Unicode Characters in File Names/Paths

  • Description: This technique uses non-ASCII Unicode characters within file or directory names. This can include:

    • Characters from different alphabets/scripts (e.g., Cyrillic, Chinese, Arabic, Georgian).

    • Visually similar characters (homoglyphs) that look like standard ASCII characters but are different (e.g., a Cyrillic 'а' instead of a Latin 'a').

    • Invisible or zero-width characters (e.g., U+200B zero-width space) embedded within filenames, and bidirectional control characters (e.g., U+202E right-to-left override) that change the order in which the rest of the name is displayed.

  • Mechanism: The bypass works by exploiting limitations or inconsistencies in how different tools, applications, and the OS itself render, compare, or search for these characters. NTFS stores names as raw UTF-16 and performs no Unicode normalization, so two names that look identical on screen can be entirely different code-point sequences on disk.

    • Filenames might render incorrectly or as blank spaces/question marks in some tools or command prompts.

    • Searching for the file using standard keyboard input becomes difficult or impossible: what is typed (a Latin 'a', a precomposed 'é') is a different code-point sequence from what is stored (a Cyrillic 'а', an 'e' followed by a combining accent).

    • String filters in memory analysis tools (like System Informer) might fail to match if the filter string is not the exact same code-point sequence as the stored name (different normalization form, a homoglyph in place of the expected letter, or an invisible character in the middle of an otherwise ordinary word).

    • Visually deceptive names can trick ScreenSharers during manual folder inspection.

  • Why Cheaters Use It: The primary goal is obfuscation and hindering detection. It makes files harder to find, identify, and analyze using standard methods and tools, effectively hiding cheats in plain sight or within complex, hard-to-navigate directory structures.

  • Detection:

    • Search Everything (Regex): Use regex patterns designed to find non-standard characters, such as regex:[^\x00-\x7F] (finds any non-ASCII character), or more specific patterns targeting certain character ranges; Everything's path: modifier makes the match run against the full path rather than the name alone, so directory names are covered too. Expect hits on localized systems (game translations, non-English user names), so treat a lone non-ASCII letter as a prompt to look, and mixed scripts within one word, zero-width or control characters, and names that differ from what you typed only after normalization as the real signals. Rancio's "Unicode Detector" tool is specifically designed for this.

    • Visual Inspection: Be vigilant for filenames that look slightly "off," contain unusual symbols, or have inconsistent spacing.

    • Tool Output: Pay attention to how different tools render filenames. Question marks, empty boxes, names that appear blank in a console but not in Explorer, or a name whose extension reads differently in a file dialog than in a directory listing can all be indicative.

    • Advanced Parsing Tools: Tools like MFTECmd (parses $MFT) or INDXRipper (parses $I30 index attributes), which read filesystem metadata directly, report the exact UTF-16 name as stored on disk rather than a rendering of it, and INDXRipper also recovers names of recently deleted entries from index slack.
