Enabling the internal debug outputs of cmd.exe

[jeb]

Hi,

while I'm trying to building a new technic, I've found an interesting bug in CMD.exe.

It enables a debug output option of cmd.exe that shows how characters, tokens and commands are parsed

Like this

if 4==5 echo Hello

GeToken: (4000) 'if'
GeToken: (4000) '4'
Ungetting: ' 4==5 echo Hello
'
GeToken: (4000) '4'
Ungetting: ' 4==5 echo Hello
'
GeToken: (4000) '4'
GeToken: (4000) '==5'
GeToken: (4000) 'echo'
GeToken: (4000) ' Hello'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
if
Cmd: 4 Type: 39 Args: `5'
Cmd: echo Type: 0 Args: ` Hello'

And to enable it it's quite simple, building a batch file containing some opening parenthesis (a bit more than 256)

Code: Select all

((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((

Then the debug output is constantly activated in that cmd-window.
Tested with Win7 x64 cmd.exe Version 6.1.7601.

I suppose it's a simple buffer overrun bug.

If you put far more brackets you get some odd and long output (I discoverd the bug with over 2000 brackets)

Now, have fun to play with it
jeb

[npocmaka_]

Wow.


Does this mean that the max nested expressions in brackets are 256

[jeb]

Does this mean that the max nested expressions in brackets are 256

Yes, it's seems so and that's a pity, as I have an idea that would only be perfect with unlimited bracket levels.

[OperatorGK]

Ah, Buffer overflow!
I have been tried do it with %cmdcmdline% overflow, digging deep into cmd.exe memory map, but you just discovered this faster than me!
Anyway, nice! Now my researchments will speed up!

[OperatorGK]

This bug actually does more than simply turning parser debug mode on!
As I discovered in my previous post about %cmdcmdline% bug, overflowing %cmdcmdline% variable over normal limit causes
cmd.exe to freeze and simply doing nothing. But with this "debug" turned on, it'll actually produce this error window (translated from Russian, might be incorrect!) :

Code: Select all

Instruction at address "0x0b85a3d5" tried to get memory at "0xffffffff".
Memory couldn't be "read".
"OK" - terminating the application.
"Cancel" -- debugging the application.

With buttons OK and Cancel. Clicking on any of this buttons closes the error window, and cmd.exe will think that you pressed Ctrl-C.
All of it is strange. I think debug mode switch memory position and %cmdcmdline% memory position are <8192 bytes near.

I think someone should test it on 32-bit XP.

[jeb]

Tested with XP x32 (German): I get no special effects, but when I placed more than 2500 opening brackets, then the cmd windows directly closed.

edit:
The behaviour depends of the number of brackets also on Win7, at some point I get also a modal window with an error message

[dbenham]

Amazing

Dave Benham

[Squashman]

Makes me wondering if anyone from Microsoft ever sees some of the stuff you guys hack into batch files.

[npocmaka_]

On windows 10 GeToken and Ungetting functions are no more printed.

Another way to do this on win10 is this line:

Code: Select all

break&(:#)

Should be last one in the file - without new lines or anything else behind the closing bracket.

All commands except IF and REM are pointed as Type: 0.(I don't know is this type)
IF EQU/GTR/GEQ/LSS/LEQ are Type: 3a
IF == is 39.

If errorlevel is Type: 35.If cmdextversion is 34.If exist is 37.If /? is 3c. If defined is 36 .

Looks there's no IF command of type 38 ?

REM is Type: 2d . Some commands with /? are type 3c


To "heal" the cmd from the debug mode you need 256 @'s (at least works on windows 10):

Code: Select all

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

[penpen]

Looks there's no IF command of type 38 ?

I think you've just partly confirmed what i suspected some time ago (with other token values because of using WinXp instead of Win10):
http://www.dostips.com/forum/viewtopic.php?p=32860#p32860.
Thanks for that.
(So the single characters are the token types of the first child in the parse tree.)

Save this batch as "testIf.bat".
Then i tweaked your code to "enableDebug.bat":

Code: Select all

@echo off
call ^
:break 2>nul ^
::
break&(:#)

Now you can see that under Windows 10 the token type 38 should be "not" (ascii('8') == 38; same for the other values):

Code: Select all

Z:\>testIf.bat
if.bat:  4
if.bat:  4
if.bat:  5
if.bat:  5
if.bat:  6
if.bat:  6
if.bat:  7
if.bat:  7
if.bat:  9
if.bat:  9
if.bat:  :
if.bat:  :

Z:\>enableDebug.bat
Z:\>call if not cmdextversion 1 else
Cmd: call  Type: 0 Args: ` if not cmdextversion 1 else'
if
  not
    Cmd: cmdextversion  Type: 34 Args: `1'
  Cmd: else  Type: 0
Cmd: echo  Type: 0 Args: ` if.bat:  8'

Z:\>echo if.bat:  8
if.bat:  8

Z:\>

penpen

[dbenham]

Another way to do this on win10 is this line:

Code: Select all

break&(:#)

Should be last one in the file - without new lines or anything else behind the closing bracket.

To "heal" the cmd from the debug mode you need 256 @'s (at least works on windows 10):

Code: Select all

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I love it
I am not able to get any of the prior methods to work on my Win 7 machine at work. But these methods work great on my Win 10 machine at home.

I saved the first script as "debugBat.bat", and the second as "endDebug.bat"


Dave Benham

[carlos]

On windows 10 GeToken and Ungetting functions are no more printed.

Another way to do this on win10 is this line:

Code: Select all

break&(:#)

Should be last one in the file - without new lines or anything else behind the closing bracket.

[/code]

Wow, excellent discovery @npocmaka

[penpen]

Yesterday my Windows 10 home updated to win version 1903 (build 18362.387) and i noticed that enabling debug stopped working.
My pc was kind of problematic one because it refused to install that a long time claiming the "Intel Rapid Store Technology (Intel RST)" must be updated first, which was odd, because i don't have any Intel components in my system and the intel software claims "Hardware not found" and aborted installation.

Now i would like to know if that feature stopped working on all actual win10 systems or if i got a "special version".


penpen

[ShadowThief]

Yesterday my Windows 10 home updated to win version 1903 (build 18362.387) and i noticed that enabling debug stopped working.
My pc was kind of problematic one because it refused to install that a long time claiming the "Intel Rapid Store Technology (Intel RST)" must be updated first, which was odd, because i don't have any Intel components in my system and the intel software claims "Hardware not found" and aborted installation.

Now i would like to know if that feature stopped working on all actual win10 systems or if i got a "special version".


penpen

I'm running Windows 10 Pro 1903 (build 18362.356) and I can't get this to work either, regardless of whether or not I'm using the legacy console.

[penpen]

So that "undocumented feature" indeed stopped working
Sad - i liked that a lot.


penpen