🧪 Beyond the limitations of the Virtual Environment I
It doesn't matter if you're an amateur malware tester or a professional cyber-sec expert, you've surely had a problem where a sample just wouldn't run on your virtual environment, be it a Sandbox or a Virtual Machine. Regardless of your struggle, there exists a common technique used to detect any suspicious environment, and it allows developers to filter the hardware their applications can run on, be it for malicious or defensive purposes. It's commonly called an Anti-VM, and there are various proprietary and open-source solutions (e.g. VMProtect, Safengine) providing a wide range of application protection utilities.
Despite all the expense developers go to in order to secure their applications, the Anti-VM mechanisms are very predictable and relatively easy to bypass. Their weakest point is the fact that a virtual environment isn't so much different from a real one. The only potentially fruitful ways to detect a virtual environment are hardware signatures and drivers for that specific set of hardware. Some cheeky paid tools go as far as searching for generic patterns and strings in the local network and known VM files in your system directory, but such checks are far more strict and can't ever warrant a Virtual Machine on the other end.
I will not get into the technical side of things in this post, and we don't really need it to bypass basic Anti-VM checks and evade even some of the paid solutions out there. Essentially, we will be cooking up an Anti-Anti-VM environment to trick pesky programs into running without the need for real hardware.
The cornerstone of that endeavor will be the VMware Hardened Loader by hzqst. As the name suggests, you will need a VMware machine to pull this off. I'll boil down the tutorial to a few simple steps down below. You can find the original text in the readme file attached in the repository.
▪️ Create a virtual machine with a SCSI hard disk
▪️ Replace all the optical drives with SCSI ones
💻 Paste the following settings inside the .vmx file of your newly created VM. They will minimize the hardware signature presence inside your VM:
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
Now you want to rename the virtual drives to remove VMware from their names (X is the SCSI slot number of the DVD drive):
scsi0:0.productID = "Samsung SSD"
scsi0:0.vendorID = "Samsung"
scsi0:X.productID = "Matshita DVD-RAM"
scsi0:X.vendorID = "Matshita"
The rest of the steps are in the next post.
🧪 Beyond the limitations of the Virtual Environment II
💻 Open NAT settings, click Advanced and modify the MAC address. The MAC address cannot start with the following sequences (they signify VMware):
00:05:69
00:0C:29
00:1C:14
00:50:56
▪️ Install any 64-bit Windows version starting from Vista on the VM.
▪️ DO NOT INSTALL VMWARE TOOLS; that defeats the purpose of this project.
▪️ Use ISO files and your virtual SCSI optical drive to transfer data between the host and guest. Despite the inconvenience and added hassle, it adds another layer of isolation, which is always good when you're working with malware.
▪️ Download the repository and transfer the 3 files from the bin folder to your VM. Place vmloader.sys inside the root of the C:\ drive and open install.bat with administrator rights. It will install the virtual signature remover as a service on your virtual system.
▪️ Reboot your machine. Last, but not least, open the registry editor and search for "VMware". You may find lots of values referring to VMware, but the only one that can actually trigger the Anti-VM mechanism is the BIOS Information, or something along these lines. If you do find it, go ahead and change the value to American Megatrends or anything else that comes to your mind first.
Once you've completed all the steps listed here, you should be golden. Now that your virtual machine is tweaked accordingly, the apps with Anti-VM integrated should run perfectly fine, as if that's real hardware.
I will definitely make a video on that topic soon. Hope you learned something interesting, happy circumventing!
@endermanch
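As an added check for your own lab, here is a small Python script (example code of my own, not part of the post or of hzqst's project) that parses a .vmx file and reports which of the settings listed in parts I and II are missing or set to the wrong value, whether any drive vendorID/productID still contains the string "VMware", and whether a static ethernetN.address falls into one of the four VMware MAC prefixes from the post. The .vmx text inside it is constructed for the demo; the script compares key names case-insensitively, which is an assumption about how VMware treats them (the post itself mixes "smbios" and "SMBIOS").

```python
"""Audit a VMware .vmx file against the hardening settings from the post.

Added example, not the post's or hzqst's code. SAMPLE_BAD / SAMPLE_GOOD are
constructed inputs; the key names and MAC prefixes come from the post.
"""
import re

# Settings the post says to paste into the .vmx (key -> expected value).
EXPECTED = {
    "hypervisor.cpuid.v0": "FALSE",
    "board-id.reflectHost": "TRUE",
    "hw.model.reflectHost": "TRUE",
    "serialNumber.reflectHost": "TRUE",
    "smbios.reflectHost": "TRUE",
    "SMBIOS.noOEMStrings": "TRUE",
    "isolation.tools.getPtrLocation.disable": "TRUE",
    "isolation.tools.setPtrLocation.disable": "TRUE",
    "isolation.tools.setVersion.disable": "TRUE",
    "isolation.tools.getVersion.disable": "TRUE",
    "monitor_control.disable_directexec": "TRUE",
    "monitor_control.disable_chksimd": "TRUE",
    "monitor_control.disable_ntreloc": "TRUE",
    "monitor_control.disable_selfmod": "TRUE",
    "monitor_control.disable_reloc": "TRUE",
    "monitor_control.disable_btinout": "TRUE",
    "monitor_control.disable_btmemspace": "TRUE",
    "monitor_control.disable_btpriv": "TRUE",
    "monitor_control.disable_btseg": "TRUE",
    "monitor_control.restrict_backdoor": "TRUE",
}

# MAC prefixes the post lists as VMware-assigned.
VMWARE_OUIS = ("00:05:69", "00:0C:29", "00:1C:14", "00:50:56")

# One .vmx line: key = "value"; full-line '#' comments are skipped in parse_vmx.
_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"([^"]*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict (keys lower-cased: assumption that
    VMware treats config keys case-insensitively)."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def is_vmware_mac(mac):
    """True if the MAC (colon- or dash-separated) starts with a listed VMware OUI."""
    return mac.upper().replace("-", ":").startswith(VMWARE_OUIS)


def audit(text):
    """Return a list of findings for a .vmx file; an empty list means all checks passed."""
    s = parse_vmx(text)
    findings = []
    for key, want in EXPECTED.items():
        got = s.get(key.lower())
        if got is None:
            findings.append(f"missing: {key}")
        elif got.upper() != want:
            findings.append(f"wrong value: {key} = {got!r} (expected {want})")
    for key, val in s.items():
        # Drive names: the post says to strip "VMware" from productID/vendorID.
        if key.endswith((".productid", ".vendorid")) and "vmware" in val.lower():
            findings.append(f"VMware string in {key} = {val!r}")
        # Adapter MAC: flag a static address in one of the listed VMware ranges.
        if re.fullmatch(r"ethernet\d+\.address", key) and is_vmware_mac(val):
            findings.append(f"VMware OUI in {key} = {val}")
    return findings


# Constructed .vmx fragment with most hardening keys absent and VMware leftovers.
SAMPLE_BAD = """\
.encoding = "UTF-8"
config.version = "8"
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
scsi0:0.vendorID = "VMware"
scsi0:0.productID = "VMware Virtual S"
ethernet0.addressType = "static"
ethernet0.address = "00:0C:29:12:34:56"
"""

# Constructed .vmx fragment with every listed setting applied and renamed drives.
SAMPLE_GOOD = "\n".join(f'{k} = "{v}"' for k, v in EXPECTED.items()) + """
scsi0:0.vendorID = "Samsung"
scsi0:0.productID = "Samsung SSD"
ethernet0.addressType = "static"
ethernet0.address = "00:11:22:33:44:55"
"""

if __name__ == "__main__":
    for name, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(f"{name}: {len(audit(sample))} finding(s)")
        for f in audit(sample):
            print("  " + f)
```

Run it against your own file with `audit(open("guest.vmx").read())` (path is yours, not from the post) after pasting the settings and before installing Windows; a clean run means the .vmx side of the checklist is complete, while the in-guest steps (vmloader.sys service, registry BIOS value) are not covered by it.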
Python 3.10.1 for Windows 7
In case you're still running Windows 7, which is a great operating system, you might have noticed that developers are slowly but surely starting to drop Windows 7 compatibility for the arguably more convenient API that was introduced with Windows 8.
The project aims to bring the newest Python features back to Windows 7, which isn't a painstakingly difficult thing to do, considering that localizing and reverting the syntax-sugar API from Windows 8 to improve backwards compatibility is simply trial and error until you get the interpreter running. Patience and understanding are the key.
Nonetheless, I'm happy NulAsh spent hours' worth of elbow grease to treat us with a powerful tool whose developers weren't patient enough to hold onto Windows 7 for a little bit longer, until its official ESU end of life, which will occur on January 10th, 2023.
Download here!
Update your Windows XP computer in 2022
Do you still own an older Windows computer that you'd like to fully update, but don't want to spend your time manually searching for the packages?
You can get the free robust update manager at https://legacyupdate.net/
That's an awesome community project that brings Windows Update back to life.
Legacy Update
Getting error 8007EFE when checking for Windows Updates on your old version of Windows? Legacy Update continues support for Windows XP, Vista, 7, 8.1, etc. where Microsoft left off.
And by the way, MERRY CHRISTMAS, my fellow subscribers!
I thought you might find this interesting. There's an entire list of such configurations on GitHub loaded with a complete paper full of mathematical explanations behind that phenomenon.
This is so stupid and useless, but I love it. It's just awesome.
⤵️ KomputerŚwiat.pl Downloading Timelapse
Taken down by YouTube on February 2nd, 2023. Likely forever. Original link: https://youtu.be/IKFhu1_2ho8
Downloading is very beneficial for your health. You must excel at downloading to succeed at life. Credit goes to PatRyk.
-- Message from PatRyk --
5 hours of pure downloading sped up into 4 minutes.
Komputer Świat was a magazine dedicated to technology. It came with DVDs which had a bunch of programs on them, as well as a code to redeem the magazines on their website. With the magazine added to your account, you could download the software featured in said magazine.
They stopped making them half a year ago - on February 1st they shut down the website. Everything would be lost if I didn't save it, so I did. In fact, this video would've been 1/4 the size if not for a friend that shared his account that had stuff from 2012 and onwards added.
I may make this into a public archive soon, if I can manage to upload 500GB to some service.
https://malwarewatch.org