Closed Svieg closed 2 years ago
So while this provides a decent framework for further hiding our VMs, I believe the actual interesting addition here would be the registry keys / files / etc. As-is I don't think anyone would really start using the functionality.
Hi Jurriaan, what would be the modifications needed in order to make it more interesting? It also already covers registry editing and directory modification. Maybe the way it is presented should change, but are the functionalities interesting?
So yes, the possibilities are interesting. But the most important part here is not being able to do those operations, but actually doing them, so pretty much what's happening here https://github.com/cuckoosandbox/cuckoo/blob/master/analyzer/windows/modules/auxiliary/disguise.py
Do you think that premade profiles that users could modify would be interesting?
@Svieg sorry for the late reply - on Github anyway - yes, premade profiles is actually what would make this PR interesting. As mentioned here just the framework for doing such things won't be picked up by the regular users ;-) Please let me know if you intend to work on such profiles.
Yes, I would like to do it and provide a format that would be used by Malboxes too. The profiles would be shareable between the two tools so we can help each other!
Sounds like a plan ;-)
This pull request adds bin/vmcloak-hide that enables you to apply custom configuration profiles (formatted in JSON) to modify registry keys and directories to create a more realistic environment for your sandbox! It also includes bin/vmcloak-createprofile to help you create those profiles with a step-by-step text interface or by using the CLI with parameters.