Question
I've made a simple program in Visual Basic, then gave it a JPG extension and set it up to be run from a shortcut with the command line cmd.exe /c my_program.jpg, according to this and this guides.
Everything is fine so far, but I'd like to run my program from an image without command prompt opening.
I know that such a thing is possible, because I can run programs from PDF, RTF or Word documents because most PDF files have JS API features, and Microsoft Office documents have VBA and macro support. Maybe some steganography thingamajig can do the trick?
Answer 1:
This is hard to believe, but it's actually true. My investigation (with Rohitab API Monitor) shows that upon finding the file, cmd.exe first invokes CreateProcessW - and only if that fails (in this case, with error 193 == ERROR_BAD_EXE_FORMAT), tries ShellExecuteW.
This behavior is actually documented in KB811528 - Command Prompt (Cmd.exe) Runs Files That Do Not Have Executable File Name Extensions. Sure, the article mentions in passing that this can lead to execution of viruses (as if it's nothing special).
This doesn't apply to Windows Explorer/shell32 dialogs/most other programs that open files - since they invoke ShellExecute right away. But this does generally apply to programs that execute command lines with system or CreateProcess! (Do you remember processes like setup.tmp during InstallShield-based installations? They are examples.)
Not all programs that run arbitrary commands are affected. E.g. Total Commander is not: it calls ShellExecute even for command lines.
Now, regarding your specific question. The 2nd guide actually showcases an exploit (assuming it's not just a scam) - the author specially crafts the image to exploit some vulnerability in Windows Photo Gallery (that probably has been patched by now) to make it execute the contained code. This isn't supposed to be normally possible.
So, you have two options:
- Launch your program through another program (with shortcut or otherwise), but replace cmd with something that doesn't create a console window. wscript comes to mind.
- Use some "intelligent" image format that's supposed to contain executable code. I'm not aware of any image ones - after all, images are supposed to contain pictures, not code!
  - There are, of course, more than a few compound/"intelligent" formats (of which you named a few). Yet, they tend to impose strict limitations on when code inside them can be invoked and what it is allowed to do. I'll have you know that these limitations were introduced specifically as a response to others doing what you're trying to do.
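A defender-side check for the behaviour described in the answer above, added here as an example that is not part of the original answer: because CreateProcess-based launchers run a file regardless of its extension, this scan flags files whose content has a PE header but whose name does not have an executable extension. It assumes the disguised program is a PE file; the function names and the extension list are illustrative choices.

```python
import os
import struct

# Assumption: extensions treated as legitimately executable; adjust for your environment.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".cpl", ".ocx"}

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_disguised_executables(root: str, max_header: int = 4096) -> list[str]:
    """Return files under root that carry a PE header but a non-executable extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS:
                continue  # a PE header is expected here
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_header)
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if looks_like_pe(head):
                hits.append(path)
    return sorted(hits)

def make_sample_pe_header() -> bytes:
    """Constructed sample: a 64-byte DOS header plus the PE signature (not a runnable program)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> byte 0x40
    return bytes(dos) + b"PE\0\0"

if __name__ == "__main__":
    import sys
    for hit in find_disguised_executables(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it with a directory path as the only argument; each printed path is a file that cmd.exe /c would start as a program despite its extension.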
Answer 2:
I have trouble believing that, given what you said.
CMD will execute any image file (that's a program file like an exe - nothing to do with pictures at all) that has a recognised executable extension or has an unknown extension. jpg files are known as a document type file, so they are opened as a document by Windows Photo Gallery. Explorer won't execute an unknown extension. Both CMD and Explorer use Explorer's file extensions database to work out how to open document files.
So you need to explain why it works on your computer when it won't work on a standard configured Windows computer.
Source: https://stackoverflow.com/questions/31855240/execute-exe-as-jpg