Invoke-AntiVM-Interaction.ps1
# these functions should really get multithreaded in the future
function checkMouseMovement()
{
    <#
    .SYNOPSIS
        Reports whether the mouse cursor stayed still over a short observation window.
    .DESCRIPTION
        Samples the cursor position through System.Windows.Forms, sleeps for five
        seconds, and samples it again. If both coordinates are unchanged, one
        finding object (status 2, class "User Input", property "Mouse",
        property_value "No movement") is returned; otherwise the result is an
        empty array. Any exception (for example, no interactive desktop session)
        is swallowed by the empty Catch and also yields an empty array.
        Note for analysts: this is a sandbox-evasion heuristic. An instrumented
        analysis environment that simulates user input, or that records the
        System.Windows.Forms assembly load followed by a Start-Sleep, can observe
        and defeat it.
    .OUTPUTS
        System.Object[] - zero or one psobject with status, class, property and
        property_value NoteProperty members. The meaning of status value 2 is
        presumably defined by the consuming script; confirm against the caller.
    #>
    $findings = @()
    Try
    {
        Add-Type -AssemblyName System.Windows.Forms
        $before = [System.Windows.Forms.Cursor]::Position
        Start-Sleep -s 5
        $after = [System.Windows.Forms.Cursor]::Position

        $unchanged = ($before.x -eq $after.x) -and ($before.y -eq $after.y)
        if ($unchanged)
        {
            # Same member set and order as Add-Member NoteProperty would produce.
            $finding = New-Object -TypeName psobject -Property ([ordered]@{
                status         = 2
                class          = "User Input"
                property       = "Mouse"
                property_value = "No movement"
            })
            $findings += $finding
        }
    }
    Catch {}
    return $findings
}
# Work in Progress
function checkKeyPress
{
    <#
    .SYNOPSIS
        Polls GetAsyncKeyState for any key press (work in progress).
    .DESCRIPTION
        Compiles a P/Invoke wrapper for user32!GetAsyncKeyState with Add-Type,
        then polls virtual-key codes 1..254 for up to 10000 rounds. A return
        value of -32767 (0x8001 read as a signed 16-bit value: the key is down
        now and was pressed since the previous call) ends the scan immediately.
        Note for analysts: this is a sandbox-evasion heuristic. The in-session
        compilation of a user32 P/Invoke stub and the tight polling loop are
        observable from an instrumented environment.
    .OUTPUTS
        A two-element array. The first element is 1 when no key press was seen
        (the function starts by assuming it runs inside a VM) and 0 when one
        was; the second element is a description string on a hit and $null
        otherwise. Unlike checkMouseMovement this does not return a psobject
        finding, so the two results are not interchangeable.
    .NOTES
        Add-Type registers newnamespace.Newtype in the session. Calling this
        function a second time in the same session will presumably fail on
        that line because the type already exists - confirm before relying
        on repeated calls.
    #>
    $assumeVm = 1   # start pessimistic: treat the host as a VM until a key press is seen
    $detail = $null
    $signature = @'
[DllImport("user32.dll")]
public static extern short GetAsyncKeyState(int virtualKeyCode);
'@
    $nativeKeys = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru

    foreach ($round in 1..10000)
    {
        # A per-round Start-Sleep -Milliseconds 40 was considered and left disabled.
        foreach ($vkey in 1..254)
        {
            $state = $nativeKeys::GetAsyncKeyState($vkey)
            if ($state -eq -32767)   # 0x8001: down now and pressed since the last poll
            {
                $assumeVm = 0
                $detail = "Keypress detected - int($($vkey))"
                return ($assumeVm, $detail)
            }
        }
    }
    return ($assumeVm, $detail)
}