Operators and quote precedence in obfuscated cmd

混江龙づ霸主 submitted on 2019-12-08 04:17:55

Question


I'm having trouble understanding how this will evaluate. It comes from a piece of malware I'm dissecting, so beware.

I've removed the ASCII gibberish and the integers in the for loop, which is likely to have the malicious instructions. So it should be fine; I can provide it if need be.

If I strip down the code the most my basic understanding allows, it is trying to pass this:

cmd.exe /c CmD /V/C"set foo=ASCIIgibberish bazz=moreASCIIgibberish&&for %f in (BunchOfIntegers)do set bar=!bar!!foo:~%f,1!&&if %f == 88 powershell.exe "!bar:~6!""

To:

Interaction.Shell(`here`,0)

So, I am not sure how cmd and powershell would resolve the quotes or variable names since I'm not really familiarized with powershell and cmd precedence.

What I would like to know is:

Would cmd interpret the ! as a logical not?

If so, how does cmd or powershell evaluate the negation of a literal value? I want to assume it sees the ASCII value and logically negates it (0001 becomes 1110), but I'm not sure.

Am I correct in assuming that this is just an obfuscated way of saying powershell.exe barSubstringStartingAt6? Because as I see it, bar is only being assigned character 88 from foo, which is 79 chars long, so it is not possible to know what would be at bar[6].

Are they just trying to send an overflowed address to powershell?


Answer 1:


As kindly explained by @MC ND and @lit, !var! is not a logical operator but rather shorthand for delayed expansion syntax. Therefore the statement is just rearranging characters within the variable by using the int within the for loop as an index.
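
As an added example (not part of the original post or its answer), here is a static decoder in Python for the loop shape quoted in the question, so an analyst can recover the string handed to powershell.exe without running the sample. The command line, alphabet and index list below are constructed and benign; `decode`, `cmd_substr` and the `seed` parameter are names assumed here, and `seed` stands for whatever the accumulator holds before the first append.

```python
import re

# Shape of the one-liner quoted in the question; variable names are captured, not fixed.
PATTERN = re.compile(
    r'set\s+(?P<src>\w+)=(?P<alphabet>.*?)&&\s*for\s+%(?P<loop>\w)\s+in\s*'
    r'\((?P<idx>[^)]*)\)\s*do\s+set\s+(?P<acc>\w+)=!(?P=acc)!!(?P=src):~%(?P=loop),1!'
    r'&&\s*if\s+%(?P=loop)\s*==\s*(?P<stop>-?\d+)\s+(?P<prog>\S+)\s+'
    r'"!(?P=acc):~(?P<off>-?\d+)!"',
    re.IGNORECASE | re.DOTALL,
)

def cmd_substr(value, offset, length=None):
    """Emulate !var:~offset,length!; negative numbers count from the end."""
    start = offset if offset >= 0 else max(len(value) + offset, 0)
    rest = value[start:]  # an offset past the end yields "" in this emulation
    return rest if length is None else rest[:length]

def decode(cmdline, seed=""):
    """Return (program, argument) the loop would launch, or (program, None)."""
    m = PATTERN.search(cmdline)
    if m is None:
        raise ValueError("not the index-loop pattern")
    acc, stop = seed, int(m["stop"])
    for i in map(int, re.findall(r"-?\d+", m["idx"])):
        acc += cmd_substr(m["alphabet"], i, 1)  # set bar=!bar!!foo:~%f,1!
        if i == stop:                           # if %f == 88 <program> "!bar:~6!"
            return m["prog"], cmd_substr(acc, int(m["off"]))
    return m["prog"], None                      # sentinel absent: nothing launched

# Constructed, benign sample. "set" assigns everything up to "&&" to foo,
# including the "b=x9" part. The first six indexes pick padding characters
# that ~6 then skips; 88 is past the end of foo and only triggers the "if".
SAMPLE = (r'cmd.exe /c CmD /V/C"set foo=kz ohce b=x9&&for %f in '
          r'(1 10 11 1 8 1 6 5 4 3 2 3 0 88)do set bar=!bar!!foo:~%f,1!'
          r'&&if %f == 88 powershell.exe "!bar:~6!""')

if __name__ == "__main__":
    print(decode(SAMPLE))
```
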



Source: https://stackoverflow.com/questions/53748995/operators-and-quote-precedence-in-obfuscated-cmd
