armadito / armadito-windows-driver

Windows Driver for Armadito
Microsoft Public License

Malware with pure UTF-16 characters in the filename can bypass detection #5

Open SouhailHammou opened 6 years ago

SouhailHammou commented 6 years ago

Files with names containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done to ANSI, because characters that cannot be converted from Unicode are replaced with '?'.

https://github.com/armadito/armadito-windows-driver/blob/06c826009397c244a13e4d7294587d97d6c41f0b/src/communication.c#L255-L263

Below is an image demonstrating the bug. In the first case, the filename is in Arabic and in the second, the filename's first letter is the Greek M (U+039C).

[image]

A fix would require a re-implementation of the parts of the service dealing with filenames to make them support Unicode.
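
The following is an added example, not code from the armadito project or from the issue's participants: it reproduces the lossy UTF-16-to-ANSI conversion the report describes, shows that the resulting name no longer opens the file, and adds the defensive check a scanner needs before it narrows a path. It assumes cp1252 as the "ANSI" code page, and the filenames it creates are constructed samples (the Greek capital Mu U+039C comes from the report; the Arabic name is made up for illustration).

```python
"""Reproduce the '?' replacement bug from the issue and check for it defensively."""
import os
import tempfile

ANSI_CODEPAGE = "cp1252"  # assumption: Western European "ANSI" code page


def to_ansi_lossy(name: str) -> str:
    """Mimic the service's narrowing: characters the code page cannot
    represent are replaced with '?', as in the original conversion."""
    return name.encode(ANSI_CODEPAGE, errors="replace").decode(ANSI_CODEPAGE)


def is_lossy(name: str) -> bool:
    """Defensive check: True when narrowing changed the name, i.e. the ANSI
    form can no longer address the same file. (On Windows the equivalent is
    the lpUsedDefaultChar output of WideCharToMultiByte.)"""
    return to_ansi_lossy(name) != name


def scan_open(path: str, use_ansi: bool) -> bool:
    """Open the file the way the scanner would; return whether it succeeded."""
    target = to_ansi_lossy(path) if use_ansi else path
    try:
        with open(target, "rb"):
            return True
    except OSError:  # the narrowed name does not exist -> scan silently skipped
        return False


def demo() -> dict:
    """Create constructed sample files and report, per name:
    (conversion is lossy, opens via ANSI path, opens via Unicode path)."""
    names = [
        "\u039calware.exe",                       # Greek Mu, looks like 'M'
        "\u0628\u0631\u0646\u0627\u0645\u062c.exe",  # constructed Arabic name
        "Malware.exe",                            # plain ASCII control case
    ]
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            p = os.path.join(d, n)
            with open(p, "wb") as f:
                f.write(b"MZ")  # constructed stub content, not a real binary
            results[n] = (is_lossy(n), scan_open(p, True), scan_open(p, False))
    return results


if __name__ == "__main__":
    for name, (lossy, ansi_ok, wide_ok) in demo().items():
        print(f"{name!r}: lossy={lossy} ansi_open={ansi_ok} unicode_open={wide_ok}")
```

Only the ASCII control case survives the ANSI round trip; both non-Latin names become unopenable once narrowed, which is exactly the gap a scanner must close by keeping paths as Unicode (or by refusing to proceed when `is_lossy` is true).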

fdechelle commented 6 years ago

@SouhailHammou Thank you for reporting the issue and for suggesting a fix. Another possible fix would be that the driver sends to the user-mode service a HANDLE instead of the file name.