Unicode, Windows and Social-Engineering

Inspired by relentless coding’s post I figured I wanted to see how this technique fared with Microsoft Windows 8, Resource Hacker (from now on RH) and Python. Let’s see if it is possible (or even hard) to reproduce on Windows 8.

First, let’s take a suitable binary. I’ll just use PuTTY, but feel free to use something from the Metasploit payload if you’re so inclined. Start RH, open your chosen binary in it, and replace the icon with a PowerPoint icon: load wmploc.dll as the icon source and choose icon number 732.


You might need to fiddle around a bit with it or use alternative means to modify your binary. Perhaps use pyinstaller with some custom Python code. The end result should at least look something like this.


Now, let’s use Python to add some Unicode to the filename. We’re going to add a part to the filename that is read right to left instead of the ordinary (in our case) left to right.


import os
os.rename("c:/tmp/putty.exe", u"Michael Jacksson - Ripped by \u202E3pm.SCR")

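Note that the second argument to the rename function contains \u202E, the Unicode RIGHT-TO-LEFT OVERRIDE character, which makes everything after it display right to left. The file’s real extension is still .SCR, but the tail "3pm.SCR" is drawn reversed as "RCS.mp3", so the name appears to end in .mp3. After executing the code the end result looks like this. :)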


Obviously running PuTTY is pretty harmless; in fact it won’t even start in its current state. It’ll complain about arguments. But this can be done with something far more malicious in a phishing campaign, or perhaps placed on USB drives that are dropped close to the target.
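From the defender's side, the trick is easy to spot because the override character is still present in the stored filename. The following is an added example, not code from the original post: it flags names containing bidirectional control characters and reports the extension Windows will actually act on. The extension list and the sample names are assumptions constructed for illustration.

```python
import os
import sys

# Unicode bidirectional formatting characters that can change display order.
BIDI_CONTROLS = {
    "\u202A", "\u202B", "\u202C", "\u202D", "\u202E",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200E", "\u200F",                                # LRM, RLM
}
# Illustrative subset of extensions Windows executes (assumption, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def inspect_name(name):
    """Return a finding dict if the name holds bidi controls, else None."""
    found = sorted({c for c in name if c in BIDI_CONTROLS})
    if not found:
        return None
    # Drop the controls so the extension is taken from the logical byte order,
    # which is what the OS uses, not from what the shell draws on screen.
    logical = "".join(c for c in name if c not in BIDI_CONTROLS)
    real_ext = os.path.splitext(logical)[1].lower()
    return {
        "escaped": name.encode("unicode_escape").decode("ascii"),
        "controls": ["U+%04X" % ord(c) for c in found],
        "real_ext": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
    }


def scan_tree(root):
    """Walk a directory tree and collect findings for every suspicious name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            hit = inspect_name(name)
            if hit:
                hit["path"] = os.path.join(dirpath, name)
                findings.append(hit)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_tree(sys.argv[1])
    else:
        # Constructed sample names: the one from this post and a benign one.
        samples = ["Michael Jacksson - Ripped by \u202E3pm.SCR", "holiday.mp3"]
        results = [r for r in map(inspect_name, samples) if r]
    for r in results:
        print(r["escaped"], r["controls"], r["real_ext"], "EXECUTABLE" if r["executable"] else "")
```

Run it with a directory argument (a download folder or a mounted USB drive) to scan real files; without arguments it only checks the constructed samples.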