How to programmatically resolve the real hardware MAC address (or confirm it's not spoofed) in a Windows environment?
Network device parameters are stored in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
Each device has its own registry folder: 0000, 0001, 0002, etc. Inside each one, the AdapterModel field tells you specifically which device you are dealing with.
There are two possible cases:
1) The device is using its factory MAC address: the NetworkAddress field will not appear
2) The device is using a spoofed MAC address: the NetworkAddress field will contain its value
To determine the real hardware MAC address:
Find the device in the registry and check whether the NetworkAddress field appears
(It's missing): Just get the MAC with any method (WMI, GetAdaptersInfo or NetBIOS) and you are set.
(It's there):
- Back up the value
- Remove the NetworkAddress field from the device's registry key
- Restart the network device (that's the most evil part...)
- Get the real hardware MAC with any method (see above)
- Restore the backed-up value in the registry (recreate the NetworkAddress field)
- Restart the network device (evil part strikes again)
Voila!
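
The first step of the procedure above (find each device subkey and check whether NetworkAddress is present), as an added example that is not part of the original post. It only reads the registry and never modifies it; the DriverDesc fallback, the status labels and the SAMPLE data are assumptions made for illustration.

```python
import re

try:
    import winreg  # standard library, present on Windows only
except ImportError:
    winreg = None

CLASS_KEY = r"SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}"

def normalize_mac(raw):
    """Return 'AA:BB:CC:DD:EE:FF', or None if raw is not 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", str(raw)).upper()
    pairs = (digits[i:i + 2] for i in range(0, 12, 2))
    return ":".join(pairs) if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def read_adapters():
    """Read the values of every 0000, 0001, ... subkey on a live Windows host."""
    adapters = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLASS_KEY) as cls:
        for i in range(winreg.QueryInfoKey(cls)[0]):
            name = winreg.EnumKey(cls, i)
            if not re.fullmatch(r"\d{4}", name):
                continue  # not a device subkey
            with winreg.OpenKey(cls, name) as dev:
                count = winreg.QueryInfoKey(dev)[1]
                values = (winreg.EnumValue(dev, j) for j in range(count))
                adapters[name] = {v[0]: v[1] for v in values}
    return adapters

def audit(adapters):
    """Return (subkey, model, status, mac) for each device subkey."""
    report = []
    for subkey in sorted(adapters):
        # Registry value names are case-insensitive, so compare in lower case
        values = {k.lower(): v for k, v in adapters[subkey].items()}
        # Assumption: fall back to DriverDesc when AdapterModel is absent
        model = values.get("adaptermodel") or values.get("driverdesc") or "?"
        mac = normalize_mac(values.get("networkaddress", ""))
        status = ("factory" if "networkaddress" not in values
                  else "override" if mac else "malformed")
        report.append((subkey, model, status, mac))
    return report

# Constructed sample (not real hardware) so the logic also runs off Windows
SAMPLE = {"0000": {"AdapterModel": "Example Gigabit NIC"},
          "0001": {"DriverDesc": "Example Wireless Adapter", "NetworkAddress": "02-11-22-33-44-55"},
          "0002": {"DriverDesc": "Example Virtual Adapter", "networkaddress": "not-a-mac"}}

if __name__ == "__main__":
    for row in audit(read_adapters() if winreg else SAMPLE):
        print(*row)
```

A device reported as "factory" can be queried directly with any of the methods listed above; one reported as "override" needs the backup, remove, restart, read, restore sequence.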