Windows - Batch Obfuscated Stager
Skills:
Defensive AI90%Reading ML Papers80%AI Safety Engineering80%Research Methods70%Security Basics70%
Key Takeaways
The video demonstrates Windows batch obfuscation techniques using batch scripting language, Python, and various tools to create obfuscated variables and payloads, with a focus on evading detection and executing commands like running a calculator.
Full Transcript
hello everyone my name is john hammond welcome back another youtube video and in this video i want to do something a little different um this was a technique that we recently saw at work and it was kind of a clever thing to potentially stage malware or bad stuff or other programs that you want to run within windows in dos or batch within the windows command prompt the cmd.exe scripting language and shell system language and all that so i thought it was kind of neat and kind of clever because they essentially just use variables to stage and leverage and put together potentially just calling a payload or starting something new as another program to kick off and it would be all mangled and put together in like just printable characters english that all look like nonsense and gibberish so a little obfuscation to help potentially stage a payload and i thought it was kind of neat and clever and i thought like oh well you could actually automate like the creation of that and maybe you could get something random every time so it looks different and you could bundle it up and package it and whatever it's a thing um i'm going to obviously neuter that and we're not going to use it to stage malware or bad stuff we'll use a proof of concept just like starting notepad or kickstarting a specific program and uh like calc.exe and make it really easy for us in a testing proof of concept and obviously not doing anything bad or malicious because we don't do that that's not what we do so um disclaimer i am going to be kind of going in cold on this so i'll use python to script it out which yeah isn't native to windows but i'm going to have it installed and we're going to work with it and we'll just use python to decorate and create the actual launcher and thing itself again i'm going in cold on this so i might fumble around a good amount in python this will be kind of a raw off the cuff chill video so anyway let's get to it i guess i'll show you kind of what i'm talking about and we'll hop on over to my screen here let me fire up command prompt and i'll show you this trick right so you can set like any variable to be anything that you want uh within batch and you can then use that variable even in the context that batch and the shell will automatically interpret it'll just take it kind of literally it'll understand interpret that value so you can use that to build out other commands or other things that you want to run and that's kind of interesting and weird so you can see i've just got the set variable here or that that command of that function whatever you really want to call it here and we'll use that to go ahead and create a variable that's just syntax and we'll call it like aaa just as a example and i'm going to set that equal to the word set and that's it now i have the variable aaa that i could access and it's simply the word set as i've defined there uh if we were to go ahead and define another variable i'll go ahead and use aaa to go ahead and set a variable which is kind of funky right because we know that that word set is going to be interpreted and i'll use that to create a new variable called bbb looks weird right because i'm just using set in the place of that including the space and bbb will equal a space character right you kind of see where i'm going this so now i could use aaa with bbb and now create a new variable called ccc and i'll set that equal to an equal sign and that might look weird uh actually we should probably change that to ddd because now i'm going to end up creating variables with just this syntax that we've just created and manifested so the c will be the variable that we end up using and our d will equal equal signs that we use in the actual assignment operation so it looks funny equals equals but i'm literally creating a variable that is just going to be the equal sign right that just ran and it works so now i could use aaa to set bbb to have my actual uh space character there and i'll use ccc as a new variable that i'm going to try and define and i'll use ddd to include that equal sign now i can set it to a value i can set it to hacks or whatever and that executed and now i have the variable ccc if you could keep track of that so let me go ahead and echo out the value of ccc hacks and i've just set that in a weird looking syntax just wrapping and masking behind it all of the actual variables of the commands that will go ahead and create a variable so now you could use this and you could build out in this weird random syntax other character set and create a potential payload that you could hide and mask with this funky thing and you it's obviously all going to be printable characters and it doesn't look like you're creating a long string to invoke memy cats or do anything that you might really want to that's the gist that's the gimmick now let's go ahead and i guess create a script for this i'll make directory um batch guess and i'll hop over in there and i'm going to use sublime text to create a obvious skater dot pi i guess and now that window is opened up we can start to write our code again i'm not a thousand percent positive where i'm going to go with this so complete disclaimer if there's some weird fumbling and i don't do a incredible great job right off the cuff but i'm going to import the random module because i want to essentially create random letters being my variable name and then the python code will just keep track of all that and know how to smartly create the payload um string will give us all those random letters that we could use and our end goal right will be like kickstart a program that'll we'll just start calc right so calc is in c windows system32 calc.exe is that right yeah it is okay cool so if i were to have the syntax for start see windows system32 calc.exe it'll just start it and that's really going to be our proof of concept so goal i guess can equal start c colon windows system32 calc.exe but obviously sure you could replace this with anything you particularly wanted to we saw it in the case of some nefarious stuff and we're not going to do that that's not what we're all about we're going to have this proof of concept to uh kickstarter program in an obfuscated way within batch and windows so let's go ahead and create a variable that we can use as our set operator because we got to start with those right so let's actually define i guess a function before i do this so we can get random mess uh we can i guess apply a length as an optional variable let's just call it like five as the the length of the randomness in that case and let's go ahead and return a list comprehension of string dot ascii lowercase for underscore in range of length and i do want to jitter that a little bit so i i guess we can say min length and max length equals like 10 so for range of random has a rand range function doesn't it if i clear the screen here cls python again i'm using it in windows so import random random dot rand range i think zero to ten yeah cool okay so that'll work just fine for us let's use rand random.rand range and i had to actually choose one of the random letters here so let's use choice around that string list and random will be min len oh i'm jumping around midland and maxlan okay so proof of concept right let's just check out our get random mess and see if it actually works for us please let me out okay let's python obfuscator and i failed into object is not iterable oh that has to be wrapped in range so i did want to keep that gotcha range will go ahead and create the number sequence but random.range is going to return the random number and that's going to be used as the length of our range so that's why we needed that cool let's try that one more time and now we get some random mess uggsy i like that one uh we do need to be careful and that sure we could potentially have a collision with our randomness and we could keep track of that i don't know if i'll need to run into that in this um i can use like a randoms that i can keep track of so rand i guess can equal what we've got and will global randoms really need to do anything because it's already a global variable we can do like if rand not or while i want to check if rand not in randoms then we'll go ahead and add it to our set of random variables that we've seen so let's go ahead and append our rand and then we'll go ahead and return our rand um if i do a while [Music] and then i guess let's do a while rand in randoms how do i i want to get this logic right so that like it'll create that first and python i don't think has a do while does python have a do while uh the danger of me opening up my actual web browser python python do while let me let it do while loop i guess i mean i guess that would work right because it'll just keep randomizing it and then once it knows that it's not in randoms it'll go ahead and return it so i think that should work yeah it's still still going so whatever now let's get our set operator and our set operator will equal a get random mess so the code here that we're going to end up writing should be i'm going to use f strings we'll do set our set operator to equal the word set and that's all that we'll need for that first one right so at the end i guess we will print out our code all joined together with new lines right so now oh i need to actually set the opera oh i need to stink and call the function that's why set all that nonsense into set which is good okay and now we need to get a primitive for a space character so we will use this percent to set a space character get random mess set with the space now including our space character value like variable name will be equal to a space right good and then we need to actually get our equals character so that's the first primitive right equals character equals a get random mess and with this prologue here we've sort of gone ahead and used the set operator with the space character value to get a new variable our equals character equal to equals oh that's so wonky right and then let's get a proof of concept dummy character so now we're using our set operator with our space character with the equals character actually being set uh after i get a dummy name so let's just use variable dummy name and then i'll use our value of our equals character to be oh my face is in the way i'm so sorry how long has that been doing that sorry various equals character equals please subscribe good enough right so if i were to write all that out and i were to copy that if i were to clear the screen and paste all that set is getting in the way of something what's going wrong here set that thing equal to set which it has and i set this other thing equal to a space character so i have set space character aztdm why is the space character not working let's um do a little right here so let's open a payload.bat right and we'll write it in in write mode so like with that as handle we'll do handle dot write and then let's say final code equals all of that so let's write that final code into that handle now when i run this obfuscator i now have a subwool.exe actually just open it here in our payload.bat which includes everything that we need and there is a space character there so if i were to try and run that payload.bat it works okay so uh what is the value of dummy name right now please subscribe excellent okay the thing does the thing that it's supposed to do when it operates as a thing so get random s is working just fine we have kind of a prologue right now right so let's change that variable name to prolog and let's say code can equal our uh i guess an an empty thing and let's do code empty think plus a prologue does that work you can add a raise like that can't you oh i also realized that i typed obfuscator wrong what okay so now that we have all that now we need to be able to start to build out the primitives for getting all the other characters in here the thing that i'm worried about is some of these special characters like the equal sign can i set those just as easily just fine let me get back to the command prompt and we'll do kind of a proof of concept here if i clear the screen and if i were to set a to equal a colon can i echo a and it works just fine i guess so how about a forward slash b can equal uh forward slash yep echo b perfect and a period i think that's all i need um set c to equal a period echo c yep period fantastic okay so now we need to start to build out a library of all the potential characters that we could end up using and generate their randomness for that so let's grab a like and start to build i guess a dictionary of what we know um let's just go ahead and create that dictionary of our own batch alphabet right so for uh character in string dot printable we could we should maybe define a function to be like set a variable now let's do that after we've created the prologue because now that we have the functionality to create variables at a wimp or like on whim let's do a create variable of our name and value so let's return write an f string as we've done before with kind of the prologue-like syntax just this very very last one where we have our proof of concept and we don't need that anymore let's return the f string of setting a var name we'll replace that and then the value right let me zoom out so you can see that just a smidge because i know it's getting wonky when we're doing all this obfuscation our set operator our space character our var name with the equal sign will be set to that value and then we'll return that so for character and string printable we'll go ahead and create a variable now that we can use that function of and we should add this to our dictionary so i'm trying to think about all that things that we need to do here create a variable with the get random mess name so i guess i should actually keep track of that as a variable so var name can equal that value can equal character create a variable with the random variable name with that value and then we'll want to add that to our current code so code.append all that and actually we should make a specific uh var settings list i think creo variable name all of these variables um that's right and now we add it to our alphabet so dot what do i do i'm sorry i'm like my brain is just being fried right now it's still early in the morning alphabet value is what i want to index because i want to be able to know something based off of the specific key equal to that var name right okay good so now let's go ahead and print out the joined rendition of all of the var settings that we've just created so if i were to python 3r obfuscator i totally failed var settings as a tuple why is that var settings.pen var settings was made a list sequence item 0 expected string instance tuple found why did we return oh there's a stinking comma at the very very end of my create variable function wtf why is that there okay cool now we've gone ahead and created variable names for all of the potential letters we could use all the characters and they're all created with randomness they also have a new line in there do i can i actually use that variable as a new line i mean i guess i have to execute this uh that would probably fail i feel like it would whatever let's uh add our var settings into our code after we've defined them and then let's display that out so now i have in my payload here all of this all of this all of this and if i were to go ahead and go ahead and run that payload okay so the semicolon will not work how about the new line which one of these was the new line that was trpd vjxg nice i like that if i echo out that value does it work nope it's been set to nothing how about huy if h-u-y-f-i-d nope also been set to nothing how about this guy this should have a value do any of these have a value let's get um my f variable obviously the most important one f okay i mean so that works whatever i'm cool with it you know not a big deal so now we've had a lot of now we have a lot of potential right because we have defined a randomness way to gain access to all of the potential characters that we might want to use so we could use all of the characters that we have here in our goal and then go ahead and run it so let me start to [Music] build that out let's do a four character in our goal let's get the variable name that we need for one thing so we can use our alphabet index at that character because that's what we set in really the alphabet and let's as a proof of concept just kind of print that out just to see so let's python 3r obfuscator and there is all of our stuff seemingly cool and then we want to get the actual wrapped implementation of that so an f string with the percent signs around it for our character and our goal now let's print out that so we're just getting the values and it'll be executed on the command line right so if i were to join all of that together without a new line because it's going to just be one command now this giant string based off our randomness we'll go ahead and execute the calculator right that's the idea so let's include that as a execute variable right and now let's add it into our code that we run so i should be able to run the obfuscator and that failed um because that needs to be a list on its own sorry because all the others all the other types here are lists so now we're on that and our payload should have that at the very very very very end which you can see it does and theoretically this i'm crossing my fingers here because again this i haven't done this i'm going in cold if i were to run this payload something broke is that the less than symbol i feel like i should remove some of those it's probably breaking stuff did it actually even get down there no i think it started to read in yeah le cpi broke it okay so we gotta remove some of those then let's do um let's create a little bad characters list and remove those and let's change our string dot printable to uh a character set name that we want to use so let's use character set at the very very top here can be equal to our string.printable and then let's have a bad characters and let's say we i mean this can just be a string it doesn't need to be a list so uh that that that and let's see if that's good enough uh character set for bad for bad in bad characters let's go ahead and remove that from the character set so character set can equal character set dot replace just to remove that badness with nothing and then rather than string.printable let's just use character set okay now let's run the obfuscator and take a look at our payload no seemingly weirdness yet but we should run it and find it if we get anything bad clear the screen run the payload and a colon's being funky what is that one doing is that like a null bite what comes after this the square brace oh it's a backslash oh it's escaping the new line huh that's wonky okay so i realize that maybe it's smarter to be using backslashes because it's a windows file system but that's going to be a little bit of an exception to our rule here and we probably have to finagle that a little bit um let's gloss over that for the time being and an exercise left off left to the reader how about that curly brace can i nerf that um now keep in mind i'm doing all this in a very uh whack-a-mole way um but if you are doing this with a legitimate payload and you are trying to do a little bit more with this you could start to group some of the potential bad characters together with a known good character so if i were to set uh clear the screen again set a to equal that curly brace why did that work that time was there another thing that was being weird what is what is what is with the curly brace oh it's the backtick maybe set aid equal a backtick no that's totally fine what the what all right can you run the obfuscator one more time please python hello python3 obfuscator and then payload.bat what square braces being funky oh the backslash actually worked just fine are you like combining things that you shouldn't what is tgkzk tgkzk that equals the underscore and this carrot is being wonky i think that's it let's remove the carrot let's remove any any seemingly direction pointing arrows obfuscator payload please backtick is still being what is going on let's remove the backtick anyway i guess i got distracted and i was trying to tell you that um if you are seeing this issue and you aren't needing to care about all of the potential characters like in this character set out of string printable that we're building you could just be taking the characters that you need out of your goal string out of what you're trying to execute and if there are weird bad characters just morph them into another so when i say that it'll be like oh sure if you were tripping up on the colon just combine it with the c colon and that might make it behave a little bit better uh uh um python 3 obfuscator python 3. payload.bat and our curly brace is still being weird so let's just remove the curly brace we don't need it whatever i'm fine with it i don't care cls payload bat here we go underscores why why all right remove the underscores now let's run the obfuscator now let's run the payload go go go go go this is unreal we should realistically only care about the stuff in the goal so maybe for the sake of our sanity and mine i guess my my sanity let's just change this to the character in the goal string create variables specific to those and that's an easy fix like we don't really need to do that so uh i didn't run the obfuscator so that's going to fail clear python 3 obfuscator run the payload and we ran calc all right so that added an extra seven minutes that we really really didn't need um anyway i think that's kind of neat i have uh one other idea that we could take advantage here and use um and i don't know if it'll work but that's our obfuscator um and we could actually add in a in our prologue right let's just create a little at echo off so it doesn't spit that all out um run the obfuscator run the payload and add echo off is not going to behave fine i don't think we need it we we we actually didn't even end up using it or it wasn't present in the artifact that we found this in so if anything i think this does a good job and that this file alone might not trigger any edr or antivirus thing because you are hiding this and masking this payload with a little bit of obfuscation and now we've randomized it so it can be a different thing every single time that's a little neat um let's try and take this one step further so here we go we're at a checkpoint right milestone one we've kind of completed what we wanted to for this video and that already took me a half hour now we're going to once again kind of explore an uncharted territory because i haven't done this yet so bear with me with all of my mess-ups but here's the thing that you can do let me show you this um batch can convert an an ascii number or an integer into the ascii character representation so if i were to use cmd slash c and then exit with a number right let's go 65 because that's in the ascii table the value representing a capital letter a there we go that will work and now i can echo out this percent sign equals exit code ascii and it's the letter a right so if i could do this for 66 now i've got b and i can do this for like 92 or 91 and now i've got that symbol so maybe that will also help us get out of the issue of maybe help that'll help us avoid the issue of running into those characters that were being problematic because we can convert it from a value we could set that as we need to in our code and that way we can mangle this a little bit more because we can do other weird things with numbers um and this was not present in the uh potential artifact that we found that was doing this this is just my mental abomination and diabolical disaster so batch will let you do the modulus operator we can go ahead and set and if we are to set we need to use a slash a because set slash a is a for doing arithmetic and that grants you the opportunity to use the modulus operator so let's set mod equal to like let's go to um mod like 4 so that's 2 divided by 4 and the remainder well 2 can't divide by 4 so it's going to get a remainder of 2. modulus operator is getting the remainder of a division operation so the way we could get a number that we want is to take one number that we're looking for like say we're looking to get the number eight and if i were to multiply this by any random number two three four five six and if i were to take that number once again and multiply it by that same number two three four five five one down now i've gotten a remainder of 8 or excuse me a remainder of 0. did i go too high or something what was weird in that or do i have those values backwards i think maybe i have those values backwards 22 23. i just did this does it need to be [Music] it probably needs to be parenthesized this was something that i was testing ahead of time okay okay okay whatever let's go 230 that thing and then yeah okay so it needs to be in parentheses cool i'm not crazy thank you um add random numbers to that three four five six and let's take that down a step now you have too much numbers so two three two two three five how about that two two three six please there we go i don't know what the threshold in batch is for these numbers uh but i guess we can figure that out and we'll put it in the range of like a thousand uh or so if i were to go nine nine nine nine how does that work versus nine nine nine eight okay cool so what if i went for 255 times that value or i guess 126 is the highest ascii value that we can represent right so let's do 126 times that 126. all right we'll we'll use that as our threshold nine four nines quad nine will be what we will work with that is enough tinkering and and play um let's experiment and this might be a totally failed initiative i don't know if i can get this right but now we've got some other primitives that we want to work with we want to use our set operator to create variables and we will need the prologue to go ahead and create a slash and an a because now we'll have a new way of defining variables if we were to use this method um before i do this i guess i'll call this um obvious skater 2 or yeah i mean second obvious game so my tab complete works a little bit better so now we're going to be defining a slash and let's do that for a slash character and an a character so our equals character has been set and this create variable name i should honestly use our [Music] i guess i create like a second prologue right you know what i'm saying let's do that let's take this prologue here and then go ahead and create a second prologue where now we can use the create variable syntax and kind of as we did in goal but now we're going to end up doing it for just the string forward slash a because we need that as part of our set slash a syntax so the var name will be a get random mess the character is still going to be a character and let's create a second prologue to append creating it and we've defined that already so i think that's good yeah yeah let's create that second prologue list here good so now our code can equal our prologue plus our second prologue do i have a second character anywhere i don't know why it created that for me now we can redefine our create variable and do some weird stuff here's what we can do now that we've got the capability to create things with a slash a we can use our set operator with our space character with the value of the alphabet that we're working in with a slash with the value of the alphabet slash a with another space character following that with a variable name set to a value this will not work immediately because we need to go ahead and get the value based off of our modulus so i'm going to define this as steps and this will probably end up being the last step but now what we need to do is determine the character that we want so we can test if that value is or i guess if like length of value is 1 otherwise we'll raise an assert error i guess a value error right i can only handle one character for obfuscation sure totally fine um i hope my face wasn't in the way for like half of this video what we need to do now is set a variable to oh geez we're gonna get super recursive here are we no we need to first know the value that we have so ascii value equals the ord of that value and ord is right right ord will return the ordinal python 3 ord of capital a 65. great that's good exit please so with that we get the ascii value and we need to then get it as a variable that we're going to define with the modulus so we're going to set oh boy sorry this is hurting my mind right now set operator i gotta zoom out i gotta zoom out because this is getting so lengthy set slash a to equal the let's set some parentheses no no because i don't want the parentheses i want python to figure it out for me so python needs to do the get a random number so um multiplier right can equal random.rain random.rand range of 1000 to 999. so the in the a mod b equals c modulus operation that we're doing our a is going to be c times our multiplier modulus b times our multiplier minus one right so i am not going to have any shame and i'm just going to define it that so uh ascii value is really what the c that we want because that's what we know our modulus is going to end up as so a can equal the ascii value multiplied by the multiplier and then b can equal the ascii value multiplied by the multiplier minus one great so now i'm going to have a set operator space character alphabet um set slash a so we can get into the math sorry i'm just thinking and this is bending my mind right now bar name equals character can equal the parentheses and we don't even need parentheses anymore because we've already done that math for us thanks to python so that will be a mod b right so that has now given me a random [Music] that has given me the number but now i need to convert it back okay so now i can just use that cmd slash b now i can just exit with that value and we might not end up using the var name to do that because we probably need a temporary var name for that so for that variable right unless you can you do that exit with with the math in there or does it have to be through set like let's try that cmd slash c exits paste and then echo the equals exit code ascii no that fails how about 65 okay so we just can't do math like that so let's slash a mod with our 65 with our 65 and then let's try and cmd slash c exit with our mod value which should work and we try and exit with that now we have a so we do need to use that temporary variable and that will be a get random mess name so now rather than using var name for the first one we will need to use a temporary variable set to that and then we'll need to go ahead and exit with the value of that temporary one so ooh i want to define the variables to be able to execute cmd c because that's going to get annoying we can do that right because we already have our create variable primitives and that's just less of them or should be using should we be using these get our second layer of create variable after we've redefined it should we be using that to go ahead and create cmd i mean we can't we need we need that we need that after the fact so slash a we're going to end up having and we're also going to have cmd we already have the slash where do you have the c uh we need exit and we need the space even though we've already defined the space up top we just haven't kept track of that in our alphabet range so steps equals all of that um we should call this mod create variable rather than create variable because we're going to need to create variable repeatedly so i guess we should just kind of create we already did create those we created all those variables so now we just need to use all of those in a string so how should we do that steps steps plus equals that this is probably an extremely confusing video and i'm sorry steps equals that and now we need to do for character in cmd slash c exit and then we need to include all of those we need to take pieces pieces dot append the format string of the value of the alphabet that we know with our character because now we'll have cmd slash all the way up to exit and then we will do pieces dot append a f-string with the value of our temporary variable so we'll eventually have cmd slash c slash exit slash and the the value of mod kind of just as we had us just as we did before and then we need to go ahead and set set with a create with the create variable pieces actually should equal this a list with just all the pieces put together so that's on one line because this will go ahead and create the temporary variable with the numeric value of the value that we want and then for character in cmd slash c exit to stage that into an exit code and then we have to go ahead and set the variable name of the var name to really be the exit value so when i run create variable will var name take the spot just fine i think it will so steps will now equal a set operator with a space with the alphabet and we don't actually need this new alphabet slash a because we aren't doing any math in this we're just setting a variable to that and we could do that with a create variable because that's just going to return it is it not yeah steps create variable with the var name as we have done good oh man this is still blowing my mind because now i scrolled down i was like wait didn't we need to do that for the goal anyway um var name should be our equals exit code ascii theoretically right and this might fail this might completely fail i realize i'm going on almost an hour and i is this is still on a whim so let's create that variable as the last step and then we need to return all of these put together so return oh we need to add that into the add the pieces into the steps return all those pieces no return all those steps because those are all of the lines that we're building and the steps that are necessary to create a variable with this modulus operator so all of the code now we'll need to create all of these so for the character in the goal we are going to pass in a random mess as the variable name and then set the value wait what did modcreatevalue used to do okay it would just run the function and it passed in the value and we already figured that out because we set value in a in a modulus ordinal thing so for character and goal we still just need to do all this but now we're going to end up calling mod create variable with the var name and the variable and that's going to return a a list so var settings needs to actually add on this right and then all that alphabet works oh gosh this is extremely confusing i don't know if that worked honestly i honestly don't know let's see what's wrong with it python second obfuscator alphabet is not defined excuse me where are we trying to run alphabet line 42 second prologue oh i guess we really should move that up alphabet should probably be defined like way way up here here we go it ran okay z types wow that's a very nice random word that you generated oh boy so this should equal what set slash a to mod can equal that right 115. what is what is the first one that we work with out of string.printable python3 import string.printable excuse me oh import string duh string.printable i can type printable holy cow zero now let's take the ord of that 48 that's not good is that right what did we do wrong whatever uh let's try and run all this and just see if it works no no not in python please okay paste all that in and that's failing um totally fine let's just get up to the very very first uh execution of creating a variable so let's run payload.bat cmd slash exit equals oh oh no what's going on it needs the percent sign why is it doing that cnbc equals do i need a second percent sign and all that to like escape it that's going to look really weird man let's do it let's do it python 3 second payload again let's just get all the exit codes oh i'm missing a percent sign in one of these percent percent that exit ascii is not exit do i need the literals there what's happening oh wait a second i did have it there it's just sorry the equal sign is was weirding me out yeah reload the thing now let's payload.bat oh it did it oh and it did it because it was s because it's for start oh did it do it did it work did it let's go let's go let's see this a t oh holy crap all right let's just run the whole thing let's send it send it boys i hello can i have the whole can i have the whole payload back please thank you all right one more time one more time do the thing that is awesome oh my gosh now okay so i'm a little worried i'm a little weirded out with this one because obviously we are running cmd slash c exit and that's invoking cmd that's like starting a whole nother process so i want to open up like procmod or something and just let that run and see what happens uh so let's do that we're at the hour mark this has been a long long show but um do i have sys internals cis internals nope probably not all right let's get to chrome and let's download cis internals cis internals i want to watch and see like the serious amount of cmd.exe just flare up my computer or if that even happens but that's one way of obfuscating and that looks dirty right like that that's crazy [Laughter] we could amp up those numbers if we wanted to and i guess we could probably finagle this a little bit more but let's let's download cis internals and see how we do i hope that was fun thanks for tolerating all of that guys holy crap i hope that was a good time all right we'll wait for assist internals to download and i guess we'll review really everything that we went over here so we went in a lot of different places and i'm sorry for that but eventually all we wanted to do was obfuscate the process of running a program we used calc as our proof of concept we wanted to define all of the potential characters that we might be using in that string to run the command start calculator and define them in like random variables and uh maybe we could actually do that with string.printable now and we won't have the issue can i try that are you guys cool with me trying that rather than just looping through goal now to create the character set let's use all the characters and let's not remove them because i think this new method will actually allow us to like using the modulus as a means to hide it even further that should let us build out the entire printable character set and it's cruising it's going oh i broke it cnb c6 oh it's the stinking less than symbols i guess those are still getting in the way because you need to use them as as part of set so that's why it dies all right i did a bad job of doing a recap because i got distracted that takes a while to stage everything but yep the pipe's still going weird which we don't exactly need do we need pipes i mean it'd be cool to actually have pipes so let's try and keep the pipes in there and see if that was just the square braces that were making an issue nope what is it is it the pipes let's take the pipes out how is cis internals doing oh they're downloaded okay cool what oh did i not run the stinking obfuscator again second obfuscator payload let's uh let's get system turtles cruising while we're doing that let's drag this down and like let's run procmod just to see how absurd it is oh it popped calc not that it didn't it didn't pulp it didn't pop calc it's not an exploit but it's a cool obfuscation technique wow uh all right so let's see what we got can i filter for um process name is cmd.exe yeah add the item please okay so if i just start cmd cmd will it show in procmod yeah okay it's doing its thing oh boy i don't need all that can i can i clear that actually how do i clear i do want a process start operation so include only that cool so now if i try and use this filtered technique using the modulus operator using that batch gimmick to convert ascii into an actual letter do we get a crap ton of cmd.exe payloads yep there they go that's surprisingly is that like not enough or is it just like oh i think is it is it refreshing or something i mean the process id stays the same here comes calc you know what however long that took that time is plenty that is plenty fast and the hackers don't need to worry about how much time it takes oh wow look at the tool tip can i hover over it again i want to see that again i want you to show me the tool tip show me the arguments exit code ask equals four wow and all the variables oh that's super cool that's a mess that was super fun though i hope i hope that was i hope that was a good watch i know it took us a long long time but i think we got a lot of really neat stuff out of that and that's how you could potentially obfuscate just a little kickstarter just a stager and i don't know tinker with it again this is for the sake of education this is for the stake the sake of learning and seeing how crazy it is when you have this obfuscated thing and it's just batch you know it's just cmd um i showcased another video how you could disable the command prompt and that's not a real security measure it's not encouraged or enforced as one but it's a thing you could do the same way this is a thing you could do so we just got randomness to be able to define variables and then we were able to use those variables as part of the actual command that was ran and build them out to create any essential scripting that we want we just did it with one goal just running one command to pop a calculator but that's it and this is messy dirty code but this was all totally off the cuff and that was really really cool and kind of fun and that was fantastic when it worked so that's been a lot of me talking this has been an hour long video and i'm sure you have stuff that you have to get back to in your life so let's wrap it up here thank you so so much for watching this has probably been one of the most fun videos i've done in a long while and it was good to get into python and just mess around for a little bit so uh if you did like this video please do press that like button maybe leave a comment please subscribe do the whole youtube algorithm thing i'm super duper grateful and maybe we can do more stuff like this in the future i had a lot of fun i hope you did too and let's let's call it a day thanks so much everybody i love you i'll see you in the next video take care
Original Description
To help support me, check out Kite! Kite is a coding assistant that helps you faster, on any IDE offer smart completions and documentation. https://www.kite.com/get-kite/?utm_medium=referral&utm_source=youtube&utm_campaign=johnhammond&utm_content=description-only (disclaimer, affiliate link) Hang with our community on Discord! https://johnhammond.org/discord
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Defensive AI
View skill →Related Reads
📰
📰
📰
📰
AI is reshaping compliance operations across the U.S. government — and the shift is accelerating.
Medium · Data Science
I Spent a Week Trying to Break an AI. The Hard Part Wasn’t Breaking It.
Medium · Machine Learning
Everyone Is Chasing AI Benchmarks, Almost Nobody Is Measuring Truth
Hackernoon
Politeness Is Not a Security Model — Hooks & MCP in Claude Code, Deep Dive Part 5
Medium · Programming
🎓
Tutor Explanation
DeepCamp AI