SANS ISC: SANS Internet Storm Center

Changing BAT Files On The Fly

Published: 2021-08-02
Last Updated: 2021-08-02 19:51:18 UTC
by Didier Stevens (Version: 1)

I often use Windows BAT files, simple ones, to execute a series of commands. And over the years, I learned not to change these BAT files while they were executing, because cmd.exe would "notice" those changes when it has to execute the next command in the BAT file, and read the changed file, leading to undesired results.

But recently, I started to use this to my advantage: change commands in a BAT file while it is executing, without undesired results.

The trick is to only change the commands that still have to be executed. Don't touch the commands that have already executed, and certainly, don't make them shorter or longer.

Although I have not reversed cmd.exe to be sure of what I experience, it seems like cmd.exe does not read a BAT file all at once, but that it has a filepointer into the BAT file it is processing, and reads the next line to execute after the current line finishes executing.

If you remove bytes before the filepointer (e.g., by changing commands before the current command to make them shorter, or removing commands), the filepointer will no longer point to the beginning of the next line to execute.

Same if you add bytes before the filepointer.

The trick is to change commands after the filepointer, i.e., change commands that have yet to be executed, while leaving the rest of the BAT file intact.
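The following Python model is an added illustration, not code from this diary and not cmd.exe's implementation: it assumes, as described above, an interpreter that keeps only a byte offset and re-reads the file before each command. `run_model`, the three edit helpers and the three-line script are constructed for the example.

```python
import os
import tempfile

# Constructed sample BAT content: three 12-byte lines with CRLF endings.
SCRIPT = b"echo step1\r\necho step2\r\necho step3\r\n"

def run_model(script, edit_after_first=None):
    """Return the lines an offset-based reader would execute.

    Assumption: only a byte offset is remembered between commands and the
    file is reopened each time. edit_after_first(data) -> data rewrites the
    file once, right after the first command has finished.
    """
    fd, path = tempfile.mkstemp(suffix=".bat")
    os.write(fd, script)
    os.close(fd)
    executed, offset = [], 0
    try:
        while True:
            with open(path, "rb") as f:
                f.seek(offset)          # resume where the last command ended
                line = f.readline()
                offset = f.tell()
            if not line:                # end of file
                return executed
            executed.append(line.rstrip(b"\r\n").decode())
            if len(executed) == 1 and edit_after_first:
                with open(path, "rb") as f:
                    data = f.read()
                with open(path, "wb") as f:
                    f.write(edit_after_first(data))
    finally:
        os.remove(path)

def edit_pending(data):
    # Safe: only bytes after the saved offset change (length may differ).
    return data.replace(b"echo step3", b"echo changed-step3")

def shorten_done(data):
    # Unsafe: removes 7 bytes before the offset, which now lands mid-line.
    return data.replace(b"echo step1", b"rem", 1)

def lengthen_done(data):
    # Unsafe: adds 9 bytes before the offset, which now lands inside line 1.
    return data.replace(b"echo step1", b"echo step1 extended", 1)

if __name__ == "__main__":
    for edit in (None, edit_pending, shorten_done, lengthen_done):
        print(edit.__name__ if edit else "no edit", run_model(SCRIPT, edit))
```

In the two unsafe cases the model executes a fragment (`ep2` or `xtended`) instead of a whole command, which is the misalignment described above.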

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com
