
Embedding an .EXE (or other file) into a .BTM

Code:
     _x64: 1
   _admin: 1
_elevated: 1

TCC  27.00.18 x64   Windows 10 [Version 10.0.18363.1256]

I want to embed an .EXE (or other file) into a .BTM.

I remember doing this with .COM files back in the DOS days, and wondered if it could be done with an .EXE or other file.

I discovered that the certutil.exe utility can encode/decode a file. This is part of my Windows 10 Pro 64-bit OS.

After some searching for different techniques, I created a .BTM that encodes an .EXE and also creates a .BTM to decode the .EXE and then run it:
Code:
@setlocal
@echo off
set exefile=C:\WINDOWS\system32\notepad.exe
:: Does the exefile exist?
iff isfile %exefile then
  Gosub EncodeEXE
  Gosub MakeBatchHeader 
  :: Add the Encoded .EXE to the .BTM
  type %exeName.tmp >> %exeName.btm
  :: Don't need the Encode .EXE anymore
  del /q %exeName.tmp
  Gosub MakeBatchFooter

  *view %exeName.btm
else
  echo %exefile does not exist.
endiff
endlocal
quit

:EncodeEXE
set exeName=%@name[%exefile]
:: Could also use @b64encode function
certutil -encode -f "%exefile" %exeName.b64
Return

:MakeBatchHeader
echo Creating %exeName.btm
echo Depending on the size of %exeName.exe, this could take a while...
::
:: It took 51 seconds on my system
::
do kount in @%exeName.b64 (echo echo %kount >> %exeName.tmp)
if exist %exeName.b64 del /q %exeName.b64

type <<- endtext > %exeName.btm
@setlocal
@echo off

Gosub DecodeEXE

%exeName.exe

if exist %exeName.exe del /q %exeName.exe
endlocal
quit

:DecodeEXE
(
endtext
Return

:MakeBatchFooter
type <<- endtext >> %exeName.btm
)>%exeName.b64
:: Could also use @b64decode function
certutil -decode %exeName.b64 "%exeName.exe" > nul
if exist %exeName.b64 del /q %exeName.b64
Return
endtext
Return

I'm using notepad.exe as an example, as this is on everyone's system, but use an .EXE of your own choosing.

I will likely use this process for some .XLS files, but I thought that using an .EXE would be a better test for possible corruption.

The resulting notepad.btm works, but gives me an error:
Code:
TCC: E:\Utils\notepad.btm [3792]  Command loop

It also displays the decode text on the screen, which is not what I want.

To create the .EXE from the decode, I do:
Code:
(
echo -----BEGIN CERTIFICATE-----
echo TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
.
.
.
echo AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
echo -----END CERTIFICATE-----
)>notepad.b64

I've tried using the TEXT/ENDTEXT commands, and a "Here-Document" TYPE <<-, but this results in the encoded .EXE being corrupt, and not running. I don't think those TCC commands work well with binary data.

The notepad.exe is created, runs, and works as it should. I did
Code:
e:\utils>fc /b c:\windows\system32\notepad.exe notepad.exe
Comparing files C:\WINDOWS\SYSTEM32\notepad.exe and NOTEPAD.EXE
FC: no differences encountered
...which indicates no difference between the files.

Any assistance in getting the indicated problems fixed in my code would be appreciated.

Joe
 
How about making the EXE an alternate data stream (with/without encoding it first)?

Code:
copy myexe.exe mybtm.btm:exestream

I'm surprised you got a copy of notepad.exe to run. Here, if I

Code:
copy c:\windows\system32\notepad.exe .\notepad.exe

the copy won't run (it silently does nothing).

I wonder if UUENCODE/UUDECODE would be a little friendlier. I'm surprised Windows 10's Ubuntu doesn't have them.
 
Hey @vefatica my bad.

I had the notepad.exe.mui file in the en-us sub-directory, which enables it to run from a different location.
Code:
e:\utils\en-us>dir

 Volume in drive E is New Volume   Serial number is 2c1e:6e61
 Directory of  E:\Utils\en-us\*

2020-12-30  15:58         <DIR>    .
2020-12-30  15:58         <DIR>    ..
2019-03-19   1:20          12,288  notepad.exe.mui

Joe
 
Yeah, I did that too. This one, with the b64 file really embedded in the BTM, works.

Code:
cdd %tmp
del /q /e target.btm
del /q /e notepad.b64
del /q /e notepad.exe

:: Here, notepad.exe needs %TMP\en_US\notepad.exe.mui

:: Put the encoded file inside TEXT/ENDTEXT in target.btm
:: target.btm will redirect the text to notepad.b64
echo TEXT ^> notepad.b64 > target.btm
certutil -encode c:\windows\system32\notepad.exe notepad.b64 > NUL
copy /b target.btm+notepad.b64 > NUL
echo ENDTEXT >> target.btm

:: target.btm will decode notepad.b64 and run the resulting notepad.exe
TEXT >> target.btm
echo Hello!  I'm target.btm.  I will create .\notepad.exe and execute it.
pause
certutil -decode notepad.b64 notepad.exe > NUL
.\notepad.exe
ENDTEXT

call target.btm

cdd -
 
FYI, target.btm comes out looking like this (with the b64 stuff abbreviated).

Code:
z:\> head /n 4 target.btm & tail /n 6 target.btm
TEXT > notepad.b64
-----BEGIN CERTIFICATE-----
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5v
-----END CERTIFICATE-----
ENDTEXT
echo Hello!  I'm target.btm.  I will create .\notepad.exe and execute it.
pause
certutil -decode notepad.b64 notepad.exe > NUL
.\notepad.exe
 
And (I just discovered this today) you can use TCC's built-in @B64ENCODE and @B64DECODE. But there's one caveat. @B64ENCODE does not put a newline (CRLF) at the end of the encoded file and ENDTEXT must be alone on a line. So when you have appended the encoded file to the target BTM, and it's time to add ENDTEXT, add a newline before it. Here's my EMBEDTEST.BTM again using those functions instead of CERTUTIL.

Code:
cdd %tmp
del /q /e target.btm
del /q /e notepad.b64
del /q /e notepad.exe

:: Put the encoded file inside TEXT/ENDTEXT in target.btm
:: target.btm will redirect the text to notepad.b64

echo TEXT ^> notepad.b64 > target.btm
if %@b64encode[c:\windows\system32\notepad.exe,notepad.b64] != 0 (echo @B64ENCODE failed & quit)
copy /b target.btm+notepad.b64 > NUL
echo ^r^nENDTEXT >> target.btm

:: target.btm will decode notepad.b64 and run the resulting notepad.exe

TEXT >> target.btm
echo Hello!  I'm target.btm.  I will create .\notepad.exe and execute it.
pause
if %@b64decode[notepad.b64,notepad.exe] != 0 (echo @B64DECODE failed & quit)
.\notepad.exe
ENDTEXT

call target.btm

cdd -
 
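The same technique as the TEXT/ENDTEXT .BTM above, written as a POSIX shell script for the uuencode/WSL side of the discussion. This is an added example, not code from the thread or from TCC: make_self_extracting writes a script that carries a file base64-encoded inside a quoted here-document, wrapped in the same BEGIN/END CERTIFICATE armor that certutil -encode emits, and that generated script refuses to run the decoded file unless its SHA-256 matches the value recorded at embed time. It also handles the @B64ENCODE caveat generically (the terminator must be alone on a line, so a missing trailing newline is detected and added) and gives an extract-only path for the fc /b style byte-for-byte check. The function names and the demo payload are this example's own; it assumes base64, sha256sum and cmp from GNU coreutils or busybox.

```shell
#!/bin/sh
# Added example (not code from the thread): a POSIX-shell version of the
# TEXT/ENDTEXT trick above.  make_self_extracting writes a script that carries
# PAYLOAD base64-encoded inside a quoted here-document, wrapped in the same
# BEGIN/END CERTIFICATE armor certutil -encode emits, and that script refuses
# to run the decoded file unless its SHA-256 matches the value recorded here.
# Assumed tools: sha256sum, base64, cmp (GNU coreutils or busybox).
set -eu

# make_self_extracting PAYLOAD OUT [RUN_AS]
#   RUN_AS is the file name the decoded payload gets next to OUT when OUT
#   runs (notepad.exe in the thread); it defaults to PAYLOAD's basename.
make_self_extracting() {
    payload=$1; out=$2; run_as=${3:-$(basename "$payload")}
    sum=$(sha256sum "$payload" | cut -d' ' -f1)
    b64=$(mktemp)
    base64 "$payload" > "$b64"   # 76-column lines; certutil uses 64, both decode
    # The terminator has to be alone on its own line.  base64(1) ends its
    # output with a newline, but an encoder that does not (the @B64ENCODE
    # caveat above) would glue ENDTEXT onto the last data line, so check the
    # final byte and add a newline only when it is missing.
    [ -z "$(tail -c 1 "$b64")" ] || echo >> "$b64"
    {
        printf '#!/bin/sh\nset -eu\n'
        printf "EXPECTED_SHA256='%s'\nTARGET='%s'\n" "$sum" "$run_as"
        # Quoted terminator: nothing inside the block is expanded by sh.
        # No base64 line can equal ENDTEXT (7 characters is not a multiple
        # of 4) and armor lines start with '-', so the marker cannot collide.
        printf "cat > payload.b64 <<'ENDTEXT'\n"
        echo '-----BEGIN CERTIFICATE-----'
        cat "$b64"
        echo '-----END CERTIFICATE-----'
        echo 'ENDTEXT'
        cat <<'EOF'
# Strip the armor, decode, and verify before anything is executed.
grep -v '^-----' payload.b64 | base64 -d > "$TARGET"
rm -f payload.b64
echo "$EXPECTED_SHA256  $TARGET" | sha256sum -c - > /dev/null || {
    echo "payload hash mismatch, refusing to run $TARGET" >&2
    rm -f "$TARGET"
    exit 1
}
chmod u+x "$TARGET"
"./$TARGET"
EOF
    } > "$out"
    rm -f "$b64"
    chmod u+x "$out"
}

# extract_payload FILE DEST: pull the armored block out of a generated script,
# or out of a certutil -encode .b64 file (CRLF line endings are tolerated),
# and decode it to DEST without running anything.  This is the fc /b style
# check from the thread: afterwards, cmp ORIGINAL DEST.
extract_payload() {
    tr -d '\r' < "$1" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | grep -v '^-----' \
        | base64 -d > "$2"
}

# demo: build and run a throwaway example in a temporary directory.
demo() {
    work=$(mktemp -d)
    cd "$work"
    printf '#!/bin/sh\necho "hello from the embedded payload"\n' > hello.sh
    make_self_extracting hello.sh run_hello.sh hello_copy.sh
    ./run_hello.sh
    cmp hello.sh hello_copy.sh && echo "round trip: no differences encountered"
    cd - > /dev/null
}

# Usage: sh embed.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The hash check is the part the .BTM versions above lack: a base64 blob pasted into a script is trivially editable, and without it the script will happily decode and run whatever it finds between the armor lines. Recording the digest at embed time costs one line and turns a corrupted or tampered payload into a refusal instead of an execution.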
Hey @vefatica thanks!

I had tried to use @b64encode/@b64decode in my OP, but could not get it working, so I just left it as a comment in the source, and used certutil.exe instead.

No need now for the external utility.

Thanks for figuring out how to get that working. I will add that info to my personal TCMD Help File.

Joe
 
There is a proggie called wbzip.exe, which was around in the days of BartPE, that does exactly this. In essence, it stored the exe file, as something like b64encode, in INI files. You could store matching 32-bit and 64-bit proggies and their related attachments in the same file.
 
