Suspicious behavior #287
Comments
Why suspicious? :D Now if serious...
Why? Sophia-Script-for-Windows/Sophia Script/Sophia Script for Windows 10/Module/Sophia.psm1, line 2666 in 88b9380.
As you may see:

```powershell
$Signature = @{
    Namespace        = "WinAPI"
    Name             = "GetStr"
    Language         = "CSharp"
    MemberDefinition = @"
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
internal static extern int LoadString(IntPtr hInstance, uint uID, StringBuilder lpBuffer, int nBufferMax);
public static string GetString(uint strId)
{
    IntPtr intPtr = GetModuleHandle("shell32.dll");
    StringBuilder sb = new StringBuilder(255);
    LoadString(intPtr, strId, sb, sb.Capacity);
    return sb.ToString();
}
"@
}
if (-not ("WinAPI.GetStr" -as [type]))
{
    Add-Type @Signature -Using System.Text
}
```

PowerShell tried to compile this code using .cs files in the temp folder (yes, literally. It can do it), but failed. I don't know why your OS says "have access to this path" (I translated it). The code is very simple, and has been in use for about 3 years. Do you have admin access to this folder (%TEMP%)?
So?..
It is on an admin account and run with admin privileges, but ESET classified this as a Rozena trojan.
This is very funny. Report to ESET that it's a false positive. I can't fix it. The error is very simple: you have no access to this folder...
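The thread above turns on two things: whether the account can write to %TEMP% (where Add-Type stages its .cs/.dll files) and which compiled artifact the AV product actually flagged. The following diagnostic is an added example, not Sophia Script's own code: it checks %TEMP% writability, compiles the same P/Invoke definition to a named DLL (so there is a stable file to hash and submit to the vendor as a false positive), and confirms the string lookup works. The `DiagWinAPI`/`GetStrProbe` names and the string id 4161 are constructed.

```powershell
# Added diagnostic, not part of Sophia Script. Checks %TEMP% writability, then
# compiles the same P/Invoke definition to a named DLL for hashing/submission.
# Namespace/Name are constructed so they do not clash with WinAPI.GetStr.
$tempDir = $env:TEMP
$probe   = Join-Path $tempDir ("addtype-probe-{0}.txt" -f [guid]::NewGuid())
try {
    Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
    Write-Host "TEMP is writable: $tempDir"
}
catch {
    # Add-Type writes its temporary .cs/.dll here; if this fails, so will the compile.
    Write-Warning "Cannot write to $tempDir : $($_.Exception.Message)"
}
$Signature = @{
    Namespace        = "DiagWinAPI"   # constructed names
    Name             = "GetStrProbe"
    Language         = "CSharp"
    MemberDefinition = @"
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
internal static extern int LoadString(IntPtr hInstance, uint uID, StringBuilder lpBuffer, int nBufferMax);
public static string GetString(uint strId)
{
    IntPtr intPtr = GetModuleHandle("shell32.dll");
    StringBuilder sb = new StringBuilder(255);
    LoadString(intPtr, strId, sb, sb.Capacity);
    return sb.ToString();
}
"@
}
# Compile to a named file instead of the transient temp assembly, so there is
# a stable artifact to scan, hash and attach to the vendor's false-positive report.
$dll = Join-Path $tempDir "GetStrProbe.dll"
try {
    Add-Type @Signature -UsingNamespace System.Text -OutputAssembly $dll -OutputType Library -ErrorAction Stop
    $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
    Write-Host "Compiled: $dll"
    Write-Host "SHA256:   $hash"
    # Sanity check: load the DLL and resolve a shell32 string resource.
    # Constructed id 4161 is not special; a missing id simply yields an empty string.
    $type = @(Add-Type -Path $dll -PassThru -ErrorAction Stop)[0]
    Write-Host ("LoadString works: '{0}'" -f $type::GetString(4161))
}
catch {
    Write-Warning "Add-Type failed: $($_.Exception.Message)"
}
```

If the first step already warns, the failure is a permissions problem on %TEMP% and no AV verdict is involved; if only the compile fails while the AV logs a detection, the hash printed here is what to put in the vendor report.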
So, care to explain why your script tries to embed the Rozena_GenA malware tool while running? I'm talking about weird DLLs being generated in the temp folder.