A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #27249  by EP_X0FF
 Mon Nov 16, 2015 7:26 pm
nov5th wrote: Thank you for this useful post. I use a virtual machine for malware analysis with Cuckoo. My questions are:
1. When I install VirtualBox (after disabling networking), I get a message: "Would you like to install this device software? Oracle Corporation Universal Serial Bus ..." Should I install it, or would it give evidence to malware?
2. How can I use a host-only network between guest and host? Should I only use NAT?
3. Will you post the same topic but for Linux x64 later?
Thank you
1) You can install USB; it doesn't seem to affect detection, VBox emulates nothing specific here as far as I remember.
2) You can use the network as you want; make sure the adapter MAC address is not the default one. VBox emulates a quite generic network adapter, so it can't be used for detection. The reason why I do not recommend installing VBox Networking is that the VBox network drivers prevent loader.exe from loading its driver (it cannot unload the original vboxdrv.sys while the VBox network drivers are not stopped). This can be solved by manually stopping all VBox connections via the Control Panel and stopping/unloading all the network drivers (removing them from protocols) before running loader.exe. So as you see, for most users it is simpler to recommend simply not installing this feature; NAT is still available.
3) Maybe, I use it too. Maybe it is possible to compile VBox for Linux already with the antidetection changes.

Overall, where VBox emulates some known generic hardware it can't be detected by this pattern. One of the exceptions is VirtualBox video, so its driver should never be installed (along with any kind of "tools and additions"), and our patch fakes this device by patching the hardware IDs and the video BIOS.
 #27314  by enkidu
 Thu Nov 26, 2015 5:13 am
Have you seen the modified Cuckoo (by brat) which has anti-VM-detection techniques? Does your suggested method work better? I am just trying to make my Cuckoo function well, so I need to find the best technique possible to hide the VM from malware.
 #27370  by marekrus1
 Sun Dec 06, 2015 5:14 pm
I've managed to install this but now I wonder - is there any way to make it work with Direct3D acceleration? It seems it requires the additions that, according to the guide, I shouldn't install. Is there a way to have Direct3D support without the additions?
 #27455  by EP_X0FF
 Wed Dec 23, 2015 6:46 am
marekrus1 wrote: I've managed to install this but now I wonder - is there any way to make it work with Direct3D acceleration? It seems it requires the additions that, according to the guide, I shouldn't install. Is there a way to have Direct3D support without the additions?
I don't think so. However, for most modern malware faked DMI info is enough, so most of this hardcore patching (HW IDs and VBox signatures patched in memory by tsugumi) is not required. If you only patch the DMI info you can try the VBox additions, but such a machine will be easy to detect by any "modern" enough malware.
 #27460  by EP_X0FF
 Thu Dec 24, 2015 7:23 am
As you know, VBoxAntiVMDetectHardened is a complex of methods implemented to reduce the VM detection possibilities of common malware.

DMI information faking, various BIOS replacements using documented VirtualBox interfaces, etc.;
Driver agent with loader used for hardcore VirtualBox patching in memory, because unfortunately VirtualBox itself is not customizable enough to do this simply.
Both parts can be used independently.

Note: this loader is considered as something used to "circumvent protection policies" (c) Perryg, yet another Oracle imbecile. So don't waste your time with Oracle employees and do not ask anything related to this loader or about hiding the VM from malware. Oracle staff are either dumb or don't know, plus most of them are simply brainwashed idiots (for example bird).

Details of what exactly is patched by the driver inside VBoxDD.dll can be found here -> http://www.kernelmode.info/forum/viewto ... 806#p24806; despite being posted at the beginning of this year, the patch targets are mostly the same, the only thing changing between VBox releases are the offsets inside VBoxDD.dll. Having all this information you can easily create your own patch for any of the existing Windows VirtualBox 4.3+ versions.

During the patch the driver overwrites the hardware IDs (VBOX_VENDOR_ID, VBOX_VGA_DEVICE_ID) used by VirtualBox for certain devices, including video. It works well for legacy VM setups without UEFI. But if you run a VM with a UEFI setup, it will result in a black screen, because the UEFI module has its own video driver that does additional device checks before running. This was fixed in the April 2015 update of the loader - see http://www.kernelmode.info/forum/viewto ... 549#p25549; starting from that, each loader update includes a patched version of the VirtualBox UEFI module VBoxEFI64.fd to be placed inside the VBox installation folder, overwriting the original file (here is an additional readme especially for the UEFI setup -> https://raw.githubusercontent.com/hfire ... dme1st.txt).

Now here are the details of this patch and how to do it manually.

Stage 1. Extract msi and cab file from VirtualBox setup.

Run the setup (no admin rights required) and then go to the %temp% folder. There you will find a folder "VirtualBox" with two files inside (depending on 32/64 bit they will be named differently):
common.cab
VirtualBox-5.0.10-r104061-MultiArch_amd64.msi (version 5.0.10 used as an example).

Copy these files somewhere and cancel VBox installation.

Stage 2. Extract files using msiexec.

Use the console (no admin rights required).
Code:
msiexec /a c:\temp\virtualbox\VirtualBox-5.0.10-r104061-MultiArch_amd64.msi /qb TARGETDIR=C:\temp\extracted
This command will extract the contents of the msi file to the existing directory C:\temp\extracted.

The extracted files will be located in the C:\temp\extracted\PFiles\Oracle\VirtualBox folder. Go there. We need the BIOS image file VBoxEFI64.fd (and VBoxDD.dll if you plan to build your own patch table).

Stage 3. Extract VBoxVgaDxe EFI module from VBoxEFI64.fd

Download UEFITool (https://github.com/LongSoft/UEFITool/releases)
UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images.
It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
Original development was started here at MDL forums as a cross-platform analog to PhoenixTool's structure mode with some additional features, but the program's engine was proven to be useful for other projects like UEFIPatch, UBU and OZMTool.
More info on project page.

Run it and open VBoxEFI64.fd with it (File -> Open image file...).
It will list the module structure; we are interested only in the embedded drivers, so go to the node shown on the picture below.

Image

Extract VBoxVgaDxe as shown on figure below

Image

The extracted file is a 64-bit PE, EFI boot image. Its complete source code is located in the

VirtualBox-5.0.12\src\VBox\Devices\EFI\Firmware\VBoxPkg\VBoxVgaDxe folder of the VirtualBox sources.

Stage 4. Patch and rebuild BIOS image.

We need to make 2 changes inside this binary and then replace it inside BIOS image.

Source code for the place of the patch: VirtualBox-5.0.12\src\VBox\Devices\EFI\Firmware\VBoxPkg\VBoxVgaDxe\VBoxVga.c

Target routine: VBoxVgaControllerDriverSupported
Code:
  //
  // See if the I/O enable is on.  Most systems only allow one VGA device to be turned on
  // at a time, so see if this is one that is turned on.
  //
  //  if (((Pci.Hdr.Command & 0x01) == 0x01)) {
  //
  // See if this is a Cirrus Logic PCI controller
  //
  if (Pci.Hdr.VendorId == VBOX_VENDOR_ID) {
    if (Pci.Hdr.DeviceId == VBOX_VGA_DEVICE_ID) {
VBox devs were too lazy to change the comments regarding Cirrus Logic.
Code:
//
// Cirrus Logic 5430 PCI Configuration Header values
//
#define VBOX_VENDOR_ID           0x80ee
#define VBOX_VGA_DEVICE_ID           0xbeef
Locate this check in the binary as shown on the figure below; it is in only one place.

Image

Overwrite the HW IDs with the HW IDs used in the patch (F3 in Hiew); we use nVidia HW IDs.

E.g.
Image

Save the file. Then in UEFITool, on the selected VBoxVgaDxe, use the context menu "Replace body as is" and "File -> Save image file..." to commit the changes.

Now you can replace the installed VBoxEFI64.fd with your patched version and use VBox UEFI VMs together with the hardened loader.
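The manual Hiew step of Stage 4 can also be scripted. The following Python helper is an added example, not part of the thread or of the hardened loader project: it locates the little-endian VBOX_VENDOR_ID / VBOX_VGA_DEVICE_ID pair in the extracted VBoxVgaDxe body and rewrites it, refusing to touch the file unless the pair is found exactly once (as the post says it should be). The NVIDIA PCI vendor ID 0x10DE is real; the device ID and the byte layout of the constructed sample buffer (two `cmp ax, imm16` instructions) are assumptions for illustration, and offsets found in a real module should be confirmed in a disassembler before replacing the body in UEFITool.

```python
import struct

# Values quoted from VBoxVga.c in the post.
VBOX_VENDOR_ID = 0x80EE
VBOX_VGA_DEVICE_ID = 0xBEEF

# NVIDIA's PCI vendor ID; the device ID is a placeholder, pick one matching
# the video hardware you fake elsewhere (video BIOS, DMI).
NEW_VENDOR_ID = 0x10DE
NEW_DEVICE_ID = 0x1234  # placeholder, not a value from the post


def find_id_checks(data: bytes, window: int = 64):
    """Return (vendor_off, device_off) pairs where the 16-bit LE VBox vendor ID
    is followed within `window` bytes by the VBox device ID. The two compares
    sit back to back in VBoxVgaControllerDriverSupported, so a lone 0x80EE
    elsewhere in the module is ignored."""
    vend = struct.pack("<H", VBOX_VENDOR_ID)
    dev = struct.pack("<H", VBOX_VGA_DEVICE_ID)
    hits = []
    pos = data.find(vend)
    while pos != -1:
        dev_pos = data.find(dev, pos + 2, pos + 2 + window)
        if dev_pos != -1:
            hits.append((pos, dev_pos))
        pos = data.find(vend, pos + 1)
    return hits


def patch_id_checks(data: bytes, new_vendor: int, new_device: int) -> bytes:
    """Rewrite the single vendor/device check. Refuses to patch when the pattern
    is absent or ambiguous so a different module layout is not silently
    corrupted."""
    hits = find_id_checks(data)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one ID check, found {len(hits)}")
    vend_off, dev_off = hits[0]
    out = bytearray(data)
    out[vend_off:vend_off + 2] = struct.pack("<H", new_vendor)
    out[dev_off:dev_off + 2] = struct.pack("<H", new_device)
    return bytes(out)


# Constructed stand-in for VBoxVgaDxe code (assumption: `cmp ax, imm16` is
# encoded 66 3D iw); real modules must be inspected, this is only a sample.
SAMPLE = (b"\x90" * 8
          + b"\x66\x3d" + struct.pack("<H", VBOX_VENDOR_ID) + b"\x75\x10"
          + b"\x90" * 4
          + b"\x66\x3d" + struct.pack("<H", VBOX_VGA_DEVICE_ID) + b"\x75\x08"
          + b"\x90" * 8)

if __name__ == "__main__":
    print(find_id_checks(SAMPLE))  # [(10, 20)]
    patched = patch_id_checks(SAMPLE, NEW_VENDOR_ID, NEW_DEVICE_ID)
    print(find_id_checks(patched))  # []
```

To use it on a real extraction, read the VBoxVgaDxe body with `open(path, "rb").read()`, pass it through `patch_id_checks`, write the result back, and then do the "Replace body as is" step in UEFITool.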
 #27576  by EP_X0FF
 Thu Jan 07, 2016 12:48 pm
First post updated to reflect current changes in VirtualBox 5.0 paravirtualization settings.
 #27702  by splinter_code
 Wed Jan 20, 2016 6:20 pm
Firstly, thank you for this great guide EP_X0FF.

I tested the VM detection with a good piece of software (Pafish) to check the stealthiness of the VM created following your guide, and the result is impressive :D

Image

It's almost undetectable :D

I hope that this can improve your work, wish you the best.

splinter_code
 #27703  by EP_X0FF
 Wed Jan 20, 2016 6:45 pm
This tool you use is /b/ level.
Also your screenshot indicates that you failed to configure the VM and installed / did not properly remove the VBox additions, which turned your VM into crap.

That's what it should give you, including the bullshit.
Code:
* Pafish (Paranoid fish) *

Some anti(debugger/VM/sandbox) tricks
used by malware for the general public.

[*] Windows version: 6.1 build 7601
[*] CPU: GenuineIntel         Intel(R) Xeon(TM) @ 3.30GHz

[-] Debuggers detection
[*] Using IsDebuggerPresent() ... OK

[-] CPU information based detections
[*] Checking the difference between CPU timestamp counters (rdtsc) ... traced! <-bullshit
[*] Checking the difference between CPU timestamp counters (rdtsc) forcing VM exit ... traced! <-bullshit
[*] Checking hypervisor bit in cpuid feature bits ... OK
[*] Checking cpuid vendor for known VM vendors ... OK

[-] Generic sandbox detection
[*] Using mouse activity ... OK
[*] Checking username ... OK
[*] Checking file path ... OK
[*] Checking common sample names in drives root ... OK
[*] Checking if disk size <= 60GB via DeviceIoControl() ... OK
[*] Checking if disk size <= 60GB via GetDiskFreeSpaceExA() ... traced! <-bullshit
[*] Checking if Sleep() is patched using GetTickCount() ... OK
[*] Checking if NumberOfProcessors is < 2 via raw access ... OK
[*] Checking if NumberOfProcessors is < 2 via GetSystemInfo() ... OK
[*] Checking if pysical memory is < 1Gb ... traced! <- mega bullshit
[*] Checking operating system uptime using GetTickCount() ... traced! <-bullshit
[*] Checking if operating system IsNativeVhdBoot() ... OK

[-] Hooks detection
[*] Checking function ShellExecuteExW method 1 ... OK
[*] Checking function CreateProcessA method 1 ... OK

[-] Sandboxie detection
[*] Using GetModuleHandle(sbiedll.dll) ... OK

[-] Wine detection
[*] Using GetProcAddress(wine_get_unix_file_name) from kernel32.dll ... OK
[*] Reg key (HKCU\SOFTWARE\Wine) ... OK

[-] VirtualBox detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] Reg key (HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions) ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "VideoBiosVersion") ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\DSDT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\FADT\VBOX__) ... OK
[*] Reg key (HKLM\HARDWARE\ACPI\RSDT\VBOX__) ... OK
[*] Reg key (HKLM\SYSTEM\ControlSet001\Services\VBox*) ... OK
[*] Reg key (HKLM\HARDWARE\DESCRIPTION\System "SystemBiosDate") ... OK
[*] Driver files in C:\WINDOWS\system32\drivers\VBox* ... OK
[*] Additional system files ... OK
[*] Looking for a MAC address starting with 08:00:27 ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VBoxTray windows ... OK
[*] Looking for VBox network share ... OK
[*] Looking for VBox processes (vboxservice.exe, vboxtray.exe) ... OK
[*] Looking for VBox devices using WMI ... OK

[-] VMware detection
[*] Scsi port 0,1,2 ->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\SOFTWARE\VMware, Inc.\VMware Tools) ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmmouse.sys ... OK
[*] Looking for C:\WINDOWS\system32\drivers\vmhgfs.sys ... OK
[*] Looking for a MAC address starting with 00:05:69, 00:0C:29, 00:1C:14 or 00:50:56 ... OK
[*] Looking for network adapter name ... OK
[*] Looking for pseudo devices ... OK
[*] Looking for VMware serial number ... OK

[-] Qemu detection
[*] Scsi port->bus->target id->logical unit id-> 0 identifier ... OK
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid CPU brand string 'QEMU Virtual CPU' ... OK

[-] Bochs detection
[*] Reg key (HKLM\HARDWARE\Description\System "SystemBiosVersion") ... OK
[*] cpuid AMD wrong value for processor name ... OK
[*] cpuid Intel wrong value for processor name ... OK

[-] Cuckoo detection
[*] Looking in the TLS for the hooks information structure ... OK


[-] Feel free to RE me, check log file for more information.
 #27704  by splinter_code
 Wed Jan 20, 2016 7:12 pm
EP_X0FF wrote: This tool you use is /b/ level.
Also your screenshot indicates that you failed to configure the VM and installed / did not properly remove the VBox additions, which turned your VM into crap.

That's what it should give you, including the bullshit.
Oops, I uninstalled the VBox additions from the guest OS but, like you said, it left some tracks in the registry (I will delete them manually), thank you for the advice.
Anyway, I think it could be useful for other users to check if the configuration went well (it's open-source software).
If you know better VM-detection software that produces a report (like/better than Pafish), please post it, because it could help other people understand how well the configuration of the VM went. :D