Script to create templates to use with VirtualBox to make VM detection harder
A script to help you create templates, which you can use with VirtualBox to make VM detection harder.
My first post on the subject was in 2012 and has since been updated at random times. The blog format might not have been the best way of publishing the information, and some people made nice "easy to apply" scripts based on the content.
To make it easier for me to add new content, I have decided to do the very same.
The purpose of this script is to use the settings VirtualBox already exposes, without modifying the VirtualBox base. There are people who do really neat things by patching VirtualBox, but that is out of scope for this script. I think this approach has some merit, as it (hopefully) does not break with every new release of VirtualBox. Over time I have also included "things" that are not directly VM related, but rather things that malware uses to fingerprint installations; I hope you don't mind.
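To make the "available settings" approach concrete, here is an added example (written for this README, not antivmdetect's own code) that emits the kind of VBoxManage setextradata lines a template script carries: the host's DMI strings copied into the guest's BIOS tables and the host's CPU brand string split into the CPUID leaves 0x80000002..0x80000004. HOST_DMI and HOST_BRAND are constructed sample values standing in for what you would read from dmidecode and /proc/cpuinfo; the extradata key names are the ones VirtualBox documents for the pcbios DMI fields and for CPUID overrides, and are assumed here rather than checked against a running VirtualBox.

```python
"""Emit VBoxManage setextradata lines that copy a host's DMI strings and CPU
brand string into a VirtualBox VM (added example, not antivmdetect's code)."""
import shlex

DMI_PREFIX = "VBoxInternal/Devices/pcbios/0/Config/"
CPUID_PREFIX = "VBoxInternal/CPUM/HostCPUID/"

# Constructed host values, keyed by the VirtualBox DMI extradata names.
HOST_DMI = {
    "DmiBIOSVendor": "American Megatrends Inc.",
    "DmiBIOSVersion": "2.17.1249",
    "DmiBIOSReleaseDate": "04/01/2019",
    "DmiSystemVendor": "Example Computer Co.",
    "DmiSystemProduct": "Precision Tower 5810",
    "DmiSystemVersion": "01",          # parses as a number: see dmi_value()
    "DmiSystemSerial": "7V8XK42",
    "DmiBoardVendor": "Example Computer Co.",
    "DmiBoardProduct": "0K240Y",
}
HOST_BRAND = "Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz"  # constructed


def dmi_value(value: str) -> str:
    """VirtualBox treats a DMI extradata value that is a valid number as an
    integer and the VM then refuses to start (VERR_CFGM_NOT_STRING). Such
    values must be written as 'string:<value>'; prefixing anything that
    float() accepts is conservative but always safe."""
    try:
        float(value)
    except ValueError:
        return value
    return "string:" + value


def brand_string_regs(brand: str):
    """Split a CPUID brand string into its 12 register values: three leaves
    (0x80000002..0x80000004) times eax/ebx/ecx/edx, 4 little-endian bytes
    each, NUL-padded to 48 bytes like the real CPUID output."""
    raw = brand.encode("ascii")
    if len(raw) > 48:
        raise ValueError("brand string longer than 48 bytes")
    raw = raw.ljust(48, b"\0")
    regs = []
    for i, leaf in enumerate((0x80000002, 0x80000003, 0x80000004)):
        chunk = raw[16 * i:16 * (i + 1)]
        for j, reg in enumerate(("eax", "ebx", "ecx", "edx")):
            val = int.from_bytes(chunk[4 * j:4 * j + 4], "little")
            regs.append((f"{leaf:08x}", reg, val))
    return regs


def decode_brand_string(regs) -> str:
    """Inverse of brand_string_regs: what a guest would read back via CPUID."""
    raw = b"".join(val.to_bytes(4, "little") for _, _, val in regs)
    return raw.rstrip(b"\0").decode("ascii")


def vboxmanage_lines(vm_name: str, dmi=HOST_DMI, brand=HOST_BRAND):
    """Return the shell lines a template script would carry for one VM."""
    vm = shlex.quote(vm_name)
    lines = [f"VBoxManage setextradata {vm} {DMI_PREFIX}{key} {shlex.quote(dmi_value(val))}"
             for key, val in dmi.items()]
    lines += [f"VBoxManage setextradata {vm} {CPUID_PREFIX}{leaf}/{reg} {val:#010x}"
              for leaf, reg, val in brand_string_regs(brand)]
    return lines


if __name__ == "__main__":
    print("\n".join(vboxmanage_lines("my-virtual-machine-name")))
```

Running the block prints the 21 lines for a VM called my-virtual-machine-name; decode_brand_string is there so you can confirm the 12 dwords really round-trip to the brand string before you apply them to a VM.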
The main script will create the following files:
sudo apt install python3-pip libcdio-utils acpica-tools mesa-utils smartmontools
sudo pip3 install -r requirements.txt
wget https://download.sysinternals.com/files/VolumeId.zip https://www.nirsoft.net/utils/devmanview-x64.zip (the x64 build of DevManView; pick the build that matches the guest's architecture)
hostname > computer.lst
whoami > user.lst
Modify these files if you want to use different machine names and users for the VMs (recommended: fill the files with a long list of user and computer names).
sudo python3 antivmdetect.py
sudo chmod a+x xxxxx.sh
/bin/bash xxxxx.sh my-virtual-machine-name
If applied correctly, a Pafish run will result in this (no need to modify VirtualBox).
Please note that this script does other things that are not covered by Pafish (for example Windows 10 artifacts).
First stab at extracting the correct disk; this has been a source of headaches for many (Issue #35 and a few other old issues, thanks @oaustin).
Improved the string handling in the shell script (Issues #35 and #36 and PR #44, thanks @oaustin, @dashjuvi and @corownik).
Added a link to an online DSDT resource (Issue #37, thanks @MasterCATZ).
Updated the README to make the installation instructions clearer, thanks @jorants (Issue #38).
Check that the DSDT dump was really created, thanks @nov3mb3r (Issue #42).
Added a license notice, thanks @obilodeau (Issue #43).
Code clean-up: removed RAID disk support due to lack of access to server hardware, and a lot of other small improvements.
Improved support for Windows 10
Merged markup fix from @bryant1410 (PR #14)
Solved an issue for people using macOS + VirtualBox/VMware Fusion to create the templates.
Creating the template from a virtual machine is not the best way regardless, since the template then copies the virtual hardware's identifiers instead of a physical host's (Issue #12 and possibly #15).
Windows 10 is now supported (feedback welcome)
Several new artifacts "corrected" for W10 installations
New dependency: mesa-utils
Merged bug fix from @Fullmetal5 (#10)
Misc code fix
Updated the readme
Added a pop-up after the second run, to make it clearer that you are good to go.
Added a function that spawns a few instances of Notepad; this feature will be extended in future versions.
Reworked the RandomDate function; thanks to @Antelox for making me aware of the issue with the old one (#8).
The acpidump shipped with older versions of Ubuntu does not support the "-s" switch. This is now handled with an error message. Thanks to @Antelox for this issue (#7).
DevManView.exe was not removed after the second run; fixed.
Added support for associating and de-associating file extensions (disabled by default). Reference: https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight
Added support for a user-supplied clipboard buffer. If it is not present, a random string will be generated. Fill the file with honeytokens of your choice.
Removed XP support
Converted the batch script sections to PowerShell and moved more logic to the guest script; in short, there is less reason to create/regenerate the template often, as more items are randomized on the guest.
Added a function that randomizes the Desktop background image
Added a function that creates documents of "all" sorts on the guest
Added a function that creates documents of "all" sorts on the guest and moves them to the recycle bin
Randomizing the DigitalProductId in two more locations:
Use paravirtualization interface: None (verified with VBox 5.1.4). The check has been updated to reflect this change. I assume this change in VBox came about thanks to TiTi87, thanks!
Fixed a bug for users of python-dmidecode 3.10.13-3; this one was all me.
Added a function that randomizes the VolumeID (new prerequisite: VolumeID.exe); this information is, for example, collected by Rovnix.
Added a function that randomizes the username and computer name/hostname (new prerequisites: lists of usernames and computer names).
First attempt to add information to the clipboard buffer; the idea (command) came from a tweet by @shanselman. Will be improved in the next release.
Updated the readme: new dependencies and new features that require a reboot.
Copy and set the CPU brand string.
Check if an audio device is attached to the guest. Reference: http://www.joesecurity.org/reports/report-61f847bcb69d0fe86ad7a4ba3f057be5.html
Check the OS architecture against the DevManView binary.
Randomizing the ProductId in two more locations:
Purge the Windows product key from the registry (to prevent someone from stealing it...).
Edit the DigitalProductId (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId) to match the new ProductId.
Check if the Legacy paravirtualization interface is being used (using the Legacy interface mitigates the "cpuid feature" detection).
Check the CPU count (fewer than 2 == alert).
Check the memory size (less than 2 GB == alert).
Check if the default IP/IP range is being used for vboxnet0 (you can ignore the notification if you don't use it).
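The four host-side checks above (paravirtualization interface, CPU count, memory size, vboxnet0 on the default range) as an added example, written for this README and not antivmdetect's own code. The two text samples are constructed to look like `VBoxManage showvminfo <vm> --machinereadable` and `VBoxManage list hostonlyifs` output; the key names cpus, memory, paravirtprovider, hostonlyadapterN and IPAddress are assumed from that format, and 192.168.56.0/24 is VirtualBox's default host-only range. A second pair of samples shows the same VM after the recommended settings are applied, for which no finding is raised.

```python
"""Sanity checks on a VirtualBox VM's configuration, mirroring the template
script's warnings (added example, not antivmdetect's code)."""
import ipaddress

VBOX_DEFAULT_HOSTONLY = ipaddress.ip_network("192.168.56.0/24")

# Constructed sample of a freshly created VM: every check below fires.
WEAK_VMINFO = '''name="win10-analysis"
cpus=1
memory=1024
paravirtprovider="default"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
'''
WEAK_HOSTONLYIFS = '''Name:            vboxnet0
GUID:            786f6276-656e-4074-8000-0a0027000000
DHCP:            Disabled
IPAddress:       192.168.56.1
NetworkMask:     255.255.255.0
Status:          Up
'''

# The same VM after applying the recommended settings (constructed as well).
FIXED_VMINFO = (WEAK_VMINFO.replace("cpus=1", "cpus=2")
                .replace("memory=1024", "memory=4096")
                .replace('paravirtprovider="default"', 'paravirtprovider="none"'))
FIXED_HOSTONLYIFS = WEAK_HOSTONLYIFS.replace("192.168.56.1", "10.99.0.1")


def parse_machinereadable(text: str) -> dict:
    """key=value lines; both key and value may be double-quoted."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip().strip('"')] = value.strip().strip('"')
    return info


def parse_hostonlyifs(text: str) -> list:
    """Blocks of 'Key: value' lines separated by blank lines, one per interface."""
    ifaces, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                ifaces.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        ifaces.append(current)
    return ifaces


def check_vm(vminfo: str, hostonlyifs: str, min_cpus=2, min_memory_mb=2048) -> list:
    """Return one finding per failed check; an empty list means all passed."""
    info = parse_machinereadable(vminfo)
    findings = []
    if int(info.get("cpus", 0)) < min_cpus:
        findings.append(f"cpus={info.get('cpus')}: fewer than {min_cpus} CPUs")
    if int(info.get("memory", 0)) < min_memory_mb:
        findings.append(f"memory={info.get('memory')}: less than {min_memory_mb} MB")
    provider = info.get("paravirtprovider", "default").lower()
    if provider not in ("none", "legacy"):
        findings.append(f"paravirtprovider={provider}: use 'none' (or 'legacy' on "
                        "older VirtualBox) to mitigate the cpuid feature detection")
    # Only complain about host-only interfaces this VM actually uses.
    used = {v for k, v in info.items() if k.startswith("hostonlyadapter")}
    for iface in parse_hostonlyifs(hostonlyifs):
        if iface.get("Name") not in used:
            continue
        ip = ipaddress.ip_address(iface["IPAddress"])
        if ip in VBOX_DEFAULT_HOSTONLY:
            findings.append(f"{iface['Name']} at {ip}: still on the default "
                            f"{VBOX_DEFAULT_HOSTONLY} range")
    return findings


if __name__ == "__main__":
    for f in check_vm(WEAK_VMINFO, WEAK_HOSTONLYIFS):
        print("ALERT:", f)
    print("fixed VM:", check_vm(FIXED_VMINFO, FIXED_HOSTONLYIFS) or "no findings")
```

To run it against a real VM, pipe the two VBoxManage outputs into check_vm instead of the constructed strings; the parsers deliberately ignore lines they do not understand so extra keys in newer VirtualBox versions do not break them.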
Randomizing the ProductId.
Merged PR #3 from r-sierra (thanks for helping out!).
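The ProductId randomization described in the entries above, including keeping the DigitalProductId consistent with the new value, as an added example written for this README (not the guest script the project ships). The blob is constructed: only its length header and the NUL-padded ASCII ProductId mimic the real HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId value, the rest is zero filler. Rather than trusting a fixed offset, the patch function searches the blob for the current ProductId and refuses to touch a blob that does not contain it exactly once. Reading from and writing to the registry are left out so the block runs anywhere.

```python
"""Randomize a Windows ProductId and patch the matching ASCII copy inside a
DigitalProductId-style blob (added example, not antivmdetect's code)."""
import random
import re
import struct

# Constructed sample in the 5-5-5-5 shape used by Windows 8 and later.
SAMPLE_PRODUCT_ID = "00331-10000-00001-AA123"
PRODUCT_ID_RE = re.compile(r"^[0-9A-Z]{5}(-[0-9A-Z]{3,7}){3}$")


def build_sample_blob(product_id: str, size: int = 164) -> bytes:
    """Constructed blob: 4-byte little-endian length, 4 more header bytes,
    then the ProductId as NUL-padded ASCII in a 24-byte field; the remaining
    bytes are filler, not a real key."""
    body = struct.pack("<I", size) + b"\x03\x00\x00\x00"
    body += product_id.encode("ascii").ljust(24, b"\0")
    return body.ljust(size, b"\0")


def random_product_id(current: str, rng=None) -> str:
    """Keep the segment layout and any letters, replace every digit at random,
    so the result is the same length and shape as the original."""
    if not PRODUCT_ID_RE.match(current):
        raise ValueError(f"unexpected ProductId shape: {current!r}")
    rng = rng or random.SystemRandom()
    return "".join(str(rng.randrange(10)) if c.isdigit() else c for c in current)


def patch_digital_product_id(blob: bytes, old: str, new: str) -> bytes:
    """Replace the ASCII ProductId inside the blob in place. Refuses to patch
    when the lengths differ (the field is fixed-size) or when the current
    value is not found exactly once, so a blob of an unexpected layout is
    left untouched instead of being corrupted."""
    if len(new) != len(old):
        raise ValueError("new ProductId must have the same length as the old one")
    old_b, new_b = old.encode("ascii"), new.encode("ascii")
    if blob.count(old_b) != 1:
        raise ValueError("current ProductId not found exactly once in DigitalProductId")
    idx = blob.find(old_b)
    return blob[:idx] + new_b + blob[idx + len(old_b):]


if __name__ == "__main__":
    blob = build_sample_blob(SAMPLE_PRODUCT_ID)
    new_id = random_product_id(SAMPLE_PRODUCT_ID)
    patched = patch_digital_product_id(blob, SAMPLE_PRODUCT_ID, new_id)
    print(SAMPLE_PRODUCT_ID, "->", new_id)
    print(patched[:32].hex())
```

On a real guest you would read the ProductId and DigitalProductId values from the registry, run the two functions, and write both back; the page's guest script additionally purges the product key itself, which this example does not touch.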
Fixed a bug in the AcpiCreatorId (Thanks @Nadacsc for reporting it to me!).
Fixed a bug in the DmiBIOSReleaseDate parsing.
Fixed a bug in DmiBIOSReleaseDate, to handle both the "default" misspelled variant and the correctly spelled one (Thanks @WanpengQian for reporting it to me!).
The DevManView inclusion did not work as expected; it should be fixed in this release.
Supports SATA controllers as well (previously only IDE settings were modified).
Updated the readme
Resolved the WMI detection made famous by the HT. Added DevManView.exe (your choice of architecture) to the prerequisites.
< 0.1.0: No version history kept prior to this; need to start somewhere I guess.
Feedback is always welcome! =)