Currently under active development
CMD DeObfuscator is a pure JavaScript library written to deobfuscate
commands passed to CMD.EXE, presenting malicious commands mostly
free of obfuscation characters.
const CMD = require("./index"),
opts = { expand_inline: true };
// Strip escape sequences:
CMD.parse(`p^o^w^e^r^s^h^e^l^l`);
// => [ "powershell" ]
// Command clean-up:
CMD.parse(`w""sc"r"i"p"t e""vil.js`);
// => [ `"wscript" evil.js ]`
// Expand environment variables with substrings:
CMD.parse(`%comspec:~-16,1%%comspec:~-1%%comspec:~-13,1% foo=bar`, opts);
// => [ "Set foo=bar" ]
// Find/replace known values in environment variables:
CMD.parse(`%comspec:cmd=powershell%`)
// => C:\Windows\System32\powershell.exe
// Flattens nested 'CMD.EXE' instances:
CMD.parse(`cmd cmd cmd cmd calc.exe`);
// => [ "calc.exe" ]
// Handles delayed expansion within nested CMD contexts
CMD.parse(`cmd /V:O "set foo=bar& echo !foo!"`);
// => [ "set foo=bar", "echo bar" ]Returns: <string[]>
cmdstr<string> the command string to parseoptions<Object>delayed_expansion<bool> Default:falseexpand_inline<bool> Default:falsevars<Object> Default:{}
CMD.parse(`p^ow^er""she"l"l`);
CMD.parse(`echo !hello!`, { delayed_expansion: true, vars: { hello: "world" } });
CMD.parse(`echo %hello%`, { expand_inline: true, vars: { hello: "world" } });Parses a given command string in to individual commands before applying variable expansion and de-obfuscation filters to each identified command. Returns an array of cleaned-up commands.
If delayed_expansion is set to true, the given cmdstr will be
evaluated as if CMD.EXE had been started with /V:ON or SETLOCAL
EnableDelayedExpansion, thus allowing !foo! to be expanded.
If expand_inline is set to true, environment variables are
expanded each time a CMD.EXE command is identified, rather than only
once at “parse time”. Useful when using the vars object.
The vars object maps environment variables to their values, for
example:
CMD.parse("echo %foo%", { expand_inline: true, vars: { foo: "bar" }));
// => [ "echo bar" ]Attempts to expand all variables in to their expanded form, making analysis of the whole command clearer:
| Input | Deobfuscated Output |
|---|---|
%COMSPEC% | C:\Windows\System32\cmd.exe |
Replaces all occurances of cmd inside the %COMSPEC% var with the
string powershell:
| Input | Deobfuscated Output |
|---|---|
%COMSPEC:cmd=powershell% | C:\Windows\System32\powershell.exe |
Fetches the last seven characters within the %COMSPEC% var:
| Input | Deobfuscated Output |
|---|---|
%COMSPEC:~-7% | cmd.exe |
All escape characters (^) are stripped from the command:
| Input | Deobfuscated Output |
|---|---|
CmD /C p^o^w^e^r^s^h^e^l^l | CmD /C powershell |
All empty strings are removed from the command:
| Input | Deobfuscated Output |
|---|---|
pow""ersh""ell | powershell |
Obfuscation of a command can be achieved by excessive use of
double-quotes, for example: w"s"c"r"i"p"t. The string widening
algorithm merges quoted and non-quoted regions together:
| Input | Deobfuscated Output |
|---|---|
w"s"c"r"i"p"t | ="wscript"= |
Any identified paths are resolved in to their absolute form, meaning we transform this:
| Input | Deobfuscated Output |
|---|---|
C:\foo\bar\baz\..\..\..\Windws\System32\cmd.exe | C:\Windows\System32\cmd.exe |
- How does the Windows Command Interpreter (CMD.EXE) parse scripts?
- WINAPI Parsing C Command-Line Arguments
- Everyone quotes command line arguments the wrong way
- What’s up with the strange treatment of quotation marks and backslashes by CommandLineToArgvW
- DOS Tips: Escapes
- MSDN CommandLineToArgvW function
- Windows Batch Scripting: Command Line Interpretation
- DOS CMD Substrings
- MSDN: Environment Variables
- FireEye: Obfuscation in the Wild
- setting and using a variable within Windows cmd.exe
- Delayed Expansion
- SS64: CMD.exe
- HackInParis Invoke Dosfuscation Slides