Microsoft acquired Softricity, the maker of SoftGrid, in 2006 and renamed the product Microsoft Application Virtualization, or App-V for short. Windows ships with several libraries in System32 and SysWOW64 to support App-V.
One App-V library stands out from all the rest because it has only one exported function, named IllBeBack...
That's right! A library signed by Microsoft, with Terminator in the name (AppVTerminator.dll), that has a single callable function named IllBeBack.
Someone at Microsoft was having some fun, and there's more 😉
Check out the original name in your preferred PE file viewer (mine is PE-bear). The original name of AppVTerminator.dll was Arnold.dll.
It gets better. Check out the time date stamp and you'll see that it was manually edited to match significant years in the Terminator series. In previous versions of Windows the timestamp for the library in System32 was 2027, the year the Resistance to Skynet was created and the year from which Kyle Reese traveled back to protect Sarah Connor. The timestamp for the library in SysWOW64 was 1988, the year Daniel Dyson, son of the creator of Skynet, was born.
In recent versions of Windows the timestamp continues to change and has unfortunately become somewhat meaningless. In 20H2 the timestamp for the library in System32 is 2068 and the timestamp for SysWOW64 is 2105.
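If you would rather check these easter eggs from a script than click through a PE viewer, the following is an added example of mine (not code from the original post) that walks the PE headers by hand: it reads the COFF link timestamp, the Name field of the export directory (the name the linker records for the DLL, which is what PE viewers show as the original name) and the named exports. It ships with a constructed, minimal PE32+ skeleton whose export directory is built to look like the one described above (Name "Arnold.dll", one export "IllBeBack", a timestamp in 2027); that skeleton is not a real DLL and exists only so the parser can be exercised offline. On Windows, pass the path of the real library to inspect it instead.

```python
import struct
import sys
from datetime import datetime, timezone


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def inspect_pe(data):
    """Return the COFF timestamp, export-directory name and named exports of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at offset 96 (PE32) or 112 (PE32+) of the optional header;
    # entry 0 is the export table.
    dd_off = opt + (96 if magic == 0x10B else 112)
    export_rva, _export_size = struct.unpack_from("<II", data, dd_off)
    sections = []
    for i in range(nsections):
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    info = {
        "timestamp": timestamp,
        "year": datetime.fromtimestamp(timestamp, timezone.utc).year,
        "original_name": None,
        "exports": [],  # (name, ordinal, function RVA)
    }
    if export_rva:
        e = rva_to_offset(export_rva, sections)
        # IMAGE_EXPORT_DIRECTORY fields from offset 12: Name, Base, NumberOfFunctions,
        # NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
        name_rva, base, _nfuncs, nnames, addr_funcs, addr_names, addr_ords = \
            struct.unpack_from("<IIIIIII", data, e + 12)
        info["original_name"] = read_cstr(data, rva_to_offset(name_rva, sections))
        funcs_off = rva_to_offset(addr_funcs, sections)
        names_off = rva_to_offset(addr_names, sections)
        ords_off = rva_to_offset(addr_ords, sections)
        for i in range(nnames):
            nrva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
            idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]
            frva = struct.unpack_from("<I", data, funcs_off + 4 * idx)[0]
            info["exports"].append((read_cstr(data, rva_to_offset(nrva, sections)), base + idx, frva))
    return info


def inspect_file(path):
    with open(path, "rb") as f:
        return inspect_pe(f.read())


def build_sample_dll(timestamp):
    """Constructed PE32+ skeleton: one .edata section exporting IllBeBack from 'Arnold.dll'.
    Only the headers the parser needs are filled in; it is not a loadable DLL."""
    edata = struct.pack("<IIHHIIIIIII", 0, timestamp, 0, 0,
                        0x1032,                  # Name -> "Arnold.dll"
                        1, 1, 1,                 # Base, NumberOfFunctions, NumberOfNames
                        0x1028, 0x102C, 0x1030)  # function / name / ordinal tables
    edata += struct.pack("<I", 0x1100)  # AddressOfFunctions[0]: dummy code RVA
    edata += struct.pack("<I", 0x103D)  # AddressOfNames[0] -> "IllBeBack"
    edata += struct.pack("<H", 0)       # AddressOfNameOrdinals[0]
    edata += b"Arnold.dll\0" + b"IllBeBack\0"
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + bytes(106) + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    opt += struct.pack("<II", 0x1000, len(edata)) + bytes(15 * 8)        # export dir + 15 empty dirs
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sec
    return headers.ljust(0x200, b"\0") + edata.ljust(0x200, b"\0")


# Constructed sample with a 2027 link timestamp, matching the System32 copy described above.
SAMPLE_DLL = build_sample_dll(int(datetime(2027, 1, 1, tzinfo=timezone.utc).timestamp()))

if __name__ == "__main__":
    # With a path argument (e.g. C:\Windows\System32\AppVTerminator.dll) the real file is
    # inspected; with no argument the constructed sample is used.
    target = inspect_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_pe(SAMPLE_DLL)
    print(f"link timestamp year: {target['year']}")
    print(f"export directory name: {target['original_name']}")
    for name, ordinal, rva in target["exports"]:
        print(f"  {name} (ordinal {ordinal}) at RVA {rva:#x}")
```

Run it against both the System32 and the SysWOW64 copy to see the two different years; the export-directory name and the single IllBeBack export are the same in both.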
So what's the point of Arnold.dll? To terminate a process. No kidding!
If you reverse engineer the library you'll find that DllMain is empty and IllBeBack does nothing but return TRUE. The only thing the library actually does is have its PE entry point call an internal function, which in turn calls TerminateProcess(GetCurrentProcess(), 0). The only purpose in life for Arnold.dll is to terminate any process that loads it.
We can see this by running the following Python program (on Windows, where the library lives).
import ctypes
print("Before Arnold.dll is loaded.")
# Loading the DLL runs its entry point, which terminates this process.
module = ctypes.WinDLL("AppVTerminator.dll")
print("After Arnold.dll is loaded.")  # never reached
Not only does the second print statement never run, but you can also see in ProcMon that the program terminates as soon as the library is loaded. The process exits with code 0, the exit code passed to TerminateProcess.
After finding this fun library I searched for references to it online. Aside from the many websites showing automated PDB analyses, a Google search showed that the name was referenced in only a single article by Accenture and nowhere else. The author described how to make a specific Windows service load the library to cause it to terminate, but never described anything about the library beyond that. I don't think the author knew about the many fun easter eggs hiding within it.
Edit: After searching more I found one reference to AppVTerminator exporting the function IllBeBack in a single comment on one GitHub issue. Kudos to Hyunjin Song for originally finding the function name! 😄 The comment did not mention the other easter eggs in the library, which I'm happy to have been able to document here.