Curious case of the conhost.exe and condrv.sys

Update

After I posted the question to Twitter, Alex Ionescu (god of NT kernel internals, for those who don’t know) suggested that it could be an export by ordinal from the ntoskrnl.exe. It was not the case in this scenario, but it’s a very good direction for investigation and I didn’t think of it when I encountered the issue.

Following on that lead I dug deeper. Further inspection of the condrv.sys driver confirmed that at least 2 functions from ntoskrnl.exe are imported by the ordinal (0x0001, and 0x0002):

->Import Table
 1. ImageImportDescriptor:
 OriginalFirstThunk: 0x0000A1AC
 TimeDateStamp: 0x00000000 (GMT: Thu Jan 01 00:00:00 1970)
 ForwarderChain: 0x00000000
 Name: 0x0000AA04 ("ntoskrnl.exe")
 FirstThunk: 0x00002088

Ordinal/Hint API name
 ------------ ---------------------------------------
 0x00FF "ExReleasePushLockExclusiveEx"


 0x0002  <------- import by ordinal
 0x05C1 "ObCloseHandle"
 0x067F "PsGetProcessImageFileName"
 0x0001  <------- import by ordinal

so Alex’s explanation points us in a right direction, except the issue is the import table of condrv.sys, not the export table of ntoskrnl.exe; IDA somehow assumes the names of the ‘guessed’ service functions based on the ordinals and does it wrongly – this is what causes confusion and ends up with us staring at an incorrect disassembly.

Old Post

A few months back I came up with an idea to find out how the conhost.exe process is spawn by the OS to co-exist with pretty much every single console applications on the system.

I theorized that if I find out how it is spawn, I may be able to possibly influence this process and make it behave differently from the expected (wishful thinking that perhaps I could find a way to run this process anytime I want and hijack it for e.g. process hollowing or sth along these lines).

After looking at the code of the AllocConsole function (which is a prime suspect here as it allocates consoles after all), I eventually landed in the code that calls NtDeviceIoControlFile with the IOCTL 0x500037.

Quick google search followed and I re-visited an excellent posts from FireEye:

where the very same conhost.exe spawning mechanism is also described, although briefly.

So, there is a way to launch a conhost.exe process bypassing all the WinExec/ShellExecute/ShellExecuteEx/CreateProcess/CreateProcessInternal/etc. API layer. Still, there is no easy way to obtain the handle to that process so the malware that would try to use it would still need to find that process and hijack it. It looks like OS designers took the malicious bit into account and made it a bit harder for the coders to abuse it.

The reason for this post is not the mechanism itself, but the curious issue I encountered while analysing the condrv.sys driver. It is the driver that actually receives the IOCTL 0x500037 and processes it, calling the ZwCreateUserProcess routine in the end, at least, this is my working hypothesis at the moment.

Why hypothesis?

When you analyze the the driver w/o symbols, the system routine the driver calls to launch conhost.exe is not ZwCreateUserProcess, but ExAcquireRundownProtection. A very strange choice. It is only applying the .pdb file to IDA will allow to map that call to ZwCreateUserProcess. Could it be an intentional way to obfuscate the calls? Or, am I missing something? I will admit my kernel mode analysis skills are really rusty.

Ideas, anyone?

This is what I see inside the condrv.sys without symbols (see that 2nd functions):

and with symbols:

A few things about EICAR that you may be not aware of…

Update April 2017

As per info from Vess, the programmer who was responsible responsible for writing the EICAR file was Padgett Peterson.

If you get excited about EICAR file making the news as being able to make AV deleting logs when EICAR is used as a user name, password, User agent, etc. – it’s old news 😉 Read the history of the file including first attempts to abuse it here.

Old Post

When my wife studied her MA in graphic design and branding she got a lot of interesting home work. One of them was… ‘The square’. She spent a lot of time brainstorming and eventually produced a large collection of ideas that got her a good mark. Now, the simple purpose of that exercise was to play around with the idea of… ideas. As simple as it sounds, the moment you start exploring one ‘simple’ subject you will soon find yourself deep in a forest.

As I am adding support for many Quarantine files now (to DeXRAY) I suddenly found myself in a world of Antivirus analysis. One thing that somehow connects all of AV products is not their functionality, or Utopian vision of full protection, but… the EICAR file.

I decided to explore the topic of this file a bit – same as my wife was exploring the square. Yup, here’s a boring story SLASH a bunch of ideas associated with EICAR SLASH and other topics like this …

First of all – in case you don’t know – EICAR is a small file that is used as a test for security products (in the past it was mainly antivirus, but nowadays it should apply to any security solution that looks at files/content of any sort really). Once you deploy/install the solution/product, you can drop the EICAR file all over the place and see if solution picks it up. Notably, some AV vendors apparently do not understand what EICAR’s purpose is and decided not to detect it. I won’t be pointing fingers, but upload EICAR file to VirusTotal and you will know who I am talking about.

Naming conventions in AV is a subject to many debates over many years. EICAR looks like a no-brainer though as it’s an artificial file created with a single purpose and its origin and name are well-documented. It doesn’t help though… it would seem that vendors can’t agree on one, single name. Here is a histogram of names used by AV:

EICAR_test_file                  11
EICAR-Test-File                   7
EICAR-Test-File (not a virus)     4
Eicar test file                   3
EICAR (v)                         2
Eicar-Test-Signature              2
EICAR.Test.File                   2
EICAR.TestFile                    2
EICAR Test File (NOT a Virus!)    1
EICAR.TEST.NOT-A-VIRUS            1
EICAR-Test-File (not a virus) (B) 1
EICAR Test String                 1
DOS.EiracA.Trojan                 1
Marker.Dos.EICAR.dymlmx           1
EICAR.Test.File-NoVirus           1
NORMAL:EICAR-Test-File!84776 [F]  1
EICAR-Test-File!c                 1
EICAR Test-NOT virus!!!           1
Win32.Test.Eicar.a                1
Misc.Eicar-Test-File              1
EICAR_Test                        1
NotAThreat.EICAR[TestFile]        1
qex.eicar.gen.gen                 1
TestFile/Win32.EICAR              1
Virus:DOS/EICAR_Test_File         1
EICAR-AV-Test                     1
EICAR-AV-TEST-FILE                1
EICAR-test[h]                     1

And the bonus: one of these even has a typo. Can you spot it?

EICAR is a very strange phenomenon.

It is an organization. It is a file. It has a dedicated web site. It haz a dedicated con. Its original name is inclusive of Europe, and exclusive of other continents (EICAR stands for ‘European Institute for Computer Antivirus Research’; deprecated name, but always…).

Anagrams of EICAR are ERICA, CERIA and AREIC. They serve no purpose in this article.

Properties:

File size: 68 bytes
MD5: 44D88612FEA8A8F36DE82E1278ABB02F
SHA1: 3395856CE81F2B7382DEE72602F798B642F14140
SHA256: 275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F
CTPH: 3:a+JraNvsgzsVqSwHq9:tJuOgzsko
Entropy: 4.872327687

Eicar is a DOS file and can be executed… but only under old versions of Windows.

eicar

The source code is using the same tricks as shellcodes:

  • code is obfuscated

eicar2

  • it is a self-modifying code (patching itself)

eicar3

eicar4

Does your sandbox solution accept EICAR? Test it.

There exist tools that help you to generate EICAR file and its cousins (file formats embedding EICAR).

There exist a close friend of EICAR called AMTSO (Anti-Malware Testing Standards Organization) that focuses on testing antimalware methods. It produces some more test files to support the original idea introduced by EICAR f.ex. Potentially Unwanted Application equivalent of EICAR:

puaeicar

with the histogram of detection names as follows (VT detection rate: 43/56 – mind you that the file was compiled on 2013-04-04 21:26:07 (Thursday)):

Application.Hacktool.Amtso.A                             5
Riskware ( 0040eff71 )                                   2
AMTSO-Test                                               2
PUA_Test_File                                            2
RiskTool.EICAR-Test-File.r5 (Not a Virus)                1
RiskWare[RiskTool:not-a-virus]/Win32.EICAR-Test-File     1
RiskTool.Win32.AMTSOTestFile (not malicious)             1
Amtso.Test.Pua.A                                         1
W32/PUAtest.B                                            1
AMTSO_PUA_TEST                                           1
RiskTool.Win32!O                                         1
Application.Win32.AmtsoTest.a                            1
Riskware.AMTSO-Test-PUA                                  1
Application/AMTSOPUPTestfile                             1
Trojan.Staser.gen                                        1
Application:W32/AMTSOPUATestfile                         1
W32/TestFile.LCMA-1046                                   1
Backdoor.CPEX.Win32.29390                                1
Risktool.W32.Eicar.Test!c                                1
Hacktool.Win32.EICAR-Test-File.aa                        1
RiskTool.Win32.AMTSOTestFile                             1
not-a-virus:RiskTool.Win32.EICAR-Test-File               1
AMTSO-PUA-Test                                           1
PE:Malware.Generic/QRS!1.9E2D [F]                        1
Riskware.Win32.EICARTestFile.dmxhvk                      1
PUA.AMTSOTest                                            1
SpyCar                                                   1
PUA/AMTSO-Test                                           1
Trojan/W32.Agent.33280.TI                                1
Win32/PUAtest.B potentially unwanted                     1
W32/TestFile                                             1
Win32:AmtsoTest-A [PUP]                                  1
AMTSO-PUA-Test (PUA)                                     1
RiskTool.EICAR-Test-File.a                               1
AMTSO Test File PUA (Not a Virus!)                       1
PUP/Win32.AMTSO_Test                                     1

…and the cloudish EICAR file as well. Here’s the histogram of names given to the cloudish EICAR file (only 23/56 vendors detect it on VT; compilation date:  2010-07-08 23:02:46 (Thursday), ouch!):

AMTSO_TEST_CLOUDCAR                    2
Cldcar-Test!3FB121FBBCCB               2
Trojan.Win32.Generic!BT                2
Trojan.Agent/Gen-CloudTest             1
Virus:DOS/EICAR_Test_File              1
Trojan.Generic                         1
Application.Win32.CloudTest.s          1
Win.Trojan.11584714-1                  1
Amtso.Test.Cloudcar.A                  1
Trojan.Brodcom.Win32.366               1
Trojan.Win32.DangerousObject.dlgbhn    1
AMTSO-CLOUD-Test                       1
Trojan.Win32.Z.Agent.7178[h]           1
CLOUDCAR_Test                          1
UDS:DangerousObject.Multi.Generic      1
DangerousObject.Multi.Generic!c        1
W32/GenBl.3FB121FB!Olympus             1
Mal/Generic-S                          1
AMTSO Test File (NOT a Virus!)         1
Trj/CI.A                               1

There also exist a close friend fo EICAR called GTUBE (Generic Test for Unsolicited Bulk Email) for testing anti-spam solutions. It is also 68 bytes long.

Last, but not least – there exists a shorter version of EICAR and it is 12 bytes SHORTER than the original!

The Base64-encoded EICAR looks like this:

WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JDIDYOUSPOTTHISEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCo=

You may come across it as it is being used in various tests and… it is a method used by Esafe to save Quarantine files. And… maybe you can’t read this post in case your security product is over protective and detected the BASE64-encoded EICAR string. Well, if it does… it shouldn’t, as I included ‘DIDYOUSPOTTHIS’ in the BASE64 encoding above. Well, did you spot that DIDYOUSPOTTHIS?

EICAR is a tool. I use it to test Quarantine files’ encryption. When I find no encryption, or trivial encryption/encoding – I love EICAR. When I have to dig into some actual code to find out how they transform the original EICAR bytes into sth terrible I absolutely hate this little piece of hybrid data/code ;).