-
Notifications
You must be signed in to change notification settings - Fork 22
/
fsp.ps1
57 lines (49 loc) Β· 2.09 KB
/
fsp.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# Simulate processes of analysis, sandbox and VM software that some malware will try to evade.
# This just spawns ping.exe with different names (wireshark.exe, vboxtray.exe, ...)
#
# This is the updated version with no system load at all. I might also add some more fake processes in future updates.
# Maintained by NuclearPhoenixx, get updates and fixes on https://github.com/NuclearPhoenixx/fake-sandbox/
#
# Usage (CMD): Powershell -executionpolicy remotesigned -F "C:\Full\Path\To\File\fsp.ps1"
$action = read-host " What do you want to do? (start/stop)"
# Your processes come here:
$fakeProcesses = @('WinDbg.exe','idaq.exe','wireshark.exe','vmacthlp.exe','VBoxService.exe','VBoxTray.exe','procmon.exe','ollydbg.exe','vmware-tray.exe','idag.exe','ImmunityDebugger.exe')
# If you type in "start" it will run this:
if ($action -ceq "start") {
# We will store our renamed binaries into a temp folder
$tmpdir = [System.Guid]::NewGuid().ToString()
$binloc = Join-path $env:temp $tmpdir
# Creating temp folder
New-Item -Type Directory -Path $binloc
$oldpwd = $pwd
Set-Location $binloc
foreach ($proc in $fakeProcesses) {
# Copy ping.exe and rename binary to fake one
Copy-Item c:\windows\system32\ping.exe "$binloc\$proc"
# Start infinite ping process (invalid ip) that pings every 3600000 ms (1 hour)
Start-Process ".\$proc" -WindowStyle Hidden -ArgumentList "-t -w 3600000 -4 1.1.1.1"
write-host "[+] Spawned $proc"
}
Set-Location $oldpwd
write-host ""
write-host "Press any key to close..."
cmd /c pause | out-null
}
# If you type in "stop" it will run this:
elseif ($action -ceq "stop") {
write-host ""
foreach ($proc in $fakeProcesses) {
Stop-Process -processname "$proc".Split(".")[0]
write-host "[+] Killed $proc"
}
write-host ""
write-host "Press any key to close..."
cmd /c pause | out-null
}
# Else print this:
else {
write-host ""
write-host "Bad usage: You need to use either 'start' or 'stop' for this to work!" -foregroundcolor Red
write-host "Press any key to close..."
cmd /c pause | out-null
}