Hello everyone, Enderman here. This is the first post on this channel. I'll think of something more interesting to post later on.
https://malwarewatch.org
Malware collection, analysis and preservation.
🧪 Beyond the limitations of the Virtual Environment I
It doesn't matter if you're an amateur malware tester or a professional cyber-sec expert, you've surely had a problem where a sample just wouldn't run on your virtual environment, be it a Sandbox or a Virtual Machine. Regardless of your struggle, there exists a common technique used to detect any suspicious environment, and it allows developers to filter the hardware their applications can run on, be it for malicious or defensive purposes. It's commonly called an Anti-VM, and there are various proprietary and open-source solutions (e.g. VMProtect, Safengine) providing a wide range of application protection utilities.
Despite all the expense developers go to in securing their applications, the Anti-VM mechanisms are very predictable and relatively easy to bypass. Their weakest point is the fact that a virtual environment isn't so much different from a real one. The only potentially fruitful ways to detect a virtual environment are hardware signatures and drivers for that specific set of hardware. Some cheeky paid tools go as far as searching for generic patterns and strings in the local network, or known VM files in your system directory, but such checks are far more strict and can't ever warrant a Virtual Machine on the other end.
I will not get into the technical side of things in this post, and we don't really need it to bypass basic Anti-VM checks and evade even some of the paid solutions out there. Essentially, we will be cooking up an Anti-Anti-VM environment to trick pesky programs into running without the need for real hardware.
The cornerstone of that endeavor will be the VMware Hardened Loader by hzqst. As the name suggests, you will need a VMware machine to pull this off. I'll boil down the tutorial to a few simple steps down below. You can find the original text in the readme file attached in the repository.
▪️ Create a virtual machine with a SCSI hard disk
▪️ Replace all the optical drives with SCSI ones
💻 Paste the following settings inside the .vmx file of your newly created VM:
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
They will minimize the hardware signature presence inside your VM.
Now you want to rename virtual drives to remove VMware from their name:
scsi0:0.productID = "Samsung SSD"
scsi0:0.vendorID = "Samsung"
scsi0:X.productID = "Matshita DVD-RAM" // X is the DVD slot
scsi0:X.vendorID = "Matshita"
The rest of the steps are in the next post.
🧪 Beyond the limitations of the Virtual Environment II
💻 Open NAT settings, click Advanced and modify the MAC address. The MAC address cannot start with the following sequences (they signify VMware):
00:05:69
00:0C:29
00:1C:14
00:50:56
▪️ Install any 64-bit Windows version starting from Vista on the VM.
▪️ DO NOT INSTALL VMWARE TOOLS; that defeats the purpose of this project.
▪️ Use ISO files and your virtual SCSI optical drive to transfer data between the host and guest. Despite the inconvenience and added hassle, it adds another layer of isolation, which is always good when you're working with malware.
▪️ Download the repository and transfer the 3 files from the bin folder to your VM. Place vmloader.sys inside the root of the C:\ drive and open install.bat with administrator rights. It will install the virtual signature remover as a service on your virtual system.
▪️ Reboot your machine. Last, but not least, open the registry editor and search for "VMware". You may find lots of values referring to VMware, but the only one that can actually trigger the Anti-VM mechanism is the BIOS Information, or something along these lines. If you do find it, go ahead and change the value to American Megatrends or anything else that comes to your mind first.
Once you've completed all the steps listed here, you should be golden. Now that your virtual machine is tweaked accordingly, the apps with Anti-VM integrated should run perfectly fine, as if it were real hardware.
I will definitely make a video on that topic soon. Hope you learned something interesting, happy circumventing!
@endermanch
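As an added example (not part of either post and not code from the VMware Hardened Loader project), here is a small audit script an analyst can run against a .vmx file before trusting the box: it confirms the keys from part I are present with the listed values, that every SCSI device has a vendor/product name set that no longer mentions VMware, and that the NIC MAC address does not begin with one of the four prefixes listed in part II. The sample .vmx text is constructed for the demonstration; the `ethernetN.address` / `ethernetN.generatedAddress` key names and the case-insensitive treatment of keys are assumptions made here, not something the posts state.

```python
"""Audit a VMware .vmx against the Anti-Anti-VM settings listed in the posts.

Added example; the sample .vmx below is constructed, not a real machine's file.
"""
import re

# Keys and values copied from part I of the post.
EXPECTED = {
    "hypervisor.cpuid.v0": "FALSE",
    "board-id.reflectHost": "TRUE",
    "hw.model.reflectHost": "TRUE",
    "serialNumber.reflectHost": "TRUE",
    "smbios.reflectHost": "TRUE",
    "SMBIOS.noOEMStrings": "TRUE",
    "isolation.tools.getPtrLocation.disable": "TRUE",
    "isolation.tools.setPtrLocation.disable": "TRUE",
    "isolation.tools.setVersion.disable": "TRUE",
    "isolation.tools.getVersion.disable": "TRUE",
    "monitor_control.disable_directexec": "TRUE",
    "monitor_control.disable_chksimd": "TRUE",
    "monitor_control.disable_ntreloc": "TRUE",
    "monitor_control.disable_selfmod": "TRUE",
    "monitor_control.disable_reloc": "TRUE",
    "monitor_control.disable_btinout": "TRUE",
    "monitor_control.disable_btmemspace": "TRUE",
    "monitor_control.disable_btpriv": "TRUE",
    "monitor_control.disable_btseg": "TRUE",
    "monitor_control.restrict_backdoor": "TRUE",
}

# MAC prefixes part II lists as signifying VMware.
VMWARE_MAC_PREFIXES = ("00:05:69", "00:0C:29", "00:1C:14", "00:50:56")

# Constructed sample: a VM where the recipe was only half applied.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "analysis-box"
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "FALSE"
monitor_control.disable_directexec = "TRUE"
scsi0:0.productID = "Samsung SSD"
scsi0:0.vendorID = "Samsung"
scsi0:1.deviceType = "cdrom-image"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0C:29:3A:5B:7C"
"""

_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are lower-cased (assumption:
    VMware treats them case-insensitively, and the post mixes smbios./SMBIOS.)."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def missing_hardening(settings):
    """(key, expected, actual) for each listed key that is absent or wrong."""
    problems = []
    for key, want in EXPECTED.items():
        actual = settings.get(key.lower())
        if actual is None or actual.upper() != want:
            problems.append((key, want, actual))
    return problems


def unrenamed_scsi_devices(settings):
    """SCSI devices (scsiN:M) whose vendorID/productID are unset or still say VMware."""
    devices = set()
    for key in settings:
        m = re.match(r"(scsi\d+:\d+)\.", key)
        if m:
            devices.add(m.group(1))
    bad = []
    for dev in sorted(devices):
        vendor = settings.get(f"{dev}.vendorid", "")
        product = settings.get(f"{dev}.productid", "")
        if not vendor or not product or "vmware" in (vendor + product).lower():
            bad.append(dev)
    return bad


def vmware_macs(settings):
    """MACs on any ethernetN device that begin with a listed VMware prefix
    (ethernetN.address / generatedAddress key names are assumed here)."""
    hits = []
    for key, value in settings.items():
        if re.match(r"ethernet\d+\.(address|generatedaddress)$", key):
            if value.upper().startswith(VMWARE_MAC_PREFIXES):
                hits.append(value)
    return sorted(hits)


def audit(text):
    """Run all three checks and return the findings."""
    s = parse_vmx(text)
    return {
        "missing_hardening": missing_hardening(s),
        "unrenamed_scsi": unrenamed_scsi_devices(s),
        "vmware_macs": vmware_macs(s),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VMX)
    for key, want, actual in report["missing_hardening"]:
        print(f"{key}: expected {want}, found {actual}")
    for dev in report["unrenamed_scsi"]:
        print(f"{dev}: vendorID/productID not renamed")
    for mac in report["vmware_macs"]:
        print(f"{mac}: MAC still starts with a VMware prefix")
```

Run it against the constructed sample and it reports nine listed keys that are missing entirely, one (`isolation.tools.getVersion.disable`) set to the wrong value, the optical drive `scsi0:1` that was never renamed, and a generated MAC that still begins with `00:0C:29`. Point `audit()` at the contents of a real .vmx instead of `SAMPLE_VMX` to check your own machine before booting a sample in it.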
Python 3.10.1 for Windows 7
In case you're still running Windows 7, which is a great operating system, you might have noticed that developers are slowly but surely starting to drop Windows 7 compatibility in favour of the arguably more convenient API that was introduced with Windows 8.
The project aims to bring the newest Python features back to Windows 7, which isn't a painstakingly difficult thing to do, considering that localizing and reverting the syntax-sugar API from Windows 8 to improve backwards compatibility is simply trial and error until you get the interpreter running. Patience and understanding are key.
Nonetheless, I'm happy NulAsh spent hours' worth of elbow grease to treat us with a powerful tool whose developers weren't patient enough to hold onto Windows 7 for a little bit longer, until its official ESU end of life, which will occur on January 10th, 2023.
Download here!
420 subscribers
Update your Windows XP computer in 2022
Do you still own an older Windows computer that you'd like to fully update, but don't want to spend your time manually searching for the packages?
You can get the free robust update manager at https://legacyupdate.net/
That's an awesome community project that brings Windows Update back to life.
Legacy Update
Getting error 8007EFE when checking for Windows Updates on your old version of Windows? Legacy Update continues support for Windows XP, Vista, 7, 8.1, etc. where Microsoft left off.
And by the way, MERRY CHRISTMAS, my fellow subscribers!