"When there are little demons running around with .bat crypters, you get an exorcism."
Exorcism is a runtime Windows batch deobfuscator/debugger that uses DLL injection and function hooking to pause, edit, skip, and log batch commands as they are processed by cmd.exe.
Warning
π¨ DEBUGGING IS NOT A SANDBOX! π¨
This tool can pause and skip commands at its current hook point, but the target cmd.exe and any analyzed batch file still run on your system. DO NOT use this tool on untrusted or malicious batch files unless you are in a completely isolated environment (sandboxed VM, air-gapped system, etc.).
Use at your own risk. This tool is intended for security research, malware analysis, and educational purposes only.
Exorcism hooks into the Windows Command Processor (cmd.exe) at runtime to intercept and log batch commands before they are executed. Unlike static analysis tools that can be fooled by obfuscation techniques, Exorcism captures the actual commands as they are processed by the Windows command interpreter.
- Runtime Analysis: Captures commands as they are actually processed, bypassing most obfuscation techniques
- Interactive Debugging: Pause before execution, continue, skip, edit, or auto-handle repeated commands
- DLL Injection: Uses the Rust
detourcrate for reliable function hooking - Real-time Monitoring: Live command logging with JSON output format
- Safe Memory Access: Robust pointer validation and memory safety checks
- Cross-Architecture: Supports both x86 and x64 processes
The tool consists of two main components:
- Hook DLL (
cmdtest.dll): A Rust DLL that hooks theFindFixAndRunfunction incmd.exe - Python Controller (
main.py): A Python script that handles DLL injection and log monitoring
- The Python controller launches a new
cmd.exeprocess - The hook DLL is injected into the
cmd.exeprocess using DLL injection - The DLL hooks the internal
FindFixAndRunfunction using the Rustdetourcrate - Every command reaches a Python-controlled breakpoint before execution
- The Python monitor lets you continue, skip, edit, or auto-handle repeated commands
- Decisions and command activity are logged to
cmd_hook.json
- Windows 10/11 (x64)
- Rust stable toolchain
- Python 3.7 or higher
- Administrator privileges (required for DLL injection)
git clone https://github.com/YourUsername/Exorcism.git
cd Exorcism- Build and stage the Rust hook DLL:
build_cmdtest.bat
- The staged DLL will be located at
bin\cmdtest.dll, whichmain.pyuses as its default hook DLL path.
pip install -r requirements.txt-
Run as Administrator (required for DLL injection):
# Open Command Prompt as Administrator python main.py -
Enter the DLL path when prompted:
Enter the full path to the hook DLL [C:\path\to\Exorcism\bin\cmdtest.dll]: -
Execute your batch file in the monitored cmd.exe window that appears
-
Choose a debugger action when each command breaks:
c: continue onces: skip oncee: edit the command line before it runsa: always continue that exact commandk: always skip that exact commandi: continue now and silently continue future repeats
echo Hello World
set VAR=secret_value
if exist file.txt del file.txt
clsThe tool logs commands in JSON format to cmd_hook.json:
[
{
"event_type": "hook_status",
"message": "FindFixAndRun hook initialized successfully"
},
{
"arguments": " Hello World",
"break_id": 1,
"command": "echo",
"command_type": 0,
"event_type": "debug_break",
"message": "Paused before command execution"
},
{
"arguments": " Hello World",
"break_id": 1,
"command": "echo",
"event_type": "debug_decision",
"message": "continue"
},
{
"arguments": " Hello World",
"command": "echo",
"command_type": 0,
"event_type": "command_execution"
},
{
"arguments": " VAR=secret_value",
"command": "set",
"command_type": 0,
"event_type": "command_execution"
},
{
"command": "cls",
"command_type": 0,
"event_type": "command_execution"
},
{
"event_type": "hook_status",
"message": "FindFixAndRun hook being removed"
}
]main.py resolves the FindFixAndRun RVA from the matching cmd.exe public symbols before launching the monitored shell, then passes it to the hook DLL through EXORCISM_FIND_FIX_AND_RUN_RVA. The matching PDB is cached locally under .symbols/.
The hook DLL also keeps a fallback RVA:
const DEFAULT_FIND_FIX_AND_RUN_RVA: usize = 0x116B0;Note: This RVA is specific to certain versions of cmd.exe. If the hook fails, you may need to:
- Check that symbol resolution logged a current
FindFixAndRunRVA whenmain.pystarted. - Use a debugger (x64dbg, IDA Pro) to find the current RVA for
FindFixAndRunif symbols are unavailable. - Set
EXORCISM_FIND_FIX_AND_RUN_RVA=0x...before runningmain.py, or update the fallback incmdtest/src/lib.rsand rebuild withbuild_cmdtest.bat.
The Python script automatically:
- Cleans up previous log files
- Cleans up previous debugger response files in
.exorcism_debug/ - Launches
cmd.exewith DLL injection - Monitors the JSON log file in real-time
- Writes debugger decisions back to the hook DLL
- Provides a rich terminal interface
- Always use in isolated environments when analyzing malicious samples
- Consider using a dedicated analysis VM that can be easily restored
- Monitor network connections and file system changes alongside command logging
- Be aware that some advanced malware may detect the hook and alter behavior
- The current implementation uses hardcoded RVAs which may break with Windows updates
- Consider implementing IAT (Import Address Table) hooking for better compatibility
- Add additional validation for command arguments and redirections
- Implement process monitoring for child processes spawned by batch files
Contributions are welcome! Areas for improvement:
- Better Compatibility: Implement function name-based hooking instead of RVA (IAT (you can probably just rip it from clink src))
- Enhanced Logging: Add support for environment variable expansion logging
- Process Monitoring: Track child processes spawned by batch files
- Network Monitoring: Integration with network activity monitoring
- GUI Interface: Develop a graphical user interface for easier usage
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
- The Rust
detourcrate for function hooking capabilities - Windows XP source code leak for cmd.exe internal structure insights
- The security research community for inspiration and guidance
This tool is intended for:
- Security research
- Malware analysis in controlled environments
- Educational purposes
- Legitimate batch file debugging
Users are solely responsible for compliance with applicable laws and regulations. The authors assume no liability for misuse of this software.
Remember: The batch file WILL execute! Use appropriate safety measures!