In this post I will present an old trick from the mid 90s used by hackers to obfuscate code stored in Windows .bat files. The trick is simple and works on all versions of Windows up to Windows 10.
Let’s start with a simple command:
As we can see, cmd.exe expands all environment variables to their values before executing the command.
What will happen when we try to use a variable that is not defined? Let's try:
When cmd.exe cannot resolve a variable, it just gives up and passes %foo% to the command unchanged. Let's try this again, but this time from inside a .bat file:
As we can see, nothing was printed, so inside .bat files undefined environment variables are expanded to empty strings.
cmd.exe also allows using variables inside command names, like this:
We may use this trick to obfuscate commands stored inside .bat files.
So the actual algorithm goes like this:
- Choose a set of environment variables that you are certain are not defined on most machines, e.g. single- or two-letter variables like
- Insert a random variable from point 1 after every character or two of every command stored inside the .bat file.
- Do not insert environment variables inside other variables, i.e. avoid transforming
Using this trick we may change this obvious and innocent looking
As a bonus, since the expansion does not work at the interactive command prompt, simply copying and pasting lines of the .bat file won't work; this gives us an additional layer of "security".