[Tutorial] How to make a stealthy Virtual Machine

Captions
These days I'm finding cannier and cannier tech support scammers. Here's an example. "All right, just give me a while, let me go ahead and check it for you." So this guy has just connected, and the first command he runs is device management. He's taking a look at the devices he's dealing with. In my case I run VMware, and he selects a disk drive and looks carefully at the description. He sees VMware. "Oh, I see that." So he immediately knows that I'm probably trying to scambait him, and he decides just to hang up the call. So a little while later I phoned the same organization back, and I was able to disguise the drive. This is a guide to show you how you too can disguise all of those devices on your virtual machine, really stealthy.

OK, so how do you make your Windows 10 machine stealthy? Well, the first thing to do is to make the devices stealthy. You do this by running regedit; again, Windows+R, regedit will do this. When Registry Editor comes up, you're looking for a particular point called HKEY_LOCAL_MACHINE, then SYSTEM, then ControlSet001, and then Enum. Again, this will be in the description below, if you could just navigate straight to this point in the registry. So at this point I need to be able to edit this part of the registry, and you won't normally be able to do this; only SYSTEM can actually change anything in the registry at this point. So the first thing to do is give yourself that permission. If you right-click on Enum, hit Permissions and then have a look at the permissions for Enum, you'll see that only SYSTEM is allowed to write or update this point; owner rights are not given, and everyone else can just read. So if we look at the SYSTEM, what we need to do then is just add yourself as an administrator for this object at this point, and you do that by clicking on Add, typing in your username, whatever it is (in this case my username is just "username"), clicking on Check Names and hitting OK. At this point I've added one user, and I want to give this user Full Control at this point.

So if I hit Apply, it will say access denied, and the reason for that is I still don't have permission. So in order to give myself permission for not just this object but everything below it, click on Advanced and then change the owner of this point in the directory. I've not only got to change the owner at this point but everything below it. So the first thing to do is click on Change, and again you'll need to type in your username; again, Check Names just to make sure it's spelt right, and hit OK. Initially you've only changed the top level at this point to "username"; what you need to do is also tick this box saying "Replace owner on subcontainers and objects". So again, make sure that button is ticked, hit Apply, and it will say it couldn't set the owner on the key selected or some of its subkeys. That should be OK, and again OK right out of this, again OK; it's just telling you that it couldn't do everything. So at this point I've allowed "username" to be the owner, but I still haven't given everything below this point the permission. So you've got to go again back into Advanced, and this time click on "Replace all child object permission entries with inheritable permission entries from this object". That just means that the Full Control that we've given ourselves at this point will be inherited by everything below it. So I tick the box and again hit OK. It will warn me that it will change permissions; that's OK, say Yes, and OK out of it. Again it will tell you that some subkeys couldn't be changed, but that should be OK, so again OK and Apply, OK. At this point you should have permission to edit everything below this point, but just do a double check: if you expand Enum, maybe select something like SCSI and select one of the disks here (I'll select my CD-ROM). If you right-click at this point and press Permissions, you should see your username in here. If you don't, you won't be able to edit this, so double check that you've done each of the two steps above: give yourself ownership, give yourself permission.

OK, so at this point we now need to go back up to the Enum level, so just close that one and click on Enum. At this point we look for three or four registry entries. Now again, this is in the description, but you need to right-click the Enum part of the registry, click on Find and paste in the first of the four values that are in the description. They all look very similar, but you'll notice that at the end of the first batch of numbers this digit will change from a 7, an 8, to 5 and an F. But if you look at this one, this is actually going to be the GUID for the disk. So if we click on Find Next it should jump to the SCSI part of the directory, and it will highlight one particular value underneath something called Disk and Vendor, and again its description is the VMware disk. Now you'll be editing one of two types, either something called friendly name or device description. In the case of a disk, if you see a friendly name at all, that's the one that you need to edit. So click on friendly name, right-click to Modify, and again you'll see the typical device description that comes up whenever you expand what the disk device looks like. So it's important to give it a fairly realistic value. In my case I would advise you just to use whatever disk you currently use in your host machine, so if it happens to be a Samsung 500 gig disk, let's give it "500 gigabyte"; "ATA Device" is usually what's put into the device at this point. Obviously vary this; we don't want all of these virtual machines looking the same for scammers. So if you click on OK, again, I've just changed the friendly name; there's no need to change the device description as well, just friendly name if it appears. And that's it for the first part, which is the disk.

The second place we're going to look is the device which is normally associated with the display adapter. So we go back up to Enum, right-click and do Find, and I replace this with the next value; again, there should be a digit 8 here. If you do Find Next it should find, yes, in this case it's the SVGA device. Now here there's no friendly description, so you have to edit the device description at this point. So again click on the device description, right-click, Modify, and although it's tempting just to change the last bit of this, actually you'll find that VMware appears because it's pulling entries out of the device driver files, so you actually need to delete the whole lot and give yourself whatever display adapter device you'd like. Let's try NVIDIA, and we'll give ourselves a GTX 1080. OK, whoops. Give yourself a realistic device and that's enough; the device description for this particular registry entry is enough.

So we go back to Enum again, right-click and do Find, and this time you'll need the third registry entry to find; again, this is in the description, and you'll see it has a digit 5 at this point. Hit Next, and here we've got our VMware friendly name of the CD device. So again there's both device description and friendly name; friendly name's here, modify it. So this will now look like, we'll give ourselves an NEC DVD read-writer or something. I'll call it "SATA DVD" just to make it look convincing. OK, so the friendly name has changed here, so that's it for that device.

The last one that we need to do: again go up to Enum, and you will look for, in this case, another registry entry. Right-click, again do Find, enter the value that will have an F at the end. Now unfortunately this device has three entries, so we look for the first one first, and this is the mouse device. We'll give it a chance and it will find, it should find something under the ACPI, and we need to go in. Again there's no friendly device description, so we need to edit device description. Right-click, Modify, and we'll just call this, again delete the whole lot, "Microsoft pointing device". But we're not finished yet, unfortunately. So you've updated one, but there's another two to do. F3: we'll look for the next entry, which is just below that. So we've already updated this; that's just the description of the device, so we need to hit F3 again. At this point we go to a different point in the registry, and again it's got a device description. You right-click it, Modify, and again give ourselves, in this case this is the USB version of the same device, so "Microsoft USB pointing device". And if I click F3 it'll put just the next line, so we've already updated this; there's no need to update this part. So our final F3 takes us to another point in the registry, and again the device description needs to be modified here, so right-click, Modify, and just make this "Microsoft". OK, and once I've made those three changes for that last registry entry, that's it, done as far as device descriptions go.

So if I close Registry Editor and if I run up, in this case, Device Manager, let's have a look at our devices now. So for this computer let's look at the disk drive: we've got our Samsung 500 gig. Let's look at the display adapter, and that's an NVIDIA GTX 1080. Let's look at the CD-ROM, and it's an NEC DVD device. And if you look at mouse, it's a Microsoft pointing device. So all of these entries have now been updated, and if the scammer looks into your devices he won't see any references to VMware. So that's one part.

The second part is how to disguise your VMware Tools. Now I'm assuming at this point you've already installed VMware Tools; let's just have a look at them. So the first thing to do is the easy bit, which is just disabling this icon so it's not visible. OK, so it's no longer in our system tray, but what we do need to do is make sure it doesn't appear in the installed software. So if I do, again, Windows+R, appwiz.cpl, this is just a quick shortcut route to look at what software is installed, and you can see that VMware Tools is quite obviously there. Now at this point I decided to have a dig into the registry for VMware Tools, and as it turns out it's the same in every installation, unlike devices, where you really do have to go in and individually edit your registry because quite simply it's different for every case. With VMware Tools there's a standard installation, and I've included two registry files, one to update the registry, the other to restore. OK, so I've given myself two registry entries. Let me just switch on the fact that I just, I never like this where I show my extensions. So you should have two files from the download in the description, one called restoretools.reg and the other one called stealthytools.reg. These are editable, so if you want to have a look at this you can see what I've put in as the description; mostly I've given the publisher as Microsoft, but I've called the display name "Visual C++". You can change this to whatever you want, and there's a couple of registry entries to do this, and so if you need to change that to something else or even give it a different icon, there's ways of doing that if you just browse through that file. Anyway, if you look at the installed software and if you double-click stealthytools.reg, you'll be asked to confirm: do you want to update your registry? If you click Yes it should be successfully added; if it doesn't, you need to be an admin user. And if you click OK and then we look back at our programs which are installed, at this point you will see that VMware Tools no longer appears, but instead of that there's something called Microsoft Visual C++ 2005. You can call the software whatever you like, but that is now the disguised version of VMware Tools. If you really want to restore it again, if you just double-click restoretools.reg and confirm, and again go back into Programs and Features, you'll see that VMware Tools reappears again. So I'm going to keep that as stealthy, so let me rerun stealthytools, Yes, and again, and again if we go back into Programs and Features we've got our C++ 2005 entry. So it's good to keep the VMware Tools, because that keeps the virtual machine running as fast as it can, and you can cut and paste between your host machine and the VM, so it's always important to have that.

And the very last thing you need to do, and probably the easiest one, that probably people know best, is simply to update the BIOS information, and you do that outside the VM. So we're going to shut down this virtual machine; let me do that. When we shut it down we then need to go in and edit the VMX file associated with this virtual machine. So the VMX file is simply a configuration file, and you just need to search for that VMX file wherever you installed the virtual machine; in my case it's a Windows 10 machine. So I simply right-click the VMX file and add a line to it. I can ignore everything that's in this file; we just need to add a line to it, say it's called smbios.reflectHost = TRUE, and either have TRUE or "TRUE" in inverted commas, it doesn't really matter, or the number 1. What that will do is it will change the vendor and the host machine from VMware to, in this case, whatever your particular host machine is. So if we save this one, click Save, and if I go back into the machine at this point, it should be fully stealthy.

So let's fire it back up again. So if we power that up quickly, and so if we do Windows+R, the first thing we'll do is just check our devices, so devmgmt.msc. Let's go to our devices; you should see that the four devices which are the giveaways, disk drive, display adapter, CD-ROM and mice, do not contain the word VMware. That looks fine. Again, the second thing we need to do is appwiz.cpl and look for installed software; again, no indication that VMware is there. And finally, if we do msinfo32, we should see that the system manufacturer and system model do not contain VMware. Instead of running msinfo32, the occasional scammer will also run a command called dxdiag; in fact that command pulls the system manufacturer and system model information from the configuration of your host. So even if we run dxdiag, which I'm just about to do, you'll see that it also contains the word Gigabyte, which is my motherboard manufacturer, and system model again does not contain VMware. So that's about it for this tutorial. I hope this is useful, and I hope it will help people scambait. As usual, if you like this sort of video please give it a thumbs up and please do subscribe, because it gives me the motivation to produce more of these and to track down scammers. So once again, thank you for watching, and please comment below.
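The video checks its work by hand in Device Manager, appwiz.cpl, msinfo32 and dxdiag. The script below does the same check in one pass as a read-only audit: it lists every place in the guest where "VMware" (or "Virtual") still shows up in the locations the tutorial edits, so you can see what a scammer running those tools would see. It is an added example for this page, not Jim Browning's script and not part of the video's download. It assumes a Windows guest with PowerShell run as Administrator; the indicator strings and the report layout are my own choices, and the four class GUIDs are the standard Windows setup-class GUIDs for disk drive, display, CD-ROM and mouse, which the video identifies only by their differing digits 7, 8, 5 and F.

```powershell
# Added audit script (not from the video). Read-only: it reports, it changes nothing.
# Run in an elevated PowerShell inside the guest after the registry and VMX edits.

# Strings a scammer's eye (or a quick search) would catch. Assumed list; extend as needed.
$Indicators = @('VMware', 'Virtual')

# Well-known Windows setup-class GUIDs for the four device classes the video edits.
# The video refers to them by the last digit of the first hex group: 7, 8, 5, F.
$ClassNames = @{
    '{4d36e967-e325-11ce-bfc1-08002be10318}' = 'DiskDrive'
    '{4d36e968-e325-11ce-bfc1-08002be10318}' = 'Display'
    '{4d36e965-e325-11ce-bfc1-08002be10318}' = 'CDROM'
    '{4d36e96f-e325-11ce-bfc1-08002be10318}' = 'Mouse'
}

function Test-Indicator([string]$Text) {
    # Case-insensitive substring match against each indicator.
    foreach ($i in $Indicators) {
        if ($Text -and $Text -match [regex]::Escape($i)) { return $true }
    }
    return $false
}

$findings = @()

# 1. Device names. Device Manager shows FriendlyName when present, otherwise DeviceDesc,
#    read from each device instance key under Enum (the path the video edits by hand).
$enumPath = 'HKLM:\SYSTEM\ControlSet001\Enum'
Get-ChildItem -Path $enumPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $p) { return }
    $guid  = if ($p.ClassGUID) { $p.ClassGUID.ToLower() } else { '' }
    $class = if ($ClassNames.ContainsKey($guid)) { $ClassNames[$guid] } else { $guid }
    foreach ($name in 'FriendlyName', 'DeviceDesc') {
        $v = $p.$name
        if (Test-Indicator $v) {
            $findings += [pscustomobject]@{
                Area = 'Device'; Class = $class; Key = $_.Name; Value = "$name = $v"
            }
        }
    }
}

# 2. Programs and Features (appwiz.cpl) reads DisplayName/Publisher from the Uninstall keys.
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($name in 'DisplayName', 'Publisher') {
        if (Test-Indicator $_.$name) {
            $findings += [pscustomobject]@{
                Area = 'InstalledSoftware'; Class = ''; Key = $_.PSPath; Value = "$name = $($_.$name)"
            }
        }
    }
}

# 3. SMBIOS manufacturer/model, which msinfo32 and dxdiag display and which
#    smbios.reflectHost in the VMX is meant to replace with the host's values.
$cs   = Get-CimInstance -ClassName Win32_ComputerSystem
$bios = Get-CimInstance -ClassName Win32_BIOS
$smbios = @(
    @{ Name = 'ComputerSystem.Manufacturer'; Value = $cs.Manufacturer },
    @{ Name = 'ComputerSystem.Model';        Value = $cs.Model },
    @{ Name = 'BIOS.Manufacturer';           Value = $bios.Manufacturer },
    @{ Name = 'BIOS.SerialNumber';           Value = $bios.SerialNumber }
)
foreach ($entry in $smbios) {
    if (Test-Indicator $entry.Value) {
        $findings += [pscustomobject]@{
            Area = 'SMBIOS'; Class = ''; Key = $entry.Name; Value = $entry.Value
        }
    }
}

if ($findings.Count -eq 0) {
    'No VMware indicators found in devices, installed software or SMBIOS.'
} else {
    $findings | Sort-Object Area, Class | Format-Table -AutoSize -Wrap
}
```

Any row in the Device area whose Class is DiskDrive, Display, CDROM or Mouse points at a key the tutorial's Find steps should have reached; rows in other classes (network adapters, for instance) are further places the video does not cover. The system tray icon is not something this script can see, so that step still needs the manual check described above.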
Info
Channel: Jim Browning
Views: 818,553
Keywords: scamming, scam baiting, VMWare, VMware tutorial, VMware registry files, Virtual Machine, How to make a virtual machine, tutorial, help with VM
Id: 6TM45vNI4Qc
Length: 18min 39sec (1119 seconds)
Published: Sat Feb 11 2017