Antivirus protection
On a computer where CrowdStrike Falcon Sensor is installed, using this VB module resulted in VB.psm1 being quarantined because it was considered malicious. The error message was: This script contains malicious content and has been blocked by your antivirus software.
The offending statement seems to be the following, which is found in the init() function:
$assembly = [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
On such systems, for the time being, the function init() and the reference that calls it must be removed manually. LoadWithPartialName() then needs to be executed on the command line.
Alternatively, I also seemed to have some success by replacing that line of code with:
$assembly = [System.Reflection.Assembly]::LoadFrom('C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll')
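An added example (not part of the original module): an init() that loads the assembly with the Add-Type cmdlet instead of the obsolete LoadWithPartialName(), skips the load when the type already resolves, and reports where the assembly came from together with its Authenticode status, without a hard-coded GAC path. The helper names test-vbLoaded and get-vbAssemblyInfo are hypothetical, and the page does not establish how a given endpoint product treats this variant.

```powershell
set-strictMode -version latest

# Hypothetical helper: true if [Microsoft.VisualBasic.Information] already
# resolves in the current session. The -as operator returns $null rather
# than throwing when the type is unknown.
function test-vbLoaded {
    return $null -ne ('Microsoft.VisualBasic.Information' -as [type])
}

# Replacement for init(): load by assembly name through Add-Type and stop
# with a terminating error instead of only printing a message.
function init {
    if (test-vbLoaded) {
        return
    }
    try {
        add-type -assemblyName Microsoft.VisualBasic -errorAction stop
    }
    catch {
        throw "Could not load VB assembly: $($_.Exception.Message)"
    }
    if (-not (test-vbLoaded)) {
        throw 'Assembly loaded, but [Microsoft.VisualBasic.Information] does not resolve'
    }
}

# Hypothetical helper: show which file actually backs the type and whether
# its signature validates, so the load can be reviewed on a locked-down host.
function get-vbAssemblyInfo {
    init
    $asm = ('Microsoft.VisualBasic.Information' -as [type]).Assembly
    $sig = get-authenticodeSignature -filePath $asm.Location
    return [pscustomobject] @{
        FullName        = $asm.FullName
        Location        = $asm.Location
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

get-vbAssemblyInfo | format-list
```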
Source code
VB.psm1
#
# https://docs.microsoft.com/en-us/dotnet/api/microsoft.visualbasic?view=net-5.0
set-strictMode -version latest

function init() {
  #
  # TODO: Should the following assembly be loaded?
  #
    $assembly = [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic')
    if ($null -eq $assembly) {
        write-host 'Could not load VB assembly'
    }
}

function typeName($obj) {
    if ($null -eq $obj) {
        return 'null'
    }
  #
  # If $obj is a COM object: return the COM type name.
  # Otherwise, return the PowerShell type name:
  #
    if ($obj -is [System.__ComObject]) {
        return [Microsoft.VisualBasic.Information]::TypeName($obj)
    }
    return $obj.GetType().FullName
}

#
# $var = new-object 'Microsoft.VisualBasic.VariantType[][]' 5,3
# ubound($var) # -> 4
# ubound($var.item(1)) # -> 2
#
function lBound($obj) {
    return [Microsoft.VisualBasic.Information]::LBound($obj)
}

function uBound($obj) {
    return [Microsoft.VisualBasic.Information]::UBound($obj)
}

function varType($obj) {
    return [Microsoft.VisualBasic.Information]::VarType($obj)
}

# isXyz() functions {
function isArray($obj) {
    return [Microsoft.VisualBasic.Information]::IsArray($obj)
}

function isDate($obj) {
    return [Microsoft.VisualBasic.Information]::IsDate($obj)
}

function isDBNull($obj) {
  #
  # isDBNull $null -> False
  #
    return [Microsoft.VisualBasic.Information]::IsDBNull($obj)
}

function isNothing($obj) {
  #
  # isNothing $null -> True
  # isNothing 42
  # isNothing $acc
  #
    return [Microsoft.VisualBasic.Information]::IsNothing($obj)
}

function isError($obj) {
    return [Microsoft.VisualBasic.Information]::IsError($obj)
}

function isReference($obj) {
    return [Microsoft.VisualBasic.Information]::IsReference($obj)
}
# }

function appActivate($procName) {
  #
  # TODO: AppActivate() can be invoked with either the application's title (case insensitive, but no partial name) or
  # the application's process ID (as is done in the following).
  #
    [Microsoft.VisualBasic.Interaction]::AppActivate( (get-process $procName).id )
}

function rgb($red, $green, $blue) {
    [Microsoft.VisualBasic.Information]::RGB($red, $green, $blue)
}

function callByName {
    param (
        [parameter(mandatory=$true )][__ComObject]                   $obj,
        [parameter(mandatory=$true )][string]                        $proc,
        [parameter(mandatory=$true )][Microsoft.VisualBasic.CallType] $callType, # get(2), let(4), set(8), method(1)
        [parameter(mandatory=$false)][object[]]                      $args
    )
    try {
        return [Microsoft.VisualBasic.Interaction]::CallByName($obj, $proc, $callType, $args)
    }
    catch [System.Management.Automation.MethodInvocationException] {
      # Emit a marker line followed by all properties of the error record.
        "callByName: MethodInvocationException"
        $_ | select-object *
    }
    catch {
        "callByName: other Exception $($_.GetType().FullName)"
        $_ | select-object *
    }
}

# Load the assembly as soon as the module is imported.
init
VB.psd1
@{
    RootModule        = 'VB.psm1'
    ModuleVersion     = '0.1'
    FunctionsToExport = @(
        'typeName'   ,
        'lBound'     ,
        'uBound'     ,
        'varType'    ,
        'isArray'    ,
        'isDate'     ,
        'isDBNull'   ,
        'isNothing'  ,
        'isError'    ,
        'isReference',
        'appActivate',
        'rgb'        ,
        'callByName'
    )
}