{"id":13540366,"url":"https://github.com/nsmfoo/antivmdetection","last_synced_at":"2025-04-02T07:31:00.454Z","repository":{"id":28259689,"uuid":"31769767","full_name":"nsmfoo/antivmdetection","owner":"nsmfoo","description":"Script to create templates to use with VirtualBox to make vm detection harder","archived":false,"fork":false,"pushed_at":"2022-11-05T15:56:55.000Z","size":238,"stargazers_count":713,"open_issues_count":11,"forks_count":123,"subscribers_count":42,"default_branch":"master","last_synced_at":"2024-11-03T05:32:45.245Z","etag":null,"topics":["antivm","malware-analysis","sandbox","virtualbox"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nsmfoo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-03-06T13:11:00.000Z","updated_at":"2024-10-21T10:37:09.000Z","dependencies_parsed_at":"2023-01-14T08:30:03.003Z","dependency_job_id":null,"html_url":"https://github.com/nsmfoo/antivmdetection","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsmfoo%2Fantivmdetection","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsmfoo%2Fantivmdetection/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsmfoo%2Fantivmdetection/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nsmfoo%2Fantivmdetection/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nsmfoo","download_url":"https://codeload.github.com/nsmfoo/antivmdetection/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246774359,"owners_count":20831526,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivm","malware-analysis","sandbox","virtualbox"],"created_at":"2024-08-01T09:01:47.740Z","updated_at":"2025-04-02T07:30:55.924Z","avatar_url":"https://github.com/nsmfoo.png","language":"Python","readme":"# Antivmdetection\n\n## Background\n\nA script to help you create templates, which you can use with VirtualBox to make VM detection harder.\n\nMy first post on the subject was in 2012 and it has been updated at random times since then. The blog format might not have been the best way of publishing the information, and some people made nice and \"easy to apply\" scripts based on the content.\n\nAs a way to make it easier for me to add new content, I have decided to do the very same.\n\nThe purpose of this script is to use available settings without modifying the VirtualBox base. There are people who do really neat things by patching VirtualBox, but that is out of the scope of this script. I think this approach has some merit, as it does not (hopefully) break with every new release of VirtualBox.\nOver time I have also included \"things\" that are not directly VM related, but rather things that malware uses to fingerprint installations; I hope you don't mind.\n\nThe main script will create the following files:\n\n* One shell script, which can be used as a template, to be run from the host OS and applied to the VM that you would like to modify.\n* A dump of the DSDT, which is used in the template script above.\n* A Windows PowerShell file to be run inside the guest, to handle the settings that cannot be changed from the host. This script will have to be run twice: once for the changes that require a reboot, and a second time for the pesky things that resurface at reboot.\n\n## Usage\n\n### Generate script from host\n\n* Install dependencies: `sudo apt install python3-pip libcdio-utils acpica-tools mesa-utils smartmontools`\n* Install Python modules: `sudo pip3 install -r requirements.txt`\n* Download the following Windows binaries and extract them in the antivmdetection directory: `wget https://download.sysinternals.com/files/VolumeId.zip https://www.nirsoft.net/utils/devmanview-x64.zip` (x64 version).\n* Create computer and user text files: `hostname \u003e computer.lst`, `whoami \u003e user.lst`. Modify them if you want to use different machine names and users for the VMs (recommended: fill the files with a long list of user and computer names).\n* Run the Python script as root: `sudo python3 antivmdetect.py`\n* Make the generated host script executable for the current user: `sudo chmod a+x xxxxx.sh`\n* If you get the message \"ACPI tables bigger than 64KB (VERR_TOO_MUCH_DATA)\", this is due to a limitation in VirtualBox; for more context see this case: \u003chttps://github.com/nsmfoo/antivmdetection/issues/37\u003e. Not verified to work, but \u003chttps://www.tonymacx86.com/dsdt-database\u003e might be a good resource...\n\n### Setup VM\n\n* Create the VM but don't start it, and exit the VirtualBox GUI. The shell script needs to be run before installation!\n* Verify that \"I/O APIC\" is enabled (System \u003e Motherboard tab).\n* Verify that \"Paravirtualization Interface\" is set to \"None\" (System \u003e Acceleration tab).\n* Change the CPU count to 2 or more if possible.\n* Set the VM IP (File \u003e Host Network Manager \u003e Configure Adapter Manually \u003e IPv4 address).\n* The script expects the storage layout to look like the following:\n    * IDE: Primary master (Disk) and Primary slave (CD-ROM)\n    * ATA: Port 0 (Disk) and Port 1 (CD-ROM)\n* Run the script as the current user (because VMs are located in the current user's home dir): `/bin/bash xxxxx.sh my-virtual-machine-name`\n* Install the Windows operating system (supports W7 and W10).\n\n### Run script from inside the VM\n\n* Move the PowerShell script (xxxx.ps1) to the newly installed guest.\n* Run the script inside the guest. Remember that most of the settings that get modified are reverted after each reboot, so make it run at boot if needed.\n* As of version 0.1.4, some applied settings require a reboot. So run the script once and the guest will be rebooted. Then run the script once again to finalize the setup.\n* Before you apply the script inside the guest, please disable UAC (reboot required), otherwise you will not be able to modify the registry with the script.\n* For Windows 10 users: run the PS script as an administrator (right-click on cmd.exe -\u003e Run as administrator, navigate to the PS script and execute it).\n* If applied correctly, a Pafish run will result in this (no need to modify VirtualBox).\n\n* Please note that this script does other things that are not covered by Pafish (for example W10 artifacts).\n\n![alt text](vmdetect0.1.5.png \"VMDetect 1.5.x\")\n\n## Notes\n\n* When the antivmdetect script can't find any suitable values to use, it will comment out these settings in the newly created script with a \"#\". These need manual review, as they might have an impact on what is displayed in the VM.\n\n## Version History\n\n* 0.1.9:\n    * Python3 compatible\n    * First stab at trying to extract the correct disk, which has been a source of headaches for many (Issue #35 and a few other old issues, thanks @oaustin)\n    * Improved the string handling in the shell script (Issues #35 and #36 and PR #44, thanks @oaustin, @dashjuvi and @corownik)\n    * Added a link to an online DSDT resource (Issue #37, thanks @MasterCATZ)\n    * Updated the README to make the installation instructions clearer, thanks @jorants (Issue #38)\n    * Check if the DSDT dump is really created, thanks @nov3mb3r (Issue #42)\n    * Added a license notice, thanks @obilodeau (Issue #43)\n    * Code clean-up: removed RAID disk support due to lack of access to server hardware, and a lot of other small improvements\n\n* 0.1.8:\n    * Improved support for Windows 10\n    * Merged markup fix from @bryant1410 (PR #14)\n    * Solved an issue for people using macOS + VBox/VMware Fusion to create the templates.\n    * Creating the template from a virtual machine is not the best way regardless (Issue #12 and possibly #15)\n\n* 0.1.7:\n    * Windows 10 is now supported (feedback welcome)\n    * Several new artifacts \"corrected\" for W10 installations\n    * New dependency: mesa-utils\n    * Merged bug fix from @Fullmetal5 (#10)\n    * Misc code fixes\n    * Updated the readme\n\n* 0.1.6:\n    * Added a pop-up after the second run, to make it clearer that you are good to go\n    * Added a function that spawns a few instances of notepad; this feature will be extended in future versions\n    * Reworked the RandomDate function, thanks to @Antelox for making me aware of the issue with the old one (#8)\n    * The acpidump shipped with older versions of Ubuntu does not support the \"-s\" switch. This is now handled with an error message. Thanks to @Antelox for this issue (#7)\n    * Devmanview.exe was not removed after the second run; fixed\n\n* 0.1.5:\n    * Added support for associating and de-associating (default disabled) file extensions. Reference: \u003chttps://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight\u003e\n    * Added support for a user supplied clipboard buffer. If not present, a random string will be generated. Fill the file with honeytokens of your choice\n    * Removed XP support\n    * Converted the batch script sections to PowerShell. Moved more logic to the guest script; in short, there is less reason to create/re-generate the template often, as more items are randomized on the guest.\n    * Added a function that randomizes the Desktop background image\n    * Added a function that creates documents of \"all\" sorts on the guest\n    * Added a function that creates documents of \"all\" sorts on the guest and moves them to the recycle bin\n    * Randomizing the DigitalProductId in two more locations:\n        * HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Registration\\\\DigitalProductId\n        * HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\DefaultProductKey\\\\DigitalProductId\n    * Use Paravirtualization Interface: None (verified with VBox 5.1.4). Check updated to reflect this change. I assume this change in VBox came about thanks to TiTi87, thanks!\n\n* 0.1.4:\n    * Fixed a bug for users of python-dmidecode 3.10.13-3, this one was all me..\n    * Added a function that randomizes the VolumeID (new prerequisite: VolumeID.exe); this information is for example collected by Rovnix\n    * Added a function that randomizes the username and computername/hostname (new prerequisites: lists of usernames and computernames)\n    * First attempt to add information to the clipboard buffer; the idea (command) came from a tweet by @shanselman. Will be improved in the next release\n    * Updated the readme: new dependencies and new features that require a reboot\n\n* 0.1.3:\n    * Copy and set the CPU brand string.\n    * Check if an audio device is attached to the guest. Reference: \u003chttp://www.joesecurity.org/reports/report-61f847bcb69d0fe86ad7a4ba3f057be5.html\u003e\n    * Check OS architecture vs the DevManView binary.\n    * Randomizing the ProductId in two more locations:\n        * HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Internet Explorer\\\\Registration\\\\ProductId\n        * HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\DefaultProductKey\\\\ProductId\n    * Purge the Windows product key from the registry (to prevent someone from stealing it...).\n    * Edit the DigitalProductId (HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\DigitalProductId) to match the new ProductId.\n\n* 0.1.2:\n    * Check if the Legacy paravirtualization interface is being used (usage of the Legacy interface will mitigate the \"cpuid feature\" detection).\n\n* 0.1.1:\n    * Check for CPU count (less than 2 == alert).\n    * Check for memory size (less than 2GB == alert).\n    * Check if the default IP/IP-range is being used for vboxnet0 (you can ignore the notification if you don't use it).\n    * Randomizing the ProductId.\n    * Merged PR #3 from r-sierra (Thanks for helping out!).\n    * Fixed a bug in the AcpiCreatorId (Thanks @Nadacsc for reporting it to me!).\n    * Fixed a bug in the DmiBIOSReleaseDate parsing.\n    * Fixed a bug in DmiBIOSReleaseDate, to handle both the \"default\" misspelled variant and the correctly spelled one (Thanks @WanpengQian for reporting it to me!).\n    * The DevManView inclusion did not work as expected; it should be fixed in this release.\n    * Supports SATA controller as well (previously only IDE settings were modified).\n    * Updated the readme\n\n* 0.1.0:\n    * Resolved the WMI detection made famous by the HT.\n    * Added DevManView.exe (your choice of architecture) to the prerequisites.\n\n* \u003c 0.1.0: No version history kept prior to this, need to start somewhere I guess.\n\n/Mikael\n\nFeedback is always welcome! =)\n","funding_links":[],"categories":["\u003ca id=\"a2df15c7819a024c2f5c4a7489285597\"\u003e\u003c/a\u003e密罐\u0026\u0026Honeypot","\u003ca name=\"honeypots\"\u003e\u003c/a\u003e Honeypots","Honeypots",":wrench: Tools"],"sub_categories":["\u003ca id=\"2af349669891f54649a577b357aa81a6\"\u003e\u003c/a\u003e未分类-Honeypot","Media"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsmfoo%2Fantivmdetection","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnsmfoo%2Fantivmdetection","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnsmfoo%2Fantivmdetection/lists"}