The nasty [char]160

  • Context

There’s another strange thing with the Gamarue piece of malware: it creates a system hidden folder whose name is [char]160.

  • Steps to create the problem:
    • Open the explorer
    • Right-click, select ‘New’ then ‘Folder’
    • Press ALT and then enter the 4 digits 0160 and hit Enter

    Now we have a folder whose name looks either empty or like a white space.

  • How PowerShell helps us understand what we did above
    • It confirms we have the same “view” as the Explorer
    • Get-ChildItem .\

    • The folder name is [char]160 and correctly captured by the Get-ChildItem cmdlet
      (Get-ChildItem .\)[-1].FullName.GetEnumerator() | % {
        '{0}->{1}' -f $_, [int][char]$_ }

    • Notice that [char]160 isn’t listed in the invalid characters list of the .NET System.IO.Path class
      [IO.Path]::GetInvalidPathChars() | % {
        '{0}->{1}' -f $_, [int][char]$_ }

  • How would we have solved this in the old DOS days

We just launch a DOS console and rename the folder using the path completion. We make sure to enclose the path between quotes. That’s it.
We could also have typed ALT+0160 between the quotes instead of using the path completion. We didn’t even need to change the code page to 1251 or 10002.

  • What works in PowerShell

The Get-ChildItem cmdlet partially works. It’s able to output a DirectoryInfo object. It can’t be used with its “Name” parameter.
Join-Path as well as Resolve-Path cmdlets also work:

Casting the string 'C:\<ALT+0160>\' into the .Net DirectoryInfo class also works:

[IO.DirectoryInfo]('C:\ \')

Using the methods of the .Net IO.Directory class responsible for enumerating files and/or directories also works if you append a ‘\’ after the [char]160.

[IO.Directory]::EnumerateFiles('C:\ \')            
[IO.Directory]::EnumerateDirectories('C:\ \')            
[IO.Directory]::EnumerateFileSystemEntries('C:\ \')

Using the New-PSDrive cmdlet also works:

  • What are the limits of PowerShell

The Set-Location cmdlet and its alias cd don’t work

We can examine the automatic $Stacktrace variable that contains a stack trace for the most recent error.

The Rename-Item cmdlet and its alias ren don’t work.
The Move-based methods of the .Net Directory and DirectoryInfo classes don’t work either:

Another technique I found on JayKul‘s web site, http://huddledmasses.org/powershell-power-user-tips-current-directory/, works with a subfolder name

  • Final word

Although I should have done it, I chose not to file a bug as I found on the .Net IO.Directory Move method the following text that made me think that developers are aware of the above limits:

ArgumentException
sourceDirName or destDirName is a zero-length string, contains only white space, or contains one or more invalid characters as defined by InvalidPathChars.

[char]160 -match "\s"
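
Because [char]160 is classified as white space, a folder like the one Gamarue creates can be flagged by testing directory names for "white space only". The following is an added example, not code from the original post: the function name Find-BlankNamedFolder, the sample objects and the drive letter E:\ are assumptions made for illustration.

```powershell
# Added example (hypothetical helper name): flag directories whose name is made
# only of characters .NET classifies as white space, such as [char]160.
function Find-BlankNamedFolder {
    [CmdletBinding()]
    param(
        # DirectoryInfo objects, or anything exposing Name, FullName, Attributes
        [Parameter(Mandatory, ValueFromPipeline)]
        $Item
    )
    process {
        $name = [string]$Item.Name
        # IsNullOrWhiteSpace relies on Char.IsWhiteSpace, which is true for U+00A0
        if (-not [string]::IsNullOrWhiteSpace($name)) { return }

        $attr = [IO.FileAttributes]$Item.Attributes
        [pscustomobject]@{
            FullName     = $Item.FullName
            # Code points make the invisible name readable in a report
            CodePoints   = ($name.ToCharArray() |
                            ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
            HiddenSystem = $attr.HasFlag([IO.FileAttributes]::Hidden) -and
                           $attr.HasFlag([IO.FileAttributes]::System)
        }
    }
}

# Constructed sample input standing in for Get-ChildItem -Directory -Force output
$sample = @(
    [pscustomobject]@{ Name = 'Documents'; FullName = 'E:\Documents'
                       Attributes = 'Directory' }
    [pscustomobject]@{ Name = [string][char]160; FullName = 'E:\' + [char]160
                       Attributes = 'Hidden, System, Directory' }
    [pscustomobject]@{ Name = 'My Files'; FullName = 'E:\My Files'
                       Attributes = 'Directory' }
)
$sample | Find-BlankNamedFolder

# On a real volume (E:\ is an assumed drive letter); -Force is required so that
# hidden and system folders are returned at all:
# Get-ChildItem -LiteralPath 'E:\' -Directory -Force | Find-BlankNamedFolder
```

Only the second sample object is reported; names that merely contain a space, such as 'My Files', are ignored.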