Vmware Hardened VM detection mitigation loader
For now, only Windows (vista~win10) x64 guests are supported.
It get vmware guest undetected by VMProtect 3.2 (anti-vm feature).
the VmLoader driver patches SystemFirmwareTable at runtime, it removes all detectable signatures like "VMware" "Virtual" "VMWARE".
Do not install vmtools, it will ruin everything!
use TeamViewer / AnyDesk / mstsc / VNC viewer instead!
hypervisor.cpuid.v0 = "FALSE"
board-id.reflectHost = "TRUE"
hw.model.reflectHost = "TRUE"
serialNumber.reflectHost = "TRUE"
smbios.reflectHost = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
Modify guest's MAC address to whatever except below:
TCHAR *szMac[][2] = {
{ _T("\x00\x05\x69"), _T("00:05:69") }, // VMWare, Inc.
{ _T("\x00\x0C\x29"), _T("00:0c:29") }, // VMWare, Inc.
{ _T("\x00\x1C\x14"), _T("00:1C:14") }, // VMWare, Inc.
{ _T("\x00\x50\x56"), _T("00:50:56") }, // VMWare, Inc.
};
I use
open command prompt as System Administrator, use the following commands
sc create vmloader binPath= "\??\c:\vmloader.sys" type= "kernel"
sc start vmloader
If an error occurs when start service, use DbgView to see whats happened. you can post an issue with DbgView output information if it does't work on your environment.
If no error, then everything works fine.
you could put "vmloader.sys" wherever you want, except vmware shared folders.
when you no longer need the mitigation, use
sc stop vmloader
sc delete vmloader
to unload the driver.
