-
-
Save rootbsd/7cac96708cad9e0d52c7b0017becb2d1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Simulate fake processes of analysis sandbox/VM that some malware will try to evade | |
| # This just spawn ping.exe with different names (wireshark.exe, vboxtray.exe, ...) | |
| # It's just a PoC and it's ugly as f*ck but hey, if it works... | |
| # Usage: .\fake_sandbox.ps1 -action {start,stop} | |
| param([Parameter(Mandatory=$true)][string]$action) | |
| $fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe", | |
| "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe", | |
| "idag.exe", "ImmunityDebugger.exe") | |
| if ($action -ceq "start") { | |
| # We will store our renamed binaries into a temp folder | |
| $tmpdir = [System.Guid]::NewGuid().ToString() | |
| $binloc = Join-path $env:temp $tmpdir | |
| # Creating temp folder | |
| New-Item -Type Directory -Path $binloc | |
| $oldpwd = $pwd | |
| Set-Location $binloc | |
| foreach ($proc in $fakeProcesses) { | |
| # Copy ping.exe and rename binary to fake one | |
| Copy-Item c:\windows\system32\ping.exe "$binloc\$proc" | |
| # Start infinite ping process (localhost) - that's kind of ugly | |
| Start-Process ".\$proc" -WindowStyle Hidden -ArgumentList "-t -4 127.0.0.1" | |
| write-host "[+] Process $proc spawned" | |
| } | |
| Set-Location $oldpwd | |
| } | |
| elseif ($action -ceq "stop") { | |
| foreach ($proc in $fakeProcesses) { | |
| Stop-Process -processname "$proc".Split(".")[0] | |
| write-host "[+] Killed $proc" | |
| } | |
| } | |
| else { | |
| write-host "Bad usage: need '-action start' or '-action stop' parameter" | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment