AppCertDlls: virus slowing down process creation on Win32

Published 2024-10-06 04:57:00, 916 words, 8 views, 0 comments


I've been enjoying a hefty process creation penalty on my Windows XP Home SP3 for about two months. The problem is most manifest and annoying with tasks that do create lots of processes, such as shell scripts (incidentally, bash scripts on Cygwin), Makefiles, or unpacking an IzPack package such as the SpringSource Tool Suite installer (lots of separate unpack200.exe JAR extractor processes). I'm sure it's process creation from observing bash script diagnostic output, or watching processes appear in task manager. There is no noticeable delay once a process is up and running.

I've reported that problem on the Cygwin mailing list as I initially and erroneously thought only Cygwin was affected, suspecting a bug in the Cygwin DLL, or whatnot.

Slowdown after update on Win32 (XP Home) - (link to my post to the Cygwin list)

I'm wondering whether something has installed some crap into a process creation hook which I presume might exist on Windows. (As with the security manager in Java.) A virus, or security software? I haven't consciously installed either. I also suspected a Microsoft update glitch, but I think they would have fixed that by now.

As far as I know, processes on Win32 are created by CreateProcess.

How can I find out why process creation takes so long and what exactly is going on here? Is there something like strace for Linux, or possibly even something better?
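A first-pass check that can be typed in before reaching for Procmon, as an added example that is not part of the original question or its answer. It assumes PowerShell on a current Windows machine; the spawn count, the child command and the "not signed by Microsoft" criterion are choices made for illustration. The child is deliberately a cmd.exe that itself spawns a grandchild, so any DLL that Windows injects at CreateProcess time (the kind of process-creation hook the question suspects) is loaded into it and shows up in its module list.

```powershell
# Added example, not from the original post. Two checks for a slow CreateProcess:
# (1) measure wall-clock time per trivial spawn, (2) start a throw-away child that
# spawns a grandchild and list every module in it that is not Microsoft-signed.

function Measure-SpawnLatency {
    param([int]$Count = 20)   # assumption: 20 spawns is enough to see a penalty
    $cmd = "$env:SystemRoot\System32\cmd.exe"
    $times = foreach ($i in 1..$Count) {
        (Measure-Command {
            Start-Process -FilePath $cmd -ArgumentList '/c exit' -Wait -WindowStyle Hidden
        }).TotalMilliseconds
    }
    [pscustomobject]@{
        Spawns = $Count
        AvgMs  = [math]::Round(($times | Measure-Object -Average).Average, 1)
        MaxMs  = [math]::Round(($times | Measure-Object -Maximum).Maximum, 1)
    }
}

function Get-ForeignModules {
    # cmd /c ping ... keeps the child alive ~15 s and forces it to call CreateProcess,
    # so a process-creation hook DLL would be mapped into it before we look.
    $cmd = "$env:SystemRoot\System32\cmd.exe"
    $child = Start-Process -FilePath $cmd -ArgumentList '/c ping -n 16 127.0.0.1 >nul' `
                           -PassThru -WindowStyle Hidden
    try {
        Start-Sleep -Milliseconds 500          # let the loader finish
        $child.Refresh()
        foreach ($m in $child.Modules) {
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Report anything not validly signed by Microsoft; a human decides what is legitimate.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Module = $m.FileName
                    Status = $sig.Status
                    Signer = $signer
                }
            }
        }
    } finally {
        Stop-Process -Id $child.Id -Force -ErrorAction SilentlyContinue
    }
}

Measure-SpawnLatency
Get-ForeignModules | Format-Table -AutoSize
```

A per-spawn average in the hundreds of milliseconds for `cmd /c exit` is the symptom the question describes. Get-AuthenticodeSignature validates catalog-signed OS binaries on modern Windows, so on a clean machine the second list is normally empty or contains only third-party security software you recognise; an unrecognised DLL under System32 in that list is exactly what Procmon would then be used to trace back to its loader.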


Comments (1)

很酷不放纵 2024-10-13 04:57:00


Many thanks to Luke for pointing me in the right direction. Procmon is a fantastic tool. Literally, a new world inside the system opened up for me. And the culprit was quickly found by setting a filter to include parent process ID = WINPID of a Cygwin bash.exe and then just monitoring a single ls command. It was malware hooked into a registry key named AppCertDlls, of which I was of course totally unaware before.

Once I moved the malware clipmote.dll out of system32, process creation speed was immediately back to normal.

I guess I contracted this virus by installing poisoned freeware.

I spent some time investigating this issue and found it both scary and interesting, so here's what I've found, and of course I'll be thankful for all additional information or any comments you might have.

The malware DLL was loaded in every single user process, even Explorer, taskmgr, and procmon itself. Only processes under SYSTEM (as listed in procexp.exe) appear to have remained uninfected.

The issue here is that HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls is checked (at least on my system, but possibly on many systems, and probably even by default) to load DLLs which may have a say over whether or not some binary is allowed to run, by returning a value from a function that is called on them:

NTSTATUS STDCALL CreateProcessNotify (LPCWSTR lpApplicationName, ULONG Reason); 

In fact, I had an entry under that key called sethdown, but the name could be anything.

RegEnumValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls

Index:  0
Name:   sethdown
Type:   REG_SZ
Length: 66
Data:   C:\WINDOWS\system32\clipmote.dll

From reports found on the net I conclude that the AppCertDlls hook is a regular part of the Windows operating system, and not some rogue extension. If that is so, it's a virus entry point, as it allows malware to be dynamically configured into a process.

Looks like it is actually - and ironically - meant to be a security feature, not dissimilar to the security manager in the JVM (see my original question). A Microsoft utility called appsec.exe is reported to use this key. The function that is then called on the "security" DLL that is loaded is CreateProcessNotify, as quoted above. From what I've understood, it is assumed to just say yes or no - but it can do whatever it wants.

In my case and the single instance of running ls.exe that I analysed, it created five threads. They load or try to load other DLLs and interact with the registry. And who knows what else.

If anyone knows more about this dangerous mechanism, I'm all ears.

Here's what I found on AppCertDlls:

early mention in 01/2007 (Re5: Блокировка запуска приложений, "Blocking application launch")

AppCertDlls reported on Sysinternals forum (Autoruns), 10/2007

About AppCertDlls - virus mentioned 01/2008

But Microsoft itself widely uses this feature; exactly, it was in fact conceived as a "one-time" thing, only for use as a way to limit the applications that can be run under Terminal Server 2000. -- Andrew Worobow

more details on the AppCertDlls key and CreateProcessNotify, 01/2008

06/2010 infection report providing some details

The malware tried to steal bank account information (and money, obviously), but it could possibly be configured to do other things, too. There were additional registry entries under HKEY_CURRENT_USER\Software\AppDataLow\{some GUID here}. It must have done some screen scraping while I was doing online banking; it knew which TANs had been used. I remember once I had the impression my bank was hacked when shortly before or (probably) after login I saw a screen asking for about twenty TANs at once. WTF, I thought, the browser got the wrong URL, and I closed the window. I should have been more concerned. I wouldn't have thought the whole issue to be so dangerous. Fortunately, no damage. Just lucky, I guess.

Here's a list of the significant-looking strings I found inside the virus:

  • client.dll
  • EAPSFILT.dll
  • KERNEL32.dll

I think the first two might be other virus libraries it tries to load.

  • _aullshr
  • CompareStringA
  • CreateEventA
  • CreateFileA
  • CreateFileMappingA
  • CreateProcessNotify
  • CtfImmIsCiceroStartedInThread
  • CtfImmTIMActivate
  • DllCleanupServer
  • DllStartupServer
  • ExitProcess
  • GetThreadContext
  • ImmDisableIme
  • ImmDisableIME
  • ImmGetConversionListA
  • ImmGetVirtualKey
  • ImmRegisterWordA
  • ImmSetCandidateWindow
  • InterlockedExchangeAdd
  • iswlower
  • lstrcmpA
  • MapViewOfFile
  • memset
  • OpenThread
  • ReadFile
  • RealDriveType
  • RegenerateUserEnvironment
  • RestartDialog
  • SetFilePointer
  • Sleep
  • strchr
  • TerminateThread
  • UnmapViewOfFile
  • vDbgPrintExWithPrefix
  • VirtualQueryEx
  • WaitForMultipleObjects

The Cicero function looked rogue to me, but it is part of C:\WINDOWS\system32\imm32.dll, the "Windows IMM32 API Client Library" - whatever that is.

I ran sfc.exe, Microsoft's "System File Checker". Will do more checking on my program files. And get a virus scanner. Recommendations welcome.
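The enumeration the answer did by hand with RegEnumValue, written up as an audit script. This is an added example, not code from the original answer, and it assumes PowerShell running elevated on a current Windows machine; the "Suspicious" rule (file missing, signature not valid, or signer not Microsoft) is a choice made here for illustration, and the answer's own finding (value `sethdown` pointing at `C:\WINDOWS\system32\clipmote.dll`) is the kind of entry it is meant to surface.

```powershell
# Added example, not from the original answer. Audits every value under the
# AppCertDlls key the answer describes. On a clean workstation the key is
# normally absent or empty, so anything listed deserves a decision.

$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllAudit {
    param([string]$Key = $AppCertKey)

    if (-not (Test-Path -LiteralPath $Key)) {
        Write-Verbose "$Key does not exist (normal on a clean system)"
        return
    }

    $item = Get-Item -LiteralPath $Key
    foreach ($name in $item.GetValueNames()) {
        # Value data is the DLL path (REG_SZ in the answer's dump); expand %VARS% just in case.
        $path   = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        $exists = Test-Path -LiteralPath $path -PathType Leaf

        $hash = $null; $created = $null; $status = 'FileMissing'; $signer = '<missing file>'; $hasExport = $false
        if ($exists) {
            $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $created = (Get-Item -LiteralPath $path).CreationTime
            $sig     = Get-AuthenticodeSignature -LiteralPath $path
            $status  = $sig.Status
            $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # The loader resolves CreateProcessNotify by name, so the export name must be
            # present as plain ASCII in the PE export table; its absence means the DLL
            # cannot be a working AppCert DLL at all (the answer found it in its strings dump).
            $bytes     = [IO.File]::ReadAllBytes($path)
            $hasExport = [Text.Encoding]::ASCII.GetString($bytes).Contains('CreateProcessNotify')
        }

        [pscustomobject]@{
            ValueName                  = $name
            DllPath                    = $path
            Exists                     = $exists
            Created                    = $created
            SigStatus                  = $status
            Signer                     = $signer
            SHA256                     = $hash
            ExportsCreateProcessNotify = $hasExport
            Suspicious                 = (-not $exists) -or ($status -ne 'Valid') -or
                                         ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

function Remove-AppCertDllEntry {
    # Unregisters one value so the DLL is no longer loaded at the next CreateProcess.
    # Quarantine the file separately (the answer moved it out of system32); this only
    # removes the registration. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$ValueName,
        [string]$Key = $AppCertKey
    )
    if ($PSCmdlet.ShouldProcess("$Key\$ValueName", 'Remove AppCertDlls registration')) {
        Remove-ItemProperty -LiteralPath $Key -Name $ValueName
    }
}

Get-AppCertDllAudit | Format-List
# Remove-AppCertDllEntry -ValueName 'sethdown' -WhatIf
```

Record the SHA-256 and creation time before removing anything; they are what you hand to a scanner or an incident ticket. Because the hook DLL is mapped into every process that calls CreateProcess, an entry that points at a validly signed third-party security product is plausible, but an unsigned DLL under System32 with a name you do not recognise is the pattern the answer describes and should be treated as malware until proven otherwise.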
