I've reinstalled my Windows 10 VM and I'm trying my best to disguise it. Overall I'm quite pleased; it would fool me for a pretty long time, but there are a few obvious ways to see this is a VM that I can't find solutions for.
1) Installation date of Windows apps in Add/Remove:
https://i.postimg.cc/VvpPLH1n/image.png
On scambait.club there is a short article explaining how to change these dates in the registry:
https://scambait.club/stealth-tip-change-the-date-of-installed-software/
But this only works for some apps (32-bit?). Many apps don't appear there, and none of the native Windows apps which get installed along with the OS. I have searched all over the registry for these dates in various formats, but I can't find them. I have removed as many as I can, but it's still a huge red flag.
Another approach would have been to change the date of the computer during the VM installation, but that is not trivial either. I found no way to override the Windows clock; even after stopping the clock services, W10 seems to have its ways to figure out the correct date and time.
2) Device Manager
Most descriptions in Device Manager that point to a VM I have managed to change, but not the display adapter:
https://i.postimg.cc/VLNNsdQW/image.png
I can find plenty of references in the registry, but not the one that has an impact on what is shown in Device Manager.
I followed that same tutorial and it worked for some apps (32-bit) but some would not go away. After much searching I found how to do the same for 64-bit programs (it's just a different regedit location):
-<Windowskey> + <R>
-regedit
(32bit)-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
(64bit)-HKEY_LOCAL_MACHINE\SOFTWARE\Wow64Node\Microsoft\Windows\CurrentVersion\Uninstall
-left pane click on the key (most times the program name)
-in the right pane double click on InstallDate (If it's not there: right click empty space, choose New>String Value, call it InstallDate)
-change the date (format 11112233 -> 1=year, 2=month, 3=day)
works for Win7 at least (have not tested on Win10)
I like putting my AVG install back to 1999 and am ready for a scammer to look at my programs and I can say 'THAT's why my computer's broken, my antivirus is 20 years old!' ;-)
For #2, if I recall correctly, here is how I did it, because there are lots of tutorials but they weren't working for me until I found this one:
-Open Device manager
-Find device to rename. Right click>Properties>Details Tab> 'Driver Key'. Right click>copy
-open regedit
-HKEY_LOCAL_MACHINE > SYSTEM > ControlSet001 > Enum
-Right click the Enum key you want (Display). Select Permissions. Click Add
-in the 'enter the object name' type the name of the user account. Click Check names. Click ok to exit
-While still in the permissions box, click 'Advanced' then the 'Owner' tab. Select the current user and check 'replace owner on subcontainers'. Click Apply then Ok a few times to exit back to the permissions box.
-Left click your username. Check the checkbox 'Full Control' then click apply.
-back in regedit Left click on the Enum key then press CTRL+F to open search. Paste the driver key copied earlier.
-It should bring you to the device to edit. Right click on a blank space on right and select New>String Value. Name the string FriendlyName double click to modify. Type the name you want the device to be named. (ie NVIDIA GTX 1060)
-Back into Device Manager and Action>Scan for Hardware Changes. (It should now be renamed)
Works for Win7, not sure on Win10. I'm not a computer expert, just piecing everything together, and ran into the same issue. Thanks!
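The InstallDate procedure from the post above, as an added PowerShell example (not code from the post or from the scambait.club article). It assumes an elevated 64-bit PowerShell prompt on Windows 10. Two facts worth knowing when you compare it with the regedit steps: the second key is actually spelled WOW6432Node, and on 64-bit Windows it is the view that holds the 32-bit programs while the plain Uninstall key holds the 64-bit ones; the script walks both views plus the per-user key, so the naming does not matter in practice. The native Windows apps the OP could not find are not registered under these Uninstall keys at all, so this does not reach them.

```powershell
# Added example (not from the thread): back-date entries in Programs and Features.
# Run from an elevated 64-bit PowerShell prompt. Both registry views the post
# describes are covered: the plain Uninstall key (64-bit programs) and the
# WOW6432Node one (32-bit programs), plus the per-user key appwiz.cpl also reads.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    # One object per entry Programs and Features can show, with its current date.
    foreach ($root in $UninstallKeys) {
        if (-not (Test-Path $root)) { continue }
        foreach ($sub in Get-ChildItem $root) {
            $p = Get-ItemProperty $sub.PSPath
            if (-not $p.DisplayName) { continue }          # nameless keys are never listed
            [pscustomobject]@{
                Key         = $sub.PSPath
                DisplayName = $p.DisplayName
                InstallDate = $p.InstallDate               # REG_SZ yyyyMMdd, or $null
                Hidden      = [bool]$p.SystemComponent     # 1 = not shown in the list
            }
        }
    }
}

function Set-InstallDate {
    param(
        [Parameter(Mandatory = $true)] [string]   $DisplayNamePattern,  # wildcard, e.g. 'AVG*'
        [Parameter(Mandatory = $true)] [datetime] $Date
    )
    # The format the post describes: yyyyMMdd in a string value named InstallDate.
    $stamp = $Date.ToString('yyyyMMdd')
    foreach ($e in Get-UninstallEntry | Where-Object { $_.DisplayName -like $DisplayNamePattern }) {
        # Set-ItemProperty creates the value when it is missing. That matters:
        # without InstallDate, Programs and Features falls back to the key's
        # last-write time, which this very edit bumps to "now".
        Set-ItemProperty -Path $e.Key -Name InstallDate -Value $stamp -Type String
        '{0,-50} {1} -> {2}' -f $e.DisplayName, $e.InstallDate, $stamp
    }
}

# Usage: list what still carries today's date (or no date), then back-date a program.
$today = (Get-Date).ToString('yyyyMMdd')
Get-UninstallEntry |
    Where-Object { -not $_.Hidden -and ($_.InstallDate -eq $today -or -not $_.InstallDate) } |
    Format-Table DisplayName, InstallDate -AutoSize
Set-InstallDate -DisplayNamePattern 'AVG*' -Date '1999-06-15'
```

Run the listing first, before any edits, because it also tells you which entries have no InstallDate at all; those are the ones that will jump to today's date the moment you touch their key in regedit, so give them an explicit value rather than only editing the ones that already have one.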
There is a video by Jim Browning about setting up VMs. One of the hiding methods that sticks out the most in my memory is renaming the Hard Drive.
https://www.youtube.com/watch?v=6TM45vNI4Qc
Thanks, Jim Browning's video gave me a hint to get to a much better solution. One that is simpler and also defeats dxdiag and probably just about any tool!
This registry key here:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_040515AD&REV_00\3&267a616a&0&10
contains a DeviceDesc key with the value:
@oem3.inf,%vboxvideo.svcdesc%;VirtualBox Graphics Adapter (WDDM)
That basically means: get the %vboxvideo.svcdesc% variable from the file oem3.inf. Jim replaces it entirely with a custom description in the registry, but it's much better to just edit that .inf file! It's in C:\Windows\INF. You will need to take full ownership, and I used Notepad++ in admin mode. Look for VBoxVideo.SvcDesc
Now look at this:
https://i.postimg.cc/TPtfgnWw/image.png
Whoohoo
Still need to find out where to change the Chip type and DAC type, but this looks promising!
Ok you can change the Chip and DAC type in the registry, see last post here:
http://scammer.info/d/2272-removing-virtualbox-out-of-dxdiag/14
Unfortunately, it resets after a reboot.
Maybe you can edit it in an .inf file somewhere, but I haven't found that yet. Not sure how to search for a string inside all text files in a Windows folder; in Linux this would be trivial.
It is persistent, at least in Windows 10. Just search the registry for
HardwareInformation.DacType
and
HardwareInformation.ChipType
and change those strings. It's going to take a really smart cookie to spot my VM now using either Device Manager or dxdiag!
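The registry side of the display-adapter procedures in this thread (the FriendlyName/DeviceDesc rename that needs the ownership change, and the HardwareInformation.ChipType and DacType strings from the last two posts), as one added PowerShell example. It is not code from the thread or from Jim Browning's video. Assumptions: an elevated PowerShell prompt inside the Windows 10 VirtualBox guest; VEN_80EE&DEV_BEEF is the VirtualBox adapter's PCI ID as in the OP's key path; the replacement strings are made-up values, not what any real card reports; {4d36e968-e325-11ce-bfc1-08002be10318} is the standard Display class GUID. The HardwareInformation.* values are REG_BINARY holding a UTF-16 string rather than REG_SZ, which is why a plain registry search still finds them; the script checks the value type instead of assuming it. The ownership change is narrower than the GUI steps: only the adapter's own instance key is taken over, not the whole Enum key.

```powershell
# Added example, not code from the thread: rewrite the display-adapter strings
# that Device Manager and dxdiag read. Elevated prompt in the Windows 10 guest.
$NewDesc      = 'NVIDIA GeForce GTX 1060'    # made-up; Device Manager / dxdiag "Name"
$NewChip      = 'GP106'                      # made-up; dxdiag "Chip Type"
$NewDac       = 'Integrated RAMDAC'          # made-up; dxdiag "DAC Type"
$VBoxDisplay  = 'VEN_80EE&DEV_BEEF*'         # the VirtualBox adapter ID from the OP's key path
$DisplayClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}'

# Enum\PCI keys are owned by SYSTEM, so opening one for WRITE_OWNER needs
# SeTakeOwnershipPrivilege. Elevated admins hold it, but it starts disabled;
# this P/Invoke enables it for the current process (what regedit does for you).
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Priv {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint Low; public int High; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint Count; public LUID Luid; public uint Attr; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    public static bool Enable(string name) {
        IntPtr token; LUID luid;
        if (!OpenProcessToken(GetCurrentProcess(), 0x0028, out token)) return false; // ADJUST_PRIVILEGES | QUERY
        if (!LookupPrivilegeValue(null, name, out luid)) return false;
        var tp = new TOKEN_PRIVILEGES { Count = 1, Luid = luid, Attr = 0x2 };     // SE_PRIVILEGE_ENABLED
        return AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
               && Marshal.GetLastWin32Error() == 0;   // 1300 = privilege not held (not elevated)
    }
}
'@
if (-not [Priv]::Enable('SeTakeOwnershipPrivilege')) { throw 'Run this from an elevated prompt.' }

function Grant-AdminsFullControl([string]$SubKey) {
    # The GUI steps from the thread: take ownership, then add Full Control.
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    $hklm   = [Microsoft.Win32.Registry]::LocalMachine
    $R      = [System.Security.AccessControl.RegistryRights]
    # 1. Only WRITE_OWNER is requested and only the owner section is written.
    $k = $hklm.OpenSubKey($SubKey, 'ReadWriteSubTree', $R::TakeOwnership)
    $own = New-Object System.Security.AccessControl.RegistrySecurity
    $own.SetOwner($admins)
    $k.SetAccessControl($own); $k.Close()
    # 2. The owner implicitly gets READ_CONTROL and WRITE_DAC: add the ACE.
    $k = $hklm.OpenSubKey($SubKey, 'ReadWriteSubTree', ($R::ReadPermissions -bor $R::ChangePermissions))
    $acl = $k.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $admins, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    $k.SetAccessControl($acl); $k.Close()
}

function Set-RegistryString([string]$Path, [string]$Name, [string]$Text) {
    # Keep whatever type is there: DeviceDesc is REG_SZ, HardwareInformation.*
    # is REG_BINARY containing a NUL-terminated UTF-16LE string.
    $key  = Get-Item $Path
    $kind = if ($key.GetValueNames() -contains $Name) { $key.GetValueKind($Name) } else { 'String' }
    if ("$kind" -eq 'Binary') {
        Set-ItemProperty -Path $Path -Name $Name -Type Binary -Value ([System.Text.Encoding]::Unicode.GetBytes($Text + "`0"))
    } else {
        Set-ItemProperty -Path $Path -Name $Name -Type String -Value $Text
    }
}

# 1. Device Manager: DeviceDesc (and FriendlyName, which wins when present) on
#    every instance of the VirtualBox adapter. A driver reinstall (e.g. a Guest
#    Additions update) rewrites DeviceDesc from the .inf, which is why the OP
#    prefers editing the oem*.inf itself.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\PCI' |
    Where-Object { $_.PSChildName -like $VBoxDisplay } | Get-ChildItem | ForEach-Object {
        Grant-AdminsFullControl ($_.Name -replace '^HKEY_LOCAL_MACHINE\\', '')
        Set-RegistryString $_.PSPath 'DeviceDesc'   $NewDesc
        Set-RegistryString $_.PSPath 'FriendlyName' $NewDesc
        "Enum:  $($_.Name)"
    }

# 2. dxdiag: Chip/DAC type live under the Display class key, one numbered subkey
#    per adapter; pick the one whose MatchingDeviceId is the VirtualBox card.
#    ("Properties" under the class key is not readable even by admins; skip it.)
Get-ChildItem $DisplayClass -ErrorAction SilentlyContinue | Where-Object {
    (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).MatchingDeviceId -like "pci\$VBoxDisplay"
} | ForEach-Object {
    Set-RegistryString $_.PSPath 'HardwareInformation.ChipType'      $NewChip
    Set-RegistryString $_.PSPath 'HardwareInformation.DacType'       $NewDac
    Set-RegistryString $_.PSPath 'HardwareInformation.AdapterString' $NewDesc   # same family of values
    "Class: $($_.Name)"
}

# 3. Answer to "how do I search all text files in a Windows folder": find the
#    oem*.inf that defines the %vboxvideo.svcdesc% token the OP edits instead.
Select-String -Path 'C:\Windows\INF\oem*.inf' -Pattern 'VBoxVideo\.SvcDesc' -List |
    Select-Object -ExpandProperty Path -Unique
```

Reopen Device Manager and dxdiag afterwards to check the result; as the earlier post notes, Device Manager may need Action > Scan for hardware changes before it shows the new name. Take a VM snapshot first, since a typo in an ACL edit on an Enum key is not something you want to unpick by hand.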