如何在没有交互的情况下在 powershell.exe 中设置变量?

tag-icon tag-icon windows powershell
如何在没有交互的情况下在 powershell.exe 中设置变量?

我的 Windows 机器上发生了一件非常奇怪的事情。

无论我是否加载我的,在启动时都会立即设置$profile一个名为的变量。$itempowershell.exe

我已执行以下操作:

  • -noprofile在调用期间使用了开关powershell.exe
  • 审查了由 加载的所有 DLL powershell.exe,并确认没有 DLL 是通过AppInit_DLLs密钥侧面加载的。
  • powershell.exe我从另一台没有发生此问题的机器上复制了一个版本。
  • 我已尝试以另一个用户身份执行此操作,并且该值仍然存在于该用户拥有的进程中。
  • 我已经枚举了functions:PSdrive
  • 我已经检查了进程资源管理器中的环境变量。
  • 我已查看所有个人资料(列于$profile | select *

如何$item在启动时立即设置powershell.exe

答案1

我有这个问题哨兵一号XDR(例如 S1)版本22.1.2.217。它们将代码加载到会话中并污染全局变量命名空间。您可以打开Powershell 日志记录在 Windows 中查看所有代码。我思考该功能称为代理.deepVisibility.脚本.powershell可以在SentinelCtl configure命令行应用程序中找到行政人员。下面是启用日志记录的摘录。

要启用自动转录,请通过管理模板 -> Windows 组件 -> Windows PowerShell 启用组策略中的打开 PowerShell 脚本块日志记录功能。

这个问题Github详细说明了代码。此外,有关 S1 脚本的一般信息也包含在这个 repo 中。第三,可以在 Github评论链接到推特线程。下面是玷污用户变量命名空间的适用代码。

$local:Po_wer_Spl_oit_Indicators = (
    ("{0}{5}{4}{2}{3}{1}" -f 'Inv','ion','nje','ct','I','oke-Dll'),
    ("{6}{2}{3}{8}{1}{7}{5}{0}{4}" -f 'o','eP','nvoke-','Reflect','n','ecti','I','EInj','iv'),
    ("{1}{0}{3}{2}"-f'v','In','lcode','oke-Shel'),
    ("{0}{2}{3}{1}" -f'Invoke-','ommand','W','miC'),
    ("{5}{1}{3}{2}{4}{0}" -f 'd','t-E','a','ncodedComm','n','Ou'),
    ("{4}{0}{2}{3}{1}" -f 'ut-C','l','ompre','ssedDl','O'),
    ("{2}{3}{4}{1}{0}" -f't','p','Out-Encrypted','Sc','ri'),
    ("{0}{2}{3}{1}"-f 'Rem','t','ove-Comm','en'),
    ("{0}{3}{7}{6}{2}{4}{5}{1}"-f'New','ion','te','-User','n','ceOpt','is','Pers'),
    ("{3}{2}{5}{1}{0}{4}" -f'eOpt','istenc','w-Elevated','Ne','ion','Pers'),
    ("{2}{3}{0}{1}{4}"-f 'is','te','Ad','d-Pers','nce'),
    ("{0}{3}{2}{1}" -f'Install-','P','S','S'),
    ("{4}{0}{3}{2}{5}{1}" -f 't-S','s','ka','ecurityPac','Ge','ge'),
    ("{3}{2}{1}{0}"-f 'gnature','-AVSi','ind','F'),
    ("{6}{2}{3}{1}{0}{5}{4}"-f 'u','ip','voke-T','okenMan','ion','lat','In'),
    ("{0}{3}{2}{4}{5}{1}" -f'In','n','oke-C','v','re','dentialInjectio'),
    ("{1}{2}{0}{3}{4}" -f'Nin','I','nvoke-','jaCop','y'),
    ("{2}{0}{1}" -f'Mimika','tz','Invoke-'),
    ("{1}{2}{3}{0}" -f'rokes','Get','-Ke','yst'),
    ("{2}{4}{1}{3}{0}"-f'ord','PPP','Get','assw','-G'),
    ("{3}{2}{1}{0}" -f'on','log','GPPAuto','Get-'),
    ("{3}{1}{5}{0}{2}{4}"-f 'cr','d','e','Get-Time','enshot','S'),
    ("{2}{4}{0}{1}{5}{3}"-f'lumeS','had','N','y','ew-Vo','owCop'),
    ("{1}{0}{3}{2}"-f '-VolumeShad','Get','py','owCo'),
    ("{1}{2}{3}{5}{4}{0}"-f 'y','Mount-Vol','umeShad','o','op','wC'),
    ("{2}{3}{4}{1}{0}{5}"-f 'wCop','eShado','Remo','ve-','Volum','y'),
    ("{2}{3}{4}{0}{1}{5}"-f'i','a','Get-VaultC','red','ent','l'),
    ("{1}{3}{2}{0}"-f'p','Out-M','um','inid'),
    ("{4}{1}{2}{0}{3}" -f 'neAudi','et-Mi','cropho','o','G'),
    ("{3}{5}{2}{6}{0}{1}{4}"-f'oot','Rec','te','S','ord','et-Mas','rB'),
    ("{0}{2}{1}{3}"-f 'Set-Crit','calP','i','rocess'),
    ("{2}{0}{1}{3}"-f 'oke','-Po','Inv','rtscan'),
    ("{1}{3}{2}{0}"-f 'ttpStatus','G','H','et-'),
    ("{2}{3}{1}{0}"-f'DnsLookup','-Reverse','Invo','ke'),
    ("{1}{3}{2}{0}" -f'oup','Get-Pro','r','cessTokenG'),
    ("{2}{0}{1}"-f 'et-Syst','em','G'),
    ("{0}{4}{3}{2}{1}" -f'Invok','oast','er','b','e-Ker')
)
foreach ($item in $local:Po_wer_Spl_oit_Indicators) {
        Set-PSBreakpoint -Command $item -Action { <#sentinelbreakpoints#> . {
    $local:PreviousErrCount = $error.count
    try { '' | out-file ':::::\windows\sentinel\8' } catch {}
    while ($PreviousErrCount -ne $error.count) {
        $error.remove($error[0])
    }
    Remove-Variable PreviousErrCount -Scope local -Confirm:$false -WhatIf:$false} } | Out-Null
};

如果您想要彻底清除会话中的干扰,请参阅以下代码。它们会挂接$PSDefaultParameterValues并减慢会话速度。此外,S1 会中断管道使用Get-PSBreakpoint | Remove-PSBreakpoint

# VS Code doesn't have the same issue for some reason.
if ($PSVersionTable.PSEdition -eq 'Desktop' -and $env:TERM_PROGRAM -ne 'vscode') {
    # Addition of breakpoints slow down the session. Calling fully qualified function to avoid using function override.
    Microsoft.PowerShell.Utility\Get-PSBreakpoint | Microsoft.PowerShell.Utility\Remove-PSBreakpoint
    # Software doesn't clean up these variables
    Remove-Variable -Name 'item', 'Po_wer_Spl_oit_Indicators' -ErrorAction 'Ignore'
    # Software overrides and hooks into these functions and breaks things. For instance, `gbp | rbp` doesn't work
    Remove-Item -Path 'Function:\Get-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Disable-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint' -ErrorAction 'Ignore'
    # Other functions added that aren't needed
    Remove-Item -Path 'Function:\Disable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Get-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy_Hook' -ErrorAction 'Ignore'
}

更新 1:

从某个版本的迭代开始23哨兵一号代理,整个引导脚本似乎已被删除。运行时不再显示断点microsoft.PowerShell.Utility\Get-PSBreakpoint,也不会创建上述函数。

相关内容