Setting up an UNDETECTABLE VM for Malware Analysis

Подписаться 83 тыс.

Просмотров 62 тыс.

50% 1

Setting up an UNDETECTABLE VM for Malware Analysis
Official Discord Server - / discord
Follow me on X - / atericparker
VMWare-Hardened-Loader github.com/hzq...
O&O Shutup 10 - www.oo-softwar...
Atlas OS (yes hell froze over I'm actually promoting this) - atlasos.net/
Additional resources for hiding your VMS:
docs.vrchat.co...
forum.level1te...
For network analysis you can either do what I do with mitmproxy, or you can store the sslkeylogfile and decrypt it in wireshark: wiki.wireshark...
Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
Cracks are sometimes shown to highlight the dangers of software piracy, my content is not intended to teach anybody how to pirate, or maliciously hack.
More Malware Investigation Videos:
→ The latest "NORD" Malware - Nordsecured: • The latest 'NORD' Malw...
→🧧VIRUS WARNING🧧 NEW Optifine for Minecraft 1.16 SCAM: • 🧧VIRUS WARNING🧧 NEW Op...
→ The wilkreate RU-vid stealer virus that started this whole trend: • Fake sponsor DESTROYS ...
(C) Eric Parker 2024

Опубликовано:

19 авг 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 285

@Beetlebugoid 2 месяца назад

1:55 "lain" ...Obviously

@lainpilled 2 месяца назад

and navi haha

@umzfbupzvatg1916 2 месяца назад

@@lainpilled i thought i was the only one who names my hostnames navi lol, i even made copland os grub and sddm theme

@trajectoryunown 2 месяца назад

@@umzfbupzvatg1916 I call mine NAVI too!

@debil3206 Месяц назад

let's all love lain :)

@Dayreaverthe_Theo День назад

@@debil3206 TOKYOPILL MENTIONED GRAHHH

@JoeyGarvey 2 месяца назад

there was a video that Jim Browning did on creating an undetectable VM for scambaiting , but it's a bit outdated and I couldn't really find a tutorial for once ever since. Thank you!!

@EricParker 2 месяца назад

The needs for that are different. Malware (except for very advanced cases) just scans a few strings, humans use different heuristics.

@leslyschafer1879 2 месяца назад

@@EricParkerIf it's truly undetectable, try running Valorant with vanguard.

@nothappyz 2 месяца назад

@@leslyschafer1879 if you'd seen the video you'd know that it does not support vanguard-level anticheats

@DianRBLX 2 месяца назад

@@leslyschafer1879 3:56

@trimidsmod6391 Месяц назад

@@leslyschafer1879 dude said it's not detected for most things, he never said it's not detected for everything

@Astrid-- 2 месяца назад

Tip: If you have relatives or friends that would fall for malware or scams, do the reverse of this video and make their PC look like a VM :3

@EasternAnalogue1289 2 месяца назад

That... Might actually be a good idea!!

@Yarpopcat08 2 месяца назад

I believe I actually saw a github project, that did exactly that) Sadly, I don't remember it's name anymore

@biigsmokee 2 месяца назад

Scammers tend to destroy the VM when they see it's a VM so..

@JustLinuxMan 2 месяца назад

@@biigsmokeereally? Any example you may have?

@EasternAnalogue1289 2 месяца назад

@@JustLinuxMan Edit: This comment was a misunderstanding. my bad. He didn't mean it in a mean way. I choose to keep it here because I shouldn't hide my mistakes. "Literally anywhere on RU-vid, 'Scammer Destroys VM'? You can't invalidate someone's argument just because you were too lazy to find the proof yourself."

@kabooki22 2 месяца назад

Yes, I'm totally here for a tutorial and NOT just here because it was in my recommended.

@GriffinForte 2 месяца назад

Yes

@Lord_common_sense 2 месяца назад

Yes

@GriffinForte 2 месяца назад

Wait opps

@BlackXixo 2 месяца назад

Yuuuup

@DaffyDaffyDaffy33322 Месяц назад

Wait is that better or worse than RU-vid thinking it's a good recommendation for you?

@j2sk 2 месяца назад

If it can't run in a vm, its gotta be malware lol AntiCheats: sweats profusely

@nezu_cc 2 месяца назад

or DRM

@Sharpless2 2 месяца назад

@@nezu_cc DRM is malware

@warmike 2 месяца назад

Bingo!

@bait6571 2 месяца назад

legit man, it sucks

@synexiasaturnds727yearsago7 2 месяца назад

@@nezu_cc so malware

@Xylon6301 2 месяца назад

GOAT level timing with RATs everywhere now.

@SaarN1337 2 месяца назад

It's always interesting to see VMs,Linux and Windows being used for new things - like security. I really enjoy watching your content.

@ikcikor3670 Месяц назад

I am quite sure 99% of Cyber security ever was done on either Windows or Linux

@cooolgamer-vanced 2 месяца назад

Great tutorial! I really like to see virus tests and how they work, as Enderman and Siam Alam does (they're not active anymore it seems...). But it's nice to see someone else doing the same thing and going deeper into the analysis than them :)

@jonctr 2 месяца назад

Thanks just what I wanted - had a feeling that some downloads were not fully active under my normal VM

@splxt669 2 месяца назад

been binging your vids recently, keep up the good work man!

@jp46614 2 месяца назад

It would be great if these VM products provided a way to modify more attributes or be able to mimic a real machine, it's clearly possible to do that, although you likely wouldn't be able to use guest support since that's an easy spot for VM detectors.

@typingcat 2 месяца назад

I'm so glad that I no longer have to use ShutUp10 (awful user interface), because I moved to Linux.

@sudonim116 2 месяца назад

Welcome!

@southernflatland 2 месяца назад

Welcome fellow penguin 👍

@isheamongus811 2 месяца назад

Now you have to deal with GNOME:)

@LoganDark4357 2 месяца назад

@@isheamongus811 how do you know if they use GNOME?

@raggebatman Месяц назад

@@isheamongus811 or choose not to :)

@der.Schtefan 2 месяца назад

Got it. So I will build my Malware to stay dormant unless Windows telemetry is ON and we detect an Nvme

@WhoooshyYT 2 месяца назад

Thank you for this tutorial, Eric! Your instructions were precise, to the point, and easy to understand. I also learned new things along the way because you explained why you were going with certain settings instead of others. I was able to replicate this undetectable VM in my VMware Workstation.

@yilong_ma Месяц назад

Been waiting for an up to date video on this topic. Thank you so much Mr Parker!

@7chicken 2 месяца назад

question - what would happen if you configured everything to look like a VM, like a reverse spoof i guess? essentially the opposite of what you're doing in this video? would that be more effective as an antivirus than an antivirus?

@V530-15ICR 2 месяца назад

Depends on the malware. Maybe it doesn't care about if the PC is real or VM.

@tpd1864blake Месяц назад

For most malware, it probably won't do anything. For enterprise-grade malware, it might either refuse to run in the VM, or it detects that it's in a VM and uses an exploit to escape into your host system

@raskr8137 Месяц назад

I believe there is actually a recent project that does exactly that! Can't remember what it's called though. It's probably not going to be more effective than an antivirus, but nothing's preventing you from using that and a regular antivirus at the same time

@KyuDoesCode 19 дней назад

He handles that in a new video :)

@user-mp6sw2tu5v 16 дней назад

@@raskr8137 Cyber Scarecrow

@Decommissioned 2 месяца назад

For rdtsc all you need is a kernel patch, there are already a few online so all you need to do is recompile the Linux kernel with the patch applied.

@bait6571 2 месяца назад

I read on the unknowncheats forum that pafish's rdtsc check is very basic and the public rdtsc patches usually use pafish to check if they work. Then some anticheats more advanced timing checks which public patches dont fix.

@habibidom 2 месяца назад

Watching you since 17k, all i can say is, keep up the good content brother.

@omgsky-yt Месяц назад

A undetectable KVM tutorial would be appreciated

@BlueSheep95 2 месяца назад

You can use "Shift+g" and "gg" to jump to the top or bottom of a file in Vim.

@crimson750 2 месяца назад

Recently discovered your channel and I love the videos. Keep it up!

@definitelyaraven 2 месяца назад

OMW to do the reverse of this to make my gaming PC look like a virtual machine to malware

@daanmageddon 2 месяца назад

In "more or less" most of the nix apps, shift-g (a capital G) will get you to the end of the output. Maybe that's also true for Vi. I guess entering a number with g just goes to that line number.

@c128stuff 2 месяца назад

The 'official' way to do this in vi is ":$"

@daanmageddon 2 месяца назад

@@c128stuff I checked it out, seems both ":$" and "G" takes you to the beginning of the last line in the file, however not just "g" but "gg" takes you back to the first char in the file, i assumed just g. The "official way" to jump to a line number just seems to be ":n", where n is the line number. Could not find any reference to g combined with a number to jump to that line number, an undocumented feature?

@c128stuff 2 месяца назад

@@daanmageddon no idea about g combined with a number. : gets you to the line number mentioned. $ just happens to always be the last line. This also works for other commands which accept or require line numbers, for example :5,$s/old/new/g will replace every occurance of 'old' with 'new', starting at line 5 upto and including the last line of the file.

@mintydevil7982 Месяц назад

eric aint pregnant but he delivers.

@balsalmalberto8086 2 месяца назад

Next video idea: spoof our main system as a VM so vm aware malware doesn't run on it.

@EricParker 2 месяца назад

cyberscarecrow actually does that. Might make a video on it.

@ASpootifulMind Месяц назад

VirtualBox and qemu should try to make an abstraction layer for mirroring the hardware your running that VM on, that way it looks like the machine you're using but still running under emulation and harder to detect. Then again, I think qemu still has a problem giving direct access to the GPU in emulation (which is why you need two GPUs for that stuff) so I'm not sure that's happening anytime soon. It would be good for virtualisation and security, however, and something that should be more common even among the average user.

@qwe-lb9di 2 месяца назад

Literally searched for this two days ago, thanks a lot!

@shadowjoi1254 2 месяца назад

you need to be 3 mil subs keep up the work

@MysLouis 2 месяца назад

finally perfect tutorial! one time malware get on my computer 😅 im lucky that antyvirus catch it

@SkizzieSpeedruns Месяц назад

I know i am kinda late to this, but if you actually, before installation select to use BIOS instead of UEFI, you then won't see the Vmware version of bios in system info, but instead you'll see: "Phoenix Technologies LTD 6.00, 11/12/2020" I am also pretty sure that you can then modify the name of the BIOS to your liking. Renaming the BIOS version with the UEFI installation doesn't seem to work, and is still called after Vmware.

@euroski516 Месяц назад

where exactly in the part of the video if you dont mind me asking

@aaesth 2 месяца назад

i love lain

@pvc988 2 месяца назад

we all love lain

@muffinzmuffin-qs7sb 2 месяца назад

rare sewerslvt profile spotted

@balsalmalberto8086 2 месяца назад

he can haz cheez burger.

@kevinwydler7305 2 месяца назад

Makes me wonder: Could you modify these things on an everyday system in the opposite way so that malware thinks it‘s a VM even though its not ?

@vladislavkaras491 2 месяца назад

Thanks for the demonstration of some of your stuff!

@TabbyEgg312 2 месяца назад

omg i needed a tutorial for this, absolute great timing

@_eduard4869 2 месяца назад

Love you Eric best IT man!

@mendyc158 2 месяца назад

Me: maybe with this I’m gonna be able to play LoL/Valorant on VM inside Linux. Since QEMU doesn’t work Video: 4:20 it won’t allow vanguard Me: never mind

@Breemskin 2 месяца назад

I'm sure this is elsewhere in the comments, but shift+g will take you directly to the bottom of the file in vim

@Cainny 2 месяца назад

Hey Eric, I know you read these comments, and I have a cool video suggestion. You could try testing the 'bad reputation' anti viruses like McAfee, Avast, AVG, etc, against modern malware. People always talk bad about them, but I've never seen them tested. At least not in recent years. The PC Security channel does content testing 'Good AVs against modern malware. Why don't you test the bad ones 😁

@Kitulous 15 дней назад

couldn't malware detect that we have a SCSI ssd or an AMD engineering sample and therefore find out we're in a VM?

@Roizor 2 месяца назад

you can press “g” in normal mode to go straight to the bottom in neovim!

@hallrules 2 месяца назад

I tried pafish on my main machine and it detected the CPU timestamp thing you were talking about, along with the hypervisor and mouse things lol

@Kalphalus 2 месяца назад

Wait… can I spoof a main pcs mac address and other info to be vm defaults to block some malware from running?

@jamesphillips2285 2 месяца назад

AFAIK most Drivers let you modify the MAC address. If you set it to a Private MAC address: the malware may assume it is in a VM.

@pacsmile 2 месяца назад

4:03 "you're not gonna run riot vanguard on this, but why do you want to" it's literally the only reason i want an undetectable vm, to be able to play lol with a linux host lol

@bololop1625 8 дней назад

Error while opening the virtual machine: VMX file is corrupt. scsi0.sasWWID = "50 05 05 65 b8 9d c9 70"i

@crzyecks 2 месяца назад

I like your malware analysis videos

@jagjyot4828 2 месяца назад

could you try running something like Vanguard on this VM?

@c128stuff 2 месяца назад

Changing the disk type for a windows VM is a real pita, but not impossible without full reinstall. Its not worth the hassle usually.

@katykat5099 2 месяца назад

Oh, hey I was wondering about that! Thanks.

@gogiy 17 дней назад

It's not like malware developers can't just copy the code of paranoidfish to check for a virtual environment

@JaddarJexiszuir 2 месяца назад

In vim, you can just press 'G' to go to the last line.

@Sumire973 2 месяца назад

I wonder, will this work for games with anticheats and DRMs that detect the use of a VM? Because those tend to be the most powerful, widespread, and sophisticated kinds of corporate-sponsored malware.

@asunavk69 2 месяца назад

Up to some point, perhaps, like for instance fortnite if u do simpler spoofing, like shown in the video and some other further steps. Vanguard(if even possible) would like even need some recompilling(on linux) and really just more advanced stuff just to spoof and go undetected(granted if u cheat, u will speed the probability of things going wrong).

@Meppy0200 2 месяца назад

It's 3 AM and I don't know why I am here

@scoptimizations 17 дней назад

Hmmmm. I did everything how you described in the video.... got trace for pseudo devices; vmmouse.sys, vmhgfs.sys and Reg key. Anything which could cause this? Was using MS10Pro 22H2 iso from MS.

@Xiph1980 2 месяца назад

For vi shift+G to get to the end. gg to go to the start, and shift+A to append at the end of the line.

@Soup69God 2 месяца назад

Ill have to give this a try. I was using a special virtualbox loader but the devs stopped updating it and eventually removed the repo. 😢

@EvelynnandArt 2 месяца назад

i would want to run riot vanguard in a vm since im a linux user, and want to play the game, while not having it have access to my hole system

@MrMotoX450 Месяц назад

4:00 "you're not gonna run Riot Vanguard on this but, why do you want to?". Answer: Running Riot games on my M1 Mac via Parallels would be great!

@endoxidev 2 месяца назад

One question, wondering if triage is undetectable?

@isheamongus811 2 месяца назад

3:40 if the malware can write forst 512kB of the drive, nothing will help except on BIOS level.

@Tco-exploiter 2 месяца назад

AINT NO WAY THIS WAS 20SECCONDS AGO

@Plasticshavings 2 месяца назад

it wasn't. youtube delays the shit out of release dates for some reason

@FireTigerARG Месяц назад

What if malware blacklists that HardenedLoader driver ?

@falling_ Месяц назад

5:44 My vms drive still shows up as "vmware" Edit: "VMware, Asus (thats what i made it) SCSI Disk Device

@yuras784 Месяц назад

if I don't install vm tools i don't have a network connection..

@asddsaasdfg2846 2 месяца назад

This is so useful thank you!

@reecemartin2794 2 месяца назад

Love this, more tutorials please

@PracticalPcGuide 2 месяца назад

why not changing the CPU ID to something believable other than AMD sample? like having a 5950x and call it i7 4770k with 4c8t assigned or something with equivalent clock speed and c-t?

@EricParker 2 месяца назад

I didn't spoof it period (that is my real CPU). It's a fingerprint for sure, but it's not likely to be blocked.

@leonniebuhr7193 2 месяца назад

do kernel level anticheats see it as vm?

@FoxyAnimater 2 месяца назад

is there a way to do this in qemu-kvm on Linux using Vert-Manager? a lot of us linux users would like to contain the windows malware and increase compatibility with the games we can play(essentially, how do we create an environment to containerize a kernel-level anticheat that(for all intents and purposes) is malware anyway and won't run in Wine/Proton?)

@POLARTTYRTM 2 месяца назад

Couldn't you use a server version of BSD to set up a virtual environment by companies, shops, hospitals, etc for one machine since they heavily use that for virtualization and most malware runs on these virtual environments without ever knowing it's virtual?

@EricParker 2 месяца назад

Depends hugely on the malware. Linux / IOT malware will run under VMs without complaint, most windows malware will not

@POLARTTYRTM 2 месяца назад

@@EricParker I badly worded my reply. I meant they use BSD or Linux for virtualization but many of them use windows VMs to serve as everyday using for their daily activities while having only one computer running the entire company, shop, etc but their hypervisors don't really run these VMs as VMs as far as I know because of the way they are set up, malware just think they are real machines and that's how many malware just go rogue infecting entire networks.

@baraka629 2 месяца назад

Think this VM approach would also work for isolating kernel-level anticheat tools? I heard people who tried to run some games under Linux had success with a nested VM approach (using intel's Hyper-v)

@gordonfreeman9641 2 месяца назад

He specifically said it won't, i tested roblox just for shits n giggles and it still detects it

@baraka629 2 месяца назад

@@gordonfreeman9641 oh right, just got to the part in the video. guess nested VMs it is, then.

@EricParker 2 месяца назад

It's incompatible with 3d acceleration regardless of detection. Our "rootkit" is not useful against another kernel driver.

@trimidsmod6391 Месяц назад

@@EricParker Can't you still install vmware tools and just make that not detected?

@kufito2592 Месяц назад

i try to do the steps and dont work for me

@binboupan8076 2 месяца назад

rdtsc can be passed with a modified kernel

@anuario3708 Месяц назад

Can I use it to avoid respondus lockdown detection

@JS-ii3rn Месяц назад

Nvim: gg = first line; Shift+g = last line

@Maske4 2 месяца назад

What OS do you use in your everyday desktop?

@EricParker 2 месяца назад

Arch

@j233wfyw 2 месяца назад

@@EricParkergoat 🎉 i love arch and lain

@Maske4 Месяц назад

@@EricParker 😮😮😮😮😮

@Anim4000 2 месяца назад

there is similar with KVM? so I can pass through PCIe Card like Network Card, GPU and USB

@Proferk Месяц назад

whats the point of making such a stealthy vm, when the only thing in your skillset is using wireshark and mitmproxy?

@dedicatedserver8214 13 дней назад

The VM is super laggy and slow without vmware tools installed

@poocyx 2 месяца назад

great video eric.

@JustAmnesias 2 месяца назад

The best thank you ( i really need it )

@WickedNinja48 2 месяца назад

hey buddy, "eric", nice thumbnail on this one, Google cleverly blocked my dearrow thumbnail changer for THIS video. One way google codes is they throw a mix into the algorithm that jokes back at the user with videos like these that are unable to see the other thumbnail options because the video is being shown with some other voodoo CSS/HTML javascript for the thumbnail to be different than other videos considering otherwise the extension code likely would have worked. Actually been a fan of the channel its good content, I agree with other users you zoom is a bit too focused and not technically better for mobile.

@DMitchXO 20 дней назад

is there one for virtualbox or im just outdated?..

@oussaber Месяц назад

"G" to go to the bottom of the file in VIM

@distortions Месяц назад

Can you make one for virtualbox?

@lennywhere Месяц назад

let's all love lain

@Veticia 2 месяца назад

How do I make my to-the-metal windows pc appear as VM so malware is scared to run on it?

@orngjce223 2 месяца назад

You know, this is also a tutorial for how to run certain extremely popular games with invasive anticheats on Linux.

@James2210 2 месяца назад

to go to the end of file use G and then a

@runed0s86 2 месяца назад

Can you make one of these videos for a Linux host? It would be a much more useful video.

@EricParker 2 месяца назад

I'm on Linux. If you mean with QEMU / KVM I am actually planning to, but I am in the process of installing Gentoo for it, as it involves quite a bit of kernel patching.

@H.N7 2 месяца назад

The rdtsc hack doesn't have 100% success chance. Works at first, but eventually it'll start failing.

@prohax1 2 месяца назад

Does this also unlock CPU features?

@EricParker 2 месяца назад

What do you want to unlock?

@andreluiz9726 2 месяца назад

"G" goes to the botton when using vim

@rogercruz1547 2 месяца назад

Can I use this to attempt running some games that don't run on linux without having to dual boot?

@GogoTheSomeone 2 месяца назад

I was just trying to find a video like this. The virus ran on vmware tools, but it is very persistent :(

@Salad_ 2 месяца назад

when you showed the vmhardended thing the first thing that came in mind was riot vanguard, do you think there is any way to still get it to work on a vm? i want to switch to linux but i also play riot games often enough that i cant do it yet haha