
[Question] Are there possibilities to spoof ALL CIM-WMI values to bypass detection ? #278

Open
Greatz08 opened this issue Jan 5, 2025 · 1 comment

Comments

@Greatz08

Greatz08 commented Jan 5, 2025

I saw someone who, with the help of a PowerShell script, was able to spoof at least some values but not 100%, so I was curious to know if there are any possibilities to spoof ALL CIM-WMI checks which are performed by this project?

@FortiDan

FortiDan commented Jan 28, 2025

The cim_ classes are base classes that when queried just return instances of their derived classes, for example selecting for cim_coolingdevice will return instances of win32_fan.

The trick is to hook IWbemServices::ExecQuery, ExecQueryAsync, CreateInstanceEnum, and CreateInstanceEnumAsync and then inject fake instances that are created by using IWbemServices::GetObject("classname"), where classname is the true derived class being returned (ex: win32_fan, even if they select cim_coolingdevice), then using classObject->SpawnInstance to create fake instances of that class, calling instance->Put() to fill its members with fake data, then returning that from the query.

Good luck
