AMSI modules are loaded by some printer drivers
Issue description
Some printer drivers indirectly cause AMSI modules to load, and we then warn about those modules as part of the third-party (3P) blocking efforts.
Kaspersky has a repro for this and has provided the following stack trace:
amsi_plugin64.dll.6c842308d5b1b426c880448364d2e8e8!AmsiPluginSrv::FinalConstruct() Line 206 C++
amsi_plugin64.dll.6c842308d5b1b426c880448364d2e8e8!ATL::CComCreator<ATL::CComObject<AmsiPluginSrv> >::CreateInstance(void * riid={...}, const _GUID & ppv=0x000000770edfcce8, void * *) Line 2009 C++
amsi_plugin64.dll.6c842308d5b1b426c880448364d2e8e8!ATL::CComClassFactory::CreateInstance(IUnknown * pUnkOuter, const _GUID & riid, void * * ppvObj) Line 3738 C++
combase.dll!ICoCreateInstanceEx(const _GUID & OriginalClsid, IUnknown * punkOuter=0x0000000000000000, unsigned long dwClsCtx, _COSERVERINFO * pServerInfo=0x0000000000000000, unsigned long dwCount=0x00000001, unsigned long dwActvFlags=0x00000000, tagMULTI_QI * pResults=0x000000770edfd040, ActivationPropertiesIn * pActIn=0x0000000000000000) Line 1680 C++
combase.dll!CComActivator::DoCreateInstance(const _GUID & Clsid={...}, IUnknown * punkOuter=0x0000000000000000, unsigned long dwClsCtx=0x00000001, _COSERVERINFO * pServerInfo=0x0000000000000000, unsigned long dwCount=0x00000001, tagMULTI_QI * pResults=0x000000770edfd040, ActivationPropertiesIn * pActIn=0x0000000000000000) Line 368 C++
combase.dll!CoCreateInstance(const _GUID & rclsid={...}, IUnknown * pUnkOuter=0x0000000000000000, unsigned long dwContext=0x00000001, const _GUID & riid, void * * ppv=0x000000770edfd0c0) Line 120 C++
amsi.dll!ATL::CComContainedObject<class CAmsiAntimalware>::`vector deleting destructor'(unsigned int) Unknown
amsi.dll!ATL::CComCreator<class ATL::CComObject<class CAmsiAntimalware> >::CreateInstance(void *,struct _GUID const &,void * *) Unknown
amsi.dll!ATL::CComClassFactory::CreateInstance(struct IUnknown *,struct _GUID const &,void * *) Unknown
combase.dll!ICoCreateInstanceEx(const _GUID & OriginalClsid, IUnknown * punkOuter=0x0000000000000000, unsigned long dwClsCtx, _COSERVERINFO * pServerInfo=0x0000000000000000, unsigned long dwCount=0x00000001, unsigned long dwActvFlags=0x00000000, tagMULTI_QI * pResults=0x000000770edfd700, ActivationPropertiesIn * pActIn=0x0000000000000000) Line 1680 C++
combase.dll!CComActivator::DoCreateInstance(const _GUID & Clsid={...}, IUnknown * punkOuter=0x0000000000000000, unsigned long dwClsCtx=0x00000001, _COSERVERINFO * pServerInfo=0x0000000000000000, unsigned long dwCount=0x00000001, tagMULTI_QI * pResults=0x000000770edfd700, ActivationPropertiesIn * pActIn=0x0000000000000000) Line 368 C++
combase.dll!CoCreateInstance(const _GUID & rclsid={...}, IUnknown * pUnkOuter=0x0000000000000000, unsigned long dwContext=0x00000001, const _GUID & riid, void * * ppv=0x0000026a44c63900) Line 120 C++
amsi.dll!AmsiInitialize () Unknown
jscript.dll!COleScript::Initialize(void) Unknown
jscript.dll!CJScriptClassFactory::CreateInstance(struct IUnknown *,struct _GUID const &,void * *) Unknown
combase.dll!ICoCreateInstanceEx(const _GUID & OriginalClsid, IUnknown * punkOuter=0x0000000000000000, unsigned long dwClsCtx, _COSERVERINFO * pServerInfo=0x0000000000000000, unsigned long dwCount=0x00000001, unsigned long dwActvFlags=0x00000000, tagMULTI_QI * pResults=0x000000770edfdc80, ActivationPropertiesIn * pActIn=0x0000000000000000) Line 1680 C++
combase.dll!CComActivator::DoCreateInstance(const _GUID & Clsid={...}, IUnknown * punkOuter=0x0000000000000000, unsigned long dwClsCtx=0x00000001, _COSERVERINFO * pServerInfo=0x0000000000000000, unsigned long dwCount=0x00000001, tagMULTI_QI * pResults=0x000000770edfdc80, ActivationPropertiesIn * pActIn=0x0000000000000000) Line 368 C++
combase.dll!CoCreateInstance(const _GUID & rclsid={...}, IUnknown * pUnkOuter=0x0000000000000000, unsigned long dwContext=0x00000001, const _GUID & riid, void * * ppv=0x0000026a3effbe10) Line 120 C++
PrintConfig.dll!JScriptLib::CJScriptHost::EnsureScript(void) Unknown
PrintConfig.dll!JScriptLib::CJScriptHost::Parse(void) Unknown
PrintConfig.dll!PrintConfig::CJScriptSite::InitializeScriptHost(struct JScriptLib::IJScriptDocument *) Unknown
PrintConfig.dll!PrintConfig::CJScriptSite::Initialize(void *,struct JScriptLib::IJScriptDocument *) Unknown
PrintConfig.dll!CreateJScriptSite () Unknown
PrintConfig.dll!PSUI::CPrintTicketProvider::EnsureJScriptSite(void) Unknown
PrintConfig.dll!UniDrvUI::CPrintTicketProvider::ConvertDevModeToPrintTicketInternal(unsigned long,struct _devicemodeW *,struct IXMLDOMDocument2 *) Unknown
PrintConfig.dll!UniDrvUI::CPrintTicketProvider::ConvertDevModeToPrintTicket(unsigned long,struct _devicemodeW *,struct IXMLDOMDocument2 *) Unknown
PrintConfig.dll!UniDrvUI::PerformJScriptDevmodeValidation(struct UniDrvUI::_COMMONINFO *,void *,struct _devicemodeW * *,unsigned long,unsigned long *,struct _UNIDRVEXTRA * *) Unknown
PrintConfig.dll!UniDrvUI::BFillCommonInfoDevmode(struct UniDrvUI::_COMMONINFO *,struct _devicemodeW *,struct _devicemodeW *,int,int) Unknown
PrintConfig.dll!UniDrvUI::LSimpleDocumentProperties(struct _DOCUMENTPROPERTYHEADER *) Unknown
PrintConfig.dll!UniDrvUI::DrvDocumentPropertySheets(struct _PROPSHEETUI_INFO *,__int64) Unknown
PrintConfig.dll!PrintConfig::DrvDocumentPropertySheets(struct _PROPSHEETUI_INFO *,__int64) Unknown
PrintConfig.dll!ExceptionBoundary<class <lambda_d0bc0e909aae8326444c65acaef0bdf1> >(class <lambda_d0bc0e909aae8326444c65acaef0bdf1> &&) Unknown
PrintConfig.dll!DrvDocumentPropertySheets () Unknown
winspool.drv!DocumentPropertySheets () Unknown
winspool.drv!DocumentPropertiesWNative(struct HWND__ *,void *,unsigned short *,struct _devicemodeW *,unsigned long,struct _devicemodeW *,unsigned long) Unknown
winspool.drv!DocumentPropertiesW () Unknown
> chrome.dll!printing::CreateDevMode(void * printer=0x0000026a48ab1388, _devicemodeW * in=0x0000000000000000) Line 510 C++
chrome.dll!printing::PrintBackendWin::GetPrinterSemanticCapsAndDefaults(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & printer_name, printing::PrinterSemanticCapsAndDefaults * printer_info=0x000000770edff1a0) Line 260 C++
chrome.dll!printing::GetSettingsOnBlockingPool(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & device_name={...}, const printing::PrinterBasicInfo & basic_info, scoped_refptr<printing::PrintBackend> print_backend={...}) Line 134 C++
chrome.dll!`anonymous namespace'::FetchCapabilitiesAsync(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & device_name={...}) Line 49 C++
chrome.dll!base::internal::Invoker<base::internal::BindState<std::unique_ptr<base::Value,std::default_delete<base::Value> > (*)(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > &),std::basic_string<char,std::char_traits<char>,std::allocator<char> > >,std::unique_ptr<base::Value,std::default_delete<base::Value> > ()>::Run(base::internal::BindStateBase * base) Line 665 C++
chrome.dll!base::internal::ReturnAsParamAdapter<std::unique_ptr<base::Value,std::default_delete<base::Value> > >(base::OnceCallback<std::unique_ptr<base::Value,std::default_delete<base::Value> > ()> func={...}, std::unique_ptr<base::Value,std::default_delete<base::Value> > * result=0x0000026a42c71d90) Line 20 C++
chrome.dll!base::internal::Invoker<base::internal::BindState<void (*)(base::OnceCallback<bool ()>, bool *),base::OnceCallback<bool ()>,bool *>,void ()>::RunOnce(base::internal::BindStateBase * base) Line 649 C++
chrome.dll!base::`anonymous namespace'::PostTaskAndReplyRelay::RunTaskAndPostReply(base::`anonymous namespace'::PostTaskAndReplyRelay relay={...}) Line 79 C++
chrome.dll!base::internal::Invoker<base::internal::BindState<void (*)(base::(anonymous namespace)::PostTaskAndReplyRelay),base::(anonymous namespace)::PostTaskAndReplyRelay>,void ()>::RunOnce(base::internal::BindStateBase * base=0x0000026a45a50590) Line 649 C++
chrome.dll!base::debug::TaskAnnotator::RunTask(const char * queue_function, base::PendingTask * pending_task=0x000000770edff9a8) Line 101 C++
chrome.dll!base::internal::TaskTracker::RunOrSkipTask(base::internal::Task task, base::internal::Sequence * sequence, bool can_run_task) Line 530 C++
chrome.dll!base::internal::TaskTracker::RunAndPopNextTask(scoped_refptr<base::internal::Sequence> sequence={...}, base::internal::CanScheduleSequenceObserver * observer=0x0000026a453ce250) Line 404 C++
chrome.dll!base::internal::SchedulerWorker::RunWorker() Line 329 C++
chrome.dll!base::internal::SchedulerWorker::RunBackgroundPooledWorker() Line 230 C++
chrome.dll!base::`anonymous namespace'::ThreadFunc(void * params=0x0000026a45a8d550) Line 94 C++
kernel32.dll!BaseThreadInitThunk () Unknown
ntdll.dll!RtlUserThreadStart () Unknown
,
Oct 4
From comment #1, note that (3) is prohibitively expensive: the registrations are in HKLM\Software\Microsoft\AMSI\Providers, which means we'd have to copy the entire HKLM hive just to omit a few entries :(
,
Oct 4
Another silly idea: patch the AMSI module at load time to effectively neuter its entry points.
,
Nov 10
,
Nov 12
Current best-of-breed idea: (1) Determine when printing is occurring, and disable blocking during this time period. This could be a one-way switch, but we should be able to scope it to when the print dialog is open. (2) Wait for OOP printing to land, and then we can rip out this hack.
,
Nov 23
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1d2a25684afc592e35ac7a4ec5e3d62b67976b42 commit 1d2a25684afc592e35ac7a4ec5e3d62b67976b42 Author: Patrick Monette <pmonette@chromium.org> Date: Fri Nov 23 21:27:09 2018 Disable the NtMapViewOfSection hook when printing is initiated Due to an issue with printing drivers possibly loading third-party DLLs that mustn't be blocked, initiating a printing operation now disables the hook in chrome_elf for the remainder of the process' lifetime. This is a short term solution to allow us to ship third-party blocking. Bug: 809738, 892294 Change-Id: I0b583197c2b619226e5a4a05836451b9f30eb133 Reviewed-on: https://chromium-review.googlesource.com/c/1312166 Reviewed-by: Robert Kaplow <rkaplow@chromium.org> Reviewed-by: Chris Hamilton <chrisha@chromium.org> Reviewed-by: Lei Zhang <thestig@chromium.org> Commit-Queue: Patrick Monette <pmonette@chromium.org> Cr-Commit-Position: refs/heads/master@{#610672} [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/conflicts/module_database_win.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/conflicts/module_database_win.h [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/conflicts/module_load_attempt_log_listener_win.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/conflicts/third_party_metrics_recorder_win.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/conflicts/third_party_metrics_recorder_win.h [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/printing/DEPS [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/printing/print_preview_dialog_controller.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome/browser/printing/printing_message_filter.cc [modify] 
https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/BUILD.gn [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/chrome_elf_test_stubs.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/chrome_elf_x64.def [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/chrome_elf_x86.def [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/third_party_dlls/hook.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/third_party_dlls/logs.h [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/third_party_dlls/logs_unittest.cc [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/third_party_dlls/main_unittest_exe.cc [rename] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/third_party_dlls/public_api.cc [rename] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/chrome_elf/third_party_dlls/public_api.h [modify] https://crrev.com/1d2a25684afc592e35ac7a4ec5e3d62b67976b42/tools/metrics/histograms/histograms.xml |
Comment 1 by chrisha@chromium.org
, Oct 4