
Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 00:45
by jeb
Hi,

while I'm trying to build a new technique, I've found an interesting bug in CMD.exe.

It enables a debug output option of cmd.exe that shows how characters, tokens and commands are parsed :!:

Like this
Output:
if 4==5 echo Hello

GeToken: (4000) 'if'
GeToken: (4000) '4'
Ungetting: ' 4==5 echo Hello
'
GeToken: (4000) '4'
Ungetting: ' 4==5 echo Hello
'
GeToken: (4000) '4'
GeToken: (4000) '==5'
GeToken: (4000) 'echo'
GeToken: (4000) ' Hello'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
if
Cmd: 4 Type: 39 Args: `5'
Cmd: echo Type: 0 Args: ` Hello'


And enabling it is quite simple: build a batch file containing some opening parentheses (a bit more than 256)


((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((


Then the debug output is constantly activated in that cmd-window.
Tested with Win7 x64 cmd.exe Version 6.1.7601.

I suppose it's a simple buffer overrun bug.

If you put in far more brackets, you get some odd and long output (I discovered the bug with over 2000 brackets).

Now, have fun playing with it :D
jeb

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 01:14
by npocmaka_
Wow.
:!:

Does this mean that the maximum number of nested bracket expressions is 256 :?:

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 01:57
by jeb
npocmaka_ wrote:Does this mean that the max nested expressions in brackets are 256


Yes, it seems so, and that's a pity, as I have an idea that would only be perfect with unlimited bracket levels.

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 03:44
by OperatorGK
Ah, Buffer overflow!
I had been trying to do it with a %cmdcmdline% overflow, digging deep into the cmd.exe memory map, but you discovered this faster than me!
Anyway, nice! Now my research will speed up!

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 04:21
by OperatorGK
:!: This bug actually does more than simply turning parser debug mode on!
As I discovered in my previous post about the %cmdcmdline% bug, overflowing the %cmdcmdline% variable over the normal limit causes
cmd.exe to freeze and simply do nothing. But with this "debug" turned on, it actually produces this error window (translated from Russian, might be incorrect!):


Instruction at address "0x0b85a3d5" tried to get memory at "0xffffffff".
Memory couldn't be "read".
"OK" - terminating the application.
"Cancel" -- debugging the application.

With buttons OK and Cancel. Clicking either of these buttons closes the error window, and cmd.exe will think that you pressed Ctrl-C.
:?: All of it is strange. I think the debug mode switch memory position and the %cmdcmdline% memory position are less than 8192 bytes apart.

I think someone should test it on 32-bit XP.

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 04:56
by jeb
Tested with XP x32 (German): I get no special effects, but when I placed more than 2500 opening brackets, the cmd window closed immediately.

edit:
The behaviour depends on the number of brackets on Win7 as well; at some point I also get a modal window with an error message.

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 06:11
by dbenham
Amazing :shock: :!: :shock: :!: :shock: :!: :shock: :!:

Dave Benham

Re: Enabling the internal debug outputs of cmd.exe

Posted: 07 May 2015 10:58
by Squashman
Makes me wonder if anyone from Microsoft ever sees some of the stuff you guys hack into batch files.

Re: Enabling the internal debug outputs of cmd.exe

Posted: 20 Oct 2017 06:47
by npocmaka_
On Windows 10 the GeToken and Ungetting functions are no longer printed.

Another way to do this on win10 is this line:


break&(:#)


It should be the last line in the file, without newlines or anything else after the closing bracket.

All commands except IF and REM are reported as Type: 0. (I don't know what this type is.)
IF EQU/GTR/GEQ/LSS/LEQ is Type: 3a.
IF == is Type: 39.

IF ERRORLEVEL is Type: 35. IF CMDEXTVERSION is 34. IF EXIST is 37. IF /? is 3c. IF DEFINED is 36.

It looks like there's no IF command of type 38?

REM is Type: 2d. Some commands with /? are type 3c.


To "heal" cmd from the debug mode you need 256 @'s (at least it works on Windows 10):


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Re: Enabling the internal debug outputs of cmd.exe

Posted: 21 Oct 2017 18:58
by penpen
npocmaka_ wrote:Looks there's no IF command of type 38 ?
I think you've just partly confirmed what I suspected some time ago (with other token values because of using WinXP instead of Win10):
http://www.dostips.com/forum/viewtopic.php?p=32860#p32860.
Thanks for that. :D
(So the single characters are the token types of the first child in the parse tree.)

Save this batch as "testIf.bat".
Then I tweaked your code to "enableDebug.bat":


@echo off
call ^
:break 2>nul ^
::
break&(:#)

Now you can see that under Windows 10 the token type 38 should be "not" (ascii('8') == 38; same for the other values):


Z:\>testIf.bat
if.bat:  4
if.bat:  4
if.bat:  5
if.bat:  5
if.bat:  6
if.bat:  6
if.bat:  7
if.bat:  7
if.bat:  9
if.bat:  9
if.bat:  :
if.bat:  :

Z:\>enableDebug.bat
Z:\>call if not cmdextversion 1 else
Cmd: call  Type: 0 Args: ` if not cmdextversion 1 else'
if
  not
    Cmd: cmdextversion  Type: 34 Args: `1'
  Cmd: else  Type: 0
Cmd: echo  Type: 0 Args: ` if.bat:  8'

Z:\>echo if.bat:  8
if.bat:  8

Z:\>


penpen
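The Type codes in the tree dump above and in npocmaka_'s list are easier to work with once the dump is parsed. The following Python parser is an added example, not code from the thread: it builds the parse forest from the indented Windows 10 output (the sample is constructed from penpen's dump), skips the Win7-style GeToken/Ungetting chatter, decodes the IF sub-types npocmaka_ listed, and shows penpen's hex-code-to-ASCII relation.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed sample: penpen's dump of `call if not cmdextversion 1 else` on Windows 10
# (no GeToken/Ungetting lines; two spaces of indentation per nesting level).
SAMPLE = """\
Cmd: call  Type: 0 Args: ` if not cmdextversion 1 else'
if
  not
    Cmd: cmdextversion  Type: 34 Args: `1'
  Cmd: else  Type: 0
Cmd: echo  Type: 0 Args: ` if.bat:  8'
"""
# IF sub-command type codes as reported in this thread (hex, as cmd prints them);
# the keyword mapping is the thread's observation, not Microsoft documentation.
IF_TYPES = {0x34: "cmdextversion", 0x35: "errorlevel", 0x36: "defined", 0x37: "exist",
            0x38: "not", 0x39: "==", 0x3a: "EQU/GTR/GEQ/LSS/LEQ", 0x3c: "/?"}
CMD_RE = re.compile(r"^Cmd: (?P<name>\S+)\s+Type: (?P<type>[0-9a-fA-F]+)(?: Args: `(?P<args>.*)')?$")

@dataclass
class Node:
    name: str
    type_code: Optional[int] = None   # None for bare keyword lines such as "if" / "not"
    args: Optional[str] = None
    children: List["Node"] = field(default_factory=list)

def parse_debug_output(text: str) -> List[Node]:
    """Build a forest from the indented dump; Win7-style tokenizer chatter is skipped."""
    roots: List[Node] = []
    stack: List[Node] = []            # ancestor chain, index == nesting depth
    for raw in text.splitlines():
        body = raw.lstrip(" ")
        if not body or body == "'" or body.startswith(("GeToken:", "Ungetting:")):
            continue
        depth = (len(raw) - len(body)) // 2
        m = CMD_RE.match(body)
        node = Node(m["name"], int(m["type"], 16), m["args"]) if m else Node(body)
        del stack[depth:]             # unwind to this line's parent
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)
    return roots

def describe(node: Node) -> str:
    """Label a node, decoding IF sub-types and the hex-code-to-ASCII relation penpen noted."""
    if node.type_code is None:
        return node.name
    hint = IF_TYPES.get(node.type_code)
    extra = f" ({hint}, chr={chr(node.type_code)!r})" if hint else ""
    return f"{node.name} type=0x{node.type_code:02x}{extra}"
```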

Re: Enabling the internal debug outputs of cmd.exe

Posted: 27 Oct 2017 18:44
by dbenham
npocmaka_ wrote:Another way to do this on win10 is this line:


break&(:#)

It should be the last line in the file, without newlines or anything else after the closing bracket.

To "heal" cmd from the debug mode you need 256 @'s (at least it works on Windows 10):


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I love it :D
I am not able to get any of the prior methods to work on my Win 7 machine at work. But these methods work great on my Win 10 machine at home.

I saved the first script as "debugBat.bat", and the second as "endDebug.bat".


Dave Benham

Re: Enabling the internal debug outputs of cmd.exe

Posted: 31 Oct 2017 19:17
by carlos
npocmaka_ wrote:On windows 10 GeToken and Ungetting functions are no more printed.

Another way to do this on win10 is this line:


break&(:#)
It should be the last line in the file, without newlines or anything else after the closing bracket.

Wow, excellent discovery @npocmaka

Re: Enabling the internal debug outputs of cmd.exe

Posted: 30 Sep 2019 03:19
by penpen
Yesterday my Windows 10 Home updated to version 1903 (build 18362.387) and I noticed that enabling debug stopped working.
My PC was a somewhat problematic one because it refused to install that for a long time, claiming that "Intel Rapid Storage Technology (Intel RST)" must be updated first, which was odd, because I don't have any Intel components in my system and the Intel software claimed "Hardware not found" and aborted the installation.

Now I would like to know if that feature stopped working on all current Win10 systems or if I got a "special version".


penpen

Re: Enabling the internal debug outputs of cmd.exe

Posted: 30 Sep 2019 18:42
by ShadowThief
penpen wrote:
30 Sep 2019 03:19
Yesterday my Windows 10 Home updated to version 1903 (build 18362.387) and I noticed that enabling debug stopped working.
My PC was a somewhat problematic one because it refused to install that for a long time, claiming that "Intel Rapid Storage Technology (Intel RST)" must be updated first, which was odd, because I don't have any Intel components in my system and the Intel software claimed "Hardware not found" and aborted the installation.

Now I would like to know if that feature stopped working on all current Win10 systems or if I got a "special version".

penpen
I'm running Windows 10 Pro 1903 (build 18362.356) and I can't get this to work either, regardless of whether or not I'm using the legacy console.

Re: Enabling the internal debug outputs of cmd.exe

Posted: 01 Oct 2019 13:20
by penpen
So that "undocumented feature" indeed stopped working :cry:
Sad - I liked it a lot.


penpen