
Forensic Riddle #12 – Answer

July 8, 2012 in Forensic Riddles - Answers

There are many answers to this one.

For starters, consider the triplet A, W, UTF8 instead of the usual A, W in:

  • DnsQueryExA
  • DnsQueryExUTF8
  • DnsQueryExW

or

  • DnsQuery_A
  • DnsQuery_UTF8
  • DnsQuery_W

Other examples include:

  • RunDll32ShimW for Unicode, but no ANSI version RunDll32ShimA
  • GetHashFromFile for ANSI and GetHashFromFileW for Unicode
  • the triplet ShellExec_RunDLL and ShellExec_RunDLLA for ANSI, plus ShellExec_RunDLLW for Unicode

and many more…

Forensic Riddle #11 – Answer

May 2, 2012 in Forensic Riddles - Answers

The answer to #11 is simple – it was really an open-ended question, as it could be any executable file whose behavior depends on configuration, a config file, etc. I wanted to draw your attention to one type of executable specifically though – a type that I touched on in my recent post, i.e. installers. Their stub is always the same and based on their source code – the behavior depends on the installed application and the user’s choices. I told you it was easy ;)


Forensic Riddle #10 – Answer

February 20, 2012 in Forensic Riddles - Answers

Changing the file name did the trick. File names that are single characters are treated as drives; if we still want to read the file, we need to use the ‘.\’ prefix – see the screenshot for details:

More details here.

Forensic Riddle #9d – Answer

February 7, 2012 in Forensic Riddles - Answers

Windows Explorer uses desktop.ini files to customize the look and feel of each individual folder. Apart from the icon or image, it is also possible to modify the folder’s displayed name by replacing it with a name specified inside the desktop.ini file. The new name can be either a string inside a DLL, or a less-known mapping via the LocalizedResourceName registry key (works at least on XP).

See screenshot for details:

Once I created one folder like this, I copied it multiple times and in the end created the folder full of ‘Riddles’:
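As an added example (not code from the original post), the following Python parses a folder’s desktop.ini and reports when the name Explorer would show differs from the on-disk name. The desktop.ini contents and folder names are constructed for illustration; the code handles only the file-based override, not the registry mapping the post mentions, and expects already-decoded text (desktop.ini on disk is often UTF-16).

```python
import configparser

# Constructed desktop.ini content for illustration (not from the original post).
SAMPLE_DESKTOP_INI = """\
[.ShellClassInfo]
LocalizedResourceName=Riddles
IconResource=C:\\Windows\\system32\\shell32.dll,3
"""

# Constructed folder set: on-disk name -> desktop.ini text (None = no desktop.ini).
SAMPLE_FOLDERS = {
    "Riddle": SAMPLE_DESKTOP_INI,
    "Copy of Riddle": SAMPLE_DESKTOP_INI,
    "Docs": None,
    "Tools": "[.ShellClassInfo]\nIconResource=%SystemRoot%\\system32\\shell32.dll,3\n",
}


def parse_desktop_ini(text):
    """Return the [.ShellClassInfo] keys of a desktop.ini as a dict (key case preserved)."""
    # RawConfigParser: no %-interpolation, so %SystemRoot% style values survive.
    cp = configparser.RawConfigParser(allow_no_value=True, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    if not cp.has_section(".ShellClassInfo"):
        return {}
    return dict(cp.items(".ShellClassInfo"))


def display_name_override(folder_name, ini_text):
    """Return (shown_name, kind) for a folder.

    kind is 'literal' for a plain string, 'resource' for a @dll,-id reference
    (resolved from a DLL string table by Explorer), or None when not overridden."""
    value = parse_desktop_ini(ini_text).get("LocalizedResourceName")
    if value is None:
        return folder_name, None
    value = value.strip()
    if value.startswith("@"):
        return value, "resource"
    return value, "literal"


def find_relabelled_folders(folders):
    """Return (on_disk, shown, kind) for every folder whose displayed name
    differs from its on-disk name; folders: {on-disk name: ini text or None}."""
    out = []
    for on_disk, ini in folders.items():
        if ini is None:
            continue
        shown, kind = display_name_override(on_disk, ini)
        if kind is not None and shown != on_disk:
            out.append((on_disk, shown, kind))
    return out


if __name__ == "__main__":
    for on_disk, shown, kind in find_relabelled_folders(SAMPLE_FOLDERS):
        print("%-16s shown as %-20s (%s)" % (on_disk, shown, kind))
```

Two folders with different on-disk names both come back labelled ‘Riddles’, which is exactly the ‘folder full of Riddles’ effect; a triage script only needs to compare the on-disk name with the override to spot it.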

Forensic Riddle #9c – Answer

February 5, 2012 in Forensic Riddles - Answers

The answer may surprise you (or not). It’s just a matter of adding an extra blank character at the end of the second ‘Riddle’ directory, i.e. these are the ‘Riddle’ and ‘Riddle ’ directories respectively. Obviously, not very visible in the UI.

As usual, one needs to bypass CreateDirectoryA/W and use native APIs directly (otherwise the extra blank characters/spaces will be trimmed before the buffer is passed to the native APIs and the call will fail).


Forensic Riddle #9b – Answer

January 29, 2012 in Forensic Riddles - Answers

The NTFS file system is case-sensitive by design, yet this behavior is disabled by default.

One needs to change the following option in the Registry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel]
"ObCaseInsensitive"=dword:00000000
; 0 makes object-name lookups case-sensitive; the default value of 1 keeps them case-insensitive

and restart the system to be able to create files and directories that are case-sensitive.

Notably, Win32 APIs such as CreateDirectoryA/W are mapped to the NtCreateFile API with the OBJ_CASE_INSENSITIVE flag set, so they can’t be used to create case-sensitive files/directories.

Forensic Riddle #9a – Answer

January 24, 2012 in Forensic Riddles - Answers

There are many answers here and the very same result could be achieved in many ways:

  • Unicode/homomorph attack

using Unicode characters, e.g. from the Russian alphabet; this can usually be detected easily from the command line:

  • GUI attack

it is relatively easy to modify the content of any other window, including the windows used by Explorer to display file names (the window class is a standard ‘SysListView32’); some malware uses GUI attacks to remove its processes’ names from the list of processes shown by Task Manager

  • API hooking

trivial to return two exact file names for two different entries

  • patching the file system entry directly

and probably a few more…
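As an added example (not from the original posts), the following Python scans a raw directory listing for the name tricks discussed in riddles #10, #9c, #9b and #9a: single-character names, names with trailing blanks, entries that collide once case and blanks are ignored, and mixed-script names that may be homoglyphs of Latin names. The entry names are constructed for illustration; a real tool would feed it the names returned by a non-normalizing enumeration of the volume.

```python
import unicodedata
from collections import defaultdict

# Constructed sample listing (not from the original posts); the names are assumed.
SAMPLE_ENTRIES = [
    "Riddle",
    "Riddle ",          # trailing blank, as in riddle #9c
    "riddle",           # case-only sibling, possible with ObCaseInsensitive = 0 (riddle #9b)
    "Riddl\u0435",      # last letter is CYRILLIC SMALL LETTER IE, not Latin 'e' (riddle #9a)
    "a",                # single-character name (riddle #10)
    "report.txt",
]


def script_of(ch):
    """Return the Unicode script family of a letter (LATIN, CYRILLIC, ...) from its name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else ""


def check_name(name):
    """Return the list of findings for a single entry name (empty when it looks normal)."""
    findings = []
    if name != name.strip(" ."):
        findings.append("leading/trailing blank or dot")
    if len(name) == 1:
        findings.append("single-character name (drive-like; needs the .\\ prefix)")
    letters = [c for c in name if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    # A Latin name with letters from another script is the classic homoglyph pattern.
    if any(ord(c) > 127 for c in letters) and "LATIN" in scripts and len(scripts) > 1:
        findings.append("mixed-script name, possible homoglyph: {}".format(sorted(scripts)))
    return findings


def scan_listing(entries):
    """Scan a list of entry names; return {name: [findings]} for suspicious entries only."""
    report = defaultdict(list)
    for name in entries:
        for finding in check_name(name):
            report[name].append(finding)
    # Entries that are identical once case and surrounding blanks are ignored.
    buckets = defaultdict(list)
    for name in entries:
        buckets[name.strip().lower()].append(name)
    for names in buckets.values():
        if len(names) > 1:
            for n in names:
                others = [m for m in names if m != n]
                report[n].append("collides with {} ignoring case/blanks".format(others))
    return dict(report)


if __name__ == "__main__":
    for name, findings in scan_listing(SAMPLE_ENTRIES).items():
        print(repr(name))
        for f in findings:
            print("   -", f)
```

Only ‘report.txt’ comes back clean; each of the other names is flagged with the specific trick it uses, which is what a listing produced by Explorer or a plain dir would hide.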


Forensic Riddle #8 – Answer

January 15, 2012 in Forensic Riddles - Answers

There is a less-known LoadModule API in kernel32.dll that can be used to launch applications in the same way as WinExec and others.

Forensic Riddle #7 – Answer

January 2, 2012 in Forensic Riddles - Answers

The answer is pretty straightforward to anybody who is a programmer. The Registry is just configuration data that is read at some stage. The way the configuration affects the OS or an application (or DLL) depends on whether it is read during system-wide initialization (a one-off initialization that sets some flags only once after a system restart), during process/module-specific initialization (a one-off for a specific process or module), or every time a certain function is executed (in which case changing the Registry has an immediate effect).

It’s 2012 and time for something new, so I am suspending riddles for the time being. I still have a few more to post, yet from now on they won’t be that frequent.

Forensic Riddle #6 – Answer

December 26, 2011 in Forensic Riddles - Answers

Yes. It is. One way to do it is to save its own copy as an ADS (Alternate Data Stream) and run it from there. Once executed from the ADS, the copy can delete the host file. So, technically it is a bit of cheating :) , yet it works – see the screenshot for details.