Computer Hope

Software => BSD, Linux, and Unix => Topic started by: snoopyaqui on November 08, 2016, 04:40:52 PM

Title: understanding a Command String
Post by: snoopyaqui on November 08, 2016, 04:40:52 PM
I am a beginner with command strings.

What does this mean? Explain in IDIOT form because I am learning.

Parent command-line: cmd.exe
Process command-line: C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -windowstyle hidden -noninteractive -ExecutionPolicy bypass - string deleted by Allan due to malicious website content
Title: Re: understanding a Command String
Post by: Geek-9pm on November 08, 2016, 06:47:25 PM
I will not tell.  :-X
Here is some reference material.
https://msdn.microsoft.com/en-us/powershell/scripting/core-powershell/console/powershell.exe-command-line-help
Quote
PowerShell[.exe]
       [-EncodedCommand <Base64EncodedCommand>]
       [-ExecutionPolicy <ExecutionPolicy>]
       [-InputFormat {Text | XML}]
       [-Mta]
       [-NoExit]
       [-NoLogo]
       [-NonInteractive]
       [-NoProfile]
       [-OutputFormat {Text | XML}]
       [-PSConsoleFile <FilePath> | -Version <Windows PowerShell version>]
       [-Sta]
       [-WindowStyle <style>]
       [-File <FilePath> [<Args>]]
       [-Command { - | <script-block> [-args <arg-array>]
                     | <string> [<CommandParameters>] } ]
PowerShell[.exe] -Help | -? | /?
-WindowStyle
Sets the window style for the session. Valid values are Normal, Minimized, Maximized and Hidden.

-ExecutionPolicy
Sets the default execution policy for the current session and saves it in the $env:PSExecutionPolicyPreference environment variable. This parameter does not change the Windows PowerShell execution policy that is set in the registry. For information about Windows PowerShell execution policies, including a list of valid values, see

-EncodedCommand
Accepts a base-64-encoded string version of a command. Use this parameter to submit commands to Windows PowerShell that require complex quotation marks or curly braces.

-NonInteractive
Does not present an interactive prompt to the user.

The command may do something that somebody else does not want you to understand. So do not expect to find out what it is.  :D
Title: Re: understanding a Command String
Post by: snoopyaqui on November 08, 2016, 08:52:52 PM
Is that group of letters called a command or a string? Hey thanks for that link...I loved it. I just don't understand why all those letters are there. Looks like someone pushed a lot of random letters.
Title: Re: understanding a Command String
Post by: Geek-9pm on November 09, 2016, 01:02:07 AM
Powershell can take a number of commands on a single line. The last command was
Code:
-EncodedCommand JABFA....
The single space separates the command from the code that follows. What looks like gibberish is really base 64 code which allows complex constructions in the command line.
Windows can allow a line length of 8192 characters. I am not sure if that is the limit of Powershell. Anyway, it means that the administrator can have a super command using a single line of Powershell. The base 64 set of characters does not violate any special character restrictions that would otherwise make the command fail. Symbols that would not be allowed are embedded in the base 64 code.

Put another way, this is a neat feature that few of us would ever use. If the embedded code had 8000 chars, it could represent over 100 lines of code that do not go over 80 chars in length.
Does that help any?
Title: Re: understanding a Command String
Post by: camerongray on November 09, 2016, 03:33:26 AM
Where is this command from?

The large block of text is what's known as "Base64 encoded" which when decoded (which can be done with a website such as https://www.base64decode.org/) shows the actual command. To me this looks somewhat malicious as it mentions a URL that appears to be associated with "Trojan.Zlob.Q"
Title: Re: understanding a Command String
Post by: snoopyaqui on November 09, 2016, 04:17:42 PM
Thanks guys! This helps a ton. I am trying to learn more about coding but I have to learn the basics. You guys Rock!
Title: Re: understanding a Command String
Post by: snoopyaqui on November 09, 2016, 06:16:38 PM
Wow I did it! I used a decoder and saw all the words and the command to go to a specific website. I took that website and researched it for malicious activity. It was a bad site. Thanks for all the help. I want to learn more ...thanks again.
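
The decoding step described in the posts above, as an added example that is not code from the thread: an -EncodedCommand value is base64 over UTF-16LE text, so this Python sketch decodes it offline, reports the hiding switches seen in the original command line, and lists any URLs to research. The names `triage` and `encode_command`, the sample script and the example.invalid URL are constructed for illustration, and only the switch spellings quoted in the thread are matched.

```python
import base64
import binascii
import re

# Switch/value pairs from the thread's command line that hide what is running.
STEALTH = {"windowstyle": "hidden", "executionpolicy": "bypass"}

def encode_command(script):
    """Build an -EncodedCommand value: base64 over UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def triage(cmdline):
    """Return stealth switches, the decoded script and any URLs in it."""
    tokens = cmdline.split()
    report = {"flags": [], "script": None, "urls": []}
    for i, tok in enumerate(tokens):
        if tok[0] not in "-/" or len(tok) < 2:
            continue  # not a switch (a path, a value, or a lone dash)
        name = tok[1:].lower()
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "noninteractive":
            report["flags"].append(name)
        elif STEALTH.get(name) == arg.lower():
            report["flags"].append(f"{name} {arg.lower()}")
        # powershell.exe also accepts shortened forms such as -enc, -ec and -e
        elif name == "ec" or "encodedcommand".startswith(name):
            try:
                padded = arg + "=" * (-len(arg) % 4)  # restore stripped padding
                raw = base64.b64decode(padded, validate=True)
                report["script"] = raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                report["flags"].append("undecodable encoded command")
    if report["script"]:
        report["urls"] = re.findall(r"https?://[^\s'\"]+", report["script"])
    return report

# Constructed sample: a harmless script and the command line wrapping it.
SAMPLE_SCRIPT = "$E = 'http://example.invalid/a.txt'; Write-Output $E"
SAMPLE_CMDLINE = (
    r"C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe "
    "-windowstyle hidden -noninteractive -ExecutionPolicy bypass "
    "-EncodedCommand " + encode_command(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

The constructed script starts with `$E`, so its encoded form starts with the same `JABFA` prefix quoted in the thread; a generic base64 website decodes such a value as single bytes and shows a null byte between every letter, which is why the decode here uses UTF-16LE.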