What can a process gain by touching another application's DLL?

Below is a Process Monitor screenshot showing the process AliIM.exe performing some operations with TeamViewer's DLL.

[Screenshot: Process Monitor log]

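Since TeamViewer is a remote-control application, I am somewhat worried about security: could it obtain my TeamViewer credentials through these operations? The process does not ask for administrator privileges when it starts.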

The Process Monitor log, in CSV format, with "Show Process and Thread Activity" enabled:

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"

"7:59:16.2471434 PM","AliIM.exe","30332","Process Start","","SUCCESS","Parent PID: 11168, Command line: ""C:\Program Files (x86)\AliWangWang\AliIM.exe"" /run:desktop, Current directory: C:\Program Files (x86)\AliWangWang\, Environment: 

"7:59:16.2471586 PM","AliIM.exe","30332","Thread Create","","SUCCESS","Thread ID: 29216"

"7:59:16.2940980 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"

"7:59:16.2941329 PM","AliIM.exe","30332","QueryBasicInformationFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","CreationTime: 10/22/2013 10:47:30 PM, LastAccessTime: 8/14/2014 2:57:05 PM, LastWriteTime: 8/4/2014 3:36:25 PM, ChangeTime: 8/14/2014 2:57:14 PM, FileAttributes: A"

"7:59:16.2941485 PM","AliIM.exe","30332","CloseFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS",""

"7:59:16.2942881 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"

"7:59:16.2943492 PM","AliIM.exe","30332","CreateFileMapping","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "

"7:59:16.2944498 PM","AliIM.exe","30332","CreateFileMapping","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","SyncType: SyncTypeOther"

"7:59:16.2945615 PM","AliIM.exe","30332","Load Image","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Image Base: 0x6cff0000, Image Size: 0x1a000"

"7:59:16.2945812 PM","AliIM.exe","30332","CloseFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS",""

"7:59:16.2948406 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

"7:59:16.2960652 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\CRTDLL.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

Answer 1

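What you are observing may be a process known as DLL injection, by which a malicious program can force code to execute inside another process (in this case TeamViewer). This then allows attacks on the memory footprint of the executing process, or changes to its standard behavior.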

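There is no easy way to know what it is trying to do, but my guess is that, since it is Alibaba, it wants to be able to see the connection information inside the encrypted tunnel that TeamViewer uses to protect its connections from eavesdropping. If TeamViewer stores the encryption keys in RAM (which is quite likely), the program may have access to those keys, and may even be able to watch the login take place in real time.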

Answer 2

There may be other explanations for this behavior.

Regular DLL search - accidental identical name

From this trace alone, we can see that the process is looking for three DLLs in the TeamViewer folder: tv_w32.dll, VERSION.dll (an MS helper DLL for Windows) and CRTDLL.dll (the MS C runtime).

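A regular DLL search following the search order may be running, and the TeamViewer path appears to be in the search order. Otherwise, why would AliIM.exe look for two MS DLLs in that folder?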

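If that is true, the process is simply looking for tv_w32.dll, and it just so happens that TeamViewer has a DLL with the same name. (There seem to be discussions of tv_w32.dll on Asian pages, but there it is not part of TeamViewer.)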

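Any kind of misuse/attack

Since we know that AliIM.exe is malware, it could be an attack. In that case, AliIM.exe may "only" need some of TeamViewer's functionality. It loads the DLL and uses internal TeamViewer functions for its own purposes.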

Tools like Dependency Walker or Rohitab API Monitor will help trace it.
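
The distinction Answer 2 relies on, between DLLs a process actually maps and names it only probes for in another application's folder, can be pulled out of a Process Monitor CSV export. The following is an added example, not code from either answer; the rows are abridged from the log in the question, and the function name and the treatment of C:\Windows as an expected location are assumptions.

```python
import csv
import io
import ntpath
import re
from collections import defaultdict

# Rows abridged from the Process Monitor export in the question (Detail shortened).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:59:16.2471434 PM","AliIM.exe","30332","Process Start","","SUCCESS","Parent PID: 11168, Command line: ""C:\Program Files (x86)\AliWangWang\AliIM.exe"" /run:desktop"
"7:59:16.2945615 PM","AliIM.exe","30332","Load Image","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Image Base: 0x6cff0000, Image Size: 0x1a000"
"7:59:16.2948406 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"7:59:16.2960652 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\CRTDLL.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Assumption: DLL activity under the Windows directory is expected and not reported.
EXPECTED_PREFIXES = ("c:\\windows\\",)

def foreign_dll_activity(procmon_csv):
    """Group DLL loads and failed DLL probes by folder, skipping each process's
    own install folder. Returns {(name, pid): {folder: {"loaded", "probed_missing"}}}."""
    home = {}  # pid -> lower-cased folder of the executable, from "Process Start"
    report = defaultdict(lambda: defaultdict(lambda: {"loaded": [], "probed_missing": []}))
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        pid, op, path, result = row["PID"], row["Operation"], row["Path"], row["Result"]
        if op == "Process Start":
            m = re.search(r'Command line: "?([^"]+?\.exe)', row["Detail"], re.I)
            if m:
                home[pid] = ntpath.dirname(m.group(1)).lower() + "\\"
            continue
        if not path.lower().endswith(".dll"):
            continue
        folder = ntpath.dirname(path)
        prefix = folder.lower() + "\\"
        own = home.get(pid)  # None if the trace missed the process start
        if prefix.startswith(EXPECTED_PREFIXES) or (own and prefix.startswith(own)):
            continue
        if op == "Load Image" and result == "SUCCESS":
            kind = "loaded"            # the image was mapped into the process
        elif op == "CreateFile" and result == "NAME NOT FOUND":
            kind = "probed_missing"    # the name was looked for here but is absent
        else:
            continue
        report[(row["Process Name"], pid)][folder][kind].append(ntpath.basename(path))
    return {proc: dict(folders) for proc, folders in report.items()}

if __name__ == "__main__":
    for proc, folders in foreign_dll_activity(SAMPLE).items():
        for folder, hits in folders.items():
            print(proc, folder, hits)
```

On the sample rows it reports tv_w32.dll as loaded from the TeamViewer folder, and VERSION.dll and CRTDLL.dll as probed there but missing.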
