Thx, now I can add those keys to my machine to defend against malware
Smart move my boy 🗿👍
And not be able to run some games
That's what I was thinking lol
There is an app that lets you do that
@EricParker did this in his video
"A person who thinks all the time"
For everyone saying "I can add those keys to my Windows machine":
Technically yes, it can help you prevent some malware that checks for those keys,
but you will get an error message if you try to run an app or program that doesn't want its code to be peeked at,
e.g. anticheat & some paid software.
It's because those apps and programs think your real machine is a virtual environment, that you are trying to reverse engineer their app, either to hack it or crack it.
Which is why I don't recommend you guys add it on a real Windows machine, you guys are just gonna have a bad time,
unless the machine is just used for production stuff like databases or other server stuff (most server and database stuff won't detect those keys).
I had no idea some malware even did that. So devious lol.
Some? Mostly all do, they just make it undetectable if you have a VM, and there are many different ways too.
So could you defend yourself from certain malware just by creating those registry keys? :-)
Well, technically yes haha
Yes, Eric Parker did a video about it :)
th-cam.com/video/zTOKEKQ8ITA/w-d-xo.html
Penguins need HUGS
That's exactly what Cyber Scarecrow does (it's a program that makes your machine look like a VM to prevent these types of malware)
@@r3arie yoo, this seems pretty cool. I'll check it out
thanks bro for the information it will be very useful in my next malware.
There is another way, by checking the GPU. Virtual machines' GPUs are virtual and not named like any physical graphics card. How are we gonna defend ourselves from this? By going to some keys in regedit and editing the GPU name to a real one, so malware that uses the GPU as the definer of real or virtual machines will just fail.
I've heard some malware can even break out of VMs, how do they do that?
From what I've heard this can be done if your virtualisation software has bugs or you have set up networking in a way that the VM can connect to other machines. I haven't explored this topic yet so I can't tell much more.
Virtualization software 0-days, or it could be malware that exploits certain services that you may be running on your machine while you misconfigured the network of the malware analysis VM. For example, if you were reversing malware and you had an RDP version vulnerable to BlueKeep, and that malware happens to exploit BlueKeep + you have not isolated your VM's network from your main network, it will just jump from your VM to your machine.
Mostly network connections, like if you have your VM connected to your network, they can make it out over the network connection, like how worms do.
Kay? Resoult?
kay was fixed to key. Resoult might be any word.
So theoretically, I could make those keys and my PC will be malware-proof? (Semi)
Exactly what I thought of lmao... Outsmarting scammers :)
I have seen a certain cracking tool checking the serial number of the motherboard too (apparently most VM software sets the serial number to zero)
Wow. Where do you learn all of this stuff ?
They do a lot of other things to detect VMs, like installed applications (Process Hacker, IDA, ...), resolution, present users, disk size, running processes, ... and there is not only VirtualBox (VMware, QEMU, ...), so checking only these registry keys is really not enough
Good video! But for me the keyboard sounds are a little too loud, or maybe there is something wrong with me
Penguins need HUGS
Nice to watch, cheers
Cheers
Use C99 or change the extension to cpp and you can skip declaring variables at the start of the scope. It makes code more readable if you need to check the type of a variable.
Would definitely love more videos on this topic
If malware detects files to see if it should run or not, can't we just add those files and we would be safe from malware attacks?
Some software won't work
@@senan9142 oh okay, thanks
Yeah, but it is a common technique; you need creativity to check some things that are not publicly available, like the presence of a driver specific to VMs or something which is unique.
How did you learn all this?
I do research. I'll make a video on how to write your first malware soon.
Learn*
@@screeck yeehaw!
What if the main machine pretends to be a VM?
Is it possible to, let's say, hook those WinAPIs and return them information that there are no such registry keys?
I’m certain, but I don’t have a single clue about it
Awesome video, keep it up!
OMG you're also from Poland :)
What if I use VMware and run that code in VMware?
Is there any way to bypass this script? Like using FakeNet or deleting these registry keys from the VM?
You can rename the reg values. I'm not really an expert on this topic, but besides registry folders there might be other things malware detects in a VM in order to recognize it's being toyed with. But try renaming it and let me know.
@@MLS-125 aight thank you
It's easier to detect if a process is running.
Very simple, short, easy and amateur way of detecting VMs; this can be bypassed with ease. Next time come with something more sophisticated and advanced.
Nice posters dude :D
For VMware VMs would it work the same, or are the reg keys the same?
No, they are not the same, but if you find the reg keys for VMware, this method should work.
Those are the registry keys for VirtualBox Guest Additions, an optional package of VirtualBox services you can install in the guest machine to communicate better with the host. I think VMware has something similar called VMware Tools, so the registry keys should be different.
@@screeck Yeah, checked it and the VMware key is SYSTEM\CurrentControlSet\Services\vmhgfs (if someone is interested in it)
If I have time I'll put a repo about this on my GitHub that does nothing if it is a VM and gives a rev shell if it ain't a VM. I'll obviously credit this video :P Really nice project bro
@@EduardoEscarez So then they aren't there unless you run a Windows client machine AND have installed the Guest Additions AND it is run under VirtualBox (on any host OS I suppose). The script kiddies might be tripped by this (and they are plentiful), but hardly any more serious malware. Those that use for example VMware, Hyper-V (Windows host), KVM (Linux host) or others will not be "affected", but I think there are also more advanced ways to detect that one runs within a virtual machine.
@@benhetland576 Yep, the guest environment needs to have the Additions (there are also versions for other OSes) to have the keys, in addition to being run under VirtualBox.
And yes, there are other ways to detect if an OS is under virtualization (devices in the environment, CPU behavior, number of cores available, etc.) but that's more tricky, and Unix/Linux hosts can provide more ways to make a Windows guest look more real.
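Pulling the thread's indicators together (the VirtualBox Guest Additions and VMware Tools keys discussed just above, the GPU name and the BIOS/motherboard strings mentioned in other comments) and the idea raised earlier of planting the VirtualBox keys on a physical machine as decoys, here is an added example written for this page; it is not the video's C program, Cyber Scarecrow, or any commenter's code. The key paths are the well-known ones left by Guest Additions, VMware Tools and the Hyper-V integration services; the value substrings (VBOX, innotek, VMware, QEMU) are assumptions about typical guest firmware strings and may differ between hypervisor versions. FakeRegistry is a constructed in-memory registry so the decision logic also runs off Windows.

```python
"""Multi-hypervisor VM artifact check plus VirtualBox decoy keys (added example)."""
import sys

try:
    import winreg  # Windows only; the decision logic below does not need it
except ImportError:
    winreg = None

# Keys under HKLM whose presence alone counts as a VM artifact: VirtualBox
# Guest Additions, VMware Tools and the Hyper-V integration services.
KEY_INDICATORS = [
    ("VirtualBox", r"SOFTWARE\Oracle\VirtualBox Guest Additions"),
    ("VirtualBox", r"SYSTEM\CurrentControlSet\Services\VBoxGuest"),
    ("VirtualBox", r"SYSTEM\CurrentControlSet\Services\VBoxSF"),
    ("VMware", r"SOFTWARE\VMware, Inc.\VMware Tools"),
    ("VMware", r"SYSTEM\CurrentControlSet\Services\vmhgfs"),
    ("Hyper-V", r"SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters"),
]

# Value checks: BIOS string, display adapter name (first display-class
# instance) and SMBIOS manufacturer. Substrings are assumptions about typical
# guest firmware strings; they may differ between hypervisor versions.
GPU_KEY = r"SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000"
SYSINFO_KEY = r"SYSTEM\CurrentControlSet\Control\SystemInformation"
VALUE_INDICATORS = [
    ("VirtualBox", r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "VBOX"),
    ("VirtualBox", GPU_KEY, "DriverDesc", "VirtualBox"),
    ("VMware", GPU_KEY, "DriverDesc", "VMware"),
    ("VirtualBox", SYSINFO_KEY, "SystemManufacturer", "innotek"),
    ("VMware", SYSINFO_KEY, "SystemManufacturer", "VMware"),
    ("QEMU/KVM", SYSINFO_KEY, "SystemManufacturer", "QEMU"),
]

# Decoys to plant on a physical machine so key-only checks think it is a
# VirtualBox guest. Anticheat and licensing checks trip on the same keys, so
# plant_decoys() returns what it created for rollback.
DECOY_KEYS = [path for hv, path in KEY_INDICATORS if hv == "VirtualBox"]


def detect_vm(reg):
    """Return {hypervisor: [reasons]}; reg supplies key_exists()/read_value()
    so the same logic runs on the live registry or a recorded/synthetic one."""
    hits = {}
    for hv, path in KEY_INDICATORS:
        if reg.key_exists(path):
            hits.setdefault(hv, []).append("key present: " + path)
    for hv, path, name, needle in VALUE_INDICATORS:
        if needle.lower() in reg.read_value(path, name).lower():
            hits.setdefault(hv, []).append(f"{name} contains {needle!r}")
    return hits


def plant_decoys(reg, decoys=tuple(DECOY_KEYS)):
    """Create each decoy key; returns the paths actually created (for rollback)."""
    return [path for path in decoys if reg.create_key(path)]


class FakeRegistry:
    """Constructed in-memory HKLM stand-in for offline runs and tests."""

    def __init__(self, keys=(), values=None):
        self.keys = set(keys)
        self.values = dict(values or {})  # {(key_path, value_name): data}

    def key_exists(self, path):
        return path in self.keys

    def read_value(self, path, name):
        return str(self.values.get((path, name), ""))

    def create_key(self, path):
        self.keys.add(path)
        return True


class LiveRegistry:
    """Real HKLM access through winreg (Windows only)."""
    HKLM = winreg.HKEY_LOCAL_MACHINE if winreg else None

    def key_exists(self, path):
        try:
            winreg.CloseKey(winreg.OpenKey(self.HKLM, path))
            return True
        except OSError:
            return False

    def read_value(self, path, name):
        try:
            with winreg.OpenKey(self.HKLM, path) as key:
                data = winreg.QueryValueEx(key, name)[0]
        except OSError:
            return ""
        return " ".join(map(str, data)) if isinstance(data, list) else str(data)

    def create_key(self, path):  # needs an elevated shell, else access denied
        try:
            winreg.CloseKey(winreg.CreateKey(self.HKLM, path))
            return True
        except OSError:
            return False


def main(argv):
    if winreg is None:
        print("live checks need Windows; use FakeRegistry for offline runs")
        return 1
    reg = LiveRegistry()
    print(detect_vm(reg) or "no VM artifacts found")
    if "--plant-decoys" in argv:
        print("planted:", plant_decoys(reg))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it plain on a Windows guest or host to see which indicators fire; `--plant-decoys` needs an elevated prompt and prints the keys it created, which is the list to delete (winreg.DeleteKey or Remove-Item in PowerShell) when a game or licensed program starts refusing to run. The decoys only defeat key-presence checks; anything that looks at CPUID, device enumeration or running processes, as the comments above point out, is unaffected.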
more blue team strategy
Now you don't have to scan the thing for malware, just run it under a VM, lol.
Thank you for the video!
How do you pack the project into one exe file?
resoult
Please doun't insoult us, ok?
Everyone just switch to a Virtual Machine :)
It's prob the easiest way to bypass XD
Have you been learning computer science for long? You can hear from your accent that you're Polish haha
Well, it's been a few years now, but with varying intensity. Probably the most in the last year.
@@screeck Okay. And do you learn from textbooks or rather just the internet?
@@arthurmorgan2774 Mainly from the internet. But there are also nice books, for example Windows Internals Part 1 about the architecture of Windows