
how to spoof MAC address via code

Tags: c#, mac-address

I'm trying to spoof the MAC address of the computer that executes my program. Right now I'm getting the current MAC address of the machine using the 'getmac' command via cmd, then I want to change it via the 'RegistryKey' class (windows.system32).

The issue is that I don't know the string to pass to the OpenSubKey method.

For example this is the method to read the current MAC with registry key reading:

    private string readMAC()
    {
        RegistryKey rkey;
        string MAC;
        rkey = Registry.LocalMachine.OpenSubKey("SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}\\0012", true); //--->this is the string to change
        MAC = (string)rkey.GetValue("NetworkAddress");
        rkey.Close();
        return MAC;
    }
user3402649 asked Mar 10 '14 20:03


2 Answers

I got curious so I pulled the source for MadMACs. Turned out to be pretty straightforward to port the core logic to C#, so here it is if anyone is interested.

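// Needs: using System.Collections.Generic; using System.Linq;
//        using System.Management; using Microsoft.Win32;
private const string baseReg =
    @"SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\";

public static bool SetMAC(string nicid, string newmac)
{
    bool ret = false;
    using (RegistryKey bkey = GetBaseKey())
    // Open the key writable: the one-argument OpenSubKey overload is read-only,
    // so SetValue below would throw UnauthorizedAccessException.
    using (RegistryKey key = bkey.OpenSubKey(baseReg + nicid, true))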
    {
        if (key != null)
        {
            key.SetValue("NetworkAddress", newmac, RegistryValueKind.String);

            ManagementObjectSearcher mos = new ManagementObjectSearcher(
                new SelectQuery("SELECT * FROM Win32_NetworkAdapter WHERE Index = " + nicid));

            foreach (ManagementObject o in mos.Get().OfType<ManagementObject>())
            {
                o.InvokeMethod("Disable", null);
                o.InvokeMethod("Enable", null);
                ret = true;
            }
        }
    }

    return ret;
}

public static IEnumerable<string> GetNicIds()
{
    using (RegistryKey bkey = GetBaseKey())
    using (RegistryKey key = bkey.OpenSubKey(baseReg))
    {
        if (key != null)
        {
            foreach (string name in key.GetSubKeyNames().Where(n => n != "Properties"))
            {
                using (RegistryKey sub = key.OpenSubKey(name))
                {
                    if (sub != null)
                    {
                        object busType = sub.GetValue("BusType");
                        string busStr = busType != null ? busType.ToString() : string.Empty;
                        if (busStr != string.Empty)
                        {
                            yield return name;
                        }
                    }
                }
            }
        }
    }
}

public static RegistryKey GetBaseKey()
{
    return RegistryKey.OpenBaseKey(
        RegistryHive.LocalMachine,
        InternalCheckIsWow64() ? RegistryView.Registry64 : RegistryView.Registry32);
}

For brevity's sake, I've left out the implementation of InternalCheckIsWow64(), but that can be found here. Without this, I was running into issues with not finding the registry I wanted due to structural differences between 32- and 64-bit OSes.

Obligatory disclaimer -- play with the registry at your own peril.

Dan answered Sep 28 '22 23:09


This should point you in the right direction, but you're going to have to figure out the code:

  1. Look in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\ and you'll see a few sub keys corresponding to the interfaces in the "network connections" control panel. Probably only one will have a valid IP, and the others will have 0.0.0.0. You'll need to do some pattern matching to figure out which one is the right one.
  2. Get the key name for the interface (it's a GUID, or at least looks like one), and go back to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} and check each one's NetCfgInstanceId value (or search) for the GUID of the interface.
1.618 answered Sep 28 '22 21:09
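The GUID-to-subkey lookup described in the last answer, written as a read-only listing that also shows whether a NetworkAddress override is set on each adapter. This is an added example, not code from either answer; the class name NicRegistryAudit and the output format are made up for illustration, and it assumes C# 7 or later on Windows.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using Microsoft.Win32;

static class NicRegistryAudit   // hypothetical name, not from the page
{
    const string ClassKey = @"SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}";
    const string TcpipKey = @"SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces";

    // Maps each interface GUID (NetCfgInstanceId) to its class subkey name, e.g. "0012".
    static Dictionary<string, string> MapGuidToSubkey(RegistryKey hklm)
    {
        var map = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        using (RegistryKey cls = hklm.OpenSubKey(ClassKey))      // read-only open
        {
            if (cls == null) return map;
            foreach (string name in cls.GetSubKeyNames())
            {
                try
                {
                    using (RegistryKey sub = cls.OpenSubKey(name))
                        if (sub?.GetValue("NetCfgInstanceId") is string guid) map[guid] = name;
                }
                catch (SecurityException) { }   // "Properties" is not readable without elevation
            }
        }
        return map;
    }

    static void Main()
    {
        // Asking for the 64-bit view is safe on a 32-bit OS: it falls back to the 32-bit view.
        using (RegistryKey hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        using (RegistryKey ifs = hklm.OpenSubKey(TcpipKey))
        {
            Dictionary<string, string> map = MapGuidToSubkey(hklm);
            foreach (string guid in ifs?.GetSubKeyNames() ?? new string[0])
            {
                if (!map.TryGetValue(guid, out string sub)) continue;   // no matching adapter
                using (RegistryKey nic = hklm.OpenSubKey(ClassKey + "\\" + sub))
                {
                    var mac = nic?.GetValue("NetworkAddress") as string;
                    Console.WriteLine("{0}  {1}  {2}  override={3}", guid, sub,
                        nic?.GetValue("DriverDesc"), string.IsNullOrEmpty(mac) ? "(none)" : mac);
                }
            }
        }
    }
}
```

An adapter whose line shows anything other than `override=(none)` is presenting a MAC address configured in the registry rather than the one burned into the hardware.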