1:55 "lain" ...Obviously
and navi haha
@@lainpilled i thought i was the only one who names my hostnames navi lol, i even made copland os grub and sddm theme
@@umzfbupzvatg1916 I call mine NAVI too!
let's all love lain :)
@@debil3206 TOKYOPILL MENTIONED GRAHHH
Tip:
If you have relatives or friends that would fall for malware or scams, do the reverse of this video and make their PC look like a VM :3
That... Might actually be a good idea!!
I believe I actually saw a GitHub project that did exactly that). Sadly, I don't remember its name anymore
Scammers tend to destroy the VM when they see it's a VM so..
@@biigsmokee really? Any example you may have?
@@JustLinuxMan Edit: This comment was a misunderstanding. my bad. He didn't mean it in a mean way. I choose to keep it here because I shouldn't hide my mistakes.
"Literally anywhere on UA-cam, 'Scammer Destroys VM'? You can't invalidate someone's argument just because you were too lazy to find the proof yourself."
Yes, I'm totally here for a tutorial and NOT just here because it was in my recommended.
Yes
Yes
Wait oops
Yuuuup
Wait is that better or worse than UA-cam thinking it's a good recommendation for you?
there was a video that Jim Browning did on creating an undetectable VM for scambaiting , but it's a bit outdated and I couldn't really find a tutorial for once ever since. Thank you!!
The needs for that are different. Malware (except for very advanced cases) just scans a few strings, humans use different heuristics.
@@EricParker If it's truly undetectable, try running Valorant with Vanguard.
@@leslyschafer1879 if you'd seen the video you'd know that it does not support vanguard-level anticheats
@@leslyschafer1879 3:56
@@leslyschafer1879 dude said it's not detected for most things, he never said it's not detected for everything
If it can't run in a VM, it's gotta be malware lol
AntiCheats: sweats profusely
or DRM
@@nezu_cc DRM is malware
Bingo!
legit man, it sucks
@@nezu_cc so malware
It's always interesting to see VMs,Linux and Windows being used for new things - like security. I really enjoy watching your content.
I am quite sure 99% of Cyber security ever was done on either Windows or Linux
GOAT level timing with RATs everywhere now.
Thanks just what I wanted - had a feeling that some downloads were not fully active under my normal VM
Got it. So I will build my Malware to stay dormant unless Windows telemetry is ON and we detect an Nvme
Great tutorial! I really like to see virus tests and how they work, as Enderman and Siam Alam does (they're not active anymore it seems...). But it's nice to see someone else doing the same thing and going deeper into the analysis than them :)
It would be great if these VM products provided a way to modify more attributes or be able to mimic a real machine, it's clearly possible to do that, although you likely wouldn't be able to use guest support since that's an easy spot for VM detectors.
I'm so glad that I no longer have to use ShutUp10 (awful user interface), because I moved to Linux.
Welcome!
Welcome fellow penguin 👍
Now you have to deal with GNOME:)
@@isheamongus811 how do you know if they use GNOME?
@@isheamongus811 or choose not to :)
been binging your vids recently, keep up the good work man!
Thank you for this tutorial, Eric! Your instructions were precise, to the point, and easy to understand. I also learned new things along the way because you explained why you were going with certain settings instead of others. I was able to replicate this undetectable VM in my VMware Workstation.
Been waiting for an up to date video on this topic. Thank you so much Mr Parker!
A undetectable KVM tutorial would be appreciated
question - what would happen if you configured everything to look like a VM, like a reverse spoof i guess? essentially the opposite of what you're doing in this video? would that be more effective as an antivirus than an antivirus?
Depends on the malware. Maybe it doesn't care about if the PC is real or VM.
For most malware, it probably won't do anything. For enterprise-grade malware, it might either refuse to run in the VM, or it detects that it's in a VM and uses an exploit to escape into your host system
I believe there is actually a recent project that does exactly that! Can't remember what it's called though. It's probably not going to be more effective than an antivirus, but nothing's preventing you from using that and a regular antivirus at the same time
He handles that in a new video :)
@@raskr8137 Cyber Scarecrow
You can use "Shift+g" and "gg" to jump to the top or bottom of a file in Vim.
For rdtsc all you need is a kernel patch, there are already a few online so all you need to do is recompile the Linux kernel with the patch applied.
I read on the unknowncheats forum that pafish's rdtsc check is very basic and the public rdtsc patches usually use pafish to check if they work. Then some anticheats have more advanced timing checks which public patches don't fix.
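For readers who want to see what the rdtsc check discussed in this thread actually measures, here is an added example in C. It is not pafish's code and not from the video; it reproduces the classic heuristic: time a CPUID instruction with rdtsc, because CPUID always traps to the hypervisor (a VM exit) in a guest, and compare the average against a cut-off. It also reads the CPUID "hypervisor present" bit (leaf 1, ECX bit 31) and the hypervisor vendor leaf (0x40000000), which are the two cheapest non-timing fingerprints. The threshold of 1000 ticks is an assumption taken from the usual pafish-style heuristic, not a number the video gives; on non-x86 builds the timing functions report 0 / -1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid(), __get_cpuid() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Heuristic threshold in TSC ticks. Bare metal usually finishes CPUID in
 * well under 1000 ticks; a VM exit costs several thousand. The value is an
 * assumption (the common pafish-style cut-off), not one from the video. */
#define CPUID_VM_EXIT_THRESHOLD 1000ULL

/* Average TSC ticks for one CPUID(0) round-trip over `rounds` samples.
 * Returns 0 when rounds == 0 or when the build is not x86. */
uint64_t avg_cpuid_cycles(int rounds)
{
#if HAVE_X86
    uint64_t total = 0;
    for (int i = 0; i < rounds; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);      /* cheap on metal, VM exit inside a guest */
        uint64_t t1 = __rdtsc();
        total += t1 - t0;
    }
    return rounds > 0 ? total / (uint64_t)rounds : 0;
#else
    (void)rounds;
    return 0;
#endif
}

/* The decision step, kept separate so it can be checked with fixed inputs. */
bool timing_suggests_vm(uint64_t avg_cycles, uint64_t threshold)
{
    return avg_cycles > threshold;
}

/* CPUID leaf 1, ECX bit 31 ("hypervisor present").
 * Returns 1 if set, 0 if clear, -1 if CPUID is unavailable. */
int hypervisor_bit(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    return (int)((c >> 31) & 1u);
#else
    return -1;
#endif
}

/* Hypervisor vendor string from leaf 0x40000000, e.g. "VMwareVMware",
 * "KVMKVMKVM", "Microsoft Hv". Only meaningful when hypervisor_bit() == 1.
 * Writes up to 12 characters plus NUL into out[13]; returns the count. */
int hypervisor_vendor(char out[13])
{
    out[0] = '\0';
#if HAVE_X86
    if (hypervisor_bit() != 1)
        return 0;
    unsigned a, b, c, d;
    __cpuid(0x40000000, a, b, c, d);
    memcpy(out + 0, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
    out[12] = '\0';
    return 12;
#else
    return 0;
#endif
}

int main(void)
{
    uint64_t avg = avg_cpuid_cycles(1000);
    char vendor[13];
    hypervisor_vendor(vendor);

    printf("avg CPUID cost : %llu ticks -> %s\n", (unsigned long long)avg,
           timing_suggests_vm(avg, CPUID_VM_EXIT_THRESHOLD) ? "VM-like" : "metal-like");
    printf("hypervisor bit : %d\n", hypervisor_bit());
    printf("vendor leaf    : \"%s\"\n", vendor);
    return 0;
}
```

Note how the three checks fail independently: the host-side rdtsc kernel patch mentioned above only addresses the timing measurement (and, as another reply says, not reliably), while the hypervisor bit and vendor leaf are hidden by a separate VMware Workstation setting, `hypervisor.cpuid.v0 = "FALSE"` in the .vmx, which the video does not cover. Anticheats with "more advanced timing checks" typically sample many instructions and look at variance rather than one average, so passing this single check says little about them.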
Watching you since 17k, all i can say is, keep up the good content brother.
OMW to do the reverse of this to make my gaming PC look like a virtual machine to malware
In "more or less" most of the nix apps, shift-g (a capital G) will get you to the end of the output. Maybe that's also true for Vi. I guess entering a number with g just goes to that line number.
The 'official' way to do this in vi is ":$"
@@c128stuff I checked it out, seems both ":$" and "G" take you to the beginning of the last line in the file, however not just "g" but "gg" takes you back to the first char in the file, I assumed just g. The "official way" to jump to a line number just seems to be ":n", where n is the line number. Could not find any reference to g combined with a number to jump to that line number, an undocumented feature?
@@daanmageddon no idea about g combined with a number.
: gets you to the line number mentioned. $ just happens to always be the last line. This also works for other commands which accept or require line numbers, for example
:5,$s/old/new/g will replace every occurrence of 'old' with 'new', starting at line 5 up to and including the last line of the file.
Literally searched for this two days ago, thanks a lot!
Recently discovered your channel and I love the videos. Keep it up!
I know I am kinda late to this, but if you actually, before installation, select to use BIOS instead of UEFI, you then won't see the VMware version of BIOS in system info, but instead you'll see: "Phoenix Technologies LTD 6.00, 11/12/2020". I am also pretty sure that you can then modify the name of the BIOS to your liking. Renaming the BIOS version with the UEFI installation doesn't seem to work, and it is still called after VMware.
where exactly in the part of the video if you dont mind me asking
Thanks for the demonstration of some of your stuff!
You know, this is also a tutorial for how to run certain extremely popular games with invasive anticheats on Linux.
omg i needed a tutorial for this, absolute great timing
finally, perfect tutorial! one time malware got on my computer 😅 I'm lucky that the antivirus caught it
i love lain
we all love lain
rare sewerslvt profile spotted
he can haz cheez burger.
the only problem with this method is that the vm will run like dogshit without vmware tools
Love you Eric best IT man!
you need to be 3 mil subs keep up the work
you can press “g” in normal mode to go straight to the bottom in neovim!
Oh, hey I was wondering about that! Thanks.
I'm sure this is elsewhere in the comments, but shift+g will take you directly to the bottom of the file in vim
This is so useful thank you!
For vi shift+G to get to the end. gg to go to the start, and shift+A to append at the end of the line.
Changing the disk type for a windows VM is a real pita, but not impossible without full reinstall. Its not worth the hassle usually.
I like your malware analysis videos
In vim, you can just press 'G' to go to the last line.
Think this VM approach would also work for isolating kernel-level anticheat tools? I heard people who tried to run some games under Linux had success with a nested VM approach (using intel's Hyper-v)
He specifically said it won't; I tested Roblox just for shits n giggles and it still detects it
@@gordonfreeman9641 oh right, just got to the part in the video. guess nested VMs it is, then.
It's incompatible with 3d acceleration regardless of detection. Our "rootkit" is not useful against another kernel driver.
@@EricParker Can't you still install vmware tools and just make that not detected?
is there a way to do this in qemu-kvm on Linux using virt-manager? a lot of us Linux users would like to contain the Windows malware and increase compatibility with the games we can play (essentially, how do we create an environment to containerize a kernel-level anticheat that (for all intents and purposes) is malware anyway and won't run in Wine/Proton?)
VirtualBox and qemu should try to make an abstraction layer for mirroring the hardware you're running that VM on, that way it looks like the machine you're using but still running under emulation and harder to detect. Then again, I think qemu still has a problem giving direct access to the GPU in emulation (which is why you need two GPUs for that stuff) so I'm not sure that's happening anytime soon. It would be good for virtualisation and security, however, and something that should be more common even among the average user.
With Nvidia you have vgpu, but you need a license to do that
Next video idea: spoof our main system as a VM so vm aware malware doesn't run on it.
cyberscarecrow actually does that. Might make a video on it.
Love this, more tutorials please
AIN'T NO WAY THIS WAS 20 SECONDS AGO
it wasn't. youtube delays the shit out of release dates for some reason
Makes me wonder: Could you modify these things on an everyday system in the opposite way so that malware thinks it‘s a VM even though its not ?
I wonder, will this work for games with anticheats and DRMs that detect the use of a VM? Because those tend to be the most powerful, widespread, and sophisticated kinds of corporate-sponsored malware.
Up to some point, perhaps, like for instance Fortnite if u do simpler spoofing, like shown in the video and some other further steps.
Vanguard (if even possible) would like even need some recompiling (on Linux) and really just more advanced stuff just to spoof and go undetected (granted if u cheat, u will speed the probability of things going wrong).
The best thank you ( i really need it )
let's all love lain
Hey Eric, I know you read these comments, and I have a cool video suggestion.
You could try testing the 'bad reputation' anti viruses like McAfee, Avast, AVG, etc, against modern malware. People always talk bad about them, but I've never seen them tested. At least not in recent years.
The PC Security channel does content testing 'Good AVs against modern malware. Why don't you test the bad ones 😁
I tried pafish on my main machine and it detected the CPU timestamp thing you were talking about, along with the hypervisor and mouse things lol
Me: maybe with this I’m gonna be able to play LoL/Valorant on VM inside Linux. Since QEMU doesn’t work
Video: 4:20 it won’t allow vanguard
Me: never mind
couldn't malware detect that we have a SCSI ssd or an AMD engineering sample and therefore find out we're in a VM?
I'll have to give this a try. I was using a special VirtualBox loader but the devs stopped updating it and eventually removed the repo. 😢
great video eric.
Wait… can I spoof a main pcs mac address and other info to be vm defaults to block some malware from running?
AFAIK most Drivers let you modify the MAC address. If you set it to a Private MAC address: the malware may assume it is in a VM.
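The reply above and the "reverse spoof" idea elsewhere in this thread both rest on the same fact: commodity malware fingerprints a VM from a handful of static strings, and the NIC OUI is one of them. The following is an added example in C, not the video's code and not Cyber Scarecrow's, that runs a pafish-style static scoring over three constructed inventories: a plain desktop, a stock VMware guest, and a plain desktop whose MAC was set to a VMware OUI (the reverse spoof). The OUI table, driver names, vendor strings and all three inventories are assumptions constructed for the example; the driver names are the ones a VMware/VirtualBox/Hyper-V guest normally ships with, and the inventories would in practice be read from the NIC, SMBIOS and System32\drivers.

```c
#include <stdio.h>
#include <stddef.h>
#include <ctype.h>
#include <string.h>

typedef struct {
    const char *name;       /* label for the constructed inventory */
    const char *mac;        /* primary NIC MAC, "xx:xx:xx:xx:xx:xx" */
    const char *sys_vendor; /* SMBIOS System Manufacturer string */
    const char **drivers;   /* NULL-terminated list of driver file names */
} host_inventory;

/* Case-insensitive prefix test; returns 1 if s starts with prefix. */
static int starts_with_ci(const char *s, const char *prefix)
{
    while (*prefix) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
        s++; prefix++;
    }
    return 1;
}

/* OUI prefixes registered to hypervisor vendors (commonly cited set, assumed here). */
static const struct { const char *oui; const char *vendor; } VM_OUIS[] = {
    { "00:50:56", "VMware" }, { "00:0c:29", "VMware" }, { "00:05:69", "VMware" },
    { "00:1c:14", "VMware" }, { "08:00:27", "VirtualBox" }, { "00:15:5d", "Hyper-V" },
    { "52:54:00", "QEMU/KVM" }, { "00:1c:42", "Parallels" },
};

/* Returns the hypervisor vendor owning the MAC's OUI, or NULL for a non-VM OUI. */
const char *mac_vm_vendor(const char *mac)
{
    for (size_t i = 0; i < sizeof VM_OUIS / sizeof VM_OUIS[0]; i++)
        if (starts_with_ci(mac, VM_OUIS[i].oui))
            return VM_OUIS[i].vendor;
    return NULL;
}

/* Guest driver files that betray a VM (the vmmouse/vmhgfs traces reported in this thread). */
static const char *VM_DRIVERS[] = {
    "vmmouse.sys", "vmhgfs.sys", "vmci.sys", "vmmemctl.sys", "vm3dmp.sys",   /* VMware */
    "VBoxGuest.sys", "VBoxMouse.sys", "VBoxSF.sys",                         /* VirtualBox */
    "vmbus.sys", "hyperkbd.sys",                                            /* Hyper-V */
    NULL
};
static const char *VM_VENDORS[] = { "VMware", "innotek", "VirtualBox", "QEMU", "Xen", "Parallels", NULL };

/* Counts independent VM indicators; 0 means the inventory looks like bare metal. */
int vm_score(const host_inventory *h)
{
    int score = 0;
    if (mac_vm_vendor(h->mac))
        score++;
    for (const char **v = VM_VENDORS; *v; v++)
        if (starts_with_ci(h->sys_vendor, *v)) { score++; break; }
    for (const char **d = h->drivers; *d; d++)
        for (const char **k = VM_DRIVERS; *k; k++)
            if (starts_with_ci(*d, *k) && strlen(*d) == strlen(*k)) { score++; break; }
    return score;
}

/* Constructed sample inventories (not captured from any real machine). */
static const char *REAL_DRIVERS[]  = { "ntfs.sys", "nvlddmkm.sys", "e1i68x64.sys", NULL };
static const char *GUEST_DRIVERS[] = { "ntfs.sys", "vmmouse.sys", "vmhgfs.sys", "vmci.sys", NULL };

const host_inventory REAL_PC       = { "bare-metal desktop", "3c:7c:3f:10:20:30",
                                       "Micro-Star International Co., Ltd.", REAL_DRIVERS };
const host_inventory VMWARE_GUEST  = { "stock VMware guest", "00:0c:29:4a:5b:6c",
                                       "VMware, Inc.", GUEST_DRIVERS };
/* The reverse spoof: same real desktop, NIC MAC changed to a VMware OUI. */
const host_inventory SCARECROWED_PC = { "bare-metal with VMware OUI MAC", "00:50:56:de:ad:01",
                                        "Micro-Star International Co., Ltd.", REAL_DRIVERS };

int main(void)
{
    const host_inventory *all[] = { &REAL_PC, &VMWARE_GUEST, &SCARECROWED_PC };
    for (size_t i = 0; i < 3; i++)
        printf("%-35s score=%d%s\n", all[i]->name, vm_score(all[i]),
               vm_score(all[i]) ? "  (VM-like)" : "");
    return 0;
}
```

The scored output makes the limits of the reverse spoof visible: the MAC change alone earns the real desktop a single indicator, enough for a sample that bails on any hit but not for one that wants the driver files or the SMBIOS vendor as well, which is why tools like Cyber Scarecrow plant several artifacts at once. Conversely, for the "undetectable" VM in the video, every row of this table is a string that has to be changed, and the thread's reports of leftover vmmouse.sys and vmhgfs.sys traces are exactly the driver loop firing.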
4:03 "you're not gonna run riot vanguard on this, but why do you want to"
it's literally the only reason i want an undetectable vm, to be able to play lol with a linux host lol
could you try running something like Vanguard on this VM?
One question, wondering if triage is undetectable?
It's not like malware developers can't just copy the code of paranoidfish to check for a virtual environment
eric aint pregnant but he delivers.
It's 3 AM and I don't know why I am here
Can you share more info or links on the linux kernel hacking thing you were mentioning? Thank you!
So to make a malware that detects that it's in a VM you'd just make the malware install a game with Vanguard and check its status.
Interesting. Been trying to figure out how to do this for Pearson Vue. Any tips?
Underrated
Couldn't you use a server version of BSD to set up a virtual environment by companies, shops, hospitals, etc for one machine since they heavily use that for virtualization and most malware runs on these virtual environments without ever knowing it's virtual?
Depends hugely on the malware. Linux / IOT malware will run under VMs without complaint, most windows malware will not
@@EricParker I badly worded my reply. I meant they use BSD or Linux for virtualization but many of them use Windows VMs for everyday use in their daily activities while having only one computer running the entire company, shop, etc., but their hypervisors don't really run these VMs as VMs as far as I know because of the way they are set up; malware just thinks they are real machines and that's how a lot of malware just goes rogue infecting entire networks.
rdtsc can be passed with a modified kernel
3:40 if the malware can write the first 512 kB of the drive, nothing will help except on BIOS level.
do kernel level anticheats see it as vm?
4:00 "you're not gonna run Riot Vanguard on this but, why do you want to?". Answer: Running Riot games on my M1 Mac via Parallels would be great!
The rdtsc hack doesn't have 100% success chance. Works at first, but eventually it'll start failing.
Well I tried this tutorial for Roblox (fake exploit analyzing), but it sadly didn't work
found any way?
when you showed the vmhardended thing the first thing that came in mind was riot vanguard, do you think there is any way to still get it to work on a vm? i want to switch to linux but i also play riot games often enough that i cant do it yet haha
Hi Eric,
I tried to search everywhere but couldn't find an answer. If I try to install windows 11 I am not able to remove the initially created "nvme" hdd. The remove option is greyed out, I even created a secondary scsi hdd but still no remove option for the nvme. Any tips you can give on how I can proceed would be appreciated.
Thanks,
P
Did you ever find a solution? Same problem here :P
to go to the end of file use G and then a
why not change the CPU ID to something believable other than AMD sample? like having a 5950x and call it i7 4770k with 4c8t assigned or something with equivalent clock speed and c-t?
I didn't spoof it period (that is my real CPU). It's a fingerprint for sure, but it's not likely to be blocked.
Thanks
Now how to make unsafe windows xp
Thanks for you helpful video!
Is there a way to fake CPU temperature? I'm analyzing a malware that detects a VM by the CPU temperature.
I can't even figure out how to turn off Windows Defender antivirus through the registry :D
is there something similar with KVM? so I can pass through PCIe cards like network card, GPU and USB
More sophisticated software has other ways of detecting VMware, I guess stuff like this only works for malware not real software because there are many more fingerprints like the BIOS version, dozens of drivers (some of which are crucial to the VM) etc...
Hello! Could you please make a video about what any "mmorpg silkroad online private server" would do to harm a user that is downloading and running the exe file? I love the game, but 99% of the servers have trojans in them. The admins always say it's a "false positive", but I highly doubt it. They always say to put the files in an exception folder in the antivirus/firewall.
Thanks!
What OS do you use in your everyday desktop?
Arch
@@EricParker goat 🎉 i love arch and lain
@@EricParker 😮😮😮😮😮
My disk still says VMware right in front of the new disk name. I don't understand why. I checked through the whole VMX file and there was nothing saying "VMware".
Can I use this to attempt running some games that don't run on linux without having to dual boot?
Do not infect PCs with a graphics tablet and no mouse. Also not with a PS/2 mouse (with exceptions)
Hmmmm.
I did everything how you described in the video....
got trace for pseudo devices; vmmouse.sys, vmhgfs.sys and Reg key.
Anything which could cause this? Was using MS10Pro 22H2 iso from MS.
5:19 that random i at the end didn't cause issues?
What if malware blacklists that HardenedLoader driver ?
wow, ty!
what if you do this in reverse for extra protection
Any thoughts on doing this with Hyper-V?
Does this also unlock CPU features?
What do you want to unlock?
This guide doesn't work anymore, guys. I tested on two OSes - in Device Manager the VM gets exposed EVERYWHERE. Same in the registry. And the cherry on top - the .vmx file no longer has the parameter responsible for the SSD name.
it doesn't work on Win11, maybe that's why idk
Error while opening the virtual machine: VMX file is corrupt.
scsi0.sasWWID = "50 05 05 65 b8 9d c9 70"i
whats the point of making such a stealthy vm, when the only thing in your skillset is using wireshark and mitmproxy?