
Here is a screenshot of Process Monitor, which shows a process, AliIM.exe, doing something with a DLL of TeamViewer.

Process Monitor Records

Since TeamViewer is a remote control app, I have some security concerns: will it get my TeamViewer credentials by those actions? The process doesn't ask for admin privileges when it starts up.

Process Monitor log in CSV format, with "Show Process and Thread Activity" enabled.

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"

"7:59:16.2471434 PM","AliIM.exe","30332","Process Start","","SUCCESS","Parent PID: 11168, Command line: ""C:\Program Files (x86)\AliWangWang\AliIM.exe"" /run:desktop, Current directory: C:\Program Files (x86)\AliWangWang\, Environment: 

"7:59:16.2471586 PM","AliIM.exe","30332","Thread Create","","SUCCESS","Thread ID: 29216"

"7:59:16.2940980 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"

"7:59:16.2941329 PM","AliIM.exe","30332","QueryBasicInformationFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","CreationTime: 10/22/2013 10:47:30 PM, LastAccessTime: 8/14/2014 2:57:05 PM, LastWriteTime: 8/4/2014 3:36:25 PM, ChangeTime: 8/14/2014 2:57:14 PM, FileAttributes: A"

"7:59:16.2941485 PM","AliIM.exe","30332","CloseFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS",""

"7:59:16.2942881 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"

"7:59:16.2943492 PM","AliIM.exe","30332","CreateFileMapping","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","FILE LOCKED WITH ONLY READERS","SyncType: SyncTypeCreateSection, PageProtection: "

"7:59:16.2944498 PM","AliIM.exe","30332","CreateFileMapping","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","SyncType: SyncTypeOther"

"7:59:16.2945615 PM","AliIM.exe","30332","Load Image","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Image Base: 0x6cff0000, Image Size: 0x1a000"

"7:59:16.2945812 PM","AliIM.exe","30332","CloseFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS",""

"7:59:16.2948406 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"

"7:59:16.2960652 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\CRTDLL.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
Edward

2 Answers

What you are observing may be the setup for an attack called DLL injection, a process by which a malicious program can force the execution of code within another process, in this case TeamViewer. This then allows attacks on the executing process's memory footprint, or alterations in its standard behaviour.

There is no easy way to tell what it wants to do, but I would surmise, since it's Alibaba, that it wants to be able to see connection information inside the encrypted tunnel that TeamViewer uses to protect its connection from eavesdropping. If TeamViewer stores crypto keys in RAM (as it likely does), the program may have access to those keys, or even be able to observe login actions in real time.

Frank Thomas

Maybe there are other explanations for that behaviour.

Regular DLL search - with accidentally the same name

Having only this trace, we see that the process is seeking three DLLs in the TeamViewer folder: tv_w32.dll, VERSION.dll (an MS helper DLL for Windows) and CRTDLL.dll (the MS C runtime).

Maybe a regular DLL search is running, following the search order, and the TeamViewer path seems to be in the search order. Why else should AliIM.exe look for the two MS DLLs in that folder?

If this is true, then the process is just looking for a tv_w32.dll and, by accident, TeamViewer has a DLL with that name. (On Asian pages there seem to be discussions about a tv_w32.dll which is not a part of TeamViewer.)

Any kind of misuse / attack
Since we know that AliIM.exe is malware, it may be an attack. In this case AliIM.exe could need "only" some functionality of TeamViewer. It loads the DLL and uses the internal TeamViewer functions for its own purposes.

Tools like Dependency Walker and Rohitab API Monitor would be helpful to track it down.

marsh-wiggle
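Both answers rest on reading the same few Procmon rows: Frank Thomas's on the successful Load Image of tv_w32.dll from a directory that is not AliIM.exe's own, marsh-wiggle's on the NAME NOT FOUND probes for VERSION.dll and CRTDLL.dll that look like the loader walking its search order. The script below is an added example (not code from the question or from either answer) that makes those two checks mechanical over a Process Monitor CSV export: it takes each process's application directory from its Process Start command line, reports any DLL image loaded from outside that directory and the Windows system directories, and reports every NAME NOT FOUND probe for a .dll, then groups both by directory. The sample log is constructed from the rows quoted in the question, with the Environment block of the Process Start row dropped, the Detail column shortened, and one made-up kernel32.dll row added as a control that must not be flagged.

```python
"""Triage a Process Monitor CSV export for DLL loads from a foreign directory.

Added example, not code from the question or either answer. Two checks:
  * foreign_image_load: a successful "Load Image" of a .dll that lives
    neither under the process's own application directory (taken from its
    "Process Start" command line) nor under a Windows system directory;
  * search_probe: a "CreateFile" on a .dll ending in NAME NOT FOUND, i.e.
    the loader testing one directory of its search order.
A directory that collects both kinds of finding is one the loader walked
through and found a DLL in, which is the pattern in the question's trace.
"""
import csv
import io
import ntpath
import re
from collections import defaultdict

# Constructed sample: rows quoted in the question (Environment block of the
# Process Start row dropped, Detail shortened) plus one made-up kernel32.dll
# row as a control that must not be reported.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:59:16.2471434 PM","AliIM.exe","30332","Process Start","","SUCCESS","Parent PID: 11168, Command line: ""C:\Program Files (x86)\AliWangWang\AliIM.exe"" /run:desktop, Current directory: C:\Program Files (x86)\AliWangWang\"
"7:59:16.2500000 PM","AliIM.exe","30332","Load Image","C:\Windows\SysWOW64\kernel32.dll","SUCCESS","Image Base: 0x75000000, Image Size: 0x110000"
"7:59:16.2942881 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize"
"7:59:16.2945615 PM","AliIM.exe","30332","Load Image","C:\Program Files (x86)\TeamViewer\Version8\tv_w32.dll","SUCCESS","Image Base: 0x6cff0000, Image Size: 0x1a000"
"7:59:16.2948406 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"7:59:16.2960652 PM","AliIM.exe","30332","CreateFile","C:\Program Files (x86)\TeamViewer\Version8\CRTDLL.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Directories from which image loads are expected and therefore not reported.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows")


def _under(path, directory):
    """True if path lies inside directory (case-insensitive, Windows path rules)."""
    prefix = ntpath.normcase(directory).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(prefix)


def triage(csv_text):
    """Return (kind, directory, dll_name) findings in log order."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Application directory per PID, parsed from the Process Start command line.
    app_dir = {}
    for r in rows:
        if r["Operation"] == "Process Start":
            m = re.search(r'Command line: "([^"]+)"', r["Detail"])
            if m:
                app_dir[r["PID"]] = ntpath.dirname(m.group(1))

    findings = []
    for r in rows:
        path = r["Path"]
        if not path.lower().endswith(".dll"):
            continue
        home = app_dir.get(r["PID"])
        expected = (home is not None and _under(path, home)) or any(
            _under(path, d) for d in SYSTEM_DIRS)
        if r["Operation"] == "Load Image" and r["Result"] == "SUCCESS" and not expected:
            findings.append(("foreign_image_load", ntpath.dirname(path), ntpath.basename(path)))
        elif r["Operation"] == "CreateFile" and r["Result"] == "NAME NOT FOUND":
            findings.append(("search_probe", ntpath.dirname(path), ntpath.basename(path)))
    return findings


def summarize(findings):
    """Group findings by directory: DLLs loaded from it and DLLs probed in it."""
    by_dir = defaultdict(lambda: {"loaded": [], "probed": []})
    for kind, directory, name in findings:
        key = "loaded" if kind == "foreign_image_load" else "probed"
        by_dir[directory][key].append(name)
    return dict(by_dir)


if __name__ == "__main__":
    for directory, info in summarize(triage(SAMPLE_LOG)).items():
        print(directory)
        print("  loaded from here:", ", ".join(info["loaded"]) or "-")
        print("  probed here (NAME NOT FOUND):", ", ".join(info["probed"]) or "-")
```

Two caveats when reading the output against a real capture. First, the default DLL search order is the application directory, the system directories, the Windows directory, the current directory, and then the directories on PATH; AliIM.exe's application directory and current directory are both C:\Program Files (x86)\AliWangWang\ (see its Process Start row), so the TeamViewer folder is only reached through PATH or through an explicit full path (or a SetDllDirectory / LOAD_WITH_ALTERED_SEARCH_PATH load). Second, the log as posted contains rows only under the TeamViewer path; if the capture was filtered on that path, any probes the loader made in the other directories first are missing, so re-capture with just the PID filter before drawing a conclusion about the order in which the loader actually walked. Note also that the CreateFile rows for tv_w32.dll in the question are read/execute opens of an existing file (CreationTime 10/22/2013), not a write, so the trace shows AliIM.exe consuming TeamViewer's DLL rather than planting one; what it calls inside that DLL is what API Monitor would show.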