Best way to obfuscate a Batch File?

[kumarchat]

This doesn't work if I use a HTA application for generating input HTML boxes inside the batch script. The HTML box displays the entire code, any way to do the same?

[Squashman]

Dave, they also posted on SO

[FifthAxiom]

Hi Dave,

There is an error in the batch file. It has to do with re-calling the obfuscated batch file with full path. The problem is you can't determine whether the batch is started from an active console or from the Explorer. Furthermore the pushd and popd commands will not work. I would advise to change the following line:

echo (setlocal enableDelayedExpansion^&for /l %%%%N in (0 1 93) do set "^!@hi@:~%%%%N,1^!=^!@lo@:~%%%%N,1^!")^&cmd /c ^^^^^""%%~f0" ^^!@args@^^!"
echo (setlocal enableDelayedExpansion^&for /l %%%%N in (0 1 93) do set "^!@hi@:~%%%%N,1^!=^!@lo@:~%%%%N,1^!")^&cmd /c ^^^^^""%%~0" ^^!@args@^^!"

I've tested the changes and gave me no errors, even when executed from a parent or child folder.

But hey, thank you for your script. It helped me a lot. Great work!

[Curious]

Edit 2017-08-31: Bug fix from penpen applied - Added dot to FOR /F delims and bumped version to 1.1
Edit 2017-10-11: Better obscured character mapping in obfuscated file, and bumped version to 1.2

It works great but kasperksy and ESET detect obcusated batch file like a virus, any idea for solve this?

Thanks

[duongbangxanh]

Here is how I would do that. My testing shows that it preserves quoted arguments just fine.

Better to transfer control to Unobfuscate.bat, without CALL. This way there is no need for EXIT /B or GOTO :Label.
I went with the version 1.2 definition of @hi@ to better hide the mapping, just in case a user looks at that source code.

Mybatobfuscated.bat

Code: Select all

@if not defined @lo@ Unobfuscate.bat "%~f0" %*
%Á%%æ%%ä%%é%%ð%%¡%%ð%%ç%%ç%
%ô%%æ%%õ%%í%%ð%%ä%%â%%í%%¡%%æ%%ï%%â%%ã%%í%%æ%%å%%æ%%í%%â%%ú%%æ%%å%%æ%%ù%%ñ%%â%%ï%%ô%%ê%%ð%%ï%

%Ó%%Æ%%Î%%¡%%ô%%æ%%õ%%¡%%ç%%ê%%í%%æ%%¡%%ï%%â%%î%%æ%
%ô%%æ%%õ%%¡%%£%%ç%%ï%%¾%%~n1%£%
.............. truncated for brevity

Unobfuscate.bat

Code: Select all

@echo off
setlocal disableDelayedExpansion
for /f "delims=:. tokens=2" %%A in ('chcp') do set "@chcp@=chcp %%A>nul"
chcp 708>nul
set "@lo@= !#$&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~""
set "@hi@=%=%¡%=%¢%=%¤%=%¥%=%§%=%¨%=%©%=%ª%=%«%=%¬%=%­%=%®%=%¯%=%°%=%±%=%²%=%³%=%´%=%µ%=%¶%=%·%=%¸%=%¹%=%º%=%»%=%¼%=%½%=%¾%=%¿%=%À%=%Á%=%Â%=%Ã%=%Ä%=%Å%=%Æ%=%Ç%=%È%=%É%=%Ê%=%Ë%=%Ì%=%Í%=%Î%=%Ï%=%Ð%=%Ñ%=%Ò%=%Ó%=%Ô%=%Õ%=%Ö%=%×%=%Ø%=%Ù%=%Ú%=%Û%=%Ü%=%Ý%=%Þ%=%ß%=%à%=%á%=%â%=%ã%=%ä%=%å%=%æ%=%ç%=%è%=%é%=%ê%=%ë%=%ì%=%í%=%î%=%ï%=%ð%=%ñ%=%ò%=%ó%=%ô%=%õ%=%ö%=%÷%=%ø%=%ù%=%ú%=%û%=%ü%=%ý%=%þ%=%ÿ%=%£%=%"
setlocal enableDelayedExpansion
for /l %%N in (0 1 93) do set "!@hi@:~%%N,1!=!@lo@:~%%N,1!")
setlocal disableDelayedExpansion
cmd /c ^"%*"
%@chcp@%
exit /b

Dave Benam

I can shuffle it, but I don't know how to get back to it. Please help me

[dbenham]

It could be done, but as I've said from the very beginning, I have no interest in writing code to de-obfuscate a script that has already been obfuscated.

[duongbangxanh]

I am extremely grateful if you can help me do that. Because I have scrambled a file and I need to recover it. I could not rewrite the program because it took too much of my time. Please help me

[pieh-ejdsch]

You should simply respect the work done here to achieve an expected result. [Yes, let's be careful.] I want to tell you something: I am usually in a hurry to explain to others how something works, AND then I don't notice how I am selling my work for a null value. It is my fault if it goes like this - but I can act differently in the future if I want to. But it's about "another job".
Can you vaguely remember what you wanted to do with your script? Or maybe not anymore! I also started a lot of things double and triple (and took a lot more than the available time) because I didn't take the time to document the individual states of the work and, above all, also.
Do it this way - it will help you make progress.

[dennishay]

@Hackoo
I combined the encode / decode functionality into one drag/drop .bat file
Any batch file is encoded and renamed as FILE___.BAT
Dragging an encoded batch file 'FILE___.BAT' will decode the file and rename it 'FILE.DC.BAT', deleting FILE___.BAT

I went this route rather than just reverting the name back to FILE.BAT so that an original batch file wouldn't be overwritten by older code.

Code: Select all

@ECHO OFF
GOTO:CODE

Drag .bat or .cmd file onto this batch file
It will be encoded and name___.bat will be created which will function as normal
To decode name__.bat file drag onto this file as well
encoded file will be deleted and name.DC.bat created

https://www.dostips.com/forum/viewtopic.php?t=7990
substring manipulation https://ss64.com/nt/syntax-substring.html

:CODE
:: if no perameter exit
if "%~1"=="" exit /b
:: if not .bat or .cmd exit
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
:: check to see if last 3 letter in filename are ___, if so decode
set _name=%~n1
if %_name:~-3% equ ___ goto :DECODE

:ENCODE
for /f %%i in ("certutil.exe") do if not exist "%%~$path:i" (
  echo CertUtil.exe not found.
  pause
  exit /b
)
>"temp.~b64" echo(//4mY2xzDQo=
certutil.exe -f -decode "temp.~b64" "%~n1___%~x1"
del "temp.~b64"
copy "%~n1___%~x1" /b + "%~1" /b
GOTO:EOF

:DECODE
:: _result everything but last 3 characters
SET _result=%_name:~0,-3%
:: del old decoded file
if exist "%_result%.DC%~x1" del "%_result%.DC%~x1"
:: save decoded file to file.DC.ext
for /f "skip=1 delims=" %%L in ('CMD /U /C Type "%~1"') do (
   echo %%L
   echo %%L >>"%_result%.DC%~x1"
)
:: del original encoded file
del %~n1%~x1

[gfnowadmin]

Can someone help me decode this file that was encoded with this tool ?

thanks in advance.

Code: Select all

...

[T3RRY]

Can someone help me decode this file that was encoded with this tool ?

thanks in advance.

Going to offer you the benefit of the doubt reagarding ignorance, but in future run a basic scan before posting known malware to the forum.
TrojanDropper:BAT/MalVbsDrper.C

[aGerman]

Good call, T3RRY!

@gfnowadmin
Hint: Prepend an ECHO command to the lines that obviously contain the obfuscated script code. Maybe you can find out what it contains. At least my antivirus didn't even allow me to get to this point. The script has been removed instantly.

Steffen

[T3RRY]

Good call, T3RRY!

@gfnowadmin
Hint: Prepend an ECHO command to the lines that obviously contain the obfuscated script code. Maybe you can find out what it contains. At least my antivirus didn't even allow me to get to this point. The script has been removed instantly.

Steffen

I would not recommend even going that far. The simple act of copy pasting that script can result in an infection. [ The file was never saved ]

[JN-]

First post here. Unsure how to address, tag dbneham re: his fab obfuscation util. I have used it successfully for near a dozen utils, but my last batch util has a problem. Anyway, thanks for such a very useful tool, brilliant.

In my last batch file util I needed to do division, I used a powershell piece of code to do this, supplied by another user, thank you.

The powershell code works perfectly in the batch file whether obfuscated or un-obfuscated.

The problem is that the cmd window font type and size gets changed in the obfuscated batch file when the Powershell code is used. This then needs to be changed back again to standard Win 10 defaults for readability.