Where can I read about AppCertDLLs?

  • Question

  • I cannot find information on MSDN about the mechanism of AppCertDLLs. Where can I read about it?

    I signed my DLL and added its path to this key. I see that my DLL is loaded, but it is unloaded immediately. Why? I have no source to read about it.

    lpReserved is 0 in both DLL_PROCESS_ATTACH and DLL_PROCESS_DETACH. DllMain() always returns TRUE. Only kernel32 functions are called in DllMain(DLL_PROCESS_ATTACH).

    • Edited by acbaile Tuesday, October 8, 2019 2:33 PM
    Tuesday, October 8, 2019 2:17 PM

All replies

  • Here: https://attack.mitre.org/techniques/T1182/

    It looks like a dangerous undocumented backdoor. MS can (or even should) patch it anytime.

    -- pa

    Tuesday, October 8, 2019 2:40 PM
  • You can find information on Google, like: Prevent bypass of AppLocker and SAFER alias Software Restriction Policies

    With, among other things:

    "AppCertDlls are loaded during the first call of one of the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW() in every (user) process; their CreateProcessNotify() routine is called with PROCESS_CREATION_QUERY as reason whenever an application is to be started.

    If one of the AppCertDlls returns a negative NTSTATUS like 0xC0000372 alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY, process creation is denied and the Win32 functions CreateProcess*() yield an error like 786 alias ERROR_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY; process creation is allowed only if all AppCertDlls return a non-negative NTSTATUS like 0x00000000 alias STATUS_SUCCESS.

    Caveat: the NTSTATUS 0xC0000372 alias STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY was chosen deliberately to avoid possible problems in non-interactive processes: as its name implies, it instructs its receiver to deny access without displaying an error message.

    Note: the APPCERT.DLL offered for download uses the other NTSTATUS codes to let their caller(s) display error messages.

    Note: AppCertDlls are not documented by Microsoft®!"

    • Marked as answer by acbaile Tuesday, October 8, 2019 3:26 PM
    Tuesday, October 8, 2019 2:42 PM
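As an added defender-side example (not from this thread or from the page quoted above), a PowerShell audit of the AppCertDlls registry key that the linked MITRE T1182 entry describes, assumed here to live under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; it lists every registered DLL and reports whether the file exists and carries a valid Authenticode signature, which is the check a reviewer of this persistence location would want.

```powershell
# Added example, not code from the thread: enumerate AppCertDlls registrations
# and report the signature state of each DLL. Run from an elevated PowerShell.
# Assumption: the key path below (from the MITRE T1182 description).
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllAudit {
    if (-not (Test-Path -LiteralPath $AppCertKey)) {
        # On a machine with nothing registered the key is normally absent.
        Write-Output "No AppCertDlls key present: nothing is registered."
        return
    }
    $key = Get-Item -LiteralPath $AppCertKey
    foreach ($name in $key.GetValueNames()) {
        # Each value's data is a DLL path; expand %SystemRoot% and similar.
        $path   = [Environment]::ExpandEnvironmentVariables([string]$key.GetValue($name))
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        $sigStatus = 'FileMissing'
        $signer    = ''
        if ($exists) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{
            ValueName = $name
            DllPath   = $path
            Exists    = $exists
            Signature = $sigStatus   # 'Valid' is the only expected benign state
            Signer    = $signer
        }
    }
}

Get-AppCertDllAudit | Format-Table -AutoSize
```

Any entry whose Signature is not Valid, or whose path points outside the Windows directory, deserves a closer look, since every process that calls CreateProcess*() will load it.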
  • Here: https://attack.mitre.org/techniques/T1182/

    It looks like a dangerous undocumented backdoor. MS can (or even should) patch it anytime.

    -- pa

    It looks like a mechanism for extending Windows functionality. The DLL MUST be signed by a valid certificate.
    • Edited by acbaile Tuesday, October 8, 2019 2:48 PM
    Tuesday, October 8, 2019 2:48 PM
  • Why does Microsoft not document AppCertDLLs?
    Tuesday, October 8, 2019 3:10 PM
  • The most likely reason for the absence of documentation is that they don't want you to use it.
    Tuesday, October 8, 2019 3:19 PM
  • The most likely reason for the absence of documentation is that they don't want you to use it.
    Why don't they want it?
    Tuesday, October 8, 2019 3:24 PM
  • I'll guess that it's for the same reason that AppInit DLLs are out of favor -- they can introduce security risks and compatibility issues.
    Tuesday, October 8, 2019 3:28 PM
  • Microsoft could introduce an analogous public mechanism, but with the code checked and signed by Microsoft. That could eliminate the security risks. Which compatibility issues do you mean? Can a compatibility issue be a reason for hiding an API?
    Tuesday, October 8, 2019 3:39 PM
  • They aren't very proud of it...

    -- pa

    Tuesday, October 8, 2019 3:39 PM
  • AppInit DLLs are injected into the process of an unsuspecting application and are used to alter the way that the application functions, possibly hooking API functions, changing system parameters, etc. That could cause all sorts of problems.
    Tuesday, October 8, 2019 3:44 PM
  • AppInit DLLs are injected into the process of an unsuspecting application and are used to alter the way that the application functions, possibly hooking API functions, changing system parameters, etc. That could cause all sorts of problems.

    Yes, but the danger of a knife is not a reason to prohibit kitchen knives :).

    I remember reading that Microsoft explained the elimination of AppInit_DLLs by security problems: a lot of malware used it. It seems even signing did not help.

    Drivers operate in a more sensitive part of the OS.

    I don't know :). I want to modify the behavior of the caret; I write Cyrillic too. I would like to see the current keyboard layout as the color of the caret; it would be very convenient. Changing the layout is torture. And I don't see another way to realize it. Only API hooking.

    Tuesday, October 8, 2019 3:57 PM
  • Why not signing by Microsoft? I prepare my DLL and give it to Microsoft (the source code, for simplicity) in a confidential way. Microsoft checks it, compiles it, and signs it with a special certificate. Another AppInitDLLs, but only DLLs signed by Microsoft are loaded from there.

    Why not? Too much work? :) It seems developers don't use AppInitDLLs very often.

    • Edited by acbaile Tuesday, October 8, 2019 4:07 PM
    Tuesday, October 8, 2019 4:04 PM
  • Does a complementary function to CreateProcessNotify() exist? I mean a function that is called when the process exits. Something like ExitProcessNotify().

    • Edited by acbaile Wednesday, October 9, 2019 4:28 PM
    Wednesday, October 9, 2019 4:18 PM
  • Stefan Kanthak writes on his page:

    -------------------------------------------------------------------------

    PROCESS_CREATION_QUERY
    // Called once for each process that is to be created:
    // return STATUS_SUCCESS to allow process creation or
    // return STATUS_ACCESS_DISABLED_NO_SAFER_UI_BY_POLICY to deny process creation

    PROCESS_CREATION_ALLOWED
    // Called once for each process that is allowed creation

    ---------------------------------------------------------------------------

    I ran it on Windows 7, and I see that both are called at least twice: the same process, but different threads:

    ---------------------------------------------------------------------------

    19:40:53.689 - Process 2748 - Thread 964 - DllMain(DLL_PROCESS_ATTACH)

    19:40:53.689 - Process 2748 - Thread 964 - CreateProcessNotify(PROCESS_CREATION_QUERY)
    19:40:53.689 - Process 2748 - Thread 964 - CreateProcessNotify(PROCESS_CREATION_ALLOWED)

    19:41:03.470 - Process 2748 - Thread 1112 - CreateProcessNotify(PROCESS_CREATION_QUERY)
    19:41:03.470 - Process 2748 - Thread 1112 - CreateProcessNotify(PROCESS_CREATION_ALLOWED)

    ---------------------------------------------------------------------------

    Undocumented... Does somebody know something?

    But I ran notepad.exe, and my DLL is not loaded into it. Why?? :) It seems RLWA32 was right. Sorry for my doubts. It is not possible to use this feature without API documentation. It has to be for Windows internal use only.

    • Edited by acbaile Wednesday, October 9, 2019 5:12 PM
    Wednesday, October 9, 2019 4:50 PM
  • I would like to see the current keyboard layout as the color of the caret; it would be very convenient. Changing the layout is torture. And I don't see another way to realize it. Only API hooking.

    I like this idea. There should be a more elegant way. Try asking on the deskthority forum and an accessibility forum.

    And Stack Overflow is very resourceful too.

    -- pa

    Thursday, October 10, 2019 9:23 AM