I'm seeing a strange anomaly in some systems I support. GMER flags the cdd.dll thread in csrss.exe, and when I run Process Explorer with Elevated Admin rights, I am:
- unable to view any loaded DLLs in either csrss.exe process
- unable to view actual thread start addresses (instead of winsrv.DLL and CSRSRV.dll, I see either 0x0 or !RtlUserThreadStart)
- unable to view any csrss.exe thread's stack
- unable to suspend or kill any thread in csrss.exe
- Strings in memory show "Error opening process"
No other tool I've run detects anything malicious. Process Hacker is able to access the threads.
2 things I know...I think...
- This is abnormal behavior (most other systems I look at give Elevated Admin full access to csrss.exe memory)
- This is consistent with rootkit-like hiding behavior.
Can anyone explain why an Admin running PE with elevated rights would see these anomalies... other than an unknown rootkit?