3 Methods to Spoof Fake File Extensions in Windows

Chef Editor

Ultimate Extension Spoofing Tutorial
Dog help you if you have to do this for s of files! Generally you should pay more attention to the executable file format such as. Extension Spoofing Tutorial By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service , privacy policy and cookie policy , and that your continued use of the website is subject to these policies. Sign up or log in Sign up using Google. To answer your implied question, I learn something new every day from your blog. Post Your Answer Discard By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service , privacy policy and cookie policy , and that your continued use of the website is subject to these policies.

Your Answer


There is no limit that this file must be an. It can also be a resume. This technique will work as you want it to. Using this technique you will be able to spoof any extension available on the windows platform to any other extension. Now lets start the real spoofing extension. Refer to the image in case of any confusion. This might be time taking to find for some but if you read the image carefully then you might find this char set easily.

Now exe is same as exe when we apply the char set due to obvious reasons. So I have taken the example of. This technique works for exe the same way. Now it should look like this:. That simple to spoof the extension. So you no longer need to pay for extension spoofers now!!! This is a Free give away technique for penetration testers and ethical hackers purely for educational purposes.

An example of a double extension is:. The file above is actually an executable file but is shown as notes. The next step to make the file look more convincing is to change the file icon to Notepad icon.

As you can see from the example image below, it looks like a normal text file. This is a very old trick and a few antivirus applications like COMODO will warn you when it detects a double extension in a filename.

This trick uses Right to Left unicode to reverse the last six characters so that the extension is spoofed. For example, a notes. Although the file extension clearly shows as. Since the Right to Left override character cannot be typed from the keyboard and is only shown in the Character Map program found in Windows, one can simply download a free third party program called BabelMap to generate the RTLO character for copying to clipboard and paste it when renaming a file.

Fortunately most major web browsers have stepped up to blacklist the right to left override character so that the correct file extensions are shown correctly when a user attempts to download the file with a spoofed extension using the RTLO trick.

An older version of WinRAR 4. An example is a notes. Then using a hex editor, go to the end of the file and modify the notes. However people who extract the file will be safe from this spoofing exploit as they will see that it is an executable. WinRAR 5 and above has been patched from this exploit. Hence it is always advisable to keep your software up to date even if it is not an internet related application. Oh My God, it is very dangerous, the best solution is to install a program as a shield of the registry to see suspect tentative.

Did you enjoy this post?

Since Windows users are more careful with executable extension and pay less attention to safer extensions such as image formats, there are a couple of ways to trick the careless user into thinking that an EXE file is a JPG image file instead. Lesser known tricks of spoofing extensions Posted: September 30, by Malwarebytes Labs Last updated: October 26, It is a well-known fact that malware using social engineering tricks is designed to hide itself from being an obvious executable. Malicious attachments are sent with specially crafted icons that are pretending to be . Using this technique you will be able to spoof any extension available on the windows platform to any other extension. Step 2: Now lets start the real spoofing extension. Open the windows Character map by going to start as shown in the Image.