A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #2515  by CloneRanger
 Mon Aug 30, 2010 1:21 pm
I found this and it "appears" to me that it, or something based on it or similar, "might" be able in some way/s to be used by malware etc to disable/delete/interfere etc with VM type apps. If so not good :( I'm not skilled enough to look into this properly, that's why I'm posting my idea here so others who are can hopefully look into it more deeply etc ;)

See what you think.

Visual Subst - Virtual Drives In Effect
How It Works

Generally, a virtual drive is just a symbolic link in the Local MS-DOS Device namespace. It is just one more Windows feature added for backward compatibility with old programs.

Virtual drives are therefore objects of the operating system, and Visual Subst can create, enumerate and delete these objects.

http://www.ntwind.com/software/utilitie ... subst.html
 #2518  by EP_X0FF
 Mon Aug 30, 2010 1:38 pm

Actually it's not true virtualisation like VMWare/VPC virtual disks. These are just symbolic links :)

So I doubt that this can't be used for VM's bypassing, it's a simple GUI for the standard Windows subst utility.

For more info, look at the DefineDosDeviceW function description.

Thread moved to Tools / Software.

Kind Regards.
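
To see the symbolic-link point from the reply above for yourself, here is an added example (not part of either post or of Visual Subst): it reads each drive letter's link target with QueryDosDeviceW and reports the letters whose target points back into the `\??\` DOS device namespace, which is how a subst-style drive differs from a real volume. The function names and the sample table are constructed for illustration; the live query only runs on Windows.

```python
import ctypes
import string
import sys

# Constructed sample data: the kind of targets QueryDosDeviceW reports.
SAMPLE_TARGETS = {
    "C:": r"\Device\HarddiskVolume3",
    "D:": r"\Device\CdRom0",
    "X:": r"\??\C:\Projects\build",  # created with subst / DefineDosDeviceW
    "Z:": r"\Device\LanmanRedirector\;Z:0000000000012345\server\share",
}

def classify_target(target):
    """Classify one DOS device symbolic-link target (hypothetical helper)."""
    if target.startswith("\\??\\"):
        # Link back into the DOS device namespace: a path alias, not a volume.
        return ("subst", target[4:])
    if target.lower().startswith("\\device\\harddiskvolume"):
        return ("volume", target)
    return ("other", target)

def find_subst_drives(targets):
    """Return {drive: aliased path} for every subst-style drive letter."""
    found = {}
    for drive, target in sorted(targets.items()):
        kind, detail = classify_target(target)
        if kind == "subst":
            found[drive] = detail
    return found

def query_live_targets():
    """Windows only: read each drive letter's link target via QueryDosDeviceW."""
    kernel32 = ctypes.windll.kernel32
    buf = ctypes.create_unicode_buffer(1024)
    targets = {}
    for letter in string.ascii_uppercase:
        # A return value of 0 means the letter is not defined.
        if kernel32.QueryDosDeviceW(letter + ":", buf, len(buf)):
            targets[letter + ":"] = buf.value  # first string of the multi-string
    return targets

if __name__ == "__main__":
    data = query_live_targets() if sys.platform == "win32" else SAMPLE_TARGETS
    for drive, path in find_subst_drives(data).items():
        print(f"{drive} is an alias for {path}")
```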