Currently under active development

CMD DeObfuscator is a pure JavaScript library written to deobfuscate commands passed to CMD.EXE, presenting malicious commands mostly free of obfuscation characters.
```js
const CMD = require("./index"),
      opts = { expand_inline: true };

// Strip escape sequences:
CMD.parse(`p^o^w^e^r^s^h^e^l^l`);
// => [ "powershell" ]

// Command clean-up:
CMD.parse(`w""sc"r"i"p"t e""vil.js`);
// => [ '"wscript" evil.js' ]

// Expand environment variables with substrings:
CMD.parse(`%comspec:~-16,1%%comspec:~-1%%comspec:~-13,1% foo=bar`, opts);
// => [ "Set foo=bar" ]

// Find/replace known values in environment variables:
CMD.parse(`%comspec:cmd=powershell%`);
// => [ "C:\Windows\System32\powershell.exe" ]

// Flattens nested 'CMD.EXE' instances:
CMD.parse(`cmd cmd cmd cmd calc.exe`);
// => [ "calc.exe" ]

// Handles delayed expansion within nested CMD contexts:
CMD.parse(`cmd /V:O "set foo=bar& echo !foo!"`);
// => [ "set foo=bar", "echo bar" ]
```
`CMD.parse(cmdstr[, options])`

- `cmdstr` `<string>` the command string to parse
- `options` `<Object>`
  - `delayed_expansion` `<bool>` Default: `false`
  - `expand_inline` `<bool>` Default: `false`
  - `vars` `<Object>` Default: `{}`
- Returns: `<string[]>`

```js
CMD.parse(`p^ow^er""she"l"l`);
CMD.parse(`echo !hello!`, { delayed_expansion: true, vars: { hello: "world" } });
CMD.parse(`echo %hello%`, { expand_inline: true, vars: { hello: "world" } });
```
Parses a given command string into individual commands before applying variable expansion and de-obfuscation filters to each identified command. Returns an array of cleaned-up commands.

If `delayed_expansion` is set to `true`, the given `cmdstr` will be evaluated as if CMD.EXE had been started with `/V:ON` or `SETLOCAL EnableDelayedExpansion`, thus allowing `!foo!` to be expanded.

If `expand_inline` is set to `true`, environment variables are expanded each time a CMD.EXE command is identified, rather than only once at "parse time". This is useful when using the `vars` object.

The `vars` object maps environment variables to their values, for example:

```js
CMD.parse("echo %foo%", { expand_inline: true, vars: { foo: "bar" } });
// => [ "echo bar" ]
```
Attempts to expand all variables into their expanded form, making analysis of the whole command clearer:

| Input | Deobfuscated Output |
|---|---|
| `%COMSPEC%` | `C:\Windows\System32\cmd.exe` |

Replaces all occurrences of `cmd` inside the `%COMSPEC%` var with the string `powershell`:

| Input | Deobfuscated Output |
|---|---|
| `%COMSPEC:cmd=powershell%` | `C:\Windows\System32\powershell.exe` |

Fetches the last seven characters within the `%COMSPEC%` var:

| Input | Deobfuscated Output |
|---|---|
| `%COMSPEC:~-7%` | `cmd.exe` |
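The three `%VAR%` forms in the tables above (plain expansion, `find=replace`, and `~start,len` substrings) are what an analyst has to undo before a command assembled one character at a time from `%COMSPEC%` becomes readable. The following is an added example, not code from CMD DeObfuscator, that implements those expansion rules over a constructed `ENV` map so the resolution can be traced by hand. `COMSPEC` takes the value the page uses; `FOO` is a made-up entry. The function names (`expandVars`, `substring`, `findReplace`, `lookup`) are this example's own.

```javascript
// Added example (not part of CMD DeObfuscator): a minimal implementation of
// CMD.EXE's %VAR%, %VAR:find=replace% and %VAR:~start,len% expansion forms.
"use strict";

// Constructed environment. COMSPEC is the value the page's tables use; FOO is made up.
const ENV = {
  COMSPEC: "C:\\Windows\\System32\\cmd.exe",
  FOO: "bar",
};

// Environment variable names are case-insensitive in CMD, so %comspec% == %COMSPEC%.
function lookup(vars, name) {
  const key = Object.keys(vars).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : vars[key];
}

// %VAR:~start,len% -- a negative start counts back from the end of the value,
// a negative len means "stop that many characters before the end".
function substring(value, spec) {
  const m = /^(-?\d+)(?:,(-?\d+))?$/.exec(spec);
  if (!m) return undefined;
  let start = parseInt(m[1], 10);
  if (start < 0) start = Math.max(value.length + start, 0);
  if (m[2] === undefined) return value.slice(start);
  const len = parseInt(m[2], 10);
  const end = len < 0 ? value.length + len : start + len;
  return end <= start ? "" : value.slice(start, end);
}

// %VAR:find=replace% -- CMD replaces every occurrence, ignoring case.
function findReplace(value, spec) {
  const eq = spec.indexOf("=");
  if (eq <= 0) return undefined;
  const find = spec.slice(0, eq).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const replace = spec.slice(eq + 1);
  return value.replace(new RegExp(find, "gi"), replace);
}

// Expand every %...% reference in cmd using vars. References to unknown
// variables are left as they are, which is also what CMD does interactively.
function expandVars(cmd, vars) {
  return cmd.replace(/%([^%:]+)(?::([^%]*))?%/g, (whole, name, spec) => {
    const value = lookup(vars, name);
    if (value === undefined) return whole;
    if (spec === undefined) return value;
    const out = spec.startsWith("~")
      ? substring(value, spec.slice(1))
      : findReplace(value, spec);
    return out === undefined ? whole : out;
  });
}

// Walk the page's substring example: index 11 of COMSPEC is "S", the last
// character is "e", index 14 is "t", so the three references spell "Set".
console.log(expandVars("%comspec:~-16,1%%comspec:~-1%%comspec:~-13,1% foo=bar", ENV));
```

The substring and replace forms only reveal anything once the analyst knows the variable's value, which is why a `vars` map populated from the target host's real environment (rather than defaults) gives the most faithful expansion.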
All escape characters (`^`) are stripped from the command:

| Input | Deobfuscated Output |
|---|---|
| `CmD /C p^o^w^e^r^s^h^e^l^l` | `CmD /C powershell` |

All empty strings are removed from the command:

| Input | Deobfuscated Output |
|---|---|
| `pow""ersh""ell` | `powershell` |

Obfuscation of a command can be achieved by excessive use of double-quotes, for example: `w"s"c"r"i"p"t`. The string widening algorithm merges quoted and non-quoted regions together:

| Input | Deobfuscated Output |
|---|---|
| `w"s"c"r"i"p"t` | `"wscript"` |

Any identified paths are resolved into their absolute form, meaning we transform this:

| Input | Deobfuscated Output |
|---|---|
| `C:\foo\bar\baz\..\..\..\Windows\System32\cmd.exe` | `C:\Windows\System32\cmd.exe` |
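The four clean-ups in the tables above (escape stripping, empty-string removal, string widening and path resolution) are simple on their own; what matters for detection is that they are applied in the right order so the result is a stable, comparable command string. The following is an added example, not CMD DeObfuscator's code, that implements each step as a small function and chains them on the inputs the tables use. The helper names and the assumption that `^` is literal inside a quoted region are this example's own.

```javascript
// Added example (not part of CMD DeObfuscator): the character-level
// normalisation steps from the tables, chained into one pass.
"use strict";

// 1. Empty strings: a "" pair contributes nothing to the token it sits in.
function removeEmptyStrings(cmd) {
  return cmd.replace(/""/g, "");
}

// 2. Escape stripping: outside quotes, ^ only protects the character after it,
//    so dropping it recovers the intended text. Inside a quoted region CMD
//    treats ^ as a literal character, so it is kept there (example's assumption).
function stripEscapes(cmd) {
  let out = "";
  let inQuotes = false;
  for (const c of cmd) {
    if (c === '"') inQuotes = !inQuotes;
    if (c === "^" && !inQuotes) continue;
    out += c;
  }
  return out;
}

// 3. String widening: a token that still contains quotes after step 1 is
//    merged into a single quoted region, w"s"c"r"i"p"t -> "wscript".
function widenStrings(cmd) {
  return cmd
    .split(" ")
    .map((tok) => (tok.includes('"') ? '"' + tok.replace(/"/g, "") + '"' : tok))
    .join(" ");
}

// 4. Path resolution: collapse "." and ".." segments in a Windows path.
//    ".." at the drive root is ignored, as CMD does.
function resolvePath(p) {
  const parts = p.split(/[\\/]+/);
  const drive = parts.shift(); // e.g. "C:"
  const out = [];
  for (const seg of parts) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return [drive, ...out].join("\\");
}

// Steps 1-3 in the order that keeps each one from undoing the previous.
function deobfuscate(cmd) {
  return widenStrings(stripEscapes(removeEmptyStrings(cmd)));
}

console.log(deobfuscate('w""sc"r"i"p"t e""vil.js'));   // "wscript" evil.js
console.log(resolvePath("C:\\foo\\bar\\baz\\..\\..\\..\\Windows\\System32\\cmd.exe"));
```

Running empty-string removal before widening matters: `e""vil.js` must come out as an unquoted `evil.js`, which is what the page's own `"wscript" evil.js` output shows, whereas widening first would wrap it in quotes.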
- How does the Windows Command Interpreter (CMD.EXE) parse scripts?
- WINAPI Parsing C Command-Line Arguments
- Everyone quotes command line arguments the wrong way
- What’s up with the strange treatment of quotation marks and backslashes by CommandLineToArgvW
- DOS Tips: Escapes
- MSDN CommandLineToArgvW function
- Windows Batch Scripting: Command Line Interpretation
- DOS CMD Substrings
- MSDN: Environment Variables
- FireEye: Obfuscation in the Wild
- setting and using a variable within Windows cmd.exe
- Delayed Expansion
- SS64: CMD.exe
- HackInParis Invoke Dosfuscation Slides