Skip to content
/ VmwareHardenedLoader Public
forked from hzqst/VmwareHardenedLoader

Vmware Hardened VM detection mitigation loader (anti anti-vm)

License

MIT license
0 stars 477 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

zths/VmwareHardenedLoader

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

68 Commits
VmLoader
VmLoader
 
 
bin
bin
 
 
capstone2 @ b3ae460
capstone2 @ b3ae460
 
 
hidden @ 85786fd
hidden @ 85786fd
 
 
img
img
 
 
.gitignore
.gitignore
 
 
.gitmodules
.gitmodules
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

VmwareHardenedLoader

Vmware Hardened VM detection mitigation loader

For now, only Windows (vista~win10) x64 guests are supported.

It get vmware guest undetected by VMProtect 3.2, Safengine and Themida (anti-vm feature).

What it does

the VmLoader driver patches SystemFirmwareTable at runtime, it removes all detectable signatures like "VMware" "Virtual" "VMWARE".

Build

Visual Studio 2015 / 2017 and Windows Driver Kit 10 are required.

Open VmLoader.sln with Visual Studio 2015 / 2017

Build capstone_static_winkernel as x64/Release

Build VmLoader as x64/Release

Remember to sign bin/vmloader.sys if you want to load it in Driver-Signature-Enforcement enabled environment.

Hidden stuffs are only necessary when registry keys are detected.

Build Hidden as x64/Release

Build HiddenLib as x64/Release

Build HiddenTests as x64/Release

Remember to sign bin/hidden.sys if you want to load it in Driver-Signature-Enforcement enabled environment.

Installation

Warning

Do not install vmtools, it will ruin everything!

use TeamViewer / AnyDesk / mstsc / VNC viewer instead!

1st Step: Add following settings into .vmx

hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"

If you have a SCSI virtual disk at scsi0 slot (first slot) as your system drive, remember add

scsi0:0.productID = "Whatever you want"
scsi0:0.vendorID = "Whatever you want"

I use

scsi0:0.productID = "Tencent SSD"
scsi0:0.vendorID = "Tencent"

2nd Step: Modify MAC address

Modify guest's MAC address to whatever except below:

	TCHAR *szMac[][2] = {
		{ _T("\x00\x05\x69"), _T("00:05:69") }, // VMWare, Inc.
		{ _T("\x00\x0C\x29"), _T("00:0c:29") }, // VMWare, Inc.
		{ _T("\x00\x1C\x14"), _T("00:1C:14") }, // VMWare, Inc.
		{ _T("\x00\x50\x56"), _T("00:50:56") },	// VMWare, Inc.
	};

mac

You could add

ethernet0.address = "Some random mac address"

into vmx file instead of modifying MAC address in vmware GUI

I use

ethernet0.address = "00:11:56:20:D2:E8"

3rd Step: Load vmloader.sys in vm guest

put vmloader.sys at C:\

open command prompt with Administrator Priviledge, use the following commands

sc create vmloader binPath= "\??\c:\vmloader.sys" type= "kernel" start="system"
sc start vmloader

start="system" is optional. if you want the driver to be loaded automatically when system start, add this to the command.

If an error occurs when start service, use DbgView to capture kernel debug output. you can post an issue with DbgView output information and with your ntoskrnl.exe attached.

If no error occurs, then everything works fine.

you could put "vmloader.sys" wherever you want, except vmware shared folders.

when you no longer need the mitigation, use

sc stop vmloader
sc delete vmloader

to unload the driver.

4th Step: Load hidden.sys in vm guest and run HiddenTests (optional)

Only necessary when registry keys are detected.

put hidden.sys at C:\

open command prompt with Administrator Priviledge, use the following commands

sc create hidden binPath= "\??\c:\hidden.sys" type= "kernel" start="system"
sc start hidden

start="system" is optional. if you want the driver to be loaded automatically when system start, add this to the command.

when you no longer need the mitigation, use

sc stop hidden
sc delete hidden

to unload the driver.

Then run HiddenTests.exe with Administrator Priviledge (which could be placed wherever you want).

When you see "successful!!", it means it's all ok.

Showcase

Vmware guest win8.1 x64 with VMProtect 3.2 packed program (anti-vm option enabled)

before sigs after

License

This software is released under the MIT License, see LICENSE.

Some util procedures are from https://github.com/tandasat/HyperPlatform

https://github.com/aquynh/capstone is used to disasm ntoskrnl code.

TODO

Some registry keys are supposed to be hidden, like NOW MITIGATED reg

For now you have to delete those keys to bypass some shitty malwares' anti-vm check.

vmware SCSI virtual disk is also a detection vector, which could be hidden by installing a minifilter to take control of IRP_InternalIoctl that passed to disk device drivers. NOW MITIGATED

vmware virtual graphic card information could be detected by querying DXGI interface, which could be modified by editing graphic driver files.

About

Vmware Hardened VM detection mitigation loader (anti anti-vm)

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 88.9%
  • C 10.2%
  • Batchfile 0.9%