# Simulate fake processes of analysis sandbox/VM that some malware will try to evade
# This just spawns ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
# It's just a PoC and it's ugly as f*ck but hey, if it works...
# Usage: .\fake_sandbox.ps1 -action {start,stop}
param([string]$action)

$fakeProcesses = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
                   "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
                   "idag.exe", "ImmunityDebugger.exe")

if ($action -ceq "start") {
    # We will store our renamed binaries into a temp folder
    $tmpdir = [System.Guid]::NewGuid().ToString()
    $binloc = Join-Path $env:temp $tmpdir
    # Creating temp folder
    New-Item -Type Directory -Path $binloc | Out-Null
    $oldpwd = $pwd
    Set-Location $binloc
    foreach ($proc in $fakeProcesses) {
        # Copy ping.exe and rename binary to fake one
        Copy-Item c:\windows\system32\ping.exe "$binloc\$proc"
        # Start infinite ping process (localhost) - that's kind of ugly.
        # ping.exe exits immediately without a target, so localhost is passed explicitly
        Start-Process ".\$proc" -WindowStyle Hidden -ArgumentList "-t -4 localhost"
        Write-Host "[+] Process $proc spawned"
    }
    Set-Location $oldpwd
}
elseif ($action -ceq "stop") {
    foreach ($proc in $fakeProcesses) {
        # Stop-Process matches the image name without extension; the member call
        # has to be parenthesised, otherwise PowerShell passes ".Split(...)" literally
        Stop-Process -ProcessName ($proc.Split(".")[0]) -ErrorAction SilentlyContinue
        Write-Host "[+] Killed $proc"
    }
}
else {
    Write-Host "Bad usage: need '-action start' or '-action stop' parameter"
}
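The script only changes the name a process shows up under, so it is worth checking what a decoy actually looks like from the outside once it is running. The helper below is an added example, not part of the gist: for each name in the decoy list (assumed to match `$fakeProcesses` above) it reports whether a process with that name is running, where its image lives, and the `OriginalFilename` from the binary's version resource. A decoy shows an image path under `%TEMP%` and an original filename of `ping.exe`; the genuine tool shows its install path and its own name. That tells an analyst both that the decoys are up and how shallow they are, which is useful when deciding what else (registry keys, drivers, services) a sandbox simulation still needs.

```powershell
# Added verification helper for fake_sandbox.ps1 (not part of the gist).
# Assumption: $decoyNames matches the $fakeProcesses list in the script.
$decoyNames = @("wireshark.exe", "vmacthlp.exe", "VBoxService.exe",
                "VBoxTray.exe", "procmon.exe", "ollydbg.exe", "vmware-tray.exe",
                "idag.exe", "ImmunityDebugger.exe")

function Test-FakeSandbox {
    param([string[]]$Names = $decoyNames)

    foreach ($name in $Names) {
        # Get-Process matches on the image name without the .exe extension
        $base = [System.IO.Path]::GetFileNameWithoutExtension($name)
        $running = Get-Process -Name $base -ErrorAction SilentlyContinue

        if (-not $running) {
            [pscustomobject]@{
                Name = $name; Status = "missing"; Path = $null
                OriginalFilename = $null; IsDecoy = $null
            }
            continue
        }

        foreach ($p in $running) {
            $path = $p.Path
            # Decoys are spawned from %TEMP%\<guid>\ ; anything else is the real tool
            $isDecoy = [bool]($path -and
                $path.StartsWith($env:TEMP, [System.StringComparison]::OrdinalIgnoreCase))
            # The version resource is copied along with ping.exe, so a decoy still says "ping.exe"
            $origName = try { $p.MainModule.FileVersionInfo.OriginalFilename } catch { $null }

            [pscustomobject]@{
                Name             = $name
                Status           = "running"
                Path             = $path
                OriginalFilename = $origName
                IsDecoy          = $isDecoy
            }
        }
    }
}

# Usage: run after .\fake_sandbox.ps1 -action start
Test-FakeSandbox | Format-Table -AutoSize
```

Run it from an elevated prompt if the real tools are installed as services, since `MainModule` on another user's process needs the matching access rights; the `try`/`catch` keeps the table complete when that lookup is denied.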

Benno1308 commented Aug 29, 2016

You could also add those: (IDA Pro uses idaQ while the 5.0 Free Version uses idaG)


ichttt commented Sep 1, 2016

You could also use ping -t -w (any high number) and then ping an invalid IP (like, which would reduce CPU utilisation.


Phoenix1747 commented Sep 4, 2016

Hi, I created a GitHub Repo for this script. I added the suggestion by @ichttt and created an installer for autostart, etc.

Come round and make some improvements if you like 📦 :
