Convert batch script into an executable or higher language

[carlsomo]

Currently I'm programming a "batch compiler". It is different from all current batch compilers, because it never write the source code to hard disk.

Question: are you creating a true exe file on disk or running batch from a RAM drive??

I use QuickBatchFileComiler that writes to disk but it is highly reliable and handles call :labels without problems

I wish someone would come up with a true executable.exe solution.

BTW: encrypted 'file.dll' is a good subterfuge for labeling txt files that no one will likely look at with a txt editor

[carlos]

It uses a new technique for run the source code from memory and not write it to disk.
I'm currently developing it. I optimized the code and technique many times, so the minimal batch compiled file should be a size of 10KB aprox.
The objective of my "compiler" is that it not be detect as false positive for antivirus.
In the next post I post a demo, and i challenge you can get the source code, to give me your comments and help improve security.

[carlos]

this is a example, a proof of concept. Is currently in developing. In this example the compiled batch is outside the executable, in the final version it would be inside the executable. Also, in this example, only Avira detect as a false positive. It also would be removed in the final version.

This is the link for test:
https://docs.google.com/file/d/0B7ry-e4DtQ5ITHBZRHgxQ1lIQ2s/edit?usp=sharing

Inside, the zip there are two files:
main.exe
batch.bin

If someone can get the source code of the batch, please sendme and giveme information by personal message, for improve this application.

[carlsomo]

this is a example, a proof of concept. Is currently in developing. In this example the compiled batch is outside the executable, in the final version it would be inside the executable. Also, in this example, only Avira detect as a false positive. It also would be removed in the final version.

This is the link for test:
https://docs.google.com/file/d/0B7ry-e4DtQ5ITHBZRHgxQ1lIQ2s/edit?usp=sharing

Inside, the zip there are two files:
main.exe
batch.bin

If someone can get the source code of the batch, please sendme and giveme information by personal message, for improve this application.

Carlos
actually the exe is test.exe not main.exe
C:\Windows\Temp\XXXX.dat
C:\Windows\temp\en_US\cmd.exe
and then an mui is attempted to be loaded

I don't know you well enough to allow this on my pc??

[carlsomo]

C# code objects... batch.bin:

Code: Select all

msvcrt.dll   malloc   free   memcpy   _snprintf   memset   exit kernel32.dll   GetCurrentProcessId   GetSystemWindowsDirectoryA   SetEnvironmentVariableA   WriteFile   CloseHandle   CreateJobObjectA   SetInformationJobObject   CreateProcessA   AssignProcessToJobObject   ResumeThread   WaitForSingleObject   SetFileAttributesA   DeleteFileA   CreateFileA   GetFileSize   ReadFile   CreateDirectoryA   ExitProcess advapi32.dll   RegOpenKeyExA   RegQueryValueExA   RegCloseKey

I can't go much furthur without letting the thing run

[carlos]

is possible test running in virtual machine.

[Liviu]

If someone can get the source code of the batch, please sendme

I believe this is the top left corner of the source batch

Code: Select all

@Echo Off
Call :Color 8 "##################" \n
Call :Color F ""
Call :Color A "Final"
Call :Color B " Version"
Call :Color C " 21"
Call :Color F "" \n
Call :Color 8 "##################" \n
Pause >Nul
Exit /B

:Color
SetLocal EnableExtensions EnableDelay
Set "Color=%~1"
Set "Text=%~2"
Set "NewLine=%~3"
If ""=="!Text!" (Set Text=^")
Subst.exe -: "!Temp!" >Nul &-: &Cd \
If Not Exist -.7 (
Echo(|(Pause >Nul &Findstr.exe "^" >-
Set /P "=." >>- <Nul
For /F "delims=;" %%# In ('"Prompt $H
Set /P "=%%#%%#%%#" <Nul >-.3

and giveme information by personal message, for improve this application.

Don't really have suggestions for improvement, other than repeat what I've said before: interpreted code, batch in particular, will always be vulnerable to snooping.

Liviu

P.S. One other drawback of your approach is that it doesn't fully duplicate the source behavior. For example, assuming the source was called "test.cmd", then "test <nul" prints and exits without waiting for "pause" (as expected), while the "compiled" version gets confused and fails.

[carlos]

Please you can say in private your method for get the source this 90% of code, for improve the technique that not write the source code to the disc.

[Liviu]

Please you can say in private your method for get the source this 90% of code, for improve the technique that not write the source code to the disc.

Only posted a cutout of the code for symmetry with http://www.dostips.com/forum/viewtopic.php?p=25519#p25519

And, sorry, but I don't have much advice for improving. It will always be possible to break one way or another. Some more details in the PM.

[carlsomo]

Unfortunately batch to exe by F2KO is the primary converter I have been trying to use. CALL and GOTO seem to break it. Especially when calling anything external. Also use of IF EXIST causes problems as well. The .bat files work nearly flawlessly but once converted they crash & close often.

I wondered if it was a programming issue at first. But when rechecking my .bat files everything worked without incident. So I wrote test scripts to see what specific functions were causing this. The primary problem is IF EXIST regardless of syntax. I even tried adding IF NOT instead of ELSE. Also tried just IF EXIST on its own. For what ever reason that function, or command rather, does not like to work well. It seems that the scripts all work well when opened from within explorer. But for what ever reason falter when opened from the command prompt. Or converted to exe. It even crashed when I made a conversion that called a bat file containing an IF EXIST statement. Trying of course with the existence being both true & false alternatively. I would assume the conversion opens things in the same manner as cmd.exe. Perhaps I should have made a post to try & fix that first. Though if it can't be fixed I think I'm probably hooped far as conversion goes. Most likely best off starting over in another language. Much as I'd rather not.

Try using QuickBatchFileCompiler and the above problems will go away. Calls to :Labels are processed correctly.

[carlos]

Liviu. Now, I understand your view point.
Because cmd.exe only accept plain text instructions. And I avoid write it to the disk, It are in plain in memory. So, even when a pseudo batch compiler uses cmd.exe to interpret, the instructions will be in memory or disk. In my case, was in memory, but only a memory dump was neccesary for get 99% of the code.

Because now I cancel this project, until found a way of fix this.
And about the source code of the batch it was 98% correctly.

[Liviu]

Your technique is clever and novel as far as I can tell. But my point stands that it's not foolproof - and couldn't possibly be so. That much I hinted in the old thread before. There are only few ways to pass data to an arbitrary child process, and even fewer to send commands to $comspec, each of which can be intercepted fairly easily. My advice, again, would be to not waste much time trying to find "a way of fix this", since I don't think it's technically "fixable". I'll leave it at that, and withdraw now from further "decompiling" challenges.

[Ed Dyreen]

I'd like to know how Liviu does a memory dump of "test.exe", I only got as far as HexEdit, but that wasn't useful, please explain

[Liviu]

Memory dumps come for free with windows but that alone doesn't solve the puzzle. Beyond that, sorry, it's carlos' call. So far, his request to keep this private still stands. He can forward you my PM if he wants, or go public with his project and then it's up for open discussion.

[carlos]

Liviu, please wait some time.
I perfectioning the method.
I found a way.