Malware with pure UTF-16 characters in the filename can bypass detection

[SouhailHammou]

Files with names containing pure UTF-16 characters can bypass detection. The user-mode service will fail to open the file for scanning after the conversion is done to ANSI, because characters that cannot be converted from Unicode are replaced with '?'.

armadito-windows-driver/src/communication.c

Lines 255 to 263 in 06c8260

	// Convert unicode string to ansi string for ring 3 process.
	ntStatus = RtlUnicodeStringToAnsiString(&AnsiString, (PCUNICODE_STRING)FilePath, TRUE);
	if(!NT_SUCCESS(ntStatus)){
	DbgPrint("[-] Error :: ArmaditoGuard!SendScanOrder :: RtlUnicodeStringToAnsiString() routine failed !! \n");
	__leave;
	}
	// Fill the SCAN_MESSAGE_CONTEXT struct.
	RtlCopyMemory(&(scanMessage->FileName), AnsiString.Buffer, AnsiString.Length);

Below is an image demonstrating the bug. In the first case, the filename is in Arabic and in the second, the filename's first letter is the greek M (U+039C).

A fix would require a re-implementation of the parts of the service dealing with filenames to make them support Unicode.

[fdechelle]

@SouhailHammou Thank you for reporting the issue and for suggesting a fix.
Another possible fix would be that the driver sends to the user-mode service a HANDLE instead of the file name.