 #28480  by evelyette
 Wed May 11, 2016 8:14 am

I've been trying to determine how ESET SysInspector http://support.eset.com/kb762/?viewlocale=en_US checks whether a DLL in system32 is valid or not. Below is a screenshot of an example, where ESET SysInspector flags the DLL with "Status 5 (unknown)", rather than "Status 1 (fine)". The executable is quite large and everything happens in the program startup, which makes it somewhat annoying to reverse engineer.
bug3.png (107.61 KiB) Viewed 836 times
Does anybody know how tools like ESET SysInspector check whether the file. It must check the file size, file hash, etc. I'm interested in the following:

1. What exactly the check routines check on the system files in order to mark them with status unknown/fine?

2. Does the system have any information about existing files stored somewhere in registry, so it knows the valid hash of a system file, as well as other details. Such information must be linked with the TrustedInstaller, which must modify the information once the update has been installed on the system. If for example, TrustedInstalled installs a new kernel32.dll into the system32 folder, what information needs to store into the system registry (or someplace else) in order to verify that the new file is indeed correct.

3. This is strongly linked with SFC.EXE, which is why I would also like to know how this small tool checks whether the file is valid or not - disregarding the fact about whether the file was placed into the system32 folder by TrustedInstaller or by a highly technical administrator. I'm researching how exactly the verification occurs and what checks are being made by SFC.EXE as well as other tools like ESET SysInspector.
 #28482  by Vrtule
 Wed May 11, 2016 12:36 pm
I expect that system files are digitaly signed by a certificate from Microsoft. So, you can obtain certificate common name CN and check whether the signature is valid (WinVerifyTrust). Howerver, I don't know whether ESET does this but I think that this procedure is just a part of their doings.

There also is (or was, in the elder days) a service monitoring changes to certain system files that was replacing the changes ones with the original ones. Not sure how this thing works today.
 #28483  by evelyette
 Wed May 11, 2016 3:07 pm

Thank you for your response. First, I would like to inform you that the service, which was monitoring the system files and replaced them with their original couterparts was only present in Windows up until Windows XP (not sure if it was available in prior Windows than Windows XP). Therefore, starting from Vista, the service is not there anymore and system administrator can take ownership of the system files and modify them.

I've check whether the WinVerifyTrust function is in the imports of SysInspector.exe as well as sfc.exe, but it isn't. These are the functions imported by the sfc.exe:
I hope the listing isn't too long. Any other thoughts about this are welcome.
 #28491  by raiden
 Thu May 12, 2016 8:39 am

I have no idea about ESET internals, but you should have checked dynamic imports as well. Process Explorer dynamically uses the same API (WinVerifyTrust) to check the integrity of an executable file.
 #28499  by evelyette
 Sat May 14, 2016 5:08 pm

I've used the following program (obtained from https://msdn.microsoft.com/en-us/librar ... s.85).aspx), which calls the WinVerifyTrust manually.
Code: Select all
// Copyright (C) Microsoft.  All rights reserved.
// Example of verifying the embedded signature of a PE file by using 
// the WinVerifyTrust function.

#define _UNICODE 1
#define UNICODE 1

#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>

// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
	LONG lStatus;
	DWORD dwLastError;

	// Initialize the WINTRUST_FILE_INFO structure.

	memset(&FileData, 0, sizeof(FileData));
	FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
	FileData.pcwszFilePath = pwszSourceFile;
	FileData.hFile = NULL;
	FileData.pgKnownSubject = NULL;

	WVTPolicyGUID specifies the policy to apply on the file

	1) The certificate used to sign the file chains up to a root
	certificate located in the trusted root certificate store. This
	implies that the identity of the publisher has been verified by
	a certification authority.

	2) In cases where user interface is displayed (which this example
	does not do), WinVerifyTrust will check for whether the
	end entity certificate is stored in the trusted publisher store,
	implying that the user trusts content from this publisher.

	3) The end entity certificate has sufficient permission to sign
	code, as indicated by the presence of a code signing EKU or no


	// Initialize the WinVerifyTrust input data structure.

	// Default all fields to 0.
	memset(&WinTrustData, 0, sizeof(WinTrustData));

	WinTrustData.cbStruct = sizeof(WinTrustData);

	// Use default code signing EKU.
	WinTrustData.pPolicyCallbackData = NULL;

	// No data to pass to SIP.
	WinTrustData.pSIPClientData = NULL;

	// Disable WVT UI.
	WinTrustData.dwUIChoice = WTD_UI_NONE;

	// No revocation checking.
	WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;

	// Verify an embedded signature on a file.
	WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;

	// Verify action.
	WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;

	// Verification sets this value.
	WinTrustData.hWVTStateData = NULL;

	// Not used.
	WinTrustData.pwszURLReference = NULL;

	// This is not applicable if there is no UI because it changes 
	// the UI to accommodate running applications instead of 
	// installing applications.
	WinTrustData.dwUIContext = 0;

	// Set pFile.
	WinTrustData.pFile = &FileData;

	// WinVerifyTrust verifies signatures as specified by the GUID 
	// and Wintrust_Data.
	lStatus = WinVerifyTrust(

	switch (lStatus)
		Signed file:
		- Hash that represents the subject is trusted.

		- Trusted publisher without any verification errors.

		- UI was disabled in dwUIChoice. No publisher or
		time stamp chain errors.

		- UI was enabled in dwUIChoice and the user clicked
		"Yes" when asked to install and run the signed
		wprintf_s(L"The file \"%s\" is signed and the signature "
			L"was verified.\n",

		// The file was not signed or had a signature 
		// that was not valid.

		// Get the reason for no signature.
		dwLastError = GetLastError();
		if (TRUST_E_NOSIGNATURE == dwLastError ||
			// The file was not signed.
			wprintf_s(L"The file \"%s\" is not signed.\n",
			// The signature was not valid or there was an error 
			// opening the file.
			wprintf_s(L"An unknown error occurred trying to "
				L"verify the signature of the \"%s\" file.\n",


		// The hash that represents the subject or the publisher 
		// is not allowed by the admin or user.
		wprintf_s(L"The signature is present, but specifically "

		// The user clicked "No" when asked to install and run.
		wprintf_s(L"The signature is present, but not "

		The hash that represents the subject or the publisher
		was not explicitly trusted by the admin and the
		admin policy has disabled user trust. No signature,
		publisher or time stamp errors.
		wprintf_s(L"CRYPT_E_SECURITY_SETTINGS - The hash "
			L"representing the subject or the publisher wasn't "
			L"explicitly trusted by the admin and admin policy "
			L"has disabled user trust. No signature, publisher "
			L"or timestamp errors.\n");

		// The UI was disabled in dwUIChoice or the admin policy 
		// has disabled user trust. lStatus contains the 
		// publisher or time stamp chain error.
		wprintf_s(L"Error is: 0x%x.\n",

	// Any hWVTStateData must be released by a call with close.
	WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;

	lStatus = WinVerifyTrust(

	return true;

int _tmain(int argc, _TCHAR* argv[])
	if (argc > 1)

	return 0;

I've called the program manually on a [*]trusted original kernel32.dll and an [*]untrusted custom tital.dll, but only obtained the same information as presented below - both files are not signed, but that is not what I'm looking for. I'm looking for how Windows and programs like IE.exe differentiate between a trusted copy of kernel32.dll and a custom DLL titan.dll, which was copied there by system administrator.
C:\Users\user\Desktop>winverifytrust.exe C:\Windows\System32\kernel32.dll
The file "C:\Windows\System32\kernel32.dll" is not signed.

C:\Users\user\Desktop>winverifytrust.exe C:\Windows\System32\titan.dll
The file "C:\Windows\System32\tital.dll" is not signed.
Additionally, for comparison, I'm adding the descriptions of both files, which can be seen below:

First, the trusted kernel32.dll:
First, the trusted kernel32.dll:
Then, the untrusted titan.dll:
Then, the untrusted titan.dll:
If anybody knows about how the file integrity of the files is checked, I would be more than interested in knowing any details about that. Are the sfc.exe (and other tools like ESET, IE, etc) checking for the description fields of a DLL, like file description, type, file version, product name, product version, copyright, etc? There are two use-cases I'm interested in:

1. Additional DLL or SYS in System32: an application puts an additional DLL or a driver SYS into the kernel32 directory. How does sfc.exe/sysinspector determine the file is genuine or not?

2. Replaced DLL or SYS in System32: an application replaces a DLL or driver SYS in the kernel32 directory (requires administrative privileges). Are there any additional checks being done by the sfc.exe/sysinspector in order to determine if the file is genuine or not? Are there any additional registry entries stored in registry or any files on the filesystem, which contain SHA1 of the previous original DLL, which is being checked by such tools and reported if hash doesn't match?

Any details are welcome.
 #28500  by raiden
 Sat May 14, 2016 7:36 pm
First off, the MSDN code handles embedded digital signatures only, not security catalog signatures. It can't differentiate between not signed and signed by catalog executable.

I have added some extra piece of code to the MSDN example to make it work. I had to add some definitions because visual studio 2005 doesn't have the required headers. The code is dirty and is coded in hurry (sorry).

BTW, the original code isn't mine. All credits goes to the sysinternals gang.

anyway hope it helps.

Include File (stdafx.h):
Code: Select all
#pragma once

#ifndef _WIN32_WINNT		// Allow use of features specific to Windows XP or later.                   
#define _WIN32_WINNT 0x0501	// Change this to the appropriate value to target other versions of Windows.

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <tchar.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>


    DWORD cbStruct;
    LPWSTR pwszReferenceTag;
    DWORD dwAttrTypeAndAction;
    DWORD cbValue;
    BYTE *pbValue;
    DWORD dwReserved;

typedef struct CRYPTCATMEMBER_
    DWORD cbStruct;
    LPWSTR pwszReferenceTag;
    LPWSTR pwszFileName;
    GUID gSubjectType;
    DWORD fdwMemberFlags;
    struct SIP_INDIRECT_DATA_* pIndirectData;
    DWORD dwCertVersion;
    DWORD dwReserved;
    HANDLE hReserved;
    CRYPT_ATTR_BLOB sEncodedIndirectData;
    CRYPT_ATTR_BLOB sEncodedMemberInfo;

typedef struct CATALOG_INFO_
    DWORD cbStruct;
    WCHAR wszCatalogFile[MAX_PATH];

typedef struct CRYPTCATCDF_
    DWORD cbStruct;
    HANDLE hFile;
    DWORD dwCurFilePos;
    DWORD dwLastMemberOffset;
    BOOL fEOF;
    LPWSTR pwszResultDir;
    HANDLE hCATStore;


typedef BOOL (WINAPI *_CryptCATAdminAcquireContext)(HCATADMIN*,const GUID*,DWORD);
typedef BOOL (WINAPI *_CryptCATAdminCalcHashFromFileHandle) (HANDLE,DWORD*,BYTE*,DWORD);
typedef BOOL (WINAPI *_CryptCATAdminReleaseCatalogContext) (HCATADMIN,HCATINFO,DWORD);
typedef BOOL (WINAPI *_CryptCATCatalogInfoFromContext) (HCATINFO, CATALOG_INFO *, DWORD);
typedef BOOL (WINAPI *_CryptCATAdminReleaseContext) (
   HCATADMIN hCatAdmin,
   DWORD     dwFlags
Main File:
Code: Select all
#include "stdafx.h"

// Copyright (C) Microsoft.  All rights reserved.
// Example of verifying the embedded signature of a PE file by using 
// the WinVerifyTrust function.

// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
    LONG lStatus;
    HANDLE hFile;
    DWORD dwHash;
    BYTE bHash[100];
    HCATINFO hCatInfo;
    HCATADMIN hCatAdmin;

    WINTRUST_DATA wd = { 0 };
    WINTRUST_FILE_INFO wfi = { 0 };
    WINTRUST_CATALOG_INFO wci = { 0 };

    ////set up structs to verify files with cert signatures
    memset(&wfi, 0, sizeof(wfi));
    wfi.cbStruct               = sizeof( WINTRUST_FILE_INFO );
    wfi.pcwszFilePath          = pwszSourceFile;
    wfi.hFile                  = NULL;
    wfi.pgKnownSubject         = NULL;

    memset(&wd, 0, sizeof(wd));
    wd.cbStruct                = sizeof( WINTRUST_DATA );
    wd.dwUnionChoice           = WTD_CHOICE_FILE;
    wd.pFile                   = &wfi;
    wd.dwUIChoice              = WTD_UI_NONE;
    wd.fdwRevocationChecks     = WTD_REVOKE_NONE;
    wd.dwStateAction           = 0;
    wd.dwProvFlags             = WTD_SAFER_FLAG;
    wd.hWVTStateData           = NULL;
    wd.pwszURLReference        = NULL;
    wd.pPolicyCallbackData    = NULL;
    wd.pSIPClientData        = NULL;
    wd.dwUIContext            = 0;

    lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd );

    ////if failed, try to verify using catalog files
    if (lStatus != ERROR_SUCCESS)
        //open the file
        if (hFile == INVALID_HANDLE_VALUE)
            return FALSE;

		HMODULE hWintrust = GetModuleHandle( TEXT( "wintrust.dll" ) );
		_CryptCATAdminCalcHashFromFileHandle CryptCATAdminCalcHashFromFileHandle = (_CryptCATAdminCalcHashFromFileHandle) GetProcAddress( hWintrust, "CryptCATAdminCalcHashFromFileHandle" );

        dwHash = sizeof(bHash);
        if (!CryptCATAdminCalcHashFromFileHandle(hFile, &dwHash, bHash, 0))
            return FALSE;

        //Create a string form of the hash (used later in pszMemberTag)
        LPWSTR pszMemberTag = new WCHAR[dwHash * 2 + 1];
        for ( DWORD dw = 0; dw < dwHash; ++dw )
            wsprintfW( &pszMemberTag[dw * 2], L"%02X", bHash[dw] );

		_CryptCATAdminAcquireContext CryptCATAdminAcquireContext = (_CryptCATAdminAcquireContext) GetProcAddress( hWintrust, "CryptCATAdminAcquireContext" );

        if (!CryptCATAdminAcquireContext(&hCatAdmin, &DriverActionGuid, 0))
            return FALSE;

		_CryptCATAdminEnumCatalogFromHash CryptCATAdminEnumCatalogFromHash = (_CryptCATAdminEnumCatalogFromHash) GetProcAddress( hWintrust, "CryptCATAdminEnumCatalogFromHash" );

        //find the catalog which contains the hash
        hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin, bHash, dwHash, 0, NULL);

        if ( hCatInfo )
			_CryptCATCatalogInfoFromContext CryptCATCatalogInfoFromContext = (_CryptCATCatalogInfoFromContext) GetProcAddress( hWintrust, "CryptCATCatalogInfoFromContext" );
            CATALOG_INFO ci = { 0 };
            CryptCATCatalogInfoFromContext( hCatInfo, &ci, 0 );

            memset(&wci, 0, sizeof(wci));
            wci.cbStruct                 = sizeof( WINTRUST_CATALOG_INFO );
            wci.pcwszCatalogFilePath     = ci.wszCatalogFile;
            wci.pcwszMemberFilePath      = pwszSourceFile;
            wci.pcwszMemberTag           = pszMemberTag;

            memset(&wd, 0, sizeof(wd));
            wd.cbStruct                    = sizeof( WINTRUST_DATA );
            wd.dwUnionChoice               = WTD_CHOICE_CATALOG;
            wd.pCatalog                    = &wci;
            wd.dwUIChoice                  = WTD_UI_NONE;
            wd.fdwRevocationChecks         = WTD_STATEACTION_VERIFY;
            wd.dwProvFlags                 = 0;
            wd.hWVTStateData               = NULL;
            wd.pwszURLReference            = NULL;
            wd.pPolicyCallbackData        = NULL;
            wd.pSIPClientData            = NULL;
            wd.dwUIContext                = 0;

            lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd );
			_CryptCATAdminReleaseCatalogContext CryptCATAdminReleaseCatalogContext = (_CryptCATAdminReleaseCatalogContext) GetProcAddress( hWintrust, "CryptCATAdminReleaseCatalogContext" );

            CryptCATAdminReleaseCatalogContext( hCatAdmin, hCatInfo, 0 );

		_CryptCATAdminReleaseContext CryptCATAdminReleaseContext = (_CryptCATAdminReleaseContext) GetProcAddress( hWintrust, "CryptCATAdminReleaseContext" );

        CryptCATAdminReleaseContext( hCatAdmin, 0 );
        delete[] pszMemberTag;

    if (lStatus != ERROR_SUCCESS)
        return false;
        return true;

int _tmain(int argc, _TCHAR* argv[])
    if(argc > 1)
        if( VerifyEmbeddedSignature(argv[1]) )
			_tprintf( TEXT( "\nVerified ...\n" ) );
			_tprintf( TEXT( "\nVerification failed ...\n" ) );

    return 0;
 #28503  by evelyette
 Sun May 15, 2016 7:37 am
I've set a breakpoint on WinVerifyTrust in WinDbg, which can be seen on the picture below, but the breakpoint wasn't hit when starting ESET SysInspector or sfc.exe, so I'm assuming that function isn't being used to check the integrity of files.
winverify.png (2.11 KiB) Viewed 775 times
I've also run the sfc.exe command like this, where there are three use-cases:
  • Original Untampered File: the file kernel32.dll is the original file and there is nothing wrong with it, so the integrity passes.
  • File not in Store: if we run sfc.exe on a non-existent file nonexistent.dll, a message will be displayed that windows resource protection cannot perform the requested operation.
  • Replaced Tampered File: if administrator has replaced the file that is in store with a new file, Windows resource protection will find integrity violations and save the details into CBS.log.
winverify1.png (7.33 KiB) Viewed 775 times
The details are included into the CBS.log, which contains the following - note that there are some hashes being verified in the store.
2016-05-15 09:28:32, Info CSI 00000155 [SR] Beginning Verify and Repair transaction
2016-05-15 09:28:32, Info CSI 00000156 Hashes for file member \??\C:\Windows\System32\loghours.dll do not match actual file [l:24{12}]"loghours.dll" :
Found: {l:32 b:3R0SwHabqO6QywaLD5LoyoybfqNwhvdMZ6oOM9lT16o=} Expected: {l:32 b:qYvtQSJ3j0i4CGCj/b4ZeqfAUMR7f94Ad0zrp1EJw9Y=}
2016-05-15 09:28:32, Info CSI 00000157 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"loghours.dll" from store
2016-05-15 09:28:32, Info CSI 00000158 Repair results created:
POQ 34 starts:
0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\be3b78627baed101a90000001406cc06._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms"
1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\be3b78627baed101aa0000001406cc06.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms"
2: Move File: Source = [l:214{107}]"\SystemRoot\WinSxS\Temp\PendingRenames\cc627f627baed101ab0000001406cc06.$$_system32_21f9a9c4a2f8b514.cdf-ms", Destination = [l:126{63}]"\SystemRoot\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms"
3: Hard Link File: Source = [l:240{120}]"\SystemRoot\WinSxS\amd64_microsoft-windows-scheduleui_31bf3856ad364e35_6.1.7600.16385_none_d0b7a7aa2b6c0a20\loghours.dll", Destination = [l:72{36}]"\??\C:\Windows\System32\loghours.dll"

POQ 34 ends.
2016-05-15 09:28:32, Info CSI 00000159 [SR] Verify complete
This is also the check with sigcheck.exe , which clearly differentiates the libraries.
C:\Users\user\Desktop>sigcheck -a c:\windows\system32\kernel32.dll

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Verified: Signed
Signing date: 4:29 13.2.2016
Publisher: Microsoft Windows
Company: Microsoft Corporation
Description: Windows NT BASE API Client DLL
Product: Microsoft« Windows« Operating System
Prod version: 6.1.7601.23349
File version: 6.1.7601.23349 (win7sp1_ldr.160210-0600)
MachineType: 64-bit
Binary Version: 6.1.7601.23349
Original Name: kernel32
Internal Name: kernel32
Copyright: ⌐ Microsoft Corporation. All rights reserved.
Comments: n/a
Entropy: 6.246

C:\Users\user\Desktop>sigcheck -a c:\windows\system32\loghours.dll

Sigcheck v2.51 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Verified: Unsigned
Link date: 14:49 11.5.2016
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: 64-bit
Binary Version: n/a
Original Name: n/a
Internal Name: n/a
Copyright: n/a
Comments: n/a
Entropy: 5.294
I'm interested to find out the details about:

1. Which files are protected inside the system32 and which aren't (for which the integrity protections exist). Note that all DLLs inside system32 are not in the store, like rasser.dll (whereever the DLL comes from).
2. How is the integrity of the files, which are in the store checked in order to determine whether they have been tampered with? I'm interested in the exact win32 API being used to check the existence of signatures as well as where the signatures are being stored and how do existing tools modify the signatures - like windows updater?

I would like to determine the internals of the integrity protections.
 #28520  by evelyette
 Tue May 17, 2016 10:41 pm
One more thing. When starting IE in protected mode - provided by ESET, we can attach to iexplore.exe with WinDbg, but IE will fail to load any DLL. WinDbg will display a number of messages like this, where it wants to load the titan.dll, which is available in the system32 folder, but WinDbg fails to load it. Notice a number of tries to load the DLL, but none of them is successful, so the titan.dll is not loaded. The titan.dll is a custom DLL placed there by the administrator and is not loaded only in protected IE mode, while it loads fine when starting IE normally.
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
The continuous tries to load the titan.dll are there because of the interaction with the IE process, which requires that DLL, but fails to load it. I've instructed WinDbg to break upon loading a DLL as seen below:
0:023> g
ModLoad: 000007fe`fc280000 000007fe`fc3cb000 C:\Windows\system32\titan.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\ESET\ESET Smart Security\eOppBrowser.dll -
00000000`0001014a c3 ret
At that point, the call stack is the following:
# Child-SP RetAddr : Args to Child : Call Site
00 00000000`04a2dd18 000007fe`f20bc8b4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00100021 : 0x1014a
01 00000000`04a2dd20 000007fe`f20bbdef : 00000000`000004ec 00000000`00199930 ffffffff`ffffffff 000007fe`f20bd2c6 : eOppBrowser!eplg_opp_init+0x1894
02 00000000`04a2ddb0 00000000`7738678c : 00000000`001959b8 00000000`00000000 00000000`00000000 000007fe`f20bc58d : eOppBrowser!eplg_opp_init+0xdcf
03 00000000`04a2de20 00000000`773863e1 : 00000000`00000424 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrpMapViewOfSection+0x136
04 00000000`04a2ded0 00000000`77375da3 : 00000000`00000000 00000000`04a2e390 00000000`c0150008 00000000`00000000 : ntdll!LdrpFindOrMapDll+0x231
05 00000000`04a2e020 00000000`77375fcf : 00000000`00000000 00000000`00000000 00000000`002b2460 000007fe`fd139a82 : ntdll!LdrpLoadDll+0x2f3
06 00000000`04a2e220 000007fe`f20bbf7b : 00000000`00000000 00000000`00000000 00000000`002cc230 00000000`04a2e330 : ntdll!LdrLoadDll+0xed
07 00000000`04a2e290 000007fe`f20bbf37 : 00000000`04a2e341 00000000`00000000 00000000`002cc230 00000000`00000003 : eOppBrowser!eplg_opp_init+0xf5b
08 00000000`04a2e2d0 000007fe`fd140176 : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000044 : eOppBrowser!eplg_opp_init+0xf17
09 00000000`04a2e310 000007fe`fd12c7a1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : KERNELBASE!LoadLibraryExW+0x2a3
0a 00000000`04a2e390 000007fe`fc7205b6 : 00000000`00000000 00000000`002c9af0 00000000`00000000 000007fe`fc700000 : KERNELBASE!LoadLibraryExA+0x51
The eOppBrowser!eplg_opp_init+0x1894 instruction is on the call stack - I've attached the eOppBrowser.dll to this thread. Any throughts about why WinDbg is unable to load the DLL when started in protected mode provided by the ESET? The password for the zip is KernelMode.
(174.4 KiB) Downloaded 28 times
 #28531  by Vrtule
 Wed May 18, 2016 6:23 pm

If I read your last post correctly, IE, when run under ESET's protected mode, is unable to load a custom DLL. Or does this happen only in case WinDbg is attached to the process? It seems to me that the problem lies within ESET's DLL (it may be a bug or feature, who knows). It would be best to reverse the relevant part of the DLL (the NtMapViewOfSection hook routine).
 #28532  by evelyette
 Wed May 18, 2016 8:09 pm

I've enabled loader snaps and the following is displayed in WinDbg; note that when IE is running under ESET's protected mode, the IE is unable to load the DLL, regardless of whether a debugger is attached or not.
0810:0704 @ 53652843 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\titan.dll
0810:0704 @ 53652843 - LdrpResolveFileName - RETURN: Status: 0x00000000
0810:0704 @ 53652843 - LdrpResolveDllName - ENTER: DLL name: C:\Windows\system32\titan.dll
0810:0704 @ 53652859 - LdrpResolveDllName - RETURN: Status: 0x00000000
0810:0704 @ 53652859 - LdrpSearchPath - RETURN: Status: 0x00000000
0810:0704 @ 53652859 - LdrpMapViewOfSection - ENTER: DLL name: C:\Windows\system32\titan.dll
ModLoad: 000007fe`efb10000 000007fe`efc5b000 C:\Windows\system32\titan.dll
0810:0704 @ 53652859 - LdrpMapViewOfSection - RETURN: Status: 0xc0000022
0810:0704 @ 53652859 - LdrpFindOrMapDll - RETURN: Status: 0xc0000022
0810:0704 @ 53652859 - LdrpLoadDll - RETURN: Status: 0xc0000022
0810:0704 @ 53652875 - LdrLoadDll - RETURN: Status: 0xc0000022
I've seen this is an access denied error code, which happens when the process has been denied access to the object - the DLL in this case. This makes sense since the process is started in protected mode, but now we need to investigate what's happening behind the curtains. Note that the DLL has been signed with a self-signed certificate, which could be a likely cause of this, but where is the exact function actually checking this and then denying loading the DLL? I would like to investigate this further in order to determine what's happening and if the self-signed certificate is a culprit for this, after which I need to determine whether signing a DLL with a valid certificate (signed with proper CA) will resolve the issue or not.

The !token command reports the following:
0:033> !token
Thread is not impersonating. Using process token...
TS Session ID: 0x1
User: S-1-5-21-1975552498-1196766895-2187975934-1000
User Groups:
00 S-1-5-21-1975552498-1196766895-2187975934-513
Attributes - Mandatory Default Enabled
01 S-1-1-0
Attributes - Mandatory Default Enabled
02 S-1-5-114
Attributes - Mandatory Default Enabled
03 S-1-5-21-1975552498-1196766895-2187975934-1001
Attributes - Mandatory Default Enabled
04 S-1-5-32-544
Attributes - Mandatory Default Enabled Owner
05 S-1-5-32-559
Attributes - Mandatory Default Enabled
06 S-1-5-32-545
Attributes - Mandatory Default Enabled
07 S-1-5-4
Attributes - Mandatory Default Enabled
08 S-1-2-1
Attributes - Mandatory Default Enabled
09 S-1-5-11
Attributes - Mandatory Default Enabled
10 S-1-5-15
Attributes - Mandatory Default Enabled
11 S-1-5-113
Attributes - Mandatory Default Enabled
12 S-1-5-5-0-102540
Attributes - Mandatory Default Enabled LogonId
13 S-1-2-0
Attributes - Mandatory Default Enabled
14 S-1-5-64-10
Attributes - Mandatory Default Enabled
15 S-1-16-8192
Attributes - GroupIntegrity GroupIntegrityEnabled
Primary Group: S-1-5-21-1975552498-1196766895-2187975934-513
00 0x000000005 SeIncreaseQuotaPrivilege Attributes -
01 0x000000008 SeSecurityPrivilege Attributes -
02 0x000000009 SeTakeOwnershipPrivilege Attributes -
03 0x00000000a SeLoadDriverPrivilege Attributes -
04 0x00000000b SeSystemProfilePrivilege Attributes -
05 0x00000000c SeSystemtimePrivilege Attributes -
06 0x00000000d SeProfileSingleProcessPrivilege Attributes -
07 0x00000000e SeIncreaseBasePriorityPrivilege Attributes -
08 0x00000000f SeCreatePagefilePrivilege Attributes -
09 0x000000011 SeBackupPrivilege Attributes -
10 0x000000012 SeRestorePrivilege Attributes -
11 0x000000013 SeShutdownPrivilege Attributes -
12 0x000000014 SeDebugPrivilege Attributes -
13 0x000000016 SeSystemEnvironmentPrivilege Attributes -
14 0x000000017 SeChangeNotifyPrivilege Attributes - Enabled Default
15 0x000000018 SeRemoteShutdownPrivilege Attributes -
16 0x000000019 SeUndockPrivilege Attributes -
17 0x00000001c SeManageVolumePrivilege Attributes -
18 0x00000001d SeImpersonatePrivilege Attributes -
19 0x00000001e SeCreateGlobalPrivilege Attributes - Enabled Default
20 0x000000021 SeIncreaseWorkingSetPrivilege Attributes -
21 0x000000022 SeTimeZonePrivilege Attributes -
22 0x000000023 SeCreateSymbolicLinkPrivilege Attributes -
Auth ID: 0:190af
Impersonation Level: Anonymous
TokenType: Primary
Is restricted token: no.
SandBoxInert: 0
Elevation Type: 1 (Default)
Integrity Level: S-1-16-8192
Token Virtualized: Disabled
UIAccess: 0