Magicdot: A Hacker's Magic Show of Disappearing Dots and Spaces

Windows has a known unfixed issue where trailing dots and spaces are removed from the last element of file paths during DOS to NT path conversion

This path conversion behavior can be exploited to:

• Hide files and processes from administrators
• Manipulate file operations to target different files than intended
• Conceal malware by making it appear as legitimate system files
• Bypass security checks and file operation restrictions

Symbolic Links combined with trailing dots/spaces can be used to:

• Redirect file operations to arbitrary locations
• Enable unprivileged users to write files to protected locations
• Hide malicious content inside archive files

Process concealment techniques include:

• Using long process names (255+ chars) to cause buffer overflows
• Making malware appear as legitimate signed Microsoft executables
• Hiding processes from Task Manager and Process Explorer

Key security recommendations:

• Use anti-paths instead of DOS paths for file operations
• Implement proper validation before using “safe” C runtime functions
• Add security checks for symbolic link operations
• Be cautious with backwards compatibility features that could create security risks

The issue affects multiple Windows components:

• Archive extractors
• File explorers
• Process management tools
• Shadow copy functionality
• File operation APIs

These techniques don’t require admin privileges or zero-day exploits to work effectively