Leave a ⭐ if you like this Repository
Batch Dump is a compact Python utility that watches common system/user directories for newly created compiled .bat files, copies them to the tool directory for inspection, and optionally deobfuscates certain compiled batch stubs by removing a known hex sequence.
The program uses a clean CLI interface, a gradient ASCII logo, and a lightweight watchdog-based file monitor to automate discovery and basic recovery of batch source code.
Caution
This tool is intended for legitimate reverse-engineering, debugging, recovery, and research in environments where you have explicit permission. Do not use this to access or exfiltrate files you are not authorized to access. The author and contributors are not responsible for misuse of this code.
- 📁 Watch & Dump `.bat` files — Monitors a configurable set of likely locations (Temp, Desktop, Documents, Downloads, ProgramData, etc.) and copies newly created `.bat` files into the script folder.
- 🧩 Deobfuscate Batch Files — Removes a specific byte/hex pattern (`FF FE 26 63 6C 73 0D 0A FF FE 0A 0D`) to reveal readable batch source where applicable.
- 🎨 Aesthetic CLI — Displays a gradient ASCII logo and menu using `rgbprint` and colored output via `colorama`.
- 🔁 Duplicate protection — Tracks already-processed files to avoid copying the same file multiple times during a session.
- Run the tool (`python main.py`).
- Choose one of the two options:
  - `[1] Dump compiled Batch` — start monitoring the configured directories and copy discovered `.bat` files to the script directory.
  - `[2] Deobfuscate Batch` — provide a path to a `.bat` file and the script will remove the configured hex sequence and open the result in your system editor. (This only works for the Chinese method.)
- The tool prints progress to the console and saves discovered files for offline inspection.

✅ When dumping, any discovered `.bat` will be copied into the same folder as `main.py`. When deobfuscating, the file is modified in-place (make backups if needed).
- 🐍 Python 3.9+
- 📦 Dependencies: `pip install watchdog rgbprint colorama`
- 💾 Access to the directories you want to monitor (run with appropriate permissions).
- Only run this tool on machines you own or where you have explicit permission.
- `utility.delete_hex()` modifies files in-place — always keep backups of originals if you need to preserve them.
- Reduce the risk of false detections during testing by limiting `utility.possible_paths` to a single controlled directory.
├─ assets/ ➔ Screenshots of the Program in action
│ └─ preview.png ➔ A screenshot of the Program running
├─ main.py ➔ Main program logic and CLI
├─ LICENSE ➔ License file
└─ README.md ➔ Read me file
The script removes the following hex byte sequence (shown as hex groups):

`FF FE 26 63 6C 73 0D 0A FF FE 0A 0D`
You can change the target pattern by editing the utility.delete_hex() call in BatchDump.deobfuscate(), but doing so is not recommended as it may break the deobfuscation process.
- `watchdog.Observer` + `utility.FileCreationHandler` (subclass of `FileSystemEventHandler`) to react to file creation events.
- `shutil.copy()` copies detected files into the running script directory.
- `utility.delete_hex()` reads file bytes, replaces occurrences of `bytes.fromhex(hex)` with `b''`, and writes back the result.
- `rgbprint.gradient_print()` for the logo and menu; `colorama.Fore` for colored status lines.
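An added example of the deobfuscation step described above (not the project's own `utility.delete_hex()`): it strips the documented pattern, which decodes to a UTF-16 LE byte-order mark, `&cls` plus CRLF, a second BOM and a reversed line ending, and writes a `.bak` copy before modifying the file in place. The function names, the backup suffix and the sample file contents are assumptions/constructed for this example.

```python
# Added example, not code from the Batch Dump project.
import shutil
import tempfile
from pathlib import Path

# Pattern documented in the README: FF FE (UTF-16 LE BOM) + "&cls\r\n"
# + FF FE + "\n\r". Viewers treat the BOM as a UTF-16 marker and render
# the rest as garbage, while cmd.exe still runs the following lines.
HEX_PATTERN = "FF FE 26 63 6C 73 0D 0A FF FE 0A 0D"
PATTERN = bytes.fromhex(HEX_PATTERN)


def strip_pattern(data: bytes, pattern: bytes = PATTERN) -> tuple[bytes, int]:
    """Return data with every occurrence of pattern removed, plus the count."""
    count = data.count(pattern)
    return data.replace(pattern, b""), count


def delete_hex(path, pattern_hex: str = HEX_PATTERN, backup: bool = True) -> int:
    """Remove the pattern from the file at path in place; return occurrences removed.

    When backup is True a copy named <file>.bak is written first (assumed suffix),
    so the original bytes are preserved for later comparison.
    """
    p = Path(path)
    pattern = bytes.fromhex(pattern_hex)
    cleaned, count = strip_pattern(p.read_bytes(), pattern)
    if count == 0:
        return 0  # nothing to do, leave the file untouched
    if backup:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
    p.write_bytes(cleaned)
    return count


def demo() -> tuple[int, bytes, bool]:
    """Run delete_hex on a constructed sample in a temporary directory."""
    # Constructed sample: the stub appears twice around ordinary batch lines.
    sample = PATTERN + b"@echo off\r\n" + PATTERN + b"echo hello\r\n"
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "sample.bat"
        target.write_bytes(sample)
        removed = delete_hex(target)
        backup_present = target.with_name("sample.bat.bak").exists()
        return removed, target.read_bytes(), backup_present


if __name__ == "__main__":
    print(demo())
```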
Distributed under the MIT License. See LICENSE for more information.
- Maintainer: @SwezyDev — reach out via Telegram: @Swezy
- Inspiration: public security research and community writeups.
This project is unofficial and is not affiliated with any vendor. It is meant for educational, analysis, and recovery tasks only. Use responsibly and legally.
This utility exists to help researchers and devs recover and inspect compiled/obfuscated batch stubs. Use responsibly — do not use it to spy, exfiltrate, or automate access to systems you don't own or have permission to test.
