Suspicious behavior #287
Comments
|
Why suspicious? :D Now if serious...
Why As you may see $Signature = @{
Namespace = "WinAPI"
Name = "GetStr"
Language = "CSharp"
MemberDefinition = @"
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
internal static extern int LoadString(IntPtr hInstance, uint uID, StringBuilder lpBuffer, int nBufferMax);
public static string GetString(uint strId)
{
IntPtr intPtr = GetModuleHandle("shell32.dll");
StringBuilder sb = new StringBuilder(255);
LoadString(intPtr, strId, sb, sb.Capacity);
return sb.ToString();
}
"@
}
if (-not ("WinAPI.GetStr" -as [type]))
{
Add-Type @Signature -Using System.Text
}PowerShell tried to complied this code using .cs files in the temp folder (yes, literally. It can do it), but failed. I don't know why your OS "have access to this path" (I translated it). The code is very simple, and has been using for about 3 years. Do you have an admin access to this folder (%TEMP%)? |
|
So?.. |
|
It is on admin account and run with admin privileges but ESET classified this as rozena trojan. |
|
This is very funny. Report ESET that's a false positive. I can't fix it. The error is very simple: you have no access to this folder... |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Prerequisites
Steps to reproduce
So, care to explain why your script tries to embed Rozena_GenA malware tool while running? I'm talking about weird dll's generating in temp folder.
Screenshot
The text was updated successfully, but these errors were encountered: