{"id":9059,"date":"2024-01-12T23:39:35","date_gmt":"2024-01-12T23:39:35","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9059"},"modified":"2024-02-23T22:24:23","modified_gmt":"2024-02-23T22:24:23","slug":"adding-characters-to-command-line-processing","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/01\/12\/adding-characters-to-command-line-processing\/","title":{"rendered":"Adding character(s) to Command Line processing"},"content":{"rendered":"\n<p>In my <a href=\"https:\/\/www.hexacorn.com\/blog\/2020\/08\/30\/certulitis-one-tool-that-keeps-on-giving\/\" data-type=\"post\" data-id=\"7428\">old post about certutil<\/a> I mentioned that it accepts a number of lesser-known Unicode characters passed to its command line. PowerShell <a href=\"https:\/\/github.com\/PowerShell\/PowerShell\/blob\/e453c006d39a2fa57a903df2d0ea33ddd0cb43dd\/src\/System.Management.Automation\/engine\/parser\/CharTraits.cs#L255\">accepting a number of Unicode characters<\/a> representing &#8220;-&#8221; and its variations is a very well-known fact too.<\/p>\n\n\n\n<p>What&#8217;s new? You may ask&#8230;<\/p>\n\n\n\n<p>Processing the command line was never easy. All Operating Systems, their various shells as well as many command line tools come with their own command line parsing ideas and quirks, but, I bet, whoever designed many of these command line argument parsers didn&#8217;t really see the Unicode character set coming&#8230;<\/p>\n\n\n\n<p>In recent years we moved away from a simple world of &#8220;-&#8221;, &#8220;--&#8221;, and &#8220;\/&#8221; as command\/option switches towards a world that is, well&#8230; kinda developing now. 
<\/p>\n\n\n\n<p>In 2024 we have a number of popular Windows programs that accept a lot of Unicode characters as &#8216;special&#8217; (either as a part of a command line, or &#8216;pasted&#8217; to the program):<\/p>\n\n\n\n<ul>\n<li>\\t (Unicode 0x0009) &#8211; &lt;Character Tabulation&gt; (HT, TAB) \/\/ \\t needs to be interpreted<\/li>\n\n\n\n<li>\\n (Unicode 0x000A) &#8211; (EOL, LF, NL) \/\/ \\n needs to be interpreted<\/li>\n\n\n\n<li>\\r (Unicode 0x000D) &#8211; &lt;Carriage Return&gt; (CR) \/\/ \\r needs to be interpreted<\/li>\n\n\n\n<li>&#8221; &#8221; (Unicode 0x0020) &#8211; Space (SP) \/\/ ignore quotes<\/li>\n\n\n\n<li>&quot; (Unicode 0x0022) &#8211; Quotation Mark<\/li>\n\n\n\n<li>&#39; (Unicode 0x0027) &#8211; Apostrophe<\/li>\n\n\n\n<li>- (Unicode 0x002D) &#8211; Hyphen-Minus<\/li>\n\n\n\n<li>\/ (Unicode 0x002F) &#8211; Solidus, slash, forward slash<\/li>\n\n\n\n<li>\u2013 (Unicode 0x0096 &#8211; mapped to 0xFB in codepage 437)<\/li>\n\n\n\n<li>&#8221;&nbsp;&#8221; (Unicode 0x00A0) &#8211; No-Break Space (NBSP) \/\/ ignore quotes<\/li>\n\n\n\n<li><strong>\u2013<\/strong> (Unicode 0x2013) &#8211; En Dash<\/li>\n\n\n\n<li><strong>\u2014<\/strong> (Unicode 0x2014) &#8211; Em Dash<\/li>\n\n\n\n<li><strong>\u201c<\/strong> (Unicode 0x201C) &#8211; Left Double Quotation Mark<\/li>\n\n\n\n<li><strong>\u201d<\/strong> (Unicode 0x201D) &#8211; Right Double Quotation Mark<\/li>\n\n\n\n<li>&#8220;\u202f&#8221; (Unicode 0x202F) &#8211; Narrow No-Break Space (NNBSP) \/\/ ignore quotes<\/li>\n\n\n\n<li><strong><strong>\u2212<\/strong><\/strong> (Unicode 0x2212) &#8211; Minus Sign<\/li>\n\n\n\n<li>and possibly more<\/li>\n<\/ul>\n\n\n\n<p>While not all programs accept these yet, we can already list a few that actually do:<\/p>\n\n\n\n<ul>\n<li>certutil.exe<\/li>\n\n\n\n<li>powershell.exe<\/li>\n\n\n\n<li>pwsh.exe<\/li>\n\n\n\n<li>certreq.exe<\/li>\n\n\n\n<li>conhost.exe<\/li>\n<\/ul>\n\n\n\n<p>You may ask&#8230; what&#8217;s the big 
deal?<\/p>\n\n\n\n<p>Well, the big deal is that many assumptions about how command line arguments are passed to programs shaped a whole industry that is obsessively focused on detection engineering and fixated on &#8220;recognizable command line patterns&#8221;.<\/p>\n\n\n\n<p>These Unicode characters break a lot of these assumptions&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my old post about certutil I mentioned that it accepts a number of lesser-known Unicode characters passed to its command line. PowerShell accepting a number of Unicode characters representing &#8220;-&#8221; and its variations is a very well-known fact too. &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/01\/12\/adding-characters-to-command-line-processing\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[79],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9059"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9059"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9059\/revisions"}],"predecessor-version":[{"id":9092,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9059\/revisions\/9092"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9059"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9059"},{"taxonomy":"post_tag","embeddable":true
,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}