Exetools  

Old 08-27-2020, 03:56
phroyt phroyt is offline
Friend
Sentinel SHK Virtual Machine

Hi all,

Does anyone know what kind of detection Sentinel SHK uses to detect virtual machines?

I can run it fine in Oracle VirtualBox.
But it refuses to run in VMware or Terminal Services.

I'm just asking to avoid reinventing the wheel.

But once I find the solution, I will post it here!

Thanks
Old 08-27-2020, 09:03
Gladiyator Gladiyator is offline
Family
Provide some sample to analyze.
Old 08-28-2020, 00:31
user1 user1 is offline
Family
Like all software does.

See the C++ examples on the net.
Old 08-30-2020, 09:21
phroyt phroyt is offline
Friend
Quote:
Originally Posted by Gladiyator
Provide some sample to analyze.
You need to install the whole software and run it on a Terminal Services machine.
BTW, thanks for the interest.

If you really want to help, here it goes:
Code:
http://download.softwell.com.br/makerstudiobootstrap/Instaladores/Instalador_Maker_Studio_Bootstrap.zip
And the medicine:
Code:
https://mega.nz/file/coJ1CCiJ#NrMWTpHOTzf79cp3zdVJtKrZx6ziSEtV_AI8rOpRtsY
After installing, replace SentinelKeyW.dll with the DLL above.
It will ask for an activation code.
Send it to me and I will give it back to you.
Old 07-05-2022, 23:51
phroyt phroyt is offline
Friend
Hi all,

After some research, I found the solution.

First, SentinelSHK simply calls GetSystemMetrics to identify Remote Desktop.

PHP Code:
const SM_REMOTESESSION = $1000; // 4096
GetSystemMetrics(SM_REMOTESESSION);
If the result is true, the execution is aborted.

After that, SentinelSHK calls WTSQuerySessionInformationA to identify whether the current session is running over Remote Desktop.

It doesn't check any further parameters; it just checks whether WTSQuerySessionInformationA returns a valid value.
If it does, the execution is aborted.

wtsapi32.dll is loaded on the fly, so the solution doesn't need to hook WTSQuerySessionInformationA.

The solution was hooking GetSystemMetrics, catching when SM_REMOTESESSION is queried and returning zero (0),
and patching some bytes at the calling address when its region resides in the main application.

PS: Sometimes comctl32.dll calls GetSystemMetrics with SM_REMOTESESSION;
that's why you need to confirm the memory region.

Just patching one jump in the main application solves the problem.

PHP Code:
074C0581 8D4424 18        lea eax,dword ptr ss:[esp+18]
074C0585 8D5424 10        lea edx,dword ptr ss:[esp+10]
074C0589 50               push eax
074C058A 52               push edx
074C058B 6A 10            push 10
074C058D 6A FF            push FFFFFFFF
074C058F 57               push edi
074C0590 897C24 24        mov dword ptr ss:[esp+24],edi
074C0594 897C24 2C        mov dword ptr ss:[esp+2C],edi
074C0598 FFD1             call ecx                                <= WTSQuerySessionInformationA
074C059A 8B4424 10        mov eax,dword ptr ss:[esp+10]
074C059E 3BC7             cmp eax,edi
074C05A0 74 27            je app.74C05C9
074C05A2 66:3938          cmp word ptr ds:[eax],di
074C05A5 EB 22            jmp app.74C05C9                         <= PATCH
074D55A7 50               push eax
074D55A8 FF15 70E94A07    call dword ptr ds:[<&WTSFreeMemory>]
074D55AE 55               push ebp
074D55AF 897C24 14        mov dword ptr ss:[esp+14],edi
074D55B3 FF15 98206C07    call dword ptr ds:[<&FreeLibrary>]
074D55B9 5F               pop edi
074D55BA 5E               pop esi
074D55BB 5D               pop ebp
074D55BC B8 CB000000      mov eax,CB
074D55C1 5B               pop ebx
074D55C2 81C4 10010000    add esp,110
074D55C8 C3               ret
074D55C9 8B35 28206C07    mov esi,dword ptr ds:[<&GetVersionExA>]
...

Last edited by phroyt; 07-05-2022 at 23:55. Reason: fix typo
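Added example, not from the thread: a PowerShell script that performs the same two session checks the post describes (GetSystemMetrics with SM_REMOTESESSION, then WTSQuerySessionInformation for the current session) so a tester can see what a protected application observes when run on the console, in a VM, or over Terminal Services. It assumes the "push 10" info class in the listing is WTSClientProtocolType (16 in WTS_INFO_CLASS) and that "push FFFFFFFF" is WTS_CURRENT_SESSION; the Win32 API names are real, the Win32.Rds wrapper class is mine.

```powershell
# Added example: reproduce the two Remote Desktop checks described in the post.
Add-Type -Namespace Win32 -Name Rds -MemberDefinition @'
[DllImport("user32.dll")]
public static extern int GetSystemMetrics(int nIndex);

[DllImport("wtsapi32.dll", SetLastError = true)]
public static extern bool WTSQuerySessionInformation(
    IntPtr hServer, int sessionId, int infoClass,
    out IntPtr buffer, out int bytesReturned);

[DllImport("wtsapi32.dll")]
public static extern void WTSFreeMemory(IntPtr buffer);
'@

$SM_REMOTESESSION      = 0x1000          # 4096, the constant from the post
$WTS_CURRENT_SERVER    = [IntPtr]::Zero  # "push edi" with edi = 0 in the listing
$WTS_CURRENT_SESSION   = -1              # "push FFFFFFFF" in the listing
$WTSClientProtocolType = 16              # "push 10" in the listing (assumption: WTS_INFO_CLASS value 16)

# Check 1: GetSystemMetrics(SM_REMOTESESSION). Non-zero means the process
# runs inside a Remote Desktop / Terminal Services session.
$metric = [Win32.Rds]::GetSystemMetrics($SM_REMOTESESSION)
"GetSystemMetrics(SM_REMOTESESSION) = $metric  (non-zero => remote session)"

# Check 2: WTSQuerySessionInformation(WTSClientProtocolType) for the current
# session. The returned USHORT is 0 for the console, 1 for ICA, 2 for RDP.
$buf = [IntPtr]::Zero
$len = 0
$ok = [Win32.Rds]::WTSQuerySessionInformation(
    $WTS_CURRENT_SERVER, $WTS_CURRENT_SESSION, $WTSClientProtocolType,
    [ref]$buf, [ref]$len)
if ($ok -and $buf -ne [IntPtr]::Zero) {
    $proto = [System.Runtime.InteropServices.Marshal]::ReadInt16($buf)
    [Win32.Rds]::WTSFreeMemory($buf)     # mirrors the WTSFreeMemory call in the listing
    $name = switch ($proto) {
        0 { 'console' }
        1 { 'ICA' }
        2 { 'RDP' }
        default { "unknown ($proto)" }
    }
    "WTSClientProtocolType = $proto ($name)"
} else {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    "WTSQuerySessionInformation failed, Win32 error $err"
}
```

Running it on the console and again over RDP shows which of the two values changes; both are ordinary user-mode API results, which is why a check that relies on them alone is easy to defeat by hooking.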