# VMwareHardenedLoader
VMware Hardened VM detection mitigation loader
Currently only Windows (Vista through Windows 10) x64 guests are supported.
It keeps a VMware guest from being detected by the anti-VM checks of VMProtect 3.2, Safengine and Themida.
## What it does
The VmLoader driver patches the system firmware table (the SMBIOS data that Windows returns through `GetSystemFirmwareTable`) at runtime, removing detectable signatures such as "VMware", "Virtual" and "VMWARE" so that anti-VM checks that read the table no longer find them.
## Build
Visual Studio 2015 / 2017 and [Windows Driver Kit 10](https://docs.microsoft.com/zh-cn/windows-hardware/drivers/download-the-wdk) are required.
Open VmLoader.sln with Visual Studio 2015 / 2017
Build VmLoader as x64/Release (there is no x86 build for now).
Remember to test-sign `bin/vmloader.sys` if you intend to load it with test signing enabled; an unsigned driver will not load.
# Installation
## Warning
Do not install VMware Tools in the guest: it will undo everything, since its drivers and services are exactly what anti-VM checks look for.
Use TeamViewer, AnyDesk, mstsc (Remote Desktop) or a VNC viewer for remote access instead.
## 1st Step: Add the following settings to the .vmx file (with the VM powered off)
```
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
```
If your system drive is a SCSI virtual disk in the first slot (scsi0:0), also add the following so the disk does not report VMware's default vendor and product strings:
```
scsi0:0.productID = "Whatever you want"
scsi0:0.vendorID = "Whatever you want"
```
I use
```
scsi0:0.productID = "Tencent SSD"
scsi0:0.vendorID = "Tencent"
```
## 2nd Step: Modify the MAC address
Change the guest's MAC address to anything whose first three bytes (the OUI) are not one of the VMware prefixes below. Anti-VM checks compare the OUI against a list like this one:
```
TCHAR *szMac[][2] = {
    { _T("\x00\x05\x69"), _T("00:05:69") }, // VMWare, Inc.
    { _T("\x00\x0C\x29"), _T("00:0c:29") }, // VMWare, Inc.
    { _T("\x00\x1C\x14"), _T("00:1C:14") }, // VMWare, Inc.
    { _T("\x00\x50\x56"), _T("00:50:56") }, // VMWare, Inc.
};
```
![mac](https://github.com/hzqst/VmwareHardenedLoader/raw/master/img/4.png)
Alternatively, set the address in the .vmx file instead of the VMware GUI:
```
ethernet0.address = "Some random mac address"
```
VMware only honours a hand-set address when `ethernet0.addressType = "static"` is present (the GUI writes this for you), and some versions refuse to power on with an address outside VMware's own 00:50:56 range unless `ethernet0.checkMACAddress = "FALSE"` is set as well.
I use
```
ethernet0.address = "00:11:56:20:D2:E8"
```
## 3rd Step: Run install.bat in the guest with Administrator privileges
If starting the service fails, use DbgView to capture the kernel debug output, then open an issue with the DbgView output and your ntoskrnl.exe attached (the driver disassembles ntoskrnl to find its patch points, so the exact build matters).
If no error is reported, the driver is loaded and working.
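To verify the result rather than rely on the absence of an error message, the following C program (an added example, not part of VmwareHardenedLoader) reproduces two of the checks this README defends against: it reads the SMBIOS firmware table through `GetSystemFirmwareTable` and scans it for the "VMware"/"Virtual" signatures that VmLoader strips (see "What it does"), and it checks a MAC address against the four VMware OUIs listed in the 2nd step. The sample SMBIOS blob and the first MAC address are constructed test inputs; the second MAC is the one used in this README. Only the table fetch needs Win32; on other platforms the program runs against the constructed sample.

```c
/*
 * vmcheck.c - added guest-side self-check; example code, not part of VmwareHardenedLoader.
 * It looks for two artefacts this README tells you to remove: "VMware"/"Virtual" strings in
 * the SMBIOS firmware table (what VmLoader strips) and a VMware OUI in the MAC address
 * (the four prefixes from the README's szMac table).
 * Build: cl vmcheck.c   or   gcc -Wall -o vmcheck vmcheck.c
 * Off Windows the firmware check runs against a constructed sample blob, not a live table.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char *const kSigs[] = { "VMware", "Virtual" };   /* matched case-insensitively */
static const uint8_t kVmwareOui[][3] = {                      /* README's szMac table */
    {0x00,0x05,0x69}, {0x00,0x0C,0x29}, {0x00,0x1C,0x14}, {0x00,0x50,0x56}
};

/* Case-insensitive search of a binary blob (NULs allowed) for one ASCII signature. */
static int blob_contains_nocase(const uint8_t *buf, size_t len, const char *sig)
{
    size_t n = strlen(sig);
    for (size_t i = 0; i + n <= len; i++) {
        size_t j = 0;
        while (j < n && tolower(buf[i + j]) == tolower((unsigned char)sig[j])) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Number of distinct signatures present in the table; 0 means it looks clean. */
int count_vm_signatures(const uint8_t *buf, size_t len)
{
    int hits = 0;
    for (size_t k = 0; k < sizeof kSigs / sizeof kSigs[0]; k++)
        hits += blob_contains_nocase(buf, len, kSigs[k]);
    return hits;
}

/* Parse "aa:bb:cc:dd:ee:ff" or "aa-bb-cc-dd-ee-ff" into 6 bytes; 0 on success, -1 on bad input. */
int parse_mac(const char *s, uint8_t out[6])
{
    for (int i = 0; i < 6; i++) {
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1])) return -1;
        char hex[3] = { s[0], s[1], 0 };
        out[i] = (uint8_t)strtoul(hex, NULL, 16);
        s += 2;
        if (i < 5) { if (*s != ':' && *s != '-') return -1; s++; }
    }
    return *s == '\0' ? 0 : -1;
}

/* 1 if the OUI is VMware's, 0 if not, -1 if the string is not a MAC address. */
int mac_is_vmware(const char *mac)
{
    uint8_t b[6];
    if (parse_mac(mac, b) != 0) return -1;
    for (size_t k = 0; k < sizeof kVmwareOui / sizeof kVmwareOui[0]; k++)
        if (memcmp(b, kVmwareOui[k], 3) == 0) return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
/* Read the raw SMBIOS table exactly as a user-mode anti-VM check does. */
static uint8_t *fetch_smbios(size_t *len)
{
    UINT n = GetSystemFirmwareTable('RSMB', 0, NULL, 0);
    uint8_t *buf = n ? malloc(n) : NULL;
    if (buf && GetSystemFirmwareTable('RSMB', 0, buf, n) == n) { *len = n; return buf; }
    free(buf);
    return NULL;
}
#endif

int main(void)
{
    /* Constructed stand-in for an unpatched SMBIOS dump; not captured from a real guest. */
    static const uint8_t sample[] = "Manufacturer\0VMware, Inc.\0Product\0VMware Virtual Platform\0";
    const uint8_t *blob = sample;
    size_t len = sizeof sample;
#ifdef _WIN32
    uint8_t *live = fetch_smbios(&len);
    if (live) blob = live;
#endif
    int hits = count_vm_signatures(blob, len);
    printf("firmware table: %s (%d signature(s))\n", hits ? "DETECTABLE" : "clean", hits);
    const char *macs[] = { "00:0C:29:12:34:56", "00:11:56:20:D2:E8" };   /* second is the README's */
    for (int i = 0; i < 2; i++)
        printf("mac %s: %s\n", macs[i], mac_is_vmware(macs[i]) == 1 ? "VMware OUI" : "ok");
    return 0;
}
```

Run it in the guest before and after install.bat: the firmware-table line should go from "DETECTABLE" to "clean". Zero signatures does not by itself prove the guest is undetectable (packers also probe the CPUID hypervisor bit and the backdoor I/O port, which the .vmx settings above cover, and the TODO below lists the DXGI adapter name), but a non-zero count means step 3 did not take effect.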
## Showcase
A Windows 8.1 x64 VMware guest running a VMProtect 3.2-packed program with the anti-VM option enabled:
![before](https://github.com/hzqst/VmwareHardenedLoader/raw/master/img/1.png)
![sigs](https://github.com/hzqst/VmwareHardenedLoader/raw/master/img/2.png)
![after](https://github.com/hzqst/VmwareHardenedLoader/raw/master/img/3.png)
## License
This software is released under the MIT License, see LICENSE.
Some utility procedures are taken from https://github.com/tandasat/HyperPlatform.
https://github.com/aquynh/capstone is used to disassemble ntoskrnl code.
## TODO
The VMware virtual graphics adapter can still be identified by querying the DXGI interface; this could be mitigated by editing the graphics driver files.