Detection evasion and deception features

Open adricnet opened this issue 8 years ago • 3 comments

From a comment by @Svieg in #22, here's a collection of resources to discuss vm detection and anti-analysis features/concerns for malboxes. Perhaps a feature branch or break out a test profile for these ideas?

Refs:

  • http://www.securityweek.com/dyre-banking-trojan-counts-processor-cores-detect-sandboxes
  • http://unprotect.tdgt.org/index.php/Cheat_Sheets
  • http://vmcloak.readthedocs.io/en/latest/hwconfig.html#hwconfig-create

VMCloak is GPL3 and Python2, so maybe there's some code there that can be called or used?

hth, adricnet

adricnet avatar Jan 05 '17 15:01 adricnet

VM detection evasion is planned. There were references already in the TODO.adoc file at the root of the repository. I added your references to it. Thanks!

If you feel up to the task, go ahead and do it. I'll test your stuff and help you. However, implementing it on my own is not on my short-list of things I want to do with malboxes right now.

If you want some advice, I would start by running paranoid fish in a built Windows 7 VM and make changes to fix the issues outlined by that tool. Non-intrusive changes should go in the main profiles. Intrusive changes should be made in a different profile (ie: win10_32_analyst_paranoid).

Also, uninstalling stuff like chocolatey and guest tools in a post-setup step would also be something I would consider doing.

obilodeau avatar Jan 07 '17 17:01 obilodeau
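As an added example (not code from the malboxes project or from anyone in this thread), here is a PowerShell self-audit that runs inside a freshly built Windows analysis VM and reports a few of the same artifacts a pafish-style tool would flag: the single-core heuristic from the Dyre reference, the hypervisor model string, leftover guest-tools services, and the Chocolatey install directory mentioned above. The service names, the Chocolatey path and the thresholds are assumptions chosen for illustration; each finding is an item to address in a separate "paranoid" profile rather than in the main profiles.

```powershell
# Added example, not part of malboxes: audit a built Windows VM for common
# sandbox giveaways before deciding what belongs in a paranoid profile.
# Get-WmiObject is used instead of Get-CimInstance so it also works on the
# PowerShell 2.0 that ships with Windows 7.

function Get-SandboxArtifacts {
    $findings = @()
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # Dyre-style check: a single logical CPU is a classic sandbox indicator.
    if ($cs.NumberOfLogicalProcessors -lt 2) {
        $findings += "Only $($cs.NumberOfLogicalProcessors) logical CPU; give the VM at least 2 vCPUs"
    }

    # Small RAM is another common heuristic (2 GB threshold is an assumption).
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    if ($ramGB -lt 2) {
        $findings += "Only $ramGB GB RAM; consider 2 GB or more"
    }

    # The WMI model string often names the hypervisor outright.
    if ($cs.Model -match 'VirtualBox|Virtual Machine|VMware') {
        $findings += "Win32_ComputerSystem.Model reveals the hypervisor: '$($cs.Model)'"
    }

    # Guest tools services left behind by provisioning (VirtualBox / VMware).
    foreach ($svc in 'VBoxService', 'VMTools') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            $findings += "Guest tools service '$svc' is present; uninstall it in a post-setup step"
        }
    }

    # Provisioning leftovers such as the Chocolatey install directory.
    $choco = Join-Path $env:ProgramData 'chocolatey'
    if (Test-Path $choco) {
        $findings += "Chocolatey directory '$choco' is present; remove it after provisioning"
    }

    return $findings
}

$results = @(Get-SandboxArtifacts)
if ($results.Count -eq 0) {
    Write-Output 'No obvious sandbox artifacts found by these checks.'
} else {
    Write-Output "Found $($results.Count) item(s) to address in the paranoid profile:"
    $results | ForEach-Object { Write-Output " - $_" }
}
```

Run it from an elevated PowerShell prompt in the guest after the base profile has been built; the list it prints is a starting point for the non-intrusive versus intrusive split described in the comment above, not a substitute for running pafish itself.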

The profiles branch is entirely for that purpose already though.

Svieg avatar Jan 07 '17 19:01 Svieg

Thank you both. I will take a look at the profiles branch (and look over the TODO file as well).

And, I do agree that detection/evasion is not a priority for me for malboxes, but perhaps someone else will be able to pick up here.

On Sat, Jan 7, 2017 at 2:26 PM, Hugo Genesse [email protected] wrote:

The profiles branch is entirely for that purpose already though.


adricnet avatar Jan 09 '17 03:01 adricnet