Sentinel SHK Virtual Machine
Hi all,
Does anyone know what kind of detection Sentinel SHK uses to detect Virtual Machines? :) I can run it fine in Oracle VirtualBox. But it refuses to run in VMware or Terminal Services. I just ask to avoid reinventing the wheel. But after I find the solution, I will post it here! Thanks

provide some sample to analyze

like all soft do
see C++ examples in net.

Quote:
BTW thanks for interest. If you really want to help, here you go:

Code:
http://download.softwell.com.br/makerstudiobootstrap/Instaladores/Instalador_Maker_Studio_Bootstrap.zip

Code:
https://mega.nz/file/coJ1CCiJ#NrMWTpHOTzf79cp3zdVJtKrZx6ziSEtV_AI8rOpRtsY

It will ask for an activation code. Send me and I give you back.

Hi all,
after some research, I found the solution.

First, SentinelSHK calls GetSystemMetrics to simply identify Remote Desktop.

PHP Code:

After that, SentinelSHK calls WTSQuerySessionInformationA to identify whether the current session is running over Remote Desktop. It doesn't check any further parameters; it just checks whether WTSQuerySessionInformationA returns a valid value. If it does, the execution is aborted.

The wtsApi32.dll is loaded on the fly, so the solution doesn't need to hook WTSQuerySessionInformationA.

The solution was hooking GetSystemMetrics and catching when SM_REMOTESESSION is queried, returning zero (0), and patching some bytes at the calling address when its region resides in the main application.

PS.: Sometimes comctrls32.dll calls GetSystemMetrics with SM_REMOTESESSION, that's why you need to confirm the memory region. Just patching one jump in the main application solves the problem.

PHP Code: