  • Stars: 1,216
  • Rank: 38,365 (Top 0.8 %)
  • Language: C
  • License: MIT License
  • Created about 6 years ago
  • Updated over 1 year ago

Repository Details

Vmware Hardened VM detection mitigation loader (anti anti-vm)

VMwareHardenedLoader

VMware Hardened VM detection mitigation loader

For now, only Windows (Vista through Windows 10) x64 guests are supported.

It keeps a VMware guest from being detected by the anti-VM features of VMProtect 3.2, Safengine and Themida.

What it does

The VmLoader driver patches the SystemFirmwareTable at runtime, removing all detectable signatures such as "VMware", "Virtual" and "VMWARE".

Build

Visual Studio 2015 / 2017 and Windows Driver Kit 10 are required.

Open VmLoader.sln with Visual Studio 2015 / 2017.

Build VmLoader as x64/Release. (No x86 support for now.)

Remember to test-sign "bin/vmloader.sys" if you want to load it in test-sign mode.

Installation

Warning

Do not install vmtools; it will ruin everything!

Use TeamViewer / AnyDesk / mstsc / VNC viewer instead!

1st Step: Add the following settings to the .vmx file

hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
SMBIOS.noOEMStrings = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"

If you have a SCSI virtual disk in the scsi0 slot (first slot) as your system drive, remember to add

scsi0:0.productID = "Whatever you want"
scsi0:0.vendorID = "Whatever you want"

I use

scsi0:0.productID = "Tencent SSD"
scsi0:0.vendorID = "Tencent"

2nd Step: Modify MAC address

Change the guest's MAC address to anything except the VMware OUI prefixes below:

	TCHAR *szMac[][2] = {
		{ _T("\x00\x05\x69"), _T("00:05:69") }, // VMWare, Inc.
		{ _T("\x00\x0C\x29"), _T("00:0c:29") }, // VMWare, Inc.
		{ _T("\x00\x1C\x14"), _T("00:1C:14") }, // VMWare, Inc.
		{ _T("\x00\x50\x56"), _T("00:50:56") },	// VMWare, Inc.
	};


You could add

ethernet0.address = "Some random mac address"

to the .vmx file instead of changing the MAC address in the VMware GUI.

I use

ethernet0.address = "00:11:56:20:D2:E8"

3rd Step: Run install.bat in the VM guest with Administrator privileges

If an error occurs when starting the service, use DbgView to capture the kernel debug output. You can post an issue with the DbgView output and your ntoskrnl.exe attached.

If no error occurs, then everything works fine.
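The three installation steps above amount to a checklist that an analysis-VM operator can verify before trusting a guest: the .vmx keys from step 1 must be present, and the NIC address from step 2 must not carry one of the four VMware OUIs in the table. The following C program is an added example written for this page; it is not part of VmLoader or its install.bat. It parses .vmx text (`key = "value"` lines, matched case-insensitively as VMware does), classifies a MAC against the README's OUI table, and reports what is missing. The subset of keys it insists on and the sample .vmx are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* VMware OUIs (first three MAC octets) copied from the README's table. */
static const unsigned char kVmwareOui[][3] = {
    {0x00, 0x05, 0x69}, {0x00, 0x0C, 0x29}, {0x00, 0x1C, 0x14}, {0x00, 0x50, 0x56},
};

/* Keys from step 1 that this audit insists on (a subset chosen for the example). */
static const char *kRequiredKeys[] = {
    "hypervisor.cpuid.v0", "smbios.reflectHost", "SMBIOS.noOEMStrings",
    "monitor_control.restrict_backdoor",
};

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "aa:bb:cc:dd:ee:ff" (':' or '-' separated) into six bytes; 1 on success, 0 if malformed. */
int parse_mac(const char *s, unsigned char out[6]) {
    for (int i = 0; i < 6; i++) {
        int hi = hexval(s[0]);
        int lo = hi < 0 ? -1 : hexval(s[1]);
        if (hi < 0 || lo < 0) return 0;
        out[i] = (unsigned char)((hi << 4) | lo);
        s += 2;
        if (i < 5) {
            if (*s != ':' && *s != '-') return 0;
            s++;
        }
    }
    return *s == '\0';
}

/* 1 if the MAC carries a VMware OUI, 0 if not, -1 if it cannot be parsed. */
int is_vmware_oui(const char *mac) {
    unsigned char b[6];
    if (!parse_mac(mac, b)) return -1;
    for (size_t i = 0; i < sizeof kVmwareOui / sizeof kVmwareOui[0]; i++)
        if (memcmp(b, kVmwareOui[i], 3) == 0) return 1;
    return 0;
}

/* Case-insensitive prefix match; VMware treats .vmx keys case-insensitively. */
static int key_matches(const char *line, const char *key) {
    for (; *key; line++, key++) {
        int a = *line, b = *key;
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return 1;
}

/* Find `key = "value"` in .vmx text and copy the unquoted value to out; 1 if found, else 0. */
int vmx_get(const char *vmx, const char *key, char *out, size_t n) {
    for (const char *p = vmx; p && *p;) {
        while (*p == ' ' || *p == '\t') p++;
        const char *line_end = strchr(p, '\n');
        if (key_matches(p, key)) {
            const char *q = p + strlen(key);
            while (*q == ' ' || *q == '\t') q++;
            if (*q == '=') {
                q++;
                while (*q == ' ' || *q == '\t') q++;
                if (*q == '"') {
                    q++;
                    size_t len = strcspn(q, "\"\n");  /* value ends at the closing quote on this line */
                    if (q[len] == '"' && len < n) {
                        memcpy(out, q, len);
                        out[len] = '\0';
                        return 1;
                    }
                }
            }
        }
        p = line_end ? line_end + 1 : NULL;
    }
    return 0;
}

/* Audit .vmx text against the checklist; returns the number of findings (0 = clean). */
int audit_vmx(const char *vmx, FILE *report) {
    int findings = 0;
    char val[64];
    for (size_t i = 0; i < sizeof kRequiredKeys / sizeof kRequiredKeys[0]; i++) {
        if (!vmx_get(vmx, kRequiredKeys[i], val, sizeof val)) {
            findings++;
            if (report) fprintf(report, "missing: %s\n", kRequiredKeys[i]);
        }
    }
    if (!vmx_get(vmx, "ethernet0.address", val, sizeof val)) {
        findings++;  /* step 2 requires a pinned, non-VMware MAC */
        if (report) fprintf(report, "ethernet0.address not set; MAC left to VMware's generated default\n");
    } else if (is_vmware_oui(val) != 0) {
        findings++;
        if (report) fprintf(report, "ethernet0.address %s has a VMware OUI or is malformed\n", val);
    }
    return findings;
}

/* Constructed sample: two checklist keys absent and a MAC with a VMware OUI. */
static const char kSampleVmx[] =
    "hypervisor.cpuid.v0 = \"FALSE\"\n"
    "smbios.reflectHost = \"TRUE\"\n"
    "ethernet0.address = \"00:50:56:12:34:56\"\n";

int main(void) {
    int n = audit_vmx(kSampleVmx, stdout);
    printf("%d finding(s)\n", n);  /* prints 3 */
    return n != 0;
}
```

Run it against a real .vmx by reading the file into a buffer and passing it to `audit_vmx`; a non-zero exit code makes it usable as a pre-flight check in a VM provisioning script.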

Showcase

VMware guest Windows 8.1 x64 with a VMProtect 3.2 packed program (anti-VM option enabled)

[Screenshots: before / detected signatures / after]

License

This software is released under the MIT License, see LICENSE.

Some util procedures are from https://github.com/tandasat/HyperPlatform

https://github.com/aquynh/capstone is used to disassemble ntoskrnl code.

TODO

VMware's virtual graphics card information can still be detected by querying the DXGI interface; it could be masked by editing the graphics driver files.
