As the title suggests. Does anyone know how to completely disguise the fact that a VM is a VM (from a guest using a remote desktop connection, e.g. Citrix et al.)?
The reason I ask is that I like to call tech support scammers and mess with them. I've done some relatively simple things such as disabling the VMTools tray icon and editing the .vmx file with 'SMBIOS.reflectHost = TRUE'.
Also some registry edits have made devices in the Device Manager appear to be, well, whatever I call them (i.e. not VMware related).
My ultimate goal is that any and all references to VMware are no longer there, as tech support scammers are becoming more aware of scambaiting. Another thing: is there any way to change the 'description' of a process running in the Task Manager? Renaming the executable is simple enough, but I often run a RAT in the background to further play with them. It's now been renamed to svchost.exe but the description remains 'TrollRAT'.
Apologies if this is a bit wordy, badly laid out etc.
I love fucking with scammers and call them all day like that guy from The Hoax Hotel. I have never had to disguise a VM, as they never really look for it. However, I wanted to circumvent it before it became an issue. Since I had the resources already in place, I just pulled out an old laptop and set up Win 7. Then I would make a custom .WIM after it was all configured and then put it on my Windows Server with WDS. If they screwed up the system then it was a quick restore without all the setup and configuration. It's a difficult setup if you haven't done it, but it seemed to make sense as I already had most of everything in place and the extra laptop to do it with. Some of the articles that have been posted here are interesting reads too.
@Eon I love to mess with them too, but trust me, a lot of them have become more 'clever' (their script tells them) about looking out for signs. In one call, the guy knew as soon as the remote connection had been established - he'd sent a request for the process list, and I believe he saw some VMware-related things in there (they definitely are in there, and they just look for 'VM' nowadays).
Your solution is far simpler though, and if I had a laptop to, well, not throw away but leave restoring while I don't need it, I'd definitely do that instead.
I shall scour the place for articles though, and thanks!
@Th3Z0ne The thing is, I'm hiding a VM not from regular attackers (though on occasion, a scammer will try something nefarious), but from a social engineer. They've been messed with so much in the last few months that I believe they're being trained to look out for VMs. So I'm not hiding it from malware or a real hacker, just a monkey in a call centre with a script about looking for processes and such.
Well, I was trying to help - but if you manage to hide the fact that it is a VM from a virus, I think it would also be hidden from a human that's probably not even as technically trained - a social engineer, not necessarily an engineer.
Did the part about changing the service description work?
@Dje4321 It's already as fast as a real PC, though in part due to it residing on an NVMe drive and having 8 GB RAM assigned to it (that's mostly for the illusion of it being a real PC; an i7 6700k with 4 GB looks a bit ridiculous). Besides VMTools, what extensions do you refer to?
@Th3Z0ne I appreciate any help. I haven't yet looked into the Service Descriptions, but if I'm able to edit those, I'll be about as airtight as I can get. I use a RAT to remotely close/crash anything I don't like them running, but I'd rather not have to do that, and obviously killing everything with 'VM' in the descriptions will cause problems.
True 3D acceleration would be nice actually. I can easily run Quake, but that's very old. I believe Nvidia are doing something in the realm of virtualisation, but I don't remember what. QEMU might be a little dangerous, if it can actually execute code on my host machine. Some of these scammers are technically savvy, and try to create backdoors, install malware and so on. I've had them threaten to break out of the VM into my host machine, but when I asked him to try, he just folded. I really wanted to see his attempt.