Enabling the internal debug outputs of cmd.exe

jeb
Expert
Posts: 904
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Enabling the internal debug outputs of cmd.exe

#1 Post by jeb » 07 May 2015 00:45

Hi,

while I was trying to build a new technique, I found an interesting bug in CMD.exe.

It enables a debug output option of cmd.exe that shows how characters, tokens and commands are parsed :!:

Like this:

Output wrote:
if 4==5 echo Hello

GeToken: (4000) 'if'
GeToken: (4000) '4'
Ungetting: ' 4==5 echo Hello
'
GeToken: (4000) '4'
Ungetting: ' 4==5 echo Hello
'
GeToken: (4000) '4'
GeToken: (4000) '==5'
GeToken: (4000) 'echo'
GeToken: (4000) ' Hello'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
Ungetting: '
'
GeToken: (a) '
'
if
Cmd: 4 Type: 39 Args: `5'
Cmd: echo Type: 0 Args: ` Hello'


And enabling it is quite simple: build a batch file containing some opening parentheses (a bit more than 256)

((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((


Then the debug output is constantly activated in that cmd-window.
Tested with Win7 x64 cmd.exe Version 6.1.7601.

I suppose it's a simple buffer overrun bug.

If you put far more brackets you get some odd and long output (I discovered the bug with over 2000 brackets)

Now, have fun playing with it :D
jeb

npocmaka_
Posts: 481
Joined: 24 Jun 2013 17:10
Location: Bulgaria

Re: Enabling the internal debug outputs of cmd.exe

#2 Post by npocmaka_ » 07 May 2015 01:14

Wow.
:!:

Does this mean that the max nested expressions in brackets are 256 :?:

jeb
Expert
Posts: 904
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Re: Enabling the internal debug outputs of cmd.exe

#3 Post by jeb » 07 May 2015 01:57

npocmaka_ wrote: Does this mean that the max nested expressions in brackets are 256


Yes, it seems so, and that's a pity, as I have an idea that would only be perfect with unlimited bracket levels.

OperatorGK
Posts: 66
Joined: 13 Jan 2015 06:55

Re: Enabling the internal debug outputs of cmd.exe

#4 Post by OperatorGK » 07 May 2015 03:44

Ah, Buffer overflow!
I have been trying to do it with a %cmdcmdline% overflow, digging deep into the cmd.exe memory map, but you discovered this faster than me!
Anyway, nice! Now my research will speed up!

OperatorGK
Posts: 66
Joined: 13 Jan 2015 06:55

Re: Enabling the internal debug outputs of cmd.exe

#5 Post by OperatorGK » 07 May 2015 04:21

:!: This bug actually does more than simply turning parser debug mode on!
As I discovered in my previous post about the %cmdcmdline% bug, overflowing the %cmdcmdline% variable over its normal limit causes
cmd.exe to freeze and simply do nothing. But with this "debug" turned on, it will actually produce this error window (translated from Russian, might be incorrect!):

Instruction at address "0x0b85a3d5" tried to get memory at "0xffffffff".
Memory couldn't be "read".
"OK" - terminating the application.
"Cancel" -- debugging the application.

With buttons OK and Cancel. Clicking on either of these buttons closes the error window, and cmd.exe will think that you pressed Ctrl-C.
:?: All of it is strange. I think the debug mode switch memory position and the %cmdcmdline% memory position are less than 8192 bytes apart.

I think someone should test it on 32-bit XP.

jeb
Expert
Posts: 904
Joined: 30 Aug 2007 08:05
Location: Germany, Bochum

Re: Enabling the internal debug outputs of cmd.exe

#6 Post by jeb » 07 May 2015 04:56

Tested with XP x32 (German): I get no special effects, but when I placed more than 2500 opening brackets, the cmd window closed immediately.

edit:
The behaviour also depends on the number of brackets on Win7; at some point I also get a modal window with an error message.

dbenham
Expert
Posts: 2261
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: Enabling the internal debug outputs of cmd.exe

#7 Post by dbenham » 07 May 2015 06:11

Amazing :shock: :!: :shock: :!: :shock: :!: :shock: :!:

Dave Benham

Squashman
Expert
Posts: 4106
Joined: 23 Dec 2011 13:59

Re: Enabling the internal debug outputs of cmd.exe

#8 Post by Squashman » 07 May 2015 10:58

Makes me wonder if anyone from Microsoft ever sees some of the stuff you guys hack into batch files.

npocmaka_
Posts: 481
Joined: 24 Jun 2013 17:10
Location: Bulgaria

Re: Enabling the internal debug outputs of cmd.exe

#9 Post by npocmaka_ » 20 Oct 2017 06:47

On Windows 10 the GeToken and Ungetting functions are no longer printed.

Another way to do this on Win10 is this line:

break&(:#)


It should be the last line in the file, without newlines or anything else after the closing bracket.

All commands except IF and REM are shown as Type: 0 (I don't know what this type is).
IF EQU/GTR/GEQ/LSS/LEQ are Type: 3a.
IF == is 39.

IF ERRORLEVEL is Type: 35. IF CMDEXTVERSION is 34. IF EXIST is 37. IF /? is 3c. IF DEFINED is 36.

Looks like there's no IF command of type 38?

REM is Type: 2d. Some commands with /? are type 3c.


To "heal" the cmd from the debug mode you need 256 @'s (at least it works on Windows 10):

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


penpen
Expert
Posts: 1695
Joined: 23 Jun 2013 06:15
Location: Germany

Re: Enabling the internal debug outputs of cmd.exe

#10 Post by penpen » 21 Oct 2017 18:58

npocmaka_ wrote: Looks like there's no IF command of type 38?

I think you've just partly confirmed what I suspected some time ago (with other token values because of using WinXP instead of Win10):
http://www.dostips.com/forum/viewtopic.php?p=32860#p32860.
Thanks for that. :D
(So the single characters are the token types of the first child in the parse tree.)

Save this batch as "testIf.bat".
Then I tweaked your code to "enableDebug.bat":

@echo off
call ^
:break 2>nul ^
::
break&(:#)

Now you can see that under Windows 10 the token type 38 should be "not" (ascii('8') == 38; same for the other values):


Z:\>testIf.bat
if.bat:  4
if.bat:  4
if.bat:  5
if.bat:  5
if.bat:  6
if.bat:  6
if.bat:  7
if.bat:  7
if.bat:  9
if.bat:  9
if.bat:  :
if.bat:  :

Z:\>enableDebug.bat
Z:\>call if not cmdextversion 1 else
Cmd: call  Type: 0 Args: ` if not cmdextversion 1 else'
if
  not
    Cmd: cmdextversion  Type: 34 Args: `1'
  Cmd: else  Type: 0
Cmd: echo  Type: 0 Args: ` if.bat:  8'

Z:\>echo if.bat:  8
if.bat:  8

Z:\>


penpen
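
As an added example (not code from this thread or from cmd.exe itself), a small Python parser for the "Cmd: ... Type: ... Args:" lines and the indentation-based tree shown in the Windows 10 output above; the sample input is the output penpen quoted, embedded inline, and KNOWN_TYPES collects the type values npocmaka_ reported plus penpen's inferred 0x38 = "not".

```python
import re

# Constructed sample: the Windows 10 parser-debug output quoted in post #10.
SAMPLE = """\
Cmd: call  Type: 0 Args: ` if not cmdextversion 1 else'
if
  not
    Cmd: cmdextversion  Type: 34 Args: `1'
  Cmd: else  Type: 0
Cmd: echo  Type: 0 Args: ` if.bat:  8'
"""

# Type values reported in this thread (hex); 0x38 = "not" is penpen's inference.
KNOWN_TYPES = {
    0x2d: "REM", 0x34: "IF CMDEXTVERSION", 0x35: "IF ERRORLEVEL",
    0x36: "IF DEFINED", 0x37: "IF EXIST", 0x38: "IF NOT (inferred)",
    0x39: "IF ==", 0x3a: "IF EQU/GTR/GEQ/LSS/LEQ", 0x3c: "/? (IF and some commands)",
}

# "Cmd: <name>  Type: <hex> Args: `<args>'"; the Args part is optional.
CMD_RE = re.compile(r"^Cmd: (\S+)\s+Type: ([0-9a-fA-F]+)(?: Args: `(.*)')?$")

def parse_line(text):
    """Turn one de-indented debug line into a node dictionary."""
    m = CMD_RE.match(text)
    if m:
        name, type_hex, args = m.groups()
        return {"name": name, "type": int(type_hex, 16), "args": args, "children": []}
    # Bare keywords such as "if" / "not" are structural nodes without a type.
    return {"name": text, "type": None, "args": None, "children": []}

def parse_debug(output, indent=2):
    """Build a forest from the debug output, nesting nodes by indentation depth."""
    roots, stack = [], []          # stack holds (depth, node) of open parents
    for raw in output.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // indent
        node = parse_line(raw.strip())
        while stack and stack[-1][0] >= depth:   # close same-or-deeper nodes
            stack.pop()
        (stack[-1][1]["children"] if stack else roots).append(node)
        stack.append((depth, node))
    return roots

def type_label(type_val):
    """Describe a type value as penpen reads it: hex, its ASCII character, meaning."""
    return "%02x ('%s') %s" % (type_val, chr(type_val), KNOWN_TYPES.get(type_val, "unknown"))
```

The same regex also accepts the single-space Win7 form from post #1, e.g. "Cmd: 4 Type: 39 Args: `5'".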

dbenham
Expert
Posts: 2261
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: Enabling the internal debug outputs of cmd.exe

#11 Post by dbenham » 27 Oct 2017 18:44

npocmaka_ wrote: Another way to do this on win10 is this line:

break&(:#)

Should be last one in the file - without new lines or anything else behind the closing bracket.

To "heal" the cmd from the debug mode you need 256 @'s (at least works on windows 10):


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

I love it :D
I am not able to get any of the prior methods to work on my Win 7 machine at work. But these methods work great on my Win 10 machine at home.

I saved the first script as "debugBat.bat", and the second as "endDebug.bat"


Dave Benham

carlos
Expert
Posts: 487
Joined: 20 Aug 2010 13:57
Location: Chile

Re: Enabling the internal debug outputs of cmd.exe

#12 Post by carlos » 31 Oct 2017 19:17

npocmaka_ wrote: On windows 10 GeToken and Ungetting functions are no more printed.

Another way to do this on win10 is this line:

break&(:#)
Should be last one in the file - without new lines or anything else behind the closing bracket.

Wow, excellent discovery @npocmaka
