Virtual Machine - Hiding a VMware machine's true nature

As the title suggests. Does anyone know how to completely disguise the fact that a VM is a VM (from a guest using a remote desktop connection, e.g. Citrix et al.)?

The reason I ask is because I like to call tech support scammers and mess with them. I've done some relatively simple things such as disabling the VMTools tray icon and editing the .vmx file with 'SMBIOS.reflectHost = TRUE'.

Also some registry edits have made devices in the Device Manager appear to be, well, whatever I call them (i.e. not VMware related).

My ultimate goal is that any and all references to VMware are no longer there, as tech support scammers are becoming more aware of scambaiting. Another thing... is there any way to change the 'description' of a process running in the Task Manager? Renaming the executable is simple enough, but I often run a RAT in the background to further play with them. It's now been named svchost.exe but the description remains 'TrollRAT'.

Apologies if this is a bit wordy, badly laid out etc.


LOL you've already gone farther than I could have helped you.

Keep fighting the good fight.

Thanks! That VM has been a labour of love, evolved over a few months. Thanks for the reply nonetheless and I shall!

I found something that's about changing a service description:

https://technet.microsoft.com/en-us/library/cc742069(v=ws.11).aspx
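A way to apply the linked `sc description` page and to check what a remote process or service listing still exposes, as an added example that is not from the thread. It assumes a Windows guest with VMware Tools installed (VMTools is the Tools service name) and the replacement description string is a placeholder:

```powershell
# Added example, not from the thread. Assumes a Windows guest with
# VMware Tools installed; 'VMTools' is the Tools service name and the
# replacement description is a placeholder you would choose yourself.

# 1. Audit: services whose name, display name or description mention VMware.
#    Win32_Service carries the same Description string that services.msc shows.
Get-CimInstance Win32_Service |
    Where-Object {
        $_.Name -match 'vm' -or
        $_.DisplayName -match 'vmware' -or
        $_.Description -match 'vmware'
    } |
    Select-Object Name, DisplayName, Description, State |
    Format-Table -AutoSize

# 2. Change a service description (the command documented on the linked
#    TechNet page). Run from an elevated prompt.
sc.exe description VMTools "PLACEHOLDER-DESCRIPTION"

# 3. Verify the change took.
(Get-CimInstance Win32_Service -Filter "Name='VMTools'").Description

# 4. Processes: Task Manager's Description column is the FileDescription
#    string from the executable's version resource, which sc.exe does not
#    touch. Get-Process exposes the same string, so this shows which running
#    processes would still match a search for 'VM'.
Get-Process |
    Where-Object { $_.Name -match '^vm' -or $_.Description -match 'vmware' } |
    Select-Object Name, Description, Path |
    Format-Table -AutoSize
```

The two audit queries are the useful check: they show roughly what a remote process-list request sees. `sc.exe description` only changes a service's description; a process's Task Manager description lives in its executable's version information, which is why renaming the file alone leaves that column unchanged.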

Adding more VRAM + VM extensions will help the most.

Some more info on how to stay undetected as a VM

(stopping malware from noticing it's in a VM is probably even higher magic)

PDF on hiding your VM from malware and attackers: http://www.gta.ufrj.br/ensino/CPE758/artigos-basicos/carpenter07.pdf

I love fucking with scammers and call them all day like that guy from The Hoax Hotel.
I have never had to disguise a VM, as they never really look for it. However, I wanted to circumvent it before it became an issue. Since I had the resources already in place, I just pulled out an old laptop and set up Win 7. Then I would make a custom .WIM after it was all configured and then put it on my Windows Server with WDS. If they screwed up the system then it was a quick restore without all the setup and configuration. It's a difficult setup if you haven't done it, but it seemed to make sense as I already had most of everything in place and the extra laptop to do it with.
Some of the articles that have been posted here are interesting reads too.

How so? Just having VMtools is another thing I have to hide. I'm curious though.

@Eon I love to mess with them too, but trust me, a lot of them have become more 'clever' (their script tells them) about looking out for signs. In one call, the guy knew as soon as the remote connection had been established - he'd sent a request for the process list, and I believe he saw some VMware related things in there (they definitely are in there, and they just look for 'VM' nowadays).

Your solution is far more simple though, and if I had a laptop to, well, not throw away but let it restore while I don't need it, I'd definitely do that instead.

I shall scour the place for articles though, and thanks!

@Th3Z0ne The thing is, I'm hiding a VM not from regular attackers (though on occasion, a scammer will try something nefarious), but a social engineer. They've been messed with so much in the last few months that I believe they're being trained to look out for VMs. So I'm not hiding it from Malware, or a real hacker, just a monkey in a call centre with a script about looking for processes and such.

It makes the system WAY faster.
It will be as responsive as a real PC.

Well, I was trying to help - but if you manage to hide the fact it is a VM from a virus, I think it would also hide from a human that's probably not even as technically trained - social engineer, not necessarily engineer.

Did the part about changing the service description work?

@Dje4321 It's already as fast as a real PC, though in part due to it residing on an NVMe drive and having 8GB RAM assigned to it (that's mostly for the illusion of it being a real PC; an i7 6700k with 4GB looks a bit ridiculous). Besides VMtools, what extensions do you refer to?

@Th3Z0ne I appreciate any help. I haven't yet looked into the Service Descriptions, but if I'm able to edit those, I'll be about as airtight as I can get. I use a RAT to remotely close/crash anything I don't like them running, but I'd rather not have to do that, and obviously killing everything with 'VM' in the descriptions will cause problems.

Can't remember the name of it, but it added stuff like 3D acceleration and the like.

Ever thought about just setting up a QEMU VM?

True 3D acceleration would be nice actually. I can easily run Quake, but that's very old. I believe Nvidia are doing something in the realm of virtualisation, but I don't remember what. QEMU might be a little dangerous, if it can actually execute code on my host machine. Some of these scammers are technically savvy, and try to create backdoors, install malware and so on. I've had them threaten to break out of the VM into my host machine, but when I asked him to try, he just folded. I really wanted to see his attempt.


Can't remember the name of the YouTuber, but he would just run a VM in a VM in case of that.

With QEMU I think you could simulate full hardware. So you could have a P4 system on an i7-6700k. Not sure, never used QEMU before.

Pasted that in the wrong thread, sorry.