Magicdot: A Hacker's Magic Show of Disappearing Dots and Spaces
Discover how Windows' file path conversion quirks can be exploited to hide malware, redirect operations, and conceal processes - all without admin privileges or zero-days.
- Windows has a known unfixed issue where trailing dots and spaces are removed from the last element of file paths during DOS to NT path conversion
- This path conversion behavior can be exploited to:
  - Hide files and processes from administrators
  - Manipulate file operations to target different files than intended
  - Conceal malware by making it appear as legitimate system files
  - Bypass security checks and file operation restrictions
- Symbolic links combined with trailing dots/spaces can be used to:
  - Redirect file operations to arbitrary locations
  - Enable unprivileged users to write files to protected locations
  - Hide malicious content inside archive files
- Process concealment techniques include:
  - Using long process names (255+ chars) to cause buffer overflows
  - Making malware appear as legitimate signed Microsoft executables
  - Hiding processes from Task Manager and Process Explorer
- Key security recommendations:
  - Use NT paths instead of DOS paths for file operations
  - Implement proper validation before using “safe” C runtime functions
  - Add security checks for symbolic link operations
  - Be cautious with backwards compatibility features that could create security risks
- The issue affects multiple Windows components:
  - Archive extractors
  - File explorers
  - Process management tools
  - Shadow copy functionality
  - File operation APIs
- These techniques don’t require admin privileges or zero-day exploits to work effectively
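
A defensive check for the archive case listed above, as an added example that is not from the talk: it models the trailing dot/space removal in Python and flags archive entries whose names would change, or collide with another entry, after conversion. The function names, the in-memory sample archive and the choice to apply the stripping to every path element are assumptions.

```python
import io
import zipfile
from collections import defaultdict


def nt_view(name: str) -> str:
    """Model of the conversion described above: trailing dots and spaces
    are dropped from the last path element. Applied to every element here
    (an assumption, conservative for auditing) because an extractor creates
    each directory through a path in which it is the last element."""
    parts = [p for p in name.replace("\\", "/").split("/") if p]
    # Keep elements made only of dots/spaces unchanged instead of emptying them.
    return "/".join(p.rstrip(". ") or p for p in parts)


def audit_archive(zf: zipfile.ZipFile) -> dict:
    """Return entries whose names change under nt_view, and groups of
    entries that end up with the same name after the change."""
    changed, groups = [], defaultdict(list)
    for info in zf.infolist():
        raw = "/".join(p for p in info.filename.replace("\\", "/").split("/") if p)
        view = nt_view(raw)
        groups[view].append(info.filename)
        if view != raw:
            changed.append(info.filename)
    collisions = {k: v for k, v in groups.items() if len(v) > 1}
    return {"changed": changed, "collisions": collisions}


def build_sample() -> zipfile.ZipFile:
    """Constructed sample archive, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.txt", "expected content")
        zf.writestr("docs/report.txt. ", "second entry, same name after conversion")
        zf.writestr("tools./run.cmd", "directory element with a trailing dot")
        zf.writestr("notes.md", "clean entry")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    result = audit_archive(build_sample())
    for name in result["changed"]:
        print("name changes on conversion:", repr(name))
    for target, names in result["collisions"].items():
        print("collision at", target, "<-", names)
```

Rejecting or quarantining any archive that reports a non-empty `changed` list before extraction is the conservative policy; `collisions` shows which entries would land on the same on-disk name.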