Skip to content

Deobfuscate batch scripts obfuscated using string substitution and escape character techniques.

License

Notifications You must be signed in to change notification settings

TargetPackage/batch_deobfuscator

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

76 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Introduction

By using this Python script, you can deobfuscate a batch script that is obfuscated with string substitution, escape character techniques, and more.

Original project by DissectMalware, additional modifications made by gdesmar. We just expanded functionality and added additional commentary to the codebase to make the deobfuscation process easier to understand.

NOTE: This should ONLY be ran on a virtual machine in an isolated environment to minimize the risk of accidental damage to your system. The creators of this tool are not responsible for any damage caused by its usage.

Running the script

To run the script:

python3 batch_interpreter.py --file c:\test\obfuscated_file.bat

Options

$ python3 batch_interpreter.py --help
usage: batch_interpreter.py [-h] [-f FILE] [-o OUTPUT] [-v] [-m] [-e]

options:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  The path of obfuscated batch file
  -o OUTPUT, --output OUTPUT
                        The path the deobfuscated batch file should be written
                        to (default: stdout)
  -v, --verbose         Whether to include additional information in the
                        output, such as child commands and comments
  -m, --math            Whether to attempt to execute mathematical operations
                        in the batch file
  -e, --exitcodes       Whether to attempt to store command exit codes and
                        replace `%=exitcodeAscii%` with the appropriate value

Example

python3 batch_interpreter.py -f ../examples/huntress-2024-russian-roulette.bat -o ../examples/deobfuscated-verbose.bat --math --exitcodes --verbose
python3 batch_interpreter.py -f ../examples/huntress-2024-russian-roulette.bat -o ../examples/deobfuscated.bat --math --exitcodes

Use as a lib

from batch_deobfuscator.batch_interpreter import BatchDeobfuscator, handle_bat_file
deobfuscator = BatchDeobfuscator()
deobfuscated_script = handle_bat_file(deobfuscator, "./obfuscated_file.bat")

Developing

Setup

$ git clone https://github.com/TargetPackage/batch_deobfuscator
$ cd batch_deobfuscator
$ pip3 install -e ".[dev]"

Testing

$ python3 -m pytest

Add -v for extra information, useful if tests are failing and you aren't sure why.

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%