"When there are little demons running around with .bat crypters, you get an exorcism."
If you haven't installed Detours, make sure you run `nmake` in the Detours `src` directory.
Exorcism is the first open-source runtime Windows batch deobfuscator that uses DLL injection and function hooking to monitor and log batch file commands as they are executed by cmd.exe.
## Warning

**THE BATCH FILE STILL GETS EXECUTED!**
This tool DOES NOT prevent malicious batch files from executing. It only logs the commands as they run. DO NOT use this tool on untrusted or malicious batch files unless you are in a completely isolated environment (sandboxed VM, air-gapped system, etc.).
Use at your own risk. This tool is intended for security research, malware analysis, and educational purposes only.
## How It Works

Exorcism hooks into the Windows Command Processor (cmd.exe) at runtime to intercept and log batch commands before they are executed. Unlike static analysis tools that can be fooled by obfuscation techniques, Exorcism captures the actual commands as they are processed by the Windows command interpreter.
## Features

- **Runtime Analysis**: Captures commands as they are actually executed, bypassing most obfuscation techniques
- **DLL Injection**: Uses the Microsoft Detours library for reliable function hooking
- **Real-time Monitoring**: Live command logging with JSON output format
- **Safe Memory Access**: Robust pointer validation and memory safety checks
- **Cross-Architecture**: Supports both x86 and x64 processes
## Architecture

The tool consists of two main components:

- **Hook DLL** (`cmdtest.dll`): A C++ DLL that hooks the `FindFixAndRun` function in `cmd.exe`
- **Python Controller** (`main.py`): A Python script that handles DLL injection and log monitoring

1. The Python controller launches a new `cmd.exe` process
2. The hook DLL is injected into the `cmd.exe` process using DLL injection
3. The DLL hooks the internal `FindFixAndRun` function using Microsoft Detours
4. Every command executed by the batch file is logged to `cmd_hook.json` before execution
5. The Python monitor displays the logged commands in real-time
## Prerequisites

- Windows 10/11 (x64)
- Visual Studio 2019/2022 with C++ development tools
- Python 3.7 or higher
- Administrator privileges (required for DLL injection)
## Installation

```bash
git clone https://github.com/YourUsername/Exorcism.git
cd Exorcism
```

- Open `cmdtest/cmdtest.sln` in Visual Studio
- Select the Release configuration and x64 platform
- Build the solution (Ctrl+Shift+B)
- The compiled DLL will be located at `x64/Release/cmdtest.dll`

```bash
pip install -r requirements.txt
```

## Usage

1. Run as Administrator (required for DLL injection):

   ```
   # Open Command Prompt as Administrator
   python main.py
   ```

2. Enter the DLL path when prompted:

   ```
   Enter the full path to the hook DLL: C:\path\to\Exorcism\x64\Release\cmdtest.dll
   ```

3. Execute your batch file in the monitored cmd.exe window that appears
4. Monitor the output in real-time as commands are logged
## Example

```batch
echo Hello World
set VAR=secret_value
if exist file.txt del file.txt
cls
```

The tool logs commands in JSON format to `cmd_hook.json`:

```json
{"event_type":"hook_status","message":"FindFixAndRun hook initialized successfully"}
{"arguments":" Hello World","command":"echo","command_type":0,"event_type":"command_execution"}
{"arguments":" VAR=secret_value","command":"set","command_type":0,"event_type":"command_execution"}
{"command":"cls","command_type":0,"event_type":"command_execution"}
{"event_type":"hook_status","message":"FindFixAndRun hook being removed"}
```

## Technical Details

The hook DLL uses a hardcoded RVA (Relative Virtual Address) to locate the `FindFixAndRun` function:

```cpp
ULONG_PTR rva = 0x116B0; // RVA for FindFixAndRun function
```

**Note:** This RVA is specific to certain versions of cmd.exe. If the hook fails, you may need to:

1. Use a debugger (x64dbg, IDA Pro) to find the current RVA for `FindFixAndRun`
2. Update the RVA value in `dllmain.cpp`
3. Rebuild the DLL
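Because the RVA is hardcoded, a pre-flight check is worth having: read the cmd.exe image's PE section table and confirm that the RVA lands inside an executable section before the hook is written, and convert a debugger-reported absolute address back into an RVA when updating `dllmain.cpp`. The Python below is an added example, not part of the Exorcism code base. It parses the documented PE header layout with the standard library only; the sample image it checks is constructed in-line and does not reflect a real cmd.exe's section layout, and `check_hook_rva`, `va_to_rva` and `build_sample_pe` are names chosen here. Landing in `.text` is a necessary check, not proof that the address is the entry point of `FindFixAndRun`.

```python
"""Check a hardcoded hook RVA against the target image's PE section table.

Added example, not part of the Exorcism project.  A stale RVA (after a
Windows update, or against a different cmd.exe build) typically lands in
data, padding, or outside the image; this catches that before the hook is
written.  Uses only the documented PE header layout and the standard library.
"""
from __future__ import annotations
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PE32_PLUS_MAGIC = 0x20B

HOOK_RVA = 0x116B0  # the value hardcoded in dllmain.cpp (from the README)


def _nt_header_offset(image: bytes) -> int:
    """Return the offset of the "PE\\0\\0" signature, validating both magics."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    return e_lfanew


def image_base(image: bytes) -> int:
    """Preferred load address from the optional header (PE32+ or PE32)."""
    opt = _nt_header_offset(image) + 4 + 20          # skip signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_PLUS_MAGIC:
        return struct.unpack_from("<Q", image, opt + 24)[0]
    return struct.unpack_from("<I", image, opt + 28)[0]


def parse_sections(image: bytes) -> list[dict]:
    """Read the section table: name, virtual address/size, raw size, flags."""
    coff = _nt_header_offset(image) + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars,
        })
    return sections


def section_for_rva(image: bytes, rva: int) -> dict | None:
    """Return the section whose in-memory range contains `rva`, or None."""
    for s in parse_sections(image):
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def check_hook_rva(image: bytes, rva: int = HOOK_RVA) -> str:
    """Classify the RVA: executable section, data section, or outside the image."""
    s = section_for_rva(image, rva)
    if s is None:
        return "outside image"
    if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
        return f"in non-executable section {s['name']}"
    return f"in executable section {s['name']}"


def va_to_rva(va: int, module_base: int) -> int:
    """Turn an absolute address from a debugger into an RVA for dllmain.cpp."""
    if va < module_base:
        raise ValueError("address lies below the module base")
    return va - module_base


def build_sample_pe(sections: list[tuple[bytes, int, int, int]],
                    base: int = 0x140000000) -> bytes:
    """Construct a minimal PE32+ header with the given (name, vaddr, size, flags).

    Constructed test fixture only; the layout does not match a real cmd.exe."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xF0                                   # standard PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = struct.pack("<H", PE32_PLUS_MAGIC) + b"\0" * 22 + struct.pack("<Q", base)
    opt += b"\0" * (size_opt - len(opt))
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, 0, 0, 0, 0, 0, flags)
        for name, vaddr, size, flags in sections
    )
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample image: code at 0x1000-0x21000, then read-only and writable data.
SAMPLE_IMAGE = build_sample_pe([
    (b".text", 0x1000, 0x20000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", 0x21000, 0x8000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", 0x29000, 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    print(f"image base 0x{image_base(SAMPLE_IMAGE):X}")
    for rva in (HOOK_RVA, 0x22000, 0x50000):
        print(f"RVA 0x{rva:X}: {check_hook_rva(SAMPLE_IMAGE, rva)}")
```

To run it against a real binary, read the file into `image` with `open(path, "rb").read()` and call `check_hook_rva(image, 0x116B0)`; the section table lives in the file headers, so cmd.exe itself never has to be started for the check.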
The Python script automatically:

- Cleans up previous log files
- Launches `cmd.exe` with DLL injection
- Monitors the JSON log file in real-time
- Provides a rich terminal interface
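As an added example (not part of `main.py` or the Exorcism project), the reader below performs the monitor's parsing step for the log format shown in the example section above: it consumes `cmd_hook.json` incrementally, buffers a line the DLL has not finished writing, separates `hook_status` events from `command_execution` events, and rebuilds the executed command lines into a plain batch listing, which is the deobfuscated script. The event shapes are taken from the README's sample log; `HookLogReader`, `read_new_bytes` and the polling wiring they imply are assumptions about how a follower would be built, not how `main.py` does it.

```python
"""Rebuild executed command lines from Exorcism's cmd_hook.json.

Added example, not part of main.py or the Exorcism project.  The event
shapes ("hook_status" / "command_execution", "command", optional
"arguments") are taken from the README's sample log; how the file is
followed is an assumption.
"""
from __future__ import annotations
import json


class HookLogReader:
    """Incrementally parses line-delimited JSON as the hook DLL appends it.

    The DLL may be mid-line when the monitor reads, so text after the last
    newline is buffered until the rest of that line arrives.
    """

    def __init__(self) -> None:
        self._buf = ""
        self.status: list[str] = []     # hook_status messages, in order
        self.commands: list[str] = []   # reconstructed command lines, in order
        self.malformed = 0              # lines that were not valid JSON

    def feed(self, chunk: str) -> list[dict]:
        """Consume a chunk of log text; return the complete events it contained."""
        self._buf += chunk
        lines = self._buf.split("\n")
        self._buf = lines.pop()         # unterminated tail, if any
        events: list[dict] = []
        for line in lines:
            line = line.strip()
            if not line:
                continue
            try:
                event = json.loads(line)
            except json.JSONDecodeError:
                self.malformed += 1     # torn write or non-JSON noise; keep going
                continue
            self._record(event)
            events.append(event)
        return events

    def _record(self, event: dict) -> None:
        kind = event.get("event_type")
        if kind == "hook_status":
            self.status.append(event.get("message", ""))
        elif kind == "command_execution":
            self.commands.append(rebuild_command(event))
        # other event types are returned by feed() but not interpreted here


def rebuild_command(event: dict) -> str:
    """Join "command" and the optional "arguments" field into one command line.

    In the sample log "arguments" keeps its leading space and is omitted
    entirely for argument-less commands such as "cls".
    """
    return event.get("command", "") + event.get("arguments", "")


def deobfuscated_script(reader: HookLogReader) -> str:
    """The executed commands as a plain batch listing, one per line."""
    return "".join(cmd + "\n" for cmd in reader.commands)


def read_new_bytes(path: str, reader: HookLogReader, offset: int) -> int:
    """Feed whatever was appended since `offset`; return the new offset.

    Call repeatedly from a polling loop to follow the log while cmd.exe runs
    (assumed wiring, not how main.py does it).
    """
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        fh.seek(offset)
        reader.feed(fh.read())
        return fh.tell()


# Constructed sample, copied from the README's log format section.
SAMPLE_LOG = (
    '{"event_type":"hook_status","message":"FindFixAndRun hook initialized successfully"}\n'
    '{"arguments":" Hello World","command":"echo","command_type":0,"event_type":"command_execution"}\n'
    '{"arguments":" VAR=secret_value","command":"set","command_type":0,"event_type":"command_execution"}\n'
    '{"command":"cls","command_type":0,"event_type":"command_execution"}\n'
    '{"event_type":"hook_status","message":"FindFixAndRun hook being removed"}\n'
)


def parse_sample_in_chunks(chunk_size: int = 40) -> HookLogReader:
    """Feed the sample in small pieces to exercise the partial-line buffering."""
    reader = HookLogReader()
    for i in range(0, len(SAMPLE_LOG), chunk_size):
        reader.feed(SAMPLE_LOG[i:i + chunk_size])
    return reader


if __name__ == "__main__":
    print(deobfuscated_script(parse_sample_in_chunks()), end="")
```

Feeding the sample in 40-character chunks splits every JSON line across reads, which is what the monitor sees when it polls while the DLL is still writing; the reader only parses once a newline closes the line, so a torn write is never mistaken for a malformed event.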
## Safety Considerations

- Always use in isolated environments when analyzing malicious samples
- Consider using a dedicated analysis VM that can be easily restored
- Monitor network connections and file system changes alongside command logging
- Be aware that some advanced malware may detect the hook and alter behavior
## Known Limitations

- The current implementation uses hardcoded RVAs which may break with Windows updates
- Consider implementing IAT (Import Address Table) hooking for better compatibility
- Add additional validation for command arguments and redirections
- Implement process monitoring for child processes spawned by batch files
## Contributing

Contributions are welcome! Areas for improvement:

- **Better Compatibility**: Implement function-name-based hooking instead of a hardcoded RVA (IAT hooking; you can probably just rip it from the clink source)
- **Enhanced Logging**: Add support for environment variable expansion logging
- **Process Monitoring**: Track child processes spawned by batch files
- **Network Monitoring**: Integration with network activity monitoring
- **GUI Interface**: Develop a graphical user interface for easier usage
## License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
## Acknowledgments

- Microsoft Detours library for function hooking capabilities
- nlohmann/json library for safe JSON handling
- Windows XP source code leak for cmd.exe internal structure insights
- The security research community for inspiration and guidance
## Disclaimer

This tool is intended for:
- Security research
- Malware analysis in controlled environments
- Educational purposes
- Legitimate batch file debugging
Users are solely responsible for compliance with applicable laws and regulations. The authors assume no liability for misuse of this software.
Remember: The batch file WILL execute! Use appropriate safety measures!