主页 / computer / 问题 / 1757109
Accepted
brandeded
Asked: 2022-12-10 19:29:22 +0800 CST

如何在没有交互的情况下在 powershell.exe 中设置变量?

  • 772

我的 Windows 机器上发生了一件非常奇怪的事情。

不管我是否加载我的,启动时都会立即设置$profile一个名为的变量。$itempowershell.exe

我执行了以下操作:

  • 在调用-noprofile期间使用了开关。powershell.exe
  • 审查了由 加载的所有 DLL powershell.exe,并验证没有 DLL 是通过AppInit_DLLs键加载的。
  • powershell.exe从另一台没有出现问题的机器上复制了一个版本。
  • 我已经尝试作为另一个用户,并且该值仍然存在于该用户拥有的进程中。
  • 我列举了functions:PSdrive
  • 我在流程资源管理器中查看了环境变量。
  • 我已经查看了所有配置文件(在 中列出$profile | select *

怎么可能$item一开机就设置powershell.exe

windows

1 个回答

  1. Best Answer

    我在使用版本22.1.2.217的Sentinel One XDR(例如 S1)时遇到了这个问题。它们将代码加载到会话中并污染全局变量命名空间。您可以在 Windows 中打开Powershell 日志记录以查看所有代码。认为该功能称为agent.deepVisibility.scripts.powershell可以找到以Administrator身份运行命令行应用程序。以下是启用日志记录的摘录。SentinelCtl configure

    要启用自动转录,请通过管理模板 -> Windows 组件 -> Windows PowerShell 在组策略中启用打开 PowerShell 脚本块日志记录功能。

    Github上的这个问题详细介绍了代码。此外,有关 S1 脚本的一般信息也在此存储库中。第三,可以在链接到Twitter线程 Github评论中找到少量信息。以下是玷污用户变量命名空间的适用代码。

    $local:Po_wer_Spl_oit_Indicators = (
    ("{0}{5}{4}{2}{3}{1}" -f 'Inv','ion','nje','ct','I','oke-Dll'),
    ("{6}{2}{3}{8}{1}{7}{5}{0}{4}" -f 'o','eP','nvoke-','Reflect','n','ecti','I','EInj','iv'),
    ("{1}{0}{3}{2}"-f'v','In','lcode','oke-Shel'),
    ("{0}{2}{3}{1}" -f'Invoke-','ommand','W','miC'),
    ("{5}{1}{3}{2}{4}{0}" -f 'd','t-E','a','ncodedComm','n','Ou'),
    ("{4}{0}{2}{3}{1}" -f 'ut-C','l','ompre','ssedDl','O'),
    ("{2}{3}{4}{1}{0}" -f't','p','Out-Encrypted','Sc','ri'),
    ("{0}{2}{3}{1}"-f 'Rem','t','ove-Comm','en'),
    ("{0}{3}{7}{6}{2}{4}{5}{1}"-f'New','ion','te','-User','n','ceOpt','is','Pers'),
    ("{3}{2}{5}{1}{0}{4}" -f'eOpt','istenc','w-Elevated','Ne','ion','Pers'),
    ("{2}{3}{0}{1}{4}"-f 'is','te','Ad','d-Pers','nce'),
    ("{0}{3}{2}{1}" -f'Install-','P','S','S'),
    ("{4}{0}{3}{2}{5}{1}" -f 't-S','s','ka','ecurityPac','Ge','ge'),
    ("{3}{2}{1}{0}"-f 'gnature','-AVSi','ind','F'),
    ("{6}{2}{3}{1}{0}{5}{4}"-f 'u','ip','voke-T','okenMan','ion','lat','In'),
    ("{0}{3}{2}{4}{5}{1}" -f'In','n','oke-C','v','re','dentialInjectio'),
    ("{1}{2}{0}{3}{4}" -f'Nin','I','nvoke-','jaCop','y'),
    ("{2}{0}{1}" -f'Mimika','tz','Invoke-'),
    ("{1}{2}{3}{0}" -f'rokes','Get','-Ke','yst'),
    ("{2}{4}{1}{3}{0}"-f'ord','PPP','Get','assw','-G'),
    ("{3}{2}{1}{0}" -f'on','log','GPPAuto','Get-'),
    ("{3}{1}{5}{0}{2}{4}"-f 'cr','d','e','Get-Time','enshot','S'),
    ("{2}{4}{0}{1}{5}{3}"-f'lumeS','had','N','y','ew-Vo','owCop'),
    ("{1}{0}{3}{2}"-f '-VolumeShad','Get','py','owCo'),
    ("{1}{2}{3}{5}{4}{0}"-f 'y','Mount-Vol','umeShad','o','op','wC'),
    ("{2}{3}{4}{1}{0}{5}"-f 'wCop','eShado','Remo','ve-','Volum','y'),
    ("{2}{3}{4}{0}{1}{5}"-f'i','a','Get-VaultC','red','ent','l'),
    ("{1}{3}{2}{0}"-f'p','Out-M','um','inid'),
    ("{4}{1}{2}{0}{3}" -f 'neAudi','et-Mi','cropho','o','G'),
    ("{3}{5}{2}{6}{0}{1}{4}"-f'oot','Rec','te','S','ord','et-Mas','rB'),
    ("{0}{2}{1}{3}"-f 'Set-Crit','calP','i','rocess'),
    ("{2}{0}{1}{3}"-f 'oke','-Po','Inv','rtscan'),
    ("{1}{3}{2}{0}"-f 'ttpStatus','G','H','et-'),
    ("{2}{3}{1}{0}"-f'DnsLookup','-Reverse','Invo','ke'),
    ("{1}{3}{2}{0}" -f'oup','Get-Pro','r','cessTokenG'),
    ("{2}{0}{1}"-f 'et-Syst','em','G'),
    ("{0}{4}{3}{2}{1}" -f'Invok','oast','er','b','e-Ker')
)
foreach ($item in $local:Po_wer_Spl_oit_Indicators) {
        Set-PSBreakpoint -Command $item -Action { <#sentinelbreakpoints#> . {
    $local:PreviousErrCount = $error.count
    try { '' | out-file ':::::\windows\sentinel\8' } catch {}
    while ($PreviousErrCount -ne $error.count) {
        $error.remove($error[0])
    }
    Remove-Variable PreviousErrCount -Scope local -Confirm:$false -WhatIf:$false} } | Out-Null
};

    如果您想完全清除会话中的干扰,下面是一些代码。他们挂钩$PSDefaultParameterValues并减慢会话速度。此外,S1 中断了管道的使用Get-PSBreakpoint | Remove-PSBreakpoint

    # VS Code doesn't have the same issue for some reason.
if ($PSVersionTable.PSEdition -eq 'Desktop' -and $env:TERM_PROGRAM -ne 'vscode') {
    # Addition of breakpoints slow down the session. Calling fully qualified function to avoid using function override.
    Microsoft.PowerShell.Utility\Get-PSBreakpoint | Microsoft.PowerShell.Utility\Remove-PSBreakpoint
    # Software doesn't clean up these variables
    Remove-Variable -Name 'item', 'Po_wer_Spl_oit_Indicators' -ErrorAction 'Ignore'
    # Software overrides and hooks into these functions and breaks things. For instance, `gbp | rbp` doesn't work
    Remove-Item -Path 'Function:\Get-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Disable-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint' -ErrorAction 'Ignore'
    # Other functions added that aren't needed
    Remove-Item -Path 'Function:\Disable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Get-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy_Hook' -ErrorAction 'Ignore'
}
    • 2

相关问题