Best way to obfuscate a Batch File?

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

kumarchat
Posts: 1
Joined: 13 Dec 2017 05:54

Re: Best way to obfuscate a Batch File?

#61 Post by kumarchat » 13 Dec 2017 06:04

This doesn't work if I use an HTA application for generating input HTML boxes inside the batch script. The HTML box displays the entire code. Is there any way to do the same?

Squashman
Expert
Posts: 4221
Joined: 23 Dec 2011 13:59

Re: Best way to obfuscate a Batch File?

#62 Post by Squashman » 13 Dec 2017 08:03

Dave, they also posted on SO

FifthAxiom
Posts: 1
Joined: 11 May 2018 08:15

Re: Best way to obfuscate a Batch File?

#63 Post by FifthAxiom » 11 May 2018 08:26

Hi Dave,

There is an error in the batch file. It has to do with re-calling the obfuscated batch file with full path. The problem is you can't determine whether the batch is started from an active console or from the Explorer. Furthermore the pushd and popd commands will not work. I would advise to change the following line:
echo (setlocal enableDelayedExpansion^&for /l %%%%N in (0 1 93) do set "^!@hi@:~%%%%N,1^!=^!@lo@:~%%%%N,1^!")^&cmd /c ^^^^^""%%~f0" ^^!@args@^^!"
echo (setlocal enableDelayedExpansion^&for /l %%%%N in (0 1 93) do set "^!@hi@:~%%%%N,1^!=^!@lo@:~%%%%N,1^!")^&cmd /c ^^^^^""%%~0" ^^!@args@^^!"
I've tested the changes and they gave me no errors, even when executed from a parent or child folder.

But hey, thank you for your script. It helped me a lot. Great work!

Curious
Posts: 1
Joined: 11 Aug 2019 08:27

Re: Best way to obfuscate a Batch File?

#64 Post by Curious » 11 Aug 2019 09:50

dbenham wrote:
06 Aug 2017 16:35

Edit 2017-08-31: Bug fix from penpen applied - Added dot to FOR /F delims and bumped version to 1.1
Edit 2017-10-11: Better obscured character mapping in obfuscated file, and bumped version to 1.2
It works great, but Kaspersky and ESET detect the obfuscated batch file as a virus. Any idea how to solve this?

Thanks

duongbangxanh
Posts: 2
Joined: 13 Jan 2020 13:16

Re: Best way to obfuscate a Batch File?

#65 Post by duongbangxanh » 14 Jan 2020 00:36

dbenham wrote:
11 Oct 2017 13:49
Here is how I would do that. My testing shows that it preserves quoted arguments just fine.

Better to transfer control to Unobfuscate.bat, without CALL. This way there is no need for EXIT /B or GOTO :Label.
I went with the version 1.2 definition of @hi@ to better hide the mapping, just in case a user looks at that source code.

Mybatobfuscated.bat

Code:

@if not defined @lo@ Unobfuscate.bat "%~f0" %*
%Á%%æ%%ä%%é%%ð%%¡%%ð%%ç%%ç%
%ô%%æ%%õ%%í%%ð%%ä%%â%%í%%¡%%æ%%ï%%â%%ã%%í%%æ%%å%%æ%%í%%â%%ú%%æ%%å%%æ%%ù%%ñ%%â%%ï%%ô%%ê%%ð%%ï%

%Ó%%Æ%%Î%%¡%%ô%%æ%%õ%%¡%%ç%%ê%%í%%æ%%¡%%ï%%â%%î%%æ%
%ô%%æ%%õ%%¡%%£%%ç%%ï%%¾%%~n1%£%
.............. truncated for brevity
Unobfuscate.bat

Code:

@echo off
setlocal disableDelayedExpansion
for /f "delims=:. tokens=2" %%A in ('chcp') do set "@chcp@=chcp %%A>nul"
chcp 708>nul
set "@lo@= !#$&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~""
set "@hi@=%=%¡%=%¢%=%¤%=%¥%=%§%=%¨%=%©%=%ª%=%«%=%¬%=%­%=%®%=%¯%=%°%=%±%=%²%=%³%=%´%=%µ%=%¶%=%·%=%¸%=%¹%=%º%=%»%=%¼%=%½%=%¾%=%¿%=%À%=%Á%=%Â%=%Ã%=%Ä%=%Å%=%Æ%=%Ç%=%È%=%É%=%Ê%=%Ë%=%Ì%=%Í%=%Î%=%Ï%=%Ð%=%Ñ%=%Ò%=%Ó%=%Ô%=%Õ%=%Ö%=%×%=%Ø%=%Ù%=%Ú%=%Û%=%Ü%=%Ý%=%Þ%=%ß%=%à%=%á%=%â%=%ã%=%ä%=%å%=%æ%=%ç%=%è%=%é%=%ê%=%ë%=%ì%=%í%=%î%=%ï%=%ð%=%ñ%=%ò%=%ó%=%ô%=%õ%=%ö%=%÷%=%ø%=%ù%=%ú%=%û%=%ü%=%ý%=%þ%=%ÿ%=%£%=%"
setlocal enableDelayedExpansion
for /l %%N in (0 1 93) do set "!@hi@:~%%N,1!=!@lo@:~%%N,1!"
setlocal disableDelayedExpansion
cmd /c ^"%*"
%@chcp@%
exit /b
Dave Benham

I can shuffle it, but I don't know how to get back to it. Please help me.

dbenham
Expert
Posts: 2414
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: Best way to obfuscate a Batch File?

#66 Post by dbenham » 14 Jan 2020 08:00

It could be done, but as I've said from the very beginning, I have no interest in writing code to de-obfuscate a script that has already been obfuscated.

duongbangxanh
Posts: 2
Joined: 13 Jan 2020 13:16

Re: Best way to obfuscate a Batch File?

#67 Post by duongbangxanh » 14 Jan 2020 09:30

I would be extremely grateful if you could help me do that, because I have scrambled a file and I need to recover it. I could not rewrite the program because it took too much of my time. Please help me.

pieh-ejdsch
Posts: 234
Joined: 04 Mar 2014 11:14
Location: germany

Re: Best way to obfuscate a Batch File?

#68 Post by pieh-ejdsch » 15 Jan 2020 13:53

You should simply respect the work done here to achieve an expected result. [Yes, let's be careful.] I want to tell you something: I am usually in a hurry to explain to others how something works, AND then I don't notice how I am selling my work for a null value. It is my fault if it goes like this - but I can act differently in the future if I want to. But it's about "another job".
Can you vaguely remember what you wanted to do with your script? Or maybe not anymore! I also started a lot of things double and triple (and took a lot more than the available time) because I didn't take the time to document the individual states of the work and, above all, also.
Do it this way - it will help you make progress.

dennishay
Posts: 1
Joined: 10 Aug 2020 10:35

Re: Best way to obfuscate a Batch File?

#69 Post by dennishay » 10 Aug 2020 10:59

@Hackoo
I combined the encode / decode functionality into one drag/drop .bat file
Any batch file is encoded and renamed as FILE___.BAT
Dragging an encoded batch file 'FILE___.BAT' will decode the file and rename it 'FILE.DC.BAT', deleting FILE___.BAT

I went this route rather than just reverting the name back to FILE.BAT so that an original batch file wouldn't be overwritten by older code.

Code:

@ECHO OFF
GOTO:CODE

Drag .bat or .cmd file onto this batch file
It will be encoded and name___.bat will be created which will function as normal
To decode name___.bat file drag onto this file as well
encoded file will be deleted and name.DC.bat created

https://www.dostips.com/forum/viewtopic.php?t=7990
substring manipulation https://ss64.com/nt/syntax-substring.html

:CODE
:: if no parameter exit
if "%~1"=="" exit /b
:: if not .bat or .cmd exit
if /i "%~x1" neq ".bat" if /i "%~x1" neq ".cmd" exit /b
:: check to see if last 3 letters in filename are ___, if so decode
:: (quoted so that file names containing spaces do not break the comparison)
set "_name=%~n1"
if "%_name:~-3%"=="___" goto :DECODE

:ENCODE
for /f %%i in ("certutil.exe") do if not exist "%%~$path:i" (
  echo CertUtil.exe not found.
  pause
  exit /b
)
:: the base64 text decodes to the bytes FF FE 26 63 6C 73 0D 0A (UTF-16 LE BOM, "&cls", CRLF)
>"temp.~b64" echo(//4mY2xzDQo=
certutil.exe -f -decode "temp.~b64" "%~n1___%~x1"
del "temp.~b64"
copy "%~n1___%~x1" /b + "%~1" /b
GOTO:EOF

:DECODE
:: _result everything but last 3 characters
SET _result=%_name:~0,-3%
:: del old decoded file
if exist "%_result%.DC%~x1" del "%_result%.DC%~x1"
:: save decoded file to file.DC.ext
for /f "skip=1 delims=" %%L in ('CMD /U /C Type "%~1"') do (
   echo %%L
   echo %%L >>"%_result%.DC%~x1"
)
:: del original encoded file
del "%~f1"
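
The encoded file described above is the original script behind an 8-byte prefix (a UTF-16 LE byte-order mark followed by `&cls` and a line break), so it can be recognised from its bytes alone. The following is an added example, not part of dennishay's post: a Python check that flags such files and recovers the script text without running it. The function names and sample inputs are constructed for illustration.

```python
import base64

UTF16LE_BOM = b"\xff\xfe"
# The base64 literal from the ENCODE step: FF FE 26 63 6C 73 0D 0A (BOM, "&cls", CRLF).
PAGE_PREFIX = base64.b64decode("//4mY2xzDQo=")


def looks_utf16le(body: bytes) -> bool:
    """Real UTF-16 LE text that is mostly ASCII has a NUL at most odd offsets."""
    pairs = len(body) // 2
    if pairs == 0:
        return False
    nul_high = sum(1 for i in range(1, pairs * 2, 2) if body[i] == 0)
    return nul_high / pairs > 0.5


def inspect_batch(data: bytes) -> dict:
    """Classify the bytes of a .bat/.cmd file without executing anything."""
    if not data.startswith(UTF16LE_BOM):
        return {"bom": False, "masked": False, "script": data.decode("latin-1")}
    body = data[len(UTF16LE_BOM):]
    if looks_utf16le(body):
        text = body.decode("utf-16-le", errors="replace")
        return {"bom": True, "masked": False, "script": text}
    # BOM followed by single-byte text: the first line is the injected prefix,
    # everything after it is the original script.
    first, _, rest = body.partition(b"\n")
    return {"bom": True, "masked": True,
            "first_line": first.rstrip(b"\r").decode("latin-1"),
            "script": rest.decode("latin-1")}


# Constructed sample inputs (not taken from the thread).
ORIGINAL = b"@echo off\r\necho hello\r\n"
MASKED = PAGE_PREFIX + ORIGINAL
GENUINE_UTF16 = UTF16LE_BOM + "@echo off\r\n".encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("masked", MASKED), ("utf16", GENUINE_UTF16), ("plain", ORIGINAL)):
        print(name, inspect_batch(blob))
```

A genuine UTF-16 batch file also starts with FF FE, which is why the check looks at the bytes after the mark instead of flagging the mark itself.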

gfnowadmin
Posts: 1
Joined: 11 Dec 2020 23:53

Re: Best way to obfuscate a Batch File?

#70 Post by gfnowadmin » 12 Dec 2020 00:05

Can someone help me decode this file that was encoded with this tool ?

thanks in advance.

Code:

...
Last edited by aGerman on 12 Dec 2020 06:06, edited 1 time in total.
Reason: Potentially malicious code removed

T3RRY
Posts: 117
Joined: 06 May 2020 10:14

Re: Best way to obfuscate a Batch File?

#71 Post by T3RRY » 12 Dec 2020 05:50

gfnowadmin wrote:
12 Dec 2020 00:05
Can someone help me decode this file that was encoded with this tool ?

thanks in advance.

Going to offer you the benefit of the doubt regarding ignorance, but in future run a basic scan before posting known malware to the forum.
TrojanDropper:BAT/MalVbsDrper.C

aGerman
Expert
Posts: 4043
Joined: 22 Jan 2010 18:01
Location: Germany

Re: Best way to obfuscate a Batch File?

#72 Post by aGerman » 12 Dec 2020 06:12

Good call, T3RRY!

@gfnowadmin
Hint: Prepend an ECHO command to the lines that obviously contain the obfuscated script code. Maybe you can find out what it contains. At least my antivirus didn't even allow me to get to this point. The script has been removed instantly.

Steffen

T3RRY
Posts: 117
Joined: 06 May 2020 10:14

Re: Best way to obfuscate a Batch File?

#73 Post by T3RRY » 12 Dec 2020 06:38

aGerman wrote:
12 Dec 2020 06:12
Good call, T3RRY!

@gfnowadmin
Hint: Prepend an ECHO command to the lines that obviously contain the obfuscated script code. Maybe you can find out what it contains. At least my antivirus didn't even allow me to get to this point. The script has been removed instantly.

Steffen

I would not recommend even going that far. The simple act of copy pasting that script can result in an infection. [ The file was never saved ]
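
For a file produced by the %X% substitution scheme quoted in post #65, the text can be recovered without running the file or prepending ECHO to anything. The following is an added example, not code from the thread or from dbenham: a static Python decoder whose table is derived from the @lo@ and @hi@ lines of Unobfuscate.bat. It assumes the file is read as raw bytes and that the characters shown on this page are the Latin-1 view of those bytes; the function names are hypothetical.

```python
import re

# Plain-text alphabet in the order of the @lo@ line of Unobfuscate.bat:
# space ! # $, then & through ~, then the double quote ('%' is never mapped).
LO = " !#$" + "".join(chr(c) for c in range(0x26, 0x7F)) + '"'
# High-byte alphabet in the order of the @hi@ line:
# 0xA1..0xFF without 0xA3 and 0xA6, then 0xA3 last.
HI = "".join(chr(c) for c in range(0xA1, 0x100) if c not in (0xA3, 0xA6)) + "\xa3"
TABLE = dict(zip(HI, LO))  # 94 pairs, matching "for /l %%N in (0 1 93)"
TOKEN = re.compile("%([\xa1-\xff])%")


def decode_line(line: str) -> str:
    """Replace each %X% token with its mapped character; leave other text alone."""
    return TOKEN.sub(lambda m: TABLE.get(m.group(1), m.group(0)), line)


def decode_file_bytes(data: bytes) -> list:
    """Decode raw file bytes statically; nothing from the file is executed.

    Latin-1 maps every byte to exactly one code point, so the high bytes
    survive unchanged regardless of the code page the script selects.
    """
    return [decode_line(raw.decode("latin-1")) for raw in data.splitlines()]


# Two lines of Mybatobfuscated.bat as shown in the quoted post, as file bytes.
SAMPLE = (
    "%Á%%æ%%ä%%é%%ð%%¡%%ð%%ç%%ç%\r\n"
    "%ô%%æ%%õ%%¡%%£%%ç%%ï%%¾%%~n1%£%\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for text in decode_file_bytes(SAMPLE):
        print(text)
```

Ordinary batch syntax such as `%~n1` passes through untouched, so the output is the script text as it would be seen by cmd.exe after variable expansion, obtained without starting cmd.exe.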
