Let's continue with another example, again taken from VM Detector.
The other parameter we are interested in is the BIOS parameter.
The BIOS data is retrieved from the WMI class Win32_BIOS. We can retrieve it via PowerShell. (Get-WmiObject -class Win32_BIOS)
If you are using VMware, the BIOS serial number is generated and stored in the .vmx file of the VM.
But here is the problem: we can spoof any BIOS serial, but VMware will prepend the SerialNumber with "Vmware ", so the value still gives the VM away. There are multiple approaches to solving this problem, but in our case we can spoof the BIOS information by changing the way Windows represents it.
We can see how the Win32_BIOS class retrieves this information by inspecting C:\Windows\System32\wbem\cimwin32.mof
Notice there is another class referred to by Win32_BIOS, which is CIM_BIOSElement. The structure of this class is as follows:
Inspecting the subclass CIM_SoftwareElement returns the following structure.
Based on the information above, we can overwrite the Win32_BIOS class with our own class by compiling it with mofcomp. The following code should be sufficient in our case.
Compile it with mofcomp, and the serial number no longer contains the string VMWARE.
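A check to run on the analysis VM before and after the mofcomp step, as an added example that is not code from the original post: it reads Win32_BIOS the same way as above and lists every string property that still carries a hypervisor marker. The function name Find-VmMarker, the marker list and the sample serial are assumptions made for this example.

```powershell
# Added example: report which Win32_BIOS properties still expose a hypervisor marker.
# The marker list is an assumption; extend it to match the checks your samples perform.
$markers = 'vmware', 'virtualbox', 'vbox', 'qemu', 'xen', 'virtual machine'

# Hypothetical helper: works on live WMI data or on a saved/constructed object.
function Find-VmMarker {
    param(
        [Parameter(Mandatory)] $BiosObject,
        [Parameter(Mandatory)] [string[]] $Markers
    )
    # String-valued Win32_BIOS properties, including those inherited from
    # CIM_BIOSElement and CIM_SoftwareElement.
    $props = 'SerialNumber', 'Manufacturer', 'Version', 'SMBIOSBIOSVersion',
             'Name', 'Caption', 'Description', 'SoftwareElementID'
    foreach ($p in $props) {
        $value = [string]$BiosObject.$p
        if ([string]::IsNullOrEmpty($value)) { continue }
        foreach ($m in $Markers) {
            # Case-insensitive substring match, as a typical VM check would do.
            if ($value.IndexOf($m, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Property = $p; Value = $value; Marker = $m }
                break   # one finding per property is enough
            }
        }
    }
}

# Constructed sample mimicking an unmodified VMware guest (values are made up).
$sample = [pscustomobject]@{
    SerialNumber = 'VMware-00 11 22 33 44 55 66 77-88 99 aa bb cc dd ee ff'
    Manufacturer = 'Phoenix Technologies LTD'
    Version      = 'INTEL  - 6040000'
}
"Sample object findings: {0}" -f @(Find-VmMarker -BiosObject $sample -Markers $markers).Count

# Live check. Get-WmiObject is the cmdlet used above (Windows PowerShell 5.1);
# on PowerShell 7 use Get-CimInstance -ClassName Win32_BIOS instead.
$live = Get-WmiObject -Class Win32_BIOS
$hits = @(Find-VmMarker -BiosObject $live -Markers $markers)
if ($hits.Count -eq 0) {
    'Win32_BIOS: no hypervisor markers found.'
} else {
    'Win32_BIOS still exposes hypervisor markers:'
    $hits | Format-Table -AutoSize
}
```

The script only covers what Win32_BIOS returns through WMI; other sources of the same BIOS data are not changed by replacing the class.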