[Question] Are there possibilities to spoof ALL CIM-WMI values to bypass detection ?

[Greatz08]

I saw someone who with the help of powershell script was able to spoof atleast some values but not 100% so was curious to know if there are any possibilities to spoof ALL CIM-WMI checks which is performed by this project ?

[FortuneDan]

The cim_ classes are base classes that when queried just return instances of their derived classes, for example selecting for cim_coolingdevice will return instances of win32_fan.

The trick is to hook IWbemServices::ExecQuery, ExecQueryAsync, CreateInstanceEnum, and CreateInstanceEnumAsync and then inject fake instances that are created by using IWBemServices::GetObject("classname") where classname is the true derived class being returned (ex: win32_fan, even if they select cim_coolingdevice) then using classObject->SpawnInstance to create fake instances of that class, call instance->Put() to fill it's members with fake data, then return that from the query.

Goodluck