├── VmwareEagle.png ├── README.md └── eagle.py /VmwareEagle.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/AlicanAkyol/eagle/HEAD/VmwareEagle.png -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | #Bypass AntiVm Techniques (Working...) 3 | 4 | ###How To Use It? 5 | 6 | - When your vm is closed, run below command in your host machine.
-> python eagle.py -c "Your Vm's .vmx file path" 7 | - Start your vm and run the command below inside your vm.
-> python eagle.py 8 | - After restarting your vm, run the command below inside your vm.
-> python eagle.py -v 9 | 10 | ###Requirements 11 | - import wmi
-> https://pypi.python.org/pypi/WMI/ 12 | - import pywin32
-> https://sourceforge.net/projects/pywin32/files/pywin32/Build%20220/ 13 | 14 | ###Bypass Anti VirtualMachine Techniques (Working on) 15 | 16 | When the cuckoo_detection.exe from https://github.com/AlicanAkyol/sems is run in VMware, the result is shown below (Win7 - 64 bit):
17 | ![alt tag](https://github.com/AlicanAkyol/sems/blob/master/vmware_normal.png) 18 | 19 | When eagle is run in VMware, the result is shown below (Win7 - 64 bit):
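![alt tag](https://github.com/AlicanAkyol/eagle/blob/master/VmwareEagle.png)

###Bypass Anti VirtualBox Techniques (In progress)

###Bypass Anti Cuckoo Sandbox Techniques (In progress)

--------------------------------------------------------------------------------
/eagle.py:
--------------------------------------------------------------------------------
# -*- coding: cp1254 -*-
"""
eagle.py - strip VMware guest artifacts from an analysis VM.

Evasive samples fingerprint VMware through registry keys and values,
guest driver/DLL files and services.  The lists in keyList(),
valueList(), vmFiles() and servicesList() name those artifacts; the
script deletes or rewrites them inside the guest so that a sample
keeps running instead of bailing out.  With -c (run on the host while
the VM is powered off) it only appends the settings in conf_arr to the
VM's .vmx file.

Python 2 / Windows only: it imports _winreg, wmi and pywin32, and it
opens HKEY_LOCAL_MACHINE with KEY_ALL_ACCESS and deletes files under
System32, so it is expected to run elevated.
"""
from _winreg import *
import os
import sys
import argparse
import wmi
import win32serviceutil
import subprocess
import ctypes
import random, string
import platform

# Fragments of the SCSI device-map path that valueList() assembles as
#   HARDWARE\DEVICEMAP\Scsi\Scsi Port N\Scsi Bus M\Target Id 0\Logical Unit Id 0
KEY1 = "HARDWARE\\DEVICEMAP\\Scsi\\"
KEY2 = "\\Target Id 0\\Logical Unit Id 0"
BACKWARD_SLASH = "\\"

# .vmx settings appended by addValuesToConf().  Judging by their names
# they switch off VMware isolation-tools and monitor-control features that
# guest code can probe; the exact effect of each is defined by VMware.
conf_arr = [ 'isolation.tools.getPtrLocation.disable = "TRUE"',
             'isolation.tools.setPtrLocation.disable = "TRUE"',
             'isolation.tools.setVersion.disable = "TRUE"',
             'isolation.tools.getVersion.disable = "TRUE"',
             'monitor_control.disable_directexec = "TRUE"',
             'monitor_control.disable_chksimd = "TRUE"',
             'monitor_control.disable_ntreloc = "TRUE"',
             'monitor_control.disable_selfmod = "TRUE"',
             'monitor_control.disable_reloc = "TRUE"',
             'monitor_control.disable_btinout = "TRUE"',
             'monitor_control.disable_btmemspace = "TRUE"',
             'monitor_control.disable_btpriv = "TRUE"',
             'monitor_control.disable_btseg = "TRUE"'
           ]

global_list = []   # filled by traverse(); not used by any CLI path
xp = False         # set by main() for -x; vmFiles() skips the VMware Tools uninstall when True


def modifyValue( arrr ):
    """Overwrite a VMware-identifying registry value with the string "NVIDIA".

    arrr is [sub_key, value_name, needle, needle, ...] below
    HKEY_LOCAL_MACHINE.  The value is read with QueryValueEx; when any
    needle occurs (case-insensitively) in string data, or in any element
    of multi-string data, the value is rewritten as REG_SZ "NVIDIA".
    Every failure (missing key or value, access denied) is swallowed on
    purpose: the callers sweep many keys that may not exist on a guest.
    """
    try:
        aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
        aKey = OpenKey(aReg, arrr[0], 0, KEY_ALL_ACCESS)
        try:
            val = QueryValueEx(aKey, arrr[1])
            for needle in arrr[2:]:
                try:
                    # String data: plain substring match.
                    if needle.upper() in val[0].upper():
                        SetValueEx(aKey, arrr[1], 0, REG_SZ, "NVIDIA")
                except Exception, err:
                    # Multi-string data is a list and has no .upper();
                    # check each element instead.
                    # NOTE(review): the replacement is written as REG_SZ even
                    # when the original value was REG_MULTI_SZ
                    # (e.g. InstalledDisplayDrivers) - confirm that is intended.
                    try:
                        for element in val[0]:
                            if needle.upper() in element.upper():
                                SetValueEx(aKey, arrr[1], 0, REG_SZ, "NVIDIA")
                    except Exception, err:
                        pass

        except Exception, err:
            pass

        CloseKey(aKey)
        CloseKey(aReg)

    except Exception, err:
        pass


def checkAndDeleteKey( vmRegKeys ):  ## unused
    """Delete the "LocalizedString" value under the HKLM sub-key *vmRegKeys*.

    Prints the key path before deleting.  Not called by any CLI path;
    all errors are swallowed.
    """
    try:
        aReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
        aKey = OpenKey(aReg, vmRegKeys, 0, KEY_ALL_ACCESS)
        if aKey:
            try:
                print vmRegKeys
                DeleteValue( aKey, "LocalizedString" )
            except Exception, err:
                pass

        CloseKey(aKey)
        CloseKey(aReg)

    except Exception, err:
        pass


def traverse( key, reg_list ):
    """Walk the HKLM sub-keys below *key* depth-first, printing each name.

    Recurses into every child (the original recursed into *key* itself,
    which re-enumerated the same key until the recursion limit was hit);
    *reg_list* is accepted for interface compatibility but the results go
    to the module-level global_list.  Not called by any CLI path.
    """
    try:
        hReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
        hKey = OpenKey(hReg, key, 0, KEY_ALL_ACCESS)
        try:
            i = 0
            while True:
                strFullSubKey = ""
                strSubKey = ""
                try:
                    strSubKey = EnumKey(hKey, i)
                    print strSubKey
                    strFullSubKey = key + "\\" + strSubKey
                except WindowsError:
                    # EnumKey raises once the index runs past the last child.
                    hKey.Close()
                    return
                traverse( strFullSubKey, global_list )
                print strSubKey
                # NOTE(review): records the parent path once per child; the
                # child path (strFullSubKey) may have been intended here.
                global_list.append(key)
                i += 1

        except WindowsError, err:
            pass
        hKey.Close()

    except:
        pass


def regDeleteKey( key ):
    """Delete the HKLM sub-key *key* (DeleteKey requires it to have no children).

    A failure is printed together with the key path rather than raised, so
    keyList() can carry on with the next entry.
    """
    try:
        hReg = ConnectRegistry(None, HKEY_LOCAL_MACHINE)
        hKey = OpenKey(hReg, key, 0, KEY_ALL_ACCESS)
        DeleteKey(hReg, key)
        hKey.Close()

    except Exception, err:
        print err
        print key


def keyList():
    """Delete the HKLM keys that identify VMware and common analysis tools.

    The list covers VMware Tools, VMware virtual CD/SCSI device enumerations
    and the VMware critical-device entries, plus uninstall/app-path keys of
    tools often found in analysis VMs (eEye IRIS, Wireshark, ZxSniffer,
    Cygwin, Bopup Observer, Win Sniffer).  Each deletion is attempted
    independently.
    """
    vmRegKeys = [
        "SOFTWARE\\Clients\\StartMenuInternet\\VMWAREHOSTOPEN.EXE",
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "SOFTWARE\\Microsoft\\ESENT\\Process\\vmtoolsd",
        "SYSTEM\\CurrentControlSet\\Enum\\IDE\\CdRomNECVMWar_VMware_SATA_CD01_______________1.00____",
        "SYSTEM\\CurrentControlSet\\Enum\\IDE\\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____",
        "SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S&Rev_1.0",
        "SYSTEM\\CurrentControlSet\\Enum\\SCSI\\Disk&Ven_VMware_&Prod_VMware_Virtual_S",
        "SYSTEM\\CurrentControlSet\\Control\\CriticalDeviceDatabase\\root#vmwvmcihostdev",
        "SYSTEM\\CurrentControlSet\\Control\\VirtualDeviceDrivers",
        "SYSTEM\\CurrentControlSet\\Services\\IRIS5",
        "SOFTWARE\\eEye Digital Security",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Wireshark",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\wireshark.exe",
        "SOFTWARE\\ZxSniffer.exe",
        "SOFTWARE\\Cygwin",
        "SOFTWARE\\B Labs\\Bopup Observer",
        "AppEvents\\Schemes\\Apps\\Bopup Observer",
        "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Win Sniffer_is1",
        "SOFTWARE\\Win Sniffer"
    ]

    for reg in vmRegKeys:
        try:
            regDeleteKey( reg )
        except Exception, err:
            pass


def valueList():
    """Rewrite registry values whose data names VMware devices or drivers.

    Two groups are handled: the SCSI "Identifier" values for every
    Scsi Port 0-4 / Scsi Bus 0-6 combination under HARDWARE\\DEVICEMAP, and
    the display/mouse device-class entries below (DriverDesc, InfSection,
    ProviderName, driver file names, ...).  Each entry is passed to
    modifyValue(), which replaces matching data with "NVIDIA".
    """
    arr = [ [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "DriverDesc",
              "vmware svga ii",
              "vmware svga 3d",
              "vmware vmscsi controller" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318}\\0000",
              "InfSection",
              "vmmouse" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Video\\{4BEF3D64-1F2B-4026-9EE4-B6D8CD9FEA1B}\\0000",
              "Device Description",
              "vmware svga ii" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Video\\{3A8088C5-4419-4572-801C-A10BA858952F}\\0000",
              "Device Description",
              "vmware svga 3d" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "HardwareInformation.AdapterString",
              "VMware SVGA 3D" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "HardwareInformation.ChipType",
              "VMware Virtual SVGA 3D Graphics Adapter" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "InfSection",
              "VM3D_AMD64" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "InstalledDisplayDrivers",
              "vm3dum64",
              "vm3dum",
              "vm3dgl64",
              "vm3dgl" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "OpenGLDriverName",
              "vm3dgl64.dll" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "OpenGLDriverNameWow",
              "vm3dgl.dll" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "ProviderName",
              "VMware, Inc." ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "UserModeDriverName",
              "vm3dum64.dll" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000",
              "UserModeDriverNameWow",
              "vm3dum.dll" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318}\\0000",
              "DriverDesc",
              "VMware Pointing Device" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318}\\0000",
              "ProviderName",
              "VMware, Inc." ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318}\\0001",
              "DriverDesc",
              "VMware USB Pointing Device" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318}\\0000",
              "InfSection",
              "VMUsbMouse" ],
            [ "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E96F-E325-11CE-BFC1-08002BE10318}\\0000",
              "ProviderName",
              "VMware, Inc." ]
          ]

    arr_val1 = [ "Scsi Port 0", "Scsi Port 1", "Scsi Port 2", "Scsi Port 3", "Scsi Port 4" ]
    arr_val2 = [ "Scsi Bus 0", "Scsi Bus 1", "Scsi Bus 2", "Scsi Bus 3", "Scsi Bus 4", "Scsi Bus 5", "Scsi Bus 6" ]

    # Disk identifiers live under every port/bus combination; try them all.
    for port in arr_val1:
        for bus in arr_val2:
            first_value = KEY1 + port + BACKWARD_SLASH + bus + KEY2
            modifyValue( [first_value, "Identifier", "vmware"] )

    for entry in arr:
        modifyValue( entry )


def stopAndDeleteServices( service_name ):  ## working on...
    """Stop and delete every service in *service_name*, then run vmFiles().

    Stopping uses pywin32's StopService; deletion shells out to
    ``sc delete <name>``.  The command is passed as an argument list so a
    name containing spaces ("VMware Physical Disk Helper Service") reaches
    sc.exe as one argument instead of being split by cmd.exe, which is
    what the former shell=True string did.  Per-service failures (service
    absent, already stopped, insufficient rights) are ignored.
    """
    try:
        for name in service_name:
            try:
                win32serviceutil.StopService( name )
            except:
                pass

    except Exception, err:
        pass

    try:
        for name in service_name:
            try:
                subprocess.call(["sc", "delete", name])
            except:
                pass

    except Exception, err:
        pass

    try:
        vmFiles()

    except Exception, err:
        pass


def servicesList():  ## working on...
    """Stop and delete the VMware guest services, then remove their files."""
    services = [ "vmhgfs", "VMMEMCTL", "vmmouse", "vmrawdsk",
                 "VMTools", "vmusbmouse", "vmvss", "vmscsi",
                 "VMware Physical Disk Helper Service",
                 "vmxnet", "vmx_svga", "vmbus", "VMBusHID", "vmci" ]

    stopAndDeleteServices ( services )


def randomword( length ):
    """Return *length* random lowercase ASCII letters (used for file names only)."""
    return ''.join(random.choice(string.lowercase) for i in range(length))


def vmFiles():
    """Delete the VMware guest DLLs and drivers from System32 and SysWOW64.

    Missing files and access errors are ignored.  Unless the module-level
    xp flag is set (-x), VMware Tools is uninstalled afterwards.
    """
    #"C:\Windows\System32\drivers\\vmmouse.sys",
    files = [
        "C:\WINDOWS\System32\\vm3dgl64.dll",
        "C:\WINDOWS\System32\\vm3dgl.dll",
        "C:\WINDOWS\System32\\vm3dum64.dll",
        "C:\WINDOWS\System32\\vm3dum.dll",
        "C:\WINDOWS\System32\VmbuxCoinstaller.dll",
        "C:\WINDOWS\System32\\vmGuestLib.dll",
        "C:\WINDOWS\System32\\vmGuestLibJava.dll",
        "C:\WINDOWS\System32\\vmhgfs.dll",
        "C:\WINDOWS\System32\\vmicsvc.exe",
        "C:\WINDOWS\System32\\vmwogl32.dll",
        "C:\WINDOWS\System32\\vmmreg32.dll",
        "C:\WINDOWS\System32\\vmx_fb.dll",
        "C:\WINDOWS\System32\\vmx_mode.dll",
        "C:\WINDOWS\System32\\vmhgfs.dll",
        "C:\WINDOWS\System32\VMUpgradeAtShutdownWXP.dll",
        "C:\Windows\System32\drivers\\vmhgfs.sys",
        "C:\Windows\System32\drivers\\VMMEMCTL.sys",
        "C:\Windows\System32\drivers\\vmrawdsk.sys",
        "C:\Windows\System32\drivers\VMTools.sys",
        "C:\Windows\System32\drivers\\vmusbmouse.sys",
        "C:\Windows\System32\drivers\\vmvss.sys",
        "C:\Windows\System32\drivers\\vmscsi.sys",
        "C:\Windows\System32\drivers\VMware Physical Disk Helper Service.sys",
        "C:\Windows\System32\drivers\\vmxnet.sys",
        "C:\Windows\System32\drivers\\vmx_svga.sys",
        "C:\Windows\System32\drivers\\vmbus.sys",
        "C:\Windows\System32\drivers\\VMBusHID.sys",
        "C:\Windows\System32\drivers\\vmci.sys"
    ]

    files2 = [
        "C:\WINDOWS\SysWOW64\\vm3dgl64.dll",
        "C:\WINDOWS\SysWOW64\\vm3dgl.dll",
        "C:\WINDOWS\SysWOW64\\vm3dum64.dll",
        "C:\WINDOWS\SysWOW64\\vm3dum.dll",
        "C:\WINDOWS\SysWOW64\VmbuxCoinstaller.dll",
        "C:\WINDOWS\SysWOW64\\vmGuestLib.dll",
        "C:\WINDOWS\SysWOW64\\vmGuestLibJava.dll",
        "C:\WINDOWS\SysWOW64\\vmhgfs.dll",
        "C:\WINDOWS\SysWOW64\\vmicsvc.exe",
        "C:\WINDOWS\SysWOW64\\vmwogl32.dll",
        "C:\WINDOWS\SysWOW64\\vmmreg32.dll",
        "C:\WINDOWS\SysWOW64\\vmx_fb.dll",
        "C:\WINDOWS\SysWOW64\\vmx_mode.dll",
        "C:\WINDOWS\SysWOW64\\vmhgfs.dll",
        "C:\WINDOWS\SysWOW64\VMUpgradeAtShutdownWXP.dll",
        "C:\Windows\SysWOW64\drivers\\vmhgfs.sys",
        "C:\Windows\SysWOW64\drivers\\VMMEMCTL.sys",
        "C:\Windows\SysWOW64\drivers\\vmrawdsk.sys",
        "C:\Windows\SysWOW64\drivers\VMTools.sys",
        "C:\Windows\SysWOW64\drivers\\vmusbmouse.sys",
        "C:\Windows\SysWOW64\drivers\\vmvss.sys",
        "C:\Windows\SysWOW64\drivers\\vmscsi.sys",
        "C:\Windows\SysWOW64\drivers\VMware Physical Disk Helper Service.sys",
        "C:\Windows\SysWOW64\drivers\\vmxnet.sys",
        "C:\Windows\SysWOW64\drivers\\vmx_svga.sys",
        "C:\Windows\SysWOW64\drivers\\vmbus.sys",
        "C:\Windows\SysWOW64\drivers\\VMBusHID.sys",
        "C:\Windows\SysWOW64\drivers\\vmci.sys"
    ]

    # System32 first, then SysWOW64 - same order as before, one loop.
    for path in files + files2:
        try:
            os.remove( path )
        except Exception, err:
            pass

    if not xp:
        uninstallVmTools()


def rename_files ( fileName, files ):
    """Rename the file at path *files* to a random 15-letter name (unused).

    *fileName* is ignored and overwritten with the path components.  The
    new name keeps a ".dll" extension when the old base name contains
    "dll" and gets ".sys" otherwise.  Errors are swallowed.
    """
    try:
        fileName = files.split("\\")
        base = fileName[len(fileName) - 1]
        if "dll" in base:
            newFile = randomword( 15 ) + ".dll"
        else:
            newFile = randomword( 15 ) + ".sys"
        files = files.replace(base, newFile)

        # Rebuild the original path from its components.
        newFileName = "\\".join(fileName)

        os.rename( newFileName, files )
    except:
        pass


def uninstallVmTools ():
    """Uninstall the "VMware Tools" package through wmic (fixed command, no user input)."""
    try:
        uninstall_vmtools_command = "wmic product where name='VMware Tools' call uninstall"
        subprocess.call(uninstall_vmtools_command, shell=True)
    except:
        pass


def addValuesToConf ( path ):
    """Append every line of conf_arr to the .vmx file at *path* (host-side, -c).

    The file is opened in append mode, so running twice duplicates the
    settings.  An error (bad path, permission) is printed, not raised.
    """
    try:
        with open(path, "a") as myfile:
            for line in conf_arr:
                myfile.write("\n" + line)

    except Exception, err:
        print err


def start ():
    """Run the full in-guest cleanup: values, keys, services (and files), then finish()."""
    valueList()
    keyList()
    servicesList()
    finish()


def finish ():
    """Print the completion marker."""
    print "Completed..."


def disableWow64 ():
    """Run start() with WOW64 file-system redirection switched off.

    On 64-bit Windows a 32-bit Python would otherwise have System32
    silently redirected to SysWOW64, so the driver/DLL paths in vmFiles()
    would miss.  The OldValue out-parameter is a PVOID, hence c_void_p
    (the former c_long is too small on x64), and redirection is put back
    with Wow64RevertWow64FsRedirection - the documented counterpart of
    Wow64DisableWow64FsRedirection - in a finally block so it is restored
    even if start() raises.
    """
    try:
        k32 = ctypes.windll.kernel32
        wow64 = ctypes.c_void_p( 0 )
        k32.Wow64DisableWow64FsRedirection( ctypes.byref(wow64) )
        try:
            start()
        finally:
            k32.Wow64RevertWow64FsRedirection( wow64 )
    except:
        pass


def main ():
    """Parse the command line and dispatch to the selected mode.

    Without options the in-guest cleanup runs (via disableWow64() on
    64-bit hosts).  -v only rewrites registry values, -u only uninstalls
    VMware Tools, -x runs the cleanup with the Tools uninstall skipped,
    -c PATH appends conf_arr to the given .vmx and does nothing else.
    """
    # -x must reach vmFiles(), which reads the module-level flag; without
    # this declaration the assignment below only created a local.
    global xp

    usage = "Usage: use --help for further information"
    description = "Bypass AntiVM Technics"
    parser = argparse.ArgumentParser(description = description, usage = usage)
    # Backslashes are escaped: the former literal contained "\v", which
    # printed as a vertical tab in --help.
    parser.add_argument('-c', '--config', dest = 'config', action = 'store', help = 'It should be called in your host. Your vm must be off. Config file is your .vmx file. Example: python eagle.py -c C:\\Users\\user\\vm\\myvm.vmx')
    parser.add_argument('-v', '--value', dest = 'valueList', action = 'store_true', help = 'Modify Registry Values, It should be called after the vm is restarted. Except XP!', default = False)
    parser.add_argument('-u', '--uninstallvmtools', dest = 'vmtools', action = 'store_true', help = 'Uninstall VmTools. It should be called firstly for XP!', default = False)
    parser.add_argument('-x', '--XP', dest = 'xp', action = 'store_true', help = 'Run except uninstallvmtools. It should be called after uninstallVmtools for XP!', default = False)
    args = parser.parse_args()

    if args.valueList:
        valueList()

    if args.vmtools:
        uninstallVmTools()

    if args.xp:
        xp = True
        start()

    # NOTE(review): none of the flags above returns early, so e.g. -x runs
    # start() here and then again through disableWow64()/start() below.
    # Kept as-is; confirm whether that double run is intended.
    if args.config != None:
        addValuesToConf ( args.config )

    elif "64" in platform.uname()[4]:
        disableWow64()

    else:
        start()


if __name__ == "__main__":

    main()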