
New HideVM plugin

Open blsvntn opened this issue 2 years ago • 3 comments

Hello! This plugin is designed to improve the stealth of a Windows VM while analyzing malware.

  1. It advances boot time by modifying the KUSER_SHARED_DATA.TickCount and KUSER_SHARED_DATA.TickCountMultiplier fields;
  2. Hooks IWbemServices::ExecQuery to spoof WQL queries to WMI objects that aren't present on a VM. The name of the requested object is overwritten with Win32_BIOS, which is always present. It is done to bypass checks like in the al-khaser project (https://github.com/LordNoteworthy/al-khaser/blob/06399c26a488c1bbdea29fe2023cf5360b640bb7/al-khaser/AntiVM/Generic.cpp#L1673)
  3. Hooks the NtDeviceIoControlFile syscall in 3 stages to provide fake data when the MSAcpi_ThermalZoneTemperature object is requested to check the current temperature.

blsvntn avatar Aug 12 '22 11:08 blsvntn
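The rewrite described in item 2 can be modelled outside the VM, which is useful when deciding which queries a sandbox should spoof and when auditing what a sample asked WMI for. The block below is an added example, not code from this PR or from DRAKVUF: it parses a WQL `SELECT` statement, swaps the `FROM` class for `Win32_BIOS` when the class is on a spoof list, and reports why a query was or was not rewritten. The class list is constructed (the plugin's own list is not quoted in the PR), and the decision to rewrite only `SELECT *` queries without a `WHERE` clause is this example's choice: a rewritten query whose property list or filter does not exist on `Win32_BIOS` would make WMI return an error, which is itself an observable artifact.

```python
"""Model of a HideVM-style WQL rewrite (added example, not DRAKVUF code)."""
import re
from typing import NamedTuple

# Assumption: sample WMI classes that are commonly absent on a VM, so that an
# empty result set is read as a VM indicator. The plugin's real list is not on
# the page; these names are constructed for the example.
ABSENT_ON_VM = frozenset(name.lower() for name in (
    "Win32_Fan",
    "Win32_CacheMemory",
    "Win32_VoltageProbe",
    "Win32_PortConnector",
    "CIM_Sensor",
    "CIM_TemperatureSensor",
    "MSAcpi_ThermalZoneTemperature",
))

# Win32_BIOS exists on every Windows install, so a rewritten query returns a row.
SUBSTITUTE_CLASS = "Win32_BIOS"

# Minimal WQL SELECT grammar: property list, FROM class, optional WHERE filter.
_WQL = re.compile(
    r"^\s*SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<cls>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


class Rewrite(NamedTuple):
    query: str      # query as it would be passed on to WMI
    spoofed: bool   # True when the class name was replaced
    reason: str     # human-readable explanation for the audit log


def rewrite_wql(query: str) -> Rewrite:
    """Return the query to forward to WMI and whether it was spoofed."""
    m = _WQL.match(query)
    if not m:
        return Rewrite(query, False, "not a SELECT statement; passed through")
    cls = m.group("cls")
    if cls.lower() not in ABSENT_ON_VM:
        return Rewrite(query, False, f"{cls} is not on the spoof list")
    # Only 'SELECT *' without a filter can be retargeted safely: explicit
    # properties or a WHERE clause written for the original class would not
    # validate against Win32_BIOS and WMI would return an error instead of a row.
    if m.group("fields").strip() != "*":
        return Rewrite(query, False, f"explicit property list for {cls}; left unchanged")
    if m.group("where"):
        return Rewrite(query, False, f"WHERE clause for {cls}; left unchanged")
    spoofed = query[:m.start("cls")] + SUBSTITUTE_CLASS + query[m.end("cls"):]
    return Rewrite(spoofed, True, f"{cls} rewritten to {SUBSTITUTE_CLASS}")


def summarize(queries) -> dict:
    """Audit helper: count how many observed queries would have been spoofed."""
    results = [rewrite_wql(q) for q in queries]
    return {
        "total": len(results),
        "spoofed": sum(1 for r in results if r.spoofed),
        "passed": sum(1 for r in results if not r.spoofed),
    }


if __name__ == "__main__":
    # Constructed sample of queries a sample might issue through IWbemServices::ExecQuery.
    observed = [
        "SELECT * FROM Win32_Fan",
        "select * from win32_cachememory",
        "SELECT * FROM Win32_Processor",
        "SELECT * FROM Win32_Fan WHERE Status='OK'",
        "SELECT Name FROM CIM_Sensor",
    ]
    for q in observed:
        r = rewrite_wql(q)
        print(f"{'SPOOFED' if r.spoofed else 'pass   '}  {q!r:48} -> {r.reason}")
    print(summarize(observed))
```

Running the block prints one audit line per query; only the two bare `SELECT *` queries against listed classes are retargeted, and the class-name match is case-insensitive because WMI class names are.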

Can one of the admins verify this patch?

drakvuf-jenkins avatar Aug 12 '22 11:08 drakvuf-jenkins

@drakvuf-jenkins Test this please

tklengyel avatar Aug 14 '22 01:08 tklengyel

@drakvuf-jenkins Test this please

tklengyel avatar Aug 14 '22 21:08 tklengyel

@drakvuf-jenkins Test this please

tklengyel avatar Aug 22 '22 17:08 tklengyel

@blsvntn once review comments are resolved we are good to merge

tklengyel avatar Aug 26 '22 10:08 tklengyel

@tklengyel I already use this plugin and I think this PR is good enough to merge.

disaykin avatar Sep 05 '22 21:09 disaykin

Sgtm

tklengyel avatar Sep 06 '22 12:09 tklengyel