[Question] Are there possibilities to spoof ALL CIM-WMI values to bypass detection?
I saw someone who, with the help of a PowerShell script, was able to spoof at least some values, but not 100%, so I was curious to know if there are any possibilities to spoof ALL CIM-WMI checks that are performed by this project?
The cim_ classes are base classes that, when queried, just return instances of their derived classes; for example, selecting from cim_coolingdevice will return instances of win32_fan.
The trick is to hook IWbemServices::ExecQuery, ExecQueryAsync, CreateInstanceEnum, and CreateInstanceEnumAsync and then inject fake instances. These are created by using IWbemServices::GetObject("classname"), where classname is the true derived class being returned (e.g. win32_fan, even if they select cim_coolingdevice), then using classObject->SpawnInstance to create fake instances of that class, calling instance->Put() to fill its members with fake data, and then returning that from the query.
Good luck