kevoreilly · cccs-mog · Apr 21, 2026 · Apr 23, 2026 · Apr 29, 2026 · Apr 29, 2026
diff --git a/hook_network.c b/hook_network.c
@@ -26,6 +26,8 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #include "config.h"
 #include "misc.h"
 
+#define NERR_Success 0
+
 extern unsigned int dropped_count;
 extern BOOL DumpRegion(PVOID Address);
 extern void DebugOutput(_In_ LPCTSTR lpOutputString, ...);
@@ -994,9 +996,27 @@ HOOKDEF(ULONG, WINAPI, NetGetJoinInformation,
 	_Out_ DWORD *				BufferType
 ) {
 	ULONG ret = Old_NetGetJoinInformation(lpServer, lpNameBuffer, BufferType);
-
-	LOQ_zero("network", "uuI", "Server", lpServer, "NetBIOSName", *lpNameBuffer, "JoinStatus", BufferType);
-
+	if (ret != 0 || ret == NULL)
+		LOQ_zero("network", "u", "Server", lpServer, "NetBIOSName");
+		return ret;
+	if (g_config.no_stealth) 
+	{
+		LOQ_zero("network", "uuI", "Server", lpServer, "NetBIOSName", *lpNameBuffer, "JoinStatus", BufferType);
+	}
+	else 
+	{
+		//Faking to be part of a domain in order to bypass some detections
+		LOQ_zero("network", "uuI", "Server", lpServer, "NetBIOSName", *lpNameBuffer, "JoinStatus", BufferType);
+		if (*BufferType !=3) {
+			*BufferType = 3; 
+			LPWSTR fake_domain_name = L"myDomain";
+			DWORD net = NetApiBufferAllocate(sizeof(WCHAR) * wcslen((LPCWSTR)fake_domain_name), (LPVOID *)&fake_domain_name);
+			if(net == NERR_Success)
+				lpNameBuffer = &fake_domain_name;
+			else
+				*lpNameBuffer = *fake_domain_name;
+		}
+	}
 	return ret;
 }
 

diff --git a/hook_wmi.c b/hook_wmi.c
@@ -83,6 +83,10 @@ void SpoofWmiData(const wchar_t* szClassName, const wchar_t* wszName, VARIANT* p
 			}
 		}
 	}
+	else if (pVal->vt == VT_BOOL) {
+		if ((!_wcsicmp(szClassName, L"Win32_ComputerSystem") && (!_wcsicmp(wszName, L"PartOfDomain"))))
+			pVal->boolVal = VARIANT_TRUE;
+	}
 	//
 	// Spoofery logic for NULL
 	//