nsmfoo / antivmdetection

Script to create templates to use with VirtualBox to make vm detection harder
MIT License

Why not release builds / binaries? #52

Closed mngyuan closed 4 years ago

mngyuan commented 4 years ago

I'm just getting into researching anti-VM techniques and wanted to ask. As far as I can tell the process for generating xxxx.ps1 is host-machine agnostic, and the guest OS is always W7 or W10, so genuine question, why not just release the generated batch files? Is it because the host machine's DSDT needs to be dumped (why)?

nsmfoo commented 4 years ago

Hi @mngyuan, it's a valid question, and if people would like to send me generated template files which I can host here, please do. But the main reason is that the .sh, .ps1 and the DSDT dump all contain information that you would like to be kept unique, so if all clients end up with the same serial number, name, etc., it would be much easier for malware to just detect these installations.

I hope that makes sense?

/Mikael
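The point above is that the generated files carry per-host identity values, so two deployments built from the same template become trivially distinguishable from a real machine by the values they share. The following is an added check, not part of antivmdetection, for anyone who hosts or reuses templates: it parses a set of generated `.sh` files (assumed here to consist of `VBoxManage setextradata "$1" "<key>" "<value>"` lines) and reports identity values that appear in more than one template. The sample templates and the list of keys treated as must-be-unique are constructed for this illustration.

```python
"""Flag identity values shared between generated VirtualBox templates.

Added illustration (not antivmdetection's own code). Assumes each generated
.sh template is a list of `VBoxManage setextradata "$1" "<key>" "<value>"`
lines; the sample templates below are constructed, not dumped from hardware.
"""
import re
from collections import defaultdict

# DMI keys whose values identify one physical machine and should differ between
# deployments. Assumption made for this example; vendor strings such as
# DmiBIOSVendor are deliberately excluded because many machines share them.
UNIQUE_KEYS = {
    "DmiSystemSerial",
    "DmiSystemUuid",
    "DmiBoardSerial",
    "DmiChassisSerial",
}

SETEXTRADATA = re.compile(r'setextradata\s+"\$1"\s+"([^"]+)"\s+"([^"]*)"')

# Constructed sample templates: two distinct hosts plus an accidental copy of host A.
TEMPLATE_A = """#!/bin/bash
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Example Vendor"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "SN-0001-EXAMPLE"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "11111111-2222-3333-4444-555555555555"
"""
TEMPLATE_B = """#!/bin/bash
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "Example Vendor"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemSerial" "SN-0002-EXAMPLE"
VBoxManage setextradata "$1" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemUuid" "66666666-7777-8888-9999-000000000000"
"""
SAMPLE_TEMPLATES = {
    "host-a.sh": TEMPLATE_A,
    "host-b.sh": TEMPLATE_B,
    "host-a-copy.sh": TEMPLATE_A,
}


def parse_extradata(template_text):
    """Return {extradata key: value} for every setextradata line in a template."""
    return {key: value for key, value in SETEXTRADATA.findall(template_text)}


def find_shared_values(templates):
    """Map each (key, value) pair found in more than one template to the sorted
    list of template names carrying it, considering only UNIQUE_KEYS."""
    seen = defaultdict(list)
    for name, text in templates.items():
        for key, value in parse_extradata(text).items():
            if key.rsplit("/", 1)[-1] in UNIQUE_KEYS:
                seen[(key, value)].append(name)
    return {pair: sorted(names) for pair, names in seen.items() if len(names) > 1}


def report(templates):
    """Human-readable summary; returns the number of shared identity values."""
    shared = find_shared_values(templates)
    for (key, value), names in sorted(shared.items()):
        print(f"{key.rsplit('/', 1)[-1]} = {value!r} reused by: {', '.join(names)}")
    if not shared:
        print("no identity values are shared between templates")
    return len(shared)


if __name__ == "__main__":
    report(SAMPLE_TEMPLATES)
```

Run it against a directory of real templates by reading each file into the dictionary in place of `SAMPLE_TEMPLATES`; any hit means two installations would present the same serial or UUID and should be regenerated from a different host.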

mngyuan commented 4 years ago

That does make sense, but it is sort of frustrating that theoretically this technique is sort of limited to a 1:1 mapping between real machines and VMs, because it piggybacks off of real hardware values. I guess as long as they stay out of the hands of malware agents it doesn't really matter how much you reuse your DSDTs, etc., though. Anyway, I originally asked because I wasn't sure it was worth my time to go through this whole process just for fun, but I took the dive. Closing this!