(re)Solved the WMI detection make famous by HT

nsmfoo · Feb 12, 2016 · 6156267 · 6156267
1 parent d56e9a4
commit 6156267
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -23,14 +23,17 @@ When you run the script, the output will be:
 4) Move the batch script to the newly installed guest.
 5) Run the batch script inside the guest. Remember that the settings that gets modified are reverted after each reboot. So make it auto run if needed. 
 
-
-
 You can use the script to prepare not only your cuckoo guests, but any vm that you need to make vm detection harder on.
 Before you apply the batch script inside the guest, please disable UAC otherwise you will not be able to modify the registry with the script
 
 Virtualbox 5 users should stick to using the Legacy and Hyper-V Paravirtualization interfaces for now (System -> Acceleration).
 
 
+#Version History:
+
+< 0.1.0 No version history kept, need to start somewhere I guess ..
+0.1.0 Resolved the WMI detection make famous by the HT. Added DevManView.exe (your choice of architecture) to the prerequisites.  
+
 /Mikael
 
 Feedback is always welcome!

diff --git a/antivmdetect.py b/antivmdetect.py
@@ -12,10 +12,11 @@
 import uuid
 import re
 import time
+import StringIO
 
 # Check dependencies
-if not (os.path.exists("/usr/bin/cd-drive")) or not (os.path.exists("/usr/bin/acpidump")) or not (os.path.exists("/usr/share/python-dmidecode")):
- print '[WARNING] Dependencies are missing, please verify that you have installed: cd-drive, acpidump and python-dmidecode'
+if not (os.path.exists("/usr/bin/cd-drive")) or not (os.path.exists("/usr/bin/acpidump")) or not (os.path.exists("/usr/share/python-dmidecode")) or not (os.path.exists("DevManView.exe")):
+ print '[WARNING] Dependencies are missing, please verify that you have installed: cd-drive, acpidump and python-dmidecode and a copy of DevManView.exe in the path of this script'
  exit()
 
 # Welcome
@@ -404,8 +405,18 @@ def serial_randomize(start=0, string_length=10):
 machineGuid = str(uuid.uuid4())
 logfile.write('@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid /t REG_SZ /d "' + machineGuid + '" /f\r\n')
 
-# Prevent WMI identification
-# logfile.write('@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay /v Start /t REG_MULTI_SZ /d "4" /f\r\n')
+# Requires a copy of the DevManView.exe for the target architecture (http://www.nirsoft.net/utils/device_manager_view.html)
+with open("DevManView.exe", "rb") as file:
+    data = file.read()
+
+logfile.write('(')
+s = StringIO.StringIO(data.encode("base64"))
+for line in s:
+    logfile.write('echo ' + line)
+logfile.write(')>fernweh.tmp\r\n')
+logfile.write('@certutil -decode fernweh.tmp "DevManView.exe"\r\n')
+logfile.write('@DevManView.exe /uninstall "PCI\VEN_80EE&DEV_CAFE"* /use_wildcard\r\n')
+logfile.write('@del DevManView.exe fernweh.tmp\r\n')
 
 logfile.close()
 print '[*] Finished: A Windows batch file has been created named:', file_name