https://github.com/franckferman/memento-rtlo

🔄 Memento: Right-to-Left Override (RTLO) Extension Spoofing File Renamer.
https://github.com/franckferman/memento-rtlo

cyber-security cybersecurity cybersecurity-awareness cybersecurity-tools extension-spoof extension-spoofer pentest pentest-scripts pentest-tools pentesting powershell powershell-script redteam redteam-tools redteaming spoofer spoofing spoofing-attack

Last synced: 2 months ago
JSON representation

🔄 Memento: Right-to-Left Override (RTLO) Extension Spoofing File Renamer.

• Host: GitHub
• URL: https://github.com/franckferman/memento-rtlo
• Owner: franckferman
• License: agpl-3.0
• Created: 2023-11-12T15:26:03.000Z (over 1 year ago)
• Default Branch: stable
• Last Pushed: 2025-03-13T11:55:27.000Z (3 months ago)
• Last Synced: 2025-03-13T12:35:18.470Z (3 months ago)
• Topics: cyber-security, cybersecurity, cybersecurity-awareness, cybersecurity-tools, extension-spoof, extension-spoofer, pentest, pentest-scripts, pentest-tools, pentesting, powershell, powershell-script, redteam, redteam-tools, redteaming, spoofer, spoofing, spoofing-attack
• Language: PowerShell
• Homepage: https://github.com/franckferman/Memento/
• Size: 208 KB
• Stars: 3
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

        


[![Contributors][contributors-shield]](https://github.com/franckferman/Memento-RTLO/graphs/contributors)

[![Stargazers][stars-shield]](https://github.com/franckferman/Memento-RTLO/stargazers)

[![License][license-shield]](https://github.com/franckferman/Memento-RTLO/blob/stable/LICENSE)



  



🔄 Memento-RTLO



    File extension spoofing tool using Right-to-Left Override (RLO) for .exe, .hta, .bat, and .vbs.

    


    Leverage RTLO (U+202E) to manipulate file extensions for research, red team, and awareness.





## 📜 Table of Contents

  Click to collapse/expand

  


    
📖 About

    
🛠️ Installation

    
🎮 Usage

    
🌠 Star Evolution

    
📜 License

    
📞 Contact

  


## 📖 About

Memento-RTLO is a PowerShell-based tool designed to spoof file extensions using the Right-to-Left Override (RLO) Unicode character (U+202E).

It allows creating filenames that appear harmless (e.g., .pdf, .jpeg) while remaining executable — for security research, red teaming, technical curiosity, and user awareness purposes.

> ⚠️ **Note**: This technique is widely flagged by modern antivirus and endpoint protection systems.

> It is not a stealth method, but rather a well-known attack vector used primarily for educational demonstrations and technical experimentation.

> Memento-RTLO is a learning and research project, not a sophisticated bypass tool.

### ⚙️ What is RTLO Extension Spoofing

The Right-to-Left Override (RLO) character is a Unicode control character used for bidirectional text formatting (mainly in Arabic, Hebrew, and similar languages).

When inserted inside a filename, everything that follows appears in reverse order, including the extension — thus spoofing the visual appearance of the file while retaining its original executable nature.

This technique aims to trick users into running dangerous files, thinking they are harmless documents or images.

However, modern security solutions generally detect and block such files, which makes this approach mostly useful for awareness, testing, and fun exercises.

(🔼 Back to top)


## 🚀 Installation

### Prerequisites

- **Windows OS** (Tested on **Windows 10 & 11** — may work on older versions but not officially supported).

- **PowerShell 5.1 or higher** (pre-installed on modern Windows).

> ⚠️ **Note**: 100% **pure PowerShell**, **no external software required**.

### Getting Memento-RTLO

#### Option 1: One-liner with `Invoke-WebRequest` (Recommended)

```powershell

Invoke-WebRequest https://raw.githubusercontent.com/franckferman/Memento-RTLO/stable/MementoRTLO.ps1 -OutFile MementoRTLO.ps1

```

#### Option 2: Clone via Git

```powershell

git clone https://github.com/franckferman/Memento-RTLO.git

```

#### Option 3: **Direct Download** from GitHub

1. Go to GitHub repo.

2. Click `<> Code` → `Download ZIP`.

3. Extract the archive to your desired location.

(🔼 Back to top)


## 🎮 Usage

### Getting started

1. Temporarily allow script execution:

```powershell

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process

```

> 🛑 Important: This command temporarily adjusts the execution policy to allow script execution for the current process only, minimizing security risks.

> Always examine scripts before executing them to ensure safety.

2. Run the script (_with at least a file to spoof_):

```powershell

.\MementoRTLO.ps1 --file "C:\Path\to\file.exe"

```

> ℹ️ You will be prompted to select a spoof pattern interactively, unless you specify --choice.

Alternatively, for a streamlined approach, combine the execution policy adjustment with script launch in a single line:

```powershell

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process; .\MementoRTLO.ps1 --file "C:\Path\to\file.exe"

```

### ⚙️ Command-line options

```powershell

.\MementoRTLO.ps1 --file  [--choice ] [--replace]

```

| Option                    | Description                                                           | Example                                    |

|--------------------------|-----------------------------------------------------------------------|--------------------------------------------|

| `--file `           | **(Required)** Path to the file to spoof.                             | `--file "C:\Users\user\test.exe"`          |

| `--choice `       | (Optional) Pick a spoof pattern directly (index, see `--show-list`).   | `--choice 1`                               |

| `--replace`               | (Optional) Replace original file (default is to create a copy).        | `--replace`                                |

| `--show-list`             | (Optional) Show available spoof patterns and exit.                    | `--show-list`                              |

| `/help`, `--help`, `-help`| (Optional) Show this help message.                                    | `/help` or `--help`                        |

(🔼 Back to top)


## 🌠 Star Evolution

Explore the star history of this project and see how it has evolved over time:



  

    

    

  



Your support is greatly appreciated. We're grateful for every star! Your backing fuels our passion. ✨

## 📚 License

This project is licensed under the GNU Affero General Public License, Version 3.0. For more details, please refer to the LICENSE file in the repository: [Read the license on GitHub](https://github.com/franckferman/Memento-RTLO/blob/stable/LICENSE)

(🔼 Back to top)


## 📞 Contact

[![ProtonMail][protonmail-shield]](mailto:[email protected])

[![LinkedIn][linkedin-shield]](https://www.linkedin.com/in/franckferman)

[![Twitter][twitter-shield]](https://www.twitter.com/franckferman)

(🔼 Back to top)


[contributors-shield]: https://img.shields.io/github/contributors/franckferman/Memento-RTLO.svg?style=for-the-badge

[contributors-url]: https://github.com/franckferman/Memento-RTLO/graphs/contributors

[stars-shield]: https://img.shields.io/github/stars/franckferman/Memento-RTLO.svg?style=for-the-badge

[stars-url]: https://github.com/franckferman/Memento-RTLO/stargazers

[license-shield]: https://img.shields.io/github/license/franckferman/Memento-RTLO.svg?style=for-the-badge

[license-url]: https://github.com/franckferman/Memento-RTLO/blob/stable/LICENSE

[protonmail-shield]: https://img.shields.io/badge/ProtonMail-8B89CC?style=for-the-badge&logo=protonmail&logoColor=blueviolet

[linkedin-shield]: https://img.shields.io/badge/-LinkedIn-black.svg?style=for-the-badge&logo=linkedin&colorB=blue

[twitter-shield]: https://img.shields.io/badge/-Twitter-black.svg?style=for-the-badge&logo=twitter&colorB=blue