About the lsass.exe process on Windows

#1 Posted on 2004-12-26 10:34
Link:

http://www.eygle.com/archives/2004/12/oeouwindowseiea.html

I haven't paid attention to Windows stuff for a long time.

Today I saw someone asking about the lsass.exe process, so I looked a few things up and am noting them here for everyone's reference and discussion.
___________________________________________
lsass - lsass.exe - process information
Process file: lsass or lsass.exe
Process name: Local Security Authority Service
Description: Local Security Authority Service; controls the Windows security mechanism.
Common errors: N/A
System process: yes

This is a system process and cannot be ended from Task Manager; I recall that killing it from the command line could cause a system blue screen (not certain any more).

Microsoft's description is as follows:

Lsass.exe - You cannot end this process from Task Manager.
This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;263201&sd=tech

In other words:
This is a local security authorization service, and it spawns a process for authorizing users of the winlogon service. This process is carried out using authorization packages, such as the default msgina.dll. If authorization succeeds, lsass generates the user's access token, which is used to launch the initial shell. Other processes started by the user inherit this token.

Some caution is warranted, though: several known viruses are related to lsass.
First, Microsoft's default lsass.exe lives at c:\windows\System32\lsass.exe

We should know the dynamic link libraries that a normally running lsass needs:
[code]
C:\>tlist 720
 720 lsass.exe
   CWD:     C:\WINDOWS\system32\
   CmdLine: C:\WINDOWS\system32\lsass.exe
   VirtualSize:    43208 KB   PeakVirtualSize:    49040 KB
   WorkingSetSize:  1360 KB   PeakWorkingSetSize: 10640 KB
   NumberOfThreads: 19
    732 Win32StartAddr:0x74497f07 LastErr:0x00000000 State:Waiting
    736 Win32StartAddr:0x7c94798d LastErr:0x00000000 State:Waiting
    740 Win32StartAddr:0x7c930760 LastErr:0x00000000 State:Waiting
    744 Win32StartAddr:0x7c949fae LastErr:0x00000000 State:Waiting
    748 Win32StartAddr:0x0000028e LastErr:0x00000000 State:Waiting
    764 Win32StartAddr:0x7c930aca LastErr:0x00000000 State:Waiting
    792 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
    800 Win32StartAddr:0x00040d64 LastErr:0x00000000 State:Waiting
    812 Win32StartAddr:0x74488c23 LastErr:0x00000000 State:Waiting
   1700 Win32StartAddr:0x74488c23 LastErr:0x00000000 State:Waiting
    212 Win32StartAddr:0x77dbb479 LastErr:0x00000000 State:Waiting
    364 Win32StartAddr:0x77c0a341 LastErr:0x000003e5 State:Waiting
    376 Win32StartAddr:0x77c0a341 LastErr:0x00000000 State:Waiting
    380 Win32StartAddr:0x77c0a341 LastErr:0x00000000 State:Waiting
   3056 Win32StartAddr:0x759d8831 LastErr:0x00000000 State:Waiting
   1048 Win32StartAddr:0x77e56bf0 LastErr:0x0000006d State:Waiting
   2628 Win32StartAddr:0x00000000 LastErr:0x000003f0 State:Waiting
   3204 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
   3032 Win32StartAddr:0x77e56bf0 LastErr:0x00000000 State:Waiting
  5.1.2600.2180 shp  0x01000000  lsass.exe
  5.1.2600.2180 shp  0x7c920000  ntdll.dll
  5.1.2600.2180 shp  0x7c800000  kernel32.dll
  5.1.2600.2180 shp  0x77da0000  ADVAPI32.dll
  5.1.2600.2180 shp  0x77e50000  RPCRT4.dll
  5.1.2600.2525 shp  0x74480000  LSASRV.dll
  5.1.2600.2180 shp  0x71a90000  MPR.dll
  5.1.2600.2180 shp  0x77d10000  USER32.dll
  5.1.2600.2180 shp  0x77ef0000  GDI32.dll
  5.1.2600.2180 shp  0x76db0000  MSASN1.dll
  7.0.2600.2180 shp  0x77be0000  msvcrt.dll
  5.1.2600.2180 shp  0x5fdd0000  NETAPI32.dll
  5.1.2600.2180 shp  0x76770000  NTDSAPI.dll
  5.1.2600.2180 shp  0x76ef0000  DNSAPI.dll
  5.1.2600.2180 shp  0x71a20000  WS2_32.dll
  5.1.2600.2180 shp  0x71a10000  WS2HELP.dll
  5.1.2600.2180 shp  0x76f30000  WLDAP32.dll
  5.1.2600.2180 shp  0x77fc0000  Secur32.dll
  5.1.2600.2180 shp  0x71b70000  SAMLIB.dll
  5.1.2600.2180 shp  0x743a0000  SAMSRV.dll
  5.1.2600.2180 shp  0x76760000  cryptdll.dll
  5.1.2600.2180 shp  0x5cc30000  ShimEng.dll
                     0x58fb0000  AcGenral.DLL
  5.1.2600.2180 shp  0x76b10000  WINMM.dll
  5.1.2600.2180 shp  0x76990000  ole32.dll
  5.1.2600.2180 shp  0x770f0000  OLEAUT32.dll
  5.1.2600.2180 shp  0x77bb0000  MSACM32.dll
  5.1.2600.2180 shp  0x77bd0000  VERSION.dll
  6.0.2900.2180 shp  0x773a0000  SHELL32.dll
  6.0.2900.2180 shp  0x77f40000  SHLWAPI.dll
  5.1.2600.2180 shp  0x759d0000  USERENV.dll
  6.0.2900.2180 shp  0x5adc0000  UxTheme.dll
  5.1.2600.2180 shp  0x76300000  IMM32.DLL
  5.1.2600.2180 shp  0x62c20000  LPK.DLL
 1.420.2600.2180 sh  0x73fa0000  USP10.dll
 5.82.2900.2180 shp  0x77180000  comctl32.dll
 5.82.2900.2180 shp  0x5d170000  comctl32.dll
  5.1.2600.2180 shp  0x20000000  msprivs.dll
  5.1.2600.2180 shp  0x71c70000  kerberos.dll
  5.1.2600.2180 shp  0x77c40000  msv1_0.dll
  5.1.2600.2180 shp  0x76d30000  iphlpapi.dll
  5.1.2600.2180 shp  0x74410000  netlogon.dll
  5.1.2600.2180 shp  0x76790000  w32time.dll
     6.0.8168.0 shp  0x75ff0000  MSVCP60.dll
  5.1.2600.2180 shp  0x767c0000  schannel.dll
 5.131.2600.2180 sh  0x765e0000  CRYPT32.dll
  5.1.2600.2180 shp  0x742e0000  wdigest.dll
  5.1.2600.2161 shp  0x0ffd0000  rsaenh.dll
  5.1.2600.2180 shp  0x74370000  scecli.dll
  5.1.2600.2180 shp  0x76060000  SETUPAPI.dll
  5.1.2600.2180 shp  0x74340000  ipsecsvc.dll
  5.1.2600.2180 shp  0x77fe0000  AUTHZ.dll
  5.1.2600.2180 shp  0x73ed0000  oakley.DLL
  5.1.2600.2180 shp  0x742d0000  WINIPSEC.DLL
  5.1.2600.2180 shp  0x74300000  pstorsvc.dll
                     0x43000000  GoogleDesktopNetwork1.dll
  5.1.2600.2180 shp  0x719c0000  mswsock.dll
  5.1.2600.2180 shp  0x60fd0000  hnetcfg.dll
  5.1.2600.2180 shp  0x71a00000  wshtcpip.dll
  5.1.2600.2180 shp  0x74320000  psbase.dll
  5.1.2600.2133 shp  0x68100000  dssenh.dll
[/code]

As you can see, Google Desktop Search also needs to register here; this process is required for privilege control.
Some software, when validating, updating or verifying registration information, communicates over port 500 (the Internet Key Exchange (IKE) port), and this is sometimes falsely reported as a virus or trojan.

Generally I think that, with a reasonable understanding of Windows processes and without relying on antivirus tools, we can still be alert to abnormal processes or abnormal DLLs, and thereby spot suspicious processes and find the root of the problem.
The simple little tool tlist has helped me find several viruses that antivirus software could not identify in time.

Currently known viruses related to lsass include:
W32.HLLW.Lovgate.C@mm - Symantec Corporation
W32.Mydoom.L@mm - Symantec Corporation
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee

So everyone should keep a reasonable eye on this process.
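The post's advice is to know what lsass.exe normally loads and where it runs from, and to treat anything else (a look-alike image name such as Lsasss.exe, or a module outside the baseline) as worth a closer look. Below is an added example, not from the original post, that parses the `tlist <pid>` output format shown above and applies exactly those two checks; the allowlist `EXPECTED_MODULES`, the `SAMPLE_*` dumps and the function names are all constructed for the example.

```python
import re

# Constructed allowlist for this example (a few names from the dump in the post);
# a real baseline is captured from a known-clean host of the same build.
EXPECTED_MODULES = {
    "lsass.exe", "ntdll.dll", "kernel32.dll", "advapi32.dll", "rpcrt4.dll",
    "lsasrv.dll", "samsrv.dll", "msv1_0.dll", "kerberos.dll", "schannel.dll",
}
EXPECTED_IMAGE = r"c:\windows\system32\lsass.exe"
# Module lines: optional "<version> <flags>", then "<base> <name>". Thread lines do not match.
MODULE_RE = re.compile(r"^\s*(?:\S+\s+\S+\s+)?(0x[0-9a-f]+)\s+(\S+)\s*$", re.I)
CMDLINE_RE = re.compile(r"^\s*CmdLine:\s*(.+?)\s*$", re.I)

def parse_tlist(text):
    """Return (cmdline, [(base_address, module_name), ...]) from a 'tlist <pid>' dump."""
    cmdline, modules = None, []
    for line in text.splitlines():
        m = CMDLINE_RE.match(line)
        if m:
            cmdline = m.group(1)
            continue
        m = MODULE_RE.match(line)
        if m:
            modules.append((int(m.group(1), 16), m.group(2)))
    return cmdline, modules

def audit_lsass(text):
    """Flag a wrong image path (e.g. look-alike lsasss.exe outside System32) and modules not in the baseline."""
    cmdline, modules = parse_tlist(text)
    findings = []
    if cmdline is None or cmdline.lower() != EXPECTED_IMAGE:
        findings.append(f"image path is not {EXPECTED_IMAGE}: {cmdline!r}")
    for base, name in modules:
        if name.lower() not in EXPECTED_MODULES:
            findings.append(f"module not in baseline: {name} at {base:#010x}")
    return findings

# Constructed sample in the layout of the tlist output above (not a real capture).
SAMPLE_CLEAN = """\
 720 lsass.exe
   CmdLine: C:\\WINDOWS\\system32\\lsass.exe
    732 Win32StartAddr:0x74497f07 LastErr:0x00000000 State:Waiting
  5.1.2600.2180 shp  0x01000000  lsass.exe
  5.1.2600.2180 shp  0x7c920000  ntdll.dll
  5.1.2600.2525 shp  0x74480000  LSASRV.dll
"""
# Same dump with a look-alike image name and one extra module, as the post warns about.
SAMPLE_ODD = (SAMPLE_CLEAN.replace("system32\\lsass.exe", "lsasss.exe")
              + "                     0x43000000  GoogleDesktopNetwork1.dll\n")
```

A module flagged as "not in baseline" is a prompt to verify it (the post's own dump shows Google Desktop legitimately loading into lsass), not a verdict; the image-path check is the stronger signal, since the real lsass.exe only ever runs from System32.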

#2 Posted on 2004-12-28 01:12

Bro, I'm on XP, and at startup I get an "lsass.exe - corrupted image" window. I've already sent you an email! Hope you reply!