Tuesday, April 7, 2015

Using Process Explorer to Troubleshoot and Diagnose

Understanding how Process Explorer’s dialogs and options work is all fine and good, but what about using it for some actual troubleshooting or to diagnose a problem? Today’s Geek School lesson will try and help you learn how to do just that.

Not that long ago, we started investigating all sorts of malware and crapware that gets installed automatically any time you don’t pay attention while installing software. Nearly every piece of freeware on the market, including the “reputable” ones, is bundling toolbars, search hijacking awfulness, or adware, and some of it is hard to troubleshoot.
We’ve seen many computers from people that we know that have so much spyware and adware installed that the PC barely even loads anymore. Trying to load the web browser, especially, is nearly impossible, as all of the adware and tracking software competes for resources to steal your private information and sell it to the highest bidder.
So naturally, we wanted to do a bit of investigation into how some of these work, and there’s no better place to start than the Conduit Search malware that has claimed hundreds of millions of computers worldwide. This nefarious awfulness hijacks your search engine in your browser, changes your home page, and most annoyingly, it takes over your New Tab page no matter what your browser is set to.
We’ll start with looking at that, and then we’ll show you how to use Process Explorer to troubleshoot errors that talk about locked files and folders that are in use.
And then we’ll round it out with another look at how some adware these days are hiding themselves behind Microsoft processes so they appear legit in Process Explorer or Task Manager, even though they really aren’t.

Investigating the Conduit Search Malware

As we mentioned, the Conduit search hijacker is one of the most persistent, awful, and terrible things that nearly every one of your relatives probably has on their computer. They bundle their software in shady ways with any freeware they can, and in many instances, even if you select to opt-out, the hijacker will still be installed.
Conduit installs what they call “Search Protect”, which they claim prevents malware from making changes to your browser. What they don’t mention is that it also prevents you from making any changes to their browser unless you use their Search Protect panel to make those changes, which most people won’t know about since it’s buried in the system tray.
Not only will Conduit redirect all of your searches to their own custom Bing page, it will set that as your home page. One would have to assume that Microsoft is paying them for all this traffic to Bing, since they are also passing some ?pc=conduit type of arguments in the query string.
Fun fact: the company behind this piece of garbage is worth 1.5 Billion dollars and JP Morgan invested $100 million into them. Being evil is profitable.

Conduit Hijacks the New Tab Page… But How?

Hijacking your search and home page is trivial for any malware — this is where Conduit steps up the evil and somehow rewrites the New Tab page to force it to show Conduit, even if you change every single setting.
You can uninstall all of your browsers, or even install a browser you didn’t have installed before, like Firefox or Chrome, and Conduit will still manage to hijack the New Tab page.

Somebody should be in jail, but they are probably on a yacht.
It doesn’t take much in terms of geek skills to eventually deduce that the problem is the Search Protect application running in the system tray. Kill that process, and suddenly your new tabs open just the way the browser maker intended.

But how, exactly, does it do this? There are no add-ons or extensions installed into any of the browsers. There aren’t any plugins. The registry is clean. How do they do it?
This is where we turn to Process Explorer to do some investigation. First, we’ll find the Search Protect process in the list, which is easy enough because it is properly named, but if you weren’t sure, you can always open up the window and use the little bulls-eye icon next to the binoculars to figure out which process belongs to a window.

Now you can simply select the appropriate process, which in this case was one of the three that are run automatically by the Windows Service that Conduit installs. How did I know that it was a Windows Service that restarts it? Because the color of that row is pink, of course. Armed with that knowledge, I could always go stop or delete the service (though in this particular case, you can simply uninstall from Uninstall Programs in Control Panel).
Now that you’ve selected the process, you can use the CTRL + H or CTRL + D shortcut keys to open the Handles view or the DLLs view, or you can use the View -> Lower Pane View menu to do it.
Note: in the world of Windows, a “handle” is an integer value that is used to uniquely identify a resource in memory like a window, an open file, a process, or many other things. Each open application window on your computer has a unique “window handle”, for example, that can be used to reference it.
DLLs, or dynamic link libraries, are shared pieces of compiled code that are stored in a separate file to be shared among multiple applications. For instance, instead of having every application write their own File Open / Save dialogs, all applications can simply use the common dialog code provided by Windows in the comdlg32.dll file.
Looking through the list of handles for a few minutes brought us a little bit closer to what was going on, because we found handles to Internet Explorer and Chrome, both of which are currently open on the test system. We’ve definitely confirmed that Search Protect is doing something to our open browser windows, but we’ll need to do a little more research to figure out exactly what.

The next thing to do is double-click the process in the list to open up the details view, and then flip over to the Image tab, which will give you information about the full path to the executable, the command line, and even the working folder. We’ll click the Explore button to take a look at the installation folder and see what else is hiding there.

Interesting! We’ve found a number of DLL files here, but for some weird reason none of these DLL files were listed in the DLL view for the Search Protect process when we were looking at it earlier. This could be a problem.
Any time you want to see whether a DLL file is currently being used by any application on your system, you can pop up the search pane by going to the Find menu, hitting CTRL + F, or just clicking the binoculars icon on the toolbar. Now type in part of the name of the DLL, or even the full name if you’d like.
We chose to search for just the beginning, “SPVC”, since that was the common tie between them all, and sure enough, it looks like those DLLs are being loaded directly into each of the browser processes running on our computer.

Clicking on one of the items in the list and switching over to the Threads page confirmed what we were worried about. Both Chrome and Internet Explorer were running threads using the SPVC32.dll or SPVC64.dll files from the Search Protect malware, and this is how they were hijacking our new tab page — not by changing settings, but by hijacking the browser from within.
Note: In Windows, a thread is what the operating system allocates processor time to run. The process is the unit that geeks and system admin types are used to thinking about, but technically threads are the only thing that actually runs in Windows, not processes. Certain processes may have only one thread of execution, but others may have many threads that are all running separately from one another, usually communicating with some sort of in-process communication mechanism.
You can also double-click on any of the threads to see the full execution stack, which can be useful to see what functions are being called and attempt to figure out what the problem is.

You might be wondering how the Search Protect application managed to get Google Chrome to load that DLL, and the answer is that Windows provides a feature called DLL Injection. A process can inject a DLL into another process, and then hijack certain API functions. This is how certain applications override Windows features or features in other applications. It’s a very complicated subject that we definitely can’t get into in this lesson, but if you really want to read more, you can check out this guide.
It’s also worth noting that you can see the CPU usage per thread by digging into this level of details, which can be very useful when troubleshooting an application that has plugins. You could use this to figure out that a particular DLL file is taking up too much of the processor time, and then do some research on what that component belongs to.
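The search-for-a-DLL and Threads-tab steps above can also be scripted. The following PowerShell is an added example written for this page, not code from the article or from Sysinternals: it lists every process that has a module matching a wildcard pattern loaded (the article searched for “SPVC”), then attributes each thread to that module by checking whether the thread’s start address falls inside the module’s mapped range, and reports per-thread CPU time. The pattern `SPVC*` is only a default taken from the article; Process Explorer additionally resolves symbol names, which plain PowerShell cannot, so an offset from the module base is shown instead.

```powershell
# Added example, not code from the article or from Sysinternals: a plain-PowerShell
# stand-in for Process Explorer's Find Handle or DLL search plus its Threads tab.
# Run elevated, from a PowerShell whose bitness matches the processes you care
# about (a 32-bit shell cannot enumerate 64-bit processes, and a 64-bit shell may
# see only some modules of 32-bit processes).
param(
    [string]$ModulePattern = 'SPVC*'   # the article's search term; any -like wildcard
)

function Find-LoadedModule {
    # Every process that has a module matching $Pattern mapped into it.
    param([string]$Pattern)
    foreach ($proc in Get-Process) {
        try { $modules = $proc.Modules } catch { continue }   # access denied or wrong bitness
        foreach ($m in $modules) {
            if ($m.ModuleName -like $Pattern) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    PID         = $proc.Id
                    Module      = $m.ModuleName
                    Path        = $m.FileName
                    Base        = $m.BaseAddress.ToInt64()
                    Size        = [int64]$m.ModuleMemorySize
                }
            }
        }
    }
}

function Get-ThreadsInModule {
    # Threads of the hit process whose start address lies inside the module's
    # mapped range, with per-thread CPU time. This is how the Threads tab decides
    # that a thread "belongs" to a DLL; a thread starting in an injected DLL is
    # the tell the article describes.
    param([pscustomobject]$Hit)
    $proc = Get-Process -Id $Hit.PID -ErrorAction Stop
    foreach ($t in $proc.Threads) {
        $start = $t.StartAddress.ToInt64()
        if ($start -lt $Hit.Base -or $start -ge ($Hit.Base + $Hit.Size)) { continue }
        try { $cpu = [math]::Round($t.TotalProcessorTime.TotalSeconds, 2) } catch { $cpu = $null }  # thread may have exited
        [pscustomobject]@{
            PID        = $Hit.PID
            TID        = $t.Id
            StartsIn   = '{0}+0x{1:X}' -f $Hit.Module, ($start - $Hit.Base)
            CpuSeconds = $cpu
            State      = $t.ThreadState
        }
    }
}

$hits = @(Find-LoadedModule -Pattern $ModulePattern)
if ($hits.Count -eq 0) { "No running process has a module matching '$ModulePattern'."; return }
$hits | Format-Table ProcessName, PID, Module, Path -AutoSize
$hits | ForEach-Object { Get-ThreadsInModule -Hit $_ } |
    Sort-Object CpuSeconds -Descending | Format-Table -AutoSize
```

Save it as a script and run it as `.\Find-InjectedModule.ps1 -ModulePattern 'SPVC*'`; the first table answers “who has this DLL loaded?” and the second answers “which threads are running from it, and how busy are they?”, which is the same pair of questions the article walks through by hand.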

Dealing with Locked Files or Folders

Since it’s unlikely that you’ll be investigating malware all the time, it’s also helpful to use Process Explorer for other tasks, like dealing with those “In Use” dialogs that you get any time you try to delete, move, or modify a file or folder that is being used by another process, especially when you aren’t sure which process is locking it up.

When you get an error like that one, just head over to Process Explorer, open up the search with CTRL + F or the icon, and then type in the name of the folder listed above (or the full path if the name is very vague).
You’ll very quickly see a process in the list that has your file or folder open, and you can double-click on it to identify the process in the list.

Your immediate reaction might be to just close that process, but you don’t necessarily have to do that. You can also right-click on the file or folder in the list of handles (Use the CTRL + H option to bring up the Handles list) and choose the Close Handle option. That resource is now unlocked!

Note: If you’re deleting something, this is a perfectly fine option, but if you are just trying to edit or move that item, you should probably open the offending application and deal with it there so you don’t lose any data.
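The same “who has this file open?” search can be done from a script when there are many locked files to triage. The PowerShell below is an added example, not code from the article: it assumes the separate Sysinternals `handle.exe` tool is on the PATH (it is not part of Process Explorer), runs it with a path fragment as the name filter, and parses its one-line-per-handle text output into objects. A constructed sample of that output is embedded so the parser can be tried without the tool.

```powershell
# Added example, not code from the article: find which process holds a handle to a
# file or folder using Sysinternals handle.exe (assumed to be on PATH), and turn its
# text output into objects.
function ConvertFrom-HandleOutput {
    # handle.exe prints one line per match in the form
    #   <process>  pid: <n>  type: <kind>  <hex>: <name>
    param([string[]]$Lines)
    $re = '^(?<proc>.+?)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s*(?<name>.+)$'
    foreach ($line in $Lines) {
        if ($line -match $re) {
            [pscustomobject]@{
                Process = $Matches.proc.Trim()
                PID     = [int]$Matches.pid
                Type    = $Matches.type
                Handle  = $Matches.handle
                Name    = $Matches.name.Trim()
            }
        }
    }
}

function Find-FileHandle {
    # Equivalent of CTRL + F in Process Explorer: substring match on the handle name.
    # Needs handle.exe on PATH and elevation to see other users' processes.
    param([Parameter(Mandatory)][string]$PathFragment)
    $out = & handle.exe -accepteula -nobanner -a $PathFragment 2>&1
    ConvertFrom-HandleOutput -Lines ([string[]]$out)
}

# Constructed sample of handle.exe output (not real system data) so the parser
# can be exercised offline:
$sample = @(
    'notepad.exe        pid: 4120   type: File           1C4: C:\Users\demo\Documents\report.txt',
    'explorer.exe       pid: 1880   type: File           3A0: C:\Users\demo\Documents'
)
ConvertFrom-HandleOutput -Lines $sample | Format-Table -AutoSize

# Live use:
# Find-FileHandle -PathFragment 'Documents\report.txt' | Format-Table -AutoSize
```

Once you know the PID and handle value, the decision is the one the note above describes: close the owning application if you want the data it holds saved, and only force the handle closed (as Process Explorer’s Close Handle does) when you are deleting the item anyway.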

Researching Processes that Look Safe but Aren’t

During our malware research we’ve noticed another problem that is becoming more prevalent, so it is wise to keep an eye on it in the future. What is that problem? Malware is hiding behind legitimate Windows processes, and it’s doing a good job.
The problem is the Windows rundll32.exe utility, which can be used to arbitrarily run functions from DLL files. Since this utility is signed by Microsoft it shows up as a completely legit process in the list, but in reality what they are doing is just moving all of their malware / adware code into a .DLL file instead of a .EXE file, and then loading up the malware with rundll32.exe instead. In fact, if you see rundll32.exe running as an “own process” in the light blue color shown below, it’s nearly always something that shouldn’t be running.
In the example below, you can see that even though we used the Verified Signer feature to validate that item, when we hover over it and look at the full path, it is actually loading up a DLL that turns out to be part of an adware product.
Note: before you start screaming about running an anti-virus scan, we’ll note that we did, and it didn’t come back with anything. Much of this crapware, adware, and spyware is ignored by anti-virus utilities.
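Because the Verified Signer column only vouches for rundll32.exe itself, the useful check is on the DLL named in the command line. The PowerShell below is an added example, not code from the article or from Microsoft: for every running rundll32.exe it extracts the DLL argument, resolves a bare name against System32, checks that file’s own Authenticode signature, records the parent process, and flags entries that are unsigned, have an invalid signature, or live under a user-writable location such as the profile, ProgramData, or Temp. The `Suspicious` heuristic is this example’s own, not a Windows feature.

```powershell
# Added example, not code from the article: inspect the payload behind each running
# rundll32.exe instead of trusting the (Microsoft-signed) host executable.
function Get-Rundll32Payload {
    foreach ($p in Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'") {
        $cmd = $p.CommandLine
        if (-not $cmd) { continue }                             # no access to this process's command line

        # rundll32 syntax: rundll32.exe <dll>[,<entrypoint>] [args...]
        # Drop the host executable (quoted or bare), then take the DLL token.
        $rest = $cmd -replace '^\s*("[^"]*rundll32(\.exe)?"|\S*rundll32(\.exe)?)\s*', ''
        if ($rest -match '^"([^"]+)"') { $dll = $Matches[1] } else { $dll = ($rest -split '\s+')[0] }
        $dll = $dll -replace ',.*$', ''                         # strip ",EntryPoint"
        if (-not $dll) { continue }                             # rundll32 started with no argument

        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) {
            # A bare name goes through the loader's search order; System32 is the
            # normal home for legitimate ones, so resolve there first.
            $candidate = Join-Path $env:SystemRoot "System32\$path"
            if (Test-Path -LiteralPath $candidate) { $path = $candidate }
        }

        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

        # Triage heuristics (this example's own): no valid signature on the DLL, or a
        # DLL living somewhere a normal user can write to rather than under Windows.
        $validSig     = [bool]($sig -and $sig.Status -eq 'Valid')
        $userWritable = $path -match '\\(Users|ProgramData|Temp)\\'

        [pscustomobject]@{
            PID         = $p.ProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            Dll         = $path
            Exists      = [bool]$exists
            Signer      = if ($validSig) { $sig.SignerCertificate.Subject } else { '<none/invalid>' }
            SigStatus   = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Suspicious  = (-not $validSig) -or $userWritable
            CommandLine = $cmd
        }
    }
}

Get-Rundll32Payload | Sort-Object Suspicious -Descending | Format-List
```

Run it elevated so the command lines of processes belonging to other sessions are visible. A rundll32.exe whose DLL is unsigned and sits under the user profile is exactly the “looks legit, isn’t” case the article describes; a Microsoft-signed DLL under System32 launched by explorer.exe or svchost.exe is the normal case.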

Double-clicking to open up the details shows more of the problem, and we can also see the directory that the badware is running out of, which we’ll use to investigate further.

Inside that directory we found a number of files that were being updated constantly in the background.

The rest of the investigation led into some other tools that weren’t from SysInternals, and that we’ll probably cover at a later date, but suffice it to say that this is just a piece of malware that was running in conjunction with another crapware application.
The important point here is that malware is able to hide itself behind legitimate Windows executables, so be sure to keep your eyes peeled for anything similar.