Emulating Virtual Environment to stay protected against advanced malware
FakeApp2
bin/Release
obj/Release
README.md
RocProtect.cbp
RocProtect.depend
RocProtect.layout
RunDirectory.h
RunFile.h
RunMac.h
RunProcess.h
RunRegistry.h
main.cpp
ressources.rc
unprotect.ico


RocProtect

Malware is sometimes able to detect a virtual environment in order to avoid analysis and detection. RocProtect is a quick and dirty POC that simulates virtual machine artifacts on a physical machine.

It will create the following on a machine:

  • Fake registry keys of VMware/VirtualBox/QEMU
  • Fake processes (VmwareTray.exe, VboxService.exe, wireshark.exe...)
  • Fake directories (Wine, Vmware Tools, VirtualBox Tools...)
  • Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys...)
  • Fake MAC address related to VMware or VirtualBox
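
The MAC address item works because the first three bytes of a MAC (the OUI) identify the adapter vendor. The following is an added example, not RocProtect's own code: the function names are hypothetical and the OUI table lists the public IEEE assignments for VMware and VirtualBox. It builds a decoy address and confirms that an OUI lookup attributes it to the chosen vendor.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <cstdio>
#include <optional>
#include <random>
#include <string>

// Public IEEE OUI prefixes registered to hypervisor vendors (not taken from RocProtect).
struct Oui { std::array<unsigned char, 3> prefix; const char* vendor; };
static const Oui kVmOuis[] = {
    {{0x00, 0x05, 0x69}, "VMware"}, {{0x00, 0x0C, 0x29}, "VMware"},
    {{0x00, 0x1C, 0x14}, "VMware"}, {{0x00, 0x50, 0x56}, "VMware"},
    {{0x08, 0x00, 0x27}, "VirtualBox"},
};

// Parse "AA:BB:CC:DD:EE:FF" or "AA-BB-CC-DD-EE-FF"; nullopt if malformed.
std::optional<std::array<unsigned char, 6>> parse_mac(const std::string& s) {
    if (s.size() != 17) return std::nullopt;
    std::array<unsigned char, 6> mac{};
    for (size_t i = 0; i < 6; ++i) {
        const unsigned char hi = s[3 * i], lo = s[3 * i + 1], sep = i < 5 ? s[3 * i + 2] : ':';
        if (!std::isxdigit(hi) || !std::isxdigit(lo)) return std::nullopt;
        if (sep != ':' && sep != '-') return std::nullopt;
        mac[i] = static_cast<unsigned char>(std::stoi(s.substr(3 * i, 2), nullptr, 16));
    }
    return mac;
}

// Vendor an OUI-based VM check would report for this MAC; "" if none or malformed.
std::string vm_vendor(const std::string& text) {
    const auto mac = parse_mac(text);
    for (const Oui& o : kVmOuis)
        if (mac && std::equal(o.prefix.begin(), o.prefix.end(), mac->begin())) return o.vendor;
    return "";
}

// Decoy MAC: first OUI listed for `vendor` plus three random NIC bytes; "" if vendor unknown.
std::string make_decoy_mac(const std::string& vendor, std::mt19937& rng) {
    for (const Oui& o : kVmOuis) {
        if (vendor != o.vendor) continue;
        char buf[18];
        std::snprintf(buf, sizeof buf, "%02X:%02X:%02X:%02X:%02X:%02X", o.prefix[0], o.prefix[1],
                      o.prefix[2], unsigned(rng() & 0xFF), unsigned(rng() & 0xFF), unsigned(rng() & 0xFF));
        return buf;
    }
    return "";
}
```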