# resources:
# https://resources.infosecinstitute.com/pafish-paranoid-fish/
# https://www.thewindowsclub.com/clear-most-recently-used-mru-list
# https://www.cyberbit.com/blog/endpoint-security/anti-vm-and-anti-sandbox-explained/
# 1) checking cpu instructions
# - cpuid --> http://waynes-world-it.blogspot.com/2009/06/calling-cpuid-from-powershell-for-intel.html
# - mmx
# - in
# 2) known MAC addresses
# http://webcache.googleusercontent.com/search?q=cache:FRZ2kko0NG8J:pentestit.com/al-khaser-benign-malware-test-anti-malware/+&cd=12&hl=en&ct=clnk&gl=us
# https://github.com/nicehash/NiceHashMiner-Archived/blob/master/NiceHashMiner/PInvoke/CPUID.cs
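function checkNetworkAdapter()
{
    <#
    .SYNOPSIS
    Flags Win32_NetworkAdapter property values that reveal a virtual machine.

    .DESCRIPTION
    Queries the listed Win32_NetworkAdapter properties through WMI_Query
    (defined elsewhere in this project) and returns every property object
    that either satisfies Common_String (also defined elsewhere) or is a
    MACAddress whose OUI prefix is one commonly assigned to virtual NICs.
    Each flagged object receives two NoteProperties: status (1) and class
    (the WMI class name). An object is flagged and appended at most once,
    even when both checks match it.

    .OUTPUTS
    Array of flagged property objects; empty array when nothing matched.
    #>
    $props = @("Name", "Caption", "Description", "Manufacturer", "ProductName", "ServiceName", "MACAddress")
    $class = "Win32_NetworkAdapter"
    # OUI prefixes of virtual NICs (the first four are typically VMware, the
    # last VirtualBox). -like is case-insensitive, so the letter case of the
    # reported address does not matter.
    $vmMacPrefixes = @("00:05:69*", "00:0C:29*", "00:1C:14*", "00:50:56*", "08:00:27*")
    $objects = WMI_Query $class $props
    $output = @()
    ForEach ($obj in $objects)
    {
        # Same truthiness test as "if ($common)" on the raw Common_String result.
        $flagged = if (Common_String $obj.property_value) { $true } else { $false }
        if (-not $flagged -and $obj.property -eq "macaddress")
        {
            ForEach ($prefix in $vmMacPrefixes)
            {
                if ($obj.property_value -like $prefix)
                {
                    $flagged = $true
                    break
                }
            }
        }
        # Markers are added exactly once. The previous version appended the
        # object (and re-ran Add-Member, which errors on an existing member)
        # a second time when both the generic and the MAC check matched.
        if ($flagged)
        {
            $obj | Add-Member -MemberType NoteProperty -Name "status" -value 1
            $obj | Add-Member -MemberType NoteProperty -Name "class" -value $class
            $output += $obj
        }
    }
    return $output
}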
function checkNetworkAdapterConfiguration()
{
    <#
    .SYNOPSIS
    Flags Win32_NetworkAdapterConfiguration property values that look VM-specific.

    .DESCRIPTION
    Pulls the listed Win32_NetworkAdapterConfiguration properties through
    WMI_Query (defined elsewhere in this project) and keeps every property
    object for which Common_String (also defined elsewhere) is truthy. Kept
    objects are tagged with two NoteProperties, status (1) and class (the
    WMI class name), before being returned.

    .OUTPUTS
    Array of flagged property objects; empty array when nothing matched.
    #>
    $class = "Win32_NetworkAdapterConfiguration"
    $props = @("Caption", "Description", "DHCPLeaseObtained", "DNSHostName", "IPAddress", "MACAddress", "ServiceName")
    $output = @()
    ForEach ($entry in (WMI_Query $class $props))
    {
        # Skip anything the shared string check does not consider suspicious.
        if (-not (Common_String $entry.property_value))
        {
            continue
        }
        $entry | Add-Member -MemberType NoteProperty -Name "status" -value 1
        $entry | Add-Member -MemberType NoteProperty -Name "class" -value $class
        $output += $entry
    }
    return $output
}