Place the following lines in the .vmx file of a halted virtual machine:
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
CAUTION Although these settings are quite effective at thwarting redPill,
Scoopy, Jerry, VmDetect, and others, they will break some "comfort"
functionality of the virtual machine such as the mouse, drag and drop, file
sharing, clipboard, and so on. These settings are not documented by
VMware; use at your own risk!
By loading a virtual machine with the preceding settings, you will thwart most tools
like VmDetect.
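As an added example (not from the book), a small Python helper that audits a .vmx file for the thirteen settings above and applies them without leaving duplicate keys behind. It assumes the file uses one `key = "value"` entry per line and that keys compare case-insensitively; run it only against a halted VM's .vmx, as the text requires.

```python
import re

# The thirteen anti-detection keys listed above, all set to "TRUE".
HARDENING_KEYS = (
    "isolation.tools.getPtrLocation.disable", "isolation.tools.setPtrLocation.disable",
    "isolation.tools.setVersion.disable", "isolation.tools.getVersion.disable",
    "monitor_control.disable_directexec", "monitor_control.disable_chksimd",
    "monitor_control.disable_ntreloc", "monitor_control.disable_selfmod",
    "monitor_control.disable_reloc", "monitor_control.disable_btinout",
    "monitor_control.disable_btmemspace", "monitor_control.disable_btpriv",
    "monitor_control.disable_btseg",
)
HARDENING_SETTINGS = {k: "TRUE" for k in HARDENING_KEYS}

# A .vmx line is `key = "value"`; keys are compared lowercased here
# (assumption: VMware treats configuration keys case-insensitively).
_VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {key.lower(): value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def audit_vmx(text):
    """Return the hardening keys that are absent or not set to TRUE."""
    present = parse_vmx(text)
    return sorted(k for k, v in HARDENING_SETTINGS.items()
                  if present.get(k.lower(), "").upper() != v)

def harden_vmx(text):
    """Rewrite each hardening key in place (so no duplicates are created)
    and append the missing ones; every other line is preserved verbatim."""
    wanted = {k.lower(): k for k in HARDENING_KEYS}
    out, seen = [], set()
    for line in text.splitlines():
        m = _VMX_LINE.match(line)
        key = m.group(1).lower() if m else None
        if key in wanted:
            out.append(f'{wanted[key]} = "TRUE"')
            seen.add(key)
        else:
            out.append(line)
    out.extend(f'{k} = "TRUE"' for k in HARDENING_KEYS if k.lower() not in seen)
    return "\n".join(out) + "\n"
```

Running `audit_vmx` on the rewritten text should return an empty list; any remaining entries indicate a key that was not applied.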