How do they detected VMs without looking on the machine?

wirushunter · 2018 年 10 月 20 日午後 12:26

So I trawl the numbers here, make the call, and have a story to tell them , which has an end goal. It has had some success but only with the dumber scammers. Nothing I will go into on here.

I let them connect to my VB VM,

One bought my tale about the pop up etc.
We went through the usual gotoassist name/ID stuff. Once he connected, his tone changed and I think he was calling me names in Hindi in between English haha, and he bascially said "its a vm". He didnt even run msinfo32 or dxdiag which I have 99% patched/updated. He literally just connected.
Afterwards he deleted all my icons and rebooted me haha. Not even a syskey attempt.

Does gotoassist display guest info to this level ?

The only System Info I havent been able to change is under mscfong32-> Components-> Display "Adapter Type" which still shows Virtualbox. Even vBoxSysInfoMod doesnt touch that part.
If anybody has a way to mask/mod that, it would be appreciated.

AussieScamBuster · 2018 年 10 月 20 日午後 12:57

Probably your BIOS, have a read> replace/d/10659-web-expert-instantly-know-i-m-using-virtualbox-when-i-use-win10-as-client/16

wirushunter · 2018 年 10 月 20 日午後 4:21

@AussieScamBuster#59850

Nice one, I will have a look thanks

AussieScamBuster · 2018 年 10 月 21 日午前 7:18

@Rajeshi_Gardner edit 3 Reg Keys:(might not have to edit all 3, but I did)

Computer\HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System

Computer\HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig{98bf5298-3cb8-db49-a8de-182c42c7226b}

Computer\HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current

Also if you reboot your VM it will revert back to vbox and you have to edit registry again

wirushunter · 2018 年 10 月 21 日午後 6:57

I just checked this key and yes, it shows VBOX stuff

Will export the key from my legit laptop, edit it and import it

Even though most of msinfo32 says Dell, the reg says different

thunder · 2018 年 10 月 21 日午後 7:35

[[3,4],[1]]

Mustango · 2018 年 10 月 22 日午後 1:58

I found this on youtube. I will try it and I hope it will help you too.

https://www.youtube.com/watch?v=gThdRKsMzvI

wirushunter · 2018 年 10 月 23 日午後 9:09

This is handy as a guide, tweak the entires

https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/Binary/data/hidevm_ide.cmd

My final challenge is VBOX HARDDISK which can be seen in msinfo32

The command below changes the vbox file but generates an error on boot. Maybe because its a SATA and this is modding IDE ........ ?
VBoxManage setextradata imagename "VBoxInternal/Devices/piix3ide/0/Config/PrimaryMaster/ModelNumber" "Wester Digital Disk"

wirushunter · 2018 年 10 月 23 日午後 9:16

Progress ? ahci allows boot but doesnt change it

VBoxManage setextradata imagename “VBoxInternal/Devices/ahci/0/Config/PrimaryMaster/ModelNumber” “Western Digital Disk”

wirushunter · 2018 年 10 月 23 日午後 9:33

The registry give access denied to these keys as the device is in use