This is the 4th and the last time :). Until I come up, or find out (send me your ideas!) about other ways of doing so.
Question is the same: what happened here?
- No malware
- No Unicode
- No case-sensitive file-names
- No blank characters
Answer here
Forensic Riddle #9c – Answer
The answer may surprise you (or not). It’s just a matter of adding extra blank character at the end of the second ‘Riddle’ directory i.e. these are ‘Riddle’ and ‘Riddle ‘ directories respectively. Obviously, not very visible on the UI.
As usual, one needs to bypass CreateDirectoryA/W and use native APIs directly (otherwise extra blank characters/spaces/ will be trimmed before the buffer is passed to native APIs and the call will fail).