Embedding an .EXE (or other file) into a .BTM

Code:
     _x64: 1
   _admin: 1
_elevated: 1

TCC  27.00.18 x64   Windows 10 [Version 10.0.18363.1256]

I have the want to embed an .EXE (or other file) into a .BTM

I remember doing this with .COM files back in the DOS days, and wondered if it could be done with an .EXE or other file.

I discovered that the certutil.exe utility can encode/decode a file. This is part of my Windows 10 Pro 64-bit OS.

After some searching for different techniques, I created a .BTM that will encode an .EXE, which also creates a .BTM to decode the .EXE, then run it;
Code:
@setlocal
@echo off
set exefile=C:\WINDOWS\system32\notepad.exe
:: Does the exefile exist?
iff isfile %exefile then
  Gosub EncodeEXE
  Gosub MakeBatchHeader 
  :: Add the Encoded .EXE to the .BTM
  type %exeName.tmp >> %exeName.btm
  :: Don't need the Encode .EXE anymore
  del /q %exeName.tmp
  Gosub MakeBatchFooter

  *view %exeName.btm
else
  echo %exefile does not exist.
endiff
endlocal
quit

:EncodeEXE
set exeName=%@name[%exefile]
:: Could also use @b64encode function
certutil -encode -f "%exefile" %exeName.b64
Return

:MakeBatchHeader
echo Creating %exeName.btm
echo Depending on the size of %exeName.exe, this could take a while...
::
:: It took 51 seconds on my system
::
do kount in @%exeName.b64 (echo echo %kount >> %exeName.tmp)
if exist %exeName.b64 del /q %exeName.b64

type <<- endtext > %exeName.btm
@setlocal
@echo off

Gosub DecodeEXE

%exeName.exe

if exist %exeName.exe del /q %exeName.exe
endlocal
quit

:DecodeEXE
(
endtext
Return

:MakeBatchFooter
type <<- endtext >> %exeName.btm
)>%exeName.b64
:: Could also use @b64decode function
certutil -decode %exeName.b64 "%exeName.exe" > nul
if exist %exeName.b64 del /q %exeName.b64
Return
endtext
Return

I'm using notepad.exe as an example, as this is on everyone's system, but use an .EXE of your own choosing.

I will likely use this process for some .XLS files, but I thought that using an .EXE would be a better test for possible corruption.

The resulting notepad.btm works, but gives me an error;
Code:
TCC: E:\Utils\notepad.btm [3792]  Command loop

It also displays the decode text on the screen, which is not what I want.

To create the .EXE from the decode, I do;
Code:
(
echo -----BEGIN CERTIFICATE-----
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.
.
.
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
echo -----END CERTIFICATE-----
)>notepad.b64

I've tried using the TEXT/ENDTEXT commands, and a "Here-Document" TYPE <<-, but this results in the encoded .EXE being corrupt, and not running. I don't think those TCC commands work well with binary data.

The notepad.exe is created, is run, and works as it should. I did
Code:
e:\utils>fc /b c:\windows\system32\notepad.exe notepad.exe
Comparing files C:\WINDOWS\SYSTEM32\notepad.exe and NOTEPAD.EXE
FC: no differences encountered
...which indicated no difference in the files.

Any assistance in getting the indicated problems fixed in my code would be appreciated.

Joe
 
May 20, 2008
11,400
99
Syracuse, NY, USA
How about making the EXE an alternative data stream (with/without encoding it first)?

Code:
copy myexe.exe mybtm.btm:exestream

I'm surprised you got a copy of notepad.exe to run. Here, if I

Code:
copy c:\windows\system32\notepad.exe .\notepad.exe

the copy won't run (it silently does nothing).

I wonder if UUENCODE/UUDECODE would be a little friendlier. I'm surprised Windows 10's Ubuntu doesn't have them.
 
Hey @vefatica my bad.

I had the notepad.exe.mui file in the en-us sub-directory, which enables it to run from a different location.
Code:
e:\utils\en-us>dir

 Volume in drive E is New Volume   Serial number is 2c1e:6e61
 Directory of  E:\Utils\en-us\*

2020-12-30  15:58         <DIR>    .
2020-12-30  15:58         <DIR>    ..
2019-03-19   1:20          12,288  notepad.exe.mui

Joe
 
May 20, 2008
11,400
99
Syracuse, NY, USA
Yeah, I did that too. This one, with the b64 file really embedded in the BTM works.

Code:
cdd %tmp
del /q /e target.btm
del /q /e notepad.b64
del /q /e notepad.exe

:: Here, notepad.exe needs %TMP\en_US\notepad.exe.mui

:: Put the encoded file inside TEXT/ENDTEXT in target.btm
:: target.btm will redirect the text to notepad.b64
echo TEXT ^> notepad.b64 > target.btm
certutil -encode c:\windows\system32\notepad.exe notepad.b64 > NUL
copy /b target.btm+notepad.b64 > NUL
echo ENDTEXT >> target.btm

:: target.btm will decode notepad.b64 and run the resulting notepad.exe
TEXT >> target.btm
echo Hello!  I'm target.btm.  I will create .\notepad.exe and execute it.
pause
certutil -decode notepad.b64 notepad.exe > NUL
.\notepad.exe
ENDTEXT

call target.btm

cdd -
 
May 20, 2008
11,400
99
Syracuse, NY, USA
FYI, target.btm comes out looking like this (with the b64 stuff abbreviated).

Code:
z:\> head /n 4 target.btm & tail /n 6 target.btm
TEXT > notepad.b64
-----BEGIN CERTIFICATE-----
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v
-----END CERTIFICATE-----
ENDTEXT
echo Hello!  I'm target.btm.  I will create .\notepad.exe and execute it.
pause
certutil -decode notepad.b64 notepad.exe > NUL
.\notepad.exe
 
May 20, 2008
11,400
99
Syracuse, NY, USA
And (I just discovered this today) you can use TCC's built-in @B64ENCODE and @B64DECODE. But there's one caveat. @B64ENCODE does not put a newline (CRLF) at the end of the encoded file and ENDTEXT must be alone on a line. So when you have appended the encoded file to the target BTM, and it's time to add ENDTEXT, add a newline before it. Here's my EMBEDTEST.BTM again using those functions instead of CERTUTIL.

Code:
cdd %tmp
del /q /e target.btm
del /q /e notepad.b64
del /q /e notepad.exe

:: Put the encoded file inside TEXT/ENDTEXT in target.btm
:: target.btm will redirect the text to notepad.b64

echo TEXT ^> notepad.b64 > target.btm
if %@b64encode[c:\windows\system32\notepad.exe,notepad.b64] != 0 (echo @B64ENCODE failed & quit)
copy /b target.btm+notepad.b64 > NUL
echo ^r^nENDTEXT >> target.btm

:: target.btm will decode notepad.b64 and run the resulting notepad.exe

TEXT >> target.btm
echo Hello!  I'm target.btm.  I will create .\notepad.exe and execute it.
pause
if %@b64decode[notepad.b64,notepad.exe] != 0 (echo @B64DECODE failed & quit)
.\notepad.exe
ENDTEXT

call target.btm

cdd -
 
Last edited:
Nov 2, 2008
231
2
There is a proggie called wbzip.exe, which was around in the days of BartPE, which does exactly this. In essence, it stored the exe file as something like b64encode, into INI files. You could store matching 32 bit and 64 bit proggies and their related attachments in the same file.
 
Similar threads
Thread starter Title Forum Replies Date
p.f.moore Best way of embedding data in a BTM file Support 12
C COMSPEC constantly reset to TCC.EXE Support 6
C updater.exe not catching updates Support 10
L FTYPE in TCC, less quirky than in cmd.exe Support 3
vefatica IF ISAPP ... ".exe" or not? Support 13
L Using TCC.exe through an SSH connection Support 3
fpefpe bash.exe as a tab Support 0
vefatica Piping Cscript.exe to HEAD? Support 9
G Console exe up / down history Support 8
D Unnecessary environment dependencies of TCC.EXE Support 3
vefatica IDE.EXE's command line? Support 19
Joe Caverly PUSHD with UNC path in CMD.EXE Support 2
I how to make TCC default/replace cmd.exe? Support 9
David McClelland TCMD 24 & Perl - perl thinks it's own executable is ...\TCMD24\TCC.EXE??? Support 3
M Command line parsing differences between cmd.exe and TCC Support 6
Joe Caverly Works with CMD.EXE, no output with TCC.EXE Support 7
L WAD ECHO. expansion of non-existent env-vars differs from CMD.exe Support 6
Joe Caverly "Functions" in cmd.exe batch files Support 6
P Symantec Endpoint Protection trapped TCMD.EXE and said it contained WS.Reputation.1 (Virus?) Support 3
CWBillow Everything.exe - 64-bit? Support 8
C How to make list of drive contents when shutdown PC / Everything.exe Support 7
P Labels in batch files: TCC vs CMD.exe Support 9
D Custom ini-file is not read, by tcmd.exe cli Support 6
Joe Caverly CMD.EXE and filename(1).ext Support 3
Joe Caverly CMDebug and TCC.EXE Support 4
vefatica TPIPE.EXE crashes on Ctrl-C Support 9
thorntonpg TCC_RT_21\tcc.exe runs tcstart Support 4
B how to do in "start" command thing like in tcc.exe Support 1
w_krieger v.exe and everything.exe Support 5
E Fixed SHRALIAS doesn't work / SHRALIAS.EXE is missing in v20.11.35 Support 2
C everything.exe .vs. new installs Support 4
TT's Help! Uninstalling TCC did not restore cmd.exe as Win10 default batch file processor. Support 4
T tchelp.exe issues Support 2
vefatica OT: snippingtool.exe Support 14
Alpengreis I have a 0xc0000005 with tcmd.exe and ntdll.dll Support 6
cgunhouse Orphaned conhost.exe processes Support 8
redwdc TCC.exe opens to 11 characters x 3 rows Support 1
D Tab completion differences with cmd.exe Support 3
D WAD The /@ and // arguments to TCMD.EXE have no decernable effect. Support 11
D How to? How to access iPhone from tcmd.exe? Support 1
CWBillow The file tcc.exe is not marked for installation Support 4
T 64 bit TCCLE appears to crash when opening tcc.exe from within tcc.exe window Support 7
R How to? Launch and execute commands in tcmd.exe through MSBuild Script. Support 3
M Console-Mode (*.exe) works in TCC, not in TCMD Support 2
A Download of tcmd64.exe corrupted Support 2
R Difference in behavior of RMDIR vs. CMD.EXE? Support 5
C WAD TCC: (Sys) C:\Program Files\JPSoft\TCMD17\tcc.exe is not a valid Win32 application. Support 6
Joe Caverly How to? Run DOS .exe's the same way Wine does... Support 3
vefatica TCC and dllhost.exe (COM surrogate) Support 4
C 'start tcmd.exe' actually starts tcc.exe Support 7

Similar threads