Clink Injection and reading commands in cmd before they execute.

[KingKDot]

I've been using clink for a while now and I'm very fascinated on how it injects into cmd.exe and can auto complete commands, etc. I'm trying to make something similar but with deobfuscating windows batch files and my current approach is to inject my own dll into cmd.exe and hook the function that reads the commands after variables are expanded, etc and before any code is executed in order to pull out the fully deobfuscated code. Currently I'm unable to find the function that does this and I've had no luck with x64dbg. Would anyone be able to point me in the right direction (yes I understand I basically have 0 idea wtf I'm doing) Thank you

[chrisant996]

my current approach is to inject my own dll into cmd.exe and hook the function that reads the commands after variables are expanded, etc and before any code is executed in order to pull out the fully deobfuscated code. Currently I'm unable to find the function that does this and I've had no luck with x64dbg.

Are you familiar with grammars, parsers, and lexers? If not, I recommend to do some reading about them. The wikipedia article Syntax (programming languages) looks like a pretty good starting point.

The function you're looking for doesn't exist. In CMD, bash, powershell, zsh, fish, etc the syntax is more complex than simply preprocessing a line of text to expand environment variables. Each language has a grammar, and the grammars aren't line-based.

Here's a quick illustration: Try typing if 1==1 ( echo hello and press Enter. Despite being a line, it's incomplete syntax, and CMD prompts "More?" until you complete the syntax requirements. E.g. enter ) at the "More?" prompt. The same is true in batch scripts, except that if a script file ends without satisfying the syntax requirements then of course CMD can't prompt for more input, so it's just a syntax error. I'm glossing over a lot of details, but hopefully that helps illustrate that the syntax is more complex than just "lines".

Some other search keywords that might help you focus your learning time are "interpreted language vs compiled language" and "lexing" or "parsing" or "programming language grammars".

Good luck with the learning opportunity! Sorry that the project you were hoping to work on isn't possible, but maybe you'll find a way to tackle it from a different angle. Parsing, lexing, grammars/etc are very useful topics; the basics can be understood without too much time/pain/effort, and if the topics are interesting then there's no limit to how deeply they can be explored. Fun stuff.