Este script está diseñado como una herramienta de auditoría simple y rápida, de solo lectura (no modifica ninguna configuración), que permite identificar configuraciones inseguras, protecciones deshabilitadas o mecanismos vulnerables en la fase de arranque y en el kernel de Windows que puedan comprometer la integridad del sistema. Requiere ejecutarse desde una sesión de PowerShell con privilegios de administrador.


Boot Security Diagnostic.ps1
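# Boot Security Diagnostic v1.0 by ElektroStudios
#
# Read-only audit of boot-time and kernel hardening state on Windows:
# firmware type / Secure Boot, Driver Signature Enforcement (on-disk and
# live), VBS / HVCI / Credential Guard, TPM, Kernel DMA Protection, ELAM
# boot-driver policy, LSA PPL, DEP and BitLocker. Nothing is written to
# the system; an elevated session is required for bcdedit, Secure Boot
# and the Win32_DeviceGuard / Win32_Tpm WMI classes.
#
# NOTE(review): several values are read from the registry and therefore
# describe the CONFIGURED policy, not necessarily what the kernel is doing
# right now. Wherever a live source exists (NtQuerySystemInformation,
# Win32_DeviceGuard) both are printed; trust the live one.

$Host.UI.RawUI.WindowTitle = "Boot Security Diagnostic v1.0 by ElektroStudios"

# Resizing the console is cosmetic and throws in hosts without a real
# console (ISE, redirected output, small terminals). Never let it abort
# the audit before the first check runs. Buffer is set first so the
# window never exceeds it.
try {
    $Host.UI.RawUI.BufferSize = New-Object System.Management.Automation.Host.Size(150, 300)
    $Host.UI.RawUI.WindowSize = New-Object System.Management.Automation.Host.Size(85, 50)
} catch {}

# Check for Admin Privileges
$currentIdentity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Host "ERROR: RUN AS ADMINISTRATOR" -ForegroundColor Red
    pause
    exit
}

# --- Helper Functions ---

# Prints the 66-column separator rule used around the header and footer.
function Write-Separator {
    Write-Host ("=" * 66) -ForegroundColor DarkCyan
}

# Prints a blank-line-padded "[TITLE]" section header.
function Write-SectionHeader {
    param([string]$Title)
    Write-Host ""
    Write-Host "[$Title]" -ForegroundColor Yellow
    Write-Host ""
}

# Prints " Label<pad> : Value", with the value in the given console color.
# Labels are padded to 37 characters so the colon column lines up.
function Write-Field {
    param(
        [string]$Label,
        [string]$Value,
        [string]$Color = "White"
    )
    $padding = 37 - $Label.Length
    if ($padding -lt 1) { $padding = 1 }
    $spaces = " " * $padding
    Write-Host " $Label$spaces : " -NoNewline
    Write-Host $Value -ForegroundColor $Color
}

# Reads a single registry value; returns $null when the key or value is
# missing instead of raising, so callers can distinguish "not set" from
# an explicit 0 / 1.
function Get-RegValue {
    param(
        [string]$Path,
        [string]$Name
    )
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

# ============================================================
# HEADER
# ============================================================
Write-Separator
Write-Host ("BOOT SECURITY DIAGNOSTIC").PadLeft(44).PadRight(66) -ForegroundColor Cyan
Write-Separator

# ============================================================
# OPERATING SYSTEM
# ============================================================
Write-SectionHeader "OPERATING SYSTEM"

$os = Get-CimInstance Win32_OperatingSystem
Write-Field "Caption" $os.Caption.Trim() "White"
Write-Field "Version" $os.Version.Trim() "White"

try {
    $displayVersion = Get-RegValue "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" "DisplayVersion"
    if ($displayVersion) {
        Write-Field "Display Version" ([string]$displayVersion).Trim() "White"
    }
} catch {}

Write-Field "Architecture" $os.OSArchitecture.Trim() "White"
Write-Field "Boot Device" $os.BootDevice.Trim() "White"
Write-Field "System Device" $os.SystemDevice.Trim() "White"
Write-Field "System Drive" $os.SystemDrive.Trim() "White"
Write-Field "Windows Directory" $os.WindowsDirectory.Trim() "White"
Write-Field "Last Boot Up Time" $os.LastBootUpTime "White"

# ============================================================
# CPU
# ============================================================
Write-SectionHeader "CPU"

# Multi-socket hosts return one Win32_Processor per package; vendor and
# mitigation policy are system-wide, so the first package is enough.
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
Write-Field "Caption" $cpu.Name.Trim() "White"

# Manufacturer ("AuthenticAMD" / "GenuineIntel") is the stable vendor
# string; Caption ("AMD64 Family ..." / "Intel64 Family ...") is kept as
# a fallback for builds where Manufacturer is empty.
$vendorString = "$($cpu.Manufacturer) $($cpu.Caption)"
$isAmd   = $vendorString -match "AMD"
$isIntel = $vendorString -match "Intel"

$brand = "Virtualization"
if ($isAmd) {
    $brand = "Virtualization (AMD-V)"
} elseif ($isIntel) {
    $brand = "Virtualization (Intel VT-X)"
}

if ($cpu.VirtualizationFirmwareEnabled) {
    Write-Field "$($brand)" "ENABLED" "Green"
} else {
    Write-Field "$($brand)" "DISABLED" "Red"
}

# --- Speculative-execution mitigation overrides ---
# FeatureSettingsOverride is a bitmask of mitigations to DISABLE, and per
# Microsoft's guidance a bit is only honoured when the same bit is also
# set in FeatureSettingsOverrideMask; checking the override alone (as a
# naive script would) flags a value the kernel ignores.
#   bit 0x01 = disable Spectre v2 (CVE-2017-5715, branch target injection)
#   bit 0x02 = disable Meltdown  (CVE-2017-5754), i.e. KVA Shadow
# Absent values mean "OS default". This is configured policy only: it
# does not tell whether the CPU needs the mitigation at all (e.g. parts
# that report RDCL_NO), so the positive case is reported as "not
# overridden" rather than "protected".
try {
    $mmPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
    $override = Get-RegValue $mmPath "FeatureSettingsOverride"
    $mask     = Get-RegValue $mmPath "FeatureSettingsOverrideMask"
    $effectiveOverride = 0
    if (($null -ne $override) -and ($null -ne $mask)) {
        $effectiveOverride = [int]$override -band [int]$mask
    }

    if (($effectiveOverride -band 0x01) -ne 0) {
        Write-Field "Spectre v2 (BTI Mitigation)" "DISABLED BY POLICY (UNPROTECTED)" "Red"
    } else {
        Write-Field "Spectre v2 (BTI Mitigation)" "NOT OVERRIDDEN (OS default)" "Green"
    }

    if ($isAmd) {
        # AMD is not affected by CVE-2017-5754, so KVA Shadow is not used.
        Write-Field "KVA Shadow (Meltdown Mitigation)" "NOT REQUIRED FOR AMD CPU" "Green"
    } elseif (($effectiveOverride -band 0x02) -ne 0) {
        Write-Field "KVA Shadow (Meltdown Mitigation)" "DISABLED BY POLICY (UNPROTECTED)" "Red"
    } else {
        Write-Field "KVA Shadow (Meltdown Mitigation)" "NOT OVERRIDDEN (OS default)" "Green"
    }
} catch {
    Write-Field "KVA Shadow" "QUERY FAILED" "Yellow"
}

# ============================================================
# BIOS
# ============================================================
Write-SectionHeader "BIOS"

# Firmware Type (UEFI vs Legacy) via kernel32!GetFirmwareType.
# FIRMWARE_TYPE: 0 = Unknown, 1 = BIOS, 2 = UEFI, 3 = Max.
$FirmwareTypeDefinition = @"
using System;
using System.Runtime.InteropServices;
public class FW {
    [DllImport("kernel32.dll", SetLastError=true)]
    public static extern bool GetFirmwareType(ref uint FirmwareType);
}
"@
try {
    Add-Type -TypeDefinition $FirmwareTypeDefinition -ErrorAction SilentlyContinue
    [uint32]$fwResult = 0
    # The BOOL return is the only failure signal; on failure $fwResult
    # stays 0 and must not be reported as a real firmware type.
    if (-not [FW]::GetFirmwareType([ref]$fwResult)) {
        throw "GetFirmwareType returned FALSE"
    }
    switch ($fwResult) {
        1 { Write-Field "Firmware Type" "BIOS (Legacy)" "Yellow" }
        2 { Write-Field "Firmware Type" "UEFI" "Green" }
        default { Write-Field "Firmware Type" "UNKNOWN ($fwResult)" "Yellow" }
    }
} catch {
    Write-Field "Firmware Type" "QUERY FAILED" "Yellow"
}

# Secure Boot. Confirm-SecureBootUEFI throws on legacy-BIOS machines and
# when the UEFI variable cannot be read; both are reported as unsupported.
try {
    $secureBootState = Confirm-SecureBootUEFI
    if ($secureBootState) {
        Write-Field "Secure Boot" "ENABLED" "Green"
    } else {
        Write-Field "Secure Boot" "DISABLED" "Red"
    }
} catch {
    Write-Field "Secure Boot" "NOT SUPPORTED / LEGACY BIOS" "Red"
}

# ============================================================
# DRIVER SIGNATURE ENFORCEMENT (DSE)
# ============================================================
Write-SectionHeader "DRIVER SIGNATURE ENFORCEMENT (DSE)"

# bcdedit shows the ON-DISK configuration of the current boot entry. It is
# parsed as text, so a failed or empty run must not be interpreted as
# "all clear": matching "testsigning Yes" against an error message would
# silently print DISABLED (green). Exit code and non-empty output are
# checked first. NOTE(review): value words such as "Yes" may be localized
# on non-English Windows; the live kernel query further down is the
# authoritative check and does not depend on bcdedit's text.
$bcdOutput = ""
$bcdOk = $false
try {
    $bcdOutput = (& bcdedit /enum "{current}" 2>&1 | Out-String)
    $bcdOk = ($LASTEXITCODE -eq 0) -and (-not [string]::IsNullOrWhiteSpace($bcdOutput))
} catch {
    $bcdOk = $false
}

$bcdTestSigning = $false
$bcdNoIntegrity = $false
if (-not $bcdOk) {
    Write-Field "Test Signing (Boot Option)" "bcdedit QUERY FAILED" "Red"
    Write-Field "Integrity Checks (Boot Option)" "bcdedit QUERY FAILED" "Red"
} else {
    # bcdedit testsigning
    $bcdTestSigning = ($bcdOutput -match "testsigning\s+Yes")
    if ($bcdTestSigning) {
        Write-Field "Test Signing (Boot Option)" "ENABLED (Test Mode / DSE partial bypass)" "Red"
    } else {
        Write-Field "Test Signing (Boot Option)" "DISABLED" "Green"
    }

    # bcdedit nointegritychecks. The same effect can be forced through the
    # loadoptions string (DISABLE_INTEGRITY_CHECKS), so both are checked.
    $bcdNoIntegrity = ($bcdOutput -match "nointegritychecks\s+Yes") -or
                      ($bcdOutput -match "loadoptions\s+.*DISABLE_INTEGRITY_CHECKS")
    if ($bcdNoIntegrity) {
        Write-Field "Integrity Checks (Boot Option)" "DISABLED (DSE full bypass)" "Red"
    } else {
        Write-Field "Integrity Checks (Boot Option)" "ENABLED" "Green"
    }
}

# Live kernel query via NtQuerySystemInformation(SystemCodeIntegrityInformation = 103).
# The NTSTATUS is checked: returning a zeroed struct on failure would be
# read by the caller as "code integrity disabled", i.e. a false alarm.
$CodeIntegrityDefinition = @"
using System;
using System.Runtime.InteropServices;
public class CI {
    [StructLayout(LayoutKind.Sequential)]
    public struct SYSTEM_CODEINTEGRITY_INFORMATION {
        public uint Length;
        public uint CodeIntegrityOptions;
    }

    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(int SystemInformationClass,
        ref SYSTEM_CODEINTEGRITY_INFORMATION SystemInformation,
        uint SystemInformationLength, out uint ReturnLength);

    public static uint GetOptions() {
        SYSTEM_CODEINTEGRITY_INFORMATION info = new SYSTEM_CODEINTEGRITY_INFORMATION();
        info.Length = (uint)Marshal.SizeOf(typeof(SYSTEM_CODEINTEGRITY_INFORMATION));
        uint retLen;
        int status = NtQuerySystemInformation(103, ref info, info.Length, out retLen);
        if (status != 0) {
            throw new InvalidOperationException(
                "NtQuerySystemInformation failed, NTSTATUS 0x" + status.ToString("X8"));
        }
        return info.CodeIntegrityOptions;
    }
}
"@
Add-Type -TypeDefinition $CodeIntegrityDefinition -ErrorAction SilentlyContinue

# Flag Constants (CODEINTEGRITY_OPTION_*):
#   0x01 = ENABLED
#   0x02 = TESTSIGN
$ciOptions = $null
try {
    $ciOptions = [CI]::GetOptions()
} catch {
    $ciOptions = $null
}

if ($null -eq $ciOptions) {
    Write-Field "Test Signing (Live System)" "NtQuerySystemInformation QUERY FAILED" "Red"
    Write-Field "Integrity Checks (Live System)" "NtQuerySystemInformation QUERY FAILED" "Red"
} else {
    $liveTestSigning = (($ciOptions -band 0x02) -ne 0)
    if ($liveTestSigning) {
        Write-Field "Test Signing (Live System)" "ENABLED (Test Mode / DSE partial bypass)" "Red"
    } else {
        Write-Field "Test Signing (Live System)" "DISABLED" "Green"
    }

    $liveCiEnabled = (($ciOptions -band 0x01) -ne 0)
    if ($liveCiEnabled) {
        Write-Field "Integrity Checks (Live System)" "ENABLED" "Green"
    } else {
        Write-Field "Integrity Checks (Live System)" "DISABLED (DSE full bypass)" "Red"
    }

    # On-disk config and running kernel disagreeing usually means a change
    # that has not been rebooted into yet (either direction is worth a look).
    if ($bcdOk) {
        $mismatch = ($bcdTestSigning -ne $liveTestSigning) -or ($bcdNoIntegrity -eq $liveCiEnabled)
        if ($mismatch) {
            Write-Field "Boot Option vs Live State" "MISMATCH (reboot pending?)" "Yellow"
        } else {
            Write-Field "Boot Option vs Live State" "CONSISTENT" "Green"
        }
    }
}

# ============================================================
# WINDOWS HYPERVISOR
# ============================================================
Write-SectionHeader "WINDOWS HYPERVISOR"

# Win32_DeviceGuard is the live source for VBS-backed services. Its
# SecurityServicesConfigured / SecurityServicesRunning arrays hold service
# IDs: 1 = Credential Guard, 2 = HVCI. The registry "Enabled" values below
# are only the configured policy and can be set while the service is not
# running (unsupported hardware, hypervisorlaunchtype off, pending reboot).
$dg = $null
try {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace "root\Microsoft\Windows\DeviceGuard" -ErrorAction SilentlyContinue
} catch {
    $dg = $null
}
$dgRunning    = @()
$dgConfigured = @()
if ($dg) {
    $dgRunning    = @($dg.SecurityServicesRunning)
    $dgConfigured = @($dg.SecurityServicesConfigured)
}

# hypervisorlaunchtype Off is the common way VBS/HVCI get silently
# disabled ("bcdedit /set hypervisorlaunchtype off"); surface it here.
if ($bcdOk) {
    if ($bcdOutput -match "hypervisorlaunchtype\s+Off") {
        Write-Field "Hypervisor Launch Type (Boot Option)" "OFF (VBS / HVCI cannot start)" "Red"
    } elseif ($bcdOutput -match "hypervisorlaunchtype\s+Auto") {
        Write-Field "Hypervisor Launch Type (Boot Option)" "AUTO" "Green"
    } else {
        Write-Field "Hypervisor Launch Type (Boot Option)" "NOT SET (OS default)" "Yellow"
    }
}

# Hypervisor-Enforced Code Integrity (HVCI)
try {
    $hvciReg = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" "Enabled"
    if ($hvciReg -eq 1) {
        Write-Field "HV-Enforced Code Integrity (HVCI)" "ENABLED (registry config)" "Green"
    } elseif ($hvciReg -eq 0) {
        Write-Field "HV-Enforced Code Integrity (HVCI)" "DISABLED (registry config)" "Red"
    } else {
        # NOTE(review): some Windows 11 builds enable HVCI by default without
        # writing this value; the live row below is the one that matters.
        Write-Field "HV-Enforced Code Integrity (HVCI)" "NOT DETECTED (registry config)" "Red"
    }
} catch {
    Write-Field "HV-Enforced Code Integrity (HVCI)" "REGISTRY QUERY FAILED" "Red"
}
if ($dg) {
    if ($dgRunning -contains 2) {
        Write-Field "HVCI (Live, Win32_DeviceGuard)" "RUNNING" "Green"
    } elseif ($dgConfigured -contains 2) {
        Write-Field "HVCI (Live, Win32_DeviceGuard)" "CONFIGURED BUT NOT RUNNING" "Red"
    } else {
        Write-Field "HVCI (Live, Win32_DeviceGuard)" "NOT RUNNING" "Red"
    }
} else {
    Write-Field "HVCI (Live, Win32_DeviceGuard)" "WMI QUERY FAILED" "Red"
}

# Virtualization Based Security (VBS)
try {
    $regVbs = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" "EnableVirtualizationBasedSecurity"
    if ($regVbs -eq 1) {
        Write-Field "Virtualization Based Security (VBS)" "ENABLED (registry config)" "Green"
    } elseif ($regVbs -eq 0) {
        Write-Field "Virtualization Based Security (VBS)" "DISABLED (registry config)" "Red"
    } else {
        Write-Field "Virtualization Based Security (VBS)" "NOT DETECTED (registry config)" "Red"
    }
} catch {
    Write-Field "Virtualization Based Security (VBS)" "REGISTRY QUERY FAILED" "Red"
}

# Credential Guard
try {
    $credGuard = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard" "Enabled"
    if ($credGuard -eq 1) {
        Write-Field "Credential Guard" "ENABLED (registry config)" "Green"
    } elseif ($credGuard -eq 0) {
        Write-Field "Credential Guard" "DISABLED (registry config)" "Red"
    } else {
        Write-Field "Credential Guard" "NOT DETECTED (registry config)" "Red"
    }
} catch {
    Write-Field "Credential Guard" "REGISTRY QUERY FAILED" "Red"
}
if ($dg) {
    if ($dgRunning -contains 1) {
        Write-Field "Credential Guard (Live)" "RUNNING" "Green"
    } elseif ($dgConfigured -contains 1) {
        Write-Field "Credential Guard (Live)" "CONFIGURED BUT NOT RUNNING" "Red"
    } else {
        Write-Field "Credential Guard (Live)" "NOT RUNNING" "Red"
    }
} else {
    Write-Field "Credential Guard (Live)" "WMI QUERY FAILED" "Red"
}

# Device Guard / VBS running state.
# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running,
# 2 = enabled and running.
if ($dg) {
    switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { Write-Field "Device Guard" "DISABLED" "Red" }
        1 { Write-Field "Device Guard" "ENABLED (NOT RUNNING)" "Yellow" }
        2 { Write-Field "Device Guard" "ENABLED AND RUNNING" "Green" }
        default { Write-Field "Device Guard" "UNKNOWN ($($dg.VirtualizationBasedSecurityStatus))" "Red" }
    }
} else {
    Write-Field "Device Guard" "WMI QUERY FAILED" "Red"
}

# ============================================================
# TRUSTED PLATFORM MODULE (TPM)
# ============================================================
Write-SectionHeader "TRUSTED PLATFORM MODULE (TPM)"

try {
    $tpm = Get-CimInstance -Namespace "root\CIMv2\Security\MicrosoftTpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm) {
        Write-Field "TPM Present" "YES" "Green"
        $tpmEnabled = [bool]$tpm.IsEnabled_InitialValue
        if ($tpmEnabled) {
            Write-Field "TPM Enabled" "YES" "Green"
        } else {
            Write-Field "TPM Enabled" "NO" "Red"
        }
        # SpecVersion is "2.0, 0, 1.59"-style; the first token is the spec level.
        Write-Field "TPM Version" $tpm.SpecVersion.Split(',')[0].Trim() "White"
    } else {
        Write-Field "TPM Present" "NOT DETECTED" "Red"
    }
} catch {
    Write-Field "TPM Present" "WMI QUERY FAILED" "Red"
}

# ============================================================
# KERNEL DIRECT MEMORY ACCESS (DMA) PROTECTION
# ============================================================
Write-SectionHeader "KERNEL DIRECT MEMORY ACCESS (DMA) PROTECTION"

# DMA Group Policy: "Enumeration policy for external devices incompatible
# with Kernel DMA Protection" (0 = block all, 1 = block until a user logs
# in, 2 = allow all). When the policy is not defined the OS default
# applies, so that case is a policy gap rather than a confirmed exposure.
$dmaPolicy = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection" "ExternalDeviceEnumeration"
if ($null -ne $dmaPolicy) {
    $policyText  = ""
    $policyColor = "Yellow"
    switch ([int]$dmaPolicy) {
        0 { $policyText = "BLOCK ALL";                $policyColor = "Green" }
        1 { $policyText = "BLOCK UNTIL USER LOG-IN";  $policyColor = "Green" }
        2 { $policyText = "ALLOW ALL";                $policyColor = "Red" }
        default { $policyText = "UNKNOWN ($dmaPolicy)"; $policyColor = "Yellow" }
    }
    Write-Field "Kernel DMA Group Policy (GPO)" $policyText $policyColor
} else {
    Write-Field "Kernel DMA Group Policy (GPO)" "NOT DEFINED (OS default applies)" "Yellow"
}

# Live state. Win32_DeviceGuard.AvailableSecurityProperties lists platform
# capabilities; value 3 is "DMA protection" (an IOMMU the OS can drive).
# Whether the kernel is actually enforcing it is reported through
# DMAProtectionInUse where that property exists; it is not present on
# every build, so a missing property is reported as such instead of being
# read as "inactive" (msinfo32 "Kernel DMA Protection" is the fallback).
if ($dg) {
    $dmaCapable = (@($dg.AvailableSecurityProperties) -contains 3)
    if ($dmaCapable) {
        Write-Field "DMA Protection Capability (IOMMU)" "AVAILABLE" "Green"
    } else {
        Write-Field "DMA Protection Capability (IOMMU)" "NOT AVAILABLE (VT-d / AMD-Vi off or absent)" "Red"
    }

    $dmaProp = $dg.PSObject.Properties['DMAProtectionInUse']
    if ($null -eq $dmaProp) {
        Write-Field "Kernel DMA Protection Service" "NOT REPORTED BY WMI (check msinfo32)" "Yellow"
    } elseif ($dmaProp.Value) {
        Write-Field "Kernel DMA Protection Service" "RUNNING / ACTIVE" "Green"
    } else {
        Write-Field "Kernel DMA Protection Service" "NOT RUNNING / INACTIVE" "Red"
    }
} else {
    Write-Field "Kernel DMA Protection Service" "WMI QUERY FAILED" "Red"
}

# ============================================================
# EARLY LAUNCH ANTI-MALWARE (ELAM)
# ============================================================
Write-SectionHeader "EARLY LAUNCH ANTI-MALWARE (ELAM)"

$elamBackup = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch" "BackupPath"
if ($elamBackup) {
    Write-Field "ELAM Backup Path" ([string]$elamBackup).Trim() "White"
}

# BootDriverPolicy follows the "Boot-Start Driver Initialization Policy"
# group-policy enumeration:
#   1 = Good only
#   3 = Good and unknown
#   7 = Good, unknown and bad but critical   (OS default when not set)
#   8 = All drivers
# Larger is more permissive; 1 and 3 are the hardened settings.
try {
    $elamPolicy = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\CI" "BootDriverPolicy"
    if ($null -eq $elamPolicy) {
        Write-Field "Boot Driver Policy" "NOT SET (OS default: good, unknown, bad-but-critical)" "Yellow"
    } else {
        switch ([int]$elamPolicy) {
            1 { Write-Field "Boot Driver Policy" "GOOD ONLY" "Green" }
            3 { Write-Field "Boot Driver Policy" "GOOD AND UNKNOWN" "Green" }
            7 { Write-Field "Boot Driver Policy" "GOOD, UNKNOWN AND BAD BUT CRITICAL (OS default)" "Yellow" }
            8 { Write-Field "Boot Driver Policy" "ALL DRIVERS (permissive)" "Red" }
            default { Write-Field "Boot Driver Policy" "CUSTOM ($elamPolicy)" "Yellow" }
        }
    }
} catch {
    Write-Field "Boot Driver Policy" "QUERY FAILED" "Red"
}

# ============================================================
# LOCAL SECURITY AUTHORITY (LSA) PROTECTION
# ============================================================
Write-SectionHeader "LOCAL SECURITY AUTHORITY (LSA) PROTECTION"

# RunAsPPL per the "Configure LSASS to run as a protected process" policy:
#   1 = enabled WITH UEFI lock (a UEFI variable is written, so clearing
#       the registry value alone does not turn it off)
#   2 = enabled WITHOUT UEFI lock (Windows 11 22H2 and later)
#   0 = disabled
# NOTE(review): newer Windows 11 builds can enable LSA protection by
# default on clean installs without writing this value, so "NOT
# CONFIGURED" is a policy gap to review, not proof that LSASS is
# unprotected — confirm on the target build.
try {
    $lsa = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" "RunAsPPL"
    if ($null -eq $lsa) {
        Write-Field "Run As Protected Process Light (PPL)" "NOT CONFIGURED (disabled unless OS default applies)" "Red"
    } else {
        switch ([int]$lsa) {
            1 { Write-Field "Run As Protected Process Light (PPL)" "ENABLED (UEFI Lock)" "Green" }
            2 { Write-Field "Run As Protected Process Light (PPL)" "ENABLED (no UEFI Lock)" "Green" }
            0 { Write-Field "Run As Protected Process Light (PPL)" "DISABLED (credential dumping risk)" "Red" }
            default { Write-Field "Run As Protected Process Light (PPL)" "UNKNOWN ($lsa)" "Yellow" }
        }
    }
} catch {
    Write-Field "Run As Protected Process Light (PPL)" "REGISTRY QUERY FAILED" "Red"
}

# ============================================================
# DATA EXECUTION PREVENTION (DEP)
# ============================================================
Write-SectionHeader "DATA EXECUTION PREVENTION (DEP)"

# DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn,
# 2 = OptIn (Windows components only), 3 = OptOut (all but exclusions).
try {
    if ($os.DataExecutionPrevention_Available) {
        switch ($os.DataExecutionPrevention_SupportPolicy) {
            0 { Write-Field "DEP Policy" "Always Off (vulnerable)" "Red" }
            1 { Write-Field "DEP Policy" "Always On (maximum protection)" "Green" }
            2 { Write-Field "DEP Policy" "Opt-In (limited protection)" "Yellow" }
            3 { Write-Field "DEP Policy" "Opt-Out (protected with exclusions)" "Green" }
            default { Write-Field "DEP Policy" "UNKNOWN ($($os.DataExecutionPrevention_SupportPolicy))" "Yellow" }
        }
    } else {
        Write-Field "DEP Hardware Support" "NOT SUPPORTED BY CPU" "Red"
    }
} catch {
    Write-Field "DEP Hardware Support" "QUERY FAILED" "Red"
}

# ============================================================
# BITLOCKER ENCRYPTION
# ============================================================
Write-SectionHeader "BITLOCKER ENCRYPTION"

# ProtectionStatus is what matters for an at-rest guarantee: a volume can
# be FullyEncrypted while protection is Off (suspended / clear key on disk),
# so the color follows ProtectionStatus rather than VolumeStatus.
try {
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    if ($volumes) {
        foreach ($vol in $volumes) {
            $status = $vol.ProtectionStatus
            $color = "Red"
            if ($status -eq "On") { $color = "Green" }
            $label = "Volume $($vol.MountPoint)"
            Write-Field $label "$($vol.VolumeStatus) (Protection: $status)" $color
        }
    } else {
        Write-Field "BitLocker" "NO VOLUMES FOUND" "Yellow"
    }
} catch {
    Write-Field "BitLocker" "NOT AVAILABLE / QUERY FAILED" "Red"
}

# ============================================================
# FOOTER
# ============================================================
Write-Host ""
Write-Separator
Write-Host ("END OF DIAGNOSTIC").PadLeft(44).PadRight(66) -ForegroundColor Cyan
Write-Separator
Write-Host ""
Write-Host "Press any key to exit..."
$null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")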
Nota: Solo he tenido oportunidad de probarlo en una CPU AMD y con la configuración actual de mi sistema, por lo que no puedo descartar algún error o falso positivo en la información mostrada al ejecutarlo sobre una CPU Intel, aunque en principio no debería haberlos. Ten en cuenta además que varias comprobaciones leen la configuración del registro (la política configurada) y no el estado real en ejecución: cuando el script muestra un valor marcado como "Live System" o procedente de WMI, ese es el que debe prevalecer si ambos difieren.













