[bitstechs]

I just wanted to thank you guys so much for this information.

Upon creating a new virtual box vm I realized that I was unable to open some malware/viruses, more specifically Antivirus Security Pro. Then, I ran across this thread and after doing some research and applying these settings and dll's I started up the vm and Antivirus Security Pro popped up immediately. Again, thanks for all the info I feel a lot less like a vm noob now!

Edit: Also, the patched dll's for 4.3.2 that Derw_234 posted are the ones I used and they worked like a charm.

[rinn]

Hello.

Important fix for everyone who use VBox for malware research. Bug described here http://www.kernelmode.info/forum/viewto ... 930#p18930

Wrong instruction after single-step exception with 'rdtsc' and 'cpuid'

https://www.virtualbox.org/ticket/10947

Assume vmprotect author should do another research for VBox now.

Best Regards
-rin

[DerW_234]

Hello rin,

thanks for the heads up :).
I've attached the new patched DLLs for this version.

[EP_X0FF]

Hello.

Important fix for everyone who use VBox for malware research. Bug described here http://www.kernelmode.info/forum/viewto ... 930#p18930

Wrong instruction after single-step exception with 'rdtsc' and 'cpuid'

https://www.virtualbox.org/ticket/10947

Assume vmprotect author should do another research for VBox now.

Best Regards
-rin

Especially I like comment 2, https://www.virtualbox.org/ticket/10947#comment:2
Now you all know the reason and person who is responsible why this bug wasn't fixed for years -> a typical idiot who cannot into "asm".

[feryno]

Wrong instruction after single-step exception with 'rdtsc' and 'cpuid'

It seems there is (at least) one lazy programmer in the VirtualBox team - just forgot to generate #DB after emulating these instructions in VBox hypervisor vm exit handler. I would say it is more laziness than a bug.
I just wonder how they implement emulation if somebody sets DebugCtl.BTF and then do single step - implementing that into VBox is not so trivial task.

[DerW_234]

Happy new year everyone :).

I attached the patched DLLs for the latest VirtualBox version (4.3.6-91406).

PS: Does anybody know of a good hex editor that supports regular expression search? Would make the process a little faster.

[DerW_234]

New version for v4.3.8 r92456.
Also highly recommended reading (VMDE): http://www.kernelmode.info/forum/viewto ... =16&t=3178

[DerW_234]

New version (4.3.10-93012), new DLLs :).

[n0mad]

Hello,

My first post. I love this forums I am learning much. :shock:

I will post a Anti-AntiVM process I found on the Net:

1, Installation of VirtualBox Xp32bit VirtualMachine.

2, Use this 2 scripts (In windows you need Python 2 : https://www.python.org/downloads/ ):

Code: Select all

#!/usr/bin/env python  
   
 import os  
 import sys  
 import subprocess  
   
 def runcmd(cmd):  
   try:  
     print "Executing %s" % ' '.join(cmd)  
     output = subprocess.check_output(cmd)  
     print output  
     return output  
   except:  
     print "Failed"  
     return None  
   
 VBoxManage = '/usr/bin/VBoxManage'  
 vboxConfBios = '/MART/bin/vboxConfBios.py'  
   
 for machine in sys.argv[1:]:  
   hdpath = os.path.join('/','MART','VirtualBox VMs',machine,machine+'.vdi')  
   runcmd([VBoxManage,'createhd','--filename',hdpath,'--size',str(64*1024)])  
   runcmd([VBoxManage,'createvm','--name',machine,'--ostype','Windows7','--register'])  
   runcmd([VBoxManage,'storagectl',machine,'--name','SATA Controller','--add','sata','--controller','IntelAHCI'])  
   runcmd([VBoxManage,'storageattach',machine,'--storagectl','SATA Controller','--port','0','--device','0','--type','hdd','--medium',hdpath])  
   runcmd([VBoxManage,'modifyvm',machine,'--ioapic','on'])  
   runcmd([VBoxManage,'modifyvm',machine,'--boot1','net','--boot2','dvd','--boot3','disk','--boot4','none'])  
   runcmd([VBoxManage,'modifyvm',machine,'--memory','1024','--vram','128'])  
   runcmd([VBoxManage,'modifyvm',machine,'--nic1','bridged','--bridgeadapter1','eth0'])  
   runcmd([vboxConfBios,machine])

Code: Select all

#!/usr/bin/env python  
   
 import re  
 import subprocess  
 import sys  
 import os  
 import json  
   
 from pprint import pprint  
   
 def cloneMAC():  
   ifconfig_out = runcmd(["/sbin/ifconfig","eth0"])  
   regex = r"([0-9A-F]{2}[:-]){5}([0-9A-F]{2})"  
   pat = re.compile(regex, re.I | re.S | re.M)  
   for line in ifconfig_out:  
     if pat.search(line):  
       mac = pat.match(line).group().split(":")  
       pprint(mac)  
       mac[0] = int(mac[0], 16)  
       mac[1] = int(mac[1], 16)  
       mac[2] = int(mac[2], 16)  
       mac[3] = random.randint(0x00, 0x7f)  
       mac[4] = random.randint(0x00, 0xff)  
       mac[5] = random.randint(0x00, 0xff)  
       pprint(mac)  
       return ''.join(map(lambda x: "%02x" % x, mac))  
   
 def randomMAC():  
   # 00:1b:fc = ASUSTek COMPUTER INC.  
   mac = [ 0x00, 0x1b, 0xfc,  
     random.randint(0x00, 0x7f),  
     random.randint(0x00, 0xff),  
     random.randint(0x00, 0xff) ]  
   return ''.join(map(lambda x: "%02x" % x, mac))  
   
 def getnewmac(hostname):  
   regex = r"(%s)\s+([0-9A-Fa-f]+)\s+([0-9\.]+)" % hostname  
   pat = re.compile(regex, re.I | re.S | re.M)  
   with open("/MART/etc/macs.txt") as fh:  
     for line in fh:  
       if pat.search(line):  
         (hostname,mac,ip) = pat.match(line).groups()  
         if mac:  
           return mac  
   return randomMAC()  
   
 def runcmd(cmd):  
   try:  
     print "Executing %s" % ' '.join(cmd)  
     output = subprocess.check_output(cmd)  
     print output  
     return output  
   except:  
     print "Failed"  
     return None  
   
 # Gather system information  
 def getdmi():  
   dmi = {}  
   
   # Anti-VM detection, DMI BIOS information (type 0)  
   dmitmp = runcmd(["sudo","dmidecode","-t0"])  
   dmi['DmiBIOSVendor'] = re.search("Vendor: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBIOSVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBIOSReleaseDate']= re.search("Release Date: ([0-9\\/\\-]+)", dmitmp, re.I | re.S | re.M).group(1)  
   
   # Anti-VM detection, DMI BIOS information (type 1)  
   dmitmp = runcmd(["sudo","dmidecode","-t1"])  
   dmi['DmiSystemVendor'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiSystemProduct'] = re.search("Product Name: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiSystemVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiSystemSerial'] = "string:" + re.search("Serial Number: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiSystemSKU']   = re.search("SKU Number: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiSystemFamily'] = re.search("Family: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiSystemUuid']  = re.search("UUID: ([0-9A-Z\\-]+)", dmitmp, re.I | re.S | re.M).group(1)  
   
   # Anti-VM detection, DMI BIOS information (type 2)  
   MotherboardTypes = [  
     "Unknown",  
     "Other",  
     "Server Blade",  
     "Connectivity Switch",  
     "System Management Module",  
     "Processor Module",  
     "I/O Module",  
     "Memory Module",  
     "Daughter Board",  
     "Motherboard",  
     "Processor+Memory Module",  
     "Processor+I/O Module",  
     "Interconnect Board"  
   ]  
   
   dmitmp = runcmd(["sudo","dmidecode","-t2"])  
   
   dmi['DmiBoardVendor']   = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBoardProduct']  = re.search("Product Name: ([A-Z0-9\\ \\.\\-/]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBoardVersion']  = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBoardSerial']   = "string:" + re.search("Serial Number: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBoardAssetTag']  = re.search("Asset Tag: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBoardLocInChass'] = re.search("Location In Chassis: ([0-9A-Z\\ \\-\\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiBoardBoardType'] = str(MotherboardTypes.index(re.search("Type: ([0-9A-Z\\ \\-]+)", dmitmp, re.I | re.S | re.M).group(1))+1)  
   
   # Anti-VM detection, DMI system enclosure or chassis (type 3) 
   ChassiTypes = [  
     "Other",   
     "Unknown",  
     "Desktop",  
     "Low Profile Desktop",  
     "Pizza Box",  
     "Mini Tower",  
     "Tower",  
     "Portable",  
     "Laptop",  
     "Notebook",  
     "Hand Held",  
     "Docking Station",  
     "All In One",  
     "Sub Notebook",  
     "Space-saving",  
     "Lunch Box",  
     "Main Server Chassis",  
     "Expansion Chassis",  
     "Sub Chassis",  
     "Bus Expansion Chassis",  
     "Peripheral Chassis",  
     "RAID Chassis",  
     "Rack Mount Chassis",  
     "Sealed-case PC",  
     "Multi-system",  
     "CompactPCI",  
     "AdvancedTCA",  
     "Blade",  
     "Blade Enclosing"  
     ]  
   
   dmitmp = runcmd(["sudo","dmidecode","-t3"])  
   dmi['DmiChassisVendor']  = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiChassisType']   = str(ChassiTypes.index(re.search("Type: ([0-9A-Z\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1))+1)  
   dmi['DmiChassisVersion'] = "string:" + re.search("Version: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiChassisSerial']  = "string:" + re.search("Serial Number: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiChassisAssetTag'] = re.search("Asset Tag: ([A-Z0-9\\ \\.\\-]+)", dmitmp, re.I | re.S | re.M).group(1)  
   
   # Anti-VM detection, DMI processor informatiion (type 4)    
   dmitmp = runcmd(["sudo","dmidecode","-t4"])  
   dmi['DmiProcManufacturer'] = re.search("Manufacturer: ([A-Z0-9\\ \\.]+)", dmitmp, re.I | re.S | re.M).group(1)  
   dmi['DmiProcVersion']   = "string:" + re.search("Version: ([A-Z0-9\\ \\.\\(\\)\\-]+)", dmitmp, re.I | re.S | re.M).group(1)  
      
   for key, value in dmi.iteritems():  
     if value == None:  
       del dmi[key]  
     else:  
       if isinstance( value, ( int, long ) ):  
         dmi[key] = str(value)  
       else:  
         dmi[key] = value.strip()  
   return dmi  
   
 dmi = None  
 try:  
   fh = open('/MART/etc/dmi.txt', 'r')  
   if fh:  
     dmi = json.load(fh)  
     fh.close()  
 except Exception:  
   dmi = getdmi()  
   with open('/MART/etc/dmi.txt', 'w') as outfile:  
     json.dump(dmi, outfile, sort_keys=True, indent=4, separators=(',', ': '))  
   print json.dumps(dmi, sort_keys=True, indent=4, separators=(',', ': '))  
   
 # Globals, of sorts  
 DSDT_BIN="/MART/etc/DSDT.BIN"  
 VBoxManage = '/usr/bin/VBoxManage'  
   
 # Get the DSDT   
 if not os.path.exists(DSDT_BIN):  
   try:  
     runcmd(['sudo','acpidump','-t','DSDT','-o',DSDT_BIN,'-b'])  
   except:  
     runcmd(['sudo','cat','/sys/firmware/acpi/tables/DSDT','>',DSDT_BIN])  
   
 for target in sys.argv[1:]:  
   # Configure all the virtual BIOS setings  
   for key, value in dmi.iteritems():  
     runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/" + key,value])  
   
   # Configure DSDT  
   if os.path.exists(DSDT_BIN):  
     runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/acpi/0/Config/CustomTable",DSDT_BIN])  
   
   # Setting guest MAC  
   #newmac = getnewmac(target)  
   newmac = cloneMAC()  
   runcmd([VBoxManage,"modifyvm",target,"--macaddress1",newmac])  
   
   # Enable memory ballooning  
   runcmd([VBoxManage,"modifyvm",target,"--pagefusion","on"])  
 dmi = None  
 try:  
   fh = open('/MART/etc/dmi.txt', 'r')  
   if fh:  
     dmi = json.load(fh)  
     fh.close()  
 except Exception:  
   dmi = getdmi()  
   with open('/MART/etc/dmi.txt', 'w') as outfile:  
     json.dump(dmi, outfile, sort_keys=True, indent=4, separators=(',', ': '))  
   print json.dumps(dmi, sort_keys=True, indent=4, separators=(',', ': '))  
   
 # Globals, of sorts  
 DSDT_BIN="/MART/etc/DSDT.BIN"  
 VBoxManage = '/usr/bin/VBoxManage'  
   
 # Get the DSDT   
 if not os.path.exists(DSDT_BIN):  
   try:  
     runcmd(['sudo','acpidump','-t','DSDT','-o',DSDT_BIN,'-b'])  
   except:  
     runcmd(['sudo','cat','/sys/firmware/acpi/tables/DSDT','>',DSDT_BIN])  
   
 for target in sys.argv[1:]:  
   # Configure all the virtual BIOS setings  
   for key, value in dmi.iteritems():  
     runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/pcbios/0/Config/" + key,value])  
   
   # Configure DSDT  
   if os.path.exists(DSDT_BIN):  
     runcmd([VBoxManage,"setextradata",target,"VBoxInternal/Devices/acpi/0/Config/CustomTable",DSDT_BIN])  
   
   # Setting guest MAC  
   #newmac = getnewmac(target)  
   newmac = cloneMAC()  
   runcmd([VBoxManage,"modifyvm",target,"--macaddress1",newmac])  
   
   # Enable memory ballooning  
   runcmd([VBoxManage,"modifyvm",target,"--pagefusion","on"])  
   
   # Configure VRDP  
   runcmd([VBoxManage,"modifyvm",target,"--vrde","on"])  
   runcmd([VBoxManage,"modifyvm",target,"--vrdeport",str(3389 + int(target.split("-")[2]))])

3, Use of scripts against the Virtual Mahine with XP32bit.

Code: Select all

C:\Python27> python createVBoxVM.py

and

C:\Python27> python vboxConfBios.py

Then replace the DLL's on your VB from the DLL's on this post acording to your VB version.

4, Try if the VM is Anti-AntiVM with "pafish" (Paranoid Fish). You can download pafish here: https://github.com/a0rtega/pafish

5, Check the "pafish.log" output.

Found: http://blog.michaelboman.org/2014/01/ma ... table.html

The End.

[EP_X0FF]

VirtualBox cannot be hidden at all, even we have a prof in vmde. All the above is only works for very stupid general malware.