Settings for running malware in a virtual machine (VMware)

Reference site

Changes to the vmx file (*.vmx) settings

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
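The following script is an added example (not from the original page or from VMware) for putting those fourteen settings into a .vmx file without hand-editing it. It rewrites the plain `key = "value"` text: keys that already exist get their value replaced (a `monitor_control.restrict_backdoor = "FALSE"` left over from an earlier experiment is corrected rather than duplicated), missing keys are appended, and a second run leaves the file unchanged. The `missing_settings` check lets you confirm a guest is configured before you drop a sample on it. The `skip` parameter and the file name `vmx_harden.py` are this example's own; edit the .vmx only while the VM is powered off, since VMware writes the file back on shutdown.

```python
"""Apply the anti-detection .vmx settings listed above to a VMware config.

Added example, not from the original page or from VMware: it edits the
plain  key = "value"  text of a .vmx file, replacing the value of keys that
already exist and appending the rest, so running it twice does not create
duplicate entries.
"""
import re
import sys

# The settings from this page, keyed exactly as VMware spells them.
ANTI_DETECTION_SETTINGS = {
    "isolation.tools.getPtrLocation.disable": "TRUE",
    "isolation.tools.setPtrLocation.disable": "TRUE",
    "isolation.tools.setVersion.disable": "TRUE",
    "isolation.tools.getVersion.disable": "TRUE",
    "monitor_control.disable_directexec": "TRUE",
    "monitor_control.disable_chksimd": "TRUE",
    "monitor_control.disable_ntreloc": "TRUE",
    "monitor_control.disable_selfmod": "TRUE",
    "monitor_control.disable_reloc": "TRUE",
    "monitor_control.disable_btinout": "TRUE",
    "monitor_control.disable_btmemspace": "TRUE",
    "monitor_control.disable_btpriv": "TRUE",
    "monitor_control.disable_btseg": "TRUE",
    "monitor_control.restrict_backdoor": "TRUE",
}

# One `key = "value"` line; the quotes are optional so hand-edited files with
# bare values still parse. Comment lines starting with '#' never match.
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"?([^"\r\n]*?)"?\s*$')


def parse_vmx(vmx_text):
    """Return {key: value} for every key/value line in the file."""
    values = {}
    for line in vmx_text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def missing_settings(vmx_text, settings=None):
    """Settings that are absent or hold a different value.

    Values are compared case-insensitively because VMware accepts both
    "TRUE" and "true".
    """
    settings = ANTI_DETECTION_SETTINGS if settings is None else settings
    current = parse_vmx(vmx_text)
    return {k: v for k, v in settings.items()
            if current.get(k, "").upper() != v.upper()}


def apply_settings(vmx_text, settings=None, skip=()):
    """Return vmx_text with every setting forced to its value.

    `skip` (this example's own option) names keys to leave out, e.g.
    monitor_control.disable_directexec, which forces binary-translation mode
    and is itself detectable (ScoopyNG test 7).
    """
    settings = dict(ANTI_DETECTION_SETTINGS if settings is None else settings)
    for key in skip:
        settings.pop(key, None)
    newline = "\r\n" if "\r\n" in vmx_text else "\n"   # keep Windows line endings
    out, seen = [], set()
    for line in vmx_text.splitlines():
        m = _VMX_LINE.match(line)
        key = m.group(1) if m else None
        if key in settings:
            if key not in seen:                      # drop duplicate entries
                out.append(f'{key} = "{settings[key]}"')
                seen.add(key)
            continue
        out.append(line)
    for key, value in settings.items():              # append what was absent
        if key not in seen:
            out.append(f'{key} = "{value}"')
    return newline.join(out) + newline


if __name__ == "__main__":
    # Usage: python vmx_harden.py guest.vmx   (run while the VM is powered off)
    path = sys.argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    before = missing_settings(original)
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(apply_settings(original))
    print(f"{len(before)} setting(s) added or changed:")
    for key in before:
        print(f"  {key}")
```

`newline=""` on the write keeps Python from turning the file's existing line endings into doubled `\r\r\n` on Windows hosts.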

HideToolz (process hiding)

Hacker Defender rootkit

The rootkit takes its configuration file as a command-line argument; the hide.ini used here follows the command.

> hxdef100.exe hide.ini
[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Root Processes]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Hidden Services]
HackerDefender100
vmu*
vmt*
vmw*
procexp*

[Hidden RegKeys]
VMware, Inc.
Sysinternals

[Hidden RegValues]
vmu*
vmt*
vmw*

[Startup Run]

[Free Space]

[Hidden Ports]

[Settings]
Password=infected
BackdoorShell=cmd.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]
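Wildcard entries such as `tools*` hide more than their author may intend, and an analysis tool whose name does not start with one of the listed prefixes stays fully visible to the sample. The script below is an added example (not part of the original page or of Hacker Defender) that parses the ini sections shown above and reports, for a constructed list of tool names, which `[Hidden Table]` pattern would hide each one. It assumes that `*` is the only wildcard (the only one this ini uses) and matches any run of characters, and that matching is case-insensitive like Windows file and process names; `coverage` and `SAMPLE_NAMES` are this example's own names.

```python
"""Which analysis-tool names would this hide.ini actually hide?

Added example; not part of the original page or of Hacker Defender. It
parses the ini sections the page shows and applies the patterns from
[Hidden Table] (which covers file, directory and process names) to a list
of names. Assumptions: '*' is the only wildcard and matches any run of
characters, and matching is case-insensitive.
"""
import re

# Constructed copy of two sections from the hide.ini listed above.
HIDE_INI = """\
[Hidden Table]
hxd*
vmu*
vmt*
vmw*
tools*
procexp*
ollydbg*

[Hidden Services]
HackerDefender100
vmu*
vmt*
vmw*
procexp*
"""


def parse_ini(text):
    """Return {section: [entry, ...]}; blank lines are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def pattern_to_regex(pattern):
    """'procexp*' -> ^procexp.*$ ; everything except '*' is literal."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matching_pattern(patterns, name):
    """First pattern that hides `name`, or None if it stays visible."""
    for pat in patterns:
        if pattern_to_regex(pat).match(name):
            return pat
    return None


def coverage(ini_text, names, section="Hidden Table"):
    """{name: pattern-or-None} for every name in `names`."""
    patterns = parse_ini(ini_text).get(section, [])
    return {n: matching_pattern(patterns, n) for n in names}


# Constructed list: tools an analyst might run inside the guest.
SAMPLE_NAMES = [
    "hxdef100.exe",     # the rootkit itself, hidden by hxd*
    "procexp.exe",      # Process Explorer
    "vmtoolsd.exe",     # VMware Tools service
    "vmware-tray.exe",
    "OLLYDBG.EXE",      # case differs from the pattern
    "x64dbg.exe",       # not covered by any pattern
    "Wireshark.exe",    # not covered
    "toolsetup.log",    # 'tools*' hides unrelated files too
]

if __name__ == "__main__":
    for name, pat in coverage(HIDE_INI, SAMPLE_NAMES).items():
        print(f"{name:18} {'hidden by ' + pat if pat else 'VISIBLE'}")
```

Run it against your own tool list before relying on the rootkit: anything reported as VISIBLE needs either a renamed binary or an added pattern.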

Reference: ScoopyNG - The VMware Detection Tool

Result of running ScoopyNG after applying the three countermeasures above (vmx settings, HideToolz, Hacker Defender). Only Test 7 still fires, and that is expected: monitor_control.disable_directexec switches VMware into its binary-translation ("emulation") mode, which is what makes the descriptor-table tests (1 through 4) return native-looking values, and detecting that mode is exactly what Test 7 checks for. Hiding the backdoor and the descriptor tables therefore trades one artifact for another.

####################################################
::       ScoopyNG - The VMware Detection Tool     ::
::              Windows version v1.0              ::

[+] Test 1: IDT
IDT base: 0x8003f400
Result  : Native OS


[+] Test 2: LDT
LDT base: 0xdead0000
Result  : Native OS


[+] Test 3: GDT
GDT base: 0x8003f000
Result  : Native OS


[+] Test 4: STR
STR base: 0x28000000
Result  : Native OS


[+] Test 5: VMware "get version" command
Result  : Native OS


[+] Test 6: VMware "get memory size" command
Result  : Native OS


[+] Test 7: VMware emulation mode
Result  : VMware detected (emulation mode detected)

::                   tk,  2008                    ::
::               [ www.trapkit.de ]               ::
####################################################