Magicdot: A Hacker's Magic Show of Disappearing Dots and Spaces

Discover how Windows' file path conversion quirks can be exploited to hide malware, redirect operations, and conceal processes - all without admin privileges or zero-days.

Key takeaways
  • Windows has a known, unfixed issue: trailing dots and spaces are removed from the last element of a file path during DOS-to-NT path conversion

  • This path conversion behavior can be exploited to:

    • Hide files and processes from administrators
    • Manipulate file operations to target different files than intended
    • Conceal malware by making it appear as legitimate system files
    • Bypass security checks and file operation restrictions
  • Symbolic links combined with trailing dots/spaces can be used to:

    • Redirect file operations to arbitrary locations
    • Enable unprivileged users to write files to protected locations
    • Hide malicious content inside archive files
  • Process concealment techniques include:

    • Using long process names (255+ chars) to cause buffer overflows
    • Making malware appear as legitimate signed Microsoft executables
    • Hiding processes from Task Manager and Process Explorer
  • Key security recommendations:

    • Use NT paths instead of DOS paths for file operations
    • Implement proper validation before using “safe” C runtime functions
    • Add security checks for symbolic link operations
    • Be cautious with backwards compatibility features that could create security risks
  • The issue affects multiple Windows components:

    • Archive extractors
    • File explorers
    • Process management tools
    • Shadow copy functionality
    • File operation APIs
  • These techniques don’t require admin privileges or zero-day exploits to work effectively
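
A small audit for the trailing dot/space behaviour in the takeaways above, added here as an example and not taken from the talk or from Windows code. `normalize_last_element` is a simplified model of the conversion as this page describes it (trailing dots and spaces stripped from the last element only); the function names and the sample paths are constructed for illustration.

```python
from collections import defaultdict


def normalize_last_element(path: str) -> str:
    """Simplified model of the DOS-to-NT step described on this page:
    strip trailing dots and spaces from the last path element only."""
    head, sep, last = path.rpartition("\\")
    if last in (".", ".."):  # assumption: relative markers are left alone
        return path
    return head + sep + last.rstrip(". ")


def audit_names(paths):
    """Return (changed, collisions).

    changed:    {original: normalized} for names the conversion would alter.
    collisions: {normalized (lower-cased): sorted originals} where more than
                one distinct name collapses to the same path, so an operation
                aimed at one name can land on the other.
    """
    changed = {}
    groups = defaultdict(set)
    for p in paths:
        n = normalize_last_element(p)
        if n != p:
            changed[p] = n
        # Assumption: names are compared case-insensitively.
        groups[n.lower()].add(p)
    collisions = {k: sorted(v) for k, v in groups.items() if len(v) > 1}
    return changed, collisions


# Constructed sample listing (not from the page).
SAMPLE = [
    r"C:\Reports\summary.txt",
    r"C:\Reports\summary.txt.",   # trailing dot
    r"C:\Reports\notes.docx ",    # trailing space
    r"C:\Reports\archive.zip",
]

if __name__ == "__main__":
    changed, collisions = audit_names(SAMPLE)
    for original, normalized in changed.items():
        print(f"ALTERED   {original!r} -> {normalized!r}")
    for target, names in collisions.items():
        print(f"COLLISION {target!r} <- {names}")
```

Feed it names read before any DOS path conversion has happened, such as archive member names prior to extraction, so the trailing characters are still present to be flagged.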