Introduction

As we’ve seen many times before, malware authors are always trying to get at important system folders on victim systems. Some reasons for this are:

  • To locate and attack actual operating system files
  • To impersonate or spoof system files, or to create files with similar names in an attempt to circumvent detection. For example, malware creates a file called “krnl32.dll” in the machine’s WINDOWS\system32 folder, a name that closely resembles the legitimate Kernel32.dll
  • To hide data from computer users. The system folders are either hidden or their location is not known to most non-technical users, and they contain many files with seemingly obscure names

What are Special Folders?

The Windows API supplies several ways in which a programmer can locate these so-called “Special Folders.” From Wikipedia [1]:

On Microsoft Windows, a special folder is a folder which is presented to the user through an interface as an abstract concept instead of an absolute folder path. (The synonymous term shell folder is sometimes used instead.) Special folders make it possible for any application to ask the operating system where an appropriate location for certain kinds of files can be found, regardless of what version or language of Windows is being used.

Essentially, special folders are nicknames rather than file paths; each nickname is mapped to a concrete file path at runtime, so a programmer can reach any of these folders, such as AppData or the Recycle Bin, without knowing where they live. While the location of AppData or the Recycle Bin can vary from machine to machine, the special folder is guaranteed to reference it as long as the physical folder exists on the system at all.

Malware is often interested in writing to or reading from special folders for reasons mentioned above, so knowledge of how this system works is beneficial for analysts.

How Special Folders are referenced

Each Special Folder has an identifier called a Constant Special Item ID List, or CSIDL for short, and/or a KNOWNFOLDERID.

According to MSDN, CSIDLs serve the following purpose [2]:

provide a unique system-independent way to identify special folders used frequently by applications, but which may not have the same name or location on any given system.

In plain English, they are simply ID numbers for these special folders, which Windows uses to refer to them.

CSIDLs can be passed to the following functions as arguments:

SHGetFolderLocation
SHGetFolderPath
SHGetSpecialFolderLocation
SHGetSpecialFolderPath

SHGetFolderPath and SHGetSpecialFolderPath both return the absolute path of the requested CSIDL/special folder. SHGetFolderLocation and SHGetSpecialFolderLocation instead return a pointer to an ITEMIDLIST structure (a PIDL) identifying the folder [3]. This can be seen in the _Out_ parameters of the following function prototypes:

HRESULT SHGetFolderLocation(
    _In_      HWND             hwndOwner,
    _In_      int              nFolder,
    _In_      HANDLE           hToken,
    _Reserved_ DWORD           dwReserved,
    _Out_     PIDLIST_ABSOLUTE *ppidl
);

HRESULT SHGetFolderPath(
    _In_  HWND   hwndOwner,
    _In_  int    nFolder,
    _In_  HANDLE hToken,
    _In_  DWORD  dwFlags,
    _Out_ LPTSTR pszPath
);

After Windows 7, the CSIDLs have been replaced with KNOWNFOLDERIDs. One of the key differences between the two is that KNOWNFOLDERIDs are GUIDs, whereas CSIDLs are plain integer constants defined as preprocessor macros.

For reference, here are links to the MSDN pages for the CSIDLs and the highly-related KNOWNFOLDERIDs:

CSIDLs
KNOWNFOLDERIDs

As a practical example of how this is used in malware, the Spora ransomware calls SHGetSpecialFolderPathW [4] with CSIDL 0x1A. This is somewhat cryptic because the MSDN page doesn’t tell us which Special Folder 0x1A corresponds to. However, it does tell us that the definitions for the CSIDLs live in the header file shlobj.h. Searching for this file led to a copy on SourceForge that defines CSIDL 0x1A as CSIDL_APPDATA, the AppData folder [5]. It’s important to note that the CSIDLs are defined in shlobj.h as decimal values rather than hex, but 0x1A is decimal 26, so that’s just a very basic conversion. In this example, the Spora ransomware is targeting the AppData folder on the victim machine.
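To make the CSIDL lookup described above repeatable, here is an added analyst helper (not code from the original post or from the Spora sample) that decodes the nFolder argument of the four CSIDL-taking functions listed earlier, including the CSIDL_FLAG_* bits that can be OR'ed into its upper byte, and walks an x86 stdcall listing to find which argument holds the CSIDL. The CSIDL table is a subset of shlobj.h, and the disassembly snippet is constructed for the example, not taken from the real sample.

```python
import re
# Subset of the CSIDL values from shlobj.h (decimal there; hex here to match a disassembler).
CSIDL_NAMES = {0x00: "CSIDL_DESKTOP", 0x05: "CSIDL_PERSONAL", 0x07: "CSIDL_STARTUP",
               0x0A: "CSIDL_BITBUCKET", 0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
               0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}
# Flag bits OR'ed into the upper byte of nFolder (CSIDL_FLAG_MASK = 0xFF00).
CSIDL_FLAGS = {0x8000: "CSIDL_FLAG_CREATE", 0x4000: "CSIDL_FLAG_DONT_VERIFY",
               0x2000: "CSIDL_FLAG_DONT_UNEXPAND", 0x1000: "CSIDL_FLAG_NO_ALIAS"}
# Per API: (argument count, zero-based position of the CSIDL argument).
CSIDL_APIS = {"SHGetFolderLocation": (5, 1), "SHGetFolderPath": (5, 1),
              "SHGetSpecialFolderLocation": (3, 1), "SHGetSpecialFolderPath": (4, 2)}
_CALL = re.compile(r"\b(SHGet(?:Special)?Folder(?:Location|Path))[AW]?\b")

def decode_csidl(n_folder):
    """Split an nFolder value into (CSIDL name, [flag names])."""
    base = n_folder & ~0xFF00
    flags = [name for bit, name in CSIDL_FLAGS.items() if n_folder & bit]
    return CSIDL_NAMES.get(base, "UNKNOWN(0x%02X)" % base), flags

def parse_immediate(tok):
    """MASM hex (1Ah, 801Ah), C-style 0x1A or decimal 26; None for registers etc."""
    try:
        return int(tok[:-1], 16) if tok[0].isdigit() and tok[-1] in "hH" else int(tok, 0)
    except ValueError:
        return None

def find_csidl_calls(disasm):
    """x86 stdcall pushes args right to left: arg i of n is the (n-1-i)-th of the last n pushes."""
    pushes, hits = [], []
    for line in disasm.splitlines():
        code = line.split(";", 1)[0].split()          # strip comment, tokenize
        if code and code[0] == "push":
            pushes.append(parse_immediate(code[1]) if len(code) > 1 else None)
        elif code and code[0] == "call" and _CALL.search(line):
            api = _CALL.search(line).group(1)
            nargs, pos = CSIDL_APIS[api]
            args = pushes[-nargs:]
            val = args[nargs - 1 - pos] if len(args) == nargs else None
            name, flags = decode_csidl(val) if val is not None else ("UNRESOLVED", [])
            hits.append((api, name, flags))
            pushes = []                                # stack arguments consumed
    return hits
# Constructed listing in the shape of the Spora call above (not the real sample's bytes).
SAMPLE_DISASM = """
push    0                  ; fCreate = FALSE
push    1Ah                ; nFolder
push    eax                ; pszPath (buffer address already in eax)
push    0                  ; hwndOwner
call    ds:SHGetSpecialFolderPathW
"""
```

Running find_csidl_calls(SAMPLE_DISASM) reports the call as SHGetSpecialFolderPath targeting CSIDL_APPDATA with no flags; an nFolder of 0x801A would additionally report CSIDL_FLAG_CREATE, meaning the folder is created if it does not exist.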

Conclusion

While this is definitely not the most covert way to conceal access to system or “special” folders, it is less obvious than a direct API call such as GetSystemDirectory or GetProcessDirectory, and so it is one way for malware to reach important folders without drawing attention.

Bibliography

1. Special folder – Wikipedia. Wikipedia. https://en.wikipedia.org/wiki/Special_folder. Accessed April 27, 2017.
2. CSIDL (Windows). Microsoft Developer Network (MSDN). https://msdn.microsoft.com/en-us/library/windows/desktop/bb762494(v=vs.85).aspx. Accessed April 27, 2017.
3. ITEMIDLIST structure (Windows). MSDN. https://msdn.microsoft.com/en-us/library/windows/desktop/bb773321(v=vs.85).aspx. Accessed April 27, 2017.
4. Hahn K. Spora – the Shortcut Worm that is also a Ransomware. G DATA Blog. https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware. Published January 18, 2017. Accessed April 27, 2017.
5. MinGW – Minimalist GNU for Windows / mingw-org-wsl / [b6761d] /include/shlobj.h. SourceForge. https://sourceforge.net/p/mingw/mingw-org-wsl/ci/master/tree/include/shlobj.h. Published June 5, 2013. Accessed April 27, 2017.