On the lsass.exe process on Windows    Author: eygle    Source: http://blog.eygle.com    Date: December 26, 2004
Today I saw someone ask about the lsass.exe process, so I looked a few things up and am noting them here.
lsass - lsass.exe - process information
Process file: lsass or lsass.exe
Process name: Local Security Authority Subsystem Service (LSASS)
Description: Hosts the Local Security Authority, which authenticates logons, enforces local security policy and issues access tokens; in short, it controls the Windows security mechanism.
Common errors: N/A
System process: Yes
This is a system process and cannot be terminated from Task Manager; I remember that killing it from the command line could blue-screen the system (I am no longer sure).
Microsoft's description reads as follows:
Lsass.exe - You cannot end this process from Task Manager.
This is the local security authentication server, and it generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.
In plain terms: lsass.exe is the Local Security Authority process. Winlogon collects the user's credentials (through the GINA, Msgina.dll by default) and hands them to LSASS, which checks them with an authentication package; the actual packages are msv1_0.dll (NTLM) and kerberos.dll, both visible in the module list further down. If authentication succeeds, LSASS builds the user's access token, the initial shell is started with that token, and every process the user launches afterwards inherits it.
Still, a measure of caution is warranted: several known pieces of malware are associated with lsass.
First, Microsoft's own lsass.exe lives at C:\WINDOWS\System32\lsass.exe; a file of that name in any other directory is not the real one.
We should also know which dynamic-link libraries a normally running lsass needs. Here is a clean Windows XP SP2 (5.1.2600) lsass.exe as shown by tlist (the tool ships with the Debugging Tools for Windows):
C:\>tlist 720
 720 lsass.exe
   CWD:     C:\WINDOWS\system32\
   CmdLine: C:\WINDOWS\system32\lsass.exe
   VirtualSize:    43208 KB   PeakVirtualSize:    49040 KB
   WorkingSetSize:  1360 KB   PeakWorkingSetSize: 10640 KB
   NumberOfThreads: 19
    732 Win32StartAddr:0x74497f07 LastErr:0x00000000 State:Waiting
    736 Win32StartAddr:0x7c94798d LastErr:0x00000000 State:Waiting
    740 Win32StartAddr:0x7c930760 LastErr:0x00000000 State:Waiting
    744 Win32StartAddr:0x7c949fae LastErr:0x00000000 State:Waiting
    748 Win32StartAddr:0x0000028e LastErr:0x00000000 State:Waiting
    764 Win32StartAddr:0x7c930aca LastErr:0x00000000 State:Waiting
    792 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
    800 Win32StartAddr:0x00040d64 LastErr:0x00000000 State:Waiting
    812 Win32StartAddr:0x74488c23 LastErr:0x00000000 State:Waiting
   1700 Win32StartAddr:0x74488c23 LastErr:0x00000000 State:Waiting
    212 Win32StartAddr:0x77dbb479 LastErr:0x00000000 State:Waiting
    364 Win32StartAddr:0x77c0a341 LastErr:0x000003e5 State:Waiting
    376 Win32StartAddr:0x77c0a341 LastErr:0x00000000 State:Waiting
    380 Win32StartAddr:0x77c0a341 LastErr:0x00000000 State:Waiting
   3056 Win32StartAddr:0x759d8831 LastErr:0x00000000 State:Waiting
   1048 Win32StartAddr:0x77e56bf0 LastErr:0x0000006d State:Waiting
   2628 Win32StartAddr:0x00000000 LastErr:0x000003f0 State:Waiting
   3204 Win32StartAddr:0x00000000 LastErr:0x00000000 State:Waiting
   3032 Win32StartAddr:0x77e56bf0 LastErr:0x00000000 State:Waiting
   5.1.2600.2180 shp  0x01000000  lsass.exe
   5.1.2600.2180 shp  0x7c920000  ntdll.dll
   5.1.2600.2180 shp  0x7c800000  kernel32.dll
   5.1.2600.2180 shp  0x77da0000  ADVAPI32.dll
   5.1.2600.2180 shp  0x77e50000  RPCRT4.dll
   5.1.2600.2525 shp  0x74480000  LSASRV.dll
   5.1.2600.2180 shp  0x71a90000  MPR.dll
   5.1.2600.2180 shp  0x77d10000  USER32.dll
   5.1.2600.2180 shp  0x77ef0000  GDI32.dll
   5.1.2600.2180 shp  0x76db0000  MSASN1.dll
   7.0.2600.2180 shp  0x77be0000  msvcrt.dll
   5.1.2600.2180 shp  0x5fdd0000  NETAPI32.dll
   5.1.2600.2180 shp  0x76770000  NTDSAPI.dll
   5.1.2600.2180 shp  0x76ef0000  DNSAPI.dll
   5.1.2600.2180 shp  0x71a20000  WS2_32.dll
   5.1.2600.2180 shp  0x71a10000  WS2HELP.dll
   5.1.2600.2180 shp  0x76f30000  WLDAP32.dll
   5.1.2600.2180 shp  0x77fc0000  Secur32.dll
   5.1.2600.2180 shp  0x71b70000  SAMLIB.dll
   5.1.2600.2180 shp  0x743a0000  SAMSRV.dll
   5.1.2600.2180 shp  0x76760000  cryptdll.dll
   5.1.2600.2180 shp  0x5cc30000  ShimEng.dll
                      0x58fb0000  AcGenral.DLL
   5.1.2600.2180 shp  0x76b10000  WINMM.dll
   5.1.2600.2180 shp  0x76990000  ole32.dll
   5.1.2600.2180 shp  0x770f0000  OLEAUT32.dll
   5.1.2600.2180 shp  0x77bb0000  MSACM32.dll
   5.1.2600.2180 shp  0x77bd0000  VERSION.dll
   6.0.2900.2180 shp  0x773a0000  SHELL32.dll
   6.0.2900.2180 shp  0x77f40000  SHLWAPI.dll
   5.1.2600.2180 shp  0x759d0000  USERENV.dll
   6.0.2900.2180 shp  0x5adc0000  UxTheme.dll
   5.1.2600.2180 shp  0x76300000  IMM32.DLL
   5.1.2600.2180 shp  0x62c20000  LPK.DLL
   1.420.2600.2180 sh 0x73fa0000  USP10.dll
   5.82.2900.2180 shp 0x77180000  comctl32.dll
   5.82.2900.2180 shp 0x5d170000  comctl32.dll
   5.1.2600.2180 shp  0x20000000  msprivs.dll
   5.1.2600.2180 shp  0x71c70000  kerberos.dll
   5.1.2600.2180 shp  0x77c40000  msv1_0.dll
   5.1.2600.2180 shp  0x76d30000  iphlpapi.dll
   5.1.2600.2180 shp  0x74410000  netlogon.dll
   5.1.2600.2180 shp  0x76790000  w32time.dll
   6.0.8168.0 shp     0x75ff0000  MSVCP60.dll
   5.1.2600.2180 shp  0x767c0000  schannel.dll
   5.131.2600.2180 sh 0x765e0000  CRYPT32.dll
   5.1.2600.2180 shp  0x742e0000  wdigest.dll
   5.1.2600.2161 shp  0x0ffd0000  rsaenh.dll
   5.1.2600.2180 shp  0x74370000  scecli.dll
   5.1.2600.2180 shp  0x76060000  SETUPAPI.dll
   5.1.2600.2180 shp  0x74340000  ipsecsvc.dll
   5.1.2600.2180 shp  0x77fe0000  AUTHZ.dll
   5.1.2600.2180 shp  0x73ed0000  oakley.DLL
   5.1.2600.2180 shp  0x742d0000  WINIPSEC.DLL
   5.1.2600.2180 shp  0x74300000  pstorsvc.dll
                      0x43000000  GoogleDesktopNetwork1.dll
   5.1.2600.2180 shp  0x719c0000  mswsock.dll
   5.1.2600.2180 shp  0x60fd0000  hnetcfg.dll
   5.1.2600.2180 shp  0x71a00000  wshtcpip.dll
   5.1.2600.2180 shp  0x74320000  psbase.dll
   5.1.2600.2133 shp  0x68100000  dssenh.dll
Two entries stand out. AcGenral.DLL together with ShimEng.dll shows an application-compatibility shim being applied to lsass, and GoogleDesktopNetwork1.dll is Google Desktop's Winsock layered service provider (LSP). An LSP is loaded into every process that initialises Winsock, which is why it turns up here; lsass itself has no need of Google Desktop, and the module says nothing about permission control. It is, however, exactly the kind of third-party module to account for: it runs inside lsass with SYSTEM privileges, and tlist printed no version information for it.
Note too that lsass.exe hosts the IPsec/IKE service (ipsecsvc.dll, oakley.DLL and WINIPSEC.DLL in the list above), so it normally listens on UDP port 500, the Internet Key Exchange (IKE) port. A firewall or port scan showing lsass.exe bound to port 500 is therefore expected on XP and is sometimes wrongly reported as a virus or trojan.
In general I believe that with a proper understanding of Windows processes, and without relying on antivirus tools, we can still be alert to anomalous processes or anomalous DLLs, spot the suspicious process and find the root of the problem.
The simple little tool tlist has helped me find several viruses that antivirus software could not identify in time.
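The module-by-module review described above can be made mechanical: record the module list of lsass.exe on a clean machine of the same build, then diff a suspect's tlist output against it and flag anything tlist could not read a version resource for. The script below is an added example, not code from the original post or from any Microsoft tool; its baseline is constructed from the XP SP2 capture above with the shim pair and the third-party LSP deliberately left out, and its sample input is a trimmed, constructed excerpt of that same capture.

```python
"""Triage the module list of a `tlist <pid>` dump of lsass.exe.

Added example, not from the original post. Two heuristics, each a reason to
look rather than a verdict:
  - a module tlist printed without a version/flags column (it found no
    version resource, which is unusual for Microsoft system DLLs);
  - a module absent from a baseline recorded on a clean machine.
"""
import re
from typing import NamedTuple, Optional


class Module(NamedTuple):
    name: str
    base: int
    version: Optional[str]  # None when tlist printed no version column
    flags: Optional[str]


# One module per line: "<version> <flags> <base> <name>", or just "<base> <name>".
_MODULE_RE = re.compile(
    r"(?:(?P<ver>\d+(?:\.\d+){1,3})\s+(?P<flags>[a-z]+)\s+)?"
    r"(?P<base>0x[0-9a-fA-F]{8})\s+(?P<name>\S+)$"
)


def parse_modules(dump: str) -> list:
    """Return loaded modules in load order; header and thread lines are skipped."""
    mods = []
    for line in dump.splitlines():
        m = _MODULE_RE.match(line.strip())
        if m:
            mods.append(Module(m["name"], int(m["base"], 16), m["ver"], m["flags"]))
    return mods


class Finding(NamedTuple):
    module: str
    reasons: tuple


def triage_modules(mods: list, baseline: frozenset) -> list:
    """Flag modules outside the baseline or lacking version information."""
    findings = []
    for mod in mods:
        reasons = []
        if mod.name.lower() not in baseline:
            reasons.append("not in clean-machine baseline")
        if mod.version is None:
            reasons.append("no version resource")
        if reasons:
            findings.append(Finding(mod.name, tuple(reasons)))
    return findings


# Constructed baseline: the Microsoft modules from the XP SP2 capture above,
# lower-cased, minus ShimEng/AcGenral and the Winsock LSP so there is something
# to flag. Record your own from a known-good machine of the same service pack.
XP_SP2_LSASS_BASELINE = frozenset("""
lsass.exe ntdll.dll kernel32.dll advapi32.dll rpcrt4.dll lsasrv.dll mpr.dll
user32.dll gdi32.dll msasn1.dll msvcrt.dll netapi32.dll ntdsapi.dll dnsapi.dll
ws2_32.dll ws2help.dll wldap32.dll secur32.dll samlib.dll samsrv.dll cryptdll.dll
winmm.dll ole32.dll oleaut32.dll msacm32.dll version.dll shell32.dll shlwapi.dll
userenv.dll uxtheme.dll imm32.dll lpk.dll usp10.dll comctl32.dll msprivs.dll
kerberos.dll msv1_0.dll iphlpapi.dll netlogon.dll w32time.dll msvcp60.dll
schannel.dll crypt32.dll wdigest.dll rsaenh.dll scecli.dll setupapi.dll
ipsecsvc.dll authz.dll oakley.dll winipsec.dll pstorsvc.dll mswsock.dll
hnetcfg.dll wshtcpip.dll psbase.dll dssenh.dll
""".split())

# Constructed excerpt of the tlist output above: header, one thread, modules.
SAMPLE_TLIST = r"""
 720 lsass.exe
   CWD:     C:\WINDOWS\system32\
   CmdLine: C:\WINDOWS\system32\lsass.exe
   NumberOfThreads: 19
    732 Win32StartAddr:0x74497f07 LastErr:0x00000000 State:Waiting
   5.1.2600.2180 shp  0x01000000  lsass.exe
   5.1.2600.2180 shp  0x7c920000  ntdll.dll
   5.1.2600.2525 shp  0x74480000  LSASRV.dll
   5.1.2600.2180 shp  0x5cc30000  ShimEng.dll
                      0x58fb0000  AcGenral.DLL
   5.1.2600.2180 shp  0x71c70000  kerberos.dll
   5.1.2600.2180 shp  0x77c40000  msv1_0.dll
   5.1.2600.2180 shp  0x74300000  pstorsvc.dll
                      0x43000000  GoogleDesktopNetwork1.dll
   5.1.2600.2180 shp  0x719c0000  mswsock.dll
   5.1.2600.2133 shp  0x68100000  dssenh.dll
"""

if __name__ == "__main__":
    for f in triage_modules(parse_modules(SAMPLE_TLIST), XP_SP2_LSASS_BASELINE):
        print(f"{f.module:28} {'; '.join(f.reasons)}")
```

Run against the excerpt it reports ShimEng.dll, AcGenral.DLL and GoogleDesktopNetwork1.dll and nothing else. The baseline check is the one that scales: a DLL with a perfectly good Microsoft version string can still be a trojaned copy, so a hash or signature check of the file on disk belongs next to it on a real investigation.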
Malware currently known to be associated with lsass includes:
W32.HLLW.Lovgate.C@mm - Symantec Corporation
W32.Mydoom.L@mm - Symantec Corporation
W32.Nimos.Worm - Symantec Corporation
W32.Sasser.E.Worm (Lsasss.exe) - McAfee
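The Sasser entry above shows the usual trick: the worm's file is named Lsasss.exe, one letter away from the real process, so it blends into a process list at a glance. The script below is an added example, not from the original post or from any vendor, that applies the checks a practitioner actually makes on a process listing: a name within one edit (or one look-alike character such as 1 for l) of lsass.exe, an lsass.exe that does not run from %SystemRoot%\System32, an lsass.exe whose parent is not winlogon.exe (Windows 2000/XP) or wininit.exe (Vista and later; this parent rule is an assumption about the OS generation), and more than one process called lsass.exe. The process listing it runs over is constructed for the example.

```python
"""Spot processes that impersonate lsass.exe in a process listing.

Added example, not from the original post. Input is a constructed listing of
the kind tlist or `tasklist /v` gives, plus the parent process name.
"""
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    name: str
    path: str
    parent: str


# Assumption: lsass is started by winlogon.exe on NT 5.x (2000/XP) and by
# wininit.exe on NT 6.0 and later; any other parent is worth a look.
EXPECTED_PARENTS = {"winlogon.exe", "wininit.exe"}

# Characters malware uses to fake the name in a process list.
_LOOKALIKE = str.maketrans({"1": "l", "i": "l", "|": "l", "5": "s", "0": "o"})


def normalise(name: str) -> str:
    """Lower-case and fold look-alike characters so 1SASS.EXE reads as lsass.exe."""
    return name.lower().translate(_LOOKALIKE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lsasss.exe / lsas.exe style names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Report(NamedTuple):
    per_process: dict  # pid -> list of reasons
    notes: list        # listing-wide observations


def triage_processes(procs, system_root=r"C:\WINDOWS") -> Report:
    """Flag look-alike names, wrong paths, wrong parents and duplicate lsass.exe."""
    expected_path = (system_root + r"\system32\lsass.exe").lower()
    per_process = {}
    named_lsass = 0
    for p in procs:
        reasons = []
        lname = p.name.lower()
        if lname == "lsass.exe":
            named_lsass += 1
            if p.path.lower() != expected_path:
                reasons.append(f"runs from {p.path}, not {expected_path}")
            if p.parent.lower() not in EXPECTED_PARENTS:
                reasons.append(f"parent is {p.parent}, expected winlogon.exe or wininit.exe")
        elif edit_distance(normalise(lname), "lsass.exe") <= 1:
            reasons.append(f"name {p.name!r} mimics lsass.exe")
        if reasons:
            per_process[p.pid] = reasons
    notes = []
    if named_lsass != 1:
        notes.append(f"{named_lsass} processes named lsass.exe (expected exactly 1)")
    return Report(per_process, notes)


# Constructed listing: one genuine lsass, one benign service, three impostors.
SAMPLE_PROCESSES = [
    Proc(720, "lsass.exe", r"C:\WINDOWS\system32\lsass.exe", "winlogon.exe"),
    Proc(644, "services.exe", r"C:\WINDOWS\system32\services.exe", "winlogon.exe"),
    Proc(1832, "lsasss.exe", r"C:\WINDOWS\lsasss.exe", "explorer.exe"),       # Sasser-style name
    Proc(2044, "lsass.exe", r"C:\WINDOWS\system\lsass.exe", "explorer.exe"),  # right name, wrong dir
    Proc(1208, "isass.exe", r"C:\Documents and Settings\user\isass.exe", "explorer.exe"),
]

if __name__ == "__main__":
    report = triage_processes(SAMPLE_PROCESSES)
    for pid, reasons in report.per_process.items():
        print(pid, "; ".join(reasons))
    for note in report.notes:
        print("note:", note)
```

The path and parent checks matter more than the name check: a worm can take the exact name lsass.exe, as pid 2044 does here, and only its location and its parent give it away. Feed the script a real listing by building Proc records from `tasklist /v` output together with the parent PIDs from tlist -t, and adjust system_root for installations that are not under C:\WINDOWS.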
So it is worth keeping a reasonable eye on this process.