RtoL Toolkit

Migration planned

RtoL = right to left

This tool utilizes the Right-to-left mark, a UTF-8 character, to masquerade file extensions. It is possible to create files that seem to end with ".jpg", while still having the "exe" file extension. This isn't a vulnerability in particular and it's certainly not a rootkit kind of disguise. The tool does nothing more than to modify the filename in a way that it looks like on the screenshot.

Limitations & Constraints

As opposed to rootkits, this is not completely stealth. It has certain limitations:

  1. It only works in Windows Explorer and applications that support the Right-to-left mark
  2. The file type is still displayed as "Application" (See screenshot)
  3. You must put the actual file extension (like "exe") before the custom file extension
  4. The cover is blown once editing the filename as the cursor will behave differently
  5. The icon is fixed to the one embedded in the executable's resources or the actual file type's icon

How it works

It seems so mind-blowing, but it's surprisingly trivial. We simply pick a name that ends with "exe", like "Sexy Alexe". Perfect example for a "jpg" executable!

Sexy Alexe.jpg

At least that is how it's displayed. In reality, the filename is built using the Right-to-left mark:

Sexy Al[U+202E]gpj.exe

Characters after the Right-to-left mark are displayed in reverse. So "gpj.exe" becomes "exe.jpg". Very simple, and best of all - it works from Windows XP through Windows 10 altogether!