, or possibly even something better?
Many thanks to Luke for pointing me in the right direction. Procmon is a fantastic tool. Literally, a new world inside the system opened up for me. And the culprit was quickly found by setting a filter to include parent process ID = WINPID of a Cygwin bash.exe and then just monitoring a single ls command. It was malware hooked into a registry key named AppCertDlls, of which I was of course totally unaware before.
Once I moved the malware clipmote.dll out of system32, process creation speed was immediately back to normal.
I guess I contracted this virus by installing poisoned freeware.
I spent some time investigating this issue and found it both scary and interesting, so here's what I've found, and of course I'll be thankful for all additional information or any comments you might have.
The malware DLL was loaded in every single user process, even Explorer, taskmgr, and procmon itself. Only processes under SYSTEM (as listed in in procexp.exe) appear to have remained uninfected.
The issue here is that HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls is checked (at least on my system, but possibly on many systems, and probably even by default) to load DLLs which may have a say over whether or not some binary is allowed to run or not by returning a value from a function that is called on them:
NTSTATUS STDCALL CreateProcessNotify (LPCWSTR lpApplicationName, ULONG Reason);
In fact, I had an entry under that key called sethdown, but the name could be anything.
RegEnumValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
Index: 0
Name: sethdown
Type: REG_SZ
Length: 66
Data: C:\WINDOWS\system32\clipmote.dll
From reports found on the net I conclude that the AppCertDlls hook is a regular part of the Windows operating system, and not some rogue extension. If that is so, it's a virus entry point, as it allows to dynamically configure malware into a process.
Looks like it is actually - and ironically - meant to be a security feature, not dissimilar to the security manger in the JVM (see my original question). A Microsoft utility called appsec.exe is reported to use this key. The function that is then called on the "security" DLL that is loaded is CreateProcessNotify, as quoted above. From what I've understood, it is assumed to just say yes or no - but it can do whatever it wants.
In my case and the single instance of running ls.exe that I analysed, it created five threads. They load or try to load other DLLs and interact with the registry. And who knows what else.
If anyone knows more about this dangerous mechanism, I'm all ears.
Here's what I found on AppCertDlls:
early mention in 01/2007 (Re5: Блокировка запуска приложений)
AppCertDlls reported on Sysinternals forum (Autoruns), 10/2007
About AppCertDlls - virus mentioned 01/2008
But Microsoft itself widely use this feature, exactly, it was in fact conceived as the "one-time" thing. Only for use it as - way to limit the applications that can be run under the terminal server 2000. -- Andrew Worobow
more details on the AppCertDlls key and CreateProcessNotify, 01/2008
06/2010 infection report providing some details
The malware tried to steal bank account information (and money, obviously), but it could possibly be configured to do other things, too. There were additional registry entries under HKEY_CURRENT_USER\Software\AppDataLow\{some GUID here}. It must have done some screen scraping while I was doing online banking; it knew used TANs. I remember I once I had the impression my bank was hacked when shortly before or (probably) after login I saw a screen asking for about twenty TANs at once. WTF, I thought, the browser got the wrong URL, and I closed the window. I should have be more concerned. I wouldn't have thought the whole issue to be so dangerous. Fortunately, no damage. Just lucky, I guess.
Here's a list of the significant-looking strings I found inside the virus:
client.dllEAPSFILT.dllKERNEL32.dll
I think the first two might be other virus libraries it tries to load.
_aullshrCompareStringACreateEventACreateFileACreateFileMappingACreateProcessNotifyCtfImmIsCiceroStartedInThreadCtfImmTIMActivateDllCleanupServerDllStartupServerExitProcessGetThreadContextImmDisableImeImmDisableIMEImmGetConversionListAImmGetVirtualKeyImmRegisterWordAImmSetCandidateWindowInterlockedExchangeAddiswlowerlstrcmpAMapViewOfFilememsetOpenThreadReadFileRealDriveTypeRegenerateUserEnvironmentRestartDialogSetFilePointerSleepstrchrTerminateThreadUnmapViewOfFilevDbgPrintExWithPrefixVirtualQueryExWaitForMultipleObjects
The Cicero function looked rogue to me, but it is part of C:\WINDOWS\system32\imm32.dll, the "Windows IMM32 API Client Library" - whatever that is.
I ran sfc.exe, Microsoft's "System File Checker". Will do more checking on my program files. And get a virus scanner. Recommendations welcome.
这篇关于AppCertDlls:病毒导致 Win32 上的进程创建速度减慢的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
