diff --git a/README.md b/README.md
index 9e82745..20d26d6 100644
--- a/README.md
+++ b/README.md
@@ -23,14 +23,17 @@ When you run the script, the output will be:
 4) Move the batch script to the newly installed guest.
 5) Run the batch script inside the guest. Remember that the settings that gets modified are reverted after each reboot. So make it auto run if needed.
-
-
 You can use the script to prepare not only your cuckoo guests, but any vm that you need to make vm detection harder on.
 Before you apply the batch script inside the guest, please disable UAC otherwise you will not be able to modify the registry with the script
 Virtualbox 5 users should stick to using the Legacy and Hyper-V Paravirtualization interfaces for now (System -> Acceleration).
+#Version History:
+
+< 0.1.0 No version history kept, need to start somewhere I guess ..
+0.1.0 Resolved the WMI detection make famous by the HT. Added DevManView.exe (your choice of architecture) to the prerequisites.
+
 /Mikael
 Feedback is always welcome!
diff --git a/antivmdetect.py b/antivmdetect.py
index 5ee1290..fa896a9 100644
--- a/antivmdetect.py
+++ b/antivmdetect.py
@@ -12,10 +12,11 @@ import uuid
 import re
 import time
+import StringIO
 # Check dependencies
-if not (os.path.exists("/usr/bin/cd-drive")) or not (os.path.exists("/usr/bin/acpidump")) or not (os.path.exists("/usr/share/python-dmidecode")):
- print '[WARNING] Dependencies are missing, please verify that you have installed: cd-drive, acpidump and python-dmidecode'
+if not (os.path.exists("/usr/bin/cd-drive")) or not (os.path.exists("/usr/bin/acpidump")) or not (os.path.exists("/usr/share/python-dmidecode")) or not (os.path.exists("DevManView.exe")):
+ print '[WARNING] Dependencies are missing, please verify that you have installed: cd-drive, acpidump and python-dmidecode and a copy of DevManView.exe in the path of this script'
 exit()
 # Welcome
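Review bot: The new `os.path.exists("DevManView.exe")` test resolves against the current working directory, while the message it prints tells the user to put the file "in the path of this script", so running antivmdetect.py from any other directory fails the check even when the binary sits beside it; the `open("DevManView.exe", "rb")` in the second hunk reads the same CWD-relative path. Resolve it once next to the script, `devmanview = os.path.join(os.path.dirname(os.path.abspath(__file__)), "DevManView.exe")`, and use `devmanview` in both the check and the `open()`. `import StringIO` (and `data.encode("base64")` in the second hunk) ties the script to Python 2, which matches the file's print statements but is worth stating alongside the new DevManView.exe prerequisite in the README.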
@@ -404,8 +405,18 @@ def serial_randomize(start=0, string_length=10):
 machineGuid = str(uuid.uuid4())
 logfile.write('@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d "' + machineGuid + '" /f\r\n')
-# Prevent WMI identification
-# logfile.write('@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay /v Start /t REG_MULTI_SZ /d "4" /f\r\n')
+# Requires a copy of the DevManView.exe for the target architecture (http://www.nirsoft.net/utils/device_manager_view.html)
+with open("DevManView.exe", "rb") as file:
+ data = file.read()
+
+logfile.write('(')
+s = StringIO.StringIO(data.encode("base64"))
+for line in s:
+ logfile.write('echo ' + line)
+logfile.write(')>fernweh.tmp\r\n')
+logfile.write('@certutil -decode fernweh.tmp "DevManView.exe"\r\n')
+logfile.write('@DevManView.exe /uninstall "PCI\VEN_80EE&DEV_CAFE"* /use_wildcard\r\n')
+logfile.write('@del DevManView.exe fernweh.tmp\r\n')
 logfile.close()
 print '[*] Finished: A Windows batch file has been created named:', file_name
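Review bot: The bytes read from DevManView.exe are embedded into the batch file and later decoded and executed in the guest without any record of what was embedded, so the operator has no way to confirm that the copy picked up from disk matches the vendor's published binary; printing `hashlib.sha256(data).hexdigest()` before encoding gives them that check (add `import hashlib` next to `import StringIO` in the first hunk). Separately, `data.encode("base64")` produces LF-terminated lines and `logfile.write('echo ' + line)` passes them through unchanged, so the echo block is the only part of the batch file without the `\r\n` endings written everywhere else; iterating `splitlines()` and appending `'\r\n'` fixes that and removes the need for `StringIO`. The `with open(...) as file:` target shadows the Python 2 builtin `file`; a name like `exe` avoids it. The scope these lines belong to begins before the hunk, so the header's serial_randomize context should not be taken as their enclosing function.
```python
with open("DevManView.exe", "rb") as exe:
    data = exe.read()
# Record what is being embedded so the operator can compare it with the vendor's published digest.
print '[*] Embedding DevManView.exe, sha256:', hashlib.sha256(data).hexdigest()

logfile.write('(')
# encode("base64") yields LF-terminated lines; re-terminate with CRLF like the rest of the batch file.
for line in data.encode("base64").splitlines():
    logfile.write('echo ' + line + '\r\n')
logfile.write(')>fernweh.tmp\r\n')
# ... unchanged: certutil -decode, DevManView.exe /uninstall and del lines ...
```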