Going BAT…mode crazy

What will the following bat file print? Foo, or Bar?

@echo off

 mode con cp select=65000 > nul
 set jump=+ACQ-
 mode con cp select=437 > nul
 goto %jump%

:+ACQ-
 echo Foo
 goto :eof

:$
 echo Bar
 goto :eof

Here’s the answer:

Batch files can be saved as text files in different encodings, including UTF7 and UTF8, as well as MBCS/DBCS character sets.

One can therefore enforce an encoding and change it not only outside a batch file, but also on the fly, as in the example above. As a result, the part of the code that executes after the first ‘mode’ is read as UTF7 (‘+ACQ-’ is an encoded ‘$’ sign), and the part after the second is read as OEM-US English (code page 437), so the jump lands on the ‘:$’ label and the script prints Bar.

The below example replaces UTF7 in the above example with Traditional Chinese:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

If you look at this code using the 950 character set (Big5), you will see this:

@echo off

 mode con cp select=950 > nul
 set jump=你好
 mode con cp select=65001 > nul
 goto %jump%

:你好
 echo Foo
 goto :eof

:雿末
 echo Bar
 goto :eof

and if you choose to preview as UTF8:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

Misleading, isn’t it?
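To see what cmd.exe actually reads under each code page, here is an added Python helper (not part of the original post) that replays the ‘mode con cp select’ switches over the raw bytes of a script and reports which label the ‘goto %jump%’ resolves to. The two sample scripts are constructed byte-for-byte from the UTF7 and Big5 examples above; the code-page table is an assumption that covers only the code pages used here.

```python
import re

# Code pages the scripts on this page switch between, mapped to Python codec
# names (assumption: extend this table for any other 'mode con cp select' value).
CODEPAGE_CODECS = {437: "cp437", 950: "big5", 65000: "utf-7", 65001: "utf-8"}
MODE_RE = re.compile(rb"^\s*mode\s+con\s+cp\s+select=(\d+)", re.I)
SET_RE = re.compile(r"^\s*set\s+([^=\s]+)=(.*?)\s*$", re.I)
GOTO_RE = re.compile(r"^\s*goto\s+%(\w+)%\s*$", re.I)
LABEL_RE = re.compile(r"^\s*:(\S+)")

def decode_line(line: bytes, cp: int) -> str:
    """Decode one raw line the way cmd.exe reads it under console code page cp."""
    return line.decode(CODEPAGE_CODECS[cp], errors="replace")

def resolve_goto(raw: bytes, initial_cp: int = 437) -> dict:
    """Replay the code-page switches: 'set' values are decoded under the code page
    active on their line; the first 'goto %var%' is matched (case-insensitively)
    against labels decoded under the code page active at the goto."""
    cp, env, lines = initial_cp, {}, raw.splitlines()
    for line in lines:
        m = MODE_RE.match(line)
        if m:
            cp = int(m.group(1))
            continue
        text = decode_line(line, cp)
        m = SET_RE.match(text)
        if m:
            env[m.group(1).lower()] = m.group(2)
            continue
        m = GOTO_RE.match(text)
        if not m:
            continue
        target = env.get(m.group(1).lower(), "")
        for j, cand in enumerate(lines):  # cmd rescans the file with the current cp
            lm = LABEL_RE.match(decode_line(cand, cp))
            if lm and lm.group(1).lower() == target.lower():
                nxt = decode_line(lines[j + 1], cp).strip() if j + 1 < len(lines) else ""
                return {"codepage": cp, "target": target, "label_line": j, "next_cmd": nxt}
        return {"codepage": cp, "target": target, "label_line": None, "next_cmd": ""}
    return {"codepage": cp, "target": None, "label_line": None, "next_cmd": ""}

# Constructed copies of the two scripts above. In the Big5 one the 'set' value and
# first label are Big5 bytes (a Latin-1 viewer shows them as '§A¦n'), the second label is UTF-8.
UTF7_SCRIPT = (b"@echo off\r\nmode con cp select=65000 > nul\r\nset jump=+ACQ-\r\n"
               b"mode con cp select=437 > nul\r\ngoto %jump%\r\n"
               b":+ACQ-\r\n echo Foo\r\n goto :eof\r\n:$\r\n echo Bar\r\n goto :eof\r\n")
BIG5_SCRIPT = (b"@echo off\r\nmode con cp select=950 > nul\r\nset jump=\xa7A\xa6n\r\n"
               b"mode con cp select=65001 > nul\r\ngoto %jump%\r\n"
               b":\xa7A\xa6n\r\n echo Foo\r\n goto :eof\r\n:" + "你好".encode("utf-8")
               + b"\r\n echo Bar\r\n goto :eof\r\n")
```

Running `resolve_goto` on either script shows the goto landing on the second label (the ‘echo Bar’ branch), whatever an editor preview suggests.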

When you run this version of the script you will see an error from the interpreter – a result of it interpreting superfluous UTF8 prefixes that seem to appear out of nowhere. Perhaps further study of cmd.exe internals could eliminate this quirk. Still, the jump goes to the proper label, and the errors can always be hidden with standard error redirection:

Beyond good ol’ Run key, Part 124

Most persistence tricks rely on modifying the Registry, adding files, dropping phantom DLLs, abusing lolbins, etc. Today (for a change) I will describe a trick that is a) a close relative of Office macros and b) introduces yet another file format that security products may need to learn to scan.

The target is UltraEdit – pretty much my favorite editor.

It supports a lot of different mechanisms that could be used for persistence and trickery, but I will describe only the one that meets the criteria specified above.

The editor supports macros, which can be easily edited in a dedicated Macro panel. While the commands are primarily editing-related, one command is interesting to us – RunTool:

The macro in the screenshot is called ‘foo’ and runs a tool called ‘notepad’. What is the ‘notepad’ tool, you may ask? It is not the Windows Notepad, but a reference to a task one can set up in the UE Tool Configuration panel:

Not surprisingly, I set it up to actually execute c:\windows\system32\notepad.exe.

Okay, now we have a macro that runs our task called ‘notepad’, and that task in turn runs the actual Windows Notepad.

We can save our macro to a .mac file, which uses a proprietary format:

And now we are ready for a final piece of a puzzle…

UE allows us to set macros to run automatically at startup (via the command line):

as well as on file load and save events (works in the GUI):

With all that in place… Notepad will be running a lot… perhaps as a celebration of these events.

Feels like Office macros – tick. Proprietary file format – tock.