SANS ISC: Changing BAT Files On The Fly

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

I often use Windows BAT files, simple ones, to execute a series of commands. And over the years, I learned not to change these BAT files while they were executing, because cmd.exe would "notice" those changes when it has to execute the next command in the BAT file, and read the changed file, leading to undesired results.

But recently, I started to use this to my advantage: change commands in a BAT file while it is executing, without undesired results.

The trick is to only change the commands that still have to be executed. Don't touch the commands that have already executed, and certainly, don't make them shorter or longer.

Although I have not reversed cmd.exe be sure of what I experience, it seems like cmd.exe does not read a BAT all at once, but that it has a filepointer into the BAT file it is processing, and reads the next line to execute after the current line finishes executing.

If you remove bytes before the filepointer (e.g., by changing commands before the current command to make them shorter, or removing commands), the filepointer will no longer point to the beginning of the next line to execute.

Same if you add bytes before the filepointer.

The trick is to change commands after the filepointer, e.g., change commands that have yet to be executed, while leaving the rest of the BAT file intact.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com