Deceptive NTFS short file names

Are you aware of DLL hijacking? If yes, let’s suppose there is a program that executes the following line of code:

LoadLibrary('riched32.dll');

Its executable has the following name: “i_use_riched32.exe” (just as an example).

Now take a look at the contents of the directory containing this executable. The screenshots were taken in three tools: Explorer, FTK Imager Lite, and The Sleuth Kit (each one points to the same directory).

[Screenshot: Explorer]
[Screenshot: FTK Imager Lite]
[Screenshot: The Sleuth Kit]

Is the “riched32.dll” library hijacked for the “i_use_riched32.exe” executable? Let’s assume that no attempts to hijack the library have been made outside of the directory shown above.
