#1
Sentinel SHK Virtual Machine
Hi all,
Does anyone know what kind of detection Sentinel SHK uses to detect Virtual Machines? I can run it fine in Oracle VirtualBox. But it refuses to run in VMware or Terminal Services. I just ask to avoid reinventing the wheel. But, after I find the solution, I will post it here! Thanks
#3
Like all software does;
see C++ examples on the net.
#4
You need to install the whole software and run it on a Terminal Services machine.
BTW, thanks for the interest. If you really want to help, here you go:
Code:
http://download.softwell.com.br/makerstudiobootstrap/Instaladores/Instalador_Maker_Studio_Bootstrap.zip
Code:
https://mega.nz/file/coJ1CCiJ#NrMWTpHOTzf79cp3zdVJtKrZx6ziSEtV_AI8rOpRtsY
It will ask for an activation code. Send it to me and I will give it back.
#5
Hi all,
After some research, I found the solution. First, SentinelSHK calls GetSystemMetrics to simply identify Remote Desktop.
PHP Code:
After that, SentinelSHK calls WTSQuerySessionInformationA to identify if the current session is running over Remote Desktop. It doesn't check any further parameters, it just checks whether WTSQuerySessionInformationA returns a valid value. If it does, the execution is aborted. The wtsApi32.dll is loaded on the fly, so the solution doesn't need to hook WTSQuerySessionInformationA.
The solution was hooking GetSystemMetrics and catching when SM_REMOTESESSION is queried, returning zero (0), and patching some byte at the calling address when its region resides in the main application.
PS.: Sometimes comctrls32.dll calls GetSystemMetrics with SM_REMOTESESSION, that's why you need to confirm the memory region. Just patching one jump in the main application solves the problem.
PHP Code:
Last edited by phroyt; 07-05-2022 at 23:55. Reason: fix typo