Thursday, October 9, 2008

Setting Vmware to trick Malware

Here are some VMware configuration options that can be useful to thwart malware when it checks for the presence of a virtual machine. They will not fool every sample, but a lot of them will fall for it. So fire up your text editor and add these lines to your virtual machine's VMX file (with the VM powered off):

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

With this configuration you can trick most VM detection checks such as RedPill, the Scoopy checks and similar techniques that rely on the VMware backdoor I/O channel or on the monitor's binary-translation quirks.

Be careful with this configuration, because it breaks the guest-host communication channel and thus disables VMware Tools (shared folders, clipboard, drag and drop, mouse integration).
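Hand-editing a VMX file is error-prone when the VM already carries some of these keys with other values, so here is an added helper (my own example, not part of the original post or of the Skoudis/Liston paper) that merges the settings above into an existing .vmx, rewriting keys that are already present and appending the missing ones, and that can audit a file to report which of the settings are still unset. It assumes the usual one `key = "value"` per line layout that VMware writes; the sample .vmx content is constructed, and `apply_settings`, `audit_vmx` and `parse_vmx` are my own names.

```python
"""Merge the anti-VM-detection .vmx options from the post into a VMware .vmx file.

Added example, not code from the original post. Assumes the standard .vmx
layout of one `key = "value"` pair per line; '#' lines are comments.
Run the script on a powered-off VM only: VMware rewrites the .vmx when the
VM stops, so edits made while it runs are lost.
"""
import re
import sys
from typing import Dict, List

# The settings listed in the post, attributed there to Skoudis and Liston.
ANTI_DETECTION_SETTINGS: Dict[str, str] = {
    "isolation.tools.getPtrLocation.disable": "TRUE",
    "isolation.tools.setPtrLocation.disable": "TRUE",
    "isolation.tools.setVersion.disable": "TRUE",
    "isolation.tools.getVersion.disable": "TRUE",
    "monitor_control.disable_directexec": "TRUE",
    "monitor_control.disable_chksimd": "TRUE",
    "monitor_control.disable_ntreloc": "TRUE",
    "monitor_control.disable_selfmod": "TRUE",
    "monitor_control.disable_reloc": "TRUE",
    "monitor_control.disable_btinout": "TRUE",
    "monitor_control.disable_btmemspace": "TRUE",
    "monitor_control.disable_btpriv": "TRUE",
    "monitor_control.disable_btseg": "TRUE",
}

# One `key = "value"` pair. VMX keys are treated case-insensitively.
_PAIR = re.compile(r'^\s*([A-Za-z0-9_.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx file, keys lower-cased."""
    pairs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PAIR.match(line)
        if m:
            pairs[m.group(1).lower()] = m.group(2)
    return pairs


def audit_vmx(text: str, wanted: Dict[str, str] = ANTI_DETECTION_SETTINGS) -> List[str]:
    """List the wanted keys that are absent from the file or hold a different value."""
    present = parse_vmx(text)
    return [k for k, v in wanted.items()
            if present.get(k.lower(), "").upper() != v.upper()]


def apply_settings(text: str, wanted: Dict[str, str] = ANTI_DETECTION_SETTINGS) -> str:
    """Rewrite keys that already exist in place, append the missing ones,
    and leave every other line (comments, unrelated keys) untouched."""
    by_lower = {k.lower(): (k, v) for k, v in wanted.items()}
    seen = set()
    out: List[str] = []
    for line in text.splitlines():
        m = _PAIR.match(line)
        if m and m.group(1).lower() in by_lower:
            key, value = by_lower[m.group(1).lower()]
            out.append(f'{key} = "{value}"')
            seen.add(key.lower())
        else:
            out.append(line)
    for lower_key, (key, value) in by_lower.items():
        if lower_key not in seen:
            out.append(f'{key} = "{value}"')
    return "\n".join(out) + "\n"


# Constructed sample .vmx content (not a real VM's file): one of the
# keys is present with the wrong value, the other twelve are missing.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "malware-sandbox"
# the sandbox does not need guest/host integration
monitor_control.disable_directexec = "FALSE"
"""

if __name__ == "__main__":
    # Usage: python vmx_harden.py [path/to/vm.vmx]; without a path, the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_VMX
    print("unset before:", audit_vmx(text))
    patched = apply_settings(text)
    print("unset after: ", audit_vmx(patched))
    if path:
        open(path, "w").write(patched)
    else:
        print(patched, end="")
```

Running `apply_settings` twice yields the same file, so the script can be re-run after VMware has rewritten the .vmx without piling up duplicate keys.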

This configuration was provided by Ed Skoudis and Tom Liston in their document "Thwarting Virtual Machine Detection".

If you have another trick please share it here :)

CMM
