This is the mail archive of the
mailing list for the cygwin project.
RE: The Big List of Dodgy Apps
- From: "Phil Betts" <Phil dot Betts at ascribe dot com>
- To: "The Cygwin-Talk Maiming List" <cygwin-talk at cygwin dot com>
- Date: Tue, 20 Mar 2007 18:01:32 -0000
- Subject: RE: The Big List of Dodgy Apps
- Reply-to: The Cygwin-Talk Maiming List <cygwin-talk at cygwin dot com>
Dave Korn wrote on Tuesday, March 20, 2007 5:24 PM::
> I'll try and find some tuits. If nothing else it
> might save a lot of time just to have the information listed in
> cygcheck. We probably want to give it the ability to detect that a
> badware exists or is installed by looking for 1) registry keys that
> would indicate it has been installed 2) presence of named executables
> in known (i.e. default install) locations and 3) presence of named
> executables in list of current running tasks.
> Anyone can suggest any other useful detection mechanisms?
It seems that most, if not all, of the offenders insert themselves
(or rather get themselves inserted) into every process's DLL list.
I would think it was possible to have cygcheck do something like
sysinternals' process explorer does to get the DLL list, but to do it
only on itself - essentially asking the question "to which DLLs am I
linked?" The expected DLLs can be eliminated from all enquiries. If
the fingerprint of a known offender is detected, it can be reported as
such. Anything else can be reported as a "potential problem".
A database of known offenders' fingerprints can be built up from the
submitted cygcheck output once a problem has been resolved. It may
also be worth building up a whitelist of known innocent fingerprints.
I don't know what the sysinternals license was before MS closed-sourced
their apps, but my guess is that it would be necessary to reverse-
engineer their technique.