Vector35 / binaryninja-api

Public API, examples, documentation and issues for Binary Ninja
https://binary.ninja/
MIT License

[nitpick] Stop running cmd /ver on start #4414

Closed reversing-dev closed 1 year ago

reversing-dev commented 1 year ago

Version and Platform (required):

Bug Description: Binja runs C:\WINDOWS\system32\cmd.exe /c "ver" when binaryninja.exe is started.

Steps To Reproduce:
1. Use procmon or something to look at all the process starts.
2. Run binaryninja.exe.

Expected Behavior: Don't run cmd.exe?

Screenshots:

Additional Information: Okay, this is a nitpick, but nobody wants to see random cmd.exe running on the box.

psifertex commented 1 year ago

I can't find any references to this in the source at all. Are you sure there isn't a plugin doing this?

Just took a look through Qt as well in case it was in there and didn't see it. Possibly in some dependency? Does procmon give you the ability to tell what API call created the cmd.exe process so you could use a debugger and break on it and figure out what's in the call stack? I don't have a Windows VM handy unfortunately right now to check myself.

reversing-dev commented 1 year ago

Seems to be from Python. This is a fresh install, I didn't add any new plugins.

ModLoad: 000001eb`bb6c0000 000001eb`bb6cf000   C:\binja\plugins\python\python3.DLL
ModLoad: 000001eb`bb6c0000 000001eb`bb6cf000   C:\binja\plugins\python\python3.DLL
ModLoad: 00007ffd`34d60000 00007ffd`34d7f000   C:\binja\plugins\python\_ctypes.pyd
ModLoad: 00007ffd`35080000 00007ffd`3508b000   C:\binja\plugins\python\libffi-7.dll
ModLoad: 00007ffd`34ca0000 00007ffd`34cb5000   C:\binja\plugins\python\_socket.pyd
ModLoad: 00007ffd`32910000 00007ffd`32919000   C:\binja\plugins\python\select.pyd
Breakpoint 0 hit
KERNELBASE!CreateProcessW:
00007ffd`4b5bfe80 4c8bdc          mov     r11,rsp

0:000> k
 # Child-SP          RetAddr               Call Site
00 00000065`407b8c08 00007ffd`4c7864f4     KERNELBASE!CreateProcessW
01 00000065`407b8c10 00007ffc`f03da2c3     KERNEL32!CreateProcessWStub+0x54
02 00000065`407b8c70 00007ffc`f03da0fd     python310!PyInterpreterState_GetConfigCopy+0x383
03 00000065`407b8d90 00007ffc`f02feddf     python310!PyInterpreterState_GetConfigCopy+0x1bd
04 00000065`407b8e50 00007ffc`f02fc8c5     python310!PyEval_EvalFrameDefault+0x347f
05 00000065`407b91a0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0xf65
06 00000065`407b94f0 00007ffc`f02f552e     python310!PyFunction_Vectorcall+0x87
07 00000065`407b9540 00007ffc`f02f6054     python310!PyType_GenericNew+0x6ca
08 00000065`407b9610 00007ffc`f0329307     python310!PyType_GenericNew+0x11f0
09 00000065`407b9640 00007ffc`f030122d     python310!PyObject_Call+0x1bf
0a 00000065`407b96a0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x58cd
0b 00000065`407b99f0 00007ffc`f0329410     python310!PyFunction_Vectorcall+0x87
0c 00000065`407b9a40 00007ffc`f032928b     python310!PyVectorcall_Call+0xb8
0d 00000065`407b9aa0 00007ffc`f030122d     python310!PyObject_Call+0x143
0e 00000065`407b9b00 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x58cd
0f 00000065`407b9e50 00007ffc`f0301b71     python310!PyFunction_Vectorcall+0x87
10 00000065`407b9ea0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x6211
11 00000065`407ba1f0 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
12 00000065`407ba240 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
13 00000065`407ba590 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
14 00000065`407ba5e0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
15 00000065`407ba930 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
16 00000065`407ba980 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
17 00000065`407bacd0 00007ffc`f02fd4e8     python310!PyFunction_Vectorcall+0x87
18 00000065`407bad20 00007ffc`f02abb09     python310!PyEval_EvalFrameDefault+0x1b88
19 00000065`407bb070 00007ffc`f03105b6     python310!PyObject_FastCallDictTstate+0x15d
1a 00000065`407bb0b0 00007ffc`f031043f     python310!PyEval_EvalCode+0x82
1b 00000065`407bb130 00007ffc`f031033f     python310!PyNumber_Negative+0x45f
1c 00000065`407bb180 00007ffc`f02f09d7     python310!PyNumber_Negative+0x35f
1d 00000065`407bb1b0 00007ffc`f03293b4     python310!Py_HashPointer+0x1257
1e 00000065`407bb200 00007ffc`f0329197     python310!PyVectorcall_Call+0x5c
1f 00000065`407bb260 00007ffc`f03292cf     python310!PyObject_Call+0x4f
20 00000065`407bb290 00007ffc`f030122d     python310!PyObject_Call+0x187
21 00000065`407bb2f0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x58cd
22 00000065`407bb640 00007ffc`f02fd4e8     python310!PyFunction_Vectorcall+0x87
23 00000065`407bb690 00007ffc`f02fc8c5     python310!PyEval_EvalFrameDefault+0x1b88
24 00000065`407bb9e0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0xf65
25 00000065`407bbd30 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
26 00000065`407bbd80 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
27 00000065`407bc0d0 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
28 00000065`407bc120 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
29 00000065`407bc470 00007ffc`f02e4769     python310!PyFunction_Vectorcall+0x87
2a 00000065`407bc4c0 00007ffc`f0310c23     python310!PyObject_CallFunction+0xa25
2b 00000065`407bc510 00007ffc`f0310b5c     python310!PyObject_CallMethodIdObjArgs+0x137
2c 00000065`407bc5a0 00007ffc`f031085d     python310!PyObject_CallMethodIdObjArgs+0x70
2d 00000065`407bc5f0 00007ffc`f031bf99     python310!PyObject_CallFunctionObjArgs+0x11d
2e 00000065`407bc660 00007ffc`f03d011e     python310!PyImport_ImportModuleLevelObject+0x369
2f 00000065`407bc700 00007ffc`f0303957     python310!PySys_GetSizeOf+0x666
30 00000065`407bc7a0 00007ffc`f02abb09     python310!PyEval_EvalFrameDefault+0x7ff7
31 00000065`407bcaf0 00007ffc`f03105b6     python310!PyObject_FastCallDictTstate+0x15d
32 00000065`407bcb30 00007ffc`f031043f     python310!PyEval_EvalCode+0x82
33 00000065`407bcbb0 00007ffc`f031033f     python310!PyNumber_Negative+0x45f
34 00000065`407bcc00 00007ffc`f02f09d7     python310!PyNumber_Negative+0x35f
35 00000065`407bcc30 00007ffc`f03293b4     python310!Py_HashPointer+0x1257
36 00000065`407bcc80 00007ffc`f0329197     python310!PyVectorcall_Call+0x5c
37 00000065`407bcce0 00007ffc`f03292cf     python310!PyObject_Call+0x4f
38 00000065`407bcd10 00007ffc`f030122d     python310!PyObject_Call+0x187
39 00000065`407bcd70 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x58cd
3a 00000065`407bd0c0 00007ffc`f02fd4e8     python310!PyFunction_Vectorcall+0x87
3b 00000065`407bd110 00007ffc`f02fc8c5     python310!PyEval_EvalFrameDefault+0x1b88
3c 00000065`407bd460 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0xf65
3d 00000065`407bd7b0 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
3e 00000065`407bd800 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
3f 00000065`407bdb50 00007ffc`f02fc067     python310!PyFunction_Vectorcall+0x87
40 00000065`407bdba0 00007ffc`f02faa97     python310!PyEval_EvalFrameDefault+0x707
41 00000065`407bdef0 00007ffc`f02e4769     python310!PyFunction_Vectorcall+0x87
42 00000065`407bdf40 00007ffc`f0310c23     python310!PyObject_CallFunction+0xa25
43 00000065`407bdf90 00007ffc`f0310b5c     python310!PyObject_CallMethodIdObjArgs+0x137
44 00000065`407be020 00007ffc`f031085d     python310!PyObject_CallMethodIdObjArgs+0x70
45 00000065`407be070 00007ffc`f031bf99     python310!PyObject_CallFunctionObjArgs+0x11d
46 00000065`407be0e0 00007ffc`f031a77d     python310!PyImport_ImportModuleLevelObject+0x369
47 00000065`407be180 00007ffc`f031c24a     python310!PyMapping_Size+0x281
48 00000065`407be200 00007ffc`f02e4877     python310!PyObject_IsTrue+0xd2
49 00000065`407be230 00007ffc`f02e3dda     python310!PyObject_CallFunction+0xb33
4a 00000065`407be280 00007ffc`f02e3bda     python310!PyObject_CallFunction+0x96
4b 00000065`407be320 00007ffc`f030d5cf     python310!PyImport_Import+0x15e
4c 00000065`407be390 00007ffd`35094f6b     python310!PyImport_ImportModule+0x1f
4d 00000065`407be3c0 00007ffc`bedf959a     pythonplugin!CorePluginInit+0x120b
4e 00000065`407be960 00007ffc`bee07cdf     binaryninjacore!BNDumpString+0x5ca
4f 00000065`407beb00 00007ffc`bee07c0a     binaryninjacore!BNInitUserPlugins+0x7f
50 00000065`407beb60 00007ff6`1c988196     binaryninjacore!BNInitPlugins+0x3a
51 00000065`407beb90 00007ff6`1cbae2a8     binaryninja+0x48196
52 00000065`407bf7a0 00007ffd`4c7826ad     binaryninja+0x26e2a8
53 00000065`407bf7e0 00007ffd`4e08a9f8     KERNEL32!BaseThreadInitThunk+0x1d
54 00000065`407bf810 00000000`00000000     ntdll!RtlUserThreadStart+0x28

0:000> r
rax=0000000000000001 rbx=000001ebbd446cd0 rcx=0000000000000000
rdx=000001ebbd4e6150 rsi=0000000000000000 rdi=000001ebb90fc990
rip=00007ffd4b5bfe80 rsp=00000065407b8c08 rbp=00000065407b8d59
 r8=0000000000000000  r9=0000000000000000 r10=000001ebbd446cd0
r11=00000065407b8c68 r12=0000000000000000 r13=0000000000000000
r14=000001ebbd4e6150 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
KERNELBASE!CreateProcessW:
00007ffd`4b5bfe80 4c8bdc          mov     r11,rsp

0:000> du @rdx
000001eb`bd4e6150  "C:\WINDOWS\system32\cmd.exe /c ""
000001eb`bd4e6190  "ver""

CouleeApps commented 1 year ago

Try running with plugins disabled anyway? i.e. binaryninja.exe -p

reversing-dev commented 1 year ago

Same behavior. It's likely the default Python interpreter that is shipped with binja. (I don't have a separate Python installed.)

negasora commented 1 year ago

The only place I see this being called from is https://github.com/python/cpython/blob/74c2422fa2d7e17969a7554a3bf17f91e4e5a85f/Lib/test/pythoninfo.py#L813 but we don't reach into that code

CouleeApps commented 1 year ago

Can confirm this happens on Windows 11, although my box doesn't pop a cmd.exe window so I'm not sure why yours does.

reversing-dev commented 1 year ago

It doesn't show any window. I have a custom EDR sort of thing, which triggered on this. I think running cmd.exe is an issue (whether the user sees it or not is a different issue, IMO).

CouleeApps commented 1 year ago

I'm guessing that cpython is the source of this, and I'm not sure this is really an issue nor a bug on our part at this point. I would expect other cpython programs on your machine to do similar though, so I don't think there is much we can/should do.

CouleeApps commented 1 year ago

Specifically, this bit for getting platform.version(): https://github.com/python/cpython/blob/d50930a6a846280b5da299f9c2f9a01669dbf06c/Lib/platform.py#L261

CouleeApps commented 1 year ago
>>> platform.win32_ver()
** windbg breakpoint procs**
('10', '10.0.22000', '', 'Multiprocessor Free')

Yeah, this is cpython being cpython. We're not about to stop using platform.version(), so I'm just closing this.
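The thread's takeaway for anyone tuning the EDR that fired here: the child process is exactly `cmd.exe /c "ver"` (CPython's platform.win32_ver() running `ver` through subprocess with shell=True), and its parent is a process that embeds CPython. The triage logic below is an added example, not code from Binary Ninja or CPython; the events, the allowlist of Python-hosting parents and the verdict strings are all constructed assumptions for this illustration.

```python
import re

# Constructed process-creation events in the shape an EDR or Sysmon event 1
# would record: (ParentImage, Image, CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    ("C:\\binja\\binaryninja.exe", "C:\\WINDOWS\\system32\\cmd.exe",
     'C:\\WINDOWS\\system32\\cmd.exe /c "ver"'),          # what the debugger showed
    ("C:\\Python310\\python.exe", "C:\\WINDOWS\\system32\\cmd.exe",
     "cmd /c ver"),                                       # same probe, unquoted form
    ("C:\\binja\\binaryninja.exe", "C:\\WINDOWS\\system32\\cmd.exe",
     'cmd.exe /c "ver & whoami"'),                        # extra command: not the probe
    ("C:\\Users\\u\\Downloads\\doc.exe", "C:\\WINDOWS\\system32\\cmd.exe",
     'cmd.exe /c "ver"'),                                 # probe from an unknown parent
]

# Assumed allowlist of parents known to embed CPython and therefore to call
# platform.win32_ver() at startup; extend per environment.
PYTHON_HOSTS = {"binaryninja.exe", "python.exe"}

# cmd.exe (with or without a path) running the single command "ver", with or
# without the quotes subprocess adds for shell=True. Anything else after /c
# (a second command, a redirect, an argument) deliberately does not match.
VER_PROBE = re.compile(r'^(?:[^\s"]*\\)?cmd(?:\.exe)?\s+/c\s+"?ver"?\s*$', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent_image: str, image: str, command_line: str) -> str:
    """Return a verdict string for one process-creation event."""
    if _basename(image) != "cmd.exe":
        return "not-cmd"
    if VER_PROBE.match(command_line):
        if _basename(parent_image) in PYTHON_HOSTS:
            return "benign:cpython-win32_ver-probe"
        return "review:ver-probe-from-unexpected-parent"
    return "review:cmd-spawn"


def triage(events):
    """Classify a batch of (parent, image, cmdline) tuples in order."""
    return [classify(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:45} {_basename(event[0])} -> {event[2]}")
```

Only the exact one-command form is suppressed; a `ver` followed by anything else, or the same probe from a parent not known to host CPython, stays in the review queue.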