New HideVM plugin #1499
Conversation
Can one of the admins verify this patch?
@drakvuf-jenkins Test this please
@drakvuf-jenkins Test this please
I like the code, only part with hardcoded responses is worth changing.
const uint8_t binThermalZoneGuid[] = {0xC0, 0x18, 0xBC, 0xA1, 0xC8, 0xA7, 0xD1, 0x11, 0xBF, 0x3C, 0x00, 0xA0, 0xC9, 0x06, 0x29, 0x10};
const uint8_t WMI_data[] = {0xD4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x45, 0xCA, 0x73, 0x47, 0xBB, 0xC9, 0xD7, 0x01, 0xC0, 0x18, 0xBC, 0xA1, 0xC8, 0xA7, 0xD1, 0x11,
0xBF, 0x3C, 0x00, 0xA0, 0xC9, 0x06, 0x29, 0x10, 0x00, 0x00, 0x00, 0x00, 0x81, 0x00, 0x01, 0x00,
0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x94, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
0x4C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28, 0x0C, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x94, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x98, 0x00, 0x00, 0x00, 0x30, 0x00, 0x41, 0x00, 0x43, 0x00, 0x50, 0x00,
0x49, 0x00, 0x5C, 0x00, 0x54, 0x00, 0x68, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6D, 0x00, 0x61, 0x00,
0x6C, 0x00, 0x5A, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x5C, 0x00, 0x54, 0x00, 0x48, 0x00,
0x52, 0x00, 0x4D, 0x00, 0x5F, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
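Review bot: every byte of WMI_data is a compile-time constant, so the spoofed MSAcpi_ThermalZoneTemperature answer is a fixed fingerprint rather than a plausible live reading: the eight bytes 0x45, 0xCA, 0x73, 0x47, 0xBB, 0xC9, 0xD7, 0x01 at offset 16 form one fixed 64-bit value that reads as a FILETIME from late 2021 and will never match the guest clock, the words 0x28, 0x0C and 0x94, 0x0E are identical on every query, and the UTF-16 instance path ACPI\ThermalZone\THRM_0 is the same on every analyzed VM. Suggest assembling the response at runtime instead: fill the timestamp from the guest's current time, vary the numeric fields within a plausible range per query, and make the instance name configurable. Also, the 16 bytes at offset 24 are binThermalZoneGuid repeated verbatim, so the buffer can be built from that constant rather than duplicating it, which removes one place for the two copies to drift apart.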
fingerprintable af
@drakvuf-jenkins Test this please
@blsvntn once review comments are resolved we are good to merge
@tklengyel I already use this plugin and I think this PR is good enough to merge.
Sgtm
Hello! This plugin is designed to improve stealth of Windows VM while analyzing malware.
KUSER_SHARED_DATA.TickCount and KUSER_SHARED_DATA.TickCountMultiplier fields;
IWbemServices::ExecQuery to spoof WQL-queries to WMI objects that aren't present on VM. Name of the requested object is overwritten to Win32_BIOS which is always present. It is done to bypass checks like in al-khaser project (https://github.com/LordNoteworthy/al-khaser/blob/06399c26a488c1bbdea29fe2023cf5360b640bb7/al-khaser/AntiVM/Generic.cpp#L1673), where MSAcpi_ThermalZoneTemperature object is requested to check current temperature.
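The two halves of the mechanism described above, as an added example that is not code from the PR or from DRAKVUF: a model of the ExecQuery hook that rewrites the class name of a WQL query for an object absent on the VM to Win32_BIOS, and a decoder that pulls the constant fields (timestamp, GUID, instance name) out of the reviewed WMI_data buffer to show what a canned response exposes to an analyst. The spoofed-class set, the BSTR handling and the WNODE_HEADER-style offsets used to read the buffer are my assumptions and my reading of the posted bytes, not something the PR states.

```python
"""Added example (not the PR's or DRAKVUF's code): WQL class-name rewriting
as described in the PR text, plus a decoder for the constant fields of the
reviewed WMI_data buffer. Layout offsets are my interpretation of the bytes."""
import re
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Assumption: an illustrative set; the plugin's real list is not on the page.
# Stored lower-case because WQL class names are case-insensitive.
SPOOFED_CLASSES = {"msacpi_thermalzonetemperature"}
REPLACEMENT_CLASS = "Win32_BIOS"

# Only the class named after FROM matters; WHERE clauses are left alone.
_FROM_RE = re.compile(r"\bFROM\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def rewrite_wql(query):
    """Return (rewritten_query, original_class). original_class is None when
    the query targets a class that is not spoofed and is left untouched."""
    m = _FROM_RE.search(query)
    if not m or m.group(1).lower() not in SPOOFED_CLASSES:
        return query, None
    start, end = m.span(1)
    return query[:start] + REPLACEMENT_CLASS + query[end:], m.group(1)


def rewrite_wql_in_place(bstr_chars):
    """Rewrite the UTF-16LE character data of an ExecQuery BSTR argument
    without changing its size. A BSTR carries an explicit byte length, so an
    in-memory hook cannot shrink the string; the tail is padded with spaces,
    which WQL ignores, rather than NULs, which would stay part of the text."""
    text = bstr_chars.decode("utf-16-le")
    new_text, _ = rewrite_wql(text)
    out = new_text.ljust(len(text)).encode("utf-16-le")
    if len(out) != len(bstr_chars):
        # Only possible if the replacement class name is longer than the original.
        raise ValueError("rewritten query does not fit in the original BSTR")
    return out


# The reviewed WMI_data constant from the PR, byte for byte (216 bytes).
WMI_DATA = bytes.fromhex(
    "D4000000000000000000000000000000"
    "45CA7347BBC9D701C018BCA1C8A7D111"
    "BF3C00A0C90629100000000081000100"
    "48000000010000009400000048000000"
    "4C000000000000000D00000000000000"
    "000000000000000000000000280C0000"
    "00000000940E00000000000000000000"
    "00000000000000000000000000000000"
    "00000000000000000000000000000000"
    "00000000980000003000410043005000"
    "49005C0054006800650072006D006100"
    "6C005A006F006E0065005C0054004800"
    "52004D005F0030000000000000000000"
    "0000000000000000"
)

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def describe_fixed_response(blob):
    """Extract the fields of the canned response that never change between
    queries or between VMs. Offsets (my interpretation of the posted bytes):
    BufferSize at 0, a 64-bit FILETIME at 16, the GUID at 24, and at 56 an
    offset to a table whose first entry points at a length-prefixed UTF-16
    instance name."""
    declared_size = struct.unpack_from("<I", blob, 0)[0]
    filetime = struct.unpack_from("<Q", blob, 16)[0]
    timestamp = _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    guid = uuid.UUID(bytes_le=blob[24:40])
    name_table = struct.unpack_from("<I", blob, 56)[0]
    name_off = struct.unpack_from("<I", blob, name_table)[0]
    name_len = struct.unpack_from("<H", blob, name_off)[0]
    raw_name = blob[name_off + 2 : name_off + 2 + name_len]
    return {
        "declared_size": declared_size,
        "actual_size": len(blob),
        "timestamp": timestamp,
        "guid": str(guid),
        "instance_name": raw_name.decode("utf-16-le").rstrip("\x00"),
    }


if __name__ == "__main__":
    print(rewrite_wql("SELECT * FROM MSAcpi_ThermalZoneTemperature"))
    for key, value in describe_fixed_response(WMI_DATA).items():
        print(f"{key}: {value}")
```

Running the decoder on the posted buffer shows why the reviewer called it fingerprintable: the timestamp decodes to a single fixed date in 2021, the GUID is the same bytes as binThermalZoneGuid, and the instance path is ACPI\ThermalZone\THRM_0 on every VM; a sandbox that wants this check to pass should generate those fields per query rather than ship them as constants.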