Is this a keylogger? What does it do?

Question | Votes: 0 | Answers: 1

While using the Windows 10 Task Manager I noticed a running powershell.exe that constantly consumes 8% CPU and holds 64 MB of RAM. After checking my Windows event log I found a Pipeline event (800) containing the following code:

Add-Type -AssemblyName System.Core
function Run-Server() {
  param([string]$h);
  $b = New-Object byte[] 8;
  $p = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h);
  if ($p) {
    $l = $p.Read($b, 0, 8); while ($l -gt 7) {
      $c = [System.BitConverter]::ToInt32($b, 0); $l = [System.BitConverter]::ToInt32($b, 4);
      $t = $null; if ($l -gt 0) {
        $t1 = New-Object byte[] $l;
        $l = $p.Read($t1, 0, $t1.Length);
        $t = [System.Text.Encoding]::UTF8.GetString($t1, 0, $l) }
      if ($c -eq 1) { Invoke-Expression $t } elseif ($c -eq 9) { break } $l = $p.Read($b, 0, 8) }
    $p.Dispose()
  }
} Run-Server -h 728

I work in a corporate environment, and I'm not a PowerShell expert, but it looks like the script captures data byte by byte and builds a string from it? Do you know what this script could be used for? Do you think it would cause the 8% CPU and 64 MB RAM usage mentioned above?

powershell security
1 Answer
2 votes

I formatted the code, renamed the variables and added some comments to make it easier to understand:

Add-Type -AssemblyName System.Core

function Run-Server() {

    param(
        [string]$h
    );

    $buffer = New-Object byte[] 8;

    # Creates an anonymous pipe client (read end) from the handle passed in $h
    $pipe = New-Object System.IO.Pipes.AnonymousPipeClientStream -ArgumentList @([System.IO.Pipes.PipeDirection]::In, $h);

    if ($pipe) {

        # Read up to 8 bytes from the pipe
        $readBytes = $pipe.Read($buffer, 0, 8); #(byte[] buffer, int offset, int count);

        # if it managed to read 8 bytes
        while ($readBytes -gt 7) {

            # Seems the sender is sending some kind of 'command' or instruction.
            # If command is '1' means execute the rest as a script
            # If command is '9' means terminate
            $command = [System.BitConverter]::ToInt32($buffer, 0);

            # Seems that in position 4 it sends how big the text will be
            $textSize = [System.BitConverter]::ToInt32($buffer, 4); # ToInt32 (byte[] value, int startIndex);

            # based on the $textSize, read the full message and convert it to string ($text)
            # (the original checks the size here, not the number of header bytes read)
            $text = $null;
            if ($textSize -gt 0) {
                $text1 = New-Object byte[] $textSize;
                $readBytes = $pipe.Read($text1, 0, $text1.Length);
                $text = [System.Text.Encoding]::UTF8.GetString($text1, 0, $readBytes)
            }

            if ($command -eq 1) {
                # Scary! execute the text string that came from the pipe
                Invoke-Expression $text
            }
            elseif ($command -eq 9) {
                break
            }
            $readBytes = $pipe.Read($buffer, 0, 8)
        }
        $pipe.Dispose()
    }
}

Run-Server -h 728

Information about the pipe: AnonymousPipeClientStream Class

The code opens an In (read-only) pipe on handle 728, receives a script from another process, and then executes that script.

Some details:

The first message appears to be a kind of command ($c) and indicates the size of the script ($l).

Then it reads a second message of size ($l), and if command == 1 it executes that second message as if it were a PowerShell script: Invoke-Expression $t (scary!)
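To see exactly what the script above would hand to Invoke-Expression, here is an added Python decoder (not part of the question or the answer) that walks a captured pipe stream the same way the Run-Server loop does: an 8-byte header of two little-endian int32 values (command, payload length), then the payload as UTF-8. The sample stream is constructed inline for illustration; the frame layout itself is taken from the script.

```python
import struct

# Frame layout consumed by the script in the question (derived from its code):
#   int32 LE command at offset 0, int32 LE payload length at offset 4, then
#   `length` bytes of UTF-8 text. Command 1 => Invoke-Expression, 9 => stop.
HEADER_LEN = 8
CMD_EXECUTE = 1
CMD_TERMINATE = 9

def decode_frames(stream: bytes):
    """Return (command, text) tuples, stopping at a terminate frame or when
    fewer than 8 header bytes remain (the script's `$l -gt 7` check)."""
    frames = []
    pos = 0
    while len(stream) - pos >= HEADER_LEN:
        command, length = struct.unpack_from("<ii", stream, pos)
        pos += HEADER_LEN
        text = None
        if length > 0:
            # A short read truncates the text rather than failing, as the script does
            chunk = stream[pos:pos + length]
            pos += len(chunk)
            text = chunk.decode("utf-8", errors="replace")
        frames.append((command, text))
        if command == CMD_TERMINATE:
            break
    return frames

def executed_scripts(stream: bytes):
    """Only the payloads the script would pass to Invoke-Expression."""
    return [text for cmd, text in decode_frames(stream) if cmd == CMD_EXECUTE and text]

def frame(command: int, text: str = "") -> bytes:
    """Build one frame; used here only to construct the sample input."""
    payload = text.encode("utf-8")
    return struct.pack("<ii", command, len(payload)) + payload

# Constructed sample capture: two execute frames, a zero-length frame with an
# unknown command, then a terminate frame followed by bytes that are never read.
SAMPLE_STREAM = (
    frame(CMD_EXECUTE, "Get-Process | Select-Object -First 1")
    + frame(CMD_EXECUTE, "Start-Sleep -Milliseconds 10")
    + frame(5)
    + frame(CMD_TERMINATE)
    + b"trailing bytes after terminate"
)
```

Running `decode_frames` over data recovered from the writing process shows which commands the pipe server would have executed, which is the question to answer before deciding whether the 8% CPU is the script idling on `Read` or actually running something.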

© www.soinside.com 2019 - 2024. All rights reserved.