Irregular Expressions

Aug 15 2012   1:17AM GMT

VMWare Malware Lab

Dan O'Connor

I am not going to cover the basic setup of a VMware based lab; really, you can use whatever you want as long as you can keep it isolated from the host.

I use VMware for a couple of reasons, mainly the ability to move VMs back and forth between Fusion, Workstation and ESXi if needed.

The main reason is to try to avoid VMware detection, which you can do with some info from here.

Here is what you need to add to the VMX file of the VM.

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"

I have found that if you are in the middle of a series of snapshots, the best thing to do is revert, shut down, add the lines to the VMX, set the VMX file to read-only, power on and play.
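As an added example (not from the original post), here is a small POSIX shell script that merges the settings above into a VMX file and then marks it read-only, so the lines survive VMware rewriting the file on power-off. If a key is already present with some other value, the old line is dropped and replaced rather than duplicated, so running it twice is safe. It assumes a Unix-like host (Fusion or Linux Workstation), that the VMX path is passed as the first argument, and the key names exactly as listed above; the `malware-lab` VMX used in the usage line is a constructed sample.

```sh
#!/bin/sh
# Added example: merge the anti-detection keys from the post into a VMX file.
# Assumes a Unix-like host; the VMX path is given as $1.

# Key list as given in the post, one per line.
VMX_KEYS='isolation.tools.getPtrLocation.disable
isolation.tools.setPtrLocation.disable
isolation.tools.setVersion.disable
isolation.tools.getVersion.disable
monitor_control.disable_directexec
monitor_control.disable_chksimd
monitor_control.disable_ntreloc
monitor_control.disable_selfmod
monitor_control.disable_reloc
monitor_control.disable_btinout
monitor_control.disable_btmemspace
monitor_control.disable_btpriv
monitor_control.disable_btseg'

# apply_vmx_settings FILE
#   Removes any existing assignment of the keys above (whatever its value),
#   appends each key as  key = "TRUE", then makes the file read-only so the
#   hypervisor cannot rewrite it on power-off.
apply_vmx_settings() {
  vmx="$1"
  [ -f "$vmx" ] || { printf 'no such file: %s\n' "$vmx" >&2; return 1; }
  tmp="${vmx}.tmp.$$"
  printf '%s\n' "$VMX_KEYS" | awk '
    # First input (stdin): the key list, kept in order.
    NR == FNR { if (NF) { want[$1] = 1; order[++n] = $1 }; next }
    # Second input: the existing VMX. Drop lines that assign one of our keys.
    {
      k = $0
      sub(/[[:space:]]*=.*/, "", k)      # strip "= value"
      gsub(/^[[:space:]]+/, "", k)       # strip leading blanks
      if (k in want) next
      print
    }
    END { for (i = 1; i <= n; i++) printf "%s = \"TRUE\"\n", order[i] }
  ' - "$vmx" > "$tmp" || { rm -f "$tmp"; return 1; }
  mv -f "$tmp" "$vmx" && chmod a-w "$vmx"
}

# vmx_value FILE KEY
#   Prints the unquoted value of KEY in FILE (empty if absent). Used to check
#   the result after applying the settings.
vmx_value() {
  awk -v key="$2" '
    {
      k = $0
      sub(/[[:space:]]*=.*/, "", k)
      gsub(/^[[:space:]]+/, "", k)
      if (k == key) {
        v = $0
        sub(/^[^=]*=[[:space:]]*/, "", v)
        gsub(/"/, "", v)
        print v
      }
    }
  ' "$1"
}

# Usage: ./vmx_harden.sh /path/to/malware-lab.vmx   (constructed sample path)
if [ $# -gt 0 ]; then
  apply_vmx_settings "$1" && printf 'updated %s (now read-only)\n' "$1"
fi
```

Run it after reverting and shutting down the VM, as the post describes; the read-only bit is what stops the hypervisor from dropping the lines when it rewrites the VMX at power-off, so remember to `chmod u+w` the file before making any later edits.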
