[英]How can i read the contents of a powershell script running in the background?
I get this line by ProcessExplorer 我通过ProcessExplorer得到这行
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));
C:\\ Windows \\ System32 \\ WindowsPowerShell \\ v1.0 \\ powershell.exe“ -noprofile -windowstyle隐藏-executionpolicy绕过iex([Text.Encoding] :: ASCII.GetString([Convert] :: FromBase64String((gp'HKCU: \\ Software \\ Classes \\ ZXWNMNLIMAGAL')。LOOTDA)));
It looks suspicious or normal ? 看起来可疑还是正常? Is that mean that the script is saved in registry and not in a file ?
这是否意味着脚本保存在注册表中而不是文件中? how to read then ?
怎么看呢?
Edit : Now i'm sure that can be an encoded virus when i read this on the registry : 编辑:现在,当我在注册表上阅读此文件时,我确定它可以是编码的病毒:
Google Update REG_SZ
Google更新REG_SZ
"C:\\Users\\michael\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c {BE9473EA-5660-4BF7-91C3-2A2258213EE1} REG_SZ C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));“ C:\\ Users \\ michael \\ AppData \\ Local \\ Google \\ Update \\ GoogleUpdate.exe” / c {BE9473EA-5660-4BF7-91C3-2A2258213EE1} REG_SZ C:\\ Windows \\ system32 \\ WindowsPowerShell \\ v1.0 \\ powershell.exe -noprofile -windowstyle隐藏的-executionpolicy绕过iex([Text.Encoding] :: ASCII.GetString([Convert] :: FromBase64String((gp'HKCU:\\ Software \\ Classes \\ ZXWNMNLIMAGAL')。LOOTDA)));
Edit on 29/03/2016 @ 15:55 编辑于29/03/2016 @ 15:55
If anybody want to continue this discussion i asked it here to decode this virus : 如果有人想继续进行讨论,我在这里要求它对这种病毒进行解码:
How can i read the source code of this encoded powershell script from the registry? 如何从注册表中读取此编码的Powershell脚本的源代码?
C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));
C:\\ Windows \\ System32 \\ WindowsPowerShell \\ v1.0 \\ powershell.exe“ -noprofile -windowstyle隐藏-executionpolicy绕过iex([Text.Encoding] :: ASCII.GetString([Convert] :: FromBase64String((gp'HKCU: \\ Software \\ Classes \\ ZXWNMNLIMAGAL')。LOOTDA)));
This code means that PowerShell will execute with no window and bypassing ExecutionPolicy restrictions a command from registry key HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL
(base64-encoded). 此代码意味着PowerShell将在没有窗口的情况下执行,并绕过ExecutionPolicy限制,该命令来自注册表项
HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL
(base64编码)。
Looks like a virus to me. 在我看来像是病毒。
You can identify the command if you execute this code in the PowerShell console: 如果在PowerShell控制台中执行以下代码,则可以标识命令:
([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ZXWNMNLIMAGAL').LOOTDA)))
This will show you what is intended to execute. 这将向您显示打算执行什么。
I got the same. 我也一样 i'm not sure, but it would be a hidden script runs in powershell.
我不确定,但这将是在Powershell中运行的隐藏脚本。 the script may be a phishing one.
该脚本可能是网络钓鱼。 i think mine send emails to my outlook contacts.
我认为我的电子邮件发送给我的Outlook联系人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.