nsmfoo / antivmdetection

Script to create templates to use with VirtualBox to make vm detection harder
MIT License
714 stars 123 forks

problem with running the antivmdetect code in windows 10 virtual machine #51

Closed NisarHotac closed 3 years ago

NisarHotac commented 4 years ago

Hi there

My name is Nisar and I have this project of hardening a sandbox, e.g. a virtual Windows 10, so that anti-VM malware does not detect it and runs successfully in it.

So I ran Pafish and it gives me a few things to change in the Windows 10 virtual machine for the anti-VM malware to run successfully. But then I was googling and came across this post; now I have a problem running the "antivmdetect" code in my virtual Windows 10.

So I installed Python 3.8.2 and pip3.

I started cmd as administrator; it still gives me a problem such as:

--- Generate VirtualBox templates to help thwart VM detection and more .. - Mikael, @nsmfoo ---
Traceback (most recent call last):
  File "C:\Users\User\Desktop\antivmdetection-master\antivmdetect.py", line 20, in <module>
    if not os.geteuid()==0:
AttributeError: module 'os' has no attribute 'geteuid'

Any ideas please?

nsmfoo commented 4 years ago

@NisarHotac sorry for my late reply! So judging by the path in your error message, "C:\Users\User\Desktop\antivmdetection-master\antivmdetect.py", it looks like you are running the template builder from inside Windows, which is not going to work. Please consult the README.md. If you still are unable to get it to work, please let me know.

NisarHotac commented 4 years ago

I ran the script in the VM according to the README.md. Am I not meant to run it from inside the VM? I have installed everything except "sudo apt install python3-pip libcdio-utils acpica-tools mesa-utils"; this line of code is for Linux, it's not recognised by Windows? Any update please.

Thank you

NisarHotac commented 4 years ago

Also I don't understand this bit of the README.md:

"Create computer and user text files : hostname > computer.lst, whoami > user.lst . Modify if you want to use different machine names and users for the VMs (recommended is to fill the files with a long list of user and computer names)" ?

nsmfoo commented 4 years ago

@NisarHotac By reading what you write I'm convinced that you apply the template in the wrong way, perhaps the readme file is a bit unclear.

The main Python script should be run from a Linux installation. When successfully executed, you will end up with a few files: a shell file that should be run outside of the VM guest and a PowerShell file that you should run from inside the VM. The Linux machine from which you generate the template does not have to be the same computer which you will use it on, if that makes sense?

Regarding your second question, the two files "computer.lst" and "user.lst" can contain everything from one row each to as many as you fancy. The more the merrier as for each run inside the VM your computer will get a different computer and username.

I hope this makes things a bit clearer, if not please let me know

NisarHotac commented 4 years ago

I really appreciate your reply. I have Ubuntu 18.04 LTS on a real physical machine. I tried to run the "antivmdetect.py" Python 3 code from the terminal by typing "sudo python3 antivmdetect.py"; it gives me the following warning and tells me to install dependencies such as

"--- Generate VirtualBox templates to help thwart VM detection and more .. - Mikael, @nsmfoo ---
[WARNING] Dependencies are missing, please verify that you have installed: DevManView.exe"

I saw your comment on the issues; another guy had the same problem. Question: how do I get a copy of DevManView.exe?

Thank you

NisarHotac commented 4 years ago

[Screenshot from 2020-04-18 17-08-00]

Here is the photo. I have installed DevManView, but when I try to run DevManView on Ubuntu it tells me to install DevManView rather than accepting that it's installed?

NisarHotac commented 4 years ago

How do I create this: "Create computer and user text files : hostname > computer.lst, whoami > user.lst . Modify if you want to use different machine names and users for the VMs (recommended is to fill the files with a long list of user and computer names)"

Is it just making text files, one called computer.lst and the other one user.lst? Also I got the copy of DevManView from the link "wget https://download.sysinternals.com/files/VolumeId.zip https://www.nirsoft.net/utils/devmanview-x64.zip (x64 version)."

And I installed Wine in Ubuntu to read and execute .exe files, so when I open cmd, go to the same directory where DevManView is and type wine DevManView.exe, it opens a window of DevManView as shown in the above comment rather than installing it? Is this correct or what?

Thank you

NisarHotac commented 4 years ago

I solved the above problem. Now when I try to run the command "sudo python3 antivmdetect.py" I get this problem [Screenshot from 2020-04-18 19-48-08]. How can I solve this problem? I tried to uninstall dmidecode from pip but I couldn't do that either?

NisarHotac commented 4 years ago

Also tell me how to create those computer.lst and user.lst text files. Do I make them and dump them anywhere, or put them specifically in a certain place?

nsmfoo commented 4 years ago

@NisarHotac let's see if I can help you out.

Regarding devmanview, it should not be installed on Linux, so just drop the Windows binary in the location where you run the template script. The binary will be encoded and added to the output template; the reason for this is to have only one PowerShell script that you can move to your VMs.

The dmidecode error message looks to me like you are missing the Python module, did you run: pip3 install -r requirements.txt ?

NisarHotac commented 4 years ago

Yes, I did run pip3 install -r requirements.txt. It still gives me the same problem.

I'm sorry, I didn't quite get your answer. If I don't run DevManView on Linux, then should I run DevManView on my Windows 10 physical machine, or what?

I thought you told me to run the Python code on Linux and then it will produce two files, of which I would run one on the physical machine which contains the VM and the other on the VM.

NisarHotac commented 4 years ago

Could you not provide me with the two PowerShell files we need to run, one on the VM and the other on the real physical machine? That would solve the problem.

I mean the ultimate two files which I'm doing all this work for?

mngyuan commented 4 years ago

You just need to download and extract the devmanview (and volumeid) zips in the antivmdetection folder, as per the README:

The full commands might look like so:

cd ~/Desktop/antivmdetection-master
wget https://download.sysinternals.com/files/VolumeId.zip https://www.nirsoft.net/utils/devmanview-x64.zip
unzip VolumeId.zip
unzip devmanview-x64.zip

You might be getting the No module named 'dmidecode' error because the README suggests using sudo to run the script but it doesn't suggest using sudo to run pip3, so the module is installed for the current user, not root. You can get around this by using sudo to install like so:

sudo pip3 install -r requirements.txt

@nsmfoo you might consider updating the readme around this?

NisarHotac commented 4 years ago

Could you not provide me with the two PowerShell files we need to run, one on the VM and the other on the real physical machine? That would solve the problem.

I mean the ultimate two files which I'm doing all this work for?

I did what you said. It generated 3 files as shown below; it's giving me an error and telling me "please give a vm name!"

Any idea? Thank you.

nsmfoo commented 4 years ago

@NisarHotac perfect, soon you are "done"! So judging by the screenshot, VBox is not able to locate the VM. Please review the README, specifically the "Setup VM" part. If you have done that, then it's because it was done using another user. Meaning that the command "VBoxManage list vms" should list the VM(s).

I hope this makes sense, I know the whole procedure is a bit much. As noted in another case I think it's time to revisit the whole thing ...

NisarHotac commented 4 years ago

I read and tried to do as it's described in the README, so this is what I did:

I created a new virtual machine with exactly the same name as the file produced, "SatalletC50-A-1DV". I changed the stuff according to the README: 250 GB, changing the processor to less than or equal to 2, no virtualization, static IPv4 is set, I/O APIC was enabled, and I didn't start the VM; I closed the VirtualBox window. But I couldn't change anything in storage as mentioned in the README. Below is a screenshot of my VirtualBox storage.

After I installed the VM I executed the two PowerShell files on my real physical machine; it's giving me the problem as in my previous post.

Thank you

nsmfoo commented 4 years ago

@NisarHotac The command "VBoxManage list vms" is a native VirtualBox command. If you don't see any VMs using that command, the template script will not work. So you need to make sure that you do see the VM you have created.

Possible issues might be that the user you are running the scripts as is not member of the vbox group.

NisarHotac commented 4 years ago

But what is a vbox group? It sounds like it's a user. Is it a user on my physical machine or a user in the virtual machine? E.g. if my physical machine was named "nisar", like what? Do you expect me to change this? And am I running the script on my physical machine first?


But I think I have the right name as the name of the PowerShell file; see the screenshot below. This is my VirtualBox VM installed in it.

nsmfoo commented 4 years ago

@NisarHotac so when you run: "VBoxManage list vms" do you get a list of VMs?

NisarHotac commented 4 years ago

Here is the list of my VMs in VBoxManage. Is that correct?


This SATELLITEC50-A-1DV is the VM I'm targeting.

What is the name of the VM that the script is even looking for?

NisarHotac commented 4 years ago

The problem was:

[WARNING] Size of the DSDT file is too large (> 64k). Try to build the template from another computer

I looked at it manually; the size of the file was 108k. I tried to work it with the link you provided but unfortunately it didn't work.

nsmfoo commented 4 years ago

Hi @NisarHotac

1) So the script is not looking for a particular VM name; that's why you are asked by the script, during execution, to pick the VM that you would like to use. The command that I wanted you to run before, "VBoxManage list vms", is a native VirtualBox command that should display all registered VMs on your machine.

But I noticed now that you use Windows to execute the shell script, and given that I don't have much experience with the Linux subsystem, which I guess you need to run the shell script in Windows, I can't currently help you further on that subject.

2) The issue with the size of the DSDT larger than 64k is a stupid hardcoded limitation that the VirtualBox developers do not seem too keen on fixing, but please let them know that 2020 might be the year to finally go ahead and do it. So the only solution is to dust off your relative's laptop from the dark ages.. if you can't find a dump online.
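A pre-flight check that catches the failure modes raised in this thread before the template build is attempted: running on Windows where os.geteuid() does not exist, not running as root, the dmidecode module installed for the user but not for root, DevManView/VolumeId not unzipped next to the script, empty computer.lst/user.lst, and a DSDT dump above VirtualBox's 64k limit. This is an added example, not code from the antivmdetection project; the Volumeid.exe file name and the "one name per line" layout of the .lst files are assumptions.

```python
import importlib.util
import os
import sys
from pathlib import Path

DSDT_MAX_BYTES = 64 * 1024  # VirtualBox refuses DSDT dumps larger than 64k (see thread)
REQUIRED_BINARIES = ("DevManView.exe", "Volumeid.exe")  # Volumeid.exe name is an assumption
NAME_LISTS = ("computer.lst", "user.lst")  # assumed: one name per line, more rows = more variety


def evaluate(platform, euid, present, name_counts, dsdt_size, dmidecode_importable=True):
    """Pure check: return a list of problems, empty when the builder can run.

    platform: sys.platform value; euid: effective uid (None if the OS has none);
    present: file names in the working directory; name_counts: non-empty lines
    per .lst file; dsdt_size: bytes of the DSDT dump, or None if not dumped yet.
    """
    problems = []
    if not platform.startswith("linux"):
        # The script calls os.geteuid(), which only exists on POSIX; on Windows
        # that is the AttributeError shown at the top of the thread.
        problems.append(f"run the builder on Linux, not {platform}")
    elif euid != 0:
        problems.append("run the builder as root (sudo python3 antivmdetect.py)")
    elif not dmidecode_importable:
        # pip3 without sudo installs for the current user; root then cannot import it.
        problems.append("dmidecode module not importable as root: sudo pip3 install -r requirements.txt")
    for name in REQUIRED_BINARIES:
        if name not in present:
            problems.append(f"{name} missing: unzip it into the working directory (do not install it)")
    for name in NAME_LISTS:
        if name_counts.get(name, 0) < 1:
            problems.append(f"{name} needs at least one name (hostname > computer.lst, whoami > user.lst)")
    if dsdt_size is not None and dsdt_size > DSDT_MAX_BYTES:
        problems.append(f"DSDT is {dsdt_size} bytes (> {DSDT_MAX_BYTES}): dump it from another machine")
    return problems


def check_workdir(workdir=".", dsdt_file=None):
    """Collect the real state of a working directory and feed it to evaluate()."""
    workdir = Path(workdir)
    present = {p.name for p in workdir.iterdir()}
    counts = {}
    for name in NAME_LISTS:
        path = workdir / name
        lines = path.read_text().splitlines() if path.is_file() else []
        counts[name] = sum(1 for line in lines if line.strip())
    euid = os.geteuid() if hasattr(os, "geteuid") else None
    size = Path(dsdt_file).stat().st_size if dsdt_file and Path(dsdt_file).is_file() else None
    importable = importlib.util.find_spec("dmidecode") is not None
    return evaluate(sys.platform, euid, present, counts, size, importable)
```

Run `check_workdir("~/Desktop/antivmdetection-master", "dsdt.dat")` (paths are placeholders) from the directory where the template script lives and fix every reported problem before running the builder.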

adindrabkin commented 3 years ago

@NisarHotac By reading what you write I'm convinced that you apply the template in the wrong way, perhaps the readme file is a bit unclear.

The main Python script should be run from a Linux installation. When successfully executed, you will end up with a few files: a shell file that should be run outside of the VM guest and a PowerShell file that you should run from inside the VM. The Linux machine from which you generate the template does not have to be the same computer which you will use it on, if that makes sense?

Regarding your second question, the two files "computer.lst" and "user.lst" can contain everything from one row each to as many as you fancy. The more the merrier as for each run inside the VM your computer will get a different computer and username.

I hope this makes things a bit clearer, if not please let me know

I had this exact issue. Spent an hour trying to translate the script to work on my Mac before seeing your comment here about running it on Linux.

nsmfoo commented 3 years ago

As the issue has not had any new comments in a while, I will close it. If you feel that the issue(s) persist, please re-open the case.